[Bro] new Bro releases
Vern Paxson
vern at icir.org
Wed Sep 8 19:24:29 PDT 2004
New CURRENT (0.9a4) and STABLE (0.8a88) releases are now available from:
ftp://bro-ids.org/bro-pub-0.9-current.tar.gz
ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz
The CURRENT release includes some incompatible changes to file formats and
environment variables. NOTE: file formats for the "alert" and "signature"
logs are likely to change again in the near future. In addition, there
will soon be another release in which the current "log" and "alert" terms
are renamed (to "alarm" and "notice", respectively).
There are also some bug fixes, new features, and changes to the distribution's
directory structure, file formats, and environment variables, per the
appended change log.
The STABLE release fixes a bug:
> - Fixed broken VLAN support (integration of original patch was incomplete).
per the appended patch.
Vern
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0.9a4 Wed Sep 8 17:33:54 PDT 2004
- The directory structure of the Bro distribution has changed (Jason Lee).
The source code is now in a subdirectory, src/, and the scripts
snort2bro (and snort2bro.cfg) and make-ftp-safe-vocabulary.awk have
been moved into scripts/.
- "make install" has been revamped (Jason Lee).
- The format of the alert log file has changed. Fields in it are
colon-separated. THIS WILL LIKELY CHANGE SOON.
- The policy for formatting signature matches has been revamped,
including colon-separated fields in the signature log file
(Roger Winslow). THIS WILL LIKELY CHANGE SOON.
- The BRO_ID environment variable has been renamed BRO_LOG_SUFFIX.
- A new flag, -e, lets you specify Bro code to execute via the command
line (Christian Kreibich). So, for example,
bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp
will run tcp.bro on the trace "mytrace.tcpdump", but with
traditional_conn_format redefined to be true. Note that statements
have an implicit ';' added to them for convenience.
- A new signature alert, "MultipleSigResponders", is generated if a
host triggers the same signature on multiple responders.
- Bro now supports "packet profiling", which provides fairly fine-grained
statistics on number of packets processed, volume, elapsed real/user/system
time, and change in memory consumption (Holger Dreger). Three variables
control the output. The double pkt_profile_freq controls the frequency
of output. The units in which it's interpreted depend on the setting
of the pkt_profile_mode variable (which is of type pkt_profile_modes,
an enum). A value of PKT_PROFILE_MODE_SECS means that statistics
are generated every pkt_profile_freq seconds; PKT_PROFILE_MODE_PKTS
means every pkt_profile_freq packets; and PKT_PROFILE_MODE_BYTES, every
pkt_profile_freq bytes. The default (PKT_PROFILE_MODE_NONE) means
to not generate packet profiling.
Packet profiling is written to the new log file, pkt_profile_file.
If you "@load pkt-profile", you can turn on packet profiling using
some handy defaults.
- statistics.bro now reports on how many TCP connections are in
<originator-state, responder-state> for the different TCP endpoint
states (SYN sent, SYN ack'd, connection established, etc.).
Contributed by Holger Dreger.
- tcp_content_delivery_ports_{orig,resp} are now tables of bool rather
than sets (Ruoming Pang). The semantics are that if you have a
tcp_contents event handler, then if the orig/resp port is in the given
table *and the yield value is T*, then the event will be invoked. This
allows you to explicitly skip over some ports.
- The processing of default values in tables has been changed internally
(Ruoming Pang). It's possible this has introduced some subtle bugs
(as some of these came up during testing).
- A serious bug in Base64 processing has been fixed (Ruoming Pang).
- The NetBIOS and SMB analyzers have been updated in minor ways
(Ruoming Pang).
- statistics.bro now reports a "lag" figure indicating the elapsed
time between the last expired timer's target expiration time and
the current packet timestamp (Robin Sommer). Lag can grow if Bro
is getting behind in timer expiration due to the setting of
max_timer_expires.
- Bro's default filter is now "tcp or udp or icmp" rather than
"tcp or udp".
- alert_info records now have an optional port associated with them
(for example, to be used to describe scan activity).
- A bug has been fixed in which deleting a table element with an
associated timer could crash Bro (Robin Sommer).
- A bug that would cause a crash for malformed EPASV directives
has been fixed (Robin Sommer).
- A bug with inactivity timeouts not being generated for partial
connections has been fixed (Robin Sommer).
- A bug in synflood.bro has been fixed (Robin Sommer).
- Some tuning adjustments to incremental expiration of table entries
(Robin Sommer).
- Improved portability to Darwin (Christian Kreibich).
- alert_info records now have additional optional fields, "iconn"
(associated ICMP connection), "dst" (destination address), and
"p" (associated port). The source_is_responder field has been
removed.
- The default packet filter now includes "icmp".
- Some memory allocation/free mismatches and minor leaks have been fixed (Robin Sommer).
- Minor tweaks to ssl.bro (Robin Sommer).
- Bro now supports "null" link layers (Christian Kreibich).
- aux/adtrace contains a program that spits out MAC/IP information
from traces (Holger Dreger).
- The formatting of "weird" messages that have additional parameters
has been changed to be more regularized with other "weird" messages.
- The new "weird" type "base64_illegal_encoding" takes the place of
some previously unstructured Base64 "weird" errors.
- A tweak to ftp.bro will give it slightly more consistent results
for some forms of unusual traffic.
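The Base64 fix in the appended 0.8a88 patch replaces a per-call count of input characters with a check against the real output pointer. The following is an added example, not code from Bro's Base64.cc: a minimal streaming decoder with the same state layout (a four-symbol group and a padding count carried across calls) that shows why the pointer check matters when a group started in one call is completed in a later call with a small buffer. The names b64_state, b64_decode_chunk and demo_split_group are the example's own.

```c
#include <string.h>
/* Added example, not Bro's Base64.cc: a streaming decoder that bounds-checks the
 * real write pointer, as the 0.8a88 patch does, not a per-call input count. */
typedef struct { int group[4]; int group_next; int padding; } b64_state;
static int b64_value(char c) {              /* '=' decodes as zero bits */
    const char *t = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(t, c) : 0;
    return p ? (int)(p - t) : c == '=' ? 0 : -1;
}
/* Decodes up to len bytes into out[0..outlen). Returns input bytes consumed and
 * sets *written. A complete group that does not fit stays pending in st. */
size_t b64_decode_chunk(b64_state *st, const char *data, size_t len,
                        char *out, size_t outlen, size_t *written) {
    char *buf = out, *end = out + outlen;
    size_t dlen = 0;
    for (;;) {
        if (st->group_next == 4) {
            int n = st->padding > 3 ? 0 : 3 - st->padding;  /* octets to emit */
            if (buf + n > end) break;            /* no room: leave group pending */
            unsigned long bits = ((unsigned long)st->group[0] << 18) |
                ((unsigned long)st->group[1] << 12) |
                ((unsigned long)st->group[2] << 6) | (unsigned long)st->group[3];
            if (n > 0) *buf++ = (char)((bits >> 16) & 0xff);
            if (n > 1) *buf++ = (char)((bits >> 8) & 0xff);
            if (n > 2) *buf++ = (char)(bits & 0xff);
            st->group_next = st->padding = 0;
        }
        if (dlen >= len) break;
        int k = b64_value(data[dlen]);
        if (k >= 0) {                            /* illegal characters are skipped */
            if (data[dlen] == '=') st->padding++;
            st->group[st->group_next++] = k;
        }
        dlen++;
    }
    *written = (size_t)(buf - out);
    return dlen;
}
/* The fixed scenario: a group begun in one call completes in a later call with a
 * 1-byte buffer; the canary must survive and "TWFu" must still decode to "Man". */
int demo_split_group(void) {
    b64_state st = {{0, 0, 0, 0}, 0, 0};
    char out[4] = {0, 'C', 'C', 'C'}, out2[3];
    size_t w;
    if (b64_decode_chunk(&st, "TW", 2, out, 4, &w) != 2 || w != 0) return 0;
    if (b64_decode_chunk(&st, "Fu", 2, out, 1, &w) != 2 || w != 0) return 0;
    if (st.group_next != 4 || memcmp(out + 1, "CCC", 3) != 0) return 0;
    b64_decode_chunk(&st, "", 0, out2, 3, &w);
    return w == 3 && memcmp(out2, "Man", 3) == 0;
}
```

With the pre-patch style of check (a counter reset to zero on each call) the second call would have written three octets into a one-byte buffer; here the completed group simply waits for the next call.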
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
diff -ru bro-pub-0.8a87/CHANGES bro-pub-0.8a88/CHANGES
--- bro-pub-0.8a87/CHANGES Sun Jul 11 10:26:36 2004
+++ bro-pub-0.8a88/CHANGES Wed Sep 8 17:56:23 2004
@@ -3,6 +3,11 @@
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+0.8a88 Wed Sep 8 17:56:03 PDT 2004
+
+- A serious bug in Base64/MIME processing has been fixed (Ruoming Pang).
+
+
0.8a87 Sun Jul 11 10:26:35 PDT 2004
- Fixed broken VLAN support (integration of original patch was incomplete).
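Review bot: the new entry `+- A serious bug in Base64/MIME processing has been fixed (Ruoming Pang).` names neither the symptom nor the affected routine; the Base64.cc hunks below replace the decoder's output-buffer bounds check, so the entry should say so (for instance that a Base64 group spanning two Decode calls could write past the output buffer) so that packagers can judge severity. Note also that the cover message quotes the 0.8a87 VLAN line as the bug this STABLE release fixes, while this hunk shows the 0.8a88 change is the Base64/MIME fix.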
diff -ru bro-pub-0.8a87/VERSION bro-pub-0.8a88/VERSION
--- bro-pub-0.8a87/VERSION Sun Jul 11 10:23:57 2004
+++ bro-pub-0.8a88/VERSION Wed Sep 8 17:55:55 2004
@@ -1 +1 @@
-0.8a87
+0.8a88
diff -ru bro-pub-0.8a87/Base64.cc bro-pub-0.8a88/Base64.cc
--- bro-pub-0.8a87/Base64.cc Sun Jun 6 10:42:38 2004
+++ bro-pub-0.8a88/Base64.cc Wed Sep 8 17:56:27 2004
@@ -60,33 +60,10 @@
*pbuf = buf = new char[blen];
}
- int rlen = 0;
- int dlen;
+ int dlen = 0;
- for ( dlen = 0; dlen < len; ++dlen )
+ while ( 1 )
{
- if ( data[dlen] == '=' )
- ++base64_padding;
-
- int k = base64_table[(unsigned char) data[dlen]];
- if ( k < 0 )
- {
- if ( ++errored == 1 )
- // ### This and the next one should be
- // a Weird, not a run-time error.
- IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen])));
- continue;
- }
-
- // Stop decoding if we don't have enough buffer.
- if ( base64_group_next < 3 )
- {
- if ( ++rlen > blen )
- break;
- }
-
- base64_group[base64_group_next++] = k;
-
if ( base64_group_next == 4 )
{
// For every group of 4 6-bit numbers,
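Review bot: dropping rlen is the right fix, and the reason belongs in a comment or the CHANGES entry: rlen was initialised to 0 on every call (`- int rlen = 0;`) and only counted characters appended during that call, whereas base64_group_next persists across calls, so a group started by an earlier call could complete here with rlen at 1 or 2 and still store up to three octets past blen. The replacement check in the next hunk compares the actual write pointer with `*pbuf + blen`, which does not depend on where the call boundaries fall.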
@@ -99,14 +76,17 @@
continue;
}
+ int num_octets = 3 - base64_padding;
+
+ if ( buf + num_octets > *pbuf + blen )
+ break;
+
uint32 bit32 =
((base64_group[0] & 0x3f) << 18) |
((base64_group[1] & 0x3f) << 12) |
((base64_group[2] & 0x3f) << 6) |
((base64_group[3] & 0x3f));
- int num_octets = 3 - base64_padding;
-
if ( --num_octets >= 0 )
*buf++ = char((bit32 >> 16) & 0xff);
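Review bot: `+ int num_octets = 3 - base64_padding;` is not clamped, so a group carrying more than three '=' yields a negative num_octets; `buf + num_octets > *pbuf + blen` then passes trivially and the `--num_octets >= 0` stores write nothing, which is memory-safe but silently accepts malformed input. Suggest reporting base64_padding > 2 through IllegalEncoding and treating the group as empty. A one-line comment that the `break` deliberately leaves the completed group in base64_group with base64_group_next == 4, to be emitted by the next call or by the flush in the last hunk, would also help.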
@@ -122,6 +102,23 @@
base64_group_next = 0;
base64_padding = 0;
}
+
+ if ( dlen >= len )
+ break;
+
+ if ( data[dlen] == '=' )
+ ++base64_padding;
+
+ int k = base64_table[(unsigned char) data[dlen]];
+ if ( k >= 0 )
+ base64_group[base64_group_next++] = k;
+ else
+ {
+ if ( ++errored == 1 )
+ IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen])));
+ }
+
+ ++dlen;
}
*pblen = buf - *pbuf;
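Review bot: `+ if ( data[dlen] == '=' ) ++base64_padding;` runs before the validity check and regardless of position, so a '=' that appears before two data symbols, or one that base64_table maps to a negative value, increments base64_padding without occupying a group slot and the two counters drift apart for that group. Suggest counting '=' only when base64_group_next >= 2 and the table value is non-negative, or resetting base64_padding when a non-'=' symbol follows it.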
@@ -134,7 +131,8 @@
if ( base64_group_next != 0 )
{
- IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6));
+ if ( base64_group_next < 4 )
+ IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6));
Decode(4 - base64_group_next, padding, pblen, pbuf);
return -1;
}
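Review bot: the added `base64_group_next < 4` guard is consistent with the loop change: after a buffer-full break the pending group is complete, so it is not an incomplete encoding, and `Decode(4 - base64_group_next, ...)` with zero padding characters just emits it. A short comment here would spare the next reader that derivation; note too that the unchanged `return -1;` now also covers this legitimately complete case, so whatever -1 signals to callers must not be read as a decoding error on its own.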