The pcap file format has a global header and a header per packet. The
global header of the pcap in question had a snaplen of 1, but with
packet headers indicating the full number of bytes saved within the
file. It seems like the pcap file must have been artificially edited in
order for it to be this way.
When reporting the captured length of a packet, Apple's version of
libpcap now seems to report the full number of bytes saved within the
pcap's per-packet headers, but other versions seem to report the snaplen
from the global pcap header. This caused the core.truncation test to
behave differently on macOS from other platforms.
I've manually hexedit'd the pcap so that the snaplen is still 1, but
contains just a single packet with a pcap header indicating a length of
8, which is less than the size of the link layer header and so should
still test the original code path that the unit test intended to
exercise.
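The snaplen mismatch described above, as an added example (not part of the original commit message or of Bro's code): a minimal reader for the classic pcap layout that reports both readings of a packet's captured length. The sample bytes are constructed to match the description (snaplen 1, one packet with a length of 8); the Ethernet link type and the orig_len of 60 are assumptions.

```python
import struct

# Link-layer header sizes by pcap link type; only Ethernet (DLT_EN10MB = 1) here.
LINK_HDR_LEN = {1: 14}

def parse_pcap(data):
    """Parse a classic pcap file; return (snaplen, linktype, records)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    # Global header after the magic: version, thiszone, sigfigs, snaplen, network.
    _maj, _min, _zone, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        # Per-packet header: ts_sec, ts_usec, incl_len (bytes saved), orig_len.
        _sec, _usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("packet record runs past end of file")
        records.append((incl_len, orig_len))
        off += incl_len
    return snaplen, linktype, records

def audit(data):
    """Report, per packet, both readings of the captured length."""
    snaplen, linktype, records = parse_pcap(data)
    need = LINK_HDR_LEN.get(linktype, 0)
    return snaplen, [{
        "caplen_from_packet_header": incl_len,
        "caplen_clamped_to_snaplen": min(incl_len, snaplen),
        "exceeds_snaplen": incl_len > snaplen,
        "shorter_than_link_header": incl_len < need,
    } for incl_len, _orig_len in records]

# Constructed sample: snaplen 1, Ethernet, one packet with 8 saved bytes.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1, 1)
          + struct.pack("<IIII", 0, 0, 8, 60) + bytes(8))

if __name__ == "__main__":
    print(audit(SAMPLE))
```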
The expire-redef.bro test was sometimes failing due to the second "Run"
message being printed after (should happen before) the "Expired"
message. Fixed by increasing the time interval between events.
Also reduced the number of events raised to make the test finish more
quickly.
The catch-and-release.bro test was failing whenever three conditions
were all true: sorting the netcontrol.log before comparing to
the baseline, the presence of LC_ALL=C in btest.cfg changes the sort
order, and sometimes the timestamp increases slightly beginning
with one of the rule_id == 5 lines.
As a result of these three conditions, the sorted order of the lines
with rule_id of 5 was different than the baseline.
Fixed by not sorting netcontrol.log, as this doesn't seem necessary.
This adds a slight patch to the HTTP analyzer, which recognizes when a connection is
upgraded to a different protocol (using a 101 reply with a few specific headers being
set).
In this case, the analyzer stops further processing of the connection (which will
result in DPD errors) and raises a new event:
    event http_connection_upgrade(c: connection, protocol: string);
Protocol contains the name of the protocol that is being upgraded to, as specified in
one of the header values.
Closes #1830.
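The upgrade check described above, as an added example (not part of the original commit message and not the analyzer's code): the commit does not name the headers, so this sketch assumes the Connection and Upgrade headers that HTTP/1.1 defines for protocol switching. The function names and the sample replies are constructed for illustration.

```python
def detect_upgrade(response_head: bytes):
    """Return the protocol named in a 101 upgrade reply, else None."""
    text = response_head.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = text.split("\r\n")
    status = lines[0].split(None, 2)
    if len(status) < 2 or not status[0].startswith("HTTP/") or status[1] != "101":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    # Connection is a comma-separated token list, compared case-insensitively.
    tokens = {t.strip().lower()
              for v in headers.get("connection", []) for t in v.split(",")}
    upgrade = headers.get("upgrade", [])
    if "upgrade" not in tokens or not upgrade or not upgrade[0]:
        return None
    return upgrade[0]

def split_at_upgrade(server_stream: bytes):
    """Return (protocol, bytes after the reply head that are no longer HTTP)."""
    head, sep, rest = server_stream.partition(b"\r\n\r\n")
    if not sep:
        return None, b""
    protocol = detect_upgrade(head)
    # After an upgrade the remaining bytes belong to the new protocol and
    # must not be handed to an HTTP parser.
    return protocol, (rest if protocol else b"")

# Constructed sample replies.
WEBSOCKET_REPLY = (b"HTTP/1.1 101 Switching Protocols\r\n"
                   b"Connection: keep-alive, Upgrade\r\n"
                   b"Upgrade: websocket\r\n\r\n"
                   b"\x81\x02hi")
NO_CONNECTION_TOKEN = (b"HTTP/1.1 101 Switching Protocols\r\n"
                       b"Upgrade: websocket\r\n\r\n")
NOT_A_101 = (b"HTTP/1.1 200 OK\r\n"
             b"Connection: Upgrade\r\nUpgrade: h2c\r\n\r\nbody")

if __name__ == "__main__":
    for sample in (WEBSOCKET_REPLY, NO_CONNECTION_TOKEN, NOT_A_101):
        print(split_at_upgrade(sample))
```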
* origin/topic/johanna/ocsp-sct-validate: (82 commits)
  Tiny script changes for SSL.
  Update CT Log list
  SSL: Update OCSP/SCT scripts and documentation.
  Revert "add parameter 'status_type' to event ssl_stapled_ocsp"
  Revert "parse multiple OCSP stapling responses"
  SCT: Fix script error when mime type of file unknown.
  SCT: another memory leak in SCT parsing.
  SCT validation: fix small memory leak (public keys were not freed)
  Change end-of-connection handling for validation
  OCSP/TLS/SCT: Fix a number of test failures.
  SCT Validate: make caching a bit less aggressive.
  SSL: Fix type of ssl validation result
  TLS-SCT: compile on old versions of OpenSSL (1.0.1...)
  SCT: Add caching support for validation
  SCT: Add signed certificate timestamp validation script.
  SCT: Allow verification of SCTs in Certs.
  SCT: only compare correct OID/NID for Cert/OCSP.
  SCT: add validation of proofs for extensions and OCSP.
  SCT: pass timestamp as uint64 instead of time
  Add CT log information to Bro
  ...
log-hostcerts-only relied on old event ordering; the identifier key of
validate-certs is now shorter (no function change, just potentially a
tiny bit faster).
I added another small change - since we are inlining Configure(), we can
just set bro_plugin directly to BRO_PLUGIN_BRO_VERSION in
src/plugin/Plugin.h, instead of depending on the plugin to do it. This
also means we do not need to change init-plugin in bro-aux at this
moment.
BIT-1828 #closed
* origin/topic/robin/plugin-version-check:
  Adding plugin API number into versioned function name, and removing old runtime API version check.
  Extend plugin infrastructure to catch Bro version mismatches at link time.
- Addresses Philip Romero's question from the Bro mailing list.
- Adds Microsoft Edge as a detected browser.
- We are now unescaping encoded characters in software names.
time.
People keep running into the problem that they upgrade Bro but forget
to recompile their plugins--which can lead to crashes. While the
plugins' API version was supposed to catch this, it's not reliable as
that check may come too late. This change takes a different tack: We
compile a C function into the Bro binary that has Bro's version number
encoded into its name. A plugin can then reference that function. If
the Bro version changes, the function goes away and the plugin won't
load anymore.
I've integrated that function reference into the plugin skeleton code
so that new plugins get it automatically (unless explicitly removed).
I couldn't see a way to do it transparently for already existing
plugins unfortunately.
The version number used for the function name is slightly normalized
to skip any git revision postfixes (i.e., "2.5-xxx" is always treated
as "2.5-git") so that one doesn't need to recompile all plugins after
every master commit. That seems good enough, usually people run into
this when upgrading to a new release.
If one loads an old plugin into a new Bro, the error message looks
like this:
    $ bro -NN Demo::Foo
    fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1:
    cannot load plugin library /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so:
    /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so: undefined symbol: bro_version_2_5_git_debug
Not the prettiest, but better than a crash!
TODO: I'm still unsure if we should remove the plugin API version
altogether now. This link-time check should catch everything the API
version does, except for master commits.
* origin/topic/dnthayer/ticket1821:
  Remove loading of listen.bro in tests that do not need it
  Serialize tests that load listen.bro
  Fix race condition causing some tests to fail
  Fix a race condition in some failing tests
  The broccoli-v6addrs "-r" option was renamed to "-R"
  Fix a race condition in some failing tests