Added a new BIF haversine_distance that computes distance between two
geographic locations.
Added a new Bro script function haversine_distance_ip that does the same
but takes two IP addresses instead of latitude/longitude. This function
requires that Bro be built with libgeoip.
The link-layer addresses are now part of the connection endpoints
following the originator-responder-pattern. The addresses are printed
with leading zeros. Additionally link-layer addresses are also extracted
for 802.11 plus RadioTap.
The ascii reader now accepts \r\n newlines without complaining.
Furthermore, the reader was slightly rewritten in a more c++11-y way,
removing all raw pointers from the class.
Addresses BIT-1198
I was hoping to report this right at startup through a static check
but turns out we don't have the right machinery in place for that.
That would need to be done after the AST has been finalized, but our
AST traversal code can't iterate over types. So instead I've changed
this so that it's still being reported at runtime but at least
doesn't crash Bro anymore.
Closes BIT-1597.
* origin/topic/johanna/fix-analyzer-addition:
DTLS: Use magix constant from rfc5389 for stun detection.
DTLS: Fix binpac bug with DTLSv1.2 client hellos
Forgot to remove debug output.
DTLS: Fix interaction with STUN
Fix the way that child analyzers are added.
BIT-1604 #merged
Now the DTLS analyzer cleanly skips all STUN messages; no warnings
should be logged to dpd.log and parsing should work flawlessly with
intermixed STUN messages.
By default, OS X 10.11 does not include openssl headers.
Since building a Bro plugin #includes Bro headers, which #include openssl
headers, we need to tell cmake to find these so that the compiler
can use them.
Scheduling a local event variable resulted in a global lookup instead of
evaluating the local variable. To prevent misunderstandings, this will
trigger an error now.
When receiving a remote log via broker, there was a bug that would
prevent a log from being written if the log record contained a field
without the &log attribute that was followed by a field with the &log
attribute.
Updated a test case to catch this error.
When Bro was compiled with broker disabled, then some Bro scripts
were referencing functions and types that were not defined. Fixed
by adding @ifdefs to several scripts. Removed one @ifdef because
it was causing several unit tests to fail.
Also fixed the @TEST-REQUIRES check in tests that rely on broker so
that such tests are skipped when broker is disabled.
(Cleaned up some code a little bit.)
* origin/topic/seth/stats-improvement:
Fixing tests for stats improvements
Rename the reporting interval variable for stats.
Removing more broken functionality due to changed stats apis.
Removing some references to resource_usage()
Removing Broker stats, it was broken and incomplete.
Fixing default stats collection interval to every 5 minutes.
Add DNS stats to the stats.log
Small stats script tweaks and beginning broker stats.
Continued stats cleanup and extension.
More stats collection extensions.
More stats improvements
Slight change to Mach API for collecting memory usage.
Fixing some small mistakes.
Updating the cmake submodule for the stats updates.
Fix memory usage collection on Mac OS X.
Cleaned up stats collection.
BIT-1581 #merged
* origin/topic/dnthayer/doc-improvements:
Fix some scripting tutorial examples
Add some missing Bro script documentation
Fix more "make doc" warnings
Fix some "make doc" warnings
Improve documentation of the "for" statement
Add more documentation to sumstats framework scripts
Update traffic per core estimate in the cluster doc
Update documentation for DNS "Z" field
Improve documentation of Bro script statements
BIT-1520 #merged
* origin/topic/johanna/xmpp-starttls:
XMPP: Add StartTLS event and update tests
Add xmpp dpd sig and fix a few parsing problems for connections that do not upgrade to TLS.
Add simple XMPP StartTLS analyzer.
BIT-1579 #merged
Some of the examples in the scripting tutorial were regularly getting
out of sync with the base scripts (because the line numbering would need
to be updated). Fixed this maintenance burden by using small example
scripts instead of actual Bro scripts. These small example scripts
do not need to be kept in sync with the bro base scripts.
BIT-1449 #merged
* origin/topic/dnthayer/ticket1449:
Rename broker BIF wrapper functions in a few more places
Sync the core/leaks/broker/data.bro test with broker/data.bro
Add missing tests for broker data BIFs
Code cleanup for some broker tests
Add script wrapper functions for broker data BIFs
Add script wrapper functions for broker BIFs
BIT-1574 #merged
* origin/topic/johanna/imap-starttls:
IMAP: add c++11 header file that gcc complains about.
IMAP: documentation and test updates
also generate an event when starttls is encounterd for imap.
Add support of getting server capabilities to IMAP parser.
Basic IMAP StartTLS analyzer.
Added tests for the table_clear and vector_clear BIFs, and added
more tests for container types (e.g. adding the same element twice
to a set or table, or overwriting a record field value, etc.).
Also reorganized several test cases.
Simplified some function names, fixed some names of broker script wrappers,
reorder some broker function calls to avoid potential race conditions, and
don't have bro read a trace file when it will not be used.
Also renamed the "print" function to "send_print" and the "event"
function to "send_event" because Bro shows a syntax error when a
Bro script function is named "event" or "print".
There was a bug in the new parsing code, introduced in
708ede22c6 which parses validity times
incorrectly if they are before the year 2000. What happens in this case
is that the 2-digit year will be interpreted to be in the 21st century
(1999 will be parsed as 2099, e.g.).
This patch allows users to provide the fuid or the connection id
directly, in case they do not have access to either in the event that
they handle.
An example for this is the handling of certificates in SSL, where the
fa_file record cannot be retained because this would create a cyclic
data structure.
This patch also provides file IDs for hostname matches in certificates,
which was not possible with the previous API.
