diff --git a/CHANGES b/CHANGES
index d44c1eca55..e854acd264 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,14 @@
+7.0.0-dev.136 | 2024-04-18 09:02:14 -0700
+
+ * Update core.pcap.filter-warning baseline (Peter Cullen, Corelight)
+
+ Only the line numbers changed.
+
+ * Add PacketFilter::remove_exclude function (Peter Cullen, Corelight)
+
+ This adds a public function to the PacketFilter framework that
+ allows the caller to remove an exclude filter by filter id.
+
 7.0.0-dev.132 | 2024-04-17 14:59:43 -0700
 * Parse and store localversion string (Peter Cullen, Corelight)
diff --git a/VERSION b/VERSION
index 0e123ee13f..1da60c5828 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.0.0-dev.132
+7.0.0-dev.136
diff --git a/scripts/base/frameworks/packet-filter/main.zeek b/scripts/base/frameworks/packet-filter/main.zeek
index 9e18795132..7a3689f49d 100644
--- a/scripts/base/frameworks/packet-filter/main.zeek
+++ b/scripts/base/frameworks/packet-filter/main.zeek
@@ -101,6 +101,16 @@ export {
 ## installed or not.
 global exclude_for: function(filter_id: string, filter: string, span: interval): bool;
+ ## Remove a previously added exclude filter fragment by name. The
+ ## traffic that was being filtered will be allowed through the filter
+ ## after calling this function.
+ ##
+ ## filter_id: The name given to the filter fragment which you'd like to remove.
+ ##
+ ## Returns: A boolean value to indicate if a filter fragment with the given name
+ ## actually installed.
+ global remove_exclude: function(filter_id: string): bool;
+
 ## Call this function to build and install a new dynamically built
 ## packet filter.
 global install: function(): bool;
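Review bot: The `Returns:` text on the new `remove_exclude` declaration in main.zeek is missing a verb and never says what F means; I would write `## Returns: T if a fragment with the given name was installed and has been removed, F if no fragment with that name exists.` The description should also say how this interacts with `exclude_for`: if that function schedules `remove_dynamic_filter` for the same id (its body is not visible here, so this is an assumption to confirm), the timer still fires after a manual removal and would drop a fragment that was re-added under the same name before it expires. Callers that manage capture scope by name need that stated, because the installed filter decides which traffic the sensor sees. The export block starts and ends outside this hunk.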
@@ -194,12 +204,19 @@ function register_filter_plugin(fp: FilterPlugin)
 }
 event remove_dynamic_filter(filter_id: string)
+ {
+ remove_exclude(filter_id);
+ }
+
+function remove_exclude(filter_id: string): bool
 {
 if ( filter_id in dynamic_restrict_filters )
 {
 delete dynamic_restrict_filters[filter_id];
 install();
+ return T;
 }
+ return F;
 }
 function exclude(filter_id: string, filter: string): bool
diff --git a/testing/btest/Baseline/core.pcap.filter-warning/output b/testing/btest/Baseline/core.pcap.filter-warning/output
index fdfc24df5d..d64c55dd45 100644
--- a/testing/btest/Baseline/core.pcap.filter-warning/output
+++ b/testing/btest/Baseline/core.pcap.filter-warning/output
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-warning in <...>/main.zeek, line 307: Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented
+warning in <...>/main.zeek, line 324: Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented
diff --git a/testing/btest/Baseline/core.pcap.filter-warning/reporter.log b/testing/btest/Baseline/core.pcap.filter-warning/reporter.log
index 4da94c04f6..4b4444970b 100644
--- a/testing/btest/Baseline/core.pcap.filter-warning/reporter.log
+++ b/testing/btest/Baseline/core.pcap.filter-warning/reporter.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts level message location
 #types time enum string string
-XXXXXXXXXX.XXXXXX Reporter::WARNING Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented <...>/main.zeek, line 307
+XXXXXXXXXX.XXXXXX Reporter::WARNING Warning while compiling pcap filter 'ip or not ip': IEEE 802.15.4 link-layer type filtering not implemented <...>/main.zeek, line 324
 #close XXXX-XX-XX-XX-XX-XX
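Review bot: In `remove_exclude` (main.zeek, second hunk) the result of `install()` is discarded and the function returns T regardless, although `install` is declared in the export block as returning bool. If rebuilding or compiling the filter fails, the fragment is already gone from `dynamic_restrict_filters` while the filter in effect on the capture source may still be the old one. The caller is then told the removal took effect when it did not. I would capture the result with `local ok = install();` and surface a failure to the caller or the reporter. Failing that, add a comment above `return T;` such as `# T means the fragment was found and deleted; it does not imply install() succeeded.`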