[Bro] new Bro CURRENT release 1.1
Vern Paxson
vern at icir.org
Mon May 15 13:57:22 PDT 2006
Bro release 1.1 is now available from:
ftp://bro-ids.org/bro-1.x-current.tar.gz
This becomes the new CURRENT release. It contains a significant number
of new features and bug fixes, per the appended change log.
Vern
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1.1 Mon May 15 10:50:33 PDT 2006
- Bro now supports a "when" statement for taking action upon something
becoming true asynchronously (Robin Sommer). This provides a powerful
new mechanism with numerous applications.
Syntax:
when '(' <expr> ')' <stmt> [timeout <interval> '{ <stmts> '}']
where the first <stmt> can be a single statement or a block enclosed
in {}'s, but the set associated with "timeout" must be enclosed in
{}'s (to reduce ambiguities in Bro's grammar).
Bro executes the first statement when <expr> becomes true. If you give
a timeout and the condition has not been satisfied before it expires, Bro
executes the second statement instead.
A simple example:
global t: table[addr] of count;
event connection_established(c: connection)
{
local orig = c$id$orig_h;
if ( orig !in t )
{
t[orig] = 1;
when ( t[orig] == 5 )
print fmt("%s has established 5 connections", orig);
timeout 1 hr
{
print fmt("%s has NOT established 5 connections", orig);
delete t[orig];
}
}
else
++t[orig];
}
Notes:
- The condition may be evaluated more than once, and at arbitrary
times.
- When the when-body is executed, the condition is guaranteed to be
still satisfied.
- Expression reevaluation is primarily triggered by modifications
to globals. However, reevaluations do not take place immediately
but potentially at a later point. This means that if we change a
global to a value which would execute the trigger but then change
it back, the change may go unnoticed.
- Inside the condition you may introduce new locals. For example,
when ( (local x = foo()) && x == 42 ) ...
Such an assignment always yields true as its expression value
(but the assignment might be delayed, for example if foo() is
a delayed function call - see below).
Delaying function calls
=======================
Functions called inside the condition of a when-clause may delay their
results until they're ready. This works for both script-level and built-in
functions.
For script-level functions, there is a new construct, "return <when-stmt>",
to delay a function's result. When used, the function returns at the
time the when-stmt's condition becomes true, and it yields the value
that the when-stmt's body then returns. Toy example:
global X: table[string] of count;
function a() : count
{
# This delays until condition becomes true.
return when ( "a" in X )
{
return X["a"];
}
timeout 5 min
{
return 0;
}
}
event bro_init()
{
# Installs a trigger which fires if a() returns 42.
when ( a() == 42 ) { print "Yippie!"; }
X["a"] = 42;
}
There's also a new built-in function which can delay
lookup_addr(host: addr)
performs asynchronous DNS address->hostname lookups. Example:
local h; addr;
[...]
when (local name = lookup_addr(h)) { print h, name; }
See the function gen_hot_notice_with_hostnames() in conn.bro for
a more worked-out example of using the "when" clause to translate the
local address in SensitiveConnection notices to a hostname (contributed
by Brian Tierney). This functionality is activated by redef'ing
xlate_hot_local_addr to T.
Here is the full evaluation model of a when's condition:
- The condition may be evaluated more than once, at arbitrary times.
- It is always fully evaluated, no matter whether some former
evaluation has been suspended by a delaying function call.
- All function calls which do not delay are always *fully* executed
each time the condition is evaluated.
- Function calls which delay are only executed *once*; their result is
cached and re-used in the case the condition is evaluated again.
- The condition is guaranteed to be true when the body is executed
(potentially using cached function results)
- By default Bro now uses a configuration similar to what used to be
activated using reduce-memory.bro, along with some additional state
timeouts that are new (Robin Sommer and Vern Paxson). This allows for
better state management out-of-the-box, at the cost of some precision
of analysis and resilience to evasion. In particular, the intent is to
move towards being able to run Bro continuously without inexorably growing
the amount of memory used until exhaustion.
You can access a configuration similar to the previous default state
management settings by loading heavy-analysis.bro. It turns on a
load-prefix of "heavy", so when you load XXX.bro, a file heavy.XXX.bro
will also be automatically loaded if present. Note that, as was the
case for reduce-memory, you need to load heavy-analysis prior to other
files for it to have effect.
- The new module clear-passwords.bro monitors login/FTP/IRC/POP traffic
for cleartext passwords (Jason Lee).
- The new script service-probe.bro looks for remote hosts that repeatedly
connect to the same service on local hosts (for a configurable set of
services and connection sizes) in order to detect brute-forcing attacks
such as password-guessing (Jim Mellander).
- A new ARP analyzer generates three events:
event arp_request(mac_src: string, mac_dst: string,
SPA: addr, SHA: string, TPA: addr, THA: string);
event arp_reply(mac_src: string, mac_dst: string,
SPA: addr, SHA: string, TPA: addr, THA: string);
event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string,
explanation: string);
with a corresponding policy script arp.bro (Chema Gonzalez and Vern Paxson).
It writes logs to arp.$BRO_LOG_SUFFIX. It has not been tested much yet.
- Bro Lite changes (Jason Lee):
- default user for is now user 'bro'
- now uses the correct sysctl on FreeBSD 6
- now uses the correct Perl path if site-report.pl not installed
into '/usr/local/bro'
- no longer prompts to encrypt email unless you pick to email reports
- The default Bro Lite install now only checkpoints Bro once a week
(Brian Tierney).
- Implicit Bro file extensions (such as .bro for policy scripts and .sig
for signatures) are now searched for first rather than only if the
non-extension-version of the file doesn't exist (Vern Paxson). For
example, running "bro -r trace mt" now first searches $BROPATH for
"mt.bro" before searching for "mt", whereas it used to do these in
the other order.
- There's now a simpler mechanism for redef'ing variables on the command-line
(Christian Kreibich). Any command line arguments of the form <var>=<val>
are now expanded into policy code of the form "redef var=val;", where
<val> is wrapped in quotation marks if the value appears to be a string
and doesn't have quotation marks already. This works with strings with
whitespace such as foo="Hello World"; however, note that it means you
can't use the mechanism to redef an enum value.
- The Bro distribution now includes (and builds by default) Christian
Kreibich's Broccoli library (Bro C Client Library), which enables programs
to communicate with running Bro's (Christian Kreibich and Jason Lee).
Configure with --disable-broccoli to turn this off.
- Built-in functions log(x: double): double and exp(x: double): double
which do natural logarithms and their inverses (Jaeyeon Jung).
- The new built-in function gethostname() returns the local host's name
(Jason Lee & Robin Sommer).
- The new built-in function reading_traces() returns true if Bro
is reading trace files (Robin Sommer).
- The new built-ins suspend_processing() and continue_processing() provide
script-level control for instructing the event engine to stop or resume
processing packets (Robin Sommer). This is useful for coordinating
simultaneous processing by multiple Bro's.
- Email notices are now by default sent via /bin/mail, with "[Bro Alarm]"
in the subject.
- redef'ing a function now replaces the existing body rather than
supplementing it (Robin Sommer), which was a bug.
- You can now configure Bro to process encapsulated IP packets either
by setting, as before, a fixed encap_hdr_size (for VLANs), or setting
parse_udp_tunnels to T (Ruoming Pang). For the latter, you specify a
UDP tunnel port using udp_tunnel_port (the previous variable "tunnel_port"
has gone away); or you can leave it set to its default of 0/udp, in which
case Bro will look for IP encapsulated in UDP packets on any port.
- Added a simple form of profiling based on sampling the work done
per-packet (Vern Paxson). The event engine generates a
event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
event every load_sample_freq packets (roughly; it's randomized), where
load_sample_freq defaults to 20. "samples" is simply a set[string]; it
contains the names of the functions, event handlers, and their source
files that were accessed during the processing of the sampled packet,
along with an estimate of the CPU cost of processing the packet and
(currently broken) memory allocated/freed.
- Bro now includes experimental support for Endace DAG cards (Gregor Maier
and Robin Sommer). To activate, configure with
--with-DAG=/path/to/dagtool/installation
and use "dag0" as the network interface. You may need to configure the
card with the dagtools first. In general, if dagsnap works, Bro should
work as well.
- Log rotation has changed in a number of ways (Mark Dedlow & Robin Sommer):
* The new variable log_rotate_base_time: string, if defined,
specifies that logs should be rotated at log_rotate_base_time +
i * rotate_interval intervals. Format is as a string in
24-hour time, "%H:%M", e.g, "12:00". This format may change
in the future to instead be a Bro time type.
* RotateLogs::date_format can be redefined to change format of
timestamps in rotated files.
* RotateLogs::build_name() can be redefined to implement an
arbitrary naming scheme for rotated files.
Note, this code has not been extensively tested.
- Bro now by default builds a version of malloc bundled with its
distribution (Vern Paxson & Brian Tierney).
- The syntax for the clone operator now looks like a function call,
"copy(x)" (Vern Paxson).
- The new flag DNS::logging (default F), if T, disables generation of
dns.log (which is often uninteresting and very large), though it
still performs analysis leading to NOTICEs (Robin Sommer).
- A new global, hostile_domain_list, has been added to dns.bro which
lists domains to be flagged if A or MX records are queried (Scott Campbell).
- Added globals dns_skip_all_{auth,addl} to skip all DNS AUTH/ADDL processing
(Vern Paxson). Skipping these is on (true) by default, because such
processing is quite expensive.
- backdoor.bro now turns off by default some detectors that from experience
have too many false positives, or (such as for HTTP) too many uninteresting
true positives (Brian Tierney). In addition:
- the module now generates a BackdoorFound notice for each backdoor
- the new variable dump_backdoor_packets (default F) if set causes
the packet that triggered the backdoor detection to be written to
backdoor-packets/<tag>:<time>
- the new variable backdoor_ignore_host_port_pairs is a set[addr, port]
specify host/port combinations to ignore
- 587/tcp is now recognized as another SMTP port, and 7000/tcp as
a popular IRC port ignored by default
- brolite-backdoor.bro is a sample of using backdoor.bro
- A bunch of enhancements and fixes for the IRC backdoor detector
(Vern Paxson).
- The cf utility in aux/cf/ now gets the format to use (unless you specify
-f fmt) from $CFTIMEFMT in the environment. You can now specify -f
without a format to revert to the default format. This change also
includes a significant performance improvement when processing large
files (Mark Dedlow and Craig Leres).
- Cleanups for brolite.bro and brolite-backdoor.bro (Brian Tierney).
brolite.bro now uses rotate-logs by default.
- backdoor.bro now enables analysis of partial connections (Vern Paxson).
- brolite config cleanup: removed smtp.bro from default, increased
max_timer_expires, changed default BROPATH to look at site dir
first (Brian Tierney).
- The reference manual has been updated for the terminology changes
of log -> alarm, alert -> notice, and rule -> signature (Vern Paxson).
Some vestiges of the older terminology remain, in part because they're
still present in some facets of Bro.
- The new script function get_current_packet(): pcap_packet returns
the current packet as a "pcap_packet" record with fields $ts_sec,
$ts_usec, $caplen, $len (all of type count) and $data (a string)
reflecting the corresponding libpcap values (Christian Kreibich).
You can write this packet to a dump file using the new function
dump_packet(pkt: pcap_packet, file_name: string): bool, which writes
(or appends) the packet to a file of the given name, returning T
on success and F on error.
- The new fmt() specifier 'T' converts values of type "time" to ISO
format timestamps, analogous to how 'D' does this for ISO dates
(Mark Dedlow). fmt("%T", <time>) is equivalent to
fmt("%s", strftime("%F-%T.%N", <time>)), except that strftime
does not (yet) offer "%N" for nanoseconds (but see 'date +%F-%T.%N').
- The new %S format for fmt() inserts a "raw" version of the given string -
that is, embedded NULs, control characters, etc., are present without
any escaping (Christian Kreibich).
- Zero-padding and field widths now work for all fmt() formats rather than
just %e/%f/%g (Christian Kreibich). For example, you can now say:
local filename = fmt("log-%04.txt", ++counter);
and get logfiles log-0001.txt, log-0002.txt, ..., log-0999.txt, etc.
- The 'x' format specifier now supports values of type "addr", converting
them t hex (Mark Dedlow). For example,
fmt("str=%s hex=%x", 1.2.3.4, 1.2.3.4)
produces
str=1.2.3.4 hex=01020304
The field designation is either %08x (if compiled for IPv4 only) or
%08x%08x%08x%08x (if compiled with IPv6 support).
- firewall.bro has been extended to support multiple independent
rule-sets (by calling begin() for the start of the next one),
specifying sets of addresses, being FTP-aware, and with a more
streamlined Notice message (Robin Sommer).
- The HTTP script variables maintain_http_sessions and http_sessions
are now exported so they can be redefined or, for the latter, have
timeouts added/adjusted (Robin Sommer).
- You can load the new policy script log-append.bro to change Bro's
behavior so that when it runs appends to existing log files rather
than overwriting them (Mark Dedlow).
- New &disable_print_hook attribute for files (Robin Sommer). If set,
print statements to the file don't trigger the print_hook event. This
is useful to keep the output of certain files from being propagated to
peers.
- You can now associate "classes" with remote peers (Robin Sommer). When
connecting, a node may send a specific class to which it considers itself
belonging. The accepting side can then tune its configuration based on
the received class.
This is primarily for the having multiple unrelated Broccolis running on the
same host, all connecting to the same remote Bro (e.g., sshd and syslog
sensors).
To use this, on the Bro side the record Remote::Destination now has a
field "class: string" (default: unset). If set, the given config entry
only applies for connecting remote peers that send the given class.
If it is set and we're connecting to another peer, we propagate the class.
Example:
On the listening Bro:
redef Remote::destinations += {
["peer-1"] =
[$host = 127.0.0.1, $class="ftp", $events = /ftp.*/],
["peer-2"] =
[$host = 127.0.0.1, $class="http", $events = /http.*/]
};
On peer 1:
redef Remote::destinations += {
["master"] =
[$host = 127.0.0.1, $class="ftp",
$events = /.*/, $connect=T]
};
On peer 2:
redef Remote::destinations += {
["master"] =
[$host = 127.0.0.1, $class="http",
$events = /.*/, $connect=T]
};
All of these may run on the same host.
- A bunch of changes to adu.bro (Christian Kreibich):
- New ADU_MAX_DEPTH limits depth (at ADU granularity) into a
flow up to which ADUs are reported.
- Handles UDP.
- New event adu_done(c: connection) signals that no further ADUs
will be delivered for a connection. This is useful since adu.bro
relies on event connection_state_remove() to remove state, and
if a policy using adu.bro likewise uses this event type then
event sequencing can cause adu_tx/rx events to occur after
connection_state_remove() has been processed.
- Now correctly clips ADU to maximum allowed size. (Note, this
has been temporarily commented out because it relies on a new
string function that has not yet been integrated into the
main distribution.)
- Now can ignore specific connections dynamically.
- TCP content gaps are now recognized and ADU delivery is for now
stopped for such flows, unless explicitly requested.
- No longer logs to file in test mode.
- The new function add_notice_tag() explicitly adds a unique notice tag
to a connection's $addl field (Robin Sommer). This is sometimes necessary
to ensure that the tag appears in the connection summary.
- Bro now performs serialization (such as when checkpointing &persistent
tables or communicating them between Bro's) in an incremental fashion,
intermingling transfers of large tables with ongoing packet processing
(Robin Sommer). Doing so helps avoid packet drops for large items.
This has not yet been implemented for the initial handshake done
for &synchronized items.
- ssl.bro now stores certificates by default in the subdirectory "certs/"
(Robin Sommer).
- Analysis of weak/unknown ciphersuites in ssl.bro reworked (Holger Dreger).
- New cipher for SSL analysis, SSL_CK_RC4_64_WITH_MD5 (Holger Dreger).
- load-levels and cpu-adapt now log their adaptations to the log file
rather than generating alarms (Robin Sommer).
- The default adaptation levels in cpu-adapt have been tweaked for better
behavior (Robin Sommer).
- A new structure of the event loop (implemented by Robin Sommer) is now
enabled during configuration by default (Christian Kreibich). You can
revert to the previous structure using --disable-select-loop.
- When configuring Bro, the version of pcap that comes with the Bro
distribution is no longer used by default (Jason Lee). Instead,
the system one is used, or one at the same directory level as Bro.
To use the Bro distribution version, configure with --enable-shippedpcap.
- backdoor.bro now has comments clarifying that it does not itself
alter capture_filters (Vern Paxson).
- If you set backdoor_stat_period to 0 sec, then this now turns off
the periodic component of backdoor analysis (Holger Dreger).
- The filters specified in notice_action_filters now take an additional
argument specifying the action that has been determined so far (Robin
Sommer). This allows the filter to decide to not change the current
action, if it so wishes.
- The new event notice_alarm(n: notice_info, action: NoticeAction) is
generated for every notice that results in an alarm (Robin Sommer).
- Tallying of notices is now done using a notice, which has type NoticeTally
(Robin Sommer).
- The new notice action filter alarm_always_notice specifies an action
of NOTICE_ALARM_ALWAYS (Vern Paxson).
- If the watchdog expires and Bro isn't generating a packet trace file,
the current packet is saved to "watchdog-pkt.pcap" (Robin Sommer).
- New boolean globals tcp_contents_deliver_all_{orig,resp} allow easy
requesting of content delivery for all TCP traffic in orig/resp directions
(Christian Kreibich).
- The new event udp_contents(u: connection, is_orig: bool, contents: string)
delivers the contents of UDP packets analogous to tcp_contents (Christian
Kreibich). The boolean globals udp_content_deliver_all_{orig,resp} and
tables udp_content_delivery_ports_{orig,resp} control for which ports
content is delivered, analogous to the globals that control tcp_contents.
- New option --set-seed=n sets the random number seed to n (Vern Paxson).
- Notices now report current time for remotely-received notices rather
than network time (Brian Tierney).
- Notices now include a tag es=<peer_description> any time a peer
description is defined, not just for remote notices (Robin Sommer).
- The global log_as_connection has been removed from icmp.bro, which now
only logs ICMP flows via the usual connection logging (Vern Paxson).
- The Destination variable $accept_state has been renamed $accept_input
to better reflect its meaning (Vern Paxson).
- A remote destination's $sync field now indicates whether to accept
ongoing state changes from peers, rather than just upon start-up
(Robin Sommer). The variable $accept_state controls whether we
accept events.
- Logging of forms of Bro communication has been unified (Robin Sommer).
- Updates for packet filtering documentation (Christian Kreibich).
- A new global, stp_skip_src, lists sources that should be skipped for
stepping-stone analysis (Vern Paxson). ssh-stepping.bro adds sources to
this list if they've instantiated more than src_fanout_no_stp_analysis_thresh
connections, keeping them blocked until they've been idle for 15 seconds.
- Added a default notice-policy.bro as an example (Brian Tierney).
- Expanded on descriptive text in notice-policy.bro (Vern Paxson).
- ef removed from aux/hf/, as it's of little use and a headache to
maintain for portability (Vern Paxson).
- The version of libpcap bundled with the distribution has been
elevated to 0.8.3 (Jason Lee).
- Bro now compiles again if non-blocking DNS is not available (Robin Sommer).
- Resource statistics logging now differentiates between offline
processing vs. remote-communication-only (Mark Dedlow and Robin Sommer).
- The script variable ICMP::distinct_pairs now times out its state,
with a default of 15 minutes after creation (Robin Sommer).
- The Bro version reported now includes "-debug" if Bro was configured
with --enable-debug (Robin Sommer).
- scan.bro now defaults "shut_down_all_scans" to T, meaning it by
default detects scans on all ports, not just those in the set
shut_down_scans (Vern Paxson). Please note, this variable is
misnamed - it should be "detect_all_scans" - but that change is
waiting on reworking the basic structure of scan detection.
- Major bugfix for signature matcher missing matches on analyzer data
(Robin Sommer). For example, a condition "http /foo/" would only have
match with the first URL in a connection, not subsequent ones. Fixing
this changes the calling sequence of the match_signatures() built-in to
take an additional final parameter, "clear", which, if set, resets the
matcher to its starting state prior to matching.
- Serious bug in regular expression matching - and hence signature engine -
fixed (Robin Sommer).
- Bug fix for formatting (via fmt()) of very long strings (Vern Paxson).
- Fixed mail_reports.sh to correctly find sendmail binary on various systems
(Brian Tierney).
- Numerous changes to Bro's internal string representation, and more
flexibility in how strings are rendered for display (Christian Kreibich).
- Pseudo-real-time now can be initialized using an optional argument
that corresponds to the degree of time compression (Robin Sommer).
For example, --pseudo-realtime=0.5 causes time to advance half as fast
as it would in real-time. The default value is 1.0; any value > 0 is
allowed.
- The SSH analyzer now looks for just linefeeds as line terminators when
extracting version strings, rather than carriage-return-line-feeds, to
match actual implementations rather than the RFC (suggested by Chema
Gonzalez).
- Playing back events from files now working again (Robin Sommer).
- Bro now uses current_time() rather than network_time to track the
modification time of variables, since network_time doesn't advance
when only receiving events (Robin Sommer).
- Bug fixes for IPv6 support, including processing UDP traffic
(which had been completely broken) and subtle interactions (actually,
lack thereof) between the connection compressor and IPv6 that
could lead to crashes (Vern Paxson).
- Portability tweaks for NetBSD, 64-bit Linux SuSe and FreeBSD 5.4
(Christian Kreibich, Jason Lee and Vern Paxson).
- Bug fix for IPv6 "::" constants that start with hex digits specified
using 0x (Vern Paxson).
- Calling the built-in terminate() function twice now has no additional
effect (Christian Kreibich). It used to terminate Bro abruptly, without
cleanly shutting down.
- Removed active.bro; use active_connection() + connection_record() instead
(Vern Paxson).
- Bro lite reports now work with rotated logs files (Brian Tierney)
- Bug fix for conditions such as "payload /^user/", which now work equivalent
to "payload /user/" (Robin Sommer).
- Tweaks to sensitive patterns in HTTP request URIs to reduce false
positives (Brian Tierney).
- Bug fixes for strip() built-in function (Holger Dreger).
- Memory leak in built-in function to_addr() fixed (Ruoming Pang).
- Bug fix for "hot" connections sometimes not having their notice tag
appearing in connection summaries (Robin Sommer).
- Bug fixes for IRC analysis (Vern Paxson and Robin Sommer).
- Syslogging now works if Bro is running in communication-only mode
i.e., live, but not reading a network interface (Robin Sommer).
- Bug fix to allow tuning of TRW parameters (Vern Paxson).
- Bug fixes for SSL analysis (Holger Dreger).
- Removed logic that inverted orig/resp in some scans (Vern Paxson).
- Lint & memory allocation tweaks (Vern Paxson).
- Bug fixes for inactivity timeouts (Robin Sommer).
- Bug fix for Bro Lite cron job (Jason Lee).
- When binding to a listening port for remote communication fails,
the port number is now reported (Robin Sommer).
- Some spurious reporting removed from configure output (Jason Lee).
- Fix for "weird"'s generated by connection compressor but not
recognized at the policy script level (Vern Paxson).
- Fixes for detecting content gaps and not matching previously delivered
data (Ruoming Pang).
- Bug fixes for TCP rewriter (Ruoming Pang).
- Bug fixes for crashes in SSL analyzer (Vern Paxson).
- Bug fix for avoiding busy-waiting when a communication child dies
(Robin Sommer).
- Bug fix for BiF's that use 'T' and 'F' in character constants
(Vern Paxson).
- Memory leak fixes (Robin Sommer, Christian Kreibich, Vern Paxson and
Ruoming Pang).
- The peer table for inter-Bro communication is now correctly indexed by a
peer_id (Robin Sommer).
- Bug fix for exchange of initial &synchronized state which could
prevent communication from entering main phase (Robin Sommer).
- Bug fix for propagating incremented table values derived from
a table's &default (Robin Sommer).
- Bug fixes for the POP3 analyzer when analyzing non-NUL-terminated strings
or bad base64 encodings (Vern Paxson).
- Updates for Bro's internal hash functions (Ruoming Pang).
- The debug and communication log files now comply with $BRO_LOG_SUFFIX
(Robin Sommer).
- Some internal debugging additions (Ruoming Pang).
- Internal cleanup regarding "const" strings (Ruoming Pang).
- A number of casts changed to use modern C++-style pointer casting
such as reinterpret_cast and static_cast (Ruoming Pang).
- Bug fixes for inter-Bro communication on 64-bit systems (Robin Sommer).
- Bug fixes for detecting errors for SSL connections (Robin Sommer).
- Potential null pointer dereference fixed (Robin Sommer).
- Inter-Bro communication is now more reliable in the presence of errors
(Robin Sommer).
- Performance enhancement for tracking values whose elements might
change (Robin Sommer).
- Fixes for peers having differing enum lists (Robin Sommer). This can
occur because they're running different scripts and which do different
redef +='s to add enum values.
- += now works for interval types (Vern Paxson).
- Bug fix for exchanging peer descriptions (Robin Sommer).
- Bug fix for processing multipart-MIME HTTP messages with content-length
headers (Ruoming Pang).
- Bug fix for failing to escape "'s in HTTP server replies (Robin Sommer).
- Bug fix for propagating increment operations on tables (Robin Sommer).
- Bug fixes for files (Robin Sommer): set open time to current time if
network time is not initialized; when deserializing files, prevent them
from being closed immediately due to reference-counting interaction.
- Bug fix to prevent reporting some scans twice (Robin Sommer).
- Bug fix for printing enum's (Christian Kreibich).
- When not configured with --enable debug, Bro now still accepts (yet ignores)
option -B (Robin Sommer).
- Serialization enhancements and fixes, including a change of the
protocol version number (Robin Sommer).
- Bug fix for logging inter-Bro communication (Robin Sommer).
- Bug fixes for enumerating attributes and timers (Robin Sommer).
- Bug fix for signatures matching first on one side of the connection,
and then on the other, being reported twice (Robin Sommer).
- Inter-Bro communication now continues to work even when packet processing
has been suspended (Robin Sommer).
- Fix for running multiple Bro's together in pseudo-realtime (Robin Sommer).
- Tweak to print-resources.bro so it can be loaded standalone (Vern Paxson).
- Bug fix for &persistent state not being save if Bro wasn't running
with an input source (Robin Sommer).
- Bug fix for which process ID to check to see if children are still alive
(Robin Sommer).
- Bug fix for no longer crashing if the expiration function associated
with a table deletes the element from the table rather than returning
an interval of 0 secs to indicate it should be deleted (Chema Gonzalez).
- Bug fix for OutboundTFTP notice: now checks to ensure that not only is
the source local, but the destination is not local (Vern Paxson).
- Bug fix for a subtle interaction mediated by errno, which could cause a
failed read() to later confuse pcap_dispatch() (Chema Gonzalez).
- Bug fix for TCP contents assertion checking (Ruoming Pang).
- Bug fix for error output on small RPC fragments (Ruoming Pang).
- Fix for connection compressor bug in tracking connection history
(Robin Sommer).
- Bug fix for potential floating point exception in signature engine's
resource-profiling code (Robin Sommer).
- Bug fix for low-level List data structure when replacing a list element
beyond the end of a list (Robin Sommer).
- Bug fix in initializing capabilities when setting up communication between
Bro peers (Robin Sommer).
- A number of connection compressor bug fixes: weird's for spontaneous
FINs and RSTs, consistent processing of "connections" that begin with
RSTs, correct checksum computations, and weird's printed to stderr if
no event handler defined (Robin Sommer).
- load_sample_freq is now &redef (Vern Paxson).
- Bug fix for backdoor detector incorrectly matching substrings (Vern Paxson).
- Bug fix for canceling timers sometimes failing to cancel all of
them (Robin Sommer).
- Error handling during un-serialization now handled more robustly
(Robin Sommer).
- Bug fix for division by zero if expensive_profiling_multiple
set to zero (Robin Sommer).
- Bug fix for connection logs failing to track all of the annotation
($addl) associated with a connection (Vern Paxson).
- Portability fix for BinPAC (Ruoming Pang).
- Fix to NFS analyzer for missing values in events reporting failed requests
(Vern Paxson).
- autogen.sh now aborts as soon as one of the tools it invokes fails
(Christian Kreibich).
- Fixed bug where not having SSL would cause bro to not compile (Jason Lee).
- State-holding fix for adu.bro (Christian Kreibich).
- A number of configuration tweaks (Craig Leres & Christian Kreibich).
- Fix for sig-functions.bro: checks isApache* functions, which ensure
that Apache is indeed in the software set before accessing the index
(Brian Tierney and Robin Sommer).
- Smith-Waterman fixes and test suite script (Christian Kreibich).
More information about the Bro
mailing list