new bro "CURRENT" release - 0.8a57

Vern Paxson vern at icir.org
Tue Dec 9 10:21:12 PST 2003


An updated "CURRENT" version of Bro is now available from the usual location:

	ftp://ftp.ee.lbl.gov/bro-pub-0.8-current.tar.gz

I've appended the changes between it and the last "CURRENT" version (0.8a48).

		Vern


-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


0.8a57 Tue Dec  9 10:14:30 PST 2003

- The format of Bro's connection summaries is changing.  The new format
  looks like

	  1069437569.904605 0.230644 1.2.3.4 5.6.7.8 http 59377 80 tcp 610 275 S3 L

  That is, <timestamp>, <duration>, <originator address>, <responder address>,
  <service>, <originator port>, <responder port>, <originator bytes>,
  <responder bytes>, <connection state>, <flags>.  (Robin Sommer)

  The script variable traditional_conn_format=T specifies to use the old
  format rather than this new one.  This is *currently* the default, but
  will change soon to default to F instead.  If you have comments on this
  new format, we'd like to hear them.

- The SigAction's available in signatures.bro have been extended (Robin Sommer).
  SIG_FILE_BUT_NO_SCAN is like SIG_FILE but without any horizontal/vertical
  processing; SIG_LOG_ONCE logs only an alert only the first time it occurs;
  SIG_LOG_PER_ORIG logs only the first instance of an alert generated by a
  particular originator; SIG_COUNT has been renamed SIG_COUNT_PER_RESP; and
  SIG_SUMMARY suppresses logging of individual alerts but generates a
  per-originator summary.

- A new -p option for snort2bro tells it to only process signatures that
  include matching on payload (Robin Sommer).

- You can now explicitly include or exclude particular SIDs when
  running snort2bro by specifying a configuration file via -c (Robin
  Sommer).  The format is simple, just "include" or "ignore" followed
  by the SID number:

	# sid-526 BAD TRAFFIC data in TCP SYN packet 
	ignore	526 

	# sid-623 matches a null-flags stealth scan.  Include it even
	# if we build with -p, since it doesn't tend to generate any
	# false positives.
	include	623

  The new "snort2bro.cfg" file gives examples (i.e., the above).

- Bro can now serialize functions and event handlers, meaning that these
  can be passed as values between Bro's and dumped using -g (Robin Sommer).
  One of the main goals in supporting this is to allow in situ alteration
  of the Bro's configuration (e.g., you can edit a function and change its
  functioning and have a running Bro pick up the change without having to
  stop and be restarted).  Such dynamic reconfiguration is experimentally
  supported via -g <dir> (see below).

- &persistent state is now stored in the *directory* given by state_dir
  (default: "./.state"), one file per variable, rather than a single file
  (Robin Sommer).

- Storing &persistent state to disk is now done incrementally: after writing
  each file, there's a delay of state_write_delay (default: 0.1 secs) before
  working on the next file (Robin Sommer). This may introduce small
  inconsistencies, but prevents load spikes that can lead to packet drops.
  Currently, there is no mechanism to incrementally store a single variable
  (like a large table), although there is already some framework in place
  to eventually support this.

- The *experimental* new -g <dir> option dumps the script-level configuration
  (excluding things defined in internal default scripts like bro.init)
  into the directory <dir>. These files may be printed with "bro -x <file>",
  or copied into the state_dir of a running Bro, which will then pick up
  the change if it has loaded checkpoint.bro.  (When picking up changes,
  event handlers are always added, while functions, types, and variables
  replace the current ones).

- Table values are now incrementally expired rather than all at once
  (Robin Sommer).  That is, if the expiration timer goes off and hundreds
  of values should now be expired, the work of doing so is spread over
  chunks of table_expire_size (default: 50) at a time, separated by a
  delay of table_expire_delay (default: 0.1 secs).  This change aims to
  prevent large processing spikes that can lead to packet drops.

- New built-ins sub() and gsub() act like awk's functions of the same
  name, changing substrings (either first, or all) that match a given
  regular expression to a given target string.  (Note, the calling sequence
  differs from the order used by awk.)

- The new auxiliary script aux/scripts/mvlog is a handy way to manage
  checkpointed logs.  See the script for documentation.

- The &expire_func function now takes two arguments.  The second is
  of type "any" and corresponds to the index(es) of the element being
  expired.  To access the individual indices, you use a new assignment form:

	[a, b, c] = index_val;

  (where index_val is the second argument of type "any").  This assigns
  a to the first index, b to the second, and c to the third.  NOTE: the
  use of "any" types here is *temporary* and will be changing in the
  future to a general "tuple" notion.  (Robin Sommer)

- scan.bro and conn.bro have been reworked to consume less memory and to
  support more flexible state expiration (Robin Sommer).

- The new builtin rescan_state() causes Bro to re-read any persistent
  data values (Robin Sommer).

- snort2bro now supports continued lines ("\<newline>") (Robin Sommer).

- The calling sequences of the software_version_found() and
  software_parse_error() events has changed, and a new event,
  software_unparsed_version_found(), is invoked for raw version
  strings (i.e., the version string prior to the event engine
  attempting to parse it into version/major/minor) (Robin Sommer).

- Software version tracking for clients now tracks all versions, not just
  the latest version (Robin Sommer).

- alert_info records now include an optional field event_src, which is the
  source of the event if it was received from an external Bro (Robin Sommer).

- Regular expressions now support {} iteration values of 0, and generate
  better error messages.

- Output generated by icmp.bro is now redirected into an "icmp" log file
  (Robin Sommer).

- autoconf tweaks for configuring OpenSSL on Linux (Ruoming Pang, Robin Sommer).
  Tested on RedHat (thanks to Anton Chuvakin), Debian, FreeBSD, Solaris.

- You can now turn off using OpenSSL even if the OS supports it, via
  configuring with --disable-openssl (Robin Sommer).

- Variable size computations (per global_sizes()) are now more accurate
  (Robin Sommer).

- A bug with combining file encryption and log rotation has been
  fixed (Robin Sommer).

- A problem tracking directionality in signatures fixed (Robin Sommer).

- Bro now continues running if DNS is not functioning (Robin Sommer).

- Rewriter memory use has been significantly reduced (Ruoming Pang).

- Some bugs with -A/-w interaction have been fixed (Ruoming Pang).



More information about the Bro mailing list