* topic/robin/tunnels-merge: (51 commits)
Updating baselines and NEWS.
Remove &synchronized from Tunnel::active table.
Refactor of interal tunnel analysis code.
Add state management of NetSessions's IP tunnel map.
Add "encap_hdr_size" option back in.
Script-layer tunnel interface cleanup.
Fix performance problem checking packet encapsulation. (addresses #830)
Adding a SOCKS test case.
Updating DataSeries baselines.
Moving my todos over to the tracker ticket.
Extend weird names that occur in core packet processing during decapsulation.
Add Teredo analysis option to reduce false positive decapsulation.
Just some cleanup/documentation of new tunnel-handling code.
Memory leak fixes
Add a config.h definition for IPPROTO_IPV4.
Add AYIYA tunnel decapsulation unit test.
Add Teredo-specific events.
Refactor some of the NetSessions routines that recurse on IP packets.
Add independent options to toggle the different decapsulation methods
Add more sanity checks before recursing on encapsulated IP packets.
...
Conflicts:
src/event.bif
Teredo bubble packets (IPv6 w/ No Next Header and zero Payload Length)
with data extending past the inner IPv6 header (the outer IPv4 header's
Total Length and UDP header's Length indicate this) now only raises
a "Teredo_payload_len_mismatch" weird instead of causing a
ProtocolViolation().
This also fixes a crash in NetSessions::ParseIPPacket() that occurred
when the packet length didn't match the payload length field.
* origin/topic/jsiwek/tunnels-merge:
Remove &synchronized from Tunnel::active table.
Refactor of interal tunnel analysis code.
Add state management of NetSessions's IP tunnel map.
Add "encap_hdr_size" option back in.
Script-layer tunnel interface cleanup.
- Pulled more common code into NetSessions::DoNextInnerPacket()
and made the pcap header it makes internally use network_time
- Remove Encapsulation class ctor from pointer
- Rename Encapsulation class to EncapsulationStack
The "tunnel_port" and "parse_udp_tunnels" options are still gone
as those did not work entirely (e.g. IPv6 support and misnaming
of tunnel_port/udp_tunnel_port).
- Clarify "tunnel_changed" event documentation.
- Make expiration of "Tunnel::active" elements configuration via
"Tunnel::expiration_interval".
- Remove redundant registration of a connection's tunnels in
tunnel/main.bro's "tunnel_changed" handler.
- Rename "parents" field of "Conn::Info" to "tunnel_parents"
to give more context.
- The curl handle is now cleaned up correctly.
- Interval values are now treated as doubles. Treating them as uint64_t
was wrong because intervals can be negative. There is also no obvious
benefit in elasticsearch to converting the value to milliseconds.
- Fixed bug with how data is sent to elasticsearch.
- Added a feature to only allow data of a certain
size to be buffered before sending to the
elasticsearch server. Configured with the
LogElasticSearch::max_byte_size variable.
* origin/fastpath:
Remove an old, unused diff canonifier.
Improve an error message in ICMP analyzer.
Fix a warning message
Fix many errors in the event documentation
Fixed broken links, broken reST formatting, added missing event
parameters to the documentation, removed documentation of event
parameters that don't exist, corrected spelling errors, fixed some
summary lines (i.e., the first line in each event description) that
were truncated in the HTML, and reformatted some lines to fit
within 80 columns (much easier to read the docs when using a
text editor to view the source files).
Merge remote-tracking branch 'origin/topic/tunnels' into topic/robin/tunnels-merge
* origin/topic/tunnels: (41 commits)
Extend weird names that occur in core packet processing during decapsulation.
Add Teredo analysis option to reduce false positive decapsulation.
Just some cleanup/documentation of new tunnel-handling code.
Memory leak fixes
Add a config.h definition for IPPROTO_IPV4.
Add AYIYA tunnel decapsulation unit test.
Add Teredo-specific events.
Refactor some of the NetSessions routines that recurse on IP packets.
Add independent options to toggle the different decapsulation methods
Add more sanity checks before recursing on encapsulated IP packets.
Suppress Teredo weirds unless decapsulation was successful once before.
Tunnel support performance optimization.
Add Teredo tunnel decapsulation.
Fix for IP tunnel UID persistence.
Fix AYIYA analyzer tag.
Add summary documentation to tunnels/main.bro.
Make tunnels always identifiable by UID, tunnel.log now gets populated.
Some improvements to the AYIYA analyzer.
Remove Tunnel::decapsulate_ip option.
Remove invalid IP-in-IP encapsulated protocol value.
...
If some expression in an event handler body causes an
InterpreterException internally, then the rest of that body doesn't
get executed, but also the bodies of any other handlers were not
executed.
The summary lines (the first sentence in the description) for some BIFs
contained a period before the end of the sentence, so only part of the
sentence would appear in the "summary" section of the HTML document (fixed
by rewording the sentence).
Some summary lines were too long (fixed by splitting the sentence with first
sentence being more concise).
Also corrected the description of "fmt" and "floor" BIFs.
If lookup of enum name by value fails, an error is now sent through
the reporter framework and the value logged will be an empty string
(as opposed to trying to construct a string with null pointer which
throws a logic_error and aborts Bro).
This lead to hanging bro's because pclose apparently can wait for eternity
if things go wrong. And there probably are a couple of other problems with this approach.
