- SSL related files and classes renamed to remove the "binpac" term.
- A small fix for DPD scripts to make the DPD log more helpful if
there are multiple continued failures. Also, fixed the SSL
analyzer to make it stop doing repeated violation messages for
some handshake failures.
- Added a $issuer_subject to the SSL log.
- Created a basic test for SSL.
conn.log now sets a field indicating all the parent tunnel UIDs over
which a connection operated and cross reference the UIDs found in
the tunnel.log.
Also some renaming of tunnel related types at the scripting layer.
- Packet loss interval changed to 5 minutes by default. Users
were getting too many notices from this.
- BPF load balancing (ipv4 and ipv6). This will tie in with
upcoming BroControl support for configuring this.
- BPF based connection sampling.
- Small improvements to how and when filters are installed.
- AYIYA works.
- AYIYA analyzed connections are still labelled wrong in conn.log (logged as syslog)
- Some clean up for left over code.
- Small refactoring to pass packets back from analyzers to core.
- $uid is now optional in conn logs since ip-in-ip tunnel parent's
won't have an actual connection.
- The option to use integers insteads of double was ignored.
- Renaming script-level options to remove the ds_ prefix.
- Log rotation didn't work.
- A set of simple unit tests.
I copied the code over manually, no merging, because (1) it needed to
be adapted to the new threading API, and (2) there's more stuff in the
branch that I haven't ported yet.
The DS output generally seems to work, but it has seen no further
testing yet.
Not unit tests yet either.
- New script measures a couple of aspects of SMTP traffic.
- Existing metrics scripts had a small amount of work done
to make them work with changes to metrics framework.
- Metrics:ID enum has been replaced with strings.
- Uniqueness can now be measured with the Metrics::add_unique function.
- Filters can change the index value with the $normalize_func field.
compiles, not really tested.
basic test works 70% of the time, coredumps in the other 30 - but was not easy to debug on a first glance (most interestingly the crash happens in the logging framework - I wonder how that works).
Other tests are not adjusted to the new interface yet.
Seems to work -- all test pass.
But there are thread-safety issues at the moment, because the constructors of IPAddr and IPPrefix are not thread-safe, but needed by workers.
Conflicts:
src/logging/Manager.cc
* change internal reader interface again
* remove some quite embarassing bugs that must have been in the interface for rather long
* add different read methods to script & internal interface (like normal, streaming, etc). Not implemented in ascii reader yet.
- Large rework on packet filter framework to make many things easier.
- Removed the PacketFilter::all_packets variable because it was confusing.
- New variable (PacketFilter::enable_auto_protocol_capture_filters) to re-enable the old filtering model of only sniffing ports for analyzed protocols.
- In progress plugin model for adding filtering mechanisms.
- New default single item for capture_filters = { ["default"] = PacketFilter::default_capture_filter };
- Mechanism and helper functions to "shunt" traffic with filters.
- Created the Protocols framework to assist with reworking how base protocol scripts are registered with DPD and other things.
- Protocols framework creates BPF filters for registered analyzers. (if using PacketFilter framework in that mode).
But: there are still a few places where I am sure that there are race conditions & memory leaks & I do not really like the current interface & I have to add a few more messages between the front and backend.
But - it works :)
Internally, all BROv6 preprocessor switches were removed and
addr/subnet representations wrapped in the new IPAddr/IPPrefix classes.
Some script-layer changes of note:
- dns_AAAA_reply event signature changed: the string representation
of an IPv6 addr is easily derived from the addr value, it doesn't
need to be another parameter. This event also now generated directly
by the DNS analyzer instead of being "faked" into a dns_A_reply event.
- removed addr_to_count BIF. It used to return the host-order
count representation of IPv4 addresses only. To make it more
generic, we might later add a BIF to return a vector of counts
in order to support IPv6.
- changed the result of enclosing addr variables in vertical pipes
(e.g. |my_addr|) to return the bit-width of the address type which
is 128 for IPv6 and 32 for IPv4. It used to function the same
way as addr_to_count mentioned above.
- remove bro_has_ipv6 BIF
* origin/topic/bernhard/software:
change software framework interface again. At the moment everything should worl.
start reworking interface of software framework. working apart from detect-webapps.bro, which direcly manipulates a no longer available interface...
after talking to seth - change host_a field in record back to host.
forgotten policy files.
Software framework stores ports for server software.
