Some of the existing mime types received extended matchers
to fix problems with UTF-16 BOMs.
New file mime types:
- .ini files
- MS Registry policy files
- MS Registry files
- MS Registry format files (e.g. DESKTOP.DAT)
- MS Outlook PST files
- Apple AFPInfo files
Mime type fixes:
- MP3 files with ID3 tags.
- JSON and XML matchers were extended
The auto-generated header rfb_pac.h had class member functions "major"
and "minor" which were clashing with macros of the same name defined
in /usr/include/sys/types.h on FreeBSD. Fixed by renaming the fields.
* topic/seth/file-entropy:
Add a file entropy test.
Fixing a test.
Updated tests for file entropy analyzer.
Update and clean up to file entropy measurement.
First commit of file entropy analyzer.
* martin/topic/fox/rfb:
Fixed issue in state machine
Some styling tweaks
Implement protocol confirmation
Analyzer and bro script for RFB protocol (VNC)
* <seth> I also applied a bit of clean up to the base
script to make it match other scripts better and
updated tests.
There is a slight difference in the message sequence
between version 3.7 and 3.8.
Version 3.8 will always send an Authentication Result
message when authentication type 'None' is selected
while 3.7 does not.
Do not set the service field in the bro script but
use the protocol confirmation paradigm.
Protocol is considered confirmed if both a
successful client and server banner have been
parsed.
This analyzer parses the Remote Frame Buffer
protocol, usually referred to as the 'VNC protocol'.
It supports several dialects (3.3, 3.7, 3.8) and
also handles the Apple Remote Desktop variant.
It will log such facts as client/server versions,
authentication method used, authentication result,
height, width and name of the shared screen.
It also includes two testcases.
Todo: Apple Remote Desktop seems to have some
bytes prepended to the screen name. This is
not interpreted correctly.
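The handshake the RFB analyzer above parses, written out as an added example in Python; this is not the analyzer's own binpac code, and the byte streams it decodes are constructed here rather than captured. It shows the two points the commit messages make: the session counts as confirmed only once both banners have been parsed, and the SecurityResult message is present for security type 'None' only in 3.8 (3.3 and 3.7 go straight to ClientInit). Field layouts (12-byte banner, u16 width/height, 16-byte PIXEL_FORMAT, u32 name length) follow the RFB specification; the VNC-authentication branch only skips the 16-byte challenge and response and does not verify them.

```python
import struct

# Security types and wire sizes from the RFB specification.
SEC_NONE = 1
SEC_VNC_AUTH = 2
BANNER_LEN = 12          # "RFB xxx.yyy\n"
PIXEL_FORMAT_LEN = 16    # fixed-size PIXEL_FORMAT block inside ServerInit


class RFBHandshake:
    """Decodes one RFB handshake from the two directions of a session.

    server and client are the reassembled byte streams each side sent. The
    session is confirmed only once both banners have parsed, whatever follows.
    """

    def __init__(self):
        self.server_version = None
        self.client_version = None
        self.auth_type = None
        self.auth_result = None   # stays None when no SecurityResult is on the wire
        self.width = None
        self.height = None
        self.name = None

    @property
    def confirmed(self):
        return self.server_version is not None and self.client_version is not None

    @staticmethod
    def parse_banner(data):
        """Returns ((major, minor), remainder) or raises if data is not a banner."""
        if (len(data) < BANNER_LEN or data[:4] != b"RFB "
                or data[7:8] != b"." or data[11:12] != b"\n"):
            raise ValueError("not an RFB ProtocolVersion banner")
        return (int(data[4:7]), int(data[8:11])), data[BANNER_LEN:]

    def parse(self, server, client):
        self.server_version, server = self.parse_banner(server)
        self.client_version, client = self.parse_banner(client)
        major, minor = self.client_version   # the client's reply fixes the version in use
        if (major, minor) not in ((3, 3), (3, 7), (3, 8)):
            raise ValueError("unsupported RFB version %d.%d" % (major, minor))

        if minor == 3:
            # 3.3: the server dictates the security type as a 4-byte value.
            (self.auth_type,) = struct.unpack("!I", server[:4])
            server = server[4:]
        else:
            # 3.7/3.8: server offers a 1-byte count plus list, client answers with 1 byte.
            count = server[0]
            if count == 0:
                raise ValueError("server refused the connection")
            offered = server[1:1 + count]
            server = server[1 + count:]
            self.auth_type = client[0]
            client = client[1:]
            if self.auth_type not in offered:
                raise ValueError("client chose a security type the server did not offer")

        if self.auth_type == SEC_VNC_AUTH:
            # 16-byte challenge from the server, 16-byte response from the client (not checked).
            server, client = server[16:], client[16:]
        elif self.auth_type != SEC_NONE:
            raise ValueError("security type %d not handled here" % self.auth_type)

        # SecurityResult (u32, 0 = OK): 3.3 and 3.7 omit it for 'None', 3.8 always sends it.
        if self.auth_type != SEC_NONE or minor == 8:
            (self.auth_result,) = struct.unpack("!I", server[:4])
            server = server[4:]
            if self.auth_result != 0:
                return self   # failed authentication: no ClientInit/ServerInit follows

        client = client[1:]   # ClientInit: 1-byte shared-desktop flag
        # ServerInit: width u16, height u16, PIXEL_FORMAT, name length u32, name.
        self.width, self.height = struct.unpack("!HH", server[:4])
        (name_len,) = struct.unpack("!I", server[4 + PIXEL_FORMAT_LEN:8 + PIXEL_FORMAT_LEN])
        self.name = server[8 + PIXEL_FORMAT_LEN:8 + PIXEL_FORMAT_LEN + name_len].decode("latin-1")
        return self


def constructed_session(minor, width=1024, height=768, name=b"lab-desktop"):
    """Builds a constructed (not captured) client/server pair for version 3.<minor>
    using security type 'None' and decodes it. Returns the RFBHandshake."""
    banner = b"RFB 003.%03d\n" % minor
    server_init = (struct.pack("!HH", width, height) + b"\x00" * PIXEL_FORMAT_LEN
                   + struct.pack("!I", len(name)) + name)
    if minor == 3:
        server = banner + struct.pack("!I", SEC_NONE) + server_init
        client = banner + b"\x01"                        # only ClientInit
    else:
        server = banner + bytes([1, SEC_NONE])           # one offered type: None
        if minor == 8:
            server += struct.pack("!I", 0)               # SecurityResult only in 3.8
        server += server_init
        client = banner + bytes([SEC_NONE]) + b"\x01"    # chosen type, then ClientInit
    return RFBHandshake().parse(server, client)


if __name__ == "__main__":
    for minor in (3, 7, 8):
        h = constructed_session(minor)
        print("3.%d confirmed=%s auth=%s result=%s %dx%d %r"
              % (minor, h.confirmed, h.auth_type, h.auth_result, h.width, h.height, h.name))
```

Running the script decodes the three constructed sessions; note that only the 3.8 session carries an auth_result, which is exactly why the analyzer has to branch on the negotiated version rather than always expecting the message.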
BIT-1528 #merged
* origin/topic/vladg/bit-1528:
Call ProtocolConfirmation in SNMP only if we saw a response SNMP packet
Call ProtocolConfirmation in SIP only if we saw a response SIP packet
Separate the former BrokerComm and BrokerStore portions of the script
because these files will be much larger when script wrappers for BIFs are
written.
BIT-1553 #merged
* origin/topic/johanna/filter_subnet_table:
Check that there is only one of read, write, create_expire
Update NEWS
Fixed &read_expire for subnet-indexed tables
Added &read_expire testcase for subnet tables
Add filter_subnet_table bif
* 'topic/johanna/filter_subnet_table' of https://github.com/J-Gras/bro:
Fixed &read_expire for subnet-indexed tables
Added &read_expire testcase for subnet tables
Includes a bit of refactoring of commit code & code related to the
feature.
This bif works similar to the matching_subnet bif. The difference is
that, instead of returning a vector of the subnets that match, we return
a filtered view of the original set/table only containing the changed
subnets.
This commit also fixes a small bug in TableVal::UpdateTimestamp
(ReadOperation only has to be called when LoggingAccess() is true).
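The semantics described for the filter_subnet_table bif relative to matching_subnet, modelled as an added Python example (not the bif's C++ implementation, and not Bro script). It assumes the documented behaviour of matching_subnet, returning the table's subnet keys that contain the search subnet, and treats filter_subnet_table as the same match returning the surviving entries with their values; the POLICY table is a constructed sample. Requires Python 3.7+ for ipaddress.subnet_of.

```python
import ipaddress


def _contains(net, search):
    # Matching is per address family: a v4 key never contains a v6 search subnet.
    return net.version == search.version and search.subnet_of(net)


def matching_subnet(search, table):
    """Model of the matching_subnet bif: the subnet keys of table that contain
    search, most specific first."""
    hits = [net for net in table if _contains(net, search)]
    return sorted(hits, key=lambda n: n.prefixlen, reverse=True)


def filter_subnet_table(search, table):
    """Model of the filter_subnet_table bif: a new mapping holding only the entries
    whose subnet key contains search, values preserved."""
    return {net: val for net, val in table.items() if _contains(net, search)}


# Constructed sample, the shape a table[subnet] of string in a Bro script might have.
POLICY = {
    ipaddress.ip_network("10.0.0.0/8"): "corp",
    ipaddress.ip_network("10.1.0.0/16"): "lab",
    ipaddress.ip_network("10.1.5.0/24"): "scanners",
    ipaddress.ip_network("192.168.0.0/16"): "guest",
    ipaddress.ip_network("2001:db8::/32"): "corp-v6",
}


def lookup(host, table=POLICY):
    """Returns (ordered matching subnets, filtered table) for a host or subnet string.
    A bare address is treated as a /32 or /128, as Bro does when an addr is used as a subnet."""
    search = ipaddress.ip_network(host, strict=False)
    return matching_subnet(search, table), filter_subnet_table(search, table)


if __name__ == "__main__":
    subnets, view = lookup("10.1.5.77")
    print([str(s) for s in subnets])                 # most specific first
    print({str(k): v for k, v in view.items()})      # the filtered view, values intact
    print(lookup("172.16.0.1"))                      # nothing matches: ([], {})
```

The filtered view keeps the table's values, so a script that previously called matching_subnet and then indexed the original table for each hit can do the lookup in one call; the ordering guarantee belongs only to the vector form, the filtered table is unordered like any Bro table.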