The order in which the plugin initializers are executed is compiler
dependent. With this change, Tags will always be generated in
alphabetical ordering, not in compiler-dependent order.
* origin/topic/seth/log-framework-ext:
Log extensions: series of small fixes and new tests.
Change the function for log extension to take a path only and update tests.
Final changes to log framework ext code.
Add logging framework metadata mechanism.
Add unrolling separator & field name map to logging framework.
The extensions now work with optional types, as well with complex types
(like subrecords). Not returning a record in the ext_func no longer
crashes bro.
The default_ext_func was switched to return void in
cases where no extension revord is defined (was bool).
I also got rid of the offsets in the indices - with the rest of the
implementation, that was not really necessary and made the code more
complex.
We do no longer need to define BROKER_PYTHON_HOME, because as of
5bae0ee6f202038ad6ed74c1c2fdf1c07c81, broker uses PY_MOD_INSTALL_DIR as
the install location, which is already set.
Please note that this means that now the broker python bindings will be
installed to /lib/broctl instead of /lib/python.
Addresses BIT-1667
The "metadata" functionality has been renamed to "ext" to
represent that the logs are being extended. The function that
returns the record which is used to extend the log now receives
a log filter as it's single argument.
The field name "unrolling" is now renamed to "scope" so the variables
names now look like this: "Log::default_scope_sep"
Previously, the GSSAPI analyzer blindly forwarded authentication
blobs to the NTLM analyzer (which it instantiated too early). Now
it waits to instantiate sub analyzers until a blob of a particular
type has been seen. It also makes the distinction between krb and
ntlm and forwards to the correct analyzer.
This required some fixes to the KRB analyzer because KRB over GSSAPI
looks slightly different than raw KRB.
The KRB analyzer also now includes support for the PA_ENCTYPE_INFO2
pre-auth data type.
If the analyzer is not found directly attached to the connection,
useless error messages are being output. There are now several
cases where analyzers are attached within other analyzers so the
connection itself doesn't know about the analyzer. This hides
these useless messages.
This adds the capability for the user to attach a reason when removing
or destroying a rule. The message will both be logged in netcontrol.log
and forwarded to the responsible plugins.
Addresses BIT-1655
* origin/topic/dnthayer/ticket1627:
Add a test for starting a cluster with a logger node
Update broctl submodule
Update broctl submodule to branch topic/dnthayer/ticket1627
Change how logger node is detected in cluster framework
Update test baselines for the new logger node type
Update docs for the new logger node type
Add a new node type for logging
* topic/seth/smb: (93 commits)
Update NEWS
Add some more DCE_RPC endpoints.
SMB cleanup.
Add rename and delete events for SMB2.
Remove a file that wasn't even being compiled
Simplify how packets go into the SMB analyzer.
Minor cleanup.
Add a DCE-RPC test.
SMB: call Done() for analyzers instantiated by dce_rpc-auth
Fix for an issue with GSSAPI mech_token from Florent Monjalet
Now actually loading DCE-RPC's dpd.sig
Fix a compile breakage.
Fixes for some SMB merge conflicts with master.
Updating the broctl pointer.
Fixing SMB tests again.
Simplify SMB string handling.
SMB test clean up and docs
SMB: fix number of small issues.
Fix a small poor implementation in SMB string handling.
Update tests to match move of smb base scripts into policy/
...
Closes github's #77 and closes BIT-1606
* topic/seth/intel-update-merge:
Tiny scoping updates and test baseline updates for Intel framework.
Minor documentation cleanups.
Fixed insertion of nested subnets.
Refactored FAF integration of intel framework.
Added expiration for intelligence items.
Improved intel notices.
Added hook to allow extending the intel log.
Added remove function to intel-framework.
Added support for subnets to intel-framework.
Refactoring of meta data handling for intel.
Added testcase for intel updates.
