* origin/topic/vern/content-gap-history:
Refined state machine update placement to (1) properly deal with gaps capped by clean FIN handshakes, and (1) fix failure to detect split routing.
added 'g' $history character for content gaps
* is_valid_ip() is now implemented as a BIF instead of in
base/utils/addrs
* The IPv4 and IPv6 regular expressions provided by base/utils/addrs
have been improved/corrected (previously they could possibly match
some invalid IPv4 decimals, or various "zero compressed" IPv6 strings
with too many hextets)
* extract_ip_addresses() should give better results as a result of
the above two points
* 'master' of https://github.com/dnthayer/zeek:
Update tests and baselines due to renaming all scripts
Rename all scripts to have ".zeek" file extension
Update a few tests due to scripts with new file extension
Add test cases to verify new file extension is recognized
Fix the core/load-duplicates.bro test
Update script search logic for new file extension
Remove unnecessary ".bro" from @load directives
* 'smb2_write_response' of https://github.com/mauropalumbo75/zeek:
smb2_write_response event added
Fixed the unit test to ignore bad checksums in the pcap
Added ConnectionEventFast() and QueueEventFast() methods to avoid
redundant event handler existence checks.
It's common practice for caller to already check for event handler
existence before doing all the work of constructing the arguments, so
it's desirable to not have to check for existence again.
E.g. going through ConnectionEvent() means 3 existence checks:
one you do yourself before calling it, one in ConnectionEvent(), and then
another in QueueEvent().
The existence check itself can be more than a few operations sometimes
as it needs to check a few flags that determine if it's enabled, has
a local body, or has any remote receivers in the old comm. system or
has been flagged as something to publish in the new comm. system.
Majority of PLists are now created as automatic/stack objects,
rather than on heap and initialized either with the known-capacity
reserved upfront or directly from an initializer_list (so there's no
wasted slack in the memory that gets allocated for lists containing
a fixed/known number of elements).
Added versions of the ConnectionEvent/QueueEvent methods that take
a val_list by value.
Added a move ctor/assign-operator to Plists to allow passing them
around without having to copy the underlying array of pointers.
The load-duplicates.bro test would never fail because loading
the provided script code twice wouldn't trigger an error.
Fixed this by changing the sample script content. Also added a
test case to verify that an error occurs as expected
when two scripts with the same content are loaded.
When searching for script files, look for both the new and old file
extensions. If a file with ".zeek" can't be found, then search for
a file with ".bro" as a fallback.
* Consider parsing done after processing headers
* Remove the analyzer when done parsing
* Enforce a maximum DOS stub program length (helps filter out non-PE)
DTLS now only outputs protocol violations once it saw something that
looked like a DTLS connection (at least a client hello). Before the
danger that it misinterprets something is too high.
It has a configurable number of invalid packets that it can skip over
(because other protocols might be interleaved with the connection) and a
maximum amount of Protocol violations that it outputs because of wrong
packet versions.
Mostly rewrote the parsing logic to support incremental parsing and
to support parsing of client messages. Though I did not add events
for client messages, that's easy to add later.
Parsing now stops for both client and server if either encounters
any parsing error or invalid state.
After a complete handshake, server messages are no longer parsed.
Support for that is incomplete and not sure it's that useful anyway
since it mostly contains pixel data.
This changes many weird names to move non-static content from the
weird name into the "addl" field to help ensure the total number of
weird names is reasonably bounded. Note the net_weird and flow_weird
events do not have an "addl" parameter, so information may no longer
be available in those cases -- to make it available again we'd need
to either (1) define new events that contain such a parameter, or
(2) change net_weird/flow_weird event signature (which is a breaking
change for user-code at the moment).
Also, the generic handling of binpac exceptions for analyzers which
to not otherwise catch and handle them has been changed from a Weird
to a ProtocolViolation.
Finally, a new "file_weird" event has been added for reporting
weirdness found during file analysis.
