All types (besides EntropyVal) now support a native copy operation,
which uses primitives of the underlying datatypes to perform a quick
copy, without serialization.
EntropyVal is the one exception - since that type is rather complex
(many members) and will probably not be copied a lot, if at all, it
makes sense to just use the serialization function.
This will have to be slightly re-written in the near-term-future to use
the new serialization function for that opaque type.
This change also introduces a new x509_from_der bif, which allows to
parse a der into an opaque of x509.
This change removes the d2i_X509_ wrapper function; this was a remnant
when d2i_X509 took non-const arguments. We directly use d2i_X509 at
several places assuming const-ness, so there does not seem to ba a
reason to keep the wrapper.
This change also exposed a problem in the File cache - cases in which an
object was brought back into the cache, and writing occurred in the
file_open event were never correctly handeled as far as I can tell.
For backward compatibility when reading values, we first check
the ZEEK-prefixed value, and if not set, then check the corresponding
BRO-prefixed value.
* origin/topic/robin/gh-239:
Undo a change to btest.cfg from a recent commit
Updating submodule.
Fix zeek-wrapper
Update for renaming BroControl to ZeekControl.
Updating submodule.
GH-239: Rename bro to zeek, bro-config to zeek-config, and bro-path-dev to zeek-path-dev.
This commit removed functions/events that have been deprecated in Bro
2.6. It also removes the detection code that checks if the old
communication framework is used (since all the functions that are
checked were removed).
Addresses parts of GH-243
This also installs symlinks from "zeek" and "bro-config" to a wrapper
script that prints a deprecation warning.
The btests pass, but this is still WIP. broctl renaming is still
missing.
#239
The load-duplicates.bro test would never fail because loading
the provided script code twice wouldn't trigger an error.
Fixed this by changing the sample script content. Also added a
test case to verify that an error occurs as expected
when two scripts with the same content are loaded.
* 'master' of https://github.com/rdenniston/zeek:
Add linux netfilter NFLOG capture functionality initial commit
I made modifications:
- Formatting / code style
- More error handling and validity checks
- The Type and Length value of TLVs is technically host order
- Changed / fixed the Length value padding check: it's generally
32-bit alignment, not just aligning any TLV less than 8 bytes.
* Better parsing/error-checking of VXLAN and encapsulated packet headers
* Add/implement the "vxlan_packet" event
* Add "Tunnel::vxlan_ports" option to tune the set of VXLAN ports to
analyze/decapsulate
* Add "Tunnel::validate_vxlan_checksums" option to allow for tuning of how
checksums associated with the outer UDP header of a possible VXLAN
tunnel are handled
Fixes GH-250
* origin/topic/jsiwek/gh-211:
GH-208: change invalid subnet expressions to a runtime error
GH-211: improve consistency of how scripting errors are handled
Removed the 'allow_init_errors' option.
Scripting errors/mistakes now consistently generate a runtime error
which have the behavior of unwinding the call stack all the way out of
the current event handler.
Before, such errors were not treated consistently and either aborted
the process entirely or emitted a message while continuing to execute
subsequent statements without well-defined behavior (possibly causing
a cascade of errors).
The previous behavior also would only unwind out of the current
function (if within a function body), not out the current event
handler, which is especially problematic for functions that return
a value: the caller is essentially left a mess with no way to deal
with it.
This also changes the behavior of the startup/initialization process
to abort if there's errors during bro_init() rather than continue one
to the main run loop. The `allow_init_errors` option may change this
new, default behavior.
Added check for the optional sub-header in ERSPAN Type III as well
as additional truncation checks to the GRE parsing logic in general.
Also added a unit test for ERSPAN Type II.
This fixes some use-after-free issues in the shutdown order of
various systems: I/O, plugin, logging, and reporter systems may
interact during shutdown if there's errors emitted (or maybe just
still pending) during the shutdown.
Fixes GH-188
* 'fatemabw/bro' of https://github.com/fatemabw/bro:
DNSSEC support in Bro
I made several changes:
- renamed event/record types
- reformatted the info added to dns.log
- removed the "addl" scripts that added extended dnssec info to dns.log
- simplifications/improvements to the internal parsing logic
This change allows a weird sampling rate of 0, which completely suppresses
all notifications (previously this crashed Bro). If also fixes the sampling
threshold to work with sampling rates of 0.
* origin/topic/jsiwek/empty-lines:
Add 'smtp_excessive_pending_cmds' weird
Fix SMTP command string comparisons
Improve handling of empty lines in several text protocol analyzers
Add rate-limiting sampling mechanism for weird events
Teach timestamp canonifier about timestamps before ~2001
* origin/topic/vern/vec-append:
d'oh, still have a (deprecated) string_array rather than string_vector
forgot to update test suite results for v += e
reap the fruits of v += e
test case for v += e
documentation of v += e
v += e implemented
Fixed a mistake in find_ip_addresses()
* origin/topic/vern/set-ops2:
documentation, test suite update
implemented set relationals
bug fix for set intersection
set intersection implemented
mirroring previous topic/vern/set-ops to get branch up to date, since I'm a n00b
Fixed a couple memory leaks and added a leak test
The generation of weird events, by default, are now rate-limited
according to these tunable options:
- Weird::sampling_whitelist
- Weird::sampling_threshold
- Weird::sampling_rate
- Weird::sampling_duration
The new get_reporter_stats() BIF also allows one to query the
total number of weirds generated (pre-sampling) which the new
policy/misc/weird-stats.bro script uses periodically to populate
a weird_stats.log.
There's also new reporter BIFs to allow generating weirds from the
script-layer such that they go through the same, internal
rate-limiting/sampling mechanisms:
- Reporter::conn_weird
- Reporter::flow_weird
- Reporter::net_weird
Some of the code was adapted from previous work by Johanna Amann.
In some cases one can get the Type() of unaryexpr to be ANY. Vectors so
far did not deal gracefully with this and crashed because trying to
convert any to a vectortype.
This patch fixes this by just using the original vector-type in this
case.
* origin/topic/vern/case-insensitive-patterns:
use PCRE syntax instead of the beautiful new (?i ...) syntax
nitlet in NEWS entry
test suite update for case-insensitive patterns
document use of double quotes to escape case-insensitivity
bug fix for recent memory leak patch
documentation updates for case-insensitive patterns
d'oh there's isalpha. I looked earlier for isletter :-P
fix for handling [:(lower|upper):] in case-insensitive patterns
implemented /re/i for case-insensitive patterns
