* origin/topic/jsiwek/irc-orig:
Shorten what's displayed in the IRC's log mime_type column for DCC transfers
Add IRC unit tests.
Small tweak to IRC event handlder priorities
Fix IRC analyzer supplying wrong type to irc_dcc_message event.
Changes to IRC analyzer and events (addresses #469).
- Removed irc_client and irc_server events.
- Added is_orig arguments to all other irc events.
- Fix analyzer not recognizing Turbo DCC extension message format.
- Fix analyzer not generating irc_dcc_message event when irc_privmsg_message
event doesn't have a handler registered.
- Changes to IRC policy scripts to use the above changes.
- Fixing more vestiges from moving site.bro and removing functions.bro
- Updates comments on analysis-groups.bro
- Added the trim-trace-file script from broctl.
- Scripts now use the full path for @load to remove the subpaths
from the shipped BROPATH.
- Some script sets have been reorganized to make optional loads
more obvious.
* remotes/origin/topic/policy-scripts-new:
Fixed another SSL analyzer memory leak.
Attempting to fix another SSL bug.
Fixing a ref counting bug in the SSL analyzer that I just introduced.
Fixing memory leaks in SSL analyzer.
Fixed a parsing bug in the SSL analyzer thanks to tracefile from Aashish Sharma.
Removing my fix from earlier. This is indicating the script-land generated events priority problem.
Updates to the DPD framework.
Fixed a bug in the auth-addl DNS script.
Conflicts:
src/bro.bif
* origin/topic/robin/reporting:
Syslog BiF now goes through the reporter as well.
Avoiding infinite loops when an error message handlers triggers errors itself.
Renaming the Logger to Reporter.
Overhauling the internal reporting of messages to the user.
Updating a bunch of tests/baselines as well.
Conflicts:
aux/broccoli
policy.old/alarm.bro
policy/all.bro
policy/bro.init
policy/frameworks/notice/weird.bro
policy/notice.bro
src/SSL-binpac.cc
src/bro.bif
src/main.cc
- Fixed a pretty major eternal looping bug in the SSL analyzer and
a few other parsing problems.
- New core scripts and log for SSL connection analysis.
- New known-certs script for logging certificate assets.
- When ACTION_EMAIL_ADMIN_ORIG or ACTION_EMAIL_ADMIN_RESP
is applied to a notice,
the email addresses associated with the address
are collected from the new local_admins table
and the email is sent to all discovered email addresses.
- The site.bro script is now in the Site module.
- Some other small cleanup.
- Split Item into Item and QueryItem as suggested by Robin.
- QueryItem now has $and_tags and $or_tags. Each
acts as AND or OR for the given tags against
each relevant metadata value.
- 'insert' turned into a function and new insert_event created.
- First use of intelligence framework in HTTP analysis.
- Removed reverse dependency of mime loading smtp.
- Extracting filename correctly now.
- Now copes with mime_end_entity dual firing bug.
- File hashing interface more similar to other file
hashing interfaces.
- New notice for when a hash is calculated.
- Defaults for all built-in asset tracking changed to LOCAL_HOSTS
- Added a tuning script for changing asset tracking
to ALL_HOSTS in all of the core scripts that do
asset tracking.
- Default Notice::policy files notices instead of alarming on them.
- Moved KnownHosts::Info back to export section because
the log_known_hosts event can't be defined in the
export section without it.
- Moved the Malware Hash Registry detection out of
the core HTTP protocol scripts and added it to the
all.bro script.
- Split enum values into two separate enums.
- Renamed to fit the enum naming convention.
- New global variable named default_asset_tracking
that changes default behavior of any script that
tracks assets, usually by storing some amount
of information about the network in memory.
- Changed enum values to determine hosts and directions.
- Fixed a bug in detecting mail clients.
- Fixed a couple of problems with vulnerable software detection.
- New variable "Software::asset_tracking" for
determining which software to track.
- Moved webmail detection into the smtp/software script.
- Added an option to detect mail clients based on
the actual TCP connection the mail was seen being
transferred over.
- Fixed bug with new sessions accidently being created
just after logging which caused a lot of empty records
to be logged.
- Readded the HTTP::MD5 notice for when an MD5 sum is
calculated for HTTP response bodies.
- Fixed bug with extracting value from content-length
headers.
- Flushing values from md5 sum generation more reliably
to avoid leaking memory.
