* 'topic/corelight/load-hook' of https://github.com/corelight/bro:
Fix and extend behavior of HookLoadFile
I refactored some parts of scan.l to avoid the ambiguity of some
branches returning 0 and some branches not returning anything.
This just skips over IPv6 nameserver addresses for now and uses the
first IPv4 one in the resolver config. Should be possible to support
IPv6, but that may need more testing (e.g. need to make sure the code
will be portable to various platforms).
The pcap file format has a global header and a header per packet. The
global header of the pcap in question had a snaplen of 1, but with
packet headers indicating the full number of bytes saved within the
file. It seems like the pcap file must of been artifically edited in
order for it to be this way.
When reporting the captured length of a packet, Apple's version of
libpcap now seems to report the full number of bytes saved within the
pcap's per-packet headers, but other versions seem to report the snaplen
from the global pcap header. This caused the core.truncation test to
behave differently on macOS from other platforms.
I've manually hexedit'd the pcap so that the snaplen is still 1, but
contains just a single packet with a pcap header indicating a length of
8, which is less than the size of the link layer header and so should
still test the original code path that the unit test intended to
exercise.
I added another small change - since we are inlining Configure(), we can
just set bro_plugin directly to BRO_PLUGIN_BRO_VERSION in
src/plugin/Plugin.h, instead of depending on the plugin to do it. This
also means we do not need to change init-plugin in bro-aux at this
moment.
BIT-1828 #closed
* origin/topic/robin/plugin-version-check:
Adding plugin API number into versioned function name, and removing old runtime API version check.
Extend plugin infrastructure to catch Bro version mismatches at link time.
* 'nfs_changes' of https://github.com/jwallior/bro:
Add nfs unittest. Includes an example for the new nfs_proc_rename.
Added rename event to rpc/nfs protocol analyzer. This event identifies and reports information about nfs/rpc calls and replies of the type rename.
Expand parsing of RPC Call packets to add Uid, Gid, Stamp, MachineName and AuxGIDs
Fix NFS protocol parser.
* topic/seth/input-thread-behavior:
Minor documentation fixes.
Ascii reader error changes - fix small bugs
Tiny fix to correct a warning message.
Input's ascii reader is now more resilient.
Another resilient Ascii reader checkpoint.
In progress on ascii writer behavior change.
* origin/topic/robin/broker-logging:
Another fix for the new Broker-based remote logging.
Fix some minor issues.
Adding Broker ifdefs for new remote logging code.
Changing semantics of Broker's remote logging to match old communication framework.
* topic/seth/krb5-ticket-tracking-merge:
Refactor base krb scripts and update tests.
Add script to log ticket hashes in krb log
Ensure TGS req does not stomp out AP data
Add ciphertext to ticket data structures
* origin/topic/robin/file-analysis-fixes:
Adding test with command line that used to trigger a crash.
Cleaning up a couple of comments.
Fix delay in disabling file analyzers.
Fix file analyzer memory management.
The merge changes around functionality a bit again - instead of having
a list of done analyzers, analyzers are simply set to skipping when they
are removed, and cleaned up later on destruction of the AnalyzerSet.
BIT-1782 #merged
