- The feature was primarily added to allow the value to be
modified for cluster based intermediate threshold checks
without requiring the user to write the metrics filter
differently for cluster consideration. It's also a nice
way to calculate some related information to the metric
without accidently applying thresholds to that value.
- Fixed a few small bugs in ftp detect-bruteforcing script
and adapted it to the new threshold value selection feature.
- Fixed several state maintenance issues for intermediate updates.
- Added a new tuning variable Metrics::max_outstanding_global_views
which limits the number of in-flight intermediate updates per
metric filter.
- Changed the default global view threshold percent to 20% (up from 10%)
This commit moves the notary script into the policy directory, along with some
architectural changes: the main SSL script now has functionality to add and
remove tokens for a given record. When adding a token, the script delays the
logging until the token has been removed or until the record exceeds a maximum
delay time.
As before, the base SSL script stores all records sequentially and buffers even
non-delayed records for the sake of having an ordered log file. If this turns
out to be not so important, we can easily revert to a simpler logic.
(This is still WiP, some debuggin statements still linger.)
There exists one complication: the new file notary.bro requires the definition
of the SSL::Info record, but as does main.bro. Because I did not really know
where to put the common code (it's not a constant, so ssl/const.bro does not
really fit), I put it into __load.bro__ so that it sticks out for now. If
anybody has an idea how to solve this elegantly, please let me know.
* origin/topic/matthias/opaque:
Add new unit test for opaque serialization.
Migrate entropy testing to opaque.
C++ify RandTest.*
Fix a hard-to-spot bug.
Use more descriptive error message.
Fix the fix :-/.
Fix initialization of hash values.
Be clearer about delegation.
Implement serialization of opaque types.
Update hash BiF documentation.
Migrate free SHA* functions to SHA*Val::digest().
Add missing type name that caused failing tests.
Update base scripts and unit tests.
Simplify hash function BiFs.
Add support for opaque hash values.
Adapt BiF & Bro parser to handle opaque types.
More lexer/parser work.
Implement equivalence relation for opaque types.
Support basic serialization of opaque.
Add opaque type to lexer, parser, and BroType.
Closes#925
Conflicts:
aux/broccoli
The index expression can take up to two indices for the start and end
index of the substring to return (e.g. "mystring[1,3]"). Negative
indices are allowed, with -1 representing the last character in the
string. The indexing is not cyclic -- if the starting index is >= the
length of the string an empty string is returned, and if the ending
index is >= the length of the string then it's interpreted as the last
index of the string. Assigning to substrings accessed like this isn't
allowed.
They behave like C-style switches except case labels can be comprised
of multiple literal constants delimited by commas. Only atomic types
are allowed for now. Case label bodies that don't execute a "return"
or "break" statement will fall through to subsequent cases. A default
case label is allowed.
- Removed default logging. Now a function is available for the new
$period_finished filter field to get the same behavior for logging
named Metrics::write_log.
- Added index rollups for getting multiple metrics result values
as the same time.
That field is based on TCP sequence numbers and on seeing a SYN followed
by a failed RST injection response, the initial sequence number tracked
the value in the injection (most likely zero) instead of value in
subsequent SYN response. This could make c$resp$size be set to large
values when it's not really.
Also removed some dead code paths.
* origin/fastpath:
Fix memory leak in ascii input reader.
Improvements for the "bad checksums" detector to make it detect bad TCP checksums.
Improved file name extraction for SMTP when file name is included in Content-Type header.
Small tweak to "bad checksum" script to avoid potential division by
zeros.
Specifically:
- Move implementation details into *.cc.
- Const correctness: do not require superfluous cast.
- Style: asterisk "binds" to type, not name.
Both local and global variables declared with "const" could be modified,
but now expressions that would modify them should generate an error
message at parse-time.
