- When a log record is being "unrolled" (sub-records flattened
out into a single record), it's now possible to choose the
character/string to separate the outer name from the inner
name. This can be used to work around the problems
with ElasticSearch 2.0 not supporting dots "." in field names.
This value can be provided per-filter as well as a global
default value.
- Log fields can be renamed by providing a table per-filter
(or a global default) to rename fields for any log writer.
The name translation is performed after unrolling so the
value in the field name table must match whatever is being
used to separate field names.
For example if the unrolling separator was set to "*":
redef Log::default_unrolling_sep = "*";
The field name map would need to reflect it:
redef Log::default_field_name_map = {
    ["id*orig_h"] = "src",
    ["id*orig_p"] = "src_port",
    ["id*resp_h"] = "dst",
    ["id*resp_p"] = "dst_port",
};
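The ordering the entry describes (unroll first, then rename, so the map keys must use the same separator) is easy to get wrong silently: a map written with "." while the separator is "*" simply matches nothing and the original dotted-or-starred names reach the writer unchanged. The following is an added illustration in Python, not Bro's own code, that models the writer's unroll-then-rename step on a constructed conn-style record; the function and variable names (`unroll`, `rename`, `write_record`, `unmapped_fields`, `FIELD_NAME_MAP`) are assumptions that mirror `Log::default_unrolling_sep` and `Log::default_field_name_map`, and the check at the end reports map keys that matched no unrolled field.

```python
# Added illustration (not Bro's own code): models how a log writer first
# "unrolls" nested record fields into flat names joined by a separator and
# then applies the field-name rename map. Names are assumptions mirroring
# Log::default_unrolling_sep / Log::default_field_name_map.
from typing import Any, Dict, List, Mapping, Optional

# Constructed sample record (not real traffic): a conn.log-style entry with
# a nested "id" sub-record, the case that trips ElasticSearch 2.0 on dots.
SAMPLE_CONN: Dict[str, Any] = {
    "ts": 1451606400.0,
    "uid": "CXWv6p3arKYeMETxOg",
    "id": {
        "orig_h": "10.0.0.5",
        "orig_p": 51234,
        "resp_h": "93.184.216.34",
        "resp_p": 443,
    },
    "proto": "tcp",
}

# The map from the changelog entry, written for an unrolling separator of "*".
FIELD_NAME_MAP: Dict[str, str] = {
    "id*orig_h": "src",
    "id*orig_p": "src_port",
    "id*resp_h": "dst",
    "id*resp_p": "dst_port",
}


def unroll(record: Mapping[str, Any], sep: str, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested sub-records; outer and inner names are joined with `sep`."""
    flat: Dict[str, Any] = {}
    for name, value in record.items():
        full = f"{prefix}{sep}{name}" if prefix else name
        if isinstance(value, dict):
            flat.update(unroll(value, sep, full))
        else:
            flat[full] = value
    return flat


def rename(flat: Mapping[str, Any], field_name_map: Mapping[str, str]) -> Dict[str, Any]:
    """Apply the rename map to already-unrolled names; unmatched keys pass through."""
    return {field_name_map.get(name, name): value for name, value in flat.items()}


def write_record(record: Mapping[str, Any], sep: str = ".",
                 field_name_map: Optional[Mapping[str, str]] = None) -> Dict[str, Any]:
    """Unroll first, rename second: the order the changelog entry specifies."""
    return rename(unroll(record, sep), field_name_map or {})


def unmapped_fields(flat: Mapping[str, Any], field_name_map: Mapping[str, str]) -> List[str]:
    """Map keys that matched no unrolled field, i.e. separator and map disagree."""
    return sorted(set(field_name_map) - set(flat))


if __name__ == "__main__":
    # Default "." separator: field names contain dots (the ES 2.0 problem).
    print(write_record(SAMPLE_CONN))
    # "*" separator plus a matching map: nested id fields become src/dst names.
    print(write_record(SAMPLE_CONN, sep="*", field_name_map=FIELD_NAME_MAP))
    # Mismatch: a map written with "." against a "*" separator renames nothing.
    dotted_map = {k.replace("*", "."): v for k, v in FIELD_NAME_MAP.items()}
    print("unmatched:", unmapped_fields(unroll(SAMPLE_CONN, "*"), dotted_map))
```

Running the script with the mismatched map prints all four dotted keys as unmatched while the emitted record still carries `id*orig_h` and friends, which is the symptom to look for when a rename map appears to have no effect.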
By default, OS X 10.11 does not include openssl headers.
Since building a Bro plugin #includes Bro headers, which #include openssl
headers, we need to tell cmake to find these so that the compiler
can use them.
The extension mechanism is basically the one that Seth introduced with
his intel extensions. The main difference lies in using a hook instead
of an event. An example policy implements whitelisting.
Scheduling a local event variable resulted in a global lookup instead of
evaluating the local variable. To prevent misunderstandings, this will
trigger an error now.
When receiving a remote log via broker, there was a bug that would
prevent a log from being written if the log record contained a field
without the &log attribute that was followed by a field with the &log
attribute.
Updated a test case to catch this error.
When Bro was compiled with broker disabled, then some Bro scripts
were referencing functions and types that were not defined. Fixed
by adding @ifdefs to several scripts. Removed one @ifdef because
it was causing several unit tests to fail.
Also fixed the @TEST-REQUIRES check in tests that rely on broker so
that such tests are skipped when broker is disabled.
(Cleaned up some code a little bit.)
* origin/topic/seth/stats-improvement:
Fixing tests for stats improvements
Rename the reporting interval variable for stats.
Removing more broken functionality due to changed stats apis.
Removing some references to resource_usage()
Removing Broker stats, it was broken and incomplete.
Fixing default stats collection interval to every 5 minutes.
Add DNS stats to the stats.log
Small stats script tweaks and beginning broker stats.
Continued stats cleanup and extension.
More stats collection extensions.
More stats improvements
Slight change to Mach API for collecting memory usage.
Fixing some small mistakes.
Updating the cmake submodule for the stats updates.
Fix memory usage collection on Mac OS X.
Cleaned up stats collection.
BIT-1581 #merged
This was causing occasional problems with the time on processes
running lots of threads. The use of gmtime in the json
formatter is the likely culprit due to the fact that the
json formatter runs in threads. More evidence for this is that
the problem only appears to exhibit when logs are being written
as JSON.
* origin/topic/dnthayer/doc-improvements:
Fix some scripting tutorial examples
Add some missing Bro script documentation
Fix more "make doc" warnings
Fix some "make doc" warnings
Improve documentation of the "for" statement
Add more documentation to sumstats framework scripts
Update traffic per core estimate in the cluster doc
Update documentation for DNS "Z" field
Improve documentation of Bro script statements
BIT-1520 #merged
* origin/topic/johanna/xmpp-starttls:
XMPP: Add StartTLS event and update tests
Add xmpp dpd sig and fix a few parsing problems for connections that do not upgrade to TLS.
Add simple XMPP StartTLS analyzer.
BIT-1579 #merged
Some of the examples in the scripting tutorial were regularly getting
out of sync with the base scripts (because the line numbering would need
to be updated). Fixed this maintenance burden by using small example
scripts instead of actual Bro scripts. These small example scripts
do not need to be kept in sync with the bro base scripts.
* origin/fastpath:
Fix a few incorrect type tags in Bro broker source code
Update docs and tests of the fmt() function
Revert "Fix RFB analyzer to build on FreeBSD"
Fix RFB analyzer to build on FreeBSD
BIT-1449 #merged
* origin/topic/dnthayer/ticket1449:
Rename broker BIF wrapper functions in a few more places
Sync the core/leaks/broker/data.bro test with broker/data.bro
Add missing tests for broker data BIFs
Code cleanup for some broker tests
Add script wrapper functions for broker data BIFs
Add script wrapper functions for broker BIFs
BIT-1574 #merged
* origin/topic/johanna/imap-starttls:
IMAP: add c++11 header file that gcc complains about.
IMAP: documentation and test updates
Also generate an event when StartTLS is encountered for IMAP.
Add support of getting server capabilities to IMAP parser.
Basic IMAP StartTLS analyzer.
* 'master' of https://github.com/vitalyrepin/bro:
Unknown data link type error message printed out props.link_type instead of arg_props.link_type. It led to meaningless and misleading output (e.g.: 'unknown data link type 0xffffffff').
Added tests for the table_clear and vector_clear BIFs, and added
more tests for container types (e.g. adding the same element twice
to a set or table, or overwriting a record field value, etc.).
Also reorganized several test cases.