- Intel data distribution on clusters is now pushed in whole
by the manager when a worker connects. Additions after that point
are managed by the normal single-item distribution mechanism already
built into the intelligence framework.
- The manager maintains the complete "minimal" data store that the
workers use to do their matching so that full "minimal" data
distribution is very easy.
- Tests are cleaned up and work.
This option indicates that the Teredo analyzer should wait until
it sees both sides of a connection using a valid Teredo encapsulation
before issuing a protocol_confirmation. Previous behavior confirmed
on the first instance of a valid encapsulation, which could result
in more false positives (and e.g. bogus entries in known-services.log).
Addresses #890.
* origin/fastpath:
Small but important fix for the input framework. BroStrings were constructed without a final \0 - which means that strings read by the input framework are unusable by basically all internal functions (like to_count).
without a final \0 - which means that strings read by the input framework are
unusable by basically all internal functions (like to_count).
the basic test now also checks this.
Thanks at Sheharbano for noticing this.
It relies on the heuristics of GridFTP data channels commonly default to
SSL mutual authentication with a NULL bulk cipher and that they usually
transfer large datasets (default threshold of script is 1 GB). The
script also defaults to skip_further_processing() after detection to try
to save cycles analyzing the large, benign connection.
Also added a script in base/protocols/conn/polling that generalizes the
process of polling a connection for interesting features. The GridFTP
data channel detection script depends on it to monitor bytes
transferred.
- Basic API seems to works, but tests aren't updated yet.
- Several scripts are available in policy/frameworks/intel that
call the "seen" function to provide data into the intel
framework to be tested.
- Intel::policy is not done yet and needs to be discussed to
figure out what it needs to have.
- Running the intel framework and having it do something finally
is really cool!
Since the millisecond resolution cannot be harnessed universally and is not
supported by older version of libcurl, we will allow only specifications at the
granularity of seconds.
This commit also fixes a typing issue that causes that prevented the
ElasticSearch timeout to work in the first place: curl_easy_setopt requires a
long but was given a uint64_t.
Older versions of libcurl do not offer *_MS timeout constants, which causes the
build to fail. For sub-second timeout specification, we now fall back to
hard-coded timeouts in older libcurl version.
* origin/topic/dnthayer/language-tests:
Update language tests for recent bug fixes
Add more language tests
Add more language tests
Add more language tests
Update language tests
Add more language tests
Add tests of the Bro scripting language
* origin/fastpath:
Fix construction of ip6_ah (Authentication Header) record values.
Update compile/dependency docs for OS X.
Adjusting Mac binary packaging script.
Unit test reliability adjustment.
Adjusting some unit tests that do cluster communication.
Small change to non-blocking DNS initialization.
reorder a few statements in scan.l to make 1.5msecs etc work.
Authentication Headers with a Payload Len field set to zero would cause
a crash due to invalid memory allocation because the previous code
assumed Payload Len would always be great enough to contain all
mandatory fields of the header. This changes it so the length of
the header is explicitly checked before attempting to extract fields
located past the minimum length (8 bytes) of an Authentication Header.
Crashes due to this are only possible when handling script-layer events
ipv6_ext_headers, new_packet, esp_packet, or teredo_*. Or also when
implementing one of the discarder_check_* family of functions.
Otherwise, Bro correctly parses past such a header.
- Renamed many data structures to align with most recent standard.
- Reworked modbus events to make them more canonically "Bro".
- Converted the Modbus analyzer to a simpler style for easier maintenance.
- Modbus coil related events still don't work (I haven't finished the
function for converting the data structures).
- Modbus file record events remain incomplete.
