diff --git a/CHANGES b/CHANGES index 1fcbac23dc..88b92a66ab 100644 --- a/CHANGES +++ b/CHANGES @@ -1,8 +1,15 @@ -2.2-beta-143 | 2013-10-24 14:01:21 -0700 +2.2-beta-148 | 2013-10-24 14:34:35 -0700 - * Intel framework notes added to NEWS (Seth Hall) + * Add gawk to list of optional packages. (Daniel Thayer) + * Add more script package README files. (Daniel Thayer) + + * Add NEWS about new features of BroControl and upgrade info. + (Daniel Thayer) + + * Intel framework notes added to NEWS. (Seth Hall) + * Temporary OSX Mavericks libc++ issue workaround for getline() problem in ASCII reader. (Bernhard Amann) diff --git a/NEWS b/NEWS index 7b1034bd89..d36febddcf 100644 --- a/NEWS +++ b/NEWS @@ -15,22 +15,22 @@ New Functionality for feeding data into the framework to be matched against the data available. It also provides a function named ``Intel::match`` which makes any hits on intelligence data available to the - scripting language. + scripting language. Using input framework, the intel framework can load data from text files. It can also update and add data if changes are - made to the file being monitored. Files to monitor for - intelligence can be provided by redef-ing the + made to the file being monitored. Files to monitor for + intelligence can be provided by redef-ing the ``Intel::read_files`` variable. - The intel framework is cluster-ready. On a cluster, the + The intel framework is cluster-ready. On a cluster, the manager is the only node that needs to load in data from disk, the cluster support will distribute the data across a cluster automatically. - Scripts are provided at ``policy/frameworks/intel/seen`` that + Scripts are provided at ``policy/frameworks/intel/seen`` that provide a broad set of sources of data to feed into the intel - framwork to be matched. + framwork to be matched. - A new file analysis framework moves most of the processing of file content from script-land into the core, where it belongs. See 
@@ -75,7 +75,7 @@ New Functionality information from many independent monitoring points (including clusters). It provides a transparent, easy-to-use user interface, and can optionally deploy a set of probabilistic data structures for - memory-efficient operation. The framework is located in + memory-efficient operation. The framework is located in ``scripts/base/frameworks/sumstats``. A number of new applications now ship with Bro that are built on top @@ -86,7 +86,7 @@ New Functionality Bro versions <2.0; it's now back, but quite different). * Tracerouter detector: ``policy/misc/detect-traceroute.bro`` - + * Web application detection/measurement: ``policy/misc/app-stats/*`` 
@@ -258,6 +258,35 @@ New Functionality To use CPU pinning, a new per-node option ``pin_cpus`` can be specified in node.cfg if the OS is either Linux or FreeBSD. +- BroControl now returns useful exit codes. Most BroControl commands + return 0 if everything was OK, and 1 otherwise. However, there are + a few exceptions. The "status" and "top" commands return 0 if all Bro + nodes are running, and 1 if not all nodes are running. The "cron" + command always returns 0 (but it still sends email if there were any + problems). Any command provided by a plugin always returns 0. + +- BroControl now has an option "env_vars" to set Bro environment variables. + The value of this option is a comma-separated list of environment variable + assignments (e.g., "VAR1=value, VAR2=another"). The "env_vars" option + can apply to all Bro nodes (by setting it in broctl.cfg), or can be + node-specific (by setting it in node.cfg). Environment variables in + node.cfg have priority over any specified in broctl.cfg. + +- BroControl now supports load balancing with PF_RING while sniffing + multiple interfaces. Rather than assigning the same PF_RING cluster ID + to all workers on a host, cluster ID assignment is now based on which + interface a worker is sniffing (i.e., all workers on a host that sniff + the same interface will share a cluster ID). This is handled by + BroControl automatically. + +- BroControl has several new options: MailConnectionSummary (for + disabling the sending of connection summary report emails), + MailAlarmsInterval (for specifying a different interval to send alarm + summary emails), CompressCmd (if archived log files will be compressed, + this specifies the command that will be used to compress them), + CompressExtension (if archived log files will be compressed, this + specifies the file extension to use). + - BroControl comes with its own test-suite now. ``make test`` in ``aux/broctl`` will run it. 
@@ -384,6 +413,14 @@ Changed Functionality - We removed the BitTorrent DPD signatures pending further updates to that analyzer. +- In previous versions of BroControl, running "broctl cron" would create + a file ``$prefix/logs/stats/www`` (where "$prefix" indicates the + installation prefix of Bro). Now, it is created as a directory. + Therefore, if you perform an upgrade install and you're using BroControl, + then you may see an email (generated by "broctl cron") containing an + error message: "error running update-stats". To fix this problem, + either remove that file (it is not needed) or rename it. + Bro 2.1 ======= diff --git a/VERSION b/VERSION index e4bfeb18bc..8577f33ef0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.2-beta-143 +2.2-beta-148 diff --git a/doc/install/install.rst b/doc/install/install.rst index 86e92c23c6..a4bd51d29e 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -97,6 +97,7 @@ build time: * LibGeoIP (for geo-locating IP addresses) * sendmail (enables Bro and BroControl to send mail) + * gawk (enables all features of bro-cut) * gperftools (tcmalloc is used to improve memory and CPU usage) * ipsumdump (for trace-summary; http://www.cs.ucla.edu/~kohler/ipsumdump) * Ruby executable, library, and headers (for Broccoli Ruby bindings) diff --git a/scripts/base/files/extract/README b/scripts/base/files/extract/README new file mode 100644 index 0000000000..1a2116a9e0 --- /dev/null +++ b/scripts/base/files/extract/README @@ -0,0 +1 @@ +Support for extracing files with the file analysis framework. diff --git a/scripts/base/files/hash/README b/scripts/base/files/hash/README new file mode 100644 index 0000000000..855a30effe --- /dev/null +++ b/scripts/base/files/hash/README @@ -0,0 +1 @@ +Support for file hashes with the file analysis framework. diff --git a/scripts/base/files/unified2/README b/scripts/base/files/unified2/README new file mode 100644 index 0000000000..08b5014db6 --- /dev/null 
+++ b/scripts/base/files/unified2/README @@ -0,0 +1 @@ +Support for Unified2 files in the file analysis framework. diff --git a/scripts/base/frameworks/logging/postprocessors/README b/scripts/base/frameworks/logging/postprocessors/README new file mode 100644 index 0000000000..33fb4e5462 --- /dev/null +++ b/scripts/base/frameworks/logging/postprocessors/README @@ -0,0 +1 @@ +Support for postprocessors in the logging framework. diff --git a/scripts/base/frameworks/reporter/README b/scripts/base/frameworks/reporter/README new file mode 100644 index 0000000000..0a0bd9334f --- /dev/null +++ b/scripts/base/frameworks/reporter/README @@ -0,0 +1,2 @@ +This framework is intended to create an output and filtering path for +internally generated messages/warnings/errors. diff --git a/scripts/base/frameworks/signatures/README b/scripts/base/frameworks/signatures/README new file mode 100644 index 0000000000..fd45cd3a19 --- /dev/null +++ b/scripts/base/frameworks/signatures/README @@ -0,0 +1,4 @@ +The signature framework provides for doing low-level pattern matching. While +signatures are not Bro's preferred detection tool, they sometimes come in +handy and are closer to what many people are familiar with from using +other NIDS. diff --git a/scripts/base/frameworks/sumstats/plugins/README b/scripts/base/frameworks/sumstats/plugins/README new file mode 100644 index 0000000000..4c4f36a623 --- /dev/null +++ b/scripts/base/frameworks/sumstats/plugins/README @@ -0,0 +1 @@ +Plugins for the summary statistics framework. diff --git a/scripts/policy/frameworks/intel/seen/README b/scripts/policy/frameworks/intel/seen/README new file mode 100644 index 0000000000..e06a869125 --- /dev/null +++ b/scripts/policy/frameworks/intel/seen/README @@ -0,0 +1 @@ +Scripts that send data to the intelligence framework. diff --git a/scripts/policy/misc/app-stats/plugins/README b/scripts/policy/misc/app-stats/plugins/README new file mode 100644 index 0000000000..cb2e04d8ba --- /dev/null 
+++ b/scripts/policy/misc/app-stats/plugins/README @@ -0,0 +1 @@ +Plugins for AppStats. diff --git a/scripts/policy/tuning/README b/scripts/policy/tuning/README new file mode 100644 index 0000000000..9f04f71108 --- /dev/null +++ b/scripts/policy/tuning/README @@ -0,0 +1 @@ +Miscellaneous tuning parameters.
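Review bot: the NEWS hunk at `@@ -15,22 +15,22 @@` rewrites the line `framwork to be matched.` only to strip trailing whitespace and leaves the typo in place; since the line is already being touched, change it to `framework to be matched.` in the same commit rather than carrying the misspelling into the 2.2 release notes.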
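Review bot: the new "env_vars" and "CompressCmd" entries in the NEWS hunk at `@@ -258,6 +258,35 @@` describe values that end up in process execution but leave their parsing unspecified. For "env_vars", the example `"VAR1=value, VAR2=another"` does not say how a value that itself contains a comma or whitespace is handled, whether assignments are split on a bare comma, and whether a malformed entry is rejected or silently dropped; for "CompressCmd", the entry should state how the configured command is invoked and what the default is when the option is unset. In the exit-code paragraph, the statement that "Any command provided by a plugin always returns 0" deserves an explicit warning that scripts wrapping plugin commands cannot rely on the exit status to detect failure.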
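Review bot: the upgrade note in the NEWS hunk at `@@ -384,6 +413,14 @@` pushes a manual step onto every upgrading user ("either remove that file (it is not needed) or rename it") without saying what happens if they do not, i.e. whether "broctl cron" reports "error running update-stats" on every run until the stale `$prefix/logs/stats/www` file is gone. Either state that, or, preferably, have update-stats detect the leftover file and move it aside itself so the note becomes informational.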
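Review bot: the added line `* gawk (enables all features of bro-cut)` in `doc/install/install.rst` does not say which bro-cut features are unavailable without gawk, so a reader cannot decide whether the package is needed for their use; the parenthetical should name the affected functionality, as the neighbouring entries for LibGeoIP and ipsumdump do.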
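Review bot: the new file `scripts/base/files/extract/README` has a typo on its only line, `Support for extracing files with the file analysis framework.`; change "extracing" to "extracting" before this text is picked up by the generated script documentation.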