[Bro] Bro 1.4 release now available
Vern Paxson
vern at icir.org
Fri Oct 17 11:47:01 PDT 2008
Bro release 1.4 is now available from:
ftp://bro-ids.org/bro-1.4.tar.gz
This release includes significant new functionality as well as numerous
refinements and fixes, per the appended changelog entries.
Previous releases are available at http://www.bro-ids.org/download.html .
We do not anticipate making any further changes to them.
Vern
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1.4 Fri Oct 17 11:08:52 PDT 2008
- We are no longer supporting a previous Bro release as the "stable"
version. Rather, the model now is that the current public release will
aim for increasing stability (occasionally updated with fixes), and those
who wish to use a "bleeding-edge" snapshot can do so via access to the
public SVN source code repository, as explained at
http://bro-ids.org/wiki/index.php/Subversion#Public_Access
Note that all previous releases remain available from the download page;
what is changing is that we no longer commit to support for the most
recent of these.
- We have clarified the copyright statement that covers most of the
code to remove the "advertising clause" that derived from older
BSD licenses, and we have removed copyright wording from most source
code files. See COPYING for the current wording and a list of
files that retain their own copyright notices.
- Bro now supports analyzing NetFlow v5 data, i.e., from Cisco routers
(Bernhard Ager). NetFlow can be useful for intrusion detection as it
allows analysis of traffic from many different points in the network.
Bro can now read NetFlow data from a UDP socket, as well as (mostly
for debugging purposes) from a file in a specialized format. You can
create these files with the programs given in aux/nftools.
Command line switches:
-Y|--netflow <ip>:<prt>[=<id>] | read flow from socket
This is the usual way of getting NetFlow data into Bro by
opening a UDP socket on <ip>:<prt> and reading all incoming
packets. Setting the <ip> to 0.0.0.0 should work on most
platforms. Optionally you may set an identifier <id> for the
source - useful if there are many different sources you want
to analyze in parallel. This might also be necessary if you
want to use this feature with a clustered Bro.
Examples:
bro -Y 0.0.0.0:5555 netflow
bro -i eth0 -Y 10.0.0.1:1234=src1 brolite netflow
-y|--flowfile <file>[=<ident>]
Used to read from a file. You can optionally include an
identifier for the source.
Examples:
bro -y myflowfile netflow
bro -y myflowfile=src1 otherflowfile=src2 netflow
Netflow Events:
event netflow_v5_header(h: nf_v5_header)
Generated upon reading a new NetFlow PDU, as summarized in the
argument. The field h_id gives the flow source identifier and
a serial number. You can use this field to associate subsequent
netflow_v5_record events with their header.
event netflow_v5_record (r: nf_v5_record)
Every record within a NFv5 PDU generates a corresponding
netflow_v5_record() event. The relatively complex timestamp
format of NFv5 is already converted to Bro's time type, and
the TCP header flags are separated into bools.
The distribution includes an example analysis script, netflow.bro.
It simply dumps received NetFlow records. If netflow_restitch is T
(the default), then Bro performs flow restitching as well, and two
script variables become relevant:
global netflow_finished_conn_expire = 310 sec &redef;
specifies how long to wait for additional flow records after
a RST or FIN for
const netflow_table_expire = 31 min;
Its setting only affects table declarations, and therefore
cannot be usefully redef'd.
Auxiliary programs:
Bro uses a custom format for flow data stored in files,
to enable preserving timestamps of the PDU arrivals and the
exporter's IP address. The tools nfcollector and ftwire2bro
in aux/nftools/ provide ways to manipulate the Bro NF file
format. The first dumps NetFlow data from a UDP socket to
stdout or to a file in Bro format. The second converts NetFlow
data in "wire" format to Bro format, and, while doing so,
fakes up the exporter's IP address and timestamp. You can get
"wire" format from normal flow-tools files, e.g., by using
'flow-export -f 4'. Please note that the Bro format is just
a hack to allow for easier debugging. Therefore the format
is not in fact platform independent, and not suitable for data
storage.
- A new DHCP analyzer generates the following events (Po-Ching Lin):
event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr)
event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr,
event dhcp_request(c: connection, msg: dhcp_msg,
event dhcp_decline(c: connection, msg: dhcp_msg)
event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr,
event dhcp_nak(c: connection, msg: dhcp_msg)
event dhcp_release(c: connection, msg: dhcp_msg)
event dhcp_inform(c: connection, msg: dhcp_msg)
where dhcp_msg values look like:
type dhcp_msg: record {
op: count; # 1 = BOOTREQUEST, 2 = BOOTREPLY
m_type: count; # the type of DHCP message
xid: count; # transaction ID of a DHCP session
h_addr: string; # hardware address of the client
ciaddr: addr; # original IP address of the client
yiaddr: addr; # IP address assigned to the client
};
See dhcp.bro for the corresponding analysis script (which could
probably use some refinements).
Note, this analyzer is implemented using BinPAC, so you will need
to specify --use-binpac to activate it.
- A BitTorrent analyzer is now available (Nadi Sarrar). See the policy
scripts bittorrent.bro and bt-tracker.bro for the events generated for
analyzing transfers and tracker dialogs, respectively.
- The "Bro Lite" configuration is now deprecated and will not in
general be supported (Robin Sommer & Vern Paxson).
- "make install" now only installs a core set of files (Robin Sommer).
Policy files are now installed in <prefix>/share/bro/* (or whatever
configure determines $datadir to be), which is now in Bro's default
search path. It creates a directory <prefix>/share/bro/site for local
policy files, and the default BROPATH is extended to include this. The
default path no longer includes policy/local. You can install the
additional files used by the (now deprecated) "Bro Lite" configuration
using "make install-brolite".
- Substantial updates to Broccoli, including support for container
types (tables and sets) as well as a new metadata structure for event
callbacks, facilitating truly generic event handler implementations
(Christian Kreibich, Seth Hall and Robin Sommer). See aux/broccoli/ChangeLog
for details.
- Extensive changes to allow Bro to process packets captured in the
past intermingled with those captured in real-time (Matthias Vallentin
and Robin Sommer). This operation reflects combining Bro with use of
"Time Machine" functionality for packet capture.
- We have unfortunately had to disable support for configuring Bro
to use ClamAV, since it turns out that the key interface we need
for processing blocks of memory directly rather than whole files
is no longer supported by the package, and in fact was buggy even
when it was (Robin Sommer).
- The new signature option "http-body /<regexp>/" matches <regexp>
on the body data of HTTP entities (Robin Sommer). The matching is
done after decompressing the body, if necessary.
- The new built-in function identify_data(data: string, return_mime: bool)
analyzes the string "data" and returns its type according to libmagic,
if installed (Seth Hall). The second argument controls whether it should
be returned as a MIME-type or just an identifying string. For example,
identify_data("MZpofigu", F) returns the string "MS-DOS executable", and
print identify_data("MZpofigu", T) returns "application/x-dosexec".
- The new analysis script http-identified-files.bro identifies the
type of items returned by Web servers using libMagic (if available)
and generates notices for interesting types and mismatches between
URLs and types (Seth Hall).
You configure it using two variables. watched_mime_types is a pattern
(default /application\/x-dosexec/ | /application\/x-executable/ ) for
which any MIME type matching the pattern generates a HTTP_WatchedMIMEType
notice.
mime_types_extensions is a table mapping strings to patterns specifying
how URLs for the given MIME type should appear. (Ideally, this would
be a table mapping patterns to patterns, but Bro doesn't currently support
that.) It defaults to:
["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/
i.e., do Windows executables end in .exe or .dll.
You can also redef the pattern ignored_urls to specify URLs that should
not generate complaints. It defaults to matching Windows Update.
- The new script http-extract-items.bro extracts the items from HTTP
traffic into individual files (Vern Paxson). Files are named:
<prefix>.<n>.<orig-addr>_<orig-port>.<resp-addr>_<resp-port>.<is-orig>
where <prefix> is a redef'able prefix (default: "http-item"), <n> is a
number uniquely identifying the item, the next four are describe the
connection tuple, and <is-orig> is "orig" if the item was transferred
from the originator to the responder, "resp" otherwise.
- The workings of how Bro interfaces to external programs for dropping/
restoring connectivity of misbehaving hosts has been significantly
reworked (Brian Tierney and Robin Sommer).
First, dropping decisions used to be made directly by analyzer scripts,
such as scan.bro directly calling drop_address(). Now instead the
scripts generate Notices and then the notice policy can have an
action of NOTICE_DROP to codify that the response to the given Notice
is to drop the source. The new notice_action_filter of drop_source
drops the source of notices, and drop_source_and_terminate both
drops the source and terminates the corresponding connection.
So, to drop all sources triggering a specific notice, one can now, e.g.,
write:
redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source };
Related to this change, notice_info has a new field $dropped, set to
true if the Notice triggered a (successful) drop.
Second, by redef'ing Drop::use_catch_release to T (default F) you can
activate "catch-and-release" logic. You use this mode when you need to
manage a limited number of possible blocks, or to build in automatic
"forgiveness" in situations where blocked sources might become benign
(such as due to dynamic IP addresses). If a source has been idle for
Drop::drop_time, then it is unblocked. However, if it is again seen as
block-worthy, then it is blocked for an interval of Drop::long_drop_time.
Third, ICMP scanning is now reported by its own notice, ICMPAddressScan,
rather than Scan::AddressScan.
- Google's perftools have replaced mpatrol for leak-checking and
heap-profiling (Robin Sommer). If Bro is compiled with --enable-perftools
and configure finds the perftools, there are two command-line options
available:
-m turns on leak checking of the main packet loop, with some
uninteresting leaks are suppressed. Currently, with one
exception (the RPC analyzer; problem not yet found), it reports
no leaks when running the test suite.
-M turns on heap profiling: Bro will take a snapshot of the heap
before starting the main packet loop and another one when
finished. These snapshots can then be analyzed with pprof.
For more information about the perftools see
http://code.google.com/p/google-perftools
- Notice tags are now generated in a pseudo-unique fashion that, with high
probability, ensures that tags generated by separate Bro processes don't
clash when logged to a common location, such as for a Bro cluster (Robin
Sommer). Tags are now string's rather than count's, and are associated
with all notices, not just that are connection-related. You can however
redef the string notice_tag_prefix or the function new_notice_tag to
further control how such tags are generated.
- Four new built-ins for type conversion (Robin Sommer):
function double_to_interval(d: double): interval
function addr_to_count(a: addr): count
function port_to_count(p: port): count
function count_to_port(c: count, t: transport_proto): port
- Many policy scripts have been modified to use modules & scoping
(Robin Sommer and Matthias Vallentin), which may require updates to
existing scripts/refinements.
- The new script variable dpd_conn_logs (default F), if true, changes the
semantics of the service field in connection logs written to conn.log,
as follows (Robin Sommer). It becomes a comma-separated list of analyzers
confirmed by DPD to parse the connection's payload. If no analyzer could
confirm its protocol, but the connection uses a well-known port, the
service is the name of the port with "?" appended (e.g., "http?"), as
long as the corresponding analyzer has not declined the connection.
In addition, ftp-data sessions are labeled "ftp-data" and portmapper
connections are labeled with the specific method-call (just as before).
dpd_conn_logs defaults to F because the change in semantics may break
scripts that parse conn.logs; but it will likely change to the default
in the future. With dpd_conn_logs turned off, conn logs are generated
as they used to be, with a few rare exceptions (with previous versions,
the service field was sometimes determined while the connection was still
alive; now it's always determined at the time when the conn.log entry
is written out).
- The SSL analyzer has been rewritten using BinPAC, with a number of
robustness improvements (Tobias Kiesling). It currently is only used
if you execute with --use-binpac.
- Python bindings for Broccoli are now available in
aux/broccoli/bindings/python/ (Robin Sommer). See README/README.html
in that director for details.
- The new "auth" option in remote.bro indicates whether a given side is
considered "authoritative" for shared state, in which case it sends its
initial state to &sync'ed peers (Robin Sommer). When two peers synchronize
their state, one side sends its current set of state to the other as
soon as the remote connection is established. The one sending the state
used to be the one who has been running longer; now it can also be
explicitly set via the "auth" flag in the Remote::Destination.
- Two new tuning parameters for scan.bro (Robin Sommer):
ignore_scanners_threshold (default 0):
If a host has scanned more than this many hosts, it is completely
excluded from further scan detection. 0 disables.
addr_scan_trigger (default 0):
A host is only tracked for address scanning once it has contacted
this many different hosts. Primarily intended for using a two-stage
scan detection with a Bro cluster: first, each node searches locally
for scanners by looking for hosts contacting more than
addr_scan_trigger destinations. Those hosts which do are then
globally tracked throughout the cluster by &synchronizing the scan
detector tables.
- When Bro serializes functions, it now does so by default using only
their name, rather than their full value (Robin Sommer). This prevents
propagation of expiration functions associated with tables and sets.
Note, currently there is no mechanism provided to switch from the
default behavior, but the internal hooks are in place to do so.
- The new built-in variable trace_output_file gives the name of the -w
output trace file (Robin Sommer).
- Bro no longer installs new file rotation timers when shutting down
(Robin Sommer).
- The new policy scripts remote-print-id{,-reply}.bro support convenient
access to printing the identifiers of a remote Bro (Robin Sommer).
You use the script remote-print-id.bro to request and receive the
printing; the remote Bro must have loaded remote-print-id-reply.bro
in order to process the request.
Example use:
bro -e 'redef PrintID::dst="<dst>" PrintID::id="<name-of-id>"'
<other scripts> remote-print-id
- scan.bro has been heavily modified to better support distributed scan
analysis (Matthias Vallentin and Robin Sommer).
- The check for unused event handlers is now turned off by default
(Robin Sommer). To enable, use "redef check_for_unused_event_handlers = T".
- The new script drop.bro has been split off from scan.bro to isolate
the logic concerning dropping addresses to block scans (Robin Sommer).
- The new -l flag lists each script as it is loaded (Robin Sommer).
- Textual descriptions of identifiers now include their attributes
(Robin Sommer).
- The new predefined function prefixed_id() returns a session identifier with
its peer-ID prepended if it's associated with a remote Bro (Robin Sommer).
This is now used when generating writing log files.
- remote.bro now assigns a priority of -10 to its bro_init() event handler
to allow others a chance to modify destinations (Robin Sommer).
- A large number of BinPAC updates (Ruoming Pang and Robin Sommer).
- The new built-in type_name(v): string returns the name of the type
of the value v (Vern Paxson). For example, "typename(5.2)" returns
"double". This function is mainly for internal debugging (i.e.,
finding mismatches between values generated by the event engine
versus how their type is expected by the script layer).
- The new built-in str_shell_escape() does some basic escaping on strings
that will be passed to system() (Christian Kreibich). Note, this function
isn't ready (robust enough) for routine use, however.
- The new built-in disable_print_hook(file) acts the same as
the attribute &disable_print_hook (Robin Sommer).
- The new script terminate-connection.bro factors out the terminate_connection()
functionality that used to be in conn.bro (Robin Sommer).
- The new attribute &group=<tag> can be associated with event handlers
to group them together into a set that can be manipulated as a whole
(Robin Sommer). <tag> is a string reflecting the name given to the group.
The built-in enable_event_group(group: string) turns on all the analyzers
in a given group, and disable_event_group(group: string) deactivates them.
- The new attribute &raw_output applies to variables of type file, disabling
escaping of non-printable characters (Seth Hall).
- You can now iterate over the characters in a string value using
a "for" loop, e.g., "for ( c in str ) ..." (Robin Sommer).
- The new built-in
function cat_sep%(sep: string, def: string, ...%): string
works similarly to cat(), except that it (a) separates the values
by "sep" and (b) substitutes "def" for empty strings (Seth Hall).
- The function string_escape() now takes a string of characters to escape
rather than a single character (Robin Sommer). Each character in the
string is preceded by '\' in the return value (also any embedded '\'s,
as before).
- The new built-in function global_ids() returns a table of all global
identifiers along with associated information (Robin Sommer). The
return value has type table[string] of script_id, indexed by the name
of the identifier and yielding records with the following fields:
type script_id: record {
type_name: string;
exported: bool;
constant: bool;
enum_constant: bool;
redefinable: bool;
value: any &optional;
};
- The new script function find_last(str: string, re: pattern) returns
the last occurrence of the given pattern in the given string, or
an empty string if no match (Robin Sommer). Note that this function
returns the match that starts at the largest index in the string, which
is not necessarily the longest match. For example, a pattern of /.*/
will return just the final character in the string.
- The new script variable record_all_packets, if redef'd to T (default F),
instructs Bro to record every packet it processes (Robin Sommer).
Prior to introducing this variable, Bro applied a few heuristics to
reduce recording volume. Setting this variable also causes packets
to be recorded very early in processing, which can be helpful for
debugging crashes.
- If the new script flag ssl_log_ciphers is set to T (default), ssl.bro
logs the ciphers seen (Robin Sommer).
- Much more expanded Time Machine support, now located in
policy/time-machine/ (Robin Sommer),
- The new command line option --status-file <file> (alias -U) specifies
the name of a file into which Bro will write an indicator of its current
processing status (Robin Sommer). Possible values include "INITIALIZING",
"RUNNING", "TERMINATING", "TERMINATED".
- The new policy script targeted-scan.bro looks for repeated access from
the same source to the same server, to detect things like SSH
password-guessing attacks (Jim Mellander).
- The "alternative" style for printing strings (i.e., a fmt() argument
of "%As") now renders the raw string, other than escape-expanding
embedded NULs (Vern Paxson). This change may be temporary, pending
development of more fine-grained control over string rendering.
- For now we have removed the %S functionality for fmt() (Robin Sommer).
%S was meant to print "raw" strings, but later processing of such
printing still introduces artifacts.
- GeoIP information now includes latitude and longitude (Seth Hall).
- ssh.bro now supports the variable skip_processing_after_handshake
which directs the event engine to omit any further processing of an
SSH connection after its initial handshake (Seth Hall and Robin Sommer).
This can help with performance for large file transfers but precludes
some kinds of analyses (e.g., tracking connection size). This change
also adds a scope of "SSH".
- Email notification of notices now allows for separate destinations
depending on notice type (in particular, a regular mail destination
versus a pager destination), and also escapes the notice to prevent
injection attacks (Seth Hall and Robin Sommer).
- The new policy script conn-flood.bro is a simple connection-flooding
detector, mainly meant as a demonstration (Robin Sommer).
- A large number of additions to the TLS/SSL known-ciphers suite (Seth Hall).
- Serialization now uses 64-bit IDs to cache items rather than 32-bit,
for robustness during long-running execution (Robin Sommer).
- The new script variable tcp_max_initial_window specifies, for flows
for which ACKs have never been seen, the maximum volume of initial
data after which Bro will assume that it is seeing only one side
of the connection and will not buffer data for consistency checking
awaiting the later arrival of ACKs (Robin Sommer). It defaults to 4 KB.
(Note, this used to be an internal value, so the behavior is not new.)
Set to 0 to turn off this functionality and have Bro attempt to
track all such flows.
- The new script variable tcp_max_above_hole_without_any_acks specifies,
for flows for which ACKs have never been seen, the maximum volume of
data above a sequence hole that Bro will tolerate for a connection
before giving up on tracking the flow (Robin Sommer). It defaults to 4 KB.
(Note, this differs from tcp_max_initial_window in that this threshold
applies to sequence holes rather than the beginning of flows. Like
tcp_max_initial_window this used to be an internal value.) Set to 0 to
turn off this functionality.
- The new script variable tcp_excessive_data_without_further_acks specifies
a threshold similar to tcp_max_above_hole_without_any_acks, but for
flows for which Bro has seen ACKs (Robin Sommer). It defaults to 10 MB.
Set to 0 to turn off the functionality.
- Equal signs ("=") in text for notices are now escaped when using the
tagged format to keep them unambiguous from the "=" delimiters
(Robin Sommer).
- The final tallies for notices are now processed as NoticeTally
NOTICE's rather than directly alarm'd (Robin Sommer).
- WeirdActivity notices now include an associated connection when appropriate
(Robin Sommer).
- Support for large (> 2^32 bytes) pcap trace files (Po-Ching Lin).
- Scoped names ("...::...") are now allowed in signature "eval"
constructs (Christian Kreibich).
- scan.bro is now decoupled from conn.bro, i.e., you can @load the
latter without getting the former (Vern Paxson). As part of this
change, the logic to invoke TRW is now in scan.bro.
- weird.bro has been updated with a number of missing Weird's (Vern Paxson).
- If when using inter-Bro communication the child Bro process terminates,
it now also terminates the parent process (Robin Sommer).
- BinPAC analyzers now interoperate with DPD (Robin Sommer).
- Some http.bro processing options are now exported so they can be
accessed in other scripts (Robin Sommer).
- SMTP analysis now applies to port 587/tcp as well as 25/tcp (Robin Sommer).
- $conn is now set in ServerFound notices (Robin Sommer).
- You can now create empty sets and tables using set() and table(),
i.e., the usual set/table constructors with no arguments (Vern Paxson).
By themselves, these have an unspecified type - you can't use them
directly other than to assign them. For example,
local bad_guys: set[addr];
...
bad_guys = set(); # start over assuming no bad guys
- A number of scripts have been (slightly) simplified to use the
new empty set()/table() constructors (Vern Paxson). Note that
these still aren't usable for field assignments in record constructors,
nor for attributes like &default = ...
- Removed unused syntax for declaring sets based on a list of initial
values (Vern Paxson).
- set() and table() can now be used as arguments to function calls
(Vern Paxson).
- The vestigial &match attribute has been removed.
- POP3 is now recognized using Dynamic Protocol Detection (Seth Hall).
- The new event expected_connection_seen(c: connection, a: AnalyzerTag)
is generated whenever a connection is seen for which we have previously
scheduled an analyzer via expect_connection() (Robin Sommer).
- The new built-in capture_state_updates logs all changes applied to
&synchronized variables, in a fashion similar to the capture_events()
built-in (Robin Sommer). An accompanying policy script,
capture-state-updates.bro, turns this on to the file state-updates.bst.
- If the new script variable suppress_local_output is set (default: F),
Bro suppresses printing to local files if there's a receiver for
print_hook events (Robin Sommer). This option is however ignored
for files with a &disable_print_hook attribute.
- The new notice action filter function file_if_remote specifies
that notices from sent from remote source addresses should
have an action NOTICE_FILE (Robin Sommer).
- The new notice action filter function file_local_bro_notices specifies
that notices generated by the local Bro instance (as opposed to a
remote peer) should have an action NOTICE_FILE (Robin Sommer).
- An arbitrary tag can now be past to post-processors for log rotation
(Robin Sommer).
- Default inactivity timeouts for interactive services shortened to
1 hour (Robin Sommer).
- The scanning variables distinct_{peers,ports,low_ports} are now
redef'able (Robin Sommer).
- The new -S (--summary-only) option for site-report.pl directs to
only generate connection summaries (Brian Tierney)
- More useful default config file for edit-brorule.pl (Brian Tierney).
- Bro now includes a test suite in testing/istate/ for its "independent
state" functionality (Robin Sommer).
- Support for parallel builds via make -j (Christian Kreibich).
- Bro's default search path now includes includes policy/sigs/ and
policy/time-machine/ (Robin Sommer).
- Bro's internal processing of interprocess communication has been
significantly overhauled to prevent potentially fatal race conditions
(Robin Sommer).
- Bro now checks calls to fmt() at compile-time to ensure that the
correct number of arguments are present (Vern Paxson). This is useful
in addition to Bro's run-time checking for arguments matching their
corresponding format-specifiers in the case of rarely-executed statements
that might not generate such run-time checks in routine testing.
- The ports associated with Telnet and Rlogin are now redef'able (Robin Sommer).
- MIME processing now removes leading whitespace from MIME headers
(Sanmeet Bhatia and Robin Sommer).
- TCP "weird" events reported by the connection compressor now match
(other than a few rare corner-cases) those produced for normal TCP
processing (rmkml and Robin Sommer).
- Added Scan::suppress_UDP_scan_checks to control false positives
on scan detection in environments with P2P protocols that use UDP
(Vern Paxson).
- The internal analyzer interface now includes an EndOfData() method that
analyzers can use to report that all of a message has been delivered
(Robin Sommer).
- Fix for a significant memory leak in processing UDP when using -w
(Robin Sommer). Note: this change turns off by default trace rewriting
for generic UDP traffic.
- Two serious regular expression bugs fixed (Vern Paxson). In the
first, searching for a regular expression inside a string would
fail if the pattern occurred only after an embedded newline. In
the second, insufficient buffer was allocated when compiling regular
expressions, leading to memory corruption.
- Base64 decoding bug fixes (Christian Kreibich and Ruoming Pang).
- Automatic rotation of files is now disabled for contents files written
by the TCP reassembler, which otherwise leads to mangled files
(Robin Sommer).
- Bro now ships with an updated version of libpcap (0.9.8), which hopefully
fixes problems managing trace files > 4 GB in size.
- Significant bug fixes for gzip- and deflate-encoded Web items (Robin Sommer).
- Bug fix for secondary-filter.bro (Vern Paxson).
- Removed a naming ambiguity regarding TCP states (Vern Paxson).
- Bug fix for signature scanner not matching all of its input (Vern Paxson).
- Bug fix for using port values in signatures (Robin Sommer).
- Minor policy script tweaks: state management for weird's, processing
of Notice tags associated with connections, and dependencies for
irc-bot.bro (Robin Sommer).
- aux/ portability fixes (Vern Paxson).
- Workarounds added for a BinPAC deficiency, which is that code in %cleanup
clauses can also be executed during recovery from exceptions when parsing
new data. This means that any delete's or Unref()'s need to also set the
corresponding pointer to nil (Vern Paxson).
- Bug fix for crashes with the non-BinPAC SSL analyzer (Robin Sommer).
- Tweak to peer-status.bro since Bro now requires events to be
declared prior to reference in a "schedule" statement (Robin Sommer).
- The signature keyword "enable" now optionally accepts the syntax
"foo:bar" to specify "activate analyzer bar as a child of analyzer foo"
(Robin Sommer). This is used for example for an XML-over-HTTP analyzer
that's in the works.
- irc-bot-syslog.bro now uses open_log_file() for its log file (including
the logging suffix) rather than a direct open (Vern Paxson).
- Bug fix for tracking Blaster across a Bro Cluster (Robin Sommer).
- Bug fix for the HTTP BinPAC analyzer chopping the trailing character
off of HTTP headers when generating the http_all_headers event (Gregor Maier).
- Bug fix for HTTP chunked items for which the chunk size line was terminated
by CRLF but the CR and LF came in separate packets (Gregor Maier).
- A bug has been fixed that would cause partial lines (for line-oriented
protocols) to fail to be processed when a connection terminated
(Robin Sommer).
- Bro no longer treats a signal arriving before a previous signal has
been processed as fatal, nor does it attempt processing of a termination
signal if seemingly there are no race conditions to worry about
(Robin Sommer). Both of these changes are an attempt to improve
Bro's robustness.
- Fix for attributes such as &encrypt not working in initial declarations
but only in later redef's (Seth Hall and Robin Sommer).
- Fixes for memory leaks in SSL processing (Seth Hall and Robin Sommer).
- Fix for POP3 analyzer to not treat lines like "<space>." as message
terminators (Robin Sommer).
- Bug fix for crashes arising from nil pointers in list expressions
(Seth Hall and Robin Sommer).
- Bug fix: a signature's "enable" would activate the corresponding analyzer
even if no event handlers were defined for it (Robin Sommer).
- Bug fixes to prevent crashes when mixing set_contents_file() with
subsequent explicit close(), and to ensure all data written to
file upon connection tear-down (Gert Doering and Robin Sommer).
- Configuration support for MacPorts and Fink package management systems
(Christian Kreibich & Vern Paxson).
- Communication-only Bro's now send out email alarms (Robin Sommer).
- Writes to a file that fail due are now run-time errors rather than
fatal internal errors, since often these occur due to the disk
being full (Robin Sommer).
- Byte-order bug fix for lookup_location() (Robin Sommer).
- BinPAC portability fix for 64-bit machines (Bernhard Ager and Robin Sommer).
- Portability fixes for newer versions of gcc (Jan Gerrit Goebel and
Robin Sommer).
- Some support for porting to Solaris (Stephan Toggweiler).
- Connection compressor bug fix for source and destination having the
same IP address, such as when monitoring loopback (Robin Sommer).
- Connection compressor bug fix for connections with multiple SYNs
(Robin Sommer).
- Bug fix for using already-declared local variables for looping
over vectors in a "for" loop (Robin Sommer & Vern Paxson).
- Bug fix for not processing truncated UDP packets (Tom Kho and Robin Sommer).
- Bounds-check added to BinPAC-generated code (Tom Kho and Robin Sommer).
- Bug fix for checking whether an IPv6 address is part of a subnet
(Seth Hall).
- Bug fixes for crashes relating to asynchronous DNS lookups performed
at start-up (Robin Sommer). These changes also lowered the timeout
before assuming failure from 20 seconds down to 5 seconds.
- Portability and const-ness fixes (Kevin Lo and Robin Sommer).
- Suppression of some content-gap complaints when running on traces
that have been filtered down to only TCP control packets (Robin Sommer).
- Removed unnecessary dependency in notice-action-filters.bro
that led to errors when loading icmp.bro by itself (Vern Paxson).
- Bug fix for potential infinite loop in client communiation (Robin Sommer).
- Bug fix in reference counting that could eventually lead to roll-over
(Robin Sommer).
- Bug fix in communication initialization (Robin Sommer).
- Internal documentation fix: timers are specified using absolute time,
not relative (Robin Sommer).
- Performance improvement for built-in find_all() function when running
on large strings (Robin Sommer).
- Memory leak fixes (Robin Sommer, Bernhard Ager, Christian Kreibich).
- Bug fix for error recovery when encountering an unknown link layer
(Bernhard Ager).
- Bug fix for reversing client & server in a connection (Po-Ching Lin).
- Bug fix for packet_contents when capture length exceeds the IP payload
length due to Ethernet frame padding (Christian Kreibich).
- Bug fix for tcp_packet event erroneously including Ethernet padding
in its contents (Vern Paxson).
- Bug fix for lookup_connection built-in (Seth Hall).
- Portability nit for libedit tarball (Vern Paxson).
- Broccoli portability fix for NetBSD (Christoph Leuzinger).
- Type-checking for script-level event invocation was completedly broken -
now fixed (Vern Paxson).
- Portability fixes for different versions of g++/STL (Nicholas Weaver
and Vern Paxson).
- Fix for dynamic detection of SSL via DPD (Robin Sommer).
- IPv6 portability fix for BinPAC-based DNS analyzer (Vern Paxson).
Note, more portability work is needed for it.
- Bug fix for bifcl error messages (Vern Paxson).
- Minor bug fix for remote communication, plus some improved communication
logging (Robin Sommer).
- Bug fix for &printhook (Robin Sommer).
- Bug fix for error message output (Robin Sommer).
- Bug fix for termination cleanup (Robin Sommer).
- Bug fix for some Rlogin corner cases (Robin Sommer & Vern Paxson).
- Bug fix for bifcl generation of "interval" types (Vern Paxson).
- Bug fix for getting connection memory statistics when Bro is
exiting (Robin Sommer).
- Config fix: --enable-debug now turns off -O2 for gcc (Robin Sommer).
- Bug fixes for "heavy" analysis (Vern Paxson).
- Broccoli bug fixes for types net and port (Robin Sommer).
- Bug fixes for Telnet environment options (Robin Sommer).
- Bug fix for accessing remote peer description (Robin Sommer).
- A fix for the connection compressor generating new_connection too
late (Robin Sommer).
- Fixes for DAG support, including configuration and multiple
interfaces (Robin Sommer).
- Bug fix for serializing time-stamps of table entries (Robin Sommer).
- Bug fix for dealing with peer IDs for remote communication (Robin Sommer).
- Bug fix to avoid installing timers when timers have already
been canceled (Robin Sommer).
- Bug fix for interplay between serializing connections and
connection compressor (Robin Sommer).
- Memory leak fix for enum's (Robin Sommer).
- Bug fix for files being closed prior to bro_done() (Vern Paxson).
- aux/broccoli/contrib was not included in distribution (Robin Sommer).
- Auto-configuration bug fix for BinPAC (Craig Leres).
- Bug fix for dynamic protocol detection (Robin Sommer).
- A number of configuration fixes for installation and portability
(Christian Kreibich, Brian Tierney, Robin Sommer, Dan Kopecek).
More information about the Bro
mailing list