- Minor whitespace and comment adjustments
* origin/topic/timw/mapping:
Fix unit tests for new ordering from NetSessions::Drain
Change FragReassembler to use a tuple as a key and use std::map for fragments in Sessions
Rework Session/Connection tracking to use a std::map instead of PDict
- Changed .bif files to be detected as C++
* origin/topic/seth/github-linguist-fixes:
Adjusting how files are ignored for linguist and adding bif files to ignore.
Stop incorrect language identification on github.
I copied the same style that caf uses ("zk" with single dot and no space).
This gives some consistency with caf and avoids us wasting more
space beyond "bro: ". OSs only give 16 characters for thread names
so anything we can gain here is nice.
If you look at the languages that github is implemented in according
to our page on github, it has several incorrect things. PAC files and
SIG files being the big misidentifications. In my opinion it would look
better to mark these as no language so that javascript and ML stop showing
up as languages that Zeek is implemented in.
This change should fix that on github according to:
https://github.com/github/linguist#overrides
If dpd_match_only_beginning is disabled, matches of protocol signatures
can be handled using protocol_late_match. To prevent further matching in
this case, dpd_late_match_stop may be activated.
Includes fix for potential iterator invalidation during iteration.
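As an added illustration of the late-match options described in the commit above (example script, not code from the Zeek repository): the two redefs switch on late DPD matching and stop matching after the first late hit, and the handler reports what matched. The event handler signature `protocol_late_match(c: connection, atype: Analyzer::Tag)` and the use of `Analyzer::name()` are assumptions about the script-level API.

```zeek
# Added example, not part of the Zeek commit it illustrates.
# Let protocol signatures match beyond the beginning of a connection...
redef dpd_match_only_beginning = F;
# ...but stop further signature matching once a late match has been handled.
redef dpd_late_match_stop = T;

# Assumed handler signature for the late-match event.
event protocol_late_match(c: connection, atype: Analyzer::Tag)
    {
    # Report which analyzer was attached late and on which connection.
    print fmt("late DPD match: %s on %s:%s -> %s:%s (uid %s)",
              Analyzer::name(atype),
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, c$uid);
    }
```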
* origin/topic/jsiwek/gh-532-improve-disable-analyzer:
GH-532: improve disable_analyzer BIF
* origin/topic/timw/deprecate-int-types:
Deprecate the internal int/uint types in favor of the cstdint types they were based on
Merge adjustments:
* A bpf type mistakenly got replaced (inside an unlikely #ifdef)
* Did a few substitutions that got missed (likely due to
pre-processing out of DEBUG macros)
* origin/topic/timw/easy-pdict-replacements:
Cleanups related to PDict -> std::map replacements
Remove other simple uses of PDict
Protocols: Remove uses of PDict
g_dbgfilemaps: Remove uses of PDict
Scope: remove uses of PDict
DFA: remove uses of PDict
EventRegistry: remove uses of PDict
* origin/topic/timw/clang-tidy:
Change over to whitelisting clang-tidy options instead of blacklisting
Use FindClangTidy in the cmake submodule to make things easier
* origin/topic/jazoff/memory-reduction-contentline:
Remove redundant buffering in contentline
Adjusted NVT analyzer during merge for cases where it may have been
assuming the buffer was already resized before DoDeliver().
* origin/topic/jazoff/memory-reduction-mime:
Avoid buffering all http headers
Adjusted during merge:
* whitespace
* logic for HTTP needs to consider whether either mime_all_headers
or http_all_headers events are being used
Previously, some sub-projects, like binpac, use GNUInstallDirs.cmake
to choose the default name of the library install directory while
others hard-code "lib" as the default. The former may pick "lib64"
on some platforms, so for now, when installing such sub-projects as
part of Zeek, it's overridden to consistently be "lib".
Using exit() here may generally not work well since:
* That will result in calling global destructors
* We have global state that we potentially modify at run-time and
are in the middle of modifying at the time the FatalError occurs.
E.g. out-of-memory is one situation where it's likely we could
call the dtor of an object in which operation on its internal
state is no longer consistent/safe.
* origin/topic/timw/travis-leaks:
fixup! Add new distro to Travis CI configuration for running leak tests
Add new distro to Travis CI configuration for running leak tests
- Add an extra "prevent" parameter (default value of false), which
helps prevent the same analyzer type from being attached in the
future. It's useful in situations where you want to disable early
on, but a DPD signature may still trigger later and re-attach
the same analyzer. E.g. when not using this flag, but calling
disable_analyzer() inside an http_request event, will remove the
HTTP analyzer that was attached due to well-known-port, but a later
DPD signature match from upon seeing the HTTP reply will end up
attaching another HTTP analyzer. More surprising is that upon
re-attaching that analyzer, you'll get the same http_request as
before since the DPD buffer will get replayed into the new analyzer.
- Fixes disable_analyzer() to work when called even earlier, like
within the protocol_confirmation event. At that time, the
Analyzer tree may have not properly added the new analyzer into
Analyzer::children yet, but rather the temporary waiting list,
Analyzer::new_children. Analyzer::RemoveChildAnalyzer previously
did not inspect the later list.
- Fixes disable_analyzer() when called on an analyzer added to the
tree via TCP_Analyzer::AddChildPacketAnalyzer. TCP_Analyzer
keeps track of such children in its own list,
TCP_Analyzer::packet_children, which the previous
Analyzer::RemoveChildAnalyzer implementation didn't inspect.
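As an added example of the "prevent" behaviour described in the commit message above (example script, not code from the Zeek repository): the handler disables the HTTP analyzer as soon as the first request is seen and passes prevent=T so that a later DPD signature match on the reply cannot re-attach HTTP and replay the same request. The positional argument order `disable_analyzer(cid, aid, err_if_no_conn, prevent)` and the availability of `current_analyzer()` inside the handler are assumptions about the BIF interface.

```zeek
# Added example, not part of the Zeek commit it illustrates.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    # current_analyzer() is assumed to return the ID of the analyzer that
    # raised this event, i.e. the HTTP analyzer attached for this connection.
    local aid = current_analyzer();

    # Third argument (err_if_no_conn) left at its default of T;
    # fourth argument is the new "prevent" flag (assumed positional order).
    # Without prevent=T, a DPD signature match on the HTTP reply would attach a
    # fresh HTTP analyzer and replay the buffered request into it, so this
    # same http_request event would fire a second time.
    if ( ! disable_analyzer(c$id, aid, T, T) )
        print fmt("could not disable analyzer %d on %s", aid, c$uid);
    }
```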
* 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek:
improve logging with broker store
drop services starting with -
remove service from key for Cluster::publish_hrw
remove check for empty services
update tests
order list of services in store key
remove repeated services in logs if already seen
add multiprotocol known_services when Known::use_service_store = T
remove hyphen in front of some services (for example -HTTP, -SSL)
In some cases, there is a hyphen before the protocol name in the field connection$service. This can cause problems in known_services and is removed here. It probably originates in some analyzer where it would be better removed in the future.
add multiprotocol known_services when Known::use_service_store = F
Changes during merge:
* whitespace
* add unit test
* 'empty_services' of https://github.com/mauropalumbo75/zeek:
remove empty services and include udp active connections when logging in connection_state_remove
* 'export_intel_events' of https://github.com/mauropalumbo75/zeek:
minor restyle and add comments
add an empty read_error event to the intel framework (in the export block, so that users can implement further checks with it)
move event Intel::read_entry to export block
Adjusted whitespace in merge.