Merge branch 'master' of ssh://git.bro-ids.org/bro

Seth Hall 2016-08-09 15:42:17 -04:00
commit fea63eef30
3 changed files with 70 additions and 36 deletions

CHANGES (18 changed lines)

@ -1,4 +1,22 @@
2.4-905 | 2016-08-09 08:19:37 -0700
* GSSAPI analyzer now forwards authentication blobs more correctly.
(Seth Hall)
* The KRB analyzer now includes support for the PA_ENCTYPE_INFO2
pre-auth data type. (Seth Hall)
* Add an argument to "disable_analyzer" function to not do a
reporter message by default. (Seth Hall)
2.4-902 | 2016-08-08 16:50:35 -0400
* Adding SMB analyzer. (Seth Hall, Vlad Grigorescu and many others)
* NetControl: allow reasons in remove_rule calls. Addresses BIT-1655
(Johanna Amann)
2.4-893 | 2016-08-05 15:43:04 -0700 2.4-893 | 2016-08-05 15:43:04 -0700
* Remove -z/--analysis option. (Johanna Amann) * Remove -z/--analysis option. (Johanna Amann)
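Review bot: The 2.4-905 entry for disable_analyzer ("Add an argument ... to not do a reporter message by default") reads two ways: either the new argument defaults to suppressing the message, or the message is still emitted unless the argument is passed. Operators grep CHANGES to learn whether analyzers can now be disabled silently, so name the parameter and state its default value. Likewise "GSSAPI analyzer now forwards authentication blobs more correctly" says nothing about what was wrong; since the forwarded blobs are what the NTLM and KRB analyzers see, say which cases were previously mis-forwarded.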

NEWS (86 changed lines)

@ -18,47 +18,16 @@ New Dependencies
- When enabling Broker (which is disabled by default), Bro now requires - When enabling Broker (which is disabled by default), Bro now requires
version 0.14 of the C++ Actor Framework. version 0.14 of the C++ Actor Framework.
Log Changes
-----------
- Connections
- The 'history' field gains two new flags: '^' indicates that Bro
heuristically flipped to direction of the connection. 't/T' indicates
the first TCP payload retransmission from originator or responder,
respectively.
- DNS
- New 'rtt' field to indicate the round trip time between when a
request was sent and when a reply started.
- SMTP
- New 'cc' field which includes the 'Cc' header from MIME messages
sent over SMTP.
- Changes in 'mailfrom' and 'rcptto' fields to remove some non-address
cruft that will tend to be found. The main example is the change
from "<user@domain>" to "user@domain.com".
- HTTP
- Removed 'filename' field.
- New 'orig_filenames' and 'resp_filenames' fields which each contain
a vector of filenames seen in entities transferred.
New Functionality New Functionality
----------------- -----------------
- SMB analyzer. This is the rewrite that has been in development for - SMB analyzer. This is the rewrite that has been in development for
several years. The scripts are currently not loaded by default and several years. The scripts are currently not loaded by default and
must be loaded manually by loading policy/protocols/smb. The next must be loaded manually by loading policy/protocols/smb. The next
release will load the smb scripts by default. release will load the smb scripts by default.
- Implements SMB1+2. - Implements SMB1+2.
- Fully integrated with the file analysis framework so that files - Fully integrated with the file analysis framework so that files
transferred over SMB can be analyzed. transferred over SMB can be analyzed.
- Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC - Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC
analyzer. analyzer.
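Review bot: Deleting the whole "Log Changes" heading and its Connections/DNS/SMTP/HTTP entries only makes sense as a relocation; the same four subsections are added under "Changed Functionality" in a later hunk of this file, so confirm the move is one-to-one and no entry was dropped. While moving it, fix "heuristically flipped to direction of the connection" to "flipped the direction of the connection", which is carried over verbatim.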
@ -70,6 +39,26 @@ New Functionality
- Bro now includes the NetControl framework. The framework allows for easy - Bro now includes the NetControl framework. The framework allows for easy
interaction of Bro with hard- and software switches, firewalls, etc. interaction of Bro with hard- and software switches, firewalls, etc.
- Bro's Intelligence Framework was refactored and new functionality
has been added:
- The framework now supports the new indicator type Intel::SUBNET.
As subnets are matched against seen addresses, the field 'matched'
was introduced to indicate which indicator type(s) caused the hit.
- The new function remove() allows to delete intelligence items.
- The intel framework now supports expiration of intelligence items.
Expiration can be configured by using Intel::item_expiration and
can be handled by using the item_expired() hook. The new script
do_expire.bro removes expired items.
- The new hook extend_match() allows extending the framework. The new
policy script whitelist.bro uses the hook to implement whitelisting.
- Intel notices are now suppressible and mails for intel notices now
list the identified services as well as the intel source.
- There is a new file entropy analyzer for files. - There is a new file entropy analyzer for files.
- Bro now supports the remote framebuffer protocol (RFB) that is used by - Bro now supports the remote framebuffer protocol (RFB) that is used by
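Review bot: "The new function remove() allows to delete intelligence items" is ungrammatical ("can be used to delete") and should give the function's namespaced name so it can be searched for. The expiration bullet should also say whether do_expire.bro is loaded by default: as written, a reader cannot tell whether setting Intel::item_expiration alone retires items or whether the script must be loaded, and an operator who assumes the former would keep stale indicators matching indefinitely. The same applies to whitelist.bro, where "new policy script" only implies it is not loaded by default.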
@ -166,6 +155,33 @@ New Functionality
Changed Functionality Changed Functionality
--------------------- ---------------------
- Log changes:
- Connections
* The 'history' field gains two new flags: '^' indicates that
Bro heuristically flipped to direction of the connection.
't/T' indicates the first TCP payload retransmission from
originator or responder, respectively.
- DNS
* New 'rtt' field to indicate the round trip time between when a
request was sent and when a reply started.
- SMTP
* New 'cc' field which includes the 'Cc' header from MIME
messages sent over SMTP.
* Changes in 'mailfrom' and 'rcptto' fields to remove some
non-address cruft that will tend to be found. The main
example is the change from "<user@domain>" to
"user@domain.com".
- HTTP
* Removed 'filename' field.
* New 'orig_filenames' and 'resp_filenames' fields which each
contain a vector of filenames seen in entities transferred.
- The BrokerComm and BrokerStore namespaces were renamed to Broker. - The BrokerComm and BrokerStore namespaces were renamed to Broker.
The Broker "print" function was renamed to Broker::send_print, and The Broker "print" function was renamed to Broker::send_print, and
"event" to "Broker::send_event". "event" to "Broker::send_event".
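Review bot: "Removed 'filename' field" under HTTP, together with the new vector-valued 'orig_filenames' and 'resp_filenames' fields, is a breaking change to http.log: any downstream parser that indexes columns by position or expects a scalar filename will break, so flag it as incompatible (the new 'rtt' and 'cc' fields shift column positions in dns.log and smtp.log as well). Two smaller points in the moved text: "flipped to direction of the connection" should read "flipped the direction of the connection", and the mailfrom/rcptto example changes domain between its two forms ("<user@domain>" versus "user@domain.com"); use the same address on both sides. Style-wise, the nested items here use '*' while the rest of this file uses '-' for nested items.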


@ -1 +1 @@
2.4-893 2.4-905