I'd like to ask guidance on how to contribute to BRO by proposing
extensions to existing protocol analyzers.
For instance, suppose that I realize a patch to the DHCP analyzer that
includes new unsupported options. Such patch would impact on multiple
files like those in src/analyzer/protocol/dhcp,
scripts/base/protocols/dhcp as well as new types to be included in
What would be the best procedure (and format) to submit such a patch?
We announce the release of Bro v2.5.2. The new version is now available for
or directly at:
Binary packages for the new version are currently building and will be available
in the next hours at:
This is a security release that fixes an out-of-bound write in the ContentLine
analyzer. This issue can be used by remote attackers to crash Bro (i.e. a DoS
attack). There also is a possibility this can be exploited in other ways.
This bug was found by Frank Meier. A CVE has been requested for this bug.
Bro 2.5.2 does not contain any other changes. We urge everyone to update their
installation as quickly as possible.
Due to the potential severity of this bug we also provide a patched version of
Bro v2.4.2. The only difference to version v2.4.1 is this bugfix. Please note
that we encourage users to use version 2.5.2 instead; we do generally not
provide security updates for old releases; version 2.4.2 is missing a number of
other bugfixes that were applied to v2.5.2.
Version 2.4.2 is available for download at:
Is there a way to view which host were scanned when receiving a notice for the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which host were scanned by the host machine.
Just wondering if anyone has tryed to use Bro on an openflow-based
network using mininet?
This email has been checked for viruses by Avast antivirus software.
So I am using the SMB plugin for Bro by loading in local.bro but it seems to be very inconsistent.
Often times when I am copying files between two windows machines over the domain there is no corresponding file in the files.log.
The smb_files.log itself seems to filled up with a lot of .ini files as well and they all seem to have the “SMB::FILE_OPEN” action even when I haven’t opened any of them.
I thought I would use files showing source as SMB in files.log to differentiate when files are actually copied over the network but often times Bro does not detect the same.
Is there any particular way I need to share the files in windows to get the copied files to show up consistently in bro?
I have this simple script :
the printing of variable a is important because its -0 once written in a
is there anyway of printing\writing large doubles ?
I am trying to read a csv file that has regex patterns in it.
it seems that bro does not like reading a column into a regex type.
anyway to accomplish that ? is there any function that converts string to
Thanks a lot,
Building a little off my previous question, I have a structure my_table defined:
global my_table: table[string] of vector of HTTP::Info &write_expire = 30secs &expire_func=process;
and my_table will get written to in the connection_state_remove event, which should then call the expire_func 30s later.
I have tried triggering the functionality two ways:
* Having Bro read in a 1GB test.pcap, waiting for minutes (with exit_only_after_terminate=T), then CTRL-C to exit
* Having Bro listen on a dummy interface and tcpthrow the test.pcap against it, waiting for minutes then CTRL-C to exit
It seems to work for a subset of the connections but not all of them. My hunch is that Bro’s connection state table has no strict time-based removal process, so the connection_state_remove event will not be triggered unless I throw more data at it. My second thought is that it does get triggered at the end for the CTRL-C, but then shuts down before the expire_func fires 30secs later.
If my hunches correct please let me know, as then it should theoretically work with Bro on the wire as new data comes in. But for testing purposes, is there any way to either force flushes of the connection table or ensure that Bro waits long enough after the CTRL-C to handle the expire_func?