If you haven't see it yet, the new Broker version has been merged into
git master a little while ago. This is a major internal change that's
on track for release in Bro 2.6, and we are interested in feedback on
how it works for people.
With this merge, we are completely replacing usage of Bro's classic
communication system with the new Broker library. All of Bro's
standard scripts have been ported over, and BroControl has been
adapted as well. The old communication system remains available for
the time being, but it is turned off by default and scheduled to be
removed in Bro 2.7 (not 2.6).
If you have an environment where you can test drive new Bro versions,
please give this a try. We're interested in any feedback you have,
including in particular any observations about performance; there are
some knobs we are still tuning. For now, you'll need to compile from
git, see:
https://www.bro.org/sphinx/install/install.html#installing-from-source.
Binary builds will be coming shortly.
From a user's perspective, not much should even be changing, most of
the new stuff is under the hood. The exception are custom scripts
doing communication themselves, they need to be ported over to Broker.
Documentation for that is here:
https://www.bro.org/sphinx-git/frameworks/broker.html, including a
porting guide for existing scripts. The Broker library itself comes
with a new user manual as well, it's online at
https://bro-broker.readthedocs.io/en/stable/index.html.
One specific note on upgrading existing Bro clusters: the meaning of
"proxy" has changed. They still exist, but play a quite different role
now. If you're currently using more than one proxy, we recommend going
back to one as the initial default; that'll most likely be fine with
the standard scripts. If that works fine, you could add a 2nd one for
redundancy.
Robin