Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'master' of ssh://git.bro-ids.org/bro

Browse source
This commit is contained in:
Seth Hall 2016-08-09 15:42:17 -04:00
commit fea63eef30
3 changed files with 70 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

18
CHANGES
View file

@ -1,4 +1,22 @@
2.4-905 | 2016-08-09 08:19:37 -0700
* GSSAPI analyzer now forwards authentication blobs more correctly.
(Seth Hall)
* The KRB analyzer now includes support for the PA_ENCTYPE_INFO2
pre-auth data type. (Seth Hall)
* Add an argument to "disable_analyzer" function to not do a
reporter message by default. (Seth Hall)
2.4-902 | 2016-08-08 16:50:35 -0400
* Adding SMB analyzer. (Seth Hall, Vlad Grigorescu and many others)
* NetControl: allow reasons in remove_rule calls. Addresses BIT-1655
(Johanna Amann)
2.4-893 | 2016-08-05 15:43:04 -0700 2.4-893 | 2016-08-05 15:43:04 -0700
* Remove -z/--analysis option. (Johanna Amann) * Remove -z/--analysis option. (Johanna Amann)

78
NEWS
View file

@ -18,37 +18,6 @@ New Dependencies
- When enabling Broker (which is disabled by default), Bro now requires - When enabling Broker (which is disabled by default), Bro now requires
version 0.14 of the C++ Actor Framework. version 0.14 of the C++ Actor Framework.
Log Changes
-----------
- Connections
- The 'history' field gains two new flags: '^' indicates that Bro
heuristically flipped to direction of the connection. 't/T' indicates
the first TCP payload retransmission from originator or responder,
respectively.
- DNS
- New 'rtt' field to indicate the round trip time between when a
request was sent and when a reply started.
- SMTP
- New 'cc' field which includes the 'Cc' header from MIME messages
sent over SMTP.
- Changes in 'mailfrom' and 'rcptto' fields to remove some non-address
cruft that will tend to be found. The main example is the change
from "<user@domain>" to "user@domain.com".
- HTTP
- Removed 'filename' field.
- New 'orig_filenames' and 'resp_filenames' fields which each contain
a vector of filenames seen in entities transferred.
New Functionality New Functionality
----------------- -----------------
@ -70,6 +39,26 @@ New Functionality
- Bro now includes the NetControl framework. The framework allows for easy - Bro now includes the NetControl framework. The framework allows for easy
interaction of Bro with hard- and software switches, firewalls, etc. interaction of Bro with hard- and software switches, firewalls, etc.
- Bro's Intelligence Framework was refactored and new functionality
has been added:
- The framework now supports the new indicator type Intel::SUBNET.
As subnets are matched against seen addresses, the field 'matched'
was introduced to indicate which indicator type(s) caused the hit.
- The new function remove() allows to delete intelligence items.
- The intel framework now supports expiration of intelligence items.
Expiration can be configured by using Intel::item_expiration and
can be handled by using the item_expired() hook. The new script
do_expire.bro removes expired items.
- The new hook extend_match() allows extending the framework. The new
policy script whitelist.bro uses the hook to implement whitelisting.
- Intel notices are now suppressible and mails for intel notices now
list the identified services as well as the intel source.
- There is a new file entropy analyzer for files. - There is a new file entropy analyzer for files.
- Bro now supports the remote framebuffer protocol (RFB) that is used by - Bro now supports the remote framebuffer protocol (RFB) that is used by
@ -166,6 +155,33 @@ New Functionality
Changed Functionality Changed Functionality
--------------------- ---------------------
- Log changes:
- Connections
* The 'history' field gains two new flags: '^' indicates that
Bro heuristically flipped to direction of the connection.
't/T' indicates the first TCP payload retransmission from
originator or responder, respectively.
- DNS
* New 'rtt' field to indicate the round trip time between when a
request was sent and when a reply started.
- SMTP
* New 'cc' field which includes the 'Cc' header from MIME
messages sent over SMTP.
* Changes in 'mailfrom' and 'rcptto' fields to remove some
non-address cruft that will tend to be found. The main
example is the change from "<user@domain>" to
"user@domain.com".
- HTTP
* Removed 'filename' field.
* New 'orig_filenames' and 'resp_filenames' fields which each
contain a vector of filenames seen in entities transferred.
- The BrokerComm and BrokerStore namespaces were renamed to Broker. - The BrokerComm and BrokerStore namespaces were renamed to Broker.
The Broker "print" function was renamed to Broker::send_print, and The Broker "print" function was renamed to Broker::send_print, and
"event" to "Broker::send_event". "event" to "Broker::send_event".

2
VERSION
View file

@ -1 +1 @@
2.4-893 2.4-905