Merge remote-tracking branch 'origin/topic/awelzel/tcp-reassembler-undelivered-data-match-bool-bool-bool-confusion'

* origin/topic/awelzel/tcp-reassembler-undelivered-data-match-bool-bool-bool-confusion:
  TCP_Reassembler: Fix IsOrig() position in Match() call
Arne Welzel 2024-08-23 09:40:53 +02:00
commit 4a4cbf2576
3 changed files with 29 additions and 2 deletions

CHANGES

@ -1,3 +1,25 @@
7.1.0-dev.217 | 2024-08-23 09:40:53 +0200
* TCP_Reassembler: Fix IsOrig() position in Match() call (Arne Welzel, Corelight)
Found during a debug session with @rsmmr. Undelivered TCP data
would only be matched for the responder and eol set to IsOrig().
* Spicy: Register well-known ports through an event handler. (Robin Sommer, Corelight)
This avoids the earlier problem of not tracking ports correctly in
scriptland, while still supporting `port` in EVT files and `%port` in
Spicy files.
As it turns out we are already following the same approach for file
analyzers' MIME types, so I'm applying the same pattern: it's one
event per port, without further customization points. That leaves the
patch pretty small after all while fixing the original issue.
* Revert "Remove deprecated port/ports fields for spicy analyzers" (Robin Sommer, Corelight)
This reverts commit 15d404dd191a723960e4efd956eec22739d3f1c2.
7.1.0-dev.211 | 2024-08-20 11:38:48 +0100
* Make ssl_history work for SSLv2 handshakes/connections (Johanna Amann, Corelight)
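Review bot: the new 7.1.0-dev.217 entry describes only the pre-fix behaviour ("would only be matched for the responder and eol set to IsOrig()") and not what the call does after the change; stating that undelivered data is now matched with the actual direction from IsOrig() and with eol=false would let a reader of CHANGES understand the fix without opening the diff. The practical consequence worth spelling out is that, before this change, undelivered originator-side payload was handed to the signature matcher as responder data, so signatures keyed on the originator direction could miss it.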


@ -1 +1 @@
7.1.0-dev.211
7.1.0-dev.217


@ -273,7 +273,12 @@ void TCP_Reassembler::MatchUndelivered(uint64_t up_to_seq, bool use_last_upper)
if ( b.upper > last_reassem_seq )
break;
tcp_analyzer->Conn()->Match(zeek::detail::Rule::PAYLOAD, b.block, b.Size(), false, false, IsOrig(), false);
// Note: Even though this passes bol=false, at the point where
// this code runs, the matcher is re-initialized resulting in
// undelivered data implicitly being bol-anchored. It's unclear
// if that was intended, but there's hardly a right way here,
// so that seems ok.
tcp_analyzer->Conn()->Match(zeek::detail::Rule::PAYLOAD, b.block, b.Size(), IsOrig(), false, false, false);
}
}
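Review bot: the replacement call still passes four unlabelled positional bools (`IsOrig(), false, false, false`), which is precisely the is_orig/bol/eol ordering mix-up this commit corrects, so annotating them inline (e.g. `IsOrig(), /*bol=*/false, /*eol=*/false, false`) or asserting the intended order in the comment above would stop the next reader from reintroducing the swap. The added comment asserts that the matcher is re-initialized at this point so the data is implicitly bol-anchored; naming where that re-initialization happens would make the claim verifiable rather than something to take on faith, and since the comment itself says it is unclear whether the anchoring was intended, a regression test that feeds undelivered originator-side payload through a payload signature would pin down both the direction fix and the anchoring behaviour.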