Merge remote-tracking branch 'origin/master' into topic/robin/http-connect

Conflicts: scripts/base/protocols/ssl/consts.bro
2025-10-03 23:28:20 +00:00 · 2014-03-02 13:55:13 -08:00 · 2014-03-02 13:55:13 -08:00 · 02ab000b81
commit 02ab000b81
parent 338d521003 f2f817c8b1
41 changed files with 249 additions and 756 deletions
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@ -109,16 +109,6 @@ export {
 	## DNS message query/transaction ID.
 	type PendingMessages: table[count] of Queue::Queue;

-	## Called when a pending DNS query has not been matched with a reply (or
-	## vice versa) in a sufficent amount of time.
-	##
-	## pending: table of pending messages, indexed by transaction ID.
-	##
-	## id: the index of he element being expired.
-	##
-	## Returns: amount of time to delay expiration of the element.
-	global expire_pending_msg: function(pending: PendingMessages, id: count): interval;
-
 	## The amount of time that DNS queries or replies for a given
 	## query/transaction ID are allowed to be queued while waiting for
 	## a matching reply or query.
@ -131,16 +121,21 @@ export {
 	## response is ongoing).
 	const max_pending_msgs = 50 &redef;

+	## Give up trying to match pending DNS queries or replies across all
+	## query/transaction IDs once there is at least one unmatched query or
+	## reply across this number of different query IDs.
+	const max_pending_query_ids = 50 &redef;
+
 	## A record type which tracks the status of DNS queries for a given
 	## :bro:type:`connection`.
 	type State: record {
 		## Indexed by query id, returns Info record corresponding to
 		## queries that haven't been matched with a response yet.
-		pending_queries: PendingMessages &read_expire=pending_msg_expiry_interval &expire_func=expire_pending_msg;
+		pending_queries: PendingMessages;

 		## Indexed by query id, returns Info record corresponding to
 		## replies that haven't been matched with a query yet.
-		pending_replies: PendingMessages &read_expire=pending_msg_expiry_interval &expire_func=expire_pending_msg;
+		pending_replies: PendingMessages;
 	};
 }

@ -176,7 +171,11 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
 	Queue::get_vector(q, infos);

 	for ( i in infos )
+		{
+		event flow_weird("dns_unmatched_msg",
+		                 infos[i]$id$orig_h, infos[i]$id$resp_h);
 		Log::write(DNS::LOG, infos[i]);
+		}
 	}

 function log_unmatched_msgs(msgs: PendingMessages)
@ -191,16 +190,28 @@ function log_unmatched_msgs(msgs: PendingMessages)
 function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
 	{
 	if ( id !in msgs )
-		msgs[id] = Queue::init();
-	else if ( Queue::len(msgs[id]) > max_pending_msgs )
 		{
-		local info: Info = Queue::peek(msgs[id]);
-		event flow_weird("dns_unmatched_msg_quantity", info$id$orig_h,
-		                 info$id$resp_h);
-		log_unmatched_msgs_queue(msgs[id]);
-		# Throw away all unmatched on assumption they'll never be matched.
+		if ( |msgs| > max_pending_query_ids )
+			{
+			event flow_weird("dns_unmatched_query_id_quantity",
+			                 msg$id$orig_h, msg$id$resp_h);
+			# Throw away all unmatched on assumption they'll never be matched.
+			log_unmatched_msgs(msgs);
+			}
+
 		msgs[id] = Queue::init();
 		}
+	else
+		{
+		if ( Queue::len(msgs[id]) > max_pending_msgs )
+			{
+			event flow_weird("dns_unmatched_msg_quantity",
+			                 msg$id$orig_h, msg$id$resp_h);
+			log_unmatched_msgs_queue(msgs[id]);
+			# Throw away all unmatched on assumption they'll never be matched.
+			msgs[id] = Queue::init();
+			}
+		}

 	Queue::put(msgs[id], msg);
 	}
@ -447,18 +458,3 @@ event connection_state_remove(c: connection) &priority=-5
 	log_unmatched_msgs(c$dns_state$pending_queries);
 	log_unmatched_msgs(c$dns_state$pending_replies);
 	}
-
-function expire_pending_msg(pending: PendingMessages, id: count): interval
-	{
-	local infos: vector of Info;
-	Queue::get_vector(pending[id], infos);
-
-	for ( i in infos )
-		{
-		Log::write(DNS::LOG, infos[i]);
-		event flow_weird("dns_unmatched_msg", infos[i]$id$orig_h,
-		                 infos[i]$id$resp_h);
-		}
-
-	return 0sec;
-	}
--- a/scripts/base/protocols/http/dpd.sig
+++ b/scripts/base/protocols/http/dpd.sig
@ -1,8 +1,6 @@
-# List of HTTP headers pulled from:
-#   http://annevankesteren.nl/2007/10/http-methods
 signature dpd_http_client {
  ip-proto == tcp
-  payload /^[[:space:]]*(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH|BCOPY|BDELETE|BMOVE|BPROPFIND|BPROPPATCH|NOTIFY|POLL|SUBSCRIBE|UNSUBSCRIBE|X-MS-ENUMATTS|RPC_OUT_DATA|RPC_IN_DATA)[[:space:]]*/
+  payload /^[[:space:]]*(GET|HEAD|POST)[[:space:]]*/
  tcp-state originator
 }

@ -13,5 +11,3 @@ signature dpd_http_server {
  requires-reverse-signature dpd_http_client
  enable "http"
 }
-
-
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@ -47,6 +47,7 @@ export {
 		[70] = "protocol_version",
 		[71] = "insufficient_security",
 		[80] = "internal_error",
+		[86] = "inappropriate_fallback",
 		[90] = "user_canceled",
 		[100] = "no_renegotiation",
 		[110] = "unsupported_extension",
@ -55,6 +56,7 @@ export {
 		[113] = "bad_certificate_status_response",
 		[114] = "bad_certificate_hash_value",
 		[115] = "unknown_psk_identity",
+		[120] = "no_application_protocol",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	
 	## Mapping between numeric codes and human readable strings for SSL/TLS
@ -87,6 +89,8 @@ export {
 		[13175] = "origin_bound_certificates",
 		[13180] = "encrypted_client_certificates",
 		[30031] = "channel_id",
+		[30032] = "channel_id_new",
+		[35655] = "padding",
 		[65281] = "renegotiation_info"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	
@ -263,6 +267,8 @@ export {
 	const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3;
 	const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4;
 	const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5;
+	# draft-bmoeller-tls-downgrade-scsv-01
+	const TLS_FALLBACK_SCSV = 0x5600;
 	# RFC 4492
 	const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001;
 	const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002;
@ -629,6 +635,7 @@ export {
 		[TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
 		[TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 		[TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256",
+		[TLS_FALLBACK_SCSV] = "TLS_FALLBACK_SCSV",
 		[TLS_ECDH_ECDSA_WITH_NULL_SHA] = "TLS_ECDH_ECDSA_WITH_NULL_SHA",
 		[TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
 		[TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
--- a/scripts/base/protocols/ssl/mozilla-ca-list.bro
+++ b/scripts/base/protocols/ssl/mozilla-ca-list.bro