Using pcaps from https://interop.seemann.io/ as samples for QUIC protocol
data didn't produce a conn.log for the contained data. `tcpdump -r`
and Wireshark do show the contained IP/UDP packets. Teach Zeek how
to handle link type DLT_PPP 0x09 using a new PPP analyzer based on the
PPPSerial analyzer code.
Usual update to files/x509 baseline after adding new analyzer due
to enum values changing.
This change makes the community-id script that adds the community id to
notice.log automatically load the main script if this was not already
loaded.
In the past, the script just did not perform any action if the main
script was not loaded.
This change also makes the notice script respect the seed/base64
settings that were set in the main script.
Fixes GH-3242
* origin/topic/robin/spicy-export-extensions:
[Spicy] Clean up representation of EVT record fields.
[Spicy] Extend functionality of `export` in EVT files.
[Spicy] Refactor parsing of `export` in EVT files.
We now support selecting which fields of a unit type get exported into
the automatically created Zeek record; as well as selecting which
fields get a `&log` attribute added automatically to either all fields
or to selected fields.
Syntax:
- To export only selected fields:
export Foo::X with { field1, field3 };
- To export all but selected fields:
export Foo::X without { field2, field3 };
- To `&log` all fields:
export Foo::X &log;
- To `&log` only selected fields:
export Foo::X with { field1 &log, field3 }; # exports (only) field1 and field3, and marks field1 for logging
Syntax is still subject to change.
Closes #3218.
Closes #3219.
* origin/topic/timw/3059-set-vector-conversion:
Fix conversion with record types
Add conversion between set and vector using 'as' keyword
Add std::move for a couple of variables passed by value
This commit switches the Raw reader to use posix_spawn instead of
the combination of fork + exec. This should be much more efficient, and
also makes the code smaller and easier to read and understand.
* origin/topic/timw/3184-modbus-extensions:
Pass parsed file record information with ReadFile/WriteFile events
Add length field from header to ModbusHeaders record type
Modbus: Add support for Encapsulation Interface Transport (FC=2B) requests and responses
Modbus: Add support for Diagnostics (FC=8) requests and responses
* origin/topic/timw/cmake-find-package:
Change VERSION variable in CMake config to ZEEK_VERSION_FULL
Update bifcl and binpac for FindPackage fixes
Remove usage of FindRequiredPackage
Update zeekctl and cmake to deprecate FindRequiredPackage
Update broker submodule for pybind11 + cmake changes