> I downloaded and installed bro 0.6 without problems, apart from some
> minor changes required in Makefile.in and Rlogin.h.

(These are fixed for 0.7, by the way.)

> I noticed, however, that this version of bro still validates values
> of type 'net' according to the outdated 'class A/B/C/D' convention.

Yes, sorry about that. This isn't fixed for 0.7, either (since the sites
at which I run Bro don't happen to need this, and I'm short of cycles),
except there are some uses of mask_addr() that let you use /24's for
particular networks that Bro looks at. You can get a pre-release snapshot
from:

    ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a48.tar.gz

by the way.

The general solution requires adding CIDR prefixes to Bro, which is tricky
because they have to work efficiently when used as table/set indices.
It's that difficulty that's made it expensive for me to add this, absent
a need to do so in my daytime job.

> In addition, I'd like to know whether bro developers have planned
> to extend bro language with a type 'interval of IP addresses'.

I hadn't considered this - do you need something different from what you
could achieve if Bro supported /n prefixes?

Vern
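
The indexing difficulty discussed in the message above, as an added example (not Bro's code and not written by either poster): a classful net is found with a single exact-match probe because the address bits fix the prefix length, while a CIDR table needs a longest-prefix search. The table contents and the names classful_len, mask_prefix, probe, cidr_lookup and classful_lookup are illustrative assumptions; mask_prefix is a local helper, not Bro's mask_addr().

```c
#include <stdint.h>
#include <stddef.h>

/* Classful rule: the prefix length is implied by the leading address bits. */
int classful_len(uint32_t a) {
    if ((a >> 31) == 0x0) return 8;   /* class A: 0xxx */
    if ((a >> 30) == 0x2) return 16;  /* class B: 10xx */
    if ((a >> 29) == 0x6) return 24;  /* class C: 110x */
    return -1;                        /* class D/E: no network part */
}

/* Keep the top `len` bits of an address (local helper for this example). */
uint32_t mask_prefix(uint32_t a, int len) {
    return len <= 0 ? 0 : a & (0xFFFFFFFFu << (32 - len));
}

struct prefix { uint32_t net; int len; const char *label; };

/* Constructed sample table; note the /23, which no classful net can express. */
static const struct prefix table[] = {
    { 0x0A000000u,  8, "10.0.0.0/8"     },
    { 0x0A010000u, 16, "10.1.0.0/16"    },
    { 0x0A010200u, 23, "10.1.2.0/23"    },
    { 0xC0A80100u, 24, "192.168.1.0/24" },
};
#define NPREFIX (sizeof table / sizeof table[0])

/* Exact-match probe for one (net, len) key; a linear scan stands in for a hash. */
static const struct prefix *probe(uint32_t net, int len) {
    for (size_t i = 0; i < NPREFIX; i++)
        if (table[i].len == len && table[i].net == net) return &table[i];
    return NULL;
}

/* Longest-prefix match: probe every length, most specific first (up to 33 probes). */
const char *cidr_lookup(uint32_t a) {
    for (int len = 32; len >= 0; len--) {
        const struct prefix *p = probe(mask_prefix(a, len), len);
        if (p) return p->label;
    }
    return NULL;
}

/* Classful lookup: one probe, because the address itself fixes the length. */
const char *classful_lookup(uint32_t a) {
    int len = classful_len(a);
    const struct prefix *p = len < 0 ? NULL : probe(mask_prefix(a, len), len);
    return p ? p->label : NULL;
}
```

For 10.1.3.5 the classful lookup can only return the /8 entry, while the CIDR lookup returns the more specific 10.1.2.0/23.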