That could occur either in taking a zero-length mask on an IPv6 address
(e.g. [fe80::]/0) or a reverse mask of length 128 on any address (e.g.
via the remask_addr BuiltIn Function).
Added a new section that is intended as a how-to for configuring a Bro
cluster (this section does not discuss cluster architecture or theory)
that is aimed at beginners to Bro. Most of this content was moved here
from the BroControl doc (which is now intended as more of a reference guide
for more experienced users) and the load balancing FAQ on the website.
BIT-1189 #merged
* origin/topic/bernhard/ec-curve:
fix broxygen errors
Polish changes for ecdhe/dhe
Add DH support to SSL analyzer.
Add a few more ciphers Bro did not know at all so far.
Forgot a few ciphers in the EC list...
Log chosen curve when using ec cipher suite in TLS.
* origin/fastpath:
Fix missing "irc-dcc-data" service field from IRC DCC connections.
Change X509 extension value parsing to not abort on malloc failures.
* origin/fastpath:
Correct a notice for heartbleed. The notice is thrown correctly, just the message conteined wrong values.
Improve/standardize some malloc/realloc return val checks.
Improve file analysis manager shutdown/cleanup.
file_analysis::Manager's dtor now doesn't assume any more analysis
progress can be made because too many of Bro's other subsystems
are shutdown by that point. Any file analysis requests made after
Terminate cannot be reliably processed.
* origin/topic/bernhard/ssl-analyzer:
Fix a few failing tests
Add very basic ocsp stapling support.
Add documentation, consts and tests for the new events.
Support parsing of several TLS extensions.
Make SSL/TLS version detection less brittle.
Nicer notices for heartbleed.
rip out state handline from ssl analyzer.
enable detection of encrypted heartbleeds.
also extract payload data in ssl_heartbeat
add to local.bro, add disclaimer
make tls heartbeat messages a bit better.
fix tabs.
polish script and probably detect encrypted attacks too.
detect and alert on simple case of heartbleed
default to TLS when not being able to determine version
add is_orig to heartbeat event
Throw new event for heartbeat messages.
BIT-1178 #merged
* origin/topic/jsiwek/faf-perf:
Adapt HTTP partial content to cache file analysis IDs.
Adapt SSL analyzer to generate file analysis handles itself.
Adapt more of HTTP analyzer to use cached file analysis IDs.
Adapt IRC/FTP analyzers to cache file analysis IDs.
Refactor regex/signature AcceptingSet data structure and usages.
Enforce data size limit when checking files for MIME matches.
Refactor file analysis file ID lookup.
The "dns_TXT_reply" event now uses a "vector of strings" as the final
parameter instead of just a "string" in order to support DNS TXT
resource records that contain multiple character-strings.
The format in which the TXT answers are logged by default is now changed
to be a list of strings of the form `fmt("TXT %d %s", |str|, str)`, one
for each character-string in the RR and delimited by a space (' ')
character.
This also fixes the heartbleed detector to work for encrypted attacks in this
branch again. It stopped working, because the SSL analyzer now successfully detects
established connections, and the scripts usually disable analyzing after that.
(The heartbeat branch should not have been affected)
The initial file ID I think is still ambiguous and/or depends on
script-layer state tracking enough that it still needs to request a file
ID via an event at first, but once that is assigned to an HTTP (MIME)
entity, it never makes sense that it can change (so re-using a cached ID
works).
At the moment, we have support for:
elliptic_curves: client supported elliptic curves
ec_point_formats: list of client supported EC point formats
application_layer_protocol_negotiation: list of supported application layer protocols (used for spdy/http2 negotiation)
server_name: server name sent by client. This was supported before, but... a bit brittle.
