[Bro] new Bro CURRENT release (0.9a9)
Vern Paxson
vern at icir.org
Fri May 20 00:16:14 PDT 2005
A new CURRENT release, 0.9a9, is now available from:
ftp://ftp.ee.lbl.gov/bro-0.9-current.tar.gz
This release includes a significant number of changes and bug fixes, per
the appended. It has one known glitch, which is some bogus alarms generated
when using the DNS analyzer. We hope to have those fixed soon.
Vern
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0.9a9 Thu May 19 23:31:33 PDT 2005
- First cut at analyzer for NFS (Vern Paxson). It generates the following
  events:

    event nfs_request_null(n: connection)
    event nfs_request_getattr(n: connection, fh: string, attrs: nfs3_attrs)
    event nfs_request_lookup(n: connection, req: nfs3_lookup_args,
                             rep: nfs3_lookup_reply)
    event nfs_request_fsstat(n: connection, root_fh: string,
                             stat: nfs3_fsstat)
    event nfs_attempt_null(n: connection, status: count)
    event nfs_attempt_getattr(n: connection, status: count, fh: string)
    event nfs_attempt_lookup(n: connection, status: count,
                             req: nfs3_lookup_args,
                             dir_attrs: nfs3_opt_attrs)
    event nfs_attempt_fsstat(n: connection, status: count,
                             root_fh: string, obj_attrs: nfs3_opt_attrs)
- The new script OS-fingerprint.bro integrates Bro's new passive OS
fingerprinting mechanism with the software.bro framework (Vern Paxson).
- You can now operate on patterns using && and || (Vern Paxson).
If p1 and p2 are patterns, then p1 && p2 yields a pattern that matches
their concatenation and p1 || p2 yields a pattern that matches either.
Note that the syntax for this may change in the future to a single '&'
or '|', which would be more consistent with the use of '|' in
constructing pattern constants.
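An added illustration of the two new pattern operators (this script is not part of the 0.9a9 distribution; every name in it is made up, and the sample filenames are constructed):

```bro
# Added example: && concatenates two patterns, || makes a pattern that
# matches either. Inside a pattern constant, '|' is still the ordinary
# alternation; only the operators between pattern values are new.

# Fragments written as plain pattern constants (assumed names).
const rootkit_name = /t0rn|adore|knark/;
const hidden_dir = /\/dev\/\.|\/usr\/lib\/\.\./;

# "Either kind of suspicious filename": built at runtime with ||.
const suspicious_file = rootkit_name || hidden_dir;

# Hidden directory, then a separator, then a rootkit name: built with &&,
# so the pieces must appear in this order, back to back.
const suspicious_path = hidden_dir && /\// && rootkit_name;

function classify_filename(fname: string): string
	{
	# 'in' checks whether the pattern matches anywhere in the string.
	if ( suspicious_path in fname )
		return "rootkit-in-hidden-dir";
	if ( suspicious_file in fname )
		return "suspicious";
	return "benign";
	}

event bro_init()
	{
	# Constructed sample inputs, not taken from real traffic.
	print classify_filename("/usr/lib/../t0rn/tks");   # rootkit-in-hidden-dir
	print classify_filename("/dev/.hidden/x/adore");   # suspicious
	print classify_filename("/home/user/report.txt");  # benign
	}
```

The second input matches only suspicious_file, since hidden_dir is followed by "hidden" rather than a rootkit name, which is exactly the ordering constraint && imposes.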
- An experimental "connection compressor" tracks not-yet-established
connections using much less memory than Bro normally does (Robin Sommer).
This is potentially a major win during flooding attacks and high-speed
scans. You activate it by setting use_connection_compressor to T. You
can then control the granularity of its processing using the variables
cc_handle_resets, cc_handle_only_syns, and cc_instantiate_on_data. See
bro.init for brief discussion of these.
- The experimental new script firewall.bro supports firewall-rule-like
processing of connections in terms of allow/deny (Robin Sommer). It is
not particularly efficient.
- sensor-sshd.bro provides an experimental interface for receiving
events from instrumented SSH servers that communicate with Bro via
the Broccoli client library (Christian Kreibich and Robin Sommer).
Supporting this also entailed extensions to login.bro so it can
process the events even though they don't correspond to a connection
known to Bro's event engine.
- The new built-in function match_signatures() can be used in a policy
script to send text directly into the signature engine (Robin Sommer).
- Correction: the 0.9a8 CHANGES states that the mail_script variable used
for NOTICE_EMAIL defaults to mail_script.sh. The correct value is instead
"mail_notice.sh".
- The scripts rsh.bro and passwords.bro, and the passive-fingerprinting
signatures policy/sigs/p0fsyn.osf were inadvertently left out of the
0.9a8 distribution.
- Added s2b (snort to bro) files into the distribution (Jason Lee).
- Non-blocking packet capture under Linux has been fixed (Robin Sommer).
- Fixed printing of DNS replies, which used to work but was broken
a number of months ago (Vern Paxson).
- The new script brolite-sigs separates out how signatures are configured
in Bro Lite so the functionality can be enabled/disabled with a simple
load statement (Roger Winslow). That is, to use signatures with Bro
lite, simply add "@load brolite-sigs".
- The new script variable enable_syslog (default T) controls whether
alarms are sent to syslog (Robin Sommer). As before, syslog messages can
only be generated when Bro is reading from live network traffic (this should
be changed at some point, to accommodate real-time Bro instances that don't
read the network but collect events from other sensors). Previously, in that
case syslog messages were always generated; now you can turn them off using
this variable.
- The new script variable expensive_profiling_multiple controls how
often, when doing profiling, to perform more expensive forms of
profiling, in particular, memory consumption profiling (Robin Sommer).
If profiling_interval is set to 15 sec and expensive_profiling_multiple
is set to 20, then expensive profiling will be done every 5 minutes
(these are the defaults now in profiling.bro). Also, the profiling_update
event now includes a second argument, expensive: bool, which indicates
whether the update corresponds to one of these expensive profiling
intervals.
- First cut at parsing DNS AAAA replies (Scott Campbell). This is quite
incomplete - currently, the replies are turned into fake A record replies,
due to the difficulty of dealing with IPv6 addresses if Bro wasn't built
to analyze IPv6 traffic.
- software.bro has been tweaked to have a new control variable,
"only_report_local" (default F). If true, then only software versions
for local addresses (as determined by is_local_addr()) will be
reported.
- synflood.bro now has a script variable max_sources (default 100) that
specifies the maximum number of sources to track for a given victim
(Robin Sommer).
- Remote peers now negotiate their versions of the serialization format
(Robin Sommer). If they don't agree then the connection is terminated.
- Generic UDP request/response processing has been moved into the new
policy script udp-common.bro, which, unlike udp.bro, does *not* set the
packet filter to capture all UDP traffic (Robin Sommer). A number
of UDP-based policy scripts have been modified to use udp-common.bro
rather than udp.bro.
- When printing serialized/independent state, access times are now
again included (Robin Sommer).
- Bro's implementation of timers has been switched (reverted) to using
priority queues (Vern Paxson).
- The http-request.bro script variables skip_remote_sensitive_URIs and
sensitive_post_URIs are now exported so they can be accessed
externally (Robin Sommer).
- Some new rootkit filenames have been added to ftp.bro and
http-request.bro (Brian Tierney). The plan is to eventually
merge these lists so there's only one main list.
- trw.bro is now scoped as a module "TRW" (Brian Tierney).
- Better support of the '--disable-localpcap' flag to configure, and
consolidated all the pcap checks in configure.in (Jason Lee).
- A bug in processing bare carriage-returns in Telnet input/output
has been fixed (Vern Paxson).
- The Bro Lite bro.rc script has been tweaked to use the 'ax' flags
instead of '-ax' (Jason Lee).
- A bug with reporting ICMP "ports" (i.e., type + code) has been fixed
(Vern Paxson).
- Bug fix for excessively large RPC messages (Ruoming Pang).
- A bug with /0 subnet prefixes has been fixed (Robin Sommer).
- The function record_connection() now takes the file to write to
as its first argument (Robin Sommer).
- remote.bro now tracks whether a given Destination is connected
(Robin Sommer).
- mail_notice.sh is now installed as part of installing a distribution
(Jason Lee).
- Fixed bug where the sort order for the test suite changed depending
on locale (Jason Lee).
- Bug fix for email_notice() when notice_action_filters not defined for
given notice (Vern Paxson).
- The test-suite test for rare-events has been fixed so it no longer gives
false positives (Jason Lee).
- Date added for 0.9a8 release.