If there's some bad state we can be in where MMDB lookup/open operations
consistently fail, then the volume of associated reporter messages can
get overwhelmingly large, especially if a lookup operation is being done
for each network connection.
This adds a limit of an arbitrary 20 messages every 5 minutes, which
should be enough information to understand the overall
open/close/lookup-failure pattern.
* origin/topic/timw/unordered-lists:
Review fixups
Change timer_list in BroList to be an unordered list.
Add ability for List to be ordered/unordered
Add unit testing for List
Fix bug with List where replace() doesn't work with non-pointer types
- Adjusted the formatting during merge
* 'set_to_regex-docs' of https://github.com/jlagermann/zeek:
added examples to set_to_regex comments Signed-off-by: James Lagermann <james.lagermann@corelight.com>
- Minor whitespace/format adjustments
* 'network-time-init' of https://github.com/J-Gras/zeek:
Fix documentation for network_time_init.
Improve network_time_init() test and add baseline.
Add network_time_init() event.
Add test for network_time behavior.
- Changed the logic significantly to just guarantee there's only ever a
single inactivity timer per connection
- Updated language.expire_subnet btest which is unduly sensitive to
timer-related changes
* origin/topic/jazoff/avoid-redundant-inactivity-timers:
avoid scheduling redundant inactivity timers
The IP fragment reassembly process assumes a packet contains at least
the minimum IP header, but such a check did not previously occur,
resulting in a heap buffer over-read. For example, a self-reported
IPv4 IHL field with a value less than the minimum IPv4 header length of
20 bytes. Such packets likely aren't routable on their own, but one
can create an artificial pcap like that or possibly encapsulate it
within another protocol to trigger this bug.
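
The kind of length check the commit message above describes, as an added C example (not Zeek's own code): `ip4_validate`, its result codes and the sample byte arrays are hypothetical names and constructed data. It rejects a header whose self-reported IHL is below 20 bytes, or whose claimed length exceeds the captured bytes, before any reassembly code reads from it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HDR_LEN 20u

enum ip4_check { IP4_OK, IP4_TRUNCATED, IP4_BAD_VERSION, IP4_BAD_IHL,
                 IP4_HDR_EXCEEDS_CAP, IP4_BAD_TOTAL_LEN };

/* Hypothetical validator: run before reassembly trusts any header field.
 * buf/caplen are the captured bytes starting at the IP header. On IP4_OK,
 * *hdr_len receives the verified header length in bytes. */
enum ip4_check ip4_validate(const uint8_t *buf, size_t caplen, size_t *hdr_len)
{
    if (buf == NULL || caplen < IPV4_MIN_HDR_LEN)
        return IP4_TRUNCATED;            /* cannot even read a minimal header */
    if ((buf[0] >> 4) != 4)
        return IP4_BAD_VERSION;

    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;   /* IHL counts 32-bit words */
    if (ihl < IPV4_MIN_HDR_LEN)
        return IP4_BAD_IHL;              /* self-reported length below 20 bytes */
    if (ihl > caplen)
        return IP4_HDR_EXCEEDS_CAP;      /* options would run past the capture */

    size_t total = ((size_t)buf[2] << 8) | buf[3];
    if (total < ihl)
        return IP4_BAD_TOTAL_LEN;        /* payload length would underflow */

    if (hdr_len != NULL)
        *hdr_len = ihl;
    return IP4_OK;
}

/* Constructed sample headers (not captured traffic); MF flag set in each. */
static const uint8_t sample_ok[20] =
    {0x45, 0, 0, 20, 0, 1, 0x20, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2};
static const uint8_t sample_short_ihl[20] =   /* IHL = 2 words = 8 bytes */
    {0x42, 0, 0, 20, 0, 1, 0x20, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2};
static const uint8_t sample_long_ihl[20] =    /* IHL = 15 words = 60 bytes */
    {0x4f, 0, 0, 60, 0, 1, 0x20, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2};

int main(void)
{
    size_t hl = 0;
    printf("ok=%d short_ihl=%d long_ihl=%d\n",
           (int)ip4_validate(sample_ok, sizeof sample_ok, &hl),
           (int)ip4_validate(sample_short_ihl, sizeof sample_short_ihl, NULL),
           (int)ip4_validate(sample_long_ihl, sizeof sample_long_ihl, NULL));
    return 0;
}
```
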
This type is used by Conn and Analyzer to hold onto timers being added and removed. We
don't expect the elements in those lists to maintain an order as the list is being
modified.
This fixes a "bug" with List where remove_nth() can be an O(n) operation when it doesn't
need to be. remove_nth for lists that don't necessarily need to keep an order can be an
O(1) operation instead.
This commit switches UID hashing from md5 to a highway hash. It also
moves the salt value out of the file plugin - and makes it
installation-specific instead - it is moved to the global namespace.
There now are digest hash functions to make "static"
installation-specific hashes that are stable over workers available to
everyone; hashes can be 64, 128 or 256 bits in size.
Due to the fact that we switch the file hashing algorithm, all file
hashes change.
The underlying algorithm that is used for hashing is highwayhash-128,
which is significantly faster than md5.
* origin/topic/seth/more-file-type-ident:
Adds a note in NEWS about the signature addition and restructuring
Fixes a small bug in one signature with a duplicate name.
Organized and added to the shipped file identification signatures.
The places that used md5 basically already used it as a digest
algorithm. Switching to a digest just means that the internal values
used to not change between runs - which is actually wanted in these
cases.
This commit also removes our special cmake subdirectory. We don't expose
highwayhash in headers anymore - so we can just treat it as an internal
implementation choice that is not directly exposed to plugins.
- Added test case and adjusted whitespace in merge
* 'stats-logging-fix' of https://github.com/brittanydonowho/zeek:
Fixed stats.zeek to log all data before zeek terminates rather than return too soon
There's now a couple placeholder/unimplemented status values in Broker
related to upcoming routing features that we don't want to handle
explicitly for compatibility reasons, but also don't want the compiler
warning about unhandled values in the switch.