Release Notes
=============

This document summarizes the most important changes in the current Bro
release. For a complete list of changes, see the ``CHANGES`` file.

Bro 2.1
-------

- Dependencies:

  * Bro now requires CMake >= 2.6.3.

  * Bro now links in tcmalloc (part of Google perftools) if found at
    configure time. Doing so can significantly improve memory and
    CPU use.

- Bro now supports IPv6 out of the box; the configure switch
  --enable-brov6 is gone.

- DNS name lookups performed by Bro now also query AAAA records. The
  results of the A and AAAA queries for a given hostname are combined
  such that at the scripting layer, the name resolution can yield a
  set with both IPv4 and IPv6 addresses.

- The connection compressor was already deprecated in 2.0 and has now
  been removed from the code base.

- We removed the "match" statement, which was no longer used by any of
  the default scripts, nor was it likely to be used by anybody anytime
  soon. With that, "match" and "using" are no longer reserved keywords.

- The syntax for IPv6 literals changed from "2607:f8b0:4009:802::1012"
  to "[2607:f8b0:4009:802::1012]".

- Bro now spawns threads for doing its logging. From a user's
  perspective not much should change, except that the OS may now show
  a bunch of Bro threads.

- We renamed the configure option --enable-perftools to
  --enable-perftool-debug to indicate that the switch is only relevant
  for debugging the heap.

- Bro's ICMP analyzer now handles both IPv4 and IPv6 messages with a
  joint set of events. The `icmp_conn` record got a new boolean field
  'v6' that indicates whether the ICMP message is v4 or v6.

- Log postprocessor scripts get an additional argument indicating the
  type of the log writer in use (e.g., "ascii").

- BroControl's make-archive-name script also receives the writer
  type, but as its 2nd(!) argument. If you're using a custom version
  of that script, you need to adapt it. See the shipped version for
  details.

- Signature files can now be loaded via the new "@load-sigs"
  directive. In contrast to the existing (and still supported)
  signature_files constant, this can be used to load signatures
  relative to the current script (e.g., "@load-sigs ./foo.sig").

TODO: Extend.

Bro 2.0
-------

As the version number jump suggests, Bro 2.0 is a major upgrade and
lots of things have changed. We have assembled a separate upgrade
guide with the most important changes compared to Bro 1.5 at
http://www.bro-ids.org/documentation/upgrade.html. You can find
the offline version of that document in ``doc/upgrade.rst``.

Compared to the earlier 2.0 Beta version, the major changes in the
final release are:

* The default scripts now come with complete reference
  documentation. See
  http://www.bro-ids.org/documentation/index.html.

* libz and libmagic are now required dependencies.

* Reduced snaplen default from 65535 to old default of 8192. The
  large value was introducing performance problems on many
  systems.

* Replaced the --snaplen/-l command line option with a
  scripting-layer option called "snaplen". The new option can also
  be redefined on the command line, e.g. ``bro -i eth0
  snaplen=65535``.

* Reintroduced the BRO_LOG_SUFFIX environment variable that the
  ASCII logger now respects to add a suffix to the log files it
  creates.

* The ASCII logs now include further header information, and
  fields set to an empty value are now logged as ``(empty)`` by
  default (instead of ``-``, which is already used for fields that
  are not set at all).

* Some NOTICES were renamed, and the signatures of some SSL events
  have changed.

* bro-cut got some new capabilities:

  - If no field names are given on the command line, we now pass
    through all fields.

  - New options -u/-U for time output in UTC.

  - New option -F to give output field separator.

* Broccoli supports more types internally, allowing it to send
  complex records.

* Many smaller bug fixes, portability improvements, and general
  polishing across all modules.