new bro "CURRENT" release - 0.8a79
Marc Spitzer
mspitze1 at optonline.net
Thu Mar 25 10:19:37 PST 2004
This really blows snort out of the water.
Thank you,
marc
On Thu, 25 Mar 2004 09:25:39 -0800
Vern Paxson <vern at icir.org> wrote:
> An updated "CURRENT" version of Bro is now available from the usual
> location:
>
> ftp://ftp.ee.lbl.gov/bro-pub-0.8-current.tar.gz
>
> This version has a lot of changes, including new analyzers,
> documentation, language features, VLAN support, and the beginnings of
> IDMEF support. I've appended the changes since the last "CURRENT"
> version (0.8a70).
>
> Vern
>
>
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>
> 0.8a79 Wed Mar 24 22:02:53 PST 2004
>
> - Bro now has an SSL analyzer, written by Michael Kuhn and Benedikt
> Ostermaier, with further development by Scott Campbell. It generates the
> following events:
>
> event process_X509_extensions(c: connection, ex: X509_extension)
> event ssl_X509_error(c: connection, err: int, err_string: string)
> event ssl_certificate(c: connection, cert: X509, is_server: bool)
> event ssl_certificate_seen(c: connection, is_server: bool)
> event ssl_conn_alert(c: connection, version: count, level: count, description: count)
> event ssl_conn_attempt(c: connection, version: int)
> event ssl_conn_established(c: connection, version: int, cipher_suite: count)
> event ssl_conn_reused(c: connection, session_id: sessionID)
> event ssl_conn_server_reply(c: connection, version: int)
> event ssl_conn_weak(name: string, c: connection)
> event ssl_session_insertion(c: connection, id: sessionID)
>
> Note, it still has a lot of rough edges; particularly, handling
> non-conformant input. It also generates unnecessary ContentGap
> alerts due to the way it runs multiple analyzers (SSLv2 and SSLv3)
> on a single connection. This will be fixed in the fairly near-term
> future.
>
> - The manual has been updated with chapters on signatures (Robin Sommer)
> and using the interactive debugger (Umesh Shankar), along with a
> partial description of the new SSL analyzer (Michael Kuhn and
> Benedikt Ostermaier) and a number of updates to the documentation of
> built-in functions (Umesh Shankar), though this latter is still not
> complete since Umesh actually contributed this quite a while ago.
>
> - Ruoming Pang has contributed a crude analyzer for DCE/RPC (used for
> Windows). It generates simple dce_rpc_request and dce_rpc_reply events.
> It should not be considered stable.
>
> - The traditional connection logging format (traditional_conn_format)
> is no longer the default. The 0.8a70 release notes stated that this
> was the case but this time it really is :-).
>
> - An experimental "vector" type has been added (Umesh Shankar). A vector
> is an aggregate type. For example:
>
> local suspect_hosts: vector of addr;
>
> You can randomly access elements starting with the first as 1, e.g.,
>
> suspect_hosts[1] = 10.0.0.8;
>
> and can also add elements at later positions even if there are gaps:
>
> suspect_hosts[31337] = 10.0.0.9;
>
> *The semantics and capabilities of vectors will be changing
> considerably.*
>
> - Umesh Shankar has developed a framework for generating IDMEF messages.
> Currently it needs a modified version of libidmef, which is not
> included in this distribution. Contact me or Umesh if you want a
> copy.
>
> - A new attribute &synchronized causes the given global variable to
> be *synchronized* across concurrent instances of Bro (which are
> intercommunicating via remote.bro). Any change made by one of them
> to the variable will be reflected (soon after) in the copy at
> the others. A new event remote_state_inconsistency is generated
> if two instances both change the value before they're synchronized.
> (Contributed by Robin Sommer.)
>
> - trw.bro implements a new scan detection algorithm, Threshold Random
> Walk (Jaeyeon Jung). It's described in an upcoming IEEE S&P symposium
> paper. The analyzer generates two events:
>
> TRWAddressScan, # source flagged as scanner by TRW algorithm
> TRWScanSummary, # summary of scanning activities reported by TRW
>
> TRW is generally much more sensitive than Bro's regular detection
> algorithm.
>
> - vlan.bro provides support for VLAN encapsulation. More generally, Bro
> now has support for any sort of constant-offset encapsulation (Vinod
> Yegneswaran). You specify the header size by redef'ing
> encap_hdr_size. You can also redef tunnel_port to be a UDP port
> which Bro treats as being the encapsulation (in the packet stream -
> not addressed to it) rather than all traffic.
>
> - If you turn on statistics (i.e., via @load statistics) and also redef
> segment_profiling to T, then Bro will generate to the statistics
> file a trace of its "segment" processing. A segment is a unit of
> internal execution. Profiles look like:
>
> 1058517499.615430 segment-processing-packet dt=0.000013 dmem=0
> 1058517499.615430 segment-draining-events dt=0.000012 dmem=0
> 1058517499.615671 segment-expiring-timers dt=0.000010 dmem=0
> 1058517499.615671 segment-processing-packet dt=0.000010 dmem=0
> 1058517499.615671 segment-draining-events dt=0.000012 dmem=0
> 1058517499.615671 segment-policy/conn.bro:282 dt=0.000011 dmem=0
> 1058517499.615671 segment-policy/conn.bro:253 dt=0.000012 dmem=0
>
> The first line states that at the given (packet) timestamp, the
> event engine processed a packet, taking 13 usec of CPU time to do
> so, and not consuming any memory (from the kernel's perspective;
> this is *not* fine-grained memory consumption). The next lines
> indicate 12 usec were spent draining events and 10 usec expiring
> timers. The last two lines indicate that the functions at lines 282
> and 253 in conn.bro were executed, requiring 11 usec and 12 usec,
> respectively.
>
> Note #1: timings are just what rusage() reports, so not necessarily
> very accurate for small times.
>
> Note #2: there's a bug in tracking function line numbers that hasn't
> been ferreted out yet, so they're only roughly correct.
>
> - The inactivity_timeout global has been split into
> tcp_inactivity_timeout/udp_inactivity_timeout/icmp_inactivity_timeout
> (Robin Sommer). Using this, the default inactivity timeouts for UDP
> and ICMP have been changed from "no timeout" to 10 seconds. This is
> needed because otherwise analyzing a stream of UDP or ICMP traffic
> generally gobbles up memory quickly and never recovers it; and there
> seems little point in trying to consolidate
> long-lived-but-often-inactive UDP/ICMP streams.
>
> - The new policy script cpu-adapt.bro is an extension to load-levels.bro
> (see CHANGES for 0.8a37 below) to adapt the packet filter based on
> the current CPU load. If the load is below cpu_lower_limit (default
> 40%), the load-level is decreased. If it's above cpu_upper_limit
> (default 90%), it's increased. (Robin Sommer)
>
> - The new policy script hand-over.bro can be used for a new running
> instance of Bro to smoothly take over operation from an old
> instance, i.e., it implements hand-over of state between two Bro
> instances when checkpointing (Robin Sommer). First, all persistent
> data (i.e. variables declared &persistent and connections for which
> make_connection_persistent() has been called) is transferred from
> the old instance to the new instance. Then the old instance
> terminates itself and the new one starts processing.
>
> The host from which we want to take over the state has to be added
> to remote_peers_clear (or remote_peers_ssl), setting hand_over to T.
> The host which is allowed to perform a hand-over with us has to be
> added with a port of 0/tcp and hand_over=T. An example for a
> handover between two instances on the same machine:
>
> @load hand-over
> redef remote_peers_clear += {
> [127.0.0.1, 47756/tcp] = [$hand_over = T],
> [127.0.0.1, 0/tcp] = [$hand_over = T]
> };
>
> (This interface may be subject to change in the future.)
>
> - New script functions (Robin Sommer):
>
> function terminate()
> Terminates Bro via SIGTERM.
>
> function dump_config()
> Dumps Bro's full configuration into state_dir (one file per
> variable/type/function, etc.)
>
> function send_state(ip: addr, p: port)
> Send all of persistent state to the remote host.
>
> function set_accept_state(ip: addr, p: port, accept: bool)
> If accept is true, state sent by the given host will be
> accepted (default: false)
>
> function make_connection_persistent(c: connection)
> Declare the given connection state to be persistent (i.e.
> to be saved upon termination and exchanged by send_state).
> checkpoint.bro uses this to declare some services to be
> persistent by default.
>
> function is_local_interface(ip: addr): bool
> Returns true if the given address is assigned to a local
> interface.
>
> - Printing of sets and tables now includes timestamps indicating when the
> element was added (Robin Sommer):
>
> ID did_ssh_version = {
> [129.187.20.9, F] = 1 @11/01-15:55,
> [212.144.77.26, T] = 2 @11/01-15:55,
> [141.84.116.26, T] = 10 @11/01-15:55,
> [217.232.245.249, T] = 1 @11/01-15:55,
> [217.235.217.149, T] = 1 @11/01-15:55,
> [129.187.39.13, F] = 2 @11/01-15:55,
> [129.187.208.139, F] = 1 @11/01-15:55,
> }
>
> The format may change in the future, and will probably be made an
> option.
>
> - Similarly, you can print functions to get both a timestamp of the last
> time the given block was executed and a count of how often (Robin
> Sommer):
>
> ID record_connection = record_connection
> (@11/01-16:03 #6549)
> {
>     id = c$id;
>     local_init = is_local_addr(id$orig_h);
>     local_addr = local_init ? id$orig_h : id$resp_h;
>     remote_addr = local_init ? id$resp_h : id$orig_h;
>     flags = local_init ? "L" : "";
>     if (remote_addr in neighbor_nets)
>         (@<never> #0)
>         flags = cat(flags, "U");
>
>     if ("" == flags)
>         (@11/01-16:03 #2110)
>         flags = "X";
>
>     is_tcp = is_tcp_port(id$orig_p);
>     ;
>     if (is_tcp)
>         (@11/01-16:03 #6549)
>         {
>         if (c$orig$state in conn_closed || c$resp$state in conn_closed)
>             (@11/01-16:03 #4739)
>             duration = fmt("%.6g", c$duration);
>         else
>             (@11/01-16:03 #1810)
>             duration = "?";
> [...]
>
> - You can now specify numbers using hex constants, e.g., 0xabcd = 43981
> (Michael Kuhn and Benedikt Ostermaier).
>
> - A new function, join_string_array(sep: string, a: string_array)
> concatenates strings in 'a' and inserts 'sep' between every two adjacent
> elements (Ruoming Pang). E.g., join_string_array(" ", {"a", "b", "c"})
> returns "a b c", and join_string_array("", a) is the same as
> cat_string_array(a).
>
> - checkpoint.bro now makes some services persistent by default
> (Robin Sommer).
>
> - The new_packet event now includes both the associated connection
> and a pkt_hdr describing the packet (Robin Sommer).
>
> - The functions connect_ssl() and connect_clear() have been replaced
> by a single connect() function taking an additional parameter to
> differentiate the types (Robin Sommer).
>
> - The new function stop_listening() unbinds the listen port (Robin
> Sommer).
>
> - A new flag packet_filter_default says whether the Bro-level
> packet-filter will by default accept all or reject everything (Robin
> Sommer).
>
> - Function calls can now be sent to remote Bros, though there isn't yet
> an interface for accessing this from the script level (Robin Sommer).
>
> - Bro now has a generalized internal framework for serializing objects
> and monitoring access to state (Robin Sommer).
>
> - Better memory allocation accounting (Robin Sommer).
>
> - A minor tweak to the output generated by statistics.bro.
>
> - Improved localization of source code for functions in messages (but
> there are still some bugs).
>
> - Autoconf looks for -ltermcap (Robin Sommer).
>
> - Fixes for bugs in the management of table expiration values (Chema
> Gonzalez).
>
> - A bug in printing "void" values has been fixed (Chema Gonzalez).
>
> - -t bug fixed (Chema Gonzalez).
>
> - A bug has been fixed in which sometimes "expression value ignored"
> was erroneously generated.
>
> - A bug with packet_contents and UDP packets with checksum errors
> has been fixed (Ruoming Pang).
>
> - A memory leak in packet timestamp sorting via packet_sort_window
> has been fixed (Ruoming Pang).
>
> - A bug has been fixed in expanding NULs when printing strings
> (Ruoming Pang).
>
> - Bug fixes for extracting connection contents via contents.bro
> (Ruoming Pang).
>
> - Bogus error message "Can't install default pcap filter" when using -F
> removed.
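The following policy script is an added illustration of how the features announced above fit together; it is not code from the Bro distribution or from Vern's message. It assumes the SSL analyzer is loaded with `@load ssl` and raises exactly the events listed in the release notes, that `cipher_suite` in `ssl_conn_established` carries the raw TLS cipher-suite code point (the three export-grade values are RFC 2246 code points), and that `open_log_file()`, `network_time()`, `is_local_addr()`, `bro_init`/`bro_done` behave as in Bro of that era. The log file name, the peer addresses and ports in the hand-over block, and the `flag_server()` helper are made up for this example.

```bro
# ssl-watch.bro -- added example, not part of the Bro distribution.
# Flags servers that negotiate weak SSL or present certificates that fail
# X.509 validation, shares that list with peer Bro instances via
# &synchronized, keeps a per-server session count across checkpoints via
# &persistent, and sets up hand-over so a new instance can take over state.

@load ssl         # new SSL analyzer (rough edges; expect spurious ContentGap)
@load remote      # defines remote_peers_clear / remote_peers_ssl
@load hand-over   # state hand-over between an old and a new instance
@load vlan        # 802.1Q support via the constant-offset encapsulation hook

# Servers flagged for weak ciphers or bad certificates.  Any change made
# here is propagated (soon after) to every peer we talk to through remote.bro.
global bad_ssl_servers: set[addr] &synchronized;

# Per-server SSL session counter; &persistent means it is saved on
# termination and transferred to a new instance by hand-over.bro.
global ssl_sessions: table[addr] of count &persistent;

# Export-grade cipher suites (RFC 2246 code points), written with the
# hex-constant syntax introduced in this release.  ASSUMPTION: the analyzer
# passes the code point through unmapped.
global export_suites: set[count] = { 0x0003, 0x0006, 0x0008 } &redef;

# Log file name is an arbitrary choice for this example.
global ssl_log = open_log_file("ssl-watch") &redef;

# Hypothetical helper: record the responder and log why it was flagged.
function flag_server(c: connection, why: string)
    {
    if ( c$id$resp_h !in bad_ssl_servers )
        add bad_ssl_servers[c$id$resp_h];

    print ssl_log, fmt("%.6f %s:%s -> %s:%s flagged: %s", network_time(),
                       c$id$orig_h, c$id$orig_p,
                       c$id$resp_h, c$id$resp_p, why);
    }

# Raised by the analyzer itself when it judges the negotiated SSL weak.
event ssl_conn_weak(name: string, c: connection)
    {
    flag_server(c, fmt("weak SSL (%s)", name));
    }

# Certificate validation failed (self-signed, expired, unknown CA, ...).
event ssl_X509_error(c: connection, err: int, err_string: string)
    {
    flag_server(c, fmt("X509 error %d: %s", err, err_string));
    }

# Count sessions per server and catch export suites the analyzer's own
# weakness check may not cover.
event ssl_conn_established(c: connection, version: int, cipher_suite: count)
    {
    if ( c$id$resp_h !in ssl_sessions )
        ssl_sessions[c$id$resp_h] = 0;
    ++ssl_sessions[c$id$resp_h];

    if ( cipher_suite in export_suites )
        flag_server(c, fmt("export cipher suite %d (version %d)",
                           cipher_suite, version));
    }

# A local client going back to a server already on the (shared) list.
event ssl_conn_attempt(c: connection, version: int)
    {
    if ( c$id$resp_h in bad_ssl_servers && is_local_addr(c$id$orig_h) )
        print ssl_log, fmt("%.6f %s contacting flagged server %s (SSL v%d)",
                           network_time(), c$id$orig_h, c$id$resp_h, version);
    }

# Hand-over between two instances on the same machine (addresses/ports are
# placeholders): pull state from the old instance on 47756/tcp, and allow
# a future new instance (the 0/tcp entry) to pull state from us.
redef remote_peers_clear += {
    [127.0.0.1, 47756/tcp] = [$hand_over = T],
    [127.0.0.1, 0/tcp] = [$hand_over = T]
};

# Summarise what we learned when this instance shuts down.
event bro_done()
    {
    for ( h in ssl_sessions )
        print ssl_log, fmt("summary %s sessions=%d flagged=%s",
                           h, ssl_sessions[h], h in bad_ssl_servers);
    }
```

Run it with the usual `bro -i <interface> ssl-watch.bro`, or against a trace with `-r`. Because the 0.8a79 SSL analyzer runs both its SSLv2 and SSLv3 analyzers on a connection, expect the unnecessary ContentGap alerts the announcement mentions until that is fixed; they are noise, not evidence of tampering. Note also that `bad_ssl_servers` is only &synchronized, not &persistent, so it is rebuilt from peers rather than carried across a hand-over, whereas `ssl_sessions` survives one.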