* origin/topic/timw/travis-leaks:
fixup! Add new distro to Travis CI configuration for running leak tests
Add new distro to Travis CI configuration for running leak tests
- Add an extra "prevent" parameter (default value of false), which
helps prevent the same analyzer type from being attached in the
future. It's useful in situations where you want to disable early
on, but a DPD signature may still trigger later and re-attach
the same analyzer. E.g. when not using this flag, but calling
disable_analyzer() inside an http_request event, will remove the
HTTP analyzer that was attached due to well-known-port, but a later
DPD signature match from upon seeing the HTTP reply will end up
attaching another HTTP analyzer. More surprising is that upon
re-attaching that analyzer, you'll get the same http_request as
before since the DPD buffer will get replayed into the new analyzer.
- Fixes disable_analyzer() to work when called even earlier, like
within the protocol_confirmation event. At that time, the
Analyzer tree may have not properly added the new analyzer into
Analyzer::children yet, but rather the temporary waiting list,
Analyzer::new_children. Analyzer::RemoveChildAnalyzer previously
did not inspect the later list.
- Fixes disable_analyzer() when called on an analyzer added to the
tree via TCP_Analyzer::AddChildPacketAnalyzer. TCP_Analyzer
keeps track of such children in its own list,
TCP_Analyzer::packet_children, which the previous
Analyzer::RemoveChildAnalyzer implementation didn't inspect.
* 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek:
improve logging with broker store
drop services starting with -
remove service from key for Cluster::publish_hrw
remove check for empty services
update tests
order list of services in store key
remove repeated services in logs if already seen
add multiprotocol known_services when Known::use_service_store = T
remove hyphen in front of some services (for example -HTTP, -SSL) In some cases, there is an hyphen before the protocol name in the field connection$service. This can cause problems in known_services and is removed here. It originates probably in some analyzer where it would be better removed in the future.
add multiprotocol known_services when Known::use_service_store = F
Changes during merge:
* whitespace
* add unit test
* 'empty_services' of https://github.com/mauropalumbo75/zeek:
remove empty services and include udp active connections when logging in connection_state_remove
* 'export_intel_events' of https://github.com/mauropalumbo75/zeek:
minor restyle and add comments
add an empty read_error event to the intel framework (in the export block, so that users can implement further checks with it)
move event Intel::read_entry to export block
Adjusted whitespace in merge.
Packet length is encoded in up to four bytes, with MSB (0x80)
indicating if there's more bytes in the representation still to follow.
The comparison/bitwise-mask wasn't correctly testing the MSB.
Coverity CID 1403964
I.e. a type was not in the export section, but a field was added
to connection record via a redef that uses the "hidden" type.
That generally doesn't help to hide it that way since a user comes
to rely on it indirectly anyway, and it also causes problems with
the Zeekygen documentation not being able to find it.
This caps size of payload strings within mqtt_publish events and
mqtt_publish.log files. A new "payload_len" field in the log file
shows the real payload size in cases where it may have been truncated.
This also required updating a test that required a root-certificate that
was removed from the Mozilla store - the test now directly includes that
specific root-cert.
* origin/topic/jsiwek/lambda-name-fixes:
Guarantee unique internal name for each lambda function
Use consistent hashing method for internal lambda function names
Now, in addition to setting thresholds for bytes and packet, one can set
a threshold for connection duration. Note that the threshold event is
only raised once the next packet in the connection is seen.
This also fixes a small pre-existing bug, in which a bunch of warnings
were raised if someone just used the lower-level functions without going
through the higher-level scripting API.
* origin/topic/seth/mqtt:
Bug fixes and test baseline updates
Fix an issue with bro_init -> zeek_init
MQTT Analyzer heavily updated and ported from the analyzer originally by Supriya Kumar
Adjustments during merge:
* Minor whitespace cleanups
* Some bro to zeek renaming
* Fixed the parsing of unsubscribe messages to generate an event for each topic
