Frame types except data and frame subtypes without payload are skipped.
Header length is determined based on presence of QoS and flags
indicating the use of the 4th address field. Handling of aggregated
MSDUs is explicitly prevented.
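
The header-length rule described in the commit message above, as an added example that is not part of the commit or of Bro's source: it skips non-data frames and payload-less data subtypes, adds 6 bytes for the 4th address and 2 for QoS control, and refuses A-MSDUs. The function name, return codes and sample headers are constructed for illustration, and the HT Control field is not handled.

```c
#include <stddef.h>
#include <stdint.h>

/* Return codes; the names are this example's, not Bro's. */
#define DOT11_SKIP       0   /* not data, or a data subtype without payload */
#define DOT11_TRUNCATED (-1)
#define DOT11_AMSDU     (-2) /* aggregated MSDU: refuse to parse */

/* MAC header length of a payload-carrying 802.11 data frame, or a code
 * above. `f` points at the frame control field, `len` is the bytes captured. */
int dot11_data_hdr_len(const uint8_t *f, size_t len)
{
    if (len < 2)
        return DOT11_TRUNCATED;
    uint8_t type    = (f[0] >> 2) & 0x3;  /* frame control bits 2-3 */
    uint8_t subtype = (f[0] >> 4) & 0xf;  /* frame control bits 4-7 */
    if (type != 2)                        /* 2 = data */
        return DOT11_SKIP;
    if (subtype & 0x4)                    /* Null, CF-Ack, QoS Null, ... */
        return DOT11_SKIP;

    size_t hdr = 24;                      /* FC, duration, addr1-3, seq ctrl */
    if ((f[1] & 0x03) == 0x03)            /* ToDS and FromDS set: addr4 */
        hdr += 6;
    if (subtype & 0x8) {                  /* QoS subtypes: 2-byte QoS control */
        if (len < hdr + 2)
            return DOT11_TRUNCATED;       /* never read past the capture */
        if (f[hdr] & 0x80)                /* A-MSDU Present bit */
            return DOT11_AMSDU;
        hdr += 2;
    }
    return len < hdr ? DOT11_TRUNCATED : (int)hdr;
}

/* Constructed sample headers; only frame control and QoS control are set. */
static const uint8_t plain_data[24]   = { 0x08, 0x01 };  /* data, ToDS */
static const uint8_t qos_data_wds[32] = { 0x88, 0x03 };  /* QoS data, 4 addrs */
static const uint8_t null_frame[24]   = { 0x48, 0x01 };  /* Null, no payload */
static const uint8_t beacon[24]       = { 0x80, 0x00 };  /* management */
static const uint8_t amsdu[26]        = { 0x88, 0x01, [24] = 0x80 };

int main(void)
{
    return dot11_data_hdr_len(qos_data_wds, sizeof qos_data_wds) == 32 ? 0 : 1;
}
```
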
This commit changes the calculation of the rho-value to be in line with
the implementation of the original research paper, counting the number
of zero bits before the data.
This also fixes an infinite loop in case the hash value is 0.
I also cleaned up the code a bit, converting the raw pointers that were
used to an STL vector.
Addresses BIT-1612
The expiration attribute expression is now evaluated for every use. Thus
later adjustments of the value (e.g. by redefining a const) will now
take effect. Values less than 0 will disable expiration.
Added a new BIF haversine_distance that computes distance between two
geographic locations.
Added a new Bro script function haversine_distance_ip that does the same
but takes two IP addresses instead of latitude/longitude. This function
requires that Bro be built with libgeoip.
I changed the patch slightly - now debug.log is only created if a debug
stream is enabled.
BIT-1616 #merged
* origin/topic/dnthayer/ticket1616:
  Don't create debug.log immediately upon startup
The RFB analyzer's state machine did not foresee that a server could
send two subsequent messages in one packet. This would result in the
error. Patch by Martin van Hensbergen.
BIT-1611 #merged
* origin/topic/seth/remove-unescaped_special_char-weird:
  Add urldecoding for the unofficial %u00AE style of encoding.
  Remove the unescaped_special_char HTTP weird.
Instead of creating the debug.log immediately when bro starts,
now it is created only after the debug streams are enabled.
This avoids having an empty log being created when it shouldn't be,
in usages such as "bro -h", "bro -v", or "bro -B help" (and also
when using broctl, which needs to run "bro -v").
The latter is thread-safe, but a GNU addition which does not exist on
OS-X. Since the function only is called in the main thread, it should
not matter if it is or is not threadsafe.
The link-layer addresses are now part of the connection endpoints
following the originator-responder-pattern. The addresses are printed
with leading zeros. Additionally link-layer addresses are also extracted
for 802.11 plus RadioTap.
The ascii reader now accepts \r\n newlines without complaining.
Furthermore, the reader was slightly rewritten in a more C++11-y way,
removing all raw pointers from the class.
Addresses BIT-1198
Intel notices are identified by a direction independent 3-tuple
(indicator, originator IP, responder IP). This allows notice
suppression. Additionally service and intel source are added to the
notice mail.
forgotten messages are only logged on the manager (or standalone host)
now. Logs are not written by default anymore when Bro encounters traffic
that should have been blocked.
This weird points out a lot of benign stuff and it would
be easily reimplemented in a Bro script. This commit
also makes the minor change to update the reserved and
unreserved characters from a newer form of the URI RFC.
This commit rewrites catch and release, fixing issues with it and making
it fully cluster capable. A dedicated netcontrol_catch_release.log is
also added.
This is not quite done yet; a few more log messages are missing. There
should hopefully not be many big issues left.