Closes#1030.
* origin/topic/seth/packet-filter-updates:
Missed a test fix.
Updating test baselines.
Updates for the PacketFilter framework to simplify it.
Last test update for PacketFilter framework.
Several final fixes for PacketFilter framework.
Packet filter framework checkpoint.
Checkpoint on the packet filter framework.
Initial rework of packet filter framework.
Closes#1021.
* origin/topic/bernhard/input-update:
this event handler fails the unused-event-handlers test because it is a bit of a special case.
...and fix the event ordering issue. Dispatch != QueueEvent
add Terminate to input framework to prevent potential shutdown race-conditions.
fix warning.
fix stderr test. ls behaves differently on errors on linux...
small fixes.
linux does not have strnstr
and close only fds that are currently open (the logging framework really did not like that :) )
A bunch of more changes for the raw reader
make reading from stdout and stderr simultaneously work.
allow sending data to stdin of child process
Streaming reads from external commands work without blocking anything.
replace popen with fork and exec.
change raw reader to use basic c io instead of fdstream encapsulation class.
Closes#983.
* origin/topic/jsiwek/983:
Add named constructor examples to docs.
Allow named vector constructors. Addresses #983.
Allow named table constructors. Addresses #983.
Improve set constructor argument coercion.
Allow named set constructors. Addresses #983.
Allow named record constructors. Addresses #983.
So much nicer!
Closes#954.
* origin/topic/seth/notice-framework-updates:
Update notice framework documentation to represent the new reality.
Complete removal of the old table based notice policy mechanism.
Updates for the notices framework.
* origin/topic/matthias/opaque:
Add new unit test for opaque serialization.
Migrate entropy testing to opaque.
C++ify RandTest.*
Fix a hard-to-spot bug.
Use more descriptive error message.
Fix the fix :-/.
Fix initialization of hash values.
Be clearer about delegation.
Implement serialization of opaque types.
Update hash BiF documentation.
Migrate free SHA* functions to SHA*Val::digest().
Add missing type name that caused failing tests.
Update base scripts and unit tests.
Simplify hash function BiFs.
Add support for opaque hash values.
Adapt BiF & Bro parser to handle opaque types.
More lexer/parser work.
Implement equivalence relation for opaque types.
Support basic serialization of opaque.
Add opaque type to lexer, parser, and BroType.
Closes#925
Conflicts:
aux/broccoli
* origin/topic/jsiwek/gridftp:
Add memory leak unit test for GridFTP.
Enable GridFTP detection by default. Track/log SSL client certs.
Add analyzer for GSI mechanism of GSSAPI FTP AUTH method.
Add an example of a GridFTP data channel detection script.
* origin/fastpath:
Small but important fix for the input framework. BroStrings were constructed without a final \0 - which means that strings read by the input framework are unusable by basically all internal functions (like to_count).
* origin/fastpath:
Remove automatic use of gperftools on non-Linux systems.
Fix uninitialized value for 'is_partial' in TCP analyzer.
parse 64-bit consts correctly.
on 32-bit machines only unsigned long longs are 64-bits long. Not just unsigned longs...
Turns out the finish methods weren't called correctly, caused by a
mess up with method names which all sounded too similar and the wrong
one ended up being called. I've reworked this by changing the
thread/writer/reader interfaces, which actually also simplifies them
by getting rid of the requirement for writer backends to call their
parent methods (i.e., less opportunity for errors).
This commit also includes the following (because I noticed the problem
above when working on some of these):
- The ASCII log writer now includes "#start <timestamp>" and
"#end <timestamp> lines in the each file. The latter supersedes
Bernhard's "EOF" patch.
This required a number of tests updates. The standard canonifier
removes the timestamps, but some tests compare files directly,
which doesn't work if they aren't printing out the same
timestamps (like the comm tests).
- The above required yet another change to the writer API to
network_time to methods.
- Renamed ASCII logger "header" options to "meta".
- Fixes#763 "Escape # when first character in log file line".
All btests pass for me on Linux FC15. Will try MacOS next.
Merge remote-tracking branch 'origin/topic/tunnels' into topic/robin/tunnels-merge
* origin/topic/tunnels: (41 commits)
Extend weird names that occur in core packet processing during decapsulation.
Add Teredo analysis option to reduce false positive decapsulation.
Just some cleanup/documentation of new tunnel-handling code.
Memory leak fixes
Add a config.h definition for IPPROTO_IPV4.
Add AYIYA tunnel decapsulation unit test.
Add Teredo-specific events.
Refactor some of the NetSessions routines that recurse on IP packets.
Add independent options to toggle the different decapsulation methods
Add more sanity checks before recursing on encapsulated IP packets.
Suppress Teredo weirds unless decapsulation was successful once before.
Tunnel support performance optimization.
Add Teredo tunnel decapsulation.
Fix for IP tunnel UID persistence.
Fix AYIYA analyzer tag.
Add summary documentation to tunnels/main.bro.
Make tunnels always identifiable by UID, tunnel.log now gets populated.
Some improvements to the AYIYA analyzer.
Remove Tunnel::decapsulate_ip option.
Remove invalid IP-in-IP encapsulated protocol value.
...
* origin/topic/robin/dataseries:
Moving trace for rotation test into traces directory.
Fixing a rotation race condition at termination.
Portability fixes.
Extending DS docs with some examples.
Updating doc.
Fixing pack_scale and time-as-int.
Adding format specifier to DS spec to print out double as %.6f.
DataSeries updates and fixes.
DataSeries tuning.
Tweaking DataSeries support.
Extending log post-processor call to include the name of the writer.
Removing an unnecessary const cast.
DataSeries TODO list with open issues/questions.
Starting DataSeries HowTo.
Additional test output canonification for ds2txt's timestamps.
In threads, an internal error now immediately aborts.
DataSeries cleanup.
Working on DataSeries support.
Merging in DataSeries support from topic/gilbert/logging.
Fixing threads' DoFinish() method.
* origin/topic/icmp6:
Fixes for IPv6 truncation and ICMP/ICMP6 analysis.
Change ICMPv6 checksum calculation to use IP_Hdr wrapper.
Update IPv6 atomic fragment unit test to filter output of ICMPv6.
Add more data to icmp events
More code cleanup
Add more icmpv6 events, and general code cleanup
Fix compile failure after merge from master
Significant edit pass over ICMPv6 code.
Porting Matti's branch to git.
Closes#808.
* topic/robin/log-threads: (42 commits)
Two more tweaks to reliably terminate when reading from trace.
This could be fixing the memory problems finally.
Fix compile errors due to now-explicit IPAddr ctors and global IPFamily enum.
Switching log buffer size back to normal
Teaching cmake to always link in tcmalloc if it finds it.
Extending queue statistics.
Small fixes and tweaks.
Don't assert during shutdown.
Reverting accidental commit.
Finetuning communication CPU usage.
Adding new leak tests involving remote logging.
Removing some no longer needed checks.
Fixing problem logging remotely when local logging was turned off.
Preventing busy looping when no threads have been spawned.
Prevent manager from busy looping.
Adding missing includes needed on FreeBSD.
Updating submodule(s).
Updating submodule(s).
A number of bugfixes for the recent threading updates.
Making exchange of addresses between threads thread-safe.
...
