When encrypted data was bundled within the same segment as the NewKeys
message, it wasn't not reported via a ssh_encrypted_package event as
it should have been.
* origin/topic/jsiwek/gh-554-file-signature-optimizations:
GH-554: don't init PIA endpoint matchers if there's only file-magic
GH-554: remove use of file magic in protocol-based signature logic
The logic for initializing PIA endpoint matchers was previously
skipped if "there's no global rule matcher", and that's only true
when no signature files get loaded.
But when using `zeek -b`, some file-magic signatures still get loaded
by default, so the PIA endpoint matchers still get initialized even
though they don't need to be -- file-magic patterns play no part
in PIA.
For typical use-cases (not using the `-b` flag), this change won't
help any, but we do at least use `-b` often within the test suite.
This can be a significant performance/memory improvement since
otherwise the protocol-based rule matching logic ends up superfluously
creating file-matching state per file-matcher per connection/endpoint.
- Fixed the context list padding to only be used for dialect 0x0311.
The new test case includes an example where parsing the optional
padding would fail for another dialect.
* '555-smb3-negotiate-context-fix' of https://github.com/mad/zeek:
Fix for smb3 negotiate context
* origin/topic/timw/main-cleanup:
main: Properly close down SSL/sqlite at shutdown if net_run never started up
main: Finish processing program arguments before setting up SSL/sqlite
- Minor whitespace and comment adjustments
* origin/topic/timw/mapping:
Fix unit tests for new ordering from NetSessions::Drain
Change FragReassembler to use a tuple as a key and use std::map for fragments in Sessions
Rework Session/Connection tracking to use a std::map instead of PDict
- Changed .bif files to be detected as C++
* origin/topic/seth/github-linguist-fixes:
Adjusting how files are ignored for linguist and adding bif files to ignore.
Stop incorrect language identification on github.
I copied the same style that caf uses ("zk" with single dot and no space).
This gives some consistency with caf and avoids us wasting more
space beyond "bro: ". OSs only give 16 characters for thread names
so anything we can gain here is nice.
If you look at the languages that github is implemented in according
to our page on github, it has several incorrect things. PAC files and
SIG files being the big misidentifications. In my opinion it would look
better to mark these as no language so that javascript and ML stop showing
up as languages that Zeek is implemented in.
This change should make fix that on github according to:
https://github.com/github/linguist#overrides
If dpd_match_only_beginning is disabled, matches of protocol signatures
can be handeld using protocol_late_match. To prevent further matching in
this case, dpd_late_match_stop may be activated.
Includes fix for potential iterator invalidation during iteration.
* origin/topic/jsiwek/gh-532-improve-disable-analyzer:
GH-532: improve disable_analyzer BIF
* origin/topic/timw/deprecate-int-types:
Deprecate the internal int/uint types in favor of the cstdint types they were based on
Merge adjustments:
* A bpf type mistakenly got replaced (inside an unlikely #ifdef)
* Did a few substitutions that got missed (likely due to
pre-processing out of DEBUG macros)
