* 'topic/oakljon/gh-1352-smtp-header-parsing' of https://github.com/theavgjojo/zeek:
GH-1352: Added flag to stop processing SMTP headers in attached messages
Changes \x00-\x37 ranges to \x00-\x1f with assumption that the former
was attempting to match ASCII control characters, but mistook an octal
range for hex. This change reduces some false positives.
- Tweaked the Too_Little_Traffic notice message to avoid
cluster-specific terminology.
* origin/topic/vlad/caploss_no_traffic:
Fix scheduling due to network_time being 0 in zeek_init
Add test for CaptureLoss::Too_Little_Traffic
Add CaptureLoss::Too_Little_Traffic
Add CaptureLoss::initial_watch_interval for a quick read on cluster health after startup.
Documentation update, reference the threshold variable. [nomail] [skip ci]
Whitespace fixes only [nomail] [skip ci]
* origin/topic/jsiwek/gh-822-ubsan-ci:
Fix negative-value-left-shift undefined behavior in patricia trie
Improve negation of ConstExpr
Avoid signed integer overflow when combining SMB header PID bits
Avoid unary negation of INT64_MIN in modp_litoa10
Avoid double-to-int conversion overflows in modp_dtoa functions
Fix divide-by-zero in Entropy analyzer
Fix divide-by-zero in stats/profiling memory usage calculation
Fix uninitialized field in POP3 fuzzer
Add framework for running UndefinedBehaviorSanitizer in CI
The RSTOS0 `conn_state` label is documented as "Originator sent a SYN
followed by a RST, never saw SYN-ACK from responder", but was previously
applied to cases where no originator SYN exists, like a single RST-only
packet.
* origin/topic/timw/open-dict: (40 commits)
Move Dict constants to detail namespace
Add a few missing deprecation fixes
Adjust Dict whitespace/style
Adjust more btest timings
Improve termination reliability/speed for brokerstore btests
General btest cleanup
Update NEWS about change in Dictionary implementation
Improve Intel expire-item btest to be less time-sensitive
Improve btests with unstable table/set output ordering
Update doc submodule
Adjust a few btests that were unstable due to time-sensitivity
Fix DNS script deleting a table element while iterating
Improve a brokerstore btest to filter out Broker connection messages
Sort output of a few SumStats cluster tests
Fix extract_first_email_addr() to really return the first email
Add find_all_ordered() BIF
Extend external test suite canonifier with set-sorting logic
Update btests/baselines for OpenDict compat
Fix new/malloc/delete/free mismatches in Dictionary code
Add explanation for a Dict TODO item
...
The use of find_all() in extract_email_addrs_vec() extracted occurrences
to an intermediate set and thus lost any sense of ordering.
This changes extract_email_addrs_vec() to use find_all_ordered() and
return all occurrences of email addresses found in the argument,
included duplicates, with their order of occurrence preserved.
The body-lengths of sub-entities, like multipart messages, got counted
twice by mistake: once upon the end of the sub-entity and then again
upon the end of the top-level entity that contains all sub-entities.
The size of just the top-level entity is the correct one to use.
Changes during merge
- Changed the policy script to use an event handler that behaves
for like the base script: &priority=5, msg$opcode != early-out,
no record field existence checks
- Also extended dns_query_reply event with original_query param
- Removed ExtractName overload, and just use default param
* 'dns-original-query-case' of https://github.com/rvictory/zeek:
Fixed some places where tabs became spaces
Stricter checking if we have a dns field on the connection being processed
Modified the DNS protocol analyzer to add a new parameter to the dns_request event which includes the DNS query in its original case. Added a policy script that will add the original_case to the dns.log file as well. Created new btests to test both.
- Updated the logic significantly: still filters out ICMP from being
considered an active service (like before) and adds a new
"Known::service_udp_requires_response" option (defaults to true) for
whether to require UDP server response before being considered an
active service.
* 'topic/dopheide/known-services' of https://github.com/dopheide-esnet/zeek:
Log services with unknown protocols
* topic/johanna/gh-744-cache-the-heck-out-of-these-certs:
X509 caching API change: callback gets entry directly
Address feedback
Small default updates & external baselines.
X509 caching: small API changes, tests & test updates
Certificate caching - now working in principle.
First (sadly not completely working) approach at caching X509 certificates
Fixes in merge:
- Memory leak in HashKey ctor
- Minor whitespace/style changes
* origin/topic/dev/patterns-in-sets:
Enable Patterns as Table index in non singleton cases
Added support to create a Hashkey for PatternVals using their Pattern Texts
* origin/topic/jsiwek/asan: (28 commits)
Increase timeout for a btest
Switch CI scripts to use ASAN/LSAN instead of gperftools
Remove redundant memory leak btests
Fix reference counting issues related to lambdas/closures
Disable LeakSanitizer for btests that have known leaks
Rewrite the btest for when-statement timeouts
Fix memory leak when a logging plugin hook prevents a write
Fix memory leaks in various input framework error-handling cases
Fix memory leak in Reporter::get_weird_sampling_whitelist() BIF
Fix reference counting of Log::Filter "config" field
Fix memory leak in system_env() BIF
Clean up triggers awaiting global state modification at shutdown
Fix memory leak in initializing log writers with no local backend
Fix packet filter memory leaks
Skip sending thread heartbeat if it alread asked to be finished
Fix memory leak of sqlite input reader prepared statement
Prevent duplicate "finish" threading messages
Fix memory leak when table-based input stream overwrites old entries
Fix scripting error in a DHCP btest
Fix memory leaks in Kerberos ticket decryption
...
Or otherwise convert into a regular btest if it didn't already seem to
be covered.
There's no need for a separate memory leak test group since compiling
with LeakSanitizer now covers leak checking for the full btest suite.
* origin/topic/timw/travis-leaks:
fixup! Add new distro to Travis CI configuration for running leak tests
Add new distro to Travis CI configuration for running leak tests
