When disabling_analyzer() was introduced, it was added to the GLOBAL
module. The awkward side-effect is that implementing a hook handler
in another module requires to prefix it with GLOBAL. Alternatively, one
can re-open the GLOBAL module and implement the handler in that scope.
Both are not great, and prefixing with GLOBAL is ugly, so move the
identifier to the Analyzer module and ask users to prefix with Analyzer.
Using "in" to query the language const. This also handles the case of not having a best guess and continue using the existing behavior.
Given
keyboard_layout = 1033 (0x0409), "keyboard-English - United States"
keyboard_layout = 66569 (0x00010409), "keyboard-English - United States (Best Guess)"
keyboard_layout = 12345 (0x3039), "keyboard-12345"
If the lookup table does not have an entry, it will just log as the raw decimal language/keyboard code. With this change, if we do not have an entry in the lookup table, we'll look at the low order / 4 least significant bits to see if we have a match. The high order / 4 most significant bits are flags/modifiers to the base language/keyboard code. We'll append that it is a "Best Guess"
(This is my first attempt at Zeek scripting, apologies upfront if I'm missing obvious language features. I feel like the const language lookup should return a success/fail return code that we would key off of, but unsure how to accomplish that so instead went for string matching on value in == value out).
* origin/topic/timw/zeek-path-dev:
Reduce startup time on Windows by using std::filesystem::canonical
Fix diff-remove-abspath to ignore Windows drive letters
Re-enable the float/double versions of hton{d,f} on Windows
Make sure the DEBUG flag is defined when building in debug mode
Don't close the kqueue manually on shutdown on Windows
Fix MSVC compiler warning due to a type mismatch
GH-2565: Update libunistd submodule to fix builds on VS2022
GH-2641: Lazy-load syslog to avoid creating bro.log on Windows
Use newer diff on Alpine for --strip-trailing-ci
Update btest submodule to version that supports Windows
Use pathsep btest value in btest.cfg
Use build_dir btest value in btest.cfg
Fix zeek-path-dev.sh creation to better support Windows
realpath() apparently doesn't handle Windows symlinks very well. This
causes plugin::Manager and ScannedFile to rescan a bunch of extra
paths that they should be skipping. This commit reduces the startup
time on Windows by 3-4 seconds (~8.5s to ~5s).
MSVC uses _DEBUG, unlike all of the other compilers, so we aren't
properly enabling/disabling varying bits of code that are dependent
on DEBUG being defined.
Fedora 35: CI folder was forgotten during removal
Opensuse Leap 15.3: EOL was 2022
Openssl-3: No longer necessary, since part of distributions (e.g. Ubuntu
22.10)
When passing invalid IPs or an out-of range port to parse_eftp()
a warning or error was generated on stderr (in addition to setting
the $valid field to F). Prevent the output by adding safe-guarding
and using IPAddr::ConvertString() instead.
fixes for using BiFs in standalone global initializations
avoiding redundant global initializations
updates to maintenance scripts and notes
removal of an unused member variable
- Ignore conan libpcap if PCAP_ROOT_DIR is passed
- Update the cmake submodule to pick up changes for finding the right
paths to npcap
- Add lazy-loading of npcap so the library path gets set correctly
at startup
* origin/topic/awelzel/analyzer-log:
btest/net-control: Use different expiration times for rules
analyzer: Add analyzer.log for logging violations/confirmations
The seen/file-names script relies on f$info$filename to be populated.
For HTTP and other network protocols, however, this field is only
populated during file_over_new_connection() that's running after
file_new().
Use the file_new() event only for files without connections and
file_over_new_connection() implies that f$conns is populated, anyway.
Special case SMB to avoid finding files twice, because there's a
custom implementation in seen/smb-filenames.zeek.
Fixes#2647
