new Bro releases

Vern Paxson vern at icir.org
Fri Jun 11 01:13:50 PDT 2004


New CURRENT (0.9a2) and STABLE (0.8a86) releases are now available from:

	ftp://bro-ids.org/bro-pub-0.9-current.tar.gz
	ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz

The CURRENT release has a large number of changes, per the appended.
The STABLE release fixes the following bugs:

> - A bug has been fixed in which contents files might not be correctly
>   written upon termination of Bro (Ruoming Pang).
> 
> - A bug has been fixed in which UDP connections didn't generate
>   new_connection events (Ruoming Pang).
> 
> - Support for the Linux "cooked capture" link layer (Ruoming Pang).
> 
> - A serious low-level Dictionary bug has been fixed (Christian Kreibich).
> 
> - A bug that could cause Bro to crash if it receives an event from another
>   Bro that it isn't able to process has been fixed (Christian Kreibich).
> 
> - A bug in setting file descriptors non-blocking has been fixed
>   (Christian Kreibich).
> 
> - A bug that could cause some error messages to generate crashes has
>   been fixed.

per the appended diffs.

		Vern


-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


0.9a2 Fri Jun 11 00:07:04 PDT 2004

- NetBIOS analysis has been extended with a CIFS/SMB analyzer (Ruoming Pang).
  While this is incomplete, it has many important elements.  The corresponding
  events:

	smb_message(c: connection, is_orig: bool, cmd: string, msg: string)
	smb_com_tree_connect_andx(c: connection, path: string, service: string)
	smb_com_nt_create_andx(c: connection, name: string)
	smb_com_transaction(c: connection, is_orig: bool, subcmd: count,
				name: string, data: string)
	smb_com_transaction2(c: connection, is_orig: bool, subcmd: count,
				name: string, data: string)
	smb_com_read_andx(c: connection, is_orig: bool, data: string)
	smb_com_write_andx(c: connection, is_orig: bool, data: string)

  This analyzer is still experimental.

- Greater support for vectors (Umesh Shankar), much of it taken from
  the 'S' language.

  You can use a boolean vector as an index into another vector (providing
  both are the same length), and each 'T' value in the index extracts the
  corresponding element from the indexed vector.  For example, "x[x > 3]"
  returns a vector whose elements are those elements of x that are greater
  than 3, while if y is a vector of the same length as x then "y[x > 3]"
  extracts those elements of y that have the same position as the elements
  in x that are greater than 3.

  You can also use an arithmetic vector to index another vector.  Each
  element present in the index is extracted.  So, for example:

	global a: vector of count;
	global b: vector of string;

	a[1] = 3;
	a[2] = 3;
	a[3] = 1;

	b[1] = "foo";
	b[2] = "bar";
	b[3] = "bletch";

	print b[a];

  prints:

	[bletch, bletch, foo]

- The new built-ins any_set() and all_set() return true if, for a given
  boolean vector, any element is true or all of the elements are true,
  respectively (Umesh Shankar).  So, for example, "any_set(x < 0)" returns
  T if any element of x is less than zero.

- The new built-in sort() takes a vector as an argument and sorts it
  *in place* (Umesh Shankar).  (The in-place semantics may change in the
  future.)  An optional second argument can be used to specify a
  function to call for comparing elements, and is required for non-arithmetic
  vectors.  For example, the following could be used to sort a vector
  of strings based solely on the length of the strings:

	function string_compare(a: string, b: string): int
		{
		# Compare on byte length only.  The result is negative,
		# zero or positive, like strcmp(); all three cases must
		# be covered or the sort will treat distinct lengths as equal.
		local la = byte_len(a);
		local lb = byte_len(b);

		return (la < lb) ? -1 : ((la > lb) ? 1 : 0);
		}

- The new function order() has the same calling sequence as sort(),
  but instead of returning (and altering in place) the sorted vector,
  it returns a "vector of count" giving the *indices* that if used
  to index the vector will return it sorted.  So, for example,
  given two vectors x and y of the same length (but not necessarily
  of the same type),

	local x_sort_indices = order(x);
	x = x[x_sort_indices];
	y = y[x_sort_indices];

  will assign x to a sorted version of itself and also rearrange y such
  that elements of y that were paired with elements of x originally
  remain paired after the sorting.
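  As an added illustration, not taken from the release notes or the Bro
  distribution, the following policy script puts the vector items above
  together: a boolean mask index, any_set(), order() to co-sort two vectors,
  and sort() with a comparator.  It assumes the 1-based indexing and the
  built-in signatures described in these notes; the byte counts and peer
  addresses are constructed sample data.

```bro
# Added example, not part of the 0.9a2 release notes or distribution.
# Assumes the vector semantics described in the notes (1-based indices,
# mask indexing, any_set(), order(), and sort() with a comparator).

global bytes_xferred: vector of count;
global peers: vector of string;

# Comparator for sort()/order() on a non-arithmetic vector: orders
# strings by length only, returning -1, 0 or 1 for the three cases.
function by_length(a: string, b: string): int
	{
	local la = byte_len(a);
	local lb = byte_len(b);

	return (la < lb) ? -1 : ((la > lb) ? 1 : 0);
	}

event bro_init()
	{
	# Constructed sample data: bytes moved per connection and the peer host.
	bytes_xferred[1] = 4200;
	bytes_xferred[2] = 17;
	bytes_xferred[3] = 99000;

	peers[1] = "10.0.0.5";
	peers[2] = "10.0.0.9";
	peers[3] = "10.0.0.2";

	# Boolean mask index: keep the peers whose transfers exceeded 1000 bytes.
	print peers[bytes_xferred > 1000];

	# any_set() reduces the boolean vector to a single flag.
	if ( any_set(bytes_xferred > 50000) )
		print "at least one transfer over 50000 bytes";

	# order() gives the permutation that sorts bytes_xferred; applying the
	# same index vector to peers keeps each peer paired with its byte count.
	local idx = order(bytes_xferred);
	bytes_xferred = bytes_xferred[idx];
	peers = peers[idx];
	print bytes_xferred;
	print peers;

	# sort() on a vector of strings needs a comparator, and sorts in place.
	sort(peers, by_length);
	print peers;
	}
```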

- The ICMP analyzer now has a general notion of "context", i.e., the packet
  associated with ICMP status messages such as Unreachable or Time Exceeded
  (Ruoming Pang).  This changes the parameters to the icmp_unreachable
  event.  A new event, icmp_time_exceed, is now also available.

- The tcp_segment event has been replaced by a pair of new events (Ruoming Pang):

	tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
			ack: count, len: count, payload: string)

  is invoked for each TCP packet.  "flags" is a string containing "SFAPU"
  for the SYN/FIN/etc TCP flags.

	tcp_contents(c: connection, is_orig: bool, seq: count,
			contents: string)

  is invoked for each chunk of the byte-stream that has been reassembled
  in sequence, providing it satisfies tcp_content_delivery_ports_{orig,resp},
  per the next item.

- You can specify the set of ports for which contents should be reassembled
  for the originator (responder, respectively) stream using the new sets
  tcp_content_delivery_ports_{orig,resp} (Ruoming Pang).  This can be
  useful for user-level stream analysis for protocols not known to Bro's
  event engine.  These controls may change to a "table of bool" in the future,
  in order to support an &default attribute.

- New built-in functions (Ruoming Pang):

	function interval_to_double(i: interval): double
		Converts a value of type "interval" to "double".

	function write_file(f: file, data: string): bool
		Writes the given string to the given file, returning
		F on error.

	function is_ascii(str: string): bool
		Returns T if the given string consists entirely of
		ASCII characters (i.e., in the range 0..127).

	function sqrt(x: double): double
		Returns the square-root of x, or -1 and a run-time error
		if x is < 0.

	function uuid_to_string(uuid: string): string
		Takes a UUID and returns its string representation, where
		UUID = Universal Unique Identifier as defined per
		http://www.opengroup.org/onlinepubs/9629399/apdxa.htm#tagcjh_20

	function string_to_ascii_hex(s: string): string
		Returns the ASCII hex representation of the given string.
		For example, string_to_ascii_hex("foo") returns "666f6f".

	function match_pattern(s: string, p: pattern): pattern_match_result
		Matches the given pattern against the given string, returning
		a record with three fields:

			matched: bool;	# T if a match was found, F otherwise
			str: string;	# portion of string that first matched
			off: count;	# 1-based offset where match starts

		For example,
			match_pattern("foobar", /o*[a-k]/)
		returns
			[matched=T, str=f, off=1]
		because the *first* match is for zero o's followed by an [a-k],
		while
			match_pattern("foobar", /o+[a-k]/)
		returns
			[matched=T, str=oob, off=2]

- Functions that terminate without returning a value when they were declared
  to do so now generate a run-time warning (Christian Kreibich).  Functions
  in the standard set of policy scripts that did this have been fixed.

- The new event non_dns_request(c: connection, msg: string) is generated
  to make the contents of malformed DNS requests available for analysis,
  on the assumption that these are actually some other protocol entirely
  (Ruoming Pang).

- If you redef truncate_http_URI to have a value >= 0, then any HTTP
  URIs generated by the event engine will be truncated to this length
  (Ruoming Pang).  This can be convenient when analyzing traffic that
  generates huge URIs (as do some automated attacks).

- "SEARCH" is now recognized as a standard HTTP method (Ruoming Pang).

- The new event connection_EOF(c: connection, is_orig: bool) is generated
  when one side of a connection closes (Ruoming Pang).

- synflood.bro and the corresponding event engine internals now work
  in terms of probabilities (0.0-1.0) instead of percentages (0-100)
  (Robin Sommer).  The script has had several tweaks, including using
  new_connection() rather than connection_attempt(), which gives it
  quicker response and broader coverage (it'll detect non-TCP flooding,
  too, so "synflood" is now a bit of a misnomer), at the cost of perhaps
  more CPU load.

- A signature for Witty has been added to policy/sigs/worm.sig (Ruoming Pang).

- Makefile now has a "test" target.  Currently this only works for internal
  development (we haven't put together a public test suite yet; that will
  take some time due to the need to make sure no sensitive information leaks).

- The built-in function generator now knows about "double" as a built-in type
  (Ruoming Pang).

- Some generated files have been removed from the Bro distribution since
  they're redundant (Ruoming Pang).

- A bug has been fixed in which contents files might not be correctly
  written upon termination of Bro (Ruoming Pang).

- A bug has been fixed in which UDP connections didn't generate
  new_connection events (Ruoming Pang).

- Support for the Linux "cooked capture" link layer (Ruoming Pang).

- BPF support has been factored into a separate class, BPF_Program, which
  makes for easier portability (Christian Kreibich).

- A serious low-level Dictionary bug has been fixed (Christian Kreibich).

- A bug that could cause Bro to crash if it receives an event from another
  Bro that it isn't able to process has been fixed (Christian Kreibich).

- A bug in setting file descriptors non-blocking has been fixed
  (Christian Kreibich).

- A bug that could cause some error messages to generate crashes has
  been fixed.

- The global skip_event_tcp_option has been removed.


-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

diff -ru bro-pub-0.8a85/CHANGES bro-pub-0.8a86/CHANGES
--- bro-pub-0.8a85/CHANGES	Sun Jun  6 10:42:54 2004
+++ bro-pub-0.8a86/CHANGES	Fri Jun 11 01:01:53 2004
@@ -3,6 +3,28 @@
 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
 
+0.8a86 Fri Jun 11 01:01:49 PDT 2004
+
+- A bug has been fixed in which contents files might not be correctly
+  written upon termination of Bro (Ruoming Pang).
+
+- A bug has been fixed in which UDP connections didn't generate
+  new_connection events (Ruoming Pang).
+
+- Support for the Linux "cooked capture" link layer (Ruoming Pang).
+
+- A serious low-level Dictionary bug has been fixed (Christian Kreibich).
+
+- A bug that could cause Bro to crash if it receives an event from another
+  Bro that it isn't able to process has been fixed (Christian Kreibich).
+
+- A bug in set file descriptors non-blocking has been fixed
+  (Christian Kreibich).
+
+- A bug that could cause some error messages to generate crashes has
+  been fixed.
+
+
 0.8a85
 
 - 0.8a85 is the new STABLE release, to be updated only for bug (and
diff -ru bro-pub-0.8a85/ChunkedIO.cc bro-pub-0.8a86/ChunkedIO.cc
--- bro-pub-0.8a85/ChunkedIO.cc	Wed May 26 22:00:28 2004
+++ bro-pub-0.8a86/ChunkedIO.cc	Fri Jun 11 00:56:46 2004
@@ -1,4 +1,4 @@
-// $Id: ChunkedIO.cc,v 1.11 2004/05/27 05:00:19 vern Exp $
+// $Id: ChunkedIO.cc,v 1.12 2004/06/10 23:27:16 vern Exp $
 
 #include <unistd.h>
 #include <fcntl.h>
@@ -37,14 +37,22 @@
 
 ChunkedIOFd::ChunkedIOFd(int arg_fd)
 	{
+	int flags;
+
 	fd = arg_fd;
 	eof = 0;
 	last_flush = current_time();
 
-	if ( fcntl(fd, F_SETFL, O_NONBLOCK) < 0 )
+	if ( (flags = fcntl(fd, F_GETFL, 0)) < 0)
+		{
+		error(fmt("can't obtain socket flags: %s", strerror(errno)));
+		exit(1);
+		}
+
+	if ( fcntl(fd, F_SETFL, flags|O_NONBLOCK) < 0 )
 		{
 		error(fmt("can't set fd to non-blocking: %s (%d)",
-			strerror(errno), getpid()));
+			  strerror(errno), getpid()));
 		exit(1);
 		}
 
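Review bot: the new error text "can't obtain socket flags" in the ChunkedIOFd constructor is misleading, since this object wraps an arbitrary fd (the message two lines below correctly says "fd"); use "can't obtain fd flags" so a failure is attributed to the right object. Two style nits on the same lines: `< 0)` lacks the space before `)` that the rest of this file uses (`< 0 )`), and `flags|O_NONBLOCK` would read better as `flags | O_NONBLOCK`. The substance of the change is right: reading F_GETFL first means O_NONBLOCK is added to the existing flags rather than replacing them.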
@@ -570,10 +578,18 @@
 			SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
 		}
 
-	if ( fcntl(socket, F_SETFL, O_NONBLOCK) < 0 )
+	int flags;
+
+	if ( (flags = fcntl(socket, F_GETFL, 0)) < 0)
+		{
+		error(fmt("can't obtain socket flags: %s", strerror(errno)));
+		return false;
+		}
+
+	if ( fcntl(socket, F_SETFL, flags|O_NONBLOCK) < 0 )
 		{
 		error(fmt("can't set socket to non-blocking: %s",
-			strerror(errno)));
+			  strerror(errno)));
 		return false;
 		}
 
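Review bot: this block is a line-for-line copy of the one in the ChunkedIOFd constructor, differing only in the error handling (exit vs. return false); consider a small helper such as `set_nonblocking(int fd)` that returns success and lets each caller decide how to fail, so the next fix to the flag handling only has to be made once. The same `< 0)` spacing nit applies here.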
diff -ru bro-pub-0.8a85/Dict.cc bro-pub-0.8a86/Dict.cc
--- bro-pub-0.8a85/Dict.cc	Sat Apr 17 18:13:20 2004
+++ bro-pub-0.8a86/Dict.cc	Fri Jun 11 00:56:46 2004
@@ -1,4 +1,4 @@
-// $Id: Dict.cc,v 1.29 2004/04/18 01:13:11 vern Exp $
+// $Id: Dict.cc,v 1.30 2004/06/11 06:49:19 vern Exp $
 //
 // Copyright (c) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003
 //	The Regents of the University of California.  All rights reserved.
@@ -253,7 +253,7 @@
 
 void* Dictionary::NthEntry(int n, const void*& key, int& key_len) const
 	{
-	if ( order || n < 0 || n >= Length() )
+	if ( ! order || n < 0 || n >= Length() )
 		return 0;
 
 	DictEntry* entry = (*order)[n];
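Review bot: the inverted test is the right fix, since the very next line dereferences `(*order)[n]` and the old condition returned 0 precisely when `order` was non-null and would have crashed when it was null. A one-line comment above the check stating that NthEntry() is only meaningful for dictionaries created with ordering enabled would document the contract and make a regression easier to spot.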
diff -ru bro-pub-0.8a85/PktSrc.cc bro-pub-0.8a86/PktSrc.cc
--- bro-pub-0.8a85/PktSrc.cc	Sat Apr 17 18:13:21 2004
+++ bro-pub-0.8a86/PktSrc.cc	Fri Jun 11 00:56:46 2004
@@ -236,6 +236,10 @@
 		hdr_size = 13 + 8;	// fddi_header + LLC
 		break;
 
+	case DLT_LINUX_SLL:
+		hdr_size = 16;
+		break;
+
 	default:
 		sprintf(errbuf, "unknown data link type 0x%x", dl);
 		Close();
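Review bot: the magic number 16 should carry the same kind of comment the FDDI case has (`13 + 8; // fddi_header + LLC`), e.g. `// Linux cooked capture (SLL) header`. Two things to check against the rest of PktSrc.cc that this hunk does not show: DLT_LINUX_SLL is not defined in older libpcap headers, so the case may need an `#ifdef DLT_LINUX_SLL` guard to keep the build portable, and since the SLL header carries the network protocol type at a different offset than an Ethernet header, any code that demultiplexes on that field after skipping hdr_size needs a matching case.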
diff -ru bro-pub-0.8a85/RuleMatcher.cc bro-pub-0.8a86/RuleMatcher.cc
--- bro-pub-0.8a85/RuleMatcher.cc	Mon Mar  1 04:23:48 2004
+++ bro-pub-0.8a86/RuleMatcher.cc	Fri Jun 11 00:56:46 2004
@@ -1,4 +1,4 @@
-// $Id: RuleMatcher.cc,v 1.26 2004/03/01 12:23:25 vern Exp $
+// $Id: RuleMatcher.cc,v 1.27 2004/06/10 23:27:16 vern Exp $
 
 #include "config.h"
 
@@ -114,8 +114,8 @@
 
 void RuleHdrTest::PrintDebug()
 	{
-	static char* str_comp[] = { "<=", ">=", "<", ">", "==", "!=" };
-	static char* str_prot[] = { "", "ip", "icmp", "tcp", "udp" };
+	static const char* str_comp[] = { "<=", ">=", "<", ">", "==", "!=" };
+	static const char* str_prot[] = { "", "ip", "icmp", "tcp", "udp" };
 
 	fprintf(stderr, "	RuleHdrTest %s[%d:%d] %s",
 			str_prot[prot], offset, size, str_comp[comp]);
diff -ru bro-pub-0.8a85/Sessions.cc bro-pub-0.8a86/Sessions.cc
--- bro-pub-0.8a85/Sessions.cc	Sat Apr 17 18:13:21 2004
+++ bro-pub-0.8a86/Sessions.cc	Fri Jun 11 00:56:46 2004
@@ -1126,6 +1126,9 @@
 			c->SetLifetime(non_analyzed_lifetime);
 		}
 
+	if ( new_connection )
+		c->Event(new_connection);
+
 	return c;
 	}
 
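Review bot: the new `c->Event(new_connection)` is raised unconditionally on this path, while the CHANGES entry says the fix targets UDP connections that previously got no new_connection event. Confirm that TCP connections created through this function are not also generating new_connection elsewhere, otherwise scripts such as synflood.bro (which now keys off new_connection per the 0.9 notes) would count those connections twice.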
diff -ru bro-pub-0.8a85/Type.cc bro-pub-0.8a86/Type.cc
--- bro-pub-0.8a85/Type.cc	Mon Mar 15 12:11:47 2004
+++ bro-pub-0.8a86/Type.cc	Fri Jun 11 00:56:46 2004
@@ -1,4 +1,4 @@
-// $Id: Type.cc,v 1.61 2004/03/15 20:11:41 vern Exp $
+// $Id: Type.cc,v 1.63 2004/06/11 06:48:53 vern Exp $
 //
 // Copyright (c) 1995, 1996, 1997, 1998, 1999, 2001, 2002
 //      The Regents of the University of California.  All rights reserved.
@@ -53,6 +53,7 @@
 		"table", "union", "record", "types",
 		"func",
 		"file",
+		"vector",
 		"error",
 	};
 
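Review bot: inserting "vector" between "file" and "error" shows this table is indexed positionally by the type tag enum, so every future type needs an entry in exactly the right slot; a comment naming the enum the table must mirror, or a compile-time check that the array length matches the enum count, would prevent a recurrence of the out-of-range lookup that presumably produced the error-message crashes noted in CHANGES.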
diff -ru bro-pub-0.8a85/VERSION bro-pub-0.8a86/VERSION
--- bro-pub-0.8a85/VERSION	Sun Jun  6 10:39:29 2004
+++ bro-pub-0.8a86/VERSION	Fri Jun 11 00:58:49 2004
@@ -1 +1 @@
-0.8a85
+0.8a86
diff -ru bro-pub-0.8a85/main.cc bro-pub-0.8a86/main.cc
--- bro-pub-0.8a85/main.cc	Mon May 24 13:13:35 2004
+++ bro-pub-0.8a86/main.cc	Fri Jun 11 00:56:46 2004
@@ -1,4 +1,4 @@
-// $Id: main.cc,v 1.101 2004/05/24 20:13:30 vern Exp $
+// $Id: main.cc,v 1.102 2004/06/10 23:27:16 vern Exp $
 //
 // Copyright (c) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003
 //      The Regents of the University of California.  All rights reserved.
@@ -210,8 +210,6 @@
 	delete event_serializer;
 	delete event_registry;
 	delete secondary_path;
-
-	BroFile::CloseManagedFiles();
 	}
 
 void termination_signal()
@@ -777,6 +775,10 @@
 		done_with_network();
 		terminate_bro();
 		net_delete();
+
+		// Close files after net_delete(), because net_delete()
+		// might write to connection content files.
+		BroFile::CloseManagedFiles();
 
 #ifdef USE_MPATROL
 		fputs( "Stopping mpatrol logging...", stderr );
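Review bot: the comment explains the ordering well, but moving `BroFile::CloseManagedFiles()` out of the common cleanup routine (the first main.cc hunk) into this one branch means managed files are now closed only on this particular shutdown path. Check that `termination_signal()` and any other exit path that previously went through the cleanup routine still flush and close content files, otherwise the truncated-contents bug this change fixes would come back for signal-driven termination.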


