An updated "CURRENT" version of Bro is now available from the usual location:
ftp://ftp.ee.lbl.gov/bro-pub-0.8-current.tar.gz
I've appended the changes between it and the last "CURRENT" version (0.8a48).
Vern
- The format of Bro's connection summaries is changing. The new format
looks like

1069437569.904605 0.230644 1.2.3.4 5.6.7.8 http 59377 80 tcp 610 275 S3 L

That is, <timestamp>, <duration>, <originator address>, <responder address>,
<service>, <originator port>, <responder port>, <originator bytes>,
<responder bytes>, <connection state>, <flags>. (Robin Sommer)

The script variable traditional_conn_format=T specifies to use the old
format rather than this new one. This is *currently* the default, but
will change soon to default to F instead. If you have comments on this
new format, we'd like to hear them.
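A small parser for the new summary format, written here as an added example (not code from Bro or from the announcement). It assumes the twelve whitespace-separated columns of the sample line above; the "tcp" token between the ports and the byte counts is not named in the change notes' field list, so calling it "proto" is this example's assumption, and any line with a different column count is rejected rather than guessed at.

```python
from datetime import datetime, timezone

# Constructed sample: the example line from the change notes.
SAMPLE_LINE = "1069437569.904605 0.230644 1.2.3.4 5.6.7.8 http 59377 80 tcp 610 275 S3 L"

# Column names from the change notes, plus "proto" for the "tcp" token the
# sample carries between the ports and the byte counts (naming assumed here).
FIELDS = ("ts", "duration", "orig_h", "resp_h", "service", "orig_p", "resp_p",
          "proto", "orig_bytes", "resp_bytes", "state", "flags")


def parse_conn_line(line):
    """Parse one new-format connection summary into a dict of typed values.

    Lines whose column count differs from the documented layout raise
    ValueError, so a format change (e.g. an extra trailing field) is noticed
    instead of silently shifting every later column.
    """
    toks = line.split()
    if len(toks) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(toks)}: {line!r}")
    rec = dict(zip(FIELDS, toks))
    rec["ts"] = float(rec["ts"])            # epoch seconds with microseconds
    rec["duration"] = float(rec["duration"])
    for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
        rec[key] = int(rec[key])
    rec["start"] = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    return rec


def bytes_by_service(lines):
    """Total bytes in both directions, keyed by the <service> column."""
    totals = {}
    for line in lines:
        rec = parse_conn_line(line)
        totals[rec["service"]] = (totals.get(rec["service"], 0)
                                  + rec["orig_bytes"] + rec["resp_bytes"])
    return totals


if __name__ == "__main__":
    r = parse_conn_line(SAMPLE_LINE)
    print(r["start"].isoformat(), r["orig_h"], "->", r["resp_h"],
          r["service"], r["state"], r["flags"])
    print(bytes_by_service([SAMPLE_LINE]))
```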
The changes notes above don't mention the <addl> field. Is that just
an oversight in the notes, or is it being dropped from the red log?
Will <service> still contain port numbers? Or will "other-nnnnn" become
simply "other"? (that would be my preference)
Although I don't know what the "neighbor net" U flag even means, I wonder
if this is the time to drop that, as the BRO manual says the whole notion
is historical.
Mark