From e3cc7aa48f04e1ea474bb5f67a88042c68505e19 Mon Sep 17 00:00:00 2001 From: Aaron Eppert Date: Wed, 18 Mar 2015 00:28:19 -0400 Subject: [PATCH 01/93] Seems to fix a case where an entry in the table may be null on insert. #0 0x0000000000713b87 in Dictionary::Insert (this=0x1339840, new_entry=0xb18a9d0, copy_key=0) at /root/psdev/bro/src/Dict.cc:419 #1 0x00000000007130b0 in Dictionary::Insert (this=0x1339840, key=0xa23f6d0, key_size=36, hash=658668102, val=0x67fde40, copy_key=0) at /root/psdev/bro/src/Dict.cc:158 #2 0x00000000006cb508 in Dictionary::Insert (this=0x1339840, key=0x7ffff4ba81b0, val=0x67fde40) at /root/psdev/bro/src/Dict.h:47 (gdb) print *this $59 = {_vptr.Dictionary = 0xaf7810, tbl = 0x215b400, num_buckets = 1347, num_entries = 3879, max_num_entries = 4042, den_thresh = 3, thresh_entries = 4041, tbl2 = 0x1afcc9e0, num_buckets2 = 2695, num_entries2 = 181, max_num_entries2 = 181, den_thresh2 = 3, thresh_entries2 = 8085, tbl_next_ind = 60, order = 0x133bfb0, delete_func = 0, cookies = { = {entry = 0x133d790, chunk_size = 10, max_entries = 10, num_entries = 0}, }} (gdb) print *tbl $60 = (DictEntryPList *) 0x0 --- src/Dict.cc | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/Dict.cc b/src/Dict.cc index cd7792b539..15ac1b48f7 100644 --- a/src/Dict.cc +++ b/src/Dict.cc @@ -416,13 +416,15 @@ void* Dictionary::Insert(DictEntry* new_entry, int copy_key) { DictEntry* entry = (*chain)[i]; - if ( entry->hash == new_entry->hash && - entry->len == n && - ! memcmp(entry->key, new_entry->key, n) ) - { - void* old_value = entry->value; - entry->value = new_entry->value; - return old_value; + if ( entry ) { + if ( entry->hash == new_entry->hash && + entry->len == n && + ! memcmp(entry->key, new_entry->key, n) ) + { + void* old_value = entry->value; + entry->value = new_entry->value; + return old_value; + } } } } From 2088928fb603d2671d57f5f6a300e3d4df591cb4 Mon Sep 17 00:00:00 2001 From: Aaron Eppert Date: Wed, 18 Mar 2015 11:15:38 -0400 Subject: [PATCH 02/93] A fatal error, especially in DEBUG, should result in a core. This issue is especially helpful in the case of the Val::CONVERTER error and having: "fatal error in : Val::CONVERTER ..." Nebulous error and sans location, it is extremely hard to figure out the culprit. Thus, if Bro is built DEBUG, fatal should provide a core. This subtle change prevents having to change FatalErrors to FatalErrorWithCore everywhere. --- src/Reporter.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Reporter.cc b/src/Reporter.cc index cd1aa09d4c..d138e23b88 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -88,7 +88,11 @@ void Reporter::FatalError(const char* fmt, ...) va_end(ap); set_processing_status("TERMINATED", "fatal_error"); +#ifdef DEBUG + abort(); +#else exit(1); +#endif // DEBUG } void Reporter::FatalErrorWithCore(const char* fmt, ...) @@ -393,4 +397,3 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out, if ( alloced ) free(alloced); } - From 8f3ded5e2d16d5fd2609a04aa05d1a9cd2664fb4 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Tue, 4 Aug 2015 15:46:24 +0200 Subject: [PATCH 03/93] Refactoring of Base64 functions. Base64Converter now uses a connection directly, instead of an analyzer redirecting to the underlying connection for reporting to Weird. The new built-in functions en-/decode_base64_intern make use of this to send encoding-errors to Weird instead of Reporter. According to the documentation, using the empty string as alphabet in the built-in functions, will use the default alphabet. Therefore the built-in functions can now use default arguments and en-/decode_base64_custom is deprecated. The tests have been updated accordingly. --- src/Base64.cc | 16 ++-- src/Base64.h | 19 ++-- src/analyzer/protocol/mime/MIME.cc | 10 +- src/bro.bif | 94 +++++++++++++++++-- testing/btest/Baseline/bifs.decode_base64/out | 8 ++ testing/btest/Baseline/bifs.encode_base64/out | 4 + testing/btest/bifs/decode_base64.bro | 8 ++ testing/btest/bifs/encode_base64.bro | 5 + 8 files changed, 136 insertions(+), 28 deletions(-) diff --git a/src/Base64.cc b/src/Base64.cc index 2ff858cad5..3644740c7e 100644 --- a/src/Base64.cc +++ b/src/Base64.cc @@ -82,7 +82,7 @@ int* Base64Converter::InitBase64Table(const string& alphabet) return base64_table; } -Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string& arg_alphabet) +Base64Converter::Base64Converter(Connection* arg_conn, const string& arg_alphabet) { if ( arg_alphabet.size() > 0 ) { @@ -98,7 +98,7 @@ Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string& base64_group_next = 0; base64_padding = base64_after_padding = 0; errored = 0; - analyzer = arg_analyzer; + conn = arg_conn; } Base64Converter::~Base64Converter() @@ -216,9 +216,9 @@ int Base64Converter::Done(int* pblen, char** pbuf) } -BroString* decode_base64(const BroString* s, const BroString* a) +BroString* decode_base64(const BroString* s, const BroString* a, Connection* conn) { - if ( a && a->Len() != 64 ) + if ( a && a->Len() != 0 && a->Len() != 64 ) { reporter->Error("base64 decoding alphabet is not 64 characters: %s", a->CheckString()); @@ -229,7 +229,7 @@ BroString* decode_base64(const BroString* s, const BroString* a) int rlen2, rlen = buf_len; char* rbuf2, *rbuf = new char[rlen]; - Base64Converter dec(0, a ? a->CheckString() : ""); + Base64Converter dec(conn, a ? a->CheckString() : ""); if ( dec.Decode(s->Len(), (const char*) s->Bytes(), &rlen, &rbuf) == -1 ) goto err; @@ -248,9 +248,9 @@ err: return 0; } -BroString* encode_base64(const BroString* s, const BroString* a) +BroString* encode_base64(const BroString* s, const BroString* a, Connection* conn) { - if ( a && a->Len() != 64 ) + if ( a && a->Len() != 0 && a->Len() != 64 ) { reporter->Error("base64 alphabet is not 64 characters: %s", a->CheckString()); @@ -259,7 +259,7 @@ BroString* encode_base64(const BroString* s, const BroString* a) char* outbuf = 0; int outlen = 0; - Base64Converter enc(0, a ? a->CheckString() : ""); + Base64Converter enc(conn, a ? a->CheckString() : ""); enc.Encode(s->Len(), (const unsigned char*) s->Bytes(), &outlen, &outbuf); return new BroString(1, (u_char*)outbuf, outlen); diff --git a/src/Base64.h b/src/Base64.h index d7e4384ac5..7214ba6f29 100644 --- a/src/Base64.h +++ b/src/Base64.h @@ -8,15 +8,16 @@ #include "util.h" #include "BroString.h" #include "Reporter.h" -#include "analyzer/Analyzer.h" +#include "Conn.h" // Maybe we should have a base class for generic decoders? class Base64Converter { public: - // is used for error reporting, and it should be zero when - // the decoder is called by the built-in function decode_base64() or encode_base64(). + // is used for error reporting. If it is set to zero, e.g. done by the + // built-in functions decode_base64() and encode_base64(), encoding-errors will + // go to Reporter instead of Weird. Usage-errors go to Reporter in any case. // Empty alphabet indicates the default base64 alphabet. - Base64Converter(analyzer::Analyzer* analyzer, const string& alphabet = ""); + Base64Converter(Connection* conn, const string& alphabet = ""); ~Base64Converter(); // A note on Decode(): @@ -42,8 +43,8 @@ public: void IllegalEncoding(const char* msg) { // strncpy(error_msg, msg, sizeof(error_msg)); - if ( analyzer ) - analyzer->Weird("base64_illegal_encoding", msg); + if ( conn ) + conn->Weird("base64_illegal_encoding", msg); else reporter->Error("%s", msg); } @@ -63,11 +64,11 @@ protected: int base64_after_padding; int* base64_table; int errored; // if true, we encountered an error - skip further processing - analyzer::Analyzer* analyzer; + Connection* conn; }; -BroString* decode_base64(const BroString* s, const BroString* a = 0); -BroString* encode_base64(const BroString* s, const BroString* a = 0); +BroString* decode_base64(const BroString* s, const BroString* a = 0, Connection* conn = 0); +BroString* encode_base64(const BroString* s, const BroString* a = 0, Connection* conn = 0); #endif /* base64_h */ diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index be10681266..f40e931299 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -1116,13 +1116,21 @@ void MIME_Entity::DecodeBase64(int len, const char* data) void MIME_Entity::StartDecodeBase64() { + analyzer::Analyzer* analyzer = message->GetAnalyzer(); + Connection* conn = 0; + if ( base64_decoder ) { reporter->InternalWarning("previous MIME Base64 decoder not released"); delete base64_decoder; } - base64_decoder = new Base64Converter(message->GetAnalyzer()); + if( analyzer ) + conn = analyzer->Conn(); + else + reporter->InternalWarning("no analyzer associated with MIME message"); + + base64_decoder = new Base64Converter(conn); } void MIME_Entity::FinishDecodeBase64() diff --git a/src/bro.bif b/src/bro.bif index 629abe7735..5a3a3ba759 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2723,14 +2723,51 @@ function hexstr_to_bytestring%(hexstr: string%): string ## Encodes a Base64-encoded string. ## -## s: The string to encode +## s: The string to encode. +## +## a: The custom alphabet. The empty string indicates the default alphabet. The +## length of *a* must be 64. For example, a custom alphabet could be +## ``"!#$%&/(),-.:;<>@[]^ `_{|}~abcdefghijklmnopqrstuvwxyz0123456789+?"``. ## ## Returns: The encoded version of *s*. ## -## .. bro:see:: encode_base64_custom decode_base64 -function encode_base64%(s: string%): string +## .. bro:see:: encode_base64_intern decode_base64 +function encode_base64%(s: string, a: string &default=""%): string %{ - BroString* t = encode_base64(s->AsString()); + BroString* t = encode_base64(s->AsString(), a->AsString()); + if ( t ) + return new StringVal(t); + else + { + reporter->Error("error in encoding string %s", s->CheckString()); + return new StringVal(""); + } + %} + +## Encodes a Base64-encoded string. +## +## cid: The connection identifier, identifiying the connection which is used to +## handle encoding-errors (errors will go to Weird). +## +## s: The string to encode. +## +## a: The custom alphabet. The empty string indicates the default alphabet. The +## length of *a* must be 64. For example, a custom alphabet could be +## ``"!#$%&/(),-.:;<>@[]^ `_{|}~abcdefghijklmnopqrstuvwxyz0123456789+?"``. +## +## Returns: The encoded version of *s*. +## +## .. bro:see:: encode_base64 decode_base64_intern +function encode_base64_intern%(cid: conn_id, s: string, a: string &default=""%): string + %{ + Connection* conn = sessions->FindConnection(cid); + if ( ! conn ) + { + builtin_error("connection ID not a known connection", cid); + return new StringVal(""); + } + + BroString* t = encode_base64(s->AsString(), a->AsString(), conn); if ( t ) return new StringVal(t); else @@ -2742,7 +2779,7 @@ function encode_base64%(s: string%): string ## Encodes a Base64-encoded string with a custom alphabet. ## -## s: The string to encode +## s: The string to encode. ## ## a: The custom alphabet. The empty string indicates the default alphabet. The ## length of *a* must be 64. For example, a custom alphabet could be @@ -2751,7 +2788,7 @@ function encode_base64%(s: string%): string ## Returns: The encoded version of *s*. ## ## .. bro:see:: encode_base64 decode_base64_custom -function encode_base64_custom%(s: string, a: string%): string +function encode_base64_custom%(s: string, a: string%): string &deprecated %{ BroString* t = encode_base64(s->AsString(), a->AsString()); if ( t ) @@ -2767,12 +2804,49 @@ function encode_base64_custom%(s: string, a: string%): string ## ## s: The Base64-encoded string. ## +## a: The custom alphabet. The empty string indicates the default alphabet. The +## length of *a* must be 64. For example, a custom alphabet could be +## ``"!#$%&/(),-.:;<>@[]^ `_{|}~abcdefghijklmnopqrstuvwxyz0123456789+?"``. +## ## Returns: The decoded version of *s*. ## -## .. bro:see:: decode_base64_custom encode_base64 -function decode_base64%(s: string%): string +## .. bro:see:: decode_base64_intern encode_base64 +function decode_base64%(s: string, a: string &default=""%): string %{ - BroString* t = decode_base64(s->AsString()); + BroString* t = decode_base64(s->AsString(), a->AsString()); + if ( t ) + return new StringVal(t); + else + { + reporter->Error("error in decoding string %s", s->CheckString()); + return new StringVal(""); + } + %} + +## Decodes a Base64-encoded string. +## +## cid: The connection identifier, identifiying the connection which is used to +## handle encoding-errors (errors will go to Weird). +## +## s: The Base64-encoded string. +## +## a: The custom alphabet. The empty string indicates the default alphabet. The +## length of *a* must be 64. For example, a custom alphabet could be +## ``"!#$%&/(),-.:;<>@[]^ `_{|}~abcdefghijklmnopqrstuvwxyz0123456789+?"``. +## +## Returns: The decoded version of *s*. +## +## .. bro:see:: decode_base64 encode_base64_intern +function decode_base64_intern%(cid: conn_id, s: string, a: string &default=""%): string + %{ + Connection* conn = sessions->FindConnection(cid); + if ( ! conn ) + { + builtin_error("connection ID not a known connection", cid); + return new StringVal(""); + } + + BroString* t = decode_base64(s->AsString(), a->AsString(), conn); if ( t ) return new StringVal(t); else @@ -2793,7 +2867,7 @@ function decode_base64%(s: string%): string ## Returns: The decoded version of *s*. ## ## .. bro:see:: decode_base64 encode_base64_custom -function decode_base64_custom%(s: string, a: string%): string +function decode_base64_custom%(s: string, a: string%): string &deprecated %{ BroString* t = decode_base64(s->AsString(), a->AsString()); if ( t ) diff --git a/testing/btest/Baseline/bifs.decode_base64/out b/testing/btest/Baseline/bifs.decode_base64/out index af0d32fbb8..aa265d2148 100644 --- a/testing/btest/Baseline/bifs.decode_base64/out +++ b/testing/btest/Baseline/bifs.decode_base64/out @@ -4,3 +4,11 @@ bro bro bro bro +bro +bro +bro +bro +bro +bro +bro +bro diff --git a/testing/btest/Baseline/bifs.encode_base64/out b/testing/btest/Baseline/bifs.encode_base64/out index 84c2c98264..3008115853 100644 --- a/testing/btest/Baseline/bifs.encode_base64/out +++ b/testing/btest/Baseline/bifs.encode_base64/out @@ -1,5 +1,9 @@ YnJv YnJv +YnJv +}n-v +YnJv +YnJv }n-v cGFkZGluZw== cGFkZGluZzE= diff --git a/testing/btest/bifs/decode_base64.bro b/testing/btest/bifs/decode_base64.bro index d4cbd2f37d..2d552a2523 100644 --- a/testing/btest/bifs/decode_base64.bro +++ b/testing/btest/bifs/decode_base64.bro @@ -6,9 +6,17 @@ global default_alphabet: string = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrs global my_alphabet: string = "!#$%&/(),-.:;<>@[]^ `_{|}~abcdefghijklmnopqrstuvwxyz0123456789+?"; print decode_base64("YnJv"); +print decode_base64("YnJv", default_alphabet); +print decode_base64("YnJv", ""); # should use default alpabet +print decode_base64("}n-v", my_alphabet); print decode_base64_custom("YnJv", default_alphabet); +print decode_base64_custom("YnJv", ""); # should use default alpabet print decode_base64_custom("}n-v", my_alphabet); print decode_base64("YnJv"); +print decode_base64("YnJv", default_alphabet); +print decode_base64("YnJv", ""); # should use default alpabet +print decode_base64("}n-v", my_alphabet); print decode_base64_custom("YnJv", default_alphabet); +print decode_base64_custom("YnJv", ""); # should use default alpabet print decode_base64_custom("}n-v", my_alphabet); diff --git a/testing/btest/bifs/encode_base64.bro b/testing/btest/bifs/encode_base64.bro index a351392bb5..bbad715ecc 100644 --- a/testing/btest/bifs/encode_base64.bro +++ b/testing/btest/bifs/encode_base64.bro @@ -6,7 +6,12 @@ global default_alphabet: string = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrs global my_alphabet: string = "!#$%&/(),-.:;<>@[]^ `_{|}~abcdefghijklmnopqrstuvwxyz0123456789+?"; print encode_base64("bro"); +print encode_base64("bro", default_alphabet); +print encode_base64("bro", ""); # should use default alpabet +print encode_base64("bro", my_alphabet); + print encode_base64_custom("bro", default_alphabet); +print encode_base64_custom("bro", ""); # should use default alpabet print encode_base64_custom("bro", my_alphabet); print encode_base64("padding"); From 6d031c41f14353c7e5e7819de6392fb3a41649eb Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 4 Aug 2015 22:00:54 -0500 Subject: [PATCH 04/93] Significant improvements to the GeoLocation doc Updated the install section for FreeBSD and OS X. Added a section to explain how to quickly test that everything is setup correctly. Improved the usage section by removing the misleading record definition (a link to the reference doc is provided), and explaining that some fields will be uninitialized. Corrected the example so that it doesn't try to access uninitialized fields. --- doc/frameworks/geoip.rst | 91 ++++++++++++++++++++++++---------------- 1 file changed, 56 insertions(+), 35 deletions(-) diff --git a/doc/frameworks/geoip.rst b/doc/frameworks/geoip.rst index 98252d7184..d756f97589 100644 --- a/doc/frameworks/geoip.rst +++ b/doc/frameworks/geoip.rst @@ -20,11 +20,13 @@ GeoLocation Install libGeoIP ---------------- +Before building Bro, you need to install libGeoIP. + * FreeBSD: .. console:: - sudo pkg_add -r GeoIP + sudo pkg install GeoIP * RPM/RedHat-based Linux: @@ -40,80 +42,99 @@ Install libGeoIP * Mac OS X: - Vanilla OS X installations don't ship with libGeoIP, but if - installed from your preferred package management system (e.g. - MacPorts, Fink, or Homebrew), they should be automatically detected - and Bro will compile against them. + You need to install from your preferred package management system + (e.g. MacPorts, Fink, or Homebrew). The name of the package that you need + may be libgeoip, geoip, or geoip-dev, depending on which package management + system you are using. GeoIPLite Database Installation ------------------------------------- +------------------------------- A country database for GeoIPLite is included when you do the C API install, but for Bro, we are using the city database which includes cities and regions in addition to countries. `Download `__ the GeoLite city -binary database. +binary database: - .. console:: +.. console:: wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz gunzip GeoLiteCity.dat.gz -Next, the file needs to be put in the database directory. This directory -should already exist and will vary depending on which platform and package -you are using. For FreeBSD, use ``/usr/local/share/GeoIP``. For Linux, -use ``/usr/share/GeoIP`` or ``/var/lib/GeoIP`` (choose whichever one +Next, the file needs to be renamed and put in the GeoIP database directory. +This directory should already exist and will vary depending on which platform +and package you are using. For FreeBSD, use ``/usr/local/share/GeoIP``. For +Linux, use ``/usr/share/GeoIP`` or ``/var/lib/GeoIP`` (choose whichever one already exists). - .. console:: +.. console:: mv GeoLiteCity.dat /GeoIPCity.dat +Note that there is a separate database for IPv6 addresses, which can also +be installed if you want GeoIP functionality for IPv6. + +Testing +------- + +Before using the GeoIP functionality, it is a good idea to verify that +everything is setup correctly. After installing libGeoIP and the GeoIP city +database, and building Bro, you can quickly check if the GeoIP functionality +works by running a command like this: + +.. console:: + + bro -e "print lookup_location(8.8.8.8);" + +If you see an error message similar to "Failed to open GeoIP City database", +then you may need to either rename or move your GeoIP city database file (the +error message should give you the full pathname of the database file that +Bro is looking for). + +If you see an error message similar to "Bro was not configured for GeoIP +support", then you need to rebuild Bro and make sure it is linked against +libGeoIP. Normally, if libGeoIP is installed correctly then it should +automatically be found when building Bro. If this doesn't happen, then +you may need to specify the path to the libGeoIP installation +(e.g. ``./configure --with-geoip=``). Usage ----- -There is a single built in function that provides the GeoIP -functionality: +There is a built-in function that provides the GeoIP functionality: .. code:: bro function lookup_location(a:addr): geo_location -There is also the :bro:see:`geo_location` data structure that is returned -from the :bro:see:`lookup_location` function: - -.. code:: bro - - type geo_location: record { - country_code: string; - region: string; - city: string; - latitude: double; - longitude: double; - }; - +The return value of the :bro:see:`lookup_location` function is a record +type called :bro:see:`geo_location`, and it consists of several fields +containing the country, region, city, latitude, and longitude of the specified +IP address. Since one or more fields in this record will be uninitialized +for some IP addresses (for example, the country and region of an IP address +might be known, but the city could be unknown), a field should be checked +if it has a value before trying to access the value. Example ------- -To write a line in a log file for every ftp connection from hosts in -Ohio, this is now very easy: +To show every ftp connection from hosts in Ohio, this is now very easy: .. code:: bro - global ftp_location_log: file = open_log_file("ftp-location"); - event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) { local client = c$id$orig_h; local loc = lookup_location(client); - if (loc$region == "OH" && loc$country_code == "US") + + if (loc?$region && loc$region == "OH" && loc$country_code == "US") { - print ftp_location_log, fmt("FTP Connection from:%s (%s,%s,%s)", client, loc$city, loc$region, loc$country_code); + local city = loc?$city ? loc$city : ""; + + print fmt("FTP Connection from:%s (%s,%s,%s)", client, city, + loc$region, loc$country_code); } } - From 55dc982a332130dbc6dbb7e0527eeb272b3d4875 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Wed, 5 Aug 2015 11:33:57 +0200 Subject: [PATCH 05/93] Update calls of Base64 functions. Base64 encoding-errors during authentication in POP3 analyzer, authentication in FTP analyzer (using GSI) and basic authentication on HTTP will be logged to Weird. --- scripts/base/protocols/http/main.bro | 2 +- src/analyzer/protocol/ftp/FTP.cc | 4 ++-- src/analyzer/protocol/pop3/POP3.cc | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 916723ebcb..4d9969fa7d 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -270,7 +270,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr { if ( /^[bB][aA][sS][iI][cC] / in value ) { - local userpass = decode_base64(sub(value, /[bB][aA][sS][iI][cC][[:blank:]]/, "")); + local userpass = decode_base64_intern(c$id, sub(value, /[bB][aA][sS][iI][cC][[:blank:]]/, "")); local up = split_string(userpass, /:/); if ( |up| >= 2 ) { diff --git a/src/analyzer/protocol/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc index fd38ee8f29..402532eff1 100644 --- a/src/analyzer/protocol/ftp/FTP.cc +++ b/src/analyzer/protocol/ftp/FTP.cc @@ -206,7 +206,7 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { line = skip_whitespace(line + cmd_len, end_of_line); StringVal encoded(end_of_line - line, line); - decoded_adat = decode_base64(encoded.AsString()); + decoded_adat = decode_base64(encoded.AsString(), 0, this->Conn()); if ( first_token ) { @@ -273,7 +273,7 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { line += 5; StringVal encoded(end_of_line - line, line); - decoded_adat = decode_base64(encoded.AsString()); + decoded_adat = decode_base64(encoded.AsString(), 0, this->Conn()); } break; diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc index 05ff3c317d..69740eb71d 100644 --- a/src/analyzer/protocol/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -137,7 +137,7 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line) ++authLines; BroString encoded(line); - BroString* decoded = decode_base64(&encoded); + BroString* decoded = decode_base64(&encoded, 0, this->Conn()); if ( ! decoded ) { From 28c467df4ea39134e6e3f0cd7d453e26cffcba28 Mon Sep 17 00:00:00 2001 From: Kris Nielander Date: Sun, 9 Aug 2015 22:08:46 +0200 Subject: [PATCH 06/93] Allowed libpcap buffer size to be set via configuration. --- scripts/base/init-bare.bro | 3 +++ src/Net.h | 3 +++ src/iosource/PktSrc.cc | 5 ++++ src/iosource/PktSrc.h | 5 ++++ src/iosource/pcap/Source.cc | 46 +++++++++++++++++++++++++++++++++++-- src/main.cc | 2 ++ 6 files changed, 62 insertions(+), 2 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 24c6f6f5f1..f28aa66c74 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3715,6 +3715,9 @@ module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; +## Number of bytes for libpcap buffer. +const bufsize = 128 &redef; + ## Seed for hashes computed internally for probabilistic data structures. Using ## the same value here will make the hashes compatible between independent Bro ## instances. If left unset, Bro will use a temporary local seed. diff --git a/src/Net.h b/src/Net.h index d19bd9083c..e57c4a8c7f 100644 --- a/src/Net.h +++ b/src/Net.h @@ -73,6 +73,9 @@ extern bool using_communication; // Snaplen passed to libpcap. extern int snaplen; +// Buffer size passed to libpcap. +extern int bufsize; + extern const Packet* current_pkt; extern int current_dispatched; extern double current_timestamp; diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index f44aae77c5..125a72c052 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc @@ -71,6 +71,11 @@ int PktSrc::SnapLen() const return snaplen; // That's a global. Change? } +int PktSrc::BufSize() const + { + return bufsize; // That's a global too. Change? + } + bool PktSrc::IsLive() const { return props.is_live; diff --git a/src/iosource/PktSrc.h b/src/iosource/PktSrc.h index bf4c811dca..d6ff03f5b5 100644 --- a/src/iosource/PktSrc.h +++ b/src/iosource/PktSrc.h @@ -100,6 +100,11 @@ public: */ int SnapLen() const; + /** + * Returns the buffer size for this source. + */ + int BufSize() const; + /** * In pseudo-realtime mode, returns the logical timestamp of the * current packet. Undefined if not running pseudo-realtime mode. diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc index 2af21bf9b4..9c5ba2819a 100644 --- a/src/iosource/pcap/Source.cc +++ b/src/iosource/pcap/Source.cc @@ -89,11 +89,53 @@ void PcapSource::OpenLive() // broken on FreeBSD: even when select() indicates that we can read // something, we may get nothing if the store buffer hasn't filled up // yet.) - pd = pcap_open_live(props.path.c_str(), SnapLen(), 1, 1, tmp_errbuf); + pd = pcap_create(props.path.c_str(), errbuf); if ( ! pd ) { - Error(tmp_errbuf); + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_create: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_set_snaplen(pd, SnapLen()) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_set_snaplen: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_set_promisc(pd, 1) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_set_promisc: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_set_timeout(pd, 1) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_set_timeout: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_set_buffer_size(pd, BufSize()) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_set_buffer_size: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_activate(pd) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_activate: %s", pcap_geterr(pd)); + Error(errbuf); return; } diff --git a/src/main.cc b/src/main.cc index 64acb408ea..347d01137e 100644 --- a/src/main.cc +++ b/src/main.cc @@ -122,6 +122,7 @@ vector params; set requested_plugins; char* proc_status_file = 0; int snaplen = 0; // this gets set from the scripting-layer's value +int bufsize = 0; OpaqueType* md5_type = 0; OpaqueType* sha1_type = 0; @@ -990,6 +991,7 @@ int main(int argc, char** argv) } snaplen = internal_val("snaplen")->AsCount(); + bufsize = internal_val("bufsize")->AsCount() * 1024 * 1024; // Size in Mbytes if ( dns_type != DNS_PRIME ) net_init(interfaces, read_files, writefile, do_watchdog); From 54078407d43d3503603d9edfc16302bf52883e3b Mon Sep 17 00:00:00 2001 From: Kris Nielander Date: Sun, 9 Aug 2015 22:41:28 +0200 Subject: [PATCH 07/93] Allow Bro to run in fanout mode. --- CMakeLists.txt | 1 + bro-config.h.in | 3 +++ scripts/base/init-bare.bro | 24 +++++++++++++++++++++++- src/const.bif | 3 +++ src/iosource/IOSource.h | 21 +++++++++++++++++++++ src/iosource/PktSrc.cc | 2 +- src/iosource/pcap/Source.cc | 16 ++++++++++++++-- src/iosource/pcap/Source.h | 7 +++++++ src/main.cc | 16 +++++++++++++++- 9 files changed, 88 insertions(+), 5 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7dbf8109ad..f345514aa9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -155,6 +155,7 @@ include(TestBigEndian) test_big_endian(WORDS_BIGENDIAN) include(CheckSymbolExists) check_symbol_exists(htonll arpa/inet.h HAVE_BYTEORDER_64) +check_symbol_exists(PACKET_FANOUT linux/if_packet.h HAVE_PACKET_FANOUT) include(OSSpecific) include(CheckTypes) diff --git a/bro-config.h.in b/bro-config.h.in index 755a9eee98..fd24a1fe30 100644 --- a/bro-config.h.in +++ b/bro-config.h.in @@ -213,6 +213,9 @@ /* Common IPv6 extension structure */ #cmakedefine HAVE_IP6_EXT +/* Linux packet fanout */ +#cmakedefine HAVE_PACKET_FANOUT + /* String with host architecture (e.g., "linux-x86_64") */ #define HOST_ARCHITECTURE "@HOST_ARCHITECTURE@" diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f28aa66c74..0097e4d47b 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3710,12 +3710,34 @@ export { ## external harness and shouldn't output anything to the console. const errors_to_stderr = T &redef; } + +module Fanout; + +type Method: enum { + METHOD_HASH = 0, + METHOD_LB = 1, + METHOD_CPU = 2, + METHOD_ROLLOVER = 3 +}; + +type Flag: enum { + FLAG_NONE = 0, + FLAG_DEFRAG = 0x8000, + FLAG_ROLLOVER = 0x1000 +}; + +export { + const enable = F &redef; + const id = 0 &redef; + const method = METHOD_HASH &redef; + const flag = FLAG_NONE &redef; +} module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; -## Number of bytes for libpcap buffer. +## Number of bytes per packet to capture from live interfaces. const bufsize = 128 &redef; ## Seed for hashes computed internally for probabilistic data structures. Using diff --git a/src/const.bif b/src/const.bif index 0ba168ca85..f96b15818b 100644 --- a/src/const.bif +++ b/src/const.bif @@ -9,6 +9,9 @@ const detect_filtered_trace: bool; const report_gaps_for_partial: bool; const exit_only_after_terminate: bool; +const Fanout::enable: bool; +const Fanout::id: count; + const NFS3::return_data: bool; const NFS3::return_data_max: count; const NFS3::return_data_first_only: bool; diff --git a/src/iosource/IOSource.h b/src/iosource/IOSource.h index df82012268..a129429e0e 100644 --- a/src/iosource/IOSource.h +++ b/src/iosource/IOSource.h @@ -3,6 +3,27 @@ #ifndef IOSOURCE_IOSOURCE_H #define IOSOURCE_IOSOURCE_H +#ifdef HAVE_PACKET_FANOUT +#include +#ifndef PACKET_FANOUT +#define PACKET_FANOUT 18 +#define PACKET_FANOUT_HASH 0 +#define PACKET_FANOUT_LB 1 +#define PACKET_FANOUT_CPU 2 +#define PACKET_FANOUT_FLAG_DEFRAG 0x8000 + +#ifndef PACKET_FANOUT_ROLLOVER +#define PACKET_FANOUT_ROLLOVER 3 +#endif + +#ifndef PACKET_FANOUT_FLAG_ROLLOVER +#define PACKET_FANOUT_FLAG_ROLLOVER 0x1000 +#endif + +#define PACKET_FANOUT_FLAG_NONE -1 +#endif /* PACKET_FANOUT */ +#endif /* HAVE_PACKET_FANOUT */ + extern "C" { #include } diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index 125a72c052..42be77cb21 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc @@ -73,7 +73,7 @@ int PktSrc::SnapLen() const int PktSrc::BufSize() const { - return bufsize; // That's a global too. Change? + return bufsize; // That's a global. Change? } bool PktSrc::IsLive() const diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc index 9c5ba2819a..e430dfc6a7 100644 --- a/src/iosource/pcap/Source.cc +++ b/src/iosource/pcap/Source.cc @@ -84,13 +84,12 @@ void PcapSource::OpenLive() props.netmask = PktSrc::NETMASK_UNKNOWN; #endif - // We use the smallest time-out possible to return almost immediately if + // ### We use the smallest time-out possible to return almost immediately if // no packets are available. (We can't use set_nonblocking() as it's // broken on FreeBSD: even when select() indicates that we can read // something, we may get nothing if the store buffer hasn't filled up // yet.) pd = pcap_create(props.path.c_str(), errbuf); - if ( ! pd ) { safe_snprintf(errbuf, sizeof(errbuf), @@ -160,6 +159,19 @@ void PcapSource::OpenLive() // Was closed, couldn't get header size. return; +#ifdef HAVE_PACKET_FANOUT + /* Turn on cluster mode for the device. */ + if ( fanout_enable ) + { + uint32_t fanout_arg = (fanout_method << 16) | (fanout_id & 0xffff); + if (setsockopt(props.selectable_fd, SOL_PACKET, PACKET_FANOUT, &fanout_arg, sizeof(fanout_arg)) == -1) + { + Error(fmt("%s: setsockopt: %s", __FUNCTION__, strerror(errno))); + return; + } + } +#endif + props.is_live = true; Opened(props); diff --git a/src/iosource/pcap/Source.h b/src/iosource/pcap/Source.h index f627e30afa..2f169f7819 100644 --- a/src/iosource/pcap/Source.h +++ b/src/iosource/pcap/Source.h @@ -5,6 +5,13 @@ #include "../PktSrc.h" +#ifdef HAVE_PACKET_FANOUT +extern bool fanout_enable; +extern int fanout_id; +extern int fanout_method; +extern int fanout_flag; +#endif + namespace iosource { namespace pcap { diff --git a/src/main.cc b/src/main.cc index 347d01137e..b7d1bbfa40 100644 --- a/src/main.cc +++ b/src/main.cc @@ -124,6 +124,13 @@ char* proc_status_file = 0; int snaplen = 0; // this gets set from the scripting-layer's value int bufsize = 0; +#ifdef HAVE_PACKET_FANOUT +bool fanout_enable = false; +int fanout_id = 0; +int fanout_method = PACKET_FANOUT_HASH; +int fanout_flag = 0; +#endif + OpaqueType* md5_type = 0; OpaqueType* sha1_type = 0; OpaqueType* sha256_type = 0; @@ -991,7 +998,14 @@ int main(int argc, char** argv) } snaplen = internal_val("snaplen")->AsCount(); - bufsize = internal_val("bufsize")->AsCount() * 1024 * 1024; // Size in Mbytes + bufsize = internal_val("bufsize")->AsCount() * 1024 * 1024; + +#ifdef HAVE_PACKET_FANOUT + fanout_enable = internal_val("Fanout::enable")->AsBool(); + fanout_id = internal_val("Fanout::id")->AsCount(); + fanout_method = internal_val("Fanout::method")->AsEnum(); + fanout_flag = internal_val("Fanout::flag")->AsEnum(); +#endif if ( dns_type != DNS_PRIME ) net_init(interfaces, read_files, writefile, do_watchdog); From f5429ee794814d7b102e8d29796d1498ccadbeb7 Mon Sep 17 00:00:00 2001 From: Kris Nielander Date: Sun, 9 Aug 2015 22:08:46 +0200 Subject: [PATCH 08/93] Allow libpcap buffer size to be set manually. --- scripts/base/init-bare.bro | 3 +++ src/Net.h | 3 +++ src/iosource/PktSrc.cc | 5 ++++ src/iosource/PktSrc.h | 5 ++++ src/iosource/pcap/Source.cc | 46 +++++++++++++++++++++++++++++++++++-- src/main.cc | 2 ++ 6 files changed, 62 insertions(+), 2 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 24c6f6f5f1..f28aa66c74 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3715,6 +3715,9 @@ module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; +## Number of bytes for libpcap buffer. +const bufsize = 128 &redef; + ## Seed for hashes computed internally for probabilistic data structures. Using ## the same value here will make the hashes compatible between independent Bro ## instances. If left unset, Bro will use a temporary local seed. diff --git a/src/Net.h b/src/Net.h index d19bd9083c..e57c4a8c7f 100644 --- a/src/Net.h +++ b/src/Net.h @@ -73,6 +73,9 @@ extern bool using_communication; // Snaplen passed to libpcap. extern int snaplen; +// Buffer size passed to libpcap. +extern int bufsize; + extern const Packet* current_pkt; extern int current_dispatched; extern double current_timestamp; diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index f44aae77c5..125a72c052 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc @@ -71,6 +71,11 @@ int PktSrc::SnapLen() const return snaplen; // That's a global. Change? } +int PktSrc::BufSize() const + { + return bufsize; // That's a global too. Change? + } + bool PktSrc::IsLive() const { return props.is_live; diff --git a/src/iosource/PktSrc.h b/src/iosource/PktSrc.h index bf4c811dca..d6ff03f5b5 100644 --- a/src/iosource/PktSrc.h +++ b/src/iosource/PktSrc.h @@ -100,6 +100,11 @@ public: */ int SnapLen() const; + /** + * Returns the buffer size for this source. + */ + int BufSize() const; + /** * In pseudo-realtime mode, returns the logical timestamp of the * current packet. Undefined if not running pseudo-realtime mode. diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc index 2af21bf9b4..9c5ba2819a 100644 --- a/src/iosource/pcap/Source.cc +++ b/src/iosource/pcap/Source.cc @@ -89,11 +89,53 @@ void PcapSource::OpenLive() // broken on FreeBSD: even when select() indicates that we can read // something, we may get nothing if the store buffer hasn't filled up // yet.) - pd = pcap_open_live(props.path.c_str(), SnapLen(), 1, 1, tmp_errbuf); + pd = pcap_create(props.path.c_str(), errbuf); if ( ! pd ) { - Error(tmp_errbuf); + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_create: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_set_snaplen(pd, SnapLen()) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_set_snaplen: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_set_promisc(pd, 1) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_set_promisc: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_set_timeout(pd, 1) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_set_timeout: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_set_buffer_size(pd, BufSize()) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_set_buffer_size: %s", pcap_geterr(pd)); + Error(errbuf); + return; + } + + if ( pcap_activate(pd) ) + { + safe_snprintf(errbuf, sizeof(errbuf), + "pcap_activate: %s", pcap_geterr(pd)); + Error(errbuf); return; } diff --git a/src/main.cc b/src/main.cc index 64acb408ea..347d01137e 100644 --- a/src/main.cc +++ b/src/main.cc @@ -122,6 +122,7 @@ vector params; set requested_plugins; char* proc_status_file = 0; int snaplen = 0; // this gets set from the scripting-layer's value +int bufsize = 0; OpaqueType* md5_type = 0; OpaqueType* sha1_type = 0; @@ -990,6 +991,7 @@ int main(int argc, char** argv) } snaplen = internal_val("snaplen")->AsCount(); + bufsize = internal_val("bufsize")->AsCount() * 1024 * 1024; // Size in Mbytes if ( dns_type != DNS_PRIME ) net_init(interfaces, read_files, writefile, do_watchdog); From d8c9b7255e053aaf054145c08d55b1550d5d69d4 Mon Sep 17 00:00:00 2001 From: Kris Nielander Date: Sun, 9 Aug 2015 22:41:28 +0200 Subject: [PATCH 09/93] Allow Bro to run in fanout mode. --- CMakeLists.txt | 1 + bro-config.h.in | 3 +++ scripts/base/init-bare.bro | 24 +++++++++++++++++++++++- src/const.bif | 3 +++ src/iosource/IOSource.h | 21 +++++++++++++++++++++ src/iosource/PktSrc.cc | 2 +- src/iosource/pcap/Source.cc | 16 ++++++++++++++-- src/iosource/pcap/Source.h | 7 +++++++ src/main.cc | 16 +++++++++++++++- 9 files changed, 88 insertions(+), 5 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7dbf8109ad..f345514aa9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -155,6 +155,7 @@ include(TestBigEndian) test_big_endian(WORDS_BIGENDIAN) include(CheckSymbolExists) check_symbol_exists(htonll arpa/inet.h HAVE_BYTEORDER_64) +check_symbol_exists(PACKET_FANOUT linux/if_packet.h HAVE_PACKET_FANOUT) include(OSSpecific) include(CheckTypes) diff --git a/bro-config.h.in b/bro-config.h.in index 755a9eee98..fd24a1fe30 100644 --- a/bro-config.h.in +++ b/bro-config.h.in @@ -213,6 +213,9 @@ /* Common IPv6 extension structure */ #cmakedefine HAVE_IP6_EXT +/* Linux packet fanout */ +#cmakedefine HAVE_PACKET_FANOUT + /* String with host architecture (e.g., "linux-x86_64") */ #define HOST_ARCHITECTURE "@HOST_ARCHITECTURE@" diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f28aa66c74..0097e4d47b 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3710,12 +3710,34 @@ export { ## external harness and shouldn't output anything to the console. const errors_to_stderr = T &redef; } + +module Fanout; + +type Method: enum { + METHOD_HASH = 0, + METHOD_LB = 1, + METHOD_CPU = 2, + METHOD_ROLLOVER = 3 +}; + +type Flag: enum { + FLAG_NONE = 0, + FLAG_DEFRAG = 0x8000, + FLAG_ROLLOVER = 0x1000 +}; + +export { + const enable = F &redef; + const id = 0 &redef; + const method = METHOD_HASH &redef; + const flag = FLAG_NONE &redef; +} module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; -## Number of bytes for libpcap buffer. +## Number of bytes per packet to capture from live interfaces. const bufsize = 128 &redef; ## Seed for hashes computed internally for probabilistic data structures. Using diff --git a/src/const.bif b/src/const.bif index 0ba168ca85..f96b15818b 100644 --- a/src/const.bif +++ b/src/const.bif @@ -9,6 +9,9 @@ const detect_filtered_trace: bool; const report_gaps_for_partial: bool; const exit_only_after_terminate: bool; +const Fanout::enable: bool; +const Fanout::id: count; + const NFS3::return_data: bool; const NFS3::return_data_max: count; const NFS3::return_data_first_only: bool; diff --git a/src/iosource/IOSource.h b/src/iosource/IOSource.h index df82012268..a129429e0e 100644 --- a/src/iosource/IOSource.h +++ b/src/iosource/IOSource.h @@ -3,6 +3,27 @@ #ifndef IOSOURCE_IOSOURCE_H #define IOSOURCE_IOSOURCE_H +#ifdef HAVE_PACKET_FANOUT +#include +#ifndef PACKET_FANOUT +#define PACKET_FANOUT 18 +#define PACKET_FANOUT_HASH 0 +#define PACKET_FANOUT_LB 1 +#define PACKET_FANOUT_CPU 2 +#define PACKET_FANOUT_FLAG_DEFRAG 0x8000 + +#ifndef PACKET_FANOUT_ROLLOVER +#define PACKET_FANOUT_ROLLOVER 3 +#endif + +#ifndef PACKET_FANOUT_FLAG_ROLLOVER +#define PACKET_FANOUT_FLAG_ROLLOVER 0x1000 +#endif + +#define PACKET_FANOUT_FLAG_NONE -1 +#endif /* PACKET_FANOUT */ +#endif /* HAVE_PACKET_FANOUT */ + extern "C" { #include } diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index 125a72c052..42be77cb21 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc @@ -73,7 +73,7 @@ int PktSrc::SnapLen() const int PktSrc::BufSize() const { - return bufsize; // That's a global too. Change? + return bufsize; // That's a global. Change? } bool PktSrc::IsLive() const diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc index 9c5ba2819a..e430dfc6a7 100644 --- a/src/iosource/pcap/Source.cc +++ b/src/iosource/pcap/Source.cc @@ -84,13 +84,12 @@ void PcapSource::OpenLive() props.netmask = PktSrc::NETMASK_UNKNOWN; #endif - // We use the smallest time-out possible to return almost immediately if + // ### We use the smallest time-out possible to return almost immediately if // no packets are available. (We can't use set_nonblocking() as it's // broken on FreeBSD: even when select() indicates that we can read // something, we may get nothing if the store buffer hasn't filled up // yet.) pd = pcap_create(props.path.c_str(), errbuf); - if ( ! pd ) { safe_snprintf(errbuf, sizeof(errbuf), @@ -160,6 +159,19 @@ void PcapSource::OpenLive() // Was closed, couldn't get header size. return; +#ifdef HAVE_PACKET_FANOUT + /* Turn on cluster mode for the device. */ + if ( fanout_enable ) + { + uint32_t fanout_arg = (fanout_method << 16) | (fanout_id & 0xffff); + if (setsockopt(props.selectable_fd, SOL_PACKET, PACKET_FANOUT, &fanout_arg, sizeof(fanout_arg)) == -1) + { + Error(fmt("%s: setsockopt: %s", __FUNCTION__, strerror(errno))); + return; + } + } +#endif + props.is_live = true; Opened(props); diff --git a/src/iosource/pcap/Source.h b/src/iosource/pcap/Source.h index f627e30afa..2f169f7819 100644 --- a/src/iosource/pcap/Source.h +++ b/src/iosource/pcap/Source.h @@ -5,6 +5,13 @@ #include "../PktSrc.h" +#ifdef HAVE_PACKET_FANOUT +extern bool fanout_enable; +extern int fanout_id; +extern int fanout_method; +extern int fanout_flag; +#endif + namespace iosource { namespace pcap { diff --git a/src/main.cc b/src/main.cc index 347d01137e..b7d1bbfa40 100644 --- a/src/main.cc +++ b/src/main.cc @@ -124,6 +124,13 @@ char* proc_status_file = 0; int snaplen = 0; // this gets set from the scripting-layer's value int bufsize = 0; +#ifdef HAVE_PACKET_FANOUT +bool fanout_enable = false; +int fanout_id = 0; +int fanout_method = PACKET_FANOUT_HASH; +int fanout_flag = 0; +#endif + OpaqueType* md5_type = 0; OpaqueType* sha1_type = 0; OpaqueType* sha256_type = 0; @@ -991,7 +998,14 @@ int main(int argc, char** argv) } snaplen = internal_val("snaplen")->AsCount(); - bufsize = internal_val("bufsize")->AsCount() * 1024 * 1024; // Size in Mbytes + bufsize = internal_val("bufsize")->AsCount() * 1024 * 1024; + +#ifdef HAVE_PACKET_FANOUT + fanout_enable = internal_val("Fanout::enable")->AsBool(); + fanout_id = internal_val("Fanout::id")->AsCount(); + fanout_method = internal_val("Fanout::method")->AsEnum(); + fanout_flag = internal_val("Fanout::flag")->AsEnum(); +#endif if ( dns_type != DNS_PRIME ) net_init(interfaces, read_files, writefile, do_watchdog); From f3fb2b2f527de34b2b888122f6a24af126e4edd4 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Sat, 15 Aug 2015 21:05:40 -0500 Subject: [PATCH 10/93] Fix diff-canonifier-external to use basename of input file Use basename of the input filename because sometimes it will have directory components, such as for the baseline files. --- testing/scripts/diff-canonifier-external | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external index aabe9218e6..ee6405b3a8 100755 --- a/testing/scripts/diff-canonifier-external +++ b/testing/scripts/diff-canonifier-external @@ -2,13 +2,15 @@ # # Default canonifier used with the trace-based tests in testing/external/*. +filename=`basename $1` + addl="cat" -if [ "$1" == "capture_loss.log" ]; then +if [ "$filename" == "capture_loss.log" ]; then addl="`dirname $0`/diff-remove-fractions" fi -if [ "$1" == "ssh.log" ]; then +if [ "$filename" == "ssh.log" ]; then addl="`dirname $0`/diff-remove-fields remote_location" fi From 7b6ab180b69914953bd722f4a5950f23fb5a00f7 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 17 Aug 2015 14:58:22 -0500 Subject: [PATCH 11/93] Fix typo in documentation of a field in connection record --- scripts/base/init-bare.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 40f518b682..ade1169091 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -349,7 +349,7 @@ type connection: record { ## The outer VLAN, if applicable, for this connection. vlan: int &optional; - ## The VLAN vlan, if applicable, for this connection. + ## The inner VLAN, if applicable, for this connection. inner_vlan: int &optional; }; From c6dec18e2b913f259fd6bae8efef61913ff4a501 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 17 Aug 2015 16:24:02 -0500 Subject: [PATCH 12/93] Improve documentation of table and set types Add a list of the types that are not allowed to be the index type of a table or set. --- doc/script-reference/types.rst | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index cc601db75f..847e0f8fab 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst @@ -340,15 +340,18 @@ Here is a more detailed description of each type: table [ type^+ ] of type - where *type^+* is one or more types, separated by commas. - For example: + where *type^+* is one or more types, separated by commas. The + index type cannot be any of the following types: pattern, table, set, + vector, file, opaque, any. + + Here is an example of declaring a table indexed by "count" values + and yielding "string" values: .. code:: bro global a: table[count] of string; - declares a table indexed by "count" values and yielding - "string" values. The yield type can also be more complex: + The yield type can also be more complex: .. code:: bro @@ -441,7 +444,9 @@ Here is a more detailed description of each type: set [ type^+ ] - where *type^+* is one or more types separated by commas. + where *type^+* is one or more types separated by commas. The + index type cannot be any of the following types: pattern, table, set, + vector, file, opaque, any. Sets can be initialized by listing elements enclosed by curly braces: From f56b3ebd93856af6c4f1d25c3c9fa95aeab126f4 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 18 Aug 2015 14:23:48 -0500 Subject: [PATCH 13/93] Fix some doc build warnings --- doc/components/bro-plugins/pf_ring/README.rst | 1 + doc/components/bro-plugins/redis/README.rst | 1 + doc/devel/plugins.rst | 6 +++--- 3 files changed, 5 insertions(+), 3 deletions(-) create mode 120000 doc/components/bro-plugins/pf_ring/README.rst create mode 120000 doc/components/bro-plugins/redis/README.rst diff --git a/doc/components/bro-plugins/pf_ring/README.rst b/doc/components/bro-plugins/pf_ring/README.rst new file mode 120000 index 0000000000..5ea666e8c9 --- /dev/null +++ b/doc/components/bro-plugins/pf_ring/README.rst @@ -0,0 +1 @@ +../../../../aux/plugins/pf_ring/README \ No newline at end of file diff --git a/doc/components/bro-plugins/redis/README.rst b/doc/components/bro-plugins/redis/README.rst new file mode 120000 index 0000000000..c42051828e --- /dev/null +++ b/doc/components/bro-plugins/redis/README.rst @@ -0,0 +1 @@ +../../../../aux/plugins/redis/README \ No newline at end of file diff --git a/doc/devel/plugins.rst b/doc/devel/plugins.rst index 0ed22a0cb9..dc1c9a3cd4 100644 --- a/doc/devel/plugins.rst +++ b/doc/devel/plugins.rst @@ -286,9 +286,9 @@ Activating a plugin will: 1. Load the dynamic module 2. Make any bif items available 3. Add the ``scripts/`` directory to ``BROPATH`` - 5. Load ``scripts/__preload__.bro`` - 6. Make BiF elements available to scripts. - 7. Load ``scripts/__load__.bro`` + 4. Load ``scripts/__preload__.bro`` + 5. Make BiF elements available to scripts. + 6. Load ``scripts/__load__.bro`` By default, Bro will automatically activate all dynamic plugins found in its search path ``BRO_PLUGIN_PATH``. However, in bare mode (``bro From 92c5885f06f8e8ee88aa335671bfe089a3bd0e26 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 18 Aug 2015 15:50:58 -0500 Subject: [PATCH 14/93] Remove unnecessary blank lines from some broker doc files --- doc/frameworks/broker/connecting-connector.bro | 1 - doc/frameworks/broker/connecting-listener.bro | 1 - doc/frameworks/broker/events-listener.bro | 1 - doc/frameworks/broker/printing-listener.bro | 1 - doc/frameworks/broker/testlog.bro | 1 - .../output | 1 - .../output | 1 - .../output | 1 - .../output | 1 - .../doc.sphinx.include-doc_frameworks_broker_testlog_bro/output | 1 - .../include-doc_frameworks_broker_connecting-connector_bro.btest | 1 - .../include-doc_frameworks_broker_connecting-listener_bro.btest | 1 - .../include-doc_frameworks_broker_events-listener_bro.btest | 1 - .../include-doc_frameworks_broker_printing-listener_bro.btest | 1 - .../doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest | 1 - 15 files changed, 15 deletions(-) diff --git a/doc/frameworks/broker/connecting-connector.bro b/doc/frameworks/broker/connecting-connector.bro index a7e621e4a6..cd5c74add8 100644 --- a/doc/frameworks/broker/connecting-connector.bro +++ b/doc/frameworks/broker/connecting-connector.bro @@ -1,4 +1,3 @@ - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "connector"; diff --git a/doc/frameworks/broker/connecting-listener.bro b/doc/frameworks/broker/connecting-listener.bro index c37af3ae4d..21c67f9696 100644 --- a/doc/frameworks/broker/connecting-listener.bro +++ b/doc/frameworks/broker/connecting-listener.bro @@ -1,4 +1,3 @@ - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "listener"; diff --git a/doc/frameworks/broker/events-listener.bro b/doc/frameworks/broker/events-listener.bro index aa6ea9ee4e..dc18795903 100644 --- a/doc/frameworks/broker/events-listener.bro +++ b/doc/frameworks/broker/events-listener.bro @@ -1,4 +1,3 @@ - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "listener"; diff --git a/doc/frameworks/broker/printing-listener.bro b/doc/frameworks/broker/printing-listener.bro index 080d09e8f5..f55c5b9bad 100644 --- a/doc/frameworks/broker/printing-listener.bro +++ b/doc/frameworks/broker/printing-listener.bro @@ -1,4 +1,3 @@ - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "listener"; diff --git a/doc/frameworks/broker/testlog.bro b/doc/frameworks/broker/testlog.bro index f63c19ac48..506d359bb7 100644 --- a/doc/frameworks/broker/testlog.bro +++ b/doc/frameworks/broker/testlog.bro @@ -1,4 +1,3 @@ - module Test; export { diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output index 0953d88a3e..042b8999f3 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output @@ -2,7 +2,6 @@ connecting-connector.bro - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "connector"; diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output index 2879beb396..33e3df2330 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output @@ -2,7 +2,6 @@ connecting-listener.bro - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "listener"; diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output index 59e697601b..9f004692cb 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output @@ -2,7 +2,6 @@ events-listener.bro - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "listener"; diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output index 9cb48a0528..fb416612ab 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output @@ -2,7 +2,6 @@ printing-listener.bro - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "listener"; diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output index da2261ebc4..c87fc3cd6f 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output @@ -2,7 +2,6 @@ testlog.bro - module Test; export { diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest index 0953d88a3e..042b8999f3 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest @@ -2,7 +2,6 @@ connecting-connector.bro - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "connector"; diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest index 2879beb396..33e3df2330 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest @@ -2,7 +2,6 @@ connecting-listener.bro - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "listener"; diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest index 59e697601b..9f004692cb 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest @@ -2,7 +2,6 @@ events-listener.bro - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "listener"; diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest index 9cb48a0528..fb416612ab 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest @@ -2,7 +2,6 @@ printing-listener.bro - const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; redef BrokerComm::endpoint_name = "listener"; diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest index da2261ebc4..c87fc3cd6f 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest @@ -2,7 +2,6 @@ testlog.bro - module Test; export { From 5d12a56e0f07ca2f01e60c2380befab99c367689 Mon Sep 17 00:00:00 2001 From: balintm Date: Wed, 19 Aug 2015 16:11:33 +0100 Subject: [PATCH 15/93] Update to SIP protocol - Change SIP header - according to RFC3261, space on both sides of ':' should be expected. - Change to SIP_request and SIP_Reply - We encountered packets that do not contain newline and msg part of request/reply. Bro parser was segfaulting with: 0x0000000001227de2 in binpac::SIP::SIP_Headers::Parse (this=0x1c709120, t_begin_of_data=0x2aaaadd56348
, t_end_of_data=0x2aaaadd56346
, t_context=0x1c6f9a90) at src/analyzer/protocol/sip/sip_pac.cc:586 This small change should have it fixed. --- src/analyzer/protocol/sip/sip-protocol.pac | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/sip/sip-protocol.pac b/src/analyzer/protocol/sip/sip-protocol.pac index a9e03cf2c1..23072b64fd 100644 --- a/src/analyzer/protocol/sip/sip-protocol.pac +++ b/src/analyzer/protocol/sip/sip-protocol.pac @@ -10,6 +10,7 @@ type SIP_COLON = RE/:/; type SIP_TO_EOL = RE/[^\r\n]*/; type SIP_EOL = RE/(\r\n){1,2}/; type SIP_URI = RE/[[:alnum:]@[:punct:]]+/; +type SIP_NL = RE/(\r\n)/; type SIP_PDU(is_orig: bool) = case is_orig of { true -> request: SIP_Request; @@ -18,13 +19,13 @@ type SIP_PDU(is_orig: bool) = case is_orig of { type SIP_Request = record { request: SIP_RequestLine; - newline: padding[2]; + newline: SIP_NL; msg: SIP_Message; }; type SIP_Reply = record { reply: SIP_ReplyLine; - newline: padding[2]; + newline: SIP_NL; msg: SIP_Message; }; @@ -67,6 +68,7 @@ type SIP_Message = record { type SIP_HEADER_NAME = RE/[^: \t]+/; type SIP_Header = record { name: SIP_HEADER_NAME; + : SIP_WS; : SIP_COLON; : SIP_WS; value: SIP_TO_EOL; From 7ce0cefcba939008b9f3fb038bcbcc2322119243 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 19 Aug 2015 13:28:35 -0500 Subject: [PATCH 16/93] Minor clarifications and typo fixes in broker doc --- doc/frameworks/broker.rst | 72 +++++++++++++++++++-------------------- doc/install/install.rst | 4 +-- 2 files changed, 37 insertions(+), 39 deletions(-) diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst index 3cd8dab6e3..8c5ed24e25 100644 --- a/doc/frameworks/broker.rst +++ b/doc/frameworks/broker.rst @@ -9,10 +9,7 @@ Broker-Enabled Communication Framework Bro can now use the `Broker Library <../components/broker/README.html>`_ to exchange information with - other Bro processes. To enable it run Bro's ``configure`` script - with the ``--enable-broker`` option. Note that a C++11 compatible - compiler (e.g. GCC 4.8+ or Clang 3.3+) is required as well as the - `C++ Actor Framework `_. + other Bro processes. .. contents:: @@ -23,26 +20,26 @@ Communication via Broker must first be turned on via :bro:see:`BrokerComm::enable`. Bro can accept incoming connections by calling :bro:see:`BrokerComm::listen` -and then monitor connection status updates via +and then monitor connection status updates via the :bro:see:`BrokerComm::incoming_connection_established` and -:bro:see:`BrokerComm::incoming_connection_broken`. +:bro:see:`BrokerComm::incoming_connection_broken` events. .. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-listener.bro Bro can initiate outgoing connections by calling :bro:see:`BrokerComm::connect` -and then monitor connection status updates via +and then monitor connection status updates via the :bro:see:`BrokerComm::outgoing_connection_established`, :bro:see:`BrokerComm::outgoing_connection_broken`, and -:bro:see:`BrokerComm::outgoing_connection_incompatible`. +:bro:see:`BrokerComm::outgoing_connection_incompatible` events. .. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-connector.bro Remote Printing =============== -To receive remote print messages, first use -:bro:see:`BrokerComm::subscribe_to_prints` to advertise to peers a topic -prefix of interest and then create an event handler for +To receive remote print messages, first use the +:bro:see:`BrokerComm::subscribe_to_prints` function to advertise to peers a +topic prefix of interest and then create an event handler for :bro:see:`BrokerComm::print_handler` to handle any print messages that are received. @@ -71,17 +68,17 @@ the Broker message format is simply: Remote Events ============= -Receiving remote events is similar to remote prints. Just use -:bro:see:`BrokerComm::subscribe_to_events` and possibly define any new events -along with handlers that peers may want to send. +Receiving remote events is similar to remote prints. Just use the +:bro:see:`BrokerComm::subscribe_to_events` function and possibly define any +new events along with handlers that peers may want to send. .. btest-include:: ${DOC_ROOT}/frameworks/broker/events-listener.bro -To send events, there are two choices. The first is to use call -:bro:see:`BrokerComm::event` directly. The second option is to use -:bro:see:`BrokerComm::auto_event` to make it so a particular event is -automatically sent to peers whenever it is called locally via the normal -event invocation syntax. +There are two different ways to send events. The first is to call the +:bro:see:`BrokerComm::event` function directly. The second option is to call +the :bro:see:`BrokerComm::auto_event` function where you specify a +particular event that will be automatically sent to peers whenever the +event is called locally via the normal event invocation syntax. .. btest-include:: ${DOC_ROOT}/frameworks/broker/events-connector.bro @@ -98,7 +95,7 @@ the Broker message format is: broker::message{std::string{}, ...}; The first parameter is the name of the event and the remaining ``...`` -are its arguments, which are any of the support Broker data types as +are its arguments, which are any of the supported Broker data types as they correspond to the Bro types for the event named in the first parameter of the message. @@ -107,23 +104,23 @@ Remote Logging .. btest-include:: ${DOC_ROOT}/frameworks/broker/testlog.bro -Use :bro:see:`BrokerComm::subscribe_to_logs` to advertise interest in logs -written by peers. The topic names that Bro uses are implicitly of the +Use the :bro:see:`BrokerComm::subscribe_to_logs` function to advertise interest +in logs written by peers. The topic names that Bro uses are implicitly of the form "bro/log/". .. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-listener.bro -To send remote logs either use :bro:see:`Log::enable_remote_logging` or -:bro:see:`BrokerComm::enable_remote_logs`. The former allows any log stream -to be sent to peers while the later toggles remote logging for -particular streams. +To send remote logs either redef :bro:see:`Log::enable_remote_logging` or +use the :bro:see:`BrokerComm::enable_remote_logs` function. The former +allows any log stream to be sent to peers while the latter enables remote +logging for particular streams. .. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-connector.bro Message Format -------------- -For other applications that want to exchange logs messages with Bro, +For other applications that want to exchange log messages with Bro, the Broker message format is: .. code:: c++ @@ -132,7 +129,7 @@ the Broker message format is: The enum value corresponds to the stream's :bro:see:`Log::ID` value, and the record corresponds to a single entry of that log's columns record, -in this case a ``Test::INFO`` value. +in this case a ``Test::Info`` value. Tuning Access Control ===================== @@ -152,11 +149,12 @@ that take a :bro:see:`BrokerComm::SendFlags` such as :bro:see:`BrokerComm::print :bro:see:`BrokerComm::enable_remote_logs`. If not using the ``auto_advertise`` flag, one can use the -:bro:see:`BrokerComm::advertise_topic` and :bro:see:`BrokerComm::unadvertise_topic` -to manupulate the set of topic prefixes that are allowed to be -advertised to peers. If an endpoint does not advertise a topic prefix, -the only way a peers can send messages to it is via the ``unsolicited`` -flag of :bro:see:`BrokerComm::SendFlags` and choosing a topic with a matching +:bro:see:`BrokerComm::advertise_topic` and +:bro:see:`BrokerComm::unadvertise_topic` functions +to manipulate the set of topic prefixes that are allowed to be +advertised to peers. If an endpoint does not advertise a topic prefix, then +the only way peers can send messages to it is via the ``unsolicited`` +flag of :bro:see:`BrokerComm::SendFlags` and choosing a topic with a matching prefix (i.e. full topic may be longer than receivers prefix, just the prefix needs to match). @@ -172,7 +170,7 @@ specific type of frontend, but a standalone frontend can also exist to e.g. query and modify the contents of a remote master store without actually "owning" any of the contents itself. -A master data store can be be cloned from remote peers which may then +A master data store can be cloned from remote peers which may then perform lightweight, local queries against the clone, which automatically stays synchronized with the master store. Clones cannot modify their content directly, instead they send modifications to the @@ -181,7 +179,7 @@ all clones. Master and clone stores get to choose what type of storage backend to use. E.g. In-memory versus SQLite for persistence. Note that if clones -are used, data store sizes should still be able to fit within memory +are used, then data store sizes must be able to fit within memory regardless of the storage backend as a single snapshot of the master store is sent in a single chunk to initialize the clone. @@ -198,5 +196,5 @@ needed, just replace the :bro:see:`BrokerStore::create_clone` call with :bro:see:`BrokerStore::create_frontend`. Queries will then be made against the remote master store instead of the local clone. -Note that all queries are made within Bro's asynchrounous ``when`` -statements and must specify a timeout block. +Note that all data store queries must be made within Bro's asynchronous +``when`` statements and must specify a timeout block. diff --git a/doc/install/install.rst b/doc/install/install.rst index ff8d83ad97..10fdfeefaf 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -32,13 +32,13 @@ before you begin: * Libz * Bash (for BroControl) * Python (for BroControl) - * C++ Actor Framework (CAF) (http://actor-framework.org) + * C++ Actor Framework (CAF) version 0.14 (http://actor-framework.org) To build Bro from source, the following additional dependencies are required: * CMake 2.8 or greater (http://www.cmake.org) * Make - * C/C++ compiler with C++11 support + * C/C++ compiler with C++11 support (GCC 4.8+ or Clang 3.3+) * SWIG (http://www.swig.org) * Bison (GNU Parser Generator) * Flex (Fast Lexical Analyzer) From ac9552a0cf2aedbfb678d9927b26c5cd3fb4ed7e Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 20 Aug 2015 10:45:22 -0500 Subject: [PATCH 17/93] Update documentation of Conn::Info history field --- scripts/base/protocols/conn/main.bro | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index 7ef204268b..015c5520db 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -87,7 +87,8 @@ export { ## f packet with FIN bit set ## r packet with RST bit set ## c packet with a bad checksum - ## i inconsistent packet (e.g. SYN+RST bits both set) + ## i inconsistent packet (e.g. FIN+RST bits set) + ## q multi-flag packet (SYN+FIN or SYN+RST bits set) ## ====== ==================================================== ## ## If the event comes from the originator, the letter is in From ab8a8d3ef3ac1164cd9056774764490a5866dba5 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 21 Aug 2015 16:30:51 -0500 Subject: [PATCH 18/93] Split long lines in input framework docs --- doc/frameworks/logging-input-sqlite.rst | 91 ++++++++++--------- scripts/base/frameworks/input/main.bro | 22 +++-- scripts/base/frameworks/input/readers/raw.bro | 6 +- 3 files changed, 66 insertions(+), 53 deletions(-) diff --git a/doc/frameworks/logging-input-sqlite.rst b/doc/frameworks/logging-input-sqlite.rst index 6f5e867686..e0f10308ae 100644 --- a/doc/frameworks/logging-input-sqlite.rst +++ b/doc/frameworks/logging-input-sqlite.rst @@ -23,17 +23,18 @@ In contrast to the ASCII reader and writer, the SQLite plugins have not yet seen extensive use in production environments. While we are not aware of any issues with them, we urge to caution when using them in production environments. There could be lingering issues which only occur -when the plugins are used with high amounts of data or in high-load environments. +when the plugins are used with high amounts of data or in high-load +environments. Logging Data into SQLite Databases ================================== Logging support for SQLite is available in all Bro installations starting with -version 2.2. There is no need to load any additional scripts or for any compile-time -configurations. +version 2.2. There is no need to load any additional scripts or for any +compile-time configurations. -Sending data from existing logging streams to SQLite is rather straightforward. You -have to define a filter which specifies SQLite as the writer. +Sending data from existing logging streams to SQLite is rather straightforward. +You have to define a filter which specifies SQLite as the writer. The following example code adds SQLite as a filter for the connection log: @@ -44,15 +45,15 @@ The following example code adds SQLite as a filter for the connection log: # Make sure this parses correctly at least. @TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-conn-filter.bro -Bro will create the database file ``/var/db/conn.sqlite``, if it does not already exist. -It will also create a table with the name ``conn`` (if it does not exist) and start -appending connection information to the table. +Bro will create the database file ``/var/db/conn.sqlite``, if it does not +already exist. It will also create a table with the name ``conn`` (if it +does not exist) and start appending connection information to the table. -At the moment, SQLite databases are not rotated the same way ASCII log-files are. You -have to take care to create them in an adequate location. +At the moment, SQLite databases are not rotated the same way ASCII log-files +are. You have to take care to create them in an adequate location. -If you examine the resulting SQLite database, the schema will contain the same fields -that are present in the ASCII log files:: +If you examine the resulting SQLite database, the schema will contain the +same fields that are present in the ASCII log files:: # sqlite3 /var/db/conn.sqlite @@ -75,27 +76,31 @@ from being created, you can remove the default filter: Log::remove_filter(Conn::LOG, "default"); -To create a custom SQLite log file, you have to create a new log stream that contains -just the information you want to commit to the database. Please refer to the -:ref:`framework-logging` documentation on how to create custom log streams. +To create a custom SQLite log file, you have to create a new log stream +that contains just the information you want to commit to the database. +Please refer to the :ref:`framework-logging` documentation on how to +create custom log streams. Reading Data from SQLite Databases ================================== -Like logging support, support for reading data from SQLite databases is built into Bro starting -with version 2.2. +Like logging support, support for reading data from SQLite databases is +built into Bro starting with version 2.2. -Just as with the text-based input readers (please refer to the :ref:`framework-input` -documentation for them and for basic information on how to use the input-framework), the SQLite reader -can be used to read data - in this case the result of SQL queries - into tables or into events. +Just as with the text-based input readers (please refer to the +:ref:`framework-input` documentation for them and for basic information +on how to use the input framework), the SQLite reader can be used to +read data - in this case the result of SQL queries - into tables or into +events. Reading Data into Tables ------------------------ -To read data from a SQLite database, we first have to provide Bro with the information, how -the resulting data will be structured. For this example, we expect that we have a SQLite database, -which contains host IP addresses and the user accounts that are allowed to log into a specific -machine. +To read data from a SQLite database, we first have to provide Bro with +the information, how the resulting data will be structured. For this +example, we expect that we have a SQLite database, which contains +host IP addresses and the user accounts that are allowed to log into +a specific machine. The SQLite commands to create the schema are as follows:: @@ -107,8 +112,8 @@ The SQLite commands to create the schema are as follows:: insert into machines_to_users values ('192.168.17.2', 'bernhard'); insert into machines_to_users values ('192.168.17.3', 'seth,matthias'); -After creating a file called ``hosts.sqlite`` with this content, we can read the resulting table -into Bro: +After creating a file called ``hosts.sqlite`` with this content, we can +read the resulting table into Bro: .. btest-include:: ${DOC_ROOT}/frameworks/sqlite-read-table.bro @@ -117,22 +122,25 @@ into Bro: # Make sure this parses correctly at least. @TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-read-table.bro -Afterwards, that table can be used to check logins into hosts against the available -userlist. +Afterwards, that table can be used to check logins into hosts against +the available userlist. Turning Data into Events ------------------------ -The second mode is to use the SQLite reader to output the input data as events. Typically there -are two reasons to do this. First, when the structure of the input data is too complicated -for a direct table import. In this case, the data can be read into an event which can then -create the necessary data structures in Bro in scriptland. +The second mode is to use the SQLite reader to output the input data as events. +Typically there are two reasons to do this. First, when the structure of +the input data is too complicated for a direct table import. In this case, +the data can be read into an event which can then create the necessary +data structures in Bro in scriptland. -The second reason is, that the dataset is too big to hold it in memory. In this case, the checks -can be performed on-demand, when Bro encounters a situation where it needs additional information. +The second reason is, that the dataset is too big to hold it in memory. In +this case, the checks can be performed on-demand, when Bro encounters a +situation where it needs additional information. -An example for this would be an internal huge database with malware hashes. Live database queries -could be used to check the sporadically happening downloads against the database. +An example for this would be an internal huge database with malware +hashes. Live database queries could be used to check the sporadically +happening downloads against the database. The SQLite commands to create the schema are as follows:: @@ -151,9 +159,10 @@ The SQLite commands to create the schema are as follows:: insert into malware_hashes values ('73f45106968ff8dc51fba105fa91306af1ff6666', 'ftp-trace'); -The following code uses the file-analysis framework to get the sha1 hashes of files that are -transmitted over the network. For each hash, a SQL-query is run against SQLite. If the query -returns with a result, we had a hit against our malware-database and output the matching hash. +The following code uses the file-analysis framework to get the sha1 hashes +of files that are transmitted over the network. For each hash, a SQL-query +is run against SQLite. If the query returns with a result, we had a hit +against our malware-database and output the matching hash. .. btest-include:: ${DOC_ROOT}/frameworks/sqlite-read-events.bro @@ -162,5 +171,5 @@ returns with a result, we had a hit against our malware-database and output the # Make sure this parses correctly at least. @TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-read-events.bro -If you run this script against the trace in ``testing/btest/Traces/ftp/ipv4.trace``, you -will get one hit. +If you run this script against the trace in +``testing/btest/Traces/ftp/ipv4.trace``, you will get one hit. diff --git a/scripts/base/frameworks/input/main.bro b/scripts/base/frameworks/input/main.bro index fa766ba27b..82c46b870c 100644 --- a/scripts/base/frameworks/input/main.bro +++ b/scripts/base/frameworks/input/main.bro @@ -73,22 +73,23 @@ export { idx: any; ## Record that defines the values used as the elements of the table. - ## If this is undefined, then *destination* has to be a set. + ## If this is undefined, then *destination* must be a set. val: any &optional; ## Defines if the value of the table is a record (default), or a single value. ## When this is set to false, then *val* can only contain one element. want_record: bool &default=T; - ## The event that is raised each time a value is added to, changed in or removed - ## from the table. The event will receive an Input::Event enum as the first - ## argument, the *idx* record as the second argument and the value (record) as the - ## third argument. + ## The event that is raised each time a value is added to, changed in or + ## removed from the table. The event will receive an Input::Event enum + ## as the first argument, the *idx* record as the second argument and + ## the value (record) as the third argument. ev: any &optional; # event containing idx, val as values. - ## Predicate function that can decide if an insertion, update or removal should - ## really be executed. Parameters are the same as for the event. If true is - ## returned, the update is performed. If false is returned, it is skipped. + ## Predicate function that can decide if an insertion, update or removal + ## should really be executed. Parameters are the same as for the event. + ## If true is returned, the update is performed. If false is returned, + ## it is skipped. pred: function(typ: Input::Event, left: any, right: any): bool &optional; ## A key/value table that will be passed on the reader. @@ -123,8 +124,9 @@ export { ## If this is set to true (default), the event receives all fields in a single record value. want_record: bool &default=T; - ## The event that is raised each time a new line is received from the reader. - ## The event will receive an Input::Event enum as the first element, and the fields as the following arguments. + ## The event that is raised each time a new line is received from the + ## reader. The event will receive an Input::Event enum as the first + ## element, and the fields as the following arguments. ev: any; ## A key/value table that will be passed on the reader. diff --git a/scripts/base/frameworks/input/readers/raw.bro b/scripts/base/frameworks/input/readers/raw.bro index b1e0fb6831..a1e95b71a1 100644 --- a/scripts/base/frameworks/input/readers/raw.bro +++ b/scripts/base/frameworks/input/readers/raw.bro @@ -11,7 +11,9 @@ export { ## ## name: name of the input stream. ## source: source of the input stream. - ## exit_code: exit code of the program, or number of the signal that forced the program to exit. - ## signal_exit: false when program exited normally, true when program was forced to exit by a signal. + ## exit_code: exit code of the program, or number of the signal that forced + ## the program to exit. + ## signal_exit: false when program exited normally, true when program was + ## forced to exit by a signal. global process_finished: event(name: string, source:string, exit_code:count, signal_exit:bool); } From 918bf665bf45c5cf49a309f30079970006564763 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Aug 2015 16:43:45 -0700 Subject: [PATCH 19/93] Updating submodule(s). [nomail] --- aux/broctl | 2 +- aux/broker | 2 +- aux/plugins | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aux/broctl b/aux/broctl index d37009f1e8..8daf193c2b 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit d37009f1e81b5fac8e34f6707690841e6d4d739a +Subproject commit 8daf193c2bba31b24181cafd18ba637ac37cc17c diff --git a/aux/broker b/aux/broker index d25efc7d5f..ace04e162f 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit d25efc7d5f495c30294b11180c1857477078f2d6 +Subproject commit ace04e162fccc87db657db7c10e60a18e06e280d diff --git a/aux/plugins b/aux/plugins index bb86ad945c..082676f548 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit bb86ad945c823c94ea8385ec4ebb9546ba5198af +Subproject commit 082676f54874de968bc95bb8fede13a6c2521b5e From 7f5f2822dc8bd0454fe2711ddf8c6d7b26dcb418 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Aug 2015 17:07:02 -0700 Subject: [PATCH 20/93] Updating submodule(s). [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index a89cd0fda0..ee979e6502 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit a89cd0fda0f17f69b96c935959cae89145b92927 +Subproject commit ee979e65028aa67b43bbf9026047245d43bbe2b5 From fe1bbb3e70b256e695901a33a7fb0f97fc768d75 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Aug 2015 17:22:40 -0700 Subject: [PATCH 21/93] Updating submodule(s). [nomail] --- aux/btest | 2 +- cmake | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/btest b/aux/btest index ee979e6502..a89cd0fda0 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit ee979e65028aa67b43bbf9026047245d43bbe2b5 +Subproject commit a89cd0fda0f17f69b96c935959cae89145b92927 diff --git a/cmake b/cmake index 6406fb79d3..0fab31c3b3 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 6406fb79d30df8d7956110ce65a97d18e4bc8c3b +Subproject commit 0fab31c3b3b6606831364a9c4266128bb7e53465 From cf4ab1d381cbc5f1da2f78d0d003763bc78b9acb Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Aug 2015 17:23:39 -0700 Subject: [PATCH 22/93] Updating submodule(s). --- CHANGES | 4 ++++ VERSION | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- 7 files changed, 10 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 1086e0ed06..17f18ffb0e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.4-93 | 2015-08-21 17:23:39 -0700 + + * Make plugin install honor DESTDIR= convention. (Jeff Barber) + 2.4-89 | 2015-08-18 07:53:36 -0700 * Fix diff-canonifier-external to use basename of input file. diff --git a/VERSION b/VERSION index 4eb136256b..e95592a8cb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-89 +2.4-93 diff --git a/aux/binpac b/aux/binpac index 4f33233aef..ff16caf3d8 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 4f33233aef5539ae4f12c6d0e4338247833c3900 +Subproject commit ff16caf3d8c5b12febd465a8ddd1524af60eae1a diff --git a/aux/bro-aux b/aux/bro-aux index 2470f64b58..2ec49971f1 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 2470f64b58d875f9491e251b866a15a2ec4c05da +Subproject commit 2ec49971f12176e1fabe9db21445435b77bad68e diff --git a/aux/broccoli b/aux/broccoli index 74bb4bbd94..0c051fb343 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 74bb4bbd949e61e099178f8a97499d3f1355de8b +Subproject commit 0c051fb3439abe7b4c915dbdaa751e91140dcf1e diff --git a/aux/broctl b/aux/broctl index 8daf193c2b..992a79e1e3 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 8daf193c2bba31b24181cafd18ba637ac37cc17c +Subproject commit 992a79e1e36cef032373bf42cff456bb3598597d diff --git a/aux/broker b/aux/broker index ace04e162f..9e640c393a 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit ace04e162fccc87db657db7c10e60a18e06e280d +Subproject commit 9e640c393a2144a48a464bdcbe685743131299b8 From b14b189d12f33f374936c4345a8d31e59f334b14 Mon Sep 17 00:00:00 2001 From: "dmfreemon@users.noreply.github.com" Date: Tue, 18 Aug 2015 12:17:54 -0500 Subject: [PATCH 23/93] add support for MIME type video/MP2T BIT-1457 #merged --- CHANGES | 4 ++++ VERSION | 2 +- scripts/base/frameworks/files/magic/video.sig | 9 +++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 17f18ffb0e..b4bc8adbf2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.4-94 | 2015-08-21 17:31:32 -0700 + + * Add file type detection support for video/MP2T. (Mike Freemon) + 2.4-93 | 2015-08-21 17:23:39 -0700 * Make plugin install honor DESTDIR= convention. (Jeff Barber) diff --git a/VERSION b/VERSION index e95592a8cb..1b85ec1580 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-93 +2.4-94 diff --git a/scripts/base/frameworks/files/magic/video.sig b/scripts/base/frameworks/files/magic/video.sig index 5d499f2119..d939c15618 100644 --- a/scripts/base/frameworks/files/magic/video.sig +++ b/scripts/base/frameworks/files/magic/video.sig @@ -71,6 +71,14 @@ signature file-mp2p { file-magic /\x00\x00\x01\xba([\x40-\x7f\xc0-\xff])/ } +# MPEG transport stream data. These files typically have the extension "ts". +# Note: The 0x47 repeats every 188 bytes. Using four as the number of +# occurrences for the test here is arbitrary. +signature file-mp2t { + file-mime "video/mp2t", 40 + file-magic /^(\x47.{187}){4}/ +} + # Silicon Graphics video signature file-sgi-movie { file-mime "video/x-sgi-movie", 70 @@ -94,3 +102,4 @@ signature file-3gpp { file-mime "video/3gpp", 60 file-magic /^....ftyp(3g[egps2]|avc1|mmp4)/ } + From 4788e4e715f0fdbb9ec42d6fd3ba803ff250c799 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Sat, 22 Aug 2015 21:56:55 -0500 Subject: [PATCH 24/93] Fix some test canonifiers in scripts/policy/protocols/ssl --- .../protocols/ssl/validate-certs-cluster.bro | 2 +- .../protocols/ssl/validate-certs-no-cache.bro | 2 +- .../policy/protocols/ssl/validate-certs.bro | 2 +- .../policy/protocols/ssl/validate-ocsp.bro | 6 +++--- testing/scripts/diff-remove-x509-names | 19 ++++++++++++------- 5 files changed, 18 insertions(+), 13 deletions(-) diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro index 795aa78c40..1b4f96af2f 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro @@ -9,7 +9,7 @@ # @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/missing-intermediate.pcap %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: cat manager-1/ssl*.log > ssl.log -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-file-ids btest-diff ssl.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log # redef Log::default_rotation_interval = 0secs; diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro index 343b2fb196..5212d42b78 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log @load protocols/ssl/validate-certs.bro diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro index 40e5e09361..332bae4050 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro @@ -2,6 +2,6 @@ # @TEST-EXEC: cat ssl.log > ssl-all.log # @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT # @TEST-EXEC: cat ssl.log >> ssl-all.log -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-all.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log @load protocols/ssl/validate-certs.bro diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro index 3f88638ee3..b2f600f734 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -1,10 +1,10 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT # @TEST-EXEC: mv ssl.log ssl-twimg.log -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-twimg.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT # @TEST-EXEC: mv ssl.log ssl-digicert.log -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-digicert.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-digicert.log @load protocols/ssl/validate-ocsp diff --git a/testing/scripts/diff-remove-x509-names b/testing/scripts/diff-remove-x509-names index 4534cb7d87..d9437b0741 100755 --- a/testing/scripts/diff-remove-x509-names +++ b/testing/scripts/diff-remove-x509-names @@ -25,43 +25,48 @@ BEGIN { FS="\t"; OFS="\t"; s_col = -1; i_col = -1; is_col = -1; cs_col = -1; ci_ } } -s_col >= 0 { +/^#/ { + print; + next; +} + +s_col > 0 { if ( $s_col != "-" ) # Mark that it's set, but ignore content. $s_col = "+"; } -i_col >= 0 { +i_col > 0 { if ( $i_col != "-" ) # Mark that it's set, but ignore content. $i_col = "+"; } -is_col >= 0 { +is_col > 0 { if ( $is_col != "-" ) # Mark that it's set, but ignore content. $is_col = "+"; } -cs_col >= 0 { +cs_col > 0 { if ( $cs_col != "-" ) # Mark that it's set, but ignore content. $cs_col = "+"; } -ci_col >= 0 { +ci_col > 0 { if ( $ci_col != "-" ) # Mark that it's set, but ignore content. $ci_col = "+"; } -cert_subj_col >= 0 { +cert_subj_col > 0 { if ( $cert_subj_col != "-" ) # Mark that it's set, but ignore content. $cert_subj_col = "+"; } -cert_issuer_col >= 0 { +cert_issuer_col > 0 { if ( $cert_issuer_col != "-" ) # Mark that it's set, but ignore content. $cert_issuer_col = "+"; From 9cd4071cb3212a61e73f1b8f92c6c5b4d6969fcc Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Mon, 24 Aug 2015 12:10:35 -0500 Subject: [PATCH 25/93] Add Q and update I documentation for conn history - Q (MULTI_FLAG_PKT) was not in the documentation for the history field. - I (FIN_RST_PKT) was documented incorrectly. It was documented as a SYN+RST, when it actually represents a FIN+RST. The new documentation was derived from: https://github.com/bro/bro/blob/d3f513f/src/analyzer/protocol/tcp/TCP.cc#L493 Addresses BIT-1466 --- scripts/base/protocols/conn/main.bro | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index 7ef204268b..de9a78f975 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -87,7 +87,8 @@ export { ## f packet with FIN bit set ## r packet with RST bit set ## c packet with a bad checksum - ## i inconsistent packet (e.g. SYN+RST bits both set) + ## i inconsistent packet (FIN+RST bits both set) + ## q multi-flag packet (SYN+FIN or SYN+RST bits both set) ## ====== ==================================================== ## ## If the event comes from the originator, the letter is in From ba4c816b0e38e6cb50f6d0a201ccbfe67589bc3c Mon Sep 17 00:00:00 2001 From: Kris Nielander Date: Mon, 24 Aug 2015 23:45:21 +0200 Subject: [PATCH 26/93] Refactored patch (removed options, less ambiguous name) --- scripts/base/init-bare.bro | 28 ++++++++++------------------ src/const.bif | 4 ++-- src/iosource/IOSource.h | 17 ----------------- src/iosource/pcap/Source.cc | 10 +++++++--- src/iosource/pcap/Source.h | 7 +++---- src/main.cc | 14 ++++++-------- 6 files changed, 28 insertions(+), 52 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 0097e4d47b..e2b0e169df 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3710,28 +3710,20 @@ export { ## external harness and shouldn't output anything to the console. const errors_to_stderr = T &redef; } +module GLOBAL; -module Fanout; - -type Method: enum { - METHOD_HASH = 0, - METHOD_LB = 1, - METHOD_CPU = 2, - METHOD_ROLLOVER = 3 -}; - -type Flag: enum { - FLAG_NONE = 0, - FLAG_DEFRAG = 0x8000, - FLAG_ROLLOVER = 0x1000 -}; - +module PacketFanout; export { + ## Toggle whether to do packet fanout. const enable = F &redef; + + ## The packet fanout id should be shared amongst worker processes operating + ## the same socket. const id = 0 &redef; - const method = METHOD_HASH &redef; - const flag = FLAG_NONE &redef; -} + + ## If true, causes packets to be defragmented before fanout is applied. + const flag_defrag = T &redef; +} # end export module GLOBAL; ## Number of bytes per packet to capture from live interfaces. diff --git a/src/const.bif b/src/const.bif index f96b15818b..2129a22578 100644 --- a/src/const.bif +++ b/src/const.bif @@ -9,8 +9,8 @@ const detect_filtered_trace: bool; const report_gaps_for_partial: bool; const exit_only_after_terminate: bool; -const Fanout::enable: bool; -const Fanout::id: count; +const PacketFanout::enable: bool; +const PacketFanout::id: count; const NFS3::return_data: bool; const NFS3::return_data_max: count; diff --git a/src/iosource/IOSource.h b/src/iosource/IOSource.h index a129429e0e..356b8eee70 100644 --- a/src/iosource/IOSource.h +++ b/src/iosource/IOSource.h @@ -5,25 +5,8 @@ #ifdef HAVE_PACKET_FANOUT #include -#ifndef PACKET_FANOUT -#define PACKET_FANOUT 18 -#define PACKET_FANOUT_HASH 0 -#define PACKET_FANOUT_LB 1 -#define PACKET_FANOUT_CPU 2 -#define PACKET_FANOUT_FLAG_DEFRAG 0x8000 - -#ifndef PACKET_FANOUT_ROLLOVER -#define PACKET_FANOUT_ROLLOVER 3 #endif -#ifndef PACKET_FANOUT_FLAG_ROLLOVER -#define PACKET_FANOUT_FLAG_ROLLOVER 0x1000 -#endif - -#define PACKET_FANOUT_FLAG_NONE -1 -#endif /* PACKET_FANOUT */ -#endif /* HAVE_PACKET_FANOUT */ - extern "C" { #include } diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc index e430dfc6a7..9dc36cfa5f 100644 --- a/src/iosource/pcap/Source.cc +++ b/src/iosource/pcap/Source.cc @@ -161,10 +161,14 @@ void PcapSource::OpenLive() #ifdef HAVE_PACKET_FANOUT /* Turn on cluster mode for the device. */ - if ( fanout_enable ) + if ( packet_fanout_enable ) { - uint32_t fanout_arg = (fanout_method << 16) | (fanout_id & 0xffff); - if (setsockopt(props.selectable_fd, SOL_PACKET, PACKET_FANOUT, &fanout_arg, sizeof(fanout_arg)) == -1) + uint32_t packet_fanout_arg = (PACKET_FANOUT_HASH << 16) | (packet_fanout_id & 0xffff); + + if ( packet_fanout_flag_defrag ) + packet_fanout_arg |= (PACKET_FANOUT_FLAG_DEFRAG << 16); + + if (setsockopt(props.selectable_fd, SOL_PACKET, PACKET_FANOUT, &packet_fanout_arg, sizeof(packet_fanout_arg)) == -1) { Error(fmt("%s: setsockopt: %s", __FUNCTION__, strerror(errno))); return; diff --git a/src/iosource/pcap/Source.h b/src/iosource/pcap/Source.h index 2f169f7819..0e618e06e3 100644 --- a/src/iosource/pcap/Source.h +++ b/src/iosource/pcap/Source.h @@ -6,10 +6,9 @@ #include "../PktSrc.h" #ifdef HAVE_PACKET_FANOUT -extern bool fanout_enable; -extern int fanout_id; -extern int fanout_method; -extern int fanout_flag; +extern bool packet_fanout_enable; +extern int packet_fanout_id; +extern bool packet_fanout_flag_defrag; #endif namespace iosource { diff --git a/src/main.cc b/src/main.cc index b7d1bbfa40..207dae6193 100644 --- a/src/main.cc +++ b/src/main.cc @@ -125,10 +125,9 @@ int snaplen = 0; // this gets set from the scripting-layer's value int bufsize = 0; #ifdef HAVE_PACKET_FANOUT -bool fanout_enable = false; -int fanout_id = 0; -int fanout_method = PACKET_FANOUT_HASH; -int fanout_flag = 0; +bool packet_fanout_enable = false; +int packet_fanout_id = 0; +bool packet_fanout_flag_defrag = false; #endif OpaqueType* md5_type = 0; @@ -1001,10 +1000,9 @@ int main(int argc, char** argv) bufsize = internal_val("bufsize")->AsCount() * 1024 * 1024; #ifdef HAVE_PACKET_FANOUT - fanout_enable = internal_val("Fanout::enable")->AsBool(); - fanout_id = internal_val("Fanout::id")->AsCount(); - fanout_method = internal_val("Fanout::method")->AsEnum(); - fanout_flag = internal_val("Fanout::flag")->AsEnum(); + packet_fanout_enable = internal_val("PacketFanout::enable")->AsBool(); + packet_fanout_id = internal_val("PacketFanout::id")->AsCount(); + packet_fanout_flag_defrag = internal_val("PacketFanout::flag_defrag")->AsBool(); #endif if ( dns_type != DNS_PRIME ) From 99e104b49c5b4844a3240871ec0c67360d0287f6 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 25 Aug 2015 07:56:57 -0700 Subject: [PATCH 27/93] Updating submodule(s). [nomail] --- CHANGES | 5 +++++ VERSION | 2 +- aux/btest | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 9ee33c7cef..1055a270bb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.4-99 | 2015-08-25 07:56:57 -0700 + + * Add ``Q`` and update ``I`` documentation for connection history + field. Addresses BIT-1466. (Vlad Grigorescu) + 2.4-96 | 2015-08-21 17:37:56 -0700 * Update SIP analyzer. (balintm) diff --git a/VERSION b/VERSION index 9e1848cc69..2748777ff1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-96 +2.4-99 diff --git a/aux/btest b/aux/btest index b628230acb..25658b96d2 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit b628230acb0258dc5ae6723789bbf2f4dbc09a1a +Subproject commit 25658b96d252786a4428418cc837486b4d07bbcf From d0541587139173ce96331825213f0da97bb7a033 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Aug 2015 21:44:37 -0700 Subject: [PATCH 28/93] Make asn.1 date/time parsing more robust. These changes should be safe -- testing the failure cases proves a bit difficult at the moment due to the fact that OpenSSL seems to fix the values that are present in the original ASN.1 before passing them on to us. It is thus not directly easily possible to trigger the error cases from scriptland. This also means that a lot of the new error cases we try to catch here can probably never happen. --- src/file_analysis/analyzer/x509/X509.cc | 63 +++++++++++++++++++------ src/file_analysis/analyzer/x509/X509.h | 4 +- 2 files changed, 50 insertions(+), 17 deletions(-) diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 8c70597dca..9ba807c0bf 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -52,7 +52,7 @@ bool file_analysis::X509::EndOfFile() X509Val* cert_val = new X509Val(ssl_cert); // cert_val takes ownership of ssl_cert - RecordVal* cert_record = ParseCertificate(cert_val); // parse basic information into record + RecordVal* cert_record = ParseCertificate(cert_val, GetFile()->GetID().c_str()); // parse basic information into record // and send the record on to scriptland val_list* vl = new val_list(); @@ -84,7 +84,7 @@ bool file_analysis::X509::EndOfFile() return false; } -RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val) +RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* id_arg) { ::X509* ssl_cert = cert_val->GetCertificate(); @@ -131,8 +131,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val) pX509Cert->Assign(3, new StringVal(len, buf)); BIO_free(bio); - pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert)), TYPE_TIME)); - pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert)), TYPE_TIME)); + pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), id_arg), TYPE_TIME)); + pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), id_arg), TYPE_TIME)); // we only read 255 bytes because byte 256 is always 0. // if the string is longer than 255, that will be our null-termination, @@ -515,68 +515,101 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) reporter->InternalError("cannot be reached"); } -double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime) +double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char * id_arg) { + const char * id = id_arg; + if ( id_arg == 0 ) + id = ""; + time_t lResult = 0; char lBuffer[24]; char* pBuffer = lBuffer; size_t lTimeLength = atime->length; - char * pString = (char *) atime->data; + const char * pString = (const char *) atime->data; + + unsigned int remaining = 0; if ( atime->type == V_ASN1_UTCTIME ) { if ( lTimeLength < 11 || lTimeLength > 17 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", id)); return 0; + } memcpy(pBuffer, pString, 10); pBuffer += 10; pString += 10; + + remaining = lTimeLength-10; } - else + else // generalized time. We apparently ignore the YYYYMMDDHH case for now and assume we always have minutes and seconds { - if ( lTimeLength < 13 ) + if ( lTimeLength < 12 || lTimeLength > 23 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", id)); return 0; + } memcpy(pBuffer, pString, 12); pBuffer += 12; pString += 12; + + remaining = lTimeLength-12; } - if ((*pString == 'Z') || (*pString == '-') || (*pString == '+')) + if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) { *(pBuffer++) = '0'; *(pBuffer++) = '0'; } - else + else if ( remaining >= 2 ) { *(pBuffer++) = *(pString++); *(pBuffer++) = *(pString++); + remaining -= 2; + // Skip any fractional seconds... - if (*pString == '.') + if ( (remaining > 0) && (*pString == '.') ) { pString++; - while ((*pString >= '0') && (*pString <= '9')) + remaining--; + while ( (remaining) > 0 && (*pString >= '0') && (*pString <= '9') ) pString++; + remaining--; } } + else + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", id)); + return 0; + } *(pBuffer++) = 'Z'; *(pBuffer++) = '\0'; time_t lSecondsFromUTC; - if ( *pString == 'Z' ) + if ( remaining == 0 || *pString == 'Z' ) lSecondsFromUTC = 0; - else { - if ((*pString != '+') && (pString[5] != '-')) + if ( remaining < 5 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", id)); return 0; + } + + if ((*pString != '+') && (*pString != '-')) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", id)); + return 0; + } lSecondsFromUTC = ((pString[1]-'0') * 10 + (pString[2]-'0')) * 60; lSecondsFromUTC += (pString[3]-'0') * 10 + (pString[4]-'0'); diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index bd4c8fc7a5..fa45ffd9e9 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -32,7 +32,7 @@ public: * @param Returns the new record value and passes ownership to * caller. */ - static RecordVal* ParseCertificate(X509Val* cert_val); + static RecordVal* ParseCertificate(X509Val* cert_val, const char* id_arg = 0); static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return new X509(args, file); } @@ -59,7 +59,7 @@ private: std::string cert_data; // Helpers for ParseCertificate. - static double GetTimeFromAsn1(const ASN1_TIME * atime); + static double GetTimeFromAsn1(const ASN1_TIME * atime, const char * id_arg = 0); static StringVal* KeyCurve(EVP_PKEY *key); static unsigned int KeyLength(EVP_PKEY *key); }; From 68f1d25edda9c90e0e4ad5c8fc0d88d560bf0ac2 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 28 Aug 2015 12:56:29 -0700 Subject: [PATCH 29/93] Get way more permissive on what characters we accept as an unquoted multipart boundary. Addresses BIT-1459 --- src/analyzer/protocol/mime/MIME.cc | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index be10681266..690d4a81b4 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -248,9 +248,7 @@ int MIME_get_field_name(int len, const char* data, data_chunk_t* name) int MIME_is_tspecial (char ch, bool is_boundary = false) { if ( is_boundary ) - return ch == '(' || ch == ')' || ch == '@' || - ch == ',' || ch == ';' || ch == ':' || ch == '\\' || ch == '"' || - ch == '/' || ch == '[' || ch == ']' || ch == '?' || ch == '='; + return ch == '"'; else return ch == '(' || ch == ')' || ch == '<' || ch == '>' || ch == '@' || ch == ',' || ch == ';' || ch == ':' || ch == '\\' || ch == '"' || @@ -272,7 +270,11 @@ int MIME_is_token_char (char ch, bool is_boundary = false) int MIME_get_token(int len, const char* data, data_chunk_t* token, bool is_boundary) { - int i = MIME_skip_lws_comments(len, data); + int i = 0; + + if ( !is_boundary ) + i = MIME_skip_lws_comments(len, data); + while ( i < len ) { int j; @@ -366,7 +368,9 @@ int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str) int MIME_get_value(int len, const char* data, BroString*& buf, bool is_boundary) { - int offset = MIME_skip_lws_comments(len, data); + int offset = 0; + if ( !is_boundary ) // for boundaries, simply accept everything... + offset = MIME_skip_lws_comments(len, data); len -= offset; data += offset; @@ -876,6 +880,12 @@ int MIME_Entity::ParseFieldParameters(int len, const char* data) // token or quoted-string (and some lenience for characters // not explicitly allowed by the RFC, but encountered in the wild) offset = MIME_get_value(len, data, val, true); + if ( !val ) + { + IllegalFormat("Could not parse multipart boundary"); + continue; + } + data_chunk_t vd = get_data_chunk(val); multipart_boundary = new BroString((const u_char*)vd.data, vd.length, 1); From d88e6b3f1a95d86e63b478b2939ef6bff8ae8ea9 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 29 Aug 2015 11:42:31 -0700 Subject: [PATCH 30/93] Updating CHANGES and VERSION. --- CHANGES | 7 +++++++ VERSION | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 1055a270bb..ba487e115c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.4-103 | 2015-08-29 10:51:55 -0700 + + * Make ASN.1 date/time parsing more robust. (Johanna Amann) + + * Be more permissive on what characters we accept as an unquoted + multipart boundary. Addresses BIT-1459. (Johanna Amann) + 2.4-99 | 2015-08-25 07:56:57 -0700 * Add ``Q`` and update ``I`` documentation for connection history diff --git a/VERSION b/VERSION index 2748777ff1..29307c8aaa 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-99 +2.4-103 From 587fac59247ee7dc8a6f75d5f54428698948480e Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Sun, 30 Aug 2015 17:21:42 -0500 Subject: [PATCH 31/93] Fix initialization of a pointer in RDP analyzer A pointer to the end of a buffer was incorrectly being initialized to a value beyond the end of the buffer. --- src/analyzer/protocol/rdp/rdp-analyzer.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac index a70d55fb7b..0f32c8fe40 100644 --- a/src/analyzer/protocol/rdp/rdp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac @@ -21,7 +21,7 @@ refine flow RDP_Flow += { resultstring.resize(utf8size, '\0'); const UTF16* sourcestart = reinterpret_cast(utf16.begin()); - const UTF16* sourceend = sourcestart + widesize; + const UTF16* sourceend = reinterpret_cast(utf16.end()); UTF8* targetstart = reinterpret_cast(&resultstring[0]); UTF8* targetend = targetstart + utf8size; From 1b9ee38e6933fbaf1db5822ab0e3088e41435c49 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 30 Aug 2015 18:49:05 -0700 Subject: [PATCH 32/93] Fix potential crash TCP headers were captured incompletely. Test case provided by Jonathan Ganz. BIT-1425 #close --- src/analyzer/protocol/tcp/TCP.cc | 2 +- .../Baseline/core.tcp.truncated-header/out | 23 ++++++++++++++++++ .../btest/Traces/tcp/truncated-header.pcap | Bin 0 -> 1722 bytes testing/btest/core/tcp/truncated-header.bro | 9 +++++++ 4 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/core.tcp.truncated-header/out create mode 100644 testing/btest/Traces/tcp/truncated-header.pcap create mode 100644 testing/btest/core/tcp/truncated-header.bro diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index 72cad8a05c..258fdfcf58 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -442,7 +442,7 @@ const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data, } if ( tcp_hdr_len > uint32(len) || - sizeof(struct tcphdr) > uint32(caplen) ) + tcp_hdr_len > uint32(caplen) ) { // This can happen even with the above test, due to TCP // options. diff --git a/testing/btest/Baseline/core.tcp.truncated-header/out b/testing/btest/Baseline/core.tcp.truncated-header/out new file mode 100644 index 0000000000..df112791b4 --- /dev/null +++ b/testing/btest/Baseline/core.tcp.truncated-header/out @@ -0,0 +1,23 @@ +1103139821.635001, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139821.833528, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139821.841126, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.039902, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.040151, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.040254, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.040878, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.240529, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.240632, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.247627, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.450278, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.450381, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.453253, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.65178, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.651883, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.652756, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.882264, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.933982, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.934084, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.934209, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139822.934214, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139823.145731, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] +1103139823.145958, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] diff --git a/testing/btest/Traces/tcp/truncated-header.pcap b/testing/btest/Traces/tcp/truncated-header.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b7a6817f1f399d5cd159ce2c9a07c65110dfab74 GIT binary patch literal 1722 zcmaKsZ%9*77>AE@&5f2!3Eix4lGLJ8(7=lPw(+#?UW6->$g zy>`Q!IC%Wd;i78~Gz>qNz%%=MZC2O2#+BE1Je^asJ&YCP`2@C2rTy}1u(P-^J}u;T zF+*YMX%GCE-FlHSc6FRFg>uCsr9!QSuK&tmK!C>>`Zl6(9X9{V&?^#MbxE?*^|lV?gyf@@_f$K zPNI+dj>N};KB9iw*ipyWJh*sV>_09U7Ieux&vEHNm!m^OnYclea&VCq31@SV^16jf z(F5fsQ3^X3U1STJJ`G}#b&aH`2Z{osZd%=Of++o6L{Y%G$tXV?o+D+bluLnKoJ~Y& zyB8nX3@c|J)|KnPjtMZLjTv!5uzD201xOmTDQk~_QH#Zq6G>M)DCsTpSr zQ4YK$mt(w>K6GjrDI;IG6f80jWyYh56jkwxN;ZDRqIK_=7dgyO)Qv?)f(bf>h~oZ5E@ix;UHNTD31@LBSagXfRgP7$ zi%cbtvFJ~_q^Md5RVIi!IHL}t)Ch^ODcR~ir0iVJrQk_lAj;?xihP&LJy>)}6B literal 0 HcmV?d00001 diff --git a/testing/btest/core/tcp/truncated-header.bro b/testing/btest/core/tcp/truncated-header.bro new file mode 100644 index 0000000000..f3ae369b2e --- /dev/null +++ b/testing/btest/core/tcp/truncated-header.bro @@ -0,0 +1,9 @@ +# @TEST-EXEC: bro -b -r $TRACES/tcp/truncated-header.pcap %INPUT >out +# @TEST-EXEC: btest-diff out + +event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string) + { + # Just having this handler used to crash Bro on this trace. + print network_time(), c$id; + } + From 710409507c9f0f6b9639c2b4e85c11c5ba8bfbba Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 31 Aug 2015 10:55:29 -0700 Subject: [PATCH 33/93] Fix FreeBSD build errors --- CHANGES | 4 ++++ VERSION | 2 +- src/analyzer/protocol/rdp/rdp-analyzer.pac | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 187c0b0ecc..1c8acb87d3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ + +2.4-118 | 2015-08-31 10:55:29 -0700 + + * Fix FreeBSD build errors (Johanna Amann) 2.4-117 | 2015-08-30 22:16:24 -0700 diff --git a/VERSION b/VERSION index eb8f6706b2..81b37427ab 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-117 +2.4-118 diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac index c70f87460e..fdfb8c44fc 100644 --- a/src/analyzer/protocol/rdp/rdp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac @@ -25,9 +25,9 @@ refine flow RDP_Flow += { UTF16 utf16_copy[utf16.length()]; // Twice as much memory than necessary. memcpy(utf16_copy, utf16.begin(), utf16.length()); - char* utf16_copy_end = reinterpret_cast(utf16_copy) + utf16.length(); + const char* utf16_copy_end = reinterpret_cast(utf16_copy) + utf16.length(); const UTF16* sourcestart = utf16_copy; - const UTF16* sourceend = reinterpret_cast(utf16_copy_end); + const UTF16* sourceend = reinterpret_cast(utf16_copy_end); UTF8* targetstart = reinterpret_cast(&resultstring[0]); UTF8* targetend = targetstart + utf8size; From fd6f9e470faee85d7e1158c6da8c578aa440837e Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 31 Aug 2015 12:58:25 -0700 Subject: [PATCH 34/93] Add a number of out_of_bound checks to Packet.cc Mostly this verifies that we actually have the full headers that we are trying to read in a packet. Addresses BIT-1463 --- src/iosource/Packet.cc | 40 +++++++++++++++++- testing/btest/Baseline/core.truncation/output | 26 ++++++++---- testing/btest/Traces/trunc/trunc-hdr.pcap | Bin 0 -> 6435 bytes testing/btest/core/truncation.test | 6 +++ 4 files changed, 62 insertions(+), 10 deletions(-) create mode 100644 testing/btest/Traces/trunc/trunc-hdr.pcap diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index d40941095a..9c2c70454c 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -47,6 +47,12 @@ void Packet::Init(int arg_link_type, struct timeval *arg_ts, uint32 arg_caplen, l2_valid = false; + if ( data && cap_len < hdr_size ) + { + Weird("truncated_header"); + return; + } + if ( data ) ProcessLayer2(); } @@ -94,12 +100,14 @@ void Packet::ProcessLayer2() bool have_mpls = false; const u_char* pdata = data; + unsigned int remaining = cap_len; switch ( link_type ) { case DLT_NULL: { int protocol = (pdata[3] << 24) + (pdata[2] << 16) + (pdata[1] << 8) + pdata[0]; pdata += GetLinkHeaderSize(link_type); + remaining -= GetLinkHeaderSize(link_type); // From the Wireshark Wiki: "AF_INET6, unfortunately, has // different values in {NetBSD,OpenBSD,BSD/OS}, @@ -127,6 +135,7 @@ void Packet::ProcessLayer2() // Get protocol being carried from the ethernet frame. int protocol = (pdata[12] << 8) + pdata[13]; pdata += GetLinkHeaderSize(link_type); + remaining -= GetLinkHeaderSize(link_type); eth_type = protocol; switch ( protocol ) @@ -140,9 +149,15 @@ void Packet::ProcessLayer2() // 802.1q / 802.1ad case 0x8100: case 0x9100: + if ( remaining < 4 ) + { + Weird("truncated_header"); + return; + } vlan = ((pdata[0] << 8) + pdata[1]) & 0xfff; protocol = ((pdata[2] << 8) + pdata[3]); pdata += 4; // Skip the vlan header + remaining -= 4; // Check for MPLS in VLAN. if ( protocol == 0x8847 ) @@ -154,9 +169,15 @@ void Packet::ProcessLayer2() // Check for double-tagged (802.1ad) if ( protocol == 0x8100 || protocol == 0x9100 ) { + if ( remaining < 4 ) + { + Weird("truncated_header"); + return; + } inner_vlan = ((pdata[0] << 8) + pdata[1]) & 0xfff; protocol = ((pdata[2] << 8) + pdata[3]); pdata += 4; // Skip the vlan header + remaining -= 4; } eth_type = protocol; @@ -166,6 +187,7 @@ void Packet::ProcessLayer2() case 0x8864: protocol = (pdata[6] << 8) + pdata[7]; pdata += 8; // Skip the PPPoE session and PPP header + remaining -= 8; if ( protocol == 0x0021 ) l3_proto = L3_IPV4; @@ -206,6 +228,7 @@ void Packet::ProcessLayer2() // Get PPP protocol. int protocol = (pdata[2] << 8) + pdata[3]; pdata += GetLinkHeaderSize(link_type); + remaining -= GetLinkHeaderSize(link_type); if ( protocol == 0x0281 ) { @@ -230,6 +253,12 @@ void Packet::ProcessLayer2() { // Assume we're pointing at IP. Just figure out which version. pdata += GetLinkHeaderSize(link_type); + if ( remaining < sizeof(struct ip) ) + { + Weird("truncated_header"); + return; + } + const struct ip* ip = (const struct ip *)pdata; if ( ip->ip_v == 4 ) @@ -254,8 +283,14 @@ void Packet::ProcessLayer2() while ( ! end_of_stack ) { + if ( remaining < 4 ) + { + Weird("truncated_header"); + return; + } end_of_stack = *(pdata + 2) & 0x01; pdata += 4; + remaining -= 4; if ( pdata >= pdata + cap_len ) { @@ -288,12 +323,13 @@ void Packet::ProcessLayer2() else if ( encap_hdr_size ) { // Blanket encapsulation. We assume that what remains is IP. - pdata += encap_hdr_size; - if ( pdata + sizeof(struct ip) >= data + cap_len ) + if ( pdata + encap_hdr_size + sizeof(struct ip) >= data + cap_len ) { Weird("no_ip_left_after_encap"); return; } + pdata += encap_hdr_size; + remaining -= encap_hdr_size; const struct ip* ip = (const struct ip *)pdata; diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output index 9243c2f873..46d3eecceb 100644 --- a/testing/btest/Baseline/core.truncation/output +++ b/testing/btest/Baseline/core.truncation/output @@ -3,38 +3,48 @@ #empty_field (empty) #unset_field - #path weird -#open 2012-04-11-16-01-35 +#open 2015-08-31-19-57-29 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334160095.895421 - - - - - truncated_IP - F bro -#close 2012-04-11-16-01-35 +#close 2015-08-31-19-57-29 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2012-04-11-14-57-21 +#open 2015-08-31-19-57-30 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334156241.519125 - - - - - truncated_IP - F bro -#close 2012-04-11-14-57-21 +#close 2015-08-31-19-57-30 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2012-04-10-21-50-48 +#open 2015-08-31-19-57-31 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334094648.590126 - - - - - truncated_IP - F bro -#close 2012-04-10-21-50-48 +#close 2015-08-31-19-57-31 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2012-05-29-22-02-34 +#open 2015-08-31-19-57-32 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1338328954.078361 - - - - - internally_truncated_header - F bro -#close 2012-05-29-22-02-34 +#close 2015-08-31-19-57-32 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2015-08-31-19-57-33 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +0.000000 - - - - - truncated_header - F bro +#close 2015-08-31-19-57-33 diff --git a/testing/btest/Traces/trunc/trunc-hdr.pcap b/testing/btest/Traces/trunc/trunc-hdr.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0ab12ee6c78e1c88093333c6638359514c28c750 GIT binary patch literal 6435 zcma)A2|Scr8$a)Cw!tu#QDo3XA@59fEo4_BBDA^;BO(mh3S&)*N=0Q!De5Z9(kIpQ zMX8&*A(fJHtJ|d_NvrES?~Ex+b-(lbo!{?$&wJkg^PJ~-&a<^&K79xW2tYUx_<+s5 z2dmr^KS+V4@EMyxGvlxANo90@``dn^zy<&dWp4{$K>~nRMi@{U&?H0Uy`HkP}%lL>0@cYW|9t?Gi zUm`?RccEAScBX)@XAngLiU6CFQ4o0@_3xo%3Q%YkAaET33U~y(fPX*5BlVZM8a`f= z91!!2)tX~_89CtX>tLL`HuuPX%;=>m3Q&%0o*Yk{r_PfGroaSbfOMWTj|dDw3Qv|N z%2Vb|2MU17ljPxnIFHH`j)NSz0trCC0|W=efdK@O0+K)pu8{!^ZWf266#3gl;E(bUga|>X z&>nCQKpIdWmnFr-?0f*NuQuf?UqXx;PV6Hz5Yw|jBb+O zna7s<@4$o(RXONF0q;e%lvaxb<0 zWcJ)Ur_^nllL2kSq=nTU9BMCXl|4XR$qnX{LRkXs*g_jzghz&I6?2s8R*ID^(FnYA zdL(%3>!lV49#^`Bkp_L6-pYgko(urfMiD517vf`r69_KBl;|CXg;o=@Ase zn`jOz#E<1i_wWf0^z-2ahKA7HSm9BuaJrQxIzv$s{%3%iqWs|vUyV=$29v?W-n~&S zBEe8Wr(?L%WI31cz$hOMi|!mA;1d!U%LijnQ5j;N4hbP3T;o~r+6npgk{DZ@2MJ(OXxm$E2T@+{s? zzmJ?9Ivu?CtQ~RBV)=Dx|AgMJ9_)7rQGLC2M(!<{UUOH5@)r-I->ZWT;EG(;cHXpg z4AeXoSKFX(WWSv4EH#+(?8=?j`)k^+47;okS~cRo@b;}O3dLL#86bUarJpBf$(s@U zn(}RORoVUioPuh?Z5IzwDe)4c3yGk;JBxR@aIzS~%$1ki%TuVw8)s zLsg;hR5S=QR3TArew#~aM{&jLw~p(?S#4_VA3k(Qqbk@2DS`q)jthd_zN^ zv2w_p4%Ch_dSWN8ekC^3O1i?OoF%&j`4VA)(N+ZZ9fq=&miv>*lLQp{ENTSeA zi9``R^7RQ9|MM}2&Eae`)7SS651u=Y+0YI85o{l(9xF;O0^TsoaJ>M=9JmKHC}tL; zY2*GH9Zdw^4nE;8*4MulVJy=L=J0YFlf>4g*&}Hq!8in+jcN-y#UTpH7%vf!8NNT@ zj6=0@aYK{RN5+naAcS}{7M&^l6-Cl$W5)>fjo3Kh7^v&lT_S0=!o&Jto+e_#Mt$Mc z!CZ~d(|mI@0zYGA35CGnUsM$;rU4uZCb>O47xVJ6y5qh4x8SclWy~5|=_`xt5JrsP ze_)b=02|er=l+&^zIoP_pwFDyp?A9Ko;(~`NSYPz#A5ai`%#v*7C$|y(NK#jSA!3k zE%+0OcXY0*A2e(T^6gOB)8khZDY9*eyIB7h^#!MBgr}%@(Kcr* zZcJ^TSya63o_kYI{vQv)FF~`D9ktgyIH^p2iep=6>_cZ5cFzCp)NhQ8H@z<=hq&Vx z0@wHN<7PI3#K;@koEhA5MIIk>metgS_cV8>d2q!+{87}SD%3+!9{MhywLL*9$&=K922XUP!YIVgkN8mt^OQnIIUyEp>nlrh zbD=DJhhDTtt1mT%g+*pWycIx*Z`b`;dQB!G3Xo*74mAf0(`^ zS5|`bHv!sdsaZRGI~%GjOnTbhy(}ft&dy)Zl&{EqNz3~5hJ4gdE%kR1ib17ohK?%x zKxqwrc^Zk!u-DbH4uf^TV99s|dkb82t z>FZDS-u3IqbAK^%YMM*%@&=i~5ywHwxdf@9I~R5+Y?XDt$MZ3GJ^WDbWn=m;Y1{9q zJ*{*iZ+&R0sn|7qH#hYjL2Y9}Xz1vwdXpzMzk96E-l8mNx#D=;S*>$bPe0A>SJQ}` zR-tzw%`ofWrkaR~d%1c~-;xVnUt0R>7DZlIq3)wMA1T^ObI061;s67o4JwOyEB^IH zMqyToIo#zVLWhf_{foneS;rHyL-pMGjFMpTtxjV?khiWd~mOEVKXtMFi901#wH zUpFG+lk=NWjPW;_HO>2zraA6fYHqtf^`GRDkA+!>Z%D2=GyfJLI$KUIj(PAZ zIJ&B_=8*e#Zx8kn^^NnA!tNK8*_aPK8!lPabv5qS7olWM-`P%*=;Mp&k})nja}LnV zcVdx19!7!$ykL%%fy^HaQ>+BViaC5(OCweXNVrX`1ClcN5rPKZjp_m5rS-;8n|eZX z%boYJFjGgm6@b(On7-VFM%*TjfMPCk13osB!~|IZ3gadh`43#GL6ZtgVAAqE?b4)~ zFp))#=Ax*Hp#hdSN1$P-11e@q)RDr&x&jd79EQ$k(k@1k@|qr5=&{Yi)<1ooHXh9a z2s5OqRYD?|LZMh@Y{?iMS3f|rLBQ=I%HGVti0L*sxeSZc{;u6i<(dQT62=v{UrW;s zQM#{78>^3su(M-Dy3bZCZTP%{x^Tg@FOM#rGZF2Z{Yqwpdv6x+=1%YFrexKqdF-1m z39VO4XsI&>0v;at@L<38mLX}^8+%g*$S+ObzCG3{6@9VnpPmy63i5GAg@ax3FSq2+ zJ+*2m_nxO!`bxXNBLRJH88Z5hQT}Vyub4w&Xzw9{JpGMC)x8mJtH0I>G1G|;$j%I1{IzPu|+CYcqObPeZTzNf? zQ@OcnMMQjEoPtxH!JS-Lr^`=A2Atpdp7pM85=*_A@HqEm$MJ&+Vejs~vcBjVLg!TM zGO;}`n*J($*6$jrcEOE@Hh%uS$05q?*=b(a+8{@9XPG?bqMKHr>`BwY0F$M5Lv}A; zi|?T2G|xXb=jFLr^Q-gM^i1sD5$uh1l8m9|Ii%pxzB4}A-|N=n*~87PtK zjEZ8eEb5NcTbaUi*q75EbeZK=e?;3F^eHBLuKAZb*v|G=&4tGSbn32*Itc}nrH{l~ zVv4Yi1wm@80$&Vorjqcg1;JBU;4fv;PhWxi&<~Yuop_DZOLK z{epyByC_Z{BfPZFyWKEbtt?tloo)VEtn4;^G^}}*$qVb>=(iON)ZX=XnV=EShx*s*}u7&dRQ{O*MtFj<;~0U!rUPHawYl_8{-Cd?N~o(Do_ zsK)P=rL;ZJ3=ejJ&hUJ--~h+rL5{-ASr-)lQNB`tQzYeH`ohphhHD7h?#El_*3_n) zNl=e*oWCdEX*bUALs4wSJi@0hNl2&Sv5SY(%?^zodoE(fx(a&b3(Zzt4BO{H&&fJ| zLm{zX!L8f>jf3OMih}$7J*>FV{`}b`t%bR7@5D+RwKwg5P+NNYL(CzA>&cru+Whxe zfJHl|v+ss)>v=n%ZS=S1$E~_6v&D2%Ru|{s;%~R_ZYtikx+h|vP*56RrdFZ)HHz2f zH(hVmQ&njm*Ou=LH9)eqTvOB;&i?WEvc|neDpGvF50haIl%de7iBl}8&;r^3yZ~6M zQDBc)Gc!E6uPn6++T)-w#idmcfjcxJY)-KxI|k=_mNbR}Es0$YfFl0hgn@u*F@L$Z z*R8t+_O-nWdsG1$U_-6}!cW#TIQi-drfDfTp`ry%(bOu)={8K!mx3^S1SIi>G*50` zY<`4iJ-3&5iDGPS6p+Ncxx3u|M90<(ylZ7a_xxT-ghUUxcSqw)Zb;ZW-r!tisBH=&rBjz|^x?wOr+&C2@2@gE!4scoq)4v+{U^ z0!}|#w^OF!z1JhD*4__)4}B>eKIi5bfDwp+1je-;u~uQ0Fhu~`EzNuac@u?|=E^4^ z1Ku^1VLHSHhSd$Rgyu0tvD&9+Pgbl2W*%4tWDL#Yz0f?Kb`hTc7)9E4G78_wFcepa z^0kiY`zbHa2F6fICYb8asiIce8*4}q)C%i%D=1psBu?I l1ygB_)g+a=VM=s?&P`$!_Jj=#OZjJ5+FCRCSd0E0>wgL>%KZQU literal 0 HcmV?d00001 diff --git a/testing/btest/core/truncation.test b/testing/btest/core/truncation.test index 3406879183..c0e4ee857a 100644 --- a/testing/btest/core/truncation.test +++ b/testing/btest/core/truncation.test @@ -19,4 +19,10 @@ # @TEST-EXEC: bro -r $TRACES/trunc/icmp-header-trunc.pcap # @TEST-EXEC: cat weird.log >> output + +# Truncated packets where the captured length is less than the length required +# for the packet header should also raise a Weird +# @TEST-EXEC: bro -r $TRACES/trunc/trunc-hdr.pcap +# @TEST-EXEC: cat weird.log >> output + # @TEST-EXEC: btest-diff output From 8763e1a485e89c89ce17097d4b17ecb9c2bf1317 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 31 Aug 2015 13:45:00 -0700 Subject: [PATCH 35/93] Refactor oob tests using different approach. --- src/iosource/Packet.cc | 29 ++++++++++++++++------------- src/iosource/Packet.h | 1 + 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 9c2c70454c..3aafe679e6 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -38,6 +38,8 @@ void Packet::Init(int arg_link_type, struct timeval *arg_ts, uint32 arg_caplen, else data = arg_data; + end_of_data = data + cap_len; + time = ts.tv_sec + double(ts.tv_usec) / 1e6; hdr_size = GetLinkHeaderSize(arg_link_type); l3_proto = L3_UNKNOWN; @@ -100,14 +102,12 @@ void Packet::ProcessLayer2() bool have_mpls = false; const u_char* pdata = data; - unsigned int remaining = cap_len; switch ( link_type ) { case DLT_NULL: { int protocol = (pdata[3] << 24) + (pdata[2] << 16) + (pdata[1] << 8) + pdata[0]; pdata += GetLinkHeaderSize(link_type); - remaining -= GetLinkHeaderSize(link_type); // From the Wireshark Wiki: "AF_INET6, unfortunately, has // different values in {NetBSD,OpenBSD,BSD/OS}, @@ -135,7 +135,6 @@ void Packet::ProcessLayer2() // Get protocol being carried from the ethernet frame. int protocol = (pdata[12] << 8) + pdata[13]; pdata += GetLinkHeaderSize(link_type); - remaining -= GetLinkHeaderSize(link_type); eth_type = protocol; switch ( protocol ) @@ -149,7 +148,7 @@ void Packet::ProcessLayer2() // 802.1q / 802.1ad case 0x8100: case 0x9100: - if ( remaining < 4 ) + if ( pdata + 4 >= end_of_data ) { Weird("truncated_header"); return; @@ -157,7 +156,6 @@ void Packet::ProcessLayer2() vlan = ((pdata[0] << 8) + pdata[1]) & 0xfff; protocol = ((pdata[2] << 8) + pdata[3]); pdata += 4; // Skip the vlan header - remaining -= 4; // Check for MPLS in VLAN. if ( protocol == 0x8847 ) @@ -169,7 +167,7 @@ void Packet::ProcessLayer2() // Check for double-tagged (802.1ad) if ( protocol == 0x8100 || protocol == 0x9100 ) { - if ( remaining < 4 ) + if ( pdata + 4 >= end_of_data ) { Weird("truncated_header"); return; @@ -177,7 +175,6 @@ void Packet::ProcessLayer2() inner_vlan = ((pdata[0] << 8) + pdata[1]) & 0xfff; protocol = ((pdata[2] << 8) + pdata[3]); pdata += 4; // Skip the vlan header - remaining -= 4; } eth_type = protocol; @@ -185,9 +182,13 @@ void Packet::ProcessLayer2() // PPPoE carried over the ethernet frame. case 0x8864: + if ( pdata + 8 >= end_of_data ) + { + Weird("truncated_header"); + return; + } protocol = (pdata[6] << 8) + pdata[7]; pdata += 8; // Skip the PPPoE session and PPP header - remaining -= 8; if ( protocol == 0x0021 ) l3_proto = L3_IPV4; @@ -226,9 +227,13 @@ void Packet::ProcessLayer2() case DLT_PPP_SERIAL: { // Get PPP protocol. + if ( pdata + 4 >= end_of_data ) + { + Weird("truncated_header"); + return; + } int protocol = (pdata[2] << 8) + pdata[3]; pdata += GetLinkHeaderSize(link_type); - remaining -= GetLinkHeaderSize(link_type); if ( protocol == 0x0281 ) { @@ -253,7 +258,7 @@ void Packet::ProcessLayer2() { // Assume we're pointing at IP. Just figure out which version. pdata += GetLinkHeaderSize(link_type); - if ( remaining < sizeof(struct ip) ) + if ( pdata + sizeof(struct ip) >= end_of_data ) { Weird("truncated_header"); return; @@ -283,14 +288,13 @@ void Packet::ProcessLayer2() while ( ! end_of_stack ) { - if ( remaining < 4 ) + if ( pdata + 4 >= end_of_data ) { Weird("truncated_header"); return; } end_of_stack = *(pdata + 2) & 0x01; pdata += 4; - remaining -= 4; if ( pdata >= pdata + cap_len ) { @@ -329,7 +333,6 @@ void Packet::ProcessLayer2() return; } pdata += encap_hdr_size; - remaining -= encap_hdr_size; const struct ip* ip = (const struct ip *)pdata; diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index a96f14ebdd..1a1675c659 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -151,6 +151,7 @@ public: double time; /// Timestamp reconstituted as float struct timeval ts; /// Capture timestamp const u_char* data; /// Packet data. + const u_char* end_of_data; /// Pointer to byte after the end of data uint32 len; /// Actual length on wire uint32 cap_len; /// Captured packet length uint32 link_type; /// pcap link_type (DLT_EN10MB, DLT_RAW, etc) From 16e12cab0245943f9427aa0dc6e848fa098761b4 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 31 Aug 2015 14:39:41 -0700 Subject: [PATCH 36/93] Fixing errors in 2.4 release notes. --- CHANGES | 16 ++++++++++++---- NEWS | 4 ++-- VERSION | 2 +- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 1c8acb87d3..7d6c04035e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,15 @@ - -2.4-118 | 2015-08-31 10:55:29 -0700 - - * Fix FreeBSD build errors (Johanna Amann) + +2.4-122 | 2015-08-31 14:39:41 -0700 + + * Add a number of out-of-bound checks to layer 2 code. Addresses + BIT-1463 (Johanna Amann) + + * Fix error in 2.4 release notes regarding SSH events. (Robin + Sommer) + +2.4-118 | 2015-08-31 10:55:29 -0700 + + * Fix FreeBSD build errors (Johanna Amann) 2.4-117 | 2015-08-30 22:16:24 -0700 diff --git a/NEWS b/NEWS index e3c97f68f0..0ef4c4bbe5 100644 --- a/NEWS +++ b/NEWS @@ -225,8 +225,8 @@ Changed Functionality - The SSH changes come with a few incompatibilities. The following events have been renamed: - * ``SSH::heuristic_failed_login`` to ``SSH::ssh_auth_failed`` - * ``SSH::heuristic_successful_login`` to ``SSH::ssh_auth_successful`` + * ``SSH::heuristic_failed_login`` to ``ssh_auth_failed`` + * ``SSH::heuristic_successful_login`` to ``ssh_auth_successful`` The ``SSH::Info`` status field has been removed and replaced with the ``auth_success`` field. This field has been changed from a diff --git a/VERSION b/VERSION index 81b37427ab..4365e48ae5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4-118 +2.4-122 From be89bcd1156d3959bae89be65d820f40cc445c11 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 31 Aug 2015 14:44:12 -0700 Subject: [PATCH 37/93] Fixing line endings in CHANGES. No content change. --- CHANGES | 29962 +++++++++++++++++++++++++++--------------------------- 1 file changed, 14981 insertions(+), 14981 deletions(-) diff --git a/CHANGES b/CHANGES index 7d6c04035e..42ac97e455 100644 --- a/CHANGES +++ b/CHANGES @@ -1,14981 +1,14981 @@ - -2.4-122 | 2015-08-31 14:39:41 -0700 - - * Add a number of out-of-bound checks to layer 2 code. Addresses - BIT-1463 (Johanna Amann) - - * Fix error in 2.4 release notes regarding SSH events. (Robin - Sommer) - -2.4-118 | 2015-08-31 10:55:29 -0700 - - * Fix FreeBSD build errors (Johanna Amann) - -2.4-117 | 2015-08-30 22:16:24 -0700 - - * Fix initialization of a pointer in RDP analyzer. (Daniel - Thayer/Robin Sommer) - -2.4-115 | 2015-08-30 21:57:35 -0700 - - * Enable Bro to leverage packet fanout mode on Linux. (Kris - Nielander). - - ## Toggle whether to do packet fanout (Linux-only). - const Pcap::packet_fanout_enable = F &redef; - - ## If packet fanout is enabled, the id to sue for it. This should be shared amongst - ## worker processes processing the same socket. - const Pcap::packet_fanout_id = 0 &redef; - - ## If packet fanout is enabled, whether packets are to be defragmented before - ## fanout is applied. - const Pcap::packet_fanout_defrag = T &redef; - - * Allow libpcap buffer size to be set via configuration. (Kris Nielander) - - ## Number of Mbytes to provide as buffer space when capturing from live - ## interfaces. - const Pcap::bufsize = 128 &redef; - - * Move the pcap-related script-level identifiers into the new Pcap - namespace. (Robin Sommer) - - snaplen -> Pcap::snaplen - precompile_pcap_filter() -> Pcap::precompile_pcap_filter() - install_pcap_filter() -> Pcap::install_pcap_filter() - pcap_error() -> Pcap::pcap_error() - - -2.4-108 | 2015-08-30 20:14:31 -0700 - - * Update Base64 decoding. (Jan Grashoefer) - - - A new built-in function, decode_base64_conn() for Base64 - decoding. It works like decode_base64() but receives an - additional connection argument that will be used for - reporting decoding errors into weird.log (instead of - reporter.log). - - - FTP, POP3, and HTTP analyzers now likewise log Base64 - decoding errors to weird.log. - - - The built-in functions decode_base64_custom() and - encode_base64_custom() are now deprecated. Their - functionality is provided directly by decode_base64() and - encode_base64(), which take an optional parameter to change - the Base64 alphabet. - - * Fix potential crash if TCP header was captured incompletely. - (Robin Sommer) - -2.4-103 | 2015-08-29 10:51:55 -0700 - - * Make ASN.1 date/time parsing more robust. (Johanna Amann) - - * Be more permissive on what characters we accept as an unquoted - multipart boundary. Addresses BIT-1459. (Johanna Amann) - -2.4-99 | 2015-08-25 07:56:57 -0700 - - * Add ``Q`` and update ``I`` documentation for connection history - field. Addresses BIT-1466. (Vlad Grigorescu) - -2.4-96 | 2015-08-21 17:37:56 -0700 - - * Update SIP analyzer. (balintm) - - - Allows space on both sides of ':'. - - Require CR/LF after request/reply line. - -2.4-94 | 2015-08-21 17:31:32 -0700 - - * Add file type detection support for video/MP2T. (Mike Freemon) - -2.4-93 | 2015-08-21 17:23:39 -0700 - - * Make plugin install honor DESTDIR= convention. (Jeff Barber) - -2.4-89 | 2015-08-18 07:53:36 -0700 - - * Fix diff-canonifier-external to use basename of input file. - (Daniel Thayer) - -2.4-87 | 2015-08-14 08:34:41 -0700 - - * Removing the yielding_teredo_decapsulation option. (Robin Sommer) - -2.4-86 | 2015-08-12 17:02:24 -0700 - - * Make Teredo DPD signature more precise. (Martina Balint) - -2.4-84 | 2015-08-10 14:44:39 -0700 - - * Add hook 'HookSetupAnalyzerTree' to allow plugins access to a - connection's initial analyzer tree for customization. (James - Swaro) - - * Plugins now look for a file "__preload__.bro" in the top-level - script directory. If found, they load it first, before any scripts - defining BiF elements. This can be used to define types that the - BiFs already depend on (like a custom type for an event argument). - (Robin Sommer) - -2.4-81 | 2015-08-08 07:38:42 -0700 - - * Fix a test that is failing very frequently. (Daniel Thayer) - -2.4-78 | 2015-08-06 22:25:19 -0400 - - * Remove build dependency on Perl (now requiring Python instad). - (Daniel Thayer) - - * CID 1314754: Fixing unreachable code in RSH analyzer. (Robin - Sommer) - - * CID 1312752: Add comment to mark 'case' fallthrough as ok. (Robin - Sommer) - - * CID 1312751: Removing redundant assignment. (Robin Sommer) - -2.4-73 | 2015-07-31 08:53:49 -0700 - - * BIT-1429: SMTP logs now include CC: addresses. (Albert Zaharovits) - -2.4-70 | 2015-07-30 07:23:44 -0700 - - * Updated detection of Flash and AdobeAIR. (Jan Grashoefer) - - * Adding tests for Flash version parsing and browser plugin - detection. (Robin Sommer) - -2.4-63 | 2015-07-28 12:26:37 -0700 - - * Updating submodule(s). - -2.4-61 | 2015-07-28 12:13:39 -0700 - - * Renaming config.h to bro-config.h. (Robin Sommer) - -2.4-58 | 2015-07-24 15:06:07 -0700 - - * Add script protocols/conn/vlan-logging.bro to record VLAN data in - conn.log. (Aaron Brown) - - * Add field "vlan" and "inner_vlan" to connection record. (Aaron - Brown) - - * Save the inner vlan in the Packet object for Q-in-Q setups. (Aaron - Brown) - - * Increasing plugin API version for recent packet source changes. - (Robin Sommer) - - * Slightly earlier protocol confirmation for POP3. (Johanna Amann) - -2.4-46 | 2015-07-22 10:56:40 -0500 - - * Fix broker python bindings install location to track --prefix. - (Jon Siwek) - -2.4-45 | 2015-07-21 15:19:43 -0700 - - * Enabling Broker by default. This means CAF is now a required - dependency, altjough for now at least, there's still a switch - --disable-broker to turn it off. - - * Requiring a C++11 compiler, and turning on C++11 support. (Robin - Sommer) - - * Tweaking the listing of hooks in "bro -NN" for consistency. (Robin - Sommer) - -2.4-41 | 2015-07-21 08:35:17 -0700 - - * Fixing compiler warning. (Robin Sommer) - - * Updates to IANA TLS registry. (Johanna Amann) - -2.4-38 | 2015-07-20 15:30:35 -0700 - - * Refactor code to use a common Packet type throught. (Jeff - Barber/Robin Sommer) - - * Extend parsing layer 2 and keeping track of layer 3 protoco. (Jeff Barber) - - * Add a raw_packet() event that generated for all packets and - include layer 2 information. (Jeff Barber) - -2.4-27 | 2015-07-15 13:31:49 -0700 - - * Fix race condition in intel test. (Johanna Amann) - -2.4-24 | 2015-07-14 08:04:11 -0700 - - * Correct Perl package name on FreeBSD in documentation.(Justin Azoff) - - * Adding an environment variable to BTest configuration for external - scripts. (Robin Sommer) - -2.4-20 | 2015-07-03 10:40:21 -0700 - - * Adding a weird for when truncated packets lead TCP reassembly to - ignore content. (Robin Sommer) - -2.4-19 | 2015-07-03 09:04:54 -0700 - - * A set of tests exercising IP defragmentation and TCP reassembly. - (Robin Sommer) - -2.4-17 | 2015-06-28 13:02:41 -0700 - - * BIT-1314: Add detection for Quantum Insert attacks. The TCP - reassembler can now keep a history of old TCP segments using the - tcp_max_old_segments option. An overlapping segment with different - data will then generate an rexmit_inconsistency event. The default - for tcp_max_old_segments is zero, which disabled any additional - buffering. (Yun Zheng Hu/Robin Sommer) - -2.4-14 | 2015-06-28 12:30:12 -0700 - - * BIT-1400: Allow '<' and '>' in MIME multipart boundaries. The spec - doesn't actually seem to permit these, but they seem to occur in - the wild. (Jon Siwek) - -2.4-12 | 2015-06-28 12:21:11 -0700 - - * BIT-1399: Trying to decompress deflated HTTP content even when - zlib headers are missing. (Seth Hall) - -2.4-10 | 2015-06-25 07:11:17 -0700 - - * Correct a name used in a header identifier (Justin Azoff) - -2.4-8 | 2015-06-24 07:50:50 -0700 - - * Restore the --load-seeds cmd-line option and enable the short - options -G/-H for --load-seeds/--save-seeds. (Daniel Thayer) - -2.4-6 | 2015-06-19 16:26:40 -0700 - - * Generate protocol confirmations for Modbus, making it appear as a - confirmed service in conn.log. (Seth Hall) - - * Put command line options in alphabetical order. (Daniel Thayer) - - * Removing dead code for no longer supported -G switch. (Robin - Sommer) (Robin Sommer) - -2.4 | 2015-06-09 07:30:53 -0700 - - * Release 2.4. - - * Fixing tiny thing in NEWS. (Robin Sommer) - -2.4-beta-42 | 2015-06-08 09:41:39 -0700 - - * Fix reporter errors with GridFTP traffic. (Robin Sommer) - -2.4-beta-40 | 2015-06-06 08:20:52 -0700 - - * PE Analyzer: Change how we calculate the rva_table size. (Vlad Grigorescu) - -2.4-beta-39 | 2015-06-05 09:09:44 -0500 - - * Fix a unit test to check for Broker requirement. (Jon Siwek) - -2.4-beta-38 | 2015-06-04 14:48:37 -0700 - - * Test for Broker termination. (Robin Sommer) - -2.4-beta-37 | 2015-06-04 07:53:52 -0700 - - * BIT-1408: Improve I/O loop and Broker IOSource. (Jon Siwek) - -2.4-beta-34 | 2015-06-02 10:37:22 -0700 - - * Add signature support for F4M files. (Seth Hall) - -2.4-beta-32 | 2015-06-02 09:43:31 -0700 - - * A larger set of documentation updates, fixes, and extentions. - (Daniel Thayer) - -2.4-beta-14 | 2015-06-02 09:16:44 -0700 - - * Add memleak btest for attachments over SMTP. (Vlad Grigorescu) - - * BIT-1410: Fix flipped tx_hosts and rx_hosts in files.log. Reported - by Ali Hadi. (Vlad Grigorescu) - - * Updating the Mozilla root certs. (Seth Hall) - - * Updates for the urls.bro script. Fixes BIT-1404. (Seth Hall) - -2.4-beta-6 | 2015-05-28 13:20:44 -0700 - - * Updating submodule(s). - -2.4-beta-2 | 2015-05-26 08:58:37 -0700 - - * Fix segfault when DNS is not available. Addresses BIT-1387. (Frank - Meier and Robin Sommer) - -2.4-beta | 2015-05-07 21:55:31 -0700 - - * Release 2.4-beta. - - * Update local-compat.test (Johanna Amann) - -2.3-913 | 2015-05-06 09:58:00 -0700 - - * Add /sbin to PATH in btest.cfg and remove duplicate default_path. - (Daniel Thayer) - -2.3-911 | 2015-05-04 09:58:09 -0700 - - * Update usage output and list of command line options. (Daniel - Thayer) - - * Fix to ssh/geo-data.bro for unset directions. (Vlad Grigorescu) - - * Improve SIP logging and remove reporter messages. (Seth Hall) - -2.3-905 | 2015-04-29 17:01:30 -0700 - - * Improve SIP logging and remove reporter messages. (Seth Hall) - -2.3-903 | 2015-04-27 17:27:59 -0700 - - * BIT-1350: Improve record coercion type checking. (Jon Siwek) - -2.3-901 | 2015-04-27 17:25:27 -0700 - - * BIT-1384: Remove -O (optimize scripts) command-line option, which - hadn't been working for a while already. (Jon Siwek) - -2.3-899 | 2015-04-27 17:22:42 -0700 - - * Fix the -J/--set-seed cmd-line option. (Daniel Thayer) - - * Remove unused -l, -L, and -Z cmd-line options. (Daniel Thayer) - -2.3-892 | 2015-04-27 08:22:22 -0700 - - * Fix typos in the Broker BIF documentation. (Daniel Thayer) - - * Update installation instructions and remove outdated references. - (Johanna Amann) - - * Easier support for systems with tcmalloc_minimal installed. (Seth - Hall) - -2.3-884 | 2015-04-23 12:30:15 -0500 - - * Fix some outdated documentation unit tests. (Jon Siwek) - -2.3-883 | 2015-04-23 07:10:36 -0700 - - * Fix -N option to work with builtin plugins as well. (Robin Sommer) - -2.3-882 | 2015-04-23 06:59:40 -0700 - - * Add missing .pac dependencies for some binpac analyzer targets. - (Jon Siwek) - -2.3-879 | 2015-04-22 10:38:07 -0500 - - * Fix compile errors. (Jon Siwek) - -2.3-878 | 2015-04-22 08:21:23 -0700 - - * Fix another compiler warning in DTLS. (Johanna Amann) - -2.3-877 | 2015-04-21 20:14:16 -0700 - - * Adding missing include. (Robin Sommer) - -2.3-876 | 2015-04-21 16:40:10 -0700 - - * Attempt at fixing a potential std::length_error exception in RDP - analyzer. Addresses BIT-1337. (Robin Sommer) - - * Fixing compile problem caused by overeager factorization. (Robin - Sommer) - -2.3-874 | 2015-04-21 16:09:20 -0700 - - * Change details of escaping when logging/printing. (Seth Hall/Robin - Sommer) - - - Log files now escape non-printable characters consistently - as "\xXX'. Furthermore, backslashes are escaped as "\\", - making the representation fully reversible. - - - When escaping via script-level functions (escape_string, - clean), we likewise now escape consistently with "\xXX" and - "\\". - - - There's no "alternative" output style anymore, i.e., fmt() - '%A' qualifier is gone. - - Addresses BIT-1333. - - * Remove several BroString escaping methods that are no longer - useful. (Seth Hall) - -2.3-864 | 2015-04-21 15:24:02 -0700 - - * A SIP protocol analyzer. (Vlad Grigorescu) - - Activity gets logged into sip.log. It generates the following - events: - - event sip_request(c: connection, method: string, original_URI: string, version: string); - event sip_reply(c: connection, version: string, code: count, reason: string); - event sip_header(c: connection, is_orig: bool, name: string, value: string); - event sip_all_headers(c: connection, is_orig: bool, hlist: mime_header_list); - event sip_begin_entity(c: connection, is_orig: bool); - event sip_end_entity(c: connection, is_orig: bool); - - The analyzer support SIP over UDP currently. - - * BIT-1343: Factor common ASN.1 code from RDP, SNMP, and Kerberos - analyzers. (Jon Siwek/Robin Sommer) - -2.3-838 | 2015-04-21 13:40:12 -0700 - - * BIT-1373: Fix vector index assignment reference count bug. (Jon Siwek) - -2.3-836 | 2015-04-21 13:37:31 -0700 - - * Fix SSH direction field being unset. Addresses BIT-1365. (Vlad - Grigorescu) - -2.3-835 | 2015-04-21 16:36:00 -0500 - - * Clarify Broker examples. (Jon Siwek) - -2.3-833 | 2015-04-21 12:38:32 -0700 - - * A Kerberos protocol analyzer. (Vlad Grigorescu) - - Activity gets logged into kerberos.log. It generates the following - events: - - event krb_as_request(c: connection, msg: KRB::KDC_Request); - event krb_as_response(c: connection, msg: KRB::KDC_Response); - event krb_tgs_request(c: connection, msg: KRB::KDC_Request); - event krb_tgs_response(c: connection, msg: KRB::KDC_Response); - event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options); - event krb_priv(c: connection, is_orig: bool); - event krb_safe(c: connection, is_orig: bool, msg: KRB::SAFE_Msg); - event krb_cred(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector); - event krb_error(c: connection, msg: KRB::Error_Msg); - -2.3-793 | 2015-04-20 20:51:00 -0700 - - * Add decoding of PROXY-AUTHORIZATION header to HTTP analyze, - treating it the same as AUTHORIZATION. (Josh Liburdi) - - * Remove deprecated fields "hot" and "addl" from the connection - record. Remove the functions append_addl() and - append_addl_marker(). (Robin Sommer) - - * Removing the NetFlow analyzer, which hasn't been used anymore - since then corresponding command-line option went away. (Robin - Sommer) - -2.3-787 | 2015-04-20 19:15:23 -0700 - - * A file analyzer for Portable Executables. (Vlad Grigorescu/Seth - Hall). - - Activity gets logged into pe.log. It generates the following - events: - - event pe_dos_header(f: fa_file, h: PE::DOSHeader); - event pe_dos_code(f: fa_file, code: string); - event pe_file_header(f: fa_file, h: PE::FileHeader); - event pe_optional_header(f: fa_file, h: PE::OptionalHeader); - event pe_section_header(f: fa_file, h: PE::SectionHeader); - -2.3-741 | 2015-04-20 13:12:39 -0700 - - * API changes to file analysis mime type detection. Removed - "file_mime_type" and "file_mime_types" event, replacing them with - a new event called "file_metadata_inferred". Addresses BIT-1368. - (Jon Siwek) - - * A large series of improvements for file type identification. This - inludes a many signature updates (new types, cleanup, performance - improvments) and splitting out signatures into subfiles. (Seth - Hall) - - * Fix an issue with files having gaps before the bof_buffer is - filled, which could lead to file type identification not working - correctly. (Seth Hall) - - * Fix an issue with packet loss in HTTP file reporting for file type - identification wasn't working correctly zero-length bodies. (Seth - Hall) - - * X.509 certificates are now populating files.log with the mime type - application/pkix-cert. (Seth Hall) - - * Normalized some FILE_ANALYSIS debug messages. (Seth Hall) - -2.3-725 | 2015-04-20 12:54:54 -0700 - - * Updating submodule(s). - -2.3-724 | 2015-04-20 14:11:02 -0500 - - * Fix uninitialized field in raw input reader. (Jon Siwek) - -2.3-722 | 2015-04-20 12:59:03 -0500 - - * Remove unneeded documentation cross-referencing. (Jon Siwek) - -2.3-721 | 2015-04-20 12:47:05 -0500 - - * BIT-1380: Improve Broxygen output of &default expressions. - (Jon Siwek) - -2.3-720 | 2015-04-17 14:18:26 -0700 - - * Updating NEWS. - -2.3-716 | 2015-04-17 13:06:37 -0700 - - * Add seeking functionality to raw reader. One can now add an option - "offset" to the config map. Positive offsets are interpreted to be - from the beginning of the file, negative from the end of the file - (-1 is end of file). Only works for raw reader in streaming or - manual mode. Does not work with executables. Addresses BIT-985. - (Johanna Amann) - - * Allow setting packet and byte thresholds for connections. (Johanna Amann) - - This extends the ConnSize analyzer to be able to raise events when - each direction of a connection crosses a certain amount of bytes - or packets. - - Thresholds are set using: - - set_conn_bytes_threshold(c$id, [num-bytes], [direction]); - - set_conn_packets_threshold(c$id, [num-packets], [direction]); - - They raise the events, respectively: - - event conn_bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool) - - event conn_packets_threshold_crossed(c: connection, threshold: count, is_orig: bool) - - Current thresholds can be examined using get_conn_bytes_threshold() - and get_conn_packets_threshold(). - - Only one threshold can be set per connection. - - * Add high-level API for packet/bytes thresholding in - base/protocols/conn/thresholds.bro that holds lists of thresholds - and raises an event for each threshold exactly once. (Johanna - Amann) - - * Fix a bug where child packet analyzers of the TCP analyzer - where not found using FindChild. - - * Update GridFTP analyzer to use connection thresholding instead of - polling. (Johanna Amann) - -2.3-709 | 2015-04-17 12:37:32 -0700 - - * Fix addressing the dreaded "internal error: unknown msg type 115 - in Poll()". (Jon Siwek) - - This patch removes the error handling code for overload conditions - in the main process that could cause trouble down the road. The - "chunked_io_buffer_soft_cap" script variable can now tune when the - client process begins shutting down peer connections, and the - default setting is now double what it used to be. Addresses - BIT-1376. - -2.3-707 | 2015-04-17 10:57:59 -0500 - - * Add more info about Broker to NEWS. (Jon Siwek) - -2.3-705 | 2015-04-16 08:16:45 -0700 - - * Update Mozilla CA list. (Johanna Amann) - - * Update tests to have them keep using older certificates where - appropiate. (Johanna Amann) - -2.3-699 | 2015-04-16 09:51:58 -0500 - - * Fix the to_count function to use strtoull versus strtoll. - (Jon Siwek) - -2.3-697 | 2015-04-15 09:51:15 -0700 - - * Removing error check verifying that an ASCII writer has been - properly finished. Instead of aborting, we now just clean up in - that case and proceed. Addresses BIT-1331. (Robin Sommer) - -2.3-696 | 2015-04-14 15:56:36 -0700 - - * Update sqlite to 3.8.9 - -2.3-695 | 2015-04-13 10:34:42 -0500 - - * Fix iterator invalidation in broker::Manager dtor. (Jon Siwek) - - * Add paragraph to plugin documentation. (Robin Sommer) - -2.3-693 | 2015-04-11 10:56:31 -0700 - - * BIT-1367: improve coercion of anonymous records in set constructor. - (Jon Siwek) - - * Allow to specify ports for sftp log rotator. (Johanna Amann) - -2.3-690 | 2015-04-10 21:51:10 -0700 - - * Make sure to always delete the remote serializer. Addresses - BIT-1306 and probably also BIT-1356. (Robin Sommer) - - * Cleaning up --help. -D and -Y/y were still listed, even though - they had no effect anymore. Removing some dead code along with -D. - Addresses BIT-1372. (Robin Sommer) - -2.3-688 | 2015-04-10 08:10:44 -0700 - - * Update SQLite to 3.8.8.3. - -2.3-687 | 2015-04-10 07:32:52 -0700 - - * Remove stale signature benchmarking code (-L command-line option). - (Jon Siwek) - - * BIT-844: fix UDP payload signatures to match packet-wise. (Jon - Siwek) - -2.3-682 | 2015-04-09 12:07:00 -0700 - - * Fixing input readers' component type. (Robin Sommer) - - * Tiny spelling correction. (Seth Hall) - -2.3-680 | 2015-04-06 16:02:43 -0500 - - * BIT-1371: remove CMake version check from binary package scripts. - (Jon Siwek) - -2.3-679 | 2015-04-06 10:16:36 -0500 - - * Increase some unit test timeouts. (Jon Siwek) - - * Fix Coverity warning in RDP analyzer. (Jon Siwek) - -2.3-676 | 2015-04-02 10:10:39 -0500 - - * BIT-1366: improve checksum offloading warning. - (Frank Meier, Jon Siwek) - -2.3-675 | 2015-03-30 17:05:05 -0500 - - * Add an RDP analyzer. (Josh Liburdi, Seth Hall, Johanna Amann) - -2.3-640 | 2015-03-30 13:51:51 -0500 - - * BIT-1359: Limit maximum number of DTLS fragments to 30. (Johanna Amann) - -2.3-637 | 2015-03-30 12:02:07 -0500 - - * Increase timeout duration in some broker tests. (Jon Siwek) - -2.3-636 | 2015-03-30 11:26:32 -0500 - - * Updates related to SSH analysis. (Jon Siwek) - - - Some scripts used wrong SSH module/namespace scoping on events. - - Fix outdated notice documentation related to SSH password guessing. - - Add a unit test for SSH pasword guessing notice. - -2.3-635 | 2015-03-30 11:02:45 -0500 - - * Fix outdated documentation unit tests. (Jon Siwek) - -2.3-634 | 2015-03-30 10:22:45 -0500 - - * Add a canonifier to a unit test's output. (Jon Siwek) - -2.3-633 | 2015-03-25 18:32:59 -0700 - - * Log::write in signature framework was missing timestamp. - (Andrew Benson/Michel Laterman) - -2.3-631 | 2015-03-25 11:03:12 -0700 - - * New SSH analyzer. (Vlad Grigorescu) - -2.3-600 | 2015-03-25 10:23:46 -0700 - - * Add defensive checks in code to calculate log rotation intervals. - (Pete Nelson). - -2.3-597 | 2015-03-23 12:50:04 -0700 - - * DTLS analyzer. (Johanna Amann) - - * Implement correct parsing of TLS record fragmentation. (Johanna - Amann) - -2.3-582 | 2015-03-23 11:34:25 -0700 - - * BIT-1313: In debug builds, "bro -B " now supports "all" and - "help" for "". "all" enables all debug streams. "help" prints a - list of available debug streams. (John Donnelly/Robin Sommer). - - * BIT-1324: Allow logging filters to inherit default path from - stream. This allows the path for the default filter to be - specified explicitly through $path="..." when creating a stream. - Adapted the existing Log::create_stream calls to explicitly - specify a path value. (Jon Siwek) - - * BIT-1199: Change the way the input framework deals with values it - cannot convert into BroVals, raising error messages instead of - aborting execution. (Johanna Amann) - - * BIT-788: Use DNS QR field to better identify flow direction. (Jon - Siwek) - -2.3-572 | 2015-03-23 13:04:53 -0500 - - * BIT-1226: Fix an example in quickstart docs. (Jon siwek) - -2.3-570 | 2015-03-23 09:51:20 -0500 - - * Correct a spelling error (Daniel Thayer) - - * Improvement to SSL analyzer failure mode. (Johanna Amann) - -2.3-565 | 2015-03-20 16:27:41 -0500 - - * BIT-978: Improve documentation of 'for' loop iterator invalidation. - (Jon Siwek) - -2.3-564 | 2015-03-20 11:12:02 -0500 - - * BIT-725: Remove "unmatched_HTTP_reply" weird. (Jon Siwek) - -2.3-562 | 2015-03-20 10:31:02 -0500 - - * BIT-1207: Add unit test to catch breaking changes to local.bro - (Jon Siwek) - - * Fix failing sqlite leak test (Johanna Amann) - -2.3-560 | 2015-03-19 13:17:39 -0500 - - * BIT-1255: Increase default values of - "tcp_max_above_hole_without_any_acks" and "tcp_max_initial_window" - from 4096 to 16384 bytes. (Jon Siwek) - -2.3-559 | 2015-03-19 12:14:33 -0500 - - * BIT-849: turn SMTP reporter warnings into weirds, - "smtp_nested_mail_transaction" and "smtp_unmatched_end_of_data". - (Jon Siwek) - -2.3-558 | 2015-03-18 22:50:55 -0400 - - * DNS: Log the type number for the DNS_RR_unknown_type weird. (Vlad Grigorescu) - -2.3-555 | 2015-03-17 15:57:13 -0700 - - * Splitting test-all Makefile target into Bro tests and test-aux. - (Robin Sommer) - -2.3-554 | 2015-03-17 15:40:39 -0700 - - * Deprecate &rotate_interval, &rotate_size, &encrypt. Addresses - BIT-1305. (Jon Siwek) - -2.3-549 | 2015-03-17 09:12:18 -0700 - - * BIT-1077: Fix HTTP::log_server_header_names. Before, it just - re-logged fields from the client side. (Jon Siwek) - -2.3-547 | 2015-03-17 09:07:51 -0700 - - * Update certificate validation script to cache valid intermediate - chains that it encounters on the wire and use those to try to - validate chains that might be missing intermediate certificates. - (Johanna Amann) - -2.3-541 | 2015-03-13 15:44:08 -0500 - - * Make INSTALL a symlink to doc/install/install.rst (Jon siwek) - - * Fix Broxygen coverage. (Jon Siwek) - -2.3-539 | 2015-03-13 14:19:27 -0500 - - * BIT-1335: Include timestamp in default extracted file names. - And add a policy script to extract all files. (Jon Siwek) - - * BIT-1311: Identify GRE tunnels as Tunnel::GRE, not Tunnel::IP. - (Jon Siwek) - - * BIT-1309: Add Connection class getter methods for flow labels. - (Jon Siwek) - -2.3-536 | 2015-03-12 16:16:24 -0500 - - * Fix Broker leak tests. (Jon Siwek) - -2.3-534 | 2015-03-12 10:59:49 -0500 - - * Update NEWS file. (Jon Siwek) - -2.3-533 | 2015-03-12 10:18:53 -0500 - - * Give broker python bindings default install path within --prefix. - (Jon Siwek) - -2.3-530 | 2015-03-10 13:22:39 -0500 - - * Fix broker data stores in absence of --enable-debug. (Jon Siwek) - -2.3-529 | 2015-03-09 13:14:27 -0500 - - * Fix format specifier in SSL protocol violation. (Jon Siwek) - -2.3-526 | 2015-03-06 12:48:49 -0600 - - * Fix build warnings, clarify broker requirements, update submodule. - (Jon Siwek) - - * Rename comm/ directories to broker/ (Jon Siwek) - - * Rename broker-related namespaces. (Jon Siwek) - - * Improve remote logging via broker by only sending fields w/ &log. - (Jon Siwek) - - * Disable a stream's remote logging via broker if it fails. (Jon Siwek) - - * Improve some broker communication unit tests. (Jon Siwek) - -2.3-518 | 2015-03-04 13:13:50 -0800 - - * Add bytes_recvd to stats.log recording the number of bytes - received, according to packet headers. (Mike Smiley) - -2.3-516 | 2015-03-04 12:30:06 -0800 - - * Extract most specific Common Name from SSL certificates (Johanna - Amann) - - * Send CN and SAN fields of SSL certificates to the Intel framework. - (Johanna Amann) - -2.3-511 | 2015-03-02 18:07:17 -0800 - - * Changes to plugin meta hooks for function calls. (Gilbert Clark) - - - Add frame argument. - - - Change return value to tuple unambigiously whether hook - returned a result. - -2.3-493 | 2015-03-02 17:17:32 -0800 - - * Extend the SSL weak-keys policy file to also alert when - encountering SSL connections with old versions as well as unsafe - cipher suites. (Johanna Amann) - - * Make the notice suppression handling of other SSL policy files a - tad more robust. (Johanna Amann) - -2.3-491 | 2015-03-02 17:12:56 -0800 - - * Updating docs for recent addition of local_resp. (Robin Sommer) - -2.3-489 | 2015-03-02 15:29:30 -0800 - - * Integrate Broker, Bro's new communication library. (Jon Siwek) - - See aux/broker/README for more information on Broker, and - doc/frameworks/comm.rst for the corresponding Bro script API. - - Broker support is by default off for now; it can be enabled at - configure time with --enable-broker. It requires CAF - (https://github.com/actor-framework/actor-framework); for now iot - needs CAF's "develop" branch. Broker also requires a C++11 - compiler. - - Broker will become a mandatory dependency in future Bro versions. - - * Add --enable-c++11 configure flag to compile Bro's source code in - C++11 mode with a corresponding compiler. (Jon Siwek) - -2.3-451 | 2015-02-24 16:37:08 -0800 - - * Updating submodule(s). - -2.3-448 | 2015-02-23 16:58:10 -0800 - - * Updating NEWS. (Robin Sommer) - -2.3-447 | 2015-02-23 16:28:30 -0800 - - * Fix potential crash in logging framework when deserializing - WriterInfo from remote. where config is present. Testcase crashes - on unpatched versions of Bro. (Aaron Eppert) - - * Fix wrong value test in WriterBackend. (Aaron Eppert) - -2.3-442 | 2015-02-23 13:29:30 -0800 - - * Add a "local_resp" field to conn.log, along the lines of the - existing "local_orig". (Mike Smiley) - -2.3-440 | 2015-02-23 11:39:17 -0600 - - * Updating plugin docs to recent changes. (Robin Sommer) - - * Updating plugin tests to recent changes. (Robin Sommer) - - * Making plugin names case-insensitive for some internal comparisions. - Makes plugin system more tolerant against spelling inconsistencies - are hard to catch otherwise. (Robin Sommer) - - * Explicitly removing some old scripts on install that have moved - into plugins to prevent them causing confusion. (Robin Sommer) - - * BIT-1312: Removing setting installation plugin path from - bro-path-dev.sh. Also, adding to existing BRO_PLUGIN_PATH rather - than replacing. (Robin Sommer) - - * Creating the installation directory for plugins at install time. - (Robin Sommer) - -2.3-427 | 2015-02-20 13:49:33 -0800 - - * Removing dependency on PCAP_NETMASK_UNKNOWN to compile with - libpcap < 1.1.1. (Robin Sommer) - -2.3-426 | 2015-02-20 12:45:51 -0800 - - * Add 'while' statement to Bro language. Really. (Jon Siwek) - -2.3-424 | 2015-02-20 12:39:10 -0800 - - * Add the ability to remove surrounding braces from the JSON - formatter. (Seth Hall) - -2.3-419 | 2015-02-13 09:10:44 -0600 - - * BIT-1011: Update the SOCKS analyzer to support user/pass login. - (Nicolas Retrain, Seth Hall, Jon Siwek) - - - Add a new field to socks.log: "password". - - Two new events: "socks_login_userpass_request" and - "socks_login_userpass_reply". - - Two new weirds for unsupported SOCKS authentication method or - version. - - A new test for authenticated socks traffic. - -2.3-416 | 2015-02-12 12:18:42 -0600 - - * Submodule update - newest sqlite version (Johanna Amann) - - * Fix use of deprecated gperftools headers. (Jon Siwek) - -2.3-413 | 2015-02-08 18:23:05 -0800 - - * Fixing analyzer tag types for some Files::* functions. (Robin Sommer) - - * Changing load order for plugin scripts. (Robin Sommer) - -2.3-411 | 2015-02-05 10:05:48 -0600 - - * Fix file analysis of files with total size below the bof_buffer size - never delivering content to stream analyzers. (Seth Hall) - - * Add/fix log fields in x509 diff canonifier. (Jon Siwek) - - * "id" not defined for debug code when using -DPROFILE_BRO_FUNCTIONS - (Mike Smiley) - -2.3-406 | 2015-02-03 17:02:45 -0600 - - * Add x509 canonifier to a unit test. (Jon Siwek) - -2.3-405 | 2015-02-02 11:14:24 -0600 - - * Fix memory leak in new split_string* functions. (Jon Siwek) - -2.3-404 | 2015-01-30 14:23:27 -0800 - - * Update documentation (broken links, outdated tests). (Jon Siwek) - - * Deprecate split* family of BIFs. (Jon Siwek) - - These functions are now deprecated in favor of alternative versions that - return a vector of strings rather than a table of strings. - - Deprecated functions: - - - split: use split_string instead. - - split1: use split_string1 instead. - - split_all: use split_string_all instead. - - split_n: use split_string_n instead. - - cat_string_array: see join_string_vec instead. - - cat_string_array_n: see join_string_vec instead. - - join_string_array: see join_string_vec instead. - - sort_string_array: use sort instead instead. - - find_ip_addresses: use extract_ip_addresses instead. - - Changed functions: - - - has_valid_octets: uses a string_vec parameter instead of string_array. - - Addresses BIT-924. - - * Add a new attribute: &deprecated. While scripts are parsed, a - warning is raised for each usage of an identifier marked as - &deprecated. This also works for BIFs. Addresses BIT-924, - BIT-757. (Jon Siwek) - -2.3-397 | 2015-01-27 10:13:10 -0600 - - * Handle guess_lexer exceptions in pygments reST directive (Jon Siwek) - -2.3-396 | 2015-01-23 10:49:15 -0600 - - * DNP3: fix reachable assertion and buffer over-read/overflow. - CVE number pending. (Travis Emmert, Jon Siwek) - - * Update binpac: Fix potential out-of-bounds memory reads in generated - code. CVE-2014-9586. (John Villamil and Chris Rohlf - Yahoo - Paranoids, Jon Siwek) - - * Fixing (harmless) Coverity warning. (Robin Sommer) - -2.3-392 | 2015-01-15 09:44:15 -0800 - - * Small changes to EC curve names in a newer draft. (Johanna Amann) - -2.3-390 | 2015-01-14 13:27:34 -0800 - - * Updating MySQL analyses. (Vlad Grigorescu) - - Use a boolean success instead of a result string. - - Change the affected_rows response detail string to a "rows" count. - - Fix the state tracking to log incomplete command. - - * Extend DNP3 to support communication over UDP. (Hui Lin) - - * Fix a bug in DNP3 determining the length of an object in some - cases. (Hui Lin) - -2.3-376 | 2015-01-12 09:38:10 -0600 - - * Improve documentation for connection_established event. (Jon Siwek) - -2.3-375 | 2015-01-08 13:10:09 -0600 - - * Increase minimum required CMake version to 2.8. (Jon Siwek) - -2.3-374 | 2015-01-07 10:03:17 -0600 - - * Improve documentation of the Intelligence Framework. (Daniel Thayer) - -2.3-371 | 2015-01-06 09:58:09 -0600 - - * Update/improve file mime type identification. (Seth Hall) - - - Change to the default BOF buffer size to 3000 (was 1024). - - - Reorganized MS signatures into a separate file. - - - Remove all of the x-c detections. Nearly all false positives. - - - Improve TAR detections, removing old, back up TAR detections. - - - Remove one of the x-elc detections that was too loose - and caused many false positives. - - - Improved lots of the signatures and added new ones. (Seth Hall) - - * Add support for file reassembly in the file analysis framework - (Seth Hall, Jon Siwek). - - - The reassembly behavior can be modified per-file by enabling or - disabling the reassembler and/or modifying the size of the - reassembly buffer. - - - Changed the file extraction analyzer to use stream-wise input to - avoid issues with the chunk-wise approach not immediately - triggering the file_new event due to mime-type detection delay. - Before, early chunks frequently ended up lost. Extraction also - will now explicitly NUL-fill gaps in the file instead of - implicitly relying on pwrite to do it. - -2.3-349 | 2015-01-05 15:21:13 -0600 - - * Fix race condition in unified2 file analyzer startup. (Jon siwek) - -2.3-348 | 2014-12-31 09:19:34 -0800 - - * Changing Makefile's test-all to run test-all for broctl, which now - executes trace-summary tests as well. (Robin Sommer) - -2.3-345 | 2014-12-31 09:06:15 -0800 - - * Correct a typo in the Notice framework doc. (Daniel Thayer) - -2.3-343 | 2014-12-12 12:43:46 -0800 - - * Fix PIA packet replay to deliver copy of IP header. This prevented - one from writing a packet-wise analyzer that needs access to IP - headers and can be attached to a connection via signature match. - Addresses BIT-1298 (Jon Siwek) - -2.3-338 | 2014-12-08 13:56:19 -0800 - - * Add man page for Bro. (Raúl Benencia) - - * Updating doc baselines. (Robin Sommer) - -2.3-334 | 2014-12-03 14:22:07 -0800 - - * Fix compound assignment to require proper L-value. Addresses - BIT-1295. (Jon Siwek) - -2.3-332 | 2014-12-03 14:14:11 -0800 - - * Make using local IDs in @if directives an error. Addresses - BIT-1296. (Jon Siwek) - -2.3-330 | 2014-12-03 14:10:39 -0800 - - * Fix some "make doc" warnings and update some doc tests. (Daniel - Thayer) - -2.3-328 | 2014-12-02 08:13:10 -0500 - - * Update windows-version-detection.bro to add support for - Windows 10. (Michal Purzynski) - -2.3-326 | 2014-12-01 12:10:27 -0600 - - * BIFScanner: fix invalid characters in generated preprocessor macros. - (Hilko Bengen) - - * BIT-1294: fix exec.bro from mutating Input::end_of_data event - parameters. (Johanna Amann) - - * Add/invoke "distclean" for testing directories. (Raúl Benencia) - - * Delete prebuilt python bytecode files from git. (Jon Siwek) - - * Add Windows detection based on CryptoAPI HTTP traffic as a software - framework policy script. (Vlad Grigorescu) - -2.3-316 | 2014-11-25 17:35:06 -0800 - - * Make the SSL analyzer skip further processing once encountering - situations which are very probably non-recoverable. (Johanna - Amann) - -2.3-313 | 2014-11-25 14:27:07 -0800 - - * Make SSL v2 protocol tests more strict. In its former state they - triggered on http traffic over port 443 sometimes. Found by Michał - Purzyński. (Johanna Amann) - - * Fix X509 analyzer to correctly return ECDSA as the key_type for - ECDSA certs. Bug found by Michał Purzyński. (Johanna Amann) - -2.3-310 | 2014-11-19 10:56:59 -0600 - - * Disable verbose bison output. (Jon Siwek) - -2.3-309 | 2014-11-18 12:17:53 -0800 - - * New decompose_uri() function in base/utils/urls that splits a URI - into its pieces. (Anthony Kasza). - -2.3-305 | 2014-11-18 11:09:04 -0800 - - * Improve coercion of &default expressions. Addresses BIT-1288. (Jon - Siwek) - -2.3-303 | 2014-11-18 10:53:04 -0800 - - * For DH key exchanges, use p as the parameter for weak key - exchanges. (Johanna Amann) - -2.3-301 | 2014-11-11 13:47:27 -0800 - - * Add builtin function enum_to_int() that converts an enum into a - integer. (Christian Struck) - -2.3-297 | 2014-11-11 11:50:47 -0800 - - * Removing method from SSL analyzer that's no longer used. (Robin - Sommer) - -2.3-296 | 2014-11-11 11:42:38 -0800 - - * A new analyzer parsing the MySQL wire protocol. Activity gets - logged into mysql.log. Supports protocol versions 9 and 10. (Vlad - Grigorescu) - -2.3-280 | 2014-11-05 09:46:33 -0500 - - * Add Windows detection based on CryptoAPI HTTP traffic as a - software framework policy script. (Vlad Grigorescu) - -2.3-278 | 2014-11-03 18:55:18 -0800 - - * Add new curves from draft-ietf-tls-negotiated-ff-dhe to SSL - analysis. (Johanna Amann) - -2.3-274 | 2014-10-31 17:45:25 -0700 - - * Adding call to new binpac::init() function. (Robin Sommer) - -2.3-272 | 2014-10-31 16:29:42 -0700 - - * Fix segfault if when statement's RHS is unitialized. Addresses - BIT-1176. (Jon Siwek) - - * Fix checking vector indices via "in". Addresses BIT-1280. (Jon - Siwek) - -2.3-268 | 2014-10-31 12:12:22 -0500 - - * BIT-1283: Fix crash when using &encrypt. (Jon Siwek) - -2.3-267 | 2014-10-31 10:35:02 -0500 - - * BIT-1284: Allow arbitrary when statement timeout expressions - (Jon Siwek) - -2.3-266 | 2014-10-31 09:21:28 -0500 - - * BIT-1166: Add configure options to fine tune local state dirs used - by BroControl. (Jon Siwek) - -2.3-264 | 2014-10-30 13:25:57 -0500 - - * Fix some minor Coverity Scan complaints. (Jon Siwek) - -2.3-263 | 2014-10-28 15:09:10 -0500 - - * Fix checking of fwrite return values (Johanna Amann) - -2.3-260 | 2014-10-27 12:54:17 -0500 - - * Fix errors/warnings when compiling with -std=c++11 (Jon Siwek) - -2.3-259 | 2014-10-27 10:04:04 -0500 - - * Documentation fixes. (Vicente Jimenez Aguilar and Stefano Azzalini) - -2.3-256 | 2014-10-24 15:33:45 -0700 - - * Adding missing test baseline. (Robin Sommer) - -2.3-255 | 2014-10-24 13:39:44 -0700 - - * Fixing unstable active-http test. (Robin Sommer) - -2.3-254 | 2014-10-24 11:40:51 -0700 - - * Fix active-http.bro to deal reliably with empty server responses, - which will now be passed back as empty files. (Christian Struck) - -2.3-248 | 2014-10-23 14:20:59 -0700 - - * Change order in which a plugin's scripts are loaded at startup. - (Robin Sommer) - -2.3-247 | 2014-10-21 13:42:38 -0700 - - * Updates to the SSL analyzer. (Johanna Amann) - - * Mark everything below 2048 bit as a weak key. - - * Fix notice suppression. - - * Add information about server-chosen protocol to ssl.log, if - provided by application_layer_next_protocol. - - * Add boolean flag to ssl.log signaling if a session was - resumed. Remove the (usually not really that useful) session - ID that the client sent. - -2.3-240 | 2014-10-21 13:36:33 -0700 - - * Fix Coverity-reported issues in DNP3 analyzer. (Seth Hall) - -2.3-238 | 2014-10-16 06:51:49 -0700 - - * Fix multipart HTTP/MIME entity file analysis so that (1) singular - CR or LF characters in multipart body content are no longer - converted to a full CRLF (thus corrupting the file) and (2) it - also no longer considers the CRLF before the multipart boundary as - part of the content. Addresses BIT-1235. (Jon Siwek) - -2.3-235 | 2014-10-15 10:20:47 -0500 - - * BIT-1273: Add error message for bad enum declaration syntax. - (Jon Siwek) - -2.3-234 | 2014-10-14 14:42:09 -0500 - - * Documentation fixes. (Steve Smoot) - -2.3-233 | 2014-10-09 16:00:27 -0500 - - * Change find-bro-logs unit test to follow symlinks. (Jon Siwek) - - * Add error checks and messages to a test script (Daniel Thayer) - -2.3-230 | 2014-10-08 08:15:17 -0700 - - * Further baseline normalization for plugin test portability. (Robin - Sommer) - -2.3-229 | 2014-10-07 20:18:11 -0700 - - * Fix for test portability. (Robin Sommer) - -2.3-228 | 2014-10-07 15:32:37 -0700 - - * Include plugin unit tests into the top-level btest configuration. (Robin Sommer) - - * Switching the prefix separator for packet source/dumper plugins - once more, now to "::". Addresses BIT-1267. (Robin Sommer) - - * Fix for allowing a packet source/dumper plugin to support multiple - prefixes with a colon. (Robin Sommer) - -2.3-225 | 2014-10-07 15:13:35 -0700 - - * Updating plugin documentation. (Robin Sommer) - -2.3-224 | 2014-10-07 14:32:17 -0700 - - * Improved the log file reference documentation. (Jeannette Dopheide - and Daniel Thayer) - - * Improves shockwave flash file signatures. (Seth Hall) - - - This moves the signatures out of the libmagic imported signatures - and into our own general.sig. - - - Expand the detection to LZMA compressed flash files. - - * Add new script language reference documentation on operators, - statements, and directives. Also improved the documentation on - types and attributes by splitting them into two docs, and - providing more examples and adding a chart on the top of each page - with links to each type and attribute for easier access to the - information. (Daniel Thayer) - - * Split the types and attributes reference doc into two docs. - (Daniel Thayer) - -2.3-208 | 2014-10-03 09:38:52 -0500 - - * BIT-1268: Fix uninitialized router_list argument in - dhcp_offer/dhcp_ack. (Jon Siwek) - -2.3-207 | 2014-10-02 16:39:17 -0700 - - * Updating plugin docs. (Robin Sommer) - - * Fix packet sources being treated as idle when a packet is - available. Addresses BIT-1266. (Jon Siwek) - - * Fix regression causing the main loop to spin more frequently. - Addresses BIT-1266. (Jon Siwek) - -2.3-203 | 2014-09-29 20:06:54 -0700 - - * Fix to use length parameter in DNP3 time conversion correctly now. - (Robin Sommer) - -2.3-202 | 2014-09-29 17:05:18 -0700 - - * New SSL extension type from IANA and a few other SSL const - changes. (Johanna Amann) - - * Make unexpected pipe errors fatal as precaution. Addresses - BIT-1260. (Jon Siwek) - - * Adding a function for DNP3 to translate the timestamp format. (Hui - Lin) - -2.3-197 | 2014-09-29 10:42:01 -0500 - - * Fix possible seg fault in TCP reassembler. (Jon Siwek) - -2.3-196 | 2014-09-25 17:53:27 -0700 - - * Changing prefix for packet sources/dumper from ':' to '%'. - Addresses BIT-1249. (Robin Sommer) - - * Remove timeouts from remote communication loop. The select() now - blocks until there's work to do instead of relying on a small - timeout value which can cause unproductive use of cpu cycles. (Jon - Siwek) - - * Improve error message when failing to activate a plugin. Also fix - a unit test helper script that checks plugin availability. (Jon - Siwek) - -2.3-183 | 2014-09-24 10:08:04 -0500 - - * Add a "node" field to Intel::Seen struture and intel.log to - indicate which node discovered a hit on an intel item. (Seth Hall) - - * BIT-1261: Fixes to plugin quick start doc. (Jon Siwek) - -2.3-180 | 2014-09-22 12:52:41 -0500 - - * BIT-1259: Fix issue w/ duplicate TCP reassembly deliveries. - (Jon Siwek) - -2.3-178 | 2014-09-18 14:29:46 -0500 - - * BIT-1256: Fix file analysis events from coming after bro_done(). - (Jon Siwek) - -2.3-177 | 2014-09-17 09:41:27 -0500 - - * Documentation fixes. (Chris Mavrakis) - -2.3-174 | 2014-09-17 09:37:09 -0500 - - * Fixed some "make doc" warnings caused by reST formatting - (Daniel Thayer). - -2.3-172 | 2014-09-15 13:38:52 -0500 - - * Remove unneeded allocations for HTTP messages. (Jon Siwek) - -2.3-171 | 2014-09-15 11:14:57 -0500 - - * Fix a compile error on systems without pcap-int.h. (Jon Siwek) - -2.3-170 | 2014-09-12 19:28:01 -0700 - - * Fix incorrect data delivery skips after gap in HTTP Content-Range. - Addresses BIT-1247. (Jon Siwek) - - * Fix file analysis placement of data after gap in HTTP - Content-Range. Addresses BIT-1248. (Jon Siwek) - - * Fix issue w/ TCP reassembler not delivering some segments. - Addresses BIT-1246. (Jon Siwek) - - * Fix MIME entity file data/gap ordering and raise http_entity_data - in line with data arrival. Addresses BIT-1240. (Jon Siwek) - - * Implement file ID caching for MIME_Mail. (Jon Siwek) - - * Fix a compile error. (Jon Siwek) - -2.3-161 | 2014-09-09 12:35:38 -0500 - - * Bugfixes and test updates/additions. (Robin Sommer) - - * Interface tweaks and docs for PktSrc/PktDumper. (Robin Sommer) - - * Moving PCAP-related bifs to iosource/pcap.bif. (Robin Sommer) - - * Moving some of the BPF filtering code into base class. - This will allow packet sources that don't support BPF natively to - emulate the filtering via libpcap. (Robin Sommer) - - * Removing FlowSrc. (Robin Sommer) - - * Removing remaining pieces of the 2ndary path, and left-over - files of packet sorter. (Robin Sommer) - - * A bunch of infrastructure work to move IOSource, IOSourceRegistry - (now iosource::Manager) and PktSrc/PktDumper code into iosource/, - and over to a plugin structure. (Robin Sommer) - -2.3-137 | 2014-09-08 19:01:13 -0500 - - * Fix Broxygen's rendering of opaque types. (Jon Siwek) - -2.3-136 | 2014-09-07 20:50:46 -0700 - - * Change more http links to https. (Johanna Amann) - -2.3-134 | 2014-09-04 16:16:36 -0700 - - * Fixed a number of issues with OCSP reply validation. Addresses - BIT-1212. (Johanna Amann) - - * Fix null pointer dereference in OCSP verification code in case no - certificate is sent as part as the ocsp reply. Addresses BIT-1212. - (Johanna Amann) - -2.3-131 | 2014-09-04 16:10:32 -0700 - - * Make links in documentation templates protocol relative. (Johanna - Amann) - -2.3-129 | 2014-09-02 17:21:21 -0700 - - * Simplify a conditional with equivalent branches. (Jon Siwek) - - * Change EDNS parsing code to use rdlength more cautiously. (Jon - Siwek) - - * Fix a memory leak when bind() fails due to EADDRINUSE. (Jon Siwek) - - * Fix possible buffer over-read in DNS TSIG parsing. (Jon Siwek) - -2.3-124 | 2014-08-26 09:24:19 -0500 - - * Better documentation for sub_bytes (Jimmy Jones) - - * BIT-1234: Fix build on systems that already have ntohll/htonll - (Jon Siwek) - -2.3-121 | 2014-08-22 15:22:15 -0700 - - * Detect functions that try to bind variables from an outer scope - and raise an error saying that's not supported. Addresses - BIT-1233. (Jon Siwek) - -2.3-116 | 2014-08-21 16:04:13 -0500 - - * Adding plugin testing to Makefile's test-all. (Robin Sommer) - - * Converting log writers and input readers to plugins. - DataSeries and ElasticSearch plugins have moved to the new - bro-plugins repository, which is now a git submodule in the - aux/plugins directory. (Robin Sommer) - -2.3-98 | 2014-08-19 11:03:46 -0500 - - * Silence some doc-related warnings when using `bro -e`. - Closes BIT-1232. (Jon Siwek) - - * Fix possible null ptr derefs reported by Coverity. (Jon Siwek) - -2.3-96 | 2014-08-01 14:35:01 -0700 - - * Small change to DHCP documentation. In server->client messages the - host name may differ from the one requested by the client. - (Johanna Amann) - - * Split DHCP log writing from record creation. This allows users to - customize dhcp.log by changing the record in their own dhcp_ack - event. (Johanna Amann) - - * Update PATH so that documentation btests can find bro-cut. (Daniel - Thayer) - - * Remove gawk from list of optional packages in documentation. - (Daniel Thayer) - - * Fix for redefining built-in constants. (Robin Sommer) - -2.3-86 | 2014-07-31 14:19:58 -0700 - - * Fix for redefining built-in constants. (Robin Sommer) - - * Adding missing check that a plugin's API version matches what Bro - defines. (Robin Sommer) - - * Adding NEWS entry for plugins. (Robin Sommer) - -2.3-83 | 2014-07-30 16:26:11 -0500 - - * Minor adjustments to plugin code/docs. (Jon Siwek) - - * Dynamic plugin support. (Rpbin Sommer) - - Bro now supports extending core functionality, like protocol and - file analysis, dynamically with external plugins in the form of - shared libraries. See doc/devel/plugins.rst for an overview of the - main functionality. Changes coming with this: - - - Replacing the old Plugin macro magic with a new API. - - - The plugin API changed to generally use std::strings instead - of const char*. - - - There are a number of invocations of PLUGIN_HOOK_ - {VOID,WITH_RESULT} across the code base, which allow plugins - to hook into the processing at those locations. - - - A few new accessor methods to various classes to allow - plugins to get to that information. - - - network_time cannot be just assigned to anymore, there's now - function net_update_time() for that. - - - Redoing how builtin variables are initialized, so that it - works for plugins as well. No more init_net_var(), but - instead bifcl-generated code that registers them. - - - Various changes for adjusting to the now dynamic generation - of analyzer instances. - - - same_type() gets an optional extra argument allowing record type - comparision to ignore if field names don't match. (Robin Sommer) - - - Further unify file analysis API with the protocol analyzer API - (assigning IDs to analyzers; adding Init()/Done() methods; - adding subtypes). (Robin Sommer) - - - A new command line option -Q that prints some basic execution - time stats. (Robin Sommer) - - - Add support to the file analysis for activating analyzers by - MIME type. (Robin Sommer) - - - File::register_for_mime_type(tag: Analyzer::Tag, mt: - string): Associates a file analyzer with a MIME type. - - - File::add_analyzers_for_mime_type(f: fa_file, mtype: - string): Activates all analyzers registered for a MIME - type for the file. - - - The default file_new() handler calls - File::add_analyzers_for_mime_type() with the file's MIME - type. - -2.3-20 | 2014-07-22 17:41:02 -0700 - - * Updating submodule(s). - -2.3-19 | 2014-07-22 17:29:19 -0700 - - * Implement bytestring_to_coils() in Modbus analyzer so that coils - gets passed to the corresponding events. (Hui Lin) - - * Add length field to ModbusHeaders. (Hui Lin) - -2.3-12 | 2014-07-10 19:17:37 -0500 - - * Include yield of vectors in Broxygen's type descriptions. - Addresses BIT-1217. (Jon Siwek) - -2.3-11 | 2014-07-10 14:49:27 -0700 - - * Fixing DataSeries output. It was using a now illegal value as its - default compression level. (Robin Sommer) - -2.3-7 | 2014-06-26 17:35:18 -0700 - - * Extending "make test-all" to include aux/bro-aux. (Robin Sommer) - -2.3-6 | 2014-06-26 17:24:10 -0700 - - * DataSeries compilation issue fixed. (mlaterman) - - * Fix a reference counting bug in ListVal ctor. (Jon Siwek) - -2.3-3 | 2014-06-26 15:41:04 -0500 - - * Support tilde expansion when Bro tries to find its own path. (Jon - Siwek) - -2.3-2 | 2014-06-23 16:54:15 -0500 - - * Remove references to line numbers in tutorial text. (Daniel Thayer) - -2.3 | 2014-06-16 09:48:25 -0500 - - * Release 2.3. - -2.3-beta-33 | 2014-06-12 11:59:28 -0500 - - * Documentation improvements/fixes. (Daniel Thayer) - -2.3-beta-24 | 2014-06-11 15:35:31 -0500 - - * Fix SMTP state tracking when server response is missing. - (Robin Sommer) - -2.3-beta-22 | 2014-06-11 12:31:38 -0500 - - * Fix doc/test that broke due to a Bro script change. (Jon Siwek) - - * Remove unused --with-libmagic configure option. (Jon Siwek) - -2.3-beta-20 | 2014-06-10 18:16:51 -0700 - - * Fix use-after-free in some cases of reassigning a table index. - Addresses BIT-1202. (Jon Siwek) - -2.3-beta-18 | 2014-06-06 13:11:50 -0700 - - * Add two more SSL events, one triggered for each handshake message - and one triggered for the tls change cipherspec message. (Bernhard - Amann) - - * Small SSL bug fix. In case SSL::disable_analyzer_after_detection - was set to false, the ssl_established event would fire after each - data packet once the session is established. (Bernhard Amann) - -2.3-beta-16 | 2014-06-06 13:05:44 -0700 - - * Re-activate notice suppression for expiring certificates. - (Bernhard Amann) - -2.3-beta-14 | 2014-06-05 14:43:33 -0700 - - * Add new TLS extension type numbers from IANA (Bernhard Amann) - - * Switch to double hashing for Bloomfilters for better performance. - (Matthias Vallentin) - - * Bugfix to use full digest length instead of just one byte for - Bloomfilter's universal hash function. Addresses BIT-1140. - (Matthias Vallentin) - - * Make buffer for X509 certificate subjects larger. Addresses - BIT-1195 (Bernhard Amann) - -2.3-beta-5 | 2014-05-29 15:34:42 -0500 - - * Fix misc/load-balancing.bro's reference to - PacketFilter::sampling_filter (Jon Siwek) - -2.3-beta-4 | 2014-05-28 14:55:24 -0500 - - * Fix potential mem leak in remote function/event unserialization. - (Jon Siwek) - - * Fix reference counting bug in table coercion expressions (Jon Siwek) - - * Fix an "unused value" warning. (Jon Siwek) - - * Remove a duplicate unit test baseline dir. (Jon Siwek) - -2.3-beta | 2014-05-19 16:36:50 -0500 - - * Release 2.3-beta - - * Clean up OpenSSL data structures on exit. (Bernhard Amann) - - * Fixes for OCSP & x509 analysis memory leak issues. (Bernhard Amann) - - * Remove remaining references to BROMAGIC (Daniel Thayer) - - * Fix typos and formatting in event and BiF documentation (Daniel Thayer) - - * Update intel framework plugin for ssl server_name extension API - changes. (Bernhard Amann, Justin Azoff) - - * Fix expression errors in SSL/x509 scripts when unparseable data - is in certificate chain. (Bernhard Amann) - -2.2-478 | 2014-05-19 15:31:33 -0500 - - * Change record ctors to only allow record-field-assignment - expressions. (Jon Siwek) - -2.2-477 | 2014-05-19 14:13:00 -0500 - - * Fix X509::Result record's "result" field to be set internally as type int instead of type count. (Bernhard Amann) - - * Fix a couple of doc build warnings (Daniel Thayer) - -2.2-470 | 2014-05-16 15:16:32 -0700 - - * Add a new section "Cluster Configuration" to the docs that is - intended as a how-to for configuring a Bro cluster. Most of this - content was moved here from the BroControl doc (which is now - intended as more of a reference guide for more experienced users) - and the load balancing FAQ on the website. (Daniel Thayer) - - * Update some doc tests and line numbers (Daniel Thayer) - -2.2-457 | 2014-05-16 14:38:31 -0700 - - * New script policy/protocols/ssl/validate-ocsp.bro that adds OSCP - validation to ssl.log. The work is done by a new bif - x509_ocsp_verify(). (Bernhard Amann) - - * STARTTLS support for POP3 and SMTP. The SSL analyzer takes over - when seen. smtp.log now logs when a connection switches to SSL. - (Bernhard Amann) - - * Replace errors when parsing x509 certs with weirds. (Bernhard - Amann) - - * Improved Heartbleed attack/scan detection. (Bernhard Amann) - - * Let TLS analyzer fail better when no longer in sync with the data - stream. (Bernhard Amann) - -2.2-444 | 2014-05-16 14:10:32 -0500 - - * Disable all default AppStat plugins except facebook. (Jon Siwek) - - * Update for the active http test to force it to use ipv4. (Seth Hall) - -2.2-441 | 2014-05-15 11:29:56 -0700 - - * A new RADIUS analyzer. (Vlad Grigorescu) - - It produces a radius.log and generates two events: - - event radius_message(c: connection, result: RADIUS::Message); - event radius_attribute(c: connection, attr_type: count, value: string); - -2.2-427 | 2014-05-15 13:37:23 -0400 - - * Fix dynamic SumStats update on clusters (Bernhard Amann) - -2.2-425 | 2014-05-08 16:34:44 -0700 - - * Fix reassembly of data w/ sizes beyond 32-bit capacities. (Jon Siwek) - - Reassembly code (e.g. for TCP) now uses int64/uint64 (signedness - is situational) data types in place of int types in order to - support delivering data to analyzers that pass 2GB thresholds. - There's also changes in logic that accompany the change in data - types, e.g. to fix TCP sequence space arithmetic inconsistencies. - - Another significant change is in the Analyzer API: the *Packet and - *Undelivered methods now use a uint64 in place of an int for the - relative sequence space offset parameter. - - Addresses BIT-348. - - * Fixing compiler warnings. (Robin Sommer) - - * Update SNMP analyzer's DeliverPacket method signature. (Jon Siwek) - -2.2-417 | 2014-05-07 10:59:22 -0500 - - * Change handling of atypical OpenSSL error case in x509 verification. (Jon Siwek) - - * Fix memory leaks in X509 certificate parsing/verification. (Jon Siwek) - - * Fix new []/delete mismatch in input::reader::Raw::DoClose(). (Jon Siwek) - - * Fix buffer over-reads in file_analysis::Manager::Terminate() (Jon Siwek) - - * Fix buffer overlows in IP address masking logic. (Jon Siwek) - - That could occur either in taking a zero-length mask on an IPv6 address - (e.g. [fe80::]/0) or a reverse mask of length 128 on any address (e.g. - via the remask_addr BuiltIn Function). - - * Fix new []/delete mismatch in ~Base64Converter. (Jon Siwek) - -2.2-410 | 2014-05-02 12:49:53 -0500 - - * Replace an unneeded OPENSSL_malloc call. (Jon Siwek) - -2.2-409 | 2014-05-02 12:09:06 -0500 - - * Clean up and documentation for base SNMP script. (Jon Siwek) - - * Update base SNMP script to now produce a snmp.log. (Seth Hall) - - * Add DH support to SSL analyzer. When using DHE or DH-Anon, sever - key parameters are now available in scriptland. Also add script to - alert on weak certificate keys or weak dh-params. (Bernhard Amann) - - * Add a few more ciphers Bro did not know at all so far. (Bernhard Amann) - - * Log chosen curve when using ec cipher suite in TLS. (Bernhard Amann) - -2.2-397 | 2014-05-01 20:29:20 -0700 - - * Fix reference counting for lookup_ID() usages. (Jon Siwek) - -2.2-395 | 2014-05-01 20:25:48 -0700 - - * Fix missing "irc-dcc-data" service field from IRC DCC connections. - (Jon Siwek) - - * Correct a notice for heartbleed. The notice is thrown correctly, - just the message conteined wrong values. (Bernhard Amann) - - * Improve/standardize some malloc/realloc return value checks. (Jon - Siwek) - - * Improve file analysis manager shutdown/cleanup. (Jon Siwek) - -2.2-388 | 2014-04-24 18:38:07 -0700 - - * Fix decoding of MIME quoted-printable. (Mareq) - -2.2-386 | 2014-04-24 18:22:29 -0700 - - * Do a Intel::ADDR lookup for host field if we find an IP address - there. (jshlbrd) - -2.2-381 | 2014-04-24 17:08:45 -0700 - - * Add Java version to software framework. (Brian Little) - -2.2-379 | 2014-04-24 17:06:21 -0700 - - * Remove unused Val::attribs member. (Jon Siwek) - -2.2-377 | 2014-04-24 16:57:54 -0700 - - * A larger set of SSL improvements and extensions. Addresses - BIT-1178. (Bernhard Amann) - - - Fixes TLS protocol version detection. It also should - bail-out correctly on non-tls-connections now - - - Adds support for a few TLS extensions, including - server_name, alpn, and ec-curves. - - - Adds support for the heartbeat events. - - - Add Heartbleed detector script. - - - Adds basic support for OCSP stapling. - - * Fix parsing of DNS TXT RRs w/ multiple character-strings. - Addresses BIT-1156. (Jon Siwek) - -2.2-353 | 2014-04-24 16:12:30 -0700 - - * Adapt HTTP partial content to cache file analysis IDs. (Jon Siwek) - - * Adapt SSL analyzer to generate file analysis handles itself. (Jon - Siwek) - - * Adapt more of HTTP analyzer to use cached file analysis IDs. (Jon - Siwek) - - * Adapt IRC/FTP analyzers to cache file analysis IDs. (Jon Siwek) - - * Refactor regex/signature AcceptingSet data structure and usages. - (Jon Siwek) - - * Enforce data size limit when checking files for MIME matches. (Jon - Siwek) - - * Refactor file analysis file ID lookup. (Jon Siwek) - -2.2-344 | 2014-04-22 20:13:30 -0700 - - * Refactor various hex escaping code. (Jon Siwek) - -2.2-341 | 2014-04-17 18:01:41 -0500 - - * Fix duplicate DNS log entries. (Robin Sommer) - -2.2-341 | 2014-04-17 18:01:01 -0500 - - * Refactor initialization of ASCII log writer options. (Jon Siwek) - - * Fix a memory leak in ASCII log writer. (Jon Siwek) - -2.2-338 | 2014-04-17 17:48:17 -0500 - - * Disable input/logging threads setting their names on every - heartbeat. (Jon Siwek) - - * Fix bug when clearing Bloom filter contents. Reported by - @colonelxc. (Matthias Vallentin) - -2.2-335 | 2014-04-10 15:04:57 -0700 - - * Small logic fix for main SSL script. (Bernhard Amann) - - * Update DPD signatures for detecting TLS 1.2. (Bernhard Amann) - - * Remove unused data member of SMTP_Analyzer to silence a Coverity - warning. (Jon Siwek) - - * Fix missing @load dependencies in some scripts. Also update the - unit test which is supposed to catch such errors. (Jon Siwek) - -2.2-326 | 2014-04-08 15:21:51 -0700 - - * Add SNMP datagram parsing support.This supports parsing of SNMPv1 - (RFC 1157), SNMPv2 (RFC 1901/3416), and SNMPv2 (RFC 3412). An - event is raised for each SNMP PDU type, though there's not - currently any event handlers for them and not a default snmp.log - either. However, simple presence of SNMP is currently visible now - in conn.log service field and known_services.log. (Jon Siwek) - -2.2-319 | 2014-04-03 15:53:25 -0700 - - * Improve __load__.bro creation for .bif.bro stubs. (Jon Siwek) - -2.2-317 | 2014-04-03 10:51:31 -0400 - - * Add a uid field to the signatures.log. Addresses BIT-1171 - (Anthony Verez) - -2.2-315 | 2014-04-01 16:50:01 -0700 - - * Change logging's "#types" description of sets to "set". Addresses - BIT-1163 (Bernhard Amann) - -2.2-313 | 2014-04-01 16:40:19 -0700 - - * Fix a couple nits reported by Coverity.(Jon Siwek) - - * Fix potential memory leak in IP frag reassembly reported by - Coverity. (Jon Siwek) - -2.2-310 | 2014-03-31 18:52:22 -0700 - - * Fix memory leak and unchecked dynamic cast reported by Coverity. - (Jon Siwek) - - * Fix potential memory leak in x509 parser reported by Coverity. - (Bernhard Amann) - -2.2-304 | 2014-03-30 23:05:54 +0200 - - * Replace libmagic w/ Bro signatures for file MIME type - identification. Addresses BIT-1143. (Jon Siwek) - - Includes: - - - libmagic is no longer used at all. All MIME type detection is - done through new Bro signatures, and there's no longer a means - to get verbose file type descriptions. The majority of the - default file magic signatures are derived from the default magic - database of libmagic ~5.17. - - - File magic signatures consist of two new constructs in the - signature rule parsing grammar: "file-magic" gives a regular - expression to match against, and "file-mime" gives the MIME type - string of content that matches the magic and an optional strength - value for the match. - - - Modified signature/rule syntax for identifiers: they can no - longer start with a '-', which made for ambiguous syntax when - doing negative strength values in "file-mime". Also brought - syntax for Bro script identifiers in line with reality (they - can't start with numbers or include '-' at all). - - - A new built-in function, "file_magic", can be used to get all - file magic matches and their corresponding strength against a - given chunk of data. - - - The second parameter of the "identify_data" built-in function - can no longer be used to get verbose file type descriptions, - though it can still be used to get the strongest matching file - magic signature. - - - The "file_transferred" event's "descr" parameter no longer - contains verbose file type descriptions. - - - The BROMAGIC environment variable no longer changes any behavior - in Bro as magic databases are no longer used/installed. - - - Removed "binary" and "octet-stream" mime type detections. They - don' provide any more information than an uninitialized - mime_type field which implicitly means no magic signature - matches and so the media type is unknown to Bro. - - - The "fa_file" record now contains a "mime_types" field that - contains all magic signatures that matched the file content - (where the "mime_type" field is just a shortcut for the - strongest match). - - - Reverted back to minimum requirement of CMake 2.6.3 from 2.8.0. - - * The logic for adding file ids to {orig,resp}_fuids fields of the - http.log incorrectly depended on the state of - {orig,resp}_mime_types fields, so sometimes not all file ids - associated w/ the session were logged. (Jon Siwek) - - * Fix MHR script's use of fa_file$mime_type before checking if it's - initialized. (Jon Siwek) - -2.2-294 | 2014-03-30 22:08:25 +0200 - - * Rework and move X509 certificate processing from the SSL protocol - analyzer to a dedicated file analyzer. This will allow us to - examine X509 certificates from sources other than SSL in the - future. Furthermore, Bro now parses more fields and extensions - from the certificates (e.g. elliptic curve information, subject - alternative names, basic constraints). Certificate validation also - was improved, should be easier to use and exposes information like - the full verified certificate chain. (Bernhard Amann) - - This update changes the format of ssl.log and adds a new x509.log - with certificate information. Furthermore all x509 events and - handling functions have changed. - -2.2-271 | 2014-03-30 20:25:17 +0200 - - * Add unit tests covering vector/set/table ctors/inits. (Jon Siwek) - - * Fix parsing of "local" named table constructors. (Jon Siwek) - - * Improve type checking of records. Addresses BIT-1159. (Jon Siwek) - -2.2-267 | 2014-03-30 20:21:43 +0200 - - * Improve documentation of Bro clusters. Addresses BIT-1160. - (Daniel Thayer) - -2.2-263 | 2014-03-30 20:19:05 +0200 - - * Don't include locations into serialization when cloning values. - (Robin Sommer) - -2.2-262 | 2014-03-30 20:12:47 +0200 - - * Refactor SerializationFormat::EndWrite and ChunkedIO::Chunk memory - management. (Jon Siwek) - - * Improve SerializationFormat's write buffer growth strategy. (Jon - Siwek) - - * Add --parse-only option to exit after parsing scripts. May be - useful for syntax-checking tools. (Jon Siwek) - -2.2-256 | 2014-03-30 19:57:28 +0200 - - * For the summary statistics framewirk, change all &create_expire - attributes to &read_expire in the cluster part. (Bernhard Amann) - -2.2-254 | 2014-03-30 19:55:22 +0200 - - * Update instructions on how to build Bro docs. (Daniel Thayer) - -2.2-251 | 2014-03-28 08:37:37 -0400 - - * Quick fix to the ElasticSearch writer. (Seth Hall) - -2.2-250 | 2014-03-19 17:20:55 -0400 - - * Improve performance of MHR script by reducing cloned Vals in - a "when" scope. (Jon Siwek) - -2.2-248 | 2014-03-19 14:47:40 -0400 - - * Make SumStats work incrementally and non-blocking in non-cluster - mode, but force it to operate by blocking if Bro is shutting - down. (Seth Hall) - -2.2-244 | 2014-03-17 08:24:17 -0700 - - * Fix compile errror on FreeBSD caused by wrong include file order. - (Bernhard Amann) - -2.2-240 | 2014-03-14 10:23:54 -0700 - - * Derive results of DNS lookups from from input when in BRO_DNS_FAKE - mode. Addresses BIT-1134. (Jon Siwek) - - * Fixing a few cases of undefined behaviour introduced by recent - formatter work. - - * Fixing compiler error. (Robin Sommer) - - * Fixing (very unlikely) double delete in HTTP analyzer when - decapsulating CONNECTs. (Robin Sommer) - -2.2-235 | 2014-03-13 16:21:19 -0700 - - * The Ascii writer has a new option LogAscii::use_json for writing - out logs as JSON. (Seth Hall) - - * Ascii input reader now supports all config options as per-input - stream "config" values. (Seth Hall) - - * Refactored formatters and updated the the writers a bit. (Seth - Hall) - -2.2-229 | 2014-03-13 14:58:30 -0700 - - * Refactoring analyzer manager code to reuse - ApplyScheduledAnalyzers(). (Robin Sommer) - -2.2-228 | 2014-03-13 14:25:53 -0700 - - * Teach async DNS lookup builtin-functions about BRO_DNS_FAKE. - Addresses BIT-1134. (Jon Siwek) - - * Enable fake DNS mode for test suites. - - * Improve analysis of TCP SYN/SYN-ACK reversal situations. (Jon - Siwek) - - - Since it's just the handshake packets out of order, they're no - longer treated as partial connections, which some protocol analyzers - immediately refuse to look at. - - - The TCP_Reassembler "is_orig" state failed to change, which led to - protocol analyzers sometimes using the wrong value for that. - - - Add a unit test which exercises the Connection::FlipRoles() code - path (i.e. the SYN/SYN-ACK reversal situation). - - Addresses BIT-1148. - - * Fix bug in Connection::FlipRoles. It didn't swap address values - right and also didn't consider that analyzers might be scheduled - for the new connection tuple. Reported by Kevin McMahon. Addresses - BIT-1148. (Jon Siwek) - -2.2-221 | 2014-03-12 17:23:18 -0700 - - * Teach configure script --enable-jemalloc, --with-jemalloc. - Addresses BIT-1128. (Jon Siwek) - -2.2-218 | 2014-03-12 17:19:45 -0700 - - * Improve DBG_LOG macro (perf. improvement for --enable-debug mode). - (Jon Siwek) - - * Silences some documentation warnings from Sphinx. (Jon Siwek) - -2.2-215 | 2014-03-10 11:10:15 -0700 - - * Fix non-deterministic logging of unmatched DNS msgs. Addresses - BIT-1153 (Jon Siwek) - -2.2-213 | 2014-03-09 08:57:37 -0700 - - * No longer accidentally attempting to parse NBSTAT RRs as SRV RRs - in DNS analyzer. (Seth Hall) - - * Fix DNS SRV responses and a small issue with NBNS queries and - label length. (Seth Hall) - - - DNS SRV responses never had the code written to actually - generate the dns_SRV_reply event. Adding this required - extending the event a bit to add extra information. SRV responses - now appear in the dns.log file correctly. - - - Fixed an issue where some Microsoft NetBIOS Name Service lookups - would exceed the max label length for DNS and cause an incorrect - "DNS_label_too_long" weird. - -2.2-210 | 2014-03-06 22:52:36 -0500 - - * Improve SSL logging so that connections are logged even when the - ssl_established event is not generated as well as other small SSL - fixes. (Bernhard Amann) - -2.2-206 | 2014-03-03 16:52:28 -0800 - - * HTTP CONNECT proxy support. The HTTP analyzer now supports - handling HTTP CONNECT proxies. (Seth Hall) - - * Expanding the HTTP methods used in the DPD signature to detect - HTTP traffic. (Seth Hall) - - * Fixing removal of support analyzers. (Robin Sommer) - -2.2-199 | 2014-03-03 16:34:20 -0800 - - * Allow iterating over bif functions with result type vector of any. - This changes the internal type that is used to signal that a - vector is unspecified from any to void. Addresses BIT-1144 - (Bernhard Amann) - -2.2-197 | 2014-02-28 15:36:58 -0800 - - * Remove test code. (Robin Sommer) - -2.2-194 | 2014-02-28 14:50:53 -0800 - - * Remove packet sorter. Addresses BIT-700. (Bernhard Amann) - -2.2-192 | 2014-02-28 09:46:43 -0800 - - * Update Mozilla root bundle. (Bernhard Amann) - -2.2-190 | 2014-02-27 07:34:44 -0800 - - * Adjust timings of a few leak tests. (Bernhard Amann) - -2.2-187 | 2014-02-25 07:24:42 -0800 - - * More Google TLS extensions that are being actively used. (Bernhard - Amann) - - * Remove unused, and potentially unsafe, function - ListVal::IncludedInString. (Bernhard Amann) - -2.2-184 | 2014-02-24 07:28:18 -0800 - - * New TLS constants from - https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01. - (Bernhard Amann) - -2.2-180 | 2014-02-20 17:29:14 -0800 - - * New SSL alert descriptions from - https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04. - (Bernhard Amann) - - * Update SQLite. (Bernhard Amann) - -2.2-177 | 2014-02-20 17:27:46 -0800 - - * Update to libmagic version 5.17. Addresses BIT-1136. (Jon Siwek) - -2.2-174 | 2014-02-14 12:07:04 -0800 - - * Support for MPLS over VLAN. (Chris Kanich) - -2.2-173 | 2014-02-14 10:50:15 -0800 - - * Fix misidentification of SOCKS traffic that in particiular seemed - to happen a lot with DCE/RPC traffic. (Vlad Grigorescu) - -2.2-170 | 2014-02-13 16:42:07 -0800 - - * Refactor DNS script's state management to improve performance. - (Jon Siwek) - - * Revert "Expanding the HTTP methods used in the signature to detect - HTTP traffic." (Robin Sommer) - -2.2-167 | 2014-02-12 20:17:39 -0800 - - * Increase timeouts of some unit tests. (Jon Siwek) - - * Fix memory leak in modbus analyzer. Would happen if there's a - 'modbus_read_fifo_queue_response' event handler. (Jon Siwek) - - * Add channel_id TLS extension number. This number is not IANA - defined, but we see it being actively used. (Bernhard Amann) - - * Test baseline updates for DNS change. (Robin Sommer) - -2.2-158 | 2014-02-09 23:45:39 -0500 - - * Change dns.log to include only standard DNS queries. (Jon Siwek) - - * Improve DNS analysis. (Jon Siwek) - - - Fix parsing of empty question sections (when QDCOUNT == 0). In this - case, the DNS parser would extract two 2-byte fields for use in either - "dns_query_reply" or "dns_rejected" events (dependent on value of - RCODE) as qclass and qtype parameters. This is not correct, because - such fields don't actually exist in the DNS message format when - QDCOUNT is 0. As a result, these events are no longer raised when - there's an empty question section. Scripts that depends on checking - for an empty question section can do that in the "dns_message" event. - - - Add a new "dns_unknown_reply" event, for when Bro does not know how - to fully parse a particular resource record type. This helps fix a - problem in the default DNS scripts where the logic to complete - request-reply pair matching doesn't work because it's waiting on more - RR events to complete the reply. i.e. it expects ANCOUNT number of - dns_*_reply events and will wait until it gets that many before - completing a request-reply pair and logging it to dns.log. This could - cause bogus replies to match a previous request if they happen to - share a DNS transaction ID. (Jon Siwek) - - - The previous method of matching queries with replies was still - unreliable in cases where the reply contains no answers. The new code - also takes extra measures to avoid pending state growing too large in - cases where the condition to match a query with a corresponding reply is - never met, but yet DNS messages continue to be exchanged over the same - connection 5-tuple (preventing cleanup of the pending state). (Jon Siwek) - - * Updates to httpmonitor and mimestats documentation. (Jeannette Dopheide) - - * Updates to Logs and Cluster documentation (Jeannette Dopheide) - -2.2-147 | 2014-02-07 08:06:53 -0800 - - * Fix x509-extension test sometimes failing. (Bernhard Amann) - -2.2-144 | 2014-02-06 20:31:18 -0800 - - * Fixing bug in POP3 analyzer. With certain input the analyzer could - end up trying to write to non-writable memory. (Robin Sommer) - -2.2-140 | 2014-02-06 17:58:04 -0800 - - * Fixing memory leaks in input framework. (Robin Sommer) - - * Add script to detect filtered TCP traces. Addresses BIT-1119. (Jon - Siwek) - -2.2-137 | 2014-02-04 09:09:55 -0800 - - * Minor unified2 script documentation fix. (Jon Siwek) - -2.2-135 | 2014-01-31 11:09:36 -0800 - - * Added some grammar and spelling corrections to Installation and - Quick Start Guide. (Jeannette Dopheide) - -2.2-131 | 2014-01-30 16:11:11 -0800 - - * Extend file analysis API to allow file ID caching. This allows an - analyzer to either provide file IDs associated with some file - content or to cache a file ID that was already determined by - script-layer logic so that subsequent calls to the file analysis - interface can bypass costly detours through script-layer. This - can yield a decent performance improvement for analyzers that are - able to take advantage of it and deal with streaming content (like - HTTP, which has been adapted accordingly). (Jon Siwek) - -2.2-128 | 2014-01-30 15:58:47 -0800 - - * Add leak test for Exec module. (Bernhard Amann) - - * Fix file_over_new_connection event to trigger when entire file is - missed. (Jon Siwek) - - * Improve TCP connection size reporting for half-open connections. - (Jon Siwek) - - * Improve gap reporting in TCP connections that never see data. We - no longer accomodate SYN/FIN/RST-filtered traces by not reporting - missing data. The behavior can be reverted by redef'ing - "detect_filtered_trace". (Jon Siwek) - - * Improve TCP FIN retransmission handling. (Jon Siwek) - -2.2-120 | 2014-01-28 10:25:23 -0800 - - * Fix and extend x509_extension() event, which now actually returns - the extension. (Bernhard Amann) - - New event signauture: - - event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info) - -2.2-117 | 2014-01-23 14:18:19 -0800 - - * Fixing initialization context in anonymous functions. (Robin - Sommer) - -2.2-115 | 2014-01-22 12:11:18 -0800 - - * Add unit tests for new Bro Manual docs. (Jon Siwek) - - * New content for the "Using Bro" section of the manual. (Rafael - Bonilla/Jon Siwek) - -2.2-105 | 2014-01-20 12:16:48 -0800 - - * Support GRE tunnel decapsulation, including enhanced GRE headers. - GRE tunnels are treated just like IP-in-IP tunnels by parsing past - the GRE header in between the delivery and payload IP packets. - Addresses BIT-867. (Jon Siwek) - - * Simplify FragReassembler memory management. (Jon Siwek) - -2.2-102 | 2014-01-20 12:00:29 -0800 - - * Include file information (MIME type and description) into notice - emails if available. (Justin Azoff) - -2.2-100 | 2014-01-20 11:54:58 -0800 - - * Fix caching of recently validated SSL certifcates. (Justin Azoff) - -2.2-98 | 2014-01-20 11:50:32 -0800 - - * For notice suppresion, instead of storing the entire notice in - Notice::suppressing, just store the time the notice should be - suppressed until. This saves significant memory but can no longer - raise end_suppression, which has been removed. (Justin Azoff) - -2.2-96 | 2014-01-20 11:41:07 -0800 - - * Integrate libmagic 5.16. Bro now now always relies on - builtin/shipped magic library/database. (Jon Siwek) - - * Bro now requires a CMake 2.8.x, but no longer a pre-installed - libmagic. (Jon Siwek) - -2.2-93 | 2014-01-13 09:16:51 -0800 - - * Fixing compile problems with some versions of libc++. Reported by - Craig Leres. (Robin Sommer) - -2.2-91 | 2014-01-13 01:33:28 -0800 - - * Improve GeoIP City database support. When trying to open a city - database, it now considers both the "REV0" and "REV1" versions of - the city database instead of just the former. (Jon Siwek) - - * Broxygen init fixes. Addresses BIT-1110. (Jon Siwek) - - - Don't check mtime of bro binary if BRO_DISABLE_BROXYGEN env var set. - - - Fix failure to locate bro binary if invoking from a relative - path and '.' isn't in PATH. - - * Fix for packet writing to make it use the global snap length. - (Seth Hall) - - * Fix for traffic with TCP segmentation offloading with IP header - len field being set to zero. (Seth Hall) - - * Canonify output of a unit test. (Jon Siwek) - - * A set of documentation updates. (Daniel Thayer) - - - Fix typo in Bro 2.2 NEWS on string indexing. - - Fix typo in the Quick Start Guide, and clarified the - instructions about modifying crontab. - - Add/fix documentation for missing/misnamed event parameters. - - Fix typos in BIF documentation of hexstr_to_bytestring. - - Update the documentation of types and attributes. - - Documented the new substring extraction functionality. - - Clarified the description of "&priority" and "void". - -2.2-75 | 2013-12-18 08:36:50 -0800 - - * Fixing segfault with mismatching set &default in record fields. - (Robin Sommer) - -2.2-74 | 2013-12-16 08:49:55 -0800 - - * Improve warnings emitted from raw/execute input reader. (Jon - Siwek) - - * Further improve core.when-interpreter-exceptions unit test. (Jon - Siwek) - -2.2-72 | 2013-12-12 07:12:47 -0800 - - * Improve the core.when-interpreter-exceptions unit test to prevent - it from occasionally timing out. (Jon Siwek) - -2.2-70 | 2013-12-10 15:02:50 -0800 - - * Fix (harmless) uninitialized field in basename/dirname util - wrapper. (Jon Siwek) - -2.2-68 | 2013-12-09 15:19:37 -0800 - - * Several improvements to input framework error handling for more - robustness and more helpful error messages. Includes tests for - many cases. (Bernhard Amann) - -2.2-66 | 2013-12-09 13:54:16 -0800 - - * Fix table &default reference counting for record ctor expressions. - (Jon Siwek) - - * Close signature files after done parsing. (Jon Siwek) - - * Fix unlikely null ptr deref in broxygen::Manager. (Jon Siwek) - - * FreeBSD build fix addendum: unintended variable shadowing. (Jon - Siwek) - - * Fix build on FreeBSD. basename(3)/dirname(3) const-ness may vary - w/ platform. (Jon Siwek) - - * Updated software framework to support parsing IE11 user-agent - strings. (Seth Hall) - - * Fix the irc_reply event for several server message types. (Seth - Hall) - - * Fix memory leak in input framework. If the input framework was - used to read event streams and those streams contained records - with more than one field, not all elements of the threading Values - were cleaned up. Addresses BIT-1103. (Bernhard Amann) - - * Minor Broxygen improvements. Addresses BIT-1098. (Jon Siwek) - -2.2-51 | 2013-12-05 07:53:37 -0800 - - * Improve a unit test involving 'when' conditionals. (Jon Siwek) - -2.2-48 | 2013-12-04 13:45:47 -0800 - - * Support omission of string slice low/high indices, BIT-1097. - - Omission of the low index defaults to 0: - - s = "12345"; s[:3] == "123" - - Omission of the high index defaults to length of the string: - - s = "12345"; s[3:] == "45" (Jon Siwek) - - * Tweak to SMTP script to adjust for new string slicing behaviour. - (Robin Sommer) - - * Test updates. (Robin Sommer) - -2.2-44 | 2013-12-04 12:41:51 -0800 - - * Fix string slice notation. Addresses BIT-1097. (Jon Siwek) - - Slice ranges were not correctly determined for negative indices - and also off by one in general (included one more element at the - end of the substring than what actually matched the index range). - It's now equivalent to Python slice notation. Accessing a string - at a single index is also the same as Python except that an - out-of-range index returns an empty string instead of throwing an - expection. - -2.2-41 | 2013-12-04 12:40:51 -0800 - - * Updating tests. (Robin Sommer) - -2.2-40 | 2013-12-04 12:16:38 -0800 - - * ssl_client_hello() now receives a vector of ciphers, instead of a - set, to preserve their order. (Bernhard Amann) - -2.2-38 | 2013-12-04 12:10:54 -0800 - - * New script misc/dump-events.bro, along with core support, that - dumps events Bro is raising in an easily readable form for - debugging. (Robin Sommer) - - * Prettyfing Describe() for record types. If a record type has a - name and ODesc is set to short, we now print the name instead of - the full field list. (Robin Sommer) - -2.2-35 | 2013-12-04 10:10:32 -0800 - - * Rework the automated script-reference documentation generation - process, broxygen. Addresses BIT-701 and BIT-751. (Jon Siwek) - - Highlights: - - - Remove --doc-scripts and -Z options to toggle documentation - mode. The parser is now always instrumented to gather - documentation from comments of the form "##", "##!", or - "##<". - - - Raw comments are available at runtime through several BIF - functions: get_*_comments; - - - Add --broxygen and -X options to toggle generating - reST-format documentation output, driven by a config file - argument. - - - Add a "broxygen" Sphinx extension domain, allowing certain - pieces of documentation to be generated on-the-fly via - invoking a Bro process. Re-organized/cleaned up the Sphinx - source tree in doc/ to use this in some places. - -2.2-11 | 2013-12-03 10:56:28 -0800 - - * Unit test for broccoli vector support. (Jon Siwek) - - * Changed ordering of Bro type tag enum, which was out of sync. (Jon - Siwek) - -2.2-9 | 2013-11-18 14:03:21 -0800 - - * Update local.bro for Bro >= 2.2. The commented out Notice::policy - example didn't work anymore. (Daniel Thayer) - -2.2-6 | 2013-11-15 07:05:15 -0800 - - * Make "install-example-configs" target use DESTDIR. (Jon Siwek) - -2.2-5 | 2013-11-11 13:47:54 -0800 - - * Fix the irc_reply event for certain server message types. (Seth - Hall) - - * Fixed Segmentation fault in SQLite Writer. (Jon Crussell) - -2.2 | 2013-11-07 10:25:50 -0800 - - * Release 2.2. - - * Removing location information from ssh.log in external tests. - (Robin Sommer) - -2.2-beta-199 | 2013-11-07 00:36:46 -0800 - - * Fixing warnings during doc build. (Robin Sommer) - -2.2-beta-198 | 2013-11-06 22:54:30 -0800 - - * Update docs and tests for a recent change to detect-MHR.bro - (Daniel Thayer) - - * Update tests and baselines for sumstats docs. (Daniel Thayer) - -2.2-beta-194 | 2013-11-06 14:39:50 -0500 - - * Remove resp_size from the ssh log. Refactor when we write out to - the log a bit. Geodata now works reliably. (Vlad Grigorescu) - - * Update VirusTotal URL to work with changes to their website and - changed it to a redef. (Vlad Grigorescu) - - * Added a document for the SumStats framework. (Seth Hall) - -2.2-beta-184 | 2013-11-03 22:53:42 -0800 - - * Remove swig-ruby from required packages section of install doc. - (Daniel Thayer) - -2.2-beta-182 | 2013-11-01 05:26:05 -0700 - - * Adding source and original copyright statement to Mozilla cert - list. (Robin Sommer) - - * Canonfying an intel test to not depend on output order. (Robin - Sommer) - -2.2-beta-177 | 2013-10-30 04:54:54 -0700 - - * Fix thread processing/termination conditions. (Jon Siwek) - -2.2-beta-175 | 2013-10-29 09:30:09 -0700 - - * Return the Dir module to file name tracking instead of inode - tracking to avoid missing files that reuse a formerly seen inode. - (Seth Hall) - - * Deprecate Broccoli Ruby bindings and no longer build them by - default; use --enable-ruby to do so. (Jon Siwek) - -2.2-beta-167 | 2013-10-29 06:02:38 -0700 - - * Change percent_lost in capture-loss from a string to a double. - (Vlad Grigorescu) - - * New version of the threading queue deadlock fix. (Robin Sommer) - - * Updating README with download/git information. (Robin Sommer) - -2.2-beta-161 | 2013-10-25 15:48:15 -0700 - - * Add curl to list of optional dependencies. It's used by the - active-http.bro script. (Daniel Thayer) - - * Update test and baseline for a recent doc test fix. (Daniel - Thayer) - -2.2-beta-158 | 2013-10-25 15:05:08 -0700 - - * Updating README with download/git information. (Robin Sommer) - -2.2-beta-157 | 2013-10-25 11:11:17 -0700 - - * Extend the documentation of the SQLite reader/writer framework. - (Bernhard Amann) - - * Fix inclusion of wrong example file in scripting tutorial. - Reported by Michael Auger @LM4K. (Bernhard Amann) - - * Alternative fix for the thrading deadlock issue to avoid potential - performance impact. (Bernhard Amann) - -2.2-beta-152 | 2013-10-24 18:16:49 -0700 - - * Fix for input readers occasionally dead-locking. (Robin Sommer) - -2.2-beta-151 | 2013-10-24 16:52:26 -0700 - - * Updating submodule(s). - -2.2-beta-150 | 2013-10-24 16:32:14 -0700 - - * Change temporary ASCII reader workaround for getline() on - Mavericks to permanent fix. (Bernhard Amann) - -2.2-beta-148 | 2013-10-24 14:34:35 -0700 - - * Add gawk to list of optional packages. (Daniel Thayer) - - * Add more script package README files. (Daniel Thayer) - - * Add NEWS about new features of BroControl and upgrade info. - (Daniel Thayer) - - * Intel framework notes added to NEWS. (Seth Hall) - - * Temporary OSX Mavericks libc++ issue workaround for getline() - problem in ASCII reader. (Bernhard Amann) - - * Change test of identify_data BIF to ignore charset as it may vary - with libmagic version. (Jon Siwek) - - * Ensure that the starting BPF filter is logged on clusters. (Seth - Hall) - - * Add UDP support to the checksum offload detection script. (Seth - Hall) - -2.2-beta-133 | 2013-10-23 09:50:16 -0700 - - * Fix record coercion tolerance of optional fields. (Jon Siwek) - - * Add NEWS about incompatible local.bro changes, addresses BIT-1047. - (Jon Siwek) - - * Fix minor formatting problem in NEWS. (Jon Siwek) - -2.2-beta-129 | 2013-10-23 09:47:29 -0700 - - * Another batch of documentation fixes and updates. (Daniel Thayer) - -2.2-beta-114 | 2013-10-18 14:17:57 -0700 - - * Moving the SQLite examples into separate Bro files to turn them - into sphinx-btest tests. (Robin Sommer) - -2.2-beta-112 | 2013-10-18 13:47:13 -0700 - - * A larger chunk of documentation fixes and cleanup. (Daniel Thayer) - - Apart from many smaller improves this includes in particular: - - * Add README files for most Bro frameworks and base/protocols. - * Add README files for base/protocols. - * Update installation instructions. - * Improvements to file analysis docs and conversion to using - btest sphinx. - -2.2-beta-80 | 2013-10-18 13:18:05 -0700 - - * SQLite reader/writer documentation. (Bernhard Amann) - - * Check that the SQLite reader is only used in MANUAL reading mode. - (Bernhard Amann) - - * Rename the SQLite writer "dbname" configuration option to - "tablename". (Bernhard Amann) - - * Remove the "dbname" configuration option from the SQLite reader as - it wasn't used there. (Bernhard Amann) - -2.2-beta-73 | 2013-10-14 14:28:25 -0700 - - * Fix misc. Coverity-reported issues (leaks, potential null pointer - deref, dead code, uninitialized values, - time-of-check-time-of-use). (Jon Siwek) - - * Add check for sqlite3 command to tests that require it. (Daniel - Thayer) - -2.2-beta-68 | 2013-10-14 09:26:09 -0700 - - * Add check for curl command to active-http.test. (Daniel Thayer) - -2.2-beta-64 | 2013-10-14 09:20:04 -0700 - - * Review usage of Reporter::InternalError, addresses BIT-1045. - - Replaced some with InternalWarning or AnalyzerError, the later - being a new method which signals the analyzer to not process - further input. (Jon Siwek) - - * Add new event for TCP content file write failures: - "contents_file_write_failure". (Jon Siwek) - -2.2-beta-57 | 2013-10-11 17:23:25 -0700 - - * Improve Broxygen end-of-sentence detection. (Jon Siwek) - -2.2-beta-55 | 2013-10-10 13:36:38 -0700 - - * A couple of new TLS extension numbers. (Bernhard Amann) - - * Suport for three more new TLS ciphers. (Bernhard Amann) - - * Removing ICSI notary from default site config. (Robin Sommer) - -2.2-beta-51 | 2013-10-07 17:33:56 -0700 - - * Polishing the reference and scripting sections of the manual. - (Robin Sommer) - - * Fixing the historical CHANGES record. (Robin Sommer) - - * Updating copyright notice. (Robin Sommer) - -2.2-beta-38 | 2013-10-02 11:03:29 -0700 - - * Fix uninitialized (or unused) fields. (Jon Siwek) - - * Remove logically dead code. (Jon Siwek) - - * Remove dead/unfinished code in unary not expression. (Jon Siwek) - - * Fix logic for failed DNS TXT lookups. (Jon Siwek) - - * A couple null ptr checks. (Jon Siwek) - - * Improve return value checking and error handling. (Jon Siwek) - - * Remove unused variable assignments. (Jon Siwek) - - * Prevent division/modulo by zero in scripts. (Jon Siwek) - - * Fix unintentional always-false condition. (Jon Siwek) - - * Fix invalidated iterator usage. (Jon Siwek) - - * Fix DNS_Mgr iterator mismatch. (Jon Siwek) - - * Set safe umask when creating script profiler tmp files. (Jon Siwek) - - * Fix nesting/indent level whitespace mismatch. (Jon Siwek) - - * Add checks to avoid improper negative values use. (Jon Siwek) - -2.2-beta-18 | 2013-10-02 10:28:17 -0700 - - * Add support for further TLS cipher suites. (Bernhard Amann) - -2.2-beta-13 | 2013-10-01 11:31:55 -0700 - - * Updating bifcl usage message. (Robin Sommer) - - * Fix bifcl getopt() usage. (Jon Siwek) - -2.2-beta-8 | 2013-09-28 11:16:29 -0700 - - * Fix a "make doc" warning. (Daniel Thayer) - -2.2-beta-4 | 2013-09-24 13:23:30 -0700 - - * Fix for setting REPO in Makefile. (Robin Sommer) - - * Whitespace fix. (Robin Sommer) - - * Removing :doc: roles so that we can render this with docutils - directly. (Robin Sommer) - -2.2-beta | 2013-09-23 20:57:48 -0700 - - * Update 'make dist' target. (Jon Siwek) - -2.1-1387 | 2013-09-23 11:54:48 -0700 - - * Change submodules to fixed URL. (Jon Siwek) - - * Updating NEWS. (Robin Sommer) - - * Fixing an always false condition. (Robin Sommer) - - * Fix required for compiling with clang 3.3. (Robin Sommer) - -2.1-1377 | 2013-09-20 14:38:15 -0700 - - * Updates to the scripting introduction. (Scott Runnels) - - * Kill raw input reader's child by process group to reliably clean - it up. (Jon Siwek) - -2.1-1368 | 2013-09-19 20:07:57 -0700 - - * Add more links in the GeoLocation document (Daniel Thayer) - -2.1-1364 | 2013-09-19 15:12:08 -0700 - - * Add links to Intelligence Framework documentation. (Daniel Thayer) - - * Update Mozilla root CA list. (Bernhard Amann, Jon Siwek) - - * Update documentation of required packages. (Daniel Thayer) - -2.1-1359 | 2013-09-18 15:01:50 -0700 - - * Make client and server random available on script-level. Addresses - BIT-950. (Eric Wustrow) - -2.1-1357 | 2013-09-18 14:58:52 -0700 - - * Update HLL API and its documentation. (Bernhard Amann) - - * Fix case in HLL where hll_error_margin could be undefined. - (Bernhard Amann) - -2.1-1352 | 2013-09-18 14:42:28 -0700 - - * Fix a number of compiler warnings. (Daniel Thayer) - - * Fix cmake warning about ENABLE_PERFTOOLS not being used. (Daniel - Thayer) - -2.1-1344 | 2013-09-16 16:20:55 -0500 - - * Refactor Analyzer::AddChildAnalyzer and usages. (Jon Siwek) - - * Minor refactor to SSL BinPAC grammer. (Jon Siwek) - - * Minor refactor to Broxygen enum comments. (Jon Siwek) - - * Fix possible (unlikely) use of uninitialized value. (Jon Siwek) - - * Fix/improve dereference-before-null-checks. (Jon Siwek) - - * Fix out-of-bounds memory accesses, and remove a - variable-length-array usage. (Jon Siwek) - - * Fix potential mem leak. (Jon Siwek) - - * Fix double-free and deallocator mismatch. (Jon Siwek) - - * Fix another function val reference counting bug. (Jon Siwek) - -2.1-1335 | 2013-09-12 16:13:53 -0500 - - * Documentation fixes (Daniel Thayer, Jon Siwek) - - * Fix various potential memory leaks. (Jon Siwek) - - * Fix significant memory leak in function unserialization. (Jon Siwek) - - * Fix use-after-free and invalid/mismatch deallocator bugs. (Jon Siwek) - - * Fixed an issue with the HLL_UNIQUE SumStats plugin that caused a reporter error. (Seth Hall) - - * Make the notice $actions field have a default empty set to avoid having to check for it's presence. (Seth Hall) - - * Fix signatures that use identifiers of type table. (Jon Siwek) - - * Fix memory leak if a DNS request fails to be made. (Jon Siwek) - - * Fix memory leak in DNS TXT lookups. (Jon Siwek) - - * Fix raw execution input reader's signal blocking which resulted in lingering processes. (Jon Siwek) - -2.1-1306 | 2013-08-31 16:06:05 -0700 - - * Reorganized and signifcantly extended documentation. This includes - two new chapters contributed by Scott Runnels. - -2.1-1216 | 2013-08-31 10:39:40 -0700 - - - * Support for probabilistic set cardinality, using the HyperLogLog - algorithm. (Bernhard Amann, Soumya Basu) - - Bro now provides the following BiFs: - - hll_cardinality_init(err: double, confidence: double): opaque of cardinality - hll_cardinality_add(handle: opaque of cardinality, elem: any): bool - hll_cardinality_merge_into(handle1: opaque of cardinality, handle2: opaque of cardinality): bool - hll_cardinality_estimate(handle: opaque of cardinality): double - hll_cardinality_copy(handle: opaque of cardinality): opaque of cardinality - -2.1-1154 | 2013-08-30 08:27:45 -0700 - - * Fix global opaque val segfault. Addresses BIT-1071. (Jon Siwek) - - * Fix malloc/delete mismatch. (Jon Siwek) - - * Fix invalid pointer dereference in AsciiFormatter. (Jon Siwek) - -2.1-1150 | 2013-08-29 13:43:01 -0700 - - * Fix input framework memory leaks. (Jon Siwek) - - * Fix memory leak in SOCKS analyzer for bad addr types. (Jon Siwek) - - * Fix Bloom filter memory leaks. (Jon Siwek) - -2.1-1144 | 2013-08-28 18:51:06 -0700 - - * Add bits_per_uid unit test. Addresses BIT-1016. (Jon Siwek) - - * UID optimizations. Addresses BIT-1016. (Jon Siwek) - - * Added a $unique_max field to Reducers for the SumStats::UNIQUE - calculation, and using the new option in scan.bro and the FTP - bruteforce detection. (Seth Hall) - -2.1-1137 | 2013-08-27 13:26:44 -0700 - - * Add BiF hexstr_to_bytestring() that does exactly the opposite of - bytestring_to_hexstr(). (Bernhard Amann) - -2.1-1135 | 2013-08-27 12:16:26 -0700 - - * More SumStats fixes. (Seth Hall) - - * Increase UIDs to 96 bits. (Jon Siwek) - - - The bit-length is adjustable via redef'ing bits_per_uid. - - - Prefix 'C' is added to connection UIDS (including IP tunnels) - and 'F' to files. - - Addresses BIT-1016. - -2.1-1128 | 2013-08-24 10:27:29 -0700 - - * Remove code relict in input framework. (Jon Siwek) - - * Fix documentation for mkdir BIF. (Jon Siwek) - - * File extraction tweaks. (Jon Siwek) - - - Default extraction limit of 100MB now provided via a tuning - script loaded in local.bro so that command-line Bro is unlimited - by default. - - - Extraction directory is now created on request of file - extraction rather than unconditionally in bro_init(). (Jon - Siwek) - -2.1-1124 | 2013-08-23 16:33:52 -0700 - - * Fixed a number of object bugs DNP3 analyzer. (Hui Lin) - -2.1-1122 | 2013-08-22 16:52:27 -0700 - - * Use macros to create file analyzer plugin classes. (Jon Siwek) - - * Add options to limit extracted file sizes w/ 100MB default. (Jon - Siwek) - -2.1-1117 | 2013-08-22 08:44:12 -0700 - - * A number of input framework fixes and corresponding test stability - improvements. (Jon Siwek) - - * Make memory leak tests able to time out. (Jon Siwek) - - * Fix a compiler warning regarding strncat misuse. (Jon Siwek) - -2.1-1103 | 2013-08-21 19:11:34 -0400 - - * A number of sumstats fixes. (Seth Hall, Vlad Grigorescu) - - * Fix memory leak w/ when statements. Addresses BIT-1058. (Jon - Siwek) - - * Switching to relative submodule paths (Robin Sommer) - -2.1-1089 | 2013-08-19 11:25:11 -0700 - - * Fix bloom filters' dependence on size_t. (Jon Siwek, Matthias - Vallentin). - -2.1-1081 | 2013-08-19 11:19:33 -0700 - - * New BiF levenshtein_distance() to compute the Levenshtein distance - between two strings. (Anthony Kasza) - -2.1-1078 | 2013-08-19 09:29:30 -0700 - - * Moving sqlite code into new external 3rdparty submodule. (Bernhard - Amann) - -2.1-1074 | 2013-08-14 10:29:54 -0700 - - * Fix timer type enum and timer name array mismatch. (Jon Siwek) - -2.1-1072 | 2013-08-14 10:28:51 -0700 - - * Adding the unified2 analyzer that reads unified2 files from disk, - turning them into events. (Seth Hall) - - * Fixing intel framework tests. (Seth Hall) - -2.1-1059 | 2013-08-13 23:52:41 -0400 - - * Add file name support to intel framework. (Seth Hall) - - * Add file support to intel framework and slightly restructure - intel http handling. (Seth Hall) - -2.1-1052 | 2013-08-12 14:38:14 -0700 - - * Fixing bug in DNP3 analyzer flagged by compiler warning. (Robin - Sommer) - -2.1-1050 | 2013-08-12 11:37:44 -0700 - - * Experimental DNP3 analyzer. This includes only very basic - script-level support at the moment, but quite a number of events - are provided. (Hui Lin, Robin Sommer) - -2.1-1041 | 2013-08-09 15:32:22 -0700 - - * Update coverage baselines for canonical load order of scripts. - (Jon Siwek) - -2.1-1039 | 2013-08-09 15:30:15 -0700 - - * Fix mem leak in DHCP analyzer. (Jon Siwek) - - * Fix a unit test outdated by recent sumstats changes. (Jon Siwek) - -2.1-1036 | 2013-08-05 17:29:11 -0400 - - * Fix the SSL infinite loop I just created. (Seth Hall) - -2.1-1035 | 2013-08-05 16:44:50 -0400 - - * Change to SSL log delay to cause the log to write even if delay times out. (Seth Hall) - -2.1-1034 | 2013-08-03 20:27:43 -0700 - - * A set of DHCP extensions. (Vlad Grigorescu) - - - Leases are logged to dhcp.log as they are seen. - - scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro - - Added DPD sig. - -2.1-1027 | 2013-08-03 01:57:37 -0400 - - * Fix a major memory issue in the SumStats framework. - -2.1-1026 | 2013-08-02 22:35:09 -0400 - - * Fix the SumStats top-k plugin and test. (Seth Hall) - - * Rework of SumStats API to reduce high instantaneous memory - use on clusters. (Seth Hall) - - * Large update for the SumStats framework. - - - On-demand access to sumstats results through "return from" - functions named SumStats::request and Sumstats::request_key. - Both functions are tested in standalone and clustered modes. - - - $name field has returned to SumStats which simplifies cluster - code and makes the on-demand access stuff possible. - - - Clustered results can only be collected for 1 minute from their - time of creation now instead of time of last read. - - - Thresholds use doubles instead of counts everywhere now. - - - Calculation dependency resolution occurs at start up time now - instead of doing it at observation time which provide a minor - cpu performance improvement. A new plugin registration mechanism - was created to support this change. - - - AppStats now has a minimal doc string and is broken into hook-based - plugins. - - - AppStats and traceroute detection added to local.bro (Seth Hall) - -2.1-1009 | 2013-08-02 17:19:08 -0700 - - * A number of exec module and raw input reader fixes. (Jon Siwek) - -2.1-1007 | 2013-08-01 15:41:54 -0700 - - * More function documentation. (Bernhard Amann) - -2.1-1004 | 2013-08-01 14:37:43 -0700 - - * Adding a probabilistic data structure for computing "top k" - elements. (Bernhard Amann) - - The corresponding functions are: - - topk_init(size: count): opaque of topk - topk_add(handle: opaque of topk, value: any) - topk_get_top(handle: opaque of topk, k: count) - topk_count(handle: opaque of topk, value: any): count - topk_epsilon(handle: opaque of topk, value: any): count - topk_size(handle: opaque of topk): count - topk_sum(handle: opaque of topk): count - topk_merge(handle1: opaque of topk, handle2: opaque of topk) - topk_merge_prune(handle1: opaque of topk, handle2: opaque of topk) - -2.1-971 | 2013-08-01 13:28:32 -0700 - - * Fix some build errors. (Jon Siwek) - - * Internal refactoring of how plugin components are tagged/managed. - (Jon Siwek) - - * Fix various documentation, mostly related to file analysis. (Jon - Siwek) - - * Changing the Bloom filter hashing so that it's independent of - CompositeHash. (Robin Sommer) - -2.1-951 | 2013-08-01 11:19:23 -0400 - - * Small fix to deal with a bug in the SSL log delay mechanism. - -2.1-948 | 2013-07-31 20:08:28 -0700 - - * Fix segfault caused by merging an empty bloom-filter with a - bloom-filter already containing values. (Bernhard Amann) - -2.1-945 | 2013-07-30 10:05:10 -0700 - - * Make hashers serializable. (Matthias Vallentin) - - * Add docs and use default value for hasher names. (Matthias - Vallentin) - -2.1-939 | 2013-07-29 15:42:38 -0700 - - * Added Exec, Dir, and ActiveHTTP modules. (Seth Hall) - - base/utils/exec.bro provides a module to start external processes - asynchronously and retrieve their output on termination. - base/utils/dir.bro uses it to monitor a directory for changes, and - base/utils/active-http.bro for providing an interface for querying - remote web servers. - -2.1-930 | 2013-07-29 15:06:07 -0700 - - * Major file analysis overhaul in naming and appearance, along with - fixes and test updates. (Seth Hall and Jon Siwek) - - Includes: - - * Added protocol description functions that provide a super - compressed log representation. (Seth Hall) - - * Added mime types to http.log (Seth Hall) - - * Add jar files to the default MHR lookups. (Seth Hall) - - * Adding CAB files for MHR checking. (Seth Hall) - - * Improve malware hash registry script. - - - Include a link to a virustotal search in the notice sub message field. - - Give all information returned from Team Cymru in the notice message. - - Add more file types to match on to the default set. - - * Make the custom libmagic database a git submodule. - - * Add an is_orig parameter to file_over_new_connection event. - - * Recorrected the module name to Files. - - * Added Files::analyzer_name to get a more readable name for a - file analyzer. - - * Improved and just overall better handled multipart mime - transfers in HTTP and SMTP. HTTP now has orig_fuids and - resp_fuids log fields since multiple "files" can be transferred - with multipart mime in a single request/response pair. SMTP has - an fuids field which has file unique IDs for all parts - transferred. FTP and IRC have a log field named fuid added - because only a single file can be transferred per irc and ftp - log line. - -2.1-895 | 2013-07-29 14:07:35 -0700 - - * Adding a test for a DNSKEY RR. (Robin Sommer) - -2.1-894 | 2013-07-29 16:44:41 -0400 - - * Updates for the Intel Framework. (Seth Hall) - - - policy/frameworks/intel/seen is the new location for the - scripts that push data into the intel framework for checking. - - - The new policy/frameworks/intel/do_notice script adds an - example mechanism for data driven notices. - - - Remove the Intel insertion after heuristically detecting SSH - bruteforcing. - - - Intel importing format has changed (refer to docs). - - - All string matching is now case insensitive. - - - SMTP intel script has been updated to extract email - addresses correctly. - - - Small fix sneaking into the smtp base script to actually - extract individual email addresses in the To: field - correctly. - - -2.1-888 | 2013-07-25 12:02:41 -0700 - - * Protection about broken traces with empty pcap headers. (Matt - Thompson) - -2.1-887 | 2013-07-25 11:33:27 -0700 - - * Support for Bloom filter. (Matthias Vallentin) - - Bro now provides the following BiFs: - - bloomfilter_basic_init(fp: double, capacity: count, name: string &default=""): opaque of bloomfilter - bloomfilter_counting_init(k: count, cells: count, max: count, name: string &default=""): opaque of bloomfilter - bloomfilter_add(bf: opaque of bloomfilter, x: any) - bloomfilter_lookup(bf: opaque of bloomfilter, x: any): count - bloomfilter_merge(bf1: opaque of bloomfilter, bf2: opaque of bloomfilter): opaque of bloomfilter - bloomfilter_clear(bf: opaque of bloomfilter) - - Note that currently Bloom filters from separate Bro instances - (e.g., from different cluster nodes) cannot be merged. - -2.1-826 | 2013-07-25 10:12:26 -0700 - - * bif files declared with bif_target() are now automatically - compiled in. No more manual includes to pull them in. (Robin - Sommer) - - * Covenience make target in testing/btest to update the three - coverage tests that usually need tweaking when scripts get - added/removed. (Robin Sommer) - -2.1-824 | 2013-07-22 14:25:14 -0400 - - * Fixed a scriptland state issue that manifested especially badly on proxies. (Seth Hall) - - * Another test fix. (Robin Sommer) - - * Canonyfying the output of core.print-bpf-filters. (Robin Sommer) - -2.1-820 | 2013-07-18 12:30:04 -0700 - - * Extending external canonifier to remove fractional values from - capture_loss.log. (Robin Sommer) - - * Canonifying internal order for plugins and their components to - make it deterministic. (Robin Sommer) - - * Small raw reader tweaks that got left our earlier. (Robin Sommer) - -2.1-814 | 2013-07-15 18:18:20 -0700 - - * Fixing raw reader crash when accessing nonexistant file, and - memory leak when reading from file. Addresses #1038. (Bernhard - Amann) - -2.1-811 | 2013-07-14 08:01:54 -0700 - - * Bump sqlite to 3.7.17. (Bernhard Amann) - - * Small test fixes. (Seth Hall) - - * Fix a bug where the same analyzer tag was reused for two different - analyzers. (Seth Hall) - - * Moved DPD signatures into script specific directories. Left out - the BitTorrent signatures pending further updates to that - analyzer. (Seth Hall) - -2.1-802 | 2013-07-10 10:55:14 -0700 - - * Const adjustment for methods. (Jon Siwek) - -2.1-798 | 2013-07-08 13:05:37 -0700 - - * Rewrite of the packet filter framework. (Seth Hall) - - This includes: - - - Plugin interface for adding filtering mechanisms. - - - Integrated the packet filter framework with the analyzer - framework to retrieve well-known ports from there. - - - Support for BPF-based load balancing (IPv4 and IPv6). This will - tie in with upcoming BroControl support for configuring this. - - - Support for BPF-based connection sampling. - - - Support for "shunting" traffic with BPF filters. - - - Replaced PacketFilter::all_packets with - PacketFilter::enable_auto_protocol_capture_filters. - -2.1-784 | 2013-07-04 22:28:48 -0400 - - * Add a call to lookup_connection in SSH scripts to update connval. (Seth Hall) - - * Updating submodule(s). (Robin Sommer) - -2.1-782 | 2013-07-03 17:00:39 -0700 - - * Remove the SSL log queueing mechanism that was included with the - log delay mechanism. (Seth Hall) - -2.1-780 | 2013-07-03 16:46:26 -0700 - - * Rewrite of the RAW input reader for improved robustness and new - features. (Bernhard Amann) This includes: - - - Send "end_of_data" event for all kind of streams. - - Send "process_finished" event with exit code of child - process at process termination. - - Expose name of input stream to readers. - - Better error handling. - - New "force_kill" option which SIGKILLs processes on reader termination. - - Supports reading from stdout and stderr simultaneously. - - Support sending data to stdin of child process. - - Streaming reads from external commands work without blocking. - -2.1-762 | 2013-07-03 16:33:22 -0700 - - * Fix to correct support for TLS 1.2. Addresses #1020. (Seth Hall, - with help from Rafal Lesniak). - -2.1-760 | 2013-07-03 16:31:36 -0700 - - * Teach broxygen to generate protocol analyzer plugin reference. - (Jon Siwek) - - * Adding 'const' to a number of C++ methods. (Jon Siwek) - -2.1-757 | 2013-07-03 16:28:10 -0700 - - * Fix redef of table index from clearing table. - - `redef foo["x"] = 1` now acts like `redef foo += { ["x"] = 1 }` - instead of `redef foo = { ["x"] = 1 }`. - - Addresses #1013. (Jon Siwek) - - -2.1-755 | 2013-07-03 16:22:43 -0700 - - * Add a general file analysis overview/how-to document. (Jon Siwek) - - * Improve file analysis doxygen comments. (Jon Siwek) - - * Improve tracking of HTTP file extraction. http.log now has files - taken from request and response bodies in different fields for - each, and can now track multiple files per body. That is, the - "extraction_file" field is now "extracted_request_files" and - "extracted_response_files". Addresses #988. (Jon Siwek) - - * Fix HTTP multipart body file analysis. Each part now gets assigned - a different file handle/id. (Jon Siwek) - - * Remove logging of analyzers field of FileAnalysis::Info. (Jon - Siwek) - - * Remove extraction counter in default file extraction scripts. (Jon - Siwek) - - * Remove FileAnalysis::postpone_timeout. - FileAnalysis::set_timeout_interval can now perform same function. - (Jon Siwek) - - * Make default get_file_handle handlers &priority=5 so they're - easier to override. (Jon Siwek) - - * Add input interface to forward data for file analysis. The new - Input::add_analysis function is used to automatically forward - input data on to the file analysis framework. (Jon Siwek) - - * File analysis framework interface simplifications. (Jon Siwek) - - - Remove script-layer data input interface (will be managed directly - by input framework later). - - - Only track files internally by file id hash. Chance of collision - too small to justify also tracking unique file string. - - -2.1-741 | 2013-06-07 17:28:50 -0700 - - * Fixing typo that could cause an assertion to falsely trigger. - (Robin Sommer) - -2.1-740 | 2013-06-07 16:37:32 -0700 - - * Fix for CMake 2.6.x. (Robin Sommer) - -2.1-738 | 2013-06-07 08:38:13 -0700 - - * Remove invalid free on non-allocated pointer in hash function - object. Addresses #1018. (Matthias Vallentin) - -2.1-736 | 2013-06-06 10:05:20 -0700 - - * New "magic constants" @DIR and @FILENAME that expand to the - directory path of the current script and just the script file name - without path, respectively. (Jon Siwek) - -2.1-731 | 2013-06-04 21:19:08 -0700 - - * Reorginization of internal protocol analyzer code. We're moving - them to a modularized structure, based on a plugin model. Along - with this change comes generic plugin infrastructure that we'll - later extend to other Bro component as well. For now all plugins - are compiled in statically, but in the future we plan to also - enable dynamic loading at run time. (Robin Sommer) - - * Ignoring file ids in external tests. (Robin Sommer) - -2.1-675 | 2013-06-02 20:03:19 -0700 - - * Fix a compiler warning. (Robin Sommer) - - * Allow named vector/set/table/record constructors. Addresses #983. - (Jon Siwek) - - * Adding Makefile target test-all that also runs the BroControl test - suite. (Robin Sommer) - -2.1-664 | 2013-05-28 21:37:46 -0700 - - * Dangling pointer fix. Addresses #1004. (Jon Siwek) - -2.1-659 | 2013-05-24 17:24:18 -0700 - - * Fix broken/missing documentation. (Jon Siwek) - - * Fixing test that would fail without ES/curl support. (Robin - Sommer) - -2.1-656 | 2013-05-17 15:58:07 -0700 - - * Fix mutex lock problem for writers. (Bernhard Amann) - -2.1-654 | 2013-05-17 13:49:52 -0700 - - * Tweaks to sqlite3 configuration to address threading issues. - (Bernhard Amann) - -2.1-651 | 2013-05-17 13:37:16 -0700 - - * Fix uninitialized DPM member. (Jon Siwek) - - * Fix issue with transaction ID reuse in a single DNS connection. (Seth Hall) - - * New function added to the queue.bro script to support peeking at - the new gettable item in the queue without removing it. (Seth Hall) - -2.1-647 | 2013-05-17 07:47:14 -0700 - - * Fixing Broxygen generation to have BROMAGIC set. (Robin Sommer) - - * Fix for 'fchmod undeclared here' on FreeBSD. (Robin Sommer) - - * CMake policy fix to avoid errors with older versions. (Robin - Sommer) - -2.1-641 | 2013-05-15 18:15:09 -0700 - - * Test update. (Robin Sommer) - -2.1-640 | 2013-05-15 17:24:09 -0700 - - * Support for cleaning up threads that have terminated. (Bernhard - Amann and Robin Sommer). Includes: - - - Both logging and input frameworks now clean up threads once - they aren't further needed anymnore. - - - New function Log::remove_stream() that removes a logging - stream, stopping all writer threads that are associated with - it. Note, however, that removing a *filter* from a stream - still doesn't clean up any threads. The problem is that - because of the output paths potentially being created - dynamically it's unclear if the writer thread will still be - needed in the future. - -2.1-626 | 2013-05-15 16:09:31 -0700 - - * Add "reservoir" sampler for SumStats framework. This maintains - a set of N uniquely distributed random samples. (Bernhard Amann) - -2.1-619 | 2013-05-15 16:01:42 -0700 - - * SQLite reader and writer combo. This allows to read/write - persistent data from on disk SQLite databases. The current - interface is quite low-level, we'll add higher-level abstractions - in the future. (Bernhard Amann) - -2.1-576 | 2013-05-15 14:29:09 -0700 - - * Initial version of new file analysis framework. This moves most of - the processing of file content from script-land into the core, - where it belongs. Much of this is an internal change, and at this - point the new code has essentially feature-equality with the old - one. More script-level changes to come. (Jon Siwek) - -2.1-502 | 2013-05-10 19:29:37 -0700 - - * Allow default function/hook/event parameters. Addresses #972. (Jon - Siwek) - - * Change the endianness parameter of bytestring_to_count() BIF to - default to false (big endian). (Jon Siwek) - -2.1-500 | 2013-05-10 19:22:24 -0700 - - * Fix to prevent merge-hook of SumStat's unique plugin from damaging - source data. (Bernhard Amann) - -2.1-498 | 2013-05-03 17:44:08 -0700 - - * Table lookups return copy of non-const &default vals. This - prevents unintentional modifications to the &default value itself. - Addresses #981. (Jon Siwek) - -2.1-496 | 2013-05-03 15:54:47 -0700 - - * Fix memory leak and unnecessary allocations in OpaqueVal. - Addresses #986. (Matthias Vallentin) - -2.1-492 | 2013-05-02 12:46:26 -0700 - - * Work-around for sumstats framework not propagating updates after - intermediate check in cluster environments. (Bernhard Amann) - - * Always apply tcp_connection_attempt. Before this change it was - only applied when a connection_attempt() event handler was - defined. (Robin Sommer) - - * Fixing coverage.bare-mode-errors test. (Robin Sommer) - -2.1-487 | 2013-05-01 18:03:22 -0700 - - * Always apply tcp_connection_attempt timer, even if no - connection_attempt() event handler is defined. (Robin Sommer) - -2.1-486 | 2013-05-01 15:28:45 -0700 - - * New framework for computing summary statistics in - base/framework/sumstats. This replaces the metrics frameworks, and - comes with a number of applications build on top, see NEWS. More - documentation to follow. (Seth Hall) - -2.1-397 | 2013-04-29 21:19:00 -0700 - - * Fixing memory leaks in CompHash implementation. Addresses #987. - (Robin Sommer) - -2.1-394 | 2013-04-27 15:02:31 -0700 - - * Fixed a bug in the vulnerable software script and added a test. - (Seth Hall) - - * Fix schedule statements used outside event handlers. Addresses - #974. (Jon Siwek) - - * Fix record coercion for default inner record fields. Addresses - #973. (Jon Siwek) - - * Add bytestring_to_count function to bro.bif. Addresses #968. (Yun - Zheng Hu) - -2.1-386 | 2013-03-22 12:41:50 -0700 - - * Added reverse() function to strings.bif. (Yun Zheng Hu) - -2.1-384 | 2013-03-22 12:10:14 -0700 - - * Fix record constructors in table initializer indices. Addresses - #660. (Jon Siwek) - -2.1-382 | 2013-03-22 12:01:34 -0700 - - * Add support for 802.1ah (Q-in-Q). Addresses #641. (Seth Hall) - -2.1-380 | 2013-03-18 12:18:10 -0700 - - * Fix gcc compile warnings in base64 encoder and benchmark reader. - (Bernhard Amann) - -2.1-377 | 2013-03-17 17:36:09 -0700 - - * Fixing potential leak in DNS error case. (Vlad Grigorescu) - -2.1-375 | 2013-03-17 13:14:26 -0700 - - * Add base64 encoding functionality, including new BiFs - encode_base64() and encode_base64_custom(). (Bernhard Amann) - - * Replace call to external "openssl" in extract-certs-pem.bro with - that encode_base64(). (Bernhard Amann) - - * Adding a test for extract-certs-pem.pem. (Robin Sommer) - - * Renaming Base64Decoder to Base64Converter. (Robin Sommer) - -2.1-366 | 2013-03-17 12:35:59 -0700 - - * Correctly handle DNS lookups for software version ranges. (Seth - Hall) - - * Improvements to vulnerable software detection. (Seth Hall) - - - Add a DNS based updating method. This needs to be tested - still. - - - Vulnerable version ranges are used now instead of only single - versions. This can deal with software with multiple stable - major versions. - - * Update software version parsing and comparison to account for a - third numeric subversion. Also, $addl is now compared numerically - if the value is actually numeric. (Seth Hall) - -2.1-361 | 2013-03-13 07:18:22 -0700 - - * Add check for truncated link frames. Addresses #962. (Jacob - Baines) - - * Fix large memory allocation in IP fragment reassembly. Addresses - #961. (Jacob Baines) - -2.1-357 | 2013-03-08 09:18:35 -0800 - - * Fix race-condition in table-event test. (Bernhard Amann) - - * s/bro-ids.org/bro.org/g. (Robin Sommer) - -2.1-353 | 2013-03-07 13:31:37 -0800 - - * Fix function type-equivalence requiring same parameter names. - Addresses #957. (Jon Siwek) - -2.1-351 | 2013-03-07 13:27:29 -0800 - - * Fix new/delete mismatch. Addresses #958. (Jacob Baines) - - * Fix compiler warnings. (Jon Siwek) - -2.1-347 | 2013-03-06 16:48:44 -0800 - - * Remove unused parameter from vector assignment method. (Bernhard Amann) - - * Remove the byte_len() and length() bifs. (Bernhard Amann) - -2.1-342 | 2013-03-06 15:42:52 -0800 - - * Moved the Notice::notice event and Notice::policy table to both be - hooks. See documentation and NEWS for information. (Seth Hall). - -2.1-338 | 2013-03-06 15:10:43 -0800 - - * Fix init of local sets/vectors via curly brace initializer lists. - (Jon Siwek) - -2.1-336 | 2013-03-06 15:08:06 -0800 - - * Fix memory leaks resulting from 'when' and 'return when' - statements. Addresses #946. (Jon Siwek) - - * Fix three bugs with 'when' and 'return when' statements. Addresses - #946. (Jon Siwek) - -2.1-333 | 2013-03-06 14:59:47 -0800 - - * Add parsing for GTPv1 extension headers and control messages. (Jon Siwek) - - This includes: - - - A new generic gtpv1_message() event generated for any GTP - message type. - - - Specific events for the create/update/delete PDP context - request/response messages. - - Addresses #934. - -2.1-331 | 2013-03-06 14:54:33 -0800 - - * Fix possible null pointer dereference in identify_data BIF. Also - centralized libmagic calls for consistent error handling/output. - (Jon Siwek) - - * Fix build on OpenBSD 5.2. (Jon Siwek) - -2.1-328 | 2013-02-05 01:34:29 -0500 - - * New script to query the ICSI Certificate Notary - (http://notary.icsi.berkeley.edu/) over DNS and add information - to the SSL log at runtime. (Matthias Vallentin) - - * Add delayed logging to SSL base scripts. (Matthias Vallentin) - -2.1-319 | 2013-02-04 09:45:34 -0800 - - * Update input tests to use exit_only_after_terminate. (Bernhard - Amann) - - * New option exit_only_after_terminate to prevent Bro from exiting. - If set, the main loop won't terminate before somebody calls - terminate(). (Robin Sommer) - -2.1-311 | 2013-02-01 08:03:01 -0800 - - * Updating submodule(s). - -2.1-310 | 2013-01-30 20:09:27 -0800 - - * Add an error for record coercions that would orphan a field. (Jon - Siwek) - - * Fixing several scripts where a field in an inlined record was - never removed after a code refactor. (Jon Siwek) - -2.1-307 | 2013-01-25 13:50:57 -0800 - - * Fix runaway reference counting bug in record coercion. (Jon Siwek) - - * Fix memory leak in some reporter messaging cases. (Jon Siwek) - -2.1-304 | 2013-01-23 19:43:27 -0800 - - * Making a test portable. (Robin Sommer) - -2.1-302 | 2013-01-23 16:17:29 -0800 - - * Refactoring ASCII formatting/parsing from loggers/readers into a - separate AsciiFormatter class. (Bernhard Amann) - - * Fix uninitialized locals in event/hook handlers from having a - value. Addresses #932. (Jon Siwek) - - * Add a null value check in CompositeHash::ComputeHash. Addresses - #930. (Jon Siwek) - - * Change reporter messages to more reliably print to stderr. - Addressed #930 (and revisits #836). (Jon Siwek) - - * Changing test=suite's btest call to use "-j" instead of "-j 5". - (Robin Sommer) - - * Require "case" blocks to end with either "break", "return", or a - new "fallthrough" statement that passes control on to the - subsequent case. This gives us the best mix of safety, - readability, and flexibility. Addresses #754. (Jon Siwek) - -2.1-279 | 2013-01-18 17:18:22 -0800 - - * Revert "Trick for parallelizing input framework unit tests." The - old way of doing the tests seems more reliable for now. (Jon - Siwek) - - * Fixing variable size issues with http response code in - ElasticSearch writer. (Gilbert Clark) - - * Removing unused class member. (Robin Sommer) - - * Add opaque type-ignoring for the accept_unsupported_types input - framework option. (Bernhard Amann) - -2.1-271 | 2013-01-08 10:18:57 -0800 - - * Change substring index notation to use a colon. String slice - notation is now written as `s[1:2]`. Addresses #422. (Jon Siwek) - -2.1-268 | 2013-01-07 09:43:44 -0800 - - * Fix memory leak in OpaqueType::DoUnserialize. (Jon Siwek) - -2.1-265 | 2012-12-20 17:38:42 -0800 - - * Add array-style index accessor for strings. Addresses #422. (Jon - Siwek) - - The index expression can take up to two indices for the start and - end index of the substring to return (e.g. "mystring[1,3]"). - Negative indices are allowed, with -1 representing the last - character in the string. The indexing is not cyclic -- if the - starting index is >= the length of the string an empty string is - returned, and if the ending index is >= the length of the string - then it's interpreted as the last index of the string. Assigning - to substrings accessed like this isn't allowed. - -2.1-263 | 2012-12-20 16:22:09 -0800 - - * Bro's language now has a new set of types "opaque of X". (Matthias - Vallentin) - - Opaque values can be passed around like other values but they can - only be manipulated with BiF functions, not with other operators. - Currently, the following opaque types are supported: - - - opaque of md5 - - opaque of sha1 - - opaque of sha256 - - opaquey of entropy. - - They go along with the corrsponding BiF functions md5_*, sha1_*, - sha256_*, and entropy_*, respectively. Note that these functions - have changed their signatures to work with opaques types rather - than global state as it was before. - -2.1-240 | 2012-12-20 15:21:07 -0800 - - * Improve error for invalid use of types as values. Addresses #923. - (Jon Siwek) - -2.1-238 | 2012-12-20 15:11:25 -0800 - - * Finish implementation of script-layer switch statement. Addresses - #754. (Jon Siwek) - - They behave like C-style switches except case labels can be - comprised of multiple literal constants delimited by commas. Only - atomic types are allowed for now. Case label bodies that don't - execute a "return" or "break" statement will fall through to - subsequent cases. A default case label is allowed. - - * Fix a case where c$resp$size is misrepresented. Addresses #730. - (Jon Siwek) - -2.1-234 | 2012-12-20 12:12:19 -0800 - - * Fix return value of hook calls that have no handlers. For this - case, the return value is always true. (Jon Siwek) - - * Fix to_port() BIF for port strings with a port number of zero. - (Jon Siwek) - -2.1-231 | 2012-12-14 14:51:35 -0800 - - * Make const variables actually constant. Both local and global - variables declared with "const" could be modified, but now - expressions that would modify them generate an error message at - parse-time. Addresses #922. (Jon Siwek) - -2.1-229 | 2012-12-14 14:46:12 -0800 - - * Fix memory leak in ASCII reader when encoutering errors in input. - (Bernhard Amann) - - * Improvements for the "bad checksums" detector to make it detect - bad TCP checksums. (Seth Hall) - -2.1-223 | 2012-12-12 14:25:15 -0800 - - * Trick for parallelizing input framework unit tests. Instead of - loading listen.bro to block until files are read, just read a pcap - file in pseudo-realtime. (Jon Siwek) - - * Fix reliability of a unit test that relies on when statements. - (Jon Siwek) - - * Remove unused attributes. (Daniel Thayer) - - Removed attributes &postprocessor and &match from documentation and source code. - - Removed undocumented attribute &attr from source code. - - Removed internal attribute "(&tracked)" from documentation. - -2.1-218 | 2012-12-10 14:45:04 -0800 - - * Add GPRS Tunnelling Protocol (GTPv1) decapsulation. This currently - supports automatic decapsulation of GTP-U packets on UDP port 2152. - The GTPv1 headers for such tunnels can be inspected by handling - the "gtpv1_g_pdu_packet" event, which has a parameter of type - "gtpv1_hdr". Addresses #690. (Jon Siwek; derived from patch by - Carsten Langer) - - * Change BinPAC exceptions in AYIYA/GTP analyzers to do - "protocol_violation". (Jon Siwek) - -2.1-212 | 2012-12-07 19:42:03 -0800 - - * Changing the HTTP parser to accept request methods in alignment - with the RFC. (Robin Sommer) - -2.1-209 | 2012-12-05 16:44:04 -0800 - - * Adapting the HTTP request line parsing to only accept methods - consisting of letters [A-Za-z]. (Robin Sommer) - -2.1-207 | 2012-12-05 15:47:32 -0800 - - * Reporting warnings if kill/waitpid fail in communication system. - (Bill Parker) - - * Replace() bzero with memset(). (Bill Parker) - - * Merge remote-tracking branch 'vlad/topic/vladg/http-verbs' - - * vlad/topic/vladg/http-verbs: - A test for HTTP methods, including some horribly illegal requests. - Remove hardcoded HTTP verbs from the analyzer (#741) - - I added a "bad_HTTP_request" weird for HTTP request lines that don't - have more than a single word. - - Closes #741. (Robin Sommer) - - * A test for HTTP methods, including some horribly illegal requests. (Vlad Grigorescu) - - * Remove hardcoded HTTP verbs from the analyzer (#741) (Vlad Grigorescu) - - -2.1-203 | 2012-12-05 14:36:56 -0800 - - * Fix segfault: Synchronization of state between connecting peers - now skips over identifiers that aren't initialized with a value - yet. Addresses #66. (Jon Siwek) - - * Fix segfault: Delete correct entry in error case in input - framework. (Bernhard Amann) - - * Bad record constructor initializers now give an error. Addresses - #34. (Jon Siwek) - - * Invalid vector indices now generate error message. Addresses #24. - (Jon Siwek) - - * Bump CPack RPM package requirement to Python >= 2.6.0. (Jon Siwek) - - * Interpreter exceptions occurring in "when" blocks are now handled. - Addresses #779 (Jon Siwek) - -2.1-195 | 2012-12-03 14:50:33 -0800 - - * Catching out-of-memory in patricia tree code. (Bill Parker) - -2.1-194 | 2012-12-03 14:36:26 -0800 - - * Renaming ASCII writer filter option 'only_single_header_row' to - 'tsv'. Also clarifying usage. Closes #912. (Robin Sommer) - -2.1-193 | 2012-12-03 14:11:14 -0800 - - * Fix a set of bugs with table/set attributes. (Jon Siwek) - - - Identifiers that are initialized with set()/table() constructor - expressions now inherit attributes from the expression. Before, - statements like - - const i: set[string] = set() &redef; - - associated the attribute with the set() constructor, but not the - "i" identifier, preventing redefinition. Addresses #866. - - - Allow &default attribute to apply to tables initialized as empty - (via either "{ }" or "table()") or if the expression supplied to it - can evaluate to a type that's promotable to the same yield type as - the table. - -2.1-191 | 2012-12-03 14:08:56 -0800 - - * Add test of record() constructor to table initializer unit test. - (Jon Siwek) - - * Fix table(), set(), vector() constructors in table initializer - lists. Also adds type checking of yield values to table() - constructor and fixes the type checking of yield values in - vector() constructor. Addresses #5. (Jon Siwek) - -2.1-188 | 2012-12-03 14:04:29 -0800 - - * Hook functions now callable with "hook" expression (i.e., hook is - no longer a statement). The return value of the call is an - implicit boolean value of T if all hook handlers ran, or F if one - hook handler exited as a result of a break statement and - potentially prevented other handlers from running. - - Scripts don't need to declare hooks with an explicit return type of bool - (internally, that's assumed), and any values given to (optional) return - statements in handler definitions are just ignored. - - Addresses #918. (Jon Siwek) - - * Clarification in hook documentation. (Jon Siwek) - -2.1-184 | 2012-12-03 13:59:50 -0800 - - * Slightly fix up file name extraction from Content-Disposition - headers. (Seth Hall) - - * Adding -b flag to bro in unit tests so they run faster. - - * Fixed a DNS attribute issue. Reported by Matt Thompson. (Seth - Hall) - - * Adding NEWS placeholder for hooks and CSV mode. (Robin Sommer) - -2.1-178 | 2012-11-23 19:35:32 -0800 - - * The ASCII writer now supports a new filter config option - "only_single_header_row" that turns the output into CSV format - when set to "T". (Carsten Langer) - - * Add new function flavor called a "hook". This new flavor of - function behaves like a "synchronous event". See - doc/scripts/builtins.rst more details on usage. (Jon Siwek) - - * Improve auto-generated enum documentation. The names of enum types - are tracked so that variables holding a value of a given enum type - can generate a reference to it instead of just listing the type as - a generic "enum". (Jon Siwek) - -2.1-171 | 2012-11-23 18:24:15 -0800 - - * Fix ambiguity between composite table index and record ctor - expressions. If a table type is "global t = table[conn_id, bool] - of count", then checking membership like "[c$id, is_orig] in t" - now works. Addresses #80. (Jon Siwek) - -2.1-169 | 2012-11-23 18:21:32 -0800 - - * Fix some warnings from sphinx when building docs. (Jon Siwek) - -2.1-167 | 2012-11-14 13:19:17 -0800 - - * Add a new BIF "bytestring_to_double" for converting from a binary - representation of a double. Addresses #908. (Carsten Langer/Daniel - Thayer) - -2.1-162 | 2012-11-13 17:29:00 -0800 - - * Fix modbus register array parsing. (Jon Siwek) - - * Adjustments to modbus test cases. (Jon Siwek) - -2.1-157 | 2012-11-08 16:22:00 -0800 - - * Fix for lookup_hostname BIF. (Jon Siwek) - - * Fix for modbus test portability. (Robin Sommer) - -2.1-152 | 2012-11-05 16:52:34 -0800 - - * Initial version of a completely reworked intelligence framework. - See doc/intel.rst for more information. (Seth Hall) - - * Experimental Modbus analyzer. See policy/protocols/modbus/* for - example policies. (Dina Hadziosmanovic, Seth Hall) - -2.1-112 | 2012-11-05 13:58:20 -0800 - - * New base script for detecting cases of checksum offloading. - Reporter messages will now tell if one has bad checksums. (Seth - Hall) - - * Clarifying ownership rules for BroString constructors. (Robin - Sommer) - -2.1-109 | 2012-11-05 13:39:34 -0800 - - * Add detection rate threshold for MHR. (Vlad Grigorescu) - - * lookup_hostname_txt fixes. (Vlad Grigorescu) - -2.1-104 | 2012-11-01 10:37:50 -0700 - - * A new built-in function lookup_hostname_txt() provides support for - DNS TXT queries. (Vlad Grigorescu) - -2.1-101 | 2012-10-31 14:30:26 -0700 - - * Documentation reorg: The install info has been consolidated into a - single document (INSTALL), the upgrade info has been moved from - the FAQ to a section in the install doc, and the "upgrading from - 1.5 to 2.0" document has been updated (and renamed) to also - include 2.0 to 2.1 upgrade info. (Daniel Thayer) - -2.1-96 | 2012-10-31 14:23:50 -0700 - - * Renaming option defining the frequency of alarm summary mails to - 'Logging::default_alarm_mail_interval'. (Daniel Thayer) - -2.1-91 | 2012-10-24 16:04:47 -0700 - - * Adding PPPoE support to Bro. (Seth Hall) - -2.1-87 | 2012-10-24 15:40:06 -0700 - - * Adding missing &redef for some TCP options. Addresses #905, #906, - #907. (Carsten Langer) - -2.1-86 | 2012-10-24 15:37:11 -0700 - - * Add parsing rules for IPv4/IPv6 subnet literal constants. - Addresses #888. (Jon Siwek) - -2.1-84 | 2012-10-19 15:12:56 -0700 - - * Added a BiF strptime() to wrap the corresponding C function. (Seth - Hall) - -2.1-82 | 2012-10-19 15:05:40 -0700 - - * Add IPv6 support to signature header conditions. (Jon Siwek) - - - "src-ip" and "dst-ip" conditions can now use IPv6 addresses/subnets. - They must be written in colon-hexadecimal representation and enclosed - in square brackets (e.g. [fe80::1]). Addresses #774. - - - "icmp6" is now a valid protocol for use with "ip-proto" and "header" - conditions. This allows signatures to be written that can match - against ICMPv6 payloads. Addresses #880. - - - "ip6" is now a valid protocol for use with the "header" condition. - (also the "ip-proto" condition, but it results in a no-op in that - case since signatures apply only to the inner-most IP packet when - packets are tunneled). This allows signatures to match specifically - against IPv6 packets (whereas "ip" only matches against IPv4 packets). - - - "ip-proto" conditions can now match against IPv6 packets. Before, - IPv6 packets were just silently ignored which meant DPD based on - signatures did not function for IPv6 -- protocol analyzers would only - get attached to a connection over IPv6 based on the well-known ports - set in the "dpd_config" table. - -2.1-80 | 2012-10-19 14:48:42 -0700 - - * Change how "gridftp" gets added to service field of connection - records. In addition to checking for a finished SSL handshake over - an FTP connection, it now also requires that the SSL handshake - occurs after the FTP client requested AUTH GSSAPI, more - specifically identifying the characteristics of GridFTP control - channels. Addresses #891. (Jon Siwek) - - * Allow faster rebuilds in certain cases. Previously, when - rebuilding with a different "--prefix" or "--scriptdir", all Bro - source files were recompiled. With this change, only util.cc is - recompiled. (Daniel Thayer) - -2.1-76 | 2012-10-12 10:32:39 -0700 - - * Add support for recognizing GridFTP connections as an extension to - the standard FTP analyzer. (Jon Siwek) - - This is enabled by default and includes: - - - An analyzer for GSI mechanism of GSSAPI FTP AUTH method. GSI - authentication involves an encoded TLS/SSL handshake over the - FTP control session. For FTP sessions that attempt GSI - authentication, the *service* field of the connection log will - include "gridftp" (as well as also "ftp" and "ssl"). - - - Add an example of a GridFTP data channel detection script. It - relies on the heuristics of GridFTP data channels commonly - default to SSL mutual authentication with a NULL bulk cipher - and that they usually transfer large datasets (default - threshold of script is 1 GB). The script also defaults to - skip_further_processing() after detection to try to save - cycles analyzing the large, benign connection. - - For identified GridFTP data channels, the *services* fields of - the connection log will include "gridftp-data". - - * Add *client_subject* and *client_issuer_subject* as &log'd fields - to SSL::Info record. Also add *client_cert* and - *client_cert_chain* fields to track client cert chain. (Jon Siwek) - - * Add a script in base/protocols/conn/polling that generalizes the - process of polling a connection for interesting features. The - GridFTP data channel detection script depends on it to monitor - bytes transferred. (Jon Siwek) - -2.1-68 | 2012-10-12 09:46:41 -0700 - - * Rename the Input Framework's update_finished event to end_of_data. - It will now not only fire after table-reads have been completed, - but also after the last event of a whole-file-read (or - whole-db-read, etc.). (Bernhard Amann) - - * Fix for DNS log problem when a DNS response is seen with 0 RRs. - (Seth Hall) - -2.1-64 | 2012-10-12 09:36:41 -0700 - - * Teach --disable-dataseries/--disable-elasticsearch to ./configure. - Addresses #877. (Jon Siwek) - - * Add --with-curl option to ./configure. Addresses #877. (Jon Siwek) - -2.1-61 | 2012-10-12 09:32:48 -0700 - - * Fix bug in the input framework: the config table did not work. - (Bernhard Amann) - -2.1-58 | 2012-10-08 10:10:09 -0700 - - * Fix a problem with non-manager cluster nodes applying - Notice::policy. This could, for example, result in duplicate - emails being sent if Notice::emailed_types is redef'd in local.bro - (or any script that gets loaded on all cluster nodes). (Jon Siwek) - -2.1-56 | 2012-10-03 16:04:52 -0700 - - * Add general FAQ entry about upgrading Bro. (Jon Siwek) - -2.1-53 | 2012-10-03 16:00:40 -0700 - - * Add new Tunnel::delay_teredo_confirmation option that indicates - that the Teredo analyzer should wait until it sees both sides of a - connection using a valid Teredo encapsulation before issuing a - protocol_confirmation. Default is on. Addresses #890. (Jon Siwek) - -2.1-50 | 2012-10-02 12:06:08 -0700 - - * Fix a typing issue that prevented the ElasticSearch timeout to - work. (Matthias Vallentin) - - * Use second granularity for ElasticSearch timeouts. (Matthias - Vallentin) - - * Fix compile issues with older versions of libcurl, which don't - offer *_MS timeout constants. (Matthias Vallentin) - -2.1-47 | 2012-10-02 11:59:29 -0700 - - * Fix for the input framework: BroStrings were constructed without a - final \0, which makes them unusable by basically all internal - functions (like to_count). (Bernhard Amann) - - * Remove deprecated script functionality (see NEWS for details). - (Daniel Thayer) - -2.1-39 | 2012-09-29 14:09:16 -0700 - - * Reliability adjustments to istate tests with network - communication. (Jon Siwek) - -2.1-37 | 2012-09-25 14:21:37 -0700 - - * Reenable some tests that previously would cause Bro to exit with - an error. (Daniel Thayer) - - * Fix parsing of large integers on 32-bit systems. (Daniel Thayer) - - * Serialize language.when unit test with the "comm" group. (Jon - Siwek) - -2.1-32 | 2012-09-24 16:24:34 -0700 - - * Fix race condition in language/when.bro test. (Daniel Thayer) - -2.1-26 | 2012-09-23 08:46:03 -0700 - - * Add an item to FAQ page about broctl options. (Daniel Thayer) - - * Add more language tests. We now have tests of all built-in Bro - data types (including different representations of constant - values, and max./min. values), keywords, and operators (including - special properties of certain operators, such as short-circuit - evaluation and associativity). (Daniel Thayer) - - * Fix construction of ip6_ah (Authentication Header) record values. - - Authentication Headers with a Payload Len field set to zero would - cause a crash due to invalid memory allocation because the - previous code assumed Payload Len would always be great enough to - contain all mandatory fields of the header. (Jon Siwek) - - * Update compile/dependency docs for OS X. (Jon Siwek) - - * Adjusting Mac binary packaging script. Setting CMAKE_PREFIX_PATH - helps link against standard system libs instead of ones that come - from other package manager (e.g. MacPorts). (Jon Siwek) - - * Adjusting some unit tests that do cluster communication. (Jon Siwek) - - * Small change to non-blocking DNS initialization. (Jon Siwek) - - * Reorder a few statements in scan.l to make 1.5msecs etc work. - Adresses #872. (Bernhard Amann) - -2.1-6 | 2012-09-06 23:23:14 -0700 - - * Fixed a bug where "a -= b" (both operands are intervals) was not - allowed in Bro scripts (although "a = a - b" is allowed). (Daniel - Thayer) - - * Fixed a bug where the "!=" operator with subnet operands was - treated the same as the "==" operator. (Daniel Thayer) - - * Add sleeps to configuration_update test for better reliability. - (Jon Siwek) - - * Fix a segfault when iterating over a set when using malformed - index. (Daniel Thayer) - -2.1 | 2012-08-28 16:46:42 -0700 - - * Make bif.identify_magic robust against FreeBSD's libmagic config. - (Robin Sommer) - - * Remove automatic use of gperftools on non-Linux systems. - --enable-perftools must now explicity be supplied to ./configure - on non-Linux systems to link against the tcmalloc library. - - * Fix uninitialized value for 'is_partial' in TCP analyzer. (Jon - Siwek) - - * Parse 64-bit consts in Bro scripts correctly. (Bernhard Amann) - - * Output 64-bit counts correctly on 32-bit machines (Bernhard Amann) - - * Input framework fixes, including: (Bernhard Amann) - - - One of the change events got the wrong parameters. - - - Escape commas in sets and vectors that were unescaped before - tokenization. - - - Handling of zero-length-strings as last element in a set was - broken (sets ending with a ,). - - - Hashing of lines just containing zero-length-strings was broken. - - - Make set_separators different from , work for input framework. - - - Input framework was not handling counts and ints out of - 32-bit-range correctly. - - - Errors in single lines do not kill processing, but simply ignore - the line, log it, and continue. - - * Update documentation for builtin types. (Daniel Thayer) - - - Add missing description of interval "msec" unit. - - - Improved description of pattern by clarifying the issue of - operand order and difference between exact and embedded - matching. - - * Documentation fixes for signature 'eval' conditions. (Jon Siwek) - - * Remove orphaned 1.5 unit tests. (Jon Siwek) - - * Add type checking for signature 'eval' condition functions. (Jon - Siwek) - - * Adding an identifier to the SMTP blocklist notices for duplicate - suppression. (Seth Hall) - -2.1-beta-45 | 2012-08-22 16:11:10 -0700 - - * Add an option to the input framework that allows the user to chose - to not die upon encountering files/functions. (Bernhard Amann) - -2.1-beta-41 | 2012-08-22 16:05:21 -0700 - - * Add test serialization to "leak" unit tests that use - communication. (Jon Siwek) - - * Change to metrics/basic-cluster unit test for reliability. (Jon - Siwek) - - * Fixed ack tracking which could overflow quickly in some - situations. (Seth Hall) - - * Minor tweak to coverage.bare-mode-errors unit test to work with a - symlinked 'scripts' dir. (Jon Siwek) - -2.1-beta-35 | 2012-08-22 08:44:52 -0700 - - * Add testcase for input framework reading sets (rather than - tables). (Bernhard Amann) - -2.1-beta-31 | 2012-08-21 15:46:05 -0700 - - * Tweak to rotate-custom.bro unit test. (Jon Siwek) - - * Ignore small mem leak every rotation interval for dataseries logs. - (Jon Siwek) - -2.1-beta-28 | 2012-08-21 08:32:42 -0700 - - * Linking ES docs into logging document. (Robin Sommer) - -2.1-beta-27 | 2012-08-20 20:06:20 -0700 - - * Add the Stream record to Log:active_streams to make more dynamic - logging possible. (Seth Hall) - - * Fix portability of printing to files returned by - open("/dev/stderr"). (Jon Siwek) - - * Fix mime type diff canonifier to also skip mime_desc columns. (Jon - Siwek) - - * Unit test tweaks/fixes. (Jon Siwek) - - - Some baselines for tests in "leaks" group were outdated. - - - Changed a few of the cluster/communication tests to terminate - more explicitly instead of relying on btest-bg-wait to kill - processes. This makes the tests finish faster in the success case - and makes the reason for failing clearer in the that case. - - * Fix memory leak of serialized IDs when compiled with - --enable-debug. (Jon Siwek) - -2.1-beta-21 | 2012-08-16 11:48:56 -0700 - - * Installing a handler for running out of memory in "new". Bro will - now print an error message in that case rather than abort with an - uncaught exception. (Robin Sommer) - -2.1-beta-20 | 2012-08-16 11:43:31 -0700 - - * Fixed potential problems with ElasticSearch output plugin. (Seth - Hall) - -2.1-beta-13 | 2012-08-10 12:28:04 -0700 - - * Reporter warnings and error now print to stderr by default. New - options Reporter::warnings_to_stderr and - Reporter::errors_to_stderr to disable. (Seth Hall) - -2.1-beta-9 | 2012-08-10 12:24:29 -0700 - - * Add more BIF tests. (Daniel Thayer) - -2.1-beta-6 | 2012-08-10 12:22:52 -0700 - - * Fix bug in input framework with an edge case. (Bernhard Amann) - - * Fix small bug in input framework test script. (Bernhard Amann) - -2.1-beta-3 | 2012-08-03 10:46:49 -0700 - - * Merge branch 'master' of ssh://git.bro-ids.org/bro (Robin Sommer) - - * Fix configure script to exit with non-zero status on error (Jon - Siwek) - - * Improve ASCII output performance. (Robin Sommer) - -2.1-beta | 2012-07-30 11:59:53 -0700 - - * Improve log filter compatibility with remote logging. Addresses - #842. (Jon Siwek) - -2.0-907 | 2012-07-30 09:13:36 -0700 - - * Add missing breaks to switch cases in - ElasticSearch::HTTPReceive(). (Jon Siwek) - -2.0-905 | 2012-07-28 16:24:34 -0700 - - * Fix log manager hanging on waiting for pending file rotations, - plus writer API tweak for failed rotations. Addresses #860. (Jon - Siwek and Robin Sommer) - - * Tweaking logs-to-elasticsearch.bro so that it doesn't do anything - if ES server is unset. (Robin Sommer) - -2.0-902 | 2012-07-27 12:42:13 -0700 - - * New variable in logging framework Log::active_streams to indicate - Log:ID enums which are currently active. (Seth Hall) - - * Reworked how the logs-to-elasticsearch scripts works to stop - abusing the logging framework. (Seth Hall) - - * Fix input test for recent default change on fastpath. (Robin - Sommer) - -2.0-898 | 2012-07-27 12:22:03 -0700 - - * Small (potential performance) improvement for logging framework. (Seth Hall) - - * Script-level rotation postprocessor fix. This fixes a problem with - writers that don't have a postprocessor. (Seth Hall) - - * Update input framework documentation to reflect want_record - change. (Bernhard Amann) - - * Fix crash when encountering an InterpreterException in a predicate - in logging or input Framework. (Bernhard Amann) - - * Input framework: Make want_record=T the default for events - (Bernhard Amann) - - * Changing the start/end markers in logs to open/close now - reflecting wall clock. (Robin Sommer) - -2.0-891 | 2012-07-26 17:15:10 -0700 - - * Reader/writer API: preventing plugins from receiving further - messages after a failure. (Robin Sommer) - - * New test for input framework that fails to find a file. (Robin - Sommer) - - * Improving error handling for threads. (Robin Sommer) - - * Tweaking the custom-rotate test to produce stable output. (Robin - Sommer) - -2.0-884 | 2012-07-26 14:33:21 -0700 - - * Add comprehensive error handling for close() calls. (Jon Siwek) - - * Add more test cases for input framework. (Bernhard Amann) - - * Input framework: make error output for non-matching event types - much more verbose. (Bernhard Amann) - -2.0-877 | 2012-07-25 17:20:34 -0700 - - * Fix double close() in FilerSerializer class. (Jon Siwek) - - * Fix build warnings. (Daniel Thayer) - - * Fixes to ElasticSearch plugin to make libcurl handle http - responses correctly. (Seth Hall) - - * Fixing FreeBSD compiler error. (Robin Sommer) - - * Silencing compiler warnings. (Robin Sommer) - -2.0-871 | 2012-07-25 13:08:00 -0700 - - * Fix complaint from valgrind about uninitialized memory usage. (Jon - Siwek) - - * Fix differing log filters of streams from writing to same - writer/path (which now produces a warning, but is otherwise - skipped for the second). Addresses #842. (Jon Siwek) - - * Fix tests and error message for to_double BIF. (Daniel Thayer) - - * Compile fix. (Robin Sommer) - -2.0-866 | 2012-07-24 16:02:07 -0700 - - * Correct a typo in usage message. (Daniel Thayer) - - * Fix file permissions of log files (which were created with execute - permissions after a recent change). (Daniel Thayer) - -2.0-862 | 2012-07-24 15:22:52 -0700 - - * Fix initialization problem in logging class. (Jon Siwek) - - * Input framework now accepts escaped ASCII values as input (\x##), - and unescapes appropiately. (Bernhard Amann) - - * Make reading ASCII logfiles work when the input separator is - different from \t. (Bernhard Amann) - - * A number of smaller fixes for input framework. (Bernhard Amann) - -2.0-851 | 2012-07-24 15:04:14 -0700 - - * New built-in function to_double(s: string). (Scott Campbell) - -2.0-849 | 2012-07-24 11:06:16 -0700 - - * Adding missing include needed on some systems. (Robin Sommer) - -2.0-846 | 2012-07-23 16:36:37 -0700 - - * Fix WriterBackend::WriterInfo serialization, reenable ascii - start/end tags. (Jon Siwek) - -2.0-844 | 2012-07-23 16:20:59 -0700 - - * Reworking parts of the internal threading/logging/input APIs for - thread-safety. (Robin Sommer) - - * Bugfix for SSL version check. (Bernhard Amann) - - * Changing a HTTP DPD from port 3138 to 3128. Addresses #857. (Robin - Sommer) - - * ElasticSearch logging writer. See logging-elasticsearch.rst for - more information. (Vlad Grigorescu and Seth Hall). - - * Give configure a --disable-perftools option to disable Perftools - support even if found. (Robin Sommer) - - * The ASCII log writer now includes "#start " and "#end - lines in the each file. (Robin Sommer) - - * Renamed ASCII logger "header" options to "meta". (Robin Sommer) - - * ASCII logs now escape '#' at the beginning of log lines. Addresses - #763. (Robin Sommer) - - * Fix bug, where in dns.log rcode always was set to 0/NOERROR when - no reply package was seen. (Bernhard Amann) - - * Updating to Mozilla's current certificate bundle. (Seth Hall) - -2.0-769 | 2012-07-13 16:17:33 -0700 - - * Fix some Info:Record field documentation. (Vlad Grigorescu) - - * Fix overrides of TCP_ApplicationAnalyzer::EndpointEOF. (Jon Siwek) - - * Fix segfault when incrementing whole vector values. Also removed - RefExpr::Eval(Val*) method since it was never called. (Jon Siwek) - - * Remove baselines for some leak-detecting unit tests. (Jon Siwek) - - * Unblock SIGFPE, SIGILL, SIGSEGV and SIGBUS for threads, so that - they now propagate to the main thread. Adresses #848. (Bernhard - Amann) - -2.0-761 | 2012-07-12 08:14:38 -0700 - - * Some small fixes to further reduce SOCKS false positive logs. (Seth Hall) - - * Calls to pthread_mutex_unlock now log the reason for failures. - (Bernhard Amann) - -2.0-757 | 2012-07-11 08:30:19 -0700 - - * Fixing memory leak. (Seth Hall) - -2.0-755 | 2012-07-10 16:25:16 -0700 - - * Add sorting canonifier to rotate-custom unit test. Addresses #846. - (Jon Siwek) - - * Fix many compiler warnings. (Daniel Thayer) - - * Fix segfault when there's an error/timeout resolving DNS requests. - Addresses #846. (Jon Siwek) - - * Remove a non-portable test case. (Daniel Thayer) - - * Fix typos in input framework doc. (Daniel Thayer) - - * Fix typos in DataSeries documentation. (Daniel Thayer) - - * Bugfix making custom rotate functions work again. (Robin Sommer) - - * Tiny bugfix for returning writer name. (Robin Sommer) - - * Moving make target update-doc-sources from top-level Makefile to - btest Makefile. (Robin Sommer) - -2.0-733 | 2012-07-02 15:31:24 -0700 - - * Extending the input reader DoInit() API. (Bernhard Amann). It now - provides a Info struct similar to what we introduced for log - writers, including a corresponding "config" key/value table. - - * Fix to make writer-info work when debugging is enabled. (Bernhard - Amann) - -2.0-726 | 2012-07-02 15:19:15 -0700 - - * Extending the log writer DoInit() API. (Robin Sommer) - - We now pass in a Info struct that contains: - - - the path name (as before) - - the rotation interval - - the log_rotate_base_time in seconds - - a table of key/value pairs with further configuration options. - - To fill the table, log filters have a new field "config: table[string] - of strings". This gives a way to pass arbitrary values from - script-land to writers. Interpretation is left up to the writer. - - * Split calc_next_rotate() into two functions, one of which is - thread-safe and can be used with the log_rotate_base_time value - from DoInit(). - - * Updates to the None writer. (Robin Sommer) - - - It gets its own script writers/none.bro. - - - New bool option LogNone::debug to enable debug output. It then - prints out all the values passed to DoInit(). - - - Fixed a bug that prevented Bro from terminating. - -2.0-723 | 2012-07-02 15:02:56 -0700 - - * Extract ICMPv6 NDP options and include in ICMP events. This adds - a new parameter of type "icmp6_nd_options" to the ICMPv6 neighbor - discovery events. Addresses #833. (Jon Siwek) - - * Set input frontend type before starting the thread. This means - that the thread type will be output correctly in the error - message. (Bernhard Amann) - -2.0-719 | 2012-07-02 14:49:03 -0700 - - * Fix inconsistencies in random number generation. The - srand()/rand() interface was being intermixed with the - srandom()/random() one. The later is now used throughout. (Jon - Siwek) - - * Changed the srand() and rand() BIFs to work deterministically if - Bro was given a seed file. Addresses #825. (Jon Siwek) - - * Updating input framework unit tests to make them more reliable and - execute quicker. (Jon Siwek) - - * Fixed race condition in writer and reader initializations. (Jon - Siwek) - - * Small tweak to make test complete quicker. (Jon Siwek) - - * Drain events before terminating log/thread managers. (Jon Siwek) - - * Fix strict-aliasing warning in RemoteSerializer.cc. Addresses - #834. (Jon Siwek) - - * Fix typos in event documentation. (Daniel Thayer) - - * Fix typos in NEWS for Bro 2.1 beta. (Daniel Thayer) - -2.0-709 | 2012-06-21 10:14:24 -0700 - - * Fix exceptions thrown in event handlers preventing others from running. (Jon Siwek) - - * Add another SOCKS command. (Seth Hall) - - * Fixed some problems with the SOCKS analyzer and tests. (Seth Hall) - - * Updating NEWS in preparation for beta. (Robin Sommer) - - * Accepting different AF_INET6 values for loopback link headers. - (Robin Sommer) - -2.0-698 | 2012-06-20 14:30:40 -0700 - - * Updates for the SOCKS analyzer (Seth Hall). - - - A SOCKS log! - - - Now supports SOCKSv5 in the analyzer and the DPD sigs. - - - Added protocol violations. - - * Updates to the tunnels framework. (Seth Hall) - - - Make the uid field optional since it's conceptually incorrect - for proxies being treated as tunnels to have it. - - - Reordered two fields in the log. - - - Reduced the default tunnel expiration interface to something - more reasonable (1 hour). - - * Make Teredo bubble packet parsing more lenient. (Jon Siwek) - - * Fix a crash in NetSessions::ParseIPPacket(). (Jon Siwek) - -2.0-690 | 2012-06-18 16:01:33 -0700 - - * Support for decapsulating tunnels via the new tunnel framework in - base/frameworks/tunnels. - - Bro currently supports Teredo, AYIYA, IP-in-IP (both IPv4 and - IPv6), and SOCKS. For all these, it logs the outher tunnel - connections in both conn.log and tunnel.log, and proceeds to - analyze the inner payload as if it were not tunneled, including - also logging it in conn.log (with a new tunnel_parents column - pointing back to the outer connection(s)). (Jon Siwek, Seth Hall, - Gregor Maier) - - * The options "tunnel_port" and "parse_udp_tunnels" have been - removed. (Jon Siwek) - -2.0-623 | 2012-06-15 16:24:52 -0700 - - * Changing an error in the input framework to a warning. (Robin - Sommer) - -2.0-622 | 2012-06-15 15:38:43 -0700 - - * Input framework updates. (Bernhard Amann) - - - Disable streaming reads from executed commands. This lead to - hanging Bros because pclose apparently can wait for eternity if - things go wrong. - - - Automatically delete disabled input streams. - - - Documentation. - -2.0-614 | 2012-06-15 15:19:49 -0700 - - * Remove an old, unused diff canonifier. (Jon Siwek) - - * Improve an error message in ICMP analyzer. (Jon Siwek) - - * Fix a warning message when building docs. (Daniel Thayer) - - * Fix many errors in the event documentation. (Daniel Thayer) - -2.0-608 | 2012-06-11 15:59:00 -0700 - - * Add more error handling code to logging of enum vals. Addresses - #829. (Jon Siwek) - -2.0-606 | 2012-06-11 15:55:56 -0700 - - * Fix summary lines for BIF documentation and corrected the - description of "fmt" and "floor" BIFs. (Daniel Thayer) - - * Fix val_size BIF tests and improve docs. (Daniel Thayer) - -2.0-602 | 2012-06-07 15:06:19 -0700 - - * Include header for usleep(), caused compile failure on Archlinux. (Jon Siwek) - - * Revert "Fixed a bug with the MIME analyzer not removing whitespace - on wrapped headers." Needs discussion. (Robin Sommer) - -2.0-598 | 2012-06-06 11:47:00 -0700 - - * Add @load-sigs directive for loading signature files (addresses - #551). This can be used to load signatures relative to the current - scripts (e.g., "@load-sigs ./foo.sig"). (Jon Siwek) - - -2.0-596 | 2012-06-06 11:41:00 -0700 - - * Fixes for some BiFs and their documentation. (Daniel Thayer) - - * Many new unit tests for BiFs. (Daniel Thayer) - -2.0-579 | 2012-06-06 11:04:46 -0700 - - * Memory leak fixes for bad usages of VectorVal ctor. (Jon Siwek) - - * Fixed a bug with the MIME analyzer not removing whitespace on - wrapped headers. (Seth Hall) - - * Change Input::update_finished lookup to happen at init time. (Jon Siwek) - - * Fix going through the internal_handler() function which will now - set the event as "used" (i.e. it's marked as being raised - somewhere). Addresses #823. (Jon Siwek) - - * Fix format specifier on RemoteSerializer::Connect. This caused - 32-bit systems to show a warning at compile-time, and fail when - connecting to peers. (Jon Siwek) - - * Fixes for running tests in parallel. (Robin Sommer) - -2.0-571 | 2012-05-30 19:12:43 -0700 - - * Updating submodule(s). - -2.0-570 | 2012-05-30 19:08:18 -0700 - - * A new input framework enables scripts to read in external data - dynamically on the fly as Bro is processing network traffic. - (Bernhard Amann) - - Currently, the framework supports reading ASCII input that's - structured similar as Bro's log files as well as raw blobs of - data. Other formats will come in the future. - - See doc/input.rst for more information (this will be extended - further soon). - -2.0-395 | 2012-05-30 17:03:31 -0700 - - * Remove unnecessary assert in ICMP analyzer which could lead to - aborts. Addresses #822. - - * Improve script debugger backtrace and print commands. (Jon Siwek) - - * Switching default DS compression to gzip. (Robin Sommer) - - * Improve availability of IPv6 flow label in connection records. - This adds a "flow_label" field to the "endpoint" record type, - which is used for both the "orig" and "resp" fields of - "connection" records. The new "connection_flow_label_changed" - event also allows tracking of changes in flow labels: it's raised - each time one direction of the connection starts using a different - label. (Jon Siwek) - - * Add unit tests for Broccoli SSL and Broccoli IPv6 connectivity. - (Jon Siwek) - - * Remove AI_ADDRCONFIG getaddrinfo hints flag for listening sockets. - (Jon Siwek) - - * Undo unnecessary communication protocol version bump. (Jon Siwek) - - * Add support to Bro for connecting with peers over IPv6. (Jon Siwek) - - - Communication::listen_ipv6 needs to be redef'd to true in order - for IPv6 listening sockets to be opened. - - - Added Communication::listen_retry option as an interval at which - to retry binding to socket addresses that were already in use. - - - Added some explicit baselines to check in the istate.events and - istate.events-ssl tests -- the SSL test was incorrectly passing - because it compared two empty files. (The files being empty - because "http/base" was given as an argument to Bro which it - couldn't handle because that script doesn't exist anymore). - - - Support for communication over non-global IPv6 addresses. This - usually requires specifying an additional zone identifier (see - RFC 4007). The connect() and listen() BIFs have been changed to - accept this zone identifier as an argument. - - -2.0-377 | 2012-05-24 16:46:06 -0700 - - * Documentation fixes. (Jon Siwek and Daniel Thayer) - -2.0-372 | 2012-05-17 13:59:45 -0700 - - * Fix compile errors. (Jon Siwek) - - * Linking in the DS docs. (Robin Sommer) - - * Fix mobility checksums unit test. (Jon Siwek) - -2.0-367 | 2012-05-17 12:42:30 -0700 - - * Adding support for binary output via DataSeries. See - logging-dataseries.rst for more information. (Gilbert Clark and - Robin Sommer) - - * Adding target update-doc-sources to top-level Makefile that runs - genDocSourcesList.sh. (Robin Sommer) - - * Moving trace for rotation test into traces directory. (Robin Sommer) - - * Fixing a rotation race condition at termination. (Robin Sommer) - - * Extending log post-processor call to include the name of the - writer. (Robin Sommer) - - * In threads, an internal error now immediately aborts. Otherwise, - the error won't make it back to the main thread for a while and - subsequent code in the thread would still execute. (Robin Sommer) - - * DataSeries cleanup. (Robin Sommer) - - * Fixing threads' DoFinish() method. It wasn't called reliably. Now, - it's always called before the thread is destroyed (assuming - processing has went normally so far). (Robin Sommer) - -2.0-341 | 2012-05-17 09:54:30 -0700 - - * Add a comment to explain the ICMPv6 error message types. (Daniel Thayer) - - * Quieting external test output somehwat. (Robin Sommer) - -2.0-336 | 2012-05-14 17:15:44 -0700 - - * Don't print the various "weird" events to stderr. Address #805. - (Daniel Thayer) - - * Generate icmp_error_message event for ICMPv6 error msgs. - Previously, icmp_sent was being generated, but icmp_error_message - contains more info. - - * Improved documentation comments for icmp-related events. (Daniel - Thayer) - -2.0-330 | 2012-05-14 17:05:56 -0700 - - * Add `addr_to_uri` script-level function that adds brackets to an - address if it's IPv6 and will be included in a URI or when a - ":" needs to be appended to it. (Jon Siwek) - - * Also add a test case for content extraction. (Jon Siwek) - - * Fix typos and improve INSTALL document. (Daniel Thayer) - - * Switching to new btest command TEST-SERIALIZE for communication - tests. (Robin Sommer) - -2.0-323 | 2012-05-04 21:04:34 -0700 - - * Add SHA1 and SHA256 hashing BIFs. Addresses #542. - - * Refactor all internal MD5 stuff to use OpenSSL's. (Jon Siwek) - - * Changes to open-file caching limits and uncached file unserialization. (Jon Siwek) - - - Unserializing files that were previously kicked out of the open-file - cache would cause them to be fopen'd with the original access - permissions which is usually 'w' and causes truncation. They - are now opened in 'a' mode. (addresses #780) - - - Add 'max_files_in_cache' script option to manually set the maximum - amount of opened files to keep cached. Mainly this just helped - to create a simple test case for the above change. - - - Remove unused NO_HAVE_SETRLIMIT preprocessor switch. - - - On systems that don't enforce a limit on number of files opened for - the process, raise default max size of open-file cache from - 32 to 512. - -2.0-319 | 2012-05-03 13:24:44 -0700 - - * SSL bugfixes and cleanup. (Seth Hall) - - - SSL related files and classes renamed to remove the "binpac" term. - - - A small fix for DPD scripts to make the DPD log more helpful if - there are multiple continued failures. - - - Fixed the SSL analyzer to make it stop doing repeated violation - messages for some handshake failures. - - - Added a $issuer_subject to the SSL log. - - - Created a basic test for SSL. - - - Fixed parsing of TLS server extensions. (Seth Hall) - -2.0-315 | 2012-05-03 11:44:17 -0700 - - * Add two more TLS extension values that we see in live traffic. - (Bernhard Amann) - - * Fixed IPv6 link local unicast CIDR and added IPv6 loopback to - private address space. (Seth Hall) - - * Fixed a problem where cluster workers were still processing - notices in some cases. (Seth Hall) - - * Added a configure option to specify the 'etc' directory. Addresses - #801. (Daniel Thayer) - - -2.0-306 | 2012-04-24 14:37:00 -0700 - - * Add further TLS extension values "extended_random" and - "heartbeat". (Seth Hall) - - * Fix problem with extracting FTP passwords and add "ftpuser" as - another anonymous username. (Seth Hall, discovered by Patrik - Lundin). - -2.0-303 | 2012-04-19 10:01:06 -0700 - - * Changes related to ICMPv6 Neighbor Discovery messages. (Jon Siwek) - - - The 'icmp_conn' record now contains an 'hlim' field since hop limit - in the IP header is an interesting field for at least these ND - messages. - - - Fixed and extended 'icmp_router_advertisement' event parameters. - - - Changed 'icmp_neighbor_advertisement' event parameters to add - more of the known boolean flags. - -2.0-301 | 2012-04-17 17:58:55 -0700 - - * Bro now support ICMPv6. (Matti Mantere, Jon Siwek, Robin Sommer, - Daniel Thayer). - - Overall, Bro now raises the following ICMP events for v4 and v6 as - appropiate: - - event icmp_sent(c: connection, icmp: icmp_conn); - event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string); - event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string); - event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context); - event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context); - event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count, context: icmp_context); - event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context); - event icmp_parameter_problem(c: connection, icmp: icmp_conn, code: count, context: icmp_context); - event icmp_router_solicitation(c: connection, icmp: icmp_conn); - event icmp_router_advertisement(c: connection, icmp: icmp_conn, hop_limit: count, managed: bool, router_lifetime: count, reachable_time: interval, retrans_timer: interval); - event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt:addr); - event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, tgt:addr); - event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr); - - The `icmp_conn` record got a new boolean field 'v6' that indicates - whether the ICMP message is v4 or v6. - - This change also includes further low-level work on existing IP - and ICMP code, including a reorganization of how ICMPv4 is - handled. - -2.0-281 | 2012-04-17 17:40:39 -0700 - - * Small updates for the bittorrent analyzer to support 64bit types - in binpac. (Seth Hall) - - * Removed the attempt at bittorrent resynchronization. (Seth Hall) - -2.0-276 | 2012-04-17 17:35:56 -0700 - - * Add more support for 's that lack some structure - definitions. (Jon Siwek) - -2.0-273 | 2012-04-16 18:08:56 -0700 - - * Removing QR flag from DNS log in response, which should not have - been there in the first place. (Seth Hall) - - * Sync up patricia.c/h with pysubnettree repo. (Daniel Thayer) - - * Adding missing leak groups to a couple tests. Also activating leak - checking for proxy in basic-cluster test. (Robin Sommer) - -2.0-267 | 2012-04-09 17:47:28 -0700 - - * Add support for mobile IPv6 Mobility Header (RFC 6275). (Jon - Siwek) - - - Enabled through a new --enable-mobile-ipv6 configure-time - option. If not enabled, the mobility header (routing type 2) and - Home Address Destination option are ignored. - - - Accessible at script-layer through 'mobile_ipv6_message' event. - - * Refactor IP_Hdr routing header handling, add MobileIPv6 Home - Address handling. Packets that use the Home Address Destination - option use that option's address as the connection's originator. - (Jon Siwek) - - * Revert TCP checksumming to cache common data, like it did before. - (Jon Siwek) - - * Improve handling of IPv6 routing type 0 extension headers. (Jon - Siwek) - - - flow_weird event with name argument value of "routing0_hdr" is raised - for packets containing an IPv6 routing type 0 header because this - type of header is now deprecated according to RFC 5095. - - - Packets with a routing type 0 header and non-zero segments left - now use the last address in that header in order to associate - with a connection/flow and for calculating TCP/UDP checksums. - - - Added a set of IPv4/IPv6 TCP/UDP checksum unit tests (Jon Siwek) - - * Fix table expiry for values assigned in bro_init() when reading - live. (Jon Siwek) - -2.0-257 | 2012-04-05 15:32:43 -0700 - - * Fix CMake from warning about unused ENABLE_PERFTOOLS_DEBUG - variable. (Jon Siwek) - - * Fix handling of IPv6 atomic fragments. (Jon Siwek) - - * Fix that prevents Bro processes that do neither local logging nor - request remote logs from spawning threads. (Robin Sommer) - - * Fixing perftools-debug support. (Robin Sommer) - - * Reverting SocketComm change tuning I/O behaviour. (Robin Sommer) - - * Adding notice_policy.log canonification for external tests. (Robin Sommer) - - -2.0-245 | 2012-04-04 17:25:20 -0700 - - * Internal restructuring of the logging framework: we now spawn - threads doing the I/O. From a user's perspective not much should - change, except that the OS may now show a bunch of Bro threads. - (Gilbert Clark and Robin Sommer). - - * When building Bro, we now always link in tcmalloc if it's found at - configure time. If it's installed but not picked up, - --with-perftools may help. (Robin Sommer) - - * Renaming the configure option --enable-perftools to - --enable-perftool-debug to indicate that the switch is only - relevant for debugging the heap. It's not needed to pick up - tcmalloc for better performance. (Robin Sommer) - -2.0-184 | 2012-03-28 15:11:11 -0700 - - * Improve handling of IPv6 Routing Type 0 headers. (Jon Siwek) - - - For RH0 headers with non-zero segments left, a - "routing0_segleft" flow_weird event is raised (with a - destination indicating the last address in the routing header), - and an "rh0_segleft" event can also be handled if the other - contents of the packet header are of interest. No further - analysis is done as the complexity required to correctly - identify destination endpoints of connections doesn't seem worth - it as RH0 has been deprecated by RFC 5095. - - - For RH0 headers without any segments left, a "routing0_header" - flow_weird event is raised, but further analysis still occurs as - normal. - -2.0-182 | 2012-03-28 15:01:57 -0700 - - * Remove dead tcp_checksum function from net_util. (Jon Siwek) - - * Change routing0_data_to_addrs BIF to return vector of addresses. - The order of addresses in type 0 routing headers is - interesting/important. (Jon Siwek) - - -2.0-179 | 2012-03-23 17:43:31 -0700 - - * Remove the default "tcp or udp or icmp" filter. In default mode, - Bro would load the packet filter script framework which installs a - filter that allows all packets, but in bare mode (the -b option), - this old filter would not follow IPv6 protocol chains and thus - filter out packets with extension headers. (Jon Siwek) - - * Update PacketFilter/Discarder code for IP version independence. - (Jon Siwek) - - * Fix some IPv6 header related bugs. (Jon Siwek) - - * Add IPv6 fragment reassembly. (Jon Siwek) - - * Add handling for IPv6 extension header chains. Addresses #531. - (Jon Siwek) - - - The script-layer 'pkt_hdr' type is extended with a new 'ip6' field - representing the full IPv6 header chain. - - - The 'new_packet' event is now raised for IPv6 packets. Addresses - #523. - - - A new event called 'ipv6_ext_header' is raised for any IPv6 - packet containing extension headers. - - - A new event called 'esp_packet' is raised for any packets using - ESP ('new_packet' and 'ipv6_ext_header' events provide - connection info, but that info can't be provided here since the - upper-layer payload is encrypted). - - - The 'unknown_protocol' weird is now raised more reliably when - Bro sees a transport protocol or IPv6 extension header it can't - handle. Addresses #522. - - * Add unit tests for IPv6 fragment reassembly, ipv6_ext_headers and - esp_packet events. (Jon Siwek) - - * Adapt FreeBSD's inet_ntop implementation for internal use. Now we - get consistent text representations of IPv6 addresses across - platforms. (Jon Siwek) - - * Update documentation for new syntax of IPv6 literals. (Jon Siwek) - - -2.0-150 | 2012-03-13 16:16:22 -0700 - - * Changing the regular expression to allow Site::local_nets in - signatures. (Julien Sentier) - - * Removing a line of dead code. Found by . Closes #786. (Julien - Sentier) - -2.0-146 | 2012-03-13 15:39:38 -0700 - - * Change IPv6 literal constant syntax to require encasing square - brackets. (Jon Siwek) - -2.0-145 | 2012-03-09 15:10:35 -0800 - - * Remove the match expression. 'match' and 'using' are no longer - keywords. Addressed #753. (Jon Siwek) - -2.0-143 | 2012-03-09 15:07:42 -0800 - - * Fix a BRO_PROFILER_FILE/mkstemp portability issue. Addresses #794. - (Jon Siwek) - -2.0-139 | 2012-03-02 09:33:04 -0800 - - * Changes to how script coverage integrates with test suites. (Jon Siwek) - - - BRO_PROFILER_FILE now passes .X* templated filenames to mkstemp - for generating unique coverage state files. - - - Rearranging Makefile targets. The general rule is that if the - all/brief target fails out due to a test failure, then the dependent - coverage target won't run, but can still be invoked directly later. - (e.g. make brief || make coverage) - - * Standardized on the &default function for SSL constants. (Seth - Hall) - - * Adding btest group "leaks" to leak tests. (Robin Sommer) - - * Adding btest group "comm" to communication tests for parallelizing - execution with new btest version. (Robin Sommer) - - * Sorting all output for diffing in the external tests. (Robin - Sommer) - - * Cleaned up dead code from the old SSL analyzers. Reported by - Julien Sentier. (Seth Hall) - - * Update/add tests for broccoli IPv6 addr/subnet support. Addresses - #448. (Jon Siwek) - - * Remove connection compressor. Addresses #559. (Jon Siwek) - - * Refactor IP_Hdr class ctors. Addresses #532. (Jon Siwek) - - -2.0-121 | 2012-02-24 16:34:17 -0800 - - * A number of smaller memory fixes and code cleanups. (Julien - Sentier) - - * Add to_subnet bif. Fixes #782). (Jon Siwek) - - * Fix IPAddr::Mask/ReverseMask not allowing argument of 0. (Jon - Siwek) - - * Refactor IPAddr v4 initialization from string. Fixes #775. (Jon Siwek) - - * Parse the dotted address string directly instead of canonicalizing - and passing to inet_pton. (Jon Siwek) - - -2.0-108 | 2012-02-24 15:21:07 -0800 - - * Refactoring a number of usages of new IPAddr class. (Jon Siwek) - - * Fixed a bug in remask_addr bif. (Jon Siwek) - -2.0-106 | 2012-02-24 15:02:20 -0800 - - * Raise minimum required CMake version to 2.6.3. (Jon Siwek) - -2.0-104 | 2012-02-24 14:59:12 -0800 - - * Add test case for FTP over IPv4. (Daniel Thayer) - - * Fix IPv6 URLs in ftp.log. (Daniel Thayer) - - * Add a test for FTP over IPv6 (Daniel Thayer) - - * Fix parsing of FTP EPRT command and EPSV response. (Daniel Thayer) - -2.0-95 | 2012-02-22 05:27:34 -0800 - - * GeoIP installation documentation update. (Seth Hall) - - * Decrease strictness of parsing IPv4 strings into addrs. Fixes #775. (Jon Siwek) - - * Fix memory leak in DNS manager. Fixes #777. (Jon Siwek) - - * Fix IPAddr/IPPrefix serialization bugs. (Jon Siwek) - - * Fix compile error. (Jon Siwek) - -2.0-86 | 2012-02-17 15:41:06 -0800 - - * Changing ARP detection to always kick in even if no analyzer is - activated. (Robin Sommer) - - * DNS name lookups performed by Bro now also query AAAA records. - DNS_Mgr handles combining the results of the A and AAAA queries - for a given hostname such that at the scripting layer, the name - resolution can yield a set with both IPv4 and IPv6 addresses. (Jon - Siwek) - - * Add counts_to_addr and addr_to_counts conversion BIFs. (Jon Siwek) - - * Change HashKey threshold for using H3 to 36 bytes. (Jon Siwek) - - * Remove mention of --enable-brov6 in docs. (Daniel Thayer) - - * Remove --enable-brov6 from configure usage text (Daniel Thayer) - - * Add a test and baseline for addr_to_ptr_name BiF. (Daniel Thayer) - - * Adding a test and baseline for ptr_name_to_addr BiF. (Seth Hall) - - * Fix the ptr_name_to_addr BiF to work with IPv6 (Daniel Thayer) - - * Fix a memory leak that perftools now complains about. (Jon Siwek) - - * Remove --enable-brov6 flag, IPv6 now supported by default. (Jon Siwek) - - Some script-layer changes of note: - - - dns_AAAA_reply event signature changed: the string representation - of an IPv6 addr is easily derived from the addr value, it doesn't - need to be another parameter. This event also now generated directly - by the DNS analyzer instead of being "faked" into a dns_A_reply event. - - - Removed addr_to_count BIF. It used to return the host-order - count representation of IPv4 addresses only. To make it more - generic, we might later add a BIF to return a vector of counts - in order to support IPv6. - - - Changed the result of enclosing addr variables in vertical pipes - (e.g. |my_addr|) to return the bit-width of the address type which - is 128 for IPv6 and 32 for IPv4. It used to function the same - way as addr_to_count mentioned above. - - - Remove bro_has_ipv6 BIF - -2.0-57 | 2012-02-10 00:02:35 -0800 - - * Fix typos in the documentation. (Daniel Thayer) - - * Fix compiler warning about Brofiler ctor init list order. (Jon Siwek) - - * Fix missing optional field access in webapp signature_match handler. (Jon Siwek) - -2.0-41 | 2012-02-03 04:10:53 -0500 - - * Updates to the Software framework to simplify the API. (Bernhard - Amann) - -2.0-40 | 2012-02-03 01:55:27 -0800 - - * Fix typos in documentation. (Daniel Thayer) - - * Fix sorting of lines in Brofiler coverage.log. (Daniel Thayer) - -2.0-38 | 2012-01-31 11:50:53 -0800 - - * Canonify sorting of lines in Brofiler coverage.log. (Daniel - Thayer) - -2.0-36 | 2012-01-27 10:38:14 -0800 - - * New "Brofiler" mode that tracks and records script statements - executed during runtime. (Jon Siwek) - - Use the BROFILER_FILE environment variable to point to a file in - which statement usage statistics from Bro script-layer can be - output. - - Script statements that should be ignored can be marked with a "# - @no-test" comment. For example: - - print "don't cover"; # @no-test - - if ( F ) - { # @no-test - ... - } - - * Integrated coverage measurement into test-suite. (Jon Siwek) - -2.0-20 | 2012-01-25 16:34:51 -0800 - - * BiF cleanup (Matthias Vallentin) - - - Rename NFS3::mode2string to a more generic file_mode(). - - - Unify do_profiling()/make_connection_persistent()/expect_connection() - to return any (i.e., nothing) instead of bools. - - - Perform type checking on count-to-port conversion. Related to #684. - - - Remove redundant connection_record() BiF. The same - functionality is provided by lookup_connection(). - - - Remove redundant active_connection() BiF. The same - functionality is provided by connection_exists(). - - - exit() now takes the exit code as argument. - - - to_port() now received a string instead of a count. - -2.0-9 | 2012-01-25 13:47:13 -0800 - - * Allow local table variables to be initialized with {} list - expressions. (Jon Siwek) - -2.0-7 | 2012-01-25 13:38:09 -0800 - - * Teach CompHash to allow indexing by records with vector/table/set - fields. Addresses #464. (Jon Siwek) - -2.0-5 | 2012-01-25 13:25:19 -0800 - - * Fixed a bug resulting in over-logging of detected webapps. (Seth Hall) - - * Make communication log baseline test more reliable. (Jon Siwek) - - * Fixed some broken links in documentation. (Daniel Thayer) - -2.0 | 2012-01-11 13:52:22 -0800 - - * Adding script reference documentation. (The Team). - -2.0-beta-194 | 2012-01-10 10:44:32 -0800 - - * Added an option for filtering out URLs before they are turned into - HTTP::Incorrect_File_Type notices. (Seth Hall) - - * Fix ref counting bug in BIFs that call internal_type. Addresses - #740. (Jon Siwek) - - * Adding back the stats.bro file. (Seth Hall) - - -2.0-beta-188 | 2012-01-10 09:49:29 -0800 - - * Change SFTP/SCP log rotators to use 4-digit year in filenames - Fixes #745. (Jon Siwek) - - * Adding back the stats.bro file. Addresses #656. (Seth Hall) - -2.0-beta-185 | 2012-01-09 18:00:50 -0800 - - * Tweaks for OpenBSD support. (Jon Siwek) - -2.0-beta-181 | 2012-01-08 20:49:04 -0800 - - * Add SFTP log postprocessor that transfers logs to remote hosts. - Addresses #737. (Jon Siwek) - - * Add FAQ entry about disabling NIC offloading features. (Jon Siwek) - - * Add a file NEWS with release notes. (Robin Sommer) - -2.0-beta-177 | 2012-01-05 15:01:07 -0800 - - * Replace the --snaplen/-l command line option with a - scripting-layer option called "snaplen" (which can also be - redefined on the command line, e.g. `bro -i eth0 snaplen=65535`). - - * Reduce snaplen default from 65535 to old default of 8192. Fixes - #720. (Jon Siwek) - -2.0-beta-174 | 2012-01-04 12:47:10 -0800 - - * SSL improvements. (Seth Hall) - - - Added the ssl_session_ticket_handshake event back. - - - Fixed a few bugs. - - - Removed the SSLv2.cc file since it's not used. - -2.0-beta-169 | 2012-01-04 12:44:39 -0800 - - * Tuning the pretty-printed alarm mails, which now include the - covered time range into the subject. (Robin Sommer) - - * Adding top-level "test" target to Makefile. (Robin Sommer) - - * Adding SWIG as dependency to INSTALL. (Robin Sommer) - -2.0-beta-155 | 2012-01-03 15:42:32 -0800 - - * Remove dead code related to record type inheritance. (Jon Siwek) - -2.0-beta-152 | 2012-01-03 14:51:34 -0800 - - * Notices now record the transport-layer protocol. (Bernhard Amann) - -2.0-beta-150 | 2012-01-03 14:42:45 -0800 - - * CMake 2.6 top-level 'install' target compat. Fixes #729. (Jon Siwek) - - * Minor fixes to test process. Addresses #298. - - * Increase timeout interval of communication-related btests. (Jon Siwek) - -2.0-beta-145 | 2011-12-19 11:37:15 -0800 - - * Empty fields are now logged as "(empty)" by default. (Robin - Sommer) - - * In log headers, only escape information when necessary. (Robin - Sommer) - -2.0-beta-139 | 2011-12-19 07:06:29 -0800 - - * The hostname notice email extension works now, plus a general - mechanism for adding delayed information to notices. (Seth Hall) - - * Fix &default fields in records not being initialized in coerced - assignments. Addresses #722. (Jon Siwek) - - * Make log headers include the type of data stored inside a set or - vector ("vector[string]"). (Bernhard Amann) - -2.0-beta-126 | 2011-12-18 15:18:05 -0800 - - * DNS updates. (Seth Hall) - - - Fixed some bugs with capturing data in the base DNS script. - - - Answers and TTLs are now vectors. - - - A warning that was being generated (dns_reply_seen_after_done) - from transaction ID reuse is fixed. - - * SSL updates. (Seth Hall) - - - Added is_orig fields to the SSL events and adapted script. - - - Added a field named last_alert to the SSL log. - - - The x509_certificate function has an is_orig field now instead - of is_server and its position in the argument list has moved. - - - A bit of reorganization and cleanup in the core analyzer. (Seth - Hall) - -2.0-beta-121 | 2011-12-18 15:10:15 -0800 - - * Enable warnings for malformed Broxygen xref roles. (Jon Siwek) - - * Fix Broxygen confusing scoped IDs at start of line as function - parameter. (Jon Siwek) - - * Allow Broxygen markup "##<" for more general use. (Jon Siwek) - -2.0-beta-116 | 2011-12-16 02:38:27 -0800 - - * Cleanup some misc Broxygen css/js stuff. (Jon Siwek) - - * Add search box to Broxygen docs. Fixes #726. (Jon Siwek) - - * Fixed major bug with cluster synchronization, which was not - working. (Seth Hall) - - * Fix missing action in notice policy for looking up GeoIP data. - (Jon Siwek) - - * Better persistent state configuration warning messages (fixes - #433). (Jon Siwek) - - * Renaming HTTP::SQL_Injection_Attack_Against to - HTTP::SQL_Injection_Victim. (Seth Hall). - - * Fixed DPD signatures for IRC. Fixes #311. (Seth Hall) - - * Removing Off_Port_Protocol_Found notice. (Seth Hall) - - * Teach Broxygen to more generally reference attribute values by name. (Jon Siwek) - - * SSH::Interesting_Hostname_Login cleanup. Fixes #664. (Seth Hall) - - * Fixed bug that was causing the malware hash registry script to - break. (Seth Hall) - - * Remove remnant of libmagic optionality. (Jon Siwek) - -2.0-beta-98 | 2011-12-07 08:12:08 -0800 - - * Adapting test-suite's diff-all so that it expands globs in both - current and baseline directory. Closes #677. (Robin Sommer) - -2.0-beta-97 | 2011-12-06 11:49:29 -0800 - - * Omit loading local-.bro scripts from base cluster framework. - Addresses #663 (Jon Siwek) - -2.0-beta-94 | 2011-12-03 15:57:19 -0800 - - * Adapting attribute serialization when talking to Broccoli. (Robin - Sommer) - -2.0-beta-92 | 2011-12-03 15:56:03 -0800 - - * Changes to Broxygen master script package index. (Jon Siwek) - - - Now only lists packages as those directories in the script hierarchy - that contain an __load__.bro file. - - - Script packages (dirs with a __load__.bro file), can now include - a README (in reST format) that will automatically be appended - under the link to a specific package in the master package - index. - -2.0-beta-88 | 2011-12-02 17:00:58 -0800 - - * Teach LogWriterAscii to use BRO_LOG_SUFFIX environemt variable. - Addresses #704. (Jon Siwek) - - * Fix double-free of DNS_Mgr_Request object. Addresses #661. - - * Add a remote_log_peer event which comes with an event_peer record - parameter. Addresses #493. (Jon Siwek) - - * Remove example redef of SMTP::entity_excerpt_len from local.bro. - Fixes error emitted when loading local.bro in bare mode. (Jon - Siwek) - - * Add missing doc targets to top Makefile; remove old doc/Makefile. - Fixes #705. (Jon Siwek) - - * Turn some globals into constants. Addresses #633. (Seth Hall) - - * Rearrange packet filter and DPD documentation. (Jon Siwek) - -2.0-beta-72 | 2011-11-30 20:16:09 -0800 - - * Fine-tuning the Sphinx layout to better match www. (Jon Siwek and - Robin Sommer) - -2.0-beta-69 | 2011-11-29 16:55:31 -0800 - - * Fixing ASCII logger to escape the unset-field place holder if - written out literally. (Robin Sommer) - -2.0-beta-68 | 2011-11-29 15:23:12 -0800 - - * Lots of documentation polishing. (Jon Siwek) - - * Teach Broxygen the ".. bro:see::" directive. (Jon Siwek) - - * Teach Broxygen :bro:see: role for referencing any identifier in - the Bro domain. (Jon Siwek) - - * Teach Broxygen to generate an index of Bro notices. (Jon Siwek) - - * Fix order of include directories. (Jon Siwek) - - * Catch if logged vectors do not contain only atomic types. - (Bernhard Amann) - -2.0-beta-47 | 2011-11-16 08:24:33 -0800 - - * Catch if logged sets do not contain only atomic types. (Bernhard - Amann) - - * Promote libz and libmagic to required dependencies. (Jon Siwek) - - * Fix parallel make from top-level to work on more platforms. (Jon - Siwek) - - * Add decode_base64_custom(). Addresses #670 (Jon Siwek) - - * A bunch of Sphinx-doc reorgs and polishing. (Jon Siwek) - -2.0-beta-28 | 2011-11-14 20:09:28 -0800 - - * Binary packaging script tweaks. We now require CMake 2.8.6. (Jon Siwek) - - * More default "weird" tuning for the "SYN_with_data" notice. (Seth - Hall) - - * Tiny bugfix for http file extraction along with test. (Seth Hall) - -2.0-beta-21 | 2011-11-06 19:27:22 -0800 - - * Quickstart doc fixes. (Jon Siwek) - -2.0-beta-19 | 2011-11-03 17:41:00 -0700 - - * Fixing packet filter test. (Robin Sommer) - -2.0-beta-12 | 2011-11-03 15:21:08 -0700 - - * No longer write to the PacketFilter::LOG stream if not reading - traffic. (Seth Hall) - -2.0-beta-10 | 2011-11-03 15:17:08 -0700 - - * Notice framework documentation update. (Seth Hall) - - * Fixing compiler warnings (addresses #388) (Jon Siwek) - -2.0-beta | 2011-10-27 17:46:28 -0700 - - * Preliminary fix for SSH login detection: we need a counted measure - of payload bytes (not ack tracking and not with the IP header - which is what we have now). (Seth Hall) - - * Fixing send_id() problem. We no longer update &redef functions. - Updating code on the fly isn't fully supported. (Robin Sommer) - - * Tuning the format of the pretty-printed alarm summaries. (Robin - Sommer) - -1.6-dev-1508 | 2011-10-26 17:24:50 -0700 - - * Updating submodule(s). (Robin Sommer) - -1.6-dev-1507 | 2011-10-26 15:10:18 -0700 - - * Baseline updates. (Robin Sommer) - -1.6-dev-1506 | 2011-10-26 14:48:43 -0700 - - * Updating submodule(s). (Robin Sommer) - -1.6-dev-1505 | 2011-10-26 14:43:58 -0700 - - * A new base script that pretty-prints alarms in the regular - summary. (Robin Sommer) - - * Adding a dummy log writer WRITER_NONE that just discards - everything. (Robin Sommer) - -1.6-dev-1498 | 2011-10-26 14:30:15 -0700 - - * Adding instructions to local.bro how to do ACTION_ALARM by - default. (Seth Hall) - -1.6-dev-1495 | 2011-10-26 10:15:58 -0500 - - * Updated unit test baselines. (Seth Hall) - -1.6-dev-1491 | 2011-10-25 20:22:56 -0700 - - * Updating submodule(s). (Robin Sommer) - -1.6-dev-1482 | 2011-10-25 19:08:32 -0700 - - * Fixing bug in log managers predicate evaluation. (Robin Sommer) - -1.6-dev-1481 | 2011-10-25 18:17:03 -0700 - - * Fix a problem with DNS servers being logged that aren't actually - servers. (Seth Hall) - - * Changed generated root cert DN format for RFC2253 compliance. (Jon - Siwek) - - * Removed :bro doc directives from notice documentation. (Seth Hall) - - * New notice framework docs. (Seth Hall) - - * Adding sub messages to emails. (Seth Hall) - - * Adding extra fields to smtp and http to track transaction depth. - (Seth Hall) - - * Fix for SSH login detection heuristic. (Seth Hall) - - * Removed some fields from http analysis that weren't commonly - needed or were wrong. (Seth Hall) - - * Updated/fixed MSIE version parsing in the software framework. - (Seth Hall) - - * Update Mozilla trust roots to index certs by subject distinguished - name. (Jon Siwek) - - * weird.bro rewrite. (Seth Hall) - - * More notice email tuning. (Seth Hall) - - * Slightly restructured http file hashing to fix a bug. (Seth Hall) - - * Changed the notice name for interesting ssh logins to correctly - reflect semantics of the notice. (Seth Hall) - - * Field name change to notice framwork. $result -> $action - - - $result is renamed to $action to reflect changes to the notice - framework since there is already another result-like field - ($suppress_for) and there may be more in the future. - - - Slipped in a change to add connection information to notice - emails too. (Seth Hall) - - * Small script refinements and documentation updates. (Seth Hall) - - * Pass over upgrade guide. (Robin Sommer) - - -1.6-dev-1430 | 2011-10-21 10:39:09 -0700 - - * Fixing crash with unknown debug streams. Closes #643. (Robin - Sommer) - - * Code to better handle interpreter errors, which can now be turned - into non-fatal runtime errors rather than immediate aborts. (Robin - Sommer). - - * Remove old make-src-packages script. (Jon Siwek) - - * Fixing a bunch of format strings. Closes #567. (Robin Sommer) - - * Cleaning up some distribution files. (Robin Sommer) - - * Various test, doc, and installation fixes/tweaks. (Seth Hall, Jon - Siwek and Robin Sommer). - - * Varios smaller policy fixes and tweaks (Seth Hall). - - * Moving docs from web server into distribution. (Robin Sommer) - - * Fixing more (small) memory leaks. (Robin Sommer) - - * Profiling support for DNS_Mgr and triggers. With - misc/profiling.bro, both now report a line in prof.log with some - counters on usage. (Robin Sommer) - - * Fixing DNS memory leaks. Closes #534. (Robin Sommer) - - * Fix code for disabling analyzers. Closes #577. (Robin Sommer) - - * Changed communication option from listen_encrypted to listen_ssl. - (Seth Hall) - - * Modification to the Communication framework API. (Seth Hall) - - - Simplified the communication API and made it easier to change - to encrypted connections by not having separate variables to - define encrypted and unencrypted ports. - - - Now, to enable listening without configuring nodes just - load the frameworks/communication/listen script. - - - If encrypted listening is desired set the following: - redef Communication::listen_encrypted=T; - - * Connection compressor now disabled by default. Addresses #559. - (Robin Sommer) - - -1.6-dev-1372 | 2011-10-06 18:09:17 -0700 - - * Filtering some potentially high-volume DNS weirds. (Robin Sommer) - - * DNS now raises DPD events. Closes #577. (Robin Sommer) - - * Fixing a bunch of compiler warnings. (Robin Sommer) - - * Remote logs are auto-flushed if the last write was longer than a - second ago. Addresses #498. (Robin Sommer) - - * Fix missing from previous MIME commit. (Robin Sommer) - -1.6-dev-1366 | 2011-10-06 17:05:21 -0700 - - * Make CompHash computation/recovery for functions deterministic. - Closes #636. (Jon Siwek) - - * Removing unnecessary @load in local.bro. (Robin Sommer) - - * Optimizing some MIME code. (Robin Sommer) - - * Speed improvements in logging code. (Robin Sommer) - - * Consolidating some node-specific functionality from scripts in - broctl repo. (Jon Siwek) - - * Another fix the for 1xx script code. (Robin Sommer) - -1.6-dev-1352 | 2011-10-05 16:20:51 -0700 - - * Fix for optional HTTP::Info status_code. (Jon Siwek) - - * Teaking some external testing scripts. (Jon Siwek) - - * HTTP bug fix reported by Martin Holste. (Seth Hall) - - * More script tuning. (Seth Hall) - - - Moved some of the weird events back to the base/ directory. - - - SSL fixes, updates, and performance optimization. - - * More adjustment to reduce Weird volumes. (Seth Hall) - - * Fixed an error when calculating x509 certificate hashes (reported - by Martin Holste). (Seth Hall) - - * Clean up to cluster framework to make event handling clearer. - (Seth Hall) - - * Fixed a bug in the notice framework. (Seth Hall) - - * Bug fix for FTP analysis script. (Seth Hall) - -1.6-dev-1333 | 2011-09-29 22:29:51 -0700 - - * Fixing a number of memory leaks. (Robin Sommer) - - * Loaded_scripts.log is indented with spaces now and makes more - sense to look at. (Seth Hall) - - * Teach HTTP parser to derive content length of multipart/byteranges - bodies. Addresses #488. (Jon Siwek) - - * Change logging of HTTP 1xx responses to occur in their own - columns. Addresses #411. (Jon Siwek) - - * Fix handling of HTTP 1xx response codes. Addresses #411). - - * Taking advantage of yet another trick to get installed browser - plugins. (Seth Hall) - - - With the software-browser-plugins script you can watch for Omniture - advertising servers to grab the list of installed plugins. - - - I reorganized the plugin detection a bit too to abstract it better. - - - Removed the WEB_ prefix from all of the Software::Type HTTP enums. - They were essentially redundant due to the full name already being - HTTP::SERVER (for example). - -1.6-dev-1316 | 2011-09-28 16:50:05 -0700 - - * Unit test cleanup. Updated README and collected coverage-related - tests in a common dir. (Jon Siwek) - - * Fixes for known-services. (Seth Hall) - - * Ported and 2.0ized the capture-loss script. (Seth Hall) - - * Communication fix and extension.(Robin Sommer) - - - Removing unnecessary log flushing. Closes #498. - - - Adding new BiF disconnect() that shuts a connection to a peer down. - - - terminate_connection() now first flushes any still buffered log - messages. - - * Fix for high SSL memory usage by adding &transient attribute to - top-level SSL pac array type. Closes #574. (Robin Sommer) - - * Fix a small bug in the metrics framework. (Seth Hall) - - * Temporarily removing scripts that aren't ready to be included. - Will return before next release. (Seth Hall) - - * New SSL policy scripts. (Seth Hall) - - - protocols/ssl/expiring-certs uses time based information from - certificates to determine if they will expire soon, have already - expired, or haven't yet become valid. - - - protocols/ssl/extract-certs-pem is a script for taking certs off - the line and converting them to PEM certificates with the openssl - command line tool then dumping them to a file. - - * Notice::type_suppression_intervals: table[Notice::Type] of - interval can be used to modify the suppression intervals for - entire types of notices. (Seth Hall) - - * EOF SSL protocol violations are only generated a single time now. - (Seth Hall) - - * Script level fixes. (Seth Hall) - - - Fixed a type name conflict in the Known namespace. - - - Fixed a DPD framework bug that was causing Reporter messages. - - - Fixed the notice_policy log. - - - Predicate functions are now logged. - - - Predicate functions are now optional. If not given, it's assumed that - the result should always apply. (Seth Hall) - - - Fix a problem with accidental and mistaken HTTP log lines. - -1.6-dev-1293 | 2011-09-22 19:44:37 -0700 - - * Smaller script tweaks. (Seth Hall) - - * Duplicate notice suppression. (Seth Hall) - - - Duplicate notices are discovered with the new Notice::Info - field $identifier. It's a string that is left up to the - notice implementor to define which would indicate a - fundamentally duplicate notice. The field is optional and - if it's not included it's not possible for notice - suppression to take place. - - - Duplicate notices are suppressed by default for the interval - defined by the Notice::default_suppression_interval variable - (1 hour by default). - - - A new notice action was defined ACTION_NO_SUPPRESS to prevent - suppression for a specific notice instance. A convenience set - named not_suppressed_types was also created to not suppress - entire notice types. - - - A new field was added to the PolicyItem type to modify the length - of time a notice should be suppressed if the predicate matches. - The field is named $suppress_for. This name makes the code more - readable like this: $suppress_for = 1day - - - New events were created to give visibility into the notice - framework's suppression activity. - - event Notice::begin_suppression(n: Notice::Info) - - event Notice::suppressed(n: Notice::Info) - - event Notice::end_suppression(n: Notice::Info) - - - The suppression.bro script doesn't have a baseline because - it is causing a segfault in Bro. This one test is the - reason that this is being integrated into a branch instead - of master. (Seth Hall) - - * Fix crash on exit. Addresses #607. (Jon Siwek) - - * Fix PktSrc setting next_timestamp even when no packet available. - (Jon Siwek) - - * Fix lack of NUL-termination in to_upper/to_lower BIF's return val. - (Jon Siwek) - - * Fixing unit tests and some minor bugs. (Jon Siwek) - - * Fix broctl cluster log rotation. Addresses #619. (Jon Siwek) - - * Added session ID to the SSL logging. (Seth Hall) - - * Adding "install-aux" target + updating bro-aux submodule. (Jon - Siwek) - - * Cleaning up INSTALL and README. (Jon Siwek) - - * Remove $Id$ tags. (Jon Siwek) - - * Remove policy.old directory. Addresses #511. (Jon Siwek) - - * Small rework with ssl base script to reduce memory usage. (Seth - Hall) - - * Updated the mozilla root certs. (Seth Hall) - -1.6-dev-1261 | 2011-09-15 17:13:55 -0700 - - * Memory leak fixes. Addresses #574 (Jon Siwek) - - * Add configure options for ruby/bindings integration. (Jon Siwek) - - * Fix filter path_func to allow record argument as a subset of - stream's columns. Addresses #600. (Jon Siwek) - - * Log rotation is now controlled directly through Filter records. (Jon Siwek) - - * Fix indexing for record types with optional fields. Addresses #378 - (Jon Siwek) - -1.6-dev-1248 | 2011-09-15 16:01:32 -0700 - - * Removed custom malloc() implementation for FreeBSD. Closes #557. - (Jon Siwek) - - * Testing/external scripts no longer compute MD5 checksums for SMTP - entities. (Robin Sommer) - - * External tests no longer include the full content of mismatching - files in the diagnostics output. (Robin Sommer) - -1.6-dev-1241 | 2011-09-14 22:51:52 -0400 - - * Fixing a major memory utilization issues with SSL analysis. (Seth - Hall) - - * Enhancements to HTTP analysis: (Seth Hall) - - - More options for the header-names.bro script. - - - New script for logging header names and values. Closes #519. - (Seth Hall) - - - HTTP body size measurement added to http.log. - - - The value of the content-length headers has now been removed - in the default output but it could be added back locally at an - installation by a user. - - - Added fields to indicate if some parsing interruption happened - during the body transfer. Closes #581 (Seth Hall) - - * Misc smaller usability and correctness updates: (Seth Hall) - - - Removed an notice definition from the base SSL scripts. - - - Moved a logging stream ID into the export section for known-services - and bumped priority for creating the stream. - - - Adding configuration knobs for the SQL injection attack detection - script and renaming the HTTP::SQL_Injection_Attack notice to - HTTP::SQL_Injection_Attack_Against - - - Bumped priority when creating Known::CERTS_LOG. - - - Fixing a warning from the cluster framework. (Seth Hall) - - * Bugfix for log writer, which didn't escape binary stuff in some - situations. Closes #585. (Robin Sommer) - - * A larget set of changes to the testing/external infrastructure. - The traces for external test-suites are no longer kept inside the - repositories themselves but downloaded separately via curl. This - is because git is pretty bad at dealing with large files. See the - README for more information. (Robin Sommer) - -1.6-dev-1221 | 2011-09-08 08:41:17 -0700 - - * Updates for documentation framework and script docs. (Jon Siwek) - - * The script level PF_RING support isn't working so removing it. - (Seth Hall) - - * Delete SSL certificates from memory after ssl_established event. - (Seth Hall) - - * Small fixes for SSL analysis. (Seth Hall) - -1.6-dev-1212 | 2011-09-07 16:15:28 -0700 - - * Internally, the UID generation can now return values from - different pool for better reproducability in testing mode. - (Gilbert Clark). - - * Added new BiF unique_id_from(pool: string, prefix: string) that - allows the user to specify a randomness pool. (Gilbert Clark) - -1.6-dev-1198 | 2011-09-07 11:03:36 -0700 - - * Extended header for ASCII log that make it easier for scripts to - parse Bro log files. (Gilbert Clark) - - * Potential fix for rotation crashes. Addresses #588. (Robin Sommer) - - * Added PF_RING load balancing support to the scripting layer, - enabled by loading the misc/pf-ring-load-balancing script. (Seth - Hall) - - * Added a BiF setenv() for setting environment variables. (Seth - Hall) - -1.6-dev-1184 | 2011-09-04 09:34:50 -0700 - - * FindPCAP now links against thread library when necessary (e.g. - PF_RING's libpcap). (Jon Siwek) - - * Install binaries with an RPATH. (Jon Siwek) - - * Fix for a case where nested records weren't coerced even though - possible. (Jon Siwek) - - * Changed ASCII writer to delay creation of log after rotation until - next write. - - * Changed default snaplen to 65535 and added a -l/--snaplen command - line option to set it explicitly. Addresses #447. (Jon Siwek) - - * Various updates to logging framework. (Seth Hall) - - * Changed presentation of enum labels to include namespace. (Jon - Siwek) - - * HTTP analyzer is now enabled with any of the HTTP events. (Seth - Hall) - - * Fixed missing format string that caused some segfaults. (Gregor - Maier) - - * ASCII writer nows prints time interval with 6 decimal places. - (Gregor Maier) - - * Added a Reporter::fatal BIF. (Jon Siwek) - - * Fixes for GeoIP support. Addresses #538. (Jon Siwek) - - * Fixed excessive memory usage of SSL analyzer on connections with - gaps. (Gregor Maier) - - * Added a log postprocessing function that can SCP rotated logs to - remote hosts. (Jon Siwek) - - * Added a BiF for getting the current Bro version string. (Jon - Siwek) - - * Misc. doc/script/test cleanup. (Jon Siwek) - - * Fixed bare-mode @load dependency problems. (Jon Siwek) - - * Fixed check_for_unused_event_handlers option. (Jon Siwek) - - * Fixing some more bare-mode @load dependency issues (Jon Siwek) - - * Reorganizing btest/policy directory to match new scripts/ - organization. Addresses #545 (Jon Siwek) - - * bro scripts generated from bifs now install to - $prefix/share/bro/base. Addresses #545 (Jon Siwek) - - * Changeed/fixed some cluster script error reporting. (Jon Siwek) - - * Various script normalization. (Jon Siwek) - - * Add a test that checks each individual script can be loaded in - bare-mode. Adressess #545. (Jon Siwek) - - * Tune when c$conn is set. Addresses #554. (Gregor Maier) - - * Add ConnSize_Analyzer's fields to conn.log. (Gregor Maier) - - * Fixing bug in "interesting hostnames" detection. (Seth Hall) - - * Adding metrics framework intermediate updates. (Seth Hall) - -1.6-dev-1120 | 2011-08-19 19:00:15 -0700 - - * Fix for the CompHash fix. (Robin Sommer) - -1.6-dev-1118 | 2011-08-18 14:11:55 -0700 - - * Fixing key size calculation in composite hash code. (Robin Sommer) - -1.6-dev-1116 | 2011-08-18 10:05:07 -0700 - - * Remove the 'net' type from Bro (addresses #535). - - * Fix H3 assumption of an 8-bit byte/char. (Jon Siwek) - - * Allow reading from interface without additional script arguments. - Explicitly passing in '-' as an additional command line argument - still allows reading a script from stdin. (Jon Siwek) - - * SSH bruteforcing detection now done with metrics framework. (Seth - Hall) - - * Updates for SQL injection attack detection to match the metrics - framework updates. (Seth Hall) - - * Metrics framework now works on cluster setups. (Seth Hall) - - * Reclassifying more DNS manager errors as non-fatal errors. (Robin - Sommer) - - * Fix ConnSize_Analyzer when used in conjunction with connection - compressor. (Gregor Maier) - - * Fix reporter using part of the actual message as a format string. - (Jon Siwek) - -1.6-dev-1095 | 2011-08-13 11:59:07 -0700 - - * A larger number of script documentation updates. Closes #543. (Jon - Siwek) - - * Workaround for FreeBSD CMake port missing debug flags. (Jon Siwek) - - * piped_exec() can now deal with null bytes. (Seth Hall) - - * Fix vector initialization for lists of records with optional - types. Closes #485. (Jon Siwek) - - * Fix redef'ing records with &default empty set fields. Closes #460. - (Jon Siwek) - - * Fix ConnSize_Analyzer when used in conjunction with the connection - compressor. (Gregor Maier) - - * Fix reporter using part of the actual message as a format string. - (Jon Siwek) - - * Fixing reporter's location tracking. Closes #492. (Robin Sommer) - - * Turning DNS errors into warnings. Closes #255. (Robin Sommer) - - * Logging's path_func now receives the log record as argument. - Closes #555. (Robin Sommer) - - * Functions can now be logged; their full body gets recorded. - Closes #506. (Robin Sommer) - - * Bugfix for hostname notice email extension. (Seth Hall) - - * Updates for notice framework. (Seth Hall) - - - New ACTION_ADD_GEODATA to add geodata to notices in an extension - field named remote_location. - - - Loading extend-email/hostnames by default now that it only does - anything when the ACTION_EMAIL action is applied (finally). - - * Updates to local.bro (Seth Hall) - - * Added the profiling script. (Seth Hall) - - * Updates for SSH scripts. (Seth Hall) - - * ConnSize analyzer is turned on by default now. (Seth Hall) - - * Updates for the build system and site local scripts for cluster. - (Seth Hall) - - * HTTP now uses the extract_filename_from_content_disposition function. (Seth Hall) - - * Major SMTP script refactor. Closes #509. (Jon Siwek and Seth Hall) - - * New variable Site::local_nets_table in utils/site for mapping - address to defined local subnet. - - * Metrics framework updates, more to come. (Seth Hall) - - -1.6-dev-1061 | 2011-08-08 18:25:27 -0700 - - * A set of new/changed tests regarding the new policy script - organisation. (Robin Sommer) - -1.6-dev-1058 | 2011-08-08 16:15:18 -0700 - - * Reorganisation of the scripts that Bro loads by default. (Seth - Hall) - - - policy/ renamed to scripts/ - - - By default BROPATH now contains: - - scripts/ - - scripts/policy - - scripts/site - - - The scripts in scripts/base/protocols/ only do logging and state - building. - - - All of scripts/base/ is loaded by by default. This can however - be disabled by switching Bro into "bare mode" using the new - command-line option --bare-mode (or -b). The cripts in - scripts/base/ don't use relative path loading to ease use of - bare mode (to copy and paste that script). - - - The scripts in scripts/base/frameworks/ add functionality - without causing any additional overhead. - - - All "detection" activity happens through scripts in - scripts/policy/. - - - bro.init was renamed to base/init-bare.bro, and base/all.bro was - renamed to init-default.bro. - - - local.bro now loads more functionality from policy/ and adds - more documentation. (Seth Hall) - - * Adding default_path_func() to the logging framework that makes the - default naming scheme script-level controlled. (Robin Sommer) - - * Reworking logging's postprocessor logic so that postprocessor - commands are no longer run by the log writers themselves, but - instead by a script level function. (Robin Sommer) - - * The communication subsystem is now by default off and must be - enabled explicitly with a new BiF, enable_communication(). Closes - #540. (Robin Sommer) - - * The hostname notice email extension now only add hostnames for - emailed noticed. (Seth Hall) - - * Cleaning up doc generation. (Seth Hall) - -1.6-dev-1044 | 2011-08-05 19:07:32 -0700 - - * Fixing memory (and CPU) leak in log writer. - - * Fixing crash in memory profiling. (Robin Sommer) - - * Fix compiler warning. (Robin Sommer) - - * Fixing missing sync in cluster setup. (Robin Sommer) - - -1.6-dev-1038 | 2011-08-05 18:25:44 -0700 - - * Smaller updates to script docs and their generation. (Jon Siwek) - - * When using a `print` statement to write to a file that has raw output - enabled, NUL characters in string are no longer interpreted into "\0", - no newline is appended afterwards, and each argument to `print` is - written to the file without any additional separation. (Jon Siwek) - - * Test portatibility tweaks. (Jon Siwek) - - * Fixing PktSrc::Statistics() which retured bogus information - offline mode. Closes #500. (Jon Siwek) - - * --with-perftools configure option now assumes --enable-perftools. - Closes #527. (Jon Siwek) - -1.6-dev-1018 | 2011-07-31 21:30:31 -0700 - - * Updating CHANGES. (Robin Sommer) - -1.6-dev-1016 | 2011-07-30 18:34:28 -0700 - - * Install example config files dynamically. They'll only get - installed when the distribution version differs from existing - version on disk. (Jon Siwek) - - * Fixed memory leak in SSL analyzer. (Seth Hall) - - * Beginning rework of metrics interface. (Seth Hall) - - * New/updated unit tests for scripts. (Jon Siwek) - - * New/updated documentstion for scripts. (Jon Siwek) - - * A number of fixes for scripts in utils/. (Jon Siwek) - -1.6-dev.244 Thu Jul 28 17:08:21 PDT 2011 - -- mask_addr() now returns subnet (addresses #512). (Jon Siwek) - -- Normalize Notice::Type identifiers per convention (closes #484). - (Jon Siwek) - -- Fixing default-loaded-scripts test for BSD systems. (Jon Siwek) - -- New piped_exec() BiF for pipeing data into an external command. (Jon - Siwek) - -1.6-dev.242 Mon Jul 25 21:42:39 PDT 2011 - -- Adding a documentation coverage test. (Jon Siwek) - -- The CMake targets for generating reST docs from policy scripts are - now automatically generated via the genDocSourcesList.sh script. - (Jon Siwek) - -- Fixed a number of script error. (Jon Siwek) - -- Fixes to relative @load'ing. (Jon Siwek) - -- Fixes to tests. (Robin Sommer) - -1.6-dev.240 Sun Jul 24 15:14:26 PDT 2011 - -- Updated tests and test baselines. (Jon Siwek) - -- ASCII log writer now prints time values w/ constant 6 digit - precision. (Jon Siwek) - -- Many policy script updates acrsso the board (Seth Hall). - -- Moving devel-tools to bro-aux. (Robin Sommer) - -- BugFix for disable_analyzer(), which could cause crashes with some - analyzers. (Robin Sommer) - -- Bugfix for potential segfault in DebugLogger. (Robin Sommer) - -1.6-dev.226 Thu Jul 21 15:23:39 PDT 2011 - -- Extensions to the @load and @unload process. (Jon Siwek) - - * Make @load statements recognize relative paths. For example a - script can do "@load ./foo" to load a script named foo.bro that - lives in the same directory or "@load ../bar" to load a script - named bar.bro in the parent directory, even if those directories - are not contained in BROPATH. - - * Reimplementation of the @prefixes statement. (Closes #486) - - Any added prefixes are now used *after* all input files have - been parsed to look for a prefixed, flattened version of the - input file somewhere in BROPATH and, if found, load it. For - example, if "lcl" is in @prefixes, and site.bro is loaded, then - a file named "lcl.site.bro" that's in BROPATH would end up being - automatically loaded as well. Packages work similarly, e.g. - loading "protocols/http" means a file named - "lcl.protocols.http.bro" in BROPATH gets loaded automatically. - - * Fix @unload'd files from generating bro_script_loaded event. - - * Updates to tests. - -1.6-dev.225 Wed Jul 20 17:10:41 PDT 2011 - -- IRC improvements (Jon Siwek). Including: - - * Shorten what's displayed in the IRC's log mime_type column for - DCC transfers. - - * Add IRC unit tests. - - * Fix IRC analyzer supplying wrong type to irc_dcc_message event. - - * Removed irc_client and irc_server events. - - * Added is_orig arguments to all other irc events. - - * Fix analyzer not recognizing Turbo DCC extension message format. - - * Fix analyzer not generating irc_dcc_message event when irc_privmsg_message - event doesn't have a handler registered. - -- Fixing tests that need a diff canonifier. (Jon Siwek) - -1.6-dev.223 Tue Jul 19 19:10:36 PDT 2011 - -- Adding a script to update CHANGES and VERSION. (Robin Sommer) - -1.6-dev.218 Tue Jul 19 18:16:44 PDT 2011 - -- Comprehensive policy script overhaul/rewrite. (Seth Hall) - - Changes are too extensive to list individually. - -- Removing undocumented -H command line flag. (Robin Sommer) - -- Fixing many tests. (Everybody) - -- Fixing 0-chunk bug in remote logging. (Robin Sommer) - -- $PATH is now appropriately set by the bro-path-dev.(sh|csh) scripts. - (Seth Hall) - -- Making valgrind a bit more happy. (Robin Sommer) - -- New BiF record_field_vals() that returns the fields of a record in a - table with meta-information. (Robin Sommer) - -- Adding a script in aux/devel-tools that extracts a connection from a - trace based on uid. (Robin Sommer) - -- Fixing bug causing crash when running without arguments. (Robin Sommer) - -- A new event bro_script_loaded() raised for each policy script - loaded. Also removing the -l command-line option as that can now be - done at the script-level. (Robin Sommer) - -- Fixing memory leaks. (Gilbert Clark, Seth Hall, Robin Sommer) - -- Many SSL analysis improvements and fixes. (Seth Hall) - -- Fixing bug with event priorities potentially being ignored for the - handler. (Robin Sommer) - -- Overhauling the internal reporting of messages to the user. The new - Reporter class is now in charge of reporting all errors, warnings, - informational messages, weirds, and syslogs; and it passes - everything through the script layer. (Robin Sommer) - -* Removed the alarm statement and the alarm_hook event. (Robin Sommer) - -- Adding new policy file test-all.bro that loads all other policies. - This is for testing only. (Robin Sommer) - -- A new framework for doing regression testing with larger traces and - more complex Bro configurations in testing/external. (Robin Sommer) - -- Many updates to script doc generation. (Jon Siwek) - -1.6-dev.146 Sat Jun 25 18:12:27 PDT 2011 - -- DNS mapping are now becoming invalid when an entry's TTL expires. - (Thomas Other) - -- Reworking how Bro tracks which scripts are already loaded. Rather - than paths, Bro now tracks inode numbers. (Jon Siwek) - -- New BiF netstats() to query packet capture statistics. The netstats - script now uses the new BiF to periocally report packets drops. The - net_stats_update() event and the heartbeat_interval global went - away. (Seth Hall) - -- Fixing bug with logging &optional records. Closes #476. (Robin - Sommer) - -- Fixing istate.events-ssl test failing because of expired cert. (Jon - Siwek) - -- A large number of improvements and fixes for Bro's doc mode. (Jon - Siwek) - -- Significant updates for RPC and NFS analyzers (Gregor Maier) - - * Unify semantics for UDP and TCP connections. - - * RPC can now log to a log file if desired. - - * Portmapper can now log general activity to a log file and also log - actual port mappings. - - * NFS analyzer now supports significantly more procedure calls as - as file name tracking and file content extraction. - -- NetBIOS fixes. (Jon Siwek) - -- A number of unit tests are more robust and portable. (Jon Siwek) - -- A new BiF unique_id() that returns a string that's unique across Bro - instaces with high probablity. (Robin Sommer) - -- Complete rewrite of the BinPAC SSL analyzer. (Seth Hall) - - * DER certificates are extracted as strings to be used with - corresponding BiFs. - - * x509_verify function to verify single certs and/or full - certificate chains. - - * Removed hand written SSL analyzer. - - * The ssl.bro script is just a place-holder for now. New version - will come with the other new scripts. - -- New syslog analyzer. (Seth Hall) - -- @load now supports loading a directory. With a directory "foo" - somewhere in BROPATH, "@load foo" now checks if there's a file - "foo/__load__.bro". If so, it reads that file in. (Robin Sommer) - -- ASCII logger now escapes non-printable characters. Closes #450. - (Robin Sommer) - -- Packaging tweaks and rewrite of 'dist' target. (Jon Siwek) - -- Changes to allow DEB packaging via CPack, addresses #458. (Jon - Siwek) - -- An extension to the ICMP analyzer to handle redirects. Julien - Sentier - -- Removing old istate test-suite. (Robin Sommer) - -- A hack to report missing GeoIP support only once. This closes #357, - but #455 captures the need for a more general solution. (Robin - Sommer) - -- Bugfix: vectors in records were not initalized. Closes #421. (Robin - Sommer) - -- If IPv6 default is not compiled in, the default BPF filters now - excludes IPv6 packets. (Robin Sommer) - -- New bif bro_has_ipv6() to check whether IPv6 support is compiled in. - (Robin Sommer) - -- Updating btests and a Makefile. "make" now runs all the tests. - (Robin Sommer) - -- Moving the test-scripts from the old test-suite over to btest. - (Robin Sommer) - -- Fix for major bug in POP3 analyzer, which didn't recognize '.' - terminators in multi-line replies if the terminator was bare (no - newline). This caused it to ignore the rest of the session that it's - analyzing. (Vern Paxson) - -- Fix compiler warning with gcc-4.4.4 (Gregor Maier) - -- Adding example documentation for a script's use of logging features. - (Jon Siwek) - -- Adding &log attribute to static attr_names array. (Jon Siwek) - -- Bro can now track packet and byte counts per connection. (Gregor - Maier) - - * If 'use_conn_size_analyzer' is true, the event engine tracks - number of packets and raw IP bytes per connection. If - report_conn_size_analyzer is true, these values are included as - four new columns into conn.log - - * I changed conn.bro so that the value of - report_conn_size_analyzer follows that of - use_conn_size_analyzer. For the new conn.log, we probably want - to get rid of report_conn_size_analyzer anyway. - -- Fixing numerous compiler warnings and portability issues. (All) - -- Switching vectors from being 1-based to 0-based. Note that this is a - change that break backwards-compatibility. (Robin Sommer) - -- Increasing serialization format version for the recent 64-bit - changes. (Robin Sommer) - -- Support for (mixed) MPLS and VLAN traffic, and a new default BPF - filter. (Seth Hall and Robin Sommer) - - * Merging in the patch from #264, which provides support for mixed - VLAN and MPLS traffic. - - * Changing Bro's default filter from being built dynamically to - being a static "ip or not ip". To get the old behaviour back - (i.e., the dynamically built filter), redef "all_packets" to - false. - - * print-filter.bro now always prints the filter that Bro is - actually using, even if overriden from the command line. (Robin - Sommer) - -- Changing the HTTP's analyzers internals to use 64-bit integers. - (Gregor Maier). - -- Fixing bug with deleting still unset record fields of table type. - (Robin Sommer) - -1.6-dev.99 Fri Apr 22 22:10:03 PDT 2011 - -- Extending the connection record with a unique identifier. (Robin - Sommer) - - type connection: record { - [...] - id: string; - }; - - These identifiers very likely unique even across independent Bro - runs. - -- Delete operator for record fields. (Robin Sommer) - - "delete x$y" now resets record field "x" back to its original state - if it is either &optional or has a &default. "delete" may not be - used with non-optional/default fields. - -- Fixing bug with nested record coercions. (Robin Sommer) - -- Fixing a do_split() bug. (Seth Hall) - - -1.6-dev.94 Thu Apr 21 19:51:38 PDT 2011 - -- Fixing generation of config.h. (Jon Siwek) - -- Updates and tests for NetBIOS name BiF. (Seth Hall) - -- Fixing do_split bug(), and adding a test. (Seth Hall) - -- When Bro is given a PRNG seed, it now uses its own internal random - number generator that produces consistent results across sytems. - Note that this internal generator isn't very good, so it should only - be used for testing purpses. (Robin Sommer) - -- The BTest configuration now sets the environemnt variables TZ=UTC - and LANG=C to ensure consistent results. (Robin Sommer) - -- Logging fixes. (Robin Sommer) - -1.6-dev.88 Wed Apr 20 20:43:48 PDT 2011 - -- Implementation of Bro's new logging framework. We will document this - separately. (Robin Sommer) - -- Already defined record types can now be further extended via the - '+=' operator. The added fields must be either &optional or have a - &default value. (Robin Sommer) - - Example: - - type Foo: record { - a: count; - b: count &optional; - }; - - redef record Foo += { - c: count &default=42; - d: count &optional; - }; - - global f: Foo = [$a=21]; - - print f; - - Output: - - [a=21, b=, c=42, d=] - -- Enabling assignment of empty vectors ("vector()"). (Robin Sommer) - -- Fixing attributes to allow &default attributes to be associated with - records fields of type tables/sets/vector. (Robin Sommer) - -- '[]' is now a valid record constructor. (Robin Sommer) - -- A instance of a record type A is now coercable into one of type B if - the fields of type A are a subset of those of type B. (Robin Sommer) - -- A number of bug fixes and enhancements for record/set/table/vector - coercion. (Robin Sommer) - -- Fixing a problem with records that have optional fields when used as - table/set indices. Addresses #367. (Robin Sommer) - -- Fixing an off-by-one error in join_string_vec(). (Seth Hall) - -- Updating to_count() to cope with 64bit ints. (Seth Hall) - -- A new BiF count_to_v4_addr() to turn a count into an IPv4 address. - (Seth Hall) - -1.6-dev.80 Mon Apr 18 14:50:54 PDT 2011 - -- New framework for generating documentation from Bro scripts. (Jon - Siwek) - - This includes: - - * Changes to Bro's scanner/parser to facilitate automatic - generation of Bro policy script documentation in - reStructuredText format. - - * New command line flags -Z/--doc-scripts to enable the new doc - generation mode. - - * Changes to bifcl to pass comments starting with "##" through - into the generated .bro script. - - * A "doc" build target for the top-level Makefile to first - generate reStructuredText for a defined set of Bro policy - scripts, and then run that through Sphinx to create HTML - documentation. - -1.6-dev.78 Mon Apr 18 12:52:55 PDT 2011 - -- Adding files to CMake build targets so they show up in generated IDE - projects. This addresses #413. (Jon Siwek) - -- Fix unnecessary config.h preprocessor (re)definitions. This - addresses #414. (Jon Siwek) - -- Updating istate tests. (Robin Sommer) - -- Adding files to CMake build targets so they show up in generated IDE - projects. - -- Adding new environment variable BRO_SEED_FILE to set the seed file - for the random number generator. (Robin Sommer) - -1.6-dev.71 Fri Apr 1 16:06:33 PDT 2011 - -- Removing code for the following no longer supported functionality. - - * Trace rewriting. - * DFA state expiration in regexp engine. - * Active mapping. - * Unused hash functions. - - (Robin Sommer) - -- Fixing crashes when SSL is not configured correctly. (Robin Sommer) - -1.6-dev.66 Tue Mar 29 21:52:01 PDT 2011 - -- Initial btest setup (Don Appleman and Robin Sommer) - -- Porting the istate tests to btest (not finished) (Robin Sommer) - -1.6-dev.63 Mon Mar 21 16:31:15 PDT 2011 - -- Changes to the way user-modifiable config files are installed (Jon Siwek) - - * Duplicates of the distribution's configuration files are now - always installed with a .example suffix - - * Added --binary-package configure option to toggle configure - logic specific to the creation of binary packages. - - * When not in binary packaging mode, `make install` never - overwrites existing configure files in case they've been - modified. The previous behavior (CMake's default) would only - avoid overwriting modified files if one consistently uses the - same build directory and doesn't reconfigure. - -- Fixed an issue with Mac package's pre-install script not preserving - ACLs. (Jon Siwek) - -- Minor cleanup/refactor of the make-mac/rpm-packages scripts. (Jon - Siwek) - -- Add explicit CMake check for compiler. (Jon Siwek) - -- Add alternative way to set BROPATH for running bro from build/ dir. - (Jon Siwek) - -- Fixing compiler warnings (Gregor Maier) - -- Remvoing leftover local variables that caused compile error on Mac - OS X. (Gregor Maier) - -1.6-dev.53 Fri Feb 25 17:03:05 PST 2011 - -- Fixing file detector leak in remote communication module. (Scott - Campbell) - -- Updating independent-state tests to work with new setup. (Robin - Sommer) - -1.6-dev.49 Fri Feb 25 15:37:28 PST 2011 - -- Enum IDs can have explicitly defined values. (Gregor Maier) - -- Extensions for the built-in function compiler, bifcl. (Gregor Maier) - - * Support for policy-layer namespaces. - * Support for type declarations in bif files (with access them - from C++) - * Extended const declarations in bif files. - - See http://bro.icir.org/devel/bif-doc for more information. - -1.6-dev.48 Fri Feb 25 10:53:04 PST 2011 - -- Preliminary TCP Reassembler fix: deliver data after 2GB by disabling - the unused seq_to_skip feature. (Gregor Maier) - -1.6-dev.47 Fri Feb 25 10:40:22 PST 2011 - -- Fixing endianess error in XDR when data is not 4-byte aligned. - (Gregor Maier) - -- Fix for Val constructor with new int64 typedefs. (Gregor Maier) - -- Updated fix for OS X 10.5 compile error wrt llabs(). (Gregor Maier) - -- Fix more compiler warning wrt printf format strings. (Gregor Maier) - -1.6-dev.45 Tue Feb 8 21:28:01 PST 2011 - -- Fixing a number of compiler warnings. (Seth Hall and Robin Sommer) - -1.6-dev.44 Tue Feb 8 20:11:44 PST 2011 - -- A number of updates to the SSL analyzer, including support for new - ciphers; SSL extensions; and bug fixes. The analyzer does not longer - throw weird for exceeding a predefined cipherspec_size anymore. - (Seth Hall and Rmkml). - -- The various split*() BiFs now handle strings containing null bytes - correctly. (Seth Hall) - -- Adding new aux/btest submodule. This is a framework we will use in - the future for doing unit tests. (Robin Sommer) - -1.6-dev.41 Mon Feb 7 13:43:56 PST 2011 - -- Smarter way to increase the parent/child pipe's socket buffer. - (Craig Leres). - -- Fixing bug with defining bro_int_t and bro_uint_t to be 64 bits wide - on some platforms. (Robin Sommer) - -1.6-dev.39 Mon Jan 31 16:42:23 PST 2011 - -- Login's confused messages now go through weird.bro. (Robin Sommer) - -1.6-dev.36 Mon Jan 31 08:45:35 PST 2011 - -- Adding more configure options for finding dependencies, (Jon Siwek) - - --with-flex=PATH path to flex executable - --with-bison=PATH path to bison executable - --with-perl=PATH path to perl executable - --with-python=PATH path to Python interpreter - --with-python-lib=PATH path to libpython - --with-python-inc=PATH path to Python headers - --with-swig=PATH path to SWIG executable - -- Fixing typo in PCAPTests.cmake (Jon Siwek) - - -1.6-dev.33 Mon Jan 24 15:29:04 PST 2011 - -- Fixing bug in SMB analyzer. (Robin Sommer) - -- Configure wrapper now deletes previous CMake cache (Jon Siwek) - -- Fix for the --with-binpac configure option. (Jon Siwek) - -1.6-dev.30 Thu Jan 20 16:32:43 PST 2011 - -- Changed configure wrapper to create config.status. (Jon Siwek) - -1.6-dev.29 Thu Jan 20 16:29:56 PST 2011 - -- Fixing little problem with initialization of Bro-to-Bro event - communication. (Christian Kreibich) - - -1.6-dev.27 Thu Jan 20 13:52:25 PST 2011 - -- Fine-tuning of the HTTP analyzer in terms of raising protocol - violations and interrupted transfers. (Gregor Maier) - - -1.6-dev.21 Wed Jan 19 17:36:02 PST 2011 - -- Added 4 new BiFs and a new record type for testing the entropy of - strings. (Seth Hall) - - find_entropy(data: string): entropy_test_result - This is a one shot function that accepts a string and - returns the result of the entropy calculations. - - entropy_test_init(index: any): bool - This and the next two functions are for calculating entropy - piece-wise. It only needs an index which can be any type of - variable. It needs to be something that uniquely identifies - the data stream that is currently having it's entropy - calculated. - - entropy_test_add(index: any, data: string): bool - This function is used to add data into the entropy - calculation. It takes the index used in the function above - and the data that you are adding and returns true if - everything seemed to work, false otherwise. - - entropy_test_finish(index: any): entropy_test_result - Calling this function indicates that all of the desired data - has been inserted into the entropy_test_add function and the - entropy should be calculated. This function *must* be called - in order to clean up an internal state tracking variable. - If this is never called on an index, it will result in a - memory leak. - - The entropy_test_result values have several measures of the - entropy, but a good one to work with is the "entropy" attribute. - It's a double and as the value approaches 8.0 it can be considered - more and more random. For example, a value of 7.832 would be - quite random but a value of 4.671 is not very random. - -1.6-dev.20 Wed Jan 19 17:30:11 PST 2011 - -- BRO_DNS_FAKE is now listed in the --help output. (Seth Hall) - - -1.6-dev.18 Wed Jan 19 16:37:13 PST 2011 - -- Removing unnecessary expire timer from http_sessions. (Gregor - Maier) - - -1.6-dev.16 Sat Jan 15 14:14:21 PST 2011 - -- Updates to the build system. (Jonathan Siwek) - - * ``make dist`` is now available to be used with the top-level - Makefile for creating source packages according to #344. - - * ``make-rpm-packages`` and ``make-mac-packages`` scripts can - now generate binary packages according to #295. - - * Additional configure options to change packaging behavior. - - * OS X builds will now prefer to link static libraries of - optional dependencies that don't come with the vanilla - operating system. - - * Fix for OS X 10.5 compile error dealing with the llabs() - function from stdlib. - - * Installing as a different user than the one that - configured/built now works (although, a harmless error message - about not being able to write the install manifest may occur). - - -1.6-dev.3 Wed Dec 8 04:09:38 PST 2010 - -- Merge with Subversion repository as of r7137. Incorporated change: - - * Fix for packet processing resumption when a remote Bro dies - during state synchronization (Robin Sommer). - -1.6-dev.2 Wed Dec 8 03:57:03 PST 2010 - -- Compatibility fix for OpenSSL 1.0.0 (Christian Kreibich, Gregor - Maier). - -1.6-dev.1 Sat Nov 27 12:19:47 PST 2010 - -- Merge with Subversion repository as of r7098. Incorporated changes: - - * Rotation post-processors are now passed an additional argument - indicating whether Bro is terminating (Robin Sommer). - - * Bro now consistently generates a file_opened event for all - fopen() calls. (Robin Sommer). - - * You can now redefine the email_notice_to function (Robin - Sommer). - -1.6-dev.0 Fri Nov 26 13:48:11 PST 2010 - -- The Bro source code is now developed in the new git repositories. - See the developer pages at http://www.bro-ids.org for more - information on the new development process. - -- Bro's build and installation setup has been moved from GNU - autotools to CMake. As a result of that, layout and specifics of - the distribution has changed significantly. - -- Lots of pieces have been removed from the distribution that are - either now unnecessary or are no longer maintained. - -- As part of the cleanup, a numbef of Bro configure options and - their corresponding functionality have been removed, including: - - * --disable-select-loop - * --with-dag - * --disable-nbdns - * --enable-activemapping - * --enable-activemapping - * --enable-shippedpcap - -- The previous configure option --enable-int64 is now enabled by default, - and can no longer be disabled. - -- ClamAV support has been removed, which has been non-functional for - a while already. - --+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - -1.5.3 Thu Mar 3 08:55:11 PST 2011 - -- Removing aux/broctl/policy/cluster-addrs.hot.bro from the - distribution. The script is no longer needed and could in fact break - an installation because it redefines an old variable that has went - away. (Robin Sommer) - -- Smarter way to increase the communication module's pipe's socket - buffer size, resulting in a value closer to the allowed maximum. - (Craig Leres) - -- BroControl now also maintains links from the log archive to the - current set of logs when running in standalone mode. (Robin Sommer) - -- Bug fix for a file descriptor leak in the remote communication - module. (Scott Campbell) - -- Bug fix for BroControl to now activate trace-summary's sampling in - cluster mode, but not anymore in standalone mode. (Robin Sommer) - -- Broccoli updates: - - * Accept empty strings ("") as values in the configuration file. - (Craig Leres) - - * Support for specifying a separate host key for SSL-enabled - operation, with documentation update. (Craig Leres) - -1.5.2 Wed Jan 12 17:34:55 PST 2011 - -- Portability fixes for --enable-int64 (Vern Paxson). - -- Bug fix for Active Mapping support (Kevin Lo). - -- Broccoli compiler warning fixes (Kevin Lo). - -- Bug fixes for --enable-int64 and for avoiding bogus statistics / - bad memory references when generating profiling information upon - exit (Vern Paxson). - -- Bug fixes for terminating connections (Tyler Schoenke and Vern Paxson). - -- Removed now-quite-stale SSHv1 overflow detection, as it's more prone - to false positives than useful detection (Vern Paxson). - -- The SWIG file now explicitly lists those pieces from broccoli.h which it - wants to wrap, rather than just including all of broccoli.h (Robin Sommer). - -- http-header.bro now includes a global "include_header: set[string]" If it - contains any strings, then only those headers will be processed. If left - empty, then you continue to get the current behavior of processing all - headers. (Robin Sommer). - -- Several changes to drop.bro (Robin Sommer): - - * If True, the new flag Drop::dont_drop_locals indicates that - local hosts should never be dropped. On by default. - - * If True, the new flag Drop::debugging activates extensive debugging - output for the catch-and-release logic. Off by default. - - * The timeout for tracking dropping information is now 1 day - rather than 7 days, to better echo the one-restart-a-day semantics - used in the past. - - * Bug fix for hosts once dropped by later cleared; some state - for them persisted. - -- Portability fix for Broccoli Python bindings on 64-bit platforms (Robin - Sommer). - -- The HTTP analyzer no longer attempts to track Server/User-Agent - versions, as these are hugely voluminous (Seth Hall). - -- HTTP and SMTP no longer have extra-short inactivity timeouts, as - these were too often leading to premature expiration of a connection - (Robin Sommer). - -- Tracking of HTTP refer[r]er's by setting log_referrer. (Vern Paxson). - -- The "rst" tool (aux/rst/) now takes an optional "-I " argument - that instructs it to inject as payload rather than sending a RST - packet (Vern Paxson). must be NUL-terminated, and the NUL is not - included. - -- Bug fix for crashes in the DNS analyzer when processing replies for - which no request was seen (Robin Sommer). - -- Addressed a number of lint nits (Vern Paxson). - -- Rotation post-processors are now passed an additional argument - indicating whether Bro is terminating (Robin Sommer). - -- Bro now consistently generates a file_opened event for all fopen() calls. - (Robin Sommer). - -- The "cf" utility now ignores a leading "t=" prefix, for compatibility - with Bro's "tagged" logging format (Robin Sommer). - -- You can now redefine the email_notice_to function (Robin Sommer). - -- Fix for packet processing resumption when a remote Bro dies during - state synchronization (Robin Sommer). - -- OpenSSL/X509 portability fix, at long last (Gregor Maier & Christian - Kreibich). - -- Fix for compatibility with newer versions of autoconf (Gregor Maier). - -- A larger BroControl update (Robin Sommer, if not marked otherwise): - - o Increasing default timeouts for scan detector significantly. - - o Increasing the manager's max_remote_events_processed to - something large, as it would slow down the process too much - otherwise and there's no other work to be interleaved with it - anyway. - - o Adding debug output to cluster's part of catch-and-release - (extends the debugging already present in policy/debug.bro) - - o Fixing typo in util.py. Closes #223. - - o Added note to README pointing to HTML version. - - o Disabling print_hook for proxies' remote.log. - - o broctl's capstats now reports a total as well, and stats.log - tracks these totals. Closes #160. - - o Avoiding spurious "waiting for lock" messages in cron mode. - Closes #206. - - o Bug fixes for installation on NFS. - - o Bug fix for top command on FreeBSD 8. - - o crash-diag now checks whether gdb is available. - - o trace-summary reports the sample factor in use in its output, - and now also applies it to the top-local-networks output (not - doing the latter was a bug). - - o Removed the default twice-a-day rotation for conn.log. The - default rotation for conn.log now is now once every 24h, just - like for all other logs with the exception of mail.log (which is - still rotated twice a day, and thus the alarms are still mailed - out twice a day). - - o Fixed the problem of logs sometimes being filed into the wrong - directory (see the (now gone) FAQ entry in the README). - - o One can now customize the archive naming scheme. See the - corresponding FAQ entry in the README. - - o Cleaned up, and extended, collection of cluster statistics. - - ${logdir}/stats now looks like this: - - drwxr-xr-x 4 bro wheel 59392 Apr 5 17:55 . - drwxr-xr-x 96 bro wheel 2560 Apr 6 12:00 .. - -rw-r--r-- 1 bro wheel 576 Apr 6 16:40 meta.dat - drwxr-xr-x 2 bro wheel 2048 Apr 6 16:40 profiling - -rw-r--r-- 1 bro wheel 771834825 Apr 6 16:40 stats.log - drwxr-xr-x 2 bro wheel 2048 Apr 6 16:25 www - - stats.log accumulates cluster statistics collected every time - "cron" is called. - - - profiling/ keeps the nodes' prof.logs. - - - www/ keeps a subset of stats.log in CSV format for easy plotting. - - - meta.dat contains meta information about the current cluster - state (in particular which nodes we have, and when the last - stats update was done). - - Note that there is no Web setup yet to actually visualize the data in - www/. - - o BroControl now automatically maintains links inside today's log - archive directory pointing to the current live version of the - corresponding log file (if Bro is running). For example: - - smtp.log.11:52:18-current -> /usr/local/cluster/spool/manager/smtp.log - - o Alarms mailed out by BroControl now (1) have the notice msg in the - subject; and (2) come with the full mail.log entry in the body. - - o Fixing broctl's top output. (Seth Hall). - - o Fixing broctl's df output in certain situations. - - o BroControl fix for dealing with large vsize values reported by - "top" (Craig Leres). - -1.5.1 Fri Dec 18 15:17:12 PST 2009 - -- Due to a Python configuration problem, the original 1.5 distribution - did not include the BroControl component, which also introduced a - portability problem for CentOS. These issues have now been fixed (Robin - Sommer and Vern Paxson). - - -1.5 Wed Dec 16 21:28:47 PST 2009 - -- Bro now comes with a new framework, BroControl, for managing an - operational Bro setup, including support for installation, configuration, - and maintainance tasks such a log archival and mail notification. The - framework transparently supports both traditional standalone setups as - well as cluster installations in which multiple Bro boxes coordinate to - analyze a high-volume network link. - - See aux/broctl/README for more information about BroControl. - - Note, BroControl supersedes the older BroLite system, which is no longer - supported and has been deprecated for a while now. - -- Numerous adjustments to DPD = dynamic protocol detection (Robin Sommer): - - o The Analyzer::ProtocolViolation?() method can now be passed the - offending data (which POP3, SMTP, and FTP now do). This information - is added to the "reason" string passed to the script level. - - o SMTP now more accurately reports violations. - - o FTP stops processing when client & server successfully negotiate - an AUTH scheme (leading to subsequent encryption). - - o Analyzer::ProtocolViolation() is virtual, and - TCP_ApplicationAnalyzer() overrides it to not report violations - for any partial connections, because very likely these arise just - due to the analyzer getting confused. - - o TCP::IsPartial() returns true if any side did not start with - a SYN packet (used to be just be for the originator). - - o The connection_state_remove handler in conn.bro now has a higher - &priority so that other handlers for the same event can use - determine_service() and see any changes it performs. - - o DynDisable:max_volume specifies a volume limit (default 10K). - Once a connection exceeds this limit, further protocol - limitations will neither raise ProtocolViolation notices nor - cause the analyzer to be disabled. - - o The event engine no longer raises protocol_violation events for - TCP connections which had gaps, as these have proven too unreliable. - (Note that, ideally, the *analyzers* should avoid reporting - protocol_violations when they can't reliably parse a connection - anymore after a gap; but many don't.) - -- A set of new script functions provide support for incrementally computing - MD5 checksums (Seth Hall). - - md5_hash_init(index: any): bool - Initializes an incremental hashing instance. "index" is - a value of arbitrary type, used to identify this particular - instance (you can have multiple concurrent instances by - using different index values). Returns T on success, - F on failure (such as the index is already in use). - - md5_hash_update(index: any, data: string): bool - For the given hashing instance, updates the hash - based on the given data. Returns T on success, F on - failure (such as the index has not been initialized). - - md5_hash_finish(index: any): string - Returns the MD5-printable hash for the given index - and terminates the instance, or the string "" if the - index was not active. - -- Bro now supports a believed-to-be-robust mechanism for estimating the - proportion of traffic that it failed to capture ("measurement drops"), - which can arise due to overload in either Bro itself, the kernel's - packet filter, or problems with the link tapping mechanism (Vern Paxson). - The event engine can generate estimates for either live traffic or what - was previously recorded in a trace file, though traces subject to some - forms of selective omission (such as skipping over parts of a connection - to reduce storage) can lead to erroneous values. - - The estimates are based on observing gaps in TCP data streams, and - come in two forms: the rate at which such gaps appear, and the relative - volume of data missing due to the gaps. (We've found however that the - volume-based estimator is not robust due to occasional packets with - incorrect sequence numbers, so this estimator is off by default.) - - The easy way to get the estimates is to load capture-loss.bro. - By default, it generates a CaptureLossSummary notice upon Bro's exit, - which can look like: - - 1130222759.344066 CaptureLossSummary estimated rate = 0.00089124 / 0.000970997 (events/bytes) - - If the estimated loss is none, however, it suppresses this notice, - unless you redef CaptureLoss::summary_if_none to T. - - You can also get finer-grained access by defining a "gap_report" - event handler and redef'ing gap_report_freq to a non-zero interval - (such as "10 sec"). This event allows you to pinpoint regions in - time that exhibit significant capture loss. See capture-loss.bro - for an example of a handler for this event. - - Finally, these changes include a number of fixes to Bro's - ack_above_hole/content_gap analysis, which is now significantly - more robust. - -- GeoIP support now supports ASN lookups via the built-in - function lookup_asn(a: addr): count (Scott Campbell and Seth Hall). - -- The GeoIP built-in's lookup_location() and lookup_asn() now - support IPv6 (Seth Hall). Note, the current GeoIP distribution - doesn't include any IPv6 databases, so for now these won't succeed, - but the hooks are in place for when databases become available. - -- lookup_location() now falls back back to the country database if - the city database isn't available (Seth Hall). - -- The new SuccessfulPasswordGuessing Notice is generated when a host - has been seen attempting password guessing (currently only for FTP - sessions) and then successfully logs in (Royal Chan). You can control the - threshold for such reports in terms of how many attempts the host must - have made by redef'ing the variable password_guessing_success_threshhold, - which defaults to 20. - -- The new script http-detect-passwd.bro analyzes the Web items returned - for fetches that appear to be accessing the passwd file (Akhil Dhar). - It generates a PasswordFullFetch Notice if it appears that the item - includes a full password file, and PasswordShadowFetch if it looks like - a shadowed password file. - -- The new built-in - - system_env(cmd: string, env: table[string] of string) - - works like system(), but puts the table entries into the environment - before invoking the command (Robin Sommer). Each in the table - creates an environment variable of the form "BRO_ARG_", whose - value is the corresponding table entry. - -- The new script function - - execute_with_notice(cmd: string, notice_info) - - executes "cmd" with an environment containing the fields of the - notice_info, i.e., the information associated with a Notice (Robin Sommer). - Per the new system_env() function above, the environment variables appear - as "BRO_ARG_", where is the field tag as it appears in - notice.log when you enable use_tagging. - -- The new built-in enable_raw_output(file) acts the same as - the attribute &raw_output (Seth Hall). - -- The new built-in file_opened(f: file) event is generated any time Bro - opens a script-level file (Justin Azoff). You can use this, for example, - if you want to ensure that a given file has a prelude in it such as - human-readable headers, even when the file is rotated. - -- The notice_info record has a new field - - aux: table[string] of string &optional - - which you can use for information specific to a given type of notice - (Robin Sommer). Entries in $aux appear as "aux_" tags in notice.log. - -- Another new notice_info record field is the boolean do_alarm (default=T), - which, if set to F, overides a notice action otherwise specifying to - generate an alarm (Robin Sommer). In other words, if do_alarm is F, no - alarm will be generated independent of the notice action. - - This is a work-around for the fact that we can't specify more than one - action. In particular, we couldn't NOTICE_DROP but then *not* alarm, - which we now can by returning NOTICE_DROP yet setting do_alarm to F. - -- The notice_info record field $dropped now appears in the tagged output - format if true (Robin Sommer). - -- NOTICEs relating to scan detection now no longer include the connection - that triggered the notice, as it really doesn't contain any useful - information, given that the particular trigger simply depends on the - detection algorithm and its parameters (Robin Sommer). However, we do - explicitly set $p (port number) in the notice, and also $n with the - number of attempts. - -- drop.bro now hardwires a Catch-and-Release redrop after seeing one - connection from a previously-dropped-but-already-released host - (Robin Sommer). - -- drop.bro now provides some new hooks (Robin Sommer): - - event address_dropped(a: addr) - Generated when an address has been dropped. - - event address_restored(a: addr) - Generated when connectivity to an address has been restored, - such as using the Catch-and-Release mechanism. - - event address_cleared(a: addr) - Generated when an address that was dropped in the past is - no longer being monitored looking for new connections - (as part of the Catch-and-Release mechanism). - -- The new built-in function - - hexdump(data_str: string) : string - - returns a hex dump representation of the given input data (Christian - Kreibich). The dump renders 16 bytes per line, with hex on the left and - ASCII (where printable) on the right. - -- Bro's notion of when a TCP connection begins now dastes to the first - instance of an initial SYN packet seen, rather than the last (Gregor Maier). - -- The Time Machine script tm-contents.bro now generates - - event contents_saved: event(c: connection, orig_file: string, - resp_file: string) - - when the content of a connection has been completely saved to disk - (Robin Sommer). - -- The mime.bro script now exports the MIME header callback table, and also - marks it as &redef'able so you can modify its entries (Matthias Vallentin). - The mime_log file is also now exported. - -- A new signature file, policy/sigs/http-bots.sig, contains signatures - to detect some of the current HTTP based controlled bot families (Seth Hall). - -- The signature engine's HTTP pattern matching has been fixed (Seth Hall) - to align with the documentation at: - - http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#Content_conditions - - In particular, the content condition "http" is now referred to as - "http-request" (though "http" still works for backward compatibility), - "http-request-header" and "http-reply-header" now provide access to - headers seen in only one direction, and similarly for "http-request-body" - and "http-reply-body". (This latter is still accessible as "http-body" - for backwards compatibility.) - -- The new script variable max_remote_events_processed: count (default 10) - sets a limit on the number of remote events processed in each round, - before tending to other inputs (Robin Sommer). - -- If you set the new script variable dump_used_event_handlers to T, - then on startup Bro dumps out all of the event handlers that the - loaded set of scripts can invoke (Matthias Vallenti). - -- Summaries for DNS PTR scanning now use a separate Notice, - DNS_PTR_Scan_Summary, rather than overloading DNS_PTR_Scan (Robin Sommer). - -- scan.bro now provides a table skip_dest_server_ports: set[addr, port] - which lists servers (defined as an address and a port) excluded from - scan detection computations (Craig Leres and Jay Krous). - -- When redefining values on the command line directly (using var=value), - quotation marks are now implicit only if "var" is a variable of type - string (Christian Kreibich). This allows other string-like values - (such as enum's) to be passed as well. - -- scan.bro now explicitly loads conn.bro so that it can itself - be loaded independently (Robin Sommer). - -- login.bro depends on scan.bro (because of tracking authentication - "scans"), so now it explicitly loads it (Vern Paxson). - -- UDP_datagram_length_mismatch is now by default flagged just once per - originating host rather than once per connection, as it can generate - tons of messages (Vern Paxson). - -- Removed now-long-boring flagging of access to Solaris "listen" - service as "hot" (Vern Paxson). - -- Removal of libedit, since libreadline provides similar functionality - (Christian Kreibich). - -- Added scripts missing from distribution: dce.bro, ncp.bro, and smb.bro - (Vern Paxson). - -- ssh.bro now exports ssh_ports (Seth Hall) - -- A number of improvements to inter-Bro communication (Robin Sommer). - - (1) Remote communication now no longer includes location information for - serialized objects; that removes quite a bit of redundacy from the network - traffic. - - (2) The new option 'remote_check_sync_consistency" disables the cross-check - on the receiving side of &synchronized state of whether the current value - of a variable has the value expected by the sender. Transmitting the - original values in addition to the updates generates quite a bit CPU & - network load in some cases (in particular, a table of tables). The default - for remote_check_sync_consistency is off, and so far that in particular - seems to reduce the proxy's load quite a bit. - - (3) Complete overhaul of the internal caching of serialized objects. The - objective of the caching is avoid retransmitting already sent values over - and over again. It turns out, however, that some objects are very stable - and hardly change or get replaced (e.g., Bro types); while other change - all the time and are hardly reused some time later (e.g., Vals). Now - we maintain *two* caches independently for these types of objects; one - with a low turn-over one and another with a high one. This should reduce - CPU load on both sender and receiver sides. - - The new scheme is only used if both communicating Bros support it; with - older Bros, as well as with Broccoli, we continue using the old scheme. - -- Some reworking of remote printing (Robin Sommer), as follows. Bro now - uses a new interprocess message rather than print_hook events, to better - manage buffering and associated load (these can produce failures depending - on system configuration; see remote.log). A number of timeouts and - buffer sizes have been tuned. Internally, EINTR errors are now treated - separately from EAGAIN. Finally, even with remote_check_sync_consistency=F, - one type of consistency check was still being done; this is no longer - the case. - -- The DNS analyzer now generates events (dns_query_reply/dns_rejected) - for replies with zero questions (Robin Sommer). - -- Perftools support for incompatible changes in the 1.0 API (Robin Sommer). - -- Rearranged (generally reducing, though not always) some state timeouts - associated with scan detection (Robin Sommer). In addition, when a - scanning address crosses ignore_scanners_threshold (meaning that it will - be ignored from now on anyway), it gets discarded from all state-tracking - tables. Finally, the ignore_scanners_threshold now applies all kinds - of scans, not just address scans. - -- Substantial Broccoli updates, including a new initialization requirement - that breaks backward compatibility, support for enqueueing serialized - event data for transmission, and OpenSSL threadsafe initialization. - See aux/broccoli/ChangeLog for details (Christian Kreibich, Robin - Sommer, and Matthias Vallentin). - -- Broccoli hashtable optimisation. See aux/broccoli/ChangeLog for - details (Christian Kreibich & Matthias Vallentin). - -- Broccoli memory leak fixed, see aux/broccoli/ChangeLog for details - (Christian Kreibich). - -- Broccoli: updates to bropipe tool (Steve Chan and Robin Sommer). - -- Bug fixes for Broccoli Python bindings (Robin Sommer and Matthias Vallentin). - -- Fixed nasty bug due to module scoping that completely kept stepping-stone - detection from working (Vern Paxson). - -- A serious bug in the packet sorter has been fixed (Robin Sommer). - -- Bug fix for extra NULs getting embedded in escaped strings (Seth Hall). - -- Bug fix for HTTP messages that use "Connection: close" rather than length - headers, which yielded erroneous reassembled messages with \r\n's when - only \n's were present (Bernhard Ager). - -- Fix for reporting on ICMP flows that are expired from the flow table - (Vern Paxson). Previously there was a race condition if the flow - was flushed prior to its summary timer expiring. - -- The -l option (list the scripts that Bro loads) now correctly prints - scripts loaded by the prefix mechanism, and uses indentation to indicate - the load hierarchy (Robin Sommer). - -- A bug has been fixed (really, worked around) in drop.bro that prevented - dropped addresses from being properly restored (Robin Sommer). - -- Fixes for deadlocking problems in the Broccoli protocol. See - aux/broccoli/ChangeLog for details (Christian Kreibich & Robin Sommer). - -- Bug fix for DNS analyzer on 64-bit machines (Gregor Maier). - -- Bug fix for asynchronous DNS lookups to prevent some successful lookups - being reported as timed out (Robin Sommer). - -- Bug fix for tracking line numbers associated with compound statements - (Po-Ching Lin). - -- Fix for a rare condition in which the main Bro process couldn't kill - its child process (Robin Sommer). - -- Fix for file rotation when the underlying file is deleted before the - timer expires (Robin Sommer). - -- Fix for potential crash when communication connections break down, - and also for releasing cached objects (Robin Sommer). - -- Fix for default table entries computed by function invocation to not - cache previous results (Robin Sommer). - -- Fix for Bro's internal DNS resolution (Scott Campbell and Robin Sommer). - -- Portability fix for DAG packet capture (Gregor Maier). - -- Portability fix for --enable-brov6 (Robin Sommer). - -- Portability fixes for FreeBSD (Vern Paxson). - -- A work around for new_packet() crashing on IPv6 packets (Vern Paxson). - For now, IPv6 packets are skipped. Also, for fragments the event handler - is now only called for the fully reassembled packet. - -- The new configuration option --disable-nbdns supports disabling non-blocking - DNS at configure time (Sean McCreary). Note, there are some known problems - with it in some environments. - -- A number of configuration fixes and enhancements (Christian Kreibich - and Robin Sommer). - -- Consistency nit for the configuration process (Seth Hall). - -- A number of reference-counting and other memory management fixes - (Robin Sommer). - -- Bug fix for inter-Bro communication lockup (Seth Hall and Robin Sommer). - -- Bug fix for computing TCP payload length in new_packet event (Lothar Braun). - -- Bug fix for sending boolean True values via Broccoli (Seth Hall). - -- make distcheck fix to clean up .bif.bro files (Christian Kreibich). - -- Bug fix for DPD's recognition of SSLv2 connections (Seth Hall). - -- Bug fix for &default for tables indexed by subnets (Seth Hall). - -- A bug has been fixed that could crash Bro when you called get_event_peer() - after a remote connection had already disppeared (Robin Sommer). - -- Introduced a work-around for crashes that occur when Bro exits - due to handling a signal (Robin Sommer). - -- Bug fix for checkpoint.bro - don't schedule timers for times that - aren't actually in the future (Robin Sommer). - -- Hostname formatting fix for anon.bro (Fabian Schneider). - -- Bug fix for redundant .log extension in Time Machine log file - (reported by CS Lee). - -- Removed now-outdated special-casing of Linux reporting of packet filter - statistics (Peter Wurzinger and Robin Sommer). - -- A number of memory leaks fixed (Robin Sommer). - -- Addressed warnings from newer versions of g++ (Robin Sommer and Vern Paxson). - -- Fixed an invocation issue in the ca-create script that prevented it from - working with recent OpenSSL versions (Craig Leres & Christian Kreibich). - -- Comment fixed in drop-adapt (Justin Azoff). - -- Duplicate code removed from Val (Seth Hall). - - -1.4 Fri Oct 17 11:08:52 PDT 2008 - -- We are no longer supporting a previous Bro release as the "stable" - version. Rather, the model now is that the current public release will - aim for increasing stability (occasionally updated with fixes), and those - who wish to use a "bleeding-edge" snapshot can do so via access to the - public SVN source code repository, as explained at - - http://bro-ids.org/wiki/index.php/Subversion#Public_Access - - Note that all previous releases remain available from the download page; - what is changing is that we no longer commit to support for the most - recent of these. - -- We have clarified the copyright statement that covers most of the - code to remove the "advertising clause" that derived from older - BSD licenses, and we have removed copyright wording from most source - code files. See COPYING for the current wording and a list of - files that retain their own copyright notices. - -- Bro now supports analyzing NetFlow v5 data, i.e., from Cisco routers - (Bernhard Ager). NetFlow can be useful for intrusion detection as it - allows analysis of traffic from many different points in the network. - Bro can now read NetFlow data from a UDP socket, as well as (mostly - for debugging purposes) from a file in a specialized format. You can - create these files with the programs given in aux/nftools. - - Command line switches: - - -Y|--netflow :[=] | read flow from socket - - This is the usual way of getting NetFlow data into Bro by - opening a UDP socket on : and reading all incoming - packets. Setting the to 0.0.0.0 should work on most - platforms. Optionally you may set an identifier for the - source - useful if there are many different sources you want - to analyze in parallel. This might also be necessary if you - want to use this feature with a clustered Bro. - - Examples: - bro -Y 0.0.0.0:5555 netflow - bro -i eth0 -Y 10.0.0.1:1234=src1 brolite netflow - - -y|--flowfile [=] - - Used to read from a file. You can optionally include an - identifier for the source. - - Examples: - bro -y myflowfile netflow - bro -y myflowfile=src1 otherflowfile=src2 netflow - - Netflow Events: - - event netflow_v5_header(h: nf_v5_header) - - Generated upon reading a new NetFlow PDU, as summarized in the - argument. The field h_id gives the flow source identifier and - a serial number. You can use this field to associate subsequent - netflow_v5_record events with their header. - - event netflow_v5_record (r: nf_v5_record) - - Every record within a NFv5 PDU generates a corresponding - netflow_v5_record() event. The relatively complex timestamp - format of NFv5 is already converted to Bro's time type, and - the TCP header flags are separated into bools. - - The distribution includes an example analysis script, netflow.bro. - It simply dumps received NetFlow records. If netflow_restitch is T - (the default), then Bro performs flow restitching as well, and two - script variables become relevant: - - global netflow_finished_conn_expire = 310 sec &redef; - - specifies how long to wait for additional flow records after - a RST or FIN for - - const netflow_table_expire = 31 min; - - Its setting only affects table declarations, and therefore - cannot be usefully redef'd. - - Auxiliary programs: - - Bro uses a custom format for flow data stored in files, - to enable preserving timestamps of the PDU arrivals and the - exporter's IP address. The tools nfcollector and ftwire2bro - in aux/nftools/ provide ways to manipulate the Bro NF file - format. The first dumps NetFlow data from a UDP socket to - stdout or to a file in Bro format. The second converts NetFlow - data in "wire" format to Bro format, and, while doing so, - fakes up the exporter's IP address and timestamp. You can get - "wire" format from normal flow-tools files, e.g., by using - 'flow-export -f 4'. Please note that the Bro format is just - a hack to allow for easier debugging. Therefore the format - is not in fact platform independent, and not suitable for data - storage. - -- A new DHCP analyzer generates the following events (Po-Ching Lin): - - event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr) - event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr, - event dhcp_request(c: connection, msg: dhcp_msg, - event dhcp_decline(c: connection, msg: dhcp_msg) - event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, - event dhcp_nak(c: connection, msg: dhcp_msg) - event dhcp_release(c: connection, msg: dhcp_msg) - event dhcp_inform(c: connection, msg: dhcp_msg) - - where dhcp_msg values look like: - - type dhcp_msg: record { - op: count; # 1 = BOOTREQUEST, 2 = BOOTREPLY - m_type: count; # the type of DHCP message - xid: count; # transaction ID of a DHCP session - h_addr: string; # hardware address of the client - ciaddr: addr; # original IP address of the client - yiaddr: addr; # IP address assigned to the client - }; - - See dhcp.bro for the corresponding analysis script (which could - probably use some refinements). - - Note, this analyzer is implemented using BinPAC, so you will need - to specify --use-binpac to activate it. - -- A BitTorrent analyzer is now available (Nadi Sarrar). See the policy - scripts bittorrent.bro and bt-tracker.bro for the events generated for - analyzing transfers and tracker dialogs, respectively. - -- The "Bro Lite" configuration is now deprecated and will not in - general be supported (Robin Sommer & Vern Paxson). - -- "make install" now only installs a core set of files (Robin Sommer). - Policy files are now installed in /share/bro/* (or whatever - configure determines $datadir to be), which is now in Bro's default - search path. It creates a directory /share/bro/site for local - policy files, and the default BROPATH is extended to include this. The - default path no longer includes policy/local. You can install the - additional files used by the (now deprecated) "Bro Lite" configuration - using "make install-brolite". - -- Substantial updates to Broccoli, including support for container - types (tables and sets) as well as a new metadata structure for event - callbacks, facilitating truly generic event handler implementations - (Christian Kreibich, Seth Hall and Robin Sommer). See aux/broccoli/ChangeLog - for details. - -- Extensive changes to allow Bro to process packets captured in the - past intermingled with those captured in real-time (Matthias Vallentin - and Robin Sommer). This operation reflects combining Bro with use of - "Time Machine" functionality for packet capture. - -- We have unfortunately had to disable support for configuring Bro - to use ClamAV, since it turns out that the key interface we need - for processing blocks of memory directly rather than whole files - is no longer supported by the package, and in fact was buggy even - when it was (Robin Sommer). - -- The new signature option "http-body //" matches - on the body data of HTTP entities (Robin Sommer). The matching is - done after decompressing the body, if necessary. - -- The new built-in function identify_data(data: string, return_mime: bool) - analyzes the string "data" and returns its type according to libmagic, - if installed (Seth Hall). The second argument controls whether it should - be returned as a MIME-type or just an identifying string. For example, - identify_data("MZpofigu", F) returns the string "MS-DOS executable", and - print identify_data("MZpofigu", T) returns "application/x-dosexec". - -- The new analysis script http-identified-files.bro identifies the - type of items returned by Web servers using libMagic (if available) - and generates notices for interesting types and mismatches between - URLs and types (Seth Hall). - - You configure it using two variables. watched_mime_types is a pattern - (default /application\/x-dosexec/ | /application\/x-executable/ ) for - which any MIME type matching the pattern generates a HTTP_WatchedMIMEType - notice. - - mime_types_extensions is a table mapping strings to patterns specifying - how URLs for the given MIME type should appear. (Ideally, this would - be a table mapping patterns to patterns, but Bro doesn't currently support - that.) It defaults to: - - ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/ - - i.e., do Windows executables end in .exe or .dll. - - You can also redef the pattern ignored_urls to specify URLs that should - not generate complaints. It defaults to matching Windows Update. - -- The new script http-extract-items.bro extracts the items from HTTP - traffic into individual files (Vern Paxson). Files are named: - - .._._. - - where is a redef'able prefix (default: "http-item"), is a - number uniquely identifying the item, the next four are describe the - connection tuple, and is "orig" if the item was transferred - from the originator to the responder, "resp" otherwise. - -- The workings of how Bro interfaces to external programs for dropping/ - restoring connectivity of misbehaving hosts has been significantly - reworked (Brian Tierney and Robin Sommer). - - First, dropping decisions used to be made directly by analyzer scripts, - such as scan.bro directly calling drop_address(). Now instead the - scripts generate Notices and then the notice policy can have an - action of NOTICE_DROP to codify that the response to the given Notice - is to drop the source. The new notice_action_filter of drop_source - drops the source of notices, and drop_source_and_terminate both - drops the source and terminates the corresponding connection. - - So, to drop all sources triggering a specific notice, one can now, e.g., - write: - - redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source }; - - Related to this change, notice_info has a new field $dropped, set to - true if the Notice triggered a (successful) drop. - - Second, by redef'ing Drop::use_catch_release to T (default F) you can - activate "catch-and-release" logic. You use this mode when you need to - manage a limited number of possible blocks, or to build in automatic - "forgiveness" in situations where blocked sources might become benign - (such as due to dynamic IP addresses). If a source has been idle for - Drop::drop_time, then it is unblocked. However, if it is again seen as - block-worthy, then it is blocked for an interval of Drop::long_drop_time. - - Third, ICMP scanning is now reported by its own notice, ICMPAddressScan, - rather than Scan::AddressScan. - -- Google's perftools have replaced mpatrol for leak-checking and - heap-profiling (Robin Sommer). If Bro is compiled with --enable-perftools - and configure finds the perftools, there are two command-line options - available: - - -m turns on leak checking of the main packet loop, with some - uninteresting leaks are suppressed. Currently, with one - exception (the RPC analyzer; problem not yet found), it reports - no leaks when running the test suite. - - -M turns on heap profiling: Bro will take a snapshot of the heap - before starting the main packet loop and another one when - finished. These snapshots can then be analyzed with pprof. - - For more information about the perftools see - - http://code.google.com/p/google-perftools - -- Notice tags are now generated in a pseudo-unique fashion that, with high - probability, ensures that tags generated by separate Bro processes don't - clash when logged to a common location, such as for a Bro cluster (Robin - Sommer). Tags are now string's rather than count's, and are associated - with all notices, not just that are connection-related. You can however - redef the string notice_tag_prefix or the function new_notice_tag to - further control how such tags are generated. - -- Four new built-ins for type conversion (Robin Sommer): - - function double_to_interval(d: double): interval - function addr_to_count(a: addr): count - function port_to_count(p: port): count - function count_to_port(c: count, t: transport_proto): port - -- Many policy scripts have been modified to use modules & scoping - (Robin Sommer and Matthias Vallentin), which may require updates to - existing scripts/refinements. - -- The new script variable dpd_conn_logs (default F), if true, changes the - semantics of the service field in connection logs written to conn.log, - as follows (Robin Sommer). It becomes a comma-separated list of analyzers - confirmed by DPD to parse the connection's payload. If no analyzer could - confirm its protocol, but the connection uses a well-known port, the - service is the name of the port with "?" appended (e.g., "http?"), as - long as the corresponding analyzer has not declined the connection. - In addition, ftp-data sessions are labeled "ftp-data" and portmapper - connections are labeled with the specific method-call (just as before). - - dpd_conn_logs defaults to F because the change in semantics may break - scripts that parse conn.logs; but it will likely change to the default - in the future. With dpd_conn_logs turned off, conn logs are generated - as they used to be, with a few rare exceptions (with previous versions, - the service field was sometimes determined while the connection was still - alive; now it's always determined at the time when the conn.log entry - is written out). - -- The SSL analyzer has been rewritten using BinPAC, with a number of - robustness improvements (Tobias Kiesling). It currently is only used - if you execute with --use-binpac. - -- Python bindings for Broccoli are now available in - aux/broccoli/bindings/python/ (Robin Sommer). See README/README.html - in that director for details. - -- The new "auth" option in remote.bro indicates whether a given side is - considered "authoritative" for shared state, in which case it sends its - initial state to &sync'ed peers (Robin Sommer). When two peers synchronize - their state, one side sends its current set of state to the other as - soon as the remote connection is established. The one sending the state - used to be the one who has been running longer; now it can also be - explicitly set via the "auth" flag in the Remote::Destination. - -- Two new tuning parameters for scan.bro (Robin Sommer): - - ignore_scanners_threshold (default 0): - - If a host has scanned more than this many hosts, it is completely - excluded from further scan detection. 0 disables. - - addr_scan_trigger (default 0): - - A host is only tracked for address scanning once it has contacted - this many different hosts. Primarily intended for using a two-stage - scan detection with a Bro cluster: first, each node searches locally - for scanners by looking for hosts contacting more than - addr_scan_trigger destinations. Those hosts which do are then - globally tracked throughout the cluster by &synchronizing the scan - detector tables. - -- When Bro serializes functions, it now does so by default using only - their name, rather than their full value (Robin Sommer). This prevents - propagation of expiration functions associated with tables and sets. - Note, currently there is no mechanism provided to switch from the - default behavior, but the internal hooks are in place to do so. - -- The new built-in variable trace_output_file gives the name of the -w - output trace file (Robin Sommer). - -- Bro no longer installs new file rotation timers when shutting down - (Robin Sommer). - -- The new policy scripts remote-print-id{,-reply}.bro support convenient - access to printing the identifiers of a remote Bro (Robin Sommer). - You use the script remote-print-id.bro to request and receive the - printing; the remote Bro must have loaded remote-print-id-reply.bro - in order to process the request. - - Example use: - - bro -e 'redef PrintID::dst="" PrintID::id=""' - remote-print-id - -- scan.bro has been heavily modified to better support distributed scan - analysis (Matthias Vallentin and Robin Sommer). - -- The check for unused event handlers is now turned off by default - (Robin Sommer). To enable, use "redef check_for_unused_event_handlers = T". - -- The new script drop.bro has been split off from scan.bro to isolate - the logic concerning dropping addresses to block scans (Robin Sommer). - -- The new -l flag lists each script as it is loaded (Robin Sommer). - -- Textual descriptions of identifiers now include their attributes - (Robin Sommer). - -- The new predefined function prefixed_id() returns a session identifier with - its peer-ID prepended if it's associated with a remote Bro (Robin Sommer). - This is now used when generating writing log files. - -- remote.bro now assigns a priority of -10 to its bro_init() event handler - to allow others a chance to modify destinations (Robin Sommer). - -- A large number of BinPAC updates (Ruoming Pang and Robin Sommer). - -- The new built-in type_name(v): string returns the name of the type - of the value v (Vern Paxson). For example, "typename(5.2)" returns - "double". This function is mainly for internal debugging (i.e., - finding mismatches between values generated by the event engine - versus how their type is expected by the script layer). - -- The new built-in str_shell_escape() does some basic escaping on strings - that will be passed to system() (Christian Kreibich). Note, this function - isn't ready (robust enough) for routine use, however. - -- The new built-in disable_print_hook(file) acts the same as - the attribute &disable_print_hook (Robin Sommer). - -- The new script terminate-connection.bro factors out the terminate_connection() - functionality that used to be in conn.bro (Robin Sommer). - -- The new attribute &group= can be associated with event handlers - to group them together into a set that can be manipulated as a whole - (Robin Sommer). is a string reflecting the name given to the group. - - The built-in enable_event_group(group: string) turns on all the analyzers - in a given group, and disable_event_group(group: string) deactivates them. - -- The new attribute &raw_output applies to variables of type file, disabling - escaping of non-printable characters (Seth Hall). - -- You can now iterate over the characters in a string value using - a "for" loop, e.g., "for ( c in str ) ..." (Robin Sommer). - -- The new built-in - - function cat_sep%(sep: string, def: string, ...%): string - - works similarly to cat(), except that it (a) separates the values - by "sep" and (b) substitutes "def" for empty strings (Seth Hall). - -- The function string_escape() now takes a string of characters to escape - rather than a single character (Robin Sommer). Each character in the - string is preceded by '\' in the return value (also any embedded '\'s, - as before). - -- The new built-in function global_ids() returns a table of all global - identifiers along with associated information (Robin Sommer). The - return value has type table[string] of script_id, indexed by the name - of the identifier and yielding records with the following fields: - - type script_id: record { - type_name: string; - exported: bool; - constant: bool; - enum_constant: bool; - redefinable: bool; - value: any &optional; - }; - -- The new script function find_last(str: string, re: pattern) returns - the last occurrence of the given pattern in the given string, or - an empty string if no match (Robin Sommer). Note that this function - returns the match that starts at the largest index in the string, which - is not necessarily the longest match. For example, a pattern of /.*/ - will return just the final character in the string. - -- The new script variable record_all_packets, if redef'd to T (default F), - instructs Bro to record every packet it processes (Robin Sommer). - Prior to introducing this variable, Bro applied a few heuristics to - reduce recording volume. Setting this variable also causes packets - to be recorded very early in processing, which can be helpful for - debugging crashes. - -- If the new script flag ssl_log_ciphers is set to T (default), ssl.bro - logs the ciphers seen (Robin Sommer). - -- Much more expanded Time Machine support, now located in - policy/time-machine/ (Robin Sommer), - -- The new command line option --status-file (alias -U) specifies - the name of a file into which Bro will write an indicator of its current - processing status (Robin Sommer). Possible values include "INITIALIZING", - "RUNNING", "TERMINATING", "TERMINATED". - -- The new policy script targeted-scan.bro looks for repeated access from - the same source to the same server, to detect things like SSH - password-guessing attacks (Jim Mellander). - -- The "alternative" style for printing strings (i.e., a fmt() argument - of "%As") now renders the raw string, other than escape-expanding - embedded NULs (Vern Paxson). This change may be temporary, pending - development of more fine-grained control over string rendering. - -- For now we have removed the %S functionality for fmt() (Robin Sommer). - %S was meant to print "raw" strings, but later processing of such - printing still introduces artifacts. - -- GeoIP information now includes latitude and longitude (Seth Hall). - -- ssh.bro now supports the variable skip_processing_after_handshake - which directs the event engine to omit any further processing of an - SSH connection after its initial handshake (Seth Hall and Robin Sommer). - This can help with performance for large file transfers but precludes - some kinds of analyses (e.g., tracking connection size). This change - also adds a scope of "SSH". - -- Email notification of notices now allows for separate destinations - depending on notice type (in particular, a regular mail destination - versus a pager destination), and also escapes the notice to prevent - injection attacks (Seth Hall and Robin Sommer). - -- The new policy script conn-flood.bro is a simple connection-flooding - detector, mainly meant as a demonstration (Robin Sommer). - -- A large number of additions to the TLS/SSL known-ciphers suite (Seth Hall). - -- Serialization now uses 64-bit IDs to cache items rather than 32-bit, - for robustness during long-running execution (Robin Sommer). - -- The new script variable tcp_max_initial_window specifies, for flows - for which ACKs have never been seen, the maximum volume of initial - data after which Bro will assume that it is seeing only one side - of the connection and will not buffer data for consistency checking - awaiting the later arrival of ACKs (Robin Sommer). It defaults to 4 KB. - (Note, this used to be an internal value, so the behavior is not new.) - Set to 0 to turn off this functionality and have Bro attempt to - track all such flows. - -- The new script variable tcp_max_above_hole_without_any_acks specifies, - for flows for which ACKs have never been seen, the maximum volume of - data above a sequence hole that Bro will tolerate for a connection - before giving up on tracking the flow (Robin Sommer). It defaults to 4 KB. - (Note, this differs from tcp_max_initial_window in that this threshold - applies to sequence holes rather than the beginning of flows. Like - tcp_max_initial_window this used to be an internal value.) Set to 0 to - turn off this functionality. - -- The new script variable tcp_excessive_data_without_further_acks specifies - a threshold similar to tcp_max_above_hole_without_any_acks, but for - flows for which Bro has seen ACKs (Robin Sommer). It defaults to 10 MB. - Set to 0 to turn off the functionality. - -- Equal signs ("=") in text for notices are now escaped when using the - tagged format to keep them unambiguous from the "=" delimiters - (Robin Sommer). - -- The final tallies for notices are now processed as NoticeTally - NOTICE's rather than directly alarm'd (Robin Sommer). - -- WeirdActivity notices now include an associated connection when appropriate - (Robin Sommer). - -- Support for large (> 2^32 bytes) pcap trace files (Po-Ching Lin). - -- Scoped names ("...::...") are now allowed in signature "eval" - constructs (Christian Kreibich). - -- scan.bro is now decoupled from conn.bro, i.e., you can @load the - latter without getting the former (Vern Paxson). As part of this - change, the logic to invoke TRW is now in scan.bro. - -- weird.bro has been updated with a number of missing Weird's (Vern Paxson). - -- If when using inter-Bro communication the child Bro process terminates, - it now also terminates the parent process (Robin Sommer). - -- BinPAC analyzers now interoperate with DPD (Robin Sommer). - -- Some http.bro processing options are now exported so they can be - accessed in other scripts (Robin Sommer). - -- SMTP analysis now applies to port 587/tcp as well as 25/tcp (Robin Sommer). - -- $conn is now set in ServerFound notices (Robin Sommer). - -- You can now create empty sets and tables using set() and table(), - i.e., the usual set/table constructors with no arguments (Vern Paxson). - By themselves, these have an unspecified type - you can't use them - directly other than to assign them. For example, - - local bad_guys: set[addr]; - ... - bad_guys = set(); # start over assuming no bad guys - -- A number of scripts have been (slightly) simplified to use the - new empty set()/table() constructors (Vern Paxson). Note that - these still aren't usable for field assignments in record constructors, - nor for attributes like &default = ... - -- Removed unused syntax for declaring sets based on a list of initial - values (Vern Paxson). - -- set() and table() can now be used as arguments to function calls - (Vern Paxson). - -- The vestigial &match attribute has been removed. - -- POP3 is now recognized using Dynamic Protocol Detection (Seth Hall). - -- The new event expected_connection_seen(c: connection, a: AnalyzerTag) - is generated whenever a connection is seen for which we have previously - scheduled an analyzer via expect_connection() (Robin Sommer). - -- The new built-in capture_state_updates logs all changes applied to - &synchronized variables, in a fashion similar to the capture_events() - built-in (Robin Sommer). An accompanying policy script, - capture-state-updates.bro, turns this on to the file state-updates.bst. - -- If the new script variable suppress_local_output is set (default: F), - Bro suppresses printing to local files if there's a receiver for - print_hook events (Robin Sommer). This option is however ignored - for files with a &disable_print_hook attribute. - -- The new notice action filter function file_if_remote specifies - that notices from sent from remote source addresses should - have an action NOTICE_FILE (Robin Sommer). - -- The new notice action filter function file_local_bro_notices specifies - that notices generated by the local Bro instance (as opposed to a - remote peer) should have an action NOTICE_FILE (Robin Sommer). - -- An arbitrary tag can now be past to post-processors for log rotation - (Robin Sommer). - -- Default inactivity timeouts for interactive services shortened to - 1 hour (Robin Sommer). - -- The scanning variables distinct_{peers,ports,low_ports} are now - redef'able (Robin Sommer). - -- The new -S (--summary-only) option for site-report.pl directs to - only generate connection summaries (Brian Tierney) - -- More useful default config file for edit-brorule.pl (Brian Tierney). - -- Bro now includes a test suite in testing/istate/ for its "independent - state" functionality (Robin Sommer). - -- Support for parallel builds via make -j (Christian Kreibich). - -- Bro's default search path now includes includes policy/sigs/ and - policy/time-machine/ (Robin Sommer). - -- Bro's internal processing of interprocess communication has been - significantly overhauled to prevent potentially fatal race conditions - (Robin Sommer). - -- Bro now checks calls to fmt() at compile-time to ensure that the - correct number of arguments are present (Vern Paxson). This is useful - in addition to Bro's run-time checking for arguments matching their - corresponding format-specifiers in the case of rarely-executed statements - that might not generate such run-time checks in routine testing. - -- The ports associated with Telnet and Rlogin are now redef'able (Robin Sommer). - -- MIME processing now removes leading whitespace from MIME headers - (Sanmeet Bhatia and Robin Sommer). - -- TCP "weird" events reported by the connection compressor now match - (other than a few rare corner-cases) those produced for normal TCP - processing (rmkml and Robin Sommer). - -- Added Scan::suppress_UDP_scan_checks to control false positives - on scan detection in environments with P2P protocols that use UDP - (Vern Paxson). - -- The internal analyzer interface now includes an EndOfData() method that - analyzers can use to report that all of a message has been delivered - (Robin Sommer). - -- Fix for a significant memory leak in processing UDP when using -w - (Robin Sommer). Note: this change turns off by default trace rewriting - for generic UDP traffic. - -- Two serious regular expression bugs fixed (Vern Paxson). In the - first, searching for a regular expression inside a string would - fail if the pattern occurred only after an embedded newline. In - the second, insufficient buffer was allocated when compiling regular - expressions, leading to memory corruption. - -- Base64 decoding bug fixes (Christian Kreibich and Ruoming Pang). - -- Automatic rotation of files is now disabled for contents files written - by the TCP reassembler, which otherwise leads to mangled files - (Robin Sommer). - -- Bro now ships with an updated version of libpcap (0.9.8), which hopefully - fixes problems managing trace files > 4 GB in size. - -- Significant bug fixes for gzip- and deflate-encoded Web items (Robin Sommer). - -- Bug fix for secondary-filter.bro (Vern Paxson). - -- Removed a naming ambiguity regarding TCP states (Vern Paxson). - -- Bug fix for signature scanner not matching all of its input (Vern Paxson). - -- Bug fix for using port values in signatures (Robin Sommer). - -- Minor policy script tweaks: state management for weird's, processing - of Notice tags associated with connections, and dependencies for - irc-bot.bro (Robin Sommer). - -- aux/ portability fixes (Vern Paxson). - -- Workarounds added for a BinPAC deficiency, which is that code in %cleanup - clauses can also be executed during recovery from exceptions when parsing - new data. This means that any delete's or Unref()'s need to also set the - corresponding pointer to nil (Vern Paxson). - -- Bug fix for crashes with the non-BinPAC SSL analyzer (Robin Sommer). - -- Tweak to peer-status.bro since Bro now requires events to be - declared prior to reference in a "schedule" statement (Robin Sommer). - -- The signature keyword "enable" now optionally accepts the syntax - "foo:bar" to specify "activate analyzer bar as a child of analyzer foo" - (Robin Sommer). This is used for example for an XML-over-HTTP analyzer - that's in the works. - -- irc-bot-syslog.bro now uses open_log_file() for its log file (including - the logging suffix) rather than a direct open (Vern Paxson). - -- Bug fix for tracking Blaster across a Bro Cluster (Robin Sommer). - -- Bug fix for the HTTP BinPAC analyzer chopping the trailing character - off of HTTP headers when generating the http_all_headers event (Gregor Maier). - -- Bug fix for HTTP chunked items for which the chunk size line was terminated - by CRLF but the CR and LF came in separate packets (Gregor Maier). - -- A bug has been fixed that would cause partial lines (for line-oriented - protocols) to fail to be processed when a connection terminated - (Robin Sommer). - -- Bro no longer treats a signal arriving before a previous signal has - been processed as fatal, nor does it attempt processing of a termination - signal if seemingly there are no race conditions to worry about - (Robin Sommer). Both of these changes are an attempt to improve - Bro's robustness. - -- Fix for attributes such as &encrypt not working in initial declarations - but only in later redef's (Seth Hall and Robin Sommer). - -- Fixes for memory leaks in SSL processing (Seth Hall and Robin Sommer). - -- Fix for POP3 analyzer to not treat lines like "." as message - terminators (Robin Sommer). - -- Bug fix for crashes arising from nil pointers in list expressions - (Seth Hall and Robin Sommer). - -- Bug fix: a signature's "enable" would activate the corresponding analyzer - even if no event handlers were defined for it (Robin Sommer). - -- Bug fixes to prevent crashes when mixing set_contents_file() with - subsequent explicit close(), and to ensure all data written to - file upon connection tear-down (Gert Doering and Robin Sommer). - -- Configuration support for MacPorts and Fink package management systems - (Christian Kreibich & Vern Paxson). - -- Communication-only Bro's now send out email alarms (Robin Sommer). - -- Writes to a file that fail due are now run-time errors rather than - fatal internal errors, since often these occur due to the disk - being full (Robin Sommer). - -- Byte-order bug fix for lookup_location() (Robin Sommer). - -- BinPAC portability fix for 64-bit machines (Bernhard Ager and Robin Sommer). - -- Portability fixes for newer versions of gcc (Jan Gerrit Goebel and - Robin Sommer). - -- Some support for porting to Solaris (Stephan Toggweiler). - -- Connection compressor bug fix for source and destination having the - same IP address, such as when monitoring loopback (Robin Sommer). - -- Connection compressor bug fix for connections with multiple SYNs - (Robin Sommer). - -- Bug fix for using already-declared local variables for looping - over vectors in a "for" loop (Robin Sommer & Vern Paxson). - -- Bug fix for not processing truncated UDP packets (Tom Kho and Robin Sommer). - -- Bounds-check added to BinPAC-generated code (Tom Kho and Robin Sommer). - -- Bug fix for checking whether an IPv6 address is part of a subnet - (Seth Hall). - -- Bug fixes for crashes relating to asynchronous DNS lookups performed - at start-up (Robin Sommer). These changes also lowered the timeout - before assuming failure from 20 seconds down to 5 seconds. - -- Portability and const-ness fixes (Kevin Lo and Robin Sommer). - -- Suppression of some content-gap complaints when running on traces - that have been filtered down to only TCP control packets (Robin Sommer). - -- Removed unnecessary dependency in notice-action-filters.bro - that led to errors when loading icmp.bro by itself (Vern Paxson). - -- Bug fix for potential infinite loop in client communiation (Robin Sommer). - -- Bug fix in reference counting that could eventually lead to roll-over - (Robin Sommer). - -- Bug fix in communication initialization (Robin Sommer). - -- Internal documentation fix: timers are specified using absolute time, - not relative (Robin Sommer). - -- Performance improvement for built-in find_all() function when running - on large strings (Robin Sommer). - -- Memory leak fixes (Robin Sommer, Bernhard Ager, Christian Kreibich). - -- Bug fix for error recovery when encountering an unknown link layer - (Bernhard Ager). - -- Bug fix for reversing client & server in a connection (Po-Ching Lin). - -- Bug fix for packet_contents when capture length exceeds the IP payload - length due to Ethernet frame padding (Christian Kreibich). - -- Bug fix for tcp_packet event erroneously including Ethernet padding - in its contents (Vern Paxson). - -- Bug fix for lookup_connection built-in (Seth Hall). - -- Portability nit for libedit tarball (Vern Paxson). - -- Broccoli portability fix for NetBSD (Christoph Leuzinger). - -- Type-checking for script-level event invocation was completedly broken - - now fixed (Vern Paxson). - -- Portability fixes for different versions of g++/STL (Nicholas Weaver - and Vern Paxson). - -- Fix for dynamic detection of SSL via DPD (Robin Sommer). - -- IPv6 portability fix for BinPAC-based DNS analyzer (Vern Paxson). - Note, more portability work is needed for it. - -- Bug fix for bifcl error messages (Vern Paxson). - -- Minor bug fix for remote communication, plus some improved communication - logging (Robin Sommer). - -- Bug fix for &printhook (Robin Sommer). - -- Bug fix for error message output (Robin Sommer). - -- Bug fix for termination cleanup (Robin Sommer). - -- Bug fix for some Rlogin corner cases (Robin Sommer & Vern Paxson). - -- Bug fix for bifcl generation of "interval" types (Vern Paxson). - -- Bug fix for getting connection memory statistics when Bro is - exiting (Robin Sommer). - -- Config fix: --enable-debug now turns off -O2 for gcc (Robin Sommer). - -- Bug fixes for "heavy" analysis (Vern Paxson). - -- Broccoli bug fixes for types net and port (Robin Sommer). - -- Bug fixes for Telnet environment options (Robin Sommer). - -- Bug fix for accessing remote peer description (Robin Sommer). - -- A fix for the connection compressor generating new_connection too - late (Robin Sommer). - -- Fixes for DAG support, including configuration and multiple - interfaces (Robin Sommer). - -- Bug fix for serializing time-stamps of table entries (Robin Sommer). - -- Bug fix for dealing with peer IDs for remote communication (Robin Sommer). - -- Bug fix to avoid installing timers when timers have already - been canceled (Robin Sommer). - -- Bug fix for interplay between serializing connections and - connection compressor (Robin Sommer). - -- Memory leak fix for enum's (Robin Sommer). - -- Bug fix for files being closed prior to bro_done() (Vern Paxson). - -- aux/broccoli/contrib was not included in distribution (Robin Sommer). - -- Auto-configuration bug fix for BinPAC (Craig Leres). - -- Bug fix for dynamic protocol detection (Robin Sommer). - -- A number of configuration fixes for installation and portability - (Christian Kreibich, Brian Tierney, Robin Sommer, Dan Kopecek). - - -1.3 Mon Jul 16 22:11:00 PDT 2007 - -- The Bro manual has been wikified at: - - http://www.bro-ids.org/wiki/index.php/User_Manual - - and this is the format in which it will evolve in the future - (Christian Kreibich). - -- Much more extensive support for SMB, NetBIOS and NCP (Chris Grier). - -- The new attribute &priority=n defines the order of execution for handlers - of the same event (Robin Sommer). Handlers with higher priority are - executed first. n is an integer expression that must evaluate to a - constant when the script is loaded. - - Example: - > cat foo.bro - event bro_init() &priority = -5 { print -5; } - event bro_init() &priority = 5 { print 5; } - event bro_init() { print 0; } # default priority=0 - > ./bro foo.bro - 5 - 0 - -5 - - The connection_state_remove() handler in conn.bro now has priority - -10 and therefore executes after all other handlers for this event. - This fixes a long-standing problem of sometimes $addl fields not showing - up in connection summaries. - -- The new expressions record(...), table(...), set(...) and vector(...) - are constructors for the corresponding aggregate types (Vern Paxson). - For example, - - record($foo = "hi", $bar = -6) - - is the same as the existing constructor - - [$foo = "hi", $bar = -6] - - For tables, sets, and vectors, the "..." values within the ()'s have - the same syntax as those that you can list in variable initializations. - For example, - - table([1, T] = "black", [4, F] = "red") - - returns a table of type "table[count, bool] of string". - - set(4, 3, -1) - - is a value of type "set[int]". - -- You can associate attributes with table() and set() constructors - (Robin Sommer). For example: - - local s = set(1.2.3.4) &read_expire = 5 secs; - - associates a 5-second read expiration with the set assigned to s. - -- Bro now explicitly supports port numbers reflecting a transport protocol - type of "unknown" (Christian Kreibich). Currently, this means "not TCP, - UDP or ICMP". The numerical value of such a port is the IP protocol, - so ranges from 0..255. For example: - - global p: port = 0/unknown; - - print fmt("%s", p); - print fmt("p is TCP? %s", get_port_transport_proto(p) == tcp); - print fmt("p is unknown? %s", - get_port_transport_proto(p) == unknown_transport); - - yields - - 0/unknown - p is TCP? F - p is unknown? T - - In comparisons of different protocol types, the following holds: - unknown < TCP < UDP < ICMP. - -- If your system supports "GeoIP" (see http://www.maxmind.com/app/geolitecity - for a corresponding city database), then the new script function - - lookup_location(a: addr): geo_location - - returns a record of geographic information associated with an address - (Seth Hall). The geo_location record has $country_code, $region and - $city fields. If no information is available, each of these will be - set to empty strings. - - If Bro hasn't been configured with GeoIP support, or if the address is - IPv6 that cannot be directly converted to IPv4, then Bro produces a - run-time error and likewise returns empty strings. - -- Signature-matching on HTTP components now processes the URI with - escape sequences expanded (Robin Sommer). Ideally, there would be - two signature keywords, one for decoded URIs (corresponding to this - case) and one that allows matching against the URI as originally - transmitted. - -- The connection compressor is no longer considered experimental, and - is used by default (Robin Sommer). - -- The new function lookup_hostname(host: string): addr_set asychronously - looks up the IPv4 address(es) of the given host via DNS (Robin Sommer). - Like lookup_addr(), this function can only be used within a "when" - statement. - -- The new built-in - - raw_bytes_to_v4_addr(s: string): addr - - takes a string that points to at least 4 bytes, and returns an address - corresponding to interpreting these as being an IPv4 address in network - order (Vern Paxson; suggested by Mike Dopheide). - -- Trace-rewriting support for DNS, SMB (Chris Grier). - -- The new script function find_all(str: string, re: pattern): string_set - returns a string_set giving all occurrences of the pattern "re" in - the string "str" (Robin Sommer). (Note that string_set's are unordered.) - -- The new policy script save-peer-status.bro generates a log - to peer_status.$BRO_LOG_SUFFIX of updates received from - communication peers (Robin Sommer). - -- The policy script print-filter.bro now includes two (scoped) variables, - terminate_bro and to_file, which control whether to exit after printing - the filter (default T) and whether to write to the log file - pcap_filter.$BRO_LOG_SUFFIX or (default) to stdout (Robin Sommer). - -- The new script variable check_for_unused_event_handlers controls whether - Bro checks for unused event handlers (Robin Sommer). It defaults to T, - which was the past behavior (always report). - -- Bro now terminates if the only pending activity is future timers - (Robin Sommer). It used to wait for those timers to expire, but this - can cause fundamental problems if the timers are associated with table - management (since these might never completely drain). - -- Tables and sets inside of records are now initialized to empty - values rather than uninitialized (Vern Paxson). - -- A new variable allow_services_from (in hot.bro) complements the - existing allow_service_to variable (Brian Tierney). It specifies - that access to the given service from the given originator is - allowed. - -- global_sizes() no longer reports internal variables (Robin Sommer). - -- The IRC analyzer is now activated if any of the (many) IRC event - handlers are defined (Robin Sommer). - -- The default value for tcp_close_delay is now 5 sec rather than 0 sec - (Robin Sommer). This prevents some spurious connection events. - -- Improved logic for dealing with "reversed" connections such - as backscatter (Vern Paxson). - -- You can now left-justify fields when using fmt() with "%-" like - in sprintf (Christian Kreibich). - -- Updates to DNS query types (Larry Leviton). - -- Added mechanism to http-header.bro to skip printing some HTTP headers - (Larry Leviton). - -- The IrcHotWord notice now sets the associated connection (Robin Sommer). - -- If a notice has a tag, it's no longer overridden (Robin Sommer). - -- ServerFound notices now set the port field (Robin Sommer). - -- The built-in lookup_ID() now returns the string "" if the - ID does not exist, rather than a run-time error (Robin Sommer). - -- The new tuning option ProtocolDetector::suppress_servers specifies a - set of analyzers for which Bro generates ServerFound notices, but not - ProtocolFound (Robin Sommer). This both reduces log file size and - conserves memory. - -- A new notice_action_filter, tally_notice_type_and_ignore, works the same - as tally_notice_type but returns IGNORE (Robin Sommer) - -- Setting summary_interval == 0 disables the creation of irc-bots.summary.log - (Robin Sommer). - -- If you @load foo and a directory "foo" is in your path, Bro no longer - tries to load it (Robin Sommer). - -- A number of BinPAC fixes and enhancements (Ruoming Pang, Chris Grier - and Vern Paxson). - -- BinPAC now resides in aux/binpac rather than src/binpac (Ruoming Pang - and Christian Kreibich). This reflects a decoupling of it from Bro so - that it can be used to generate protocol analyzers for other projects too. - -- Removed example Inktomi entries from skip_scan_sources initialization, - since they no longer exist (Vern Paxson). - -- The variable make notice_once_per_orig_tally_interval is now - redef'able (Brian Tierney). - -- SIGPROF to the communication child process now logs resource stats to - remote.log (Matthias Vallentin). - -- The new built-in getpid(): count returns Bro's process ID (Robin Sommer). - -- Patterns for detecting IRC-based bots updated (Robin Sommer). - -- irc-bot-syslog now logs just bots, not all IRC client/servers (Robin Sommer). - -- The new variable suppress_notice_actions in notice.bro suppresses - notice_actions events for selected notice types (Robin Sommer). - -- Files opened during operation now rotate just like those opened at - startup (Robin Sommer). - -- ResourceStats now also logs elapsed time and the reported number of - packets-on-the-link (Mark Dedlow). - -- Printing a "file" value now produces its name (Robin Sommer). - -- Removed deliberate truncation of payload in port 80 FIN packets - (Vern Paxson). - -- remote.log now includes received peer_descriptions (Robin Sommer). - -- Significant POP3 analyzer speed-ups (Vern Paxson). - -- Updated README (Vern Paxson). - -- Fix for "@load a" followed by "@load a.bro" not loading the same file - twice (Robin Sommer). - -- Bug fixes for propagating state operations to uninitialized variables - and for spurious state inconsistency messags (Robin Sommer). - -- Bug fix for sending final sync-points during pseudo-realtime mode - (Robin Sommer). - -- Fix for possible buffer overflow (Christian Kreibich). - -- Bug fix for spurious end-of-file's during inter-Bro communication - (Robin Sommer). - -- Bug fix for dpd_match_only_beginning=F (Robin Sommer). - -- Bug fix for updating timestamps (Christian Kreibich). - -- Bug fix for skipping ADU processing in adu.bro (Christian Kreibich - and Zhichun Li). - -- Fix for ICMPs that carry ICMP headers (or non-TCP/UDP/ICMP headers) - within them (Vern Paxson). - -- Fix for files being rotated after the timer queue has been deleted - (Vern Paxson). - -- Bug fix for signature-matching with IPv6 subnets (Vern Paxson). - -- Bug fix for connection compressor setting connection origin (Robin Sommer). - -- Bug fix for interconn.bro when processing peculiar connections (Vern Paxson). - -- Fix for off-by-one buffer in sscanf call (Christian Kreibich). - -- Fixed inefficiency/warning flagged by g++ (Vern Paxson). - -- Bug fix for NUL string termination in SMB processing (Zhichun Li). - -- Fix for over-ref'ing of file Val's (Vern Paxson). - -- Fixes for some g++ warnings (Christian Kreibich, Vern Paxson). - -- gcc 3.4.2 portability fixes (Robin Sommer). - -- Minor build fixes for Broccoli, including a version bump to match that - of Bro. See aux/broccoli/ChangeLog for details. - -- distcheck fixes (Christian Kreibich). - -- Configuration portability fixes (Matthias Vallentin, Jean-philippe Luiggi). - -- OpenBSD portability fixes (Jean-philippe Luiggi, Christian Kreibich). - - -1.2.1 Mon Dec 11 16:22:58 PST 2006 - -- Fixed delayed triggering of new_connection events when using the - connection compressor. - -- Fixed tracking of first packet in TCP analyzer. (Reported by Guohan Lu) - -- The syslog built-in got lost during some previous merge. - -- Fixed crash if local variable is given as timeout value for table. - (Reported by Mike Wood.) - -- Fixed using "time" values as table indices. - -- Added ssh to default brolite DPD configuration. - -- Fixed catching up to real-time in case of lull. - -- Fixed Broccoli "BRO_DATA_FORMAT_VERSION" to match version in Bro. - -- Fixed Makefile problem in doc directory. - -- Fixed Makefile dependency problem in binpac directory. - -- Added Linux tuning to brolite install script. - -- Modified Makefile to include broccoli/contrib. - -- Adding missing initialization to remote serializer. - -- Minor documentation updates for reference manual and Broccoli. - - -1.2 Tue Oct 17 12:09:49 PDT 2006 - -- Bro now supports DPD, dynamic protocol detection (Robin Sommer, Holger - Dreger, and Michael Mai). With DPD, Bro can analyze protocols regardless - of what port numbers they use: it infers the protocol based on which - application analyzers can parse it without error. Adding this functionality - involved extensive changes to Bro's internals, but also now enables - multiple Bro analyzers to work on the same connection, either concurrently - or one nested inside the other (we have not taken much advantage of this - latter capability yet, but see the FTP events discussed below). - - There are a number of new policy scripts, events, and variables associated - with DPD processing, as follows. - - Scripts: - - You activate DPD by @load'ing dpd.bro. It in turn instructs Bro - to load the signature file policy/sigs/dpd.sig. Note that Bro - uses signatures to expedite deciding which analyzers to try on - a given connection; it does *not* simply use the signatures to - make the determination of which protocol is in use, as this is - insufficiently robust. (At this point, Bro provides signatures - for FTP, IRC, HTTP, SMTP, and SSH. In the future we plan to add - other protocols.) - - Along with dpd.bro, you need to @load detect-protocols.bro or - detect-protocols-http.bro. The former enables general detection - of application-layer protocols, while the latter does further - inspection of HTTP sessions to characterize applications running - on top of HTTP such as Gnutella or SOAP. (Loading dpd.bro - is separate from loading one of these scripts because in principle - Bro could use a different means than signatures to activate - the analyzers, although currently it does not.) - - If you @load dyn-disable.bro, then once an analyzer determines - that it does not match a given connection, it is deactivated - (and a Notice is generated). Otherwise, it still proceeds to try - its best to analyze the connection (to possibly be more robust - against evasion). - - The scripts dce.bro and smb.bro enable DPD for the Windows DCE and - SMB protocols, respectively. (Note that analysis of these protocols - is undergoing a major expansion, not yet complete.) - - Events: - - event protocol_confirmation(c: connection, atype: count, aid: count) - Generated when the given connection has been confirmed as - conforming with the application type (protocol) specified - by atype. aid is a globally unique analyzer ID that identifies - a particular analyzer instance. - - The values for atype are symbolic names associated with - each of Bro's analyzers, such as ANALYZER_IRC. See the - initialization at the beginning of Analyzer.cc for the - full set of names. - - The function analyzer_name(atype: count): string translates - these symbolic names into text. For example, - - analyzer_name(ANALYZER_IRC) - - yields "IRC". - - event protocol_violation(c: connection, atype: count, aid: count, - reason: string) - Generated when the given connection has been found to - violate the protocol of the given application type, with - "reason" giving details. - - Variables: - - dpd_buffer_size: count (default 1024) - Specifies how much pending data Bro keeps for connections - that have not been classified yet. Once this fills, the - data is deleted, though classification can still continue - (see below). - - dpd_match_only_beginning: bool (default T) - If set, specifies that Bro should stop signature matching - if it has processed dpd_buffer_size bytes. - - dpd_ignore_ports: bool (default F) - If set, then Bro does not take into consideration the port - numbers associated with connections when attempting to - classify them (which can otherwise help the process in - some cases). - - dpd_reassemble_first_packets: bool (default T) - If set, then Bro does TCP stream reassembly before applying - signature-matching to detect protocols. - - likely_server_ports: set[port] - Specifies a list of ports that Bro will consider as likely - used by servers. For example, if Bro sees a connection - that has already been established (so it does not know - which side sent the initial SYN), and one side uses a port - in this set, then it will assume that that side is the - server (connection responder). The set is empty unless - you populate it or @load server-ports.bro, which specifies - a large number of values. - - dpd_config: table[AnalyzerTag] of dpd_protocol_config - Specifies the DPD configuration associated with each tag. - The type dpd_protocol_config is simply: - - type dpd_protocol_config: record { - ports: set[port] &optional; - }; - - i.e., an optional $ports field specifying a set of ports - associatd with the tag. For example, ftp.bro now includes - the equivalent of: - - redef dpd_config += { - [ANALYZER_FTP] = [$ports = 21/tcp] - }; - - Functions: - - The function - - expect_connection(orig: addr, resp: addr, resp_p: port, - analyzer: count, tout: interval) - - is called to alert Bro that a new connection is expected, initiated - by orig to a server running on resp's port resp_p (note: orig's port - is not specified) which will correspond to the specified analyzer - (e.g., "FILE", which is used to analyze files transferred by FTP - - see next item). "tout" is a timeout to associate with the waiting. - - The function - - function disable_analyzer(cid: conn_id, aid: count) - - instructs Bro to disable the analyzer that generated the current - event, assuming the analyzer is associated with the given connection - ID. This is used by the dyn-disable.bro script discussed above. - -- A much more complete BinPAC compiler, along with new HTTP, DNS, and - RPC/Portmap analyzers in binpac (Ruoming Pang). The flag "--use-binpac" - activates the BinPAC-based analyzers (currently for HTTP and DNS). - See www.cs.princeton.edu/~rpang/binpac-paper.pdf for a description of - BinPAC, and let Ruoming know if you are interested in using BinPAC to build - new analyzers. - -- A new type of analyzer, FILE, analyzes the contents of a connection as - though it were a data file (Robin Sommer). Currently, it can generate - two events: - - event file_transferred(c: connection, prefix: string, descr: string, - mime_type: string) - Indicates that the connection transferred a file. "prefix" - is the beginning of the file's data; "descr" and "mime_type" - are indicators of the file's type, as reported by the - "libmagic" library. - - descr/mime_type are only set if Bro is configured on a - system that includes the "libmagic" library. - - event file_virus(c: connection, virname: string) - Indicates the connection transferred an executable - corresponding to a known virus of the given name. - - This functionality is only available if Bro is configured - on a system that includes the "libclamav" library. - - Note, this analyzer is enabled via a call to expect_connection by - the FTP analyzer. - -- New events relating to IRC analysis (Robin Sommer): - - event irc_client(c: connection, prefix: string, data: string) - Generated upon seing a client message sent over the given - IRC connection. "prefix" is the command's prefix as defined - by the IRC protocol. It is used by servers to indicate the - true origin of the message; it may be empty. "data" contains - the message. - - event irc_server(c: connection, prefix: string, data: string) - Same for server messages. - - event irc_user_message(c: connection, user: string, host: string, - server: string, real_name: string) - Generated upon seeing an IRC "USER" command. - - event irc_password_message(c: connection, password: string) - Generated upon seeing an IRC "PASS" command. - - event irc_channel_topic(c: connection, channel: string, topic: string) - Generated upon seeing an IRC server reply that includes - the channel topic. - - event irc_global_users(c: connection, prefix: string, msg: string) - Generated upon seeing an IRC server reply that includes - a count of the number of IRC users. - -- The new experimental script irc-bot.bro tracks IRC-based bots (Robin Sommer). - The accompanying script irc-bot-syslog.bro syslog's the state of the - bot analysis every IrcBot::summary_interval seconds (default 1 minute). - -- The new script proxy.bro looks for open Web proxies by matching incoming - requests to a server with outgoing requests it makes (Robin Sommer). It - generates HTTPProxyFound Notices when it finds one. - -- Changes to notices.bro (Robin Sommer): - - - notice_policy_item's now have a default $result of - NOTICE_FILE and a default $priority of 1. - - - The new notice_action_filter, notice_alarm_per_orig, alarms - on the first NoticeType from a specific source. Subsequent - instances are tallied. - - - notice_action_filters now reside in the new script - notice-action-filter.bro (automatically loaded by notice.bro). - - - The notice actions NOTICE_ALARM_PER_CONN, NOTICE_ALARM_PER_ORIG, - and NOTICE_ALARM_ONCE have been removed, as they were never - actually implemented. - - - If the notice_policy returns IGNORE or FILE, the action_filters - filters are no longer consulted. - -- A new attribute for tables and sets, &mergeable, changes the semantics - of assignments, as follows (Robin Sommer). Given two &mergeable tables/sets - A and B, an assignment "A = B" becomes actually a join "A = A \cup B" - (i.e., union). The envisoned use is to help avoid race conditions - when doing remote state synchronization. - -- The semantics of &synchronized expire_funcs has changed (Robin Sommer). - Now, when a table entry is expired and the operation is propagated to a - a peer, the peer will call its expire_function. - -- TRW analysis now skips UDP traffic because it currently treats - all UDP connections as failures (Robin Sommer). - -- trw.bro has been split into trw-impl.bro (the algorithm) and - trw.bro (which simply activates the analysis), to facilitate writing - scripts that have hooks into TRW analysis but don't presume it's - active (Robin Sommer). - -- The option report_remote_notices in remote.bro has been replaced - by a new script you include, remote-report-notices.bro (Robin Sommer). - -- The new function connect_peer() explicitly connects to a remote host - (Robin Sommer). - -- The new script remote-send-id.bro sends the current value of an ID - to a remote Bro and then terminates processing (Robin Sommer). It's - intended for use from the command-line, as in - - bro -e "redef dst="" id="" remote-send-id - - The other scripts must set up the connection. is an index into - Remote::destinations corresponding to the destination. - -- New built-ins {suspend,resume}_state_updates() can be called to - temporarily avoid propagating updates to &sync'ed values (Robin Sommer). - This can avoid duplicated activity. - -- The new function terminate_communication() instructs Bro to end its - communication with remote peers (Robin Sommer). - -- The new event remote_state_access_performed is raised when remote state - access has been performed (Robin Sommer). This is primarily for debugging. - -- The log() built-in has been renamed to ln() to avoid conflict (Vern Paxson). - -- bifcl now generates event generation wrapper functions from event.bif - (Ruoming Pang). For example, to generate event http_reply, currently - one writes: - - val_list* vl = new val_list; - vl->append(BuildConnVal()); - vl->append(new StringVal(fmt("%.1f", reply_version))); - vl->append(new Val(reply_code, TYPE_COUNT)); - if ( reply_reason_phrase ) - vl->append(reply_reason_phrase); - else - vl->append(new StringVal("")); - ConnectionEvent(http_reply, vl); - - In the future, one will be able to just call bro_event_http_reply(), and - the code generated by bifcl looks like: - - void bro_event_http_reply(Connection* c, StringVal* version, - bro_uint_t code, StringVal* reason) - { - val_list* vl = new val_list; - - vl->append(c->BuildConnVal()); - vl->append(version); - vl->append(new Val(code, TYPE_COUNT)); - vl->append(reason); - - mgr.QueueEvent(http_reply, vl, SOURCE_LOCAL, c); - } - - Accompanying this change is a semantic shift to types "string" and "port" - in .bif files. They used to be translated to C++ types BroString* and - uint32, respectively. Now they are translated to StringVal* and PortVal*. - The functions in bro.bif are changed accordingly, and please be aware - of this change when you write built-in functions in future. - - Also for this change, the parameter 'new' for rsh_request has been renamed - 'new_session', as 'new' is a reserved word for C++. - -- Some ICMP "connections" now have services identified ("icmp-echo", - "icmp-unreach") rather than just listing the service as "other" - (Ruoming Pang). - -- The new option remote_trace_sync_interval specifies an interval after - which each Bro will stop processing its trace and wait for all others - to signal that they have reached the same time (Robin Sommer). The - intent is support for operating Bro in a distributed cluster fashion - (and in particular for debugging such clusters when running off-line - on traces). - - This option only works in pseudo-realtime mode, and requires the new - global remote_trace_sync_peers to give the total number of remote peers - (not including self). Signaling is done via a new communication message - type. - -- Extensions for DNS transformation/anonymization, including introduction - of trace transformation for protocols other than TCP (Jason Lee). - Not yet fully developed/debugged. - -- Extensions for HTTP transformation/anonymization (Martin Casado). - Not yet fully developed/debugged. - -- The $conn field is now included in HTTPProxyFound notices (Robin Sommer). - -- Changed service inference algorithm to favor lower-numbered - likely-servers over higher-numbered ones (Vern Paxson). - -- In pseudo-realtime mode, Bro now uses real-time for deciding which - peer should send state (Robin Sommer). - -- Time synchronization for Bro's running on traces in pseudo-realtime mode - added (Robin Sommer). - -- Avoidance of false content gaps improved when sorting packets with - out-of-order timestamps (Ruoming Pang). - -- Packets from the packet sorter are now more robustly drained upon - termination of input (Ruoming Pang). - -- Documentation for deep-copy updated (Christian Kreibich). - -- Nasty fragment reassembly bug fixed (Vern Paxson). - -- Serious bugs in EDNS0 processing fixed (Vern Paxson). - -- Fixed significant misfeature of interconn.bro that stopped all processing - of a connection once it makes a detection (Vern Paxson). - -- Fixes for &read_expire operation across synchronizes tables (Robin Sommer). - -- Fixes for multiple peers exchanging initial &sync state simultaneously - (Robin Sommer). - -- Improvements to graceful termination of Bro when communicating with - remote peers (Robin Sommer). - -- Fix for ICMP analyzer not always generating icmp_sent events - (Robin Sommer). This appears to still need some work, as now - it generates redundant events. - -- Fix for initial exchange of &sync state which could lead to - referencing unknown IDs (Robin Sommer). - -- Fix to scan detection for differing semantics of connection compressor - vs. non-compressor (Robin Sommer). - -- Bug fix for distinguishing regular expression matches of length 0 from - those of length 1 (Ruoming Pang). - -- Fix for SSH version parsing in the presence of content gaps (Robin Sommer). - -- Bug fix for IRC that could lead to crashes (Robin Sommer). - -- Bug fix to refrain from adding new timers when a connection has - already been removed from the connection table (Robin Sommer). - -- Bug fix for packet_contents not including the transport-layer header - (Robin Sommer). - -- Some memory leaks fixed (Robin Sommer). - -- A bunch of portability and distribution problems fixed (Christian - Kreibich, Robin Sommer, Vern Paxson). - - -1.1 Mon May 15 10:50:33 PDT 2006 - -- Bro now supports a "when" statement for taking action upon something - becoming true asynchronously (Robin Sommer). This provides a powerful - new mechanism with numerous applications. - - Syntax: - - when '(' ')' [timeout '{ '}'] - - where the first can be a single statement or a block enclosed - in {}'s, but the set associated with "timeout" must be enclosed in - {}'s (to reduce ambiguities in Bro's grammar). - - Bro executes the first statement when becomes true. If you give - a timeout and the condition has not been satisfied before it expires, Bro - executes the second statement instead. - - A simple example: - - global t: table[addr] of count; - event connection_established(c: connection) - { - local orig = c$id$orig_h; - if ( orig !in t ) - { - t[orig] = 1; - - when ( t[orig] == 5 ) - print fmt("%s has established 5 connections", orig); - timeout 1 hr - { - print fmt("%s has NOT established 5 connections", orig); - delete t[orig]; - } - } - else - ++t[orig]; - } - - Notes: - - The condition may be evaluated more than once, and at arbitrary - times. - - - When the when-body is executed, the condition is guaranteed to be - still satisfied. - - - Expression reevaluation is primarily triggered by modifications - to globals. However, reevaluations do not take place immediately - but potentially at a later point. This means that if we change a - global to a value which would execute the trigger but then change - it back, the change may go unnoticed. - - - Inside the condition you may introduce new locals. For example, - - when ( (local x = foo()) && x == 42 ) ... - - Such an assignment always yields true as its expression value - (but the assignment might be delayed, for example if foo() is - a delayed function call - see below). - - Delaying function calls - ======================= - - Functions called inside the condition of a when-clause may delay their - results until they're ready. This works for both script-level and built-in - functions. - - For script-level functions, there is a new construct, "return ", - to delay a function's result. When used, the function returns at the - time the when-stmt's condition becomes true, and it yields the value - that the when-stmt's body then returns. Toy example: - - global X: table[string] of count; - - function a() : count - { - # This delays until condition becomes true. - return when ( "a" in X ) - { - return X["a"]; - } - timeout 5 min - { - return 0; - } - } - - event bro_init() - { - # Installs a trigger which fires if a() returns 42. - when ( a() == 42 ) { print "Yippie!"; } - - X["a"] = 42; - } - - There's also a new built-in function which can delay - - lookup_addr(host: addr) - - performs asynchronous DNS address->hostname lookups. Example: - - local h; addr; - [...] - when (local name = lookup_addr(h)) { print h, name; } - - See the function gen_hot_notice_with_hostnames() in conn.bro for - a more worked-out example of using the "when" clause to translate the - local address in SensitiveConnection notices to a hostname (contributed - by Brian Tierney). This functionality is activated by redef'ing - xlate_hot_local_addr to T. - - Here is the full evaluation model of a when's condition: - - - The condition may be evaluated more than once, at arbitrary times. - - - It is always fully evaluated, no matter whether some former - evaluation has been suspended by a delaying function call. - - - All function calls which do not delay are always *fully* executed - each time the condition is evaluated. - - - Function calls which delay are only executed *once*; their result is - cached and re-used in the case the condition is evaluated again. - - - The condition is guaranteed to be true when the body is executed - (potentially using cached function results) - -- By default Bro now uses a configuration similar to what used to be - activated using reduce-memory.bro, along with some additional state - timeouts that are new (Robin Sommer and Vern Paxson). This allows for - better state management out-of-the-box, at the cost of some precision - of analysis and resilience to evasion. In particular, the intent is to - move towards being able to run Bro continuously without inexorably growing - the amount of memory used until exhaustion. - - You can access a configuration similar to the previous default state - management settings by loading heavy-analysis.bro. It turns on a - load-prefix of "heavy", so when you load XXX.bro, a file heavy.XXX.bro - will also be automatically loaded if present. Note that, as was the - case for reduce-memory, you need to load heavy-analysis prior to other - files for it to have effect. - -- The new module clear-passwords.bro monitors login/FTP/IRC/POP traffic - for cleartext passwords (Jason Lee). - -- The new script service-probe.bro looks for remote hosts that repeatedly - connect to the same service on local hosts (for a configurable set of - services and connection sizes) in order to detect brute-forcing attacks - such as password-guessing (Jim Mellander). - -- A new ARP analyzer generates three events: - - event arp_request(mac_src: string, mac_dst: string, - SPA: addr, SHA: string, TPA: addr, THA: string); - - event arp_reply(mac_src: string, mac_dst: string, - SPA: addr, SHA: string, TPA: addr, THA: string); - - event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, - explanation: string); - - with a corresponding policy script arp.bro (Chema Gonzalez and Vern Paxson). - It writes logs to arp.$BRO_LOG_SUFFIX. It has not been tested much yet. - -- Bro Lite changes (Jason Lee): - - default user for is now user 'bro' - - now uses the correct sysctl on FreeBSD 6 - - now uses the correct Perl path if site-report.pl not installed - into '/usr/local/bro' - - no longer prompts to encrypt email unless you pick to email reports - -- The default Bro Lite install now only checkpoints Bro once a week - (Brian Tierney). - -- Implicit Bro file extensions (such as .bro for policy scripts and .sig - for signatures) are now searched for first rather than only if the - non-extension-version of the file doesn't exist (Vern Paxson). For - example, running "bro -r trace mt" now first searches $BROPATH for - "mt.bro" before searching for "mt", whereas it used to do these in - the other order. - -- There's now a simpler mechanism for redef'ing variables on the command-line - (Christian Kreibich). Any command line arguments of the form = - are now expanded into policy code of the form "redef var=val;", where - is wrapped in quotation marks if the value appears to be a string - and doesn't have quotation marks already. This works with strings with - whitespace such as foo="Hello World"; however, note that it means you - can't use the mechanism to redef an enum value. - -- The Bro distribution now includes (and builds by default) Christian - Kreibich's Broccoli library (Bro C Client Library), which enables programs - to communicate with running Bro's (Christian Kreibich and Jason Lee). - Configure with --disable-broccoli to turn this off. - -- Built-in functions log(x: double): double and exp(x: double): double - which do natural logarithms and their inverses (Jaeyeon Jung). - -- The new built-in function gethostname() returns the local host's name - (Jason Lee & Robin Sommer). - -- The new built-in function reading_traces() returns true if Bro - is reading trace files (Robin Sommer). - -- The new built-ins suspend_processing() and continue_processing() provide - script-level control for instructing the event engine to stop or resume - processing packets (Robin Sommer). This is useful for coordinating - simultaneous processing by multiple Bro's. - -- Email notices are now by default sent via /bin/mail, with "[Bro Alarm]" - in the subject. - -- redef'ing a function now replaces the existing body rather than - supplementing it (Robin Sommer), which was a bug. - -- You can now configure Bro to process encapsulated IP packets either - by setting, as before, a fixed encap_hdr_size (for VLANs), or setting - parse_udp_tunnels to T (Ruoming Pang). For the latter, you specify a - UDP tunnel port using udp_tunnel_port (the previous variable "tunnel_port" - has gone away); or you can leave it set to its default of 0/udp, in which - case Bro will look for IP encapsulated in UDP packets on any port. - -- Added a simple form of profiling based on sampling the work done - per-packet (Vern Paxson). The event engine generates a - - event load_sample(samples: load_sample_info, CPU: interval, dmem: int) - - event every load_sample_freq packets (roughly; it's randomized), where - load_sample_freq defaults to 20. "samples" is simply a set[string]; it - contains the names of the functions, event handlers, and their source - files that were accessed during the processing of the sampled packet, - along with an estimate of the CPU cost of processing the packet and - (currently broken) memory allocated/freed. - -- Bro now includes experimental support for Endace DAG cards (Gregor Maier - and Robin Sommer). To activate, configure with - - --with-DAG=/path/to/dagtool/installation - - and use "dag0" as the network interface. You may need to configure the - card with the dagtools first. In general, if dagsnap works, Bro should - work as well. - -- Log rotation has changed in a number of ways (Mark Dedlow & Robin Sommer): - - * The new variable log_rotate_base_time: string, if defined, - specifies that logs should be rotated at log_rotate_base_time + - i * rotate_interval intervals. Format is as a string in - 24-hour time, "%H:%M", e.g, "12:00". This format may change - in the future to instead be a Bro time type. - - * RotateLogs::date_format can be redefined to change format of - timestamps in rotated files. - - * RotateLogs::build_name() can be redefined to implement an - arbitrary naming scheme for rotated files. - - Note, this code has not been extensively tested. - -- Bro now by default builds a version of malloc bundled with its - distribution (Vern Paxson & Brian Tierney). - -- The syntax for the clone operator now looks like a function call, - "copy(x)" (Vern Paxson). - -- The new flag DNS::logging (default F), if T, disables generation of - dns.log (which is often uninteresting and very large), though it - still performs analysis leading to NOTICEs (Robin Sommer). - -- A new global, hostile_domain_list, has been added to dns.bro which - lists domains to be flagged if A or MX records are queried (Scott Campbell). - -- Added globals dns_skip_all_{auth,addl} to skip all DNS AUTH/ADDL processing - (Vern Paxson). Skipping these is on (true) by default, because such - processing is quite expensive. - -- backdoor.bro now turns off by default some detectors that from experience - have too many false positives, or (such as for HTTP) too many uninteresting - true positives (Brian Tierney). In addition: - - - the module now generates a BackdoorFound notice for each backdoor - - - the new variable dump_backdoor_packets (default F) if set causes - the packet that triggered the backdoor detection to be written to - backdoor-packets/: