Prepare repository for Tenzir v4.0.0-rc8 (#3355)

This commit is was created with /scripts/prepare-release.

Here is a high-level summary of the changes:

* Updated `/version.json` to v4.0.0-rc8 and the expected rev-count of
the merge commit to 17446.
* Generated a new entry in the docs version selector list.
* Removed the docs for the previous release candidate.
* Moved all changelog entries from `/changelog/next` to
`/changelog/v4.0.0-rc8`.
* Moved all changelog entries from `/changelog/v4.0.0-rc7` to
`/changelog/v4.0.0-rc8`.
* Updated the python bindings version in `/python/pyproject.toml` to
v4.0.0-rc8.

python/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pyvast"
-version = "4.0.0-rc7"
+version = "4.0.0-rc8"
 description = "A security telemetry engine for detection and response"
 authors = ["Tenzir <engineering@tenzir.com>"]
 maintainers = ["Tenzir <engineering@tenzir.com>"]

version.json

@@ -4,14 +4,14 @@
     "annotated git tag without the leading 'v'.",
     "This value gets updated automatically by `scripts/prepare-release`."
   ],
-  "tenzir-version-fallback": "4.0.0-rc7",
+  "tenzir-version-fallback": "4.0.0-rc8",
   "tenzir-version-rev-count_COMMENT": [
     "This value stores the ancestor count of the tagged commit, calculated",
     "with `git rev-list --count HEAD`, then incremented by 1. This operates",
     "under the assumption that the release-preparing PR contains exactly one",
     "commit and is rebased before merging."
   ],
-  "tenzir-version-rev-count": 17373,
+  "tenzir-version-rev-count": 17446,
   "tenzir-partition-version_COMMENT": [
     "The partition version. This number must be bumped alongside the release",
     "version for releases that contain major format changes to the on-disk",

web/versioned_docs/version-Tenzir v4.0-rc8/connectors/nic.md

@@ -0,0 +1,44 @@
+# nic
+
+Reads bytes from a network interface card (NIC).
+
+[pcap-rfc]: https://datatracker.ietf.org/doc/id/draft-gharris-opsawg-pcap-00.html
+
+## Synopsis
+
+```
+nic <iface> [-s|--snaplen <count>]
+```
+
+## Description
+
+The `nic` loader uses libpcap to acquire packets from a network interface and
+packs them into blocks of bytes that represent PCAP packet records.
+
+The received first packet triggers also emission of PCAP file header such that
+downstream operators can treat the packet stream as valid PCAP capture file.
+
+The default parser for the `nic` loader is [`pcap`](../formats/pcap.md).
+
+### `-s|--snaplen <count>`
+
+Sets the snapshot length of the captured packets.
+
+This value is an upper bound on the packet size. Packets larger than this size
+get truncated to `<count>` bytes.
+
+Defaults to `262144`.
+
+## Examples
+
+Read PCAP packets from `eth0`:
+
+```
+from nic eth0
+```
+
+Perform the equivalent of `tcpdump -i en0 -w trace.pcap`:
+
+```
+load nic en0 | save file trace.pcap
+```

web/versioned_docs/version-Tenzir v4.0-rc8/formats/pcap.md

@@ -0,0 +1,78 @@
+# pcap
+
+Reads and writes raw network packets in [PCAP][pcap-rfc] file format.
+
+[pcap-rfc]: https://datatracker.ietf.org/doc/id/draft-gharris-opsawg-pcap-00.html
+
+## Synopsis
+
+Parser:
+
+```
+pcap [-e|--emit-file-header]
+```
+
+Printer:
+
+```
+pcap
+```
+
+## Description
+
+The `pcap` parser converts raw bytes representing a [PCAP][pcap-rfc] file into
+events, and the `pcap` printer generates a PCAP file from events.
+
+[pcapng-rfc]: https://www.ietf.org/archive/id/draft-tuexen-opsawg-pcapng-05.html
+
+:::note PCAPNG
+The current implementation does *not* support [PCAPNG][pcapng-rfc]. Please
+[reach out](/discord) if you would like to see support.
+:::
+
+The structured representation of packets has the `pcap.packet` schema:
+
+```yaml
+pcap.packet:
+  record:
+    - linktype: uint64
+    - time:
+        timestamp: time
+    - captured_packet_length: uint64
+    - original_packet_length: uint64
+    - data: string
+```
+
+### `-e|--emit-file-header` (Parser)
+
+Emit a `pcap.file_header` event that represents the the PCAP file header. If present,
+the parser injects this additional event before the subsequent stream of
+packets.
+
+Emitting this extra event makes it possible to seed the `pcap` printer with a
+file header from the input. This allows for controlling the timestamp formatting
+(microseconds vs. nanosecond granularity) and byte order in the packet headers.
+
+Use this option when you would like to reproduce the identical trace file layout
+of the PCAP input.
+
+## Examples
+
+Read packets from a PCAP file:
+
+```
+from file /tmp/trace.pcap read pcap
+```
+
+Read packets from the [network interface](../connectors/nic.md) `eth0`:
+
+```
+from nic eth0 read pcap
+```
+
+[Decapsulate](../operators/transformations/decapsulate.md) packets in a PCAP
+file:
+
+```
+read pcap | decapsulate
+```

web/versioned_docs/version-Tenzir v4.0-rc7/get-started.md → web/versioned_docs/version-Tenzir v4.0-rc8/get-started.md

@@ -323,7 +323,7 @@ Aside from filtering, you can also perform aggregations with
 
 ```
 export
-| #schema == "suricata.alert"
+| where #schema == "suricata.alert"
 | summarize count=count(src_ip) by severity
 ```