The ICMP/ICMPv6 analyzers function correctly when full packets have
not been captured, but everything up to and including the ICMP header
is there (e.g. the functions that inspect ICMP error message context
correctly check the caplen to see if more info can be extracted).
The "Should have been caught earlier already." comment may have referred
to NetSessions::CheckHeaderTrunc, which works as intended to catch cases
where the ICMP header is not there in full, but then the assert was
still not correctly formulated for that...
Also changed the ICMP checksum calculation to not occur when the full
packet has not been captured, which seems consistent with what the UDP
analysis does.
- SSL related files and classes renamed to remove the "binpac" term.
- A small fix for DPD scripts to make the DPD log more helpful if
there are multiple continued failures. Also, fixed the SSL
analyzer to make it stop doing repeated violation messages for
some handshake failures.
- Added a $issuer_subject to the SSL log.
- Created a basic test for SSL.
- The 'icmp_conn' record now contains an 'hlim' field since hop limit
in the IP header is an interesting field for at least these ND
messages.
- Changed 'icmp_router_advertisement' event parameters.
'router_lifetime' is now an interval. Fix 'reachable_time' and
'retrans_timer' using wrong internal Val type for intervals.
Made more of the known router advertisement flags available through
boolean parameters.
- Changed 'icmp_neighbor_advertisement' event parameters to add
more of the known boolean flags.
- Add more guards against trying to analyze captured packets with a
truncated IPv6 static header or extension header chain.
- Add back in the ICMP payload tracking for ICMP "connections".
- Fix 'icmp_context' record construction. Some field assignments
were mismatched for ICMP and ICMP6. Source and destination
addresses were set incorrectly for context packets that don't
contain a full IP header. Some fields for ICMP6 weren't filled out.
- Changed ICMP Time Exceeded packets to raise the 'icmp_time_exceeded'
event instead of 'icmp_error_message'.
- Add unit tests for truncation and the main types of ICMP/ICMP6
that have specific events.
- Documentation clarifications.
So that src/dst addresses used in pseudo-header are correct when
there's certain extension headers (routing/destination).
Add ICMP/ICMPv6 checksum unit tests.
* origin/topic/jsiwek/mobile-ipv6:
Add support for mobile IPv6 Mobility Header (RFC 6275).
Refactor IP_Hdr routing header handling, add MobileIPv6 Home Address handling.
Revert TCP checksumming to cache common data, like it did before.
Revert "Improve handling of IPv6 Routing Type 0 headers."
Improve handling of IPv6 routing type 0 extension headers.
- Accessible at script-layer through 'mobile_ipv6_message' event.
- All Mobile IPv6 analysis now enabled through --enable-mobile-ipv6
configure-time option, otherwise the mobility header, routing type 2,
and Home Address Destination option are ignored.
The FragReassembler expire_timer was left uninitialized until after
the first fragment is added, but since the atomic fragment is also
the last, the reassembler thought expire_timer needed to be deleted.
This fix just initializes expire_timer before the first fragment is
added.
- For RH0 headers with non-zero segments left, a "routing0_segleft"
flow_weird event is raised (with a destination indicating the last
address in the routing header), and an "rh0_segleft" event can also
be handled if the other contents of the packet header are of interest.
No further analysis is done as the complexity required to correctly
identify destination endpoints of connections doesn't seem worth it
as RH0 has been deprecated by RFC 5095.
- For RH0 headers without any segments left, a "routing0_header"
flow_weird event is raised, but further analysis still occurs
as normal.
- flow_weird event with name argument value of "routing0_hdr" is raised
for packets containing an IPv6 routing type 0 header because this
type of header is now deprecated according to RFC 5095.
- packets with a routing type 0 header and non-zero segments left
now use the last address in that header in order to associate
with a connection/flow and for calculating TCP/UDP checksums.
- added a set of IPv4/IPv6 TCP/UDP checksum unit tests
The signatures of script-layer functions 'discarder_check_ip',
'discarder_check_tcp', 'discarder_check_udp', and 'discarder_check_icmp'
were changed to use the more general 'pkt_hdr' type as a parameter
instead of individual header types.
Changed the parser to not treat 1xx response codes as a final answer
to an unanswered request -- a later response is still expected.
The scripting layer will also not finish a request-reply pair when
seeing 1xx's, instead it logs both the 1xx and final response messages
with associated information of the current request as they're seen.
- message header state tracking is now done by handling mime_one_header
instead of parsing the data in the smtp_data event
- changed the logging point to be when an smtp_reply is seen in response
to the end of a DATA section
- the smtp package now uses it's own mime script and logging stream for
logging entities, extraction, etc.
- fixes for mime file extraction: now logs the extracted file name, and
the count of extracted files needed to be maintained in the State record
If 'use_conn_size_analyzer' is true, the event engine tracks number of
packets and raw IP bytes per connection. If report_conn_size_analyzer
is true, these values are included as four new columns into conn.log
I changed conn.bro so that the value of report_conn_size_analyzer
follows that of use_conn_size_analyzer. For the new conn.log, we
probably want to get rid of report_conn_size_analyzer anyway.
filter. (Seth Hall and Robin Sommer)
- Merging in the patch from #264, which provides support for mixed
VLAN and MPLS traffic.
- Changing Bro's default filter from being built dynamically to being
a static "ip or not ip". To get the old behaviour back (i.e., the
dynamically built filter), redef "all_packets" to false.
- print-filter.bro now always prints the filter that Bro is actually
using, even if overriden from the command line.
Note that currently most of them don't pass because (i) the code
adding the environment variable for seeding the RNG has not been
merged into master yet; and (2) Broccoli to Bro communication is
currently broken because of the int64 problem. Once these are fixed,
then baselines need to be recreated and checked.
Therefore, the istate tests aren't activated in btest.cfg yet.
Note that I've shifted things around a little bit. The traces are now
in Traces/* (capital T), and the known-hosts-test in policy/*.
Scripts/ was meant just for helper shell scripts for the testing
framework. Also, I've not yet included "policy" in btest.cfg as a
TestDir because the corresponding script is not yet in master.
* origin/topic/appleman/unittests:
Test, trace file, and baseline for testing the known-services policy script
Baseline for KNOWN-HOSTS tesT
Initial drop of known-hosts unit test, with tracefile and directory structure, as well as c ouple of files pulled from Robin's logging branch.
