Merge remote-tracking branch 'origin/master' into topic/liangzhu/analyzer-ocsp

CHANGES

@@ -1,4 +1,33 @@
 
+2.4-63 | 2015-07-28 12:26:37 -0700
+
+  * Updating submodule(s).
+
+2.4-61 | 2015-07-28 12:13:39 -0700
+
+  * Renaming config.h to bro-config.h. (Robin Sommer)
+
+2.4-58 | 2015-07-24 15:06:07 -0700
+
+  * Add script protocols/conn/vlan-logging.bro to record VLAN data in
+    conn.log. (Aaron Brown)
+
+  * Add field "vlan" and "inner_vlan" to connection record. (Aaron
+    Brown)
+
+  * Save the inner vlan in the Packet object for Q-in-Q setups. (Aaron
+    Brown)
+
+  * Increasing plugin API version for recent packet source changes.
+    (Robin Sommer)
+
+  * Slightly earlier protocol confirmation for POP3. (Johanna Amann)
+
+2.4-46 | 2015-07-22 10:56:40 -0500
+
+  * Fix broker python bindings install location to track --prefix.
+    (Jon Siwek)
+
 2.4-45 | 2015-07-21 15:19:43 -0700
 
   * Enabling Broker by default. This means CAF is now a required

CMakeLists.txt

@@ -170,8 +170,8 @@ include(RequireCXX11)
 # Tell the plugin code that we're building as part of the main tree.
 set(BRO_PLUGIN_INTERNAL_BUILD true CACHE INTERNAL "" FORCE)
 
-configure_file(${CMAKE_CURRENT_SOURCE_DIR}/config.h.in
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.h.in
-               ${CMAKE_CURRENT_BINARY_DIR}/config.h)
+               ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h)
 
 include_directories(${CMAKE_CURRENT_BINARY_DIR})
 

NEWS

@@ -16,6 +16,20 @@ New Dependencies
 - Bro now requires the C++ Actor Framework, CAF, which must be
   installed first. See http://actor-framework.org.
 
+New Functionality
+-----------------
+
+- Bro now tracks VLAN IDs. To record them inside the connection log,
+  load protocols/conn/vlan-logging.bro.
+
+- A new per-packet event raw_packet() provides access to layer 2
+  information. Use with care, generating events per packet is
+  expensive.
+
+- New Bro plugins in aux/plugins:
+
+    - pf_ring: Native PF_RING support.
+
 Bro 2.4
 =======
 

VERSION

@@ -1 +1 @@
-2.4-45
+2.4-63

aux/broctl

@@ -1 +1 @@
-Subproject commit 54377d4746e2fd3ba7b7ca97e4a6ceccbd2cc236
+Subproject commit 94eee5b76e0ec78fb646e3a340c558dfe3026b14

aux/plugins

@@ -1 +1 @@
-Subproject commit 98ad8a5b97f601a3ec9a773d87582438212b8290
+Subproject commit 2799b2a13577fc70eea1da6192879a25c58902de

config.h.in

@@ -1,225 +0,0 @@
-/* Old libpcap versions (< 0.6.1) need defining pcap_freecode and
-   pcap_compile_nopcap */
-#cmakedefine DONT_HAVE_LIBPCAP_PCAP_FREECODE
-
-/* should explicitly declare socket() and friends */
-#cmakedefine DO_SOCK_DECL
-
-/* Define if you have the <getopt.h> header file. */
-#cmakedefine HAVE_GETOPT_H
-
-/* Define if you have the `getopt_long' function. */
-#cmakedefine HAVE_GETOPT_LONG
-
-/* We are on a Linux system */
-#cmakedefine HAVE_LINUX
-
-/* Define if you have the `mallinfo' function. */
-#cmakedefine HAVE_MALLINFO
-
-/* Define if you have the <memory.h> header file. */
-#cmakedefine HAVE_MEMORY_H
-
-/* Define if you have the <netinet/if_ether.h> header file. */
-#cmakedefine HAVE_NETINET_IF_ETHER_H
-
-/* Define if you have the <netinet/ip6.h> header file. */
-#cmakedefine HAVE_NETINET_IP6_H
-
-/* Define if you have the <net/ethernet.h> header file. */
-#cmakedefine HAVE_NET_ETHERNET_H
-
-/* Define if you have the <net/ethertypes.h> header file. */
-#cmakedefine HAVE_NET_ETHERTYPES_H
-
-/* have os-proto.h */
-#cmakedefine HAVE_OS_PROTO_H
-
-/* Define if you have the <pcap-int.h> header file. */
-#cmakedefine HAVE_PCAP_INT_H
-
-/* line editing & history powers */
-#cmakedefine HAVE_READLINE
-
-/* Define if you have the `sigaction' function, but not `sigset'. */
-#cmakedefine HAVE_SIGACTION
-
-/* Define if you have the `sigset' function. */
-#cmakedefine HAVE_SIGSET
-
-/* Define if you have the `strcasestr' function. */
-#cmakedefine HAVE_STRCASESTR
-
-/* Define if you have the `strerror' function. */
-#cmakedefine HAVE_STRERROR
-
-/* Define if you have the `strsep' function. */
-#cmakedefine HAVE_STRSEP
-
-/* Define if you have the <sys/ethernet.h> header file. */
-#cmakedefine HAVE_SYS_ETHERNET_H
-
-/* Some libpcap versions use an extra parameter (error) in pcap_compile_nopcap
-   */
-#cmakedefine LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER
-
-/* Include krb5.h */
-#cmakedefine NEED_KRB5_H
-
-/* Compatibility for Darwin */
-#cmakedefine NEED_NAMESER_COMPAT_H
-
-/* d2i_x509 uses const char** */
-#cmakedefine OPENSSL_D2I_X509_USES_CONST_CHAR
-
-/* Define as the return type of signal handlers (`int' or `void'). */
-#define RETSIGTYPE @RETSIGTYPE@
-
-/* signal function return value */
-#define RETSIGVAL @RETSIGVAL@
-
-/* have sin_len field in sockaddr_in */
-#cmakedefine SIN_LEN
-
-/* The size of `long int', as computed by sizeof. */
-#define SIZEOF_LONG_INT @SIZEOF_LONG_INT@
-
-/* The size of `long long', as computed by sizeof. */
-#define SIZEOF_LONG_LONG @SIZEOF_LONG_LONG@
-
-/* The size of `void *', as computed by sizeof. */
-#define SIZEOF_VOID_P @SIZEOF_VOID_P@
-
-/* should we declare syslog() and openlog() */
-#cmakedefine SYSLOG_INT
-
-/* Define if you have <sys/time.h> */
-#cmakedefine HAVE_SYS_TIME_H
-
-/* Define if you can safely include both <sys/time.h> and <time.h>. */
-#cmakedefine TIME_WITH_SYS_TIME
-
-/* GeoIP geographic lookup functionality */
-#cmakedefine USE_GEOIP
-
-/* Whether the found GeoIP API supports IPv6 Country Edition */
-#cmakedefine HAVE_GEOIP_COUNTRY_EDITION_V6
-
-/* Whether the found GeoIP API supports IPv6 City Edition */
-#cmakedefine HAVE_GEOIP_CITY_EDITION_REV0_V6
-
-/* Use Google's perftools */
-#cmakedefine USE_PERFTOOLS_DEBUG
-
-/* Analyze Mobile IPv6 traffic */
-#cmakedefine ENABLE_MOBILE_IPV6
-
-/* Use libCurl. */
-#cmakedefine USE_CURL
-
-/* Use the DataSeries writer. */
-#cmakedefine USE_DATASERIES
-
-/* Use the ElasticSearch writer. */
-#cmakedefine USE_ELASTICSEARCH
-
-/* Version number of package */
-#define VERSION "@VERSION@"
-
-/* whether words are stored with the most significant byte first */
-#cmakedefine WORDS_BIGENDIAN
-
-/* whether htonll/ntohll is defined in <arpa/inet.h> */
-#cmakedefine HAVE_BYTEORDER_64
-
-/* ultrix can't hack const */
-#cmakedefine NEED_ULTRIX_CONST_HACK
-#ifdef NEED_ULTRIX_CONST_HACK
-#define const
-#endif
-
-/* Define int32_t */
-#cmakedefine int32_t @int32_t@
-
-/* use sigset() instead of signal() */
-#ifdef HAVE_SIGSET
-#define signal sigset
-#endif
-
-/* define to int if socklen_t not available */
-#cmakedefine socklen_t @socklen_t@
-
-/* Define u_int16_t */
-#cmakedefine u_int16_t @u_int16_t@
-
-/* Define u_int32_t */
-#cmakedefine u_int32_t @u_int32_t@
-
-/* Define u_int8_t */
-#cmakedefine u_int8_t @u_int8_t@
-
-/* OpenBSD's bpf.h may not declare this data link type, but it's supposed to be
-   used consistently for the same purpose on all platforms. */
-#cmakedefine HAVE_DLT_PPP_SERIAL
-#ifndef HAVE_DLT_PPP_SERIAL
-#define DLT_PPP_SERIAL @DLT_PPP_SERIAL@
-#endif
-
-/* IPv6 Next Header values defined by RFC 3542 */
-#cmakedefine HAVE_IPPROTO_HOPOPTS
-#ifndef HAVE_IPPROTO_HOPOPTS
-#define IPPROTO_HOPOPTS 0
-#endif
-#cmakedefine HAVE_IPPROTO_IPV6
-#ifndef HAVE_IPPROTO_IPV6
-#define IPPROTO_IPV6 41
-#endif
-#cmakedefine HAVE_IPPROTO_IPV4
-#ifndef HAVE_IPPROTO_IPV4
-#define IPPROTO_IPV4 4
-#endif
-#cmakedefine HAVE_IPPROTO_ROUTING
-#ifndef HAVE_IPPROTO_ROUTING
-#define IPPROTO_ROUTING 43
-#endif
-#cmakedefine HAVE_IPPROTO_FRAGMENT
-#ifndef HAVE_IPPROTO_FRAGMENT
-#define IPPROTO_FRAGMENT 44
-#endif
-#cmakedefine HAVE_IPPROTO_ESP
-#ifndef HAVE_IPPROTO_ESP
-#define IPPROTO_ESP 50
-#endif
-#cmakedefine HAVE_IPPROTO_AH
-#ifndef HAVE_IPPROTO_AH
-#define IPPROTO_AH 51
-#endif
-#cmakedefine HAVE_IPPROTO_ICMPV6
-#ifndef HAVE_IPPROTO_ICMPV6
-#define IPPROTO_ICMPV6 58
-#endif
-#cmakedefine HAVE_IPPROTO_NONE
-#ifndef HAVE_IPPROTO_NONE
-#define IPPROTO_NONE 59
-#endif
-#cmakedefine HAVE_IPPROTO_DSTOPTS
-#ifndef HAVE_IPPROTO_DSTOPTS
-#define IPPROTO_DSTOPTS 60
-#endif
-
-/* IPv6 options structure defined by RFC 3542 */
-#cmakedefine HAVE_IP6_OPT
-
-/* Common IPv6 extension structure */
-#cmakedefine HAVE_IP6_EXT
-
-/* String with host architecture (e.g., "linux-x86_64") */
-#define HOST_ARCHITECTURE "@HOST_ARCHITECTURE@"
-
-/* String with extension of dynamic libraries (e.g., ".so") */
-#define DYNAMIC_PLUGIN_SUFFIX "@CMAKE_SHARED_MODULE_SUFFIX@"
-
-/* True if we're building outside of the main Bro source code tree. */
-#ifndef BRO_PLUGIN_INTERNAL_BUILD
-#define BRO_PLUGIN_INTERNAL_BUILD @BRO_PLUGIN_INTERNAL_BUILD@
-#endif

configure

@@ -161,7 +161,7 @@ while [ $# -ne 0 ]; do
             append_cache_entry BRO_ROOT_DIR         PATH   $optarg
             append_cache_entry PY_MOD_INSTALL_DIR   PATH   $optarg/lib/broctl
 
-            if [ -n "$user_disabled_broker" ]; then
+            if [ -z "$user_disabled_broker" ]; then
                 append_cache_entry BROKER_PYTHON_HOME   PATH   $optarg
             fi
             ;;

scripts/base/init-bare.bro

@@ -345,6 +345,12 @@ type connection: record {
 	## for the connection unless the :bro:id:`tunnel_changed` event is
 	## handled and reassigns this field to the new encapsulation.
 	tunnel: EncapsulatingConnVector &optional;
+
+	## The outer VLAN, if applicable, for this connection.
+	vlan: int &optional;
+
+	## The VLAN vlan, if applicable, for this connection.
+	inner_vlan: int &optional;
 };
 
 ## Default amount of time a file can be inactive before the file analysis
@@ -1511,6 +1517,7 @@ type l2_hdr: record {
 	src: string &optional;	##< L2 source (if Ethernet).
 	dst: string &optional;	##< L2 destination (if Ethernet).
 	vlan: count &optional;	##< Outermost VLAN tag if any (and Ethernet).
+	inner_vlan: count &optional;	##< Innermost VLAN tag if any (and Ethernet).
 	eth_type: count &optional;	##< Innermost Ethertype (if Ethernet).
 	proto: layer3_proto;	##< L3 protocol.
 };

scripts/policy/protocols/conn/vlan-logging.bro

@@ -0,0 +1,26 @@
+##! This script add VLAN information to the connection logs
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+	## The outer VLAN for this connection, if applicable.
+	vlan: int      &log &optional;
+
+	## The inner VLAN for this connection, if applicable.
+	inner_vlan: int      &log &optional;
+};
+
+# Add the VLAN information to the Conn::Info structure after the connection
+# has been removed. This ensures it's only done once, and is done before the
+# connection information is written to the log.
+event connection_state_remove(c: connection) &priority=5
+	{
+	if ( c?$vlan )
+		c$conn$vlan = c$vlan;
+
+	if ( c?$inner_vlan )
+		c$conn$inner_vlan = c$inner_vlan;
+	}
+

scripts/site/local.bro

@@ -1,4 +1,4 @@
-##! Local site policy. Customize as appropriate. 
+##! Local site policy. Customize as appropriate.
 ##!
 ##! This file will not be overwritten when upgrading or reinstalling!
 
@@ -11,16 +11,16 @@
 # Load the scan detection script.
 @load misc/scan
 
-# Log some information about web applications being used by users 
+# Log some information about web applications being used by users
 # on your network.
 @load misc/app-stats
 
-# Detect traceroute being run on the network.  
+# Detect traceroute being run on the network.
 @load misc/detect-traceroute
 
 # Generate notices when vulnerable versions of software are discovered.
 # The default is to only monitor software found in the address space defined
-# as "local".  Refer to the software framework's documentation for more 
+# as "local".  Refer to the software framework's documentation for more
 # information.
 @load frameworks/software/vulnerable
 
@@ -35,12 +35,12 @@
 @load protocols/smtp/software
 @load protocols/ssh/software
 @load protocols/http/software
-# The detect-webapps script could possibly cause performance trouble when 
+# The detect-webapps script could possibly cause performance trouble when
 # running on live traffic.  Enable it cautiously.
 #@load protocols/http/detect-webapps
 
-# This script detects DNS results pointing toward your Site::local_nets 
+# This script detects DNS results pointing toward your Site::local_nets
-# where the name is not part of your local DNS zone and is being hosted 
+# where the name is not part of your local DNS zone and is being hosted
 # externally.  Requires that the Site::local_zones variable is defined.
 @load protocols/dns/detect-external-names
 
@@ -62,7 +62,7 @@
 # certificate notary service; see http://notary.icsi.berkeley.edu .
 # @load protocols/ssl/notary
 
-# If you have libGeoIP support built in, do some geographic detections and 
+# If you have libGeoIP support built in, do some geographic detections and
 # logging for SSH traffic.
 @load protocols/ssh/geo-data
 # Detect hosts doing SSH bruteforce attacks.
@@ -84,3 +84,7 @@
 # Uncomment the following line to enable detection of the heartbleed attack. Enabling
 # this might impact performance a bit.
 # @load policy/protocols/ssl/heartbleed
+
+# Uncomment the following line to enable logging of connection VLANs. Enabling
+# this adds two VLAN fields to the conn.log file.
+# @load policy/protocols/conn/vlan-logging

scripts/test-all-policy.bro

@@ -62,6 +62,7 @@
 @load misc/trim-trace-file.bro
 @load protocols/conn/known-hosts.bro
 @load protocols/conn/known-services.bro
+@load protocols/conn/vlan-logging.bro
 @load protocols/conn/weirds.bro
 @load protocols/dhcp/known-devices-and-hostnames.bro
 @load protocols/dns/auth-addl.bro

src/Attr.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Attr.h"
 #include "Expr.h"

src/Base64.cc

@@ -1,4 +1,4 @@
-#include "config.h"
+#include "bro-config.h"
 #include "Base64.h"
 #include <math.h>
 

src/BroString.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <algorithm>
 #include <ctype.h>

src/CCL.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "CCL.h"
 #include "RE.h"

src/ChunkedIO.cc

@@ -9,7 +9,7 @@
 
 #include <algorithm>
 
-#include "config.h"
+#include "bro-config.h"
 #include "ChunkedIO.h"
 #include "NetVar.h"
 #include "RemoteSerializer.h"

src/ChunkedIO.h

@@ -3,7 +3,7 @@
 #ifndef CHUNKEDIO_H
 #define CHUNKEDIO_H
 
-#include "config.h"
+#include "bro-config.h"
 #include "List.h"
 #include "util.h"
 #include "Flare.h"

src/CompHash.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "CompHash.h"
 #include "Val.h"

src/Conn.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <ctype.h>
 
@@ -115,7 +115,8 @@ unsigned int Connection::external_connections = 0;
 IMPLEMENT_SERIAL(Connection, SER_CONNECTION);
 
 Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
-                       uint32 flow, const EncapsulationStack* arg_encap)
+                       uint32 flow, uint32 arg_vlan, uint32 arg_inner_vlan,
+		       const EncapsulationStack* arg_encap)
 	{
 	sessions = s;
 	key = k;
@@ -131,6 +132,9 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
 	saw_first_orig_packet = 1;
 	saw_first_resp_packet = 0;
 
+	vlan = arg_vlan;
+	inner_vlan = arg_inner_vlan;
+
 	conn_val = 0;
 	login_conn = 0;
 
@@ -378,6 +382,12 @@ RecordVal* Connection::BuildConnVal()
 
 		if ( encapsulation && encapsulation->Depth() > 0 )
 			conn_val->Assign(8, encapsulation->GetVectorVal());
+
+		if ( vlan != 0 )
+			conn_val->Assign(9, new Val(vlan, TYPE_INT));
+
+		if ( inner_vlan != 0 )
+			conn_val->Assign(10, new Val(inner_vlan, TYPE_INT));
 		}
 
 	if ( root_analyzer )

src/Conn.h

@@ -56,7 +56,7 @@ namespace analyzer { class Analyzer; }
 class Connection : public BroObj {
 public:
 	Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
-	           uint32 flow, const EncapsulationStack* arg_encap);
+	           uint32 flow, uint32 vlan, uint32 inner_vlan, const EncapsulationStack* arg_encap);
 	virtual ~Connection();
 
 	// Invoked when an encapsulation is discovered. It records the
@@ -294,7 +294,8 @@ protected:
 	IPAddr resp_addr;
 	uint32 orig_port, resp_port;	// in network order
 	TransportProto proto;
-	uint32 orig_flow_label, resp_flow_label; // most recent IPv6 flow labels
+	uint32 orig_flow_label, resp_flow_label;	// most recent IPv6 flow labels
+	uint32 vlan, inner_vlan;	// VLAN this connection traverses, if available
 	double start_time, last_time;
 	double inactivity_timeout;
 	RecordVal* conn_val;

src/DFA.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <openssl/md5.h>
 

src/DNS_Mgr.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <openssl/md5.h>
 #include <sys/types.h>

src/DbgBreakpoint.cc

@@ -1,6 +1,6 @@
 // Implementation of breakpoints.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <assert.h>
 

src/DbgHelp.cc

@@ -1,5 +1,5 @@
 // Bro Debugger Help
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Debug.h"

src/DbgWatch.cc

@@ -1,6 +1,6 @@
 // Implementation of watches
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Debug.h"
 #include "DbgWatch.h"

src/Debug.cc

@@ -1,6 +1,6 @@
 // Debugging support for Bro policy files.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdio.h>
 #include <stdarg.h>

src/DebugCmds.cc

@@ -1,7 +1,7 @@
 // Support routines to help deal with Bro debugging commands and
 // implementation of most commands.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <sys/types.h>
 

src/Desc.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>
 #include <errno.h>

src/Dict.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #ifdef HAVE_MEMORY_H
 #include <memory.h>

src/Discard.cc

@@ -2,7 +2,7 @@
 
 #include <algorithm>
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Net.h"
 #include "Var.h"

src/EquivClass.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "EquivClass.h"
 

src/Event.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Event.h"
 #include "Func.h"

src/Expr.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Expr.h"
 #include "Event.h"

src/File.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <sys/types.h>
 #ifdef TIME_WITH_SYS_TIME

src/Frag.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "util.h"
 #include "Hash.h"

src/Frame.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Frame.h"
 #include "Stmt.h"

src/Func.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <sys/types.h>
 #include <sys/stat.h>

src/Hash.cc

@@ -15,7 +15,7 @@
 // for the adversary to construct conflicts, though I do not know if
 // HMAC/MD5 is provably universal.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Hash.h"
 

src/ID.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "ID.h"
 #include "Expr.h"

src/IP.h

@@ -3,7 +3,7 @@
 #ifndef ip_h
 #define ip_h
 
-#include "config.h"
+#include "bro-config.h"
 #include "net_util.h"
 #include "IPAddr.h"
 #include "Reporter.h"

src/IntSet.cc

@@ -1,4 +1,4 @@
-#include "config.h"
+#include "bro-config.h"
 
 #ifdef HAVE_MEMORY_H
 #include <memory.h>

src/List.cc

@@ -1,4 +1,4 @@
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdio.h>
 #include <stdlib.h>

src/NFA.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "NFA.h"
 #include "EquivClass.h"

src/Net.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <sys/types.h>
 #ifdef TIME_WITH_SYS_TIME

src/NetVar.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Var.h"
 #include "NetVar.h"

src/Obj.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>
 

src/PacketDumper.cc

@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <assert.h>
 #include <stdlib.h>

src/PolicyFile.cc

@@ -1,4 +1,4 @@
-#include "config.h"
+#include "bro-config.h"
 
 #include <sys/types.h>
 #include <sys/stat.h>

src/PriorityQueue.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdio.h>
 #include <stdlib.h>

src/Queue.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <string.h>
 

src/RE.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>
 #include <utility>

src/Reassem.cc

@@ -2,7 +2,7 @@
 
 #include <algorithm>
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Reassem.h"
 #include "Serializer.h"

src/RemoteSerializer.cc

@@ -159,7 +159,7 @@
 #include <strings.h>
 #include <stdarg.h>
 
-#include "config.h"
+#include "bro-config.h"
 #ifdef TIME_WITH_SYS_TIME
 # include <sys/time.h>
 # include <time.h>

src/Reporter.cc

@@ -4,7 +4,7 @@
 
 #include <syslog.h>
 
-#include "config.h"
+#include "bro-config.h"
 #include "Reporter.h"
 #include "Event.h"
 #include "NetVar.h"

src/Rule.cc

@@ -1,4 +1,4 @@
-#include "config.h"
+#include "bro-config.h"
 
 #include "Rule.h"
 #include "RuleMatcher.h"

src/RuleAction.cc

@@ -1,7 +1,7 @@
 #include <string>
 using std::string;
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "RuleAction.h"
 #include "RuleMatcher.h"

src/RuleCondition.cc

@@ -1,4 +1,4 @@
-#include "config.h"
+#include "bro-config.h"
 
 #include "RuleCondition.h"
 #include "analyzer/protocol/tcp/TCP.h"

src/RuleMatcher.cc

@@ -1,7 +1,7 @@
 #include <algorithm>
 #include <functional>
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "analyzer/Analyzer.h"
 #include "RuleMatcher.h"

src/Scope.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "ID.h"
 #include "Val.h"

src/SerialObj.h

@@ -37,7 +37,7 @@
 #include "DebugLogger.h"
 #include "Continuation.h"
 #include "SerialTypes.h"
-#include "config.h"
+#include "bro-config.h"
 
 #if SIZEOF_LONG_LONG < 8
 # error "Serialization requires that sizeof(long long) is at least 8. (Remove this message only if you know what you're doing.)"

src/Sessions.cc

@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <arpa/inet.h>
 
@@ -674,7 +674,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 	conn = (Connection*) d->Lookup(h);
 	if ( ! conn )
 		{
-		conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), encapsulation);
+		conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), pkt->vlan, pkt->inner_vlan, encapsulation);
 		if ( conn )
 			d->Insert(h, conn);
 		}
@@ -694,7 +694,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 				conn->Event(connection_reused, 0);
 
 			Remove(conn);
-			conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), encapsulation);
+			conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), pkt->vlan, pkt->inner_vlan, encapsulation);
 			if ( conn )
 				d->Insert(h, conn);
 			}
@@ -1173,6 +1173,7 @@ void NetSessions::GetStats(SessionStats& s) const
 
 Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 					const u_char* data, int proto, uint32 flow_label,
+					uint32 vlan, uint32 inner_vlan,
 					const EncapsulationStack* encapsulation)
 	{
 	// FIXME: This should be cleaned up a bit, it's too protocol-specific.
@@ -1229,7 +1230,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 		id = &flip_id;
 		}
 
-	Connection* conn = new Connection(this, k, t, id, flow_label, encapsulation);
+	Connection* conn = new Connection(this, k, t, id, flow_label, vlan, inner_vlan, encapsulation);
 	conn->SetTransport(tproto);
 
 	if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) )

src/Sessions.h

@@ -184,6 +184,7 @@ protected:
 
 	Connection* NewConn(HashKey* k, double t, const ConnID* id,
 			const u_char* data, int proto, uint32 flow_lable,
+			uint32 vlan, uint32 inner_vlan,
 			const EncapsulationStack* encapsulation);
 
 	// Check whether the tag of the current packet is consistent with

src/SmithWaterman.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <algorithm>
 #include <ctype.h>

src/Stmt.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Expr.h"
 #include "Event.h"

src/Tag.h

@@ -3,7 +3,7 @@
 #ifndef TAG_H
 #define TAG_H
 
-#include "config.h"
+#include "bro-config.h"
 #include "util.h"
 #include "Type.h"
 

src/Timer.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "util.h"
 #include "Timer.h"

src/TunnelEncapsulation.h

@@ -3,7 +3,7 @@
 #ifndef TUNNELS_H
 #define TUNNELS_H
 
-#include "config.h"
+#include "bro-config.h"
 #include "NetVar.h"
 #include "IPAddr.h"
 #include "Val.h"

src/Type.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Type.h"
 #include "Attr.h"

src/Val.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <sys/types.h>
 #include <sys/param.h>

src/Var.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Var.h"
 #include "Func.h"

src/analyzer/Component.h

@@ -7,7 +7,7 @@
 #include "plugin/Component.h"
 #include "plugin/TaggedComponent.h"
 
-#include "../config.h"
+#include "../bro-config.h"
 #include "../util.h"
 
 class Connection;

src/analyzer/Tag.h

@@ -3,7 +3,7 @@
 #ifndef ANALYZER_TAG_H
 #define ANALYZER_TAG_H
 
-#include "config.h"
+#include "bro-config.h"
 #include "util.h"
 #include "../Tag.h"
 #include "plugin/TaggedComponent.h"

src/analyzer/protocol/arp/ARP.h

@@ -3,7 +3,7 @@
 #ifndef ANALYZER_PROTOCOL_ARP_ARP_H
 #define ANALYZER_PROTOCOL_ARP_ARP_H
 
-#include "config.h"
+#include "bro-config.h"
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>

src/analyzer/protocol/backdoor/BackDoor.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "BackDoor.h"
 #include "Event.h"

src/analyzer/protocol/dce-rpc/DCE_RPC.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>
 #include <string>

src/analyzer/protocol/dns/DNS.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <ctype.h>
 #include <sys/types.h>

src/analyzer/protocol/finger/Finger.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <ctype.h>
 

src/analyzer/protocol/ftp/FTP.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>
 

src/analyzer/protocol/gnutella/Gnutella.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <ctype.h>
 

src/analyzer/protocol/http/HTTP.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <ctype.h>
 #include <math.h>

src/analyzer/protocol/icmp/ICMP.cc

@@ -2,7 +2,7 @@
 
 #include <algorithm>
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Net.h"
 #include "NetVar.h"

src/analyzer/protocol/ident/Ident.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <ctype.h>
 

src/analyzer/protocol/interconn/InterConn.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "InterConn.h"
 #include "Event.h"

src/analyzer/protocol/login/Login.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <ctype.h>
 #include <stdlib.h>

src/analyzer/protocol/login/NVT.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>
 

src/analyzer/protocol/login/RSH.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "NetVar.h"
 #include "Event.h"

src/analyzer/protocol/login/Rlogin.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "NetVar.h"
 #include "Event.h"

src/analyzer/protocol/login/Telnet.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "Telnet.h"
 #include "NVT.h"

src/analyzer/protocol/mime/MIME.cc

@@ -1,4 +1,4 @@
-#include "config.h"
+#include "bro-config.h"
 
 #include "NetVar.h"
 #include "MIME.h"

src/analyzer/protocol/ncp/NCP.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>
 #include <string>

src/analyzer/protocol/netbios/NetbiosSSN.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <ctype.h>
 

src/analyzer/protocol/ntp/NTP.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "NetVar.h"
 #include "NTP.h"

src/analyzer/protocol/pop3/POP3.cc

@@ -1,7 +1,7 @@
 // This code contributed to Bro by Florian Schimandl, Hugh Dollman and
 // Robin Sommer.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>
 #include <iostream>
@@ -720,14 +720,16 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 			break;
 			}
 
+		case CAPA:
+			ProtocolConfirmation();
 		case UIDL:
 		case LIST:
-		case CAPA:
 			if (requestForMultiLine == true)
 				multiLine = true;
 			break;
 
 		case STLS:
+			ProtocolConfirmation();
 			tls = true;
 			StartTLS();
 			return;

src/analyzer/protocol/rpc/NFS.cc

@@ -2,7 +2,7 @@
 
 #include <algorithm>
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "NetVar.h"
 #include "XDR.h"

src/analyzer/protocol/rpc/Portmap.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "NetVar.h"
 #include "XDR.h"

src/analyzer/protocol/rpc/RPC.cc

@@ -4,7 +4,7 @@
 
 #include <algorithm>
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "NetVar.h"
 #include "XDR.h"

src/analyzer/protocol/rpc/XDR.cc

@@ -2,7 +2,7 @@
 
 #include <algorithm>
 
-#include "config.h"
+#include "bro-config.h"
 
 #include "XDR.h"
 

src/analyzer/protocol/smtp/SMTP.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>
 

src/analyzer/protocol/stepping-stone/SteppingStone.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "config.h"
+#include "bro-config.h"
 
 #include <stdlib.h>