Commit graph

9059 commits

Author SHA1 Message Date
Jon Siwek
47235b57a6 Merge remote-tracking branch 'origin/topic/timw/deprecate-int-types'
* origin/topic/timw/deprecate-int-types:
  Deprecate the internal int/uint types in favor of the cstdint types they were based on

Merge adjustments:
  * A bpf type mistakenly got replaced (inside an unlikely #ifdef)
  * Did a few substitutions that got missed (likely due to
    pre-processing out of DEBUG macros)
2019-08-14 15:49:24 -07:00
Jon Siwek
03c50fe520 Change file_analysis::Manager::ignored to use std::set 2019-08-14 13:48:39 -07:00
Jon Siwek
814d0ea969 Updating submodule(s).
[nomail]
2019-08-14 13:26:39 -07:00
Jon Siwek
396c1cb066 Update documentation for string_to_pattern BIF 2019-08-14 13:22:02 -07:00
Jon Siwek
6a3e53547c Updating submodule(s).
[nomail]
2019-08-14 10:18:34 -07:00
Jon Siwek
94c380297e Merge remote-tracking branch 'origin/topic/timw/easy-pdict-replacements'
* origin/topic/timw/easy-pdict-replacements:
  Cleanups related to PDict -> std::map replacements
  Remove other simple uses of PDict
  Protocols: Remove uses of PDict
  g_dbgfilemaps: Remove uses of PDict
  Scope: remove uses of PDict
  DFA: remove uses of PDict
  EventRegistry: remove uses of PDict
2019-08-13 20:16:02 -07:00
Jon Siwek
87f85ecca1 Cleanups related to PDict -> std::map replacements 2019-08-13 19:57:42 -07:00
Tim Wojtulewicz
e6558d1f19 Remove other simple uses of PDict 2019-08-13 19:57:42 -07:00
Tim Wojtulewicz
8beb710a5e Protocols: Remove uses of PDict 2019-08-13 19:57:42 -07:00
Tim Wojtulewicz
d0e8af9343 g_dbgfilemaps: Remove uses of PDict 2019-08-13 19:57:42 -07:00
Tim Wojtulewicz
a3deb0446c Scope: remove uses of PDict 2019-08-13 19:57:42 -07:00
Robin Sommer
00987c4411 Merge remote-tracking branch 'origin/topic/timw/clang-tidy'
* origin/topic/timw/clang-tidy:
  Change over to whitelisting clang-tidy options instead of blacklisting
  Use FindClangTidy in the cmake submodule to make things easier
2019-08-13 23:45:16 +00:00
Robin Sommer
4ee9276e3a Updating submodule(s).
[nomail]
2019-08-13 23:41:55 +00:00
Robin Sommer
ecd6139d09 Merge remote-tracking branch 'origin/topic/jsiwek/replace-pcap-lookupdev'
* origin/topic/jsiwek/replace-pcap-lookupdev:
  Replace use of deprecated pcap_lookupdev()
2019-08-13 23:02:43 +00:00
Robin Sommer
8167320bb7 Merge remote-tracking branch 'origin/topic/jsiwek/fatal-error-exit-behavior'
* origin/topic/jsiwek/fatal-error-exit-behavior:
  Use _exit() in Reporter::FatalError
2019-08-13 22:40:06 +00:00
Robin Sommer
59c306905c Merge remote-tracking branch 'origin/topic/jsiwek/gh-533-libdir'
* origin/topic/jsiwek/gh-533-libdir:
  GH-533: use consistent "lib" install dir
2019-08-13 22:39:13 +00:00
Jon Siwek
9ccf3549fd Merge remote-tracking branch 'origin/topic/timw/360-log-gzip'
* origin/topic/timw/360-log-gzip:
  Add new LogAscii::gzip_file_extension option.

Adjusted documentation during merge.
2019-08-13 13:49:45 -07:00
Jon Siwek
6e48bdeb38 Merge remote-tracking branch 'origin/topic/jazoff/memory-reduction-contentline'
* origin/topic/jazoff/memory-reduction-contentline:
  Remove redundant buffering in contentline

Adjusted NVT analyzer during merge for cases where it may have been
assuming the buffer was already resized before DoDeliver().
2019-08-13 12:04:15 -07:00
Jon Siwek
c91b12863e Add tests for {http,mime}_all_headers events
And remove unnecessary check for mime_all_headers in HTTP entities
(they only raise the http_all_headers event, never mime_all_headers).
2019-08-13 11:28:00 -07:00
Jon Siwek
bc06768a67 Updating submodule(s).
[nomail]
2019-08-13 11:06:29 -07:00
Jon Siwek
7fc664b545 Merge remote-tracking branch 'origin/topic/jazoff/memory-reduction-mime'
* origin/topic/jazoff/memory-reduction-mime:
  Avoid buffering all http headers

Adjusted during merge:
  * whitespace
  * logic for HTTP needs to consider whether either mime_all_headers
    or http_all_headers events are being used
2019-08-12 19:34:42 -07:00
Jon Siwek
55fb48d04d GH-533: use consistent "lib" install dir
Previously, some sub-projects, like binpac, used GNUInstallDirs.cmake
to choose the default name of the library install directory while
others hard-coded "lib" as the default.  The former may pick "lib64"
on some platforms, so for now, when installing such sub-projects as
part of Zeek, it's overridden to consistently be "lib".
2019-08-12 18:19:27 -07:00
Jon Siwek
41882263db Use _exit() in Reporter::FatalError
Using exit() here may generally not work well since:

* That will result in calling global destructors

* We have global state that we potentially modify at run-time and
  are in the middle of modifying at the time the FatalError occurs.
  E.g. out-of-memory is one situation where it's likely we could
  call the dtor of an object in which operation on its internal
  state is no longer consistent/safe.
2019-08-12 14:13:46 -07:00
Tim Wojtulewicz
2e6e1aa5a8 Change over to whitelisting clang-tidy options instead of blacklisting 2019-08-12 13:59:17 -07:00
Tim Wojtulewicz
b42e726a8e Use FindClangTidy in the cmake submodule to make things easier 2019-08-12 13:59:17 -07:00
Tim Wojtulewicz
54752ef9a1 Deprecate the internal int/uint types in favor of the cstdint types they were based on 2019-08-12 13:50:07 -07:00
Jon Siwek
31d30bb47e GH-535: fix typo of "C_HESIOD" in DNS::classes
Fixes GH-535
2019-08-12 13:32:28 -07:00
Jon Siwek
18e4976c6c Merge remote-tracking branch 'origin/topic/timw/travis-leaks'
* origin/topic/timw/travis-leaks:
  fixup! Add new distro to Travis CI configuration for running leak tests
  Add new distro to Travis CI configuration for running leak tests
2019-08-12 13:01:55 -07:00
Jon Siwek
a1c5eddb95 GH-532: improve disable_analyzer BIF
- Add an extra "prevent" parameter (default value of false), which
  helps prevent the same analyzer type from being attached in the
  future.  It's useful in situations where you want to disable early
  on, but a DPD signature may still trigger later and re-attach
  the same analyzer.  E.g. when not using this flag, but calling
  disable_analyzer() inside an http_request event, will remove the
  HTTP analyzer that was attached due to well-known-port, but a later
  DPD signature match from upon seeing the HTTP reply will end up
  attaching another HTTP analyzer.  More surprising is that upon
  re-attaching that analyzer, you'll get the same http_request as
  before since the DPD buffer will get replayed into the new analyzer.

- Fixes disable_analyzer() to work when called even earlier, like
  within the protocol_confirmation event.  At that time, the
  Analyzer tree may have not properly added the new analyzer into
  Analyzer::children yet, but rather the temporary waiting list,
  Analyzer::new_children.  Analyzer::RemoveChildAnalyzer previously
  did not inspect the later list.

- Fixes disable_analyzer() when called on an analyzer added to the
  tree via TCP_Analyzer::AddChildPacketAnalyzer.  TCP_Analyzer
  keeps track of such children in its own list,
  TCP_Analyzer::packet_children, which the previous
  Analyzer::RemoveChildAnalyzer implementation didn't inspect.
2019-08-09 20:03:26 -07:00
Tim Wojtulewicz
b9f6992c0e fixup! Add new distro to Travis CI configuration for running leak tests 2019-08-09 11:01:16 -07:00
Jon Siwek
bf9b983f00 Merge branch 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek
* 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek:
  improve logging with broker store
  drop services starting with -
  remove service from key for Cluster::publish_hrw
  remove check for empty services
  update tests
  order list of services in store key
  remove repeated services in logs if already seen
  add multiprotocol known_services when Known::use_service_store = T
  remove hyphen in front of some services (for example -HTTP, -SSL)
    In some cases, there is a hyphen before the protocol name in the field
    connection$service. This can cause problems in known_services and
    is removed here. It originates probably in some analyzer where it
    would be better removed in the future.
  add multiprotocol known_services when Known::use_service_store = F

Changes during merge:
  * whitespace
  * add unit test
2019-08-09 10:47:34 -07:00
Jon Siwek
a68c9f6b71 Merge branch 'empty_services' of https://github.com/mauropalumbo75/zeek
* 'empty_services' of https://github.com/mauropalumbo75/zeek:
  remove empty services and include udp active connections when logging in connection_state_remove
2019-08-09 09:59:50 -07:00
Jon Siwek
acd1be6e7b Merge branch 'export_intel_events' of https://github.com/mauropalumbo75/zeek
* 'export_intel_events' of https://github.com/mauropalumbo75/zeek:
  minor restyle and add comments
  add an empty read_error event to the intel framework (in the export block, so that users can implement further checks with it)
  move event Intel::read_entry to export block

Adjusted whitespace in merge.
2019-08-09 09:36:19 -07:00
Jon Siwek
d726e44e0e Updating CHANGES and VERSION. 2019-08-09 09:15:22 -07:00
Tim Wojtulewicz
80e3c42526 Add new distro to Travis CI configuration for running leak tests 2019-08-08 16:36:17 -07:00
Jon Siwek
ba56cf62a7 Change version to 3.1.0-dev 2019-08-08 16:08:50 -07:00
Jon Siwek
d236f377e7 Add memory leak test of closure (un)serialization 2019-08-07 12:41:22 -07:00
Jon Siwek
662c416ad9 Updating submodule(s).
[nomail]
2019-08-07 10:29:16 -07:00
Jon Siwek
6af1bf18ac Replace use of deprecated pcap_lookupdev()
libpcap 1.9.0 has started deprecating this function in favor
of pcap_findalldevs()
2019-08-07 09:46:41 -07:00
Johanna Amann
51f565d235 Merge remote-tracking branch 'origin/topic/jsiwek/gh-527-coverity-issues'
* origin/topic/jsiwek/gh-527-coverity-issues:
  GH-527: fix parsing of MQTT Remaining Length field
  GH-527: fix LambdaExpr::Traverse
  GH-527: fix ref-counting issues in Frame unserialization
2019-08-07 08:10:29 -07:00
Mauro Palumbo
f93e41fd3f minor restyle and add comments 2019-08-07 10:32:36 +02:00
Jon Siwek
dc5aca6854 GH-527: fix parsing of MQTT Remaining Length field
Packet length is encoded in up to four bytes, with MSB (0x80)
indicating if there are more bytes in the representation still to follow.
The comparison/bitwise-mask wasn't correctly testing the MSB.

Coverity CID 1403964
2019-08-06 14:47:03 -07:00
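Added example, not Zeek's or the MQTT analyzer's own code: a stand-alone decoder and encoder for the MQTT "Remaining Length" variable-byte integer described in the commit above. Each byte carries seven data bits; bit 0x80 is the continuation flag, and at most four bytes are allowed (maximum value 268,435,455). The decoder is written so the MSB test is an explicit masked comparison, and it rejects the two malformed shapes a length parser must handle: a buffer that ends while the continuation bit is still set, and a fourth byte that still has the continuation bit set. The function names and the sample byte strings are constructed for this example; the exact mistaken comparison in the original code is not reproduced here.

```cpp
// Added example (not Zeek project code): MQTT "Remaining Length" codec.
// Encoding per MQTT: up to 4 bytes, low 7 bits are data (little-endian
// base-128), bit 0x80 set means "another byte follows".
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <optional>
#include <vector>

struct RemainingLength {
    uint32_t value;     // decoded payload length
    size_t consumed;    // number of encoding bytes used (1..4)
};

static const uint32_t kMaxRemainingLength = 268435455u;  // 0xFF 0xFF 0xFF 0x7F

// Decode from a raw buffer. Returns nullopt when the buffer is truncated
// mid-encoding or when all four bytes have the continuation bit set.
std::optional<RemainingLength> decode_remaining_length(const uint8_t* buf, size_t len) {
    uint32_t value = 0;
    uint32_t multiplier = 1;
    for (size_t i = 0; i < 4; ++i) {
        if (i >= len)
            return std::nullopt;                 // ran out of input while MSB said "more"
        uint8_t b = buf[i];
        value += static_cast<uint32_t>(b & 0x7F) * multiplier;
        if ((b & 0x80) == 0)                     // explicit MSB test: this was the last byte
            return RemainingLength{value, i + 1};
        multiplier *= 128;
    }
    return std::nullopt;                         // 4 bytes and still "more": malformed
}

// Convenience wrapper over a constructed byte list (used by the demo and tests).
std::optional<RemainingLength> decode_bytes(std::initializer_list<uint8_t> bytes) {
    std::vector<uint8_t> v(bytes);
    return decode_remaining_length(v.data(), v.size());
}

// Encoder for round-trip checks. Returns an empty vector if value is out of range.
std::vector<uint8_t> encode_remaining_length(uint32_t value) {
    if (value > kMaxRemainingLength)
        return {};
    std::vector<uint8_t> out;
    do {
        uint8_t b = static_cast<uint8_t>(value % 128);
        value /= 128;
        if (value > 0)
            b |= 0x80;                            // more bytes follow
        out.push_back(b);
    } while (value > 0);
    return out;
}

// Round-trip check: encode, decode, compare. Returns true on success.
bool roundtrip_ok(uint32_t value) {
    std::vector<uint8_t> enc = encode_remaining_length(value);
    if (enc.empty())
        return false;
    auto dec = decode_remaining_length(enc.data(), enc.size());
    return dec && dec->value == value && dec->consumed == enc.size();
}

int main() {
    // Constructed sample headers: one valid, one truncated, one over-long.
    struct Sample { const char* name; std::vector<uint8_t> bytes; };
    std::vector<Sample> samples = {
        {"two-byte length 16383", {0xFF, 0x7F}},
        {"truncated (MSB set, no more data)", {0x80}},
        {"five-byte encoding (malformed)", {0xFF, 0xFF, 0xFF, 0xFF, 0x01}},
    };
    for (const auto& s : samples) {
        auto r = decode_remaining_length(s.bytes.data(), s.bytes.size());
        if (r)
            std::printf("%s -> value=%u consumed=%zu\n", s.name, r->value, r->consumed);
        else
            std::printf("%s -> rejected\n", s.name);
    }
    return 0;
}
```

The decoder reads at most four bytes regardless of how long the buffer is, so a stream of bytes with 0x80 set cannot make it walk past the header, and a caller that gets `nullopt` should treat the packet as malformed rather than guess a length.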
Jon Siwek
f6f4e3e8bc GH-527: fix LambdaExpr::Traverse
Coverity CID 1403966
2019-08-06 14:47:03 -07:00
Jon Siwek
05bc680d3f GH-527: fix ref-counting issues in Frame unserialization
Coverity CIDs 1403968, 1403967
2019-08-06 14:47:03 -07:00
Johanna Amann
7521fec5b3 Update submodule
[nomail]
2019-08-06 11:49:12 -07:00
Mauro Palumbo
8e418d3c7b add an empty read_error event to the intel framework (in the export block, so that users can implement further checks with it) 2019-08-06 12:20:47 +02:00
Mauro Palumbo
1011abd5e0 move event Intel::read_entry to export block 2019-08-06 11:17:34 +02:00
Johanna Amann
3080290a5e Merge remote-tracking branch 'origin/topic/jsiwek/gh-474-mqtt-option'
* origin/topic/jsiwek/gh-474-mqtt-option:
  GH-474: change MQTT::max_payload_size to be a runtime option

Relates to GH-474
2019-08-05 21:06:50 -07:00
Jon Siwek
cc91ab5d9e Fix malformed SMB documentation 2019-08-05 19:00:43 -07:00
Jon Siwek
1eb1771c25 Fix documentation warnings for MQTT identifiers
I.e. a type was not in the export section, but a field was added
to connection record via a redef that uses the "hidden" type.
That generally doesn't help to hide it that way since a user comes
to rely on it indirectly anyway, and it also causes problems with
the Zeekygen documentation not being able to find it.
2019-08-05 18:55:48 -07:00