Commit graph

6849 commits

Author SHA1 Message Date
Robin Sommer
4f9cb6912a Fix for a table referring to an expire function that's not defined.
I was hoping to report this right at startup through a static check
but turns out we don't have the right machinery in place for that.
That would need to be done after the AST has been finalized, but our
AST traversal code can't iterate over types. So instead I've changed
this so that it's still being reported at runtime but at least
doesn't crash Bro anymore.

Closes BIT-1597.
2016-05-23 12:48:34 -07:00
Robin Sommer
0fa9590902 Updating submodule(s).
[nomail]
2016-05-23 08:26:52 -07:00
Robin Sommer
50945a6359 Fixing a few Coverity warnings. 2016-05-23 08:25:11 -07:00
Seth Hall
e2fb7591f4 Merge remote-tracking branch 'origin/master' into topic/seth/smb 2016-05-20 14:28:39 -04:00
Johanna Amann
6779325520 NetControl: find_rules_subnet works in cluster mode
This introduces two new events, NetControl::rule_new and
NetControl::rule_destroyed, which are raised when rules are first added
and then deleted from the internal state tracking.
2016-05-20 11:11:44 -07:00
Johanna Amann
52d694f3bd Merge remote-tracking branch 'origin/master' into topic/johanna/netcontrol-improvements 2016-05-19 16:17:07 -07:00
Robin Sommer
85213e6b55 Merge remote-tracking branch 'origin/topic/johanna/fix-analyzer-addition'
* origin/topic/johanna/fix-analyzer-addition:
  DTLS: Use magic constant from rfc5389 for stun detection.
  DTLS: Fix binpac bug with DTLSv1.2 client hellos
  Forgot to remove debug output.
  DTLS: Fix interaction with STUN
  Fix the way that child analyzers are added.

BIT-1604 #merged
2016-05-18 07:41:18 -07:00
Johanna Amann
e6b680ab09 DTLS: Use magic constant from rfc5389 for stun detection. 2016-05-17 17:08:20 -07:00
Johanna Amann
9b2c81e00a DTLS: Fix binpac bug with DTLSv1.2 client hellos 2016-05-17 16:58:30 -07:00
Johanna Amann
74d0493289 Forgot to remove debug output. 2016-05-17 16:39:44 -07:00
Johanna Amann
39bdc397a0 DTLS: Fix interaction with STUN
Now the DTLS analyzer cleanly skips all STUN messages; no warnings
should be logged to dpd.log and parsing should work flawlessly with
intermixed STUN messages.
2016-05-17 16:36:46 -07:00
Robin Sommer
b1c0306e4a Updating submodule(s).
[nomail]
2016-05-17 16:26:45 -07:00
Robin Sommer
573b542646 Updating submodule(s).
[nomail]
2016-05-17 16:23:47 -07:00
Robin Sommer
554e334a3b Merge remote-tracking branch 'origin/topic/johanna/bit1602'
* origin/topic/johanna/bit1602:
  Fix duplication of new_connection_contents event

BIT-1602 #merged
2016-05-17 16:17:23 -07:00
Robin Sommer
4b830b0a39 Merge remote-tracking branch 'origin/topic/johanna/x-anonymoustls'
* origin/topic/johanna/x-anonymoustls:
  SMTP: Support SSL upgrade via X-ANONYMOUSTLS

BIT-1603 #merged
2016-05-17 16:15:01 -07:00
Johanna Amann
bc868d72a1 Fix the way that child analyzers are added.
Bro contains functionality to add child analyzers delayed, so that a
just-added analyzer does not influence the list of current analyzers
(which, in some combinations of mostly UDP and traffic replay by PIA can
lead to duplicate packets sent to the analyzer).

Sadly, this feature was broken sometime in the past, leading to the
aforementioned duplicate packets. Re-enabling this also necessitated
some changes in the analyzer manager, which immediately timed out all
connections when that feature was re-enabled.

There currently is no testcase (this is a bit hard to trigger); however,
I will add one with a later fix for DTLS.
2016-05-17 16:13:33 -07:00
Robin Sommer
e2dee49fc1 Fixing control framework's net_stats and peer_status commands.
Turns out the code implementing them went missing with the recent
merge of the stats changes.

For peer status, I removed most of the numbers that the code used to
return because (1) we don't have access to that data anymore, and (2)
even in 2.4 the numbers returned already didn't make sense (because
they were global values, not per peer). We could consider just
removing the peer_status command altogether.
2016-05-17 16:11:22 -07:00
Robin Sommer
7c1aab0ce5 Updating submodule(s).
[nomail]
2016-05-17 14:31:16 -07:00
Johanna Amann
8539f8f96b SMTP: Support SSL upgrade via X-ANONYMOUSTLS
This seems to be a non-standardized Microsoft extension that, besides
having a different name, works pretty much the same as StartTLS. We just
treat it as such.

I tested this against provided traffic and it works; I do not have
traffic I can share for a testcase.
2016-05-17 11:07:30 -07:00
Johanna Amann
d091e9ca89 Fix duplication of new_connection_contents event
Addresses BIT-1602
2016-05-17 10:32:13 -07:00
Johanna Amann
4851cbc7cc Merge remote-tracking branch 'origin/topic/dnthayer/ticket1601'
* origin/topic/dnthayer/ticket1601:
  Fix some failing plugin tests on OS X 10.11

BIT-1601 #merged
2016-05-16 20:11:20 -07:00
Johanna Amann
8f6cdbb489 Fix test failing when we use &> instead of 2>
On the shell of a few systems, that apparently masks the return code.

(Namely - Debian and FreeBSD)
2016-05-13 07:44:30 -07:00
Daniel Thayer
a4e5591e18 Fix some failing plugin tests on OS X 10.11
By default, OS X 10.11 does not include openssl headers.
Since building a Bro plugin #includes Bro headers, which #include openssl
headers, we need to tell cmake to find these so that the compiler
can use them.
2016-05-12 15:58:09 -05:00
Johanna Amann
49ca47895d Merge remote-tracking branch 'origin/topic/dnthayer/ticket1595'
* origin/topic/dnthayer/ticket1595:
  Fix a bug in receiving remote logs via broker

BIT-1595 #merged
2016-05-12 08:06:42 -07:00
Johanna Amann
8fb78125a5 Merge remote-tracking branch 'origin/topic/dnthayer/ticket1587'
* origin/topic/dnthayer/ticket1587:
  Fix Bro and unit tests when broker is not enabled

BIT-1587 #merged
2016-05-12 07:58:19 -07:00
Johanna Amann
5f50733276 Merge branch 'topic/jgras/event-vars' of https://github.com/J-Gras/bro 2016-05-12 07:40:44 -07:00
Jan Grashoefer
cb33028702 Added hook to allow extending the intel log.
The extension mechanism is basically the one that Seth introduced with
his intel extensions. The main difference lies in using a hook instead
of an event. An example policy implements whitelisting.
2016-05-11 23:59:46 +02:00
Johanna Amann
5baeb4790d Updating submodule
[nomail]
2016-05-11 11:25:39 -07:00
Jan Grashoefer
859eb5eac7 Merge branch 'master' into topic/jgras/intel-update 2016-05-11 18:59:58 +02:00
Jan Grashoefer
65607239c9 Added interpreter error for local event variables.
Scheduling a local event variable resulted in a global lookup instead of
evaluating the local variable. To prevent misunderstandings, this will
trigger an error now.
2016-05-11 12:26:11 +02:00
Daniel Thayer
7e3991d879 Fix a bug in receiving remote logs via broker
When receiving a remote log via broker, there was a bug that would
prevent a log from being written if the log record contained a field
without the &log attribute that was followed by a field with the &log
attribute.

Updated a test case to catch this error.
2016-05-10 15:37:50 -05:00
Daniel Thayer
d91dd8d9a8 Fix Bro and unit tests when broker is not enabled
When Bro was compiled with broker disabled, then some Bro scripts
were referencing functions and types that were not defined.  Fixed
by adding @ifdefs to several scripts.  Removed one @ifdef because
it was causing several unit tests to fail.

Also fixed the @TEST-REQUIRES check in tests that rely on broker so
that such tests are skipped when broker is disabled.
2016-05-10 06:24:35 -05:00
Robin Sommer
90223fe428 Updating submodule(s).
[nomail]
2016-05-09 09:45:21 -07:00
Robin Sommer
b23ed77819 Updating submodule(s).
[nomail]
2016-05-07 12:24:20 -07:00
Robin Sommer
2e12d01eee Merge branch 'master' of git.bro.org:bro 2016-05-07 11:51:41 -07:00
Robin Sommer
00d94f1bbc Merge remote-tracking branch 'origin/topic/seth/stats-improvement'
(Cleaned up some code a little bit.)

* origin/topic/seth/stats-improvement:
  Fixing tests for stats improvements
  Rename the reporting interval variable for stats.
  Removing more broken functionality due to changed stats apis.
  Removing some references to resource_usage()
  Removing Broker stats, it was broken and incomplete.
  Fixing default stats collection interval to every 5 minutes.
  Add DNS stats to the stats.log
  Small stats script tweaks and beginning broker stats.
  Continued stats cleanup and extension.
  More stats collection extensions.
  More stats improvements
  Slight change to Mach API for collecting memory usage.
  Fixing some small mistakes.
  Updating the cmake submodule for the stats updates.
  Fix memory usage collection on Mac OS X.
  Cleaned up stats collection.

BIT-1581 #merged
2016-05-07 11:51:35 -07:00
Seth Hall
40e9724de7 Switching all use of gmtime and localtime to use reentrant variants.
This was causing occasional problems with the time on processes
running lots of threads.  The use of gmtime in the json
formatter is the likely culprit due to the fact that the
json formatter runs in threads.  More evidence for this is that
the problem only appears to exhibit when logs are being written
as JSON.
2016-05-07 01:22:38 -04:00
Robin Sommer
34c7a3ef68 Merge remote-tracking branch 'origin/topic/dnthayer/doc-improvements'
* origin/topic/dnthayer/doc-improvements:
  Fix some scripting tutorial examples
  Add some missing Bro script documentation
  Fix more "make doc" warnings
  Fix some "make doc" warnings
  Improve documentation of the "for" statement
  Add more documentation to sumstats framework scripts
  Update traffic per core estimate in the cluster doc
  Update documentation for DNS "Z" field
  Improve documentation of Bro script statements

BIT-1520 #merged
2016-05-06 16:59:07 -07:00
Robin Sommer
abebd036bc Merge remote-tracking branch 'origin/topic/johanna/xmpp-starttls'
* origin/topic/johanna/xmpp-starttls:
  XMPP: Add StartTLS event and update tests
  Add xmpp dpd sig and fix a few parsing problems for connections that do not upgrade to TLS.
  Add simple XMPP StartTLS analyzer.

BIT-1579 #merged
2016-05-06 16:56:06 -07:00
Daniel Thayer
f596d30386 Fix some scripting tutorial examples
Some of the examples in the scripting tutorial were regularly getting
out of sync with the base scripts (because the line numbering would need
to be updated).  Fixed this maintenance burden by using small example
scripts instead of actual Bro scripts.  These small example scripts
do not need to be kept in sync with the bro base scripts.
2016-05-05 17:23:15 -05:00
Daniel Thayer
2d9127888f Add some missing Bro script documentation
Also fixed a few reST formatting issues.
2016-05-05 16:35:31 -05:00
Daniel Thayer
28125e367e Fix more "make doc" warnings 2016-05-05 15:18:50 -05:00
Daniel Thayer
75e69d8c09 Fix some "make doc" warnings 2016-05-05 12:47:21 -05:00
Daniel Thayer
da6611e3c2 Merge remote-tracking branch 'origin/master' into topic/dnthayer/doc-improvements 2016-05-05 11:33:57 -05:00
Robin Sommer
209c8936d1 Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  Fix a few incorrect type tags in Bro broker source code
  Update docs and tests of the fmt() function
  Revert "Fix RFB analyzer to build on FreeBSD"
  Fix RFB analyzer to build on FreeBSD
2016-05-03 11:36:52 -07:00
Robin Sommer
8a6ca053bf Updating submodule(s).
[nomail]
2016-05-03 11:17:01 -07:00
Seth Hall
f8f5998328 Fixing tests for stats improvements 2016-05-02 16:43:08 -04:00
Seth Hall
da014e1eca Rename the reporting interval variable for stats. 2016-05-02 16:20:53 -04:00
Seth Hall
d9d579c52c Merge remote-tracking branch 'origin/master' into topic/seth/stats-improvement 2016-05-02 14:34:29 -04:00
Johanna Amann
86836c0bb8 Merge remote-tracking branch 'origin/master' into topic/johanna/netcontrol-improvements 2016-05-02 11:23:36 -07:00