The event now really returns the extension. If openssl supports printing
it, it is converted into the openssl ascii output.
The output does not always look pretty because it can contain newlines.
New event syntax:
event x509_extension(c: connection, is_orig: bool, cert: X509, extension: X509_extension_info)
Example output for extension:
[name=X509v3 Extended Key Usage,
short_name=extendedKeyUsage,
oid=2.5.29.37,
critical=F,
value=TLS Web Server Authentication, TLS Web Client Authentication]
[name=X509v3 Certificate Policies,
short_name=certificatePolicies,
oid=2.5.29.32,
critical=F,
value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4^J CPS: https://secure.comodo.com/CPS^J]
If a file is nothing but gaps (e.g. due to missing/dropped packets), Bro
can sometimes detect a file is supposed to have been present and never
saw any of its content, but failed to raise file_over_new_connection
events for it. This was mostly apparent because the tx_hosts/rx_hosts
fields in files.log would not be populated in such cases (but are now
with this change).
If TCP endpoint A and B are synchronized at some point, but A
closes/aborts/crashes and B goes on without knowledge of it and then A
tries to re-synchronize, Bro could end up seeing something like
(sequence numbers made up):
A: SYN 100
B: ACK 500
A: RST 500
The final sequence number of A, in this case, is not useful in the
context of determining the number of data bytes sent by A, so Bro now
reports that as 0 (where before it could often be misleadingly large).
The previous behavior was to accommodate SYN/FIN/RST-filtered traces by
not reporting missing data (via the content_gap event) for such
connections. The new behavior always reports gaps for connections that
are established and terminate normally, but sequence numbers indicate
that all data packets of the connection were missed. The behavior can
be reverted by redef'ing "detect_filtered_trace".
In the case multiple FIN packets are seen from a TCP endpoint (e.g.
when one is retransmitted), only the first counted towards a byte in the
sequence space. This could cause a subsequent FIN packet to induce an
incorrect wrap around in the sequence numbers (e.g. the retransmitted
FIN packet now is one sequence number behind the first) and
misleadingly large connection sizes. The change is to always treat a
FIN packet as counting one byte into the sequence space.
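The following is an added worked example, not code from Bro itself: a
small, hypothetical model of per-endpoint TCP sequence-space accounting
that reproduces the two cases described above, the re-synchronizing RST
whose sequence number must not be taken as the endpoint's final sequence
number, and the retransmitted FIN that, if not counted as occupying one
sequence number, drives the size computation negative and wraps to a
huge unsigned value. The class, function and trace names are this
example's own, and the traces are constructed to match the commit
messages (the peer's ACK 500 is omitted because only one endpoint's
segments are tracked).

```python
SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


class EndpointTracker:
    """Hypothetical sequence-space accounting for one TCP endpoint.

    count_every_fin: True  -> every FIN, retransmitted or not, occupies one
                              sequence number (the fixed behavior);
                     False -> only the first FIN is counted (the old behavior).
    trust_rst_seq:   True  -> an RST's sequence number becomes the endpoint's
                              final sequence number (the old behavior);
                     False -> an RST never advances the sequence space.
    """

    def __init__(self, count_every_fin=True, trust_rst_seq=False):
        self.count_every_fin = count_every_fin
        self.trust_rst_seq = trust_rst_seq
        self.start_seq = None   # ISN, taken from the SYN
        self.last_seq = None    # sequence number following the last segment seen
        self.fin_seen = False

    def segment(self, flags, seq, payload_len=0):
        # flags is a string such as "SYN", "ACK", "FIN" or "RST"
        if "SYN" in flags:
            self.start_seq = seq
            self.last_seq = (seq + 1) % SEQ_MOD   # SYN occupies one sequence number
            return
        if "RST" in flags:
            if self.trust_rst_seq:
                self.last_seq = seq               # old behavior: believe the RST
            return
        end = (seq + payload_len) % SEQ_MOD
        if "FIN" in flags:
            if self.count_every_fin or not self.fin_seen:
                end = (end + 1) % SEQ_MOD         # FIN occupies one sequence number
            self.fin_seen = True
        self.last_seq = end                       # model: last segment wins, no max()

    def data_bytes(self):
        """Payload bytes sent: sequence delta minus the SYN and FIN pseudo-bytes."""
        if self.start_seq is None:
            return 0
        delta = (self.last_seq - self.start_seq) % SEQ_MOD
        delta -= 1                                # the SYN
        if self.fin_seen:
            delta -= 1                            # the FIN
        return delta % SEQ_MOD                    # negative values wrap, as in unsigned arithmetic


def replay(segments, **policy):
    """Feed one endpoint's segments, (flags, seq, payload_len), and return its size."""
    tracker = EndpointTracker(**policy)
    for flags, seq, length in segments:
        tracker.segment(flags, seq, length)
    return tracker.data_bytes()


OLD = dict(count_every_fin=False, trust_rst_seq=True)
NEW = dict(count_every_fin=True, trust_rst_seq=False)

# Constructed traces (sequence numbers made up, as in the commit messages).
NORMAL = [("SYN", 100, 0), ("ACK", 101, 10), ("FIN", 111, 0)]          # 10 bytes of data
FIN_RETRANSMIT = [("SYN", 100, 0), ("FIN", 101, 0), ("FIN", 101, 0)]     # no data, FIN sent twice
RESYNC_RST = [("SYN", 100, 0), ("RST", 500, 0)]                          # A: SYN 100 ... A: RST 500

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("fin retransmit", FIN_RETRANSMIT), ("resync rst", RESYNC_RST)]:
        print(f"{name:15s} old={replay(trace, **OLD)} new={replay(trace, **NEW)}")
```

With the old policies the retransmitted-FIN trace reports 2^32 - 1 bytes
(the subtraction of the SYN and FIN pseudo-bytes goes one below zero and
wraps) and the re-synchronizing endpoint reports 399 bytes it never sent;
with the new policies both report 0, while the ordinary 10-byte
connection is unaffected.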
When an anonymous function was defined inside an initialization
context, that context transferred over to the function body and could
lead to spurious error messages.
This is mainly an experiment to see if this makes sense. I'm not very
fond of the arguments being wrapped into a discriminating union, but I
like it better than other alternatives at least.
The new code is untested.
* origin/topic/jsiwek/review-rafael-bro-manual-changes:
Add unit tests for new Bro Manual docs.
Reformat line width of some docs (i.e. `fmt -72`).
Pass over doc xref links and linking style.
New Bro Manual Development Edition and basic.css to fix btest output overflow problem (Update 1).
BIT-1118 #merged
The Plugin.cc file is now just a standard class, with the interface
changed a bit to make it easier to write. However, there are still
some conventions that one must follow to make everything work (like
using the right namespace structure).
This commit also includes the option to compile built-in plugins
dynamically instead of statically by adding
SET(BRO_PLUGIN_BUILD_DYNAMIC TRUE) to their CMake config. This hasn't
been tested much yet, and I'm still undecided if it's something we
would want to do by default--but we could now if wanted. :)
Also some minor other cleanup of plugin APIs and build infrastructure.
All tested on MacOS only currently.
* origin/topic/jazoff/notice_file_info:
Include file information in notices
BIT-1113 #merged
I'm wondering if there's a way to test creating these emails ... ?
* origin/topic/jsiwek/libmagic-integration:
Don't use LOG_* options to ExternalProject_Add if not supported.
Integrate libmagic 5.16 via CMake ExternalProject.
BIT-1116 #merged
This includes enhanced GRE headers. GRE tunnels are treated just like
IP-in-IP tunnels by parsing past the GRE header in between the delivery
and payload IP packets.
* origin/fastpath:
Improve GeoIP City database support.
Broxygen init fixes, addresses BIT-1110.
Fix for packet writing to make it use the global snaplength.
Fix for traffic with TCP segmentation offloading with IP header len field being set to zero.
When trying to open a city database, it now considers both the "REV0"
and "REV1" versions of the city database instead of just the former.
The extra fields of the "REV1" version (metro/area code) aren't yet put
in geo_location records, this change just allows this version of the
city database to be opened w/ same functionality as the other version.
This should be convenient because libGeoIP expects either version to
live at the same file system path, it's hard to tell which version
you've got, and current free GeoLite databases seem to be "REV1".
- Don't check mtime of bro binary if BRO_DISABLE_BROXYGEN env var set.
- Fix failure to locate bro binary if invoking from a relative
path and '.' isn't in PATH.
Instead of storing the entire notice in Notice::suppressing,
just store the time the notice should be suppressed until.
This has the same functionality, except that end_suppression can no
longer be generated.
* origin/topic/dnthayer/doc-updates:
Fix typo in Bro 2.2 NEWS
Fixed typo in the Quick Start Guide
Add documentation for event parameters
Fix typos in BIF documentation
Update the documentation of types and attributes
BIT-1109 #merged