* vlad/topic/vladg/http-verbs:
A test for HTTP methods, including some horribly illegal requests.
Remove hardcoded HTTP verbs from the analyzer (#741)
I added a "bad_HTTP_request" weird for HTTP request lines that don't
have more than a single word.
Closes#741.
Synchronization of state between connecting peers now skips over
identifiers that aren't initialized with a value yet. If they're
assigned a value later, that will be synchronized like usual.
* origin/topic/jsiwek/table-init-container-ctors:
Add test of record() constructor to table initializer unit test.
Fix table(), set(), vector() constructors in table initializer lists.
Closes#5.
* origin/topic/jsiwek/hook:
Change hook calls to only be allowed when preceded by "hook" keyword.
Clarification in hook documentation.
Hook functions now directly callable instead of w/ "hook" statements.
Closes#918.
- Identifiers that are initialized with set()/table() constructor
expressions now inherit attributes from the expression. Before,
statements like
const i: set[string] = set() &redef;
associated the attribute with the set() constructor, but not the
"i" identifier, preventing redefinition. Addresses #866.
- Allow &default attribute to apply to tables initialized as empty
(via either "{ }" or "table()") or if the expression supplied to it
can evaluate to a type that's promotable to the same yield type as
the table.
The return value of the call is an implicit boolean value of T if all
hook handlers ran, or F if one hook handler exited as a result of a
break statement and potentially prevented other handlers from running.
Scripts don't need to declare hooks with an explicit return type of bool
(internally, that's assumed), and any values given to (optional) return
statements in handler definitions are just ignored.
Addresses #918.
'only_single_header_row' that turns the output into CSV format.
In that mode all meta data is skipped except for a single header line
with the fields names. Example:
local my_filter: Log::Filter = [$name = "my-filter", $writer = Log::WRITER_ASCII, $config = table(["only_single_header_row"] = "T")];
Contributed by Carsten Langer.
For tables of a composite index type with the first type being a
record, membership checks with an inline index key could be
misinterpreted as a record constructor instead of an expression list.
E.g, if the table type is "global t = table[conn_id, bool] of count",
then checking membership like "[c$id, is_orig] in t" now works.
Addresses #80.
The names of enum types are tracked so that variables holding a value
of a given enum type can generate a reference to it instead of just
listing the type as a generic "enum".
* origin/topic/dnthayer/bytes-to-double:
Portability improvement (data alignment issues)
Add test cases for the bytestring_to_double BIF
Add a new BIF "bytestring_to_double"
Closes#908.
Instead of these events being generated for invalid byte count values
(they should always be even, not odd), a protocol_violation is raised.
modbus_read_holding_registers_response
modbus_read_input_registers_response
modbus_write_multiple_registers_request
modbus_read_write_multiple_registers_request
modbus_read_write_multiple_registers_response
modbus_read_fifo_queue_respons
For modbus message types that include variable amount of register values
(uint16[]), setting a &length attribute without an explicit array size
could trigger a parsing assertion since it allows for the "element" data
pointer to travel past the "end of data" (e.g. when &length is odd).
This is changed to now give both an array size and &length to earlier
terminate the parsing of elements before the assert is checked and
so a single out-of-bound check can be done for the entire array
(leaving off &length causes an out-of-bound check for each element).
Added another parameter to modbus events that carry register arrays to
the script-layer which indicates the associated byte count from the
message (allowing for invalid values to be detected):
modbus_read_holding_registers_response
modbus_read_input_registers_response
modbus_write_multiple_registers_request
modbus_read_write_multiple_registers_request
modbus_read_write_multiple_registers_response
modbus_read_fifo_queue_response
- Added a test for binpac exception handling -- the generated code
should use "binpac::Exception" and not "Exception" for exception
handling logic to avoid accidental overshadowing by
the analyzer-specific type "binpac::ModbusTCP::Exception", which
could lead to interesting asserts being triggered in binpac.
- Update baseline for the event coverage test -- seems that more
events get generated with working exception handling in the generated
binpac parser code.
- Coverage baseline was giving wrong number of events covered.
* topic/robin/intel-framework-merge: (22 commits)
Fixing tests after intel-framework merge.
Extracting URLs from message bodies over SMTP and sending them to Intel framework.
Small comment updates in the Intel framework CIF support.
Intelligence framework documentation first draft.
Only the manager tries to read files with the input framework now.
Initial support for Bro's Intel framework with the Collective Intelligence Framework.
Initial API for Intel framework is complete.
Fixed an issue with cluster data distribution.
Updating some intel framework test baselines.
Reworked cluster intelligence data distribution mechanism and fixed tests.
Lots more intelligence checking in SMTP traffic.
Added intelligence check for "Received" path checking and a bit of reshuffling.
Added sources to the intel log.
Fixing a problem with intel distribution on clusters.
Updated intel framework test to include matching.
Restructuring the scripts that feed data into the intel framework slightly.
One test for cluster transparency of the intel framework.
Fixed a cluster support bug.
Intelligence framework checkpoint
Major updates to fix the Intel framework API.
...
Closes#914.
