This unfortunately cuases a ton of flow-down changes because a lot of other
code was depending on that definition existing. This has a fairly large chance
to break builds of external plugins, considering how many internal ones it broke.
Minor whitespace adjusted during merge.
* 'topic/ak/rdpeudp' of https://github.com/anthonykasza/zeek:
change: -C flag to btest
add: ignore checksum added to btest script
change: update btest baselines for rdpeudp-handshake-success
add: rdpeudp2-handshake-success btest baseline
Update src/analyzer/protocol/rdp/rdpeudp-protocol.pac
Update src/analyzer/protocol/rdp/rdpeudp-analyzer.pac
add: btest for rdpeudp2
add: more robust handling of RDPEUDP2 negotiation
change: RDPUDP_CORRELATION_ID_PAYLOAD definition
change: debugging why the orig synex flags aren't parsed correctly but the resp synex flags are...
add: handling for orig SYNEX flags
add: test trace for when RDPEUDP negotiates RDPEUDP2
add: more SYN PDU parsing structs
Pattern values used as table/set indices are stored in serialized form
using just the pattern text, but re-creating the value from that didn't
fully initialize/compile the regex matcher after (re-)creating it from
that pattern text.
This controls whether ports given by "udp_content_delivery_ports_orig" and
"udp_content_delivery_ports_orig" are in terms of the UDP packet's
destination port or by the Connection's "responder" port (the former is
the unchanged default behavior).
The big hitters:
Dict: Fills in four 4-byte holes in the structure. This shrinks Dictionary from 136 bytes to 114 bytes.
Desc: Fills in a 6-byte hole in the structure. This shrinks ODesc from 152 bytes to 144 bytes.
Frame: Moves and combines 4 bool variables from a few places into one single 4-byte block. This resolves all of the holes at once. This shrinks Frame from 216 bytes to 192 bytes and removes one cache line.
Func: Moves one int32_t variable to fill in a 4-byte hole. This shrinks Func from 112 bytes to 104 bytes.
ID: Moves two bool variables to fill in a 3-byte hole. This leaves behind a 1-byte hole, but removes a 6-byte pad from the end of the structure. This shrinks ID from 144 bytes to 136 bytes.
Other changes:
RuleHdrTest: Fills in one 4-byte hole in the structure. This shrinks RuleHdrTest from 248 bytes to 240 bytes.
RuleEndpointState: Moves one bool variable down in the structure to reduce a 7-byte hole. This unfortunately causes a 3-byte hole later in the structure but there’s no easy way to filll it in. This does shrink RuleEndpointState from 128 bytes to 120 bytes though.
ScannedFile: Moves two bool values to reduce a 4-byte hole by 2 bytes. This shrinks ScannedFile from 64 bytes to 56 bytes.
Brofiler: Moves one char value to reduce a 4-byte hole by 1 byte. This shrinks Brofiler from 96 bytes to 88 bytes and removes one cache line.
DbgBreakpoint: Moves some values around to fill in a 4-byte hole and reduce a second. A 2-byte hole still exists, but the structure shrinks from 632 bytes to 624 bytes. It’s possible on this one that one of the int32_t values could be an int16_t and remove the last 2-byte gap.
ParseLocationRec: Moves one int to fill in a 4-byte hole. This shrinks ParseLocationRec from 32 bytes to 24 bytes.
DebugCmdInfo: Moves one bool variable to shift a few others up. This results in a 6-byte pad at the end of the structure but removes a 7-byte hole in the middle. This shrinks DebugCmdInfo from 56 bytes to 48 bytes.
FragReassembler: Moves one variable down to fill in a 4-byte hole. This shrinks FragReassembler from 272 bytes to 264 bytes.
nb_dns_result: Moves ones uint32_t variable to fill in a 4-byte hole, also removing a 4-byte pad from the end of the structure. This shrinks nb_dns_result from 32 bytes to 24 bytes.
nb_dns_entry: Moves one short value to fill in a 2-byte hole, also removing a 6-byte hole. This shrinks nb_dns_entry from 1064 bytes to 1056 bytes.
Connection durations were being compared "less than" instead of "greater
than" the desired duration threshold as provided to
set_current_conn_bytes_threshold() or
ConnThreshold::set_duration_threshold()
- Squashed the original commit set
- Cleaned up formatting
- Fixed register_for_ports() for right RDPEUDP analyzer
* topic/ak/rdpeudp:
Add RDP over UDP analyzer
The alternates must be some subset of the canonical prototype (the one
that's first declared) and allows users to define handlers for any
such prototype. Example:
# Prototype declarations
global my_event: event(s: string, c: count);
global my_event: event(c: count);
global my_event: event();
# Handler definitions
event my_event(s: string, c: count) { print s, c; }
event my_event(c: count) { print c; }
event my_event() { }
This allows handlers to consume a subset of the arguments or even
re-order them. This makes it easier to either extend an existing
event/hook's arguments and/or deprecate usages of certain prototypes.
* origin/topic/jsiwek/misc-lambda-fixes:
GH-725: fix logic for finding a lambda's usage of outer IDs
Change record field anonymous functions to use lambda expressions
* origin/topic/timw/override:
Mark input/output message classes as final, since nothing should be inheriting from them
Add missing override specifier to a number of methods, remove virtual from some as well
Add override specifier to Configure() method in almost all of the internal plugins
