new Bro pre-release available - 0.7a61

A new Bro pre-release is now available from:

  ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a61.tar.gz

The most timely change is the addition of an NTP analyzer that can detect
the new NTP remote root compromise attack.

A summary of the changes with respect to 0.7a48:

  - An NTP analyzer has been added. See policy/ntp.bro for a
    corresponding policy file that detects the newly discovered
    NTP remote buffer overflow attack.

  - example-attacks/ is a new directory that contains trace files
    of attacks. Currently, there are just two to play with:

    bro -r example-attacks/ftp-site-exec.trace mt

    will run on a trace of a "site exec" overflow attack, and

    bro -r example-attacks/ntp-attack.trace mt ntp

    will run on an example of the NTP overflow.

  - The doc/ directory includes the postscript and HTML versions
    of the first draft of the Bro manual.

  - A new policy file, icmp.bro, has preliminary (and only
    partially developed) policy for analyzing ICMP.

  - The file libpcap.bufsize.patch includes the patch necessary
    on some systems to increase the maximum libpcap buffer size.

  - You can now use anonymous functions in &default expressions,
    so for example you can do:

    global foo: table[count] of string = {
      [1] = "1st", [2] = "2nd", [3] = "3rd",
    } &default = function(n: count): string { return fmt("%dth", n); };

    and then referring to foo[5] will yield "5th".

  - There's now a "for" statement to iterate over the indices of
    a table or the members of a set:

    for ( i in foo )

    for the above "foo" will iterate with i assigned to 1, 2, and 3;
    *but not in general in that order*.

  - The function contains_string() has been removed, and now you
    can instead use an expression like

    "bar" in "foobar"

    which will yield T.
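    The following is an added illustration, not part of this announcement
    or of the Bro distribution, that puts the three new script features
    above together in one policy fragment. It assumes the 0.7a61 syntax
    shown above plus "local" declarations, the "%" modulo operator,
    "if"/"else" and a bro_init() event, which are assumptions here.

```bro
# Added example (not from the release notes). The &default function is
# consulted only for indices that are not stored in the table, so the
# three explicit entries win and every other count gets a computed
# suffix; it extends the "%dth" version above to handle 11th/12th/13th
# and 21st/22nd/23rd correctly.
global ordinal: table[count] of string = {
    [1] = "1st", [2] = "2nd", [3] = "3rd",
} &default = function(n: count): string
    {
    local tens = n % 100;   # "local" and "%" are assumed to exist
    local ones = n % 10;
    if ( tens >= 11 && tens <= 13 )
        return fmt("%dth", n);   # 11th, 12th, 13th, 111th, ...
    if ( ones == 1 )
        return fmt("%dst", n);   # 21st, 31st, ...
    if ( ones == 2 )
        return fmt("%dnd", n);   # 22nd, 32nd, ...
    if ( ones == 3 )
        return fmt("%drd", n);   # 23rd, 33rd, ...
    return fmt("%dth", n);       # 5th, 20th, ...
    };

# "for" visits only the indices actually stored (1, 2 and 3 here), never
# the values the &default function could compute, and in no guaranteed
# order, so the result below is some permutation of "1st 2nd 3rd ".
function stored_suffixes(): string
    {
    local s = "";
    for ( i in ordinal )
        s = fmt("%s%s ", s, ordinal[i]);
    return s;
    }

# The new "in" operator on strings replaces contains_string().
function mentions_ntp(msg: string): bool
    {
    return "ntp" in msg;
    }

event bro_init()   # assumed to be available in this release
    {
    print ordinal[5];                              # 5th
    print ordinal[22];                             # 22nd
    print stored_suffixes();                       # e.g. "1st 2nd 3rd "
    print mentions_ntp("possible ntp overflow");   # T
    }
```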
  
  - The scan detection now has a mechanism for attempting to detect
    SYN flooding backscatter and flagging it as different from a
    stealth scan.

  - New event handlers:
    
    new_connection_contents()
      like new_connection(), but reassembles the
      stream so you can use set_content_files() to
      write it to a file

    udp_session_done()
      invoked when a UDP session (which is defined on
      a per-protocol basis; currently only for NTP)
      finishes.

    ntp_message()
      invoked for each NTP message

  - UDP processing now does accounting for detecting scans.

  - UDP processing now tracks numbers of requests/replies for
    sessions that support that notion. The connections are
    annotated by udp_session_done() with "[m,n]" for "m"
    requests and "n" replies, provided either m or n is > 1.

  - New variable accessible from policy:

    watchdog_interval
      how often the watchdog should check for whether
      Bro is making internal progress
  
  - A bunch of functions no longer have a first argument of the
    current time; get it instead from network_time() if you need it:

    authentication_accepted
    authentication_rejected
    conn_weird
    conn_weird_addl
    flow_weird
    net_weird
  
  - A bunch of functions now return bool rather than int values:

    set_contents_file
    set_login_state
    set_record_packets
    skip_further_processing

  - The variable "hot_dests" has been renamed to "hot_dsts".
  
  - 111/tcp is now identified as "portmap" rather than "rpc".

  - Connections flagged as hot for some types of characteristics
    are now annotated with the reason associated with the
    decision. (I think a lot more of this is needed.)

  - Portmapper dumps are annotated with the results of the mapping.
    This will be streamlined in the future.

- Vern