There's a logic error in the packet analyzer's AnalyzerConfirmation()
method that causes analyzer_confirmation() events to be raised for every
packet rather than stopping after the first confirmation which appears to
have been the intention. This affects, for example, VXLAN and Geneve tunnels.
The optional arg_tag parameter was used for short-circuit'ing, but the return
value of GetAnalyzerTag() used for setting the session state causing the
disconnect.
In scenarios where Zeek receives purely tunneled monitoring traffic, this may
result in a non-negligible performance impact.
Somewhat related, ensure the session state is set to violated before
short-circuiting if no analyzer_violations are installed.
Suggesting this as a 5.0.3 candidate.
The current_entity tracking in HTTP assumes that client/server never
send HTTP entities at the same time. The attached pcap (generated
artificially) violates this and triggers:
1663698249.307259 expression error in <...>base/protocols/http/./entities.zeek, line 89: field value missing (HTTP::c$http$current_entity)
For the http-no-crlf test, include weird.log as baseline. Now that weird is
@load'ed from http, it is actually created and seems to make sense
to btest-diff it, too.
* topic/awelzel/dpd-ditch-service-negation:
scripts/conn: Open-code determine_service()
Make connection$service_violation a set[string]
strings: Implement join_string_set() as bif
dpd: Replace negated service fmt() magic with dedicated field
...the only known cases where the `-` for `connection$service` was
handled is to skip/ignore these analyzers.
Slight suspicion that join_string_set() should maybe become a bif
now determine_service() runs once for each connection.
Closes#2388
* origin/topic/timw/2387-cleanup:
Dict: Mark iterator move operator/constructors as noexcept
Remove unused headers from Dict.cc
Dict: Reduce some math required in repeatedly-called functions
Dict: use std::log2, remove custom Log2 method
* 'topic/amazingpp/2384-record-deprecation' of github.com:/AmazingPP/zeek:
Replace all the Warning() calls after IsFieldDeprecated() over to Warn()
Fix deprecation not flagged and incorrect line number in record
* origin/topic/vern/cpp-maint-Sep22:
oof more manual fixups
undo inadvertently committed tweak to test
update for btest only run in some environments
btest tweaks for recent changes
updates to notes for compile-to-C++ maintenance
newly-created btest files
baseline updates for -a cpp alternative (compile-to-C++)
tweak btest so it's recognized as a candidate for C++ compilation testing
split basic "int" btests into main part versus now-separate overflow part
fix deprecated "local" scoping in test scripts
annotated scripts to skip when testing compilation-to-C++
C++ script generation fix for lambdas that have identical bodies
fix for C++ scripts that refer to "opaque" types
C++ compilation support for 2-valued vector "for" loops
C++ compilation support for RE /s operator
run-time checking of vector operations for overflows and division-by-zero
error propagation fix to avoid a crash
* origin/topic/vern/ZAM-maint-Aug22.final:
updates to ZAM btest baselines
specialized ZAM operators for speeding up cat() operations
ZAM support for two-valued "for" loops over vectors
make it non-fatal for optimized scripts to encounter an empty "for" body
script optimization fix for new-style table constructors
the data/string handling in smb1-com-transaction.pcac was improved
with c75519ca88, re-use the added
functionality also for smb1-com-transaction-secondary.pac to avoid
buffer overflows.
