Dot release?


Making a 2.2.1 release has been coming up a few times and I'm thinking
we should just snapshot current master for that. We've been fixing
quite a number of things since 2.2, yet there aren't any larger new
features yet (GRE tunnel decapsulation being the only one I can think
of right now).

I'd wait for two more things though:

    - Merging, and some testing, of Jon's recent file analysis
    framework API changes that make the file handle management more

    - Figuring out the exec and/or sumstats problems (it looks certain
    at this point that exec isn't cleaning up fully; and sumstats may
    have a larger than expected CPU impact, but that's not clear yet I

Once 2.2.1 is out, I'd then next work on merging my dynamic plugin
code, which is mostly ready but needs cleanup, review, documentation,

How does that sound? If good, now would also be the time to finalize
any other minor fixes that people might want to see in 2.2.1.


I like that plan. I think there are some minor Mavericks issues too that Daniel found. So we might want to get those in there as well.

I already told Robin - but just for the record, I think it is a good idea/plan.


Yes, the current master is WAY more stable on busy production sensors than 2.2. For sites really leaning on the intel framework, master is the only way to go.


Liam Randall

I'd wait for two more things though:

Aashish also raised some potential bugs with Bro's hashing. It appears
that the Bloom filters fill up too quickly, i.e., do not meet their
false positive requirements. My hunch is that this has to do with the
construction of hash functions, perhaps they are not pairwise
independent unless parametrized in a certain way, or perhaps there's
just some other smaller bug in place. In any case, it needs to be
fixed and I wonder whether 2.2.1 is the right target for that.
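
One way to test the hunch in the message above, as an added example that is not part of the original thread and is not Bro's code: size a Bloom filter for a target false-positive rate, then measure the empirical rate with independently seeded hashes and with a deliberately correlated hash family. The function names and the correlated construction are assumptions made for illustration.

```python
import hashlib
import math

def optimal_params(n, fp):
    """Bits m and hash count k for n items at target false-positive rate fp."""
    m = math.ceil(-n * math.log(fp) / (math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    return m, k

def h64(data, seed):
    """64-bit hash of data, keyed by an integer seed (BLAKE2b)."""
    key = seed.to_bytes(8, "big")
    return int.from_bytes(hashlib.blake2b(data, digest_size=8, key=key).digest(), "big")

def independent_indexes(item, m, k):
    # One separately seeded hash per bit position.
    return [h64(item, i + 1) % m for i in range(k)]

def correlated_indexes(item, m, k):
    # Constructed flaw (hypothetical, not taken from Bro): every "hash
    # function" is the same base hash plus a small offset, so the k
    # positions of an item always form one contiguous run.
    base = h64(item, 1)
    return [(base + i) % m for i in range(k)]

def measure_fp(index_fn, n=2000, probes=20000, target=0.01):
    """Insert n items, probe with items never inserted, return the FP rate."""
    m, k = optimal_params(n, target)
    bits = bytearray(m)
    for i in range(n):
        for idx in index_fn(b"in-%d" % i, m, k):
            bits[idx] = 1
    hits = sum(
        all(bits[idx] for idx in index_fn(b"out-%d" % j, m, k))
        for j in range(probes)
    )
    return hits / probes

if __name__ == "__main__":
    print("target              0.0100")
    print("independent hashes  %.4f" % measure_fp(independent_indexes))
    print("correlated hashes   %.4f" % measure_fp(correlated_indexes))
```

With the correlated family the filter is sized exactly as before, yet a probe whose base position lands on any inserted item's base position matches all k bits at once, so the measured rate ends up many times the configured target.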


Yes, that would be good to get in there too if we can figure out
what's going on.


I'm in the same boat as Johanna here. Looking forward to the 2.2.1 release. ;)