Merge commit 'b8ab0ebc22'

* commit 'b8ab0ebc22':
  Removing expire timer from http_sessions.

CHANGES

@@ -1,8 +1,9 @@
-@(#) $Id: CHANGES 7076 2010-09-13 02:42:27Z vern $
+1.6-dev.18 Wed Jan 19 16:37:13 PST 2011
 
--+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+  * Removing unnecessary expire timer from http_sessions. (Gregor
+    Maier)
 
-1.6-dev.4 Sat Jan 15 14:14:21 PST 2011
+1.6-dev.16 Sat Jan 15 14:14:21 PST 2011
 
 - Updates to the build system (Jonathan Siwek)
 
@@ -13,7 +14,7 @@
       now generate binary packages according to #295.
 
     * Additional configure options to change packaging behavior.
-      
+
     * OS X builds will now prefer to link static libraries of
       optional dependencies that don't come with the vanilla
       operating system.
@@ -54,7 +55,7 @@
 
 - The Bro source code is now developed in the new git repositories.
   See the developer pages at http://www.bro-ids.org for more
-  information on the new development process. 
+  information on the new development process.
 
 - Bro's build and installation setup has been moved from GNU
   autotools to CMake. As a result of that, layout and specifics of
@@ -77,7 +78,7 @@
   and can no longer be disabled.
 
 - ClamAV support has been removed, which has been non-functional for
-  a while already. 
+  a while already.
 
 1.5.2.7 Sun Sep 12 19:39:49 PDT 2010
 
@@ -455,7 +456,7 @@
  (1) Remote communication now no longer includes location information for
  serialized objects; that removes quite a bit of redundacy from the network
  traffic.
- 
+
  (2) The new option 'remote_check_sync_consistency" disables the cross-check
  on the receiving side of &synchronized state of whether the current value
  of a variable has the value expected by the sender. Transmitting the
@@ -472,7 +473,7 @@
  we maintain *two* caches independently for these types of objects; one
  with a low turn-over one and another with a high one.  This should reduce
  CPU load on both sender and receiver sides.
- 
+
  The new scheme is only used if both communicating Bros support it; with
  older Bros, as well as with Broccoli, we continue using the old scheme.
 
@@ -666,12 +667,12 @@
 		      bro -Y 0.0.0.0:5555 netflow
 		      bro -i eth0 -Y 10.0.0.1:1234=src1 brolite netflow
 
-	  -y|--flowfile <file>[=<ident>] 
+	  -y|--flowfile <file>[=<ident>]
 
 	    Used to read from a file. You can optionally include an
 	    identifier for the source.
 
-	    Examples: 
+	    Examples:
 		      bro -y myflowfile netflow
 		      bro -y myflowfile=src1 otherflowfile=src2 netflow
 
@@ -840,7 +841,7 @@
 
   So, to drop all sources triggering a specific notice, one can now, e.g.,
   write:
-  
+
 	redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source };
 
   Related to this change, notice_info has a new field $dropped, set to
@@ -871,8 +872,8 @@
 	   before starting the main packet loop and another one when
 	   finished. These snapshots can then be analyzed with pprof.
 
-  For more information about the perftools see 
+  For more information about the perftools see
-  
+
 	http://code.google.com/p/google-perftools
 
 - Notice tags are now generated in a pseudo-unique fashion that, with high
@@ -946,7 +947,7 @@
 	detector tables.
 
 - When Bro serializes functions, it now does so by default using only
-  their name, rather than their full value (Robin Sommer).  This prevents 
+  their name, rather than their full value (Robin Sommer).  This prevents
   propagation of expiration functions associated with tables and sets.
   Note, currently there is no mechanism provided to switch from the
   default behavior, but the internal hooks are in place to do so.
@@ -1211,7 +1212,7 @@
 - An arbitrary tag can now be past to post-processors for log rotation
   (Robin Sommer).
 
-- Default inactivity timeouts for interactive services shortened to 
+- Default inactivity timeouts for interactive services shortened to
   1 hour (Robin Sommer).
 
 - The scanning variables distinct_{peers,ports,low_ports} are now
@@ -1524,7 +1525,7 @@
   This fixes a long-standing problem of sometimes $addl fields not showing
   up in connection summaries.
 
-- The new expressions record(...), table(...), set(...) and vector(...) 
+- The new expressions record(...), table(...), set(...) and vector(...)
   are constructors for the corresponding aggregate types (Vern Paxson).
   For example,
 
@@ -1678,7 +1679,7 @@
 - A new notice_action_filter, tally_notice_type_and_ignore, works the same
   as tally_notice_type but returns IGNORE (Robin Sommer)
 
-- Setting summary_interval == 0 disables the creation of irc-bots.summary.log 
+- Setting summary_interval == 0 disables the creation of irc-bots.summary.log
   (Robin Sommer).
 
 - If you @load foo and a directory "foo" is in your path, Bro no longer
@@ -1795,9 +1796,9 @@
 
 - Fixed using "time" values as table indices.
 
-- Added ssh to default brolite DPD configuration. 
+- Added ssh to default brolite DPD configuration.
 
-- Fixed catching up to real-time in case of lull. 
+- Fixed catching up to real-time in case of lull.
 
 - Fixed Broccoli "BRO_DATA_FORMAT_VERSION" to match version in Bro.
 
@@ -1807,11 +1808,11 @@
 
 - Added Linux tuning to brolite install script.
 
-- Modified Makefile to include broccoli/contrib. 
+- Modified Makefile to include broccoli/contrib.
 
-- Adding missing initialization to remote serializer. 
+- Adding missing initialization to remote serializer.
 
-- Minor documentation updates for reference manual and Broccoli. 
+- Minor documentation updates for reference manual and Broccoli.
 
 
 1.2 Tue Oct 17 12:09:49 PDT 2006
@@ -2030,7 +2031,7 @@
 
 	- notice_action_filters now reside in the new script
 	  notice-action-filter.bro (automatically loaded by notice.bro).
-        
+
 	- The notice actions NOTICE_ALARM_PER_CONN, NOTICE_ALARM_PER_ORIG,
 	  and NOTICE_ALARM_ONCE have been removed, as they were never
 	  actually implemented.
@@ -2050,7 +2051,7 @@
 
 - TRW analysis now skips UDP traffic because it currently treats
   all UDP connections as failures (Robin Sommer).
-     
+
 - trw.bro has been split into trw-impl.bro (the algorithm) and
   trw.bro (which simply activates the analysis), to facilitate writing
   scripts that have hooks into TRW analysis but don't presume it's
@@ -2183,7 +2184,7 @@
   (Robin Sommer).  This appears to still need some work, as now
   it generates redundant events.
 
-- Fix for initial exchange of &sync state which could lead to 
+- Fix for initial exchange of &sync state which could lead to
   referencing unknown IDs (Robin Sommer).
 
 - Fix to scan detection for differing semantics of connection compressor
@@ -2492,7 +2493,7 @@
 
 	- the new variable dump_backdoor_packets (default F) if set causes
 	  the packet that triggered the backdoor detection to be written to
-	  backdoor-packets/<tag>:<time> 
+	  backdoor-packets/<tag>:<time>
 
 	- the new variable backdoor_ignore_host_port_pairs is a set[addr, port]
 	  specify host/port combinations to ignore
@@ -2646,7 +2647,7 @@
 	- Now can ignore specific connections dynamically.
 
 	- TCP content gaps are now recognized and ADU delivery is for now
-	  stopped for such flows, unless explicitly requested. 
+	  stopped for such flows, unless explicitly requested.
 
 	- No longer logs to file in test mode.
 
@@ -2657,7 +2658,7 @@
 - Bro now performs serialization (such as when checkpointing &persistent
   tables or communicating them between Bro's) in an incremental fashion,
   intermingling transfers of large tables with ongoing packet processing
-  (Robin Sommer).  Doing so helps avoid packet drops for large items. 
+  (Robin Sommer).  Doing so helps avoid packet drops for large items.
   This has not yet been implemented for the initial handshake done
   for &synchronized items.
 
@@ -2720,7 +2721,7 @@
 
 - Notices now report current time for remotely-received notices rather
   than network time (Brian Tierney).
-  
+
 - Notices now include a tag es=<peer_description> any time a peer
   description is defined, not just for remote notices (Robin Sommer).
 
@@ -2924,9 +2925,9 @@
 
 - Bug fix for exchanging peer descriptions (Robin Sommer).
 
-- Bug fix for processing multipart-MIME HTTP messages with content-length 
+- Bug fix for processing multipart-MIME HTTP messages with content-length
   headers (Ruoming Pang).
-  
+
 - Bug fix for failing to escape "'s in HTTP server replies (Robin Sommer).
 
 - Bug fix for propagating increment operations on tables (Robin Sommer).
@@ -2940,7 +2941,7 @@
 - Bug fix for printing enum's (Christian Kreibich).
 
 - When not configured with --enable debug, Bro now still accepts (yet ignores)
-  option -B (Robin Sommer). 
+  option -B (Robin Sommer).
 
 - Serialization enhancements and fixes, including a change of the
   protocol version number (Robin Sommer).
@@ -2981,7 +2982,7 @@
 
 - Fix for connection compressor bug in tracking connection history
   (Robin Sommer).
-  
+
 - Bug fix for potential floating point exception in signature engine's
   resource-profiling code (Robin Sommer).
 
@@ -3107,7 +3108,7 @@
 	smb_get_dfs_referral(c: connection, max_referral_level: count,
 				file_name: string)
 		generated for SMB DFS referal requests
- 
+
 	dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
 		low-level event generated for each DNS request/reponse
 
@@ -3181,7 +3182,7 @@
 - The "bif" compiler for compiling Bro built-in functions now supports
   an "enum" type (Ruoming Pang).  The syntax is:
 
-	enum dce_rpc_ptype 
+	enum dce_rpc_ptype
 	%{
 		DCE_RPC_REQUEST,
 		DCE_RPC_PING,
@@ -3190,7 +3191,7 @@
 
   which is translated to an enum declaration of "dce_rpc_ptype" in
   Bro, an EnumType* enum_dce_rpc_ptype in NetVar.{h,cc} and a C++ enum
-  BroEnum::dce_rpc_ptype {...}. 
+  BroEnum::dce_rpc_ptype {...}.
 
   One limitation is that redef's on enum types cannot be taken into
   account because the bif is parsed at compile time.
@@ -3334,7 +3335,7 @@
   specify whether to broadcast events/state received from one peer to other
   peers (Robin Sommer).  Both default to F.  Note, these options are temporary;
   they will disappear when we add a more sophisticated script-level
-  communication framework. 
+  communication framework.
 
 - Vectors can now be initialized using the syntax such as
 
@@ -3376,11 +3377,11 @@
     //      VERSION messages must be exchanged.
     //      Ends when both peers have sent VERSION.
     //  Handshake:
-    //      REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs 
+    //      REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs
     //        may be exchanged.
     //      Phase ends when both peers have sent PHASE_DONE.
     //  State synchronization:
-    //      Entered iff at least one of the peers has sent REQUEST_SYNC.    
+    //      Entered iff at least one of the peers has sent REQUEST_SYNC.
     //      The peer with the smallest runtime (incl. in VERSION msg) sends
     //        SERIAL messages comprising all of its state.
     //      Phase ends when peer sends another PHASE_DONE.
@@ -4268,7 +4269,7 @@
 - A new flag, -e, lets you specify Bro code to execute via the command
   line (Christian Kreibich).  So, for example,
 
-	bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp 
+	bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp
 
   will run tcp.bro on the trace "mytrace.tcpdump", but with
   traditional_conn_format redefined to be true.  Note that statements
@@ -4365,7 +4366,7 @@
 - The new "weird" type "base64_illegal_encoding" takes the place of
   some previously unstructured Base64 "weird" errors.
 
-- A tweak to ftp.bro will give it slightly more consistent results 
+- A tweak to ftp.bro will give it slightly more consistent results
   for some forms of unusual traffic.
 
 
@@ -4442,7 +4443,7 @@
 
 - The new built-ins any_set() and all_set() return true if for a given
   boolean vector any element is true or all of the elements is true
-  (Umesh Shankar).  So, for example, "any_set(x < 0)" returns T if 
+  (Umesh Shankar).  So, for example, "any_set(x < 0)" returns T if
   an element of x is less than zero.
 
 - The new built-in sort() takes a vector as an argument and sorts it
@@ -4813,7 +4814,7 @@
   current CPU load. If the load is below cpu_lower_limit (default 40%),
   the load-level is decreased.  If it's above cpu_upper_limit (default
   90%), it's increased.  (Robin Sommer)
- 
+
 - The new policy script hand-over.bro can be used for a new running
   instance of Bro to smoothly take over operation from an old instance,
   i.e., it implements hand-over of state between two Bro instances when
@@ -4999,7 +5000,7 @@
 	$priority - type must be arithmetic (count, int, double).  This
 		  is the priority associated with the match of EXPR1
 		  if $pred returns true.
-  
+
   The way the expression works is that EXPR1 is evaluated yielding a
   value V.  EXPR2 is then evaluated yielding a set of records whose
   type includes the above fields.  Bro then spins through each of the
@@ -5334,8 +5335,8 @@
   Sommer).  The format is simple, just "include" or "ignore" followed
   by the SID number:
 
-	# sid-526 BAD TRAFFIC data in TCP SYN packet 
+	# sid-526 BAD TRAFFIC data in TCP SYN packet
-	ignore	526 
+	ignore	526
 
 	# sid-623 matches a null-flags stealth scan.  Include it even
 	# if we build with -p, since it doesn't tend to generate any
@@ -5488,7 +5489,7 @@
   A new function, get_event_source(), returns a record event_source
   describing the source that raised the last event.
 
-  See doc/ssl.txt for an explanation of how to create the keys/certificates.   
+  See doc/ssl.txt for an explanation of how to create the keys/certificates.
 
 - A fledgling Gnutella analyzer has been contributed (Mark Allman).
   It generates the following events:
@@ -5516,7 +5517,7 @@
 	  redef secondary_filters += {
 		  ["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
 	  }
-  
+
   will invoke rst_syn_fin_flag() anytime a TCP packet is seen for
   which the SYN/FIN/RST bits are non-zero.  The event handler will
   be passed the string "tcp[13] & 7 != 0" (so it can tell which
@@ -5574,7 +5575,7 @@
   public key; it's used to then embed a Blowfish session key.  (Robin Sommer)
 
   A new utility, aux/bdcat/bdcat ("Bro decrypt cat") can be used to decrypt
-  the files. 
+  the files.
 
 - The internal structure of TCP analysis has been significantly altered.
   Previously, TCP_Endpoint tracked endpoint state and TCP_EndpointContents
@@ -5651,7 +5652,7 @@
     const remote_peers_ssl : table[addr, port] of Peer &redef;
     [...]
     for ( [ip, p] in remote_peers_ssl )
-        connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry); 
+        connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry);
 
 - Checkpointing of persistent state on SIGHUP now happens via bro.init
   (Robin Sommer).  Not tested.

VERSION

@@ -1 +1 @@
-1.6-dev.4
+1.6-dev.18

policy/heavy.http.bro

@@ -1,3 +0,0 @@
-# $Id: heavy.http.bro 4723 2007-08-07 18:14:35Z vern $
-
-redef http_sessions &write_expire = 5 hrs;

policy/http.bro

@@ -79,17 +79,8 @@ type http_session_info: record {
 
 const http_log = open_log_file("http") &redef;
 
-# Called when an HTTP session times out.
-global expire_http_session:
-	function(t: table[conn_id] of http_session_info, id: conn_id)
-		: interval;
-
 export {
-	# Indexed by conn_id.
+	global http_sessions: table[conn_id] of http_session_info;
-	# (Exported so that we can define a timeout on it.)
-	global http_sessions: table[conn_id] of http_session_info
-			&expire_func = expire_http_session
-			&read_expire = 15 min;
 }
 
 global http_session_id = 0;
@@ -202,30 +193,6 @@ event connection_state_remove(c: connection)
 	delete http_sessions[c$id];
 	}
 
-function expire_http_session(t: table[conn_id] of http_session_info,
-				id: conn_id): interval
-	{
-	### FIXME: not really clear that we need this function at all ...
-	#
-	# One would think that connection_state_remove() already takes care
-	# of everything.  However, without this expire-handler, some requests
-	# don't show up with the test-suite (but haven't reproduced with
-	# smaller traces) - Robin.
-
-	local s = http_sessions[id];
-	finish_stream(id, s$id, s$request_stream);
-	return 0 sec;
-	}
-
-# event connection_timeout(c: connection)
-# 	{
-# 	if ( ! maintain_http_sessions )
-# 		{
-# 		local id = c$id;
-# 		if ( [id$orig_h, id$resp_h] in http_sessions )
-# 			delete http_sessions[id$orig_h, id$resp_h];
-# 		}
-# 	}
 
 # event http_stats(c: connection, stats: http_stats_rec)
 # 	{