[Bro] new Bro releases

Vern Paxson vern at icir.org
Wed Sep 8 19:24:29 PDT 2004


New CURRENT (0.9a4) and STABLE (0.8a88) releases are now available from:

	ftp://bro-ids.org/bro-pub-0.9-current.tar.gz
	ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz

The CURRENT release includes some incompatible changes to file formats and
environment variables.  NOTE: file formats for the "alert" and "signature"
logs are likely to change again in the near future.  In addition, there
will soon be another release in which the current "log" and "alert" terms
are renamed (to "alarm" and "notice", respectively).

There are also some bug fixes, new features, and changes to the distribution's
directory structure, file formats, and environment variables, per the
appended change log.

The STABLE release fixes a bug:

> - Fixed broken VLAN support (integration of original patch was incomplete).

per the appended patch.

		Vern


-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


0.9a4 Wed Sep  8 17:33:54 PDT 2004

- The directory structure of the Bro distribution has changed (Jason Lee).
  The source code is now in a subdirectory, src/, and the scripts
  snort2bro (and snort2bro.cfg) and make-ftp-safe-vocabulary.awk have
  been moved into scripts/.

- "make install" has been revamped (Jason Lee).

- The format of the alert log file has changed.  Fields in it are
  colon-separated.  THIS WILL LIKELY CHANGE SOON.

- The policy for formatting signature matches has been revamped,
  including colon-separated fields in the signature log file
  (Roger Winslow).  THIS WILL LIKELY CHANGE SOON.

- The BRO_ID environment variable has been renamed BRO_LOG_SUFFIX.

- A new flag, -e, lets you specify Bro code to execute via the command
  line (Christian Kreibich).  So, for example,

	bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp 

  will run tcp.bro on the trace "mytrace.tcpdump", but with
  traditional_conn_format redefined to be true.  Note that statements
  have an implicit ';' added to them for convenience.

- A new signature alert, "MultipleSigResponders", is generated if a
  host triggers the same signature on multiple responders.

- Bro now supports "packet profiling", which provides fairly fine-grained
  statistics on number of packets processed, volume, elapsed real/user/system
  time, and change in memory consumption (Holger Dreger).  Three variables
  control the output.  The double pkt_profile_freq controls the frequency
  of output.  The units in which it's interpreted depend on the setting
  of the pkt_profile_mode variable (which is of type pkt_profile_modes,
  an enum).  A value of PKT_PROFILE_MODE_SECS means that statistics
  are generated every pkt_profile_freq seconds; PKT_PROFILE_MODE_PKTS
  means every pkt_profile_freq packets; and PKT_PROFILE_MODE_BYTES, every
  pkt_profile_freq bytes.  The default (PKT_PROFILE_MODE_NONE) means
  that no packet profiling is generated.

  Packet profiling is written to the new log file, pkt_profile_file.
  If you "@load pkt-profile", you can turn on packet profiling using
  some handy defaults.

- statistics.bro now reports on how many TCP connections are in
  <originator-state, responder-state> for the different TCP endpoint
  states (SYN sent, SYN ack'd, connection established, etc.).
  Contributed by Holger Dreger.

- tcp_content_delivery_ports_{orig,resp} are now tables of bool rather
  than sets (Ruoming Pang).  The semantics are that if you have a
  tcp_contents event handler, the event is invoked only if the orig/resp
  port is in the given table *and the yield value is T*.  This allows
  you to explicitly skip over some ports.
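A local policy file, added here as an illustration (it is not part of the Bro distribution), that uses the table-of-bool semantics just described together with the packet-profiling variables from the earlier item. It assumes the two tables are declared `table[port] of bool` with `&redef`, that the three pkt_profile_* variables are redefinable, and `local-content.bro` is a made-up file name.

```bro
# local-content.bro (constructed example): choose which ports get payload
# delivered to tcp_contents, and turn on periodic packet profiling.
@load tcp
@load pkt-profile

# Originator side: 80/tcp is delivered; 8080/tcp is listed but its yield
# is F, so tcp_contents is NOT invoked for it (the explicit-skip case).
# Assumes the 0.9a4 declaration is "table[port] of bool &redef".
redef tcp_content_delivery_ports_orig += {
	[80/tcp] = T,
	[8080/tcp] = F
};

# Responder side: deliver SMTP server replies only.
redef tcp_content_delivery_ports_resp += {
	[25/tcp] = T
};

# Emit one profiling record every 10 seconds of packet time to
# pkt_profile_file (assumes these variables are &redef).
redef pkt_profile_mode = PKT_PROFILE_MODE_SECS;
redef pkt_profile_freq = 10.0;

# Only reached for ports whose yield in the tables above is T.
event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	print fmt("%s -> %s %s seq=%d %d bytes", c$id$orig_h, c$id$resp_p,
		is_orig ? "orig" : "resp", seq, byte_len(contents));
	}
```

Run it over a trace in the same style as the -e example above, e.g. `bro -r mytrace.tcpdump local-content`.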

- The processing of default values in tables has been changed internally
  (Ruoming Pang).  It's possible this has introduced some subtle bugs
  (as some of these came up during testing).

- A serious bug in Base64 processing has been fixed (Ruoming Pang).

- The NetBIOS and SMB analyzers have been updated in minor ways
  (Ruoming Pang).

- statistics.bro now reports a "lag" figure indicating the elapsed
  time between the last expired timer's target expiration time and
  the current packet timestamp (Robin Sommer).  Lag can grow if Bro
  is getting behind in timer expiration due to the setting of
  max_timer_expires.

- Bro's default filter is now "tcp or udp or icmp" rather than
  "tcp or udp".

- alert_info records now have an optional port associated with them
  (for example, to be used to describe scan activity).

- A bug has been fixed in which deleting a table element with an
  associated timer could crash Bro (Robin Sommer).

- A bug that would cause a crash for malformed EPASV directives
  has been fixed (Robin Sommer).

- A bug with inactivity timeouts not being generated for partial
  connections has been fixed (Robin Sommer).

- A bug in synflood.bro has been fixed (Robin Sommer).

- Some tuning adjustments to incremental expiration of table entries
  (Robin Sommer).

- Improved portability to Darwin (Christian Kreibich).

- alert_info records now have additional optional fields, "iconn"
  (associated ICMP connection), "dst" (destination address), and
  "p" (associated port).  The source_is_responder field has been
  removed.

- The default packet filter now includes "icmp".

- Fixed some memory allocation/free mismatches and minor leaks (Robin Sommer).

- Minor tweaks to ssl.bro (Robin Sommer).

- Bro now supports "null" link layers (Christian Kreibich).

- aux/adtrace contains a program that spits out MAC/IP information
  from traces (Holger Dreger).

- The formatting of "weird" messages that have additional parameters
  has been changed to be more regularized with other "weird" messages.

- The new "weird" type "base64_illegal_encoding" takes the place of
  some previously unstructured Base64 "weird" errors.

- A tweak to ftp.bro will give it slightly more consistent results 
  for some forms of unusual traffic.


-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


diff -ru bro-pub-0.8a87/CHANGES bro-pub-0.8a88/CHANGES
--- bro-pub-0.8a87/CHANGES	Sun Jul 11 10:26:36 2004
+++ bro-pub-0.8a88/CHANGES	Wed Sep  8 17:56:23 2004
@@ -3,6 +3,11 @@
 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
 
+0.8a88 Wed Sep  8 17:56:03 PDT 2004
+
+- A serious bug in Base64/MIME processing has been fixed (Ruoming Pang).
+
+
 0.8a87 Sun Jul 11 10:26:35 PDT 2004
 
 - Fixed broken VLAN support (integration of original patch was incomplete).
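Review bot: the new CHANGES entry says only that a "serious bug" in Base64/MIME processing was fixed; since the Base64.cc hunks below show the nature of the defect (the old output-length guard counted input characters against the output buffer size and stopped decoding mid-group), a sentence saying that, and whether it affects decoding of MIME bodies on the wire, would let users judge whether they need to upgrade.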
diff -ru bro-pub-0.8a87/VERSION bro-pub-0.8a88/VERSION
--- bro-pub-0.8a87/VERSION	Sun Jul 11 10:23:57 2004
+++ bro-pub-0.8a88/VERSION	Wed Sep  8 17:55:55 2004
@@ -1 +1 @@
-0.8a87
+0.8a88
diff -ru bro-pub-0.8a87/Base64.cc bro-pub-0.8a88/Base64.cc
--- bro-pub-0.8a87/Base64.cc	Sun Jun  6 10:42:38 2004
+++ bro-pub-0.8a88/Base64.cc	Wed Sep  8 17:56:27 2004
@@ -60,33 +60,10 @@
 		*pbuf = buf = new char[blen];
 		}
 
-	int rlen = 0;
-	int dlen;
+	int dlen = 0;
 
-	for ( dlen = 0; dlen < len; ++dlen )
+	while ( 1 )
 		{
-		if ( data[dlen] == '=' )
-			++base64_padding;
-
-		int k = base64_table[(unsigned char) data[dlen]];
-		if ( k < 0 )
-			{
-			if ( ++errored == 1 )
-				// ### This and the next one should be
-				// a Weird, not a run-time error.
-				IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen])));
-			continue;
-			}
-
-		// Stop decoding if we don't have enough buffer.
-		if ( base64_group_next < 3 )
-			{
-			if ( ++rlen > blen )
-				break;
-			}
-
-		base64_group[base64_group_next++] = k;
-
 		if ( base64_group_next == 4 )
 			{
 			// For every group of 4 6-bit numbers,
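Review bot: the replacement `while ( 1 )` has no bound in its header, so termination now depends entirely on the `if ( dlen >= len ) break;` and the output-buffer `break` introduced in the later hunks of this file; a comment at the loop head explaining the ordering (a pending four-character group is decoded before the next input character is fetched, so a group deferred by a full buffer is finished on the next call) would make this much easier to maintain. The removed `rlen` guard compared a count of input characters (three per group) with `blen`, the output buffer size, and broke out in the middle of a group, so the fix of checking the actual write pointer per group is the right quantity to test.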
@@ -99,14 +76,17 @@
 				continue;
 				}
 
+			int num_octets = 3 - base64_padding;
+
+			if ( buf + num_octets > *pbuf + blen )
+				break;
+
 			uint32 bit32 =
 				((base64_group[0] & 0x3f) << 18) |
 				((base64_group[1] & 0x3f) << 12) |
 				((base64_group[2] & 0x3f) << 6)  |
 				((base64_group[3] & 0x3f));
 
-			int num_octets = 3 - base64_padding;
-
 			if ( --num_octets >= 0 )
 				*buf++ = char((bit32 >> 16) & 0xff);
 
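Review bot: the `continue;` at the top of this hunk now re-enters a `while ( 1 )` instead of a `for` that advanced `dlen`; whichever branch it belongs to must reset `base64_group_next` before continuing, otherwise the `base64_group_next == 4` test is true again on the next iteration and the loop spins without consuming input. The new bound `buf + num_octets > *pbuf + blen` deliberately leaves the complete group in `base64_group` with `base64_group_next == 4` and `dlen` unadvanced so decoding can resume later; that is an invariant the flush path in the last hunk relies on, and deserves a one-line comment here.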
@@ -122,6 +102,23 @@
 			base64_group_next = 0;
 			base64_padding = 0;
 			}
+
+		if ( dlen >= len )
+			break;
+
+		if ( data[dlen] == '=' )
+			++base64_padding;
+
+		int k = base64_table[(unsigned char) data[dlen]];
+		if ( k >= 0 )
+			base64_group[base64_group_next++] = k;
+		else
+			{
+			if ( ++errored == 1 )
+				IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen])));
+			}
+
+		++dlen;
 		}
 
 	*pblen = buf - *pbuf;
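Review bot: `++base64_padding` runs before the table lookup and regardless of whether `k >= 0`, so correctness depends on `base64_table['=']` being a non-negative index that also advances `base64_group_next`; if the table ever maps '=' to a negative entry, the padding count is bumped without filling the group and carries into the following group. Either move the increment under the `k >= 0` branch or add a comment stating the table invariant. Separately, only the output length is reported here (`*pblen = buf - *pbuf;`); because the loop can now stop with input left over in `data`, make sure the function's return value (not in this hunk) carries `dlen` back so the caller knows how much input was consumed.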
@@ -134,7 +131,8 @@
 
 	if ( base64_group_next != 0 )
 		{
-		IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6));
+		if ( base64_group_next < 4 )
+			IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6));
 		Decode(4 - base64_group_next, padding, pblen, pbuf);
 		return -1;
 		}
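Review bot: suppressing the incomplete-group warning when `base64_group_next == 4` is correct, since that state now means a complete group deferred by a full output buffer rather than malformed input, but this path still calls `Decode(0, ...)` and returns -1 in both cases, so a caller cannot distinguish a decode error from a clean flush, and if the buffer is still full the deferred group produces neither output nor a diagnostic. Return a distinct value for the deferred-group case, or document that -1 here does not imply an encoding error.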


