From 8a6e7e8036c78d2b445e89791fb346c1fa2917aa Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 23 Oct 2013 16:04:03 -0500 Subject: [PATCH 1/3] Add NEWS about new features of broctl and upgrade info --- NEWS | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/NEWS b/NEWS index 5a97c2e4a3..f4ec88ad83 100644 --- a/NEWS +++ b/NEWS 
@@ -236,6 +236,35 @@ New Functionality To use CPU pinning, a new per-node option ``pin_cpus`` can be specified in node.cfg if the OS is either Linux or FreeBSD. +- BroControl now returns useful exit codes. Most BroControl commands + return 0 if everything was OK, and 1 otherwise. However, there are + a few exceptions. The "status" and "top" commands return 0 if all Bro + nodes are running, and 1 if not all nodes are running. The "cron" + command always returns 0 (but it still sends email if there were any + problems). Any command provided by a plugin always returns 0. + +- BroControl now has an option "env_vars" to set Bro environment variables. + The value of this option is a comma-separated list of environment variable + assignments (e.g., "VAR1=value, VAR2=another"). The "env_vars" option + can apply to all Bro nodes (by setting it in broctl.cfg), or can be + node-specific (by setting it in node.cfg). Environment variables in + node.cfg have priority over any specified in broctl.cfg. + +- BroControl now supports load balancing with PF_RING while sniffing + multiple interfaces. Rather than assigning the same PF_RING cluster ID + to all workers on a host, cluster ID assignment is now based on which + interface a worker is sniffing (i.e., all workers on a host that sniff + the same interface will share a cluster ID). This is handled by + BroControl automatically. + +- BroControl has several new options: MailConnectionSummary (for + disabling the sending of connection summary report emails), + MailAlarmsInterval (for specifying a different interval to send alarm + summary emails), CompressCmd (if archived log files will be compressed, + this specifies the command that will be used to compress them), + CompressExtension (if archived log files will be compressed, this + specifies the file extension to use). + - BroControl comes with its own test-suite now. ``make test`` in ``aux/broctl`` will run it. 
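Review bot: the exit-code entry in this NEWS hunk should say plainly that callers cannot use the exit status of "cron" or of any plugin-provided command to detect failures, since both always return 0 regardless of outcome; a sentence such as "Scripts wrapping broctl should check the output or the generated email for these commands rather than the exit code" would make that explicit. The "status" and "top" semantics also deserve a caveat: returning 1 when not all nodes are running means a wrapper cannot distinguish "a node is stopped" from "the command itself failed". Finally, the CompressCmd and CompressExtension entries give no default values; stating them, or pointing to the broctl.cfg option reference, would help readers decide whether they need to set them.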
@@ -362,6 +391,14 @@ Changed Functionality - We removed the BitTorrent DPD signatures pending further updates to that analyzer. +- In previous versions of BroControl, running "broctl cron" would create + a file ``$prefix/logs/stats/www`` (where "$prefix" indicates the + installation prefix of Bro). Now, it is created as a directory. + Therefore, if you perform an upgrade install and you're using BroControl, + then you may see an email (generated by "broctl cron") containing an + error message: "error running update-stats". To fix this problem, + either remove that file (it is not needed) or rename it. + Bro 2.1 ======= From 72a4a9041685b07338cda50f45cf482825d36143 Mon Sep 17 00:00:00 2001 
From: Daniel Thayer Date: Wed, 23 Oct 2013 16:36:14 -0500 Subject: [PATCH 2/3] Add more script package README files The text from these README files appears on the "Bro Script Packages" page after building the documentation. --- scripts/base/files/extract/README | 1 + scripts/base/files/hash/README | 1 + scripts/base/files/unified2/README | 1 + scripts/base/frameworks/logging/postprocessors/README | 1 + scripts/base/frameworks/reporter/README | 2 ++ scripts/base/frameworks/signatures/README | 4 ++++ scripts/base/frameworks/sumstats/plugins/README | 1 + scripts/policy/frameworks/intel/seen/README | 1 + scripts/policy/misc/app-stats/plugins/README | 1 + scripts/policy/tuning/README | 1 + 10 files changed, 14 insertions(+) create mode 100644 scripts/base/files/extract/README create mode 100644 scripts/base/files/hash/README create mode 100644 scripts/base/files/unified2/README create mode 100644 scripts/base/frameworks/logging/postprocessors/README create mode 100644 scripts/base/frameworks/reporter/README create mode 100644 scripts/base/frameworks/signatures/README create mode 100644 scripts/base/frameworks/sumstats/plugins/README create mode 100644 scripts/policy/frameworks/intel/seen/README create mode 100644 scripts/policy/misc/app-stats/plugins/README create mode 100644 scripts/policy/tuning/README diff --git a/scripts/base/files/extract/README b/scripts/base/files/extract/README new file mode 100644 index 0000000000..1a2116a9e0 --- /dev/null +++ b/scripts/base/files/extract/README @@ -0,0 +1 @@ +Support for extracing files with the file analysis framework. diff --git a/scripts/base/files/hash/README b/scripts/base/files/hash/README new file mode 100644 index 0000000000..855a30effe --- /dev/null +++ b/scripts/base/files/hash/README @@ -0,0 +1 @@ +Support for file hashes with the file analysis framework. diff --git a/scripts/base/files/unified2/README b/scripts/base/files/unified2/README new file mode 100644 index 0000000000..08b5014db6 --- /dev/null 
+++ b/scripts/base/files/unified2/README @@ -0,0 +1 @@ +Support for Unified2 files in the file analysis framework. diff --git a/scripts/base/frameworks/logging/postprocessors/README b/scripts/base/frameworks/logging/postprocessors/README new file mode 100644 index 0000000000..33fb4e5462 --- /dev/null +++ b/scripts/base/frameworks/logging/postprocessors/README @@ -0,0 +1 @@ +Support for postprocessors in the logging framework. diff --git a/scripts/base/frameworks/reporter/README b/scripts/base/frameworks/reporter/README new file mode 100644 index 0000000000..0a0bd9334f --- /dev/null +++ b/scripts/base/frameworks/reporter/README @@ -0,0 +1,2 @@ +This framework is intended to create an output and filtering path for +internally generated messages/warnings/errors. diff --git a/scripts/base/frameworks/signatures/README b/scripts/base/frameworks/signatures/README new file mode 100644 index 0000000000..fd45cd3a19 --- /dev/null +++ b/scripts/base/frameworks/signatures/README @@ -0,0 +1,4 @@ +The signature framework provides for doing low-level pattern matching. While +signatures are not Bro's preferred detection tool, they sometimes come in +handy and are closer to what many people are familiar with from using +other NIDS. diff --git a/scripts/base/frameworks/sumstats/plugins/README b/scripts/base/frameworks/sumstats/plugins/README new file mode 100644 index 0000000000..4c4f36a623 --- /dev/null +++ b/scripts/base/frameworks/sumstats/plugins/README @@ -0,0 +1 @@ +Plugins for the summary statistics framework. diff --git a/scripts/policy/frameworks/intel/seen/README b/scripts/policy/frameworks/intel/seen/README new file mode 100644 index 0000000000..e06a869125 --- /dev/null +++ b/scripts/policy/frameworks/intel/seen/README @@ -0,0 +1 @@ +Scripts that send data to the intelligence framework. diff --git a/scripts/policy/misc/app-stats/plugins/README b/scripts/policy/misc/app-stats/plugins/README new file mode 100644 index 0000000000..cb2e04d8ba --- /dev/null 
+++ b/scripts/policy/misc/app-stats/plugins/README @@ -0,0 +1 @@ +Plugins for AppStats. diff --git a/scripts/policy/tuning/README b/scripts/policy/tuning/README new file mode 100644 index 0000000000..9f04f71108 --- /dev/null +++ b/scripts/policy/tuning/README @@ -0,0 +1 @@ +Miscellaneous tuning parameters. From 0b5c1a1f2883df3d8ac365e6cff5f9cfa94b2312 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 24 Oct 2013 10:23:17 -0500 Subject: [PATCH 3/3] Add gawk to list of optional packages BSD and debian-based Linux do not include gawk by default. Noticed that a test was failing on these platforms due to the use of a bro-cut option that requires gawk. --- doc/install/install.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/install/install.rst b/doc/install/install.rst index 86e92c23c6..a4bd51d29e 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -97,6 +97,7 @@ build time: * LibGeoIP (for geo-locating IP addresses) * sendmail (enables Bro and BroControl to send mail) + * gawk (enables all features of bro-cut) * gperftools (tcmalloc is used to improve memory and CPU usage) * ipsumdump (for trace-summary; http://www.cs.ucla.edu/~kohler/ipsumdump) * Ruby executable, library, and headers (for Broccoli Ruby bindings)
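Review bot: in the second NEWS hunk of patch 1/3 (the ``$prefix/logs/stats/www`` entry), the fix instructions end at "either remove that file (it is not needed) or rename it"; add that the next "broctl cron" run will then create the directory, so readers know no further step is required, and quote the full error text users will see in the email if "error running update-stats" is only a fragment of it.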
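Review bot: the scripts/base/files/extract/README hunk in patch 2/3 has a typo, "extracing" for "extracting"; the line should read "Support for extracting files with the file analysis framework." Since these README files are rendered on the "Bro Script Packages" documentation page, as the commit message notes, the typo will be user-visible and should be fixed before merge.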
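Review bot: in the doc/install/install.rst hunk of patch 3/3, "* gawk (enables all features of bro-cut)" does not tell the reader which bro-cut features need gawk. The commit message says the failing test was caused by one specific bro-cut option requiring gawk, so naming that option in the entry (and having bro-cut report a clear error when gawk is missing instead of failing silently) would let users on BSD and Debian-based systems decide whether they need the package.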