* origin/topic/timw/2324-llc-snap-and-novell-oh-my:
Update docs and NEWS to include LLC, SNAP, and Novell packet analyzers
Fix length checks in VLAN/Ethernet analyzers for non-ethertype protocols
Add forwarding from VLAN analyzer into LLC, SNAP, and Novell 802.3 analyzers
Remove non-standard way of forwarding out of the Ethernet analyzer
Add basic LLC, SNAP, and Novell 802.3 packet analyzers
ARP: add support for IEEE802 hardware type
* topic/timw/2167-aruba-expansion:
Add NEWS entry about 802.11 and ARUBA changes
Remove workaround for tunnels from IEEE 802.11 analyzer
PPP in the GRE analyzer is actually PP*T*P
Add support for 802.11 A-MSDU aggregates
Fix IEEE 802.11 analyzer to properly forward tunneled packets
Fix IEEE 802.11 analyzer to skip packets with the Protected bit enabled
Expand support for Aruba protocol types in GRE analyzer
Default tunnel_type in iosource::Packet to NONE
This also fixes the GRE analyzer to forward into the IEEE 802.11 analyzer
if it encounters Aruba packets with the proper protocol types. This way
the QoS header can be handled correctly.
* origin/topic/christian/sync-ignore_checksums-from-cli:
Given the -C flag, set script-layer ignore_checksums to true.
Add btest for "-C" flag vs the script-layer ignore_checksums global.
* 'topic/amazingpp/irc-fuid-missing' of github.com:AmazingPP/zeek:
Add irc_dcc_send_ack event and fix missing fields
I've moved IRC_Data back into the zeek::analyzer::file namespace, but
we did move the declaration from protocol/file/File.h to protocol/irc/IRC.h.
But, if someone actually customized IRC_Data and didn't include protocol/irc/IRC.h
for other reasons, I'll be surprised (and also just suggest to update the include).
* origin/topic/awelzel/add-community-id:
testing/external: Bump hashes for community_id addition
NEWS: Add entry for Community ID
policy: Import zeek-community-id scripts into protocols/conn frameworks/notice
Add community_id_v1() based on corelight/zeek-community-id
"Community ID" has become an established flow hash for connection correlation
across different monitoring and storage systems. Other NSMs have had native
and built-in support for Community ID since late 2018. And even though the
roots of "Community ID" are very close to Zeek, Zeek itself has never provided
out-of-the-box support and instead required users to install an external plugin.
While we try to make that installation as easy as possible, an external plugin
always sets the bar higher for an initial setup and can be intimidating.
It also requires a rebuild operation of the plugin during upgrades. Nothing
overly complicated, but somewhat unnecessary for such popular functionality.
This isn't a 1:1 import. The options are parameters and the "verbose"
functionality has been removed. Further, instead of a `connection`
record, the new bif works with `conn_id`, allowing computation of the
hash with little effort on the command line:
$ zeek -e 'print community_id_v1([$orig_h=1.2.3.4, $orig_p=1024/tcp, $resp_h=5.6.7.8, $resp_p=80/tcp])'
1:RcCrCS5fwYUeIzgDDx64EN3+okU
Reference: https://github.com/corelight/zeek-community-id/
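The hash printed by the command above can be recomputed outside Zeek, which is what makes it useful for correlating Zeek logs with other tools. The Python below is an added example, not code from Zeek or from the corelight plugin. It follows the published Community ID v1 layout for TCP, UDP and SCTP flows; the function signature, the PROTO table and the seed default of 0 are this example's own assumptions.

```python
import base64
import hashlib
import ipaddress
import struct

# IP protocol numbers for the port-based transports covered here.
# Assumption of this example: ICMP (which maps type/code onto the port
# fields) is out of scope.
PROTO = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(orig_h, orig_p, resp_h, resp_p, proto="tcp", seed=0):
    """Return the Community ID v1 string for one flow tuple."""
    src = ipaddress.ip_address(orig_h).packed
    dst = ipaddress.ip_address(resp_h).packed
    if len(src) != len(dst):
        raise ValueError("mixed IPv4/IPv6 endpoints")
    for port in (orig_p, resp_p):
        if not 0 <= port <= 0xFFFF:
            raise ValueError(f"port out of range: {port}")

    # Order the endpoints so both directions of a flow hash identically:
    # the smaller (address, port) pair goes first. Equal-length packed
    # addresses compare bytewise, which is their numeric order.
    a, b = sorted([(src, orig_p), (dst, resp_p)])

    data = (
        struct.pack("!H", seed)                  # 16-bit seed, network order
        + a[0] + b[0]                            # addresses, network order
        + struct.pack("!BB", PROTO[proto], 0)    # protocol number, pad byte
        + struct.pack("!HH", a[1], b[1])         # ports, network order
    )
    digest = hashlib.sha1(data).digest()         # 20-byte flow hash
    return "1:" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Same conn_id as in the zeek -e command above.
    print(community_id_v1("1.2.3.4", 1024, "5.6.7.8", 80))
```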
This set contains the topics to reach all cluster nodes. Due to broker's
forwarding mechanism, we cannot define a single broadcast topic, as it
would create routing loops.
* origin/topic/awelzel/2935-publish-hrw-rr-type-check:
zeek.bif: Remove cat_sep() fully var_arg changes
broker/messaging: Runtime type checks for pool
bifcl: Bump for runtime-type checks in var_arg bifs
publish_hrw() and publish_rr() are excluded from type checking due to their
variadic nature. Passing a wrong type for the pool argument previously triggered
an abort, now the result is runtime errors. This isn't great, but it's
better than crashing Zeek.
Closes #2935