This ordering fixes a test failure we're seeing on Alpine for the
signatures/tcp-end-of-match btest, since discrepancies in rule match traversal
could lead to discrepancies in corresponding event ordering.
It looks safe to rely on across platforms since the index is driven by signature
load order, which shouldn't deviate. If this somehow doesn't hold in the future,
we'll only wind up with a test failure, not incorrect match behavior.
(Correction to 2e03fbb8b0, which I pushed
accidentally.)
* origin/topic/christian/debug-stream-tweaks:
Make debug stream names use "-", and handle "_" transparently
Make "-B all" apply to plugin streams as well.
Sort streams in "-B help" output, and match case-insensitively throughout
We already accept that the packets coming into this analyzer won't
be processed, so forwarding out of it will just result in a failure.
Forwarding will also report a weird for every packet which just
results in extra noise.
Matching of plugins' debug streams was still case-sensitive. Also contains some
minor output tweaks.
It'd be nice to only list plugin debug streams actually _used_ by plugins. I
didn't see a quick way to do that so that's for another time.
* origin/topic/awelzel/log-broker-io-telemetry-rules-includes:
zeek-setup: Remove some unused headers
clang-format: Sort doctest header at the bottom
RuleMatcher: Move plugin/Manager.h include from .h to .cc
iosource/Manager: Remove superfluous includes
telemetry/Manager: Remove broker header include, add fnmatch.h
logging/Manager: Fix using filename from input.h in debug log
GetFieldAs() does not initialize an optional or default field. Apparently,
for ZAM that makes a difference, possibly the [] record construction is
optimized, not initializing proto until actually accessed. Not quite
sure why that's not happening for classic script interpretation
though.
The zeek_binpac.h one isn't used directly, but keeping it over
<binpac.h> include. Also do some std prefixing. binpac.h has
'using namespace std', so these slip through :-(
Establishing reliable ordering fixes a test failure we're seeing on Alpine for
the signatures/tcp-end-of-match btest, since discrepancies in rule match
traversal could lead to discrepancies in corresponding event ordering.
Discussed with @J-Gras, calling Broker::publish() within a scheduled
should use the "intended timestamp" implicitly.
This is subtle, but supposedly more expected when running
a pcap replay cluster.
* topic/christian/ci-updates:
CI: Use FEDORA40 crypto policy in Fedora 41
Bump zeekjs to 0.13.0
CI: bump FreeBSD 13 to 13.4, released in September
CI: drop Fedora 39, add 41
* origin/topic/timw/3915-unknown-ip-protocol:
Add NEWS entry for ip_proto feature
Move IP protocol names table out of policy script to init-bare
Minor review nits
Fixes for community ID hashing with new proto values
Use new_connection instead of connection_state_remove
Add policy script to remove ip_proto field, rename protocol naming script
Rename protocol_id field to ip_proto and similar renaming for name field
Increase size of proto fields to uint16_t, add common default value
Disable part of core/dict-iteration-expire5 btest to avoid iteration bug
Add conn.log entries for connections with unhandled IP protocols