new bro "CURRENT" release - 0.8a79

An updated "CURRENT" version of Bro is now available from the usual location:

This version has a lot of changes, including new analyzers, documentation,
language features, VLAN support, and the beginnings of IDMEF support. I've
appended the changes since the last "CURRENT" version (0.8a70).


and the beginnings of IDMEF support.

Just curious, what is the motivation for IDMEF support? Just to be
consistent with industry "standard" or something else? Basically, I am
asking how users are supposed to use IDMEF in a production environment.


This really blows snort out of the water.

Thank you,


0. cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)

1. ./configure --disable-openssl

2. make

g++ -o bro main.o net_util.o util.o parse.o scan.o re-parse.o re-scan.o
rule-parse.o rule-scan.o Active.o Anon.o Attr.o BackDoor.o Base64.o
BroString.o CCL.o ChunkedIO.o CompHash.o Conn.o DCE_RPC.o DFA.o DNS.o
DNS_Mgr.o DbgBreakpoint.o DbgHelp.o DbgWatch.o Debug.o DebugCmds.o Desc.o
Dict.o Discard.o EquivClass.o Event.o EventHandler.o EventRegistry.o
Expr.o FTP.o File.o Finger.o Frag.o Frame.o Func.o Gnutella.o HTTP.o
Hash.o ICMP.o ID.o Ident.o IntSet.o InterConn.o List.o Logger.o Login.o
MIME.o NFA.o NTP.o NVT.o Net.o NetVar.o NetbiosSSN.o Obj.o PacketFilter.o
PacketSort.o PktSrc.o PolicyFile.o Portmap.o PrefixTable.o
PriorityQueue.o Queue.o RE.o RPC.o Reassem.o RemoteSerializer.o Rlogin.o
Rule.o RuleAction.o RuleCondition.o RuleMatcher.o SMTP.o SSH.o Scope.o
SerializationFormat.o SerialObj.o Serializer.o Sessions.o StateAccess.o
Stats.o SteppingStone.o Stmt.o TCP.o TCP_Contents.o TCP_Endpoint.o
TCP_Rewriter.o Telnet.o Timer.o Type.o UDP.o Val.o Var.o XDR.o cq.o md5.o
patricia.o setsignal.o version.o nb_dns.o -Llibedit -ledit -lresolv
-lpcap -lpcap /usr/lib/libresolv.a -ltermcap -lm

Sessions.o: In function `NetSessions::NewConn(HashKey *, double, ConnID
const *, tcphdr const *)':
Sessions.o(.text+0x41a4): undefined reference to
ns *, HashKey *, double, ConnID const *, tcphdr const *)'
collect2: ld returned 1 exit status
make: *** [bro] Error 1

Any ideas?

Same error happens if ssl is not disabled.

First, it's indeed simply a standardized way to talk to other
systems. If you're using different kinds of NIDSs (either at
different locations or even at the same place), they may share their
results with IDMEF.

Second, it's interesting to see how Bro's semantics map to IDMEF and
vice versa. Most parts of Bro work on a lower level than IDMEF. So,
a large fraction of Bro's state is not (reasonably) convertible to
IDMEF. On the other hand, Bro's alert framework looks quite similar
to IDMEF's model. By adding IDMEF support we should be able to
better understand what kind of information can actually be
represented in this format (and if it's sufficient for the task it's
supposed to do).

Regarding the question of how to use it: if you want to connect
multiple Bros, IDMEF is probably not the best way; there are other
mechanisms now (which are still experimental though). But if you
want to share alerts with other systems, IDMEF could be an option.