CHANGES

2.1-195 | 2012-12-03 14:50:33 -0800

  * Catching out-of-memory in patricia tree code. (Bill Parker)
    
2.1-194 | 2012-12-03 14:36:26 -0800

  * Renaming ASCII writer filter option 'only_single_header_row' to
    'tsv'. Also clarifying usage. Closes #912. (Robin Sommer)

2.1-193 | 2012-12-03 14:11:14 -0800

  * Fix a set of bugs with table/set attributes. (Jon Siwek)

    - Identifiers that are initialized with set()/table() constructor
      expressions now inherit attributes from the expression.  Before,
      statements like

         const i: set[string] = set() &redef;

      associated the attribute with the set() constructor, but not the
      "i" identifier, preventing redefinition.  Addresses #866.

    - Allow &default attribute to apply to tables initialized as empty
      (via either "{ }" or "table()") or if the expression supplied to it
      can evaluate to a type that's promotable to the same yield type as
      the table.

2.1-191 | 2012-12-03 14:08:56 -0800

  * Add test of record() constructor to table initializer unit test.
    (Jon Siwek)

  * Fix table(), set(), vector() constructors in table initializer
    lists. Also adds type checking of yield values to table()
    constructor and fixes the type checking of yield values in
    vector() constructor. Addresses #5. (Jon Siwek)

2.1-188 | 2012-12-03 14:04:29 -0800

  * Hook functions now callable with "hook" expression (i.e., hook is
    no longer a statement). The return value of the call is an
    implicit boolean value of T if all hook handlers ran, or F if one
    hook handler exited as a result of a break statement and
    potentially prevented other handlers from running.

    Scripts don't need to declare hooks with an explicit return type of bool
    (internally, that's assumed), and any values given to (optional) return
    statements in handler definitions are just ignored.

    Addresses #918. (Jon Siwek)

  * Clarification in hook documentation. (Jon Siwek)

2.1-184 | 2012-12-03 13:59:50 -0800

  * Slightly fix up file name extraction from Content-Disposition
    headers. (Seth Hall)

  * Adding -b flag to bro in unit tests so they run faster.

  * Fixed a DNS attribute issue. Reported by Matt Thompson. (Seth
    Hall)

  * Adding NEWS placeholder for hooks and CSV mode. (Robin Sommer)
    
2.1-178 | 2012-11-23 19:35:32 -0800

  * The ASCII writer now supports a new filter config option
    "only_single_header_row" that turns the output into CSV format
    when set to "T". (Carsten Langer)

  * Add new function flavor called a "hook". This new flavor of
    function behaves like a "synchronous event". See
    doc/scripts/builtins.rst more details on usage. (Jon Siwek)

  * Improve auto-generated enum documentation. The names of enum types
    are tracked so that variables holding a value of a given enum type
    can generate a reference to it instead of just listing the type as
    a generic "enum". (Jon Siwek)

2.1-171 | 2012-11-23 18:24:15 -0800

  * Fix ambiguity between composite table index and record ctor
    expressions. If a table type is "global t = table[conn_id, bool]
    of count", then checking membership like "[c$id, is_orig] in t"
    now works. Addresses #80. (Jon Siwek)

2.1-169 | 2012-11-23 18:21:32 -0800

  * Fix some warnings from sphinx when building docs. (Jon Siwek)

2.1-167 | 2012-11-14 13:19:17 -0800

  * Add a new BIF "bytestring_to_double" for converting from a binary
    representation of a double. Addresses #908. (Carsten Langer/Daniel
    Thayer)

2.1-162 | 2012-11-13 17:29:00 -0800

  * Fix modbus register array parsing. (Jon Siwek)

  * Adjustments to modbus test cases. (Jon Siwek)

2.1-157 | 2012-11-08 16:22:00 -0800

  * Fix for lookup_hostname BIF. (Jon Siwek)

  * Fix for modbus test portability. (Robin Sommer)

2.1-152 | 2012-11-05 16:52:34 -0800

  * Initial version of a completely reworked intelligence framework.
    See doc/intel.rst for more information. (Seth Hall)

  * Experimental Modbus analyzer. See policy/protocols/modbus/* for
    example policies. (Dina Hadziosmanovic, Seth Hall)

2.1-112 | 2012-11-05 13:58:20 -0800

  * New base script for detecting cases of checksum offloading. 
    Reporter messages will now tell if one has bad checksums. (Seth
    Hall)

  * Clarifying ownership rules for BroString constructors. (Robin
    Sommer)

2.1-109 | 2012-11-05 13:39:34 -0800

  * Add detection rate threshold for MHR. (Vlad Grigorescu)
    
  * lookup_hostname_txt fixes. (Vlad Grigorescu)
    
2.1-104 | 2012-11-01 10:37:50 -0700

  * A new built-in function lookup_hostname_txt() provides support for
    DNS TXT queries. (Vlad Grigorescu)

2.1-101 | 2012-10-31 14:30:26 -0700

  * Documentation reorg: The install info has been consolidated into a
    single document (INSTALL), the upgrade info has been moved from
    the FAQ to a section in the install doc, and the "upgrading from
    1.5 to 2.0" document has been updated (and renamed) to also
    include 2.0 to 2.1 upgrade info. (Daniel Thayer)

2.1-96 | 2012-10-31 14:23:50 -0700

  * Renaming option defining the frequency of alarm summary mails to
    'Logging::default_alarm_mail_interval'. (Daniel Thayer)

2.1-91 | 2012-10-24 16:04:47 -0700

  * Adding PPPoE support to Bro. (Seth Hall)

2.1-87 | 2012-10-24 15:40:06 -0700

  * Adding missing &redef for some TCP options. Addresses #905, #906,
    #907. (Carsten Langer)

2.1-86 | 2012-10-24 15:37:11 -0700

  * Add parsing rules for IPv4/IPv6 subnet literal constants.
    Addresses #888. (Jon Siwek)

2.1-84 | 2012-10-19 15:12:56 -0700

  * Added a BiF strptime() to wrap the corresponding C function. (Seth
    Hall)

2.1-82 | 2012-10-19 15:05:40 -0700

  * Add IPv6 support to signature header conditions. (Jon Siwek)

    - "src-ip" and "dst-ip" conditions can now use IPv6 addresses/subnets.
      They must be written in colon-hexadecimal representation and enclosed
      in square brackets (e.g. [fe80::1]).  Addresses #774.

    - "icmp6" is now a valid protocol for use with "ip-proto" and "header"
      conditions.  This allows signatures to be written that can match
      against ICMPv6 payloads.  Addresses #880.

    - "ip6" is now a valid protocol for use with the "header" condition.
      (also the "ip-proto" condition, but it results in a no-op in that
      case since signatures apply only to the inner-most IP packet when
      packets are tunneled).  This allows signatures to match specifically
      against IPv6 packets (whereas "ip" only matches against IPv4 packets).

    - "ip-proto" conditions can now match against IPv6 packets.  Before,
      IPv6 packets were just silently ignored which meant DPD based on
      signatures did not function for IPv6 -- protocol analyzers would only
      get attached to a connection over IPv6 based on the well-known ports
      set in the "dpd_config" table.

2.1-80 | 2012-10-19 14:48:42 -0700

  * Change how "gridftp" gets added to service field of connection
    records. In addition to checking for a finished SSL handshake over
    an FTP connection, it now also requires that the SSL handshake
    occurs after the FTP client requested AUTH GSSAPI, more
    specifically identifying the characteristics of GridFTP control
    channels. Addresses #891. (Jon Siwek)

  * Allow faster rebuilds in certain cases. Previously, when
    rebuilding with a different "--prefix" or "--scriptdir", all Bro
    source files were recompiled.  With this change, only util.cc is
    recompiled. (Daniel Thayer)

2.1-76 | 2012-10-12 10:32:39 -0700

  * Add support for recognizing GridFTP connections as an extension to
    the standard FTP analyzer. (Jon Siwek)

    This is enabled by default and includes:

      - An analyzer for GSI mechanism of GSSAPI FTP AUTH method. GSI
        authentication involves an encoded TLS/SSL handshake over the
        FTP control session. For FTP sessions that attempt GSI
        authentication, the *service* field of the connection log will
        include "gridftp" (as well as also "ftp" and "ssl").

      - Add an example of a GridFTP data channel detection script. It
        relies on the heuristics of GridFTP data channels commonly
        default to SSL mutual authentication with a NULL bulk cipher
        and that they usually transfer large datasets (default
        threshold of script is 1 GB).  The script also defaults to
        skip_further_processing() after detection to try to save
        cycles analyzing the large, benign connection.

        For identified GridFTP data channels, the *services* fields of
        the connection log will include "gridftp-data".

  * Add *client_subject* and *client_issuer_subject* as &log'd fields
    to SSL::Info record.  Also add *client_cert* and
    *client_cert_chain* fields to track client cert chain. (Jon Siwek)

  * Add a script in base/protocols/conn/polling that generalizes the
    process of polling a connection for interesting features. The
    GridFTP data channel detection script depends on it to monitor
    bytes transferred. (Jon Siwek)

2.1-68 | 2012-10-12 09:46:41 -0700

  * Rename the Input Framework's update_finished event to end_of_data.
    It will now not only fire after table-reads have been completed,
    but also after the last event of a whole-file-read (or
    whole-db-read, etc.). (Bernhard Amann)

  * Fix for DNS log problem when a DNS response is seen with 0 RRs.
    (Seth Hall)

2.1-64 | 2012-10-12 09:36:41 -0700

  * Teach --disable-dataseries/--disable-elasticsearch to ./configure.
    Addresses #877. (Jon Siwek)

  * Add --with-curl option to ./configure. Addresses #877. (Jon Siwek)
    
2.1-61 | 2012-10-12 09:32:48 -0700

  * Fix bug in the input framework: the config table did not work.
    (Bernhard Amann)

2.1-58 | 2012-10-08 10:10:09 -0700

  * Fix a problem with non-manager cluster nodes applying
    Notice::policy. This could, for example, result in duplicate
    emails being sent if Notice::emailed_types is redef'd in local.bro
    (or any script that gets loaded on all cluster nodes). (Jon Siwek)

2.1-56 | 2012-10-03 16:04:52 -0700

  * Add general FAQ entry about upgrading Bro. (Jon Siwek)

2.1-53 | 2012-10-03 16:00:40 -0700

  * Add new Tunnel::delay_teredo_confirmation option that indicates
    that the Teredo analyzer should wait until it sees both sides of a
    connection using a valid Teredo encapsulation before issuing a
    protocol_confirmation. Default is on. Addresses #890. (Jon Siwek)

2.1-50 | 2012-10-02 12:06:08 -0700

  * Fix a typing issue that prevented the ElasticSearch timeout to
    work. (Matthias Vallentin)

  * Use second granularity for ElasticSearch timeouts. (Matthias
    Vallentin)

  * Fix compile issues with older versions of libcurl, which don't
    offer *_MS timeout constants. (Matthias Vallentin)

2.1-47 | 2012-10-02 11:59:29 -0700

  * Fix for the input framework: BroStrings were constructed without a
    final \0, which makes them unusable by basically all internal
    functions (like to_count). (Bernhard Amann)

  * Remove deprecated script functionality (see NEWS for details).
    (Daniel Thayer)
    
2.1-39 | 2012-09-29 14:09:16 -0700

  * Reliability adjustments to istate tests with network
    communication. (Jon Siwek)

2.1-37 | 2012-09-25 14:21:37 -0700

  * Reenable some tests that previously would cause Bro to exit with
    an error. (Daniel Thayer)

  * Fix parsing of large integers on 32-bit systems. (Daniel Thayer)
    
  * Serialize language.when unit test with the "comm" group. (Jon
    Siwek)

2.1-32 | 2012-09-24 16:24:34 -0700

  * Fix race condition in language/when.bro test. (Daniel Thayer)

2.1-26 | 2012-09-23 08:46:03 -0700

  * Add an item to FAQ page about broctl options. (Daniel Thayer)
    
  * Add more language tests. We now have tests of all built-in Bro
    data types (including different representations of constant
    values, and max./min. values), keywords, and operators (including
    special properties of certain operators, such as short-circuit
    evaluation and associativity). (Daniel Thayer)

  * Fix construction of ip6_ah (Authentication Header) record values.

    Authentication Headers with a Payload Len field set to zero would
    cause a crash due to invalid memory allocation because the
    previous code assumed Payload Len would always be great enough to
    contain all mandatory fields of the header. (Jon Siwek)

  * Update compile/dependency docs for OS X. (Jon Siwek)

  * Adjusting Mac binary packaging script. Setting CMAKE_PREFIX_PATH
    helps link against standard system libs instead of ones that come
    from other package manager (e.g. MacPorts). (Jon Siwek)

  * Adjusting some unit tests that do cluster communication. (Jon Siwek)

  * Small change to non-blocking DNS initialization. (Jon Siwek)
    
  * Reorder a few statements in scan.l to make 1.5msecs etc work.
    Adresses #872. (Bernhard Amann)

2.1-6 | 2012-09-06 23:23:14 -0700

  * Fixed a bug where "a -= b" (both operands are intervals) was not
    allowed in Bro scripts (although "a = a - b" is allowed). (Daniel
    Thayer)

  * Fixed a bug where the "!=" operator with subnet operands was
    treated the same as the "==" operator. (Daniel Thayer)

  * Add sleeps to configuration_update test for better reliability.
    (Jon Siwek)

  * Fix a segfault when iterating over a set when using malformed
    index. (Daniel Thayer)

2.1 | 2012-08-28 16:46:42 -0700

  * Make bif.identify_magic robust against FreeBSD's libmagic config.
    (Robin Sommer)

  * Remove automatic use of gperftools on non-Linux systems.
    --enable-perftools must now explicity be supplied to ./configure
    on non-Linux systems to link against the tcmalloc library.

  * Fix uninitialized value for 'is_partial' in TCP analyzer. (Jon
    Siwek)

  * Parse 64-bit consts in Bro scripts correctly. (Bernhard Amann)
    
  * Output 64-bit counts correctly on 32-bit machines (Bernhard Amann)
    
  * Input framework fixes, including:  (Bernhard Amann)

    - One of the change events got the wrong parameters.

    - Escape commas in sets and vectors that were unescaped before
      tokenization.

    - Handling of zero-length-strings as last element in a set was
      broken (sets ending with a ,).

    - Hashing of lines just containing zero-length-strings was broken.

    - Make set_separators different from , work for input framework.
      
    - Input framework was not handling counts and ints out of
      32-bit-range correctly.

    - Errors in single lines do not kill processing, but simply ignore
      the line, log it, and continue.

  * Update documentation for builtin types. (Daniel Thayer)
    
    - Add missing description of interval "msec" unit.
      
    - Improved description of pattern by clarifying the issue of
      operand order and difference between exact and embedded
      matching.

  * Documentation fixes for signature 'eval' conditions. (Jon Siwek)
    
  * Remove orphaned 1.5 unit tests. (Jon Siwek)

  * Add type checking for signature 'eval' condition functions. (Jon
    Siwek)
    
  * Adding an identifier to the SMTP blocklist notices for duplicate
    suppression. (Seth Hall)

2.1-beta-45 | 2012-08-22 16:11:10 -0700

  * Add an option to the input framework that allows the user to chose
    to not die upon encountering files/functions. (Bernhard Amann)

2.1-beta-41 | 2012-08-22 16:05:21 -0700

  * Add test serialization to "leak" unit tests that use
    communication. (Jon Siwek)

  * Change to metrics/basic-cluster unit test for reliability. (Jon
    Siwek)

  * Fixed ack tracking which could overflow quickly in some
    situations. (Seth Hall)

  * Minor tweak to coverage.bare-mode-errors unit test to work with a
    symlinked 'scripts' dir. (Jon Siwek)

2.1-beta-35 | 2012-08-22 08:44:52 -0700

  * Add testcase for input framework reading sets (rather than
    tables). (Bernhard Amann)

2.1-beta-31 | 2012-08-21 15:46:05 -0700

  * Tweak to rotate-custom.bro unit test. (Jon Siwek)
    
  * Ignore small mem leak every rotation interval for dataseries logs.
    (Jon Siwek)

2.1-beta-28 | 2012-08-21 08:32:42 -0700

  * Linking ES docs into logging document. (Robin Sommer)

2.1-beta-27 | 2012-08-20 20:06:20 -0700

  * Add the Stream record to Log:active_streams to make more dynamic
    logging possible. (Seth Hall)

  * Fix portability of printing to files returned by
    open("/dev/stderr"). (Jon Siwek)

  * Fix mime type diff canonifier to also skip mime_desc columns. (Jon
    Siwek)

  * Unit test tweaks/fixes. (Jon Siwek)

    - Some baselines for tests in "leaks" group were outdated.

    - Changed a few of the cluster/communication tests to terminate
      more explicitly instead of relying on btest-bg-wait to kill
      processes.  This makes the tests finish faster in the success case
      and makes the reason for failing clearer in the that case.

  * Fix memory leak of serialized IDs when compiled with
    --enable-debug. (Jon Siwek)

2.1-beta-21 | 2012-08-16 11:48:56 -0700

  * Installing a handler for running out of memory in "new". Bro will
    now print an error message in that case rather than abort with an
    uncaught exception. (Robin Sommer)

2.1-beta-20 | 2012-08-16 11:43:31 -0700

  * Fixed potential problems with ElasticSearch output plugin. (Seth
    Hall)

2.1-beta-13 | 2012-08-10 12:28:04 -0700

  * Reporter warnings and error now print to stderr by default. New
	options Reporter::warnings_to_stderr and
	Reporter::errors_to_stderr to disable. (Seth Hall)

2.1-beta-9 | 2012-08-10 12:24:29 -0700

  * Add more BIF tests. (Daniel Thayer)

2.1-beta-6 | 2012-08-10 12:22:52 -0700

  * Fix bug in input framework with an edge case. (Bernhard Amann)
    
  * Fix small bug in input framework test script. (Bernhard Amann)
    
2.1-beta-3 | 2012-08-03 10:46:49 -0700

  * Merge branch 'master' of ssh://git.bro-ids.org/bro (Robin Sommer)
    
  * Fix configure script to exit with non-zero status on error (Jon
    Siwek)

  * Improve ASCII output performance. (Robin Sommer)

2.1-beta | 2012-07-30 11:59:53 -0700

  * Improve log filter compatibility with remote logging. Addresses
    #842. (Jon Siwek)

2.0-907 | 2012-07-30 09:13:36 -0700

  * Add missing breaks to switch cases in
    ElasticSearch::HTTPReceive(). (Jon Siwek)

2.0-905 | 2012-07-28 16:24:34 -0700

  * Fix log manager hanging on waiting for pending file rotations,
    plus writer API tweak for failed rotations. Addresses #860. (Jon
    Siwek and Robin Sommer)

  * Tweaking logs-to-elasticsearch.bro so that it doesn't do anything
    if ES server is unset. (Robin Sommer)

2.0-902 | 2012-07-27 12:42:13 -0700

  * New variable in logging framework Log::active_streams to indicate
    Log:ID enums which are currently active. (Seth Hall)

  * Reworked how the logs-to-elasticsearch scripts works to stop
    abusing the logging framework. (Seth Hall)

  * Fix input test for recent default change on fastpath. (Robin
    Sommer)

2.0-898 | 2012-07-27 12:22:03 -0700

  * Small (potential performance) improvement for logging framework. (Seth Hall)

  * Script-level rotation postprocessor fix. This fixes a problem with
    writers that don't have a postprocessor. (Seth Hall)

  * Update input framework documentation to reflect want_record
    change. (Bernhard Amann)

  * Fix crash when encountering an InterpreterException in a predicate
    in logging or input Framework. (Bernhard Amann)

  * Input framework: Make want_record=T the default for events
    (Bernhard Amann)
    
  * Changing the start/end markers in logs to open/close now
    reflecting wall clock. (Robin Sommer)

2.0-891 | 2012-07-26 17:15:10 -0700

  * Reader/writer API: preventing plugins from receiving further
    messages after a failure. (Robin Sommer)

  * New test for input framework that fails to find a file. (Robin
    Sommer)
    
  * Improving error handling for threads. (Robin Sommer)
    
  * Tweaking the custom-rotate test to produce stable output. (Robin
    Sommer)

2.0-884 | 2012-07-26 14:33:21 -0700

  * Add comprehensive error handling for close() calls. (Jon Siwek)
    
  * Add more test cases for input framework. (Bernhard Amann)

  * Input framework: make error output for non-matching event types
    much more verbose. (Bernhard Amann)

2.0-877 | 2012-07-25 17:20:34 -0700

  * Fix double close() in FilerSerializer class. (Jon Siwek)
    
  * Fix build warnings. (Daniel Thayer)

  * Fixes to ElasticSearch plugin to make libcurl handle http
    responses correctly. (Seth Hall)

  * Fixing FreeBSD compiler error. (Robin Sommer)
    
  * Silencing compiler warnings. (Robin Sommer)

2.0-871 | 2012-07-25 13:08:00 -0700

  * Fix complaint from valgrind about uninitialized memory usage. (Jon
    Siwek)

  * Fix differing log filters of streams from writing to same
    writer/path (which now produces a warning, but is otherwise
    skipped for the second). Addresses #842. (Jon Siwek)

  * Fix tests and error message for to_double BIF. (Daniel Thayer)

  * Compile fix. (Robin Sommer)

2.0-866 | 2012-07-24 16:02:07 -0700

  * Correct a typo in usage message. (Daniel Thayer)
    
  * Fix file permissions of log files (which were created with execute
    permissions after a recent change). (Daniel Thayer)

2.0-862 | 2012-07-24 15:22:52 -0700

  * Fix initialization problem in logging class. (Jon Siwek)

  * Input framework now accepts escaped ASCII values as input (\x##),
    and unescapes appropiately. (Bernhard Amann)

  * Make reading ASCII logfiles work when the input separator is
    different from \t. (Bernhard Amann)

  * A number of smaller fixes for input framework. (Bernhard Amann)

2.0-851 | 2012-07-24 15:04:14 -0700

  * New built-in function to_double(s: string). (Scott Campbell)

2.0-849 | 2012-07-24 11:06:16 -0700

  * Adding missing include needed on some systems. (Robin Sommer)

2.0-846 | 2012-07-23 16:36:37 -0700

  * Fix WriterBackend::WriterInfo serialization, reenable ascii
    start/end tags. (Jon Siwek)

2.0-844 | 2012-07-23 16:20:59 -0700

  * Reworking parts of the internal threading/logging/input APIs for
    thread-safety. (Robin Sommer)

  * Bugfix for SSL version check. (Bernhard Amann)

  * Changing a HTTP DPD from port 3138 to 3128. Addresses #857. (Robin
    Sommer)

  * ElasticSearch logging writer. See logging-elasticsearch.rst for
    more information. (Vlad Grigorescu and Seth Hall).

  * Give configure a --disable-perftools option to disable Perftools
    support even if found. (Robin Sommer)

  * The ASCII log writer now includes "#start <timestamp>" and "#end
    <timestamp> lines in the each file. (Robin Sommer)

  * Renamed ASCII logger "header" options to "meta". (Robin Sommer)

  * ASCII logs now escape '#' at the beginning of log lines. Addresses
    #763. (Robin Sommer)

  * Fix bug, where in dns.log rcode always was set to 0/NOERROR when
    no reply package was seen. (Bernhard Amann)

  * Updating to Mozilla's current certificate bundle. (Seth Hall)

2.0-769 | 2012-07-13 16:17:33 -0700

  * Fix some Info:Record field documentation. (Vlad Grigorescu)

  * Fix overrides of TCP_ApplicationAnalyzer::EndpointEOF. (Jon Siwek)

  * Fix segfault when incrementing whole vector values. Also removed
    RefExpr::Eval(Val*) method since it was never called. (Jon Siwek)

  * Remove baselines for some leak-detecting unit tests. (Jon Siwek)

  * Unblock SIGFPE, SIGILL, SIGSEGV and SIGBUS for threads, so that
    they now propagate to the main thread. Adresses #848. (Bernhard
    Amann)

2.0-761 | 2012-07-12 08:14:38 -0700

  * Some small fixes to further reduce SOCKS false positive logs. (Seth Hall)

  * Calls to pthread_mutex_unlock now log the reason for failures.
    (Bernhard Amann)

2.0-757 | 2012-07-11 08:30:19 -0700

  * Fixing memory leak. (Seth Hall)

2.0-755 | 2012-07-10 16:25:16 -0700

  * Add sorting canonifier to rotate-custom unit test. Addresses #846.
    (Jon Siwek)

  * Fix many compiler warnings. (Daniel Thayer)

  * Fix segfault when there's an error/timeout resolving DNS requests.
    Addresses #846. (Jon Siwek)

  * Remove a non-portable test case. (Daniel Thayer)

  * Fix typos in input framework doc. (Daniel Thayer)

  * Fix typos in DataSeries documentation. (Daniel Thayer)

  * Bugfix making custom rotate functions work again. (Robin Sommer)

  * Tiny bugfix for returning writer name. (Robin Sommer)

  * Moving make target update-doc-sources from top-level Makefile to
    btest Makefile. (Robin Sommer)

2.0-733 | 2012-07-02 15:31:24 -0700

  * Extending the input reader DoInit() API. (Bernhard Amann). It now
    provides a Info struct similar to what we introduced for log
    writers, including a corresponding "config" key/value table.

  * Fix to make writer-info work when debugging is enabled. (Bernhard
    Amann)

2.0-726 | 2012-07-02 15:19:15 -0700

  * Extending the log writer DoInit() API. (Robin Sommer)

    We now pass in a Info struct that contains:

        - the path name (as before)
        - the rotation interval
        - the log_rotate_base_time in seconds
        - a table of key/value pairs with further configuration options.

    To fill the table, log filters have a new field "config: table[string]
    of strings". This gives a way to pass arbitrary values from
    script-land to writers. Interpretation is left up to the writer.

  * Split calc_next_rotate() into two functions, one of which is
    thread-safe and can be used with the log_rotate_base_time value
    from DoInit().

  * Updates to the None writer. (Robin Sommer)

        - It gets its own script writers/none.bro.

        - New bool option LogNone::debug to enable debug output. It then
          prints out all the values passed to DoInit().

        - Fixed a bug that prevented Bro from terminating.

2.0-723 | 2012-07-02 15:02:56 -0700

  * Extract ICMPv6 NDP options and include in ICMP events.  This adds
    a new parameter of type "icmp6_nd_options" to the ICMPv6 neighbor
    discovery events. Addresses #833. (Jon Siwek)

  * Set input frontend type before starting the thread. This means
    that the thread type will be output correctly in the error
    message. (Bernhard Amann)

2.0-719 | 2012-07-02 14:49:03 -0700

  * Fix inconsistencies in random number generation. The
    srand()/rand() interface was being intermixed with the
    srandom()/random() one.  The later is now used throughout. (Jon
    Siwek)

  * Changed the srand() and rand() BIFs to work deterministically if
    Bro was given a seed file. Addresses #825. (Jon Siwek)

  * Updating input framework unit tests to make them more reliable and
    execute quicker. (Jon Siwek)

  * Fixed race condition in writer and reader initializations. (Jon
    Siwek)

  * Small tweak to make test complete quicker. (Jon Siwek)

  * Drain events before terminating log/thread managers. (Jon Siwek)

  * Fix strict-aliasing warning in RemoteSerializer.cc. Addresses
    #834. (Jon Siwek)

  * Fix typos in event documentation. (Daniel Thayer)

  * Fix typos in NEWS for Bro 2.1 beta. (Daniel Thayer)

2.0-709 | 2012-06-21 10:14:24 -0700

  * Fix exceptions thrown in event handlers preventing others from running. (Jon Siwek)

  * Add another SOCKS command. (Seth Hall)

  * Fixed some problems with the SOCKS analyzer and tests. (Seth Hall)

  * Updating NEWS in preparation for beta. (Robin Sommer)

  * Accepting different AF_INET6 values for loopback link headers.
    (Robin Sommer)

2.0-698 | 2012-06-20 14:30:40 -0700

  * Updates for the SOCKS analyzer (Seth Hall).

    - A SOCKS log!

    - Now supports SOCKSv5 in the analyzer and the DPD sigs.

    - Added protocol violations.

  * Updates to the tunnels framework. (Seth Hall)

    - Make the uid field optional since it's conceptually incorrect
      for proxies being treated as tunnels to have it.

    - Reordered two fields in the log.

    - Reduced the default tunnel expiration interface to something
      more reasonable (1 hour).

  * Make Teredo bubble packet parsing more lenient. (Jon Siwek)

  * Fix a crash in NetSessions::ParseIPPacket(). (Jon Siwek)

2.0-690 | 2012-06-18 16:01:33 -0700

  * Support for decapsulating tunnels via the new tunnel framework in
    base/frameworks/tunnels.

    Bro currently supports Teredo, AYIYA, IP-in-IP (both IPv4 and
    IPv6), and SOCKS. For all these, it logs the outher tunnel
    connections in both conn.log and tunnel.log, and proceeds to
    analyze the inner payload as if it were not tunneled, including
    also logging it in conn.log (with a new tunnel_parents column
    pointing back to the outer connection(s)). (Jon Siwek, Seth Hall,
    Gregor Maier)

  * The options "tunnel_port" and "parse_udp_tunnels" have been
    removed. (Jon Siwek)

2.0-623 | 2012-06-15 16:24:52 -0700

  * Changing an error in the input framework to a warning. (Robin
    Sommer)

2.0-622 | 2012-06-15 15:38:43 -0700

  * Input framework updates. (Bernhard Amann)

    - Disable streaming reads from executed commands. This lead to
      hanging Bros because pclose apparently can wait for eternity if
      things go wrong.

     - Automatically delete disabled input streams.

     - Documentation.

2.0-614 | 2012-06-15 15:19:49 -0700

  * Remove an old, unused diff canonifier. (Jon Siwek)

  * Improve an error message in ICMP analyzer. (Jon Siwek)

  * Fix a warning message when building docs. (Daniel Thayer)

  * Fix many errors in the event documentation. (Daniel Thayer)

2.0-608 | 2012-06-11 15:59:00 -0700

  * Add more error handling code to logging of enum vals. Addresses
    #829. (Jon Siwek)

2.0-606 | 2012-06-11 15:55:56 -0700

  * Fix summary lines for BIF documentation and corrected the
    description of "fmt" and "floor" BIFs. (Daniel Thayer)

  * Fix val_size BIF tests and improve docs. (Daniel Thayer)

2.0-602 | 2012-06-07 15:06:19 -0700

  * Include header for usleep(), caused compile failure on Archlinux. (Jon Siwek)

  * Revert "Fixed a bug with the MIME analyzer not removing whitespace
    on wrapped headers." Needs discussion. (Robin Sommer)

2.0-598 | 2012-06-06 11:47:00 -0700

  * Add @load-sigs directive for loading signature files (addresses
    #551). This can be used to load signatures relative to the current
    scripts (e.g., "@load-sigs ./foo.sig"). (Jon Siwek)


2.0-596 | 2012-06-06 11:41:00 -0700

    * Fixes for some BiFs and their documentation. (Daniel Thayer)

    * Many new unit tests for BiFs. (Daniel Thayer)

2.0-579 | 2012-06-06 11:04:46 -0700

  * Memory leak fixes for bad usages of VectorVal ctor. (Jon Siwek)

  * Fixed a bug with the MIME analyzer not removing whitespace on
    wrapped headers. (Seth Hall)

  * Change Input::update_finished lookup to happen at init time. (Jon Siwek)

  * Fix going through the internal_handler() function which will now
    set the event as "used" (i.e. it's marked as being raised
    somewhere). Addresses #823. (Jon Siwek)

  * Fix format specifier on RemoteSerializer::Connect. This caused
    32-bit systems to show a warning at compile-time, and fail when
    connecting to peers. (Jon Siwek)

  * Fixes for running tests in parallel. (Robin Sommer)

2.0-571 | 2012-05-30 19:12:43 -0700

  * Updating submodule(s).

2.0-570 | 2012-05-30 19:08:18 -0700

  * A new input framework enables scripts to read in external data
    dynamically on the fly as Bro is processing network traffic.
    (Bernhard Amann)

    Currently, the framework supports reading ASCII input that's
    structured similar as Bro's log files as well as raw blobs of
    data. Other formats will come in the future.

    See doc/input.rst for more information (this will be extended
    further soon).

2.0-395 | 2012-05-30 17:03:31 -0700

  * Remove unnecessary assert in ICMP analyzer which could lead to
    aborts. Addresses #822.

  * Improve script debugger backtrace and print commands. (Jon Siwek)

  * Switching default DS compression to gzip. (Robin Sommer)

  * Improve availability of IPv6 flow label in connection records.
    This adds a "flow_label" field to the "endpoint" record type,
    which is used for both the "orig" and "resp" fields of
    "connection" records.  The new "connection_flow_label_changed"
    event also allows tracking of changes in flow labels: it's raised
    each time one direction of the connection starts using a different
    label. (Jon Siwek)

  * Add unit tests for Broccoli SSL and Broccoli IPv6 connectivity.
    (Jon Siwek)

  * Remove AI_ADDRCONFIG getaddrinfo hints flag for listening sockets.
    (Jon Siwek)

  * Undo unnecessary communication protocol version bump. (Jon Siwek)

  * Add support to Bro for connecting with peers over IPv6. (Jon Siwek)

    - Communication::listen_ipv6 needs to be redef'd to true in order
      for IPv6 listening sockets to be opened.

    - Added Communication::listen_retry option as an interval at which
      to retry binding to socket addresses that were already in use.

    - Added some explicit baselines to check in the istate.events and
      istate.events-ssl tests -- the SSL test was incorrectly passing
      because it compared two empty files.  (The files being empty
      because "http/base" was given as an argument to Bro which it
      couldn't handle because that script doesn't exist anymore).

    - Support for communication over non-global IPv6 addresses. This
      usually requires specifying an additional zone identifier (see
      RFC 4007). The connect() and listen() BIFs have been changed to
      accept this zone identifier as an argument.


2.0-377 | 2012-05-24 16:46:06 -0700

  * Documentation fixes. (Jon Siwek and Daniel Thayer)

2.0-372 | 2012-05-17 13:59:45 -0700

  * Fix compile errors. (Jon Siwek)

  * Linking in the DS docs. (Robin Sommer)

  * Fix mobility checksums unit test. (Jon Siwek)

2.0-367 | 2012-05-17 12:42:30 -0700

  * Adding support for binary output via DataSeries. See
    logging-dataseries.rst for more information. (Gilbert Clark and
    Robin Sommer)

  * Adding target update-doc-sources to top-level Makefile that runs
    genDocSourcesList.sh. (Robin Sommer)

  * Moving trace for rotation test into traces directory. (Robin Sommer)

  * Fixing a rotation race condition at termination. (Robin Sommer)

  * Extending log post-processor call to include the name of the
    writer. (Robin Sommer)

  * In threads, an internal error now immediately aborts. Otherwise,
    the error won't make it back to the main thread for a while and
    subsequent code in the thread would still execute. (Robin Sommer)

  * DataSeries cleanup. (Robin Sommer)

  * Fixing threads' DoFinish() method. It wasn't called reliably. Now,
    it's always called before the thread is destroyed (assuming
    processing has went normally so far). (Robin Sommer)

2.0-341 | 2012-05-17 09:54:30 -0700

  * Add a comment to explain the ICMPv6 error message types. (Daniel Thayer)

  * Quieting external test output somehwat. (Robin Sommer)

2.0-336 | 2012-05-14 17:15:44 -0700

  * Don't print the various "weird" events to stderr. Address #805.
    (Daniel Thayer)

  * Generate icmp_error_message event for ICMPv6 error msgs.
    Previously, icmp_sent was being generated, but icmp_error_message
    contains more info.

  * Improved documentation comments for icmp-related events. (Daniel
    Thayer)

2.0-330 | 2012-05-14 17:05:56 -0700

  * Add `addr_to_uri` script-level function that adds brackets to an
    address if it's IPv6 and will be included in a URI or when a
    ":<port>" needs to be appended to it. (Jon Siwek)

  * Also add a test case for content extraction. (Jon Siwek)

  * Fix typos and improve INSTALL document. (Daniel Thayer)

  * Switching to new btest command TEST-SERIALIZE for communication
    tests. (Robin Sommer)

2.0-323 | 2012-05-04 21:04:34 -0700

  * Add SHA1 and SHA256 hashing BIFs. Addresses #542.

  * Refactor all internal MD5 stuff to use OpenSSL's. (Jon Siwek)

  * Changes to open-file caching limits and uncached file unserialization. (Jon Siwek)

    - Unserializing files that were previously kicked out of the open-file
      cache would cause them to be fopen'd with the original access
      permissions which is usually 'w' and causes truncation.  They
      are now opened in 'a' mode.  (addresses #780)

    - Add 'max_files_in_cache' script option to manually set the maximum
      amount of opened files to keep cached.  Mainly this just helped
      to create a simple test case for the above change.

    - Remove unused NO_HAVE_SETRLIMIT preprocessor switch.

    - On systems that don't enforce a limit on number of files opened for
      the process, raise default max size of open-file cache from
      32 to 512.

2.0-319 | 2012-05-03 13:24:44 -0700

  * SSL bugfixes and cleanup. (Seth Hall)

    - SSL related files and classes renamed to remove the "binpac" term.

    - A small fix for DPD scripts to make the DPD log more helpful if
      there are multiple continued failures.

    - Fixed the SSL analyzer to make it stop doing repeated violation
      messages for some handshake failures.

    - Added a $issuer_subject to the SSL log.

    - Created a basic test for SSL.

    - Fixed parsing of TLS server extensions. (Seth Hall)

2.0-315 | 2012-05-03 11:44:17 -0700

  * Add two more TLS extension values that we see in live traffic.
    (Bernhard Amann)

  * Fixed IPv6 link local unicast CIDR and added IPv6 loopback to
    private address space. (Seth Hall)

  * Fixed a problem where cluster workers were still processing
    notices in some cases. (Seth Hall)

  * Added a configure option to specify the 'etc' directory. Addresses
    #801. (Daniel Thayer)


2.0-306 | 2012-04-24 14:37:00 -0700

  * Add further TLS extension values "extended_random" and
    "heartbeat". (Seth Hall)

  * Fix problem with extracting FTP passwords and add "ftpuser" as
    another anonymous username.  (Seth Hall, discovered by Patrik
    Lundin).

2.0-303 | 2012-04-19 10:01:06 -0700

  * Changes related to ICMPv6 Neighbor Discovery messages. (Jon Siwek)

    - The 'icmp_conn' record now contains an 'hlim' field since hop limit
      in the IP header is an interesting field for at least these ND
      messages.

    - Fixed and extended 'icmp_router_advertisement' event parameters.

    - Changed 'icmp_neighbor_advertisement' event parameters to add
      more of the known boolean flags.

2.0-301 | 2012-04-17 17:58:55 -0700

  * Bro now support ICMPv6. (Matti Mantere, Jon Siwek, Robin Sommer,
	Daniel Thayer).

	Overall, Bro now raises the following ICMP events for v4 and v6 as
	appropiate:

        event icmp_sent(c: connection, icmp: icmp_conn);
        event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string);
        event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string);
        event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context);
        event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context);
        event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count, context: icmp_context);
        event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context);
        event icmp_parameter_problem(c: connection, icmp: icmp_conn, code: count, context: icmp_context);
        event icmp_router_solicitation(c: connection, icmp: icmp_conn);
        event icmp_router_advertisement(c: connection, icmp: icmp_conn, hop_limit: count, managed: bool, router_lifetime: count, reachable_time: interval, retrans_timer: interval);
        event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt:addr);
        event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, tgt:addr);
        event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr);

    The `icmp_conn` record got a new boolean field 'v6' that indicates
    whether the ICMP message is v4 or v6.

    This change also includes further low-level work on existing IP
	and ICMP code, including a reorganization of how ICMPv4 is
	handled.

2.0-281 | 2012-04-17 17:40:39 -0700

  * Small updates for the bittorrent analyzer to support 64bit types
    in binpac. (Seth Hall)

  * Removed the attempt at bittorrent resynchronization. (Seth Hall)

2.0-276 | 2012-04-17 17:35:56 -0700

  * Add more support for <netinet/ip6.h>'s that lack some structure
    definitions. (Jon Siwek)

2.0-273 | 2012-04-16 18:08:56 -0700

  * Removing QR flag from DNS log in response, which should not have
    been there in the first place. (Seth Hall)

  * Sync up patricia.c/h with pysubnettree repo. (Daniel Thayer)

  * Adding missing leak groups to a couple tests. Also activating leak
    checking for proxy in basic-cluster test. (Robin Sommer)

2.0-267 | 2012-04-09 17:47:28 -0700

  * Add support for mobile IPv6 Mobility Header (RFC 6275).  (Jon
    Siwek)

    - Enabled through a new --enable-mobile-ipv6 configure-time
      option. If not enabled, the mobility header (routing type 2) and
      Home Address Destination option are ignored.

    - Accessible at script-layer through 'mobile_ipv6_message' event.

  * Refactor IP_Hdr routing header handling, add MobileIPv6 Home
    Address handling. Packets that use the Home Address Destination
    option use that option's address as the connection's originator.
    (Jon Siwek)

  * Revert TCP checksumming to cache common data, like it did before.
    (Jon Siwek)

  * Improve handling of IPv6 routing type 0 extension headers. (Jon
    Siwek)

    - flow_weird event with name argument value of "routing0_hdr" is raised
      for packets containing an IPv6 routing type 0 header because this
      type of header is now deprecated according to RFC 5095.

    - Packets with a routing type 0 header and non-zero segments left
      now use the last address in that header in order to associate
      with a connection/flow and for calculating TCP/UDP checksums.

    - Added a set of IPv4/IPv6 TCP/UDP checksum unit tests (Jon Siwek)

  * Fix table expiry for values assigned in bro_init() when reading
    live. (Jon Siwek)

2.0-257 | 2012-04-05 15:32:43 -0700

  * Fix CMake from warning about unused ENABLE_PERFTOOLS_DEBUG
    variable. (Jon Siwek)

  * Fix handling of IPv6 atomic fragments. (Jon Siwek)

  * Fix that prevents Bro processes that do neither local logging nor
    request remote logs from spawning threads. (Robin Sommer)

  * Fixing perftools-debug support. (Robin Sommer)

  * Reverting SocketComm change tuning I/O behaviour. (Robin Sommer)

  * Adding notice_policy.log canonification for external tests. (Robin Sommer)


2.0-245 | 2012-04-04 17:25:20 -0700

  * Internal restructuring of the logging framework: we now spawn
    threads doing the I/O. From a user's perspective not much should
    change, except that the OS may now show a bunch of Bro threads.
    (Gilbert Clark and Robin Sommer).

  * When building Bro, we now always link in tcmalloc if it's found at
    configure time. If it's installed but not picked up,
    --with-perftools may help. (Robin Sommer)

  * Renaming the configure option --enable-perftools to
    --enable-perftool-debug to indicate that the switch is only
    relevant for debugging the heap. It's not needed to pick up
    tcmalloc for better performance. (Robin Sommer)

2.0-184 | 2012-03-28 15:11:11 -0700

  * Improve handling of IPv6 Routing Type 0 headers.  (Jon Siwek)

    - For RH0 headers with non-zero segments left, a
      "routing0_segleft" flow_weird event is raised (with a
      destination indicating the last address in the routing header),
      and an "rh0_segleft" event can also be handled if the other
      contents of the packet header are of interest. No further
      analysis is done as the complexity required to correctly
      identify destination endpoints of connections doesn't seem worth
      it as RH0 has been deprecated by RFC 5095.

    - For RH0 headers without any segments left, a "routing0_header"
      flow_weird event is raised, but further analysis still occurs as
      normal.

2.0-182 | 2012-03-28 15:01:57 -0700

  * Remove dead tcp_checksum function from net_util. (Jon Siwek)

  * Change routing0_data_to_addrs BIF to return vector of addresses.
    The order of addresses in type 0 routing headers is
    interesting/important. (Jon Siwek)


2.0-179 | 2012-03-23 17:43:31 -0700

  * Remove the default "tcp or udp or icmp" filter. In default mode,
    Bro would load the packet filter script framework which installs a
    filter that allows all packets, but in bare mode (the -b option),
    this old filter would not follow IPv6 protocol chains and thus
    filter out packets with extension headers. (Jon Siwek)

  * Update PacketFilter/Discarder code for IP version independence.
    (Jon Siwek)

  * Fix some IPv6 header related bugs. (Jon Siwek)

  * Add IPv6 fragment reassembly. (Jon Siwek)

  * Add handling for IPv6 extension header chains. Addresses #531.
    (Jon Siwek)

    - The script-layer 'pkt_hdr' type is extended with a new 'ip6' field
      representing the full IPv6 header chain.

    - The 'new_packet' event is now raised for IPv6 packets. Addresses
      #523.

    - A new event called 'ipv6_ext_header' is raised for any IPv6
      packet containing extension headers.

    - A new event called 'esp_packet' is raised for any packets using
      ESP ('new_packet' and 'ipv6_ext_header' events provide
      connection info, but that info can't be provided here since the
      upper-layer payload is encrypted).

    - The 'unknown_protocol' weird is now raised more reliably when
      Bro sees a transport protocol or IPv6 extension header it can't
      handle. Addresses #522.

  * Add unit tests for IPv6 fragment reassembly, ipv6_ext_headers and
    esp_packet events. (Jon Siwek)

  * Adapt FreeBSD's inet_ntop implementation for internal use. Now we
    get consistent text representations of IPv6 addresses across
    platforms. (Jon Siwek)

  * Update documentation for new syntax of IPv6 literals. (Jon Siwek)


2.0-150 | 2012-03-13 16:16:22 -0700

  * Changing the regular expression to allow Site::local_nets in
    signatures. (Julien Sentier)

  * Removing a line of dead code. Found by . Closes #786. (Julien
    Sentier)

2.0-146 | 2012-03-13 15:39:38 -0700

  * Change IPv6 literal constant syntax to require encasing square
    brackets. (Jon Siwek)

2.0-145 | 2012-03-09 15:10:35 -0800

  * Remove the match expression. 'match' and 'using' are no longer
    keywords. Addressed #753. (Jon Siwek)

2.0-143 | 2012-03-09 15:07:42 -0800

  * Fix a BRO_PROFILER_FILE/mkstemp portability issue. Addresses #794.
    (Jon Siwek)

2.0-139 | 2012-03-02 09:33:04 -0800

  * Changes to how script coverage integrates with test suites. (Jon Siwek)

    - BRO_PROFILER_FILE now passes .X* templated filenames to mkstemp
      for generating unique coverage state files.

    - Rearranging Makefile targets.  The general rule is that if the
      all/brief target fails out due to a test failure, then the dependent
      coverage target won't run, but can still be invoked directly later.
      (e.g. make brief || make coverage)

  * Standardized on the &default function for SSL constants. (Seth
    Hall)

  * Adding btest group "leaks" to leak tests. (Robin Sommer)

  * Adding btest group "comm" to communication tests for parallelizing
    execution with new btest version. (Robin Sommer)

  * Sorting all output for diffing in the external tests. (Robin
    Sommer)

  * Cleaned up dead code from the old SSL analyzers. Reported by
    Julien Sentier. (Seth Hall)

  * Update/add tests for broccoli IPv6 addr/subnet support. Addresses
    #448. (Jon Siwek)

  * Remove connection compressor. Addresses #559. (Jon Siwek)

  * Refactor IP_Hdr class ctors. Addresses #532. (Jon Siwek)


2.0-121 | 2012-02-24 16:34:17 -0800

  * A number of smaller memory fixes and code cleanups. (Julien
    Sentier)

  * Add to_subnet bif. Fixes #782). (Jon Siwek)

  * Fix IPAddr::Mask/ReverseMask not allowing argument of 0. (Jon
    Siwek)

  * Refactor IPAddr v4 initialization from string. Fixes #775. (Jon Siwek)

  * Parse the dotted address string directly instead of canonicalizing
    and passing to inet_pton. (Jon Siwek)


2.0-108 | 2012-02-24 15:21:07 -0800

  * Refactoring a number of usages of new IPAddr class. (Jon Siwek)

  * Fixed a bug in remask_addr bif. (Jon Siwek)

2.0-106 | 2012-02-24 15:02:20 -0800

  * Raise minimum required CMake version to 2.6.3. (Jon Siwek)

2.0-104 | 2012-02-24 14:59:12 -0800

  * Add test case for FTP over IPv4. (Daniel Thayer)

  * Fix IPv6 URLs in ftp.log. (Daniel Thayer)

  * Add a test for FTP over IPv6 (Daniel Thayer)

  * Fix parsing of FTP EPRT command and EPSV response. (Daniel Thayer)

2.0-95 | 2012-02-22 05:27:34 -0800

  * GeoIP installation documentation update. (Seth Hall)

  * Decrease strictness of parsing IPv4 strings into addrs. Fixes #775. (Jon Siwek)

  * Fix memory leak in DNS manager. Fixes #777. (Jon Siwek)

  * Fix IPAddr/IPPrefix serialization bugs. (Jon Siwek)

  * Fix compile error. (Jon Siwek)

2.0-86 | 2012-02-17 15:41:06 -0800

  * Changing ARP detection to always kick in even if no analyzer is
    activated. (Robin Sommer)

  * DNS name lookups performed by Bro now also query AAAA records.
    DNS_Mgr handles combining the results of the A and AAAA queries
    for a given hostname such that at the scripting layer, the name
    resolution can yield a set with both IPv4 and IPv6 addresses. (Jon
    Siwek)

  * Add counts_to_addr and addr_to_counts conversion BIFs. (Jon Siwek)

  * Change HashKey threshold for using H3 to 36 bytes. (Jon Siwek)

  * Remove mention of --enable-brov6 in docs. (Daniel Thayer)

  * Remove --enable-brov6 from configure usage text (Daniel Thayer)

  * Add a test and baseline for addr_to_ptr_name BiF. (Daniel Thayer)

  * Adding a test and baseline for ptr_name_to_addr BiF. (Seth Hall)

  * Fix the ptr_name_to_addr BiF to work with IPv6 (Daniel Thayer)

  * Fix a memory leak that perftools now complains about. (Jon Siwek)

  * Remove --enable-brov6 flag, IPv6 now supported by default. (Jon Siwek)

    Some script-layer changes of note:

    - dns_AAAA_reply event signature changed: the string representation
      of an IPv6 addr is easily derived from the addr value, it doesn't
      need to be another parameter.  This event also now generated directly
      by the DNS analyzer instead of being "faked" into a dns_A_reply event.

    - Removed addr_to_count BIF.  It used to return the host-order
      count representation of IPv4 addresses only.  To make it more
      generic, we might later add a BIF to return a vector of counts
      in order to support IPv6.

    - Changed the result of enclosing addr variables in vertical pipes
      (e.g. |my_addr|) to return the bit-width of the address type which
      is 128 for IPv6 and 32 for IPv4.  It used to function the same
      way as addr_to_count mentioned above.

    - Remove bro_has_ipv6 BIF

2.0-57 | 2012-02-10 00:02:35 -0800

  * Fix typos in the documentation. (Daniel Thayer)

  * Fix compiler warning about Brofiler ctor init list order. (Jon Siwek)

  * Fix missing optional field access in webapp signature_match handler. (Jon Siwek)

2.0-41 | 2012-02-03 04:10:53 -0500

  * Updates to the Software framework to simplify the API. (Bernhard
    Amann)

2.0-40 | 2012-02-03 01:55:27 -0800

  * Fix typos in documentation. (Daniel Thayer)

  * Fix sorting of lines in Brofiler coverage.log. (Daniel Thayer)

2.0-38 | 2012-01-31 11:50:53 -0800

  * Canonify sorting of lines in Brofiler coverage.log. (Daniel
    Thayer)

2.0-36 | 2012-01-27 10:38:14 -0800

  * New "Brofiler" mode that tracks and records script statements
    executed during runtime. (Jon Siwek)

    Use the BROFILER_FILE environment variable to point to a file in
    which statement usage statistics from Bro script-layer can be
    output.

    Script statements that should be ignored can be marked with a "#
    @no-test" comment. For example:

        print "don't cover"; # @no-test

        if ( F )
            { # @no-test
            ...
            }

  * Integrated coverage measurement into test-suite. (Jon Siwek)

2.0-20 | 2012-01-25 16:34:51 -0800

  * BiF cleanup (Matthias Vallentin)

      - Rename NFS3::mode2string to a more generic file_mode().

      - Unify do_profiling()/make_connection_persistent()/expect_connection()
        to return any (i.e., nothing) instead of bools.

      - Perform type checking on count-to-port conversion. Related to #684.

      - Remove redundant connection_record() BiF. The same
        functionality is provided by lookup_connection().

      - Remove redundant active_connection() BiF. The same
        functionality is provided by connection_exists().

      - exit() now takes the exit code as argument.

      - to_port() now received a string instead of a count.

2.0-9 | 2012-01-25 13:47:13 -0800

  * Allow local table variables to be initialized with {} list
    expressions. (Jon Siwek)

2.0-7 | 2012-01-25 13:38:09 -0800

  * Teach CompHash to allow indexing by records with vector/table/set
    fields. Addresses #464. (Jon Siwek)

2.0-5 | 2012-01-25 13:25:19 -0800

  * Fixed a bug resulting in over-logging of detected webapps. (Seth Hall)

  * Make communication log baseline test more reliable. (Jon Siwek)

  * Fixed some broken links in documentation. (Daniel Thayer)

2.0 | 2012-01-11 13:52:22 -0800

  * Adding script reference documentation. (The Team).

2.0-beta-194 | 2012-01-10 10:44:32 -0800

  * Added an option for filtering out URLs before they are turned into
    HTTP::Incorrect_File_Type notices. (Seth Hall)

  * Fix ref counting bug in BIFs that call internal_type. Addresses
    #740. (Jon Siwek)

  * Adding back the stats.bro file. (Seth Hall)


2.0-beta-188 | 2012-01-10 09:49:29 -0800

  * Change SFTP/SCP log rotators to use 4-digit year in filenames
    Fixes #745. (Jon Siwek)

  * Adding back the stats.bro file. Addresses #656. (Seth Hall)

2.0-beta-185 | 2012-01-09 18:00:50 -0800

  * Tweaks for OpenBSD support. (Jon Siwek)

2.0-beta-181 | 2012-01-08 20:49:04 -0800

  * Add SFTP log postprocessor that transfers logs to remote hosts.
    Addresses #737. (Jon Siwek)

  * Add FAQ entry about disabling NIC offloading features. (Jon Siwek)

  * Add a file NEWS with release notes. (Robin Sommer)

2.0-beta-177 | 2012-01-05 15:01:07 -0800

  * Replace the --snaplen/-l command line option with a
    scripting-layer option called "snaplen" (which can also be
    redefined on the command line, e.g. `bro -i eth0 snaplen=65535`).

  * Reduce snaplen default from 65535 to old default of 8192. Fixes
    #720. (Jon Siwek)

2.0-beta-174 | 2012-01-04 12:47:10 -0800

  * SSL improvements. (Seth Hall)

    - Added the ssl_session_ticket_handshake event back.

    - Fixed a few bugs.

    - Removed the SSLv2.cc file since it's not used.

2.0-beta-169 | 2012-01-04 12:44:39 -0800

  * Tuning the pretty-printed alarm mails, which now include the
    covered time range into the subject. (Robin Sommer)

  * Adding top-level "test" target to Makefile. (Robin Sommer)

  * Adding SWIG as dependency to INSTALL. (Robin Sommer)

2.0-beta-155 | 2012-01-03 15:42:32 -0800

  * Remove dead code related to record type inheritance. (Jon Siwek)

2.0-beta-152 | 2012-01-03 14:51:34 -0800

  * Notices now record the transport-layer protocol. (Bernhard Amann)

2.0-beta-150 | 2012-01-03 14:42:45 -0800

  * CMake 2.6 top-level 'install' target compat. Fixes #729. (Jon Siwek)

  * Minor fixes to test process. Addresses #298.

  * Increase timeout interval of communication-related btests. (Jon Siwek)

2.0-beta-145 | 2011-12-19 11:37:15 -0800

  * Empty fields are now logged as "(empty)" by default. (Robin
    Sommer)

  * In log headers, only escape information when necessary. (Robin
    Sommer)

2.0-beta-139 | 2011-12-19 07:06:29 -0800

  * The hostname notice email extension works now, plus a general
    mechanism for adding delayed information to notices. (Seth Hall)

  * Fix &default fields in records not being initialized in coerced
    assignments. Addresses #722. (Jon Siwek)

  * Make log headers include the type of data stored inside a set or
    vector ("vector[string]"). (Bernhard Amann)

2.0-beta-126 | 2011-12-18 15:18:05 -0800

  * DNS updates.  (Seth Hall)

    - Fixed some bugs with capturing data in the base DNS script.

    - Answers and TTLs are now vectors.

    - A warning that was being generated (dns_reply_seen_after_done)
      from transaction ID reuse is fixed.

  * SSL updates. (Seth Hall)

    - Added is_orig fields to the SSL events and adapted script.

    - Added a field named last_alert to the SSL log.

    - The x509_certificate function has an is_orig field now instead
      of is_server and its position in the argument list has moved.

    - A bit of reorganization and cleanup in the core analyzer. (Seth
      Hall)

2.0-beta-121 | 2011-12-18 15:10:15 -0800

  * Enable warnings for malformed Broxygen xref roles. (Jon Siwek)

  * Fix Broxygen confusing scoped IDs at start of line as function
    parameter. (Jon Siwek)

  * Allow Broxygen markup "##<" for more general use. (Jon Siwek)

2.0-beta-116 | 2011-12-16 02:38:27 -0800

  * Cleanup some misc Broxygen css/js stuff. (Jon Siwek)

  * Add search box to Broxygen docs. Fixes #726. (Jon Siwek)

  * Fixed major bug with cluster synchronization, which was not
    working. (Seth Hall)

  * Fix missing action in notice policy for looking up GeoIP data.
    (Jon Siwek)

  * Better persistent state configuration warning messages (fixes
    #433). (Jon Siwek)

  * Renaming HTTP::SQL_Injection_Attack_Against to
    HTTP::SQL_Injection_Victim. (Seth Hall).

  * Fixed DPD signatures for IRC. Fixes #311. (Seth Hall)

  * Removing Off_Port_Protocol_Found notice. (Seth Hall)

  * Teach Broxygen to more generally reference attribute values by name. (Jon Siwek)

  * SSH::Interesting_Hostname_Login cleanup.  Fixes #664. (Seth Hall)

  * Fixed bug that was causing the malware hash registry script to
    break. (Seth Hall)

  * Remove remnant of libmagic optionality. (Jon Siwek)

2.0-beta-98 | 2011-12-07 08:12:08 -0800

  * Adapting test-suite's diff-all so that it expands globs in both
    current and baseline directory. Closes #677. (Robin Sommer)

2.0-beta-97 | 2011-12-06 11:49:29 -0800

  * Omit loading local-<node>.bro scripts from base cluster framework.
    Addresses #663 (Jon Siwek)

2.0-beta-94 | 2011-12-03 15:57:19 -0800

  * Adapting attribute serialization when talking to Broccoli. (Robin
    Sommer)

2.0-beta-92 | 2011-12-03 15:56:03 -0800

  * Changes to Broxygen master script package index.  (Jon Siwek)

    - Now only lists packages as those directories in the script hierarchy
      that contain an __load__.bro file.

    - Script packages (dirs with a __load__.bro file), can now include
      a README (in reST format) that will automatically be appended
      under the link to a specific package in the master package
      index.

2.0-beta-88 | 2011-12-02 17:00:58 -0800

  * Teach LogWriterAscii to use BRO_LOG_SUFFIX environemt variable.
    Addresses #704. (Jon Siwek)

  * Fix double-free of DNS_Mgr_Request object. Addresses #661.

  * Add a remote_log_peer event which comes with an event_peer record
    parameter. Addresses #493. (Jon Siwek)

  * Remove example redef of SMTP::entity_excerpt_len from local.bro.
    Fixes error emitted when loading local.bro in bare mode. (Jon
    Siwek)

  * Add missing doc targets to top Makefile; remove old doc/Makefile.
    Fixes #705. (Jon Siwek)

  * Turn some globals into constants. Addresses #633. (Seth Hall)

  * Rearrange packet filter and DPD documentation. (Jon Siwek)

2.0-beta-72 | 2011-11-30 20:16:09 -0800

  * Fine-tuning the Sphinx layout to better match www. (Jon Siwek and
    Robin Sommer)

2.0-beta-69 | 2011-11-29 16:55:31 -0800

  * Fixing ASCII logger to escape the unset-field place holder if
    written out literally. (Robin Sommer)

2.0-beta-68 | 2011-11-29 15:23:12 -0800

  * Lots of documentation polishing. (Jon Siwek)

  * Teach Broxygen the ".. bro:see::" directive. (Jon Siwek)

  * Teach Broxygen :bro:see: role for referencing any identifier in
    the Bro domain. (Jon Siwek)

  * Teach Broxygen to generate an index of Bro notices. (Jon Siwek)

  * Fix order of include directories. (Jon Siwek)

  * Catch if logged vectors do not contain only atomic types.
    (Bernhard Amann)

2.0-beta-47 | 2011-11-16 08:24:33 -0800

  * Catch if logged sets do not contain only atomic types. (Bernhard
    Amann)

  * Promote libz and libmagic to required dependencies. (Jon Siwek)

  * Fix parallel make from top-level to work on more platforms. (Jon
    Siwek)

  * Add decode_base64_custom(). Addresses #670 (Jon Siwek)

  * A bunch of Sphinx-doc reorgs and polishing. (Jon Siwek)

2.0-beta-28 | 2011-11-14 20:09:28 -0800

  * Binary packaging script tweaks. We now require CMake 2.8.6. (Jon Siwek)

  * More default "weird" tuning for the "SYN_with_data" notice. (Seth
    Hall)

  * Tiny bugfix for http file extraction along with test. (Seth Hall)

2.0-beta-21 | 2011-11-06 19:27:22 -0800

  * Quickstart doc fixes. (Jon Siwek)

2.0-beta-19 | 2011-11-03 17:41:00 -0700

  * Fixing packet filter test. (Robin Sommer)

2.0-beta-12 | 2011-11-03 15:21:08 -0700

  * No longer write to the PacketFilter::LOG stream if not reading
    traffic. (Seth Hall)

2.0-beta-10 | 2011-11-03 15:17:08 -0700

  * Notice framework documentation update. (Seth Hall)

  * Fixing compiler warnings (addresses #388) (Jon Siwek)

2.0-beta | 2011-10-27 17:46:28 -0700

  * Preliminary fix for SSH login detection: we need a counted measure
    of payload bytes (not ack tracking and not with the IP header
    which is what we have now). (Seth Hall)

  * Fixing send_id() problem. We no longer update &redef functions.
    Updating code on the fly isn't fully supported. (Robin Sommer)

  * Tuning the format of the pretty-printed alarm summaries. (Robin
    Sommer)

1.6-dev-1508 | 2011-10-26 17:24:50 -0700

  * Updating submodule(s). (Robin Sommer)

1.6-dev-1507 | 2011-10-26 15:10:18 -0700

  * Baseline updates. (Robin Sommer)

1.6-dev-1506 | 2011-10-26 14:48:43 -0700

  * Updating submodule(s). (Robin Sommer)

1.6-dev-1505 | 2011-10-26 14:43:58 -0700

  * A new base script that pretty-prints alarms in the regular
    summary. (Robin Sommer)

  * Adding a dummy log writer WRITER_NONE that just discards
    everything. (Robin Sommer)

1.6-dev-1498 | 2011-10-26 14:30:15 -0700

  * Adding instructions to local.bro how to do ACTION_ALARM by
  default. (Seth Hall)

1.6-dev-1495 | 2011-10-26 10:15:58 -0500

  * Updated unit test baselines. (Seth Hall)

1.6-dev-1491 | 2011-10-25 20:22:56 -0700

  * Updating submodule(s). (Robin Sommer)

1.6-dev-1482 | 2011-10-25 19:08:32 -0700

  * Fixing bug in log managers predicate evaluation. (Robin Sommer)

1.6-dev-1481 | 2011-10-25 18:17:03 -0700

  * Fix a problem with DNS servers being logged that aren't actually
    servers. (Seth Hall)

  * Changed generated root cert DN format for RFC2253 compliance. (Jon
    Siwek)

  * Removed :bro doc directives from notice documentation. (Seth Hall)

  * New notice framework docs. (Seth Hall)

  * Adding sub messages to emails. (Seth Hall)

  * Adding extra fields to smtp and http to track transaction depth.
    (Seth Hall)

  * Fix for SSH login detection heuristic. (Seth Hall)

  * Removed some fields from http analysis that weren't commonly
    needed or were wrong. (Seth Hall)

  * Updated/fixed MSIE version parsing in the software framework.
    (Seth Hall)

  * Update Mozilla trust roots to index certs by subject distinguished
    name. (Jon Siwek)

  * weird.bro rewrite. (Seth Hall)

  * More notice email tuning. (Seth Hall)

  * Slightly restructured http file hashing to fix a bug. (Seth Hall)

  * Changed the notice name for interesting ssh logins to correctly
    reflect semantics of the notice.  (Seth Hall)

  * Field name change to notice framwork.  $result -> $action

    - $result is renamed to $action to reflect changes to the notice
      framework since there is already another result-like field
      ($suppress_for) and there may be more in the future.

    - Slipped in a change to add connection information to notice
      emails too. (Seth Hall)

  * Small script refinements and documentation updates. (Seth Hall)

  * Pass over upgrade guide. (Robin Sommer)


1.6-dev-1430 | 2011-10-21 10:39:09 -0700

  * Fixing crash with unknown debug streams. Closes #643. (Robin
    Sommer)

  * Code to better handle interpreter errors, which can now be turned
    into non-fatal runtime errors rather than immediate aborts. (Robin
    Sommer).

  * Remove old make-src-packages script. (Jon Siwek)

  * Fixing a bunch of format strings. Closes #567. (Robin Sommer)

  * Cleaning up some distribution files. (Robin Sommer)

  * Various test, doc, and installation fixes/tweaks. (Seth Hall, Jon
    Siwek and Robin Sommer).

  * Varios smaller policy fixes and tweaks (Seth Hall).

  * Moving docs from web server into distribution. (Robin Sommer)

  * Fixing more (small) memory leaks. (Robin Sommer)

  * Profiling support for DNS_Mgr and triggers. With
    misc/profiling.bro, both now report a line in prof.log with some
    counters on usage. (Robin Sommer)

  * Fixing DNS memory leaks. Closes #534. (Robin Sommer)

  * Fix code for disabling analyzers. Closes #577. (Robin Sommer)

  * Changed communication option from listen_encrypted to listen_ssl.
    (Seth Hall)

  * Modification to the Communication framework API. (Seth Hall)

    - Simplified the communication API and made it easier to change
      to encrypted connections by not having separate variables to
      define encrypted and unencrypted ports.

    - Now, to enable listening without configuring nodes just
      load the frameworks/communication/listen script.

    - If encrypted listening is desired set the following:
    	redef Communication::listen_encrypted=T;

  * Connection compressor now disabled by default. Addresses #559.
    (Robin Sommer)


1.6-dev-1372 | 2011-10-06 18:09:17 -0700

  * Filtering some potentially high-volume DNS weirds. (Robin Sommer)

  * DNS now raises DPD events. Closes #577. (Robin Sommer)

  * Fixing a bunch of compiler warnings. (Robin Sommer)

  * Remote logs are auto-flushed if the last write was longer than a
    second ago. Addresses #498. (Robin Sommer)

  * Fix missing from previous MIME commit. (Robin Sommer)

1.6-dev-1366 | 2011-10-06 17:05:21 -0700

  * Make CompHash computation/recovery for functions deterministic.
    Closes #636. (Jon Siwek)

  * Removing unnecessary @load in local.bro. (Robin Sommer)

  * Optimizing some MIME code. (Robin Sommer)

  * Speed improvements in logging code. (Robin Sommer)

  * Consolidating some node-specific functionality from scripts in
    broctl repo. (Jon Siwek)

  * Another fix the for 1xx script code. (Robin Sommer)

1.6-dev-1352 | 2011-10-05 16:20:51 -0700

  * Fix for optional HTTP::Info status_code. (Jon Siwek)

  * Teaking some external testing scripts. (Jon Siwek)

  * HTTP bug fix reported by Martin Holste. (Seth Hall)

  * More script tuning. (Seth Hall)

    - Moved some of the weird events back to the base/ directory.

    - SSL fixes, updates, and performance optimization.

  * More adjustment to reduce Weird volumes. (Seth Hall)

  * Fixed an error when calculating x509 certificate hashes (reported
    by Martin Holste). (Seth Hall)

  * Clean up to cluster framework to make event handling clearer.
    (Seth Hall)

  * Fixed a bug in the notice framework. (Seth Hall)

  * Bug fix for FTP analysis script. (Seth Hall)

1.6-dev-1333 | 2011-09-29 22:29:51 -0700

  * Fixing a number of memory leaks. (Robin Sommer)

  * Loaded_scripts.log is indented with spaces now and makes more
     sense to look at. (Seth Hall)

  * Teach HTTP parser to derive content length of multipart/byteranges
     bodies. Addresses #488. (Jon Siwek)

  * Change logging of HTTP 1xx responses to occur in their own
    columns. Addresses #411. (Jon Siwek)

  * Fix handling of HTTP 1xx response codes. Addresses #411).

  * Taking advantage of yet another trick to get installed browser
  plugins. (Seth Hall)

    - With the software-browser-plugins script you can watch for Omniture
      advertising servers to grab the list of installed plugins.

    - I reorganized the plugin detection a bit too to abstract it better.

    - Removed the WEB_ prefix from all of the Software::Type HTTP enums.
      They were essentially redundant due to the full name already being
      HTTP::SERVER (for example).

1.6-dev-1316 | 2011-09-28 16:50:05 -0700

  * Unit test cleanup. Updated README and collected coverage-related
    tests in a common dir. (Jon Siwek)

  * Fixes for known-services. (Seth Hall)

  * Ported and 2.0ized the capture-loss script. (Seth Hall)

  * Communication fix and extension.(Robin Sommer)

    - Removing unnecessary log flushing. Closes #498.

    - Adding new BiF disconnect() that shuts a connection to a peer down.

    - terminate_connection() now first flushes any still buffered log
      messages.

  * Fix for high SSL memory usage by adding &transient attribute to
    top-level SSL pac array type. Closes #574. (Robin Sommer)

  * Fix a small bug in the metrics framework. (Seth Hall)

  * Temporarily removing scripts that aren't ready to be included.
    Will return before next release.  (Seth Hall)

  * New SSL policy scripts.  (Seth Hall)

    - protocols/ssl/expiring-certs uses time based information from
      certificates to determine if they will expire soon, have already
      expired, or haven't yet become valid.

    - protocols/ssl/extract-certs-pem is a script for taking certs off
      the line and converting them to PEM certificates with the openssl
      command line tool then dumping them to a file.

  * Notice::type_suppression_intervals: table[Notice::Type] of
    interval can be used to modify the suppression intervals for
    entire types of notices. (Seth Hall)

  * EOF SSL protocol violations are only generated a single time now.
    (Seth Hall)

  * Script level fixes.  (Seth Hall)

    - Fixed a type name conflict in the Known namespace.

    - Fixed a DPD framework bug that was causing Reporter messages.

    - Fixed the notice_policy log.

    - Predicate functions are now logged.

    - Predicate functions are now optional.  If not given, it's assumed that
      the result should always apply. (Seth Hall)

    - Fix a problem with accidental and mistaken HTTP log lines.

1.6-dev-1293 | 2011-09-22 19:44:37 -0700

  * Smaller script tweaks. (Seth Hall)

  * Duplicate notice suppression. (Seth Hall)

    - Duplicate notices are discovered with the new Notice::Info
      field $identifier.  It's a string that is left up to the
      notice implementor to define which would indicate a
      fundamentally duplicate notice.  The field is optional and
      if it's not included it's not possible for notice
      suppression to take place.

    - Duplicate notices are suppressed by default for the interval
      defined by the Notice::default_suppression_interval variable
      (1 hour by default).

    - A new notice action was defined ACTION_NO_SUPPRESS to prevent
      suppression for a specific notice instance.  A convenience set
      named not_suppressed_types was also created to not suppress
      entire notice types.

    - A new field was added to the PolicyItem type to modify the length
      of time a notice should be suppressed if the predicate matches.
      The field is named $suppress_for.  This name makes the code more
      readable like this: $suppress_for = 1day

    - New events were created to give visibility into the notice
      framework's suppression activity.
      - event Notice::begin_suppression(n: Notice::Info)
      - event Notice::suppressed(n: Notice::Info)
      - event Notice::end_suppression(n: Notice::Info)

    - The suppression.bro script doesn't have a baseline because
      it is causing a segfault in Bro.  This one test is the
      reason that this is being integrated into a branch instead
      of master. (Seth Hall)

  * Fix crash on exit. Addresses #607. (Jon Siwek)

  * Fix PktSrc setting next_timestamp even when no packet available.
    (Jon Siwek)

  * Fix lack of NUL-termination in to_upper/to_lower BIF's return val.
    (Jon Siwek)

  * Fixing unit tests and some minor bugs. (Jon Siwek)

  * Fix broctl cluster log rotation. Addresses #619. (Jon Siwek)

  * Added session ID to the SSL logging. (Seth Hall)

  * Adding "install-aux" target + updating bro-aux submodule. (Jon
    Siwek)

  * Cleaning up INSTALL and README. (Jon Siwek)

  * Remove $Id$ tags. (Jon Siwek)

  * Remove policy.old directory. Addresses #511. (Jon Siwek)

  * Small rework with ssl base script to reduce memory usage. (Seth
    Hall)

  * Updated the mozilla root certs. (Seth Hall)

1.6-dev-1261 | 2011-09-15 17:13:55 -0700

  * Memory leak fixes. Addresses #574 (Jon Siwek)

  * Add configure options for ruby/bindings integration. (Jon Siwek)

  * Fix filter path_func to allow record argument as a subset of
    stream's columns. Addresses #600. (Jon Siwek)

  * Log rotation is now controlled directly through Filter records. (Jon Siwek)

  * Fix indexing for record types with optional fields. Addresses #378
    (Jon Siwek)

1.6-dev-1248 | 2011-09-15 16:01:32 -0700

  * Removed custom malloc() implementation for FreeBSD. Closes #557.
    (Jon Siwek)

  * Testing/external scripts no longer compute MD5 checksums for SMTP
    entities. (Robin Sommer)

  * External tests no longer include the full content of mismatching
    files in the diagnostics output. (Robin Sommer)

1.6-dev-1241 | 2011-09-14 22:51:52 -0400

  * Fixing a major memory utilization issues with SSL analysis. (Seth
    Hall)

  * Enhancements to HTTP analysis: (Seth Hall)

      - More options for the header-names.bro script.

      - New script for logging header names and values. Closes #519.
        (Seth Hall)

      - HTTP body size measurement added to http.log.

      - The value of the content-length headers has now been removed
        in the default output but it could be added back locally at an
        installation by a user.

      - Added fields to indicate if some parsing interruption happened
        during the body transfer. Closes #581 (Seth Hall)

  * Misc smaller usability and correctness updates: (Seth Hall)

    - Removed an notice definition from the base SSL scripts.

    - Moved a logging stream ID into the export section for known-services
      and bumped priority for creating the stream.

    - Adding configuration knobs for the SQL injection attack detection
      script and renaming the HTTP::SQL_Injection_Attack notice to
      HTTP::SQL_Injection_Attack_Against

    - Bumped priority when creating Known::CERTS_LOG.

    - Fixing a warning from the cluster framework. (Seth Hall)

  * Bugfix for log writer, which didn't escape binary stuff in some
    situations. Closes #585. (Robin Sommer)

  * A larget set of changes to the testing/external infrastructure.
    The traces for external test-suites are no longer kept inside the
    repositories themselves but downloaded separately via curl. This
    is because git is pretty bad at dealing with large files. See the
    README for more information. (Robin Sommer)

1.6-dev-1221 | 2011-09-08 08:41:17 -0700

  * Updates for documentation framework and script docs. (Jon Siwek)

  * The script level PF_RING support isn't working so removing it.
    (Seth Hall)

  * Delete SSL certificates from memory after ssl_established event.
    (Seth Hall)

  * Small fixes for SSL analysis. (Seth Hall)

1.6-dev-1212 | 2011-09-07 16:15:28 -0700

  * Internally, the UID generation can now return values from
    different pool for better reproducability in testing mode.
    (Gilbert Clark).

  * Added new BiF unique_id_from(pool: string, prefix: string) that
    allows the user to specify a randomness pool. (Gilbert Clark)

1.6-dev-1198 | 2011-09-07 11:03:36 -0700

  * Extended header for ASCII log that make it easier for scripts to
    parse Bro log files. (Gilbert Clark)

  * Potential fix for rotation crashes. Addresses #588. (Robin Sommer)

  * Added PF_RING load balancing support to the scripting layer,
    enabled by loading the misc/pf-ring-load-balancing script. (Seth
    Hall)

  * Added a BiF setenv() for setting environment variables. (Seth
    Hall)

1.6-dev-1184 | 2011-09-04 09:34:50 -0700

  * FindPCAP now links against thread library when necessary (e.g.
    PF_RING's libpcap). (Jon Siwek)

  * Install binaries with an RPATH. (Jon Siwek)

  * Fix for a case where nested records weren't coerced even though
    possible. (Jon Siwek)

  * Changed ASCII writer to delay creation of log after rotation until
    next write.

  * Changed default snaplen to 65535 and added a -l/--snaplen command
    line option to set it explicitly. Addresses #447. (Jon Siwek)

  * Various updates to logging framework. (Seth Hall)

  * Changed presentation of enum labels to include namespace. (Jon
    Siwek)

  * HTTP analyzer is now enabled with any of the HTTP events. (Seth
    Hall)

  * Fixed missing format string that caused some segfaults. (Gregor
    Maier)

  * ASCII writer nows prints time interval with 6 decimal places.
    (Gregor Maier)

  * Added a Reporter::fatal BIF. (Jon Siwek)

  * Fixes for GeoIP support. Addresses #538. (Jon Siwek)

  * Fixed excessive memory usage of SSL analyzer on connections with
    gaps. (Gregor Maier)

  * Added a log postprocessing function that can SCP rotated logs to
    remote hosts. (Jon Siwek)

  * Added a BiF for getting the current Bro version string. (Jon
    Siwek)

  * Misc. doc/script/test cleanup. (Jon Siwek)

  * Fixed bare-mode @load dependency problems. (Jon Siwek)

  * Fixed check_for_unused_event_handlers option. (Jon Siwek)

  * Fixing some more bare-mode @load dependency issues (Jon Siwek)

  * Reorganizing btest/policy directory to match new scripts/
    organization. Addresses #545 (Jon Siwek)

  * bro scripts generated from bifs now install to
    $prefix/share/bro/base. Addresses #545 (Jon Siwek)

  * Changeed/fixed some cluster script error reporting. (Jon Siwek)

  * Various script normalization. (Jon Siwek)

  * Add a test that checks each individual script can be loaded in
    bare-mode. Adressess #545. (Jon Siwek)

  * Tune when c$conn is set. Addresses #554. (Gregor Maier)

  * Add ConnSize_Analyzer's fields to conn.log. (Gregor Maier)

  * Fixing bug in "interesting hostnames" detection. (Seth Hall)

  * Adding metrics framework intermediate updates. (Seth Hall)

1.6-dev-1120 | 2011-08-19 19:00:15 -0700

  * Fix for the CompHash fix. (Robin Sommer)

1.6-dev-1118 | 2011-08-18 14:11:55 -0700

  * Fixing key size calculation in composite hash code. (Robin Sommer)

1.6-dev-1116 | 2011-08-18 10:05:07 -0700

  * Remove the 'net' type from Bro (addresses #535).

  * Fix H3 assumption of an 8-bit byte/char. (Jon Siwek)

  * Allow reading from interface without additional script arguments.
    Explicitly passing in '-' as an additional command line argument
    still allows reading a script from stdin. (Jon Siwek)

  * SSH bruteforcing detection now done with metrics framework. (Seth
    Hall)

  * Updates for SQL injection attack detection to match the metrics
    framework updates. (Seth Hall)

  * Metrics framework now works on cluster setups. (Seth Hall)

  * Reclassifying more DNS manager errors as non-fatal errors. (Robin
    Sommer)

  * Fix ConnSize_Analyzer when used in conjunction with connection
    compressor. (Gregor Maier)

  * Fix reporter using part of the actual message as a format string.
    (Jon Siwek)

1.6-dev-1095 | 2011-08-13 11:59:07 -0700

  * A larger number of script documentation updates. Closes #543. (Jon
    Siwek)

  * Workaround for FreeBSD CMake port missing debug flags. (Jon Siwek)

  * piped_exec() can now deal with null bytes. (Seth Hall)

  * Fix vector initialization for lists of records with optional
    types. Closes #485. (Jon Siwek)

  * Fix redef'ing records with &default empty set fields. Closes #460.
    (Jon Siwek)

  * Fix ConnSize_Analyzer when used in conjunction with the connection
    compressor. (Gregor Maier)

  * Fix reporter using part of the actual message as a format string.
    (Jon Siwek)

  * Fixing reporter's location tracking. Closes #492. (Robin Sommer)

  * Turning DNS errors into warnings. Closes #255. (Robin Sommer)

  * Logging's path_func now receives the log record as argument.
    Closes #555. (Robin Sommer)

  * Functions can now be logged; their full body gets recorded.
    Closes #506. (Robin Sommer)

  * Bugfix for hostname notice email extension. (Seth Hall)

  * Updates for notice framework. (Seth Hall)

    - New ACTION_ADD_GEODATA to add geodata to notices in an extension
      field named remote_location.

    - Loading extend-email/hostnames by default now that it only does
      anything when the ACTION_EMAIL action is applied (finally).

  * Updates to local.bro (Seth Hall)

  * Added the profiling script. (Seth Hall)

  * Updates for SSH scripts. (Seth Hall)

  * ConnSize analyzer is turned on by default now. (Seth Hall)

  * Updates for the build system and site local scripts for cluster.
    (Seth Hall)

  * HTTP now uses the extract_filename_from_content_disposition function. (Seth Hall)

  * Major SMTP script refactor. Closes #509. (Jon Siwek and Seth Hall)

  * New variable Site::local_nets_table in utils/site for mapping
    address to defined local subnet.

  * Metrics framework updates, more to come. (Seth Hall)


1.6-dev-1061 | 2011-08-08 18:25:27 -0700

  * A set of new/changed tests regarding the new policy script
    organisation. (Robin Sommer)

1.6-dev-1058 | 2011-08-08 16:15:18 -0700

  * Reorganisation of the scripts that Bro loads by default. (Seth
    Hall)

    - policy/ renamed to scripts/

    - By default BROPATH now contains:
    	- scripts/
    	- scripts/policy
    	- scripts/site

    - The scripts in scripts/base/protocols/ only do logging and state
      building.

    - All of scripts/base/ is loaded by by default. This can however
      be disabled by switching Bro into "bare mode" using the new
      command-line option --bare-mode (or -b). The cripts in
      scripts/base/ don't use relative path loading to ease use of
      bare mode (to copy and paste that script).

    - The scripts in scripts/base/frameworks/ add functionality
      without causing any additional overhead.

    - All "detection" activity happens through scripts in
      scripts/policy/.

    - bro.init was renamed to base/init-bare.bro, and base/all.bro was
      renamed to init-default.bro.

    - local.bro now loads more functionality from policy/ and adds
      more documentation. (Seth Hall)

  * Adding default_path_func() to the logging framework that makes the
    default naming scheme script-level controlled. (Robin Sommer)

  * Reworking logging's postprocessor logic so that postprocessor
    commands are no longer run by the log writers themselves, but
    instead by a script level function. (Robin Sommer)

  * The communication subsystem is now by default off and must be
    enabled explicitly with a new BiF, enable_communication(). Closes
    #540. (Robin Sommer)

  * The hostname notice email extension now only add hostnames for
    emailed noticed. (Seth Hall)

  * Cleaning up doc generation. (Seth Hall)

1.6-dev-1044 | 2011-08-05 19:07:32 -0700

  * Fixing memory (and CPU) leak in log writer.

  * Fixing crash in memory profiling. (Robin Sommer)

  * Fix compiler warning. (Robin Sommer)

  * Fixing missing sync in cluster setup. (Robin Sommer)


1.6-dev-1038 | 2011-08-05 18:25:44 -0700

  * Smaller updates to script docs and their generation. (Jon Siwek)

  * When using a `print` statement to write to a file that has raw output
    enabled, NUL characters in string are no longer interpreted into "\0",
    no newline is appended afterwards, and each argument to `print` is
    written to the file without any additional separation. (Jon Siwek)

  * Test portatibility tweaks. (Jon Siwek)

  * Fixing PktSrc::Statistics() which retured bogus information
    offline mode. Closes #500. (Jon Siwek)

  * --with-perftools configure option now assumes --enable-perftools.
    Closes #527. (Jon Siwek)

1.6-dev-1018 | 2011-07-31 21:30:31 -0700

  * Updating CHANGES. (Robin Sommer)

1.6-dev-1016 | 2011-07-30 18:34:28 -0700

  * Install example config files dynamically. They'll only get
    installed when the distribution version differs from existing
    version on disk. (Jon Siwek)

  * Fixed memory leak in SSL analyzer. (Seth Hall)

  * Beginning rework of metrics interface. (Seth Hall)

  * New/updated unit tests for scripts. (Jon Siwek)

  * New/updated documentstion for scripts. (Jon Siwek)

  * A number of fixes for scripts in utils/. (Jon Siwek)

1.6-dev.244 Thu Jul 28 17:08:21 PDT 2011

- mask_addr() now returns subnet (addresses #512). (Jon Siwek)

- Normalize Notice::Type identifiers per convention (closes #484).
  (Jon Siwek)

- Fixing default-loaded-scripts test for BSD systems. (Jon Siwek)

- New piped_exec() BiF for pipeing data into an external command. (Jon
  Siwek)

1.6-dev.242 Mon Jul 25 21:42:39 PDT 2011

- Adding a documentation coverage test. (Jon Siwek)

- The CMake targets for generating reST docs from policy scripts are
  now automatically generated via the genDocSourcesList.sh script.
  (Jon Siwek)

- Fixed a number of script error. (Jon Siwek)

- Fixes to relative @load'ing.  (Jon Siwek)

- Fixes to tests. (Robin Sommer)

1.6-dev.240 Sun Jul 24 15:14:26 PDT 2011

- Updated tests and test baselines. (Jon Siwek)

- ASCII log writer now prints time values w/ constant 6 digit
  precision. (Jon Siwek)

- Many policy script updates acrsso the board (Seth Hall).

- Moving devel-tools to bro-aux. (Robin Sommer)

- BugFix for disable_analyzer(), which could cause crashes with some
  analyzers. (Robin Sommer)

- Bugfix for potential segfault in DebugLogger. (Robin Sommer)

1.6-dev.226 Thu Jul 21 15:23:39 PDT 2011

- Extensions to the @load and @unload process. (Jon Siwek)

    * Make @load statements recognize relative paths. For example a
      script can do "@load ./foo" to load a script named foo.bro that
      lives in the same directory or "@load ../bar" to load a script
      named bar.bro in the parent directory, even if those directories
      are not contained in BROPATH.

    * Reimplementation of the @prefixes statement. (Closes #486)

      Any added prefixes are now used *after* all input files have
      been parsed to look for a prefixed, flattened version of the
      input file somewhere in BROPATH and, if found, load it. For
      example, if "lcl" is in @prefixes, and site.bro is loaded, then
      a file named "lcl.site.bro" that's in BROPATH would end up being
      automatically loaded as well. Packages work similarly, e.g.
      loading "protocols/http" means a file named
      "lcl.protocols.http.bro" in BROPATH gets loaded automatically.

    * Fix @unload'd files from generating bro_script_loaded event.

    * Updates to tests.

1.6-dev.225 Wed Jul 20 17:10:41 PDT 2011

- IRC improvements (Jon Siwek). Including:

    * Shorten what's displayed in the IRC's log mime_type column for
      DCC transfers.

    * Add IRC unit tests.

    * Fix IRC analyzer supplying wrong type to irc_dcc_message event.

    * Removed irc_client and irc_server events.

    * Added is_orig arguments to all other irc events.

    * Fix analyzer not recognizing Turbo DCC extension message format.

    * Fix analyzer not generating irc_dcc_message event when irc_privmsg_message
      event doesn't have a handler registered.

- Fixing tests that need a diff canonifier. (Jon Siwek)

1.6-dev.223 Tue Jul 19 19:10:36 PDT 2011

- Adding a script to update CHANGES and VERSION. (Robin Sommer)

1.6-dev.218 Tue Jul 19 18:16:44 PDT 2011

- Comprehensive policy script overhaul/rewrite. (Seth Hall)

  Changes are too extensive to list individually.

- Removing undocumented -H command line flag. (Robin Sommer)

- Fixing many tests. (Everybody)

- Fixing 0-chunk bug in remote logging. (Robin Sommer)

- $PATH is now appropriately set by the bro-path-dev.(sh|csh) scripts.
  (Seth Hall)

- Making valgrind a bit more happy. (Robin Sommer)

- New BiF record_field_vals() that returns the fields of a record in a
  table with meta-information. (Robin Sommer)

- Adding a script in aux/devel-tools that extracts a connection from a
  trace based on uid. (Robin Sommer)

- Fixing bug causing crash when running without arguments. (Robin Sommer)

- A new event bro_script_loaded() raised for each policy script
  loaded. Also removing the -l command-line option as that can now be
  done at the script-level. (Robin Sommer)

- Fixing memory leaks. (Gilbert Clark, Seth Hall, Robin Sommer)

- Many SSL analysis improvements and fixes. (Seth Hall)

- Fixing bug with event priorities potentially being ignored for the
  handler. (Robin Sommer)

- Overhauling the internal reporting of messages to the user. The new
  Reporter class is now in charge of reporting all errors, warnings,
  informational messages, weirds, and syslogs; and it passes
  everything through the script layer. (Robin Sommer)

* Removed the alarm statement and the alarm_hook event. (Robin Sommer)

- Adding new policy file test-all.bro that loads all other policies.
  This is for testing only. (Robin Sommer)

- A new framework for doing regression testing with larger traces and
  more complex Bro configurations in testing/external. (Robin Sommer)

- Many updates to script doc generation.  (Jon Siwek)

1.6-dev.146 Sat Jun 25 18:12:27 PDT 2011

- DNS mapping are now becoming invalid when an entry's TTL expires.
  (Thomas Other)

- Reworking how Bro tracks which scripts are already loaded. Rather
  than paths, Bro now tracks inode numbers. (Jon Siwek)

- New BiF netstats() to query packet capture statistics. The netstats
  script now uses the new BiF to periocally report packets drops. The
  net_stats_update() event and the heartbeat_interval global went
  away. (Seth Hall)

- Fixing bug with logging &optional records. Closes #476. (Robin
  Sommer)

- Fixing istate.events-ssl test failing because of expired cert. (Jon
  Siwek)

- A large number of improvements and fixes for Bro's doc mode. (Jon
  Siwek)

- Significant updates for RPC and NFS analyzers (Gregor Maier)

    * Unify semantics for UDP and TCP connections.

    * RPC can now log to a log file if desired.

    * Portmapper can now log general activity to a log file and also log
      actual port mappings.

    * NFS analyzer now supports significantly more procedure calls as
      as file name tracking and file content extraction.

- NetBIOS fixes. (Jon Siwek)

- A number of unit tests are more robust and portable.  (Jon Siwek)

- A new BiF unique_id() that returns a string that's unique across Bro
  instaces with high probablity.  (Robin Sommer)

- Complete rewrite of the BinPAC SSL analyzer. (Seth Hall)

    * DER certificates are extracted as strings to be used with
      corresponding BiFs.

    * x509_verify function to verify single certs and/or full
      certificate chains.

    * Removed hand written SSL analyzer.

    * The ssl.bro script is just a place-holder for now. New version
      will come with the other new scripts.

- New syslog analyzer. (Seth Hall)

- @load now supports loading a directory. With a directory "foo"
  somewhere in BROPATH, "@load foo" now checks if there's a file
  "foo/__load__.bro". If so, it reads that file in. (Robin Sommer)

- ASCII logger now escapes non-printable characters. Closes #450.
  (Robin Sommer)

- Packaging tweaks and rewrite of 'dist' target. (Jon Siwek)

- Changes to allow DEB packaging via CPack, addresses #458. (Jon
  Siwek)

- An extension to the ICMP analyzer to handle redirects. Julien
  Sentier

- Removing old istate test-suite. (Robin Sommer)

- A hack to report missing GeoIP support only once. This closes #357,
  but #455 captures the need for a more general solution. (Robin
  Sommer)

- Bugfix: vectors in records were not initalized. Closes #421. (Robin
  Sommer)

- If IPv6 default is not compiled in, the default BPF filters now
  excludes IPv6 packets. (Robin Sommer)

- New bif bro_has_ipv6() to check whether IPv6 support is compiled in.
  (Robin Sommer)

- Updating btests and a Makefile. "make" now runs all the tests.
  (Robin Sommer)

- Moving the test-scripts from the old test-suite over to btest.
  (Robin Sommer)

- Fix for major bug in POP3 analyzer, which didn't recognize '.'
  terminators in multi-line replies if the terminator was bare (no
  newline). This caused it to ignore the rest of the session that it's
  analyzing. (Vern Paxson)

- Fix compiler warning with gcc-4.4.4 (Gregor Maier)

- Adding example documentation for a script's use of logging features.
  (Jon Siwek)

- Adding &log attribute to static attr_names array. (Jon Siwek)

- Bro can now track packet and byte counts per connection. (Gregor
  Maier)

    * If 'use_conn_size_analyzer' is true, the event engine tracks
      number of packets and raw IP bytes per connection. If
      report_conn_size_analyzer is true, these values are included as
      four new columns into conn.log

    * I changed conn.bro so that the value of
      report_conn_size_analyzer follows that of
      use_conn_size_analyzer. For the new conn.log, we probably want
      to get rid of report_conn_size_analyzer anyway.

- Fixing numerous compiler warnings and portability issues. (All)

- Switching vectors from being 1-based to 0-based. Note that this is a
  change that break backwards-compatibility. (Robin Sommer)

- Increasing serialization format version for the recent 64-bit
  changes. (Robin Sommer)

- Support for (mixed) MPLS and VLAN traffic, and a new default BPF
  filter. (Seth Hall and Robin Sommer)

    * Merging in the patch from #264, which provides support for mixed
      VLAN and MPLS traffic.

    * Changing Bro's default filter from being built dynamically to
      being a static "ip or not ip". To get the old behaviour back
      (i.e., the dynamically built filter), redef "all_packets" to
      false.

    * print-filter.bro now always prints the filter that Bro is
      actually using, even if overriden from the command line. (Robin
      Sommer)

- Changing the HTTP's analyzers internals to use 64-bit integers.
  (Gregor Maier).

- Fixing bug with deleting still unset record fields of table type.
  (Robin Sommer)

1.6-dev.99 Fri Apr 22 22:10:03 PDT 2011

- Extending the connection record with a unique identifier. (Robin
  Sommer)

    type connection: record {
        [...]
        id: string;
   };

  These identifiers very likely unique even across independent Bro
  runs.

- Delete operator for record fields. (Robin Sommer)

  "delete x$y" now resets record field "x" back to its original state
  if it is either &optional or has a &default. "delete" may not be
  used with non-optional/default fields.

- Fixing bug with nested record coercions. (Robin Sommer)

- Fixing a do_split() bug. (Seth Hall)


1.6-dev.94 Thu Apr 21 19:51:38 PDT 2011

- Fixing generation of config.h. (Jon Siwek)

- Updates and tests for NetBIOS name BiF. (Seth Hall)

- Fixing do_split bug(), and adding a test. (Seth Hall)

- When Bro is given a PRNG seed, it now uses its own internal random
  number generator that produces consistent results across sytems.
  Note that this internal generator isn't very good, so it should only
  be used for testing purpses. (Robin Sommer)

- The BTest configuration now sets the environemnt variables TZ=UTC
  and LANG=C to ensure consistent results. (Robin Sommer)

- Logging fixes. (Robin Sommer)

1.6-dev.88 Wed Apr 20 20:43:48 PDT 2011

- Implementation of Bro's new logging framework. We will document this
  separately. (Robin Sommer)

- Already defined record types can now be further extended via the
  '+=' operator. The added fields must be either &optional or have a
  &default value. (Robin Sommer)

  Example:

        type Foo: record {
            a: count;
            b: count &optional;
        };

        redef record Foo += {
            c: count &default=42;
            d: count &optional;
        };

        global f: Foo = [$a=21];

        print f;

  Output:

        [a=21, b=<uninitialized>, c=42, d=<uninitialized>]

- Enabling assignment of empty vectors ("vector()"). (Robin Sommer)

- Fixing attributes to allow &default attributes to be associated with
  records fields of type tables/sets/vector. (Robin Sommer)

- '[]' is now a valid record constructor. (Robin Sommer)

- A instance of a record type A is now coercable into one of type B if
  the fields of type A are a subset of those of type B. (Robin Sommer)

- A number of bug fixes and enhancements for record/set/table/vector
  coercion. (Robin Sommer)

- Fixing a problem with records that have optional fields when used as
  table/set indices. Addresses #367. (Robin Sommer)

- Fixing an off-by-one error in join_string_vec(). (Seth Hall)

- Updating to_count() to cope with 64bit ints. (Seth Hall)

- A new BiF count_to_v4_addr() to turn a count into an IPv4 address.
  (Seth Hall)

1.6-dev.80 Mon Apr 18 14:50:54 PDT 2011

- New framework for generating documentation from Bro scripts. (Jon
  Siwek)

  This includes:

    * Changes to Bro's scanner/parser to facilitate automatic
      generation of Bro policy script documentation in
      reStructuredText format.

    * New command line flags -Z/--doc-scripts to enable the new doc
      generation mode.

    * Changes to bifcl to pass comments starting with "##" through
      into the generated .bro script.

    * A "doc" build target for the top-level Makefile to first
      generate reStructuredText for a defined set of Bro policy
      scripts, and then run that through Sphinx to create HTML
      documentation.

1.6-dev.78 Mon Apr 18 12:52:55 PDT 2011

- Adding files to CMake build targets so they show up in generated IDE
  projects. This addresses #413. (Jon Siwek)

- Fix unnecessary config.h preprocessor (re)definitions. This
  addresses #414. (Jon Siwek)

- Updating istate tests. (Robin Sommer)

- Adding files to CMake build targets so they show up in generated IDE
  projects.

- Adding new environment variable BRO_SEED_FILE to set the seed file
  for the random number generator. (Robin Sommer)

1.6-dev.71 Fri Apr  1 16:06:33 PDT 2011

- Removing code for the following no longer supported functionality.

    * Trace rewriting.
    * DFA state expiration in regexp engine.
    * Active mapping.
    * Unused hash functions.

  (Robin Sommer)

- Fixing crashes when SSL is not configured correctly. (Robin Sommer)

1.6-dev.66 Tue Mar 29 21:52:01 PDT 2011

- Initial btest setup (Don Appleman and Robin Sommer)

- Porting the istate tests to btest (not finished) (Robin Sommer)

1.6-dev.63 Mon Mar 21 16:31:15 PDT 2011

- Changes to the way user-modifiable config files are installed  (Jon Siwek)

    * Duplicates of the distribution's configuration files are now
      always installed with a .example suffix

    * Added --binary-package configure option to toggle configure
      logic specific to the creation of binary packages.

    * When not in binary packaging mode, `make install` never
      overwrites existing configure files in case they've been
      modified. The previous behavior (CMake's default) would only
      avoid overwriting modified files if one consistently uses the
      same build directory and doesn't reconfigure.

- Fixed an issue with Mac package's pre-install script not preserving
  ACLs. (Jon Siwek)

- Minor cleanup/refactor of the make-mac/rpm-packages scripts. (Jon
  Siwek)

- Add explicit CMake check for compiler. (Jon Siwek)

- Add alternative way to set BROPATH for running bro from build/ dir.
  (Jon Siwek)

- Fixing compiler warnings (Gregor Maier)

- Remvoing leftover local variables that caused compile error on Mac
  OS X. (Gregor Maier)

1.6-dev.53 Fri Feb 25 17:03:05 PST 2011

- Fixing file detector leak in remote communication module. (Scott
  Campbell)

- Updating independent-state tests to work with new setup. (Robin
  Sommer)

1.6-dev.49 Fri Feb 25 15:37:28 PST 2011

- Enum IDs can have explicitly defined values. (Gregor Maier)

- Extensions for the built-in function compiler, bifcl. (Gregor Maier)

    * Support for policy-layer namespaces.
    * Support for type declarations in bif files (with access them
      from C++)
    * Extended const declarations in bif files.

  See http://bro.icir.org/devel/bif-doc for more information.

1.6-dev.48 Fri Feb 25 10:53:04 PST 2011

- Preliminary TCP Reassembler fix: deliver data after 2GB by disabling
  the unused seq_to_skip feature. (Gregor Maier)

1.6-dev.47 Fri Feb 25 10:40:22 PST 2011

- Fixing endianess error in XDR when data is not 4-byte aligned.
  (Gregor Maier)

- Fix for Val constructor with new int64 typedefs. (Gregor Maier)

- Updated fix for OS X 10.5 compile error wrt llabs(). (Gregor Maier)

- Fix more compiler warning wrt printf format strings.  (Gregor Maier)

1.6-dev.45 Tue Feb  8 21:28:01 PST 2011

- Fixing a number of compiler warnings. (Seth Hall and Robin Sommer)

1.6-dev.44 Tue Feb  8 20:11:44 PST 2011

- A number of updates to the SSL analyzer, including support for new
  ciphers; SSL extensions; and bug fixes. The analyzer does not longer
  throw weird for exceeding a predefined cipherspec_size anymore.
  (Seth Hall and Rmkml).

- The various split*() BiFs now handle strings containing null bytes
  correctly. (Seth Hall)

- Adding new aux/btest submodule. This is a framework we will use in
  the future for doing unit tests. (Robin Sommer)

1.6-dev.41 Mon Feb  7 13:43:56 PST 2011

- Smarter way to increase the parent/child pipe's socket buffer.
  (Craig Leres).

- Fixing bug with defining bro_int_t and bro_uint_t to be 64 bits wide
  on some platforms. (Robin Sommer)

1.6-dev.39 Mon Jan 31 16:42:23 PST 2011

- Login's confused messages now go through weird.bro. (Robin Sommer)

1.6-dev.36 Mon Jan 31 08:45:35 PST 2011

- Adding more configure options for finding dependencies, (Jon Siwek)

    --with-flex=PATH       path to flex executable
    --with-bison=PATH      path to bison executable
    --with-perl=PATH       path to perl executable
    --with-python=PATH     path to Python interpreter
    --with-python-lib=PATH path to libpython
    --with-python-inc=PATH path to Python headers
    --with-swig=PATH       path to SWIG executable

- Fixing typo in PCAPTests.cmake  (Jon Siwek)


1.6-dev.33 Mon Jan 24 15:29:04 PST 2011

- Fixing bug in SMB analyzer. (Robin Sommer)

- Configure wrapper now deletes previous CMake cache (Jon Siwek)

- Fix for the --with-binpac configure option. (Jon Siwek)

1.6-dev.30 Thu Jan 20 16:32:43 PST 2011

- Changed configure wrapper to create config.status. (Jon Siwek)

1.6-dev.29 Thu Jan 20 16:29:56 PST 2011

- Fixing little problem with initialization of Bro-to-Bro event
  communication. (Christian Kreibich)


1.6-dev.27 Thu Jan 20 13:52:25 PST 2011

- Fine-tuning of the HTTP analyzer in terms of raising protocol
  violations and interrupted transfers. (Gregor Maier)


1.6-dev.21 Wed Jan 19 17:36:02 PST 2011

- Added 4 new BiFs and a new record type for testing the entropy of
  strings. (Seth Hall)

    find_entropy(data: string): entropy_test_result
        This is a one shot function that accepts a string and
        returns the result of the entropy calculations.

    entropy_test_init(index: any): bool
        This and the next two functions are for calculating entropy
        piece-wise. It only needs an index which can be any type of
        variable. It needs to be something that uniquely identifies
        the data stream that is currently having it's entropy
        calculated.

    entropy_test_add(index: any, data: string): bool
        This function is used to add data into the entropy
        calculation. It takes the index used in the function above
        and the data that you are adding and returns true if
        everything seemed to work, false otherwise.

     entropy_test_finish(index: any): entropy_test_result
        Calling this function indicates that all of the desired data
        has been inserted into the entropy_test_add function and the
        entropy should be calculated. This function *must* be called
        in order to clean up an internal state tracking variable.
        If this is never called on an index, it will result in a
        memory leak.

  The entropy_test_result values have several measures of the
  entropy, but a good one to work with is the "entropy" attribute.
  It's a double and as the value approaches 8.0 it can be considered
  more and more random.  For example, a value of 7.832 would be
  quite random but a value of 4.671 is not very random.

1.6-dev.20 Wed Jan 19 17:30:11 PST 2011

- BRO_DNS_FAKE is now listed in the --help output. (Seth Hall)


1.6-dev.18 Wed Jan 19 16:37:13 PST 2011

- Removing unnecessary expire timer from http_sessions. (Gregor
  Maier)


1.6-dev.16 Sat Jan 15 14:14:21 PST 2011

- Updates to the build system. (Jonathan Siwek)

    * ``make dist`` is now available to be used with the top-level
      Makefile for creating source packages according to #344.

    * ``make-rpm-packages`` and ``make-mac-packages`` scripts can
      now generate binary packages according to #295.

    * Additional configure options to change packaging behavior.

    * OS X builds will now prefer to link static libraries of
      optional dependencies that don't come with the vanilla
      operating system.

    * Fix for OS X 10.5 compile error dealing with the llabs()
      function from stdlib.

    * Installing as a different user than the one that
      configured/built now works (although, a harmless error message
      about not being able to write the install manifest may occur).


1.6-dev.3 Wed Dec  8 04:09:38 PST 2010

- Merge with Subversion repository as of r7137. Incorporated change:

    * Fix for packet processing resumption when a remote Bro dies
      during state synchronization (Robin Sommer).

1.6-dev.2 Wed Dec  8 03:57:03 PST 2010

- Compatibility fix for OpenSSL 1.0.0 (Christian Kreibich, Gregor
  Maier).

1.6-dev.1 Sat Nov 27 12:19:47 PST 2010

- Merge with Subversion repository as of r7098. Incorporated changes:

    * Rotation post-processors are now passed an additional argument
      indicating whether Bro is terminating (Robin Sommer).

    * Bro now consistently generates a file_opened event for all
      fopen() calls. (Robin Sommer).

    * You can now redefine the email_notice_to function (Robin
      Sommer).

1.6-dev.0 Fri Nov 26 13:48:11 PST 2010

- The Bro source code is now developed in the new git repositories.
  See the developer pages at http://www.bro-ids.org for more
  information on the new development process.

- Bro's build and installation setup has been moved from GNU
  autotools to CMake. As a result of that, layout and specifics of
  the distribution has changed significantly.

- Lots of pieces have been removed from the distribution that are
  either now unnecessary or are no longer maintained.

- As part of the cleanup, a numbef of Bro configure options and
  their corresponding functionality have been removed, including:

    * --disable-select-loop
    * --with-dag
    * --disable-nbdns
    * --enable-activemapping
    * --enable-activemapping
    * --enable-shippedpcap

- The previous configure option --enable-int64 is now enabled by default,
  and can no longer be disabled.

- ClamAV support has been removed, which has been non-functional for
  a while already.

1.5.2.7 Sun Sep 12 19:39:49 PDT 2010

- Addressed a number of lint nits (Vern Paxson).


1.5.2.6 Sun Sep 12 17:00:13 PDT 2010

- The SWIG file now explicitly lists those pieces from broccoli.h which it
  wants to wrap, rather than just including all of broccoli.h (Robin Sommer).
  This fixes the problem that the SWIG bindings depend on what configure
  finds out about the availability of libpcap even though the corresponding
  functions don't need to be wrapped anyway.

- http-header.bro now includes a global include_header: set[string]
  (Robin Sommer).  If it contains any strings, then only those headers
  will be processed.  If left empty, then you continue to get the current
  behavior of processing all headers.

- Several changes to drop.bro (Robin Sommer):

	* If true, the new flag Drop::dont_drop_locals indicates that
	  local hosts should never be dropped.  On by default.

	* If true, the new flag Drop::debugging activates extensive debugging
	  output for the catch-and-release logic.  Off by default.

	* The timeout for tracking dropping information is now 1 day
	  rather than 7 days, to better echo the one-restart-a-day semantics
	  used in the past.

	* Bug fix for hosts once dropped by later cleared; some state
	  for them persisted.

- Portability fix for Broccoli Python bindings on 64-bit platforms (Robin
  Sommer).

- The HTTP analyzer no longer attempts to track Server/User-Agent
  versions, as these are hugely voluminous (Seth Hall).  Ideally this
  would still be available as an option for someone who truly wants
  the full set.

- HTTP and SMTP no longer have extra-short inactivity timeouts, as
  these were too often leading to premature expiration of a connection
  (Robin Sommer).

- The "rst" tool (aux/rst/) now takes an optional "-I <text>" argument
  that instructs it to inject <text> as payload rather than sending a RST
  packet (Vern Paxson).  <text> must be NUL-terminated, and the NUL is not
  included.

- Bug fix for crashes in the DNS analyzer when processing replies for
  which no request was seen (Robin Sommer).


1.5.2.5 Mon Jul 19 16:20:58 PDT 2010

- Removed now-quite-stale SSHv1 overflow detection, as it's more prone
  to false positives than useful detection (Vern Paxson).


1.5.2.4 Fri Jun  4 16:02:11 PDT 2010

- Bug fixes for terminating connections (Tyler Schoenke and Vern Paxson).


1.5.2.3 Wed Mar 24 18:23:57 PDT 2010

- Bug fixes for --enable-int64 and for avoiding bogus statistics /
  bad memory references when generating profiling information upon
  exit (Vern Paxson).


1.5.2.2 Tue Jan 12 12:33:42 PST 2010

- Broccoli compiler warning fixes (Kevin Lo).


1.5.2.1 Sun Jan 10 16:59:01 PST 2010

- Bug fix for Active Mapping support (Kevin Lo).


1.5.2 Sat Dec 26 18:38:37 PST 2009

- Portability fixes for --enable-int64 (Vern Paxson).


1.5.1 Fri Dec 18 15:17:12 PST 2009

- Due to a Python configuration problem, the original 1.5 distribution
  did not include the BroControl component, which also introduced a
  portability problem for CentOS.  These issues have now been fixed (Robin
  Sommer and Vern Paxson).


1.5 Wed Dec 16 21:28:47 PST 2009

- Bro now comes with a new framework, BroControl, for managing an
  operational Bro setup, including support for installation, configuration,
  and maintainance tasks such a log archival and mail notification.  The
  framework transparently supports both traditional standalone setups as
  well as cluster installations in which multiple Bro boxes coordinate to
  analyze a high-volume network link.

  See aux/broctl/README for more information about BroControl.

  Note, BroControl supersedes the older BroLite system, which is no longer
  supported and has been deprecated for a while now.

- Numerous adjustments to DPD = dynamic protocol detection (Robin Sommer):

    o The Analyzer::ProtocolViolation?() method can now be passed the
      offending data (which POP3, SMTP, and FTP now do).  This information
      is added to the "reason" string passed to the script level.

    o SMTP now more accurately reports violations.

    o FTP stops processing when client & server successfully negotiate
      an AUTH scheme (leading to subsequent encryption).

    o Analyzer::ProtocolViolation() is virtual, and
      TCP_ApplicationAnalyzer() overrides it to not report violations
      for any partial connections, because very likely these arise just
      due to the analyzer getting confused.

    o TCP::IsPartial() returns true if any side did not start with
      a SYN packet (used to be just be for the originator).

    o The connection_state_remove handler in conn.bro now has a higher
      &priority so that other handlers for the same event can use
      determine_service() and see any changes it performs.

    o DynDisable:max_volume specifies a volume limit (default 10K).
      Once a connection exceeds this limit, further protocol
      limitations will neither raise ProtocolViolation notices nor
      cause the analyzer to be disabled.

    o The event engine no longer raises protocol_violation events for
      TCP connections which had gaps, as these have proven too unreliable.
      (Note that, ideally, the *analyzers* should avoid reporting
      protocol_violations when they can't reliably parse a connection
      anymore after a gap; but many don't.)

- A set of new script functions provide support for incrementally computing
  MD5 checksums (Seth Hall).

	md5_hash_init(index: any): bool
		Initializes an incremental hashing instance.  "index" is
		a value of arbitrary type, used to identify this particular
		instance (you can have multiple concurrent instances by
		using different index values).  Returns T on success,
		F on failure (such as the index is already in use).

	md5_hash_update(index: any, data: string): bool
		For the given hashing instance, updates the hash
		based on the given data.  Returns T on success, F on
		failure (such as the index has not been initialized).

	md5_hash_finish(index: any): string
		Returns the MD5-printable hash for the given index
		and terminates the instance, or the string "" if the
		index was not active.

- Bro now supports a believed-to-be-robust mechanism for estimating the
  proportion of traffic that it failed to capture ("measurement drops"),
  which can arise due to overload in either Bro itself, the kernel's
  packet filter, or problems with the link tapping mechanism (Vern Paxson).
  The event engine can generate estimates for either live traffic or what
  was previously recorded in a trace file, though traces subject to some
  forms of selective omission (such as skipping over parts of a connection
  to reduce storage) can lead to erroneous values.

  The estimates are based on observing gaps in TCP data streams, and
  come in two forms: the rate at which such gaps appear, and the relative
  volume of data missing due to the gaps.  (We've found however that the
  volume-based estimator is not robust due to occasional packets with
  incorrect sequence numbers, so this estimator is off by default.)

  The easy way to get the estimates is to load capture-loss.bro.
  By default, it generates a CaptureLossSummary notice upon Bro's exit,
  which can look like:

	1130222759.344066 CaptureLossSummary estimated rate = 0.00089124 / 0.000970997 (events/bytes)

  If the estimated loss is none, however, it suppresses this notice,
  unless you redef CaptureLoss::summary_if_none to T.

  You can also get finer-grained access by defining a "gap_report"
  event handler and redef'ing gap_report_freq to a non-zero interval
  (such as "10 sec").  This event allows you to pinpoint regions in
  time that exhibit significant capture loss.  See capture-loss.bro
  for an example of a handler for this event.

  Finally, these changes include a number of fixes to Bro's
  ack_above_hole/content_gap analysis, which is now significantly
  more robust.

- GeoIP support now supports ASN lookups via the built-in
  function lookup_asn(a: addr): count (Scott Campbell and Seth Hall).

- The GeoIP built-in's lookup_location() and lookup_asn() now
  support IPv6 (Seth Hall).  Note, the current GeoIP distribution
  doesn't include any IPv6 databases, so for now these won't succeed,
  but the hooks are in place for when databases become available.

- lookup_location() now falls back back to the country database if
  the city database isn't available (Seth Hall).

- The new SuccessfulPasswordGuessing Notice is generated when a host
  has been seen attempting password guessing (currently only for FTP
  sessions) and then successfully logs in (Royal Chan).  You can control the
  threshold for such reports in terms of how many attempts the host must
  have made by redef'ing the variable password_guessing_success_threshhold,
  which defaults to 20.

- The new script http-detect-passwd.bro analyzes the Web items returned
  for fetches that appear to be accessing the passwd file (Akhil Dhar).
  It generates a PasswordFullFetch Notice if it appears that the item
  includes a full password file, and PasswordShadowFetch if it looks like
  a shadowed password file.

- The new built-in

	system_env(cmd: string, env: table[string] of string)

  works like system(), but puts the table entries into the environment
  before invoking the command (Robin Sommer).  Each <index> in the table
  creates an environment variable of the form "BRO_ARG_<index>", whose
  value is the corresponding table entry.

- The new script function

	execute_with_notice(cmd: string, notice_info)

  executes "cmd" with an environment containing the fields of the
  notice_info, i.e., the information associated with a Notice (Robin Sommer).
  Per the new system_env() function above, the environment variables appear
  as "BRO_ARG_<tag>", where <tag> is the field tag as it appears in
  notice.log when you enable use_tagging.

- The new built-in enable_raw_output(file) acts the same as
  the attribute &raw_output (Seth Hall).

- The new built-in file_opened(f: file) event is generated any time Bro
  opens a script-level file (Justin Azoff).  You can use this, for example,
  if you want to ensure that a given file has a prelude in it such as
  human-readable headers, even when the file is rotated.

- The notice_info record has a new field

	aux: table[string] of string &optional

  which you can use for information specific to a given type of notice
  (Robin Sommer).  Entries in $aux appear as "aux_<index>" tags in notice.log.

- Another new notice_info record field is the boolean do_alarm (default=T),
  which, if set to F, overides a notice action otherwise specifying to
  generate an alarm (Robin Sommer).  In other words, if do_alarm is F, no
  alarm will be generated independent of the notice action.

  This is a work-around for the fact that we can't specify more than one
  action.  In particular, we couldn't NOTICE_DROP but then *not* alarm,
  which we now can by returning NOTICE_DROP yet setting do_alarm to F.

- The notice_info record field $dropped now appears in the tagged output
  format if true (Robin Sommer).

- NOTICEs relating to scan detection now no longer include the connection
  that triggered the notice, as it really doesn't contain any useful
  information, given that the particular trigger simply depends on the
  detection algorithm and its parameters (Robin Sommer).  However, we do
  explicitly set $p (port number) in the notice, and also $n with the
  number of attempts.

- drop.bro now hardwires a Catch-and-Release redrop after seeing one
  connection from a previously-dropped-but-already-released host
  (Robin Sommer).

- drop.bro now provides some new hooks (Robin Sommer):

	event address_dropped(a: addr)
		Generated when an address has been dropped.

	event address_restored(a: addr)
		Generated when connectivity to an address has been restored,
		such as using the Catch-and-Release mechanism.

	event address_cleared(a: addr)
		Generated when an address that was dropped in the past is
		no longer being monitored looking for new connections
		(as part of the Catch-and-Release mechanism).

- The new built-in function

	hexdump(data_str: string) : string

  returns a hex dump representation of the given input data (Christian
  Kreibich).  The dump renders 16 bytes per line, with hex on the left and
  ASCII (where printable) on the right.

- Bro's notion of when a TCP connection begins now dastes to the first
  instance of an initial SYN packet seen, rather than the last (Gregor Maier).

- The Time Machine script tm-contents.bro now generates

	event contents_saved: event(c: connection, orig_file: string,
					resp_file: string)

  when the content of a connection has been completely saved to disk
  (Robin Sommer).

- The mime.bro script now exports the MIME header callback table, and also
  marks it as &redef'able so you can modify its entries (Matthias Vallentin).
  The mime_log file is also now exported.

- A new signature file, policy/sigs/http-bots.sig, contains signatures
  to detect some of the current HTTP based controlled bot families (Seth Hall).

- The signature engine's HTTP pattern matching has been fixed (Seth Hall)
  to align with the documentation at:

  http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#Content_conditions

  In particular, the content condition "http" is now referred to as
  "http-request" (though "http" still works for backward compatibility),
  "http-request-header" and "http-reply-header" now provide access to
  headers seen in only one direction, and similarly for "http-request-body"
  and "http-reply-body".  (This latter is still accessible as "http-body"
  for backwards compatibility.)

- The new script variable max_remote_events_processed: count (default 10)
  sets a limit on the number of remote events processed in each round,
  before tending to other inputs (Robin Sommer).

- If you set the new script variable dump_used_event_handlers to T,
  then on startup Bro dumps out all of the event handlers that the
  loaded set of scripts can invoke (Matthias Vallenti).

- Summaries for DNS PTR scanning now use a separate Notice,
  DNS_PTR_Scan_Summary, rather than overloading DNS_PTR_Scan (Robin Sommer).

- scan.bro now provides a table skip_dest_server_ports: set[addr, port]
  which lists servers (defined as an address and a port) excluded from
  scan detection computations (Craig Leres and Jay Krous).

- When redefining values on the command line directly (using var=value),
  quotation marks are now implicit only if "var" is a variable of type
  string (Christian Kreibich).  This allows other string-like values
  (such as enum's) to be passed as well.

- scan.bro now explicitly loads conn.bro so that it can itself
  be loaded independently (Robin Sommer).

- login.bro depends on scan.bro (because of tracking authentication
  "scans"), so now it explicitly loads it (Vern Paxson).

- UDP_datagram_length_mismatch is now by default flagged just once per
  originating host rather than once per connection, as it can generate
  tons of messages (Vern Paxson).

- Removed now-long-boring flagging of access to Solaris "listen"
  service as "hot" (Vern Paxson).

- Removal of libedit, since libreadline provides similar functionality
  (Christian Kreibich).

- Added scripts missing from distribution: dce.bro, ncp.bro, and smb.bro
  (Vern Paxson).

- ssh.bro now exports ssh_ports (Seth Hall)

- A number of improvements to inter-Bro communication (Robin Sommer).

 (1) Remote communication now no longer includes location information for
 serialized objects; that removes quite a bit of redundacy from the network
 traffic.

 (2) The new option 'remote_check_sync_consistency" disables the cross-check
 on the receiving side of &synchronized state of whether the current value
 of a variable has the value expected by the sender. Transmitting the
 original values in addition to the updates generates quite a bit CPU &
 network load in some cases (in particular, a table of tables). The default
 for remote_check_sync_consistency is off, and so far that in particular
 seems to reduce the proxy's load quite a bit.

 (3) Complete overhaul of the internal caching of serialized objects.  The
 objective of the caching is avoid retransmitting already sent values over
 and over again. It turns out, however, that some objects are very stable
 and hardly change or get replaced (e.g., Bro types); while other change
 all the time and are hardly reused some time later (e.g., Vals).  Now
 we maintain *two* caches independently for these types of objects; one
 with a low turn-over one and another with a high one.  This should reduce
 CPU load on both sender and receiver sides.

 The new scheme is only used if both communicating Bros support it; with
 older Bros, as well as with Broccoli, we continue using the old scheme.

- Some reworking of remote printing (Robin Sommer), as follows.  Bro now
  uses a new interprocess message rather than print_hook events, to better
  manage buffering and associated load (these can produce failures depending
  on system configuration; see remote.log).  A number of timeouts and
  buffer sizes have been tuned.  Internally, EINTR errors are now treated
  separately from EAGAIN.  Finally, even with remote_check_sync_consistency=F,
  one type of consistency check was still being done; this is no longer
  the case.

- The DNS analyzer now generates events (dns_query_reply/dns_rejected)
  for replies with zero questions (Robin Sommer).

- Perftools support for incompatible changes in the 1.0 API (Robin Sommer).

- Rearranged (generally reducing, though not always) some state timeouts
  associated with scan detection (Robin Sommer).  In addition, when a
  scanning address crosses ignore_scanners_threshold (meaning that it will
  be ignored from now on anyway), it gets discarded from all state-tracking
  tables.  Finally, the ignore_scanners_threshold now applies all kinds
  of scans, not just address scans.

- Substantial Broccoli updates, including a new initialization requirement
  that breaks backward compatibility, support for enqueueing serialized
  event data for transmission, and OpenSSL threadsafe initialization.
  See aux/broccoli/ChangeLog for details (Christian Kreibich, Robin
  Sommer, and Matthias Vallentin).

- Broccoli hashtable optimisation. See aux/broccoli/ChangeLog for
  details (Christian Kreibich & Matthias Vallentin).

- Broccoli memory leak fixed, see aux/broccoli/ChangeLog for details
  (Christian Kreibich).

- Broccoli: updates to bropipe tool (Steve Chan and Robin Sommer).

- Bug fixes for Broccoli Python bindings (Robin Sommer and Matthias Vallentin).

- Fixed nasty bug due to module scoping that completely kept stepping-stone
  detection from working (Vern Paxson).

- A serious bug in the packet sorter has been fixed (Robin Sommer).

- Bug fix for extra NULs getting embedded in escaped strings (Seth Hall).

- Bug fix for HTTP messages that use "Connection: close" rather than length
  headers, which yielded erroneous reassembled messages with \r\n's when
  only \n's were present (Bernhard Ager).

- Fix for reporting on ICMP flows that are expired from the flow table
  (Vern Paxson).  Previously there was a race condition if the flow
  was flushed prior to its summary timer expiring.

- The -l option (list the scripts that Bro loads) now correctly prints
  scripts loaded by the prefix mechanism, and uses indentation to indicate
  the load hierarchy (Robin Sommer).

- A bug has been fixed (really, worked around) in drop.bro that prevented
  dropped addresses from being properly restored (Robin Sommer).

- Fixes for deadlocking problems in the Broccoli protocol. See
  aux/broccoli/ChangeLog for details (Christian Kreibich & Robin Sommer).

- Bug fix for DNS analyzer on 64-bit machines (Gregor Maier).

- Bug fix for asynchronous DNS lookups to prevent some successful lookups
  being reported as timed out (Robin Sommer).

- Bug fix for tracking line numbers associated with compound statements
  (Po-Ching Lin).

- Fix for a rare condition in which the main Bro process couldn't kill
  its child process (Robin Sommer).

- Fix for file rotation when the underlying file is deleted before the
  timer expires (Robin Sommer).

- Fix for potential crash when communication connections break down,
  and also for releasing cached objects (Robin Sommer).

- Fix for default table entries computed by function invocation to not
  cache previous results (Robin Sommer).

- Fix for Bro's internal DNS resolution (Scott Campbell and Robin Sommer).

- Portability fix for DAG packet capture (Gregor Maier).

- Portability fix for --enable-brov6 (Robin Sommer).

- Portability fixes for FreeBSD (Vern Paxson).

- A work around for new_packet() crashing on IPv6 packets (Vern Paxson).
  For now, IPv6 packets are skipped.  Also, for fragments the event handler
  is now only called for the fully reassembled packet.

- The new configuration option --disable-nbdns supports disabling non-blocking
  DNS at configure time (Sean McCreary).  Note, there are some known problems
  with it in some environments.

- A number of configuration fixes and enhancements (Christian Kreibich
  and Robin Sommer).

- Consistency nit for the configuration process (Seth Hall).

- A number of reference-counting and other memory management fixes
  (Robin Sommer).

- Bug fix for inter-Bro communication lockup (Seth Hall and Robin Sommer).

- Bug fix for computing TCP payload length in new_packet event (Lothar Braun).

- Bug fix for sending boolean True values via Broccoli (Seth Hall).

- make distcheck fix to clean up .bif.bro files (Christian Kreibich).

- Bug fix for DPD's recognition of SSLv2 connections (Seth Hall).

- Bug fix for &default for tables indexed by subnets (Seth Hall).

- A bug has been fixed that could crash Bro when you called get_event_peer()
  after a remote connection had already disppeared (Robin Sommer).

- Introduced a work-around for crashes that occur when Bro exits
  due to handling a signal (Robin Sommer).

- Bug fix for checkpoint.bro - don't schedule timers for times that
  aren't actually in the future (Robin Sommer).

- Hostname formatting fix for anon.bro (Fabian Schneider).

- Bug fix for redundant .log extension in Time Machine log file
  (reported by CS Lee).

- Removed now-outdated special-casing of Linux reporting of packet filter
  statistics (Peter Wurzinger and Robin Sommer).

- A number of memory leaks fixed (Robin Sommer).

- Addressed warnings from newer versions of g++ (Robin Sommer and Vern Paxson).

- Fixed an invocation issue in the ca-create script that prevented it from
  working with recent OpenSSL versions (Craig Leres & Christian Kreibich).

- Comment fixed in drop-adapt (Justin Azoff).

- Duplicate code removed from Val (Seth Hall).


1.4 Fri Oct 17 11:08:52 PDT 2008

- We are no longer supporting a previous Bro release as the "stable"
  version.  Rather, the model now is that the current public release will
  aim for increasing stability (occasionally updated with fixes), and those
  who wish to use a "bleeding-edge" snapshot can do so via access to the
  public SVN source code repository, as explained at

	  http://bro-ids.org/wiki/index.php/Subversion#Public_Access

  Note that all previous releases remain available from the download page;
  what is changing is that we no longer commit to support for the most
  recent of these.

- We have clarified the copyright statement that covers most of the
  code to remove the "advertising clause" that derived from older
  BSD licenses, and we have removed copyright wording from most source
  code files.  See COPYING for the current wording and a list of
  files that retain their own copyright notices.

- Bro now supports analyzing NetFlow v5 data, i.e., from Cisco routers
  (Bernhard Ager).  NetFlow can be useful for intrusion detection as it
  allows analysis of traffic from many different points in the network.
  Bro can now read NetFlow data from a UDP socket, as well as (mostly
  for debugging purposes) from a file in a specialized format.  You can
  create these files with the programs given in aux/nftools.

  Command line switches:

	  -Y|--netflow <ip>:<prt>[=<id>] | read flow from socket

	    This is the usual way of getting NetFlow data into Bro by
	    opening a UDP socket on <ip>:<prt> and reading all incoming
	    packets.  Setting the <ip> to 0.0.0.0 should work on most
	    platforms.  Optionally you may set an identifier <id> for the
	    source - useful if there are many different sources you want
	    to analyze in parallel. This might also be necessary if you
	    want to use this feature with a clustered Bro.

	    Examples:
		      bro -Y 0.0.0.0:5555 netflow
		      bro -i eth0 -Y 10.0.0.1:1234=src1 brolite netflow

	  -y|--flowfile <file>[=<ident>]

	    Used to read from a file. You can optionally include an
	    identifier for the source.

	    Examples:
		      bro -y myflowfile netflow
		      bro -y myflowfile=src1 otherflowfile=src2 netflow

  Netflow Events:

	  event netflow_v5_header(h: nf_v5_header)

	    Generated upon reading a new NetFlow PDU, as summarized in the
	    argument.  The field h_id gives the flow source identifier and
	    a serial number. You can use this field to associate subsequent
	    netflow_v5_record events with their header.

	  event netflow_v5_record (r: nf_v5_record)

	    Every record within a NFv5 PDU generates a corresponding
	    netflow_v5_record() event.  The relatively complex timestamp
	    format of NFv5 is already converted to Bro's time type, and
	    the TCP header flags are separated into bools.

  The distribution includes an example analysis script, netflow.bro.
  It simply dumps received NetFlow records.  If netflow_restitch is T
  (the default), then Bro performs flow restitching as well, and two
  script variables become relevant:

	  global netflow_finished_conn_expire = 310 sec &redef;

	    specifies how long to wait for additional flow records after
	    a RST or FIN for

	  const netflow_table_expire = 31 min;

	    Its setting only affects table declarations, and therefore
	    cannot be usefully redef'd.

  Auxiliary programs:

	    Bro uses a custom format for flow data stored in files,
	    to enable preserving timestamps of the PDU arrivals and the
	    exporter's IP address.  The tools nfcollector and ftwire2bro
	    in aux/nftools/ provide ways to manipulate the Bro NF file
	    format.  The first dumps NetFlow data from a UDP socket to
	    stdout or to a file in Bro format.  The second converts NetFlow
	    data in "wire" format to Bro format, and, while doing so,
	    fakes up the exporter's IP address and timestamp.  You can get
	    "wire" format from normal flow-tools files, e.g., by using
	    'flow-export -f 4'.  Please note that the Bro format is just
	    a hack to allow for easier debugging.  Therefore the format
	    is not in fact platform independent, and not suitable for data
	    storage.

- A new DHCP analyzer generates the following events (Po-Ching Lin):

	event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr)
	event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr,
	event dhcp_request(c: connection, msg: dhcp_msg,
	event dhcp_decline(c: connection, msg: dhcp_msg)
	event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr,
	event dhcp_nak(c: connection, msg: dhcp_msg)
	event dhcp_release(c: connection, msg: dhcp_msg)
	event dhcp_inform(c: connection, msg: dhcp_msg)

  where dhcp_msg values look like:

	type dhcp_msg: record {
		op: count;	# 1 = BOOTREQUEST, 2 = BOOTREPLY
		m_type: count;	# the type of DHCP message
		xid: count;	# transaction ID of a DHCP session
		h_addr: string;	# hardware address of the client
		ciaddr: addr;	# original IP address of the client
		yiaddr: addr;	# IP address assigned to the client
	};

  See dhcp.bro for the corresponding analysis script (which could
  probably use some refinements).

  Note, this analyzer is implemented using BinPAC, so you will need
  to specify --use-binpac to activate it.

- A BitTorrent analyzer is now available (Nadi Sarrar).  See the policy
  scripts bittorrent.bro and bt-tracker.bro for the events generated for
  analyzing transfers and tracker dialogs, respectively.

- The "Bro Lite" configuration is now deprecated and will not in
  general be supported (Robin Sommer & Vern Paxson).

- "make install" now only installs a core set of files (Robin Sommer).
  Policy files are now installed in <prefix>/share/bro/* (or whatever
  configure determines $datadir to be), which is now in Bro's default
  search path.  It creates a directory <prefix>/share/bro/site for local
  policy files, and the default BROPATH is extended to include this.  The
  default path no longer includes policy/local.  You can install the
  additional files used by the (now deprecated) "Bro Lite" configuration
  using "make install-brolite".

- Substantial updates to Broccoli, including support for container
  types (tables and sets) as well as a new metadata structure for event
  callbacks, facilitating truly generic event handler implementations
  (Christian Kreibich, Seth Hall and Robin Sommer). See aux/broccoli/ChangeLog
  for details.

- Extensive changes to allow Bro to process packets captured in the
  past intermingled with those captured in real-time (Matthias Vallentin
  and Robin Sommer).  This operation reflects combining Bro with use of
  "Time Machine" functionality for packet capture.

- We have unfortunately had to disable support for configuring Bro
  to use ClamAV, since it turns out that the key interface we need
  for processing blocks of memory directly rather than whole files
  is no longer supported by the package, and in fact was buggy even
  when it was (Robin Sommer).

- The new signature option "http-body /<regexp>/" matches <regexp>
  on the body data of HTTP entities (Robin Sommer).  The matching is
  done after decompressing the body, if necessary.

- The new built-in function identify_data(data: string, return_mime: bool)
  analyzes the string "data" and returns its type according to libmagic,
  if installed (Seth Hall).  The second argument controls whether it should
  be returned as a MIME-type or just an identifying string.  For example,
  identify_data("MZpofigu", F) returns the string "MS-DOS executable", and
  print identify_data("MZpofigu", T) returns "application/x-dosexec".

- The new analysis script http-identified-files.bro identifies the
  type of items returned by Web servers using libMagic (if available)
  and generates notices for interesting types and mismatches between
  URLs and types (Seth Hall).

  You configure it using two variables.  watched_mime_types is a pattern
  (default /application\/x-dosexec/ | /application\/x-executable/ ) for
  which any MIME type matching the pattern generates a HTTP_WatchedMIMEType
  notice.

  mime_types_extensions is a table mapping strings to patterns specifying
  how URLs for the given MIME type should appear.  (Ideally, this would
  be a table mapping patterns to patterns, but Bro doesn't currently support
  that.)  It defaults to:

		["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/

  i.e., do Windows executables end in .exe or .dll.

  You can also redef the pattern ignored_urls to specify URLs that should
  not generate complaints.  It defaults to matching Windows Update.

- The new script http-extract-items.bro extracts the items from HTTP
  traffic into individual files (Vern Paxson).  Files are named:

	<prefix>.<n>.<orig-addr>_<orig-port>.<resp-addr>_<resp-port>.<is-orig>

  where <prefix> is a redef'able prefix (default: "http-item"), <n> is a
  number uniquely identifying the item, the next four are describe the
  connection tuple, and <is-orig> is "orig" if the item was transferred
  from the originator to the responder, "resp" otherwise.

- The workings of how Bro interfaces to external programs for dropping/
  restoring connectivity of misbehaving hosts has been significantly
  reworked (Brian Tierney and Robin Sommer).

  First, dropping decisions used to be made directly by analyzer scripts,
  such as scan.bro directly calling drop_address().  Now instead the
  scripts generate Notices and then the notice policy can have an
  action of NOTICE_DROP to codify that the response to the given Notice
  is to drop the source.  The new notice_action_filter of drop_source
  drops the source of notices, and drop_source_and_terminate both
  drops the source and terminates the corresponding connection.

  So, to drop all sources triggering a specific notice, one can now, e.g.,
  write:

	redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source };

  Related to this change, notice_info has a new field $dropped, set to
  true if the Notice triggered a (successful) drop.

  Second, by redef'ing Drop::use_catch_release to T (default F) you can
  activate "catch-and-release" logic.  You use this mode when you need to
  manage a limited number of possible blocks, or to build in automatic
  "forgiveness" in situations where blocked sources might become benign
  (such as due to dynamic IP addresses).  If a source has been idle for
  Drop::drop_time, then it is unblocked.  However, if it is again seen as
  block-worthy, then it is blocked for an interval of Drop::long_drop_time.

  Third, ICMP scanning is now reported by its own notice, ICMPAddressScan,
  rather than Scan::AddressScan.

- Google's perftools have replaced mpatrol for leak-checking and
  heap-profiling (Robin Sommer).  If Bro is compiled with --enable-perftools
  and configure finds the perftools, there are two command-line options
  available:

	-m turns on leak checking of the main packet loop, with some
	   uninteresting leaks are suppressed.  Currently, with one
	   exception (the RPC analyzer; problem not yet found), it reports
	   no leaks when running the test suite.

	-M turns on heap profiling: Bro will take a snapshot of the heap
	   before starting the main packet loop and another one when
	   finished. These snapshots can then be analyzed with pprof.

  For more information about the perftools see

	http://code.google.com/p/google-perftools

- Notice tags are now generated in a pseudo-unique fashion that, with high
  probability, ensures that tags generated by separate Bro processes don't
  clash when logged to a common location, such as for a Bro cluster (Robin
  Sommer).  Tags are now string's rather than count's, and are associated
  with all notices, not just that are connection-related.  You can however
  redef the string notice_tag_prefix or the function new_notice_tag to
  further control how such tags are generated.

- Four new built-ins for type conversion (Robin Sommer):

	function double_to_interval(d: double): interval
	function addr_to_count(a: addr): count
	function port_to_count(p: port): count
	function count_to_port(c: count, t: transport_proto): port

- Many policy scripts have been modified to use modules & scoping
  (Robin Sommer and Matthias Vallentin), which may require updates to
  existing scripts/refinements.

- The new script variable dpd_conn_logs (default F), if true, changes the
  semantics of the service field in connection logs written to conn.log,
  as follows (Robin Sommer).  It becomes a comma-separated list of analyzers
  confirmed by DPD to parse the connection's payload.  If no analyzer could
  confirm its protocol, but the connection uses a well-known port, the
  service is the name of the port with "?" appended (e.g., "http?"), as
  long as the corresponding analyzer has not declined the connection.
  In addition, ftp-data sessions are labeled "ftp-data" and portmapper
  connections are labeled with the specific method-call (just as before).

  dpd_conn_logs defaults to F because the change in semantics may break
  scripts that parse conn.logs; but it will likely change to the default
  in the future. With dpd_conn_logs turned off, conn logs are generated
  as they used to be, with a few rare exceptions (with previous versions,
  the service field was sometimes determined while the connection was still
  alive; now it's always determined at the time when the conn.log entry
  is written out).

- The SSL analyzer has been rewritten using BinPAC, with a number of
  robustness improvements (Tobias Kiesling).  It currently is only used
  if you execute with --use-binpac.

- Python bindings for Broccoli are now available in
  aux/broccoli/bindings/python/ (Robin Sommer).  See README/README.html
  in that director for details.

- The new "auth" option in remote.bro indicates whether a given side is
  considered "authoritative" for shared state, in which case it sends its
  initial state to &sync'ed peers (Robin Sommer).  When two peers synchronize
  their state, one side sends its current set of state to the other as
  soon as the remote connection is established.  The one sending the state
  used to be the one who has been running longer; now it can also be
  explicitly set via the "auth" flag in the Remote::Destination.

- Two new tuning parameters for scan.bro (Robin Sommer):

  ignore_scanners_threshold (default 0):

	If a host has scanned more than this many hosts, it is completely
	excluded from further scan detection.  0 disables.

  addr_scan_trigger (default 0):

	A host is only tracked for address scanning once it has contacted
	this many different hosts.  Primarily intended for using a two-stage
	scan detection with a Bro cluster: first, each node searches locally
	for scanners by looking for hosts contacting more than
	addr_scan_trigger destinations.  Those hosts which do are then
	globally tracked throughout the cluster by &synchronizing the scan
	detector tables.

- When Bro serializes functions, it now does so by default using only
  their name, rather than their full value (Robin Sommer).  This prevents
  propagation of expiration functions associated with tables and sets.
  Note, currently there is no mechanism provided to switch from the
  default behavior, but the internal hooks are in place to do so.

- The new built-in variable trace_output_file gives the name of the -w
  output trace file (Robin Sommer).

- Bro no longer installs new file rotation timers when shutting down
  (Robin Sommer).

- The new policy scripts remote-print-id{,-reply}.bro support convenient
  access to printing the identifiers of a remote Bro (Robin Sommer).
  You use the script remote-print-id.bro to request and receive the
  printing; the remote Bro must have loaded remote-print-id-reply.bro
  in order to process the request.

  Example use:

	  bro -e 'redef PrintID::dst="<dst>" PrintID::id="<name-of-id>"'
			<other scripts> remote-print-id

- scan.bro has been heavily modified to better support distributed scan
  analysis (Matthias Vallentin and Robin Sommer).

- The check for unused event handlers is now turned off by default
  (Robin Sommer).  To enable, use "redef check_for_unused_event_handlers = T".

- The new script drop.bro has been split off from scan.bro to isolate
  the logic concerning dropping addresses to block scans (Robin Sommer).

- The new -l flag lists each script as it is loaded (Robin Sommer).

- Textual descriptions of identifiers now include their attributes
  (Robin Sommer).

- The new predefined function prefixed_id() returns a session identifier with
  its peer-ID prepended if it's associated with a remote Bro (Robin Sommer).
  This is now used when generating writing log files.

- remote.bro now assigns a priority of -10 to its bro_init() event handler
  to allow others a chance to modify destinations (Robin Sommer).

- A large number of BinPAC updates (Ruoming Pang and Robin Sommer).

- The new built-in type_name(v): string returns the name of the type
  of the value v (Vern Paxson).  For example, "typename(5.2)" returns
  "double".  This function is mainly for internal debugging (i.e.,
  finding mismatches between values generated by the event engine
  versus how their type is expected by the script layer).

- The new built-in str_shell_escape() does some basic escaping on strings
  that will be passed to system() (Christian Kreibich).  Note, this function
  isn't ready (robust enough) for routine use, however.

- The new built-in disable_print_hook(file) acts the same as
  the attribute &disable_print_hook (Robin Sommer).

- The new script terminate-connection.bro factors out the terminate_connection()
  functionality that used to be in conn.bro (Robin Sommer).

- The new attribute &group=<tag> can be associated with event handlers
  to group them together into a set that can be manipulated as a whole
  (Robin Sommer).  <tag> is a string reflecting the name given to the group.

  The built-in enable_event_group(group: string) turns on all the analyzers
  in a given group, and disable_event_group(group: string) deactivates them.

- The new attribute &raw_output applies to variables of type file, disabling
  escaping of non-printable characters (Seth Hall).

- You can now iterate over the characters in a string value using
  a "for" loop, e.g., "for ( c in str ) ..." (Robin Sommer).

- The new built-in

      function cat_sep%(sep: string, def: string, ...%): string

  works similarly to cat(), except that it (a) separates the values
  by "sep" and (b) substitutes "def" for empty strings (Seth Hall).

- The function string_escape() now takes a string of characters to escape
  rather than a single character (Robin Sommer).  Each character in the
  string is preceded by '\' in the return value (also any embedded '\'s,
  as before).

- The new built-in function global_ids() returns a table of all global
  identifiers along with associated information (Robin Sommer).  The
  return value has type table[string] of script_id, indexed by the name
  of the identifier and yielding records with the following fields:

	type script_id: record {
		type_name: string;
		exported: bool;
		constant: bool;
		enum_constant: bool;
		redefinable: bool;
		value: any &optional;
	};

- The new script function find_last(str: string, re: pattern) returns
  the last occurrence of the given pattern in the given string, or
  an empty string if no match (Robin Sommer).  Note that this function
  returns the match that starts at the largest index in the string, which
  is not necessarily the longest match.  For example, a pattern of /.*/
  will return just the final character in the string.

- The new script variable record_all_packets, if redef'd to T (default F),
  instructs Bro to record every packet it processes (Robin Sommer).
  Prior to introducing this variable, Bro applied a few heuristics to
  reduce recording volume.  Setting this variable also causes packets
  to be recorded very early in processing, which can be helpful for
  debugging crashes.

- If the new script flag ssl_log_ciphers is set to T (default), ssl.bro
  logs the ciphers seen (Robin Sommer).

- Much more expanded Time Machine support, now located in
  policy/time-machine/ (Robin Sommer),

- The new command line option --status-file <file> (alias -U) specifies
  the name of a file into which Bro will write an indicator of its current
  processing status (Robin Sommer).  Possible values include "INITIALIZING",
  "RUNNING", "TERMINATING", "TERMINATED".

- The new policy script targeted-scan.bro looks for repeated access from
  the same source to the same server, to detect things like SSH
  password-guessing attacks (Jim Mellander).

- The "alternative" style for printing strings (i.e., a fmt() argument
  of "%As") now renders the raw string, other than escape-expanding
  embedded NULs (Vern Paxson).  This change may be temporary, pending
  development of more fine-grained control over string rendering.

- For now we have removed the %S functionality for fmt() (Robin Sommer).
  %S was meant to print "raw" strings, but later processing of such
  printing still introduces artifacts.

- GeoIP information now includes latitude and longitude (Seth Hall).

- ssh.bro now supports the variable skip_processing_after_handshake
  which directs the event engine to omit any further processing of an
  SSH connection after its initial handshake (Seth Hall and Robin Sommer).
  This can help with performance for large file transfers but precludes
  some kinds of analyses (e.g., tracking connection size).  This change
  also adds a scope of "SSH".

- Email notification of notices now allows for separate destinations
  depending on notice type (in particular, a regular mail destination
  versus a pager destination), and also escapes the notice to prevent
  injection attacks (Seth Hall and Robin Sommer).

- The new policy script conn-flood.bro is a simple connection-flooding
  detector, mainly meant as a demonstration (Robin Sommer).

- A large number of additions to the TLS/SSL known-ciphers suite (Seth Hall).

- Serialization now uses 64-bit IDs to cache items rather than 32-bit,
  for robustness during long-running execution (Robin Sommer).

- The new script variable tcp_max_initial_window specifies, for flows
  for which ACKs have never been seen, the maximum volume of initial
  data after which Bro will assume that it is seeing only one side
  of the connection and will not buffer data for consistency checking
  awaiting the later arrival of ACKs (Robin Sommer).  It defaults to 4 KB.
  (Note, this used to be an internal value, so the behavior is not new.)
  Set to 0 to turn off this functionality and have Bro attempt to
  track all such flows.

- The new script variable tcp_max_above_hole_without_any_acks specifies,
  for flows for which ACKs have never been seen, the maximum volume of
  data above a sequence hole that Bro will tolerate for a connection
  before giving up on tracking the flow (Robin Sommer).  It defaults to 4 KB.
  (Note, this differs from tcp_max_initial_window in that this threshold
  applies to sequence holes rather than the beginning of flows.  Like
  tcp_max_initial_window this used to be an internal value.)  Set to 0 to
  turn off this functionality.

- The new script variable tcp_excessive_data_without_further_acks specifies
  a threshold similar to tcp_max_above_hole_without_any_acks, but for
  flows for which Bro has seen ACKs (Robin Sommer).  It defaults to 10 MB.
  Set to 0 to turn off the functionality.

- Equal signs ("=") in text for notices are now escaped when using the
  tagged format to keep them unambiguous from the "=" delimiters
  (Robin Sommer).

- The final tallies for notices are now processed as NoticeTally
  NOTICE's rather than directly alarm'd (Robin Sommer).

- WeirdActivity notices now include an associated connection when appropriate
  (Robin Sommer).

- Support for large (> 2^32 bytes) pcap trace files (Po-Ching Lin).

- Scoped names ("...::...") are now allowed in signature "eval"
  constructs (Christian Kreibich).

- scan.bro is now decoupled from conn.bro, i.e., you can @load the
  latter without getting the former (Vern Paxson).  As part of this
  change, the logic to invoke TRW is now in scan.bro.

- weird.bro has been updated with a number of missing Weird's (Vern Paxson).

- If when using inter-Bro communication the child Bro process terminates,
  it now also terminates the parent process (Robin Sommer).

- BinPAC analyzers now interoperate with DPD (Robin Sommer).

- Some http.bro processing options are now exported so they can be
  accessed in other scripts (Robin Sommer).

- SMTP analysis now applies to port 587/tcp as well as 25/tcp (Robin Sommer).

- $conn is now set in ServerFound notices (Robin Sommer).

- You can now create empty sets and tables using set() and table(),
  i.e., the usual set/table constructors with no arguments (Vern Paxson).
  By themselves, these have an unspecified type - you can't use them
  directly other than to assign them.  For example,

	local bad_guys: set[addr];
	...
	bad_guys = set();	# start over assuming no bad guys

- A number of scripts have been (slightly) simplified to use the
  new empty set()/table() constructors (Vern Paxson).  Note that
  these still aren't usable for field assignments in record constructors,
  nor for attributes like &default = ...

- Removed unused syntax for declaring sets based on a list of initial
  values (Vern Paxson).

- set() and table() can now be used as arguments to function calls
  (Vern Paxson).

- The vestigial &match attribute has been removed.

- POP3 is now recognized using Dynamic Protocol Detection (Seth Hall).

- The new event expected_connection_seen(c: connection, a: AnalyzerTag)
  is generated whenever a connection is seen for which we have previously
  scheduled an analyzer via expect_connection() (Robin Sommer).

- The new built-in capture_state_updates logs all changes applied to
  &synchronized variables, in a fashion similar to the capture_events()
  built-in (Robin Sommer).  An accompanying policy script,
  capture-state-updates.bro, turns this on to the file state-updates.bst.

- If the new script variable suppress_local_output is set (default: F),
  Bro suppresses printing to local files if there's a receiver for
  print_hook events (Robin Sommer).  This option is however ignored
  for files with a &disable_print_hook attribute.

- The new notice action filter function file_if_remote specifies
  that notices from sent from remote source addresses should
  have an action NOTICE_FILE (Robin Sommer).

- The new notice action filter function file_local_bro_notices specifies
  that notices generated by the local Bro instance (as opposed to a
  remote peer) should have an action NOTICE_FILE (Robin Sommer).

- An arbitrary tag can now be past to post-processors for log rotation
  (Robin Sommer).

- Default inactivity timeouts for interactive services shortened to
  1 hour (Robin Sommer).

- The scanning variables distinct_{peers,ports,low_ports} are now
  redef'able (Robin Sommer).

- The new -S (--summary-only) option for site-report.pl directs to
  only generate connection summaries (Brian Tierney)

- More useful default config file for edit-brorule.pl (Brian Tierney).

- Bro now includes a test suite in testing/istate/ for its "independent
  state" functionality (Robin Sommer).

- Support for parallel builds via make -j (Christian Kreibich).

- Bro's default search path now includes includes policy/sigs/ and
  policy/time-machine/ (Robin Sommer).

- Bro's internal processing of interprocess communication has been
  significantly overhauled to prevent potentially fatal race conditions
  (Robin Sommer).

- Bro now checks calls to fmt() at compile-time to ensure that the
  correct number of arguments are present (Vern Paxson).  This is useful
  in addition to Bro's run-time checking for arguments matching their
  corresponding format-specifiers in the case of rarely-executed statements
  that might not generate such run-time checks in routine testing.

- The ports associated with Telnet and Rlogin are now redef'able (Robin Sommer).

- MIME processing now removes leading whitespace from MIME headers
  (Sanmeet Bhatia and Robin Sommer).

- TCP "weird" events reported by the connection compressor now match
  (other than a few rare corner-cases) those produced for normal TCP
  processing (rmkml and Robin Sommer).

- Added Scan::suppress_UDP_scan_checks to control false positives
  on scan detection in environments with P2P protocols that use UDP
  (Vern Paxson).

- The internal analyzer interface now includes an EndOfData() method that
  analyzers can use to report that all of a message has been delivered
  (Robin Sommer).

- Fix for a significant memory leak in processing UDP when using -w
  (Robin Sommer).  Note: this change turns off by default trace rewriting
  for generic UDP traffic.

- Two serious regular expression bugs fixed (Vern Paxson).  In the
  first, searching for a regular expression inside a string would
  fail if the pattern occurred only after an embedded newline.  In
  the second, insufficient buffer was allocated when compiling regular
  expressions, leading to memory corruption.

- Base64 decoding bug fixes (Christian Kreibich and Ruoming Pang).

- Automatic rotation of files is now disabled for contents files written
  by the TCP reassembler, which otherwise leads to mangled files
  (Robin Sommer).

- Bro now ships with an updated version of libpcap (0.9.8), which hopefully
  fixes problems managing trace files > 4 GB in size.

- Significant bug fixes for gzip- and deflate-encoded Web items (Robin Sommer).

- Bug fix for secondary-filter.bro (Vern Paxson).

- Removed a naming ambiguity regarding TCP states (Vern Paxson).

- Bug fix for signature scanner not matching all of its input (Vern Paxson).

- Bug fix for using port values in signatures (Robin Sommer).

- Minor policy script tweaks: state management for weird's, processing
  of Notice tags associated with connections, and dependencies for
  irc-bot.bro (Robin Sommer).

- aux/ portability fixes (Vern Paxson).

- Workarounds added for a BinPAC deficiency, which is that code in %cleanup
  clauses can also be executed during recovery from exceptions when parsing
  new data.  This means that any delete's or Unref()'s need to also set the
  corresponding pointer to nil (Vern Paxson).

- Bug fix for crashes with the non-BinPAC SSL analyzer (Robin Sommer).

- Tweak to peer-status.bro since Bro now requires events to be
  declared prior to reference in a "schedule" statement (Robin Sommer).

- The signature keyword "enable" now optionally accepts the syntax
  "foo:bar" to specify "activate analyzer bar as a child of analyzer foo"
  (Robin Sommer).  This is used for example for an XML-over-HTTP analyzer
  that's in the works.

- irc-bot-syslog.bro now uses open_log_file() for its log file (including
  the logging suffix) rather than a direct open (Vern Paxson).

- Bug fix for tracking Blaster across a Bro Cluster (Robin Sommer).

- Bug fix for the HTTP BinPAC analyzer chopping the trailing character
  off of HTTP headers when generating the http_all_headers event (Gregor Maier).

- Bug fix for HTTP chunked items for which the chunk size line was terminated
  by CRLF but the CR and LF came in separate packets (Gregor Maier).

- A bug has been fixed that would cause partial lines (for line-oriented
  protocols) to fail to be processed when a connection terminated
  (Robin Sommer).

- Bro no longer treats a signal arriving before a previous signal has
  been processed as fatal, nor does it attempt processing of a termination
  signal if seemingly there are no race conditions to worry about
  (Robin Sommer).  Both of these changes are an attempt to improve
  Bro's robustness.

- Fix for attributes such as &encrypt not working in initial declarations
  but only in later redef's (Seth Hall and Robin Sommer).

- Fixes for memory leaks in SSL processing (Seth Hall and Robin Sommer).

- Fix for POP3 analyzer to not treat lines like "<space>." as message
  terminators (Robin Sommer).

- Bug fix for crashes arising from nil pointers in list expressions
  (Seth Hall and Robin Sommer).

- Bug fix: a signature's "enable" would activate the corresponding analyzer
  even if no event handlers were defined for it (Robin Sommer).

- Bug fixes to prevent crashes when mixing set_contents_file() with
  subsequent explicit close(), and to ensure all data written to
  file upon connection tear-down (Gert Doering and Robin Sommer).

- Configuration support for MacPorts and Fink package management systems
  (Christian Kreibich & Vern Paxson).

- Communication-only Bro's now send out email alarms (Robin Sommer).

- Writes to a file that fail due are now run-time errors rather than
  fatal internal errors, since often these occur due to the disk
  being full (Robin Sommer).

- Byte-order bug fix for lookup_location() (Robin Sommer).

- BinPAC portability fix for 64-bit machines (Bernhard Ager and Robin Sommer).

- Portability fixes for newer versions of gcc (Jan Gerrit Goebel and
  Robin Sommer).

- Some support for porting to Solaris (Stephan Toggweiler).

- Connection compressor bug fix for source and destination having the
  same IP address, such as when monitoring loopback (Robin Sommer).

- Connection compressor bug fix for connections with multiple SYNs
  (Robin Sommer).

- Bug fix for using already-declared local variables for looping
  over vectors in a "for" loop (Robin Sommer & Vern Paxson).

- Bug fix for not processing truncated UDP packets (Tom Kho and Robin Sommer).

- Bounds-check added to BinPAC-generated code (Tom Kho and Robin Sommer).

- Bug fix for checking whether an IPv6 address is part of a subnet
  (Seth Hall).

- Bug fixes for crashes relating to asynchronous DNS lookups performed
  at start-up (Robin Sommer).  These changes also lowered the timeout
  before assuming failure from 20 seconds down to 5 seconds.

- Portability and const-ness fixes (Kevin Lo and Robin Sommer).

- Suppression of some content-gap complaints when running on traces
  that have been filtered down to only TCP control packets (Robin Sommer).

- Removed unnecessary dependency in notice-action-filters.bro
  that led to errors when loading icmp.bro by itself (Vern Paxson).

- Bug fix for potential infinite loop in client communiation (Robin Sommer).

- Bug fix in reference counting that could eventually lead to roll-over
  (Robin Sommer).

- Bug fix in communication initialization (Robin Sommer).

- Internal documentation fix: timers are specified using absolute time,
  not relative (Robin Sommer).

- Performance improvement for built-in find_all() function when running
  on large strings (Robin Sommer).

- Memory leak fixes (Robin Sommer, Bernhard Ager, Christian Kreibich).

- Bug fix for error recovery when encountering an unknown link layer
  (Bernhard Ager).

- Bug fix for reversing client & server in a connection (Po-Ching Lin).

- Bug fix for packet_contents when capture length exceeds the IP payload
  length due to Ethernet frame padding (Christian Kreibich).

- Bug fix for tcp_packet event erroneously including Ethernet padding
  in its contents (Vern Paxson).

- Bug fix for lookup_connection built-in (Seth Hall).

- Portability nit for libedit tarball (Vern Paxson).

- Broccoli portability fix for NetBSD (Christoph Leuzinger).

- Type-checking for script-level event invocation was completedly broken -
  now fixed (Vern Paxson).

- Portability fixes for different versions of g++/STL (Nicholas Weaver
  and Vern Paxson).

- Fix for dynamic detection of SSL via DPD (Robin Sommer).

- IPv6 portability fix for BinPAC-based DNS analyzer (Vern Paxson).
  Note, more portability work is needed for it.

- Bug fix for bifcl error messages (Vern Paxson).

- Minor bug fix for remote communication, plus some improved communication
  logging (Robin Sommer).

- Bug fix for &printhook (Robin Sommer).

- Bug fix for error message output (Robin Sommer).

- Bug fix for termination cleanup (Robin Sommer).

- Bug fix for some Rlogin corner cases (Robin Sommer & Vern Paxson).

- Bug fix for bifcl generation of "interval" types (Vern Paxson).

- Bug fix for getting connection memory statistics when Bro is
  exiting (Robin Sommer).

- Config fix: --enable-debug now turns off -O2 for gcc (Robin Sommer).

- Bug fixes for "heavy" analysis (Vern Paxson).

- Broccoli bug fixes for types net and port (Robin Sommer).

- Bug fixes for Telnet environment options (Robin Sommer).

- Bug fix for accessing remote peer description (Robin Sommer).

- A fix for the connection compressor generating new_connection too
  late (Robin Sommer).

- Fixes for DAG support, including configuration and multiple
  interfaces (Robin Sommer).

- Bug fix for serializing time-stamps of table entries (Robin Sommer).

- Bug fix for dealing with peer IDs for remote communication (Robin Sommer).

- Bug fix to avoid installing timers when timers have already
  been canceled (Robin Sommer).

- Bug fix for interplay between serializing connections and
  connection compressor (Robin Sommer).

- Memory leak fix for enum's (Robin Sommer).

- Bug fix for files being closed prior to bro_done() (Vern Paxson).

- aux/broccoli/contrib was not included in distribution (Robin Sommer).

- Auto-configuration bug fix for BinPAC (Craig Leres).

- Bug fix for dynamic protocol detection (Robin Sommer).

- A number of configuration fixes for installation and portability
  (Christian Kreibich, Brian Tierney, Robin Sommer, Dan Kopecek).


1.3 Mon Jul 16 22:11:00 PDT 2007

- The Bro manual has been wikified at:

	http://www.bro-ids.org/wiki/index.php/User_Manual

  and this is the format in which it will evolve in the future
  (Christian Kreibich).

- Much more extensive support for SMB, NetBIOS and NCP (Chris Grier).

- The new attribute &priority=n defines the order of execution for handlers
  of the same event (Robin Sommer).  Handlers with higher priority are
  executed first.  n is an integer expression that must evaluate to a
  constant when the script is loaded.

  Example:
          > cat foo.bro
          event bro_init() &priority = -5 { print -5; }
          event bro_init() &priority =  5 { print 5; }
          event bro_init()                { print 0; }	# default priority=0
          > ./bro foo.bro
          5
          0
          -5

  The connection_state_remove() handler in conn.bro now has priority
  -10 and therefore executes after all other handlers for this event.
  This fixes a long-standing problem of sometimes $addl fields not showing
  up in connection summaries.

- The new expressions record(...), table(...), set(...) and vector(...)
  are constructors for the corresponding aggregate types (Vern Paxson).
  For example,

	record($foo = "hi", $bar = -6)

  is the same as the existing constructor

	[$foo = "hi", $bar = -6]

  For tables, sets, and vectors, the "..." values within the ()'s have
  the same syntax as those that you can list in variable initializations.
  For example,

	table([1, T] = "black", [4, F] = "red")

  returns a table of type "table[count, bool] of string".

	set(4, 3, -1)

  is a value of type "set[int]".

- You can associate attributes with table() and set() constructors
  (Robin Sommer).  For example:

         local s = set(1.2.3.4) &read_expire = 5 secs;

  associates a 5-second read expiration with the set assigned to s.

- Bro now explicitly supports port numbers reflecting a transport protocol
  type of "unknown" (Christian Kreibich).  Currently, this means "not TCP,
  UDP or ICMP".  The numerical value of such a port is the IP protocol,
  so ranges from 0..255.  For example:

    global p: port = 0/unknown;

    print fmt("%s", p);
    print fmt("p is TCP? %s", get_port_transport_proto(p) == tcp);
    print fmt("p is unknown? %s",
		get_port_transport_proto(p) == unknown_transport);

  yields

    0/unknown
    p is TCP? F
    p is unknown? T

  In comparisons of different protocol types, the following holds:
  unknown < TCP < UDP < ICMP.

- If your system supports "GeoIP" (see http://www.maxmind.com/app/geolitecity
  for a corresponding city database), then the new script function

	  lookup_location(a: addr): geo_location

  returns a record of geographic information associated with an address
  (Seth Hall).  The geo_location record has $country_code, $region and
  $city fields.  If no information is available, each of these will be
  set to empty strings.

  If Bro hasn't been configured with GeoIP support, or if the address is
  IPv6 that cannot be directly converted to IPv4, then Bro produces a
  run-time error and likewise returns empty strings.

- Signature-matching on HTTP components now processes the URI with
  escape sequences expanded (Robin Sommer).  Ideally, there would be
  two signature keywords, one for decoded URIs (corresponding to this
  case) and one that allows matching against the URI as originally
  transmitted.

- The connection compressor is no longer considered experimental, and
  is used by default (Robin Sommer).

- The new function lookup_hostname(host: string): addr_set asychronously
  looks up the IPv4 address(es) of the given host via DNS (Robin Sommer).
  Like lookup_addr(), this function can only be used within a "when"
  statement.

- The new built-in

	raw_bytes_to_v4_addr(s: string): addr

  takes a string that points to at least 4 bytes, and returns an address
  corresponding to interpreting these as being an IPv4 address in network
  order (Vern Paxson; suggested by Mike Dopheide).

- Trace-rewriting support for DNS, SMB (Chris Grier).

- The new script function find_all(str: string, re: pattern): string_set
  returns a string_set giving all occurrences of the pattern "re" in
  the string "str" (Robin Sommer).  (Note that string_set's are unordered.)

- The new policy script save-peer-status.bro generates a log
  to peer_status.$BRO_LOG_SUFFIX of updates received from
  communication peers (Robin Sommer).

- The policy script print-filter.bro now includes two (scoped) variables,
  terminate_bro and to_file, which control whether to exit after printing
  the filter (default T) and whether to write to the log file
  pcap_filter.$BRO_LOG_SUFFIX or (default) to stdout (Robin Sommer).

- The new script variable check_for_unused_event_handlers controls whether
  Bro checks for unused event handlers (Robin Sommer).  It defaults to T,
  which was the past behavior (always report).

- Bro now terminates if the only pending activity is future timers
  (Robin Sommer).  It used to wait for those timers to expire, but this
  can cause fundamental problems if the timers are associated with table
  management (since these might never completely drain).

- Tables and sets inside of records are now initialized to empty
  values rather than uninitialized (Vern Paxson).

- A new variable allow_services_from (in hot.bro) complements the
  existing allow_service_to variable (Brian Tierney).  It specifies
  that access to the given service from the given originator is
  allowed.

- global_sizes() no longer reports internal variables (Robin Sommer).

- The IRC analyzer is now activated if any of the (many) IRC event
  handlers are defined (Robin Sommer).

- The default value for tcp_close_delay is now 5 sec rather than 0 sec
  (Robin Sommer).  This prevents some spurious connection events.

- Improved logic for dealing with "reversed" connections such
  as backscatter (Vern Paxson).

- You can now left-justify fields when using fmt() with "%-" like
  in sprintf (Christian Kreibich).

- Updates to DNS query types (Larry Leviton).

- Added mechanism to http-header.bro to skip printing some HTTP headers
  (Larry Leviton).

- The IrcHotWord notice now sets the associated connection (Robin Sommer).

- If a notice has a tag, it's no longer overridden (Robin Sommer).

- ServerFound notices now set the port field (Robin Sommer).

- The built-in lookup_ID() now returns the string "<unknown id>" if the
  ID does not exist, rather than a run-time error (Robin Sommer).

- The new tuning option ProtocolDetector::suppress_servers specifies a
  set of analyzers for which Bro generates ServerFound notices, but not
  ProtocolFound (Robin Sommer).  This both reduces log file size and
  conserves memory.

- A new notice_action_filter, tally_notice_type_and_ignore, works the same
  as tally_notice_type but returns IGNORE (Robin Sommer)

- Setting summary_interval == 0 disables the creation of irc-bots.summary.log
  (Robin Sommer).

- If you @load foo and a directory "foo" is in your path, Bro no longer
  tries to load it (Robin Sommer).

- A number of BinPAC fixes and enhancements (Ruoming Pang, Chris Grier
  and Vern Paxson).

- BinPAC now resides in aux/binpac rather than src/binpac (Ruoming Pang
  and Christian Kreibich).  This reflects a decoupling of it from Bro so
  that it can be used to generate protocol analyzers for other projects too.

- Removed example Inktomi entries from skip_scan_sources initialization,
  since they no longer exist (Vern Paxson).

- The variable make notice_once_per_orig_tally_interval is now
  redef'able (Brian Tierney).

- SIGPROF to the communication child process now logs resource stats to
  remote.log (Matthias Vallentin).

- The new built-in getpid(): count returns Bro's process ID (Robin Sommer).

- Patterns for detecting IRC-based bots updated (Robin Sommer).

- irc-bot-syslog now logs just bots, not all IRC client/servers (Robin Sommer).

- The new variable suppress_notice_actions in notice.bro suppresses
  notice_actions events for selected notice types (Robin Sommer).

- Files opened during operation now rotate just like those opened at
  startup (Robin Sommer).

- ResourceStats now also logs elapsed time and the reported number of
  packets-on-the-link (Mark Dedlow).

- Printing a "file" value now produces its name (Robin Sommer).

- Removed deliberate truncation of payload in port 80 FIN packets
  (Vern Paxson).

- remote.log now includes received peer_descriptions (Robin Sommer).

- Significant POP3 analyzer speed-ups (Vern Paxson).

- Updated README (Vern Paxson).

- Fix for "@load a" followed by "@load a.bro" not loading the same file
  twice (Robin Sommer).

- Bug fixes for propagating state operations to uninitialized variables
  and for spurious state inconsistency messags (Robin Sommer).

- Bug fix for sending final sync-points during pseudo-realtime mode
  (Robin Sommer).

- Fix for possible buffer overflow (Christian Kreibich).

- Bug fix for spurious end-of-file's during inter-Bro communication
  (Robin Sommer).

- Bug fix for dpd_match_only_beginning=F (Robin Sommer).

- Bug fix for updating timestamps (Christian Kreibich).

- Bug fix for skipping ADU processing in adu.bro (Christian Kreibich
  and Zhichun Li).

- Fix for ICMPs that carry ICMP headers (or non-TCP/UDP/ICMP headers)
  within them (Vern Paxson).

- Fix for files being rotated after the timer queue has been deleted
  (Vern Paxson).

- Bug fix for signature-matching with IPv6 subnets (Vern Paxson).

- Bug fix for connection compressor setting connection origin (Robin Sommer).

- Bug fix for interconn.bro when processing peculiar connections (Vern Paxson).

- Fix for off-by-one buffer in sscanf call (Christian Kreibich).

- Fixed inefficiency/warning flagged by g++ (Vern Paxson).

- Bug fix for NUL string termination in SMB processing (Zhichun Li).

- Fix for over-ref'ing of file Val's (Vern Paxson).

- Fixes for some g++ warnings (Christian Kreibich, Vern Paxson).

- gcc 3.4.2 portability fixes (Robin Sommer).

- Minor build fixes for Broccoli, including a version bump to match that
  of Bro.  See aux/broccoli/ChangeLog for details.

- distcheck fixes (Christian Kreibich).

- Configuration portability fixes (Matthias Vallentin, Jean-philippe Luiggi).

- OpenBSD portability fixes (Jean-philippe Luiggi, Christian Kreibich).


1.2.1 Mon Dec 11 16:22:58 PST 2006

- Fixed delayed triggering of new_connection events when using the
  connection compressor.

- Fixed tracking of first packet in TCP analyzer. (Reported by Guohan Lu)

- The syslog built-in got lost during some previous merge.

- Fixed crash if local variable is given as timeout value for table.
  (Reported by Mike Wood.)

- Fixed using "time" values as table indices.

- Added ssh to default brolite DPD configuration.

- Fixed catching up to real-time in case of lull.

- Fixed Broccoli "BRO_DATA_FORMAT_VERSION" to match version in Bro.

- Fixed Makefile problem in doc directory.

- Fixed Makefile dependency problem in binpac directory.

- Added Linux tuning to brolite install script.

- Modified Makefile to include broccoli/contrib.

- Adding missing initialization to remote serializer.

- Minor documentation updates for reference manual and Broccoli.


1.2 Tue Oct 17 12:09:49 PDT 2006

- Bro now supports DPD, dynamic protocol detection (Robin Sommer, Holger
  Dreger, and Michael Mai).  With DPD, Bro can analyze protocols regardless
  of what port numbers they use: it infers the protocol based on which
  application analyzers can parse it without error.  Adding this functionality
  involved extensive changes to Bro's internals, but also now enables
  multiple Bro analyzers to work on the same connection, either concurrently
  or one nested inside the other (we have not taken much advantage of this
  latter capability yet, but see the FTP events discussed below).

  There are a number of new policy scripts, events, and variables associated
  with DPD processing, as follows.

  Scripts:

	You activate DPD by @load'ing dpd.bro.  It in turn instructs Bro
	to load the signature file policy/sigs/dpd.sig.  Note that Bro
	uses signatures to expedite deciding which analyzers to try on
	a given connection; it does *not* simply use the signatures to
	make the determination of which protocol is in use, as this is
	insufficiently robust.  (At this point, Bro provides signatures
	for FTP, IRC, HTTP, SMTP, and SSH.  In the future we plan to add
	other protocols.)

	Along with dpd.bro, you need to @load detect-protocols.bro or
	detect-protocols-http.bro. The former enables general detection
	of application-layer protocols, while the latter does further
	inspection of HTTP sessions to characterize applications running
	on top of HTTP such as Gnutella or SOAP.   (Loading dpd.bro
	is separate from loading one of these scripts because in principle
	Bro could use a different means than signatures to activate
	the analyzers, although currently it does not.)

	If you @load dyn-disable.bro, then once an analyzer determines
	that it does not match a given connection, it is deactivated
	(and a Notice is generated).  Otherwise, it still proceeds to try
	its best to analyze the connection (to possibly be more robust
	against evasion).

	The scripts dce.bro and smb.bro enable DPD for the Windows DCE and
	SMB protocols, respectively.  (Note that analysis of these protocols
	is undergoing a major expansion, not yet complete.)

  Events:

	event protocol_confirmation(c: connection, atype: count, aid: count)
		Generated when the given connection has been confirmed as
		conforming with the application type (protocol) specified
		by atype. aid is a globally unique analyzer ID that identifies
		a particular analyzer instance.

		The values for atype are symbolic names associated with
		each of Bro's analyzers, such as ANALYZER_IRC.  See the
		initialization at the beginning of Analyzer.cc for the
		full set of names.

		The function analyzer_name(atype: count): string translates
		these symbolic names into text.  For example,

			analyzer_name(ANALYZER_IRC)

		yields "IRC".

	event protocol_violation(c: connection, atype: count, aid: count,
				reason: string)
		Generated when the given connection has been found to
		violate the protocol of the given application type, with
		"reason" giving details.

  Variables:

	dpd_buffer_size: count (default 1024)
		Specifies how much pending data Bro keeps for connections
		that have not been classified yet.  Once this fills, the
		data is deleted, though classification can still continue
		(see below).

	dpd_match_only_beginning: bool (default T)
		If set, specifies that Bro should stop signature matching
		if it has processed dpd_buffer_size bytes.

	dpd_ignore_ports: bool (default F)
		If set, then Bro does not take into consideration the port
		numbers associated with connections when attempting to
		classify them (which can otherwise help the process in
		some cases).

	dpd_reassemble_first_packets: bool (default T)
		If set, then Bro does TCP stream reassembly before applying
		signature-matching to detect protocols.

	likely_server_ports: set[port]
		Specifies a list of ports that Bro will consider as likely
		used by servers.  For example, if Bro sees a connection
		that has already been established (so it does not know
		which side sent the initial SYN), and one side uses a port
		in this set, then it will assume that that side is the
		server (connection responder).  The set is empty unless
		you populate it or @load server-ports.bro, which specifies
		a large number of values.

	dpd_config: table[AnalyzerTag] of dpd_protocol_config
		Specifies the DPD configuration associated with each tag.
		The type dpd_protocol_config is simply:

			type dpd_protocol_config: record {
				 ports: set[port] &optional;
			};

		i.e., an optional $ports field specifying a set of ports
		associatd with the tag.  For example, ftp.bro now includes
		the equivalent of:

			redef dpd_config += {
				[ANALYZER_FTP] = [$ports = 21/tcp]
			};

  Functions:

	The function

		expect_connection(orig: addr, resp: addr, resp_p: port,
					analyzer: count, tout: interval)

	is called to alert Bro that a new connection is expected, initiated
	by orig to a server running on resp's port resp_p (note: orig's port
	is not specified) which will correspond to the specified analyzer
	(e.g., "FILE", which is used to analyze files transferred by FTP -
	see next item).  "tout" is a timeout to associate with the waiting.

	The function

		function disable_analyzer(cid: conn_id, aid: count)

	instructs Bro to disable the analyzer that generated the current
	event, assuming the analyzer is associated with the given connection
	ID.  This is used by the dyn-disable.bro script discussed above.

- A much more complete BinPAC compiler, along with new HTTP, DNS, and
  RPC/Portmap analyzers in binpac (Ruoming Pang). The flag "--use-binpac"
  activates the BinPAC-based analyzers (currently for HTTP and DNS).
  See www.cs.princeton.edu/~rpang/binpac-paper.pdf for a description of
  BinPAC, and let Ruoming know if you are interested in using BinPAC to build
  new analyzers.

- A new type of analyzer, FILE, analyzes the contents of a connection as
  though it were a data file (Robin Sommer).  Currently, it can generate
  two events:

	event file_transferred(c: connection, prefix: string, descr: string,
				mime_type: string)
		Indicates that the connection transferred a file. "prefix"
		is the beginning of the file's data; "descr" and "mime_type"
		are indicators of the file's type, as reported by the
		"libmagic" library.

		descr/mime_type are only set if Bro is configured on a
		system that includes the "libmagic" library.

	event file_virus(c: connection, virname: string)
		Indicates the connection transferred an executable
		corresponding to a known virus of the given name.

		This functionality is only available if Bro is configured
		on a system that includes the "libclamav" library.

  Note, this analyzer is enabled via a call to expect_connection by
  the FTP analyzer.

- New events relating to IRC analysis (Robin Sommer):

	event irc_client(c: connection, prefix: string, data: string)
		Generated upon seing a client message sent over the given
		IRC connection.  "prefix" is the command's prefix as defined
		by the IRC protocol.  It is used by servers to indicate the
		true origin of the message; it may be empty.  "data" contains
		the message.

	event irc_server(c: connection, prefix: string, data: string)
		Same for server messages.

	event irc_user_message(c: connection, user: string, host: string,
				server: string, real_name: string)
		Generated upon seeing an IRC "USER" command.

	event irc_password_message(c: connection, password: string)
		Generated upon seeing an IRC "PASS" command.

	event irc_channel_topic(c: connection, channel: string, topic: string)
		Generated upon seeing an IRC server reply that includes
		the channel topic.

	event irc_global_users(c: connection, prefix: string, msg: string)
		Generated upon seeing an IRC server reply that includes
		a count of the number of IRC users.

- The new experimental script irc-bot.bro tracks IRC-based bots (Robin Sommer).
  The accompanying script irc-bot-syslog.bro syslog's the state of the
  bot analysis every IrcBot::summary_interval seconds (default 1 minute).

- The new script proxy.bro looks for open Web proxies by matching incoming
  requests to a server with outgoing requests it makes (Robin Sommer).  It
  generates HTTPProxyFound Notices when it finds one.

- Changes to notices.bro (Robin Sommer):

	- notice_policy_item's now have a default $result of
	  NOTICE_FILE and a default $priority of 1.

	- The new notice_action_filter, notice_alarm_per_orig, alarms
	  on the first NoticeType from a specific source.  Subsequent
	  instances are tallied.

	- notice_action_filters now reside in the new script
	  notice-action-filter.bro (automatically loaded by notice.bro).

	- The notice actions NOTICE_ALARM_PER_CONN, NOTICE_ALARM_PER_ORIG,
	  and NOTICE_ALARM_ONCE have been removed, as they were never
	  actually implemented.

	- If the notice_policy returns IGNORE or FILE, the action_filters
	  filters are no longer consulted.

- A new attribute for tables and sets, &mergeable, changes the semantics
  of assignments, as follows (Robin Sommer).  Given two &mergeable tables/sets
  A and B, an assignment "A = B" becomes actually a join "A = A \cup B"
  (i.e., union).  The envisoned use is to help avoid race conditions
  when doing remote state synchronization.

- The semantics of &synchronized expire_funcs has changed (Robin Sommer).
  Now, when a table entry is expired and the operation is propagated to a
  a peer, the peer will call its expire_function.

- TRW analysis now skips UDP traffic because it currently treats
  all UDP connections as failures (Robin Sommer).

- trw.bro has been split into trw-impl.bro (the algorithm) and
  trw.bro (which simply activates the analysis), to facilitate writing
  scripts that have hooks into TRW analysis but don't presume it's
  active (Robin Sommer).

- The option report_remote_notices in remote.bro has been replaced
  by a new script you include, remote-report-notices.bro (Robin Sommer).

- The new function connect_peer() explicitly connects to a remote host
  (Robin Sommer).

- The new script remote-send-id.bro sends the current value of an ID
  to a remote Bro and then terminates processing (Robin Sommer).  It's
  intended for use from the command-line, as in

	bro -e "redef dst="<dst>" id="<name-of-id>" <scripts> remote-send-id

  The other scripts must set up the connection. <dst> is an index into
  Remote::destinations corresponding to the destination.

- New built-ins {suspend,resume}_state_updates() can be called to
  temporarily avoid propagating updates to &sync'ed values (Robin Sommer).
  This can avoid duplicated activity.

- The new function terminate_communication() instructs Bro to end its
  communication with remote peers (Robin Sommer).

- The new event remote_state_access_performed is raised when remote state
  access has been performed (Robin Sommer).  This is primarily for debugging.

- The log() built-in has been renamed to ln() to avoid conflict (Vern Paxson).

- bifcl now generates event generation wrapper functions from event.bif
  (Ruoming Pang).  For example, to generate event http_reply, currently
  one writes:

		val_list* vl = new val_list;
		vl->append(BuildConnVal());
		vl->append(new StringVal(fmt("%.1f", reply_version)));
		vl->append(new Val(reply_code, TYPE_COUNT));
		if ( reply_reason_phrase )
			vl->append(reply_reason_phrase);
		else
			vl->append(new StringVal("<empty>"));
		ConnectionEvent(http_reply, vl);

  In the future, one will be able to just call bro_event_http_reply(), and
  the code generated by bifcl looks like:

	void bro_event_http_reply(Connection* c, StringVal* version,
					bro_uint_t code, StringVal* reason)
		{
		val_list* vl = new val_list;

		vl->append(c->BuildConnVal());
		vl->append(version);
		vl->append(new Val(code, TYPE_COUNT));
		vl->append(reason);

		mgr.QueueEvent(http_reply, vl, SOURCE_LOCAL, c);
		}

  Accompanying this change is a semantic shift to types "string" and "port"
  in .bif files.  They used to be translated to C++ types BroString* and
  uint32, respectively.  Now they are translated to StringVal* and PortVal*.
  The functions in bro.bif are changed accordingly, and please be aware
  of this change when you write built-in functions in future.

  Also for this change, the parameter 'new' for rsh_request has been renamed
  'new_session', as 'new' is a reserved word for C++.

- Some ICMP "connections" now have services identified ("icmp-echo",
  "icmp-unreach") rather than just listing the service as "other"
  (Ruoming Pang).

- The new option remote_trace_sync_interval specifies an interval after
  which each Bro will stop processing its trace and wait for all others
  to signal that they have reached the same time (Robin Sommer).  The
  intent is support for operating Bro in a distributed cluster fashion
  (and in particular for debugging such clusters when running off-line
  on traces).

  This option only works in pseudo-realtime mode, and requires the new
  global remote_trace_sync_peers to give the total number of remote peers
  (not including self).  Signaling is done via a new communication message
  type.

- Extensions for DNS transformation/anonymization, including introduction
  of trace transformation for protocols other than TCP (Jason Lee).
  Not yet fully developed/debugged.

- Extensions for HTTP transformation/anonymization (Martin Casado).
  Not yet fully developed/debugged.

- The $conn field is now included in HTTPProxyFound notices (Robin Sommer).

- Changed service inference algorithm to favor lower-numbered
  likely-servers over higher-numbered ones (Vern Paxson).

- In pseudo-realtime mode, Bro now uses real-time for deciding which
  peer should send state (Robin Sommer).

- Time synchronization for Bro's running on traces in pseudo-realtime mode
  added (Robin Sommer).

- Avoidance of false content gaps improved when sorting packets with
  out-of-order timestamps (Ruoming Pang).

- Packets from the packet sorter are now more robustly drained upon
  termination of input (Ruoming Pang).

- Documentation for deep-copy updated (Christian Kreibich).

- Nasty fragment reassembly bug fixed (Vern Paxson).

- Serious bugs in EDNS0 processing fixed (Vern Paxson).

- Fixed significant misfeature of interconn.bro that stopped all processing
  of a connection once it makes a detection (Vern Paxson).

- Fixes for &read_expire operation across synchronizes tables (Robin Sommer).

- Fixes for multiple peers exchanging initial &sync state simultaneously
  (Robin Sommer).

- Improvements to graceful termination of Bro when communicating with
  remote peers (Robin Sommer).

- Fix for ICMP analyzer not always generating icmp_sent events
  (Robin Sommer).  This appears to still need some work, as now
  it generates redundant events.

- Fix for initial exchange of &sync state which could lead to
  referencing unknown IDs (Robin Sommer).

- Fix to scan detection for differing semantics of connection compressor
  vs. non-compressor (Robin Sommer).

- Bug fix for distinguishing regular expression matches of length 0 from
  those of length 1 (Ruoming Pang).

- Fix for SSH version parsing in the presence of content gaps (Robin Sommer).

- Bug fix for IRC that could lead to crashes (Robin Sommer).

- Bug fix to refrain from adding new timers when a connection has
  already been removed from the connection table (Robin Sommer).

- Bug fix for packet_contents not including the transport-layer header
  (Robin Sommer).

- Some memory leaks fixed (Robin Sommer).

- A bunch of portability and distribution problems fixed (Christian
  Kreibich, Robin Sommer, Vern Paxson).


1.1 Mon May 15 10:50:33 PDT 2006

- Bro now supports a "when" statement for taking action upon something
  becoming true asynchronously (Robin Sommer).  This provides a powerful
  new mechanism with numerous applications.

  Syntax:

	when '(' <expr> ')' <stmt> [timeout <interval> '{ <stmts> '}']

  where the first <stmt> can be a single statement or a block enclosed
  in {}'s, but the set associated with "timeout" must be enclosed in
  {}'s (to reduce ambiguities in Bro's grammar).

  Bro executes the first statement when <expr> becomes true. If you give
  a timeout and the condition has not been satisfied before it expires, Bro
  executes the second statement instead.

  A simple example:

	global t: table[addr] of count;
	event connection_established(c: connection)
	    {
	    local orig = c$id$orig_h;
	    if ( orig !in t )
		{
		t[orig] = 1;

		when ( t[orig] == 5 )
		    print fmt("%s has established 5 connections", orig);
		timeout 1 hr
		    {
		    print fmt("%s has NOT established 5 connections", orig);
		    delete t[orig];
		    }
		}
	    else
		++t[orig];
	    }

  Notes:
	- The condition may be evaluated more than once, and at arbitrary
	  times.

	- When the when-body is executed, the condition is guaranteed to be
	  still satisfied.

	- Expression reevaluation is primarily triggered by modifications
	  to globals.  However, reevaluations do not take place immediately
	  but potentially at a later point.  This means that if we change a
	  global to a value which would execute the trigger but then change
	  it back, the change may go unnoticed.

	- Inside the condition you may introduce new locals.  For example,

	    when ( (local x = foo()) && x == 42 ) ...

	  Such an assignment always yields true as its expression value
	  (but the assignment might be delayed, for example if foo() is
	  a delayed function call - see below).

  Delaying function calls
  =======================

  Functions called inside the condition of a when-clause may delay their
  results until they're ready. This works for both script-level and built-in
  functions.

  For script-level functions, there is a new construct, "return <when-stmt>",
  to delay a function's result. When used, the function returns at the
  time the when-stmt's condition becomes true, and it yields the value
  that the when-stmt's body then returns. Toy example:

      global X: table[string] of count;

      function a() : count
	    {
	    # This delays until condition becomes true.
	    return when ( "a" in X )
		  {
		  return X["a"];
		  }
	    timeout 5 min
		  {
		  return 0;
		  }
	    }

      event bro_init()
	    {
	    # Installs a trigger which fires if a() returns 42.
	    when ( a() == 42 ) { print "Yippie!"; }

	    X["a"] = 42;
	    }

  There's also a new built-in function which can delay

	lookup_addr(host: addr)

  performs asynchronous DNS address->hostname lookups. Example:

	    local h; addr;
	    [...]
	    when (local name = lookup_addr(h)) { print h, name; }

  See the function gen_hot_notice_with_hostnames() in conn.bro for
  a more worked-out example of using the "when" clause to translate the
  local address in SensitiveConnection notices to a hostname (contributed
  by Brian Tierney).  This functionality is activated by redef'ing
  xlate_hot_local_addr to T.

  Here is the full evaluation model of a when's condition:

       - The condition may be evaluated more than once, at arbitrary times.

       - It is always fully evaluated, no matter whether some former
	 evaluation has been suspended by a delaying function call.

       - All function calls which do not delay are always *fully* executed
	 each time the condition is evaluated.

       - Function calls which delay are only executed *once*; their result is
	 cached and re-used in the case the condition is evaluated again.

       - The condition is guaranteed to be true when the body is executed
	 (potentially using cached function results)

- By default Bro now uses a configuration similar to what used to be
  activated using reduce-memory.bro, along with some additional state
  timeouts that are new (Robin Sommer and Vern Paxson).  This allows for
  better state management out-of-the-box, at the cost of some precision
  of analysis and resilience to evasion.  In particular, the intent is to
  move towards being able to run Bro continuously without inexorably growing
  the amount of memory used until exhaustion.

  You can access a configuration similar to the previous default state
  management settings by loading heavy-analysis.bro.  It turns on a
  load-prefix of "heavy", so when you load XXX.bro, a file heavy.XXX.bro
  will also be automatically loaded if present.  Note that, as was the
  case for reduce-memory, you need to load heavy-analysis prior to other
  files for it to have effect.

- The new module clear-passwords.bro monitors login/FTP/IRC/POP traffic
  for cleartext passwords (Jason Lee).

- The new script service-probe.bro looks for remote hosts that repeatedly
  connect to the same service on local hosts (for a configurable set of
  services and connection sizes) in order to detect brute-forcing attacks
  such as password-guessing (Jim Mellander).

- A new ARP analyzer generates three events:

	event arp_request(mac_src: string, mac_dst: string,
			SPA: addr, SHA: string, TPA: addr, THA: string);

	event arp_reply(mac_src: string, mac_dst: string,
			SPA: addr, SHA: string, TPA: addr, THA: string);

	event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string,
			explanation: string);

  with a corresponding policy script arp.bro (Chema Gonzalez and Vern Paxson).
  It writes logs to arp.$BRO_LOG_SUFFIX.  It has not been tested much yet.

- Bro Lite changes (Jason Lee):
	- default user for is now user 'bro'
	- now uses the correct sysctl on FreeBSD 6
	- now uses the correct Perl path if site-report.pl not installed
	  into '/usr/local/bro'
	- no longer prompts to encrypt email unless you pick to email reports

- The default Bro Lite install now only checkpoints Bro once a week
  (Brian Tierney).

- Implicit Bro file extensions (such as .bro for policy scripts and .sig
  for signatures) are now searched for first rather than only if the
  non-extension-version of the file doesn't exist (Vern Paxson).  For
  example, running "bro -r trace mt" now first searches $BROPATH for
  "mt.bro" before searching for "mt", whereas it used to do these in
  the other order.

- There's now a simpler mechanism for redef'ing variables on the command-line
  (Christian Kreibich).  Any command line arguments of the form <var>=<val>
  are now expanded into policy code of the form "redef var=val;", where
  <val> is wrapped in quotation marks if the value appears to be a string
  and doesn't have quotation marks already.  This works with strings with
  whitespace such as foo="Hello World"; however, note that it means you
  can't use the mechanism to redef an enum value.

- The Bro distribution now includes (and builds by default) Christian
  Kreibich's Broccoli library (Bro C Client Library), which enables programs
  to communicate with running Bro's (Christian Kreibich and Jason Lee).
  Configure with --disable-broccoli to turn this off.

- Built-in functions log(x: double): double and exp(x: double): double
  which do natural logarithms and their inverses (Jaeyeon Jung).

- The new built-in function gethostname() returns the local host's name
  (Jason Lee & Robin Sommer).

- The new built-in function reading_traces() returns true if Bro
  is reading trace files (Robin Sommer).

- The new built-ins suspend_processing() and continue_processing() provide
  script-level control for instructing the event engine to stop or resume
  processing packets (Robin Sommer).  This is useful for coordinating
  simultaneous processing by multiple Bro's.

- Email notices are now by default sent via /bin/mail, with "[Bro Alarm]"
  in the subject.

- redef'ing a function now replaces the existing body rather than
  supplementing it (Robin Sommer), which was a bug.

- You can now configure Bro to process encapsulated IP packets either
  by setting, as before, a fixed encap_hdr_size (for VLANs), or setting
  parse_udp_tunnels to T (Ruoming Pang).  For the latter, you specify a
  UDP tunnel port using udp_tunnel_port (the previous variable "tunnel_port"
  has gone away); or you can leave it set to its default of 0/udp, in which
  case Bro will look for IP encapsulated in UDP packets on any port.

- Added a simple form of profiling based on sampling the work done
  per-packet (Vern Paxson).  The event engine generates a

	event load_sample(samples: load_sample_info, CPU: interval, dmem: int)

  event every load_sample_freq packets (roughly; it's randomized), where
  load_sample_freq defaults to 20.  "samples" is simply a set[string]; it
  contains the names of the functions, event handlers, and their source
  files that were accessed during the processing of the sampled packet,
  along with an estimate of the CPU cost of processing the packet and
  (currently broken) memory allocated/freed.

- Bro now includes experimental support for Endace DAG cards (Gregor Maier
  and Robin Sommer).  To activate, configure with

	--with-DAG=/path/to/dagtool/installation

  and use "dag0" as the network interface. You may need to configure the
  card with the dagtools first. In general, if dagsnap works, Bro should
  work as well.

- Log rotation has changed in a number of ways (Mark Dedlow & Robin Sommer):

	  * The new variable log_rotate_base_time: string, if defined,
	    specifies that logs should be rotated at log_rotate_base_time +
	    i * rotate_interval intervals. Format is as a string in
	    24-hour time, "%H:%M", e.g, "12:00".  This format may change
	    in the future to instead be a Bro time type.

	  * RotateLogs::date_format can be redefined to change format of
	    timestamps in rotated files.

	  * RotateLogs::build_name() can be redefined to implement an
	    arbitrary naming scheme for rotated files.

  Note, this code has not been extensively tested.

- Bro now by default builds a version of malloc bundled with its
  distribution (Vern Paxson & Brian Tierney).

- The syntax for the clone operator now looks like a function call,
  "copy(x)" (Vern Paxson).

- The new flag DNS::logging (default F), if T, disables generation of
  dns.log (which is often uninteresting and very large), though it
  still performs analysis leading to NOTICEs (Robin Sommer).

- A new global, hostile_domain_list, has been added to dns.bro which
  lists domains to be flagged if A or MX records are queried (Scott Campbell).

- Added globals dns_skip_all_{auth,addl} to skip all DNS AUTH/ADDL processing
  (Vern Paxson).  Skipping these is on (true) by default, because such
  processing is quite expensive.

- backdoor.bro now turns off by default some detectors that from experience
  have too many false positives, or (such as for HTTP) too many uninteresting
  true positives (Brian Tierney).  In addition:

	- the module now generates a BackdoorFound notice for each backdoor

	- the new variable dump_backdoor_packets (default F) if set causes
	  the packet that triggered the backdoor detection to be written to
	  backdoor-packets/<tag>:<time>

	- the new variable backdoor_ignore_host_port_pairs is a set[addr, port]
	  specify host/port combinations to ignore

	- 587/tcp is now recognized as another SMTP port, and 7000/tcp as
	  a popular IRC port ignored by default

	- brolite-backdoor.bro is a sample of using backdoor.bro

- A bunch of enhancements and fixes for the IRC backdoor detector
  (Vern Paxson).

- The cf utility in aux/cf/ now gets the format to use (unless you specify
  -f fmt) from $CFTIMEFMT in the environment.  You can now specify -f
  without a format to revert to the default format.  This change also
  includes a significant performance improvement when processing large
  files (Mark Dedlow and Craig Leres).

- Cleanups for brolite.bro and brolite-backdoor.bro (Brian Tierney).
  brolite.bro now uses rotate-logs by default.

- backdoor.bro now enables analysis of partial connections (Vern Paxson).

- brolite config cleanup: removed smtp.bro from default, increased
  max_timer_expires, changed default BROPATH to look at site dir
  first (Brian Tierney).

- The reference manual has been updated for the terminology changes
  of log -> alarm, alert -> notice, and rule -> signature (Vern Paxson).
  Some vestiges of the older terminology remain, in part because they're
  still present in some facets of Bro.

- The new script function get_current_packet(): pcap_packet returns
  the current packet as a "pcap_packet" record with fields $ts_sec,
  $ts_usec, $caplen, $len (all of type count) and $data (a string)
  reflecting the corresponding libpcap values (Christian Kreibich).
  You can write this packet to a dump file using the new function
  dump_packet(pkt: pcap_packet, file_name: string): bool, which writes
  (or appends) the packet to a file of the given name, returning T
  on success and F on error.

- The new fmt() specifier 'T'  converts values of type "time" to ISO
  format timestamps, analogous to how 'D' does this for ISO dates
  (Mark Dedlow).  fmt("%T", <time>) is equivalent to
  fmt("%s", strftime("%F-%T.%N", <time>)), except that strftime
  does not (yet) offer "%N" for nanoseconds (but see 'date +%F-%T.%N').

- The new %S format for fmt() inserts a "raw" version of the given string -
  that is, embedded NULs, control characters, etc., are present without
  any escaping (Christian Kreibich).

- Zero-padding and field widths now work for all fmt() formats rather than
  just %e/%f/%g (Christian Kreibich).   For example, you can now say:

	local filename = fmt("log-%04.txt", ++counter);

  and get logfiles log-0001.txt, log-0002.txt, ..., log-0999.txt, etc.

- The 'x' format specifier now supports values of type "addr", converting
  them t hex (Mark Dedlow).  For example,

	  fmt("str=%s hex=%x", 1.2.3.4, 1.2.3.4)

  produces

	str=1.2.3.4 hex=01020304

  The field designation is either %08x (if compiled for IPv4 only) or
  %08x%08x%08x%08x (if compiled with IPv6 support).

- firewall.bro has been extended to support multiple independent
  rule-sets (by calling begin() for the start of the next one),
  specifying sets of addresses, being FTP-aware, and with a more
  streamlined Notice message (Robin Sommer).

- The HTTP script variables maintain_http_sessions and http_sessions
  are now exported so they can be redefined or, for the latter, have
  timeouts added/adjusted (Robin Sommer).

- You can load the new policy script log-append.bro to change Bro's
  behavior so that when it runs appends to existing log files rather
  than overwriting them (Mark Dedlow).

- New &disable_print_hook attribute for files (Robin Sommer).  If set,
  print statements to the file don't trigger the print_hook event.  This
  is useful to keep the output of certain files from being propagated to
  peers.

- You can now associate "classes" with remote peers (Robin Sommer).  When
  connecting, a node may send a specific class to which it considers itself
  belonging. The accepting side can then tune its configuration based on
  the received class.

  This is primarily for the having multiple unrelated Broccolis running on the
  same host, all connecting to the same remote Bro (e.g., sshd and syslog
  sensors).

  To use this, on the Bro side the record Remote::Destination now has a
  field "class: string" (default: unset).  If set, the given config entry
  only applies for connecting remote peers that send the given class.
  If it is set and we're connecting to another peer, we propagate the class.

  Example:

      On the listening Bro:

	    redef Remote::destinations += {
		["peer-1"] =
			[$host = 127.0.0.1, $class="ftp", $events = /ftp.*/],
	        ["peer-2"] =
			[$host = 127.0.0.1, $class="http", $events = /http.*/]
	    };

      On peer 1:

	    redef Remote::destinations += {
		  ["master"] =
			[$host = 127.0.0.1, $class="ftp",
			 $events = /.*/, $connect=T]
	    };

      On peer 2:

	    redef Remote::destinations += {
		  ["master"] =
			[$host = 127.0.0.1, $class="http",
			 $events = /.*/, $connect=T]
	    };

  All of these may run on the same host.

- A bunch of changes to adu.bro (Christian Kreibich):

	- New ADU_MAX_DEPTH limits depth (at ADU granularity) into a
	  flow up to which ADUs are reported.

	- Handles UDP.

	- New event adu_done(c: connection) signals that no further ADUs
	  will be delivered for a connection.  This is useful since adu.bro
	  relies on event connection_state_remove() to remove state, and
	  if a policy using adu.bro likewise uses this event type then
	  event sequencing can cause adu_tx/rx events to occur after
	  connection_state_remove() has been processed.

	- Now correctly clips ADU to maximum allowed size.  (Note, this
	  has been temporarily commented out because it relies on a new
	  string function that has not yet been integrated into the
	  main distribution.)

	- Now can ignore specific connections dynamically.

	- TCP content gaps are now recognized and ADU delivery is for now
	  stopped for such flows, unless explicitly requested.

	- No longer logs to file in test mode.

- The new function add_notice_tag() explicitly adds a unique notice tag
  to a connection's $addl field (Robin Sommer).  This is sometimes necessary
  to ensure that the tag appears in the connection summary.

- Bro now performs serialization (such as when checkpointing &persistent
  tables or communicating them between Bro's) in an incremental fashion,
  intermingling transfers of large tables with ongoing packet processing
  (Robin Sommer).  Doing so helps avoid packet drops for large items.
  This has not yet been implemented for the initial handshake done
  for &synchronized items.

- ssl.bro now stores certificates by default in the subdirectory "certs/"
  (Robin Sommer).

- Analysis of weak/unknown ciphersuites in ssl.bro reworked (Holger Dreger).

- New cipher for SSL analysis, SSL_CK_RC4_64_WITH_MD5 (Holger Dreger).

- load-levels and cpu-adapt now log their adaptations to the log file
  rather than generating alarms (Robin Sommer).

- The default adaptation levels in cpu-adapt have been tweaked for better
  behavior (Robin Sommer).

- A new structure of the event loop (implemented by Robin Sommer) is now
  enabled during configuration by default (Christian Kreibich).  You can
  revert to the previous structure using --disable-select-loop.

- When configuring Bro, the version of pcap that comes with the Bro
  distribution is no longer used by default (Jason Lee).  Instead,
  the system one is used, or one at the same directory level as Bro.
  To use the Bro distribution version, configure with --enable-shippedpcap.

- backdoor.bro now has comments clarifying that it does not itself
  alter capture_filters (Vern Paxson).

- If you set backdoor_stat_period to 0 sec, then this now turns off
  the periodic component of backdoor analysis (Holger Dreger).

- The filters specified in notice_action_filters now take an additional
  argument specifying the action that has been determined so far (Robin
  Sommer).  This allows the filter to decide to not change the current
  action, if it so wishes.

- The new event notice_alarm(n: notice_info, action: NoticeAction) is
  generated for every notice that results in an alarm (Robin Sommer).

- Tallying of notices is now done using a notice, which has type NoticeTally
  (Robin Sommer).

- The new notice action filter alarm_always_notice specifies an action
  of NOTICE_ALARM_ALWAYS (Vern Paxson).

- If the watchdog expires and Bro isn't generating a packet trace file,
  the current packet is saved to "watchdog-pkt.pcap" (Robin Sommer).

- New boolean globals tcp_contents_deliver_all_{orig,resp} allow easy
  requesting of content delivery for all TCP traffic in orig/resp directions
  (Christian Kreibich).

- The new event udp_contents(u: connection, is_orig: bool, contents: string)
  delivers the contents of UDP packets analogous to tcp_contents (Christian
  Kreibich).  The boolean globals udp_content_deliver_all_{orig,resp} and
  tables udp_content_delivery_ports_{orig,resp} control for which ports
  content is delivered, analogous to the globals that control tcp_contents.

- New option --set-seed=n sets the random number seed to n (Vern Paxson).

- Notices now report current time for remotely-received notices rather
  than network time (Brian Tierney).

- Notices now include a tag es=<peer_description> any time a peer
  description is defined, not just for remote notices (Robin Sommer).

- The global log_as_connection has been removed from icmp.bro, which now
  only logs ICMP flows via the usual connection logging (Vern Paxson).

- The Destination variable $accept_state has been renamed $accept_input
  to better reflect its meaning (Vern Paxson).

- A remote destination's $sync field now indicates whether to accept
  ongoing state changes from peers, rather than just upon start-up
  (Robin Sommer).  The variable $accept_state controls whether we
  accept events.

- Logging of forms of Bro communication has been unified (Robin Sommer).

- Updates for packet filtering documentation (Christian Kreibich).

- A new global, stp_skip_src, lists sources that should be skipped for
  stepping-stone analysis (Vern Paxson).  ssh-stepping.bro adds sources to
  this list if they've instantiated more than src_fanout_no_stp_analysis_thresh
  connections, keeping them blocked until they've been idle for 15 seconds.

- Added a default notice-policy.bro as an example (Brian Tierney).

- Expanded on descriptive text in notice-policy.bro (Vern Paxson).

- ef removed from aux/hf/, as it's of little use and a headache to
  maintain for portability (Vern Paxson).

- The version of libpcap bundled with the distribution has been
  elevated to 0.8.3 (Jason Lee).

- Bro now compiles again if non-blocking DNS is not available (Robin Sommer).

- Resource statistics logging now differentiates between offline
  processing vs. remote-communication-only (Mark Dedlow and Robin Sommer).

- The script variable ICMP::distinct_pairs now times out its state,
  with a default of 15 minutes after creation (Robin Sommer).

- The Bro version reported now includes "-debug" if Bro was configured
  with --enable-debug (Robin Sommer).

- scan.bro now defaults "shut_down_all_scans" to T, meaning it by
  default detects scans on all ports, not just those in the set
  shut_down_scans (Vern Paxson).  Please note, this variable is
  misnamed - it should be "detect_all_scans" - but that change is
  waiting on reworking the basic structure of scan detection.

- Major bug fix for signature matcher missing matches on analyzer data
  (Robin Sommer).  For example, a condition "http /foo/" would only have
  match with the first URL in a connection, not subsequent ones.  Fixing
  this changes the calling sequence of the match_signatures() built-in to
  take an additional final parameter, "clear", which, if set, resets the
  matcher to its starting state prior to matching.

- Serious bug in regular expression matching - and hence signature engine -
  fixed (Robin Sommer).

- Bug fix for formatting (via fmt()) of very long strings (Vern Paxson).

- Fixed mail_reports.sh to correctly find sendmail binary on various systems
  (Brian Tierney).

- Numerous changes to Bro's internal string representation, and more
  flexibility in how strings are rendered for display (Christian Kreibich).

- Pseudo-real-time now can be initialized using an optional argument
  that corresponds to the degree of time compression (Robin Sommer).
  For example, --pseudo-realtime=0.5 causes time to advance half as fast
  as it would in real-time.  The default value is 1.0; any value > 0 is
  allowed.

- The SSH analyzer now looks for just linefeeds as line terminators when
  extracting version strings, rather than carriage-return-line-feeds, to
  match actual implementations rather than the RFC (suggested by Chema
  Gonzalez).

- Playing back events from files now working again (Robin Sommer).

- Bro now uses current_time() rather than network_time to track the
  modification time of variables, since network_time doesn't advance
  when only receiving events (Robin Sommer).

- Bug fixes for IPv6 support, including processing UDP traffic
  (which had been completely broken) and subtle interactions (actually,
  lack thereof) between the connection compressor and IPv6 that
  could lead to crashes (Vern Paxson).

- Portability tweaks for NetBSD, 64-bit Linux SuSe and FreeBSD 5.4
  (Christian Kreibich, Jason Lee and Vern Paxson).

- Bug fix for IPv6 "::" constants that start with hex digits specified
  using 0x (Vern Paxson).

- Calling the built-in terminate() function twice now has no additional
  effect (Christian Kreibich).  It used to terminate Bro abruptly, without
  cleanly shutting down.

- Removed active.bro; use active_connection() + connection_record() instead
  (Vern Paxson).

- Bro lite reports now work with rotated logs files (Brian Tierney)

- Bug fix for conditions such as "payload /^user/", which now work equivalent
  to "payload /user/" (Robin Sommer).

- Tweaks to sensitive patterns in HTTP request URIs to reduce false
  positives (Brian Tierney).

- Bug fixes for strip() built-in function (Holger Dreger).

- Memory leak in built-in function to_addr() fixed (Ruoming Pang).

- Bug fix for "hot" connections sometimes not having their notice tag
  appearing in connection summaries (Robin Sommer).

- Bug fixes for IRC analysis (Vern Paxson and Robin Sommer).

- Syslogging now works if Bro is running in communication-only mode
  i.e., live, but not reading a network interface (Robin Sommer).

- Bug fix to allow tuning of TRW parameters (Vern Paxson).

- Bug fixes for SSL analysis (Holger Dreger).

- Removed logic that inverted orig/resp in some scans (Vern Paxson).

- Lint & memory allocation tweaks (Vern Paxson).

- Bug fixes for inactivity timeouts (Robin Sommer).

- Bug fix for Bro Lite cron job (Jason Lee).

- When binding to a listening port for remote communication fails,
  the port number is now reported (Robin Sommer).

- Some spurious reporting removed from configure output (Jason Lee).

- Fix for "weird"'s generated by connection compressor but not
  recognized at the policy script level (Vern Paxson).

- Fixes for detecting content gaps and not matching previously delivered
  data (Ruoming Pang).

- Bug fixes for TCP rewriter (Ruoming Pang).

- Bug fixes for crashes in SSL analyzer (Vern Paxson).

- Bug fix for avoiding busy-waiting when a communication child dies
  (Robin Sommer).

- Bug fix for BiF's that use 'T' and 'F' in character constants
  (Vern Paxson).

- Memory leak fixes (Robin Sommer, Christian Kreibich, Vern Paxson and
  Ruoming Pang).

- The peer table for inter-Bro communication is now correctly indexed by a
  peer_id (Robin Sommer).

- Bug fix for exchange of initial &synchronized state which could
  prevent communication from entering main phase (Robin Sommer).

- Bug fix for propagating incremented table values derived from
  a table's &default (Robin Sommer).

- Bug fixes for the POP3 analyzer when analyzing non-NUL-terminated strings
  or bad base64 encodings (Vern Paxson).

- Updates for Bro's internal hash functions (Ruoming Pang).

- The debug and communication log files now comply with $BRO_LOG_SUFFIX
  (Robin Sommer).

- Some internal debugging additions (Ruoming Pang).

- Internal cleanup regarding "const" strings (Ruoming Pang).

- A number of casts changed to use modern C++-style pointer casting
  such as reinterpret_cast and static_cast (Ruoming Pang).

- Bug fixes for inter-Bro communication on 64-bit systems (Robin Sommer).

- Bug fixes for detecting errors for SSL connections (Robin Sommer).

- Potential null pointer dereference fixed (Robin Sommer).

- Inter-Bro communication is now more reliable in the presence of errors
  (Robin Sommer).

- Performance enhancement for tracking values whose elements might
  change (Robin Sommer).

- Fixes for peers having differing enum lists (Robin Sommer).  This can
  occur because they're running different scripts and which do different
  redef +='s to add enum values.

- += now works for interval types (Vern Paxson).

- Bug fix for exchanging peer descriptions (Robin Sommer).

- Bug fix for processing multipart-MIME HTTP messages with content-length
  headers (Ruoming Pang).

- Bug fix for failing to escape "'s in HTTP server replies (Robin Sommer).

- Bug fix for propagating increment operations on tables (Robin Sommer).

- Bug fixes for files (Robin Sommer): set open time to current time if
  network time is not initialized; when deserializing files, prevent them
  from being closed immediately due to reference-counting interaction.

- Bug fix to prevent reporting some scans twice (Robin Sommer).

- Bug fix for printing enum's (Christian Kreibich).

- When not configured with --enable debug, Bro now still accepts (yet ignores)
  option -B (Robin Sommer).

- Serialization enhancements and fixes, including a change of the
  protocol version number (Robin Sommer).

- Bug fix for logging inter-Bro communication (Robin Sommer).

- Bug fixes for enumerating attributes and timers (Robin Sommer).

- Bug fix for signatures matching first on one side of the connection,
  and then on the other, being reported twice (Robin Sommer).

- Inter-Bro communication now continues to work even when packet processing
  has been suspended (Robin Sommer).

- Fix for running multiple Bro's together in pseudo-realtime (Robin Sommer).

- Tweak to print-resources.bro so it can be loaded standalone (Vern Paxson).

- Bug fix for &persistent state not being save if Bro wasn't running
  with an input source (Robin Sommer).

- Bug fix for which process ID to check to see if children are still alive
  (Robin Sommer).

- Bug fix for no longer crashing if the expiration function associated
  with a table deletes the element from the table rather than returning
  an interval of 0 secs to indicate it should be deleted (Chema Gonzalez).

- Bug fix for OutboundTFTP notice: now checks to ensure that not only is
  the source local, but the destination is not local (Vern Paxson).

- Bug fix for a subtle interaction mediated by errno, which could cause a
  failed read() to later confuse pcap_dispatch() (Chema Gonzalez).

- Bug fix for TCP contents assertion checking (Ruoming Pang).

- Bug fix for error output on small RPC fragments (Ruoming Pang).

- Fix for connection compressor bug in tracking connection history
  (Robin Sommer).

- Bug fix for potential floating point exception in signature engine's
  resource-profiling code (Robin Sommer).

- Bug fix for low-level List data structure when replacing a list element
  beyond the end of a list (Robin Sommer).

- Bug fix in initializing capabilities when setting up communication between
  Bro peers (Robin Sommer).

- A number of connection compressor bug fixes: weird's for spontaneous
  FINs and RSTs, consistent processing of "connections" that begin with
  RSTs, correct checksum computations, and weird's printed to stderr if
  no event handler defined (Robin Sommer).

- load_sample_freq is now &redef (Vern Paxson).

- Bug fix for backdoor detector incorrectly matching substrings (Vern Paxson).

- Bug fix for canceling timers sometimes failing to cancel all of
  them (Robin Sommer).

- Error handling during un-serialization now handled more robustly
  (Robin Sommer).

- Bug fix for division by zero if expensive_profiling_multiple
  set to zero (Robin Sommer).

- Bug fix for connection logs failing to track all of the annotation
  ($addl) associated with a connection (Vern Paxson).

- Portability fix for BinPAC (Ruoming Pang).

- Fix to NFS analyzer for missing values in events reporting failed requests
  (Vern Paxson).

- autogen.sh now aborts as soon as one of the tools it invokes fails
  (Christian Kreibich).

- Fixed bug where not having SSL would cause bro to not compile (Jason Lee).

- State-holding fix for adu.bro (Christian Kreibich).

- A number of configuration tweaks (Craig Leres & Christian Kreibich).

- Fix for sig-functions.bro: checks isApache* functions, which ensure
  that Apache is indeed in the software set before accessing the index
  (Brian Tierney and Robin Sommer).

- Smith-Waterman fixes and test suite script (Christian Kreibich).


1.0 Sun Oct 23 17:27:45 PDT 2005

- Bro now includes BinPAC (Binary Protocol Analyzer Compiler), a language
  and compiler for automating the construction of analyzers for binary
  protocols (Ruoming Pang).

- Ruoming has used BinPAC to rewrite the analyzers for DCE/RPC (with
  significant enhancements, including adding the endpoing mapper) and SMB
  (likewise enhanced and bug-fixed), and creating a new analyzer for NCP
  (Netware Core Protocol).  The NCP analyzer generates two events:

	ncp_request(c: connection, frame_type: count, length: count,
			func: count)

	ncp_reply(c: connection, frame_type: count, length: count,
			req_frame: count, req_func: count,
			completion_code: count)

- The beginnings of an analyzer for NetBIOS name service (Ruoming Pang).
  It generates the following events:

	event nbns_standard_name_query(c: connection)
	event nbns_nbstat_query(c: connection)
	event nbns_name_reg_request(c: connection)
	event nbns_nb_name_query(c: connection)

- New IRC analyzer (Roland Gruber).  It generates a lot of events; see
  policy/irc.bro.  Note, the formatting of the log file will at some point
  be changed to be more uniform and streamlined.

- ICMP events now include an initial parameter of type "connection",
  the same as for TCP & UDP flows (Ruoming Pang).  This facilitates
  traffic analysis by associating generic connection events such as
  connection_state_remove with ICMP events.  This affects:

	event icmp_sent(c: connection, icmp: icmp_conn)
	event icmp_echo_request(c: connection, icmp: icmp_conn,
			id: count, seq: count, payload: string)
	event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count,
			seq: count, payload: string)
	event icmp_unreachable(c: connection, icmp: icmp_conn,
			code: count, context: icmp_context)
	event icmp_time_exceeded(c: connection, icmp: icmp_conn,
			code: count, context: icmp_context)

- New POP3 analyzer (Florian Schimandl, Hugh Dollman and Robin Sommer).
  Loading pop3.bro analyzes the protocol messages, and loading mime-pop.bro
  also extracts the email headers and content.

- New events (Ruoming Pang):

	connection_first_ACK(c: connection)
		generated upon the ACK completing a TCP handshake. Useful
		in detecting "blink scans" (a FIN coming from the client
		right after the ACK)

	tcp_rexmit(c: connection, is_orig: bool, seq: count, len: count,
			data_in_flight: count, window: count)
		generated when a TCP sender retransmits data

	rpc_call(c: connection, prog: count, ver: count, proc: count,
			status: count, start_time: time,
			call_len: count, reply_len: count)
		can be used to process RPC calls in a generic fashion

	nfs_reply_status(n: connection, status: count)
		supplies the status of NFS server replies

	netbios_session_raw_message(c: connection, is_orig: bool, msg: string)
		access to a NetBIOS SSN message in raw terms

	smb_get_dfs_referral(c: connection, max_referral_level: count,
				file_name: string)
		generated for SMB DFS referal requests

	dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
		low-level event generated for each DNS request/reponse

	dce_rpc_bind(c: connection, uuid: string)
		generated for DCE RPC binds

	dce_rpc_message(c: connection, is_orig: bool, ptype: dce_rpc_ptype,
			msg: string)
		low-level access to DCE RPC messages; see const.bif for
		dce_rpc_ptype values

	epm_map_response(c: connection, uuid: string, p: port, h: addr)
		reply from DCE portmapper

- New operator |x|, a sizeof operator (Christian Kreibich).  It yields
  absolute values for numerical values, file size for files, the number
  of enums for an enum type, the number of addresses in subnets, number
  of fields in records, numeric equivalent for addresses, the number of
  elements in vectors/sets/tables, and the length of strings.

- A new clone operator, "* <expr>", produces deep copies of aggregate
  values and the usual duplicates for atomic ones (Christian Kreibich).
  For example, while:

	   1	type foo: record {
	   2		c: count;
	   3		s: string;
	   4	};
	   5
	   6	f1$c = 10;
	   7	f1$s = "Hello";
	   8
	   9	f2 = f1;
	   10	f1$c = 20;
	   11	f1$s = "World";
	   12
	   13	print fmt("%d/%s %d/%s", f1$c, f1$s, f2$c, f2$s);

  yields "20/World 20/World", changing line 9 to:

	f2 = *f1;

  yields "20/World 10/Hello".

- New operators "+=" and "-=", which work on both numerical values and
  strings (Christian Kreibich).

- "+" now works on strings: s1 + s2 yields the concatenation of both
  (Christian Kreibich).

- You can now express the equivalent of ICMP "port numbers" using
  <number>/icmp, where <number> is the ICMP type (Ruoming Pang).

- Bro now accepts long versions of options, such as --readfile for -r
  (Christian Kreibich).

- Bro now has a "pseudo-realtime" mode, activated by --pseudo-realtime,
  that causes it to mimic real-time operation when executing against
  a trace (Robin Sommer).  This is useful for evaluating performance in
  a controlled fashion.

- SMTP analyzer changes (Roger Winslow): support for 554 code in RCPT
  responses; logging when the server refuses the argument to RCPT;
  support for 502 code in response to a HELP command.

- Addition of two universal hash functions: H3 (from David Moore, based
  on code by Ken Keys) and TwoWise (Dietzfelbinger, from Yin Zhang)
  (Ruoming Pang).  Use --enable-h3 and --enable-dietzfelbinger to enable
  them (used as the hash function for short data).  H3 is used by default.

- The "bif" compiler for compiling Bro built-in functions now supports
  an "enum" type (Ruoming Pang).  The syntax is:

	enum dce_rpc_ptype
	%{
		DCE_RPC_REQUEST,
		DCE_RPC_PING,
		DCE_RPC_RESPONSE,
	%}

  which is translated to an enum declaration of "dce_rpc_ptype" in
  Bro, an EnumType* enum_dce_rpc_ptype in NetVar.{h,cc} and a C++ enum
  BroEnum::dce_rpc_ptype {...}.

  One limitation is that redef's on enum types cannot be taken into
  account because the bif is parsed at compile time.

- 64-bit integer support via --enable-int64 (Ruoming Pang).

- The new, experimental policy script adu.bro provides a generic way to
  extract application-layer ADUs (Christian Kreibich).  It heuristicly
  groups blocks of content sent from one side to another, uninterrupted
  by any data in the opposite direction, into an approximate ADU (request
  or reply).  These then generate adu_tx (originator -> responder) and
  adu_rx (responder -> originator) events.  You can control on which ports
  it does this analysis, as well as the amount of data inspected nad
  grouped, using variables documented in the script.

- The new built-in function

	function str_smith_waterman(s1: string, s2: string, params: sw_params)
	: sw_substring_vec

  computes the Smith-Waterman overlap between two strings (Christian Kreibich).
  The third parameter is a record with two fields, $min_toklen (minimum
  length for common tokens) and $sw_variant, which takes a value of 0
  for single-matching and 1 for multiple-matching.

  The return value is a vector of sw_substring records, which hold the
  following fields:

	str: string;	# the common subsequence
	index1: count;	# where it occurs in input string 1
	index2: count;	# where it occurs in input string 2
	new: bool;	# true if start of new alignment

- If you set the new control variable record_state_history to T, then
  connections recorded to the conn.$BRO_LOG_SUFFIX log file will include
  a field that shows the different states encountered during the connection
  (Mark Allman):

	Symbol	State
	------	-----
	S	Initial SYN seen for TCP connection.
	H	SYN-ACK seen for TCP connection.
	D	Data packet seen (TCP or UDP).
	A	Pure ACK seen for TCP connection.
	F	FIN seen for TCP connection.
	R	RST seen for TCP connection.
	I	TCP connection included a FIN+RST packet.
	Q	TCP connection included a packet with multiple connection
		control flags other than FIN+RST (e.g., SYN+RST).
	C	Connection included one or more packets with failed checksums
		(TCP or UDP).

  The symbols are printed in upper-case for connection originators and
  lower-case for responders.  The S/H/F/R symbols are also repeated if
  Bro sees the corresponding control packet subsequently with a different
  sequence number.

  For example, a TCP connection which Bro saw from the beginning, i.e.,
  a normal establishment, followed by the client (originator) first sending
  data, then the server responding, followed by the server initiating a
  normal close which the client then completes, will be annotated as
  "ShADadfF".

- The "for" looping construct now can be used to iterate over the non-empty
  indices of a vector (Christian Kreibich).

- If you set the new variable skip_http_data to T (default: F), then the
  HTTP analyzer will attempt to not reassemble the data portions of HTTP
  request/responses (Ruoming Pang).  This can be a performance benefit
  in environments with high volumes of HTTP traffic, though it may not be
  a large win if the processing is dominated by executing the policy script.

- The new built-in

	remask_addr(a1: addr, a2: addr, top_bits_from_a1: count): addr

  take some top bits (e.g. subnet address) from a1 and remaining bits
  (intra-subnet part) from a2 and merge them to get a new address (Ruoming
  Pang).  Useful for anonymizing at the subnet level while preserving
  serial scans.

- The new built-in

	decode_netbios_name(name: string): string

  takes a string in NetBIOS encoding and returns its original form
  (Ruoming Pang).

- The new variable ignore_keep_alive_rexmit controls whether to
  include keep-alives when counting retransmitted packets (Ruoming Pang).
  It defaults to F (i.e., do count them).

- The calling sequence of dce_rpc_request and dce_rpc_reply have changed to:

	event dce_rpc_request(c: connection, opnum: count, stub: string)
	event dce_rpc_response(c: connection, opnum: count, stub: string)

  (Ruoming Pang).  Use dce_rpc_message to get access to the RPC type and
  the raw message.

- The calling sequence of the netbios_session_message event has changed to:

	netbios_ssn_message(c: connection, is_orig: bool,
				msg_type: count, data_len: count)

  (Ruoming Pang).  Previously it was parameterized with the connection
  and the raw message (now available via netbios_session_raw_message).

- The calling sequences of smb_com_{read,write}_andx have changed to
  no longer include the is_orig parameter because it is in fact fixed for
  these events (Ruoming Pang).

- The calling sequence of smb_message has changed (Ruoming Pang) to:

	smb_message(c: connection, is_orig: bool, cmd: string,
			body_length: count)

- Bug fix specifying the &default value for tables that yield function
  values (Ruoming Pang).  For example:

	type tcp_content_handler_func:
		function (c: connection, is_orig: bool, seq: count,
				contents: string);

	function default_tcp_content_handler(c: connection, is_orig: bool,
						seq: count, contents: string)
		{
		# do something ...
		}

	const tcp_content_orig_handlers: table[port] of
		tcp_content_handler_func = {} &redef &default =
			default_tcp_content_handler;

  Previously, Bro would take the function given with &default as the default
  function to call when accessing a missing element, rather than a default
  *value* to directly return. Bro now checks the value type against the
  function type to see if they match in type.

- The new variables forward_remote_events and forward_remote_state_changes
  specify whether to broadcast events/state received from one peer to other
  peers (Robin Sommer).  Both default to F.  Note, these options are temporary;
  they will disappear when we add a more sophisticated script-level
  communication framework.

- Vectors can now be initialized using the syntax such as

	global foo: vector of string = ["foo","bar"];

  (Robin Sommer).

- Bug fixes for &synchronize'ing vectors (Robin Sommer).

- The internal implementation of strings in the policy language has
  been heavily revamped (Christian Kreibich).

- String built-in functions are now in strings.bif rather than bro.bif
  (Christian Kreibich).  This includes two new built-ins:

	str_split(s: string, idx: index_vec): string_vec
	strstr(big: string, little: string): count

  string_vec is a new policy script type that is an alias for
  "vector of string".

- The new options --load-seeds <file> and --save-seeds <file> let you
  record Bro's seeds to a file and then re-use these seeds in a later
  invocation (Christian Kreibich). The primary intended usage is to
  provide determinism in hash table iterations etc. for debugging purposes.

- Communication protocol changes (Robin Sommer):

  * Internal PING/PONG messages to measure round-trip times.  The new script
    remote-ping.bro issues PINGs every second and logs to remote.log.

  * Optional data compression if libz is available.  Remote::Peer$compression
    specifies compression level, with no compression being the default.

  * Inter-Bro communication is now performed in four explicit phases:

    //  Setup:
    //      Initial phase.
    //      VERSION messages must be exchanged.
    //      Ends when both peers have sent VERSION.
    //  Handshake:
    //      REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs
    //        may be exchanged.
    //      Phase ends when both peers have sent PHASE_DONE.
    //  State synchronization:
    //      Entered iff at least one of the peers has sent REQUEST_SYNC.
    //      The peer with the smallest runtime (incl. in VERSION msg) sends
    //        SERIAL messages comprising all of its state.
    //      Phase ends when peer sends another PHASE_DONE.
    //  Running:
    //      Peers exchange SERIAL (and PING/PONG) messages.
    //      Phase ends with connection tear-down by one of the peers.

  * Serializing network packets includes textual tags for identification.

  * Serializing files includes the state of buffering.

- Pending events for remote peers are now flushed when Bro terminates,
  and the net_done event is *not* propagated to peers (Robin Sommer).

- Makefile.am cleanups (Christian Kreibich).

- libpcap portability fix for OpenBSD (Gordon Willem Klok).

- Performance bug fix for SMTP relay detection (Vern Paxson).

- sprintf -> snprintf tweak (Vern Paxson).

- Bug fix for serializer regular-expression matchers (Robin Sommer).

- Some fixes for access to uninitialized variables/state (Christian Kreibich
  and Vern Paxson).

- More informative messages for some internal errors (Christian Kreibich).

- Bug fixes for implementation of vectors (Christian Kreibich).

- Fixes for FreeBSD 5 installs (Jason Lee).

- gcc 4.0 compatibility (Christian Kreibich).

- Bug fix for correctly propagating libpcap failures (Chema Gonzalez).

- Bug fixes for prefix-preserving IP address anonymization (Chema Gonzalez).

- The MIME analyzer in mime.bro is now in "module MIME" (Vern Paxson).

- Bug fix for the IRC backdoor detector (Scott Campbell).

- The capture filter used for NFS traffic now includes UDP fragments,
  since NFS UDP traffic is often fragmented (Ruoming Pang).

- New internal mechanisms to suspend/resume processing to enable a Bro
  receiving synchronized state to put its own packet processing on hold
  (Robin Sommer).

- A bug with the serialization cache not being used for modified objects
  has been fixed (Robin Sommer).

- A number of enhancements to inter-Bro communication performance and error
  handling improved (Robin Sommer).

- Internal restructuring to fix problems with dispatching packets when
  using the packet sorter (Ruoming Pang).

- Christian Kreibich has contributed a number of fixes for code flaws
  such as potentially unsafe library calls.


0.9a10 Tue Sep  6 10:41:53 PDT 2005

- Fixes for portability to 64-bit architectures (Christian Kreibich).

- Bug fix for broken syslog'ing of alarms (Scott Campbell).

- The manual has been updated to clarify that aggregate values in events
  are passed as shallow copies, so that modifications to elements of the
  values after posting the event but before it's handled will be visible
  to the handlers for the events (Christian Kreibich).

- HTTP logging now includes the host from the Host header in the request
  (Craig Leres).  Note, currenty this only is done when using http-reply.bro,
  not if you only analyze requests.

- You can now specify a passphrase for the SSL cert used for inter-Bro
  communication by redef'ing the variaable "ssl_passphrase" (Christian
  Kreibich).  Leaving it unchanged causes the passphrase to be read
  interactively.

- Certificates created using ca-issue now have 2-year lifetimes rather
  than the default of 30 days (Christian Kreibich).

- A problem with handshaking between Bro peers has been fixed (Christian
  Kreibich).

- A bug has been fixed in scanning false positives due to backscatter
  in the form of SYN ACKs (Vern Paxson).

- Alerts sent via email now use a From address configured from bro.cfg
  (Randy Mcclelland-Bane).  Also, if sending an alert via gpg fails,
  it's sent instead as plaintext.

- Scan notices now include information about the connection that
  triggered the scan detection decision (Vern Paxson).

- Exported some TRW variables so the user can adjust their associated
  timers (Vern Paxson).

- The new script variable dns_max_queries sets a maximum on the number of
  queries that can appear in a DNS request (Scott Campbell & Vern Paxson).
  If more queries appear, the request is treated as non-DNS traffic and
  ignored.  The variable defaults to a value of 5.  Setting it to 0 turns
  off this functionality, so Bro processes all apparent requests.

- The "weird" messages generated by the DNS analyzer now have a more
  regular naming structure and processing (Scott Campbell and Vern Paxson).

- Tweaked bif_arg.cc to pass gcc4.0 and bro.bif to not collide with
  uuid in OSX 10.4 (Jason Lee).  Now works on OSX 10.4, though use
  --disable-localpcap when compiling.

- Bro now compiles cleanly under OpenBSD (Jason Lee).

- NOTE: the connection compressor has a known serious bug and should
  not be used at present.  Since it is an experimental feature, fixing it
  is deferred to the next release.

- Some bugs fixed in the management of hash keys when using the
  connection compressor (Robin Sommer).

- Tweak for the connection compressor to generate truncated_header weird's
  (Robin Sommer).

- Temporary bug fix for type clash in SSL version numbers (Vern Paxson)
  by making them consistently of type int.  The correct fix is probably
  for them to be consistently of type count, depending on how Bro's notion
  of general version processing, and its SSL analyzer, both evolve.

- Bug fix for trace rewriting failing if Bro was not compiled to check
  assertions (Martin Casado).

- Fixed logic bug in signal handling regarding whether we're currently
  idle waiting for input vs. processing a packet or the event queue
  (Vern Paxson).  Note, this change has not been heavily tested.

- Some bug fixes for correct operation when DNS names fail to resolve
  (Vern Paxson).  It's not clear that these fixes are complete, however.

- Fixed to not compile libpcap when --disable-localpcap is given to configure
  (Jason Lee).

- Fixed configuration of local pcap for IPv6 if --enable-brov6 is specified
  (Jason Lee).

- A problem with "make install" when building from the libpcap included
  in the sources has been fixed (Christian Kreibich).


0.9a9 Thu May 19 23:31:33 PDT 2005

- First cut at analyzer for NFS (Vern Paxson).  It generates the following
  events:
	event nfs_request_null(n: connection)
	event nfs_request_getattr(n: connection, fh: string, attrs: nfs3_attrs)
	event nfs_request_lookup(n: connection, req: nfs3_lookup_args,
				rep: nfs3_lookup_reply)
	event nfs_request_fsstat(n: connection, root_fh: string,
				stat: nfs3_fsstat)
	event nfs_attempt_null(n: connection, status: count)
	event nfs_attempt_getattr(n: connection, status: count, fh: string)
	event nfs_attempt_lookup(n: connection, status: count,
				req: nfs3_lookup_args,
				dir_attrs: nfs3_opt_attrs)
	event nfs_attempt_fsstat(n: connection, status: count,
				root_fh: string, obj_attrs: nfs3_opt_attrs)

- The new script OS-fingerprint.bro integrates Bro's new passive OS
  fingerprinting mechanism with the software.bro framework (Vern Paxson).

- You can now operate on patterns using && and || (Vern Paxson).
  If p1 and p2 are patterns, then p1 && p2 yields a pattern that matches
  their concatenation and p1 || p2 yields a pattern that matches either.
  Note that the syntax for this may change in the future to a single '&'
  or '|', which would be more consistent with the use of '|' in
  constructing pattern constants.

- An experimental "connection compressor" tracks not-yet-established
  connections using much less memory than Bro normally does (Robin Sommer).
  This is potentially a major win during flooding attacks and high-speed
  scans.  You activate it by setting use_connection_compressor to T.  You
  can then control the granularity of its processing using the variables
  cc_handle_resets, cc_handle_only_syns, and cc_instantiate_on_data.  See
  bro.init for brief discussion of these.

- The experimental new script firewall.bro supports firewall-rule-like
  processing of connections in terms of allow/deny (Robin Sommer).  It is
  not particularly efficient.

- sensor-sshd.bro provides an experimental interface for receiving
  events from instrumented SSH servers that communicate with Bro via
  the Broccoli client library (Christian Kreibich and Robin Sommer).
  Supporting this also entailed extensions to login.bro so it can
  process the events even though they don't correspond to a connection
  known to Bro's event engine.

- The new built-in function match_signatures() can be used in a policy
  script to send text directly into the signature engine (Robin Sommer).

- Correction: the 0.9a8 CHANGES states that the mail_script variable used
  for NOTICE_EMAIL defaults to mail_script.sh.  The correct value is instead
  "mail_notice.sh".

- The scripts rsh.bro and passwords.bro, and the passive-fingerprinting
  signatures policy/sigs/p0fsyn.osf were inadvertantly left out of the
  0.9a8 distribution.

- Added s2b (snort to bro) files into the distribution. (Jason Lee)

- Non-blocking packet capture under Linux has been fixed (Robin Sommer).

- Fixed printing of DNS replies, which used to work but was broken
  a number of months ago (Vern Paxson).

- The new script brolite-sigs separates out how signatures are configured
  in Bro Lite so the functionality can be enabled/disabled with a simple
  load statement (Roger Winslow).  That is, to use signatures with Bro
  lite, simply add "@load brolite-sigs".

- The new script variable enable_syslog (default T) controls whether
  alarm's are syslog'd (Robin Sommer).  As before, syslogs can only happen
  when Bro is reading from live network traffic (this should be changed
  at some point, to accommodate real-time Bro's that don't read the network
  but collect events from other sensors).  Previously, in that case syslog's
  always happened; now, you can turn them off using this variable.

- The new script variable expensive_profiling_multiple controls how
  often, when doing profiling, to perform more expensive forms of
  profiling, in particular, memory consumption profiling (Robin Sommer).
  If profiling_interval is set to 15 sec and expensive_profiling_multiple
  is set to 20, then expensive profiling will be done every 5 minutes
  (these are the defaults now in profiling.bro).  Also, the profiling_update
  event now includes a second argument, expensive: bool, which indicates
  whether the update corresponds to one of these expensive profiling
  intervals.

- First cut at parsing DNS AAAA replies (Scott Campbell).  This is quite
  incomplete - currently, the replies are turned into fake A record replies,
  due to the difficulty of dealing with IPv6 addresses if Bro wasn't built
  to analyze IPv6 traffic.

- software.bro has been tweaked to have a new control variable,
  "only_report_local" (default F).  If true, then only software versions
  for local addresses (as determined by is_local_addr()) will be
  reported.

- synflood.bro now has a script variable max_sources (default 100) that
  specifies the maximum number of sources to track for a given victim
  (Robin Sommer).

- Remote peers now negotiate their versions of the serialization format
  (Robin Sommer). If they don't agree then the connection is terminated.

- Generic UDP request/response processing has been moved into the new
  policy script udp-common.bro, which, unlike udp.bro, does *not* set the
  packet filter to capture all UDP traffic (Robin Sommer).  A number
  of UDP-based policy scripts have been modified to use udp-common.bro
  rather than udp.bro.

- When printing serialized/independent state, access times are now
  again included (Robin Sommer).

- Bro's implementation of timers has been switched (reverted) to using
  priority queues (Vern Paxson).

- The http-request.bro script variables skip_remote_sensitive_URIs and
  const sensitive_post_URIs are now exported so they can be accessed
  externally (Robin Sommer).

- Some new rootkit filenames have been added to ftp.bro and
  http-request.bro (Brian Tierney).  The plan is to eventually
  merge these lists so there's only one main list.

- trw.bro is now scoped as a module "TRW" (Brian Tierney).

- Better support of the '--disable-localpcap' flag to configure, and
  consolidated all the pcap checks in configure.in (Jason Lee).

- A bug in processing bare carriage-returns in Telnet input/output
  has been fixed (Vern Paxson).

- The Bro Lite bro.rc script has been tweaked to use the 'ax' flags
  instead of '-ax' (Jason Lee).

- A bug with reporting ICMP "ports" (i.e., type + code) has been fixed
  (Vern Paxson).

- Bug fix for excessively large RPC messages (Ruoming Pang).

- A bug with /0 subnet prefixes has been fixed (Robin Sommer).

- The function record_connection() now takes the file to write to
  as its first argument (Robin Sommer).

- remote.bro now tracks whether a given Destination is connected
  (Robin Sommer).

- mail_notice.sh is now installed as part of installing a distribution
  (Jason Lee).

- Fixed bug where the sort order for the test suite changed depending
  on locale. (Jason Lee)

- Bug fix for email_notice() when notice_action_filters not defined for
  given notice (Vern Paxson).

- The test suite test for rare-events fixed to not give false positives
  (Jason Lee).

- Date added for 0.9a8 release.


0.9a8 Wed Feb 16 17:09:34 PST 2005

- aux/rst/ contains the source for the "rst" tool used by Bro (via the
  policy script function terminate_connection() in conn.bro) to tear
  down established connections by forging RST packets.

- Bro's main event loop has been reworked (Robin Sommer).  This should
  (1) not cause any visible differences in most cases, (2) improve
  performance in some cases, (3) fixed problems running Bro without
  a network input (but still receiving asynchronous input from remote
  event sources).  There are some more changes coming to this soon.

- Passive OS fingerprinting has been added, based on Michal Zalewski's
  "p0f" tool (Holger Dreger).  Currently, it's limited to fingerprinting
  clients based on the initial SYNs they send.  To use it, define
  an event handler:

	OS_version_found(c: connection, host: addr, OS: OS_version)

  OS_version is a record containing a string $genre (e.g., "Solaris"),
  a string $detail (e.g., "2.0.27"), a count $dist (hop-count distance
  from monitor to host), and $match_type, which specifies via an
  enumerated type whether the match was direct from a signature,
  generic to the genre, or "fuzzy".

  The match is done against a passive fingerprinting signature file,
  which is specified by the variable passive_fingerprint_file.
  It defaults to "sigs/p0fsyn", which is found using $BROPATH
  and has an "osf" suffix added.

  You can restrict the matching to only be performed for hosts from
  particular subnets by adding those subnets to the variable
  generate_OS_version_event.  If it's empty (default), then all subnets
  are analyzed.

  Note, the passive fingerprinting should be integrated with the
  version-tracking in software.bro, but this hasn't been done yet.

- Support for IPv6 has been repaired and brought up to date.  Note, however,
  that inter-Bro communication currently only works over IPv4.

- Signature-matching is now off by default in brolite.bro.  If you want
  to use it, define use_signatures = T prior to @load'ing it.

- Notices are now tied to their corresponding connections (Scott Campbell).

- New backdoor detectors for IRC, SMTP, Gaobot (Scott Campbell).

- Signature matches now have a connection associated with them (Scott Campbell).

- Bro scripts that set initial timers (via "schedule" statements in a
  bro_init handler) but don't have any source of network input (trace
  files or live interfaces) now execute in real-time, with network_time
  set to the current time, rather than having their timers expire immediately.

- Default timeouts have been added to tables in trw.bro and http.bro, which
  have been found operationally to potentially grow very large (Scott Campbell).

- The new policy script large-conns.bro can be included in order to
  track the size of TCP connections (each direction is referred to
  as a "flow") using a secondary packet filter (Chema Gonzalez).
  This method is completely separate from Bro's usual size accounting,
  and offers the advantages that it tracks sizes even for connections
  that don't terminate (or for which Bro misses their establishment)
  and for connections with sizes > 4 GB.

  The interface is via the function:

	function estimate_flow_size_and_remove(cid: conn_id, orig: bool)

  If $orig=T, then an estimate of the size of the forward (originator)
  direction is returned.  If $orig=F, then the reverse (responder) direction
  is returned.  In both cases, what's returned is a "flow_size_est" record,
  which includes a flag, $have_est, indicating whether there was any
  estimate formed. If $have_est is T, then the record also includes
  an estimate in bounded by $lower (lower bound) and $upper (upper bound).
  The estimate also includes $num_inconsistent, which, if > 0, means that
  the estimates came from sequence numbers that were inconsistent, and
  thus something is wrong - perhaps packet drops by the secondary filter).
  Finally, calling the function causes the flow's record to be deleted.

- An RSH analyzer has been contributed by Manu (ManuX@rstack.org).
  It generates rsh_request and rsh_reply events, and the following notices:

	  DifferentRSH_Usernames
		Client and server username differ.

	  FailedRSH_Authentication
		Attempt to authenticate via RSH failed.

	  InteractiveRSH
		The RSH session appears to be interactive (multiple
		lines of user commands).

	  SensitiveRSH_Input
	  SensitiveRSH_Output
		RSH client input or server output match input_trouble/
		full_input_trouble or output_trouble/full_output_trouble.

- The new notice action NOTICE_EMAIL indicates that in addition to
  logging an alarm, it should also be sent out as email (Scott Campbell).
  By default, email is only sent if Bro is running on live traffic;
  you can override this via redef'ing the script variable mail_notification.
  Mail is sent using the script specified by the mail_script variable
  (default: "mail_script.sh", which is now included in the distribution,
  but at present is not installed), which must be in $PATH.  The mail
  is sent to the username specified in mail_dest (default: the local
  "bro" user, though you can change this to name@domain).

  Note that specifying email as a separate notice action may change
  in the future, to instead be an attribute that's associated with
  other notice actions.  For example, it may make sense to want
  to specify both NOTICE_ALARM_PER_CONN and NOTICE_EMAIL; currently,
  however, you can't do this.

- A similar notice action NOTICE_PAGE does the same thing as NOTICE_EMAIL
  except it send the mail to mail_page_dest (Scott Campbell).

- You can now use the attribute &rotate_size for file objects to
  specify the maximum file size in bytes (Robin Sommer). If the limit
  is reached, the file is rotated similiarly as is already done with
  &rotate (which, for consistency, has been renamed to &rotate_interval).

  For both &rotate_size and &rotate_interval, when they trigger they
  now generate events (rotate_size and rotate_interval, respectively;
  each takes the file as the sole argument) rather than invoking
  &postprocessor, which has been removed.

  There's also a new variable log_rotate_size to set a global size maximum.

  Related to log rotation are the following new built-in functions:

	rotate_file(f: file) closes the file, moves it to a temporary
	name, and opens a new one. It returns the new "rotate_info"
	record, which gives the temporary name and the open/close times.

	rotate_file_by_name(s: string): similar, but call by the name
	of the file rather than a Bro script value.  This is needed
	because some files are not represented by file objects but need
	to be rotated nevertheless (most importantly, the tcpdump save
	file and the dump files for dump_current_packet()). This function
	rotates the file with the given name.

  Finally, you can load the new policy script rotate-logs.bro to
  get default behavior of rotating all log files every hour.

- The new "@unload <script>" directive specifies that future @load's of
  <script> should be skipped.  This is useful for overriding analyzers
  loaded by scripts that pull in a bunch of analysis.  For example,

	@unload ntp
	@load mt

  would load all of the "mt" analyzers *except* ntp.bro.

- The new built-in function get_file_name(f: file): string returns
  the filename associated with a file (John McNicholas).

- The new built-in function get_contents_file(id: conn_id, direction: count)
  returns the contents file (set using set_contents_file()) for the given
  direction (John McNicholas).

- The new built-ins time_to_double() and double_to_time() convert between
  double values and time values (Robin Sommer).  The new built-in floor()
  returns the floor of a double value; this returned value is also a double.
  Thus, floor(-3.4) returns -4.0.

- Support for sending packets between Bro's (Robin Sommer).

- Bro now has a geneal mechanism internal for traversing policy scripts
  (Umesh Shankar).  Various script analyses can be specified using the
  new -z flag.

  Currently, the one supported form of analysis is "-z notice", which
  prints all of the different types of notices that the script you've
  loaded can generate.  For example, "bro -z notice ftp" will generate:

	  Found NOTICE: BackscatterSeen
	  Found NOTICE: FTP_PrivPort
	  Found NOTICE: FTP_BadPort
	  Found NOTICE: PortScan
	  Found NOTICE: FTP_ExcessiveFilename
	  Found NOTICE: ScanSummary
	  Found NOTICE: AddressDropped
	  Found NOTICE: DroppedPackets
	  Found NOTICE: SensitiveConnection
	  Found NOTICE: FTP_UnexpectedConn
	  Found NOTICE: SSH_Overflow
	  Found NOTICE: FTP_Sensitive
	  Found NOTICE: TerminatingConnection
	  Found NOTICE: PasswordGuessing
	  Found NOTICE: AddressDropIgnored
	  Found NOTICE: AddressScan

- The signature rule language now supports an "active" keyword,
  which can be set to "true" or "false", with the latter turning
  off the rule (Roger Winslow).  If set to false the signature will
  not be loaded into the rule matcher, otherwise it is.

- The signature rule language now supports meta data of the form
  ".MMM<whitespace>XXX", where MMM is arbitrary text which makes up the name
  of the meta data option and where XXX is arbitrary text up to the end
  of the current line (Roger Winslow).  The intent is that some forms of
  meta-data will be regularized/standardized in the future - information
  such as date modifed, category/class, weighting, etc.  For now, it
  provides a way to annotate rules with nominally more structure than just
  using comments (though it is currently treated the same, i.e., everything
  is ignored).

- The following meta data option names are now reserved: .version, .revision,
  .version-date, .revision-date, .date-created, .location

- The new enumerated type "transport_proto" is used to specify different
  types of transport protocols: "tcp", "udp", "icmp", and "unknown_transport".
  Associated with it are new built-in functions: is_udp_prot(), is_icmp_port(),
  get_conn_transport_proto, and get_port_transport_proto.  The latter two
  map a given connection and a given "port" value to their corresponding
  transport_proto value.

- A bunch of tuning (regular expressions for sensitive login sessions,
  scan detection thresholds, forbidden/hot usernames and filenames,
  sensitive URIs, "weird" actions) have been incorporated from
  operational configurations.

- Serious bugs in managing large numbers of files fixed.

- A serious bug with negative DNS TTL settings (and, more generally,
  with negative timer values) fixed.

- The traditional connection logging format is no longer supported.

- The SMTP analyzer's state machine processing has been modified to
  correctly deal with clients that (incorrectly) pipeline their commands
  (Ruoming Pang).

- A bug fixed in detecting SMTP relays for connections w/o message bodies
  (Ruoming Pang).

- A bunch of bugs in recording connection summaries for UDP flows
  have been fixed.

- A new script module, passwords.bro, generates PasswordExposed notices
  for activity (currently just rlogin/telnet logins) that expose passwords.

- A new script module, file-flush.bro, can be loaded to cause all log
  files to be flushed every file_flush_interval (default: 10) seconds.
  This is handy if you like to watch the files in real time.

- Zone transfers now generate a ZoneTransfer notice, unless the host
  making the request is in DNS::zone_transfers_okay.

- Bro's DNS cache (generated using -P and accessed using -F) is
  now kept in the .state/ subdirectory rather than in the user's
  home directory (Roger Winslow).

- Some changes to remote propagation of events/values and detection of
  state inconsistencies (Robin Sommer).

- A fix for avoiding delays on low-volume links for some systems for
  which it can take a long time to fill up the pcap buffer, and pcap doesn't
  return partial buffers (Robin Sommer).

- A bug in table expiration timers has been fixed (Robin Sommer).

- A bug in comparing subnets has been fixed.

- A bug in using a non-constant value for a &write_expire attribute
  has been fixed.

- A bug in using CONTENTS_BOTH for writing reassembled streams to
  files has been fixed (John McNicholas).

- A subtle but potentially damaging bug in fragment reassembly has
  been fixed.

- A bug with using local variables of vector types has been fixed.

- A bug with comparing strings has been fixed.

- Bro no longer generates the RST_with_data "weird", as with modern
  stacks it's no longer any sort of strange occurrence.

- Related to this, the signature rule matcher no longer matches
  against the payload of RST packets.  (Note, this is an imcompatibility
  with Snort.)

- Portmapper mappings are now written in the connection log in
  alphabetical order.

- The event engine variable frag_timeout now defaults to 5 minutes if you
  load frag.bro, and is accessed via redef rather than by defining the
  global directly.

- The interval that signatures.bro waits for until generating a signature
  summary can now be set using the new script variable sig_summary_interval,
  and a bug in generating the summaries has been fixed (Robin Sommer).

- The new script peer-status.bro generates periodic "update" events regarding
  a remote peer's status (Robin Sommer).  These take the form:

	type peer_status: record {
		res: bro_resources;
		stats: net_stats;
		current_time: time;
		cpu: double;		# average CPU load since last update
		default_filter: string;	# default capture filter
	};

- The bro_resources record returned by resource_usage() now includes
  three additional fields, $version (the version of Bro), $debug
  (T if Bro was compiled with debugging information), and $start_time
  (the time Bro began executing - clock time, not network time).

- The new built-in function same_object(o1: any, o2: any): bool
  returns true if its arguments refer to the same object, false
  otherwise.  This can be useful for comparing tables, for example
  in calls to table element expiration functions.

- The new built-in function bro_is_terminating(): bool returns true if
  Bro is done reading from its network input source(s) and is now
  in its final termination cleanup (Robin Sommer).

- A new built-in strftime() formats a timestamp, returning a string
  (Robin Sommer).

- A new built-in file_size() returns the size of the file with a
  given name (Robin Sommer - note: *not* a Bro file value).

- A potential deadlock with inter-Bro communication has been fixed
  (Robin Sommer).

- Bro now always forks a copy of itself when executing, as this
  can save considerable memory when using inter-Bro communication
  (Robin Sommer).

- The Bro interconnection protocol now includes explicit handshaking
  during session establishment to mark that a peer is ready (Robin Sommer).
  Implementing this includes a change in the wire protocol that is
  incompatible with the protocol used in the past.

- The TCP inactivity timer is now started whenever a connection
  transitions from a pre-establishment state (including "inactive")
  to some sort of established state (Robin Sommer).  Prior to this
  fix, connections for which a proper SYN handshake was not seen would
  not be timed out as inactive.

- The --disable-openssl configure option has been removed; now
  the only option is --with-openssl, and --with-openssl=no disables
  use of OpenSSL (Gregor Maier).

- A bug in invoking &expire_func functions has been fixed (Robin Sommer).

- A bug in logfile rotation has been fixed (Robin Sommer).

- A bug in recognizing negative floating point values has been fixed.

- worm.bro now suppresses the default signature action for worms
  it knows about, since it generates events for them (Robin Sommer).
  The list of worms detected via signatures now includes Bagle-BC.

- Signatures for known worms are now skipped when doing signature
  summaries and scan detection, if worm.bro is loaded (Robin Sommer).

- request_remote_events and request_remote_sync now implicitly
  do set_accept_state, too.

- Better error handling for SSL connections (Robin Sommer).

- Bug fixed which caused diagnostic messages to be lost when using
  inter-Bro communication (Robin Sommer).

- gcc 3.4 portability fixes (Brian Lindauer).

- Solaris portability fixes (Robin Sommer).

- The Bro distribution now includes and uses its own version of libpcap
  for portability reasons (Jason Lee).

- Some minor bug fixes to handling of tcpdump save files (Robin Sommer).

- Detection added for a (now quite old) SSHv1 overflow attack.

- A bug in skipping processing of connections for large chunks of
  data has been fixed (Chema Gonzalez).

- Some memory leaks fixed (Robin Sommer).

- fmt()'s "%d" format now accepts values of enum types.


0.9a7 Mon Nov  1 13:21:05 PST 2004

- New terminology:

	o We've found that the term "log" has been too overloaded,
	  sometimes meaning "something to record for audit purposes" and
	  other times meaning "something worthy of getting the operator's
	  attention right now, for example via syslog".

	  We are now using "log" to only refer to the first of these,
	  and refer to the second as "alarm".

	o We've found that "alert" (and the ALERT() function, etc) is
	  likewise confusing.  Some expect it to mean something alarm-worthy
	  (to use the new name from the previous item), while others
	  expect it to mean the output from a sensor, which might not
	  be worth getting the operator's attention.

	  We are now using "notice" to refer to what had previously
	  been called "alert".  So, for example, rather than call ALERT()
	  you call NOTICE() to enter something into the I've-seen-something-
	  maybe-it's-worth-an-alarm framework.  The first field associated
	  with such a call was $alert, which is now $note.  These notifications
	  are logged to notice.$BRO_LOG_SUFFIX rather than "alert."...

  These changes show up in many places in the policy scripts.  Some
  globals log_XXX are now alarm_XXX or notice_XXX.  However, uses of
  "log" that refer to "something to record for audit purposes" remain
  using that name.

- Bro now uses the "automake" suite of tools for its configuration
  (Jason Lee).  This includes major reworking of its Makefile's
  and configuration/installation scripts.

- Bro now flags event handlers that are never invoked (Umesh Shankar).
  This catches typos like:

	event bro_initt() { ... }

- The scripts directory now includes scripts for generating nightly
  reports (Roger Winslow).  Note that these are not presently a supported
  part of the public Bro distribution, but will become so in the
  not-too-distant future.

- policy/brolite.bro contains a first version of the "Bro Lite" configuration
  (Scott Campbell, Roger Winslow, et al).  This also is not presently
  supported for the public Bro distribution, but will become so.

- Major overhaul of the internal serialization framework (Robin Sommer).
  Some more changes are forthcoming, though not on this scale.

- Changed packet capture/drop statistics to (1) explicitly track received
  packets, (2) work better under Linux, (3) report link counts when available
  (Robin Sommer).  The net_stats record field "interface_drops" has been
  renamed "pkts_link".  It reports the number of packets captured by the
  NIC (if available), rather than the number dropped by the NIC (which never
  actually worked, anyway).

- The DNS analysis has been extended to deal with TSIG and to better deal
  with EDNS0 records, and its overall structure reworked somewhat
  (Scott Campbell & Roger Winslow).  The scripts in dns.bro are now
  inside "module DNS" scope.

- Improved logging of ICMP flows (Scott Campbell).  This includes the
  addition of a "len" field in icmp_conn.  Some significant additional
  changes/improvements to ICMP processing will be coming very soon.

- The Bro README and "quick start" documentation has been updated
  (Brian Tierney and Jim Rothfuss).

- Some significant state-holding problems in the presence of packet filtering
  or packet drops have been fixed.

- You can now instruct the signature engine to constrain the number of
  regular expressions it groups together into a single matcher using the
  new script variable "sig_max_group_size" (Robin Sommer).  This can result
  in significant memory savings for large sets of signatures.  It can
  increase the CPU processing required; however, in our testing so far
  this does not appear to be the case.

- The signature engine now provides better location information in its
  error messages (Robin Sommer).

- statistics.bro has been renamed profiling.bro.  Along with this change,
  the following script variables have been renamed:

	do_statistics => do_profiling
	statistics_file => profiling_file
	statistics_interval => profiling_interval

- A new script, stats.bro, can be included to generate light-weight
  running statistics on memory and CPU use.

- A new script, print-sig-states.bro, can be included to generate
  periodic dumps of signature-matching statistics (Robin Sommer).

- The connect_clear()/connect_ssl() built-ins have been replaced
  by a single connect() function (Robin Sommer).

- Remote Bro's (more generally, remote event sources) are now represented
  in policy scripts using the new "event_peer" type rather than as an
  addr/port pair, and get_event_source() has been renamed get_event_peer()
  (Robin Sommer).  The new function get_local_event_peer() returns an
  event_peer corresponding to the local Bro.

- The new script remote-print.bro can be used to print all events
  received from remote sources (Robin Sommer).

- When you call send_state(), an event finished_send_state() is now
  generated when all of the state has been sent (Robin Sommer).

- If you define a handler for the new print_hook() event, then it
  will be invoked every time a "print" statement executes (Robin Sommer).

- The -g flag no longer takes a directory as an argument, but always
  uses the .state directory (Robin Sommer).

- The new -I flag prints the value of a given identifier and exits
  (Robin Sommer).  This flag may go away in the future.  For now,
  its role is that it prints timestamps of things like table elements,
  which are no longer printed by a regular "print" statement.

- If a connection proceeds as SYN ->, <- RST, RST ->, this is now
  reported as a regular rejected ("REJ") connection, rather than
  one reset by the originator ("RSTO").

- The TCP analyzer now attempts to detect connections for which
  one side's packets are being filtered out.  It does this using
  two C++ variables (not presently accessible at the script level),

	const int max_initial_window = 4096;
	const int max_above_hole_without_any_acks = 4096;

  If more than max_initial_window data has been sent by one side and no
  ACKs have been seen by the other side, then it's assumed that no ACKs
  will ever show up, and the buffer for the data should be reclaimed
  immediately after it's reassembled.  max_above_hole_without_any_acks
  plays a similar role, but for the case when measurement drops have
  lead to Bro holding data for a sender for which it will never see
  an ACK (which would be an "ACK above hole"), so it should give up
  on buffering it.

- A portability bug in Bro's parser code has been fixed (Jason Lee).

- STARTTLS for SMTP now causes the SMTP session to be ignored, rather
  than generating a slew of error messages because the session becomes
  unparseable.

- Bro's "watchdog" handler is now less prone to crashing due to
  using non-reentrant library calls (Jason Lee).

- Better error message when reading an input file encounters an error.

- adtrace now prints its usage when invoked without the required
  arguments (Jason Lee).

- A bug in using recursive script functions has been fixed.

- A bunch of whitespace/code layout tweaks.


0.9a4 Wed Sep  8 17:33:54 PDT 2004

- The directory structure of the Bro distribution has changed (Jason Lee).
  The source code is now in a subdirectory, src/, and the scripts
  snort2bro (and snort2bro.cfg) and make-ftp-safe-vocabulary.awk have
  been moved into scripts/.

- "make install" has been revamped (Jason Lee).

- The format of the alert log file has changed.  Fields in it are
  colon-separated.  THIS WILL LIKELY CHANGE SOON.

- The policy for formatting signature matches has been revamped,
  including colon-separated fields in the signature log file
  (Roger Winslow).  THIS WILL LIKELY CHANGE SOON.

- The BRO_ID environment variable has been renamed BRO_LOG_SUFFIX.

- A new flag, -e, lets you specify Bro code to execute via the command
  line (Christian Kreibich).  So, for example,

	bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp

  will run tcp.bro on the trace "mytrace.tcpdump", but with
  traditional_conn_format redefined to be true.  Note that statements
  have an implicit ';' added to them for convenience.

- A new signature alert, "MultipleSigResponders", is generated if a
  host triggers the same signature on multiple responders.

- Bro now supports "packet profiling", which provides fairly fine-grained
  statistics on number of packets processed, volume, elapsed real/user/system
  time, and change in memory consumption (Holger Dreger).  Three variables
  control the output.  The double pkt_profile_freq controls the frequency
  of output.  The units in which it's interpreted depends on the setting
  of the pkt_profile_mode variable (which is of type pkt_profile_modes,
  an enum).  A value of PKT_PROFILE_MODE_SECS means that statistics
  are generated every pkt_profile_freq seconds; PKT_PROFILE_MODE_PKTS
  means every pkt_profile_freq packets; and PKT_PROFILE_MODE_BYTES, every
  pkt_profile_freq bytes.  The default (PKT_PROFILE_MODE_NONE) means
  to not generate packet profiling.

  Packet profiling is written to the new log file, pkt_profile_file.
  If you "@load pkt-profile", you can turn on packet profiling using
  some handy defaults.

- statistics.bro now reports on how many TCP connections are in
  <originator-state, responder-state> for the different TCP endpoint
  states (SYN sent, SYN ack'd, connection established, etc.).
  Contributed by Holger Dreger.

- tcp_content_delivery_ports_{orig,resp} are now table's of bool rather
  than set's (Ruoming Pang).  The semantics are that if you have a
  tcp_contents event handler, then if the orig/resp port is in the given
  table *and the yield value is T*, then the event will be invoked.  This
  allows you to now explicitly skip over some ports.

- The processing of default values in tables has been changed internally
  (Ruoming Pang).  It's possible this has introduced some subtle bugs
  (as some of these came up during testing).

- A serious bug in Base64 processing has been fixed (Ruoming Pang).

- The NetBIOS and SMB analyzers have been updated in minor ways
  (Ruoming Pang).

- statistics.bro now reports a "lag" figure indicating the elasped
  time between the last expired timer's target expiration time and
  the current packet timestamp (Robin Sommer).  Lag can grow if Bro
  is getting behind in timer expiration due to the setting of
  max_timer_expires.

- Bro's default filter is now "tcp or udp or icmp" rather than
  "tcp or udp".

- alert_info records now have an optional port associated with them
  (for example, to be used to describe scan activity).

- A bug has been fixed in which deleting a table element with an
  associated timer could crash Bro (Robin Sommer).

- A bug that would cause a crash for malformed EPASV directives
  has been fixed (Robin Sommer).

- A bug with inactivity timeouts not being generated for partial
  connections has been fixed (Robin Sommer).

- A bug in synflood.bro has been fixed (Robin Sommer).

- Some tuning adjustments to incremental expiration of table entries
  (Robin Sommer).

- Improved portability to Darwin (Christian Kreibich).

- alert_info records now have additional optional fields, "iconn"
  (associated ICMP connection), "dst" (destination address), and
  "p" (associated port).  The source_is_responder fields has been
  removed.

- The default packet filter now includes "icmp".

- Some memory allocation/free mismatches & minor leaks (Robin Sommer).

- Minor tweaks to ssl.bro (Robin Sommer).

- Bro now supports "null" link layers (Christian Kreibich).

- aux/adtrace contains a program that spits out MAC/IP information
  from traces (Holger Dreger).

- A bug in handling malformed RPCs has been fixed (Scott Campbell).

- The formatting of "weird" messages that have additional parameters
  has been changed to be more regularized with other "weird" messages.

- The new "weird" type "base64_illegal_encoding" takes the place of
  some previously unstructured Base64 "weird" errors.

- A tweak to ftp.bro will give it slightly more consistent results
  for some forms of unusual traffic.


0.9a3 Wed Jul  7 22:06:26 PDT 2004

- Improved ICMP processing, including scan detection (Scott Campbell).

- ICMP "connections" are now considered unidirectional.

- Fixed broken VLAN support (integration of original patch was incomplete).

- Fixed a bug in erroneously generating additional "ContentGap"
  alerts after an initial one.

- Connection durations are now always reported as floating-point decimal,
  never in exponential notation.

- Removed unused time parameter from a bunch of internal calls.

- Fixed some compilation warnings.

- "make clean" now removes generated policy/*.bif.bro files (Christian
  Kreibich).


0.9a2 Fri Jun 11 00:07:04 PDT 2004

- NetBIOS analysis has been extended with a CIFS/SMB analyzer (Ruoming Pang).
  While this is incomplete, it has many important elements.  The corresponding
  events:

	smb_message(c: connection, is_orig: bool, cmd: string, msg: string)
	smb_com_tree_connect_andx(c: connection, path: string, service: string)
	smb_com_nt_create_andx(c: connection, name: string)
	smb_com_transaction(c: connection, is_orig: bool, subcmd: count,
				name: string, data: string)
	smb_com_transaction2(c: connection, is_orig: bool, subcmd: count,
				name: string, data: string)
	smb_com_read_andx(c: connection, is_orig: bool, data: string)
	smb_com_write_andx(c: connection, is_orig: bool, data: string)

  This analyzer is still experimental.

- Greater support for vectors (Umesh Shankar), much of it taken from
  the 'S' language.

  You can use a boolean vector as an index into another vector (providing
  both are the same length) and each 'T' value in the index extracts the
  corresponding element from the indexed vector.  For example, "x[x > 3]"
  returns a vector whose elements are those elements of x that are greater
  than, while if y is a vector of the same length as x then "y[x > 3]"
  extracts those elements of y that have the same position as the elements
  in x that are greater than 3.

  You can also use an arithmetic vector to index another vector.  Each
  element present in the index is extracted.  So, for example:

	global a: vector of count;
	global b: vector of string;

	a[1] = 3;
	a[2] = 3;
	a[3] = 1;

	b[1] = "foo";
	b[2] = "bar";
	b[3] = "bletch";

	print b[a];

  prints:

	[bletch, bletch, foo]

- The new built-ins any_set() and all_set() return true if for a given
  boolean vector any element is true or all of the elements is true
  (Umesh Shankar).  So, for example, "any_set(x < 0)" returns T if
  an element of x is less than zero.

- The new built-in sort() takes a vector as an argument and sorts it
  *in place* (Umesh Shankar).  (The in-place semantics may change in the
  future.)  An optional second argument can be used to specify a
  function to call for comparing elements, and is required for non-arithmetic
  vectors.  For example, the following could be used to sort a vector
  of strings based solely on the length of the strings:

	function string_compare(a : string, b: string): int
		{
		local la = byte_len(a);
		local lb = byte_len(b);

		return (la < lb) ? -1 : ((lb > la) ? 1 : 0);
		}

- The new function order() has the same calling sequence as sort(),
  but instead of returning (and altering in place) the sorted vector,
  it returns a "vector of count" giving the *indices* that if used
  to index the vector will return it sorted.  So, for example,
  given two vectors x and y of the same length (but not necessarily
  of the same type),

	local x_sort_indices = order(x);
	x = x[x_sort_indices];
	y = y[x_sort_indices];

  will assign x to a sorted version of itself and also rearrange y such
  that elements of y that were paired with elements of x originally
  remain paired after the sorting.

- The ICMP analyzer now has a general notion of "context", i.e., the packet
  associated with ICMP status messages such as Unreachable or Time Exceeded
  (Ruoming Pang).  This changes the parameters to the icmp_unreachable
  event.  A new event, icmp_time_exceed, is now also available.

- The tcp_segment even has been replaced by a pair of new events (Ruoming Pang):

	tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
			ack: count, len: count, payload: string)

  is invoked for each TCP packet.  "flags" is a string containing "SFAPU"
  for the SYN/FIN/etc TCP flags.

	  tcp_contents(c: connection, is_orig: bool, seq: count,
			contents: string)

  is invoked for each chunk of the byte-stream that has been reassembled
  in sequence, providing it satisfies tcp_content_delivery_ports_{orig,resp},
  per the next item.

- You can specify the set of ports for which contents should be reassembled
  for the originator (responder, respectively) stream using the new sets
  tcp_content_delivery_ports_{orig,resp} (Ruoming Pang).  This can be
  useful for user-level stream analysis for protocols not known to Bro's
  event engine.  These controls may change to a "table of bool" in the future,
  in order to support an &default attribute.

- New built-in functions (Ruoming Pang):

	function interval_to_double(i: interval): double
		Converts a value of type "interval" to "double".

	function write_file(f: file, data: string): bool
		Writes the given string to the given file, returning
		F on error.

	function is_ascii(str: string): bool
		Returns T if the given string consists entirely of
		ASCII characters (i.e., in the range 0..127).

	function sqrt(x: double): double
		Returns the square-root of x, or -1 and a run-time error
		if x is < 0.

	function uuid_to_string(uuid: string): string
		Takes a UUID and returns its string representation, where
		UUID = Universal Unique Identifier as defined per
		http://www.opengroup.org/onlinepubs/9629399/apdxa.htm#tagcjh_20

	function string_to_ascii_hex(s: string): string
		Returns the ASCII hex representation of the given string.
		For example, string_to_ascii_hex("foo") returns "666f6f".

	function match_pattern(s: string, p:pattern): pattern_match_result
		Matches the given pattern against the given string, returning
		a record with three fields:

			matched: bool;	# T if a match was found, F otherwise
			str: string;	# portion of string that first matched
			off: count;	# 1-based offset where match starts

		For example,
			match_pattern("foobar", /o*[a-k]/)
		returns
			[matched=T, str=f, off=1]
		because the *first* match is for zero o's followed by an [a-k],
		while
			match_pattern("foobar", /o+[a-k]/)
		returns
			[matched=T, str=oob, off=2]

- Functions that terminate without returning a value when they were declared
  to do so now generate a run-time warning (Christian Kreibich).  Functions
  in the standard set of policy scripts that did this have been fixed.

- The new event non_dns_request(c: connection, msg: string) is generate
  to make the contents of malformed DNS requests available for analysis,
  with the assumption that these are actually some other protocol entirely
  (Ruoming Pang).

- If you redef truncate_http_URI to have a value >= 0, then any HTTP
  URIs generated by the event engine will be truncated to this length
  (Ruoming Pang).  This can be convenient when analyzing traffic that
  generates huge URIs (as do some automated attacks).

- "SEARCH" is now recognized as a standard HTTP method (Ruoming Pang).

- The new event connection_EOF(c: connection, is_orig: bool) is generated
  when one side of a connection closes (Ruoming Pang).

- synflood.bro and the corresponding event engine internals now works
  in terms of probabilities (0.0-1.0) instead of percentages (0-100)
  (Robin Sommer).  The script has had several tweaks, including using
  new_connection() rather than connection_attempt(), which gives it
  quicker response and broader coverage (it'll detect non-TCP flooding,
  too, so "synflood" is now a bit of a misnomer), at the cost of perhaps
  more CPU load.

- A signature for Witty has been added to policy/sigs/worm.sig (Ruoming Pang).

- Makefile now has a "test" target.  Currently this only works for internal
  development (we haven't put together a public test suite yet; that will
  take some time due to the need to make sure no sensitive information leaks).

- The built-in function generator now knows about "double" as a built-in type
  (Ruoming Pang).

- Some generated files have been removed from the Bro distribution since
  they're redundant (Ruoming Pang).

- A bug has been fixed in which contents files might not be correctly
  written upon termination of Bro (Ruoming Pang).

- A bug has been fixed in which UDP connections didn't generate
  new_connection events (Ruoming Pang).

- Support for the Linux "cooked capture" link layer (Ruoming Pang).

- BPF support has been factored into a separate class, BPF_Program, which
  makes for easier portability (Christian Kreibich).

- A serious low-level Dictionary bug has been fixed (Christian Kreibich).

- A bug that could cause Bro to crash if it receives an event from another
  Bro that it isn't able to process has been fixed (Christian Kreibich).

- A bug in set file descriptors non-blocking has been fixed
  (Christian Kreibich).

- A bug that could cause some error messages to generate crashes has
  been fixed.

- The global skip_event_tcp_option has been removed.


0.9a1 Mon Jun  7 01:33:00 PDT 2004

- 0.8a85 is the new STABLE release, to be updated only for bug (and
  portability) fixes.  0.9a1 is the new CURRENT release, which will have
  both bug fixes and new functionality.

- Support for FTP EPRT, EPSV (Holger Dreger).

- Change to timer management to recover memory more quickly (Robin Sommer).

- Tweaks to eliminate a number of compiler warnings (Robin Sommer).

- Statistics now report number of connections terminated due
  to inactivity (Robin Sommer).

- New Makefile target, pub-tar-no-doc builds a public tarball but
  without the (large) doc/ subdirectory.

- Bug fix for identd requests with illegal port numbers.

- The example of a scanning source to skip in scan.bro has been changed
  from an AltaVista robot (now obsolete) to a Google robot.

- Some previously fatal internal errors have now been turned into
  "internal warnings", which Bro is able to continue operating
  in their presence.


0.8a84 Wed May 26 23:33:39 PDT 2004

- autoconf tweaks for portability to Darwin (Christian Kreibich).

- Fixed subtle bug in chunked-IO reads (Christian Kreibich).

- Fixed bug for the "discarder" framework in which specifying an
  IP discarder would cause other TCP/UDP/ICMP discarders not being
  invoked (Christian Kreibich).

- Fatal bug in signature matching fixed (Robin Sommer).

- Missing member variable initialization fixed (Robin Sommer).  (Needed for
  compilation with new versions of gcc.)

- Makefile bug for "make install" fixed.

- Fixed bug that could lead to Bro crashing if an SMTP session
  had data sent after a RST.

- Removed some out-of-date SMTP analysis warning messages.


0.8a82 Tue Apr 27 11:53:24 PDT 2004

- Fixed inactivity timer loop when a packet arrives exactly when
  the timer is set to expire.


0.8a81 Mon Apr 26 22:46:37 PDT 2004

- A bunch of memory leaks fixed (Chema Gonzalez).

- A new HTTP analyzer variable, content_truncation_limit, controls
  how much of an HTTP request/reply contents element (i.e., what's
  passed to http_entity_data - this is *not* the entire content, but
  the next chunk's worth) is logged in the log file.  It defaults
  to 40 bytes.  Setting it to 0 means "log all of it".

- Fix to avoid crashing for malformed RPC requests.

- Improved OpenSSL auto-configuration (Robin Sommer).

- Fix for compiling without OpenSSL.

- A new built-in, double_to_count(), converts a value of type "double"
  to the corresponding "count" (Chema Gonzalez).  We should probably
  add floor(), ceil(), etc.

- Parameterization of trw.bro tweaked (Jaeyeon Jung).


0.8a79 Wed Mar 24 22:02:53 PST 2004

- Bro now has an SSL analyzer, written by Michael Kuhn and Benedikt Ostermaier,
  with further development by Scott Campbell.  It generates the following
  events:

	event process_X509_extensions(c: connection, ex: X509_extension)
	event ssl_X509_error(c: connection, err: int, err_string: string)
	event ssl_certificate(c: connection, cert: X509, is_server: bool)
	event ssl_certificate_seen(c: connection, is_server: bool)
	event ssl_conn_alert(c: connection, version: count, level: count,
				description: count)
	event ssl_conn_attempt(c: connection, version: int)
	event ssl_conn_established(c: connection, version: int,
				cipher_suite: count)
	event ssl_conn_reused(c: connection, session_id: sessionID)
	event ssl_conn_server_reply(c: connection, version: int)
	event ssl_conn_weak(name: string, c: connection)
	event ssl_session_insertion(c: connection, id: sessionID)

  Note, it still has a lot of rough edges; particularly, handling
  non-conformant input.  It also generates unnecessary ContentGap alerts
  due to the way it runs multiple analyzers (SSLv2 and SSLv3) on a single
  connection.  This will be fixed in the fairly near-term future.

- The manual has been updated with chapters on signatures (Robin Sommer)
  and using the interactive debugger (Umesh Shankar), along with a partial
  description of the new SSL analyzer (Michael Kuhn and Benedikt Ostermaier)
  and a number of updates to the documentation of built-in functions (Umesh
  Shankar), though this latter is still not complete since Umesh actually
  contributed this quite a while ago.

- Ruoming Pang has contributed a crude analyzer for DCE/RPC (used for Windows).
  It generates simple dce_rpc_request and dce_rpc_reply events.  It should
  not be considered stable.

- The traditional connection logging format (traditional_conn_format)
  is no longer the default.  The 0.8a70 release notes stated that this
  was the case but this time it really is :-).

- An experimental "vector" type has been added (Umesh Shankar).  A vector
  is an aggregate type.  For example:

	local suspect_hosts: vector of addr;

  You can randomly access elements starting with the first as 1, e.g.,

	suspect_hosts[1] = 10.0.0.8;

  and can also add elements at later postions even if there are gaps:

	suspect_hosts[31337] = 10.0.0.9;

  *The semantics and capabilities of vectors will be changing considerably.*

- Umesh Shankar has developed a framework for generating IDMEF messages.
  Currently it needs a modified version of libidmef, which is not included
  in this distribution.  Contact me or Umesh if you want a copy.

- A new attribute &synchronized causes the given global variable to
  be *synchronized* across concurrent instances of Bro (which are
  intercommunicating via remote.bro).  Any change made by one of them
  to the variable will be reflected (soon after) in the copy at
  the others.  A new event remote_state_inconsistency is generated
  if two instances both change the value before they're synchronized.
  (Contributed by Robin Sommer.)

- trw.bro implements a new scan detection algorithm, Threshold Random Walk
  (Jaeyeon Jung).  It's described in an upcoming IEEE S&P symposium paper.
  The analyzer generates two events:

	TRWAddressScan, # source flagged as scanner by TRW algorithm
	TRWScanSummary, # summary of scanning activities reported by TRW

  TRW is generally much more sensitive than Bro's regular detection algorithm.

- vlan.bro provides support for VLAN encapsulation.  More generally, Bro
  now has support for any sort of constant-offset encapsulation (Vinod
  Yegneswaran).  You specify the header size by redef'ing encap_hdr_size.
  You can also redef tunnel_port to be a UDP port which Bro treats as being
  the encapsulation (in the packet stream - not addressed to it) rather
  than all traffic.

- If you turn on statistics (i.e., via @load statistics) and also redef
  segment_profiling to T, then Bro will generate to the statistics file
  a trace of its "segment" processing.  A segment is a unit of internal
  execution.  Profiles look like:

	1058517499.615430 segment-processing-packet dt=0.000013 dmem=0
	1058517499.615430 segment-draining-events dt=0.000012 dmem=0
	1058517499.615671 segment-expiring-timers dt=0.000010 dmem=0
	1058517499.615671 segment-processing-packet dt=0.000010 dmem=0
	1058517499.615671 segment-draining-events dt=0.000012 dmem=0
	1058517499.615671 segment-policy/conn.bro:282 dt=0.000011 dmem=0
	1058517499.615671 segment-policy/conn.bro:253 dt=0.000012 dmem=0

  The first line states that at the given (packet) timestamp, the event
  engine processed a packet, taking 13 usec of CPU time to do so, and
  not consuming any memory (from the kernel's perspective; this is *not*
  fine-grained memory consumption).  The next lines indicate 12 usec were
  spent draining events and 10 usec expiring timers.  The last two lines
  indicate that the functions at lines 282 and 253 in conn.bro were
  executed, requiring 11 usec and 12 usec, respectively.

  Note #1: timings are just what rusage() reports, so not necessarily
  very accurate for small times.

  Note #2: there's a bug in tracking function line numbers that hasn't
  been ferreted out yet, so they're only roughly correct.

- The inactivity_timeout global has been split into tcp_inactivity_timeout/
  udp_inactivity_timeout/icmp_inactivity_timeout (Robin Sommer).  Using
  this, the default inactivity timeouts for UDP and ICMP have been changed
  from "no timeout" to 10 seconds.  This is needed because otherwise
  analyzing a stream of UDP or ICMP traffic generally gobbles up memory
  quickly and never recovers it; and there's seems little point in trying
  to consolidate long-lived-but-often-inactive UDP/ICMP streams.

- The new policy script cpu-adapt.bro is an extension to load-levels.bro
  (see CHANGES for 0.8a37 below) to adapt the packet filter based on the
  current CPU load. If the load is below cpu_lower_limit (default 40%),
  the load-level is decreased.  If it's above cpu_upper_limit (default
  90%), it's increased.  (Robin Sommer)

- The new policy script hand-over.bro can be used for a new running
  instance of Bro to smoothly take over operation from an old instance,
  i.e., it implements hand-over of state between two Bro instances when
  checkpointing (Robin Sommer). First, all persistent data (i.e. variables
  declared &persistent and connections for which make_connection_persistent()
  has been called) is transferred from the old instance to the new instance.
  Then the old instance terminates itself and the new one starts processing.

  The host from which we want to take over the state has to be added to
  remote_peers_clear (or remote_peers_ssl), setting hand_over to T. The
  host which is allowed to perform a hand-over with us has to be added
  with a port of 0/tcp and hand_over=T. An example for a handover between
  two instances on the same machine:

  @load hand-over
  redef remote_peers_clear += {
        [127.0.0.1, 47756/tcp] = [$hand_over = T],
        [127.0.0.1, 0/tcp] = [$hand_over = T]
        };

  (This interface may be subject to change in the future.)

- New script functions (Robin Sommer):

      function terminate()
          Terminates Bro via SIGTERM.

      function dump_config()
          Dumps Bro's full configuration into state_dir (one file per
          variable/type/function, etc.)

      function send_state(ip: addr, p: port)
          Send all of persistent state to the remote host.

      function set_accept_state(ip: addr, p: port, accept: bool)
          If accept is true, state sent by the given host will be
          accepted (default: false)

      function make_connection_persistent(c: connection)
          Declare the given connection state to be persistent (i.e.
          to be saved upon termination and exchanged by send_state).
          checkpoint.bro uses this to declare some services to be
          persistent by default.

      function is_local_interface(ip: addr): bool
          Returns true if the given address is assigned to a local interface.

- Printing of sets and tables now includes timestamps indicating when the
  element was added (Robin Sommer):

         ID did_ssh_version = {
            [129.187.20.9, F] = 1 @11/01-15:55,
            [212.144.77.26, T] = 2 @11/01-15:55,
            [141.84.116.26, T] = 10 @11/01-15:55,
            [217.232.245.249, T] = 1 @11/01-15:55,
            [217.235.217.149, T] = 1 @11/01-15:55,
            [129.187.39.13, F] = 2 @11/01-15:55,
            [129.187.208.139, F] = 1 @11/01-15:55,
            }

  The format may change in the future, and will probably be made an option.

- Similarly, you can print functions to get both a timestamp of the last
  time the given block was executed and a count of how often (Robin Sommer):

	  ID record_connection = record_connection
	  (@11/01-16:03 #6549)
	  {
	  id = c$id;
	  local_init = is_local_addr(id$orig_h);
	  local_addr = local_init ? id$orig_h : id$resp_h;
		    remote_addr = local_init ? id$resp_h : id$orig_h;
	  flags = local_init ? "L" : "";
	  if (remote_addr in neighbor_nets)
		  (@<never> #0)
		  flags = cat(flags, "U");

	  if ("" == flags)
		  (@11/01-16:03 #2110)
		  flags = "X";

	  is_tcp = is_tcp_port(id$orig_p);
	  ;
	  if (is_tcp)
		  (@11/01-16:03 #6549)
		  {
		  if (c$orig$state in conn_closed || c$resp$state in conn_closed
)
			  (@11/01-16:03 #4739)
			  duration = fmt("%.6g", c$duration);
		  else
			  (@11/01-16:03 #1810)
			  duration = "?";
	  [...]

- You can now specify numbers using hex constants, e.g., 0xabcd = 43981
  (Michael Kuhn and Benedikt Ostermaier).

- A new function, join_string_array(sep: string, a: string_array) concatenates
  strings in 'a' and inserts 'sep' between every two adjacent elements
  (Ruoming Pang).  E.g., join_string_array("", {"a", "b", "c"}) returns
  "a b c", and join_string_array("", a) is the same as cat_string_array(a).

- checkpoint.bro now makes some services persistent by default
  (Robin Sommer).

- The new_packet event now includes both the associated connection
  and a pkt_hdr describing the packet (Robin Sommer).

- The functions functions connect_ssl() and connect_clear() have been replaced
  by a single connect() function taking an additional parameter to
  differentiate the types (Robin Sommer).

- The new function stop_listening() unbinds the listen port (Robin Sommer).

- A new flag packet_filter_default says whether the Bro-level packet-filter
  will by default accept all or reject everything (Robin Sommer).

- Function calls can now be sent to remote Bro's, though there isn't yet
  an interface for accessing this from the script level (Robin Sommer).

- Bro now has an generalized internal framework for serializing objects
  and monitoring access to state (Robin Sommer).

- Better memory allocation accounting (Robin Sommer).

- A minor tweak to the output generated by statistics.bro.

- Improved localization of source code for functions in messages (but
  there are still some bug).

- Autoconf looks for -ltermcap (Robin Sommer).

- Fixes for bugs in the management of table expiration values (Chema Gonzalez).

- A bug in printing "void" values has been fixed (Chema Gonzalez).

- -t bug fixed (Chema Gonzalez).

- A bug has been fixed in which sometimes "expression value ignored"
  was erroneously generated.

- A bug with packet_contents and UDP packets with checksum errors
  has been fixed (Ruoming Pang).

- A memory leak in packet timestamp sorting via packet_sort_window
  has been fixed (Ruoming Pang).

- A bug has been fixed in expanding NULs when printing strings (Ruoming Pang).

- Bug fixes for extracting connection contents via contents.bro (Ruoming Pang).

- Bogus error message "Can't install default pcap filter" when using -F
  removed.


0.8a70 Sun Feb  8 14:19:45 PST 2004

- Bro has a new home page at

	http://www-nrg.ee.lbl.gov/bro.html

  It includes a "wish list" of Bro development projects:

	http://www-nrg.ee.lbl.gov/bro-wishlist.html

- The "match" expression has been completely overhauled (Umesh Shankar).
  It now has the syntax:

	match EXPR1 using EXPR2

  Its semantics are complicated, but it's very powerful (see its use for
  alert filtering below).  EXPR1 can have any type T.  EXPR2 must be of
  type "set[R]", where R is a record type.  R must have the following fields:

	$pred	- type is "function(T): bool".  This is the predicate
		  associated with the record.  It is passed in EXPR1's
		  value and returns true or false.

	$result	- can have any type T'.  This is the value to use when
		  if $pred returns true for EXPR1.

	$priority - type must be arithmetic (count, int, double).  This
		  is the priority associated with the match of EXPR1
		  if $pred returns true.

  The way the expression works is that EXPR1 is evaluated yielding a
  value V.  EXPR2 is then evaluated yielding a set of records whose
  type includes the above fields.  Bro then spins through each of the
  records in the set and tests whether its $pred predicate holds for V.
  If so, it records the given $result and the associated $priority.
  It then returns for the value of the entire expression the $result
  with the highest $priority.

  Here's an example.  The following script:

	global match_stuff = {
		[$pred = function(a: count): bool { return a > 5; },
		 $result = "it's big",
		 $priority = 2],

		[$pred = function(a: count): bool { return a > 15; },
		 $result = "it's really big",
		 $priority = 3],

		[$pred = function(a: count): bool { return T; },
		 $result = "default",
		 $priority = 0],
	};

	print match 0 using match_stuff;
	print match 10 using match_stuff;
	print match 20 using match_stuff;

  when executed will print:

	default
	it's big
	it's really big

  (Note that Bro actually will first evalute $priority before evaluating
  $pred, and if it already has a better (higher) priority result, it
  will not bother calling $pred.)

- There's a new syntax for designating function values (Umesh Shankar).
  It currently only works when associating a function value with a
  record field in a record constructor:

	[$foo(bad_guy: addr) = { launch_counter_DDOS(bad_guy); return 3.14; }]

  is equivalent to:

	[$foo = function(bad_guy: addr): double = {
			launch_counter_DDOS(bad_guy);
			return 3.14;
	}]

  The goal is to make such functions easier on the eye to express.
  The changes are (1) no "function" keywork necessary, (2) no function
  return type necessary (note, it is inferred from the "return" statement
  in the function body; eventually this will work for all functions, not
  just those in record constructors), (3) the '=' sign comes after the ')'
  rather than before the keyword "function".

  Given this syntax, we can rewrite the initialization of match_stuff
  in the example above as:

	global match_stuff = {
		[$pred(a: count) = { return a > 5; },
		 $result = "it's big",
		 $priority = 2],

		[$pred(a: count) = { return a > 15; },
		 $result = "it's really big",
		 $priority = 3],

		[$pred(a: count) = { return T; },
		 $result = "default",
		 $priority = 0],
	};

- The motivation behind these elaborate new mechanisms is to provide a
  powerful and streamlined way to filter alerts.  According, alert.bro
  now processes any alerts generated via ALERT() through a new global,
  alert_policy.  alert_policy's type is set[alert_policy_item], where
  alert_policy_item is:

	type alert_policy_item: record {
		result: AlertAction;
		pred: function(a: alert_info): bool;
		priority: count;
	};

  The idea is that you specify your alert post-filtering by redef'ing
  new elements into alert_policy.  For example, here are two post-filtering
  rules used at LBL to weed out uninteresting alerts:

	# Ignore connections marked as sensitive because they're
	# NTP to otherwise-sensitive hosts (first clause) or they happen
	# to involve 2766/tcp (Solaris Listen), which happens frequently
	# to ftp.ee.lbl.gov if Bro misses the PORT negotiation.
	[$pred(a: alert_info) =
		{
		return a$alert == SensitiveConnection &&
			(a$conn$id$resp_p == 123/udp || # NTP
			 a$msg == /Solaris listen service/);
		},
	 $result = ALERT_FILE,
	 $priority = 1],


	# Ignore sensitive URIs if the request was unsuccessful (code 404,
	# or not answered.)
	[$pred(a: alert_info) =
		{
		return a$alert == HTTP::HTTP_SensitiveURI &&
			a$msg == /.*((\(404)|(no reply)).*/;
		},
	 $result = ALERT_FILE,
	 $priority = 1],

  These rules are part of:

	redef alert_policy += {
		... these records and others ...
	};

  The idea behind them is to demote certain alerts that would ordinarily
  be syslog'd (i.e., the associated action is ALERT_LOG_ALWAYS) to instead
  just be recorded in the alert.$BRO_ID file.  Naturally, there are
  many other possibilities.  For example:

	[$pred(a: alert_info) = {
		if ( a$alert == FTP::FTP_Sensitive &&
		     a$msg == /.*crown_jewels.*/ )
			{
			system("page_the_duty_officer \"crown jewels theft!\"");
			return T;
			}
		else
			return F;
		},
	$result = ALERT_LOG_ALWAYS,
	$priority = 1000],

  would run the program page_the_duty_officer with the argument "crown
  jewels theft!" if an FTP_Sensitive alert was generated and the log message
  included the text "crown_jewels".  More generally, post-filtering needn't
  just be about deciding on how the alert is logged; the processing can
  run programs, update tables, etc., just like any other function call might.

- You can use the new function tally_alert_type in an alert_action_filters
  initialization in order to suppress immediate logging of an alert and
  instead have Bro generate a summary of how many times the given alert
  was seen when it exits.  You can use another new function, file_alert,
  to specify an alert_action_filters initialization that causes the alerts
  to just be written to the alert.$BRO_ID file but not otherwise logged.

  For example:

	redef alert_action_filters += {
		# Just summarize various packet capture glitches.
		[[RetransmissionInconsistency, ContentGap, DroppedPackets,
		  AckAboveHole]] =
			tally_alert_type,

		[RemoteWorm] = file_alert,
	};

  would specify that RetransmissionInconsistency (etc.) alerts should just
  be reported in the log file (log.$BRO_ID) as a total count, and
  RemoteWorm should only be put in the alert.$BRO_ID file, but not
  otherwise logged or counted.

  You could get the same functionality by writing alert_policy records,
  but they're quite a bit bulkier than the above.  Note that
  alert_action_filters entries take precedence over alert_policy
  records, but are evaluated *after* the "match" on alert_policy,
  so if you have predicates in alert_policy with side-effects (like the
  invocation of page_the_duty_officer in the example above), those
  will still happen.

- The alert_info record (which is used in calls to ALERT) now has
  slots for some more additional information:

	user: string;	# can hold an assocaited username
	filename: string;	# an associated filename
	method: string;	# associated HTTP method
	URL: string;	# associated URL
	n: count;	# any associated count/number/status code

  (These are all &optional, so you don't need to specify them if they're
  not appropriate.)  A number of ALERT's in the default policy scripts
  have been changed to include these.  The intent is to add more such
  information in the future.  Ideally, alert_policy records shouldn't
  be doing checks like "a$msg == /.*((\(404)|(no reply)).*/" but instead
  extracting the status code directly from a field of 'a' (which is an
  alert_info record).

- ALERT now fills in the '$id' field in the alert_info record with
  the $id of the associated connection, if the caller didn't suppy
  a $id but did supply a $conn.  Likewise, it will fill in $src with
  the $orig_h from $id (after first filling in $id).  The net result
  is that you can rely on $id and $src being set for any alert that
  has an associated connection.

- The HTTP analysis scripts (policy/http*.bro) have been converted to
  use the "module" facility, similar to how ftp.bro was converted for
  0.8a48.  This may require changing some of your own scripts, generally
  just to add "HTTP::" qualifiers.

- Now that the variables associated with FTP analysis are part of an
  "FTP" module, the "ftp_" prefix associated with:

	ftp_excessive_filename_len
	ftp_excessive_filename_trunc_len
	ftp_guest_ids
	ftp_hot_cmds
	ftp_hot_files
	ftp_hot_guest_files
	ftp_ignore_invalid_PORT
	ftp_ignore_privileged_PASVs
	ftp_log
	ftp_skip_hot

  has been removed, and these are now called:

	excessive_filename_len
	excessive_filename_trunc_len
	guest_ids
	hot_cmds
	hot_files
	hot_guest_files
	ignore_invalid_PORT
	ignore_privileged_PASVs
	log_file
	skip_hot

  To get to them from other scripts, you specify, for example,

	redef FTP::guest_ids = { .... };

  whereas before you had to use:

	redef FTP::ftp_guest_ids = { .... };

- The new connection logging format introduced in 0.8a57 is now the
  default, unless you redef the new variable "traditional_conn_format"
  to be T (Robin Sommer).  Connections using unidentified ephemeral
  ports now have a service of simply "other" rather than other-XXXX.
  The 'U' connection status flag has been removed (unless you're using
  traditional_conn_format).

- Tables can now be directly indexed by records, and indexing using records
  is no longer interchangeable with using a corresponding list of indices
  (Umesh Shankar).  This may require adjustments to existing policy
  scripts.

- Hostnames such as www.google.com now have type set[addr] rather than
  a funky internal list type.

- The new function dump_current_packet(file_name: string) dumps a copy of
  the current packet to the file with the given name, appending it if the
  file already exists (Robin Sommer).  The file is in tcpdump format.
  A handy use for this is in an event handler for signature_match(),
  to record packets that match given signatures.

- The event new_packet() is invoked for each new packet (Robin Sommer).
  It currently doesn't provide the packet contents but soon will in
  a fashion similar to secondary-filter.bro.

- "cf -f fmt" specifies a strtime() format.  -u specifics UTC time rather
  than local time (Mark Delow and Craig Leres).  cf now has a man page
  (Craig Leres).

- Two new variables, backdoor_ignore_local and backdoor_ignore_remote,
  can be used to specify backdoor signatures that should be ignored
  if the server is local/remote.

- A bug has been fixed in which a "next" executed in the final iteration
  of a for loop would mangle the subsequent processing of the outer
  statements (Chema Gonzalez).

- Bug fixes for MIME and Base64 processing (Ruoming Pang).

- pcap.bro now builds its filter in the opposite order (restrict_filters
  first), which can improve packet filtering performance (Robin Sommer).

- A bug in &default has been fixed.

- More SSL autoconf tweaks (Robin Sommer).

- Portability for different pcap_compile_nopcap() calling sequences
  (Chema Gonzalez).

- Some tweaks for a minor reduction in memory consumption.

- A memory leak for secondary packet filters has been fixed.

- The localization of error messages (what script line they correspond to)
  has been improved.


0.8a58 Tue Dec 16 08:55:47 PST 2003

- Compatibility with older versions of libpcap (Chema Gonzalez).


0.8a57 Tue Dec  9 10:14:30 PST 2003

- The format of Bro's connection summaries is changing.  The new format
  looks like

	  1069437569.904605 0.230644 1.2.3.4 5.6.7.8 http 59377 80 tcp 610 275 S3 L

  That is, <timestamp>, <duration>, <originator address>, <responder address>,
  <service>, <originator port>, <responder port>, <originator bytes>,
  <responder bytes>, <connection state>, <flags>.  (Robin Sommer)

  The script variable traditional_conn_format=T specifies to use the old
  format rather than this new one.  This is *currently* the default, but
  will change soon to default to F instead.  If you have comments on this
  new format, we'd like to hear them.

- The SigAction's available in signatures.bro have been extended (Robin Sommer).
  SIG_FILE_BUT_NO_SCAN is like SIG_FILE but without any horizontal/vertical
  processing; SIG_LOG_ONCE logs only an alert only the first time it occurs;
  SIG_LOG_PER_ORIG logs only the first instance of an alert generated by a
  particular originator; SIG_COUNT has been renamed SIG_COUNT_PER_RESP; and
  SIG_SUMMARY suppresses logging of individual alerts but generates a
  per-originator summary.

- A new -p option for snort2bro tells it to only process signatures that
  include matching on payload (Robin Sommer).

- You can now explicitly include or exclude particular SIDs when
  running snort2bro by specifying a configuration file via -c (Robin
  Sommer).  The format is simple, just "include" or "ignore" followed
  by the SID number:

	# sid-526 BAD TRAFFIC data in TCP SYN packet
	ignore	526

	# sid-623 matches a null-flags stealth scan.  Include it even
	# if we build with -p, since it doesn't tend to generate any
	# false positives.
	include	623

  The new "snort2bro.cfg" file gives examples (i.e., the above).

- Bro can now serialize functions and event handlers, meaning that these
  can be passed as values between Bro's and dumped using -g (Robin Sommer).
  One of the main goals in supporting this is to allow in situ alteration
  of the Bro's configuration (e.g., you can edit a function and change its
  functioning and have a running Bro pick up the change without having to
  stop and be restarted).  Such dynamic reconfiguration is experimentally
  supported via -g <dir> (see below).

- &persistent state is now stored in the *directory* given by state_dir
  (default: "./.state"), one file per variable, rather than a single file
  (Robin Sommer).

- Storing &persistent state to disk is now done incrementally: after writing
  each file, there's a delay of state_write_delay (default: 0.1 secs) before
  working on the next file (Robin Sommer). This may introduce small
  inconsistencies, but prevents load spikes that can lead to packet drops.
  Currently, there is no mechanism to incrementally store a single variable
  (like a large table), although there is already some framework in place
  to eventually support this.

- The *experimental* new -g <dir> option dumps the script-level configuration
  (excluding things defined in internal default scripts like bro.init)
  into the directory <dir>. These files may be printed with "bro -x <file>",
  or copied into the state_dir of a running Bro, which will then pick up
  the change if it has loaded checkpoint.bro.  (When picking up changes,
  event handlers are always added, while functions, types, and variables
  replace the current ones).

- Table values are now incrementally expired rather than all at once
  (Robin Sommer).  That is, if the expiration timer goes off and hundreds
  of values should now be expired, the work of doing so is spread over
  chunks of table_expire_size (default: 50) at a time, separated by a
  delay of table_expire_delay (default: 0.1 secs).  This change aims to
  prevent large processing spikes that can lead to packet drops.

- New built-ins sub() and gsub() act like awk's functions of the same
  name, changing substrings (either first, or all) that match a given
  regular expression to a given target string.  (Note, the calling sequence
  differs from the order used by awk.)

- The new auxiliary script aux/scripts/mvlog is a handy way to manage
  checkpointed logs.  See the script for documentation.

- The &expire_func function now takes two arguments.  The second is
  of type "any" and corresponds to the index(es) of the element being
  expired.  To access the individual indices, you use a new assignment form:

	[a, b, c] = index_val;

  (where index_val is the second argument of type "any").  This assigns
  a to the first index, b to the second, and c to the third.  NOTE: the
  use of "any" types here is *temporary* and will be changing in the
  future to a general "tuple" notion.  (Robin Sommer)

- scan.bro and conn.bro have been reworked to consume less memory and to
  support more flexible state expiration (Robin Sommer).

- The new builtin rescan_state() causes Bro to re-read any persistent
  data values (Robin Sommer).

- snort2bro now supports continued lines ("\<newline>") (Robin Sommer).

- The calling sequences of the software_version_found() and
  software_parse_error() events has changed, and a new event,
  software_unparsed_version_found(), is invoked for raw version
  strings (i.e., the version string prior to the event engine
  attempting to parse it into version/major/minor) (Robin Sommer).

- Software version tracking for clients now tracks all versions, not just
  the latest version (Robin Sommer).

- alert_info records now include an optional field event_src, which is the
  source of the event if it was received from an external Bro (Robin Sommer).

- Regular expressions now support {} iteration values of 0, and generate
  better error messages.

- Output generated by icmp.bro is now redirected into an "icmp" log file
  (Robin Sommer).

- autoconf tweaks for configuring OpenSSL on Linux (Ruoming Pang, Robin Sommer).
  Tested on RedHat (thanks to Anton Chuvakin), Debian, FreeBSD, Solaris.

- You can now turn off using OpenSSL even if the OS supports it, via
  configuring with --disable-openssl (Robin Sommer).

- Variable size computations (per global_sizes()) are now more accurate
  (Robin Sommer).

- A bug with combining file encryption and log rotation has been
  fixed (Robin Sommer).

- A problem tracking directionality in signatures fixed (Robin Sommer).

- Bro now continues running if DNS is not functioning (Robin Sommer).

- Rewriter memory use has been significantly reduced (Ruoming Pang).

- Some bugs with -A/-w interaction have been fixed (Ruoming Pang).


0.8a48 Tue Oct 21 15:56:13 PDT 2003

- There is now a mechanism in place for multiple Bro's to communicate with
  one another via sockets (Robin Sommer).  *This is quite experimental at
  this point* and may have significant bugs and/or need significant
  enhancements.

  By loading listen-clear.bro or listen-ssl.bro, an instance of Bro starts
  to listen on a TCP port.  The first of these listens for unencrypted
  connections and the second for connections encrypted via OpenSSL.  To
  connect to a listening Bro, you load remote-clear.bro or remote-ssl.bro.
  For this connection, you specify which events you want to receive by
  giving a regular expression (e.g.  "/http_*/" for all HTTP events),
  although only those events for which you have defined a local handler
  are actually requested.  Communication is uni-directional in the sense
  that for a certain connection the events go only from Bro-A to Bro-B but
  not from B to A (you could set up a second connection for the other
  direction, though).

  The OpenSSL certificate used to authorize remote  Bro's is specified in
  the script variable "ssl_ca_certificate" and the private key and certificate
  for the local Bro via "ssl_private_key".

  If Bro A connects to Bro B, by default it sends over its capture_filter.
  But Bro B uses it only if it has loaded remote-pcap.bro.  This is the
  beginning of structuring inter-Bro trust mechanisms.  It is done via two
  new events, remote_capture_filter(ip: addr, p: port, filter: string) and
  send_capture_filter(ip: addr, p: port, s: string) : bool.

  The implementation forks a second process which does the socket
  communication, so that the main process should not be affected too much.
  The two processes communicate via a pipe.

  You can call is_remote_event() to determine whether the event currently
  being handled was originated by a remote Bro (if T) or the local Bro
  (if F).

  If a connection with a remote Bro terminates (for whatever reason), Bro
  may try to reconnect automatically.

  A new function, get_event_source(), returns a record event_source
  describing the source that raised the last event.

  See doc/ssl.txt for an explanation of how to create the keys/certificates.

- A fledgling Gnutella analyzer has been contributed (Mark Allman).
  It generates the following events:

	event gnutella_text_msg(c: connection, orig: bool, headers: string)
	event gnutella_binary_msg(c: connection, orig: bool, msg_type: count,
					ttl: count, hops: count, msg_len: count,
					payload: string, payload_len: count,
					trunc: bool, complete: bool)
	event gnutella_partial_binary_msg(c: connection, orig: bool,
						msg: string, len: count)
	event gnutella_establish(c: connection)
	event gnutella_not_establish(c: connection)
	event gnutella_http_notify(c: connection)

- Bro now supports a secondary channel for acquiring packets (Chema Gonzalez).
  You access it by redef'ing the new global "secondary_filters", adding
  table[string] of event(filter: string, pkt: pkt_hdr).  The string
  specifies a tcpdump filter; anytime a packet matches the filter
  (including packets that would *not* otherwise be matched by
  capture_filter), then the given event handler is invoked.

  For example,

	  redef secondary_filters += {
		  ["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
	  }

  will invoke rst_syn_fin_flag() anytime a TCP packet is seen for
  which the SYN/FIN/RST bits are non-zero.  The event handler will
  be passed the string "tcp[13] & 7 != 0" (so it can tell which
  of possibly multiple filters matched) and a pkt_hdr value, which
  includes the IP header and, if present, the TCP, UDP or ICMP header.

  Another example, and what motivated the addition, is:

	  redef secondary_filters += {
		["ip[10:2] & 0xffc == 0x398"] = sampled_1_in_1024_packet,
	  }

  which will invoke sampled_1_in_1024_packet() any time the given
  10 bits in the IP checksum match the pattern 0x398.  If the checksum
  field is uniformly distributed then this roughly corresponds to
  1-in-1024 random sampling.  (Chema has also developed BPF additions
  to support true random sampling.)

  See policy/secondary-filter.bro for examples.

- Bro now does a much better job of keeping track of how much memory
  has been allocated for different structures (Robin Sommer).

  This includes more accurate computations for global_size().

  In addition, if you redef "statistics_interval" to be a non-zero time
  interval, then with that periodicity a summary of memory usage (including
  memory used by event engine components) is dumped to the file
  "statistics_file".  In addition, at this point a "do_statistics" event
  is generated.  You can also call the new built-in statistics_update()
  to generate memory statistics on demand.

  The above structure is likely to change in the future.  statistics_interval
  will probably go away, to be replaced by either explicit calls to
  statistics_update() (which you can do on a timer if you like by using
  "schedule"), or by a built-in function that returns a record of all
  the statistics, that you can then format however you want.

- A major memory leak in HTTP analysis has been fixed (Ruoming Pang).

- New attributes &rotate = <interval expression> and
  &postprocessor = <string expression> can be associated with a file
  variable in order to specify how often the file should be rotated to a
  new filename on disk, and, when rotation occurs, the name of a shell
  program to run on the now-older version as a postprocessor (Robin Sommer).

- Similarly, log_postprocessor and log_rotate_interval specify the default
  values for files.  Unless redef'd, these themselves default to the empty
  string (= no postprocessing) and 0.0 seconds (no rotation).  (Robin Sommer)

- A new attribute, &encrypt, applies to variables of "file" type.  It specifies
  that the version on disk should be encrypted, using either the key specified
  as the value of the attribute, or, if no value is specified, using the
  value of the new script variable log_encryption_key.  The key is an OpenSSL
  public key; it's used to then embed a Blowfish session key.  (Robin Sommer)

  A new utility, aux/bdcat/bdcat ("Bro decrypt cat") can be used to decrypt
  the files.

- The internal structure of TCP analysis has been significantly altered.
  Previously, TCP_Endpoint tracked endpoint state and TCP_EndpointContents
  (derived from it) did stream reassembly.  These have now been separated;
  TCP_Endpoint still tracks endpoint state, but TCP_EndointContents has
  become TCP_Contents, and is only loosely coupled with TCP_Endpoint.
  The reason for this change is to lay the groundwork for (1) applying
  an application analyzer to a connection after several packets for
  the connection have already been read, and (2) applying *multiple*
  application analyzers to a single connection.

- Bro now supports the universal hashing if USE_UHASH is defined
  (Ruoming Pang).  Universal hashing is a lighter-weight alternative
  to MD5 hashing that retains the property of being very difficult
  for an attacker to guess.  It comes in two flavors, a 32-bit
  version (which you get with USE_UHASH) and a faster 16-bit version
  (which you get if you also define USE_NH).  Bro will likely switch
  to using these by default in the near future, as their performance
  gain over MD5 is significant.

- New built-in functions srand() and rand() provide access to the
  usual C-style random number seeding & generation (Chema Gonzalez).

- You can now specify server/client addresses to leave in the clear in
  IP address anonymization (via the built-in variables preserve_orig_addr
  and preserve_resp_addr). Correspondingly, the built-in function for
  IP anonymization now takes a parameter to specify the type of the address
  (orig, resp, or other), instead of the method of anonymization
  (seq, random, prefix-preserving).  (Ruoming Pang)

- Trace anonymization now has prelminary support for handling TCP options
  via the new event "tcp_option" (Ruoming Pang).  It is only invoked
  if skip_event_tcp_option is F (it defaults to T).

- A new event, tcp_segment, is similar to the event "packet_content"
  but provides more information: is_orig (directionality), sequence
  number, and acknowledgement number (Ruoming Pang).

- ./configure finds OpenSSL if it's in some standard location.  Otherwise,
  you may specify it --with-openssl=<path>.  If OpenSSL is not available,
  Bro compiles cleanly without and gives warnings if a script tries use SSL.
  (Robin Sommer)

- The internal links in manual/entire.html have been fixed so they
  now work (Chema Gonzalez).

- A new policy script, blaster.bro, detects instances of the W32.Blaster
  worm (Robin Sommer).

- Signature files (for input to the signature engine) now reside in
  policy/sigs/*.sig.  This directory is now on the default $BROPATH.

- sig.ex.ssl-worm.bro and sig.ex.web-rules.bro have been updated
  to reflect changes in keywords (Robin Sommer).  They've been
  renamed to ex.ssl-worm.sig and ex.web-rules.sig and reside
  in policy/sigs/, per the above.

- The module facility has been changed to have its scope limited to
  the current file plus any additional files that are automatically
  processed based on its name plus $BRO_PREFIXES.

- As an experiment, ftp.bro has been modified to a style that includes
  using "module FTP".  Likely other policy scripts will be converted
  in the near future, and their variable names changed accordingly
  (e.g., "ftp_hot_files" will become "FTP::hot_files").

- The new "match" expression has been modified to allow any yield type
  rather than just strings.  It is likely to change significantly again
  soon.

- Iterating over multi-dimensional tables/sets now works (Robin Sommer).
  For example:

    const remote_peers_ssl : table[addr, port] of Peer &redef;
    [...]
    for ( [ip, p] in remote_peers_ssl )
        connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry);

- Checkpointing of persistent state on SIGHUP now happens via bro.init
  (Robin Sommer).  Not tested.

- fmt() now supports %x for hexadecimal formatting (Chema Gonzalez).

- alert.bro logs the source for remote alerts; by redefining the new
  "event_source_description: string" locally, you can specify how a
  Bro is to refered to on the remote side.  (Robin Sommer)

- software.bro now tracks HTTP clients, too (Robin Sommer).  This
  will be extended in the near future.

- Some FreeBSD 5.X porting tweaks (Sergey Osokin).


0.8a37 Wed Sep  3 23:20:21 PDT 2003

- A new attribute, "&persistent", indicates that a global variable's
  state should persist on disk (Robin Sommer).  Currently, they
  reside in the file "state.bst".

  For example, given the following script:

	global a = 0 &persistent;

	event bro_init()
		{
		print ++a;
		}

  then every time you run it, a increases by one.

  You can dump the state file using "bro -x state.bst <scriptname>".
  (There's also a partially-implemented XML dumper which you invoke via
  "bro -X state.bst <scriptname>".)

  If you send Bro a HUP signal, then it will synchronize all persistent
  state to disk (checkpoint) at that point.  More generally, the policy
  script can do so at any time by calling the new built-in checkpoint_state().

  By including the new policy script "checkpoint", you can have Bro
  automatically checkpoint every time checkpoint_interval elapses
  (default 15 minutes).

- You can also record events to disk by loading the "capture-events"
  policy script, or calling the new capture_events() built-in (Robin Sommer).
  The events are written to the file events.bst.  You can dump these
  using bro -x (or -X), as above.  You can also replay them using
  "bro -R <file>".  By replaying them using the same policy script as
  generated them, you should get the same output.  For example:

	bro -r tracefile myscript capture-events

	...

	bro -R events.log myscript

- An experimental module facility has been added (Umesh Shankar).

  The module facility implements namespaces. Everything is in some namespace
  or other. The default namespace is called "GLOBAL" and is searched by
  default when doing name resolution. The scoping operator is "::" as in
  C++. You can only access things in the current namespace, things in the
  GLOBAL namespace, or things that have been explicitly exported from a
  different namespace. Exported variables and functions still require
  fully-qualified names. The syntax is as follows:

  module foo;  # Sets the current namespace to "foo"
  export {
	int i;
	int j;
  }
  int k;

  module bar;
  int i;

  foo::i = 1;
  bar::i = 2;
  print i;    # bar::i (since we're currently in module bar)
  j = 3;      # ERROR: j is exported, but the fully qualified name
              #        foo::j is required
  foo::k = 4; # ERROR: k is not exported

  The same goes for calling functions.

  One restriction currently in place is that variables not in the "GLOBAL"
  namespace can't shadow those in GLOBAL, so you can't have

    module GLOBAL;
    global i: int;

    module other_module;
    global i: int;

  It is a little confusing that the "global" declaration really only means
  that the variable i is global to the current module, not that it is truly
  global and thus visible everywhere (that would require that it be in
  GLOBAL, or if using the full name is ok, that it be exported).  Perhaps
  there will be a change to the syntax in the future to address this.

  The "module" statement cuts across @load commands, so that if you say:

	module foo;
	@load other_script;

  then other_script will be in module foo. Likewise if other_script changes
  to module bar, then the current module will be module bar even after
  other_script is done.  However, this functionality may change in the future
  if it proves problematic.

  The policy scripts in the Bro distribution have not yet been updated to
  use it, but there is a backward-compatibility feature so that existing
  scripts should work without modification. In particular, everything is
  put in GLOBAL by default.

- The hooks are now in place for communicating events between running
  Bro's.  An experimental implementation of doing so (written by Robin
  Sommer) will be integrated shortly.

- A side-effect of getting those hooks in place is that event handlers must
  now be directly specified (by naming them) rather than indirectly
  (for example, by indexing a table whose value yields an event handler).
  This may be fixed soon.

- An experimental "match" expression scans a list of predicates to find
  the first one that's both true and has the highest priority (Umesh Shankar).

  The general form is:

	match some_record on {
		[ priority, class_name, predicate ],
		...
	}

  where "predicate" is evaluated in the context of the value (and type) of
  some_record.  For example, if some_record has a field "num_alerts"
  then predicate could be "$num_alerts > 5".

  "priority" is a non-negative integer (i.e., of type "count"), and,
  for now, "class_name" is a string.

  For example,

	global c: conn_id;

	c = [ $orig_h = 0.0.0.0, $orig_p = 0/tcp,
	      $resp_h = 1.1.1.1, $resp_p = 1/tcp ];

	print match c on {
		[ 2, "emptyweb", $orig_h == 0.0.0.0 && $resp_p == 80/tcp ],
		[ 1, "emptyhost", $orig_h == 0.0.0.0 ],
		[ 0, "should not match", 1 == 0 ]
	};

  will print "emptyhost".

  The initial intent behind this is to eventually provide more flexible
  customization of alert processing, though it clearly has broader
  applicable.  *It is very likely that the semantics and perhaps the syntax
  of "match" will change in the near future.*

- Bro's packet filter is now computed via pcap.bro (which is automatically
  included via bro.init).  It uses two new built-ins:

	precompile_pcap_filter(id: PcapFilterID, s: string):  bool
	install_pcap_filter(id: PcapFilterID): bool

  The first is for precompiling a pcap filter so it can be installed
  or turned off dynamically. Associating an ID with the filter, you can
  then activate the filter by calling the second function (installing a
  new filter replaces the current one).  (Robin Sommer)

  Be default, pcap.bro is responsible for building a pcap string based on
  the capture/restrict_filters defined by the various analyzers. It compiles
  and installs this filter, so there is no observable difference in usage
  to the old implementation, except capture/restrict_filter are now *tables*
  rather than strings, and are written as plural rather than singular.
  So the analyzers need to define something like this:

	[finger.bro]
	redef capture_filters += { ["finger"] = "port finger" };

  This then allows "finger" to be used as the name for the corresponding
  filter element (see the next item).

- load-level.bro is an experimental policy script for allowing Bro to
  shed or add on load (in terms of which protocols it analyzes).  It
  provides three interface functions for setting the current loadlevel:

	# level is LoadLevel1, ..., LoadLevel10
	function set_load_level(level: PcapFilterID): bool

	function increase_load_level()
	function decrease_load_level()

  load-levels.bro defines ten different load levels (from 1 to 10, with 10
  being the one with the most load imposed on the system), which are
  configured by defining capture_load_level/restrict_load_levels: Example:

	redef capture_load_levels += {
		["dns"]          = LoadLevel1,
		["smtp"]         = LoadLevel2,
		["http-reply"]   = LoadLevel3,
		["http-request"] = LoadLevel8,
	};

  This means for example: "include the capture_filter associated with
  'http-reply' if the current load level is 3 or below".  There's a similar
  mechanism for restrict_filters:

	redef restrict_filters += {
		["cs-only"] = "net 131.159.0.0/16",
	};

	redef restrict_load_levels += {
		["cs-only"] = LoadLevel7,
	};

  This applies the given restrict_filter if the current load level is 7
  or *above*.

  The pcap filters belonging to the ten load levels are built and pre-compiled
  on startup. The three functions shown above just call install_pcap_filter()
  then.  (Robin Sommer)

- drop-adapt.bro tries to adjust the load level based on the current
  packet drop rate (Robin Sommer).

- synflood.bro is an experimental policy script for detecting SYN floods.
  It is not yet documented, other than brief comments in the script.
  (Robin Sommer)

- Subnet lookups now use Patricia trees instead of brute-force, which should
  make them significantly more efficient for large lists, e.g., local nets.
  (Robin Sommer)

- Due to the addition of modules, which use a C++-style "::" scope
  designator, you now need to use "0x" to introduce IPv6 address constants
  that use "::" to specify a series of empty octets.  For example, you
  used to be able to specify "deadbeef::cafe", but now this needs to be
  "0xdeadbeef::cafe".  Note that "1::2" can still be written without needing
  a "0x" prefix; it's just hex constants that start with letters that need
  the prefix.

- A new built-in, escape_string(), takes a string and returns a copy of
  it that uses escape sequences for any problematic characters (Robin Sommer).

- A number of low-level bug fixes and portability tweaks (Robin Sommer,
  Ruoming Pang, Christian Kreibich, Chema Gonzalez).

- A new timer, status_update_timer, fires for each ongoing connection
  every connection_status_update_interval seconds (default = 0 seconds,
  which means "don't fire).  (Robin Sommer)

- An additional Bro-level packet filter can filter/sample packets
  based on their src/dest ip/subnet (using a Patricia tree for
  efficiency; Robin Sommer). install_src_addr_filter(ip, flags, p) drops
  packets originating from ip with probability p (0..100) if none of the
  given TCP flags is set. install_src_net_filter, install_dst_addr_filter
  and install_dst_net_filter" work similarly.  The corresponding "uninstall_*"
  functions remove the filters again.

- The @if/@else/@endif mechanisms have been made more powerful (Robin Sommer).

- New configure option --enable-debug to compile without optimization
  (Robin Sommer).

- Small tweaks to the mpatrol support (Robin Sommer).

- SMTP is now one of the services which can use a small inactivity timeout
  in inactivity.bro (Robin Sommer).

- Alerts for signatures which are triggered by worms may be suppressed if
  we already know that the triggering host is indeed infected by a worm
  (Robin Sommer).

- Matches of a signature can now be counted per destination host
  (Robin Sommer).

- snort2bro now ignores sid-526 ("BAD TRAFFIC data in TCP SYN packet";
  Robin Sommer). Due to different semantics of Bro (matching stream-wise)
  and Snort (matching packet-wise) this signature generates a lot of
  false positives.


0.8a34 Sun Jul 13 09:11:32 PDT 2003

- The new "subnet" type corresponds to a CIDR prefix (Robin Sommer).
  You can use the '/' operator to convert an address to a subnet.  The
  "in" operator tests whether an address matches a subnet (e.g., "1.2.3.4
  in 1.2.255.255/16" yields T).

  You can index tables with index type "subnet" using addresses to retrieve
  the table entry with the longest-matching prefix for that address, and
  a number of tables/sets in the default scripts have been converted to
  this form.  So for example the local_16_nets and local_24_nets variables
  have been replaced by local_nets, which has type "set[subnet]",
  is_local_addr() now refers to it, and skip_scan_nets_{16,24} have
  likewise been consolidated into skip_scan_nets.

  One present deficiency is that subnets can't be used in tables/sets
  with multiple indices.  Fixing this is going to take some time ...
  Another deficiency is that the longest-match lookup is not very
  efficient.

  Caution: this feature has been only briefly tested with IPv6.

- ALERT now generates an event "alert_action" which includes the alert_info
  and AlertAction associated with an alert.  You can define your own handler
  to further customize alert processing.

- The "snort2bro" conversion utility has been extended to recognize some
  of the new Snort options (depth, distance, within; Robin Sommer).  For
  example:

      alert .... ( ... content:"|00 01 86 B8|";
		       content:"|00 00 00 02|"; distance:4; within:4;
		       content:"%x %x"; distance:16; within:256;
		       ... )

  is converted to:

      signature sid-1891 {
	  ...
	  payload /.*\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{16}.{0,251}%x %x/
	  }

  Note that not all of the new Snort options are supported yet.

- You can refer to script variables within signatures (Robin Sommer).
  For example, the following is now possible:

	signature sid-547 {
	  ip-proto == tcp
	  src-ip != local_nets
	  dst-ip == local_nets
	  dst-port == 21
	  event "FTP \"MKD  \" possible warez site"
	  tcp-state established
	  payload /[mM][kK][dD]  /
	  }

  This makes the signatures independent of the environment ("local_nets"
  in the above examle).  snort2bro now converts some well-known Snort
  variables into corresponding Bro variables, a number of which are listed
  in policy/site.bro.

- The default action for signature matches is now logging insted of only
  writing it to a file (Robin Sommer).

- You can now use the '^' and '$' regular expression operators inside
  subpatterns.  For example, /foo$/ | /^bar/ works now.

- You can now use "msec" for milliseconds (in addition to "usec" for
  microseconds, "sec" for seconds, etc).

- The log_file_name and open_log_file functions are now redef'able
  if you want to change their behavior.

- Bro now exits more cleanly upon exhaustion of memory (Robin Sommer).

- A bug was fixed for the case of getrlimit() returning RLIM_INFINITY for
  the maximum number of open files.

- Numerous additions of std:: scoping to address porting issues (Robin Sommer).

- gcc 3.X and Solaris portability fixes.

- A new event RemoteWorm is the complement of LocalWorm (Robin Sommer).

- A bug in which the FTP analyzer would complain about failing to be able
  to look up a connection has been fixed (Robin Sommer).

- You can now configure Bro using "--with-mpatrol" to activate MPatrol
  debugging hooks.  When built in this mode, -m dumps the leak table
  and -M shows unfreed parts of the heap.  These dumps can also be
  triggered using SIGUSR1 / SIGUSR2, respectively.  (Robin Sommmer)

- A script function get_contents_type() which returns the type of reassembling
  being done for a connection (none/orig-side/resp-side/both; Robin Sommer).

- A minor bug fix for the regular expression matcher (Robin Sommer).


0.8a32 Thu Jun 12 23:33:21 PDT 2003

- The low-level hash functions have been reimplemented to use HMAC-MD5 to
  counter the "algorithmic complexity attacks" discussed in the USENIX
  Security 2003 paper by Scott Crosby & Dan Wallach
  (http://www.cs.rice.edu/~scrosby/hash/) (Ruoming Pang and Vern Paxson)

- Ruoming Pang has made extensive changes to the anonymization/transformation
  framework.  A paper describing it will appear in SIGCOMM 2003, and will
  be included with the Bro distribution once the final copy is ready.

- Internal hash tables now resize incrementally, and more quickly.
  This makes a big difference in avoiding lengthy processing pauses when
  processing large volumes of traffic. (Craig Leres)

- gcc 3.1 and Linux portability tweaks.

- The calling sequence of http_request() has changed.  It now includes both
  the original URI and the escaped URI.  This was made explicit because
  we found that if only the original was passed in, it was too easy to forget
  to expand the escapes in it; and if only the escaped was passed in,
  some attacks could be missed. (Ruoming Pang)

- Signature rules can now refer to "finger" payload as well as HTTP and FTP
  (Robin Sommer).

- The signature engine now includes keywords "dst-ip", "dst-port",
  "ip-proto", "src-ip", "src-port".  (Robin Sommer)

- Packet sorting now defaults to off.

- The FTP analysis now attempts to track the current directory (Ruoming Pang).

- A number of scan detection additions have been added (Scott Campbell):

	activate_landmine_check = F
		if T, then access to more than landmine_thresh_trigger
		addresses in landmine_address (a set of addresses)
		constitutes a scan

	activate_priv_port_check = T
		if T, then inbound access to more than priv_scan_trigger
		privileged ports (i.e., ports < 1024) is considered a port
		scan.  You can exclude particular services from the count
		via troll_skip_service, which defaults to { smtp, ftp,
		ssh, 20/tcp, http }.

- The SMTP analysis now includes a new alert, HotEmailRecipient, which
  is triggered by mail sent to any of the addresses specified in
  the pattern hot_recipients (which defaults to a bare /@/).

- The new built-in cat_string_array_n() is like cat_string_array() except
  it takes starting and ending indices as additional arguments (Ruoming Pang).

- The new built-in sort_string_array() takes a string array and returns
  a sorted version (Ruoming Pang).  It currently uses an N^2 algorithm
  so shouldn't be used on large arrays.

- The new built-in subst() substitutes all instances of a given pattern
  in a given string with another string (Ruoming Pang).  For example,
  subst("fooboo", /oo/, "xxx") returns "fxxxbxxx".

- The new built-in cut_tail() trims characters from the end of a string
  (Ruoming Pang).  For example, cut_tail("fooboo", 2) returns "foob".

- sub_bytes() can now take a negative argument, which is with respect to
  the end of the string rather than the beginning (Ruoming Pang).

- The new built-in md5_hmac() returns an HMAC-MD5 hash of the given string
  (Ruoming Pang).  The HMAC secret key is generated from available entropy
  when Bro starts up, or it can be specified for repeatability using
  the new -K flag.

- The new built-in split_all() is like split() except that the returned
  array also includes the parts of the string that match the pattern
  used for the splitting (Ruoming Pang).

- The new built-in split_n() splits up to a given number of instances,
  optionally returning the parts matching the split pattern (Ruoming Pang).

- The new built-in split_complete() is the most general of the split functions
  (the others are written in terms of it).  It splits a given string
  with separators that appear in either a given pattern or a given set
  of strings, optionally including the text matching the separators in
  its return value, and optionally limiting the number of matches to
  a specified maximum.  (Ruoming Pang)

- The new built-in to_string_literal() returns an escaped version of a string
  suitable to feeding into Bro's parser.  For example, calling it on
  "foo\nbar" (where '\n' is an embedded newline) returns "foo\x0abar".
  (Ruoming Pang)

- subst_substring() has been renamed subst_string (Ruoming Pang).

- unescape_URI() no longer takes the connection as an argument (Ruoming Pang).

- config.guess and config.sub updated

- String escape expansion has been refined (Ruoming Pang) and some bugs
  fixed.  It now supports a format that's consistent with Bro string literals.

- Scanning of octal and hex escape sequences now stops after 3 or 2
  characters, respectively.  For example, "\0007" now expands to a
  NUL followed by the character '7'.  (Ruoming Pang)

- Bug fixes for handling of bare <CR> and <LF>'s when <CRLF> expected
  (Ruoming Pang), and associated "weird" events.

- A bug in signature matching reassembly has been fixed (Robin Sommer).

- A bug in reporting "bad connection size" for connection sizes > 2GB
  has been fixed.

- A bug in computing sizes for large partial connections has been fixed.

- A bug in delayed generation of connection closed events has been fixed.

- A framework has been added for compression of some "weird" events
  to only be generated once-per-connection (Ruoming Pang).

- Some of the "weird"'s generated by the HTTP analyzer have been regularized.

- Some memory management fixes.

- A performance problem in allocating List objects was fixed.

- The copyright dates have been updated (Craig Leres).


0.8a22 Wed Jan 15 16:47:18 PST 2003

- There is now a "conditional compilation" feature similar to C's preprocessor
  (contributed by Robin Sommer).  "@if (expr)" will include the remaining
  input lines up to "@endif" only if the given expression evaluates to true.
  "@ifdef (id)" will do so only if the given identifier has been defined,
  and "@ifndef (id)" only if it has not been defined.  There's currently
  no "@else" directive, and conditionals cannot be nested.  Both of these
  will be added in the future.

- New built-in functions (contributed by Ruoming Pang): parse_dotted_addr
  takes a string in A1.A2.A3.A4 form an returns a corresponding "addr" value.
  unescape_URI takes a URI that possibly has embedded escape sequences
  ("%61" for 'a') and expands the sequences.

- The URIs in HTTP requests are no longer automaticaly escaped.  Instead,
  they need to be manually escaped using unescape_URI.  As this is likely
  error-prone (users forgetting to do so), the plan is to change the
  calling sequence of http_request in the near future so that *both* the
  escaped and the unescaped URI are passed in.

- A number of g++ 3.0 porting tweaks have been added (thanks to Sean Irvine).

- The term "rule" has been systematically changed to "signature" (Robin Sommer).

- The functionality of monitoring packet drops has been moved into its
  own policy script, netstats.bro (Robin Sommer).

- A number of rewriter and location bugs have been fixed.

- Some missing HTTP "weird"'s have now been included in weird.bro.


0.8a21 Thu Nov 28 23:31:38 PST 2002

- A new mechanism will reorder packets within a window of packet_sort_window
  if due to their sequence numbers they appear to be out of order.  This
  can help a great deal when reading from multiple NICs.  (Contributed by
  Ruoming Pang.)

- A bug in regular-expression matching in which for example
  "2a1" == /[0-9]+/ would evaluate as true was fixed (Ruoming Pang).

- There's now a rewriter/anonymizer for FTP (Ruoming Pang).

- The rewriter/transformation framework now supports a notion of
  delaying transformation decisions until later (Ruoming Pang).

- An incompatibility with bison 1.75 has been identified.  The problem
  is that bison 1.75 generates incomplete location information for empty
  grammar productions (those for which the RHS is empty).  This will
  be fixed soon.

- Some bugs in the signature engine have been fixed (Robin Sommer).

- The sources no longer use the not-fully-portable hash_map template
  (Umesh Shankar).

- Some bugs with the debugger getting confused about source line number
  locations, and also with the -t option, have been fixed (Umesh Shankar).

- If a content gap occurs wholly inside an HTTP entity, then the analyzer
  will skip over the entity and continue processing any subseqeuent HTTP
  items, rather than giving up on processing the connection (Ruoming Pang).

- The following new built-in functions have been contributed by
  Ruoming Pang:

	function cat_string_array(a: string_array): string
	function split_all(str: string, re: pattern): string_array
	function strstr(big: string, little: string): count
	function subst_substring(s: string, from: string, to: string): string
	function int_to_count(n: int): count
	function fmt_ftp_port(a: addr, p: port): string


0.8a20 Sun Nov 17 20:09:31 PST 2002

- This is the first "public" Bro release (one accessible directly via
  the Web).  The README has been correspondingly updated.

- The user manual has been significantly expanded, and source for it is
  now included in the release.

- Some "active mapping" bug fixes (contributed by Umesh Shankar).

- The configuration script now checks for the presence of the necessary
  BIND libraries/headers, and also for bogus --enable options (contributed
  by Craig Leres).

- backdoor.bro now includes a tcpdump filter for detecting (some) KaZaA
  traffic.

- http-reply.bro now tracks the sizes of request/response entities.

- http-request.bro now treats an URL accessing variants of /etc/netconfig
  as sensitive.


0.8a18 Sun Oct 27 15:28:23 PST 2002

- Improvements to the performance of the SMTP analyzer (Ruoming Pang).
  A new function, skip_smtp_data, skips over the content of an SMTP
  message.

- If you're doing trace rewriting and specify -w but don't specify -A,
  then the rewritten traffic goes to the -w save file, along with the
  usual non-transformed traffic (Ruoming Pang).  If a connection is
  being transformed (which is specified by the new rewriting_smtp_trace
  and rewriting_http_trace globals), then only its transformed packets
  are written to the -w file; not the original packets.  This allows
  a potentially large degree of trace compression.  There's also a
  new variable omit_rewrite_place_holder, which directs that when rewriting
  a trace, packets that are placeholders for now-missing packets (because
  you've excised content) are *not* generated.  This diminishes the
  timing fidelity of the transformed trace, but also can save a large
  amount of space.

- SMTP relay analysis is now standalone from regular SMTP analysis
  (Ruoming Pang).

- Some memory management and error propagation fixes (Ruoming Pang and
  Vern Paxson).


0.8a16 Wed Oct 23 23:48:40 PDT 2002

- "--enable-brov6" was broken by some recent changes.  It now works again.

- Some "make distclean" tweaks.

- Error checking for "redef enum".


0.8a15 Tue Oct 22 00:02:51 PDT 2002

- Fixed Makefile bug which left out wide-spread dependencies on
  event.bif.netvar_h.


0.8a14 Mon Oct 21 01:16:46 PDT 2002

- The "add" statement has been implemented.  This allows you to add
  elements to sets.  A bunch of policy scripts that used to use
  "table [] of bool"'s for this purpose have been modified to instead
  use sets.

- You can now extend the elements of an enum using "redef enum foo += { ... }"
  where the additional names are listed in the braces (contributed by
  Umesh Shankar).  A number of policy scripts have been tweaked to use
  this for the (fairly) new Alert enum.  This allows you to create new
  Alert's without alert.bro having to know about them.

- Some bugs in identifying error locations have been fixed.

- -A now supports anonymizing IP addresses (contributed by Ruoming Pang).
  This includes four new functions: preserve_prefix, preserve_subnet, and
  preserve_net (which direct that the corresponding prefix/net/subnet
  not be anonymized) and anonymize_addr (which returns the anonymized
  version of the given address.

- Some bugs in HTTP -A have been fixed (thanks to Ruoming Pang).

- The beginnings of support for CIDR prefixes has been added by
  Ruoming Pang.

- Porting tweaks (use of map's rather than hash_map's, courtesy of
  Umesh Shankar; libedit comments fixed).

- http-detail.bro has gone away.

- Some more copyright and $Header -> $Id fixes.

- There is now a function string_cat() which concatenates two strings
  and returns the result (contributed by Ruoming Pang).  This function
  is useful in place of the regular cat() because the latter will
  expand escape sequences etc.  It probably shouldn't, and that may
  change in the future.


0.8a11 Sun Oct 13 10:53:07 PDT 2002

- The framework for defining built-in functions has been extended
  so it's also now the way to specify the interface to event handlers.
  See event.bif.  (Contributed by Ruoming Pang)

- A new policy script, http-abstract.bro, can be loaded when doing HTTP
  transformation (via http-rewriter.bro), contributed by Ruoming Pang.
  It trims HTTP text responses to the first "http_abstract_max_length" bytes.

- A new built-in, skip_http_entity_data, specifies that the entity
  associated with the current HTTP request/response should be skipped
  (Ruoming Pang).

- More changes have been made to the mechanisms for tracking source
  file locations in order to pinpoint error messages.  If you encounter
  problems, please let me know.

- If you try to configure but your resolve library lacks res_mkquery(),
  this is now a fatal error (Craig Leres).  Ideally, someone will modify
  DNS_Mgr.cc to work even if only blocking DNS is available ...

- In most (not all, yet) of the sources, the copyright notices have
  been updated, $Header has been changed to $Id, and config.h is included
  (Craig Leres).


0.8a10 Tue Oct  8 16:05:42 PDT 2002

- The way that Bro tracks the source-file location associated with
  different objects has been tweaked, with a resulting savings of
  about 10% in Bro's memory use and a smidgen of CPU time, too.

- Built-in functions now are better about identifying source-file locations
  associated with errors.

- The http.$BRO_ID log file format has changed to no longer track
  individual request streams.  (So it is now closer to how it used
  to operate in 0.7.)

- The autoconf setup has been tweaked so that you use:

	--enable-brov6              enable IPV6 processing
	--enable-activemapping      enable active mapping processing
	--enable-expire-dfa-states  enable DFA state expiration

  rather than --with-XXX as was the case in 0.8a9.


0.8a9 Mon Oct  7 10:15:12 PDT 2002

- A bunch of configuration/autoconf/portability tweaks (Craig Leres).
  These include compiling under Solaris.

  When running ../configure, you can now specify:

	--with-brov6              enable IPV6 processing
	--with-activemapping      enable active mapping processing
	--with-expire-dfa-states  enable DFA state expiration

  You no longer set these via editing the Makefile.

- Some bugs with HTTP 1.0 keep-alive connections fixed (Ruoming Pang).

- The "hf" suite of utilities is no longer distributed in aux/.  Instead,
  get it directly from ftp://ftp.ee.lbl.gov/hf.tar.gz.

- bro_logchk has been renamed bro-logchk.pl and is now distributed in aux/
  (it was supposed to be before, but was inadvertantly left out of the list
  of distribution files).


0.8a7 Fri Oct  4 22:24:30 PDT 2002

- HTTP reply analysis has been split into a number of policy script files:

	http-body.bro
	http-detail.bro
	http-entity.bro
	http-event.bro
	http-header.bro
	http-reply.bro
	http-rewriter.bro

  so you can readily trade off how detailed the HTTP processing is vs.
  the CPU/memory it consumes (contributed by Ruoming Pang).

- Bro now generates login_prompt events when the $TTYPROMPT environment
  variable is passed during a login session, in order to detect the
  recently publicized Solaris remote /bin/login exploit.

- Ruoming Pang has extended the framework for defining "rewriter" functions
  to now also serve as the way to define general built-in functions.

- bro.init has been rearranged to have a more logical structure (courtesy
  of Ruoming Pang).

- Craig Leres contributed a number of portability & autoconf tweaks.

- Craig Leres has extended nb_dns.{h,c} to support IPv6 DNS lookups.
  Bro does not yet take advantage of these extensions.

- The beginnings of portability to gcc 3.2 were added.  There unfortunately
  is more work to do here!

- The README has finally been updated to have more correspondence with
  the 0.8 release.


0.8a6 Wed Oct  2 18:58:12 PDT 2002

- Upgrade to autoconf 2.53 (Craig Leres).


0.8a5 Tue Oct  1 19:04:53 PDT 2002

- The regular expression matcher how has a mechanism to stop scanning when
  no further match is possible (Robin Sommer).  If you find problems with
  regular expression matching, especially if you're using EXPIRE_DFA_STATES,
  please let us know!

- Rule/signature files are now searched for using $BROPATH (Robin Sommer).
  In addition, you can define a list of signature files to incorporate
  using the new global "signature_files".  For example,

	redef signature_files += "web-stuff"

  will look for web-stuff and web-stuff.sig along $BROPATH.

- The tcp_deliver_undelivered variable is now tcp_match_undelivered and
  only applies to delivering otherwise-undelivered data to the signature
  matcher; such data is *not* delivered to any associated analyzer.
  (Robin Sommer)

- The framework for tracking version numbers now allows negative as
  well as positive versions (Robin Sommer).


0.8a4 Tue Oct  1 15:54:58 PDT 2002

- Support for extracting the contents of HTTP replies (and POST's),
  and for transforming/anonymizing HTTP traffic, contributed by Ruoming Pang.

- Some minor internal tweaks to the timer management to help track patterns
  of timer expiration.


0.8a3 Mon Sep 23 22:48:07 PDT 2002

- HTTP reply handling refined in policy scripts.

- New built-in functions to_int(), to_count() convert strings to
  integers/counts.

- Bug fixes for DNS_Mgr and IPv6.

- AckAboveHole alerts now ignored (just written to alert.$BRO_ID) by default.

- Packets belong to ignored connections (for example, partial connections if
  partial_connection_ok is false) are no longer recorded to the save file.

- Some minor formatting/naming tweaks.


0.8a1 Sat Sep 21 22:09:23 PDT 2002

- IPv6 support enabled if you build using -DBROv6.  Deficiencies: Bro
  doesn't yet look up hostnames for AAAA records; no handling of extension
  headers (if you have traces of these, please send them to me!); no
  handling of FTP PORT/PASV w/ IPv6 addresses (again, if you have traces,
  please send them!); DNS analyzer doesn't understand AAAA yet (again,
  please send me traces!); you have to change the capture_filter line
  in tcp.bro (as indicated in the script) in order to process TCP traffic,
  due to deficiencies in libpcap's support for IPv6.

- Bro is migrating towards a more structured way of handling log messages /
  alerts.  Analyzers now @load alert.bro, which has a function ALERT()
  for processing alerts.  Soon this function will provide a variety of
  filtering/processing hooks; expect changes.

- Bro now has an HTTP response analyzer (contributed by Ruoming Pang).
  The HTTP policy scripts have been split up into http.bro (just general
  definitions), http-request.bro (handles requests; loaded by http.bro),
  http-reply.bro (handles replies; you need to explicitly load this), and
  http-detail.bro (handles individual headers).  http-reply.bro will be
  undergoing some significant reworking in the near future; probably the
  scripts will be merged back into a single http.bro plus http-detail.bro.

- ssl-worm.bro contains a prototype policy script for detecting the
  Scalper SSL worm (contributed by Robin Sommer).  It uses the signature
  file sig.ex.ssl-worm.bro.  If someone has traces of Scalper in action
  to send us, that would be great.

- A new policy script, contents.bro, extracts the contents of each
  Bro connection into its own pair of files (one file for each
  direction).  Use in conjunction with -f or discarder_XXX() to
  extract specific connections.

- A new built-in function, strcmp(), returns the usual comparison between
  two strings (contributed by Robin Sommer).

- A new event, content_gap(), is generated when Bro detects that it is
  forced to skip over data in a reconstructed TCP stream because it is
  missing from the packet input.

- BIND8 is no longer included with the distribution.  If this causes you
  problems, let me know.

- aux/scripts/bro_logchk is a Perl script for parsing Bro HTTP & FTP logs
  (contributed by Jim Barlow).

- You can now compare addresses to see which is larger.  a < b means
  that in network order, the octets making up 'a' are ordered before
  those for 'b'.  E.g., 128.2.3.4 < 128.2.3.5 < 129.0.0.1.  Note that
  IPv4 addresses are all < IPv6 addresses (other than IPv4 addresses
  that are embedded in IPv6 addresses, e.g., ::128.2.3.4 < 128.2.3.5).

- Serious bug in TCP option handling fixed.

- Some bugs in CRLF handling fixed (courtesy Ruoming Pang).

- Bug in the implementation of &optional fixed.

- Bug in computing memory statistics when not reading packets (from
  an interface or the trace file) fixed.

- You can now include a trailing comma after the last item in an
  "enum" enumeration list.

- port-name.bro now maps 389/tcp to "ldap".

- A bug has been fixed in loading files multiple times


v0.7a175 Thu Aug 29 21:14:34 PDT 2002

- bro -s <file> reads in a *signature* file to search for regular expressions
  in packet payloads or TCP byte streams (written by Robin Sommer).
  See policy/rules.bro for an example of a policy script for processing
  the matches.

  Note that this feature is experimental, and will be evolving in the
  near future.

- The python script "snort2bro" reads in Snort signatures and translates
  them into Bro signature rules, suitable for processing using -s.

  An example of its operation is seen by running

	python snort2bro < sig.ex.web-rules.snort

  which, after reading in sig.ex.classification.config and
  sig.ex.reference.config, generates the output given in
  sig.ex.web-rules.bro, which is suitable to use as input to
  bro -s.

- bro -d invokes a gdb-like debugger (written by Umesh Shankar).  You can
  set breakpoints and watchpoints, examine tracebacks, print Bro expressions,
  and the like.  Type "help" for on-line help.

- bro -t <tracefile> turns on tracing of the policy script execution,
  written to the given file.

- Bro now includes an SMTP analyzer, which includes processing MIME
  message bodies (written by Ruoming Pang).  See smtp.bro and mime.bro
  for related policy scripts.  smtp.bro includes several experimental
  techniques for detecting mail relaying.

- You can now define enumerated types, such as

	type scanner_type: enum {
		SCANNER_STEALTH, SCANNER_HIGH_SPEED, SCANNER_AMBIGUOUS,
	};

  Enumerated types can be compared for equality with one another, and used
  as table indices, but cannot be converted to/from integers.

- bro -A <file> invokes an experimental, general trace transformation/
  anonymization framework (written by Ruoming Pang) which writes a modified
  tcpdump trace file from the input (which can be the network or another
  trace file) with potentially extensive modifications to the recorded
  packets.

  Transformers are built from .rw files (currently, {finger,ftp,ident,smtp}.rw),
  which are processed by the utility "rwcl" to generate both event engine
  analyzer components and rewriter policy scripts (for example, after
  configuring and building Bro, you'll find the scripts
  policy/{finger,ftp,ident,smtp}.rw.bro).

  See policy/smtp-rewriter.bro for an example of a policy script that
  performs transformation/anonymization.

- New built-ins:

	split(s: string, p: pattern): string_array;

	  takes a string and splits it into pieces at each occurrence of
	  the regular expression pattern p.  (The functionality is like
	  that in awk.)  It returns a string_array, which is a table[count]
	  of string that is indexed starting at 1, giving the different
	  pieces.

	  For example,

		split("foobar", /o/)

	  returns a 3-element table, for which [1] is the string "f",
	  [2] is the string "" (empty), and [3] is the string "bar".

	split1(s: string, p: pattern): string_array;

	  split1() does the same thing as split(), but only performs splitting
	  at the first occurrence, so it returns either a one-element table
	  (if the pattern doesn't appear in the string) or a two-element
	  table.  split1("foobar", /o/) returns a 2-element table for which
	  [1] is "f" and [2] is "obar".

	md5_hash(s: string): string

	  returns (in human-readable form) the MD5 hash of a given string.

	  So, for example,

		md5_hash("foobar")

	  yields "3858f62230ac3c915f300c664312c63f".

	to_addr(s: string): addr

	  takes a string representing an address in "dotted quad" format
	  and returns the correponding "addr" value.

	set_buf(f: file, buffered: bool)

	  sets the given file to have its writes buffered or unbuffered
	  depending on the value of "buffered".  It does not return a value.

	connection_exists: function(c: conn_id): bool

	  returns T if the given connection identifier corresponds to a
	  currently instantiated connection (one for which the event engine
	  has state), F otherwise.

	lookup_connection(c: conn_id): connection

	  returns the "connection" record associated with the given
	  connection identifier, or a fatal run-time error if there
	  isn't one.

	set_inactivity_timeout(c: conn_id, timeout: interval): interval

	  sets the inactivity timeout for the given connection to the
	  given interval, returning the old interval.

	  If the interval is non-zero, then when no packets have been
	  processed for a connection after that much time has elapsed,
	  the connection is deleted, and an "inactivity_timeout" event
	  generated.

	get_matcher_stats(): matcher_stats

	  used for gathering statistics about the signature matcher

	rewriting_trace(): bool

	  returns T if -A was specified (anonymize/rewrite a trace),
	  F otherwise.

- New events:

	connection_state_remove(c: connection);

	  Invoked when the event engine has removed the connection from
	  its state.

	connection_SYN_packet(c: connection, pkt: SYN_packet);

	  Invoked for each SYN/SYN-ACK packet.

	connection_timeout(c: connection);

	  Invoked when the event engine times out a connection - for
	  example, because the originator sent a SYN that was never
	  answered, so the connection was never established.

	connection_reused: event(c: connection);

	  Invoked when the event engine decides that a new SYN for
	  an existing connection reflects a reuse of the connection
	  four-tuple, rather than belonging to the existing connection.

- New globals:

	const ignore_checksums = F &redef;

	  If true, then the event engine does not verify checksums (and
	  hence will not discard packets with bad checksums).

	const tcp_deliver_undelivered = F &redef;

	  If true, then when the event engine closes a connection, if
	  that connection has a chunk of data not yet delivered to its
	  analyzer (which only happens if the data is above a sequence
	  hole, indicating either a packet filter glitch or a protocol
	  botch), then the undelivered data will at that point be delivered
	  to the connection's analyzer.

	const tcp_reassembler_ports_orig: set[port] = {} &redef;
	const tcp_reassembler_ports_resp: set[port] = {} &redef;

	  Sets of ports for which, if a connection has the corresponding
	  originator/responder port, then the event engine will reassemble
	  the byte stream of the connection.

	  Normally, the event engine reassembles byte streams for any
	  connection for which there's an analyzer, and otherwise doesn't.
	  These variables can be used to force reassembly for the originator
	  or responder side (respectively) of connections for which there
	  isn't otherwise an analyzer.  This is useful when doing signature
	  matching on reassembled byte streams, for protocols that are
	  not otherwise analyzed by the event engine.

	const table_expire_interval = 1 min &redef;

	  How often to check table entries to see whether they've expired
	  (see &read_expire, etc., below).

	const requires_trace_commitment = F;

	  If true, then when rewriting/anonymizing traces, nothing will
	  actually be written to the edited trace file unless you call:

		rewrite_commit_trace(c: connection, commit: bool, future: bool)

	  If "future" is true, then future rewritten packets will be
	  automatically commited; otherwise, writing them to the trace
	  file requires another explicit rewrite_commit_trace() call.

	const inactivity_timeout = 0 secs &redef;

	  As noted above, when a connection becomes inactive, time it out
	  after this interval.  If 0 secs, then don't time it out.

- An SSH analyzer extracts SSH client/server version information.  See
  ssh.bro for the related policy script.

- There's now a (very) simple TFTP analyzer available in tftp.bro.

- You can now set the global "frag_timeout" to an interval which controls
  how long fragments are kept before discarding them (contributed by Ashley
  Thomas).  If you don't set the global, or set it to 0.0 sec, then fragments
  are kept around indefinitely.

- An implementation of an experimental anti-evasion technique, "active
  mapping", has been written by Umesh Shankar.  It is not yet ready for
  general use, and isn't compiled in unless -DACTIVE_MAPPING.

- Four new attributes can now be associated with tables (implemented
  by Robin Sommer): &read_expire, &write_expire, and &create_expire
  will delete table entries after a given interval has elapsed since
  the table entry was last read, written, or created.  For example:

	global a: table[addr] of count &default=0 &create_expire = 5 sec;

  will delete each entry added to it 5 seconds after the entry was added,
  regardless of subsequent read/write activity to the element.

  &expire_func allows you to associate a function with the table such that
  whenever an entry expires, the function is invoked.  It's passed the
  value of the table entry (not the index - perhaps this should be changed),
  and returns an "interval" value.  If the interval is <= 0.0 seconds, then
  the table entry is immediately deleted.  Otherwise, it is deleted after
  the given interval has elapsed.

- When listing multiple attributes, you no longer separate them with
  commas.  For example, if you used to have:

	global a: table[string] of count &default=0, &redef;

  you now need to use:

	global a: table[string] of count &default=0 &redef;

- You can now construct records using

	[$field1 = <expression>, $field2 = <expression>, ...]

  Such record values can be assigned to other records providing that the
  target value's type includes all of the fields (same name and type)
  present in the record value, and that any missing fields have the
  &optional or &default attribute (see next item).

  You can also include a record value inside the record constructor, and
  all of its fields will be included in the constructed record value.

- Record fields can now be annotated with &optional, to indicate
  that the field needn't be present, or &default, which indicates
  a default value to provide if the field is missing.

- You can query as to whether a record has a value for a given field
  using the new "?$" operator.  So for example:

	type my_rec: record {
		num: count &default = 0;
		msg: string;	# mandatory, since no &optional/&default
	};

	global r: my_rec;

	r = [$msg = "hello"];

	print r?$num, r?$msg, r$num;

  will print "F, T, 0," because even though 'r' has a default value
  for $num (which shows up when printing r$num), that field is missing,
  hence r?$num is F.

- An experimental scheme has been added (by Umesh Shankar) for managing
  general attributes associated either with all values ("global attributes")
  or particular particular values.  This scheme is likely to change in
  the near future, and hence isn't explained here further.

- The DNS analysis now includes ADDL and AUTH records, and much richer
  policy script analysis (per policy/dns.bro).

- You can now "redef" a function or event handler to override its
  previous definition.  For a function, this looks like:

	redef log_hook = function(msg: string): bool
		{
		...
		}

  For an event handler, it's just the usual definition preceded by "redef.
  For example,

	redef event ack_above_hole(c: connection) { }

  would replace the default ack_above_hole handler with one that does nothing.

- HTTP server and HTTP proxy backdoor detectors have been added,
  generating http_signature_found and http_proxy_signature_found,
  respectively (contributed by Ruoming Pang).

- A KaZaA backdoor detector has been added, which generates
  kazaa_signature_found for likely KaZaA connections.

- The new policy scripts flag-irc.bro and flag-warez.bro provide
  hooks for defining site policies for detecting IRC and access
  to warez.

- portmapper.bro now tracks the services it sees, and the names are
  used in connection summaries rather than generic services like port-656.

- bro -C (or redef'ing the "ignore_checksums" global to T) instructs
  Bro to ignore any checksum errors and go ahead and analyze such packets.

- The (trivial) policy script print-globals.bro dumps out all of the policy
  script global variables and the amount of memory they consume.

- The policy script code-red.bro has been renamed worm.bro and generalized
  to detect Nimda as well as Code Red 1 & 2.

- A bunch of additional default sensitive URIs have been added to http.bro.
  http.bro also now doesn't report worm-related URIs.

- A bunch of less common portnames were removed from port-names.bro.

- Empty regular expressions are now allowed.

- The finger_request event now has a third parameter, the additional
  text after the username.

- More systematic handling of NULs and CRLF by the event engine.

- Hex escape sequences now must have exactly two hexadecimal characters.

- FYI - work has begun on significantly altering the way that policy
  scripts generate alerts.

- Work has begun (by Robin Sommer) on a general framework for tracking
  client/server versions.  See software.bro.

- Work has begun on a NETBIOS analyzer (see NetbiosSSN.cc).  Contributions
  (e.g., finishing it :-) welcome.

- Work has begun on migrating the internals to process IPv6 in addition
  to IPv4.

- A number of bug fixes, leaks, and memory allocation lint tweaks.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

v0.7a90 Thu Sep 06 00:50:43 PDT 2001

- Better state management, especially for use in high-volume sites.  There
  are now a number of ways to track the resources consumed by Bro while it
  runs, and to reduce the amount of memory Bro consumes.  Adding

	@load print-resources

  will log a summary of the resources consumed by Bro when it exits, and

	@load reduce-memory

  will change a number of default values in order to significantly diminish
  the amount of memory Bro requires.

  Other ways to lower the required memory discussed in the next three items.

- The global "maintain_http_sessions" now controls whether http.bro tracks
  multiple HTTP connections between the same hosts as a single HTTP session.
  Doing so costs a considerable amount of state (so set to F for reducing
  the memory impact of HTTP analysis).

- The global "suppress_scan_checks", if true, turns off address and port
  scan detection.  (You can't achieve this by simply not @load'ing scan.bro,
  because it's loaded by some of the default policy scripts.)  Turning it
  off can save a lot of memory.

- Note, the ident.bro is also expensive in terms of state-holding.

- New library functions:

	- resource_usage() returns a record detailing real time,
	  CPU time, memory, other getrusage info, and the current
	  and maximum number of TCP/UDP/ICMP connections, and
	  timers and fragments.

	- val_size() returns the size in bytes needed to represent
	  a given value (which can be a record, a table, or a
	  simple constant, for example).  It's not fully accurate
	  but is in the right ballpark.

	- global_sizes() return a table mapping every global
	  variable to its size (per val_size()).  Useful for
	  tracking which ones are growing large over time.

- You can now control a number of timers related to Bro's connection
  management.  Setting them to lower values generally decreases the
  amount of state Bro has to keep (see reduce-memory.bro), though
  this can also make it easier for an attacker to evade detection:

	tcp_SYN_timeout: interval
		Controls how long Bro waits after seeing the
		beginning of a connection (whether due to a SYN
		or not; the timer is misnamed) before checking
		whether it elicited any reply.

	tcp_session_timer: interval
		After a connection has closed, wait this long for
		further activity before checking whether to time
		out its state.

	tcp_connection_linger: interval
		When checking a closed connection for further
		activity, Bro should consider it inactive if there
		hasn't been any for this long.  It also complains
		if the connection is reused before this much time
		has elapsed.

	tcp_attempt_delay: interval
		Bro waits this long upon seeing an initial SYN
		before timing out the connection attempt.

	tcp_close_delay: interval
		Upon seeing a normal connection close, Bro flushes
		state after this much time.

	tcp_reset_delay: interval
		Upon seeing a RST, Bro flushes state after this
		much time.

	tcp_partial_close_delay: interval
		Bro generates a connection_partial_close event this
		much time after one half of a partial connection
		closes, assuming there has been no subsequent
		activity.

	non_analyzed_lifetime: interval
		If a connection belongs to an application that you
		aren't analyzing, Bro times it out after this
		interval.  If 0 secs (default), then it doesn't
		time it out.

	dns_session_timeout: interval
	ntp_session_timeout: interval
	rpc_timeout: interval
		Bro waits this long before timing out a DNS/NTP/RPC
		request.

	max_timer_expires: count
		The maximum number of timers to expire after
		processing each new packet.  The value trades off
		spreading out the timer expiration load with
		possibly having to hold state longer.  A value of 0
		means "process all expired timers with each new
		packet".

- Two new flags control other facets of Bro's connection management,
  and thus state-holding:

	partial_connection_ok: bool
		Whether Bro should analyze connections for which
		it doesn't see the beginning, only the middle.
		This can be very expensive to do in the face of
		stealth-scanning, which looks like a bunch of
		partial connections.

		Note, the HTTP analyzer has been modified to
		now always skip partial connections.  This should
		instead be user controllable.

	tcp_SYN_ack_ok: bool
		If true, Bro instantiates connection state when
		it sees a SYN ack but not the initial SYN (even
		if partial_connection_ok is false).  The intent
		behind this knob (which is not well tested) is
		to allow you to filter out initial SYNs and only
		react to SYN acks.  This keeps Bro from holding
		state during SYN scans and SYN flooding, except
		for when the destination responds.

- Some other miscellaneous thresholds that you can now modify from your
  policy script:

	heartbeat_interval: count
		How often to generate net_stats_update() events.
		This timer really isn't needed any more, since
		you can use "schedule" to achieve the same effect.

	tcp_storm_thresh: count
		If Bro sees this many FINs/RSTs in a row, it
		flags them as a "storm".

	tcp_storm_interarrival_thresh: interval
		The FINs/RSTs must come with this much time or less
		between them.

- The state management for line-oriented applications like HTTP requests
  has been improved.

- The HTTP analyzer now expands %hex sequences.  If anyone has a Unicode
  expander to contribute, that'd be terrific.

- The Code Red detection is more robust (fewer false positives).

- A new redefinable variable, skip_services, lists applications that should
  not be analyzed for purposes of detecting scans.  (Default:  ident)
  The point of having this (poorly named) hook is so that code-red.bro
  can add "http" to it, to avoid reporting the zillions of Code Red scans
  that a site can see.

- Bro now matches regular expressions using lazy DFA evaluation.  The upshot
  of this is (1) it no longer maintains .bro-RE-cache.v1, (2) it starts
  up fast regardless of whether you've added new regular expressions, (3)
  you can afford to add lots of regular expressions, and (4) it's actually
  a bit faster.

- The list of "hot_ids" has been expanded with a number of other common
  root-privileged accounts.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

v0.7a61 Fri Apr 06 14:51:47 PDT 2001

- An NTP analyzer has been added.  See policy/ntp.bro for a corresponding
  policy file that detects the newly discovered NTP remote buffer overflow
  attack.

- example-attacks/ is a new directory that contains trace files of attacks.
  Currently, there are just two to play with:

	bro -r example-attacks/ftp-site-exec.trace mt

  will run on a trace of a "site exec" overflow attack, and

	bro -r example-attacks/ntp-attack.trace mt ntp

  will run on an example of the NTP overflow.

- The doc/ directory includes the postscript and HTML versions of the
  first draft of the Bro manual.

- A new policy file, icmp.bro, has preliminary (and only partially developed)
  policy for analyzing ICMP.

- The file libpcap.bufsize.patch includes the patch necessary on some systems
  to increase the maximum libpcap buffer size.

- You can now use anonymous functions in &default expressions, so for
  example you can do:

	global foo: table[count] of string = {
		[1] = "1st", [2] = "2nd", [3] = "3rd",
	} &default = function(n: count): string { return fmt("%dth", n); };

  and then referring to foo[5] will yield "5th".

- There's now a "for" statement to iterate over the indices of a table
  or the members of a set:

	for ( i in foo )

  for the above "foo" will iterate with i assigned to 1, 2, and 3; *but
  not in general in that order*.

- The function contains_string() has been removed, and now you can instead
  use an expression like

	"bar" in "foobar"

  which will yield T.

- The scan detection now has a mechanism for attempting to detect SYN flooding
  backscatter and flagging it as different from a stealth scan.

- New event handlers:

	new_connection_contents()
		like new_connection(), but reassembles the
		stream so you can use set_content_files() to
		write it to a file

	udp_session_done()
		invoked when a UDP session (which is defined on
		a per-protocol basis; currently only for NTP)
		finishes.

	ntp_message()
		invoked for each NTP message

- UDP processing now does accounting for detecting scans.

- UDP processing now tracks numbers of requests/replies for sessions that
  support that notion.  The connections are annotated by udp_session_done()
  with "[m,n]" for "m" requests and "n" replies, providing either m or n > 1.

- New variable accessible from policy:

	watchdog_interval
		how often the watchdog should check for whether
		Bro is making internal progress

- A bunch of functions no longer have a first argument of the current time;
  get it instead from network_time() if you need it:

	authentication_accepted
	authentication_rejected
	conn_weird
	conn_weird_addl
	flow_weird
	net_weird

- A bunch of functions now return bool rather than int values:

	set_contents_file
	set_login_state
	set_record_packets
	skip_further_processing

- The variable "hot_dests" has been renamed to "hot_dsts".

- 111/tcp is now identified as "portmap" rather than "rpc".

- Connections flagged as hot for some types of characteristics are now
  annotated with the reason associated with the decision.  (I think a lot
  more of this is needed.)

- Portmapper dumps are annotated with the results of the mapping.  This
  will be streamlined in the future.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

v0.7a48 Wed Sep 13 14:37:30 PDT 2000

- Changes between this release and v0.6 missing :-(

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

v0.6 Wed Jul 21 17:02:50 PDT 1999

- Support for regular expressions added.  You specify lex-style regular
  expressions between '/'s, for example "/\/etc\/(passwd|shadow)/" has
  the type "pattern" and matches /etc/passwd or /etc/shadow (the slashes
  in the pattern need to be escaped or else they'd delimit the end of the
  pattern).  Pattern-matching is via the "in" operator, so for example:

	if ( filename in /\/etc\/(passwd|shadow)/ )
		sensitive_file_access(filename);

  or

	const sensitive_files = /\/etc\/(passwd|shadow)/;

	...

	if ( filename in sensitive_files )
		sensitive_file_access(filename);

  Presently the "in" operator requires that the entire left-hand side
  be matched by the pattern.  So, for example, if you want to find the
  string "eggdrop" anywhere inside the string "line", you would use

	if ( line in /.*eggdrop.*/ )

  If you leave off either of the .*'s, then eggdrop will only be matched
  at the beginning or end of the line.

  In the future, there will be mechanisms for specifying whether you
  want to match anywhere in a line, or anchored; accordingly, *the above
  syntax is subject to change*.

  Bro compiles regular expressions into DFAs for fast matching.  This can take
  quite a bit of time for complicated patterns.  Consequently, it maintains a
  cache of compiled regular expressions in $HOME/.bro-RE-cache-v1.  You can
  always safely remove this file; Bro will recreate/repopulate it as needed.
  It does not clean up unused entries from it, so if you change your patterns
  frequently, you will accumulated lots of old ones and should delete the
  file to garbage collect them.

- An rlogin analysis module has been added and the telnet analysis
  generalized to generic "login" analysis, with the following events:

	login_failure(c: connection, user: string, client_user: string,
			password: string, line: string)
		Generated on a failed attempt to log in.  client_user is
		the remote user name, if the login is via the rlogin
		protocol.
	login_success(c: connection, user: string, client_user: string,
					password: string, line: string)
		Generated on a successful attempt to log in.

	login_input_line(c: connection, line: string)
		Generated per line of input typed by the user.
	login_output_line(c: connection, line: string)
		Generated per line of output generated by the server.

	login_confused(c: connection, msg: string, line: string)
		Generated when a login dialog confuses the heuristic
		analyzer.  msg is a tag for the state mismatch that
		was unexpected, line is the corresponding dialog text.

	login_confused_text(c: connection, line: string)
		Once a connection is in the confused state, then this
		is generated for each subsequent line.

	login_terminal(c: connection, terminal: string)
		Generated if the terminal type associated with the
		connection is seen.

	login_display(c: connection, display: string)
		Generated if the display associated with the connection
		is seen.

	excessive_line(c: connection)
		Generated when the connection has produced an excessively
		long line.

  login_input_line() and login_output_line() are very powerful for
  detecting intrusions, when coupled with regular-expression matching.

  login_terminal() is used to detect backdoors that are triggered
  by the terminal environment variable.

- An ident analysis module has been added (port 113).  It generates
  ident_request, ident_reply, and ident_error events.  Port 113 used
  to be referred to as "auth"; now it's referred to as "ident".

- A new type of scan detection has been added, which is triggered
  by a remote host trying a large number of username/password
  combinations.  See the account_tried() function in scan.bro.

- The default search path for .bro files is now

	  .:priv-policy:policy:pub-policy:/usr/local/lib/bro

  where priv-policy/ is intended for private policy and pub-policy/
  for public policy.  The Bro alpha distribution ships with a
  sample set of pub-policy scripts.

- New built-ins:

	system(s: string): int
		executes the given shell command using system()
		and returns its status.

	set_contents_file(c: conn_id, direction: count, f: file)
		copies connection c's reassembled byte stream in
		either the originator-to-responder direction (if
		direction is CONTENTS_ORIG) or the responder-to-
		originator direction (CONTENTS_RESP) to the file f.

	reading_live_traffic(): bool
		returns true if Bro is running on live traffic (read
		from a network interface), false if it's reading from
		a save file.

	mkdir(f: string): bool
		creates the given directory, returning true if it
		was able to, false if not.

	get_orig_seq(c: conn_id): count;
		returns the highest sequence number sent by the
		originator of connection c.
	get_resp_seq(c: conn_id): count;
		same for c's responder.

- Additional new events (other than those related to the new analyzers):

	new_connection(c: connection)
		is generated whenever a new connection is seen.

	partial_connection(c: connection)
		is generated whenever a new partial connection (one
		that doesn't begin with a SYN handshake) is seen.

	pm_bad_port(r: connection, bad_p: count)
		is generated when a portmapper response contains
		a bad port number.

- Functions, tables and sets can now be assigned.  Assignment is
  made by reference to the underlying object.

- Bro no longer looks up identifiers using getservbyname() to see if they
  should be interpreted as port numbers, since this led to portability
  problems.  Instead, a number of constants are defined in bro.init:
  bgp, domain, finger, ftp, gopher, http, ident, rlogin, smtp, ssh and telnet,

- Bro now supports an arbitrary number of open files (not bound by
  the system's limit on file descriptors).

- There's now a finger_reply event to go with finger_request.

- A bunch more RPC service names have been added, thanks to Job de Haas
  and others.

- A bug has been fixed in the watchdog handling that caused it to
  sometimes expire after a period of network inactivity.

- The Bro paper in doc/ has been revised (it isn't quite up-to-date,
  but considerably closer than the USENIX version).

- There has been a large amount of reworking of the internals, both
  to Bro itself and in the policy scripts.  If you find something you're
  wondering about, feel free to send me mail asking about it.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

v0.5 Sun Oct  4 00:19:35 PDT 1998

- Added Linux support.

- Major autoconf changes.

- Some tweaks to suppress g++ warnings.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

v0.4 Fri Sep 11 00:08:04 PDT 1998

- The new aux/ directory has some utility programs and scripts.
  See aux/README for details.

- Documentation (though exceedingly limited) describing the connection
  log summaries generated by policy/tcp.bro now available in doc/conn-logs.

- The Telnet username recognition code has been heavily reworked and is
  now significantly more robust.

- A new policy file, policy/scan.bro, detects port and address scanning.

- Bro now detects the "Land" attack (a trivial addition to its spoof
  detection).

- The distribution now comes with BIND 8.1.2.

- A new flavor of "weird" event has been added, flow_weird, for unusual
  events associated with <src IP addr, dst IP addr> flows (i.e., a coarser
  granularity than TCP or UDP connections).

- Bro now reassembles fragments, checking for overlaps and consistency.
  Associated with fragments are the following flow_weird's:

	excessively_large_fragment
	excessively_small_fragment
	fragment_inconsistency
	fragment_overlap
	fragment_protocol_inconsistency
	fragment_size_inconsistency
	fragment_with_DF
	incompletely_captured_fragment

- The TCP stream reassembly code was rewritten to share functionality
  with the new fragment reassembly code.

- If a handler for it is present, then Bro will generate "packet_contents"
  events containing the contents of each packet it receives.  This is just
  for experimenting with, and, in particular, this event does *not* reflect
  TCP stream reassembly.

- The handling of "conn_weird" events in tcp.bro now has more options.
  In the weird_action table, WEIRD_LOG_ALWAYS means that the weird event
  should always be logged; WEIRD_LOG_PER_CONN means that it should be
  logged once per connection; and WEIRD_LOG_PER_ORIG that it should be
  launched once per originator IP address.

- The example hot.bro now includes provisions for flagging sensitive
  inbound and outbound services.

- Bro now limits the number of events processed when draining the event
  queue after processing a packet.  This makes Bro less prone to packet
  loss during high-speed scans.

- The line-oriented TCP endpoint class was split into TCP_EndpointLine,
  which supports the line-oriented functionality, and TCP_NVT (derived
  from TCP_EndpointLine), which implements the Network Virtual Terminal
  used by Telnet and FTP.

- The TCP_NVT class now understands the Telnet Environment option.

- Escape sequences are now '\' followed by 1 or more octal digits,
  instead of excatly three octal digits (which is error prone).

- If the watchdog timer expires, it now reports the number of events
  processed in the current batch of packets, as well as other timing
  information.

- Bro now should not report packet drops that occur after it has begun
  to exit (these can occur when draining the pending event queue takes
  a while).

- Bro now detects TCP acknowledgements that occur above a sequence
  hole, generating an ack_above_hole event.  Nominally, this indicates
  packet filter drops, but in fact some buggy TCPs manage to do this :-(.

- Fledgling HTTP support added.  An http_request event is generated when
  a new HTTP request is seen, and http_stats is generated when an HTTP
  connection terminates, giving (uninteresting to most people) statistics
  concerning the request(s).  A lot more is needed: parsing persistent
  connections and HTTP replies, for one.  This is just a start.  A stub
  for http_reply exists but these events are not presently generated.

- Ported to Linux (thanks to Pascal Bouchareine).

- A bug in to_lower() and to_upper() was fixed.

- The reporting for unexpected FTP connections now more directly
  identifies the corresponding FTP session.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

v0.3 Fri Feb 13 19:59:39 PST 1998

- Timers are now implemented using calendar queues rather than priority
  queues (with thanks to Craig Leres).

- The new byte_len() built-in returns the length of a string interpreted
  as a set of bytes (including any NUL bytes, especially the final one
  for a typical string).

- The new sub_bytes() built-in extracts a subset of a string interpreted
  as a set of bytes (i.e., immune to any embedded NULs).

- Fixed bad interaction with the latest version of libpcap that on some
  BPF systems would cause Bro to exit any time a little bit of time went by
  without any traffic matching its filter.

- A bug with constant-folding of the ?: operator has been fixed.

- A new "conn_stats" event delivers statistical analysis (number of packets
  transmitted, retransmitted, out-of-order, replicated) of each connection.
  If you define a handler for it, then *no* other TCP processing is done.
  This was added for off-line analysis of traces with large numbers of
  connections in them.

- Some minor portability tweaks.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

v0.2 Sat Oct 25 11:22:37 PDT 1997

- Added autoconf support, thanks to Scott Denton.

- Ported to FreeBSD, Solaris.

- Fixed a bug in which partial connections were ignored even for
  protocols (e.g., FTP) that can make use of partial dialogs.

- Included BIND version 8 sources directly in the distribution.

- Better usage() information (again thanks to Scott), -h and -v flags.

- README, CHANGES files created.