* origin/fastpath:
Fix construction of ip6_ah (Authentication Header) record values.
Update compile/dependency docs for OS X.
Adjusting Mac binary packaging script.
Unit test reliability adjustment.
Adjusting some unit tests that do cluster communication.
Small change to non-blocking DNS initialization.
reorder a few statements in scan.l to make 1.5msecs etc work.
Authentication Headers with a Payload Len field set to zero would cause
a crash due to invalid memory allocation because the previous code
assumed Payload Len would always be great enough to contain all
mandatory fields of the header. This changes it so the length of
the header is explicitly checked before attempting to extract fields
located past the minimum length (8 bytes) of an Authentication Header.
Crashes due to this are only possible when handling script-layer events
ipv6_ext_headers, new_packet, esp_packet, or teredo_*. Or also when
implementing one of the discarder_check_* family of functions.
Otherwise, Bro correctly parses past such a header.
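The length check described in the commit message above, as an added example that is not Bro's own code: `struct ah_info` and `parse_ah` are hypothetical names, the field layout follows RFC 4302, and the sample packet in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AH_MIN_LEN 8   /* next header, payload len, reserved, SPI */
#define AH_SEQ_END 12  /* end of the sequence number field */

struct ah_info {            /* hypothetical record, not Bro's ip6_ah */
    uint8_t  next_header;
    size_t   hdr_len;       /* total AH length in bytes */
    uint32_t spi;
    int      has_seq;       /* 1 if the fields past 8 bytes are present */
    uint32_t seq;
    const uint8_t *icv;     /* points into the packet buffer, or NULL */
    size_t   icv_len;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the header does not fit in the buffer. */
int parse_ah(const uint8_t *buf, size_t caplen, struct ah_info *out)
{
    memset(out, 0, sizeof(*out));
    if (caplen < AH_MIN_LEN) return -1;
    /* RFC 4302: Payload Len is the AH length in 32-bit words, minus 2. */
    size_t hdr_len = ((size_t)buf[1] + 2) * 4;
    if (hdr_len > caplen) return -1;
    out->next_header = buf[0];
    out->hdr_len = hdr_len;
    out->spi = be32(buf + 4);
    /* Payload Len 0 gives hdr_len 8: no sequence number and no ICV.
       Without this check, hdr_len - 12 would wrap to a huge size_t. */
    if (hdr_len >= AH_SEQ_END) {
        out->has_seq = 1;
        out->seq = be32(buf + 8);
        out->icv = buf + AH_SEQ_END;
        out->icv_len = hdr_len - AH_SEQ_END;
    }
    return 0;
}

int main(void)
{
    const uint8_t pkt[8] = {59, 0, 0, 0, 0, 0, 1, 0}; /* constructed, Payload Len 0 */
    struct ah_info a;
    int rc = parse_ah(pkt, sizeof pkt, &a);
    printf("rc=%d hdr_len=%zu has_seq=%d icv_len=%zu\n", rc, a.hdr_len, a.has_seq, a.icv_len);
    return 0;
}
```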
- Renamed many data structures to align with most recent standard.
- Reworked modbus events to make them more canonically "Bro".
- Converted the Modbus analyzer to a simpler style for easier maintenance.
- Modbus coil related events still don't work (I haven't finished the
function for converting the data structures).
- Modbus file record events remain incomplete.
The trailing dot on "localhost." circumvents use of /etc/hosts in
some environments (I saw it on FreeBSD 9.0-RELEASE-p3) and so emits
an actual DNS query. When running the test suite, that would be
hundreds of useless queries.
* origin/fastpath:
Fix the "-=" operator for intervals
Fix "!=" operator for subnets
Add sleeps to configuration_update test for better reliability.
Fix a segfault when iterating over a set
When iterating over a set with a "for" loop, bro would segfault
when the number of index variables was less than required.
Example: for ( [c1,c2] in s1 ) ...
where s1 is defined as set[addr,port,count].
* origin/master:
Two fixes.
Updating CHANGES and VERSION.
Updating CHANGES and VERSION.
Remove automatic use of gperftools on non-Linux systems.
Set VERSION to 2.1-rc3 so that we don't get confused.
Fix uninitialized value for 'is_partial' in TCP analyzer.
parse 64-bit consts correctly.
on 32-bit machines only unsigned long longs are 64-bits long. Not just unsigned longs...
* origin/topic/dina/modbus:
put some make-up on Modbus analyser
Modbus analyser, added support: FC=20,21
Modbus analyzer, added support: FC=1,2,15,24
Modbus analyzer, current support: FC=3,4,5,6,7,16,22,23
I cleaned up the code a bit, mainly layout style.
I did not include the *.bro scripts for now, but a test script
../testing/btest/scripts/base/protocols/modbus/events.bro that prints
out the value for each event.
Merged the Modbus traces from the ics repository into a single trace
as input for the test. They currently trigger 20 of the 34 events.
Addresses #870.
* origin/fastpath:
Remove automatic use of gperftools on non-Linux systems.
Fix uninitialized value for 'is_partial' in TCP analyzer.
parse 64-bit consts correctly.
on 32-bit machines only unsigned long longs are 64-bits long. Not just unsigned longs...
This led to non-deterministic behavior in cases where the first packet
analyzed wasn't from the originator side (see the conditionals in
TCP_Analyzer::CheckFlagCombos()).
The 'short' test in private test suite showed this behavior most often.
* remotes/origin/topic/bernhard/input-warn-on-invalid-numbers:
...and another small change to error handling -> now errors in single lines do not kill processing, but simply ignore the line, log it, and continue.
Ok, this one was a little bit sneaky.
ok, this one might really be a bit too big for 2.1
If I understand things correctly, calling other string functions
on an stl string may alter the contents of the buffer to which
earlier .c_str()-calls pointed. Kind of makes sense when thinking
about it.
Basically moving around a few lines should fix this.
(And thank you again Robin)
* origin/fastpath:
Ok, this one is not really necessary for 2.1 and more of a nice-to-have
another small bug found while searching for something else...
Fix two little bugs:
sorry. the patch for the set_separator.
make set_separators different from , work for input framework.
Bug found by Keith & Seth: input framework was not handling counts and ints out of 32-bit-range correctly.
Before this patch, empty values were not hashed at all. Which had the unfortunate side-effect
that e.g. the lines
TEST -
and
- TEST
have the same hash values. On re-reads that means that the change will
be ignored.
This is probably pretty academic, but this patch changes it and adds a testcase.
Output of the reread test changes due to re-ordering of the output (probably
due to the fact that the internal hash values are changed and thus transferred
in a different order)
Escaped ,'s in sets and vectors were unescaped before tokenization
Handling of zero-length-strings as last element in a set was broken (sets ending with a ,).
Hashing of lines just containing zero-length-strings was broken (now a \0 is appended to each
string before it is hashed - giving us a hash of something for a line just consisting of \0s.
This also allows to differentiate between vectors with varying numbers of zero-length-strings).
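The hashing ambiguity described in the two commit messages above, as an added example that is not Bro's code: FNV-1a stands in for whatever hash the input framework uses (the page does not name it), the function names are hypothetical, and the sample lines are constructed with "-" read as an empty value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FNV_OFFSET 14695981039346656037ULL

/* FNV-1a, a stand-in only; the page does not say which hash Bro uses. */
static uint64_t fnv1a(uint64_t h, const void *data, size_t n)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Old behaviour as described: field bytes only, so empty fields add nothing. */
uint64_t hash_fields_naive(const char *const *f, size_t n)
{
    uint64_t h = FNV_OFFSET;
    for (size_t i = 0; i < n; i++)
        h = fnv1a(h, f[i], strlen(f[i]));
    return h;
}

/* Fixed behaviour: each field is hashed together with its trailing \0. */
uint64_t hash_fields_terminated(const char *const *f, size_t n)
{
    uint64_t h = FNV_OFFSET;
    for (size_t i = 0; i < n; i++)
        h = fnv1a(h, f[i], strlen(f[i]) + 1);
    return h;
}

/* Constructed samples: the lines "TEST -" and "- TEST", then 1 vs 2 empties. */
const char *const LINE_A[] = { "TEST", "" };
const char *const LINE_B[] = { "", "TEST" };
const char *const ONE_EMPTY[] = { "" };
const char *const TWO_EMPTY[] = { "", "" };

int main(void)
{
    printf("naive equal: %d, terminated equal: %d\n",
           hash_fields_naive(LINE_A, 2) == hash_fields_naive(LINE_B, 2),
           hash_fields_terminated(LINE_A, 2) == hash_fields_terminated(LINE_B, 2));
    return 0;
}
```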
* origin/fastpath:
Update documentation for builtin types
Adding an identifier to the SMTP blocklist notices for duplicate suppression.
Doc fixes for signature 'eval' conditions.
Remove orphaned unit tests.
Add type checking for signature 'eval' condition functions.
Otherwise functions could be called with a mismatching argument list
and cause a crash at run-time. The incorrect function type is now
reported at parse-time.
* origin/topic/bernhard/input-allow_invalid_types:
to be sure - add a small assertion
add an option to the input framework that allows the user to choose to not die upon encountering files/functions.
That's the last feature for 2.1!
- Problem presented itself through incorrect results in capture-loss.bro
under odd traffic circumstances (exact circumstances unknown).
- Changed variables involved in ack tracking to all be uint64 values.
Not sure if more can be done to work around it, but reported to
dataseries devs here: https://github.com/dataseries/DataSeries/issues/1
The core/leaks/dataseries-rotate.bro unit test fails without this.
* origin/fastpath:
Add the Stream record to Log::active_streams to make more dynamic logging possible.
Fix portability of printing to files returned by open("/dev/stderr").
Fix mime type diff canonifier to also skip mime_desc columns
Unit test tweaks/fixes.
Fix memory leak of serialized IDs when compiled with --enable-debug.
One tweak to the open() change: make sure we don't try to rotate the
special files.
The BroFile ctor now wraps /dev/std{in,out,err} string arguments
into the actual FILE* provided by stdio.h because use of the former
directly isn't POSIX compliant and led to subtle differences that
broke unit tests on certain platforms (e.g. OS X redirection of stderr
behavior started differing from Linux). The BroFile (un)serialization
methods already did this kind of logic, so adding it in the ctor also
should make things more consistent.
Some of the reporter-related unit tests looked like they were missing
output because of this, and the coverage test for bare-mode errors
needed tweaking to branch on whether or not libcurl was available
(since the error output differs when elasticsearch isn't there).
When using --enable-debug, values keep track of the last identifier
to which they were bound by storing a ref'd ID pointer. This could
lead to some circular dependencies in which an ID is never reclaimed
because the Val is bound to the ID and the ID is bound to the Val, with
both holding references to each other.
There might be more cases where this feature of --enable-debug caused
a leak, but it showed up in particular when running the
core.leaks.remote unit test due to the internal
SendID("peer_description") call during the handshake between remote
processes. Other tests showed the send_id() BIF leaked more generally.
Tracking the ID last bound to a Val through just the identifier string
instead of a ref'd ID pointer fixes the leak.