From johanna at icir.org Wed Feb 14 09:42:10 2018
From: johanna at icir.org (Johanna Amann)
Date: Wed, 14 Feb 2018 09:42:10 -0800
Subject: [Bro-Announce] Bro 2.5.3 release (security update)
Message-ID: <20180214174210.7jxxtf4bpjg2shlh@Beezling.local>

We announce the release of Bro v2.5.3. The new version is now available for download at:

https://bro.org/download/index.html

or directly at:

https://www.bro.org/downloads/bro-2.5.3.tar.gz

Binary packages for the new version are currently building and will be available in the next hours at:

https://bro.org/download/packages.html

This is a security release that fixes an integer overflow in code generated by binpac. This issue can be used by remote attackers to crash Bro (i.e. a DoS attack). There also is a possibility this can be exploited in other ways.

This bug was found by Philippe Antoine of Catena cyber. A CVE will be assigned to this bug.

Bro 2.5.3 does not contain any other changes. We urge everyone to update their installation as quickly as possible.

Johanna

From jsiwek at corelight.com Tue Jun 5 14:48:50 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Tue, 5 Jun 2018 16:48:50 -0500
Subject: [Bro-Announce] Bro 2.5.4 release (security update)
Message-ID:

We announce the release of Bro v2.5.4. The new version is now available for download at:

https://bro.org/download/index.html

or directly at:

https://www.bro.org/downloads/bro-2.5.4.tar.gz

Binary packages for the new version are currently building and will be available in the next hours at:

https://bro.org/download/packages.html

This release has the following security fixes:

* Incorrect array parsing behavior in BinPAC-generated code with potential for remotely-triggerable buffer over-reads, invalid memory accesses, or assertions in Bro analyzers.

* The NCP analyzer could, depending on packet input, overflow signed integer storage and use the result in a subsequent memory allocation leading to crashes. Note that the NCP analyzer was not enabled by default and that it also was not properly updated to use newer Bro analyzer APIs, so the impact of this issue is limited to only those who may have done their own patching to get the NCP analyzer working in the first place.

There's also the following bug fixes:

* Fix a memory leak in the SMBv1 analyzer.

* General fixes for the MySQL analyzer. This update is included to avoid the appearance of a regression in the analyzer's output/functionality due to having relied on the previous, incorrect behavior of BinPAC.

Please update your Bro installations as soon as possible.

From johanna at icir.org Wed Jul 11 15:35:45 2018
From: johanna at icir.org (Johanna Amann)
Date: Wed, 11 Jul 2018 15:35:45 -0700
Subject: [Bro-Announce] Save the Date: Bro Workshop Europe (@KIT, Karlsruhe, Germany, September 18th & 19th)
Message-ID: <20180711223545.fqpvxdqormiyltbk@Trafalgar.local>

Dear Bro Community,

We are excited to announce the first Bro Workshop in Europe (which simultaneously is the first official Bro event outside of the USA).
The workshop will be held at the Karlsruhe Institute of Technology (KIT) in Karlsruhe, Germany on Tuesday September 18th and Wednesday September 19th.

The workshop is a one-day event split in two half-days to allow easy traveling for participants in Europe: the program will start at noon/the early afternoon on Tuesday and end after lunch on Wednesday.

The workshop aims to bring together the Bro user community in Europe for which traveling to the US-based events has often been difficult. This will be a smaller, more informal event; we expect 30 to 50 attendees.

Registration will open within the next week. We will send another email once this happens.

The program will feature a mixture of external talks and talks of the Bro development team; several members of the team will attend the workshop.

If you are interested in giving a talk at the Workshop, please send an email to info at bro.org.

We thank the Decentralized Systems and Network Services Research Group for hosting us at KIT and extend special thanks to Jan Grashöfer who has put a lot of work into making this possible.

Johanna

From robin at icir.org Thu Jul 26 11:15:21 2018
From: robin at icir.org (Robin Sommer)
Date: Thu, 26 Jul 2018 11:15:21 -0700
Subject: [Bro-Announce] BroCon 2018: Early bird deadline extended to Aug 10
In-Reply-To: <20180530222651.GH1911@icir.org>
References: <20180530222651.GH1911@icir.org>
Message-ID: <20180726181521.GA8385@icir.org>

Early bird registration for BroCon 2018 has been extended to August 10. Register here:

https://www.brocon2018.com/event/begin

The program will be up shortly, the leadership team is currently reviewing the proposals it received.

BroCon 2018 will take place October 10-12, in Arlington, VA. It offers the Bro community a chance to meet face-to-face, share new ideas and developments, and better understand and secure their networks. The conference is composed of presentations from members of the community and the Bro development team.
Looking forward to seeing everybody there,

Robin

From jsiwek at corelight.com Wed Aug 29 14:25:19 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Wed, 29 Aug 2018 16:25:19 -0500
Subject: [Bro-Announce] Bro 2.5.5 release (security update)
Message-ID:

We announce the release of Bro v2.5.5. The new version is now available for download at:

https://bro.org/download/index.html

or directly at:

https://www.bro.org/downloads/bro-2.5.5.tar.gz

Binary packages for the new version are currently building and will be available in the next hours at:

https://bro.org/download/packages.html

This release has the following security fixes:

* Fix array bounds checking in BinPAC: for arrays that are fields within a record, the bounds check was based on a pointer to the start of the record rather than the start of the array field, potentially resulting in a buffer over-read.

* Fix SMTP command string comparisons: the number of bytes compared was based on the user-supplied string length and can lead to incorrect matches. e.g. giving a command of "X" incorrectly matched "X-ANONYMOUSTLS" (and empty commands match anything).

The following changes address potential vectors for Denial of Service reported by Christian Titze & Jan Grashöfer of Karlsruhe Institute of Technology:

* "Weird" events are now generally suppressed/sampled by default according to some tunable parameters (see the changelog for more details). These changes help improve performance issues resulting from excessive numbers of weird events.

* Improved handling of empty lines in several text protocol analyzers that can cause performance issues when seen in long sequences.

* Add 'smtp_excessive_pending_cmds' weird which serves as a notification for when the "pending command" queue has reached an upper limit and been cleared to prevent one from attempting to slowly exhaust memory.

Please update your Bro installations as soon as possible.
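
The SMTP command comparison flaw named in the 2.5.5 announcement above, shown beside a length-checked comparison. This is an added illustration, not code from Bro or from the announcement; the function names and the command table are constructed for the example.

```c
/* Added illustration, not Bro source: names and command table are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

typedef int (*matcher)(const char *in, size_t in_len, const char *known);

/* Flawed: the byte count comes only from the client-supplied length, so any
 * prefix of a known command (including the empty string) compares equal. */
static int match_flawed(const char *in, size_t in_len, const char *known) {
    return strncasecmp(in, known, in_len) == 0;
}

/* Hardened: the lengths must agree before the bytes are compared. */
static int match_strict(const char *in, size_t in_len, const char *known) {
    return in_len == strlen(known) && strncasecmp(in, known, in_len) == 0;
}

static const char *const KNOWN[] = { "EHLO", "MAIL", "RCPT", "DATA",
                                     "STARTTLS", "X-ANONYMOUSTLS", "QUIT" };
#define N_KNOWN (sizeof KNOWN / sizeof KNOWN[0])

/* Index of the first table entry the matcher accepts, or -1. */
static int lookup(matcher m, const char *in, size_t in_len) {
    for (size_t i = 0; i < N_KNOWN; i++)
        if (m(in, in_len, KNOWN[i])) return (int)i;
    return -1;
}

/* Number of table entries the matcher accepts for one input. */
static int count_matches(matcher m, const char *in, size_t in_len) {
    int n = 0;
    for (size_t i = 0; i < N_KNOWN; i++)
        n += m(in, in_len, KNOWN[i]) ? 1 : 0;
    return n;
}

int main(void) {
    const char *samples[] = { "X", "", "x-anonymoustls", "MAILX" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = strlen(samples[i]);
        printf("\"%s\": flawed idx=%d (%d hits), strict idx=%d\n", samples[i],
               lookup(match_flawed, samples[i], len),
               count_matches(match_flawed, samples[i], len),
               lookup(match_strict, samples[i], len));
    }
    return 0;
}
```
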

From johanna at icir.org Tue Nov 6 07:36:46 2018
From: johanna at icir.org (Johanna Amann)
Date: Tue, 6 Nov 2018 22:36:46 +0700
Subject: [Bro-Announce] Zeek (Bro) Workshop Europe 2019 - Registration open
Message-ID: <20181106153645.zvqilb4qwktci673@dhcp-9e80.meeting.ietf.org>

Hi,

the registration for the Zeek Workshop Europe 2019 (April 9–11 @CERN, Geneva, Switzerland) is now open. To register, please visit https://indico.cern.ch/event/762505/ (this is also linked from https://bro.org).

The workshop is a two-day event, split over three days to allow easy traveling for participants in Europe: the program will start with lunch on Tuesday and will end after lunch on Thursday.

The program will consist of talks by the Bro development team and external contributors. As in our last event, a large part of the development team will be attending the workshop.

We will send followup messages to bro at bro.org once a more detailed program is available.

If you are interested in giving a talk at the Workshop, please send an email to info at bro.org.

Johanna

From jsiwek at corelight.com Thu Nov 29 10:25:11 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 29 Nov 2018 12:25:11 -0600
Subject: [Bro-Announce] Bro 2.6 release
Message-ID:

Bro v2.6 is now released and available for download:

https://www.bro.org/download/index.html
https://www.bro.org/downloads/bro-2.6.tar.gz

The most significant change to be aware of is that Bro has switched to using the new Broker communication library. As a result, user-written scripts related to cluster operation or remote communication that worked in previous versions may require porting to new APIs. Please read the release notes carefully for helpful porting tips or other changes relevant to the upgrade process:

https://www.bro.org/sphinx/install/release-notes.html

Also note that the Bro project is in the process of being renamed to Zeek, however, the software distribution for this release is still named Bro. There's not yet been any related naming changes that alter usage for any provided tools or APIs.

From johanna at icir.org Wed Dec 19 04:38:42 2018
From: johanna at icir.org (Johanna Amann)
Date: Wed, 19 Dec 2018 13:38:42 +0100
Subject: [Bro-Announce] Zeek mailing list renaming and outage
Message-ID: <20181219123842.eizalnmhjjwdm5tp@Tranquility.fritz.box>

Hello everyone,

As part of renaming Bro to Zeek, we are going to change the addresses and names of all our mailing lists.

The important thing first: this change is going to happen tomorrow (Thursday), 12/20. The mailing list rename will happen during a system maintenance window at ICSI (which is hosting the mailing list). Thus the mailing lists (including the archives) will be unavailable for a few hours during the day on Thursday. Mails sent to the lists during this time should be queued and delivered when the system is back up.

The current Bro mailing lists will be renamed as follows:

bro at bro.org -> zeek at zeek.org
bro-dev at bro.org -> zeek-dev at zeek.org
bro-commits at bro.org -> zeek-commits at zeek.org
bro-announce at bro.org -> zeek-announce at zeek.org

Similarly we will change the mailing list subject tags from Bro to Zeek.

There will be redirects from the old mailing list names to the new ones, so mails sent to the old addresses will not be lost.

Johanna

From jsiwek at corelight.com Wed Dec 19 10:24:28 2018
From: jsiwek at corelight.com (Jon Siwek)
Date: Wed, 19 Dec 2018 12:24:28 -0600
Subject: [Bro-Announce] Bro 2.6.1 release
Message-ID:

Bro v2.6.1 is available for download:

https://www.zeek.org/download/index.html
https://www.zeek.org/downloads/bro-2.6.1.tar.gz

This release updates the embedded SQLite to version 3.26.0 to address the "Magellan" remote code execution vulnerability. The stock Bro configuration/scripts don't use SQLite by default, but custom user scripts/packages may.

This release also updates Broker to v1.1.2, which includes a minor bug fix in its Python bindings and improved support for building it as a static library.