A user reported being confused about the fuid association of subsequent
FTP commands when a data transfer has completed. It seems reasonable to
unset fuid upon logging a FTP command which had a fuid.
The current behavior results in the PORT or PASV commands after a RETR or STOR
to have the fuid of the prior file transfer. Similarly, any CWD or DEL commands
following a file transfer will unnecessarily be logged with the fuid of the
prior file transfer.
This tickles the baselines for the private testing PCAP a lot, primarily
because there data connections in that pcap are never established properly.
E.g, the fuids FzDzid1Dxm9srVKHXf and FEfYX73q5C6GEQZXX9 have been re-used
for multiple commands.
This may look like we're losing information, but the fuids vanishing
in the normal btests belong to a LIST command that isn't logged by
default into ftp.log. If it was, the fuid would be attached to it.
* origin/topic/awelzel/cheaper-hex-printing:
zeek.bif: Booleanate String constructor calls
Conn/net_utils/fmt_mac: Avoid snprintf(), memcpy() and allocation
bytestring_to_hexstr: Use bytetohex() instead of snprintf()
digest/digest_print: Use bytetohex() instead of snprintf()
The fmt_mac() function returning a std::string means the resulting mac
is copied at least once upon returning. Then, the Assign() in GetVal()
taking a std::string internally allocates a new zeek::String which
hits a malloc (no short-string optimization for zeek::String) and then
also copies the content from the std::string into the malloced memory.
Save a few cycles by directly using the allocated memory with the
String instance. This change improves runtime for a SYN-only pcap
with just base/protocols/conn loaded by some 1-2%.
* origin/topic/timw/update-vcpkg:
Update .gitignore to add Emacs and Vim temp files
Update vcpkg submodule to pull in c-ares 1.26.0 to match other platforms
The Spicy analyzer is added as a child analyzer when enabled and the
WebSocket.cc logic dispatches between the BinPac and Spicy version.
It substantially slower when tested against a somewhat artificial
2.4GB PCAP. The first flamegraph indicates that the unmask() function
stands out with 35% of all samples, and above it shared_ptr samples.
This isn't used in-tree and has been misused by some external plugins
of mine (zeekjs and zeek-perf-support) for their own Stmt subclasses.
These plugins should be updated to use the new STMT_EXTERN statement.
Handle STMT_ANY explicitly in stmt_name() for the time being
to fix#3529 until we remove STMT_ANY for good.
It's currently possible for plugin's to implement their own statement
subclasses and override the Exec() implementation. This has been leveraged
by ZeekJS [1] and zeek-perf-support [2] as well as a private WASM plugin.
All of these used STMT_ANY as the tag of their own statement subclasses.
With STMT_EXTERN, we make the possibility to add external code into the AST
somewhat more supported. It's all in detail space and plugin authors have
no guarantee for stability, but it seems such a powerful extension point
that IMO we should keep it.
I'm conscious there's the broader topic how this interacts with ZAM
optimization like in-lining or rewriting of statements. However, this
already applies to the STMT_ANY usage of the mentioned plugins.
[1] https://github.com/corelight/zeekjs
[2] https://github.com/zeek/zeek-perf-support
* origin/topic/johanna/netcontrol-updates:
Netcontrol: add rule_added_policy
Netcontrol: more logging in catch-and-release
Netcontrol: allow supplying explicit name to Debug plugin
* origin/topic/christian/cluster-pool-nodetype-default:
Do not default PoolSpec topics to the empty string.
Do not default to proxy nodes in Broker::PoolSpec
* origin/topic/timw/fix-alpine-ci-image:
Add missing include for int32_t in DebugCmds.h
CI: Remove emacs backup file of fedora-38 Dockerfile
CI: Fix building of alpine image with regards to python packages
This requires pool creation to spell out a spec explicitly, which the only code
using these types already does. There's no reason for pools to automatically
refer to proxies.
rule_added_policy allows the modification of rules just after they have
been added. This allows the implementation of some more complex features
- like changing rule states depending on insertion in other plugins.
