Merge remote-tracking branch 'origin/topic/jsiwek/unknown-protocol-options'

* origin/topic/jsiwek/unknown-protocol-options:
  Move UnknownProtocol options to init-bare.zeek
  Coverity 1436183: Initialize packet_analysis::Manager fields

CHANGES

@@ -1,3 +1,30 @@
+
+3.3.0-dev.534 | 2020-11-12 14:31:10 -0800
+
+  * Move UnknownProtocol options to init-bare.zeek (Jon Siwek, Corelight)
+
+    Otherwise the `unknown_protocol` event cannot be used independently
+    from `policy/mic/unknown-protocols.zeek`.
+
+  * Coverity 1436183: Initialize packet_analysis::Manager fields (Jon Siwek, Corelight)
+
+  * GH-1273: Change SizeExpr to yield "any" type when operating on "any" (Jon Siwek, Corelight)
+
+  * Add enum_names() BIF to return names of an enum type's values (Jon Siwek, Corelight)
+
+  * Add type_aliases() BIF for introspecting type-names of types/values (Jon Siwek, Corelight)
+
+  * Change Type::type_aliases map to store IntrusivePtr (Jon Siwek, Corelight)
+
+    And deprecate Type::GetAliases() and Type::AddAlias() since they
+    took raw pointers.  Now replaced with Type::Aliases() and
+    Type::RegisterAlias().
+
+  * Fix lookup_ID() BIF to return enum values (Jon Siwek, Corelight)
+
+    Looking up an enum value from a string equal to its name previously
+    returned "<no ID value>".
+
 3.3.0-dev.524 | 2020-11-12 12:16:00 -0700
 
   * Move 'using namespace' declaration after other includes (Tim Wojtulewicz, Corelight)

VERSION

@@ -1 +1 @@
-3.3.0-dev.524
+3.3.0-dev.534

scripts/base/init-bare.zeek

@@ -5367,6 +5367,28 @@ export {
 	option sampling_duration = 10min;
 }
 
+module UnknownProtocol;
+export {
+	## How many reports for an analyzer/protocol pair will be allowed to
+	## raise events before becoming rate-limited.
+	const sampling_threshold : count = 3 &redef;
+
+	## The rate-limiting sampling rate. One out of every of this number of
+	## rate-limited pairs of a given type will be allowed to raise events
+	## for further script-layer handling. Setting the sampling rate to 0
+	## will disable all output of rate-limited pairs.
+	const sampling_rate : count = 100000 &redef;
+
+	## How long an analyzer/protocol pair is allowed to keep state/counters in
+	## in memory. Once the threshold has been hit, this is the amount of time
+	## before the rate-limiting for a pair expires and is reset.
+	const sampling_duration = 1hr &redef;
+
+	## The number of bytes to extract from the next header and log in the
+	## first bytes field.
+	const first_bytes_count = 10 &redef;
+}
+
 module BinPAC;
 export {
 	## Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to

scripts/policy/misc/unknown-protocols.zeek

@@ -26,25 +26,6 @@ export {
 		## header.
 		first_bytes:  string   &log;
 	};
-
-	## How many reports for an analyzer/protocol pair will be allowed to
-	## raise events before becoming rate-limited.
-	const sampling_threshold : count = 3 &redef;
-
-	## The rate-limiting sampling rate. One out of every of this number of
-	## rate-limited pairs of a given type will be allowed to raise events
-	## for further script-layer handling. Setting the sampling rate to 0
-	## will disable all output of rate-limited pairs.
-	const sampling_rate : count = 100000 &redef;
-
-	## How long an analyzer/protocol pair is allowed to keep state/counters in
-	## in memory. Once the threshold has been hit, this is the amount of time
-	## before the rate-limiting for a pair expires and is reset.
-	const sampling_duration = 1hr &redef;
-
-	## The number of bytes to extract from the next header and log in the
-	## first bytes field.
-	const first_bytes_count = 10 &redef;
 }
 
 event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)

src/packet_analysis/Manager.cc

@@ -44,14 +44,11 @@ void Manager::InitPostScript()
 		                                          detail::pkt_profile_freq,
 		                                          pkt_profile_file->AsFile());
 
-	if ( unknown_protocol )
-		{
 	unknown_sampling_rate = id::find_val("UnknownProtocol::sampling_rate")->AsCount();
 	unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
 	unknown_sampling_duration = id::find_val("UnknownProtocol::sampling_duration")->AsInterval();
 	unknown_first_bytes_count = id::find_val("UnknownProtocol::first_bytes_count")->AsCount();
 	}
-	}
 
 void Manager::Done()
 	{

src/packet_analysis/Manager.h

@@ -143,10 +143,10 @@ private:
 	using UnknownProtocolPair = std::pair<std::string, uint32_t>;
 	std::map<UnknownProtocolPair, uint64_t> unknown_protocols;
 
-	uint64_t unknown_sampling_threshold;
+	uint64_t unknown_sampling_threshold = 0;
-	uint64_t unknown_sampling_rate;
+	uint64_t unknown_sampling_rate = 0;
-	double unknown_sampling_duration;
+	double unknown_sampling_duration = 0;
-	uint64_t unknown_first_bytes_count;
+	uint64_t unknown_first_bytes_count = 0;
 };
 
 } // namespace packet_analysis

testing/btest/Baseline/core.unknown-protocol-event/out

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ETHERNET, 35020, 02070400222d81db1004

testing/btest/core/unknown-protocol-event.zeek

@@ -0,0 +1,6 @@
+# @TEST-EXEC: zeek -b -r $TRACES/lldp.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)
+	{ print analyzer_name, protocol, bytestring_to_hexstr(first_bytes); }
+