Update NEWS

Corrected some typos, fixed some reST formatting, and added some more
useful info.
Daniel Thayer 2016-08-19 00:44:02 -05:00
parent 058e378ced
commit e8bfa49f69

NEWS

@ -31,26 +31,29 @@ New Functionality
transferred over SMB can be analyzed.
- Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC
analyzer.
- New logs: smb_files.log, smb_mapping.log, ntlm.log, and dce_rpc.log
- New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log, and dce_rpc.log
- Not every possible SMB command or functionality is implemented, but
generally, file handling should work whenever files are transferred.
Please speak up on the mailing list if there is an obvious oversight.
- Bro now includes the NetControl framework. The framework allows for easy
interaction of Bro with hard- and software switches, firewalls, etc.
New log files: net_control.log, netcontrol_catch_release.log,
netcontrol_drop.log, and netcontrol_shunt.log.
- Bro's Intelligence Framework was refactored and new functionality
has been added:
- The framework now supports the new indicator type Intel::SUBNET.
As subnets are matched against seen addresses, the field 'matched'
was introduced to indicate which indicator type(s) caused the hit.
As subnets are matched against seen addresses, the new field 'matched'
in intel.log was introduced to indicate which indicator type(s) caused
the hit.
- The new function remove() allows to delete intelligence items.
- The intel framework now supports expiration of intelligence items.
Expiration can be configured by using Intel::item_expiration and
can be handled by using the item_expired() hook. The new script
Expiration can be configured using the new Intel::item_expiration constant
and can be handled by using the item_expired() hook. The new script
do_expire.bro removes expired items.
- The new hook extend_match() allows extending the framework. The new
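Review bot: the NetControl bullet lists "net_control.log" next to "netcontrol_catch_release.log", "netcontrol_drop.log" and "netcontrol_shunt.log"; the underscore in the first name is inconsistent with the prefix of the other three, so either the first filename is a typo or the prefix differs on purpose, and it should be checked against the script that actually creates the log. Separately, "The new function remove() allows to delete intelligence items." is ungrammatical and reads better as "allows deleting intelligence items"; since this commit already rewrites the neighbouring lines of that paragraph, it could be fixed here.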
@ -62,26 +65,23 @@ New Functionality
- There is a new file entropy analyzer for files.
- Bro now supports the remote framebuffer protocol (RFB) that is used by
VNC servers for remote graphical displays.
VNC servers for remote graphical displays. New log file: rfb.log.
- Bro now supports the Radiotap header for 802.11 frames.
- Bro now has rudimentary IMAP and XMPP analyzers examinig the initial
phases of the protocol. Right now these analyzer only identify
STARTTLS sessions, handing them over to TLS analysis. The analyzer
does not yet analyze any further IMAP/XMPP content.
- Bro now has rudimentary IMAP and XMPP analyzers examining the initial
phases of the protocol. Right now these analyzers only identify
STARTTLS sessions, handing them over to TLS analysis. These analyzers
do not yet analyze any further IMAP/XMPP content.
- The new event ssl_extension_signature_algorithm allows access to the
- The new event ssl_extension_signature_algorithm() allows access to the
TLS signature_algorithms extension that lists client supported signature
and hash algorithm pairs.
- Bro now tracks VLAN IDs. To record them inside the connection log,
load protocols/conn/vlan-logging.bro.
- The new misc/stats.bro records Bro executions statistics in a
standard Bro log file.
- A new dns_CAA_reply event gives access to DNS Certification Authority
- A new dns_CAA_reply() event gives access to DNS Certification Authority
Authorization replies.
- A new per-packet event raw_packet() provides access to layer 2
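Review bot: "records Bro executions statistics" in the misc/stats.bro bullet is a typo left uncorrected (should be "execution statistics"); the surrounding bullets in this hunk are being fixed for the same class of error, so fix it here too. That bullet also overlaps with the "misc/stats.bro script is now loaded by default" bullet introduced further down in this same file, so one of the two should state how they relate (new script vs. now loaded by default and logging more fields).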
@ -93,10 +93,10 @@ New Functionality
argument that will be used for decoding errors into weird.log
(instead of reporter.log).
- A new get_current_packet_header bif returns the headers of the current
- A new get_current_packet_header() bif returns the headers of the current
packet.
- Two new built-in functions for handling set[subnet] and table[subnet]:
- Three new built-in functions for handling set[subnet] and table[subnet]:
- check_subnet(subnet, table) checks if a specific subnet is a member
of a set/table. This is different from the "in" operator, which always
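Review bot: the count in "- Three new built-in functions for handling set[subnet] and table[subnet]:" is changed from two to three, but only check_subnet() is visible in this hunk; the remaining entries sit in the unchanged region between this hunk and the next, so confirm that the list now has exactly three items before relying on the new number.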
@ -120,22 +120,25 @@ New Functionality
- subnet_width(subnet) returns the width of a subnet.
- The IRC analyzer now recognizes StartTLS sessions and enable the SSL
- The IRC analyzer now recognizes StartTLS sessions and enables the SSL
analyzer for them.
- A set of new built-in function for gathering execution statistics:
- The misc/stats.bro script is now loaded by default and logs more Bro
execution statistics to the stats.log file than it did previously.
- A set of new built-in functions for gathering execution statistics:
get_net_stats(), get_conn_stats(), get_proc_stats(),
get_event_stats(), get_reassembler_stats(), get_dns_stats(),
get_timer_stats(), get_file_analysis_stats(), get_thread_stats(),
get_gap_stats(), get_matcher_stats(),
get_gap_stats(), get_matcher_stats()
- Two new functions haversine_distance() and haversine_distance_ip()
for calculating geographic distances. They requires that Bro be
built with libgeoip.
for calculating geographic distances. The latter function requires that Bro
be built with libgeoip.
- Table expiration timeout expressions are evaluated dynamically as
timestmaps are updated.
timestamps are updated.
- The pcap buffer size can be set through the new option Pcap::bufsize.
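Review bot: the new bullet "The misc/stats.bro script is now loaded by default and logs more Bro execution statistics to the stats.log file than it did previously." describes the same script as the earlier "The new misc/stats.bro records Bro executions statistics in a standard Bro log file." bullet in this section; "more ... than it did previously" is odd for a script the earlier bullet calls new, so merge the two or make the earlier one a cross-reference. Also, dropping the trailing comma after get_matcher_stats() leaves that bullet as the only one in the list with no terminating period.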
@ -144,7 +147,7 @@ New Functionality
- The logging framework now supports user-defined record separators,
renaming of column names, as well as extension data columns that can
be added to specific or all logfiles (e.g., to add noew names).
be added to specific or all logfiles (e.g., to add new names).
- The new "bro-config" script can be used to determine the Bro installation
paths.
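Review bot: "to add new names" still does not say what name the example extension column would carry; "noew names" was presumably a typo for something more specific than "new", so rather than only correcting the spelling, the example should state what is being added (for instance the name of the node that wrote the log, if that is what was meant).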
@ -185,7 +188,7 @@ New Functionality
- pf_ring: Native PF_RING support.
- postgresql: A PostgreSQL reader/writer.
- redis: An experimental log writer for Redis.
- tcprs: An TCP-level analyzer detecting retransmissions, reordering, and more.
- tcprs: A TCP-level analyzer detecting retransmissions, reordering, and more.
Changed Functionality
---------------------
@ -195,10 +198,14 @@ Changed Functionality
- Connections
The 'history' field gains two new flags: '^' indicates that
Bro heuristically flipped to direction of the connection.
Bro heuristically flipped the direction of the connection.
't/T' indicates the first TCP payload retransmission from
originator or responder, respectively.
- Intelligence
New field 'matched' to indicate which indicator type(s) caused the hit.
- DNS
New 'rtt' field to indicate the round trip time between when a
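Review bot: the new "Intelligence" entry under Changed Functionality repeats the 'matched' field description from the New Functionality section almost verbatim; the sibling entries here (Connections, DNS) describe changes to a specific log, so this one should say that it is intel.log that gains the field, or point back to the section above, rather than duplicate it.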
@ -211,42 +218,58 @@ Changed Functionality
Changes in 'mailfrom' and 'rcptto' fields to remove some
non-address cruft that will tend to be found. The main
example is the change from "<user@domain>" to
"user@domain.com".
example is the change from ``"<user@domain>"`` to
``"user@domain.com"``.
- HTTP
Removed 'filename' field.
Removed 'filename' field (which was never filled out in the first
place).
New 'orig_filenames' and 'resp_filenames' fields which each
contain a vector of filenames seen in entities transferred.
- stats.log
The following fields have been added: active_tcp_conns,
active_udp_conns, active_icmp_conns, tcp_conns, udp_conns,
icmp_conns, timers, active_timers, files, active_files, dns_requests,
active_dns_requests, reassem_tcp_size, reassem_file_size,
reassem_frag_size, reassem_unknown_size.
The following fields have been renamed: lag -> pkt_lag.
The following fields have been removed: pkts_recv.
- The BrokerComm and BrokerStore namespaces were renamed to Broker.
The Broker "print" function was renamed to Broker::send_print, and
"event" to "Broker::send_event".
The Broker "print()" function was renamed to Broker::send_print(), and
the "event()" function was renamed to Broker::send_event().
- ``SSH::skip_processing_after_detection`` was removed. The functionality was
replaced by ``SSH::disable_analyzer_after_detection``.
- The constant ``SSH::skip_processing_after_detection`` was removed. The
functionality was replaced by the new constant
``SSH::disable_analyzer_after_detection``.
- ``net_stats()`` and ``resource_usage()`` have been superseded by the
new execution statistics functions (see above).
- The ``net_stats()`` and ``resource_usage()`` functions have been
removed, and their functionality is now provided by the new execution
statistics functions (see above).
- Some script-level identifier have changed their names:
- Some script-level identifiers have changed their names:
snaplen -> Pcap::snaplen
precompile_pcap_filter() -> Pcap::precompile_pcap_filter()
install_pcap_filter() -> Pcap::install_pcap_filter()
pcap_error() -> Pcap::pcap_error()
- In http.log, the "filename" field (which it turns out was never
filled out in the first place) has been split into to
"orig_filenames" and "resp_filenames".
- snaplen -> Pcap::snaplen
- precompile_pcap_filter() -> Pcap::precompile_pcap_filter()
- install_pcap_filter() -> Pcap::install_pcap_filter()
- pcap_error() -> Pcap::error()
- TCP analysis was changed to process connections without the initial
SYN packet. In the past, connections without a full handshake were
treated as partial, meaning that most application-layer analyzers
would refuse to inspect the payload. Now, Bro will consider these
connections as complete and all analyzers will process them notmally.
connections as complete and all analyzers will process them normally.
- The ``policy/misc/capture-loss.bro`` script is now loaded by default.
- The traceroute detection script package ``policy/misc/detect-traceroute``
is no longer loaded by default.
- Changed BroControl functionality in aux/broctl:
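Review bot: the identifier mapping changes from "pcap_error() -> Pcap::pcap_error()" to "pcap_error() -> Pcap::error()", which is a different target name and not a formatting fix; confirm which name the script actually exports before merging, and if Pcap::error() is the correct one, say so in the commit message, since the rest of the commit is described as typo and reST cleanup. Two smaller points: the SMTP example changes ``"<user@domain>"`` to ``"user@domain.com"``, so the before and after differ in the domain as well as the brackets, which obscures what is actually stripped (use the same domain on both sides); and "some non-address cruft that will tend to be found" is vague about what the fields no longer contain.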
@ -284,33 +307,34 @@ Changed Functionality
Removed Functionality
---------------------
- The app-stats scripts have been removed because they weren't
being maintained and they were becoming inaccurate. They
were also prone to needing more regular updates as the internet
changed and will likely be more relevant if maintained externally.
- The app-stats scripts have been removed because they weren't
being maintained and they were becoming inaccurate (as a result, the
app_stats.log is also gone). They were also prone to needing more regular
updates as the internet changed and will likely be more relevant if
maintained externally.
- The event ack_above_hole() has been removed, as it was a subset
of content_gap() and led to plenty noise.
- The event ack_above_hole() has been removed, as it was a subset
of content_gap() and led to plenty of noise.
- The command line options --set-seed and --md5-hashkey have been
removed.
- The command line options ``--analyze``, ``--set-seed``, and
``--md5-hashkey`` have been removed.
- The packaging scripts pkg/make-\*-packages are gone. They aren't
used anymore for the binary Bro packages that the projects
distributes; haven't been supported in a while; and have
problems.
- The packaging scripts pkg/make-\*-packages are gone. They aren't
used anymore for the binary Bro packages that the project
distributes; haven't been supported in a while; and have
problems.
Deprecated Functionality
------------------------
- The built-in functions decode_base64_custom() and
encode_base64_custom() are no longer needed and will be removed
in the future. Their functionality is now provided directly by
decode_base64() and encode_base64(), which take an optional
parameter to change the Base64 alphabet.
- The built-in functions decode_base64_custom() and
encode_base64_custom() are no longer needed and will be removed
in the future. Their functionality is now provided directly by
decode_base64() and encode_base64(), which take an optional
parameter to change the Base64 alphabet.
- The ElasticSearch log writer hasn't been maintained for a while
and is now deprecated. It will be removed with the next release.
- The ElasticSearch log writer hasn't been maintained for a while
and is now deprecated. It will be removed with the next release.
Bro 2.4
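Review bot: ``--analyze`` is newly added to the list of removed command line options, which is a content change rather than a typo or formatting fix; verify that the option really was removed in this release and mention the addition in the commit message. The Deprecated Functionality entries appear twice with identical text, which suggests an indentation-only change; that is fine for reST, but confirm the resulting indentation matches the other bulleted sections so the list renders consistently.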