-
Notifications
You must be signed in to change notification settings - Fork 2
/
NEWS
2379 lines (1780 loc) · 94.9 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
This document summarizes the most important changes in the current Bro
release. For an exhaustive list of changes, see the ``CHANGES`` file
(note that submodules, such as BroControl and Broccoli, come with
their own ``CHANGES``.)
Bro 2.6.2
=========
This is a security patch release to address potential Denial of
Service vulnerabilities:
- Integer type mismatches in BinPAC-generated parser code and Bro
analyzer code may allow for crafted packet data to cause
unintentional code paths in the analysis logic to be taken due to
unsafe integer conversions causing the parser and analysis logic
to each expect different fields to have been parsed. One such
example, reported by Maksim Shudrak, causes the Kerberos analyzer
to dereference a null pointer. CVE-2019-12175 was assigned for
this issue.
- The Kerberos parser allows for several fields to be left
uninitialized, but they were not marked with an &optional attribute
and several usages lacked existence checks. Crafted packet data
could potentially cause an attempt to access such uninitialized
fields, generate a runtime error/exception, and leak memory.
Existence checks and &optional attributes have been added to the
relevent Kerberos fields.
- BinPAC-generated protocol parsers commonly contain fields whose
length is derived from other packet input, and for those that allow
for incremental parsing, BinPAC did not impose a limit on how
large such a field could grow, allowing for remotely-controlled
packet data to cause growth of BinPAC's flowbuffer bounded only
by the numeric limit of an unsigned 64-bit integer, leading
to memory exhaustion. There is now a generalized limit for
how large flowbuffers are allowed to grow, tunable by setting
"BinPAC::flowbuffer_capacity_max".
Bro 2.6.1
=========
Bro 2.6.1 updates the embedded SQLite to version 3.26.0 to address the
"Magellan" remote code execution vulnerability. The stock Bro
configuration/scripts don't use SQLite by default, but custom user
scripts/packages may.
This release also updates Broker to v1.1.2, which includes a minor bug
fix in its Python bindings and improved support for building it as a
static library.
Bro 2.6
=======
New Functionality
-----------------
- Bro has switched to using the new Broker library for all its
communication. Broker's API has been completely redesigned (compared
to the version in 2.5), and much of its implementation has been
redone. There's a new script-level "broker" framework that
supersedes the old "communication" framework, which is now
deprecated. All scripts that ship with Bro have been ported to use
Broker. BroControl has likewise been ported to use Broker.
For more about the new Broker framework, see
https://www.bro.org/sphinx-git/frameworks/broker.html. There's also
a guide there for porting existing Bro scripts to Broker. For more
about Broker itself, including its API for external applications,
see https://bro-broker.readthedocs.io/en/stable
When using BroControl, the function of proxies has changed with
Broker. If you are upgrading and have configured more than one proxy
currenty, we recommend going back down to a single proxy node now.
That should be fine unless you are using custom scripts doing
significant data distribution through the new cluster framework.
A side effect of the switch to using Broker is that each Bro node now runs
as a single process instead of two. Also, the number of file descriptors
being polled in Bro's main event loop has been reduced (1 per worker
versus 5). This should increase the number of workers one can
use before reaching the common 1024 file descriptor limitation of
"select()".
- Bro now has new "is" and "as" script operators for dynamic
type-checking and casting.
- "v as T" casts a value v into a value of type T, assuming that's
possible (if not, it triggers a runtime error).
- "v is T" returns a boolean indicating whether value v can be
casted into type T (i.e., if true then "v as T" will succeed).
This casting supports three cases currently: (1) a value of
declared type "any" can be casted to its actual underlying type;
(2) Broker values can be casted to their corresponding script
types; and (3) all values can be casted to their declared types
(i.e., a no-op).
Example for "any"::
# cat a.bro
function check(a: any)
{
local s: string = "default";
if ( a is string )
s = (a as string);
print fmt("s=%s", s);
}
event bro_init()
{
check("Foo");
check(1);
}
# bro a.bro
s=Foo
s=default
- The existing "switch" statement got extended to now also support switching by
type rather than value. The new syntax supports two type-based versions
of "case":
- "case type T: ...": Take branch if operand can be casted to type T.
- "case type T as x: ... ": Take branch if operand can be casted
to type T, and make the casted value available through ID "x".
Multiple types can be listed per branch, separated by commas.
However, one cannot mix cases with expressions and types inside a
single switch statement.
Example::
function switch_one(v: any)
{
switch (v) {
case type string:
print "It's a string!";
break;
case type count as c:
print "It's a count!", c;
break;
case type bool, type addr:
print "It's a bool or address!";
break;
default:
print "Something else!";
break;
}
}
- Bro now comes with a new "configuration framework" that allows
updating script options dynamically at runtime. This functionality
consists of three larger pieces working together:
- Option variables: The new "option" keyword allows variables to be
declared as runtime options. Such variables cannot be changed
using normal assignments. Instead, they can be changed using the
new function "Config::set_value". This function will automatically
apply the change to all nodes in a cluster. Note that options can also
be changed using the new function "Option::set", but this function will
not send the change to any other nodes, so Config::set_value should
typically be used instead of Option::set.
Various redef-able constants in the standard Bro scripts have
been converted to runtime options. This change will not affect any
user scripts because the initial value of runtime options can still be
redefined with a "redef" declaration. Example::
option testvar = "old value";
redef testvar = "new value";
It is possible to "subscribe" to an option through
"Option::set_change_handler", which will trigger a handler callback
when an option changes. Change handlers can optionally modify
values before they are applied by returning the desired value, or
reject updates by returning the old value. Priorities can be
specified if there are several handlers for one option.
Example script::
option testbool: bool = T;
function option_changed(ID: string, new_value: bool): bool
{
print fmt("Value of %s changed from %s to %s", ID, testbool, new_value);
return new_value;
}
event bro_init()
{
print "Old value", testbool;
Option::set_change_handler("testbool", option_changed);
Option::set("testbool", F);
print "New value", testbool;
}
- Script-level configuration framework: The new script framework
base/framework/config facilitates reading in new option values
from external files at runtime. The format for these files looks
like this::
[option name][tab/spaces][new variable value]
Configuration files to read can be specified by adding them to
"Config::config_files".
Usage example::
redef Config::config_files += { "/path/to/config.dat" };
module TestConfig;
export {
option testbool: bool = F;
}
The specified file will now be monitored continuously for changes, so
that writing "TestConfig::testbool T" into ``/path/to/config.dat`` will
automatically update the option's value accordingly.
The configuration framework creates a ``config.log`` that shows all
value changes that took place.
- Config reader: Internally, the configuration framework uses a new
type of input reader to read such configuration files into Bro.
The reader uses the option name to look up the type that variable
has, converts the read value to the correct type, and then updates
the option's value. Example script use::
type Idx: record {
option_name: string;
};
type Val: record {
option_val: string;
};
global currconfig: table[string] of string = table();
event InputConfig::new_value(name: string, source: string, id: string, value: any)
{
print id, value;
}
event bro_init()
{
Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]);
}
- Support for OCSP and Signed Certificate Timestamp. This adds the
following events and BIFs:
- Events:
- ocsp_request
- ocsp_request_certificate
- ocsp_response_status
- ocsp_response_bytes
- ocsp_response_certificate
- ocsp_extension
- x509_ocsp_ext_signed_certificate_timestamp
- ssl_extension_signed_certificate_timestamp
- Functions:
- sct_verify
- x509_subject_name_hash
- x509_issuer_name_hash
- x509_spki_hash
- The SSL scripts provide a new hook "ssl_finishing(c: connection)"
to trigger actions after the handshake has concluded.
- New functionality has been added to the TLS parser, adding several
events. These events mostly extract information from the server and client
key exchange messages. The new events are:
- ssl_ecdh_server_params
- ssl_dh_server_params
- ssl_server_signature
- ssl_ecdh_client_params
- ssl_dh_client_params
- ssl_rsa_client_pms
Since "ssl_ecdh_server_params" contains more information than the old
"ssl_server_curve" event, "ssl_server_curve" is now marked as deprecated.
- The "ssl_application_data" event was retired and replaced with
"ssl_plaintext_data".
- Some SSL events were changed and now provide additional data. These events
are:
- ssl_client_hello
- ssl_server_hello
- ssl_encrypted_data
If you use these events, you can make your scripts work on old and new
versions of Bro by wrapping the event definition in an "@if", for example::
@if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) )
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
@else
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
@endif
- Functions for retrieving files by their ID have been added:
- Files::file_exists
- Files::lookup_File
- New functions in the logging API:
- Log::get_filter_names
- Log::enable_stream
- HTTP now recognizes and skips upgraded/websocket connections. A new event,
"http_connection_upgrade", is raised in such cases.
- A new hook, HTTP::sqli_policy, may be used to whitelist requests that
could otherwise be counted as SQL injection attempts.
- Added a MOUNT3 protocol parser
- This is not enabled by default (no ports are registered and no
DPD signatures exist, so no connections will end up attaching the
new Mount analyzer). If it were to be activated by users, the
following events are available:
- mount_proc_null
- mount_proc_mnt
- mount_proc_umnt
- mount_proc_umnt_all
- mount_proc_not_implemented
- mount_reply_status
- Added new NFS events:
- nfs_proc_symlink
- nfs_proc_link
- nfs_proc_sattr
- The SMB scripts in ``policy/protocols/smb`` are now moved into
``base/protocols/smb`` and loaded/enabled by default. If you previously
loaded these scripts from their ``policy/`` location (in local.bro or
other custom scripts) you may now remove/change those although they
should still work since ``policy/protocols/smb`` is simply a placeholder
script that redirects to the new ``base/`` location.
- Added new SMB events:
- smb1_transaction_secondary_request
- smb1_transaction2_secondary_request
- smb1_transaction_response
- Bro can now decrypt Kerberos tickets, and retrieve the authentication from
them, given a suitable keytab file.
- Added support for bitwise operations on "count" values. '&', '|' and
'^' are binary "and", "or" and "xor" operators, and '~' is a unary
ones-complement operator.
- The '&' and '|' operators can apply to patterns, too. p1 & p2 yields
a pattern that represents matching p1 followed by p2, and p1 | p2 yields
a pattern representing matching p1 or p2. The p1 | p2 functionality was
semi-present in previous versions of Bro, but required constants as
its operands; now you can use any pattern-valued expressions.
- You can now specify that a pattern matches in a case-insensitive
fashion by adding 'i' to the end of its specification. So for example
/fOO/i == "Foo" yields T, as does /fOO/i in "xFoObar".
You can achieve the same functionality for a subpattern enclosed in
parentheses by adding "?i:" to the open parenthesis. So for example
/foo|(?i:bar)/ will match "BaR", but not "FoO".
For both ways of specifying case-insensitivity, characters enclosed in
double quotes remain case-sensitive. So for example /"foo"/i will not
match "Foo", but it will match "foo".
- "make install" now installs Bro's include headers (and more) into
"--prefix" so that compiling plugins no longer needs access to a
source/build tree. For OS distributions, this also facilitates
creating "bro-devel" packages providing all files necessary to build
plugins.
- Bro now supports PPPoE over QinQ.
- Bro now supports OpenSSL 1.1.
- The new connection/conn.log history character 'W' indicates that
the originator ('w' = responder) advertised a TCP zero window
(instructing the peer to not send any data until receiving a
non-zero window).
- The connection/conn.log history characters 'C' (checksum error seen),
'T' (retransmission seen), and 'W' (zero window advertised) are now
repeated in a logarithmic fashion upon seeing multiple instances
of the corresponding behavior. Thus a connection with 2 C's in its
history means that the originator sent >= 10 packets with checksum
errors; 3 C's means >= 100, etc.
- The above connection history behaviors occurring multiple times
(i.e., starting at 10 instances, than again for 100 instances,
etc.) generate corresponding events:
- tcp_multiple_checksum_errors
- udp_multiple_checksum_errors
- tcp_multiple_zero_windows
- tcp_multiple_retransmissions
Each has the same form, e.g.::
event tcp_multiple_retransmissions(c: connection, is_orig: bool,
threshold: count);
- Added support for set union, intersection, difference, and comparison
operations. The corresponding operators for the first three are
"s1 | s2", "s1 & s2", and "s1 - s2". Relationals are in terms
of subsets, so "s1 < s2" yields true if s1 is a proper subset of s2
and "s1 == s2" if the two sets have exactly the same elements.
"s1 <= s2" holds for subsets or equality, and similarly "s1 != s2",
"s1 > s2", and "s1 >= s2" have the expected meanings in terms
of non-equality, proper superset, and superset-or-equal.
- An expression of the form "v += e" will append the value of the expression
"e" to the end of the vector "v" (of course assuming type-compatibility).
"redef v += { a, b, c }" will similarly extend a vector previously declared
with &redef by appending the result of expressions "a", "b", and "c" to
the vector at initialization-time.
- A new "@deprecated" directive was added. It marks a script-file as
deprecated.
Changed Functionality
---------------------
- All communication is now handled through Broker, requiring changes
to existing scripts to port them over to the new API. The Broker
framework documentation comes with a porting guide.
- The DHCP analyzer and its script-layer interface have been rewritten.
- Supports more DHCP options than before.
- The DHCP log now represents DHCP sessions based on transaction ID
and works on Bro cluster deployments.
- Removed the ``policy/protocols/dhcp/known-devices-and-hostnames.bro``
script since it's generally less relevant now with the updated log.
- Removed the ``base/protocols/dhcp/utils.bro`` script and thus the
"reverse_ip" function.
- Replaced all DHCP events with the single "dhcp_message" event.
The list of removed events includes:
- dhcp_discover
- dhcp_offer
- dhcp_request
- dhcp_decline
- dhcp_ack
- dhcp_nak
- dhcp_release
- dhcp_inform
- A new script, ``policy/protocols/dhcp/deprecated_events.bro``, may be
loaded to aid those transitioning away from the list of "removed"
events above. The script provides definitions for the old events
and automatically generates them from a "dhcp_message" handler, thus
providing equivalent functionality to the previous Bro release.
Such usage emits deprecation warnings.
- Removed ``policy/misc/known-devices.bro`` script and thus
``known_devices.log`` will no longer be created.
- The "--with-binpac" configure option has changed to mean "path
to the binpac executable" instead of "path to binpac installation root".
- The MIME types used to identify X.509 certificates in SSL
connections changed from "application/pkix-cert" to
"application/x-x509-user-cert" for host certificates and
"application/x-x509-ca-cert" for CA certificates.
- The "ssl_server_curve" event is considered deprecated and will be removed
in the future. See the new "ssl_ecdh_server_params" event for a
replacement.
- The Socks analyzer no longer logs passwords by default. This
brings its behavior in line with the FTP/HTTP analyzers which also
do not log passwords by default.
To restore the previous behavior and log Socks passwords, use::
redef SOCKS::default_capture_password = T;
- The DNS base scripts no longer generate some noisy and annoying
weirds:
- dns_unmatched_msg
- dns_unmatched_msg_quantity
- dns_unmatched_reply
- The "tunnel_parents" field of ``conn.log`` is now marked ``&optional``, so,
in the default configuration of logs, this field will show "-"
instead of "(empty)" for connections that lack any tunneling.
- SMB event argument changes:
- "smb1_transaction_request" now has two additional arguments, "parameters"
and "data" strings
- "smb1_transaction2_request" now has an additional "args" record argument
- The "SMB::write_cmd_log" option has been removed and the corresponding
logic moving to ``policy/protocols/smb/log-cmds.bro`` which can simply
be loaded to produce the same effect of toggling the old flag on.
- SSL event argument changes:
- "ssl_server_signature" now has an additional argument
"signature_and_hashalgorithm".
- The "dnp3_header_block" event no longer has the "start" parameter.
- The "string_to_pattern()" and now-deprecated "merge_pattern()"
built-ins are no longer restricted to only be called at initialization time.
- GeoIP Legacy Database support has been replaced with GeoIP2 MaxMind DB
format support.
- This updates the "lookup_location" and "lookup_asn" BIFs to use
libmaxminddb. The motivation for this is that MaxMind is discontinuing
GeoLite Legacy databases: no updates after April 1, 2018, no downloads
after January 2, 2019. It's also noted that all GeoIP Legacy databases
may be discontinued as they are superseded by GeoIP2.
- "Weird" events are now generally suppressed/sampled by default according to
some tunable parameters:
- Weird::sampling_whitelist
- Weird::sampling_threshold
- Weird::sampling_rate
- Weird::sampling_duration
Those options can be changed if one needs the previous behavior of
a "net_weird", "flow_weird", or "conn_weird" event being raised for
every single event.
The original ``weird.log`` may not differ much with these changes,
except in the cases where a particular weird type exceeds the
sampling threshold.
Otherwise, there is a new ``weird_stats.log`` generated via
``policy/misc/weird-stats.bro`` which contains concise summaries
of weird counts per type per time period.
- Improved DCE-RPC analysis via tracking of context identifier mappings
- These DCE-RPC events now contain an additional context-id argument:
- dce_rpc_bind
- dce_rpc_request
- dce_rpc_response
- Added new events:
- dce_rpc_alter_context
- dce_rpc_alter_context_resp
- The default value of ``Pcap::snaplen`` changed from 8192 to 9216 bytes
to better accommodate jumbo frames.
- Improvements to ``ntlm.log`` to fix incorrect reporting of login
success/failure. Also, the "status" field was removed and
"server_nb_computer_name", "server_dns_computer_name", and
"server_tree_name" fields added.
- BroControl: The output of the broctl "top" command has changed slightly.
The "Proc" column has been removed from the output. This column previously
indicated whether each Bro process was the "parent" or "child", but this
is no longer relevant because each Bro node now runs as a single process.
- The ``DNP3::function_codes`` name for request 0x21 has been corrected from
"AUTHENTICATE_ERR" to "AUTHENTICATE_REQ_NR".
- The ``DNS::query_types`` names for resource records 41 and 100 have been
corrected from "EDNS" to "OPT" and "DINFO" to "UINFO", respectively.
Removed Functionality
---------------------
- We no longer maintain any Bro plugins as part of the Bro
distribution. Most of the plugins that used to be in aux/plugins have
been moved over to use the Bro Package Manager instead. See
https://packages.bro.org for a list of Bro packages currently
available.
- The "ocsp_request" event no longer has "requestorName" parameter.
- The node-specific ``site/local-*.bro`` scripts have been removed.
- BroControl: The "IPv6Comm" and "ZoneID" options are no longer
available (though Broker should be able to handle IPv6 automatically).
Deprecated Functionality
------------------------
- The old communication system is now deprecated and scheduled for
removal with the next Bro release. This includes the "communication"
framework, the ``&sychronized`` attributes, and the existing
communication-related BiFs. Use Broker instead.
- The infrastructure for serializing Bro values into a binary
representation is now deprecated and scheduled for removal with the
next Bro release. This includes the ``&persistent`` attribute, as well
as BIFs like "send_id()". Use Broker data stores and the new
configuration framework instead.
- Mixing of scalars and vectors, such as "v + e" yielding a vector
corresponding to the vector v with the scalar e added to each of
its elements, has been deprecated.
- The built-in function "merge_pattern()" has been deprecated. It will
be replaced by the '&' operator for patterns.
- The undocumented feature of using "&&" and "||" operators for patterns
has been deprecated.
- BroControl: The "update" command is deprecated and scheduled for
removal with the next Bro release. Bro's new configuration framework
is taking its place.
Bro 2.5.5
=========
Bro 2.5.5 primarily addresses security issues.
- Fix array bounds checking in BinPAC: for arrays that are fields within
a record, the bounds check was based on a pointer to the start of the
record rather than the start of the array field, potentially resulting
in a buffer over-read.
- Fix SMTP command string comparisons: the number of bytes compared was
based on the user-supplied string length and can lead to incorrect
matches. e.g. giving a command of "X" incorrectly matched
"X-ANONYMOUSTLS" (and an empty commands match anything).
The following changes address potential vectors for Denial of Service
reported by Christian Titze & Jan Grashöfer of Karlsruhe Institute of
Technology:
- "Weird" events are now generally suppressed/sampled by default according
to some tunable parameters:
- Weird::sampling_whitelist
- Weird::sampling_threshold
- Weird::sampling_rate
- Weird::sampling_duration
Those options can be changed if one needs the previous behavior of
a "net_weird", "flow_weird", or "conn_weird" event being raised for
every single event. Otherwise, there is a new weird_stats.log which
contains concise summaries of weird counts per type per time period
and the original weird.log may not differ much either, except in
the cases where a particular weird type exceeds the sampling threshold.
These changes help improve performance issues resulting from excessive
numbers of weird events.
- Improved handling of empty lines in several text protocol analyzers
that can cause performance issues when seen in long sequences.
- Add 'smtp_excessive_pending_cmds' weird which serves as a notification
for when the "pending command" queue has reached an upper limit and
been cleared to prevent one from attempting to slowly exhaust memory.
Bro 2.5.4
=========
Bro 2.5.4 primarily fixes security issues:
* Multiple fixes and improvements to BinPAC generated code related to
array parsing, with potential impact to all Bro's BinPAC-generated
analyzers in the form of buffer over-reads or other invalid memory
accesses depending on whether a particular analyzer incorrectly
assumed that the evaulated-array-length expression is actually the
number of elements that were parsed out from the input.
* The NCP analyzer (not enabled by default and also updated to actually
work with newer Bro APIs in the release) performed a memory allocation
based directly on a field in the input packet and using signed integer
storage. This could result in a signed integer overflow and memory
allocations of negative or very large size, leading to a crash or
memory exhaustion. The new NCP::max_frame_size tuning option now
limits the maximum amount of memory that can be allocated.
There's also the following bug fixes:
* A memory leak in the SMBv1 analyzer.
* The MySQL analyzer was generally not working as intended, for example,
it now is able to parse responses that contain multiple results/rows.
Bro 2.5.3
=========
Bro 2.5.3 fixes a security issue in Binpac generated code. In some cases
the code generated by binpac could lead to an integer overflow which can
lead to out of bound reads and allow a remote attacker to crash Bro; there
is also a possibility that this can be exploited in other ways.
Bro 2.5.2
=========
Bro 2.5.2 fixes a security issue in the ContentLine analyzer. In rare cases
a bug in the ContentLine analyzer can lead to an out of bound write of a single
byte. This allows a remote attacker to crash Bro; there also is a possibility
this can be exploited in other ways. CVE-2017-1000458 has been assigned to this
issue.
Bro 2.5.1
=========
New Functionality
-----------------
- Bro now includes bifs for rename, unlink, and rmdir.
- Bro now includes events for two extensions used by TLS 1.3:
ssl_extension_supported_versions and ssl_extension_psk_key_exchange_modes
- Bro now includes hooks that can be used to interact with log processing
on the C++ level.
- Bro now supports ERSPAN. Currently this ignores the ethernet header that is
carried over the tunnel; if a MAC is logged currently only the outer MAC
is returned.
- Added a new BroControl option CrashExpireInterval to enable
"broctl cron" to remove crash directories that are older than the
specified number of days (the default value is 0, which means crash
directories never expire).
- Added a new BroControl option MailReceivingPackets to control
whether or not "broctl cron" will mail a warning when it notices
that no packets were seen on an interface.
- There is a new broctl command-line option "--version" which outputs
the BroControl version.
Changed Functionality
---------------------
- The input framework's Ascii reader is now more resilient. If an input
is marked to reread a file when it changes and the file didn't exist
during a check Bro would stop watching the file in previous versions.
The same could happen with bad data in a line of a file. These
situations do not cause Bro to stop watching input files anymore. The
old behavior is available through settings in the Ascii reader.
- The RADIUS scripts have been reworked. Requests are now logged even if
there is no response. The new framed_addr field in the log indicates
if the radius server is hinting at an address for the client. The ttl
field indicates how quickly the server is replying to the network access
server.
- With the introduction of the Bro package manager, the Bro plugin repository
is considered deprecated. The af_packet, postgresql, and tcprs plugins have
already been removed and are available via bro-pkg.
Bro 2.5
=======
New Dependencies
----------------
- Bro now requires a compiler with C++11 support for building the
source code.
- Bro now requires Python instead of Perl to compile the source code.
- When enabling Broker (which is disabled by default), Bro now requires
version 0.14 of the C++ Actor Framework.
New Functionality
-----------------
- SMB analyzer. This is the rewrite that has been in development for
several years. The scripts are currently not loaded by default and
must be loaded manually by loading policy/protocols/smb. The next
release will load the smb scripts by default.
- Implements SMB1+2.
- Fully integrated with the file analysis framework so that files
transferred over SMB can be analyzed.
- Includes GSSAPI and NTLM analyzer and reimplements the DCE-RPC
analyzer.
- New logs: smb_cmd.log, smb_files.log, smb_mapping.log, ntlm.log,
and dce_rpc.log
- Not every possible SMB command or functionality is implemented, but
generally, file handling should work whenever files are transferred.
Please speak up on the mailing list if there is an obvious oversight.
- Bro now includes the NetControl framework. The framework allows for easy
interaction of Bro with hard- and software switches, firewalls, etc.
New log files: netcontrol.log, netcontrol_catch_release.log,
netcontrol_drop.log, and netcontrol_shunt.log.
- Bro now includes the OpenFlow framework which exposes the data structures
necessary to interface to OpenFlow capable hardware.
- Bro's Intelligence Framework was refactored and new functionality
has been added:
- The framework now supports the new indicator type Intel::SUBNET.
As subnets are matched against seen addresses, the new field 'matched'
in intel.log was introduced to indicate which indicator type(s) caused
the hit.
- The new function remove() allows to delete intelligence items.
- The intel framework now supports expiration of intelligence items.
Expiration can be configured using the new Intel::item_expiration constant
and can be handled by using the item_expired() hook. The new script
do_expire.bro removes expired items.
- The new hook extend_match() allows extending the framework. The new
policy script whitelist.bro uses the hook to implement whitelisting.
- Intel notices are now suppressible and mails for intel notices now
list the identified services as well as the intel source.
- There is a new file entropy analyzer for files.
- Bro now supports the remote framebuffer protocol (RFB) that is used by
VNC servers for remote graphical displays. New log file: rfb.log.
- Bro now supports the Radiotap header for 802.11 frames.
- Bro now has rudimentary IMAP and XMPP analyzers examining the initial
phases of the protocol. Right now these analyzers only identify
STARTTLS sessions, handing them over to TLS analysis. These analyzers
do not yet analyze any further IMAP/XMPP content.
- New funtionality has been added to the SSL/TLS analyzer:
- Bro now supports (draft) TLS 1.3.
- The new event ssl_extension_signature_algorithm() allows access to the
TLS signature_algorithms extension that lists client supported signature
and hash algorithm pairs.
- The new event ssl_extension_key_share gives access to the supported named
groups in TLS 1.3.
- The new event ssl_application_data gives information about application data
that is exchanged before encryption fully starts. This is used to detect
when encryption starts in TLS 1.3.
- Bro now tracks VLAN IDs. To record them inside the connection log,
load protocols/conn/vlan-logging.bro.
- A new dns_CAA_reply() event gives access to DNS Certification Authority
Authorization replies.
- A new per-packet event raw_packet() provides access to layer 2
information. Use with care, generating events per packet is
expensive.
- A new built-in function, decode_base64_conn() for Base64 decoding.
It works like decode_base64() but receives an additional connection
argument that will be used for decoding errors into weird.log
(instead of reporter.log).
- A new get_current_packet_header() bif returns the headers of the current
packet.
- Three new built-in functions for handling set[subnet] and table[subnet]:
- check_subnet(subnet, table) checks if a specific subnet is a member
of a set/table. This is different from the "in" operator, which always
performs a longest prefix match.
- matching_subnets(subnet, table) returns all subnets of the set or table
that contain the given subnet.
- filter_subnet_table(subnet, table) works like matching_subnets, but returns
a table containing all matching entries.
- Several built-in functions for handling IP addresses and subnets were added:
- is_v4_subnet(subnet) checks whether a subnet specification is IPv4.
- is_v6_subnet(subnet) checks whether a subnet specification is IPv6.
- addr_to_subnet(addr) converts an IP address to a /32 subnet.
- subnet_to_addr(subnet) returns the IP address part of a subnet.
- subnet_width(subnet) returns the width of a subnet.
- The IRC analyzer now recognizes StartTLS sessions and enables the SSL
analyzer for them.
- The misc/stats.bro script is now loaded by default and logs more Bro
execution statistics to the stats.log file than it did previously. It
now also uses the standard Bro log format.
- A set of new built-in functions for gathering execution statistics:
get_net_stats(), get_conn_stats(), get_proc_stats(),
get_event_stats(), get_reassembler_stats(), get_dns_stats(),
get_timer_stats(), get_file_analysis_stats(), get_thread_stats(),
get_gap_stats(), get_matcher_stats()
- Two new functions haversine_distance() and haversine_distance_ip()
for calculating geographic distances. The latter function requires that Bro
be built with libgeoip.
- Table expiration timeout expressions are evaluated dynamically as
timestamps are updated.
- The pcap buffer size can be set through the new option Pcap::bufsize.
- Input framework readers stream types Table and Event can now define a custom
event (specified by the new "error_ev" field) to receive error messages
emitted by the input stream. This can, e.g., be used to raise notices in
case errors occur when reading an important input source.
- The logging framework now supports user-defined record separators,
renaming of column names, as well as extension data columns that can
be added to specific or all logfiles (e.g., to add new names).
- The new "bro-config" script can be used to determine the Bro installation
paths.
- New BroControl functionality in aux/broctl:
- There is a new node type "logger" that can be specified in
node.cfg (that file has a commented-out example). The purpose of
this new node type is to receive logs from all nodes in a cluster
in order to reduce the load on the manager node. However, if
there is no "logger" node, then the manager node will handle
logging as usual.
- The post-terminate script will send email if it fails to archive
any log files. These mails can be turned off by changing the
value of the new BroControl option MailArchiveLogFail.
- Added the ability for "broctl deploy" to reload the BroControl
configuration (both broctl.cfg and node.cfg). This happens
automatically if broctl detects any changes to those config files
since the last time the config was loaded. Note that this feature
is relevant only when using the BroControl shell interactively.
- The BroControl plugin API has a new function "broctl_config".
This gives plugin authors the ability to add their own script code
to the autogenerated broctl-config.bro script.
- There is a new BroControl plugin for custom load balancing. This
plugin can be used by setting "lb_method=custom" for your worker
nodes in node.cfg. To support packet source plugins, it allows
configuration of a prefix and suffix for the interface name.
- New Bro plugins in aux/plugins:
- af_packet: Native AF_PACKET support.
- kafka : Log writer interfacing to Kafka.
- myricom: Native Myricom SNF v3 support.
- pf_ring: Native PF_RING support.
- postgresql: A PostgreSQL reader/writer.
- redis: An experimental log writer for Redis.
- tcprs: A TCP-level analyzer detecting retransmissions, reordering, and more.
Changed Functionality
---------------------
- Log changes:
- Connections
The 'history' field gains two new flags: '^' indicates that
Bro heuristically flipped the direction of the connection.
't/T' indicates the first TCP payload retransmission from
originator or responder, respectively.
- Intelligence
New field 'matched' to indicate which indicator type(s) caused the hit.
- DNS