modified GetLinkHeaderSize to support link type
modified ProcessLayer2 to support NFLOG packets
expecting out of the box support from libpcap
hacking my way around bpf, bpf is not supported in libpcap (would be easy to implement) but at the moment, throw a warn if applying a filter and short circuit bpf code.
want to ensure this works... commenting out error states.
Fixed SetFilter to properly detect m_matches_anything, which is used by the DLT_NFLOG type to short circuit bpf filters.
Added NFLOG parsing to zeek source, added m_matches_anything flag check for bpf functionality (NFLOG is bpf incompatible, but shouldn't be)
* origin/topic/jsiwek/gh-211:
GH-208: change invalid subnet expressions to a runtime error
GH-211: improve consistency of how scripting errors are handled
Removed the 'allow_init_errors' option.
It turns out that bro -B all caused a segmentation fault since the
configuration framework was merged; this is caused by the fact that
calling the global_ids bif interacted poorly with -B all due to
side-effects that caused insertions into the global scope in the
global_ids loop.
Scripting errors/mistakes now consistently generate a runtime error
which have the behavior of unwinding the call stack all the way out of
the current event handler.
Before, such errors were not treated consistently and either aborted
the process entirely or emitted a message while continuing to execute
subsequent statements without well-defined behavior (possibly causing
a cascade of errors).
The previous behavior also would only unwind out of the current
function (if within a function body), not out the current event
handler, which is especially problematic for functions that return
a value: the caller is essentially left a mess with no way to deal
with it.
This also changes the behavior of the startup/initialization process
to abort if there's errors during bro_init() rather than continue one
to the main run loop. The `allow_init_errors` option may change this
new, default behavior.
* origin/topic/johanna/md5-fips:
A few more updates to the digest functions.
Tell OpenSSL that MD5 is not used for security in order to allow bro to work properly on a FIPS system
I changed a couple places that looked like memory management pitfalls:
moved some cleanup code into the dtors of HashVal derived classes
(seemed like it got stuck in ctors by accident) and also added a
cautionary cleanup in the MIME code.
Plus minor formatting changes.
This builds upon the previous commit to make Zeek compile on FIPS
systems.
This patch makes the changes a bit more aggressive. Instead of having a
number of different hash functions with different return values, we now
standardize on EVP_MD_CTX and just have one set of functions, to which
the hash algorithm that is desired is passed.
On the positive side, this enables us to support a wider range of hash
algorithm (and to easily add to them in the future).
I reimplemented the internal_md5 function - we don't support ebdic
systems in any case.
The md5/sha1 serialization functions are now also tested (I don't think
they were before).
When 'x' is an integral arithmetic expression, it's now coerced to
yield a signed integer before taking the absolute value of it to
prevent the common issue of unsigned integer overflow/wraparound for
values below zero.
Using a time or interval value/expression for 'x' now also yields a
time or interval, respective, from the |x| operation instead of
a double.
Hash key construction of nested sets depended on the order in
which their elements are iterated, which varied even between sets
containing equivalent elements. The iteration order is now sorted
by each element's hash value (or, on collision, by full key) such
that equivalent sets no longer hash differently.
* origin/topic/jsiwek/val_mgr:
Pre-allocate and re-use Vals for bool, int, count, enum and empty string
Preallocate booleans and small counts
I added a tiny change to CompHash to make sure that nothing messes this
up in the future.
Added check for the optional sub-header in ERSPAN Type III as well
as additional truncation checks to the GRE parsing logic in general.
Also added a unit test for ERSPAN Type II.
Disabling this option allows one to read pcaps, but still initiate
Broker peerings and automatically exit when done processing the pcap
file. The default behavior would normally cause Broker::peer() to
prevent shutting the process down even after done reading the pcap.
This fixes some use-after-free issues in the shutdown order of
various systems: I/O, plugin, logging, and reporter systems may
interact during shutdown if there's errors emitted (or maybe just
still pending) during the shutdown.
Fixes GH-188
