When pcap_next failed to return packet data, such as when a live packet
capture interface has no traffic, the next_timestamp member would still
be set to possibly uninitialized or meaningless data.
Maybe addresses #611.
Before Log::rotation_control was removed in fe38c22d, it was used to
lookup rotation inverval at the time of installing a rotation timer,
and could fall back on the &default=default_rotation_inverval. But
now since filter rotation information is instead transferred to a Writer
when it's created, it also needed to be taught to fall back on the
default rotation interval.
- Worker raised notices are printed a single time by the manager now.
- Cluster/notices integration cleaned up.
- New tests for cluster/notice integration.
- Notice suppression fixes and tests.
- The table tracking notice suppressions is now done with a table
attribute instead of "manually" with scheduled events.
- The $suppress_for field can be set within PolicyItem's now too to
affect the suppression interval through the notice policy.
* origin/topic/jsiwek/path-func-record-demote:
Fix filter path_func to allow record argument as a subset of stream's columns.
Conflicts:
src/LogMgr.cc
Closes#600.
* origin/topic/jsiwek/filter-rotation:
Remove Log::rotation_control (addresses #572).
Add an optional Log::RotationControl to Log::Filter records.
Closes#572.
entities.
Before, whether they did depended on libmagic. To do that,
smpt/entities.bro gets a new option `never_calc_md5`.
Also restructuring the tests a bit so that load a common
testing-setup.bro scripts that can set a global configuration.
Both related to Val lists constructed as arguments to events that were
not freed because the event function was never called (e.g. no handlers).
Addresses #574
- The check for the root_certs variable was recreating the certificate
store over and over again which would eventually consume lots of memory
in the x509_stores internal (c++) variable. The index check uses the
Val pointer value for comparison now.
- The value of the content-length headers has now been removed
but it could be added back locally at an installation by a user.
- Added fields to indicate if some parsing interruption happened
during the body transfer.
- Closes#581
- If a protocol violation happens, Bro now logs what it has seen
up until the protocol violation and deletes the c$ssl record
so that a long lived connection with a protocol violation does
continue to hold the memory.
- Removed an notice definition from the base SSL scripts.
- Moved a logging stream ID into the export section for known-services
and bumped priority for creating the stream.
- Adding configuration knobs for the SQL injection attack detection
script and renaming the HTTP::SQL_Injection_Attack notice to
HTTP::SQL_Injection_Attack_Against
- Bumped priority when creating Known::CERTS_LOG.
- The test needed to append the second notice the event queue so that
the notice would be suppressed correctly.
- Setting $suppress_for manually in apply_policy since it doesn't pick
up the &default when directly creating the record inside the NOTICE call.
- Duplicate notices are discovered with the new Notice::Info
field $identifier. It's a string that is left up to the
notice implementor to define which would indicate a
fundamentally duplicate notice. The field is optional and
if it's not included it's not possible for notice
suppression to take place.
- Duplicate notices are suppressed by default for the interval
defined by the Notice::default_suppression_interval variable
(1 hour by default).
- A new notice action was defined ACTION_NO_SUPPRESS to prevent
suppression for a specific notice instance. A convenience set
named not_suppressed_types was also created to not suppress
entire notice types.
- A new field was added to the PolicyItem type to modify the length
of time a notice should be suppressed if the predicate matches.
The field is named $suppress_for. This name makes the code more
readable like this: $suppress_for = 1day
- New events were created to give visibility into the notice
framework's suppression activity.
- event Notice::begin_suppression(n: Notice::Info)
- event Notice::suppressed(n: Notice::Info)
- event Notice::end_suppression(n: Notice::Info)
- The suppression.bro script doesn't have a baseline because
it is causing a segfault in Bro. This one test is the
reason that this is being integrated into a branch instead
of master.
This required adding the ability for RecordVal::CoerceTo functions to
optionally allow orphaning fields. The default is to not allow it, but
now before writing to a log, the value of the stream's columns is coerced
down, if necessary, before passing it on to the filter's path_func.
Addresses #600.
