Checkpoint.
Decapsulation happens after IP Defragmentation. The "identity" of the
enclosing tunnel (the "parent") is added to the connection record of the
child (tunneled) connection as an optional field $tunnel_parent.
When using a `print` statement to write to a file that has raw output
enabled, NUL characters in string are no longer interpreted into "\0",
no newline is appended afterwards, and each argument to `print` is
written to the file without any additional separation.
(Re)Assigning to identifiers with the &raw_output attribute should also
now correctly apply the attribute to the file value being assigned.
Note that the write_file BiF should already be capable of raw string
data to a file, expect it bypasses the print_hook event.
Addresses #474
When reading from trace files, 'dropped' and 'link' fields are now
just zeroed.
When reading from an interface, the values filled in by pcap_stats()
are now only used when that function indicates success.
Closes#500.
* origin/topic/jsiwek/unit-tests:
Fix utils/conn-ids test due to renamed conn-ids.bro
Moving the test for site.bro to live w/ other utils/ tests.
Fix test due to moving of site.bro
More policy/utils unit tests and documentation.
Updating documentation for some utils/ policy scripts
Add unit tests for utils/paths.bro with some changes
Adding unit tests for utils.
Adding test for utils/addrs.bro.
Add unit test for site.bro.
Conflicts:
policy/utils/site.bro
Closes#525.
- Beginning rework of metrics interface.
- Updates to URI based SQLI detection to match metrics framework.
- Addition to SQLI regex to catch use of XOR.
The main change is that the postprocessor commands are no longer run
by the log writers themselves. Instead, the writers send back a
message to the log mgr once they have rotated. The manager then calls
a script level function to do somethign with the rotated file. By
default, it will be renamed to somethingn nice and then a
postprocessor shell command will be run on it if defined.
Pieces going into this:
- Terminology change: "postprocessor" now refers to a script
*function*. In addition, there are "postprocessor commands", which
are shell commands that may be triggered by the function to run on
a rotated file.
- The RotationInfo record now comes with all the information that
was previously provided internally to the C++ function running the
post-processor command.
- Changing the default time format to %Y-%m-%d-%H-%M-%S
- rotation_path_func is gone
- The default postprocessor function is defined individually by
each LogWriter in frameworks/logging/plugin/*
- The interface to postprocessor shell commands remains the same.
Needs a bit more testing ...
- message header state tracking is now done by handling mime_one_header
instead of parsing the data in the smtp_data event
- changed the logging point to be when an smtp_reply is seen in response
to the end of a DATA section
- the smtp package now uses it's own mime script and logging stream for
logging entities, extraction, etc.
- fixes for mime file extraction: now logs the extracted file name, and
the count of extracted files needed to be maintained in the State record
* origin/fastpath:
Normalize Notice::Type identifiers per convention. (closes#484)
Another fix to the default-loaded-scripts test.
Add new piped_exec BiF.
Revert "Fixes for email_notice_to() function."
Fixes for email_notice_to() function.
sed on some platforms like OS X (maybe FreeBSD in general) won't recognize
semi-colon delimited commands as multiple commands, instead use the -e
option multiple times to build the command list.
Newline characters need escaping so that an echo command can interpret
them into a newline in the output piped to sendmail, else sendmail can't
parse the headers correctly.
I made the echo command a configurable option of the notice framework
in case `echo -e` is overshadowed by some shell-specific implementation
that doesn't support that option for interpreting char sequences.
* origin/fastpath:
Updating baseline for default loaded scripts... again.
Update core.conn-uid test baseline.
Rename/change policy.misc.loaded-scripts, again baselines default loaded scripts
Changes to unit tests that rely on libmagic.
Change policy.misc.loaded-scripts tests.
core.load-pkg test now insensitive to default-loaded scripts.
LogWriterAscii now prints time values w/ constant 6 digit precision.
- The CMake targets for generating reST docs from policy scripts are now
automatically generated via the genDocSourcesList.sh script
- Fixed a lot of parsing errors in policy scripts that I saw along the way
