Binpac exceptions caught in Analyzer.cc are passed to Reporter::Weird
and from there to Reporter::WeirdHelper. WeirdHelper has var args, to
support passing them on to DoLog, but there were no forced format
strings. Since the binpac exception can contain network data which can
contain %-characters, that caused segfaults.
The SSL analyzer used excessive amounts of memory after a gap. We fix
this by tracking whether there was gap and not delivering any more data
if there was.
- Since each host in a cluster has it's own view of the metrics
the only time the manager would get a chance for a global view
is the break_interval. This update improves that time. If a
worker crosses 10% of the full threshold, it will send it's
value to the manager which can then ask the rest of the cluster
for a global view. The manager then adds all of the values for
each workers metric indexes together and will do the notice
if it crosses the threshold so that it isn't dependent on
waiting for the break interval to hit. This functionality
works completely independently of the break_interval too. Logging
will happen as normal.
- Small update for SSH bruteforcer detection to match additions in
the metrics framework API.
- The hope is that this update is mostly invisible from anyone's
perspective. The only affect it should have on users is to better
the detection of metric values crossing thresholds on cluster
deployments.
After discussion with Seth we now set c$conn in
connection_state_remove() with priority 5, and log it with priority -5.
If users want to extend c$conn before connection_state_remove, they can
just create c$conn and add custom fields.
Addresses: #554
Reading from an interface like `bro -i en0` no longer expects to
start reading stdin for a script to load. Explicitly passing in
'-' as an additional command line argument still allows reading a
script from stdin.
Closes#561
The hash function was internally casting the void* data argument into an
unsigned char* and then using values from that to index another internal
array that's dimensioned based on the assumption of 256 values possible
for an unsigned char (8-bit chars/bytes). This is probably a correct
assumption most of the time, but should be safer to use the limits as
defined in standard headers to get it right for the particular
system/compiler.
There was an unused uint8* casted variable in HashKey::HashBytes that
seemed like it might have been meant to be passed to H3's hash function
as an unfinished attempt to solve the 8-bit byte assumption problem, but
that doesn't seem as good as taking care of that internally in H3 so
users of the API are only concerned with byte sizes as reported by
`sizeof`. Removing the unused variable addresses #530.
Also a minor tweak to an hmac_md5 call that was casting away const from
one argument (which doesn't match the prototype).
- fixing some Metrics::add_data() call signatures
- slight refactors to cluster framework @if and adding a NONE NodeType for
so local_node_type() will return that instead of just emitting an error
when cluster mode isn't enabled
- `make restdoc` target now uses bro's bare-mode
- bro scripts generated from bifs now really only live in the build/src/base/
directory and changed the DocSourcesList.cmake to dynamically figure out
what bifs exist by looking in src/ instead of build/src/
- add some missing @load dependencies
- Metrics now work on cluster deployments with no caveats. It should be
completely transparent. Intermediate updates to speed some detection
will come later.
* origin/topic/jsiwek/autodoc-fixes:
Update doc sources and touch up a few script comments.
Fixes for script auto-documentation.
Conflicts:
scripts/base/frameworks/logging/main.bro
If possible the list elements now get promoted to the yield type of the
vector. There was also a problem with the value returned by the record
constructor expression's eval being completely unref'd since the vector
element assignment function doesn't ref the element -- so I changed it
to ref values if they just constructed before assigning them to the
vector.
Addresses #485.
Attributes have state to track whether they're in a record and should
apply to a record field, but this state wasn't being set for TypeDecls
that are part of a redef'd record.
Closes#460
When not reporting via events, the final contents of the message buffer
after formatting was being used as a format string to fprintf instead of
writing out the actual string.
It seems these errors aren't Bro's fault, and in any case it's clearly
not an internal error. This should finally solve the problem in #255.
Closes#255.
The function's code is rendered as ASCII and included as a string.
Closes#506.
Note that I'm not sure if the formatting is as desired: should the LFs
and tabs be rendered as \xXX or removed?.
