- New log file for auditing the notice policy to
see at a specific point in time what the fully
ordered (by priority) notice policy was.
- New notice action "ACTION_STOP" to stop processing
the notice policy. This is essentially how the old
IGNORE action can be done with the accumulative
notices actions. It just needs to be set as the
$result at an appropriately high priority.
- No longer using the "match" statement as it didn't
provide the flexibility to implement accumulative
notice actions. The functionality is now implemented
completely in script-land.
- Beginning removal of action-filters script.
Still need to come up with a way to implement
some of the functionality of that script.
- Small documentation updates.
The http.log that both sides produce is the same, but the
http-related events that each serializes into events.bst
don't look equivalent when read back and cause the test to fail.
I removed the diff'ing against which scripts Bro outputs as loaded
because that's going to be sensitive to changes in which scripts
get loaded by default. What really matters is the output that shows
that Bro was able to load the script via a directory's __load__.bro.
This change primarily improves the way Bro detects and prevents
the same script from being loaded twice. It now compares inode
numbers instead of path names.
"conn-id.bro" was the name of a script in the policy/ directory that conn.bro
expected to @load, but when the unit test was also named "conn-id.bro",
it would be loaded twice during the test (once from conn.bro and once
as a command line argument to bro). This means two event handlers were
registered in error and the baseline output contained duplicate lines
that can be removed.
- Split Item into Item and QueryItem as suggested by Robin.
- QueryItem now has $and_tags and $or_tags. Each
acts as AND or OR for the given tags against
each relevant metadata value.
- 'insert' turned into a function and new insert_event created.
- First use of intelligence framework in HTTP analysis.
- Removed reverse dependency of mime loading smtp.
- Extracting filename correctly now.
- Now copes with mime_end_entity dual firing bug.
- File hashing interface more similar to other file
hashing interfaces.
- New notice for when a hash is calculated.
- Removed the net_stats_update event.
- Created a net_stats function for building and retrieving the
current network statistics.
- Removed the internal timer for firing the net_stats_update event
along with the global heartbeat_interval variable.
- Updated the netstats script to use the new BiF.
- Updated the stats script to use the new BiF.
Logging to stdout for use in a baseline doesn't work well when
there may be scripts that get loaded by default (in this case,
packet-filter) and also do logging. Instead just baseline against
the logs generated by the test in question.