* origin/topic/dnthayer/broker-namespace:
Split the broker main.bro into two scripts
Rename the BrokerStore namespace to Broker
Rename the BrokerComm namespace to Broker
BIT-1563 #merged
In the merge, I changed IP.cc to use icmp6_hdr for icmpv6 instead of the
icmp* that was used in the patch. While it does not make a difference
for this case, it seems cleaner.
BIT-1570 #merged
Some of the existing mime types received extended matchers
to fix problems with UTF-16 BOMs.
New file mime types:
- .ini files
- MS Registry policy files
- MS Registry files
- MS Registry format files (e.g. DESKTOP.DAT)
- MS Outlook PST files
- Apple AFPInfo files
Mime type fixes:
- MP3 files with ID3 tags.
- JSON and XML matchers were extended
* topic/seth/file-entropy:
Add a file entropy test.
Fixing a test.
Updated tests for file entropy analyzer.
Update and clean up to file entropy measurement.
First commit of file entropy analyzer.
* martin/topic/fox/rfb:
Fixed issue in state machine
Some styling tweaks
Implement protocol confirmation
Analyzer and bro script for RFB protocol (VNC)
* <seth> I also applied a bit of clean up to the base
script to make it match other scripts better and
updated tests.
There is a slight difference in the message sequence
between version 3.7 and 3.8.
Version 3.8 will always send a Authentication Result
message when authentication type 'None' is selected
while 3.7 does not.
Do not set the service field in the bro script but
use the protocol confirmation paradigm.
Protocol is considered confirmed if both a
succesful client and server banner have been
parsed.
This analyzer parses the Remote Frame Buffer
protocol, usually referred to as the 'VNC protocol'.
It supports several dialects (3.3, 3.7, 3.8) and
also handles the Apple Remote Desktop variant.
It will log such facts as client/server versions,
authentication method used, authentication result,
height, width and name of the shared screen.
It also includes two testcases.
Todo: Apple Remote Desktop seems to have some
bytes prepended to the screen name. This is
not interepreted correctly.
BIT-1528 #merged
* origin/topic/vladg/bit-1528:
Call ProtocolConfirmation in SNMP only if we saw a response SNMP packet
Call ProtocolConfirmation in SIP only if we saw a response SIP packet
Separate the former BrokerComm and BrokerStore portions of the script
because these files will be much larger when script wrappers for BIFs are
written.
BIT-1553 #merged
* origin/topic/johanna/filter_subnet_table:
Check that there is only one of read, write, create_expire
Update NEWS
Fixed &read_expire for subnet-indexed tables
Added &read_expire testcase for subnet tables
Add filter_subnet_table bif
* 'topic/johanna/filter_subnet_table' of https://github.com/J-Gras/bro:
Fixed &read_expire for subnet-indexed tables
Added &read_expire testcase for subnet tables
Includes a bit of refactoring of commit code & code related to the
feature.
