- Add a timeout flag to file_analysis.log so it's easy to tell what
has had at least one timeout trigger happen.
- Fix ftp-data service tag not being set for reused connections.
- Fix HTTP::Incorrect_File_Type because mime types returned by FAF have
the charset still in them, but the HTTP::mime_types_extensions table
does not and it requires an exact string match. (still ugly)
- Add TRIGGER_NEW_CONN to track files going over multiple connections.
- Add an initial file/mime type guess for non-linear file transfers.
- Fix a case where file/mime type detection would never be attempted
if the start of the file was a content gap.
- Improve mime type tracking of HTTP byte-range/partial-content,
even if the requests are pipelined or over multiple connections.
- I changed the modbus.events test because having the baseline output
be 80+ MB is nuts and it was sensitive to connection record redefs.
In the *service* field of connection records, GridFTP control channels
are labeled as "gridftp" and data channels as "gridftp-data".
Added *client_subject* and *client_issuer_subject* as &log'd fields to
SSL::Info record. Also added *client_cert* and *client_cert_chain*
fields to track client cert chain.
Threads will now reliably get a call to DoFinish() no matter how the
thread terminates. This will always be called from within the thread,
whereas the destructor is called from the main thread after the child
thread has already terminated.
Also removing debugging code.
However, two problems remain with the ASCII writer (seeing them only
on MacOS):
- the #start/#end timestamps contain only dummy values right now.
The odd thing is that once I enable strftime() to print actual
timestamps, I get crashes (even though strftime() is supposed to
be thread-safe).
- occassionally, there's still output missing in tests. In those
cases, the file descriptor apparently goes bad: a write() will
suddently return EBADF for reasons I don't understand yet.
frameworks.
There were a number of cases that weren't thread-safe. In particular,
we don't use std::string anymore for anything that's passed between
threads (but instead plain old const char*, with manual memmory
managmenet).
This is still a check-point commit, I'll do more testing.
Turns out the finish methods weren't called correctly, caused by a
mess up with method names which all sounded too similar and the wrong
one ended up being called. I've reworked this by changing the
thread/writer/reader interfaces, which actually also simplifies them
by getting rid of the requirement for writer backends to call their
parent methods (i.e., less opportunity for errors).
This commit also includes the following (because I noticed the problem
above when working on some of these):
- The ASCII log writer now includes "#start <timestamp>" and
"#end <timestamp> lines in the each file. The latter supersedes
Bernhard's "EOF" patch.
This required a number of tests updates. The standard canonifier
removes the timestamps, but some tests compare files directly,
which doesn't work if they aren't printing out the same
timestamps (like the comm tests).
- The above required yet another change to the writer API to
network_time to methods.
- Renamed ASCII logger "header" options to "meta".
- Fixes#763 "Escape # when first character in log file line".
All btests pass for me on Linux FC15. Will try MacOS next.
- The option to use integers insteads of double was ignored.
- Renaming script-level options to remove the ds_ prefix.
- Log rotation didn't work.
- A set of simple unit tests.
- BRO_PROFILER_FILE now passes .X* templated filenames to mkstemp
for generating unique coverage state files. All test suites
now use this so each Bro instance writes to a unique coverage file.
- Rearranging Makefile targets. The general rule is that if the
all/brief target fails out due to a test failure, then the dependent
coverage target won't run, but can still be invoked directly later.
(e.g. make brief || make coverage)
Lines with a range were being output with text "lines", and so were
being listed after all other lines belonging to the same Bro script
(e.g., "lines 123-125" was listed after "line 492"). Fixed by using
the text "line" instead of "lines".
Line numbers with fewer digits were being listed after line numbers
with more digits (e.g., "line 85" was listed after "line 237").
Fixed by sorting on a reformatted string (this string does not appear
in the output) where line numbers are right justified (padded on left
with spaces) so that sorting produces the expected results.
- Skip diffing of debug.log always.
- Skip diffing of reporter.log if it only contains an error about
missing GeoIP support.
- Canonicalize X.509 Distinguished Name subjects since that can vary
depending on installed OpenSSL version.
- The absolute path canonifier was overzealously canonifying relevant
log fields, so it's no longer generally applied to diffing all
baselines. I don't think there's any logs that require local
filesystem path names that aren't already tested by a unit test,
but if any show up in the future, they can be canonified on a
case-by-case basis.
- Removed some logs from being diff'd in the diff-all script
because they're either already covered by a unit test
(load_scripts.log) or because of difficulty/maintainenance
tradeoff (prof.log).
Baselines for the external bro-testing repo still need updating.
This is because libmagic can return different results depending on
installation.
Note, this still doesn't fix all problems: smtp-entities sets md5
depending on the mime-type returned by libmagic ...
- The Makefiles now run btest with "-f diag.log" so that diangnostics
output will always be written into that file.
- Makefiles now hardcode path to btest to avoid picking up the wrong version
if in PATH.
- The canonifier scripts now live in testing/scripts, and they are
used from both btest/ and external/.
- There's a new diff-remove-uids scripts that removed connection UIDs
for diffing. The external/* tests now use that by default.
- Timestamp removal now has its own script: diff-remove-timestamps.
diff-canonifier calls that.
- All Makefile have a "brief" target that runs btest with -b.
- The higher-level directories have Makefile to call the subdirs.
