This previously checked against the amount of out-of-sequence data
being buffered by the reassembler. It now checks against the total
size of all blocks being buffered in the reassembler, which, by nature
of still being buffered there, means it's not been acked yet.
* topic/johanna/openssl-1.1:
Fix recently introduced double free in OpenSSL code.
Adjust coding style & fix test failures.
Adapt most of the X509 support to OpenSSL 1.1
This small change allows the empty field separator to be empty. This
means that we can represent an empty list by a empty input string, which
was not possible before.
Before, an empty empty field separator meant that there is no empty
field - to get back to this behavior one now has to set the empty field
separator to a string that is guaranteed to not be part of the input
data. Note that we did not use "empty" empty field separators anywhere
and I am not aware of this being used by anyone - the new behavior seems
like it is much more useful in practice.
This also changes the config framework to interpret empty lists as...
empty, instead of interpreting them as lists that have one zero-length
element; this seems like the saner default.
The configure reader had a small bug that caused the tracking of changed
variables to be incorrect after the second update. This resulted in
change-events for unchanged variables.
Currently the destructor would try to free unallocated memory. This
could e.g. be triggered by the input framework reading a set with an
invalid element.
The file used a relative path which leads to problems if it is included
by an external Plugin. This commit changes this to an absolute path,
like everywhere else.
* remotes/origin/topic/jsiwek/prealloc-ports:
Clean up PortManager class, mark PortVal ctors deprecated.
Add BRO_DEPRECATED macro.
Preallocate all possible PortVals.
BIT-1881 #merged
This field is an array of 16 bit words and was parsed as an array of
32 bit words. Moreover, one can not assume the format is going to be a
16 bits opcode followed by a 16 bit file ID, the content of the setup
field is different according to its first 16 bits word that defines
the subcommand code. See MS-CIFS section 2.2.4.33.1 :
Setup (variable): An array of two-byte words that provides transaction
context to the server. The size and content of the array are specific
to individual subcommands.
There are two new script level functions to query and lookup files
from the core by their IDs. These are adding feature parity for
similarly named functions for files. The function prototypes are
as follows:
Files::file_exists(fuid: string): bool
Files::lookup_File(fuid: string): fa_file
Add the folowing option types:
- 55 Parameters Request List;
- 58 Renewal time;
- 59 Rebinding time;
- 61 Client Identifier;
- 82 Relay Agent Information.
Extend the following events with new parameters, specifically:
- dhcp_discover exports client identifier and parameters request list;
- dhcp_request exports client_identifier and parameters request list;
- dhcp_ack exports rebinding time, renewal time and list of suboptions value of
dhcp relay agent information option;
- dhcp_inform exports parameters request list.
Add option type specific variables within the scope of DHCP module
(see src/analyzer/protocol/dhcp/types.bif).
Move protocol specific variables "dhcp_msg" and "dhcp_router_list" from scope Global to DHCP::
and adapt inet_net_var in src/NetVar.cc consequently.
Extend src/analyzer/protocols/dhcp/main.bro to handle the new events and to log
dhcp_ack, dhcp_request and dhcp_discover.
Modify scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro to
include new events' variables.
This change doubles the performance of for loops over empty tables.
A bro binary that prints out this size shows for
testing/external/bro-testing/2009-M57-day11-18.trace, for loops are run
over tables of size:
11477 for size 0
8371 for size 1
1227 for size 3
239 for size 2
141 for size 6
57 for size 5
10 for size 4
5 for size 7
2 for size 13
2 for size 8
2 for size 11
1 for size 9
~53% of the for loops were across an empty table. These loops come from
things like the for loop in the http script over c$http_state$pending
This change prevents the creation of an iteration cookie entirely if the
table is empty.
Using this test script:
const scan_ports: table[port] of count = { };
local x = 0;
while ( x < 20000000 ) {
for(p in scan_ports) {
}
++x;
}
$ time bro.orig -b ___bench.bro
real 0m10.732s
user 0m10.415s
sys 0m0.113s
$ time bro.nocookie -b ___bench.bro
real 0m4.694s
user 0m4.464s
sys 0m0.086s
expose SMB_Data.Trans_Parameters and SMB_Data.Trans_Data fields of
SMB_COM_TRANSACTION (0x25) message type. See MS-CIFS section
2.2.4.33.1.
These fields are exposed to the script level as Bro strings. Note that
this commit also expose a new event smb1_transaction_response.
Warning is:
/home/johanna/bro/master/src/Type.cc: In member function 'virtual bool IndexType::DoUnserialize(UnserialInfo*)':
/home/johanna/bro/master/src/Type.cc:548:60: warning: enum constant in boolean context [-Wint-in-bool-context]
indices = (TypeList*) BroType::Unserialize(info, TYPE_LIST);
^
/home/johanna/bro/master/src/Type.cc: In member function 'virtual bool FuncType::DoUnserialize(UnserialInfo*)':
/home/johanna/bro/master/src/Type.cc:868:61: warning: enum constant in boolean context [-Wint-in-bool-context]
args = (RecordType*) BroType::Unserialize(info, TYPE_RECORD);
^
/home/johanna/bro/master/src/Type.cc:872:62: warning: enum constant in boolean context [-Wint-in-bool-context]
arg_types = (TypeList*) BroType::Unserialize(info, TYPE_LIST);
This one is a really nice catch in my opinion. GCC is completely correct
- the 2nd argument to Unserialize is a bool. This means that all these
calls always evaluate to Unserialize(info, true). Which is equivalent
with the default, so I just removed the type from the call.
This was probably caused by someone thinking of BroVal::Unserialize,
which needs the type as the 2nd argument.
/home/johanna/bro/master/src/Sessions.cc: In member function 'void NetSessions::DoNextPacket(double, const Packet*, const IP_Hdr*, const EncapsulationStack*)':
/home/johanna/bro/master/src/Sessions.cc:343:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if ( ip_hdr_len > len )
~~~~~~~~~~~^~~~~
/home/johanna/bro/master/src/Sessions.cc:349:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if ( ip_hdr_len > caplen )
~~~~~~~~~~~^~~~~~~~
/home/johanna/bro/master/src/Sessions.cc:399:20: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if ( ip_hdr_len > len )
~~~~~~~~~~~^~~~~
In file included from /usr/include/machine/endian.h:6:0,
from /usr/include/sys/types.h:44,
from /usr/include/unistd.h:37,
from /home/johanna/bro/master/src/Anon.cc:2:
/home/johanna/bro/master/src/Anon.cc: In member function 'virtual ipaddr32_t AnonymizeIPAddr_Seq::anonymize(ipaddr32_t)':
/home/johanna/bro/master/src/Anon.cc:85:18: warning: operation on '((AnonymizeIPAddr_Seq*)this)->AnonymizeIPAddr_Seq::seq' may be undefined [-Wsequence-point]
return htonl(seq++);
^
Now we only parse the SignatureAndHashalgorithm field in cases where it
is present. This change also takes care to respect SCTs, which do
include the SignatureAndHashalgorithm in their digitally-signed struct,
even when used in protocol versions that do not have the
SignatureAndHashalgorithm in the protocols digitally-signed struct.
I also added tests to make sure this does indeed work with TLS 1.1 - it
turns out that so far we did not have a single TLS 1.1 pcap.
The configuration framework consists of three mostly distinct parts:
* option variables
* the config reader
* the script level framework
I will describe the three elements in the following.
Internally, this commit also performs a range of changes to the Input
manager; it marks a lot of functions as const and introduces a new
ValueToVal method (which could in theory replace the already existing
one - it is a bit more powerful).
This also changes SerialTypes to have a subtype for Values, just as
Fields already have it; I think it was mostly an oversight that this was
not introduced from the beginning. This should not necessitate any code
changes for people already using SerialTypes.
option variable
===============
The option keyword allows variables to be specified as run-tine options.
Such variables cannot be changed using normal assignments. Instead, they
can be changed using Option::set. It is possible to "subscribe" to
options and be notified when an option value changes.
Change handlers can also change values before they are applied; this
gives them the opportunity to reject changes. Priorities can be
specified if there are several handlers for one option.
Example script:
option testbool: bool = T;
function option_changed(ID: string, new_value: bool): bool
{
print fmt("Value of %s changed from %s to %s", ID, testbool, new_value);
return new_value;
}
event bro_init()
{
print "Old value", testbool;
Option::set_change_handler("testbool", option_changed);
Option::set("testbool", F);
print "New value", testbool;
}
config reader
=============
The config reader provides a way to read configuration files back into
Bro. Most importantly it automatically converts values to the correct
types. This is important because it is at least inconvenient (and
sometimes near impossible) to perform the necessary type conversions in
Bro scripts themselves. This is especially true for sets/vectors.
Configuration generally look like this:
[option name][tab/spaces][new variable value]
so, for example:
testaddr 2607:f8b0:4005:801::200e
testinterval 60
testtime 1507321987
test_set a b c d erdbeerschnitzel
The reader uses the option name to look up the type that variable has in
the Bro core and automatically converts the value to the correct type.
Example script use:
type Idx: record {
option_name: string;
};
type Val: record {
option_val: string;
};
global currconfig: table[string] of string = table();
event InputConfig::new_value(name: string, source: string, id: string, value: any)
{
print id, value;
}
event bro_init()
{
Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]);
}
Script-level config framework
=============================
The script-level framework ties these two features together and makes
them a bit more convenient to use. Configuration files can simply be
specified by placing them into Config::config_files. The framework also
creates a config.log that shows all value changes that took place.
Usage example:
redef Config::config_files += {configfile};
export {
option testbool : bool = F;
}
The file is now monitored for changes; when a change occurs the
respective option values are automatically updated and the value change
is written to config.log.
This commit fixes a few small issues.
* server key exchange parameters are only parsed when a named curve is
given.
* I removed the ssl-verbose.bro and moved the functionality into the
testcase.
The information that we get with these events is likely irrelevant to
the majority of Bro users; I do not think that we have to ship a
script that uses them by default. A script like this would be
something to publish via the Bro package manager instead; this is the
approach that we have taken with a number of the recent SSL addition.
* I marked the ssl_server_curve event as deprecated. More information is
contained in the new ssl_ecdh_server_params event.
This is an events that is probably seldomly (or never) directly used
by anyone; I plan to completely remove it right after the 2.6 release.
