While expiring a table, DoExpire checks at the end to see if NextEntry
returned nothing to determine if it should sleep for the short
table_expire_delay or the long table_expire_interval.
However, the check to see if the expire_func deleted the entry
re-assigns the same variable. This means that:
If you have a large table that is behind on expiring values
& The table defines an expire_func
& That expire_func deletes the item
& It so happens that the last item checked in the batch of
table_incremental_step size had expired
then DoExpire will reset the cookie and sleep for table_expire_interval
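The failure mode described in this commit message, as a simplified C++ model added here for illustration (it is not Bro's source code). `Table`, `Entry`, `Lookup`, `Remaining`, `BacklogTable` and the `reuse_variable` switch are hypothetical; only the names `DoExpire`, `NextEntry` and the sleep/step settings come from the message.

```cpp
// Simplified model of incremental table expiration; not Bro's source code.
#include <cstddef>
#include <vector>

enum class Sleep { ShortDelay, LongInterval };  // table_expire_delay / table_expire_interval
struct Entry { bool expired; bool deleted; };

struct Table {
    std::vector<Entry> entries;
    std::size_t cookie = 0;  // traversal position kept between DoExpire calls

    Entry* NextEntry() {     // nullptr means the traversal reached the end
        while (cookie < entries.size() && entries[cookie].deleted) ++cookie;
        return cookie < entries.size() ? &entries[cookie++] : nullptr;
    }
    Entry* Lookup(Entry* e) { return e->deleted ? nullptr : e; }
    std::size_t Remaining() const {  // expired entries still waiting to be removed
        std::size_t n = 0;
        for (const Entry& e : entries) n += (e.expired && !e.deleted);
        return n;
    }
};

// step models table_incremental_step; reuse_variable selects the buggy behaviour.
Sleep DoExpire(Table& t, std::size_t step, bool reuse_variable) {
    Entry* v = nullptr;
    for (std::size_t i = 0; i < step && (v = t.NextEntry()); ++i) {
        if (!v->expired) continue;
        v->deleted = true;                    // stands in for an expire_func that deletes the item
        Entry* still_there = t.Lookup(v);     // "did expire_func delete the entry?"
        if (reuse_variable) v = still_there;  // bug: answer overwrites the traversal variable
    }
    if (!v) {                                 // intended meaning: NextEntry returned nothing
        t.cookie = 0;
        return Sleep::LongInterval;
    }
    return Sleep::ShortDelay;
}

Table BacklogTable(std::size_t n) {           // constructed input: n entries, all expired
    Table t;
    t.entries.assign(n, Entry{true, false});
    return t;
}

int main() {
    Table buggy = BacklogTable(10), fixed = BacklogTable(10);
    return DoExpire(buggy, 4, true) == DoExpire(fixed, 4, false);  // 0: the two disagree
}
```

With a step of 4 over 10 expired entries, the buggy variant takes the long sleep while 6 expired entries are still in the table; the variant that keeps the two results in separate variables keeps taking the short delay until the traversal really ends.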
* origin/rtd-test:
Disable RTD pdf format due to exceeded capacity
Add RTD pdf format
Add RTD yaml config file
Remove some Bro usages in main TOC entries
Remove "contents" Sphinx directive usages
Add a `make livehtml` target
Use sourcecode Sphinx directive more widely
Use Sphinx RTD theme for user manual
Replace some code-block Sphinx directives
Remove unused Sphinx extensions
Remove broxygen Sphinx integration
Remove Sphinx btest integrations and tests
Fix a Sphinx deprecation
These are all changes required to build documentation from a static
Sphinx tree (e.g. on Read the Docs)
* origin/topic/jsiwek/alpine-support:
Add FTS dependency when building on Alpine
Remove unnecessary header include
Improve default DNS resolution support for Alpine/musl
Add dns_resolver option
* origin/dev/2.7:
Improve introspection of Record and TypeType values
Bro plugins should support a patch version (x.y.z)
GH-148: add priority to DNSSEC event handlers
DNSSEC support in Bro
* origin/master:
Fix SumStats "last" plugin in cluster mode
Remove unnecessary check
Support appending to vector of any
Fix coding conventions nits/typos
Updating submodule(s).
Revert "Switch frag_timeout from redef to option"
Improve error handling in x509_ocsp_verify function
Updating submodule(s).
Updating submodule(s).
Update baseline for plugins.hooks for redef -> option changes
Switch frag_timeout from redef to option
Switch GridFTP options from redef to option
Updating submodule(s).
Fix a unit test relying on a bash-ism
The call to Empty() was originally meant as an optimization in the
lookup phase. However, the performance implications are substantial:
this check operates in O(f(m/8)) where m is the number of bits in the
Bloom filters and f a function that looks for the first non-empty block
of bits.
As the Bloom filter fills up, the check for Empty() becomes no longer
negligible and can lead to serious performance degradations when Bloom
filters are used frequently.
* origin/master: (23 commits)
Improve Travis script to show multiple core dump stacks
Improve a weird stats unit test
Updating submodule(s).
Fix Travis script typo
Add more debug output to Travis script
Add core file search and stack trace output for Travis builds
Updating submodule(s).
Update license year for 2018
GH-199: change `bro --help` exit status from 1 to 0
Updating submodule(s).
Add a test with an encrypted MySQL connection
Fix parsing of MySQL NUL Strings, where we now require it to have a NUL value at the end.
Updating submodule(s).
Add missing record field comment
Add missing record field comments
Fix minor documentation mistakes
Updating submodule(s).
Updating submodule(s).
Update btest baselines for fix in 46f727a6fa
Generate ssh_auth_attempted for the 'none' authentication method.
...
* origin/topic/vladg/mysql_nul_string_fix:
Add a test with an encrypted MySQL connection
Fix parsing of MySQL NUL Strings, where we now require it to have a NUL value at the end.
ssh_auth_attempted sets some requisite fields that ssh_auth_successful
relies on. ssh_auth_attempted wasn't getting called because of a logic
error.
For a more complete discussion of this issue, see:
https://github.com/bro/bro/issues/192
* TypeType values are now printable and yield the type name/alias
* Fix record_fields BIF to return correct type name for fields
* Allow TypeType values that point to a RecordType to be used with
record_fields BIF
* origin/master:
Fix typo in Sessions.h
Update baselines for SSH capabilities fix
Fix SSH analyzer bug where is_server in capabilities is wrong.
Revert DNS query 255 from ANY to *
Missing commas...
Fix typo in dce-rpc consts
Refactor to use consistent numeric type in dce_rpc. Add missing DNS query type codes
Add DCE_RPC exchange_mapi operations to relevant consts.bro file
GH-186: fix JSON formatting of timestamps before Unix epoch
Fix test baseline for plugin skeleton update
Fix crash when modifying a table from within its &expire_func
Convert site::local_nets, etc. into options.
GH-184: add `bro-config --build_type`, outputs CMake build type
Updating submodule(s).
Add return value checks for some RPC parsing functions
Add 'fallthrough' comment to a switch/case block
Improve broker.remote_id unit test
Increase broker unit test timeout intervals
The ssh_capabilities event includes the capabilities reported
by either the server or the client. The record also includes a field,
is_server, so that scripts can determine which endpoint is reporting
its capabilities. That field was being set incorrectly (it was being
set as is_client rather than is_server, so it needed to be negated).
This simple bug had some larger repercussions. RFC 4253 provides a
method for client and server to agree on algorithms used in the SSH
connection. Bro was calculating these incorrectly. Some of these, such
as the encryption algorithm, are also used to determine whether or not
Bro should attempt to detect successful versus failed
authentications. In some cases, Bro would get this wrong, and make a
guess when it could not correctly determine the authentication outcome.
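Why a negated is_server changes the negotiated algorithm, as an added C++ illustration (not Bro's analyzer code). RFC 4253 selects the first algorithm on the client's name-list that is also on the server's, so swapping the roles can select a different cipher; the `Capabilities` struct, the function names and the sample offers below are constructed for this example.

```cpp
// RFC 4253 algorithm selection with correct and inverted is_server flags.
// Added illustration; not Bro's analyzer code.
#include <algorithm>
#include <string>
#include <vector>

using NameList = std::vector<std::string>;

struct Capabilities {        // reduced stand-in for one ssh_capabilities event
    bool is_server;
    NameList encryption;     // name-list in the sender's order of preference
};

// RFC 4253: the first algorithm on the client's list that the server also lists.
std::string Negotiate(const NameList& client, const NameList& server) {
    for (const std::string& alg : client)
        if (std::find(server.begin(), server.end(), alg) != server.end())
            return alg;
    return "";               // no common algorithm
}

// Picks the roles from is_server, as a script consuming the event would.
std::string ChosenCipher(const Capabilities& a, const Capabilities& b) {
    const Capabilities& server = a.is_server ? a : b;
    const Capabilities& client = a.is_server ? b : a;
    return Negotiate(client.encryption, server.encryption);
}

// Constructed sample offers; both endpoints support the same set, in different order.
Capabilities SampleClient(bool flag_is_server) {
    return {flag_is_server, {"chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"}};
}
Capabilities SampleServer(bool flag_is_server) {
    return {flag_is_server, {"aes256-ctr", "aes128-ctr", "chacha20-poly1305@openssh.com"}};
}

int main() {
    // Correct flags (client=false, server=true) versus the negated flags from the bug.
    std::string right = ChosenCipher(SampleClient(false), SampleServer(true));
    std::string wrong = ChosenCipher(SampleClient(true), SampleServer(false));
    return right == wrong;   // 0: the inverted flag selects a different cipher
}
```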