mirror of https://github.com/zeek/zeek.git, synced 2025-10-03 07:08:19 +00:00
Remove variable content from weird names
This changes many weird names to move non-static content from the weird name into the "addl" field to help ensure the total number of weird names is reasonably bounded. Note the net_weird and flow_weird events do not have an "addl" parameter, so information may no longer be available in those cases -- to make it available again we'd need to either (1) define new events that contain such a parameter, or (2) change net_weird/flow_weird event signature (which is a breaking change for user-code at the moment). Also, the generic handling of binpac exceptions for analyzers which do not otherwise catch and handle them has been changed from a Weird to a ProtocolViolation. Finally, a new "file_weird" event has been added for reporting weirdness found during file analysis.
parent 956674745b
commit 995368e68c
47 changed files with 289 additions and 152 deletions
@ -1,10 +1,8 @@
# @TEST-EXEC: bro -r $TRACES/modbus/fuzz-72.trace
# @TEST-EXEC: btest-diff modbus.log
# @TEST-EXEC: btest-diff weird.log

# The pcap has a flow with some fuzzed modbus traffic in it that should cause
# the binpac-generated analyzer code to throw a binpac::ExceptionOutOfBound.
# This should be correctly caught as a type of binpac::Exception and the
# binpac::ModbusTCP::Exception type that's defined as part of the analyzer
# shouldn't interfere with that handling and definitely shouldn't crash bro.
# A weird is currently emitted for parsing exceptions.
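Review bot: the test comment `# A weird is currently emitted for parsing exceptions.` contradicts this commit's own description, which states that the generic handling of binpac exceptions in analyzers that do not catch them themselves now produces a ProtocolViolation rather than a Weird. The hunk header `@ -1,10 +1,8 @@` shows two lines leaving this file, but the rendered page has lost the `+`/`-` markers, so it is not visible whether that comment and the `# @TEST-EXEC: btest-diff weird.log` line are the ones removed. If either survives, the comment should be updated to say a ProtocolViolation is raised, and the weird.log baseline check no longer reflects what this test exercises.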