- Default extraction limit of 100MB now provided via a tuning script
loaded in local.bro so that command-line Bro is unlimited by default.
- Extraction directory is now created on request of file extraction
rather than unconditionally in bro_init().
* origin/topic/seth/unified2-analyzer:
Fixed a problem where the Unified2 analyzer was attached to every file.
Fixing intel framework tests.
Updating submodule(s).
Add file name support to intel framework.
Add file support to intel framework and slightly restructure intel http handling.
Conflicts:
CHANGES
VERSION
scripts/base/files/unified2/main.bro
testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
BIT-1054 #merged
* origin/topic/seth/unified2-analyzer:
Fixes in case a packet isn't seen that matches an event.
Finished work on unified2 analyzer.
Fixed some tests.
Working unified2 analyzer.
Unified2 file analyzer updated to new plugin style.
Adding the unified2 analyzer.
Conflicts:
testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
Includes a bit more docs/comments cleanup. We should eventually
document the events further but it should suffice for now.
* topic/robin/dnp3-merge-v3:
Tiny bit of cleanup and adapting the new test.
added a test case for dnp3 packets with only link layer
added condition to check DNP3 packet without app layer data
Fixing well-known port.
Pluginizing the DNP3 analyzer, plus a basic script logging requests and replies.
* origin/topic/seth/sumstats-updates:
Still fixing bugs in sumstats updated api cluster support.
Hopefully fix the SumStats cluster support.
Fix the SumStats top-k plugin and test.
Updates for SumStats API to deal with high memory stats.
Beginning rework of SumStats API.
Tiny fix to account for missing str field (not sure how this happens yet)
Add server samples to SSH bruteforce detection.
Fix a reporter message in sumstats.
SumStats changes to how thresholding works to simplify and reduce memory use.
More adjustments to try and correct SumStats memory use.
Hopefully fixing a strange error.
Large update for the SumStats framework.
- Do stream mode for commands done by exec module, it seems important
in some cases (e.g. ensure requested stdin is fully written).
- For cases where the raw input reader knows the child process has been
reaped, set the childpid member to a sentinel value to indicate such
so we don't later think we should kill it or wait on it anymore.
- More error checking on dup2/close calls. Set sentinel values when
closing ends of pipes to prevent double closing a fd.
- Signal flag not set when raw input reader's child exits as a result
of a signal. Left out a test for this -- might be portability issues
(e.g. Ubuntu seems to do things different regarding the exit code and
also is printing "Killed" to stderr where other platforms don't).
BIT-1048 #merged
I'm reverting the serializer version update for now as that breaks
Broccoli. Let's do that later for 2.2.
* topic/robin/topk-merge:
update documentation, rename get* to Get* and make hasher persistent
adapt to new folder structure
fix opaqueval-related memleak
synchronize pruned attribute
potentially found wrong Ref.
add sum function that can be used to get the number of total observed elements.
in cluster settings, the resultvals can apparently been uninitialized in some special cases
fix memory leaks
fix warnings
add topk cluster test
make size of topk-list configureable when using sumstats
implement merging for top-k.
add serialization for topk
make the get function const
topk for sumstats
well, a test that works..
implement topk.
Nice solution with the ComponentManager/TaggedComponent!
BIT-1049 #Merged Merged into master.
* origin/topic/jsiwek/faf-updates:
Fix some build errors.
Minor fix to file/protocol analyzer plugin reference doc.
Internal refactoring of how plugin components are tagged/managed.
Factor out the need for a tag field in Files::AnalyzerArgs record.
Add a distinct tag class for file analyzers.
Fix various documentation, mostly related to file analysis.
* topic/robin/bloom-filter-merge:
Using a real hash function for hashing a BitVector's internal state.
Support UHF hashing for >= UHASH_KEY_SIZE bytes.
Changing the Bloom filter hashing so that it's independent of CompositeHash.
Add new BiF for low-level Bloom filter initialization.
Introduce global_hash_seed script variable.
Conflicts:
testing/btest/Baseline/bifs.bloomfilter/output
