The http.log that both sides produce is the same, but the
http-related events that each serializes into events.bst
don't look equivalent when read back and cause the test to fail.
I removed the diff'ing against which scripts Bro outputs as loaded
because that's going to be sensitive to changes in which scripts
get loaded by default. What really matters is the output that shows
that Bro was able to load the script via a directory's __load__.bro
This change primarily improves the way Bro detects and prevents
the same script from being loaded twice. It now compares inode
numbers instead of path names.
"conn-id.bro" was the name of a script in the policy/ directory that conn.bro
expected to @load, but when the unit test was also named "conn-id.bro",
it would be loaded twice during the test (once from conn.bro and once
as a command line argument to bro). This means two event handlers were
registered in error and the baseline output contained duplicate lines
that can be removed.
- Split Item into Item and QueryItem as suggested by Robin.
- QueryItem now has $and_tags and $or_tags. Each
acts as AND or OR for the given tags against
each relevant metadata value.
- 'insert' turned into a function and new insert_event created.
- First use of intelligence framework in HTTP analysis.
- Split Item into Item and QueryItem as suggested by Robin.
- QueryItem now has $and_tags and $or_tags. Each
acts as AND or OR for the given tags against
each relevant metadata value.
- 'insert' turned into a function and new insert_event created.
- First use of intelligence framework in HTTP analysis.
- Removed reverse dependency of mime loading smtp.
- Extracting filename correctly now.
- Now copes with mime_end_entity dual firing bug.
- File hashing interface more similar to other file
hashing interfaces.
- New notice for when a hash is calculated.
- Removed the net_stats_update event.
- Created a net_stats function for building and retrieving the
current network statistics.
- Removed the internal timer for firing the net_stats_update event
along with the global heartbeat_interval variable.
- Updated the netstats script to use the new BiF.
- Updated the stats script to use the new BiF.
Logging to stdout for use in a baseline doesn't work well when
there may be scripts that get loaded by default (in this case,
packet-filter) and also do logging. Instead just baseline against
the logs generated by the test in question.
- The action-filters don't work now because of a
meta-programming limitation so the notice policy
tuning is more manual by fully defining a PolicyItem.
- There are two default action cheats defined. ignore_types
and email_types are sets which will ignore or email
notices of those types.
This lets events be sent to bro that contain record arguments that
don't have to fill in all &optional record fields.
This corresponds to broccoli-python tests that were updated in
commit 8b87d8f61ef89162019cd4acc01be93700b0c588
