Wubi Posted August 2, 2012 Report Share Posted August 2, 2012 Our first post regarding Bro, the Network Security Monitor can be found here. It has since been updated! We now have Bro 2.1 Beta!“Bro is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well.”New Functionality:Bro now comes with extensive IPv6 support. In addition to Bro itself, the other Bro components have also been made IPv6-aware by default. In particular, significant changes were made to trace-summary, PySubnetTree, and Broccoli to support IPv6.Bro now decapsulates tunnels via its new tunnel framework located in scripts/base/frameworks/tunnels. It currently supports Teredo, AYIYA, IP-in-IP (both IPv4 and IPv6), and SOCKS.Bro now features a flexible input framework that allows users to integrate external information in real-time into Bro while it’s processing network traffic.BroControl now has built-in support for host-based load-balancing when using either PF_RING, Myricom cards, or individual interfaces.Bro now comes with experimental support for two alternative output formats:DataSeries: an efficient binary format for recording structured bulk data. DataSeries is developed and maintained at HP Labs. See doc/logging-dataseries for more information.ElasticSearch: a distributed RESTful, storage engine and search engine built on top of Apache Lucene. It scales very well, both for distributed indexing and distributed searching.Changed Functionality:Changes in dependencies: Bro now requires CMake >= 2.6.3.Bro now links in tcmalloc (part of Google perftools) if found at configure time. Doing so can significantly improve memory and CPU use.The configure switch —enable-brov6 is gone.DNS name lookups performed by Bro now also query AAAA records. The results of the A and AAAA queries for a given hostname are combined such that at the scripting layer, the name resolution can yield a set with both IPv4 and IPv6 addresses.The connection compressor was already deprecated in 2.0 and has now been removed from the code base.We removed the “match” statement, which was no longer used by any of the default scripts, nor was it likely to be used by anybody anytime soon. With that, “match” and “using” are no longer reserved keywords.The syntax for IPv6 literals changed from “2607:f8b0:4009:802::1012” to ”[2607:f8b0:4009:802::1012]”.Bro now spawns threads for doing its logging. From a user’s perspective not much should change, except that the OS may now show a bunch of Bro threads.We renamed the configure option —enable-perftools to —enable-perftools-debug to indicate that the switch is only relevant for debugging the heap.Bro’s ICMP analyzer now handles both IPv4 and IPv6 messages with a joint set of events. The icmp_conn record got a new boolean field ‘v6’ that indicates whether the ICMP message is v4 or v6.Log postprocessor scripts get an additional argument indicating the type of the log writer in use (e.g., “ascii”).BroControl’s make-archive-name script also receives the writer type, but as its 2nd(!) argument. If you’re using a custom version of that script, you need to adapt it. See the shipped version for details.Signature files can now be loaded via the new “@load-sigs” directive. In contrast to the existing (and still supported) signature_files constant, this can be used to load signatures relative to the current script (e.g., “@load-sigs ./foo.sig”).The options “tunnel_port” and “parse_udp_tunnels” have been removed. Bro now supports decapsulating tunnels directly for protocols it understands.ASCII logs now record the time when they were opened/closed at the beginning and end of the file, respectively (wall clock). The options LogAscii::header_prefix and LogAscii::include_header have been renamed to LogAscii::meta_prefix and LogAscii::include_meta, respectively.The ASCII writers “header_*” options have been renamed to “meta_*” (because there’s now also a footer).So you see, Bro 2.1 comes with extensive support for IPv6, tunnel decapsulation, a new input framework for integrating external information in real-time into the processing, support for load-balancing in BroControl, two new experimental log output formats (DataSeries, ElasticSearch), and many more improvements and fixes throughout the code base.Download Bro:Bro 2.1 Beta – bro-2.1-beta.tar.gzSursa: Bro 2.1 Beta! — PenTestIT Quote Link to comment Share on other sites More sharing options...
