diff --git a/NEWS b/NEWS index 98a0441d44..96c85f56de 100644 --- a/NEWS +++ b/NEWS @@ -31,26 +31,29 @@ New Functionality transferred over SMB can be analyzed. - Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC analyzer. - - New logs: smb_files.log, smb_mapping.log, ntlm.log, and dce_rpc.log + - New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log, and dce_rpc.log - Not every possible SMB command or functionality is implemented, but generally, file handling should work whenever files are transferred. Please speak up on the mailing list if there is an obvious oversight. - Bro now includes the NetControl framework. The framework allows for easy interaction of Bro with hard- and software switches, firewalls, etc. + New log files: net_control.log, netcontrol_catch_release.log, + netcontrol_drop.log, and netcontrol_shunt.log. - Bro's Intelligence Framework was refactored and new functionality has been added: - The framework now supports the new indicator type Intel::SUBNET. - As subnets are matched against seen addresses, the field 'matched' - was introduced to indicate which indicator type(s) caused the hit. + As subnets are matched against seen addresses, the new field 'matched' + in intel.log was introduced to indicate which indicator type(s) caused + the hit. - The new function remove() allows to delete intelligence items. - The intel framework now supports expiration of intelligence items. - Expiration can be configured by using Intel::item_expiration and - can be handled by using the item_expired() hook. The new script + Expiration can be configured using the new Intel::item_expiration constant + and can be handled by using the item_expired() hook. The new script do_expire.bro removes expired items. - The new hook extend_match() allows extending the framework. The new 
@@ -62,26 +65,23 @@ New Functionality - There is a new file entropy analyzer for files. - Bro now supports the remote framebuffer protocol (RFB) that is used by - VNC servers for remote graphical displays. + VNC servers for remote graphical displays. New log file: rfb.log. - Bro now supports the Radiotap header for 802.11 frames. -- Bro now has rudimentary IMAP and XMPP analyzers examinig the initial - phases of the protocol. Right now these analyzer only identify - STARTTLS sessions, handing them over to TLS analysis. The analyzer - does not yet analyze any further IMAP/XMPP content. +- Bro now has rudimentary IMAP and XMPP analyzers examining the initial + phases of the protocol. Right now these analyzers only identify + STARTTLS sessions, handing them over to TLS analysis. These analyzers + do not yet analyze any further IMAP/XMPP content. -- The new event ssl_extension_signature_algorithm allows access to the +- The new event ssl_extension_signature_algorithm() allows access to the TLS signature_algorithms extension that lists client supported signature and hash algorithm pairs. - Bro now tracks VLAN IDs. To record them inside the connection log, load protocols/conn/vlan-logging.bro. -- The new misc/stats.bro records Bro executions statistics in a - standard Bro log file. - -- A new dns_CAA_reply event gives access to DNS Certification Authority +- A new dns_CAA_reply() event gives access to DNS Certification Authority Authorization replies. - A new per-packet event raw_packet() provides access to layer 2 
@@ -93,10 +93,10 @@ New Functionality argument that will be used for decoding errors into weird.log (instead of reporter.log). -- A new get_current_packet_header bif returns the headers of the current +- A new get_current_packet_header() bif returns the headers of the current packet. -- Two new built-in functions for handling set[subnet] and table[subnet]: +- Three new built-in functions for handling set[subnet] and table[subnet]: - check_subnet(subnet, table) checks if a specific subnet is a member of a set/table. This is different from the "in" operator, which always @@ -120,22 +120,25 @@ New Functionality - subnet_width(subnet) returns the width of a subnet. -- The IRC analyzer now recognizes StartTLS sessions and enable the SSL +- The IRC analyzer now recognizes StartTLS sessions and enables the SSL analyzer for them. -- A set of new built-in function for gathering execution statistics: +- The misc/stats.bro script is now loaded by default and logs more Bro + execution statistics to the stats.log file than it did previously. + +- A set of new built-in functions for gathering execution statistics: get_net_stats(), get_conn_stats(), get_proc_stats(), get_event_stats(), get_reassembler_stats(), get_dns_stats(), get_timer_stats(), get_file_analysis_stats(), get_thread_stats(), - get_gap_stats(), get_matcher_stats(), + get_gap_stats(), get_matcher_stats() - Two new functions haversine_distance() and haversine_distance_ip() - for calculating geographic distances. They requires that Bro be - built with libgeoip. + for calculating geographic distances. The latter function requires that Bro + be built with libgeoip. - Table expiration timeout expressions are evaluated dynamically as - timestmaps are updated. + timestamps are updated. - The pcap buffer size can be set through the new option Pcap::bufsize. 
@@ -144,7 +147,7 @@ New Functionality - The logging framework now supports user-defined record separators, renaming of column names, as well as extension data columns that can - be added to specific or all logfiles (e.g., to add noew names). + be added to specific or all logfiles (e.g., to add new names). - The new "bro-config" script can be used to determine the Bro installation paths. @@ -185,7 +188,7 @@ New Functionality - pf_ring: Native PF_RING support. - postgresql: A PostgreSQL reader/writer. - redis: An experimental log writer for Redis. - - tcprs: An TCP-level analyzer detecting retransmissions, reordering, and more. + - tcprs: A TCP-level analyzer detecting retransmissions, reordering, and more. Changed Functionality --------------------- @@ -195,10 +198,14 @@ Changed Functionality - Connections The 'history' field gains two new flags: '^' indicates that - Bro heuristically flipped to direction of the connection. + Bro heuristically flipped the direction of the connection. 't/T' indicates the first TCP payload retransmission from originator or responder, respectively. + - Intelligence + + New field 'matched' to indicate which indicator type(s) caused the hit. + - DNS New 'rtt' field to indicate the round trip time between when a 
@@ -211,42 +218,58 @@ Changed Functionality Changes in 'mailfrom' and 'rcptto' fields to remove some non-address cruft that will tend to be found. The main - example is the change from "" to - "user@domain.com". + example is the change from ``""`` to + ``"user@domain.com"``. - HTTP - Removed 'filename' field. + Removed 'filename' field (which was never filled out in the first + place). New 'orig_filenames' and 'resp_filenames' fields which each contain a vector of filenames seen in entities transferred. + - stats.log + + The following fields have been added: active_tcp_conns, + active_udp_conns, active_icmp_conns, tcp_conns, udp_conns, + icmp_conns, timers, active_timers, files, active_files, dns_requests, + active_dns_requests, reassem_tcp_size, reassem_file_size, + reassem_frag_size, reassem_unknown_size. + + The following fields have been renamed: lag -> pkt_lag. + + The following fields have been removed: pkts_recv. + - The BrokerComm and BrokerStore namespaces were renamed to Broker. - The Broker "print" function was renamed to Broker::send_print, and - "event" to "Broker::send_event". + The Broker "print()" function was renamed to Broker::send_print(), and + the "event()" function was renamed to Broker::send_event(). -- ``SSH::skip_processing_after_detection`` was removed. The functionality was - replaced by ``SSH::disable_analyzer_after_detection``. +- The constant ``SSH::skip_processing_after_detection`` was removed. The + functionality was replaced by the new constant + ``SSH::disable_analyzer_after_detection``. -- ``net_stats()`` and ``resource_usage()`` have been superseded by the - new execution statistics functions (see above). +- The ``net_stats()`` and ``resource_usage()`` functions have been + removed, and their functionality is now provided by the new execution + statistics functions (see above). 
-- Some script-level identifier have changed their names: +- Some script-level identifiers have changed their names: - snaplen -> Pcap::snaplen - precompile_pcap_filter() -> Pcap::precompile_pcap_filter() - install_pcap_filter() -> Pcap::install_pcap_filter() - pcap_error() -> Pcap::pcap_error() - -- In http.log, the "filename" field (which it turns out was never - filled out in the first place) has been split into to - "orig_filenames" and "resp_filenames". + - snaplen -> Pcap::snaplen + - precompile_pcap_filter() -> Pcap::precompile_pcap_filter() + - install_pcap_filter() -> Pcap::install_pcap_filter() + - pcap_error() -> Pcap::error() - TCP analysis was changed to process connections without the initial SYN packet. In the past, connections without a full handshake were treated as partial, meaning that most application-layer analyzers would refuse to inspect the payload. Now, Bro will consider these - connections as complete and all analyzers will process them notmally. + connections as complete and all analyzers will process them normally. + +- The ``policy/misc/capture-loss.bro`` script is now loaded by default. + +- The traceroute detection script package ``policy/misc/detect-traceroute`` + is no longer loaded by default. - Changed BroControl functionality in aux/broctl: 
@@ -284,33 +307,34 @@ Changed Functionality Removed Functionality --------------------- - - The app-stats scripts have been removed because they weren't - being maintained and they were becoming inaccurate. They - were also prone to needing more regular updates as the internet - changed and will likely be more relevant if maintained externally. +- The app-stats scripts have been removed because they weren't + being maintained and they were becoming inaccurate (as a result, the + app_stats.log is also gone). They were also prone to needing more regular + updates as the internet changed and will likely be more relevant if + maintained externally. - - The event ack_above_hole() has been removed, as it was a subset - of content_gap() and led to plenty noise. +- The event ack_above_hole() has been removed, as it was a subset + of content_gap() and led to plenty of noise. - - The command line options --set-seed and --md5-hashkey have been - removed. +- The command line options ``--analyze``, ``--set-seed``, and + ``--md5-hashkey`` have been removed. - - The packaging scripts pkg/make-\*-packages are gone. They aren't - used anymore for the binary Bro packages that the projects - distributes; haven't been supported in a while; and have - problems. +- The packaging scripts pkg/make-\*-packages are gone. They aren't + used anymore for the binary Bro packages that the project + distributes; haven't been supported in a while; and have + problems. Deprecated Functionality ------------------------ - - The built-in functions decode_base64_custom() and - encode_base64_custom() are no longer needed and will be removed - in the future. Their functionality is now provided directly by - decode_base64() and encode_base64(), which take an optional - parameter to change the Base64 alphabet. +- The built-in functions decode_base64_custom() and + encode_base64_custom() are no longer needed and will be removed + in the future. 
Their functionality is now provided directly by + decode_base64() and encode_base64(), which take an optional + parameter to change the Base64 alphabet. - - The ElasticSearch log writer hasn't been maintained for a while - and is now deprecated. It will be removed with the next release. +- The ElasticSearch log writer hasn't been maintained for a while + and is now deprecated. It will be removed with the next release. Bro 2.4
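Review bot: in hunk @@ -31,26 +31,29 @@ the new NetControl log list mixes two naming schemes, "net_control.log" next to "netcontrol_catch_release.log", "netcontrol_drop.log" and "netcontrol_shunt.log"; please verify each name against the actual Log::ID path the framework registers and use one prefix consistently, since users grep NEWS for exact log filenames. The added "smb_cmd.log" entry and the clarified Intel::item_expiration / intel.log 'matched' wording otherwise read fine.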
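Review bot: in hunk @@ -62,26 +65,23 @@ the spelling "STARTTLS" for the IMAP/XMPP analyzers differs from "StartTLS" used for the IRC analyzer in the @@ -120 hunk; pick one form (the protocol extension is usually written STARTTLS) so both bullets agree. Dropping the misc/stats.bro bullet here is only safe because the same item is re-added with corrected wording in the @@ -120 hunk; worth stating in the commit message so the deletion does not look like a lost entry.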
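Review bot: in hunk @@ -93,10 +93,10 @@ the count changes from "Two" to "Three new built-in functions" but only check_subnet() and subnet_width() are visible in the surrounding context; confirm that the third function is actually listed in the elided part of that bullet, otherwise the count and the list disagree.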
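Review bot: in hunk @@ -120,22 +120,25 @@ the new bullet "misc/stats.bro script is now loaded by default" describes a default-behaviour change (a log file that now appears in every deployment) rather than purely new functionality, and the matching stats.log field additions, the lag -> pkt_lag rename and the removed pkts_recv field are documented separately under Changed Functionality; add a short cross-reference in one of the two places so operators updating parsers for stats.log find both. Removing the trailing comma after get_matcher_stats() and tying the libgeoip requirement to haversine_distance_ip() only are correct fixes.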
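Review bot: in hunk @@ -211,42 +218,58 @@ the SMTP example now reads "the change from ``""`` to ``"user@domain.com"``", i.e. the "before" value is an empty string, so the example no longer shows what cruft was stripped; check whether the original form was lost when the line was edited (angle-bracket content is easily eaten by markup processing) and put the pre-change value back. Second, the identifier list changes the documented target from "pcap_error() -> Pcap::pcap_error()" to "pcap_error() -> Pcap::error()"; since this is the name users will search for, confirm it matches the exported bif before merging. Folding the old "In http.log, the filename field ... has been split" bullet into the HTTP log entry removes a duplicate and is fine.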
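Review bot: in hunk @@ -284,33 +307,34 @@ the addition of ``--analyze`` to the list of removed command line options is a substantive change buried in what is otherwise an indentation and typo cleanup; call it out in the commit message, and confirm the option is really gone in this release (scripts that still pass it will fail at startup). The note that app_stats.log disappears along with the app-stats scripts is a useful addition for anyone with log collection configured for that file.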