[Bro] Bro 1.4 release now available

Vern Paxson vern at icir.org
Fri Oct 17 11:47:01 PDT 2008

Bro release 1.4 is now available from:


This release includes significant new functionality as well as numerous
refinements and fixes, per the appended changelog entries.

Previous releases are available at http://www.bro-ids.org/download.html .
We do not anticipate making any further changes to them.



1.4 Fri Oct 17 11:08:52 PDT 2008

- We are no longer supporting a previous Bro release as the "stable"
  version.  Rather, the model now is that the current public release will
  aim for increasing stability (occasionally updated with fixes), and those
  who wish to use a "bleeding-edge" snapshot can do so via access to the
  public SVN source code repository, as explained at


  Note that all previous releases remain available from the download page;
  what is changing is that we no longer commit to support for the most
  recent of these.

- We have clarified the copyright statement that covers most of the
  code to remove the "advertising clause" that derived from older
  BSD licenses, and we have removed copyright wording from most source
  code files.  See COPYING for the current wording and a list of
  files that retain their own copyright notices.

- Bro now supports analyzing NetFlow v5 data, i.e., from Cisco routers
  (Bernhard Ager).  NetFlow can be useful for intrusion detection as it
  allows analysis of traffic from many different points in the network.
  Bro can now read NetFlow data from a UDP socket, as well as (mostly
  for debugging purposes) from a file in a specialized format.  You can
  create these files with the programs given in aux/nftools.

  Command line switches:

	  -Y|--netflow <ip>:<prt>[=<id>] | read flow from socket

	    This is the usual way of getting NetFlow data into Bro by
	    opening a UDP socket on <ip>:<prt> and reading all incoming
	    packets.  Setting the <ip> to should work on most
	    platforms.  Optionally you may set an identifier <id> for the
	    source - useful if there are many different sources you want
	    to analyze in parallel. This might also be necessary if you
	    want to use this feature with a clustered Bro.

		      bro -Y netflow
		      bro -i eth0 -Y brolite netflow

	  -y|--flowfile <file>[=<ident>] 

	    Used to read from a file. You can optionally include an
	    identifier for the source.

		      bro -y myflowfile netflow
		      bro -y myflowfile=src1 otherflowfile=src2 netflow

  Netflow Events:

	  event netflow_v5_header(h: nf_v5_header)

	    Generated upon reading a new NetFlow PDU, as summarized in the
	    argument.  The field h_id gives the flow source identifier and
	    a serial number. You can use this field to associate subsequent
	    netflow_v5_record events with their header.

	  event netflow_v5_record (r: nf_v5_record)

	    Every record within a NFv5 PDU generates a corresponding
	    netflow_v5_record() event.  The relatively complex timestamp
	    format of NFv5 is already converted to Bro's time type, and
	    the TCP header flags are separated into bools.

  The distribution includes an example analysis script, netflow.bro.
  It simply dumps received NetFlow records.  If netflow_restitch is T
  (the default), then Bro performs flow restitching as well, and two
  script variables become relevant:

	  global netflow_finished_conn_expire = 310 sec &redef;

	    specifies how long to wait for additional flow records after
	    a RST or FIN for

	  const netflow_table_expire = 31 min;

	    Its setting only affects table declarations, and therefore
	    cannot be usefully redef'd.

  Auxiliary programs:

	    Bro uses a custom format for flow data stored in files,
	    to enable preserving timestamps of the PDU arrivals and the
	    exporter's IP address.  The tools nfcollector and ftwire2bro
	    in aux/nftools/ provide ways to manipulate the Bro NF file
	    format.  The first dumps NetFlow data from a UDP socket to
	    stdout or to a file in Bro format.  The second converts NetFlow
	    data in "wire" format to Bro format, and, while doing so,
	    fakes up the exporter's IP address and timestamp.  You can get
	    "wire" format from normal flow-tools files, e.g., by using
	    'flow-export -f 4'.  Please note that the Bro format is just
	    a hack to allow for easier debugging.  Therefore the format
	    is not in fact platform independent, and not suitable for data

- A new DHCP analyzer generates the following events (Po-Ching Lin):

	event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr)
	event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr,
	event dhcp_request(c: connection, msg: dhcp_msg,
	event dhcp_decline(c: connection, msg: dhcp_msg)
	event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr,
	event dhcp_nak(c: connection, msg: dhcp_msg)
	event dhcp_release(c: connection, msg: dhcp_msg)
	event dhcp_inform(c: connection, msg: dhcp_msg)

  where dhcp_msg values look like:

	type dhcp_msg: record {
		op: count;	# 1 = BOOTREQUEST, 2 = BOOTREPLY
		m_type: count;	# the type of DHCP message
		xid: count;	# transaction ID of a DHCP session
		h_addr: string;	# hardware address of the client
		ciaddr: addr;	# original IP address of the client
		yiaddr: addr;	# IP address assigned to the client

  See dhcp.bro for the corresponding analysis script (which could
  probably use some refinements).

  Note, this analyzer is implemented using BinPAC, so you will need
  to specify --use-binpac to activate it.

- A BitTorrent analyzer is now available (Nadi Sarrar).  See the policy
  scripts bittorrent.bro and bt-tracker.bro for the events generated for
  analyzing transfers and tracker dialogs, respectively.

- The "Bro Lite" configuration is now deprecated and will not in
  general be supported (Robin Sommer & Vern Paxson).

- "make install" now only installs a core set of files (Robin Sommer).
  Policy files are now installed in <prefix>/share/bro/* (or whatever
  configure determines $datadir to be), which is now in Bro's default
  search path.  It creates a directory <prefix>/share/bro/site for local
  policy files, and the default BROPATH is extended to include this.  The
  default path no longer includes policy/local.  You can install the
  additional files used by the (now deprecated) "Bro Lite" configuration
  using "make install-brolite".

- Substantial updates to Broccoli, including support for container
  types (tables and sets) as well as a new metadata structure for event
  callbacks, facilitating truly generic event handler implementations
  (Christian Kreibich, Seth Hall and Robin Sommer). See aux/broccoli/ChangeLog
  for details.

- Extensive changes to allow Bro to process packets captured in the
  past intermingled with those captured in real-time (Matthias Vallentin
  and Robin Sommer).  This operation reflects combining Bro with use of
  "Time Machine" functionality for packet capture.

- We have unfortunately had to disable support for configuring Bro
  to use ClamAV, since it turns out that the key interface we need
  for processing blocks of memory directly rather than whole files
  is no longer supported by the package, and in fact was buggy even
  when it was (Robin Sommer).

- The new signature option "http-body /<regexp>/" matches <regexp>
  on the body data of HTTP entities (Robin Sommer).  The matching is
  done after decompressing the body, if necessary.

- The new built-in function identify_data(data: string, return_mime: bool)
  analyzes the string "data" and returns its type according to libmagic,
  if installed (Seth Hall).  The second argument controls whether it should
  be returned as a MIME-type or just an identifying string.  For example,
  identify_data("MZpofigu", F) returns the string "MS-DOS executable", and
  print identify_data("MZpofigu", T) returns "application/x-dosexec".

- The new analysis script http-identified-files.bro identifies the
  type of items returned by Web servers using libMagic (if available)
  and generates notices for interesting types and mismatches between
  URLs and types (Seth Hall).

  You configure it using two variables.  watched_mime_types is a pattern
  (default /application\/x-dosexec/ | /application\/x-executable/ ) for
  which any MIME type matching the pattern generates a HTTP_WatchedMIMEType

  mime_types_extensions is a table mapping strings to patterns specifying
  how URLs for the given MIME type should appear.  (Ideally, this would
  be a table mapping patterns to patterns, but Bro doesn't currently support
  that.)  It defaults to:

		["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/

  i.e., do Windows executables end in .exe or .dll.

  You can also redef the pattern ignored_urls to specify URLs that should
  not generate complaints.  It defaults to matching Windows Update.

- The new script http-extract-items.bro extracts the items from HTTP
  traffic into individual files (Vern Paxson).  Files are named:


  where <prefix> is a redef'able prefix (default: "http-item"), <n> is a
  number uniquely identifying the item, the next four are describe the
  connection tuple, and <is-orig> is "orig" if the item was transferred
  from the originator to the responder, "resp" otherwise.

- The workings of how Bro interfaces to external programs for dropping/
  restoring connectivity of misbehaving hosts has been significantly
  reworked (Brian Tierney and Robin Sommer).

  First, dropping decisions used to be made directly by analyzer scripts,
  such as scan.bro directly calling drop_address().  Now instead the
  scripts generate Notices and then the notice policy can have an
  action of NOTICE_DROP to codify that the response to the given Notice
  is to drop the source.  The new notice_action_filter of drop_source
  drops the source of notices, and drop_source_and_terminate both
  drops the source and terminates the corresponding connection.

  So, to drop all sources triggering a specific notice, one can now, e.g.,
	redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source };

  Related to this change, notice_info has a new field $dropped, set to
  true if the Notice triggered a (successful) drop.

  Second, by redef'ing Drop::use_catch_release to T (default F) you can
  activate "catch-and-release" logic.  You use this mode when you need to
  manage a limited number of possible blocks, or to build in automatic
  "forgiveness" in situations where blocked sources might become benign
  (such as due to dynamic IP addresses).  If a source has been idle for
  Drop::drop_time, then it is unblocked.  However, if it is again seen as
  block-worthy, then it is blocked for an interval of Drop::long_drop_time.

  Third, ICMP scanning is now reported by its own notice, ICMPAddressScan,
  rather than Scan::AddressScan.

- Google's perftools have replaced mpatrol for leak-checking and
  heap-profiling (Robin Sommer).  If Bro is compiled with --enable-perftools
  and configure finds the perftools, there are two command-line options

	-m turns on leak checking of the main packet loop, with some
	   uninteresting leaks are suppressed.  Currently, with one
	   exception (the RPC analyzer; problem not yet found), it reports
	   no leaks when running the test suite.

	-M turns on heap profiling: Bro will take a snapshot of the heap
	   before starting the main packet loop and another one when
	   finished. These snapshots can then be analyzed with pprof.

  For more information about the perftools see 

- Notice tags are now generated in a pseudo-unique fashion that, with high
  probability, ensures that tags generated by separate Bro processes don't
  clash when logged to a common location, such as for a Bro cluster (Robin
  Sommer).  Tags are now string's rather than count's, and are associated
  with all notices, not just that are connection-related.  You can however
  redef the string notice_tag_prefix or the function new_notice_tag to
  further control how such tags are generated.

- Four new built-ins for type conversion (Robin Sommer):

	function double_to_interval(d: double): interval
	function addr_to_count(a: addr): count
	function port_to_count(p: port): count
	function count_to_port(c: count, t: transport_proto): port

- Many policy scripts have been modified to use modules & scoping
  (Robin Sommer and Matthias Vallentin), which may require updates to
  existing scripts/refinements.

- The new script variable dpd_conn_logs (default F), if true, changes the
  semantics of the service field in connection logs written to conn.log,
  as follows (Robin Sommer).  It becomes a comma-separated list of analyzers
  confirmed by DPD to parse the connection's payload.  If no analyzer could
  confirm its protocol, but the connection uses a well-known port, the
  service is the name of the port with "?" appended (e.g., "http?"), as
  long as the corresponding analyzer has not declined the connection.
  In addition, ftp-data sessions are labeled "ftp-data" and portmapper
  connections are labeled with the specific method-call (just as before).

  dpd_conn_logs defaults to F because the change in semantics may break
  scripts that parse conn.logs; but it will likely change to the default
  in the future. With dpd_conn_logs turned off, conn logs are generated
  as they used to be, with a few rare exceptions (with previous versions,
  the service field was sometimes determined while the connection was still
  alive; now it's always determined at the time when the conn.log entry
  is written out).

- The SSL analyzer has been rewritten using BinPAC, with a number of
  robustness improvements (Tobias Kiesling).  It currently is only used
  if you execute with --use-binpac.

- Python bindings for Broccoli are now available in
  aux/broccoli/bindings/python/ (Robin Sommer).  See README/README.html
  in that director for details.

- The new "auth" option in remote.bro indicates whether a given side is
  considered "authoritative" for shared state, in which case it sends its
  initial state to &sync'ed peers (Robin Sommer).  When two peers synchronize
  their state, one side sends its current set of state to the other as
  soon as the remote connection is established.  The one sending the state
  used to be the one who has been running longer; now it can also be
  explicitly set via the "auth" flag in the Remote::Destination.

- Two new tuning parameters for scan.bro (Robin Sommer):

  ignore_scanners_threshold (default 0):

	If a host has scanned more than this many hosts, it is completely
	excluded from further scan detection.  0 disables.

  addr_scan_trigger (default 0):

	A host is only tracked for address scanning once it has contacted
	this many different hosts.  Primarily intended for using a two-stage
	scan detection with a Bro cluster: first, each node searches locally
	for scanners by looking for hosts contacting more than
	addr_scan_trigger destinations.  Those hosts which do are then
	globally tracked throughout the cluster by &synchronizing the scan
	detector tables.

- When Bro serializes functions, it now does so by default using only
  their name, rather than their full value (Robin Sommer).  This prevents 
  propagation of expiration functions associated with tables and sets.
  Note, currently there is no mechanism provided to switch from the
  default behavior, but the internal hooks are in place to do so.

- The new built-in variable trace_output_file gives the name of the -w
  output trace file (Robin Sommer).

- Bro no longer installs new file rotation timers when shutting down
  (Robin Sommer).

- The new policy scripts remote-print-id{,-reply}.bro support convenient
  access to printing the identifiers of a remote Bro (Robin Sommer).
  You use the script remote-print-id.bro to request and receive the
  printing; the remote Bro must have loaded remote-print-id-reply.bro
  in order to process the request.

  Example use:

	  bro -e 'redef PrintID::dst="<dst>" PrintID::id="<name-of-id>"'
			<other scripts> remote-print-id

- scan.bro has been heavily modified to better support distributed scan
  analysis (Matthias Vallentin and Robin Sommer).

- The check for unused event handlers is now turned off by default
  (Robin Sommer).  To enable, use "redef check_for_unused_event_handlers = T".

- The new script drop.bro has been split off from scan.bro to isolate
  the logic concerning dropping addresses to block scans (Robin Sommer).

- The new -l flag lists each script as it is loaded (Robin Sommer).

- Textual descriptions of identifiers now include their attributes
  (Robin Sommer).

- The new predefined function prefixed_id() returns a session identifier with
  its peer-ID prepended if it's associated with a remote Bro (Robin Sommer).
  This is now used when generating writing log files.

- remote.bro now assigns a priority of -10 to its bro_init() event handler
  to allow others a chance to modify destinations (Robin Sommer).

- A large number of BinPAC updates (Ruoming Pang and Robin Sommer).

- The new built-in type_name(v): string returns the name of the type
  of the value v (Vern Paxson).  For example, "typename(5.2)" returns
  "double".  This function is mainly for internal debugging (i.e.,
  finding mismatches between values generated by the event engine
  versus how their type is expected by the script layer).

- The new built-in str_shell_escape() does some basic escaping on strings
  that will be passed to system() (Christian Kreibich).  Note, this function
  isn't ready (robust enough) for routine use, however.

- The new built-in disable_print_hook(file) acts the same as
  the attribute &disable_print_hook (Robin Sommer).

- The new script terminate-connection.bro factors out the terminate_connection()
  functionality that used to be in conn.bro (Robin Sommer).

- The new attribute &group=<tag> can be associated with event handlers
  to group them together into a set that can be manipulated as a whole
  (Robin Sommer).  <tag> is a string reflecting the name given to the group.

  The built-in enable_event_group(group: string) turns on all the analyzers
  in a given group, and disable_event_group(group: string) deactivates them.

- The new attribute &raw_output applies to variables of type file, disabling
  escaping of non-printable characters (Seth Hall).

- You can now iterate over the characters in a string value using
  a "for" loop, e.g., "for ( c in str ) ..." (Robin Sommer).

- The new built-in

      function cat_sep%(sep: string, def: string, ...%): string

  works similarly to cat(), except that it (a) separates the values
  by "sep" and (b) substitutes "def" for empty strings (Seth Hall).

- The function string_escape() now takes a string of characters to escape
  rather than a single character (Robin Sommer).  Each character in the
  string is preceded by '\' in the return value (also any embedded '\'s,
  as before).

- The new built-in function global_ids() returns a table of all global
  identifiers along with associated information (Robin Sommer).  The
  return value has type table[string] of script_id, indexed by the name
  of the identifier and yielding records with the following fields:

	type script_id: record {
		type_name: string;
		exported: bool;
		constant: bool;
		enum_constant: bool;
		redefinable: bool;
		value: any &optional;

- The new script function find_last(str: string, re: pattern) returns
  the last occurrence of the given pattern in the given string, or
  an empty string if no match (Robin Sommer).  Note that this function
  returns the match that starts at the largest index in the string, which
  is not necessarily the longest match.  For example, a pattern of /.*/
  will return just the final character in the string.

- The new script variable record_all_packets, if redef'd to T (default F),
  instructs Bro to record every packet it processes (Robin Sommer).
  Prior to introducing this variable, Bro applied a few heuristics to
  reduce recording volume.  Setting this variable also causes packets
  to be recorded very early in processing, which can be helpful for
  debugging crashes.

- If the new script flag ssl_log_ciphers is set to T (default), ssl.bro
  logs the ciphers seen (Robin Sommer).

- Much more expanded Time Machine support, now located in
  policy/time-machine/ (Robin Sommer),

- The new command line option --status-file <file> (alias -U) specifies
  the name of a file into which Bro will write an indicator of its current
  processing status (Robin Sommer).  Possible values include "INITIALIZING",

- The new policy script targeted-scan.bro looks for repeated access from
  the same source to the same server, to detect things like SSH
  password-guessing attacks (Jim Mellander).

- The "alternative" style for printing strings (i.e., a fmt() argument
  of "%As") now renders the raw string, other than escape-expanding
  embedded NULs (Vern Paxson).  This change may be temporary, pending
  development of more fine-grained control over string rendering.

- For now we have removed the %S functionality for fmt() (Robin Sommer).
  %S was meant to print "raw" strings, but later processing of such
  printing still introduces artifacts.

- GeoIP information now includes latitude and longitude (Seth Hall).

- ssh.bro now supports the variable skip_processing_after_handshake
  which directs the event engine to omit any further processing of an
  SSH connection after its initial handshake (Seth Hall and Robin Sommer).
  This can help with performance for large file transfers but precludes
  some kinds of analyses (e.g., tracking connection size).  This change
  also adds a scope of "SSH".

- Email notification of notices now allows for separate destinations
  depending on notice type (in particular, a regular mail destination
  versus a pager destination), and also escapes the notice to prevent
  injection attacks (Seth Hall and Robin Sommer).

- The new policy script conn-flood.bro is a simple connection-flooding
  detector, mainly meant as a demonstration (Robin Sommer).

- A large number of additions to the TLS/SSL known-ciphers suite (Seth Hall).

- Serialization now uses 64-bit IDs to cache items rather than 32-bit,
  for robustness during long-running execution (Robin Sommer).

- The new script variable tcp_max_initial_window specifies, for flows
  for which ACKs have never been seen, the maximum volume of initial
  data after which Bro will assume that it is seeing only one side
  of the connection and will not buffer data for consistency checking
  awaiting the later arrival of ACKs (Robin Sommer).  It defaults to 4 KB.
  (Note, this used to be an internal value, so the behavior is not new.)
  Set to 0 to turn off this functionality and have Bro attempt to
  track all such flows.

- The new script variable tcp_max_above_hole_without_any_acks specifies,
  for flows for which ACKs have never been seen, the maximum volume of
  data above a sequence hole that Bro will tolerate for a connection
  before giving up on tracking the flow (Robin Sommer).  It defaults to 4 KB.
  (Note, this differs from tcp_max_initial_window in that this threshold
  applies to sequence holes rather than the beginning of flows.  Like
  tcp_max_initial_window this used to be an internal value.)  Set to 0 to
  turn off this functionality.

- The new script variable tcp_excessive_data_without_further_acks specifies
  a threshold similar to tcp_max_above_hole_without_any_acks, but for
  flows for which Bro has seen ACKs (Robin Sommer).  It defaults to 10 MB.
  Set to 0 to turn off the functionality.

- Equal signs ("=") in text for notices are now escaped when using the
  tagged format to keep them unambiguous from the "=" delimiters
  (Robin Sommer).

- The final tallies for notices are now processed as NoticeTally
  NOTICE's rather than directly alarm'd (Robin Sommer).

- WeirdActivity notices now include an associated connection when appropriate
  (Robin Sommer).

- Support for large (> 2^32 bytes) pcap trace files (Po-Ching Lin).

- Scoped names ("...::...") are now allowed in signature "eval"
  constructs (Christian Kreibich).

- scan.bro is now decoupled from conn.bro, i.e., you can @load the
  latter without getting the former (Vern Paxson).  As part of this
  change, the logic to invoke TRW is now in scan.bro.

- weird.bro has been updated with a number of missing Weird's (Vern Paxson).

- If when using inter-Bro communication the child Bro process terminates,
  it now also terminates the parent process (Robin Sommer).

- BinPAC analyzers now interoperate with DPD (Robin Sommer).

- Some http.bro processing options are now exported so they can be
  accessed in other scripts (Robin Sommer).

- SMTP analysis now applies to port 587/tcp as well as 25/tcp (Robin Sommer).

- $conn is now set in ServerFound notices (Robin Sommer).

- You can now create empty sets and tables using set() and table(),
  i.e., the usual set/table constructors with no arguments (Vern Paxson).
  By themselves, these have an unspecified type - you can't use them
  directly other than to assign them.  For example,

	local bad_guys: set[addr];
	bad_guys = set();	# start over assuming no bad guys

- A number of scripts have been (slightly) simplified to use the
  new empty set()/table() constructors (Vern Paxson).  Note that
  these still aren't usable for field assignments in record constructors,
  nor for attributes like &default = ...

- Removed unused syntax for declaring sets based on a list of initial
  values (Vern Paxson).

- set() and table() can now be used as arguments to function calls
  (Vern Paxson).

- The vestigial &match attribute has been removed.

- POP3 is now recognized using Dynamic Protocol Detection (Seth Hall).

- The new event expected_connection_seen(c: connection, a: AnalyzerTag)
  is generated whenever a connection is seen for which we have previously
  scheduled an analyzer via expect_connection() (Robin Sommer).

- The new built-in capture_state_updates logs all changes applied to
  &synchronized variables, in a fashion similar to the capture_events()
  built-in (Robin Sommer).  An accompanying policy script,
  capture-state-updates.bro, turns this on to the file state-updates.bst.

- If the new script variable suppress_local_output is set (default: F),
  Bro suppresses printing to local files if there's a receiver for
  print_hook events (Robin Sommer).  This option is however ignored
  for files with a &disable_print_hook attribute.

- The new notice action filter function file_if_remote specifies
  that notices from sent from remote source addresses should
  have an action NOTICE_FILE (Robin Sommer).

- The new notice action filter function file_local_bro_notices specifies
  that notices generated by the local Bro instance (as opposed to a
  remote peer) should have an action NOTICE_FILE (Robin Sommer).

- An arbitrary tag can now be past to post-processors for log rotation
  (Robin Sommer).

- Default inactivity timeouts for interactive services shortened to 
  1 hour (Robin Sommer).

- The scanning variables distinct_{peers,ports,low_ports} are now
  redef'able (Robin Sommer).

- The new -S (--summary-only) option for site-report.pl directs to
  only generate connection summaries (Brian Tierney)

- More useful default config file for edit-brorule.pl (Brian Tierney).

- Bro now includes a test suite in testing/istate/ for its "independent
  state" functionality (Robin Sommer).

- Support for parallel builds via make -j (Christian Kreibich).

- Bro's default search path now includes includes policy/sigs/ and
  policy/time-machine/ (Robin Sommer).

- Bro's internal processing of interprocess communication has been
  significantly overhauled to prevent potentially fatal race conditions
  (Robin Sommer).

- Bro now checks calls to fmt() at compile-time to ensure that the
  correct number of arguments are present (Vern Paxson).  This is useful
  in addition to Bro's run-time checking for arguments matching their
  corresponding format-specifiers in the case of rarely-executed statements
  that might not generate such run-time checks in routine testing.

- The ports associated with Telnet and Rlogin are now redef'able (Robin Sommer).

- MIME processing now removes leading whitespace from MIME headers
  (Sanmeet Bhatia and Robin Sommer).

- TCP "weird" events reported by the connection compressor now match
  (other than a few rare corner-cases) those produced for normal TCP
  processing (rmkml and Robin Sommer).

- Added Scan::suppress_UDP_scan_checks to control false positives
  on scan detection in environments with P2P protocols that use UDP
  (Vern Paxson).

- The internal analyzer interface now includes an EndOfData() method that
  analyzers can use to report that all of a message has been delivered
  (Robin Sommer).

- Fix for a significant memory leak in processing UDP when using -w
  (Robin Sommer).  Note: this change turns off by default trace rewriting
  for generic UDP traffic.

- Two serious regular expression bugs fixed (Vern Paxson).  In the
  first, searching for a regular expression inside a string would
  fail if the pattern occurred only after an embedded newline.  In
  the second, insufficient buffer was allocated when compiling regular
  expressions, leading to memory corruption.

- Base64 decoding bug fixes (Christian Kreibich and Ruoming Pang).

- Automatic rotation of files is now disabled for contents files written
  by the TCP reassembler, which otherwise leads to mangled files
  (Robin Sommer).

- Bro now ships with an updated version of libpcap (0.9.8), which hopefully
  fixes problems managing trace files > 4 GB in size.

- Significant bug fixes for gzip- and deflate-encoded Web items (Robin Sommer).

- Bug fix for secondary-filter.bro (Vern Paxson).

- Removed a naming ambiguity regarding TCP states (Vern Paxson).

- Bug fix for signature scanner not matching all of its input (Vern Paxson).

- Bug fix for using port values in signatures (Robin Sommer).

- Minor policy script tweaks: state management for weird's, processing
  of Notice tags associated with connections, and dependencies for
  irc-bot.bro (Robin Sommer).

- aux/ portability fixes (Vern Paxson).

- Workarounds added for a BinPAC deficiency, which is that code in %cleanup
  clauses can also be executed during recovery from exceptions when parsing
  new data.  This means that any delete's or Unref()'s need to also set the
  corresponding pointer to nil (Vern Paxson).

- Bug fix for crashes with the non-BinPAC SSL analyzer (Robin Sommer).

- Tweak to peer-status.bro since Bro now requires events to be
  declared prior to reference in a "schedule" statement (Robin Sommer).

- The signature keyword "enable" now optionally accepts the syntax
  "foo:bar" to specify "activate analyzer bar as a child of analyzer foo"
  (Robin Sommer).  This is used for example for an XML-over-HTTP analyzer
  that's in the works.

- irc-bot-syslog.bro now uses open_log_file() for its log file (including
  the logging suffix) rather than a direct open (Vern Paxson).

- Bug fix for tracking Blaster across a Bro Cluster (Robin Sommer).

- Bug fix for the HTTP BinPAC analyzer chopping the trailing character
  off of HTTP headers when generating the http_all_headers event (Gregor Maier).

- Bug fix for HTTP chunked items for which the chunk size line was terminated
  by CRLF but the CR and LF came in separate packets (Gregor Maier).

- A bug has been fixed that would cause partial lines (for line-oriented
  protocols) to fail to be processed when a connection terminated
  (Robin Sommer).

- Bro no longer treats a signal arriving before a previous signal has
  been processed as fatal, nor does it attempt processing of a termination
  signal if seemingly there are no race conditions to worry about
  (Robin Sommer).  Both of these changes are an attempt to improve
  Bro's robustness.

- Fix for attributes such as &encrypt not working in initial declarations
  but only in later redef's (Seth Hall and Robin Sommer).

- Fixes for memory leaks in SSL processing (Seth Hall and Robin Sommer).

- Fix for POP3 analyzer to not treat lines like "<space>." as message
  terminators (Robin Sommer).

- Bug fix for crashes arising from nil pointers in list expressions
  (Seth Hall and Robin Sommer).

- Bug fix: a signature's "enable" would activate the corresponding analyzer
  even if no event handlers were defined for it (Robin Sommer).

- Bug fixes to prevent crashes when mixing set_contents_file() with
  subsequent explicit close(), and to ensure all data written to
  file upon connection tear-down (Gert Doering and Robin Sommer).

- Configuration support for MacPorts and Fink package management systems
  (Christian Kreibich & Vern Paxson).

- Communication-only Bro's now send out email alarms (Robin Sommer).

- Writes to a file that fail due are now run-time errors rather than
  fatal internal errors, since often these occur due to the disk
  being full (Robin Sommer).

- Byte-order bug fix for lookup_location() (Robin Sommer).

- BinPAC portability fix for 64-bit machines (Bernhard Ager and Robin Sommer).

- Portability fixes for newer versions of gcc (Jan Gerrit Goebel and
  Robin Sommer).

- Some support for porting to Solaris (Stephan Toggweiler).

- Connection compressor bug fix for source and destination having the
  same IP address, such as when monitoring loopback (Robin Sommer).

- Connection compressor bug fix for connections with multiple SYNs
  (Robin Sommer).

- Bug fix for using already-declared local variables for looping
  over vectors in a "for" loop (Robin Sommer & Vern Paxson).

- Bug fix for not processing truncated UDP packets (Tom Kho and Robin Sommer).

- Bounds-check added to BinPAC-generated code (Tom Kho and Robin Sommer).

- Bug fix for checking whether an IPv6 address is part of a subnet
  (Seth Hall).

- Bug fixes for crashes relating to asynchronous DNS lookups performed
  at start-up (Robin Sommer).  These changes also lowered the timeout
  before assuming failure from 20 seconds down to 5 seconds.

- Portability and const-ness fixes (Kevin Lo and Robin Sommer).

- Suppression of some content-gap complaints when running on traces
  that have been filtered down to only TCP control packets (Robin Sommer).

- Removed unnecessary dependency in notice-action-filters.bro
  that led to errors when loading icmp.bro by itself (Vern Paxson).

- Bug fix for potential infinite loop in client communiation (Robin Sommer).

- Bug fix in reference counting that could eventually lead to roll-over
  (Robin Sommer).

- Bug fix in communication initialization (Robin Sommer).

- Internal documentation fix: timers are specified using absolute time,
  not relative (Robin Sommer).

- Performance improvement for built-in find_all() function when running
  on large strings (Robin Sommer).

- Memory leak fixes (Robin Sommer, Bernhard Ager, Christian Kreibich).

- Bug fix for error recovery when encountering an unknown link layer
  (Bernhard Ager).

- Bug fix for reversing client & server in a connection (Po-Ching Lin).

- Bug fix for packet_contents when capture length exceeds the IP payload
  length due to Ethernet frame padding (Christian Kreibich).

- Bug fix for tcp_packet event erroneously including Ethernet padding
  in its contents (Vern Paxson).

- Bug fix for lookup_connection built-in (Seth Hall).

- Portability nit for libedit tarball (Vern Paxson).

- Broccoli portability fix for NetBSD (Christoph Leuzinger).

- Type-checking for script-level event invocation was completedly broken -
  now fixed (Vern Paxson).

- Portability fixes for different versions of g++/STL (Nicholas Weaver
  and Vern Paxson).

- Fix for dynamic detection of SSL via DPD (Robin Sommer).

- IPv6 portability fix for BinPAC-based DNS analyzer (Vern Paxson).
  Note, more portability work is needed for it.

- Bug fix for bifcl error messages (Vern Paxson).

- Minor bug fix for remote communication, plus some improved communication
  logging (Robin Sommer).

- Bug fix for &printhook (Robin Sommer).

- Bug fix for error message output (Robin Sommer).

- Bug fix for termination cleanup (Robin Sommer).

- Bug fix for some Rlogin corner cases (Robin Sommer & Vern Paxson).

- Bug fix for bifcl generation of "interval" types (Vern Paxson).

- Bug fix for getting connection memory statistics when Bro is
  exiting (Robin Sommer).

- Config fix: --enable-debug now turns off -O2 for gcc (Robin Sommer).

- Bug fixes for "heavy" analysis (Vern Paxson).

- Broccoli bug fixes for types net and port (Robin Sommer).

- Bug fixes for Telnet environment options (Robin Sommer).

- Bug fix for accessing remote peer description (Robin Sommer).

- A fix for the connection compressor generating new_connection too
  late (Robin Sommer).

- Fixes for DAG support, including configuration and multiple
  interfaces (Robin Sommer).

- Bug fix for serializing time-stamps of table entries (Robin Sommer).

- Bug fix for dealing with peer IDs for remote communication (Robin Sommer).

- Bug fix to avoid installing timers when timers have already
  been canceled (Robin Sommer).

- Bug fix for interplay between serializing connections and
  connection compressor (Robin Sommer).

- Memory leak fix for enum's (Robin Sommer).

- Bug fix for files being closed prior to bro_done() (Vern Paxson).

- aux/broccoli/contrib was not included in distribution (Robin Sommer).

- Auto-configuration bug fix for BinPAC (Craig Leres).

- Bug fix for dynamic protocol detection (Robin Sommer).

- A number of configuration fixes for installation and portability
  (Christian Kreibich, Brian Tierney, Robin Sommer, Dan Kopecek).

More information about the Bro mailing list