* origin/fastpath:
Remove an old, unused diff canonifier.
Improve an error message in ICMP analyzer.
Fix a warning message
Fix many errors in the event documentation
Fixed broken links, broken reST formatting, added missing event
parameters to the documentation, removed documentation of event
parameters that don't exist, corrected spelling errors, fixed some
summary lines (i.e., the first line in each event description) that
were truncated in the HTML, and reformatted some lines to fit
within 80 columns (much easier to read the docs when using a
text editor to view the source files).
Merge remote-tracking branch 'origin/topic/tunnels' into topic/robin/tunnels-merge
* origin/topic/tunnels: (41 commits)
Extend weird names that occur in core packet processing during decapsulation.
Add Teredo analysis option to reduce false positive decapsulation.
Just some cleanup/documentation of new tunnel-handling code.
Memory leak fixes
Add a config.h definition for IPPROTO_IPV4.
Add AYIYA tunnel decapsulation unit test.
Add Teredo-specific events.
Refactor some of the NetSessions routines that recurse on IP packets.
Add independent options to toggle the different decapsulation methods
Add more sanity checks before recursing on encapsulated IP packets.
Suppress Teredo weirds unless decapsulation was successful once before.
Tunnel support performance optimization.
Add Teredo tunnel decapsulation.
Fix for IP tunnel UID persistence.
Fix AYIYA analyzer tag.
Add summary documentation to tunnels/main.bro.
Make tunnels always identifiable by UID, tunnel.log now gets populated.
Some improvements to the AYIYA analyzer.
Remove Tunnel::decapsulate_ip option.
Remove invalid IP-in-IP encapsulated protocol value.
...
If some expression in an event handler body causes an
InterpreterException internally, then the rest of that body doesn't
get executed, but also the bodies of any other handlers were not
executed.
does not support table and vector types because SQLite has no support for arrays.
also does not support rotation, etc.
Not really tested thoroughly - but starting bro with Log::default_writer=Log::WRITER_SQLITE
yields a couple of sqlite files that seem to contain sensible stuff.
The summary lines (the first sentence in the description) for some BIFs
contained a period before the end of the sentence, so only part of the
sentence would appear in the "summary" section of the HTML document (fixed
by rewording the sentence).
Some summary lines were too long (fixed by splitting the sentence with first
sentence being more concise).
Also corrected the description of "fmt" and "floor" BIFs.
If lookup of enum name by value fails, an error is now sent through
the reporter framework and the value logged will be an empty string
(as opposed to trying to construct a string with null pointer which
throws a logic_error and aborts Bro).
This lead to hanging bro's because pclose apparently can wait for eternity
if things go wrong. And there probably are a couple of other problems with this approach.
Appending a "_in_tunnel" to the weird name might help clarify that
the weird is happening with a packet that is attempting to be processed
as a result of decapsulation.
The Tunnel::yielding_teredo_decapsulation (on by default) makes it so
the Teredo analyzer doesn't attempt to decapsulate payloads when
there's already a sibling analyzer that thinks it's parsing the right
protocol. Sometimes, UDP payloads just happen to look like they are
validly Teredo-encapsulated and doing further analysis on the
decapsulated packet can quickly turn into a weird; this change helps
reduce such weirds.
* origin/topic/dnthayer/bif-tests:
Improve "fmt" BIF documentation comment
Improve tests of the type_name BIF
Improve test cases for "order" BIF
Fix documentation of sort BIF and add more tests
Fix documentation for system_env BIF
Deprecate the parse_dotted_addr BIF (use to_addr instead)
Improve tests for to_port and type_name BIFs
Improve tests for sort, order, and system_env BIFs
Fix the join_string_vec BIF and add more tests
Add more tests for previously-untested BIFs
Add more tests for previously-untested BIFs
Add more tests for previously-untested BIFs
Add more tests for previously-untested BIFs
Add tests for previously-untested strings BIFs
