- Ignore conan libpcap if PCAP_ROOT_DIR is passed
- Update the cmake submodule to pick up changes for finding the right
  paths to npcap
- Add lazy-loading of npcap so the library path gets set correctly
  at startup
* origin/topic/awelzel/analyzer-log:
btest/net-control: Use different expiration times for rules
analyzer: Add analyzer.log for logging violations/confirmations
The seen/file-names script relies on f$info$filename to be populated.
For HTTP and other network protocols, however, this field is only
populated during file_over_new_connection() that's running after
file_new().
Use the file_new() event only for files without connections;
file_over_new_connection() implies that f$conns is populated anyway.
Special case SMB to avoid finding files twice, because there's a
custom implementation in seen/smb-filenames.zeek.
Fixes #2647
By default this only logs all the violations, regardless of the
confirmation state (for which there's still dpd.log). It includes
packet, protocol and file analyzers.
This uses options, change handlers and event groups for toggling
the functionality at runtime.
Closes #2031
While there's a btest environment for ZAM, it's currently not run by
default. Add a single zam/basic.test so that we catch memory leaks or
dead-on-arrival cases with the current CI setup.
This is just a small optimization on top of what is there.
Add state to Func for tracking if any enabled bodies exist which
allows us to propagate it up to the EventHandler::bool() operator.
In turn, when all bodies of an event's Func have been runtime disabled,
the event itself will not be invoked anymore.
Experiments have shown that this allows runtime toggling of new_event()
without performance impact when disabled. This could enable use-cases
where new_packet() handlers are enabled for a split second once in a
while to either dump or sample raw packet data at runtime.
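The sampling pattern described in that commit message, as an added illustration that is not part of the commits listed here: a new_packet() handler placed in an event group that is enabled for a short window and disabled the rest of the time. It assumes the Zeek event-group API (the &group attribute on handlers and the enable_event_group()/disable_event_group() BiFs) and the Reporter framework; the module, option and event names are invented for the example.

```zeek
# Added example, not code from the Zeek commits above. Assumes the
# &group handler attribute and enable_event_group()/disable_event_group().
@load base/frameworks/reporter

module PktSample;

export {
	## Quiet time between sample windows (hypothetical option name).
	option quiet: interval = 60 sec;
	## How long one sample window stays open.
	option window: interval = 1 sec;

	global open_window: event();
	global close_window: event();
}

global sampled: count = 0;

# While the "pkt-sample" group is disabled, this is the only body of
# new_packet()'s Func and it is disabled, so the event is not raised at
# all and the per-packet overhead disappears.
event new_packet(c: connection, p: pkt_hdr) &group="pkt-sample"
	{
	++sampled;
	}

event PktSample::close_window()
	{
	disable_event_group("pkt-sample");
	Reporter::info(fmt("pkt-sample: %d packets seen in %s window", sampled, window));
	sampled = 0;
	schedule quiet { PktSample::open_window() };
	}

event PktSample::open_window()
	{
	enable_event_group("pkt-sample");
	schedule window { PktSample::close_window() };
	}

event zeek_init()
	{
	# Start closed; the first window opens after one quiet interval.
	disable_event_group("pkt-sample");
	schedule quiet { PktSample::open_window() };
	}
```

The Reporter line is there so that a window that stays open longer than intended (for example because the close event was never scheduled) shows up in reporter.log rather than silently taxing every packet.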
This keeps GitHub from being confused about this file being part of
the repository's license, and thus not displaying the proper linkage
to our actual COPYING file.
We may want to copy some of the current feature and lts releases
over to zeek/zeek by hand, but for now see if pushing works out
for zeek/zeek-dev, mainly.
In certain deployment scenarios, all analyzers are disabled by default.
However, conditionally/optionally loaded scripts may rely on analyzers
functioning and declare a request for them.
Add a global set to the Analyzer module where external scripts can record
their requirement/request for a certain analyzer. Analyzers found in this
set are enabled at zeek_init() time.
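How an optional script would use that set, as an added example rather than code from the commits above. It assumes the names Analyzer::requested_analyzers (the set described in the message) and Analyzer::disable_all as they appear in the Zeek analyzer framework, and that the framework's own zeek_init() handler enabling the requested analyzers runs at default priority, so a handler at a lower priority can inspect the result.

```zeek
# Added example, not code from the Zeek commits above. Assumes
# Analyzer::requested_analyzers (set[AllAnalyzers::Tag]) and
# Analyzer::disable_all exist as in the Zeek analyzer framework.
@load base/frameworks/analyzer
@load base/frameworks/reporter

# Deployment policy: every analyzer is off unless explicitly requested.
redef Analyzer::disable_all = T;

# An optionally loaded script that depends on HTTP parsing records its
# request; the framework enables everything in this set during zeek_init().
redef Analyzer::requested_analyzers += { Analyzer::ANALYZER_HTTP };

# Runs after the framework's default-priority zeek_init() handler (assumed),
# so a misconfigured deployment is visible in reporter.log at startup.
event zeek_init() &priority=-10
	{
	for ( tag in Analyzer::requested_analyzers )
		Reporter::info(fmt("requested analyzer enabled: %s", Analyzer::name(tag)));
	}
```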
* origin/topic/awelzel/fix-dump-events-test:
Func: Use std::stable_sort() for sorting bodies by priority
btest/dump-events: Do not skip everywhere and update baselines