* origin/topic/johanna/cert-validation:
and still use the hash for notice suppression.
add knob to revert to old validation behavior
Update certificate validation script - new version will cache valid intermediate chains that it encounters on the wire and use those to try to validate chains that might be missing intermediate certificates.
BIT-1332 #merged
The only thing that is missing is a signature to detect the protocol (it
has no well-known port).
Reassembly is kind of fidgety - at the moment we only support
re-assembling one simultaneous message per direction (which looking at
our test-traffic might not be a problem). And I am not quite sure if I
got all cases correct...
But - it works :)
intermediate chains that it encounters on the wire and use those to try
to validate chains that might be missing intermediate certificates.
This vastly improves the number of certificates that Bro can validate.
The only drawback is that now validation behavior is not entirely
predictable anymore - the certificate of a server can fail to validate
when Bro just started up (due to the intermediate missing), and succeed
later, when the intermediate can be found in the cache.
Has been tested on big-ish clusters and should not introduce any
performance problems.
ssl connections with old versions as well as unsafe cipher suites.
Also make the notice suppression handling of other ssl policy files
a tad more robust.
* origin/fastpath:
Crashing bug in WriterBackend when deserializing WriterInfo where config is present. Testcase crashes on unpatched versions of Bro.
Fix wrong value test in WriterBackend. Found by Aaron Eppert (aeppert@gmail.com)
is present. Testcase crashes on unpatched versions of Bro.
Found by Aaron Eppert <aeppert@gmail.com>.
This (probably) fixes the crash issue with sqlite a few people have
reported on the mailing list in the past.
- This addresses BIT-1011
- Add a new field to socks.log; "password".
- Two new events; socks_login_userpass and socks_login_reply.
- One new weird for unsupported authentication method.
- A new test for authenticated socks traffic.
- Credit to Nicolas Retrain for the initial patch. Thanks!
- Any files where the total size was below the size of the
default bof_buffer size couldn't have stream analyzers successfully
attached because the bof_buffer never reached the full size
and was never flushed. This branch explicitly marks the buf_buffer
as full and flushes it when the file is being removed.
These functions are now deprecated in favor of alternative versions that
return a vector of strings rather than a table of strings.
Deprecated functions:
- split: use split_string instead.
- split1: use split_string1 instead.
- split_all: use split_string_all instead.
- split_n: use split_string_n instead.
- cat_string_array: see join_string_vec instead.
- cat_string_array_n: see join_string_vec instead.
- join_string_array: see join_string_vec instead.
- sort_string_array: use sort instead instead.
- find_ip_addresses: use extract_ip_addresses instead.
Changed functions:
- has_valid_octets: uses a string_vec parameter instead of string_array.
Addresses BIT-924, BIT-757.
* origin/topic/robin/dnp3-merge-v4:
add test trace in which DNP3 packets are over UDP; update test scripts and baseline results
A bit more DNP3 tweaking.
remove redundnt codes; find a way to use the analyzer function, such as Weird; fix a small bug in ProcessData function in DNP3.cc; passed the test
Renameing the DNP3 TCP analyzer
quickly fix another bug; adding missing field of the declaration of dnp3_request_application_header and dnp3_response_application_header
Removing the debug printf in DNP3.cc
fixed the bug of deciding the size of object 1 varition 1 in DNP3
Fix some things in DNP3 UDP analyzer.
changed a bug, but still not working
modify DNP3.cc and DNP3.h to add DNP3_UDP_Analyzer; binpac unchanged
BIT-1231 #merged
- I've changed/extended the URI record fields a bit:
- path is always the full path including the full file name
- if there's no path, the field still still be set set "/".
- file_name is the full name including extenstion, and
file_base and file_ext split it out.
- Adding a test exercising a bunch of URLs.
The logic for determining whether a gap was entirely within a MIME
entity body was not asking the current entity, which may be better able
to answer that question if it was using the Content-Range header and
thus knows if the gap exceeds the length of the body that's still
expected.
Addresses BIT-1247
For example, if we have a connection between TCP "A" and TCP "B" and "A"
sends segments "1" and "2", but we don't see the first and then the next
acknowledgement from "B" is for everything up to, and including, "2",
the gap would be reported to include both segments instead of just the
first and then delivering the second. Put generally: any segments that
weren't yet delivered because they're waiting for an earlier gap to be
filled would be dropped when an ACK comes in that includes the gap as
well as those pending segments. (If a distinct ACK was seen for just
the gap, that situation would have worked).
Addresses BIT-1246.
As opposed to delaying until a certain-sized-buffer fills, which is
problematic because then the event becomes out of sync with the "rest of
the world". E.g. content_gap handlers being called sooner than
expected.
Addresses BIT-1240.
* origin/topic/hui/dnp3-udp:
remove redundnt codes; find a way to use the analyzer function, such as Weird; fix a small bug in ProcessData function in DNP3.cc; passed the test
Renameing the DNP3 TCP analyzer
quickly fix another bug; adding missing field of the declaration of dnp3_request_application_header and dnp3_response_application_header
Removing the debug printf in DNP3.cc
fixed the bug of deciding the size of object 1 varition 1 in DNP3
Fix some things in DNP3 UDP analyzer.
changed a bug, but still not working
modify DNP3.cc and DNP3.h to add DNP3_UDP_Analyzer; binpac unchanged
Now the right signer certificate for the reply is looked up (and no longer assumed that it is the first one) and a few compares are fixed. Plus - there are more test cases that partially send certificates in the ocsp message and partially do not - and it seems to work fine in all cases.
Addresses BIT-1212
