From BroWiki
Bro Version 1.3.2 - Released July 24 2007
- Bug fix for files being closed prior to bro_done() (Vern Paxson).
- aux/broccoli/contrib was not included in distribution (Robin Sommer).
- Auto-configuration bug fix for BinPAC (Craig Leres).
Bro Version 1.3.1 - Released July 19 2007
- Bug fix for dynamic protocol detection (Robin Sommer).
- Bug fix for zip-encoded Web items (Robin Sommer).
- Configuration fix for installation (Brian Tierney).
Bro Version 1.3 - Released July 16 2007
- The Bro manual has been wikified at:
http://www.bro-ids.org/wiki/index.php/User_Manual
and this is the format in which it will evolve in the future
(Christian Kreibich).
- Much more extensive support for SMB, NetBIOS and NCP (Chris Grier).
- The new attribute &priority=n defines the order of execution for handlers
of the same event (Robin Sommer). Handlers with higher priority are
executed first. n is an integer expression that must evaluate to a
constant when the script is loaded.
Example:
> cat foo.bro
event bro_init() &priority = -5 { print -5; }
event bro_init() &priority = 5 { print 5; }
event bro_init() { print 0; } # default priority=0
> ./bro foo.bro
5
0
-5
The connection_state_remove() handler in conn.bro now has priority
-10 and therefore executes after all other handlers for this event.
This fixes a long-standing problem of sometimes $addl fields not showing
up in connection summaries.
- The new expressions record(...), table(...), set(...) and vector(...)
are constructors for the corresponding aggregate types (Vern Paxson).
For example,
record($foo = "hi", $bar = -6)
is the same as the existing constructor
[$foo = "hi", $bar = -6]
For tables, sets, and vectors, the "..." values within the ()'s have
the same syntax as those that you can list in variable initializations.
For example,
table([1, T] = "black", [4, F] = "red")
returns a table of type "table[count, bool] of string".
set(4, 3, -1)
is a value of type "set[int]".
- You can associate attributes with table() and set() constructors
(Robin Sommer). For example:
local s = set(1.2.3.4) &read_expire = 5 secs;
associates a 5-second read expiration with the set assigned to s.
- Bro now explicitly supports port numbers reflecting a transport protocol
type of "unknown" (Christian Kreibich). Currently, this means "not TCP,
UDP or ICMP". The numerical value of such a port is the IP protocol,
so ranges from 0..255. For example:
global p: port = 0/unknown;
print fmt("%s", p);
print fmt("p is TCP? %s", get_port_transport_proto(p) == tcp);
print fmt("p is unknown? %s",
get_port_transport_proto(p) == unknown_transport);
yields
0/unknown
p is TCP? F
p is unknown? T
In comparisons of different protocol types, the following holds:
unknown < TCP < UDP < ICMP.
- If your system supports "GeoIP" (see http://www.maxmind.com/app/geolitecity
for a corresponding city database), then the new script function
lookup_location(a: addr): geo_location
returns a record of geographic information associated with an address
(Seth Hall). The geo_location record has $country_code, $region and
$city fields. If no information is available, each of these will be
set to empty strings.
If Bro hasn't been configured with GeoIP support, or if the address is
IPv6 that cannot be directly converted to IPv4, then Bro produces a
run-time error and likewise returns empty strings.
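An added example (not part of the release notes) of how a policy script would consume lookup_location(): it prints a geographic summary for the originator of each established connection and keeps a per-country tally. The all-empty record is treated as "no information", which, as described above, is also what an unconfigured or IPv6-only lookup yields. connection_established is Bro's standard event; the table name and the output format are assumptions of this example.

```bro
# Added example, not part of the Bro 1.3 release notes.
# Prints a one-line geographic summary per established connection and
# counts connections per country code.

global conns_by_country: table[string] of count &default = 0;

event connection_established(c: connection)
	{
	local orig = c$id$orig_h;
	local loc = lookup_location(orig);

	# Every field is "" when GeoIP has no entry for the address, when Bro
	# was built without GeoIP support, or when an IPv6 address could not
	# be mapped to IPv4.  All of these are treated uniformly as "unknown".
	if ( loc$country_code == "" )
		print fmt("%s: no GeoIP information", orig);
	else
		{
		++conns_by_country[loc$country_code];

		print fmt("%s -> %s/%s: %s/%s/%s (%d from this country so far)",
			orig, c$id$resp_h, c$id$resp_p,
			loc$country_code, loc$region, loc$city,
			conns_by_country[loc$country_code]);
		}
	}
```

Checking $country_code alone is enough to distinguish the "no information" case, since the function sets all three fields together.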
- Signature-matching on HTTP components now processes the URI with
escape sequences expanded (Robin Sommer). Ideally, there would be
two signature keywords, one for decoded URIs (corresponding to this
case) and one that allows matching against the URI as originally
transmitted.
- The connection compressor is no longer considered experimental, and
is used by default (Robin Sommer).
- The new function lookup_hostname(host: string): addr_set asynchronously
looks up the IPv4 address(es) of the given host via DNS (Robin Sommer).
Like lookup_addr(), this function can only be used within a "when"
statement.
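An added example (not from the release notes) showing the "when" pattern that lookup_hostname() requires: the body runs once the DNS answer arrives, and the timeout branch runs if it does not. The hostname is a constructed sample value, and the watched_addrs set and the second handler are assumptions of this example, not part of Bro's policy scripts.

```bro
# Added example, not part of the Bro 1.3 release notes.
# Resolves a hostname asynchronously at startup.  Because lookup_hostname()
# is asynchronous it may only appear in a "when" condition.

const watched_host = "www.example.com";   # constructed sample name
global watched_addrs: set[addr];

event bro_init()
	{
	when ( local addrs = lookup_hostname(watched_host) )
		{
		# addrs is an addr_set; iterate and remember every address.
		for ( a in addrs )
			{
			add watched_addrs[a];
			print fmt("%s resolves to %s", watched_host, a);
			}
		}
	timeout 10 secs
		{
		print fmt("DNS lookup for %s timed out", watched_host);
		}
	}

# Later handlers can consult the populated set; before the lookup has
# completed the set is simply empty, so nothing is reported.
event connection_established(c: connection)
	{
	if ( c$id$resp_h in watched_addrs )
		print fmt("connection to %s (%s)", c$id$resp_h, watched_host);
	}
```

The timeout branch matters in practice: without it a lookup that never completes leaves the script silently waiting, and with it the failure is at least visible in the output.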
- The new built-in
raw_bytes_to_v4_addr(s: string): addr
takes a string that points to at least 4 bytes, and returns an address
corresponding to interpreting these as being an IPv4 address in network
order (Vern Paxson; suggested by Mike Dopheide).
- Trace-rewriting support for DNS, SMB (Chris Grier).
- The new script function find_all(str: string, re: pattern): string_set
returns a string_set giving all occurrences of the pattern "re" in
the string "str" (Robin Sommer). (Note that string_set's are unordered.)
- The new policy script save-peer-status.bro generates a log
to peer_status.$BRO_LOG_SUFFIX of updates received from
communication peers (Robin Sommer).
- The policy script print-filter.bro now includes two (scoped) variables,
terminate_bro and to_file, which control whether to exit after printing
the filter (default T) and whether to write to the log file
pcap_filter.$BRO_LOG_SUFFIX or (default) to stdout (Robin Sommer).
- The new script variable check_for_unused_event_handlers controls whether
Bro checks for unused event handlers (Robin Sommer). It defaults to T,
which was the past behavior (always report).
- Bro now terminates if the only pending activity is future timers
(Robin Sommer). It used to wait for those timers to expire, but this
can cause fundamental problems if the timers are associated with table
management (since these might never completely drain).
- Tables and sets inside of records are now initialized to empty
values rather than uninitialized (Vern Paxson).
- A new variable allow_services_from (in hot.bro) complements the
existing allow_service_to variable (Brian Tierney). It specifies
that access to the given service from the given originator is
allowed.
- global_sizes() no longer reports internal variables (Robin Sommer).
- The IRC analyzer is now activated if any of the (many) IRC event
handlers are defined (Robin Sommer).
- The default value for tcp_close_delay is now 5 sec rather than 0 sec
(Robin Sommer). This prevents some spurious connection events.
- Improved logic for dealing with "reversed" connections such
as backscatter (Vern Paxson).
- You can now left-justify fields when using fmt() with "%-" like
in sprintf (Christian Kreibich).
- Updates to DNS query types (Larry Leviton).
- Added mechanism to http-header.bro to skip printing some HTTP headers
(Larry Leviton).
- The IrcHotWord notice now sets the associated connection (Robin Sommer).
- If a notice has a tag, it's no longer overridden (Robin Sommer).
- ServerFound notices now set the port field (Robin Sommer).
- The built-in lookup_ID() now returns the string "<unknown id>" if the
ID does not exist, rather than a run-time error (Robin Sommer).
- The new tuning option ProtocolDetector::suppress_servers specifies a
set of analyzers for which Bro generates ServerFound notices, but not
ProtocolFound (Robin Sommer). This both reduces log file size and
conserves memory.
- A new notice_action_filter, tally_notice_type_and_ignore, works the same
as tally_notice_type but returns IGNORE (Robin Sommer).
- Setting summary_interval == 0 disables the creation of irc-bots.summary.log
(Robin Sommer).
- If you @load foo and a directory "foo" is in your path, Bro no longer
tries to load it (Robin Sommer).
- A number of BinPAC fixes and enhancements (Ruoming Pang, Chris Grier
and Vern Paxson).
- BinPAC now resides in aux/binpac rather than src/binpac (Ruoming Pang
and Christian Kreibich). This reflects a decoupling of it from Bro so
that it can be used to generate protocol analyzers for other projects too.
- Removed example Inktomi entries from skip_scan_sources initialization,
since they no longer exist (Vern Paxson).
- The variable notice_once_per_orig_tally_interval is now
redef'able (Brian Tierney).
- SIGPROF to the communication child process now logs resource stats to
remote.log (Matthias Vallentin).
- The new built-in getpid(): count returns Bro's process ID (Robin Sommer).
- Patterns for detecting IRC-based bots updated (Robin Sommer).
- irc-bot-syslog now logs just bots, not all IRC client/servers (Robin Sommer).
- The new variable suppress_notice_actions in notice.bro suppresses
notice_actions events for selected notice types (Robin Sommer).
- Files opened during operation now rotate just like those opened at
startup (Robin Sommer).
- ResourceStats now also logs elapsed time and the reported number of
packets-on-the-link (Mark Dedlow).
- Printing a "file" value now produces its name (Robin Sommer).
- Removed deliberate truncation of payload in port 80 FIN packets
(Vern Paxson).
- remote.log now includes received peer_descriptions (Robin Sommer).
- Significant POP3 analyzer speed-ups (Vern Paxson).
- Updated README (Vern Paxson).
- Fix for "@load a" followed by "@load a.bro" not loading the same file
twice (Robin Sommer).
- Bug fixes for propagating state operations to uninitialized variables
and for spurious state inconsistency messages (Robin Sommer).
- Bug fix for sending final sync-points during pseudo-realtime mode
(Robin Sommer).
- Fix for possible buffer overflow (Christian Kreibich).
- Bug fix for spurious end-of-file's during inter-Bro communication
(Robin Sommer).
- Bug fix for dpd_match_only_beginning=F (Robin Sommer).
- Bug fix for updating timestamps (Christian Kreibich).
- Bug fix for skipping ADU processing in adu.bro (Christian Kreibich
and Zhichun Li).
- Fix for ICMPs that carry ICMP headers (or non-TCP/UDP/ICMP headers)
within them (Vern Paxson).
- Fix for files being rotated after the timer queue has been deleted
(Vern Paxson).
- Bug fix for signature-matching with IPv6 subnets (Vern Paxson).
- Bug fix for connection compressor setting connection origin (Robin Sommer).
- Bug fix for interconn.bro when processing peculiar connections (Vern Paxson).
- Fix for off-by-one buffer in sscanf call (Christian Kreibich).
- Fixed inefficiency/warning flagged by g++ (Vern Paxson).
- Bug fix for NUL string termination in SMB processing (Zhichun Li).
- Fix for over-ref'ing of file Val's (Vern Paxson).
- Fixes for some g++ warnings (Christian Kreibich, Vern Paxson).
- gcc 3.4.2 portability fixes (Robin Sommer).
- Minor build fixes for Broccoli, including a version bump to match that
of Bro. See aux/broccoli/ChangeLog for details.
- distcheck fixes (Christian Kreibich).
- Configuration portability fixes (Matthias Vallentin, Jean-philippe Luiggi).
- OpenBSD portability fixes (Jean-philippe Luiggi, Christian Kreibich).