* simeonmiteff/master:
Pull changes from zeek/cmake fork
Skip test based on preprocessor flag set by cmake
Set flag for libpcap without DLT_LINUX_SLL2
Force event order in core/init-error btest
Update some coverage baselines
Update plugins/hooks baseline
Add support for DLT_LINUX_SLL2 PCAP link-type
spicy-plugin can find Spicy in paths given by `SPICY_ROOT_DIR` while
`./configure` instead set `SPICY_ROOT`. With this patch we now set the
correct variable.
We also adjust variations of the previous variable name with different
capitalization which caused us to not properly configure spicy-plugin
(which triggers finding Spicy in its given prefix).
Closes#2363.
* topic/christian/zeekygen-add-plugin-labels:
Bump doc to pull in Sphinx exclusion for autogenerated files
Remove long-unused BRO_DISABLE_BROXYGEN env var from btests
Add Sphinx label to Zeekygen-generated plugin docs
It turns out that this can be *very* spammy on networks where we're receiving
lots of these packets, and can fill up the reporter log very quickly. Weirds are
already reported in all of these cases anyways, so it doesn't make sense to log
a reporter warning too.
I ran into wanting to iterate over just the values of a vector and wondering
whether that could just work.
This adds support for the following, where v will be value of vec[i].
local vec = vector("zero", "one", "two");
for ( i, v in vec )
print i, v;
Plugin documentation generated by Zeekygen is currently difficult to reference
from elsewhere in the docs because references prefer labels for unique
identification. This expands the plugin section headings with a unique label,
based on the plugin name.
For example, the documentation for a plugin called Zeek::Foobar becomes linkable
from anywhere via :ref:`plugin-zeek-foobar`.
In the (private) zeek-security repo we currently hit the 2GB storage limit
whenever CI runs happen multiple times in one day, because our Docker Github
workflow preserves the output of the first job (the image build) for the second
job (the cluster tests).
For successful runs, there's no need for the Docker image to survive the CI
run. (For failures, it might help to grab the image for local testing.)
There's no Github-official way to delete an attachment within a workflow, so
this simply truncates the artifact if the workflow succeeds.
The change to the capture-loss test is actually a fix for a bug exposed by the
code change. Previously it wasn't firing the scheduled event because of a failed
name lookup. Now that the lookup has been fixed, the event happens twice.
* ssh://github.com/fatemabw/zeek:
Update options.zeek
Create out-27
Add files via upload
Update src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
Updating the weird names to use all lower case
Fixing whitespaces..
Fixing clang pre-commit error
Add check for option 27
Add the parsed fields for TCP option 27
Add TCP options bad length check
I removed `deprecated-txhosts-rxhosts-connuids.zeek` from
`local.zeek`, seems preferable not to have a script-to-go-away in the
standard configuration for new users. Also tweaked `NEWS` just a tiny
bit.
* origin/topic/awelzel/files-log-unrolling:
files.log: Unroll and introduce uid and id fields
This is a script-only change that unrolls File::Info records into
multiple files.log entries if the same file was seen over different
connections by single worker. Consequently, the File::Info record
gets the commonly used uid and id fields added. These fields are
optional for File::Info - a file may be analyzed without relation
to a network connection (e.g by using Input::add_analysis()).
The existing tx_hosts, rx_hosts and conn_uids fields of Files::Info
are not meaningful after this change and removed by default. Therefore,
files.log will have them removed, too.
The tx_hosts, rx_hosts and conn_uids fields can be revived by using the
policy script frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek
included in the distribution. However, with v6.1 this script will be
removed.
