Mostly, treat HTTP0.9 completely separate. Because we're doing raw
delivery of a body directly, fake enough (connection_close=1, and finish
headers manually) so that the MIME infrastructure thinks it is seeing a
body.
This deals better with the body due to accounting for the first line. Also
it avoids the content line analyzer to strip CRLF/LF and the analyzer
then adding CRLF unconditionally by fully bypassing the content line
analyzer.
Concretely, the vlan-mpls test case contains a HTTP response with LF only,
but the previous implementation would use CRLF, accounting for two many bytes.
Same for the http.no-version test which would previously report a body
length of 280 and now is at 323 (which agrees with wireshark).
Further, the mime_type detection for the http-09 test case works because
it's now seeing the full body.
Drawback: We don't extract headers when a server actually replies with
a HTTP/1.1 message, but grrr, something needs to give I guess.
This reworks 2aec7640dd (zeek/zeek#2039) to
avoid calling ExtractNextPacketInternal() within GetNextTimeout() for
the non-pseudo-realtime case. Also relates to zeek/zeek#2842.
The intention of the referenced change was to avoid a 0.00002 timeout when
a non-selectable packet source has more packets queued. This was implemented
by checking for a new packet within GetNextTimeout().
The proposed change switches to an predictive approach: Use the result of
the previous ExtractNextPacket() call (stored as had_packet) as an indication
whether more packets are to be expected.
Calling ExtractNextPacketInternal() within GetNextTimeout() may cause
surprising behavior as some packet source may block [1] or spent a significant
amount of time (e.g. applying BPF filters [2]) within ExtractNextPacket().
The result of GetNextTimeout() should be available immediately as guidance
for the main-loop and the actual work should happen within the ->Process()
method.
This change also attempts to separate the pseudo-realtime logic from the
non-pseudo-realtime in an attempt show pseudo-realtime as special.
[1] 00c4d657e0/src/Napatech.cc (L116)
[2] 58b25c8eba/src/Myricom.cc (L250)
It wasn't possible from script land to determine the total size
of the cache table held by the DNS_Mgr. Add the total and also
also the TEXT entries count.
This commit introduces parsing of the CertificateRequest message in the
TLS handshake. It introduces a new event ssl_certificate_request, as
well as a new function parse_distinguished_name, which can be used to
parse part of the ssl_certificate_request event parameters.
This commit also introduces a new policy script, which appends
information about the CAs a TLS server requests in the
CertificateRequest message, if it sends it.
This adds two example plugins within testing/builtin-plugins/Files:
* protocol-plugin copied over from testing/btest/plugins/protocol-plugin
* py-lib-plugin that embeds Python to have a dependency on an external
shared library which was already available in CI and fun to use, too.
Closes#2837
The zeek-kafak plugin's VERSION file contains a commented license
header followed by an empty line, followed by the actual version.
Attempt to deal with this by using the first non-commented non-empty
line.
This reverts commit 957825441a, reversing
changes made to c8cdc75f2b.
Caused spurious CI failures in the external testing baselines. See zeek/zeek#2842.
* origin/topic/vern/Mar23-script-opt-maint:
extend BTest "path" canonicalization to include compiled-to-C++ variable names
use a subclass of TableType for incremental construction of compiled scripts
script_opt/CPP: errors, recursive type fixes, fix embedded comments
Fix for EnumVal's returning their underlying value
better (than nothing) run-time errors for compiled scripts
fixes for dealing with recursive types in compiled scripts
fix for values in compiled scripts containing embedded comment markers
Since ccache in Cirrus currently does not preserve timestamps the
timestamp-based cache pruning implemented by ccache likely would just
remove random files. To work around this, this patch implements a manual
pruning step. This step runs after the build so that at least the files
used in the build should have their timestamps updated. We can then
force eviction of some of the unused files from the cache by cleaning
the cache with a size less than the maximum cache size.
This fixes a potential crash due to trigger_mgr getting shutdown earlier
than dns_mgr, and dns_mgr then trying to use it after it's been deleted.
This change forces the order of initialization/destruction in
iosource_mgr to cause dns_mgr to be deleted first.
The ja3 package uses next instead of return and triggers the new
errors with Zeek 5.2. That seems somewhat bad.
In case we want to do a 5.2.1 that makes this a warning, this
would be change to do so.
* origin/topic/awelzel/zeekctl-ci:
Bump zeekctl submodule
cirrus: Add zeekctl CI task
cirrus: Do not run tasks for builds on cron triggered jobs
cirrus: Rename BRANCH_WHITELIST
This change exposes the signature tyope inside the signed portion of an
X.509 certificate. In the past, we only exposed the signature type that
is contained inside the signature, which is outside the signed portion
of the X.509 certificate.
In theory, both signature fields should have the same value; it is,
however, possible to encode differing values in both fields. The new
field is not logged by default.
Run the zeekctl testing suite within a Debian 11 container. This runs on
pushes to master and release branches. Also, tagging PRs with fullci or
zeekctlci triggers it.
Closeszeek/zeekctl#49
