* The altered Modbus checks seemed overly strict -- the pcap used
for the unit test at least had quantities/byte_count fields of
zero, to which the server responds with an error (expected).
* Most of the altered DNP3 checks seemed overly strict and caused
the unit tests to fail. The one that was just wrong was the
'start' field in header blocks.
* Removed the "start" parameter of the dnp3_header_block event
since it's always the same value.
* The SMB check failed to compile and I don't know what it intended
to do, so removed.
* origin/topic/seth/smb-pending-fix:
Updating the defined SMB2 dialects to match Microsoft's current docs.
On rare occasions the server doesn't return the tree id on read responses.
Fix an issue with pending commands.
BIT-1862 #merged
* 'Reporter/MessageFix' of https://github.com/catenacyber/bro:
Better reporter for Brostring with embedded NUL
I slightly changed the code for beautification purposes and added a
testcase. No functional changes.
Systems that have gcc 4.8 (such as RHEL 7 or Ubuntu 14.04 LTS) have a
version of libstdc++ that doesn't implement the C++11 regex functions
(the header and functions exist, but calling them results in the process
being terminated). On those systems, the following tests fail:
scripts.base.frameworks.config.basic ... failed
scripts.base.frameworks.config.read_config ... failed
scripts.base.frameworks.config.several-files ... failed
scripts.base.frameworks.config.updates ... failed
scripts.base.frameworks.input.config.basic ... failed
scripts.base.frameworks.input.config.errors ... failed
As a workaround, this commit switches to using the POSIX regex.h
functions.
This tracks the tree id given by the request
This also addresses BIT-1862 with code submitted by Stefano Rinaldi
and took some hints from his changes in other areas of the code.
Too much parsing was being done in C++ so I moved more of
it into binpac. Also, fixed up a bunch of the whitespace
(the new code was indented with spaces).
Good stuff!
Closes BIT-1915
* origin/topic/johanna/cleanup:
Mark one-parameter constructors as explicit & use override where possible
Remove unimplemented & unused functions from header files.
Make data flow more explicit for compilers.
The way in which TLS 1.3 is negotiated was changed slightly in later
revisions of the standard. The final version is only sent in an
extension - while the version field in the server hello still shows TLS
1.2.
This patch makes ssl.log show the correct version again.
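The negotiation detail described in this commit, as an added stand-alone example (not Bro's own SSL analyzer code): a minimal ServerHello parser that takes the version from the supported_versions extension (0x002b) when present and only falls back to the legacy version field otherwise. The ServerHello bytes are constructed inline for the example.

```python
import struct

# Handshake type and extension id from RFC 8446 (TLS 1.3).
HANDSHAKE_SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {0x0301: "TLSv10", 0x0302: "TLSv11",
                 0x0303: "TLSv12", 0x0304: "TLSv13"}


def build_server_hello(legacy_version, cipher_suite, extensions):
    """Build a constructed ServerHello handshake message (sample data only)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                 # random: fixed bytes for the example
    body += b"\x00"                      # legacy_session_id: empty
    body += struct.pack("!H", cipher_suite)
    body += b"\x00"                      # legacy_compression_method: null
    if extensions is not None:           # extensions block is optional pre-1.3
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


def negotiated_version(msg):
    """Return the negotiated version name for a ServerHello handshake message.

    For TLS 1.3 the legacy version field still says 0x0303; the selected
    version lives in the supported_versions extension, which takes precedence.
    """
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[:2])[0]   # legacy_version
    pos = 2 + 32                                 # skip random
    pos += 1 + body[pos]                         # skip session id
    pos += 2 + 1                                 # skip cipher_suite, compression
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + data_len]
            pos += 4 + data_len
            if ext_type == EXT_SUPPORTED_VERSIONS and data_len == 2:
                version = struct.unpack("!H", data)[0]   # selected_version
    return VERSION_NAMES.get(version, "unknown-%04x" % version)


# Constructed samples: TLS 1.3 (legacy_version 0x0303 plus supported_versions
# extension) and plain TLS 1.2 without any extensions.
TLS13_HELLO = build_server_hello(0x0303, 0x1301, [(0x0000, b""),
                                 (EXT_SUPPORTED_VERSIONS, b"\x03\x04")])
TLS12_HELLO = build_server_hello(0x0303, 0xC02F, None)
```

Logging only the version field of TLS13_HELLO would report TLSv12; negotiated_version returns TLSv13 for it and TLSv12 for TLS12_HELLO.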
This commit marks (hopefully) every one-parameter constructor as explicit.
It also uses override in (hopefully) all circumstances where a virtual
method is overridden.
There are a very few other minor changes - most of them were necessary
to get everything to compile (like one additional constructor). In one
case I changed an implicit operation to an explicit string conversion -
I think the automatically chosen conversion was much more convoluted.
This took longer than I want to admit but not as long as I feared :)
gcc likes complaining about ev potentially not being initialized. Make
it clear that this cannot happen by marking the default case as
unreachable after the error output.
Highlights:
- Reduced all DHCP events into a single dhcp_message event. (removed legacy events since they weren't widely used anyway)
- Support many more DHCP options.
- DHCP log is completely reworked and now represents DHCP sessions
based on the transaction ID (and works on clusters).
- Removed the known-devices-and-hostnames script since it's generally
less relevant now with the updated log.
* origin/fastpath:
Fix another warning when building the documentation
Fix a warning when building documentation
Fix the config framework several-files.bro test
Closes BIT-1900.
* origin/topic/johanna/config:
Use port_mgr->Get() in the input framework config changes.
Allow the empty field separator to be empty; use in config framework.
Fix small bug in config reader.
Fix segmentation fault when parsing sets containing invalid elements.
Add config framework.
Includes small readability tweaks, see BIT-1854.
Closes BIT-1854.
* origin/topic/jsiwek/bit-1854-reassembler-improvements:
BIT-1854: improve reassembly overlap checking
BIT-1854: fix the 'tcp_excessive_data_without_further_acks' option
Closes BIT-1897.
* origin/topic/johanna/ssl_signature_details:
Make parsing of ServerKeyExchange work for D(TLS) < 1.2.
Add more details to ssl_server_signature.
* 'smb-transaction-messages' of https://github.com/jbencteux/bro:
add test for smb1_com_transaction_response event changes
add test for smb1_com_transaction2_secondary_request event changes
add test for smb1_com_transaction2_request event changes
add test for smb1_com_transaction_secondary_request event changes
add test for smb1_com_transaction_request event changes
fix setup field handling in smb1_com_transaction_request messages
fix smb1_com_transaction* messages
add smb1_transaction2_secondary_request event
add smb1_transaction_secondary_request event
add parameters and data to smb1_transaction_request/response messages
add SMB_Parameters.Words to smb1_transaction2_request event
* 'nfs-updates' of https://github.com/dtrejod/bro:
Format print nfs units tests to improve output readability. Add unit tests for new NFS events -- nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr.
Bug fix: nfs3_writeargs didn't properly return filehandle.
Add nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr.
* 'mount-protocol' of https://github.com/dtrejod/bro:
Add unit tests for new MOUNT events -- mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented.
Add mount_proc_null, mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented, mount_reply_status.
Old event prototypes have changed and the events are broken right
now and may be removed in favor of the new generic "dhcp_message"
event.
DHCP option parsing is abstracted from the main code base of the
protocol parser and is now located entirely in its own file.
Documentation, tests, and final code cleanup are still pending.