* 'topic/rework-packets' of https://github.com/jsbarber/bro:
One more tinker to Packet -- ensure no uninitialized values
Packet::IP()-created IP_Hdr should not free
Make enums work for non-C++11 config
Refactor to make bro use a common Packet object. Do a better job of parsing layer 2 and keeping track of layer 3 proto. Add support for raw packet event, including Layer2 headers.
Conflicts:
aux/plugins
I've worked on this a bit more:
- Added tcp_max_old_segments to init-bare.bro.
- Removed the existing call to Overlap() as that now led to
duplicate events.
- Fixed the code checking for overlaps, as it didn't catch all the
cases.
BIT-1314 #merged
GitHub #31 merged
* topic/yunzheng/bit-1314:
BIT-1314: Added QI test for rexmit_inconsistency
BIT-1314: Add detection for Quantum Insert attacks
I've changed the dynamic allocation of the unzipbuf back to stack
allocation, hope I'm not not missing the reason for doing that ...
* origin/topic/seth/deflate-missing-headers-fix:
Fixes an issue with missing zlib headers on deflated HTTP content.
BIT-1399 #merged
After a PDU is successfully parsed from both sides of a
modbus connection we're now declaring the protocol confirmed.
A small extension to the modbus/events test was added to verify
that "modbus" was identified in the service field in conn.log.
Sorted cmd-line options in alphabetical order to make it easier to
add or remove options (or even to just check if they're listed
correctly in the source code).
Lots of good stuff! Thanks for catchign the plugin doc inconsistencies!
* origin/topic/dnthayer/doc-improvements-2.4:
Add missing documentation on the "Bro Package Index" page
More improvements to the Logging Framework doc
Fix documentation typo
Update the "Log Files" documentation
Add links in the logging framework doc
Add a link to the bro-plugins documentation
Update bro man page
Update script language reference documentation
Fix typos in the "writing bro plugins" doc
Fix a "make doc" warning
Improve logging framework doc
Add link to broctl doc from the quickstart doc
Update install documentation and fix some typos
Minor improvements to logging framework documentation
Correct a minor typo in the docs
TCP_Reassembler can now keep a history of old TCP segments using the
`tcp_max_old_segments` option. A value of zero will disable it.
An overlapping segment with different data can indicate a possible
TCP injection attack. The rexmit_inconsistency event will fire if this
is the case.
The spec doesn't actually seem to permit these, but Seth had a (private)
pcap showing them used in the wild (and the HTTP/MIME analyzer failed to
parse content as a result).
