* origin/topic/jsiwek/gh-1264-ssh-host-key-fingerprints:
Simply ssh/main.zeek by using "ssh_server_host_key" for fingerprinting
Deprecate "ssh1_server_host_key" parameters *e* and *p*
GH-1264: Implement "ssh_server_host_key" event
This change allows users to specify an epoch length of 0, which means
that the user manually has to finish the epochs. A new next_epoch
function is introduced to allow users to manually end epochs.
Addresses GH-348
In non-clustered mode, epoch_finished was not called when there was no
data during the epoch.
This behavior does not fit the documentation, and also is different in
cluster-mode, where epoch_finished is, indeed, called after every epoch.
This small change fixes this behavior.
SSH can set in its identification a version 1.99 (SSH-1.99-xxx).
That means the client/server is compatible with SSHv1 and SSHv2.
So the version choice depends of the both side.
1.99 : 1.99 => 2.0
1.99 : 1.x => 1.x
1.99 : 2.0 => 2.O
(see "Compatibility With Old SSH Versions" in RFC 4253)
Changes \x00-\x37 ranges to \x00-\x1f with assumption that the former
was attempting to match ASCII control characters, but mistook an octal
range for hex. This change reduces some false positives.
It's implemented with a new set[subnet] option named ignore_checksums_nets.
If you populate this set with subnets, any packet with a src address within
that set of subnets will not have it's checksum validated.
* topic/johanna/GH-169:
Make event ordering deterministic
dump-events: try to make baseline work on all systems
Introduce generate_all_events bif and add option to misc/dump-events
Fixes GH-169
* origin/topic/seth/make-cluster-port-optional:
Apply suggestions from code review
Update scripts/base/frameworks/cluster/main.zeek
Make defining a port number for hosts in a cluster that only connect outbound optional
* origin/topic/jsiwek/zeek-script-args:
Improve zeek_script_args test case and documentation
Apply suggestions from code review
Add a test for script args.
Fixed an option processing bug
Make it possible to pass command line options through to scripts.
- Minor adjustments to whitespace/formatting
* origin/topic/seth/pcap_findalldevs:
Finishing changes from code review.
Update src/iosource/pcap/pcap.bif
Update src/iosource/pcap/pcap.bif
Update scripts/base/init-bare.zeek
Update src/iosource/pcap/pcap.bif
I accidentally missed a paren
New bif to wrap pcap_findalldevs
- Tweaked the Too_Little_Traffic notice message to avoid
cluster-specific terminology.
* origin/topic/vlad/caploss_no_traffic:
Fix scheduling due to network_time being 0 in zeek_init
Add test for CaptureLoss::Too_Little_Traffic
Add CaptureLoss::Too_Little_Traffic
Add CaptureLoss::initial_watch_interval for a quick read on cluster health after startup.
Documentation update, reference the threshold variable. [nomail] [skip ci]
Whitespace fixes only [nomail] [skip ci]
generate_all_events causes all events to be raised internally; this
makes it possible for dump_events to really capture all events (and not
just those that were handled).
Addresses GH-169
(Adding a NEWS entry.)
* origin/topic/christian/364-logfilter-hooks:
Update testing/btest/scripts/base/frameworks/logging/hooks.zeek
Btests for log filter policy hooks
Btest baseline updates to reflect new logging policy hooks
Migrate existing use of filter predicates to policy hooks
Support for log filter policy hooks
- Improved documentation/comment for the new option
* 'logging-ascii-enable-shadow-logs' of https://github.com/awelzel/zeek:
logging/ascii: Support leftover log rotation in non-supervisor setups
We have a use case to rotate leftover log files in a non-supervisor
setup. There doesn't seem to be a strict requirement on supervisor
functionality. Allow enabling leftover log rotation through
LogAscii::enable_leftover_log_rotation and redef this for the
logger node in a supervisor setup individually.
