- On-demand access to sumstats results through "return from"
functions named SumStats::request and Sumstats::request_key.
Both functions are tested in standalone and clustered modes.
- $name field has returned to SumStats which simplifies cluster
code and makes the on-demand access stuff possible.
- Clustered results can only be collected for 1 minute from their
time of creation now instead of time of last read.
- Thresholds use doubles instead of counts everywhere now.
- Calculation dependency resolution occurs at start up time now
instead of doing it at observation time which provide a minor
cpu performance improvement. A new plugin registration mechanism
was created to support this change.
- AppStats now has a minimal doc string and is broken into hook-based
plugins.
- AppStats and traceroute detection added to local.bro
* origin/topic/seth/metrics-merge: (70 commits)
Added protocol to the traceroute detection script.
Added an automatic state limiter for threshold based SumStats.
Removed some dead code in scan.bro
Renamed a plugin hook in sumstats framework.
Move loading variance back to where it should be alphabetically.
Fix a bug with path building in FTP. Came up when changing the path utils.
Fix a few tests.
SumStats test checkpoint.
SumStats tests pass.
Checkpoint for SumStats rename.
Fix another occasional reporter error.
Small updates to hopefully correct reporter errors leading to lost memory.
Trying to fix a state maintenance issue.
Updating DocSourcesList
Updated FTP bruteforce detection and a few other small changes.
Test updates and cleanup.
Fixed the measurement "sample" plugin.
Fix path compression to include removing "/./".
Removed the example metrics scripts. Better real world examples exist now.
Measurement framework is ready for testing.
...
- New, expanded API.
- Calculations moved into plugins.
- Scripts using measurement framework ported.
- Updated the script-land queue implementation to make it more generic.
-
* origin/topic/bernhard/base64:
and re-enable caching of extracted certs
and add bae64 bif tests.
re-unify classes
and modernize script.
add base64-encode functionality and bif.
Closes#965.
* origin/topic/seth/software-version-updates2:
Correctly handle DNS lookups for software version ranges.
Improvements to vulnerable software detection.
Update software version parsing and comparison to account for a third numeric subversion.
Closes#938.
So much nicer!
Closes#954.
* origin/topic/seth/notice-framework-updates:
Update notice framework documentation to represent the new reality.
Complete removal of the old table based notice policy mechanism.
Updates for the notices framework.
This allows replacing an ugly openssl-call from one of
the policy scripts. The openssl call is now replaced with
a still-but-less-ugly call to base64_encode.
I do not know if I split the Base64 classes in a "smart" way... :)
- Moved the Notice::notice event and Notice::policy table to both be hooks.
- Renamed the old Notice::policy to Notice::policy_table and documented it as deprecated.
Added a generic gtpv1_message event generated for any GTP message type.
Added specific events for the create/update/delete PDP context
request/response messages.
Addresses #934.
- Add a DNS based updating method. This needs to be tested still.
- Vulnerable version ranges are used now instead
of only single versions. This can deal with
software with multiple stable major versions.
* origin/topic/matthias/notary:
Small cosmetic changes.
Give log buffer the correct name.
Simplify delayed logging of SSL records.
Implement delay-token style SSL logging.
More style tweaks: replace spaces with tabs.
Factor notary code into separte file.
Adhere to Bro coding style guidelines.
Enhance ssl.log with information from notary.
Closes#928
* topic/robin/exit-after-terminate:
Updating submodule(s).
Fixing exit-after-terminate when used with bare mode.
New option exit_only_after_terminate to prevent Bro from exiting.
These cases should be avoidable by fixing scripts where they occur and
they can also help catch typos that would lead to unintentional runtime
behavior.
Adding this already revealed several scripts where a field in an inlined
record was never removed after a code refactor.
* origin/topic/bernhard/input-logging-commmon-functions:
add the last of Robins suggestions (separate info-struct for constructors).
port memory leak fix from master
harmonize function naming
move AsciiInputOutput over to threading
and thinking about it, ascii-io doesn't need the separator
change constructors
and factor stuff out the input framework too.
factor out ascii input/output.
std::string accessors to escape_sequence functionality
intermediate commit - it has been over a month since I touched this...
I cleaned up the AsciiInputOutput class somewhat, including renaming
it to AsciiFormatter, renaming some of its methods, and turning the
static methods into members for consistency.
Closes#929.
