* origin/topic/awelzel/3455-do-split-string-2:
strings.bif/do_split_string: Pass bol and eol to MatchPrefix()
RE_Matcher: Add MatchPrefix with bol/eol control
* origin/topic/vern/script-opt.Nov23:
retention of superseded AST elements to prevent pointer mis-aliasing
BTest updates for latest ZAM maintenance
greater ZAM optimization of inlined function calls
some minor ZAM optimization improvements
added "-O noinline" option to turn off ZAM inlining, to help with diagnosing optimization problems
fixes for a number of ZAM optimization bugs
allow explicitly marking an identifier as equivalent to special '_' identifier
fixed some warnings about mixing signed & unsigned integers
descriptions of "for" statements now include their "value variable" if present
```
## Tells Zeek to skip sending any further input data to the current analyzer.
## This is supported for protocol and file analyzers.
public function skip_input() : void;
```
Closes #3443.
* origin/topic/awelzel/deprecate-things-for-7.1:
Bump zeekctl
EventHandler: Deprecate SetUsed() and Used() as well.
EventRegistry: Deprecate UsedHandlers() and UnusedHandlers()
time machine: Mark leftovers for removal in v7.1
policy/misc/load-balancing: Deprecate script
cluster: Deprecate the Cluster::Node$interface field
Seems the latter isn't used outside of the functions that were deprecated
in the previous commit and with UsageAnalyzer not making use of this
information unclear why we should keep it around.
Relates to #3187.
and check_for_unused_event_handlers: UsageAnalyzer is more thorough
and the previous ones weren't extended to work with &is_used and
should probably be considered superseded by the UsageAnalyzer even
if that currently does not provide a public API and just prints
out deprecation warnings.
I'm also tempted to deprecate SetUsed() and Used() of EventHandler
for the same reason.
Closes #3187.
This field isn't required by a worker and it's certainly not used by a
worker to listen on that specific interface. It also isn't required to
be set consistently and its use in-tree limited to the old load-balancing
script.
There's a bif called packet_source() which on a worker will provide
information about the actually used packet source.
Relates to zeek/zeek#2877.
* 'topic/xb-anssi/http_signature_body_end_match' of https://github.com/xb-anssi/zeek:
Let signature framework match HTTP body end
Test how the signature framework matches HTTP body
The HTTP analyzer never tells the signature framework when the body of a
request or a response ends, so any signature regex ending in a '$' used
in an 'http-request-body' or in an 'http-reply-body' condition will
never match.
This made it impossible to write a signature which could distinguish an
HTTP body consisting only of something from an HTTP body prefixed by
that same something.
- Fix:
The fix notifies the signature framework on EndOfData() that there will
be no further data to match for this body by giving it an empty buffer
of length 0 with the eol parameter set to true and all others set to
false. This lets it reach the '$' state in its DFA, and doesn't affect
other documented HTTP match behaviours.
- Limitation:
Since the signature framework doesn't appear to keep previously consumed
data on hand, any match of an http-*-body condition whose pattern ends
with a '$' will lead to an empty data parameter being passed to the
signature_match() event because the body data is no longer available
when EndOfData() happens.
Due to segmentation there is anyway no guarantee the data parameter
would have held the entire match even without the '$', since the data
parameter only receives the last chunk of data which completed the match
condition, as can be seen on prefix matches in the btest cases where the
matching data spans multiple segments (the event gives 'B' and not
'AB'), so this is only an extreme case of partial data being given to
that event.
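
The behaviour described in the commit message above, as a simplified C++ model added here for illustration; it is not code from Zeek or from the commit. `BodyMatcher`, `Feed` and `Run` are hypothetical names, and the matcher handles only an anchored literal with an optional `$`, which is enough to show the missing end-of-body signal, the fix, and the partial data handed to the event.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Simplified model, not Zeek's RE_Matcher: matches the anchored literal
// `lit` (/^lit/), or /^lit$/ when needs_eol is set.
struct BodyMatcher {
    std::string lit;
    bool needs_eol;
    size_t pos = 0;
    bool dead = false, matched = false;
    std::string event_data;  // models the data passed to signature_match()

    BodyMatcher(std::string l, bool e) : lit(std::move(l)), needs_eol(e) {}

    // eol=true means no further data will follow this buffer.
    void Feed(const std::string& chunk, bool eol) {
        if (dead || matched) return;
        for (char c : chunk) {
            if (pos == lit.size()) {         // literal already consumed
                if (needs_eol) dead = true;  // '$' forbids trailing bytes
                break;
            }
            if (c != lit[pos++]) { dead = true; break; }
        }
        if (!dead && pos == lit.size() && (!needs_eol || eol)) {
            matched = true;
            event_data = chunk;  // only the chunk that completed the match
        }
    }
};

// Deliver body segments in order; signal_end models the fix: an empty
// buffer with eol=true once the body has ended.
BodyMatcher Run(const std::string& lit, bool needs_eol,
                const std::vector<std::string>& segments, bool signal_end) {
    BodyMatcher m(lit, needs_eol);
    for (const auto& s : segments) m.Feed(s, false);
    if (signal_end) m.Feed("", true);
    return m;
}

int main() {
    const std::vector<std::string> body = {"A", "B"};  // constructed sample
    std::cout << Run("AB", true, body, false).matched << ' '   // no end signal
              << Run("AB", true, body, true).matched << ' '    // with end signal
              << Run("AB", false, body, true).event_data << '\n';
}
```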