* origin/topic/dnthayer/test-improvements:
Fix the ip-broken-header.bro test on macOS
Improve reliability of the logging rotate.bro test
Improve reliability of missing-file-initially.bro test
BIT-1929 #merged
* origin/topic/seth/dhcp-update:
Rework to the DHCP analyzer.
First step of DHCP analyzer rearchitecture.
Add .btest scripts for dhck_ack and dhcp_discover messages verifying that new options are correctly reported in dhcp.log records.
Extend DHCP protocol analyzer with new options.
BIT-1924 #merged
Additional changes:
* Removed known-hosts.bro as the only thing populating its table was
the already-removed known-hosts-and-devices.bro. So a
known_devices.log will no longer be generated.
* In dhcp-options.pac, the process_relay_agent_inf_option had a memleak
and also process_auto_proxy_config_option looked like it accessed one
byte past the end of the available bytestring, so fixed those.
* origin/topic/jsiwek/bit-1914:
BIT-1914: comment out &check usages now that they emit warnings
Convert some BinPAC &check expressions to &enforce
Update &check'd fields in various protocol parsers
BIT-1914 #merged
Occasionally a few lines in the first part of the output file were
not in the expected order (this seems to be caused by each line in the
output being created by a process that is run in the background but
bro doesn't wait for it to finish). Fixed by sorting the output.
This test has failed numerous times on Travis CI. Fixes to make this
test more reliable: create the does-not-exist.dat file atomically, and
increase wait time after starting bro in order to give all input
streams a chance to try to read the input file.
Also added the input stream name to the test output, in order to make
output easier to understand if the test fails again.
On Travis CI, btest was using 32 threads when running with "-j". Reducing
this to "-j 4" seems to make the tests run a bit faster overall and
somewhat reduces the number of test failures.
* The altered Modbus checks seemed overly strict -- the pcap used
for the unit test at least had quantities/byte_count fields of
zero, to which the server responds with an error (expected).
* Most of the altered DNP3 checks seemed overly strict and caused
the unit tests to fail. The one that was just wrong was the
'start' field in header blocks.
* Removed the "start" parameter of the dnp3_header_block event
since it's always the same value.
* The SMB check failed to compile and I don't know what it intended
to do, so removed.
The test could fail on the order of 100s of iterations, so I bumped to
desired accuracy to actually check for results that are outside the
error margin.
* 'Reporter/MessageFix' of https://github.com/catenacyber/bro:
Better reporter for Brostring with embedded NUL
I slightly changed the code for beautification purposes and added a
testcase. No functional changes.
Remove some output from the Travis CI build log to make it easier
to read.
There is an issue with Travis CI when using encrypted environment
variables. In this case, when btest calls the python function
sys.stdout.isatty() it returns False, which causes btest to output one
line for each test (passed or failed). As a result, it is difficult to
see at a glance which tests failed. Switching to btest brief output to
address this issue.
The way in which TLS 1.3 is negotiated was changed slightly in later
revisions of the standard. The final version is only sent in an
extension - while the version field in the server hello still shows TLS
1.2.
This patch makes ssl.log show the correct version again.
I've moved .travis.job to testing/scripts/travis-job and adapted
.travis.yml accordingly.
* origin/topic/dnthayer/travis-ci-updates:
Fix information leak in the update-traces script
Add coverity scan and private testing to Travis CI
For trace files that require authentication to download, hide
part of the URL in output messages. This avoids leaking potentially
sensitive info when running tests using a continuous integration
service.
Highlights:
- Reduced all DHCP events into a single dhcp_message event. (removed legacy events since they weren't widely used anyway)
- Support many more DHCP options.
- DHCP log is completely reworked and now represents DHCP sessions
based on the transaction ID (and works on clusters).
- Removed the known-devices-and-hostnames script since it's generally
less relevant now with the updated log.
Closes BIT-1900.
* origin/topic/johanna/config:
Use port_mgr->Get() in the input framework config changes.
Allow the empty field separator to be empty; use in config framework.
Fix small bug in config reader.
Fix segmentation fault when parsing sets containing invalid elements.
Add config framework.
Closes BIT-1897.
* origin/topic/johanna/ssl_signature_details:
Make parsing of ServerKeyExchange work for D(TLS) < 1.2.
Add more details to ssl_server_signature.
* 'smb-transaction-messages' of https://github.com/jbencteux/bro:
add test for smb1_com_transaction_response event changes
add test for smb1_com_transaction2_secondary_request event changes
add test for smb1_com_transaction2_request event changes
add test for smb1_com_transaction_secondary_request event changes
add test for smb1_com_transaction_request event changes
fix setup field handling in smb1_com_transaction_request messages
fix smb1_com_transaction* messages
add smb1_transaction2_secondary_request event
add smb1_transaction_secondary_request event
add parameters and data to smb1_transaction_request/response messages
add SMB_Parameters.Words to smb1_transaction2_request event
* 'nfs-updates' of https://github.com/dtrejod/bro:
Format print nfs units tests to improve output readability. Add unit tests for new NFS events -- nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr.
Bug fix: nfs3_writeargs didn't properly return filehandle.
Add nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr.
* 'mount-protocol' of https://github.com/dtrejod/bro:
Add unit tests for new MOUNT events -- mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented.
Add mount_proc_null, mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented, mount_reply_status.
This small change allows the empty field separator to be empty. This
means that we can represent an empty list by a empty input string, which
was not possible before.
Before, an empty empty field separator meant that there is no empty
field - to get back to this behavior one now has to set the empty field
separator to a string that is guaranteed to not be part of the input
data. Note that we did not use "empty" empty field separators anywhere
and I am not aware of this being used by anyone - the new behavior seems
like it is much more useful in practice.
This also changes the config framework to interpret empty lists as...
empty, instead of interpreting them as lists that have one zero-length
element; this seems like the saner default.
The configure reader had a small bug that caused the tracking of changed
variables to be incorrect after the second update. This resulted in
change-events for unchanged variables.
Currently the destructor would try to free unallocated memory. This
could e.g. be triggered by the input framework reading a set with an
invalid element.
* Add proper namespace scoping to a 'SumStats::process_epoch_result'
scheduled event.
* Fix iterator invalidation within 'SumStats::process_epoch_result'
* Give 'SumStats::process_epoch_result' a copy of the result table so
that the SumStats framework can clear the original and move on to the
next epoch immediately.
* The previous baseline of the basic sumstats unit test did look wrong
to me and probably was actually indicative of the iterator invalidation
problem.
Thanks to Jim Mellander for reporting the issues.
