According to RFC 2535, RFC 3655, and RFC 4035, the Z field has been
partitioned into three 1-bit fields. Therefore, we cannot claim in
the documentation that it always has the value zero.
- Daniel Guerra pointed out a type issue for SIP
request and response code length fields which is now
corrected.
- Some redundant code was removed.
- if/else tree modified to use switch instead.
The alert in this case is caused by the server name in the SNI not being
recognized by the server, which triggers an alert. Since the server is
an apache, and this might happen reasonably often, the new signature
allows one TLS alert before the server hello is expected.
* 'topic/jgras/base64-logging' of https://github.com/J-Gras/bro:
Update calls of Base64 functions.
Refactoring of Base64 functions.
I've removed the additional bif for encoding with a connection, as I'm
not sure there's much of a use case for it; we can always add it back
later if it turns out there is. I've also renamed
decode_base64_intern() to decode_base64_conn() to be a bit more
explicit about the difference.
- Q (MULTI_FLAG_PKT) was not in the documentation for the history field.
- I (FIN_RST_PKT) was documented incorrectly. It was documented as a
SYN+RST, when it actually represents a FIN+RST.
The new documentation was derived from:
d3f513f/src/analyzer/protocol/tcp/TCP.cc (L493)
Addresses BIT-1466
Contributed by Martina Balint in https://github.com/bro/bro/pull/39.
(I didn't merge the github branch, as that has some more stuff in its
history. Instead I applied the single-line change directly.)
Base64 encoding-errors during authentication in POP3 analyzer,
authentication in FTP analyzer (using GSI) and basic
authentication on HTTP will be logged to Weird.
This is a very simple XMPP analyzer that basically only can parse the
protocol until the client and server start negotiating a TLS session. At
that point, the TLS analyzer is attached.
While the basic case seems to be working, I fully expect that I missed
something and that this might break in a lot of cases.
Lots of good stuff! Thanks for catchign the plugin doc inconsistencies!
* origin/topic/dnthayer/doc-improvements-2.4:
Add missing documentation on the "Bro Package Index" page
More improvements to the Logging Framework doc
Fix documentation typo
Update the "Log Files" documentation
Add links in the logging framework doc
Add a link to the bro-plugins documentation
Update bro man page
Update script language reference documentation
Fix typos in the "writing bro plugins" doc
Fix a "make doc" warning
Improve logging framework doc
Add link to broctl doc from the quickstart doc
Update install documentation and fix some typos
Minor improvements to logging framework documentation
Correct a minor typo in the docs
* origin/fastpath:
Update usage output and list of cmd-line options
A small fix to ssh/geo-data.bro. ssh can now be unset for local-local or remote-remote, so make the script deal with this.
- People were seeing some reporter messages where the
SIP scripts were not handling things safely.
- New fields to show {request|response}_{from|to}.
- Fixed a case where logs could be over logged on accident (junk logs).
* origin/topic/vladg/sip:
Update NEWS.
Update baselines.
Spruce up SIP events.bif documentation a bit.
Register SIP analyzer to well known port.
Fix indenting issue in main.bro
Add SIP btests.
Small update for the SIP logs and DPD sig.
SIP: Fix up DPD and the TCP analyzer a bit.
SIP: Move to the new string BIFs
SIP: Move to new analyzer format.
Move the SIP analyzer to uint64 sequences, and a number of other small SIP fixes.
Rely on content inspection and not just is_orig to determine client/server.
Enable SIP in CMakeLists.txt
Merge topic/seth/faf-updates.
BIT-1370 #merged
* origin/topic/vladg/kerberos: (27 commits)
Add Kerberos to NEWS.
Add Kerberos memleak btest.
Add Kerberos analyzer btest.
Update baselines for Kerberos analyzer.
Add known ports to krb/main.bro
KRB: Clean up krb.log a bit.
Kerberos: Remove debugging output.
Kerberos: Fix a memleak.
Kerberos: A couple small tweaks.
Kerberos: Fix parsing of the cipher in tickets, and add it to the log.
Kerberos: A couple more formatting fixes.
Change krb Info string to success bool
Clean up formatting.
Documentation update, and rework events a bit.
Add support for the SAFE message type.
Add support for AP_REQ, AP_REP, PRIV, and CRED message types.
Fix parsing error for KRB_Ticket_Sequence
Continue clean-up. Some reformatting, removing hard-coded values, documentation, etc.
Kerberos analyzer updates: - Split up the (quite length) krb-protocol.pac into krb-protocol, krb-defs, krb-types and krb-padata - Add some supporting types to get rid of awkward and difficult to read case true/false statements - Clean up the conversion code in krb-analyzer.pac
Improve Kerberos DPD and fix a few parse errors.
...
BIT-1369 #merged
* origin/topic/seth/more-file-type-ident-fixes:
File API updates complete.
Fixes for file type identification.
API changes to file analysis mime type detection.
Make HTTP 206 reassembly require ETags by default.
More file type identification improvements
Fix an issue with files having gaps before the bof_buffer is filled.
Fix an issue with packet loss in http file reporting.
Adding WOFF fonts to file type identification.
Extended JSON matching and added OCSP responses.
Another large signature update.
More signature updates.
Even more file type ident clean up.
Lots of fixes for file type identification.
BIT-1368 #merged
Noticed these gave warnings due to missing namespace, but rather than
fix I'm just removing because they reference names in the same
module/file that will appear inches away from each other in the final
output.
- Backed out eTag changes. The real world is more complicated
than just using eTags to identify the same file.
- A bit of code simplication in the http base scripts.
- Test updates (more existing small problems were identified!).
-
* origin/topic/johanna/conn-threshold:
Wrap threshold stuff up - fix two small bugs and update baselines.
update GridFTP analyzer to use connection thresholding instead of polling
Add high level api for thresholding that holds lists of thresholds and raises an event for each threshold exactly once.
Allow setting packet and byte thresholds for connections.
BIT-1377 #merged
