- FileAnalysis::Info is now just a record used for logging, the fa_file
record type is defined in init-bare.bro as the analogue to a
connection record.
- Starting to transfer policy hook triggers and analyzer results to
events.
All tests pass with one exception: some Broxygen tests are broken
because dpd_config doesn't exist anymore. Need to update the mechanism
for auto-documenting well-known ports.
Closes#946.
* origin/topic/jsiwek/ticket946:
Fix memory leaks resulting from 'when' and 'return when' statements.
Fix three bugs with 'when' and 'return when' statements. Addresses #946
Added a generic gtpv1_message event generated for any GTP message type.
Added specific events for the create/update/delete PDP context
request/response messages.
Addresses #934.
Case blocks in switch statements now must end in a break, return, or
fallthrough statement to give best mix of safety, readability, and
flexibility.
The new fallthrough keyword explicitly allows control to be passed to the
next case block in a switch statement.
Addresses #754.
Case bodies now don't require a "break" statement to prevent fallthrough
to case bodies below. Empty case bodies generate an error message at
parse-time to help indicate the absence of automatic fallthrough; to
associate multiple values with a case, use "case 1, 2:" instead of
"case 1: case 2:".
The index expression can take up to two indices for the start and end
index of the substring to return (e.g. "mystring[1,3]"). Negative
indices are allowed, with -1 representing the last character in the
string. The indexing is not cyclic -- if the starting index is >= the
length of the string an empty string is returned, and if the ending
index is >= the length of the string then it's interpreted as the last
index of the string. Assigning to substrings accessed like this isn't
allowed.
They behave like C-style switches except case labels can be comprised
of multiple literal constants delimited by commas. Only atomic types
are allowed for now. Case label bodies that don't execute a "return"
or "break" statement will fall through to subsequent cases. A default
case label is allowed.
That field is based on TCP sequence numbers and on seeing a SYN followed
by a failed RST injection response, the initial sequence number tracked
the value in the injection (most likely zero) instead of value in
subsequent SYN response. This could make c$resp$size be set to large
values when it's not really.
Also removed some dead code paths.
* origin/topic/jsiwek/hook:
Change hook calls to only be allowed when preceded by "hook" keyword.
Clarification in hook documentation.
Hook functions now directly callable instead of w/ "hook" statements.
Closes#918.
The return value of the call is an implicit boolean value of T if all
hook handlers ran, or F if one hook handler exited as a result of a
break statement and potentially prevented other handlers from running.
Scripts don't need to declare hooks with an explicit return type of bool
(internally, that's assumed), and any values given to (optional) return
statements in handler definitions are just ignored.
Addresses #918.
This currently supports automatic decapsulation of GTP-U packets on
UDP port 2152.
The GTPv1 headers for such tunnels can be inspected by handling the
"gtpv1_g_pdu_packet" event, which has a parameter of type "gtpv1_hdr".
Analyzer and test cases are derived from submissions by Carsten Langer.
Addresses #690.
This option indicates that the Teredo analyzer should wait until
it sees both sides of a connection using a valid Teredo encapsulation
before issuing a protocol_confirmation. Previous behavior confirmed
on the first instance of a valid encapsulation, which could result
in more false positives (and e.g. bogus entries in known-services.log).
Addresses #890.
Authentication Headers with a Payload Len field set to zero would cause
a crash due to invalid memory allocation because the previous code
assumed Payload Len would always be great enough to contain all
mandatory fields of the header. This changes it so the length of
the header is explicitly checked before attempting to extract fields
located past the minimum length (8 bytes) of an Authentication Header.
Crashes due to this are only possible when handling script-layer events
ipv6_ext_headers, new_packet, esp_packet, or teredo_*. Or also when
implementing one of the discarder_check_* family of functions.
Otherwise, Bro correctly parses past such a header.
Otherwise functions could be called with a mismatching argument list
and cause a crash at run-time. The incorrect function type is now
reported at parse-time.
If the metrics break interval happened to occur between first and second
worker starting up and getting connected to the cluster, the test
would fail because the second worker didn't get a chance to connect and
send data. The test now waits for the cluster setup to complete
before workers send metrics data.
- Some baselines for tests in "leaks" group were outdated.
- Changed a few of the cluster/communication tests to terminate
more explicitly instead of relying on btest-bg-wait to kill
processes. This makes the tests finish faster in the success case
and makes the reason for failing clearer in the that case.
Turns out the finish methods weren't called correctly, caused by a
mess up with method names which all sounded too similar and the wrong
one ended up being called. I've reworked this by changing the
thread/writer/reader interfaces, which actually also simplifies them
by getting rid of the requirement for writer backends to call their
parent methods (i.e., less opportunity for errors).
This commit also includes the following (because I noticed the problem
above when working on some of these):
- The ASCII log writer now includes "#start <timestamp>" and
"#end <timestamp> lines in the each file. The latter supersedes
Bernhard's "EOF" patch.
This required a number of tests updates. The standard canonifier
removes the timestamps, but some tests compare files directly,
which doesn't work if they aren't printing out the same
timestamps (like the comm tests).
- The above required yet another change to the writer API to
network_time to methods.
- Renamed ASCII logger "header" options to "meta".
- Fixes#763 "Escape # when first character in log file line".
All btests pass for me on Linux FC15. Will try MacOS next.
Also removed RefExpr::Eval(Val*) method since it was never called
(Clang emitted warning about this hiding overloaded virtual function
UnaryExpr::Eval(Frame*)) and doesn't appear to be necessary even if it
was called to avoid the default vector handling of UnaryExpr::Eval
(as the comment suggests as the intention).
This adds a new parameter of type "icmp6_nd_options" to the ICMPv6
neighbor discovery events (icmp_redirect, icmp_router_solicitation,
icmp_router_advertisement, icmp_neighbor_solicitation,
icmp_neighbor_advertisement) which includes data extracted from
all neighbor discovery options (RFC 4861) that are present in the
ICMPv6 message.
Teredo bubble packets (IPv6 w/ No Next Header and zero Payload Length)
with data extending past the inner IPv6 header (the outer IPv4 header's
Total Length and UDP header's Length indicate this) now only raises
a "Teredo_payload_len_mismatch" weird instead of causing a
ProtocolViolation().
This also fixes a crash in NetSessions::ParseIPPacket() that occurred
when the packet length didn't match the payload length field.
If some expression in an event handler body causes an
InterpreterException internally, then the rest of that body doesn't
get executed, but also the bodies of any other handlers were not
executed.
The Tunnel::yielding_teredo_decapsulation (on by default) makes it so
the Teredo analyzer doesn't attempt to decapsulate payloads when
there's already a sibling analyzer that thinks it's parsing the right
protocol. Sometimes, UDP payloads just happen to look like they are
validly Teredo-encapsulated and doing further analysis on the
decapsulated packet can quickly turn into a weird; this change helps
reduce such weirds.
