A new Bro pre-release is now available from:
ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a61.tar.gz
The most timely change is the addition of an NTP analyzer that can detect
the new NTP remote root compromise attack.
A summary of the changes with respect to 0.7a48:
- An NTP analyzer has been added. See policy/ntp.bro for a
corresponding policy file that detects the newly discovered
NTP remote buffer overflow attack.
- example-attacks/ is a new directory that contains trace files
of attacks. Currently, there are just two to play with:
    bro -r example-attacks/ftp-site-exec.trace mt
will run on a trace of a "site exec" overflow attack, and
    bro -r example-attacks/ntp-attack.trace mt ntp
will run on an example of the NTP overflow.
- The doc/ directory includes the postscript and HTML versions
of the first draft of the Bro manual.
- A new policy file, icmp.bro, has preliminary (and only
partially developed) policy for analyzing ICMP.
- The file libpcap.bufsize.patch includes the patch necessary
on some systems to increase the maximum libpcap buffer size.
- You can now use anonymous functions in &default expressions,
so for example you can do:
    global foo: table[count] of string = {
        [1] = "1st", [2] = "2nd", [3] = "3rd",
    } &default = function(n: count): string { return fmt("%dth", n); };
and then referring to foo[5] will yield "5th".
- There's now a "for" statement to iterate over the indices of
a table or the members of a set:
    for ( i in foo )
for the above "foo" will iterate with i assigned to 1, 2, and 3;
*but not in general in that order*.
- The function contains_string() has been removed, and now you
can instead use an expression like
    "bar" in "foobar"
which will yield T.
- The scan detection now has a mechanism for attempting to detect
SYN flooding backscatter and flagging it as different from a
stealth scan.
- New event handlers:
    new_connection_contents()
        like new_connection(), but reassembles the
        stream so you can use set_contents_file() to
        write it to a file
    udp_session_done()
        invoked when a UDP session (which is defined on
        a per-protocol basis; currently only for NTP)
        finishes.
    ntp_message()
        invoked for each NTP message
- UDP processing now does accounting for detecting scans.
- UDP processing now tracks the number of requests and replies for
sessions that support that notion. The connections are
annotated by udp_session_done() with "[m,n]" for "m"
requests and "n" replies, provided that either m or n is > 1.
- New variable accessible from policy:
    watchdog_interval
        how often the watchdog should check whether
        Bro is making internal progress
- A bunch of functions no longer have a first argument of the
current time; get it instead from network_time() if you need it:
    authentication_accepted
    authentication_rejected
    conn_weird
    conn_weird_addl
    flow_weird
    net_weird
- A bunch of functions now return bool rather than int values:
    set_contents_file
    set_login_state
    set_record_packets
    skip_further_processing
- The variable "hot_dests" has been renamed to "hot_dsts".
- 111/tcp is now identified as "portmap" rather than "rpc".
- Connections flagged as hot for some types of characteristics
are now annotated with the reason associated with the
decision. (I think a lot more of this is needed.)
- Portmapper dumps are annotated with the results of the mapping.
This will be streamlined in the future.
- Vern