Commit graph

369 commits

Author SHA1 Message Date
Seth Hall
4df961aa60 Log specific event and debug log printing is working!
This is mostly a code checkpoint though.
2011-01-21 16:46:06 -05:00
Robin Sommer
9cea6c5b01 Some small tweaks to the HTTP analyzer.
From ticket #339.
2011-01-20 13:54:54 -08:00
Seth Hall
2be835c4e8 Merge branch 'master' into topic/logging-framework 2011-01-20 16:32:29 -05:00
Robin Sommer
fa7654ec75 Merge remote branch 'origin/topic/robin/entropy'
* origin/topic/robin/entropy:
  A few smaller tweaks.
  Applying Seth's patch from #265 adding entropy BiFs.
2011-01-19 17:38:29 -08:00
Robin Sommer
3bc2a26ea6 Merge remote branch 'origin/fastpath'
* origin/fastpath:
  Removing noisy output about doing incremental serialization. Addresses #292.
  Loading scan.bro in portmappter.bro, per #330.
  Connection compressor fix from #338.
  Working around not being able to do lookup_addr() for IPv6 addresses.
  IPv6 UDP checksum calculation was broken. (Matti Mantere)
  Fix for portmapper analyzer segfaulting when parsing portmap dump replies. (Gregor Maier)
  Keep buffering state across file rotation (Justin Azoff)
2011-01-19 17:05:04 -08:00
Robin Sommer
1e407b433c Merge branch 'fastpath' of ssh://envoy.icir.org/bro into fastpath 2011-01-19 16:48:25 -08:00
Robin Sommer
eb72ca7771 Revert "Some small tweaks to the HTTP analyzer".
This reverts commit 763a446182.
2011-01-19 16:45:42 -08:00
Robin Sommer
127ed569a6 Merge commit 'b8ab0ebc22'
* commit 'b8ab0ebc22':
  Removing expire timer from http_sessions.
2011-01-19 16:38:34 -08:00
Robin Sommer
b67e4e5765 Loading scan.bro in portmappter.bro, per #330. 2011-01-19 11:53:31 -08:00
Seth Hall
7ffbac68a4 Merge branch 'master' into topic/seth/ssl-analyzer-work 2011-01-19 10:49:19 -05:00
Seth Hall
f3b148b019 Checkpoint for logging framework 2011-01-19 09:36:06 -05:00
Robin Sommer
dbca5be43c Applying Seth's patch from #265 adding entropy BiFs. 2011-01-06 17:16:10 -08:00
Gregor Maier
763a446182 Some small tweaks to the HTTP analyzer
From ticket #339 http://tracker.icir.org/bro/ticket/339 :

* Fixing a couple of minor issues in the HTTP analyzer, that made the
  analyzer raise a ProtocolViolation() on strange but seemingly legal
  HTTP traffic. Well, the traffic might not necessarily be adhering to the
  RFC, but the server has understood it.

* Also stops parsing when the message is interrupted to prevent further
  parsing and ProtocolViolation() generation.

* skip_http_entity_data: check return value of FindAnalyzer, since it
  can be NULL

In addition:
* http-headers.bro now loads http.bro

Testsuite changes:
* Added a new weird (empty_http_request). This shows up once in the medium
  testsuite.
* no change when running short testsuite
2010-12-13 19:11:05 -08:00
Gregor Maier
b8ab0ebc22 Removing expire timer from http_sessions.
The expire timeout for the http_sessions table is unnecessary and it
actually breaks http session semantics for long-lived sessions. The
connection_state_remove() event can take care of cleaning up unanswered
sessions.

If a HTTP transfer exceeds the expire timer, then once the expire timer
fires we get an "unanswered" HTTP request in http.log and once the
reply is done (http_reply_done event), it fails to locate the associated
request (because it expired) and thus results in an "unsolicited" HTTP
reply being logged (although they should be one http session).

There was a comment in the expire_function mentioning that without the
expire timer some requests don't show up with the test-suite. However,
after checking back with Robin, I could not reproduce this behavior.
(Actually there's one fewer request in the output without the
expire-timer, but this can be explained by the above observation, so
this is not an error but the way it should be).

This patch results in changes to test-suite output:
  * Timestamps for unanswered HTTP replies differ for unanswered request
    in the "short" test.
  * Medium testcase (note: lines are sorted, they are not in the order)::

	-902189670.828700 <unknown request> (0 "" [40880 (interrupted)])
	-902189670.828700 GET /1998/b142.ps <no reply>
	-902189670.828700 start <<IP>>:<<port>> <<IP>>:80
	+902189670.828700 GET /1998/b142.ps (200 "OK" [40880 (interrupted)] <<a.host.name>>)
2010-12-11 10:51:37 -08:00
Robin Sommer
b0cb05de64 Merge with Subversion repository as of r7098. 2010-11-27 12:50:01 -08:00
Robin Sommer
3f0ce359a2 Cleanup of the Bro distribution.
* Deleting a lot of old stuff no longer maintained or needed.

* Updating some of the top-level instructions.
2010-11-26 13:45:54 -08:00
Robin Sommer
610d081c4b Merge with origin/topic/cmake-port.
Needed to readd the broctl/broccoli/binpac submodules manually, as
git seemed to get confused by the existing directories.
2010-11-24 21:02:08 -08:00
Seth Hall
06ca14ea45 Updated SSL analyzer and Bro script with lots of new ciphers. 2010-10-26 16:41:15 -04:00
Robin Sommer
61757ac78b Initial import of svn+ssh:://svn.icir.org/bro/trunk/bro as of r7088 2010-09-27 20:42:30 -07:00