number of fields required.
Addresses BIT-1683
I do not think this quite fixes the underlying issue of BIT-1683 - it
should not be possible to get to this state in normal operations.
Also fixes a small memory leak for disabled writers.
(Note this is a "manual" merge: I've copied just the two relevant *pac
files over, as there were a bunch of independent commits in the branch
history that I didn't want to pull in.)
BIT-1681 #merged
On OS X, Bro was failing to startup without first using the "ulimit -n"
command to increase the allowed number of open files (OS X has a much
lower default limit than Linux or FreeBSD).
The "file_extraction_limit" event was passing a Files::AnalyzerArgs
record as an "any" type. This is not right at the least and may
have been causing a crash for a user at worst.
I wasn't accounting for analyzers being disabled and not actually
instantiating when requested. This includes a test which
verifies there is no crash or problem when a user disables DCE_RPC.
Whenever we saw errors in UTF16->UTF8 conversion before, we would
get a reporter message with no connection information. Now we
get a weird attached to a connection so that debugging these
problems will hopefully be a bit easier in the future.
The order in which the plugin initializers are executed is compiler
dependent. With this change, Tags will always be generated in
alphabetical ordering, not in compiler-dependent order.
* origin/topic/seth/log-framework-ext:
Log extensions: series of small fixes and new tests.
Change the function for log extension to take a path only and update tests.
Final changes to log framework ext code.
Add logging framework metadata mechanism.
Add unrolling separator & field name map to logging framework.
The extensions now work with optional types, as well as with complex types
(like subrecords). Not returning a record in the ext_func no longer
crashes Bro.
The default_ext_func was switched to return void in
cases where no extension record is defined (was bool).
I also got rid of the offsets in the indices - with the rest of the
implementation, that was not really necessary and made the code more
complex.
The "metadata" functionality has been renamed to "ext" to
represent that the logs are being extended. The function that
returns the record which is used to extend the log now receives
a log filter as its single argument.
The field name "unrolling" is now renamed to "scope" so the variable
names now look like this: "Log::default_scope_sep"
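The following is an added illustration of the log-extension mechanism the commits above describe; it is not code from the commit series or from the Bro repository itself. It assumes the script-level names as they later shipped (Log::default_ext_func taking the filter's path, Log::default_ext_prefix, Log::default_scope_sep), the HostInfo/Extension record types and add_extension function are invented for the example, and peer_description is the standard Bro/Zeek global.

```zeek
# Added example, not part of the original commit messages. Assumed API:
# Log::default_ext_func is called once per write with the filter's path and
# returns a record (or nothing) whose &log fields are appended to the entry.

# A sub-record inside the extension: nested records are unrolled into the
# flat log line, joined by the scope separator (e.g. "_host.name").
type HostInfo: record {
    name:    string &log;
    version: string &log &optional;   # optional: logged as unset when absent
};

# The extension record itself. Only &log fields are written.
type Extension: record {
    write_ts: time     &log;
    stream:   string   &log;
    host:     HostInfo &log;
};

# Receives the filter's path only (e.g. "conn"), not the whole filter,
# matching "take a path only" in the merged series above.
function add_extension(path: string): Extension
{
    return Extension($write_ts = network_time(),
                     $stream   = path,
                     $host     = HostInfo($name = peer_description));
}

# Every filter that does not set its own ext_func picks this up, so conn.log
# gains _write_ts, _stream, _host.name and _host.version (prefix "_" is the
# assumed Log::default_ext_prefix default).
redef Log::default_ext_func = add_extension;

# The separator used when unrolling sub-records; with this setting the
# nested field is written as "_host_name" instead of "_host.name".
redef Log::default_scope_sep = "_";
```

Load the script alongside a normal run (e.g. `bro -r trace.pcap local extend.bro`, assuming the file is named extend.bro) and compare the header of conn.log before and after: the added columns appear at the end of every stream's field list, and a stream whose filter overrides `ext_func` keeps its own set.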
Previously, the GSSAPI analyzer blindly forwarded authentication
blobs to the NTLM analyzer (which it instantiated too early). Now
it waits to instantiate sub analyzers until a blob of a particular
type has been seen. It also makes the distinction between krb and
ntlm and forwards to the correct analyzer.
This required some fixes to the KRB analyzer because KRB over GSSAPI
looks slightly different than raw KRB.
The KRB analyzer also now includes support for the PA_ENCTYPE_INFO2
pre-auth data type.
If the analyzer is not found directly attached to the connection,
useless error messages are being output. There are now several
cases where analyzers are attached within other analyzers so the
connection itself doesn't know about the analyzer. This hides
these useless messages.
* origin/topic/robin/bit-1641:
Fixing duplicate SSH authentication failure events.
I changed the test slightly; the output of uniq is not stable between
operating systems (on OS-X, it emits a space, on Linux it apparently
emits a tab). I removed the call to uniq - sort by itself is enough to
create a difference if there are duplicate entries.
Addresses BIT-1641
Compiling a plugin required having access to OpenSSL headers because
they were pulled in by Bro headers that the plugin had to include.
Removing the OpenSSL dependency from those Bro headers.
I'm also reverting a4e5591e. This is a different fix for the same
problem, and reverting that commit gives us a test case. :-)