Still finding it to not be foolproof enough to enable generally for all
nodes in a cluster. Specific/advanced use-cases may still consider
enabling, possibly just for specific nodes.
This change allows a weird sampling rate of 0, which completely suppresses
all notifications (previously this crashed Bro). If also fixes the sampling
threshold to work with sampling rates of 0.
Updated the find-bro-logs.test to output the correct list of log files.
The test now runs about 50 times faster.
Also corrected a typo on the "Log Files" documentation page.
* origin/topic/johanna/tls-more-data:
Update NEWS for ssl changes.
SSL: test updates for record_layer version
Final touches to SSL events with record layer version.
Introduce ssl_plaintext_data event.
Add record layer version to event ssl_encrypted_data.
Add compression methods to ssl_client_hello event.
* origin/topic/jsiwek/bit-1967:
Fix a routing loop in control framework
Add Broker::forward() function
Enable implicit Broker message forwarding by default
Remove Cluster::broadcast_topic
Remove Intel Broker topics, re-use existing Cluster topics
Remove "relay" family of Broker functions
This enables explicit forwarding of events matching a given topic
prefix. Even if a receiving node has an event handler, it will not
be raised if the event was sent along a topic that matches a previous
call to Broker::forward().
This makes
@if (conditions)
event a(...)
@else
event b(...)
@endif
work, which threw an error in the past. This is useful when event
definition change in newer Bro version and code wants to accept both
kinds of events.
Namely these are now removed:
- Broker::relay
- Broker::publish_and_relay
- Cluster::relay_rr
- Cluster::relay_hrw
The idea being that Broker may eventually implement the necessary
routing (plus load balancing) functionality. For now, code that used
these should "manually" handle and re-publish events as needed.
Turns out that base/misc/version.bro did not parse Bro versions
correctly in case the version is just 2.5-12 or similar. This commit
fixes this oversight and adds a few more small testcases.
This adds previously-missing support for "Alter Context"
request/response PDUs (initial patch contributed by Mark Fernandez).
Also, context ID arguments were added to dce_rpc_bind, dce_rpc_request,
and dce_rpc_response in order to properly track what endpoint/operation
a given opnum maps to.
* origin/topic/jsiwek/empty-lines:
Add 'smtp_excessive_pending_cmds' weird
Fix SMTP command string comparisons
Improve handling of empty lines in several text protocol analyzers
Add rate-limiting sampling mechanism for weird events
Teach timestamp canonifier about timestamps before ~2001
* origin/topic/vladg/dhcp_event_deprecation:
Add script to support the old DHCP events
Updated coverage tests and fixed incorrect DHCP:: scoping on some things
