Merge remote-tracking branch 'origin/master' into topic/seth/smb

# Conflicts: # testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log # testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log # testing/btest/Baseline/plugins.hooks/output # testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log # testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
2025-10-05 08:08:19 +00:00 · 2016-07-30 01:58:23 -04:00 · 2016-07-30 01:58:23 -04:00 · da7ec8064b
commit da7ec8064b
parent fee3af419b 4ad5d9073a
416 changed files with 27341 additions and 26258 deletions
--- a/scripts/base/frameworks/input/main.bro
+++ b/scripts/base/frameworks/input/main.bro
@ -103,6 +103,17 @@ export {
 		## it is skipped.
 		pred: function(typ: Input::Event, left: any, right: any): bool &optional;

+		## Error event that is raised when an information, warning or error
+		## is raised by the input stream. If the level is error, the stream will automatically
+		## be closed.
+		## The event receives the Input::TableDescription as the first argument, the
+		## message as the second argument and the Reporter::Level as the third argument.
+		##
+		## The event is raised like if it had been declared as follows:
+		## error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional;
+		## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
+		error_ev: any &optional;
+
 		## A key/value table that will be passed to the reader.
 		## Interpretation of the values is left to the reader, but
 		## usually they will be used for configuration purposes.
@ -146,6 +157,17 @@ export {
 		## all fields, or each field value as a separate argument).
 		ev: any;

+		## Error event that is raised when an information, warning or error
+		## is raised by the input stream. If the level is error, the stream will automatically
+		## be closed.
+		## The event receives the Input::EventDescription as the first argument, the
+		## message as the second argument and the Reporter::Level as the third argument.
+		##
+		## The event is raised like it had been declared as follows:
+		## error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional;
+		## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
+		error_ev: any &optional;
+
 		## A key/value table that will be passed to the reader.
 		## Interpretation of the values is left to the reader, but
 		## usually they will be used for configuration purposes.
--- a/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro
@ -125,6 +125,14 @@ export {
 	##          the inserted block.
 	global get_catch_release_info: function(a: addr) : BlockInfo;

+	## Event is raised when catch and release cases management of an IP address because no
+	## activity was seen within the watch_until period.
+	##
+	## a: The address that is no longer being managed.
+	##
+	## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block.
+	global catch_release_forgotten: event(a: addr, bi: BlockInfo);
+
 	## If true, catch_release_seen is called on the connection originator in new_connection,
 	## connection_established, partial_connection, connection_attempt, connection_rejected,
 	## connection_reset and connection_pending
@ -198,6 +206,8 @@ function per_block_interval(t: table[addr] of BlockInfo, idx: addr): interval
 		{
 		local log = populate_log_record(idx, t[idx], FORGOTTEN);
 		Log::write(CATCH_RELEASE, log);
+
+		event NetControl::catch_release_forgotten(idx, t[idx]);
 		}
@endif

--- a/scripts/base/frameworks/notice/actions/drop.bro
+++ b/scripts/base/frameworks/notice/actions/drop.bro
@ -19,7 +19,7 @@ export {
 	};
 }

-hook notice(n: Notice::Info)
+hook notice(n: Notice::Info) &priority=-5
 	{
 	if ( ACTION_DROP in n$actions )
 		{
--- a/scripts/base/frameworks/reporter/main.bro
+++ b/scripts/base/frameworks/reporter/main.bro
@ -17,22 +17,14 @@ export {
 	## The reporter logging stream identifier.
 	redef enum Log::ID += { LOG };

-	## An indicator of reporter message severity.
-	type Level: enum {
-		## Informational, not needing specific attention.
-		INFO,
-		## Warning of a potential problem.
-		WARNING,
-		## A non-fatal error that should be addressed, but doesn't
-		## terminate program execution.
-		ERROR
-	};
-
 	## The record type which contains the column fields of the reporter log.
 	type Info: record {
 		## The network time at which the reporter event was generated.
 		ts:       time   &log;
-		## The severity of the reporter message.
+		## The severity of the reporter message. Levels are INFO for informational
+		## messages, not needing specific attention; WARNING for warning of a potential
+		## problem, and ERROR for a non-fatal error that should be addressed, but doesn't
+		## terminate program execution.
 		level:    Level  &log;
 		## An info/warning/error message that could have either been
 		## generated from the internal Bro core or at the scripting-layer.
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -3434,6 +3434,23 @@ export {
 	};
 }

+module SSL;
+export {
+	type SignatureAndHashAlgorithm: record {
+		HashAlgorithm: count; ##< Hash algorithm number
+		SignatureAlgorithm: count; ##< Signature algorithm number
+	};
+}
+
+module GLOBAL;
+
+## A vector of Signature and Hash Algorithms.
+##
+## .. todo:: We need this type definition only for declaring builtin functions
+##    via ``bifcl``. We should extend ``bifcl`` to understand composite types
+##    directly and then remove this alias.
+type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm;
+
 module X509;
 export {
 	type Certificate: record {
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@ -87,8 +87,10 @@ export {
 		## f       packet with FIN bit set
 		## r       packet with RST bit set
 		## c       packet with a bad checksum
+		## t       packet with retransmitted payload
 		## i       inconsistent packet (e.g. FIN+RST bits set)
 		## q       multi-flag packet (SYN+FIN or SYN+RST bits set)
+		## ^       connection direction was flipped by Bro's heuristic
 		## ======  ====================================================
 		##
 		## If the event comes from the originator, the letter is in
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@ -57,6 +57,27 @@ export {
 		[2] = "fatal",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };

+	## Mapping between numeric codes and human readable strings for hash
+	## algorithms.
+	const hash_algorithms: table[count] of string = {
+		[0] = "none",
+		[1] = "md5",
+		[2] = "sha1",
+		[3] = "sha224",
+		[4] = "sha256",
+		[5] = "sha384",
+		[6] = "sha512",
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	## Mapping between numeric codes and human readable strings for signature
+	## algorithms.
+	const signature_algorithms: table[count] of string = {
+		[0] = "anonymous",
+		[1] = "rsa",
+		[2] = "dsa",
+		[3] = "ecdsa",
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
 	## Mapping between numeric codes and human readable strings for alert
 	## descriptions.
 	const alert_descriptions: table[count] of string = {