This adds the capability for the user to attach a reason when removing
or destroying a rule. The message will both be logged in netcontrol.log
and forwarded to the responsible plugins.
Addresses BIT-1655
* topic/seth/smb: (93 commits)
Update NEWS
Add some more DCE_RPC endpoints.
SMB cleanup.
Add rename and delete events for SMB2.
Remove a file that wasn't even being compiled
Simplify how packets go into the SMB analyzer.
Minor cleanup.
Add a DCE-RPC test.
SMB: call Done() for analyzers instantiated by dce_rpc-auth
Fix for an issue with GSSAPI mech_token from Florent Monjalet
Now actually loading DCE-RPC's dpd.sig
Fix a compile breakage.
Fixes for some SMB merge conflicts with master.
Updating the broctl pointer.
Fixing SMB tests again.
Simplify SMB string handling.
SMB test clean up and docs
SMB: fix number of small issues.
Fix a small poor implementation in SMB string handling.
Update tests to match move of smb base scripts into policy/
...
Closes github's #77 and closes BIT-1606
* topic/seth/intel-update-merge:
Tiny scoping updates and test baseline updates for Intel framework.
Minor documentation cleanups.
Fixed insertion of nested subnets.
Refactored FAF integration of intel framework.
Added expiration for intelligence items.
Improved intel notices.
Added hook to allow extending the intel log.
Added remove function to intel-framework.
Added support for subnets to intel-framework.
Refactoring of meta data handling for intel.
Added testcase for intel updates.
* origin/topic/robin/bit-1641:
Fixing duplicate SSH authentication failure events.
I changed the test slightly; the output of uniq is not stable between
operating systems (on OS-X, it emits a space, on Linux it apparently
emits a tab). I removed the call to uniq - sort by itself is enough to
create a difference if there are duplicate entries.
Addresses BIT-1641
Compiling a plugin required having access to OpenSSL headers because
they were pulled in by Bro headers that the plugin had to include.
Removinng then OpenSSL dependency from those Bro headers.
I'm also reverting a4e5591e. This is a different fix for the same
problem, and reverting that commit gives us a test case. :-)
ninja said:
ninja: warning: multiple rules generate
scripts/base/bif/const.bif.bro. builds involving this target will
not be correct; continuing anyway [-w dupbuild=warn]
Looks like there's a larger problem here involving *.bif of the same
name at different locations of the source tree. For now, I'ved fixed
this one by merging src/iosource/pcap/{const,functions}.bif into
pcap.bif.
We aren't using them anymore for the packages we distribute. Because
of that, they haven't been supported in a while, and have problems.
BIT-1509 #closed
This adds an event that is raised once Catch & Release ceases the
block management for an IP address because the IP has not been seen in
traffic during the watch interval.
This allows users who use their own logic on the top of catch and
release know when they will have to start re-blocking the IP if it
occurs in traffic again.
There was a copy of every single packet being made as it entered
the SMB analyzer. This was because the entire analyzer used to be
handwritten (only using binpac for unit parsing, not for parsing
the whole protocol). Now that the entire parser is binpac we don't
need that layer of indirection anymore and we're able to remove
a lot of complexity.
The types used by the core did not match the types expected by the
scripting framework, leading, e.g., to trouble with the logging
framework.
Discovered and fixed by Grant Moyer.
Fixes BIT-1650
Calling Error() in an input reader now automatically will disable the
reader and return a failure in the Update/Heartbeat calls.
Also adds more tests.
Addresses BIT-1181
This change introduces error events for Table and Event readers. Users
can now specify an event that is called when an info, warning, or error
is emitted by their input reader. This can, e.g., be used to raise
notices in case errors occur when reading an important input stream.
Example:
event error_event(desc: Input::TableDescription, msg: string, level: Reporter::Level)
{
...
}
event bro_init()
{
Input::add_table([$source="a", $error_ev=error_event, ...]);
}
For the moment, this converts all errors in the Asciiformatter into
warnings (to show that they are non-fatal) - the Reader itself also has
to throw an Error to show that a fatal error occurred and processing
will be abort.
It might be nicer to change this and require readers to mark fatal
errors as such when throwing them.
Addresses BIT-1181
This allows all threads accessing the same database to share sqlite
objects. This, for example, fixes the issue with several threads
simultaneously writing to the same database file.
See https://www.sqlite.org/sharedcache.html
Addresses BIT-1325
