- New script extracted from weird.bro to implement the
connection related "weird" data into an optionally
loaded script.
- Adjusted the default notice tuning to stop ignoring
the connection related weirds since they aren't loaded
by default anymore.
- Fixed a bug where notices were being passed to proxies.
This was a mistake and should greatly reduce load on
many clusters.
- Cluster event regex variables renamed to:
- Notice::manager2worker_events
- Notice::manager2proxy_events
- Notice::worker2manager_events
- Notice::worker2proxy_events
- Notice::proxy2manager_events
- Notice::proxy2worker_events
- The default Notice::policy set is cleared for all cluster
nodes except for managers to cause all default notice
processing to occur on managers. This should reduce load
on workers slightly.
- Certificate validation volume has been greatly cut down by
caching results.
- Cert hashing is now done in one place instead of being repeated
everywhere a cert hash was needed.
- Some small cleanups for notice suppression that should greatly reduce
duplicate notice volume about invalid certificates.
- With the software-browser-plugins script you can watch for Omniture
advertising servers to grab the list of installed plugins.
- I reorganized the plugin detection a bit too to abstract it better.
- Removed the WEB_ prefix from all of the Software::Type HTTP enums.
They were essentially redundant due to the full name already being
HTTP::SERVER (for example).
* origin/topic/jsiwek/http-1xx-replies:
Change logging of HTTP 1xx responses to occur in their own columns.
Fix handling of HTTP 1xx response codes (addresses #411).
- I was wildly misunderstanding the semantics of the
connection_state_remove event. That's fixed now in
my brain and in the script.
- If a service isn't detected, logging is delayed by
2 minutes to try and allow for another connection
to happen that actually does the protocol correctly
and detectably.
- A null value no longer fits since if there is no body
a value of zero makes sense. Previously, a null value would
makes sense because the Content-Length header may not have
been sent which would leave the field null.
- I removed the byte loss estimate since everything indicated that
it could frequently be inaccurate.
- It has it's own logging stream now. Notices are only used
when too much loss has been detected (CaptureLoss::Too_Much_Loss)
- The gap_report event isn't used anymore. I'm scheduling events
to get the same effect by using the get_gap_summary BiF to
collect the gap summary on demand.
- scan.bro and hot.conn.bro will be returning soon.
- The rest are going to return as updated protocol analysis
scripts and new/updated frameworks later.
Updated README and collected coverage-related tests in a common dir.
There are still coverage failures resulting from either the following
scripts not being @load'd in the default bro mode:
base/frameworks/time-machine/notice.bro
base/protocols/http/partial-content.bro
base/protocols/rpc/main.bro
Or the following result in errors when @load'd:
policy/protocols/conn/scan.bro
policy/hot.conn.bro
If these are all scripts-in-progress, can we move them all to live
outside the main scripts/ directory until they're ready?
Changed the parser to not treat 1xx response codes as a final answer
to an unanswered request -- a later response is still expected.
The scripting layer will also not finish a request-reply pair when
seeing 1xx's, instead it logs both the 1xx and final response messages
with associated information of the current request as they're seen.
- protocols/ssl/expiring-certs uses time based information from
certificates to determine if they will expire soon, have already
expired, or haven't yet become valid.
- protocols/ssl/extract-certs-pem is a script for taking certs off
the line and converting them to PEM certificates with the openssl
command line tool then dumping them to a file.
- Fixed the notice_policy log.
- Predicate functions are now logged.
- Predicate functions are now optional. If not given, it's assumed that
the result should always apply.
* origin/topic/seth/notice-suppression:
Updated a notice related baseline and added a necessary @load line.
Notice suppression clean up and notice/cluster integrtion fixes.
Updates for notice suppression to use the &create_expire attribute
Small, mostly cosmetic updates and fixing a test.
Fix crash on exit (addresses #607).
Duplicate notice suppression.
Closes#623.
* origin/fastpath:
Fix PktSrc setting next_timestamp even when no packet available
Fix lack of NUL-termination in to_upper/to_lower BIF's return val.
Fixing unit tests and some minor bugs.
Fix broctl cluster log rotation (addresses #619)
* master:
