We are getting close to finalizing the feature set for the upcoming
Bro 2.1 release. To give you an idea of what’s in the queue, we will be
doing a series of blog postings that focus on the main areas we have
been working on since 2.0. Specifically, expect to see development
updates on the following areas:
- Extensive IPv6 Support: We are completely revamping Bro’s IPv6 support. With Bro 2.1, IPv6 will be fully integrated into protocol analysis and the scripting language (and will no longer be the fragile, optional code that it used to be). In addition, we are adding support for many more IPv6 features, including ICMPv6 and tunnel decapsulation.
- Binary Logging: Bro’s default ASCII output is not ideal for handling large volumes of logs. In 2.1, we are adding experimental support for binary output using HP Labs’ DataSeries, a format optimized for handling high-volume logs.
- Input Framework: Bro 2.1 will come with a new framework for reading data into script-land at runtime, such as blacklists and other external context. Initially, we are focusing on reading ASCII files with a column-based structure similar to Bro’s logs, but we designed the framework internals more generally, and new input formats can be added as plugins, similar to how the existing logging framework operates.
- File Analysis Framework: We are unifying Bro’s approach to inspecting the file transfers it observes on the wire. In 2.1, a new framework will provide protocol-independent file reassembly and analysis, with extensive hooks for accessing file content.
The code for all of these features is either already merged into the
current git master or is waiting for final touches in a feature branch.
Stay tuned for more information.