* origin/topic/jsiwek/gh-211:
GH-208: change invalid subnet expressions to a runtime error
GH-211: improve consistency of how scripting errors are handled
Removed the 'allow_init_errors' option.
Scripting errors/mistakes now consistently generate a runtime error
which have the behavior of unwinding the call stack all the way out of
the current event handler.
Before, such errors were not treated consistently and either aborted
the process entirely or emitted a message while continuing to execute
subsequent statements without well-defined behavior (possibly causing
a cascade of errors).
The previous behavior also would only unwind out of the current
function (if within a function body), not out the current event
handler, which is especially problematic for functions that return
a value: the caller is essentially left a mess with no way to deal
with it.
This also changes the behavior of the startup/initialization process
to abort if there's errors during bro_init() rather than continue one
to the main run loop. The `allow_init_errors` option may change this
new, default behavior.
Disabling this option allows one to read pcaps, but still initiate
Broker peerings and automatically exit when done processing the pcap
file. The default behavior would normally cause Broker::peer() to
prevent shutting the process down even after done reading the pcap.
* origin/master:
Fix SumStats "last" plugin in cluster mode
Remove unnessary check
Support appending to vector of any
Fix coding conventions nits/typos
Updating submodule(s).
Revert "Switch frag_timeout from redef to option"
Improve error handling in x509_ocsp_verify function
Updating submodule(s).
Updating submodule(s).
Update baseline for plugins.hooks for redef -> option changes
Switch frag_timeout from redef to option
Switch GridFTP options from redef to option
Updating submodule(s).
Fix a unit test relying on a bash-ism
* origin/master: (23 commits)
Improve Travis script to show multiple core dump stacks
Improve a weird stats unit test
Updating submodule(s).
Fix Travis script typo
Add more debug output to Travis script
Add core file search and stack trace output for Travis builds
Updating submodule(s).
Update license year for 2018
GH-199: change `bro --help` exit status from 1 to 0
Updating submodule(s).
Add a test with an encrypted MySQL connection
Fix parsing of MySQL NUL Strings, where we now require it to have a NUL value at the end.
Updating submodule(s).
Add missing record field comment
Add missing record field comments
Fix minor documentation mistakes
Updating submodule(s).
Updating submodule(s).
Update btest baselines for fix in 46f727a6fa
Generate ssh_auth_attempted for the 'none' authentication method.
...
* origin/master:
Fix typo in Sessions.h
Update baselines for SSH capabilities fix
Fix SSH analyzer bug where is_server in capabilities is wrong.
Revert DNS query 255 from ANY to *
Missing commas...
Fix typo in dce-rpc consts
Refactor to use consistent numeric type in dce_rpc. Add missing DNS query type codes
Add DCE_RPC exchange_mapi operations to relevant consts.bro file
GH-186: fix JSON formatting of timestamps before Unix epoch
Fix test baseline for plugin skeleton update
Fix crash when modifying a table from within its &expire_func
Convert site::local_nets, etc. into options.
GH-184: add `bro-config --build_type`, outputs CMake build type
Updating submodule(s).
Add return value checks for some RPC parsing functions
Add 'fallthrough' comment to a switch/case block
Improve broker.remote_id unit test
Increase broker unit test timeout intervals
* 'master' of https://github.com/spitfire55/bro:
Revert DNS query 255 from ANY to *
Missing commas...
Fix typo in dce-rpc consts
Refactor to use consistent numeric type in dce_rpc. Add missing DNS query type codes
I added back in DNS constants for PTR, EDNS, and ANY to avoid breaking
code for any people that use them.
Also omitted the DNP3 function code 0x83 name change from
"AUTHENTICATE_RESP" to "AUTHENTICATE_RESPONSE", again to avoid
potentially breaking code unnecessarily: "RESP" vs. "RESPONSE" is not
wrong in any sense, just maybe a matter of clarify.
These are probably some of the most desired options to be dynamically
changeable; since they only are accessed in script-land there should not
be any problems with them changing on the fly.
* 'fatemabw/bro' of https://github.com/fatemabw/bro:
DNSSEC support in Bro
I made several changes:
- renamed event/record types
- reformatted the info added to dns.log
- removed the "addl" scripts that added extended dnssec info to dns.log
- simplifications/improvements to the internal parsing logic
* origin/topic/seth/fix-raw-reader-subprocess-exit:
Fix an issue with raw reader culling streams for dead processes.
Updated the 'exec' utility to no longer remove input streams for
processes that are finished as the core C++ code will take care of that
(and trying to remove a stream multiple times emits a warning message).
Still finding it to not be foolproof enough to enable generally for all
nodes in a cluster. Specific/advanced use-cases may still consider
enabling, possibly just for specific nodes.
* origin/topic/johanna/weird-options:
Update test baselines (weird options)
Weird settings: make constants into options.
Permit weird sampling rate of 0.
This change allows a weird sampling rate of 0, which completely suppresses
all notifications (previously this crashed Bro). If also fixes the sampling
threshold to work with sampling rates of 0.
* origin/topic/johanna/tls-more-data:
Update NEWS for ssl changes.
SSL: test updates for record_layer version
Final touches to SSL events with record layer version.
Introduce ssl_plaintext_data event.
Add record layer version to event ssl_encrypted_data.
Add compression methods to ssl_client_hello event.
* origin/topic/jsiwek/bit-1967:
Fix a routing loop in control framework
Add Broker::forward() function
Enable implicit Broker message forwarding by default
Remove Cluster::broadcast_topic
Remove Intel Broker topics, re-use existing Cluster topics
Remove "relay" family of Broker functions
This enables explicit forwarding of events matching a given topic
prefix. Even if a receiving node has an event handler, it will not
be raised if the event was sent along a topic that matches a previous
call to Broker::forward().
