Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge commit 'b8ab0ebc22'

Browse source 
* commit 'b8ab0ebc22':
  Removing expire timer from http_sessions.
This commit is contained in:
Robin Sommer 2011-01-19 16:20:03 -08:00
commit 127ed569a6
4 changed files with 53 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

101
CHANGES
View file

@ -1,8 +1,9 @@
@(#) $Id: CHANGES 7076 2010-09-13 02:42:27Z vern $
1.6-dev.18 Wed Jan 19 16:37:13 PST 2011
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* Removing unnecessary expire timer from http_sessions. (Gregor
Maier)
1.6-dev.4 Sat Jan 15 14:14:21 PST 2011
1.6-dev.16 Sat Jan 15 14:14:21 PST 2011
- Updates to the build system (Jonathan Siwek)
@ -13,7 +14,7 @@
now generate binary packages according to #295.
* Additional configure options to change packaging behavior.
* OS X builds will now prefer to link static libraries of
optional dependencies that don't come with the vanilla
operating system.
@ -54,7 +55,7 @@
- The Bro source code is now developed in the new git repositories.
See the developer pages at http://www.bro-ids.org for more
information on the new development process.
information on the new development process.
- Bro's build and installation setup has been moved from GNU
autotools to CMake. As a result of that, layout and specifics of
@ -77,7 +78,7 @@
and can no longer be disabled.
- ClamAV support has been removed, which has been non-functional for
a while already.
a while already.
1.5.2.7 Sun Sep 12 19:39:49 PDT 2010
@ -455,7 +456,7 @@
(1) Remote communication now no longer includes location information for
serialized objects; that removes quite a bit of redundacy from the network
traffic.
(2) The new option 'remote_check_sync_consistency" disables the cross-check
on the receiving side of &synchronized state of whether the current value
of a variable has the value expected by the sender. Transmitting the
@ -472,7 +473,7 @@
we maintain *two* caches independently for these types of objects; one
with a low turn-over one and another with a high one. This should reduce
CPU load on both sender and receiver sides.
The new scheme is only used if both communicating Bros support it; with
older Bros, as well as with Broccoli, we continue using the old scheme.
@ -666,12 +667,12 @@
bro -Y 0.0.0.0:5555 netflow
bro -i eth0 -Y 10.0.0.1:1234=src1 brolite netflow
-y|--flowfile <file>[=<ident>]
-y|--flowfile <file>[=<ident>]
Used to read from a file. You can optionally include an
identifier for the source.
Examples:
Examples:
bro -y myflowfile netflow
bro -y myflowfile=src1 otherflowfile=src2 netflow
@ -840,7 +841,7 @@
So, to drop all sources triggering a specific notice, one can now, e.g.,
write:
redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source };
Related to this change, notice_info has a new field $dropped, set to
@ -871,8 +872,8 @@
before starting the main packet loop and another one when
finished. These snapshots can then be analyzed with pprof.
For more information about the perftools see
For more information about the perftools see
http://code.google.com/p/google-perftools
- Notice tags are now generated in a pseudo-unique fashion that, with high
@ -946,7 +947,7 @@
detector tables.
- When Bro serializes functions, it now does so by default using only
their name, rather than their full value (Robin Sommer). This prevents
their name, rather than their full value (Robin Sommer). This prevents
propagation of expiration functions associated with tables and sets.
Note, currently there is no mechanism provided to switch from the
default behavior, but the internal hooks are in place to do so.
@ -1211,7 +1212,7 @@
- An arbitrary tag can now be past to post-processors for log rotation
(Robin Sommer).
- Default inactivity timeouts for interactive services shortened to
- Default inactivity timeouts for interactive services shortened to
1 hour (Robin Sommer).
- The scanning variables distinct_{peers,ports,low_ports} are now
@ -1524,7 +1525,7 @@
This fixes a long-standing problem of sometimes $addl fields not showing
up in connection summaries.
- The new expressions record(...), table(...), set(...) and vector(...)
- The new expressions record(...), table(...), set(...) and vector(...)
are constructors for the corresponding aggregate types (Vern Paxson).
For example,
@ -1678,7 +1679,7 @@
- A new notice_action_filter, tally_notice_type_and_ignore, works the same
as tally_notice_type but returns IGNORE (Robin Sommer)
- Setting summary_interval == 0 disables the creation of irc-bots.summary.log
- Setting summary_interval == 0 disables the creation of irc-bots.summary.log
(Robin Sommer).
- If you @load foo and a directory "foo" is in your path, Bro no longer
@ -1795,9 +1796,9 @@
- Fixed using "time" values as table indices.
- Added ssh to default brolite DPD configuration.
- Added ssh to default brolite DPD configuration.
- Fixed catching up to real-time in case of lull.
- Fixed catching up to real-time in case of lull.
- Fixed Broccoli "BRO_DATA_FORMAT_VERSION" to match version in Bro.
@ -1807,11 +1808,11 @@
- Added Linux tuning to brolite install script.
- Modified Makefile to include broccoli/contrib.
- Modified Makefile to include broccoli/contrib.
- Adding missing initialization to remote serializer.
- Adding missing initialization to remote serializer.
- Minor documentation updates for reference manual and Broccoli.
- Minor documentation updates for reference manual and Broccoli.
1.2 Tue Oct 17 12:09:49 PDT 2006
@ -2030,7 +2031,7 @@
- notice_action_filters now reside in the new script
notice-action-filter.bro (automatically loaded by notice.bro).
- The notice actions NOTICE_ALARM_PER_CONN, NOTICE_ALARM_PER_ORIG,
and NOTICE_ALARM_ONCE have been removed, as they were never
actually implemented.
@ -2050,7 +2051,7 @@
- TRW analysis now skips UDP traffic because it currently treats
all UDP connections as failures (Robin Sommer).
- trw.bro has been split into trw-impl.bro (the algorithm) and
trw.bro (which simply activates the analysis), to facilitate writing
scripts that have hooks into TRW analysis but don't presume it's
@ -2183,7 +2184,7 @@
(Robin Sommer). This appears to still need some work, as now
it generates redundant events.
- Fix for initial exchange of &sync state which could lead to
- Fix for initial exchange of &sync state which could lead to
referencing unknown IDs (Robin Sommer).
- Fix to scan detection for differing semantics of connection compressor
@ -2492,7 +2493,7 @@
- the new variable dump_backdoor_packets (default F) if set causes
the packet that triggered the backdoor detection to be written to
backdoor-packets/<tag>:<time>
backdoor-packets/<tag>:<time>
- the new variable backdoor_ignore_host_port_pairs is a set[addr, port]
specify host/port combinations to ignore
@ -2646,7 +2647,7 @@
- Now can ignore specific connections dynamically.
- TCP content gaps are now recognized and ADU delivery is for now
stopped for such flows, unless explicitly requested.
stopped for such flows, unless explicitly requested.
- No longer logs to file in test mode.
@ -2657,7 +2658,7 @@
- Bro now performs serialization (such as when checkpointing &persistent
tables or communicating them between Bro's) in an incremental fashion,
intermingling transfers of large tables with ongoing packet processing
(Robin Sommer). Doing so helps avoid packet drops for large items.
(Robin Sommer). Doing so helps avoid packet drops for large items.
This has not yet been implemented for the initial handshake done
for &synchronized items.
@ -2720,7 +2721,7 @@
- Notices now report current time for remotely-received notices rather
than network time (Brian Tierney).
- Notices now include a tag es=<peer_description> any time a peer
description is defined, not just for remote notices (Robin Sommer).
@ -2924,9 +2925,9 @@
- Bug fix for exchanging peer descriptions (Robin Sommer).
- Bug fix for processing multipart-MIME HTTP messages with content-length
- Bug fix for processing multipart-MIME HTTP messages with content-length
headers (Ruoming Pang).
- Bug fix for failing to escape "'s in HTTP server replies (Robin Sommer).
- Bug fix for propagating increment operations on tables (Robin Sommer).
@ -2940,7 +2941,7 @@
- Bug fix for printing enum's (Christian Kreibich).
- When not configured with --enable debug, Bro now still accepts (yet ignores)
option -B (Robin Sommer).
option -B (Robin Sommer).
- Serialization enhancements and fixes, including a change of the
protocol version number (Robin Sommer).
@ -2981,7 +2982,7 @@
- Fix for connection compressor bug in tracking connection history
(Robin Sommer).
- Bug fix for potential floating point exception in signature engine's
resource-profiling code (Robin Sommer).
@ -3107,7 +3108,7 @@
smb_get_dfs_referral(c: connection, max_referral_level: count,
file_name: string)
generated for SMB DFS referal requests
dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
low-level event generated for each DNS request/reponse
@ -3181,7 +3182,7 @@
- The "bif" compiler for compiling Bro built-in functions now supports
an "enum" type (Ruoming Pang). The syntax is:
enum dce_rpc_ptype
enum dce_rpc_ptype
%{
DCE_RPC_REQUEST,
DCE_RPC_PING,
@ -3190,7 +3191,7 @@
which is translated to an enum declaration of "dce_rpc_ptype" in
Bro, an EnumType* enum_dce_rpc_ptype in NetVar.{h,cc} and a C++ enum
BroEnum::dce_rpc_ptype {...}.
BroEnum::dce_rpc_ptype {...}.
One limitation is that redef's on enum types cannot be taken into
account because the bif is parsed at compile time.
@ -3334,7 +3335,7 @@
specify whether to broadcast events/state received from one peer to other
peers (Robin Sommer). Both default to F. Note, these options are temporary;
they will disappear when we add a more sophisticated script-level
communication framework.
communication framework.
- Vectors can now be initialized using the syntax such as
@ -3376,11 +3377,11 @@
// VERSION messages must be exchanged.
// Ends when both peers have sent VERSION.
// Handshake:
// REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs
// REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs
// may be exchanged.
// Phase ends when both peers have sent PHASE_DONE.
// State synchronization:
// Entered iff at least one of the peers has sent REQUEST_SYNC.
// Entered iff at least one of the peers has sent REQUEST_SYNC.
// The peer with the smallest runtime (incl. in VERSION msg) sends
// SERIAL messages comprising all of its state.
// Phase ends when peer sends another PHASE_DONE.
@ -4268,7 +4269,7 @@
- A new flag, -e, lets you specify Bro code to execute via the command
line (Christian Kreibich). So, for example,
bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp
bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp
will run tcp.bro on the trace "mytrace.tcpdump", but with
traditional_conn_format redefined to be true. Note that statements
@ -4365,7 +4366,7 @@
- The new "weird" type "base64_illegal_encoding" takes the place of
some previously unstructured Base64 "weird" errors.
- A tweak to ftp.bro will give it slightly more consistent results
- A tweak to ftp.bro will give it slightly more consistent results
for some forms of unusual traffic.
@ -4442,7 +4443,7 @@
- The new built-ins any_set() and all_set() return true if for a given
boolean vector any element is true or all of the elements is true
(Umesh Shankar). So, for example, "any_set(x < 0)" returns T if
(Umesh Shankar). So, for example, "any_set(x < 0)" returns T if
an element of x is less than zero.
- The new built-in sort() takes a vector as an argument and sorts it
@ -4813,7 +4814,7 @@
current CPU load. If the load is below cpu_lower_limit (default 40%),
the load-level is decreased. If it's above cpu_upper_limit (default
90%), it's increased. (Robin Sommer)
- The new policy script hand-over.bro can be used for a new running
instance of Bro to smoothly take over operation from an old instance,
i.e., it implements hand-over of state between two Bro instances when
@ -4999,7 +5000,7 @@
$priority - type must be arithmetic (count, int, double). This
is the priority associated with the match of EXPR1
if $pred returns true.
The way the expression works is that EXPR1 is evaluated yielding a
value V. EXPR2 is then evaluated yielding a set of records whose
type includes the above fields. Bro then spins through each of the
@ -5334,8 +5335,8 @@
Sommer). The format is simple, just "include" or "ignore" followed
by the SID number:
# sid-526 BAD TRAFFIC data in TCP SYN packet
ignore 526
# sid-526 BAD TRAFFIC data in TCP SYN packet
ignore 526
# sid-623 matches a null-flags stealth scan. Include it even
# if we build with -p, since it doesn't tend to generate any
@ -5488,7 +5489,7 @@
A new function, get_event_source(), returns a record event_source
describing the source that raised the last event.
See doc/ssl.txt for an explanation of how to create the keys/certificates.
See doc/ssl.txt for an explanation of how to create the keys/certificates.
- A fledgling Gnutella analyzer has been contributed (Mark Allman).
It generates the following events:
@ -5516,7 +5517,7 @@
redef secondary_filters += {
["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
}
will invoke rst_syn_fin_flag() anytime a TCP packet is seen for
which the SYN/FIN/RST bits are non-zero. The event handler will
be passed the string "tcp[13] & 7 != 0" (so it can tell which
@ -5574,7 +5575,7 @@
public key; it's used to then embed a Blowfish session key. (Robin Sommer)
A new utility, aux/bdcat/bdcat ("Bro decrypt cat") can be used to decrypt
the files.
the files.
- The internal structure of TCP analysis has been significantly altered.
Previously, TCP_Endpoint tracked endpoint state and TCP_EndpointContents
@ -5651,7 +5652,7 @@
const remote_peers_ssl : table[addr, port] of Peer &redef;
[...]
for ( [ip, p] in remote_peers_ssl )
connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry);
connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry);
- Checkpointing of persistent state on SIGHUP now happens via bro.init
(Robin Sommer). Not tested.

2
VERSION
View file

@ -1 +1 @@
1.6-dev.4
1.6-dev.18

3
policy/heavy.http.bro
View file

@ -1,3 +0,0 @@
# $Id: heavy.http.bro 4723 2007-08-07 18:14:35Z vern $
redef http_sessions &write_expire = 5 hrs;

35
policy/http.bro
View file

@ -79,17 +79,8 @@ type http_session_info: record {
const http_log = open_log_file("http") &redef;
# Called when an HTTP session times out.
global expire_http_session:
function(t: table[conn_id] of http_session_info, id: conn_id)
: interval;
export {
# Indexed by conn_id.
# (Exported so that we can define a timeout on it.)
global http_sessions: table[conn_id] of http_session_info
&expire_func = expire_http_session
&read_expire = 15 min;
global http_sessions: table[conn_id] of http_session_info;
}
global http_session_id = 0;
@ -202,30 +193,6 @@ event connection_state_remove(c: connection)
delete http_sessions[c$id];
}
function expire_http_session(t: table[conn_id] of http_session_info,
id: conn_id): interval
{
### FIXME: not really clear that we need this function at all ...
#
# One would think that connection_state_remove() already takes care
# of everything. However, without this expire-handler, some requests
# don't show up with the test-suite (but haven't reproduced with
# smaller traces) - Robin.
local s = http_sessions[id];
finish_stream(id, s$id, s$request_stream);
return 0 sec;
}
# event connection_timeout(c: connection)
# {
# if ( ! maintain_http_sessions )
# {
# local id = c$id;
# if ( [id$orig_h, id$resp_h] in http_sessions )
# delete http_sessions[id$orig_h, id$resp_h];
# }
# }
# event http_stats(c: connection, stats: http_stats_rec)
# {