These changes should be safe -- testing the failure cases proves a bit
difficult at the moment due to the fact that OpenSSL seems to fix the
values that are present in the original ASN.1 before passing them on to
us. It is thus not directly easily possible to trigger the error cases
from scriptland.
This also means that a lot of the new error cases we try to catch here
can probably never happen.
- Q (MULTI_FLAG_PKT) was not in the documentation for the history field.
- I (FIN_RST_PKT) was documented incorrectly. It was documented as a
SYN+RST, when it actually represents a FIN+RST.
The new documentation was derived from:
d3f513f/src/analyzer/protocol/tcp/TCP.cc (L493)
Addresses BIT-1466
- Change SIP header - according to RFC3261, space on both sides of ':' should be expected.
- Change to SIP_request and SIP_Reply - We encountered packets that do not contain newline and msg part of request/reply. Bro parser was segfaulting with:
0x0000000001227de2 in binpac::SIP::SIP_Headers::Parse (this=0x1c709120,
t_begin_of_data=0x2aaaadd56348 <Address 0x2aaaadd56348 out of bounds>,
t_end_of_data=0x2aaaadd56346 <Address 0x2aaaadd56346 out of bounds>, t_context=0x1c6f9a90)
at src/analyzer/protocol/sip/sip_pac.cc:586
This small change should have it fixed.
Contributed by Martina Balint in https://github.com/bro/bro/pull/39.
(I didn't merge the github branch, as that has some more stuff in its
history. Instead I applied the single-line change directly.)
Making two changes here:
- Renaming the hook to SetupAnalyzerTree.
- Reverting the reversal of the script load order. Instead, I'm
adding an additional script that Bro looks for to load first,
"__preload__.bro". Also extending the plugin docs to cover this.
- Increasing plugin API version, as I suppose adding a new virtual
function may invalidate binary compatibility.
* 'topic/jswaro/feature/HookAddToAnalyzer-tcprs-support' of https://github.com/jswaro/bro:
Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin
Base64 encoding-errors during authentication in POP3 analyzer,
authentication in FTP analyzer (using GSI) and basic
authentication on HTTP will be logged to Weird.
Updated the install section for FreeBSD and OS X.
Added a section to explain how to quickly test that everything is
setup correctly.
Improved the usage section by removing the misleading record definition
(a link to the reference doc is provided), and explaining that some
fields will be uninitialized.
Corrected the example so that it doesn't try to access uninitialized
fields.
Base64Converter now uses a connection directly, instead of an analyzer
redirecting to the underlying connection for reporting to Weird. The new
built-in functions en-/decode_base64_intern make use of this to send
encoding-errors to Weird instead of Reporter.
According to the documentation, using the empty string as alphabet in
the built-in functions, will use the default alphabet. Therefore the
built-in functions can now use default arguments and
en-/decode_base64_custom is deprecated.
The tests have been updated accordingly.
