Checkpoint.
Decapsulation happens after IP Defragmentation. The "identity" of the
enclosing tunnel (the "parent") is added to the connection record of the
child (tunneled) connection as an optional field $tunnel_parent.
When using a `print` statement to write to a file that has raw output
enabled, NUL characters in string are no longer interpreted into "\0",
no newline is appended afterwards, and each argument to `print` is
written to the file without any additional separation.
(Re)Assigning to identifiers with the &raw_output attribute should also
now correctly apply the attribute to the file value being assigned.
Note that the write_file BiF should already be capable of raw string
data to a file, except it bypasses the print_hook event.
Addresses #474
When reading from trace files, 'dropped' and 'link' fields are now
just zeroed.
When reading from an interface, the values filled in by pcap_stats()
are now only used when that function indicates success.
Closes #500.
The main change is that the postprocessor commands are no longer run
by the log writers themselves. Instead, the writers send back a
message to the log mgr once they have rotated. The manager then calls
a script level function to do something with the rotated file. By
default, it will be renamed to something nice and then a
postprocessor shell command will be run on it if defined.
Pieces going into this:
- Terminology change: "postprocessor" now refers to a script
*function*. In addition, there are "postprocessor commands", which
are shell commands that may be triggered by the function to run on
a rotated file.
- The RotationInfo record now comes with all the information that
was previously provided internally to the C++ function running the
post-processor command.
- Changing the default time format to %Y-%m-%d-%H-%M-%S
- rotation_path_func is gone
- The default postprocessor function is defined individually by
each LogWriter in frameworks/logging/plugin/*
- The interface to postprocessor shell commands remains the same.
Needs a bit more testing ...
* origin/fastpath:
Normalize Notice::Type identifiers per convention. (closes #484)
Another fix to the default-loaded-scripts test.
Add new piped_exec BiF.
Revert "Fixes for email_notice_to() function."
Fixes for email_notice_to() function.
The currently loading script's path is prepended (vs. appended) to
BROPATH to search for the @load'd file to prevent being overshadowed by
scripts/directories/packages in the normal BROPATH with the same name.
This extra search path should also only be prepended to BROPATH in the
case when the @load'd file we're looking for is actually relative
(i.e. the name starts with "./" or "../").
When calling an Analyzer's method to remove a child analyzer, we now
postpone the actual removal to later, as otherwise the call to Done()
might trigger further analyzer activity that can interfere with code
running after that that triggered the removal.
This should fix the SSL assertion crashes that we have seen.
This change is a bit tricky internally, but the trace-based tests
produce the same output as before so things should be fine ...
* origin/topic/script-load-changes:
Fix reST file name associated w/ stdin when in doc mode (closes #497)
Update @prefixes test.
Rewrite a test using btest's TEST-START-FILE directive
Fix @unload'd files from generating bro_script_loaded event.
Renaming a test better.
Reimplementation of the @prefixes statement.
Fix accidental overwrite of BROPATH copy.
Make @load statements recognize relative paths.
* origin/topic/jsiwek/irc-orig:
Shorten what's displayed in the IRC's log mime_type column for DCC transfers
Add IRC unit tests.
Small tweak to IRC event handler priorities
Fix IRC analyzer supplying wrong type to irc_dcc_message event.
Changes to IRC analyzer and events (addresses #469).
- Removed irc_client and irc_server events.
- Added is_orig arguments to all other irc events.
- Fix analyzer not recognizing Turbo DCC extension message format.
- Fix analyzer not generating irc_dcc_message event when irc_privmsg_message
event doesn't have a handler registered.
- Changes to IRC policy scripts to use the above changes.
Any added prefixes are now used *after* all input files have been
parsed to look for a prefixed, flattened version of the input file
somewhere in BROPATH and, if found, load it.
For example, if "lcl" is in @prefixes, and site.bro is loaded, then
a file named "lcl.site.bro" that's in BROPATH would end up being
automatically loaded as well. Packages work similarly, e.g. loading
"protocols/http" means a file named "lcl.protocols.http.bro" in BROPATH
gets loaded automatically.
For example a script can do "@load ./foo" to load a script named
foo.bro that lives in the same directory or "@load ../bar" to load
a script named bar.bro in the parent directory, even if those
directories are not contained in BROPATH.
Also removing the -l command-line option as that can now be done at
the script-level.
A couple tests fail now that use -l. Leaving that until we have
script-level replacement.
* remotes/origin/topic/policy-scripts-new:
Fixed another SSL analyzer memory leak.
Attempting to fix another SSL bug.
Fixing a ref counting bug in the SSL analyzer that I just introduced.
Fixing memory leaks in SSL analyzer.
Fixed a parsing bug in the SSL analyzer thanks to tracefile from Aashish Sharma.
Removing my fix from earlier. This is indicating the script-land generated events priority problem.
Updates to the DPD framework.
Fixed a bug in the auth-addl DNS script.
Conflicts:
src/bro.bif
* origin/topic/robin/reporting:
Syslog BiF now goes through the reporter as well.
Avoiding infinite loops when an error message handler triggers errors itself.
Renaming the Logger to Reporter.
Overhauling the internal reporting of messages to the user.
Updating a bunch of tests/baselines as well.
Conflicts:
aux/broccoli
policy.old/alarm.bro
policy/all.bro
policy/bro.init
policy/frameworks/notice/weird.bro
policy/notice.bro
src/SSL-binpac.cc
src/bro.bif
src/main.cc