Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 20:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data

Browse source
This commit is contained in:
Johanna Amann 2018-08-24 15:36:34 -07:00
commit 4b40b6ebe4
42 changed files with 500 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

19
.update-changes.cfg Normal file
View file

@ -0,0 +1,19 @@
function new_version_hook
{
# This can be used to automatically adapt version numbers in files,
# except it's not used for that currently. Instead it updates the files
# which store the commit hashes associated with the version of external
# test suite repos to check out on a CI system.
version=$1
if [ -d testing/external/bro-testing ]; then
( cd testing/external/bro-testing && git fetch origin && git rev-parse origin/master ) > testing/external/commit-hash.bro-testing
git add testing/external/commit-hash.bro-testing
fi
if [ -d testing/external/bro-testing-private ]; then
( cd testing/external/bro-testing-private && git fetch origin && git rev-parse origin/master ) > testing/external/commit-hash.bro-testing-private
git add testing/external/commit-hash.bro-testing-private
fi
}

59
CHANGES
View file

@ -1,4 +1,63 @@
2.5-906 | 2018-08-24 14:57:55 -0500
* Stabilize a cluster logging unit test (Jon Siwek, Corelight)
2.5-905 | 2018-08-24 10:21:35 -0500
* Detect MaxMind DB changes and auto-reload (Jonathan Perkins, Corelight)
2.5-903 | 2018-08-23 16:54:24 -0500
* Fix finding of kerberos and libmaxminddb CMake < 3.3 (Daniel Thayer)
* BIT-1885: fix "kill" threading message (Jon Siwek, Corelight)
2.5-900 | 2018-08-23 15:18:48 -0500
* Improve readability of the Travis job log (Daniel Thayer)
* Fix tracking of DCE-RPC context identifier mappings
This adds previously-missing support for "Alter Context"
request/response PDUs (initial patch contributed by Mark Fernandez).
Also, context ID arguments were added to dce_rpc_bind, dce_rpc_request,
and dce_rpc_response in order to properly track what endpoint/operation
a given opnum maps to. (Jon Siwek, Corelight)
2.5-897 | 2018-08-23 15:53:16 +0000
* BIT-1885: Fix input framework memory leak. For input threads that
get joined during run-time, messages could remain in the thread's
queue and leak. (Jon Siwek, Corelight)
* Increase timeout for a memleak test. (Jon Siwek, Corelight)
2.5-894 | 2018-08-22 12:05:19 -0500
* Ensure external test repo hashes track origin/master (Jon Siwek, Corelight)
2.5-892 | 2018-08-22 11:49:12 -0500
* Fix "unused CMake variable" configuration warnings (Jon Siwek, Corelight)
2.5-890 | 2018-08-21 16:47:52 -0500
* Fix Travis CI script to checkout particular commits of external tests
(Jon Siwek, Corelight)
* Fix signed/unsigned comparison warning (Jon Siwek, Corelight)
2.5-888 | 2018-08-21 15:54:56 -0500
* Add --with-broker configure option (Jon Siwek, Corelight)
2.5-887 | 2018-08-21 14:54:12 -0500
* Change default snaplen to 9216 bytes to better accommodate jumbo frames
(Justin Azoff)
2.5-884 | 2018-08-20 15:39:21 -0500
* Fix outdated documentation test baselines (Jon Siwek, Corelight)

28
CMakeLists.txt
View file

@ -95,14 +95,6 @@ FindRequiredPackage(OpenSSL)
FindRequiredPackage(BIND)
FindRequiredPackage(ZLIB)
find_package(CAF COMPONENTS core io openssl)
if (CAF_FOUND)
# e.g. if not using embedded CAF, then need to know where to look
# for CAF headers since that may differ from where Broker headers
# are found (and including a Broker header may pull in CAF headers).
include_directories(BEFORE ${CAF_INCLUDE_DIRS})
endif ()
if (NOT BINPAC_EXE_PATH AND
EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt)
add_subdirectory(aux/binpac)
@ -142,7 +134,7 @@ include_directories(BEFORE
set(USE_GEOIP false)
find_package(LibMMDB)
if (LibMMDB_FOUND)
if (LIBMMDB_FOUND)
set(USE_GEOIP true)
include_directories(BEFORE ${LibMMDB_INCLUDE_DIR})
list(APPEND OPTLIBS ${LibMMDB_LIBRARY})
@ -151,7 +143,7 @@ endif ()
set(USE_KRB5 false)
if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux )
find_package(LibKrb5)
if (LibKrb5_FOUND)
if (LIBKRB5_FOUND)
set(USE_KRB5 true)
list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
endif ()
@ -255,7 +247,11 @@ else ()
set(BRO_CONFIG_BINPAC_ROOT_DIR ${BRO_ROOT_DIR})
endif ()
if ( BROKER_ROOT_DIR )
set(BRO_CONFIG_BROKER_ROOT_DIR ${BROKER_ROOT_DIR})
else ()
set(BRO_CONFIG_BROKER_ROOT_DIR ${BRO_ROOT_DIR})
endif ()
configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.in
${CMAKE_CURRENT_BINARY_DIR}/bro-config @ONLY)
@ -267,10 +263,22 @@ install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro
########################################################################
## Recurse on sub-directories
if ( BROKER_ROOT_DIR )
find_package(Broker REQUIRED)
find_package(CAF COMPONENTS core io openssl REQUIRED)
set(brodeps ${brodeps} ${BROKER_LIBRARY} ${CAF_LIBRARIES})
include_directories(BEFORE ${BROKER_INCLUDE_DIR})
else ()
add_subdirectory(aux/broker)
set(brodeps ${brodeps} broker)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/aux/broker
${CMAKE_CURRENT_BINARY_DIR}/aux/broker)
endif ()
# CAF headers aren't necessarily in same location as Broker headers and
# inclusion of a Broker header may pull in CAF headers.
include_directories(BEFORE ${CAF_INCLUDE_DIR_CORE})
include_directories(BEFORE ${CAF_INCLUDE_DIR_IO})
include_directories(BEFORE ${CAF_INCLUDE_DIR_OPENSSL})

16
NEWS
View file

@ -434,6 +434,19 @@ Changed Functionality
and the original weird.log may not differ much either, except in
the cases where a particular weird type exceeds the sampling threshold.
- Improved DCE-RPC analysis via tracking of context identifier mappings
- These DCE-RPC events now contain an additional context-id argument:
- dce_rpc_bind
- dce_rpc_request
- dce_rpc_response
- Added new events:
- dce_rpc_alter_context
- dce_rpc_alter_context_resp
Removed Functionality
---------------------
@ -450,6 +463,9 @@ Removed Functionality
- The node-specific ``site/local-*.bro`` scripts have been removed.
- The default value of ``Pcap::snaplen`` changed from 8192 to 9216 bytes
to better accommodate jumbo frames.
Deprecated Functionality
------------------------

2
VERSION
View file

@ -1 +1 @@
2.5-884
2.5-906

2
aux/bifcl

@ -1 +1 @@
Subproject commit e99152c00aad8f81c684a01bc4d40790a295f85c
Subproject commit b0ba021208c0c5fe8d7c92412b919d6667f63961

2
aux/binpac

@ -1 +1 @@
Subproject commit 74cf55ace0de2bf061bbbf285ccf47cba122955f
Subproject commit ff8c94964fccbf60abae401d03c9fb35a8894c16

2
aux/bro-aux

@ -1 +1 @@
Subproject commit 53aae820242c02790089e384a9fe2d3174799ab1
Subproject commit 9866d31e45f5e1467c0f1fd4a1cd9948b067ce43

2
aux/broccoli

@ -1 +1 @@
Subproject commit edf754ea6e89a84ad74eff69a454c5e285c4b81b
Subproject commit 1898e81bba7c595108bc20c5148df7f0f6a2258f

2
aux/broctl

@ -1 +1 @@
Subproject commit 336e719c33d64efebe65f11322e2fbc6d11c946b
Subproject commit 486bbb9d9ee7c66b55003e58f986d18e951902ec

2
aux/broker

@ -1 +1 @@
Subproject commit 2727afff785201168b33b0c7448c886643f10e08
Subproject commit 18d56b70558db61f424dc90e5d010f57b75de459

2
cmake

@ -1 +1 @@
Subproject commit 4cc3e344cf2698010a46684d32a2907a943430e3
Subproject commit 433676df0af266540b8a3d9216cfd9dbc1361b09

12
configure vendored
View file

@ -69,8 +69,10 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
--with-flex=PATH path to flex executable
--with-bison=PATH path to bison executable
--with-python=PATH path to Python executable
--with-caf=PATH path to C++ Actor Framework installation for using external version
(a required Broker dependency)
--with-broker=PATH path to Broker install root
(Bro uses an embedded version by default)
--with-caf=PATH path to C++ Actor Framework install root
(a Broker dependency that is embedded by default)
Optional Packages in Non-Standard Locations:
--with-geoip=PATH path to the libmaxminddb install root
@ -142,8 +144,6 @@ append_cache_entry INSTALL_BROCTL BOOL true
append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
append_cache_entry ENABLE_MOBILE_IPV6 BOOL false
append_cache_entry DISABLE_PERFTOOLS BOOL false
append_cache_entry DISABLE_RUBY_BINDINGS BOOL true
append_cache_entry ENABLE_COVERAGE BOOL false
# parse arguments
while [ $# -ne 0 ]; do
@ -220,6 +220,7 @@ while [ $# -ne 0 ]; do
append_cache_entry ENABLE_JEMALLOC BOOL true
;;
--enable-broccoli)
append_cache_entry DISABLE_RUBY_BINDINGS BOOL true
append_cache_entry INSTALL_BROCCOLI BOOL yes
;;
--disable-broctl)
@ -285,6 +286,9 @@ while [ $# -ne 0 ]; do
--with-swig=*)
append_cache_entry SWIG_EXECUTABLE PATH $optarg
;;
--with-broker=*)
append_cache_entry BROKER_ROOT_DIR PATH $optarg
;;
--with-caf=*)
append_cache_entry CAF_ROOT_DIR PATH $optarg
;;

2
scripts/base/init-bare.bro
View file

@ -4813,7 +4813,7 @@ export {
module Pcap;
export {
## Number of bytes per packet to capture from live interfaces.
const snaplen = 8192 &redef;
const snaplen = 9216 &redef;
## Number of Mbytes to provide as buffer space when capturing from live
## interfaces.

46
scripts/base/protocols/dce-rpc/main.bro
View file

@ -37,6 +37,7 @@ export {
type State: record {
uuid : string &optional;
named_pipe : string &optional;
ctx_to_uuid: table[count] of string &optional;
};
# This is to store the log and state information
@ -100,11 +101,30 @@ function set_session(c: connection, fid: count)
set_state(c, state_x);
}
event dce_rpc_bind(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
{
set_session(c, fid);
local uuid_str = uuid_to_string(uuid);
if ( ! c$dce_rpc_state?$ctx_to_uuid )
c$dce_rpc_state$ctx_to_uuid = table();
c$dce_rpc_state$ctx_to_uuid[ctx_id] = uuid_str;
c$dce_rpc_state$uuid = uuid_str;
c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str];
}
event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
{
set_session(c, fid);
local uuid_str = uuid_to_string(uuid);
if ( ! c$dce_rpc_state?$ctx_to_uuid )
c$dce_rpc_state$ctx_to_uuid = table();
c$dce_rpc_state$ctx_to_uuid[ctx_id] = uuid_str;
c$dce_rpc_state$uuid = uuid_str;
c$dce_rpc$endpoint = uuid_endpoint_map[uuid_str];
}
@ -120,7 +140,12 @@ event dce_rpc_bind_ack(c: connection, fid: count, sec_addr: string) &priority=5
}
}
event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count) &priority=5
event dce_rpc_alter_context_resp(c: connection, fid: count) &priority=5
{
set_session(c, fid);
}
event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=5
{
set_session(c, fid);
@ -130,7 +155,7 @@ event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count)
}
}
event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=5
event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=5
{
set_session(c, fid);
@ -146,15 +171,26 @@ event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
}
}
if ( c?$dce_rpc && c$dce_rpc?$endpoint )
if ( c?$dce_rpc )
{
if ( c$dce_rpc?$endpoint )
{
c$dce_rpc$operation = operations[c$dce_rpc_state$uuid, opnum];
if ( c$dce_rpc$ts != network_time() )
c$dce_rpc$rtt = network_time() - c$dce_rpc$ts;
}
if ( c$dce_rpc_state?$ctx_to_uuid &&
ctx_id in c$dce_rpc_state$ctx_to_uuid )
{
local u = c$dce_rpc_state$ctx_to_uuid[ctx_id];
c$dce_rpc$endpoint = uuid_endpoint_map[u];
c$dce_rpc$operation = operations[u, opnum];
}
}
}
event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count) &priority=-5
event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=-5
{
if ( c?$dce_rpc )
{

2
src/3rdparty

@ -1 +1 @@
Subproject commit 6cdefdd1d45465ca09aba9e05c7ca12e1484ccc0
Subproject commit 7c95b51de202ac534b27dd721da5778b773dd614

39
src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
View file

@ -54,6 +54,23 @@ refine connection DCE_RPC_Conn += {
BifEvent::generate_dce_rpc_bind(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
}
return true;
%}
function process_dce_rpc_alter_context(req: ContextRequest): bool
%{
if ( dce_rpc_alter_context )
{
BifEvent::generate_dce_rpc_alter_context(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
@ -86,6 +103,17 @@ refine connection DCE_RPC_Conn += {
return true;
%}
function process_dce_rpc_alter_context_resp(bind: DCE_RPC_AlterContext_Resp): bool
%{
if ( dce_rpc_alter_context_resp )
{
BifEvent::generate_dce_rpc_alter_context_resp(bro_analyzer(),
bro_analyzer()->Conn(),
fid);
}
return true;
%}
function process_dce_rpc_request(req: DCE_RPC_Request): bool
%{
if ( dce_rpc_request )
@ -93,6 +121,7 @@ refine connection DCE_RPC_Conn += {
BifEvent::generate_dce_rpc_request(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.context_id},
${req.opnum},
${req.stub}.length());
}
@ -109,6 +138,7 @@ refine connection DCE_RPC_Conn += {
BifEvent::generate_dce_rpc_response(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}),
${resp.stub}.length());
}
@ -127,13 +157,20 @@ refine typeattr DCE_RPC_Header += &let {
};
refine typeattr ContextRequest += &let {
proc = $context.connection.process_dce_rpc_bind(this);
proc = case ptype of {
DCE_RPC_BIND -> $context.connection.process_dce_rpc_bind(this);
DCE_RPC_ALTER_CONTEXT -> $context.connection.process_dce_rpc_alter_context(this);
};
};
refine typeattr DCE_RPC_Bind_Ack += &let {
proc = $context.connection.process_dce_rpc_bind_ack(this);
};
refine typeattr DCE_RPC_AlterContext_Resp += &let {
proc = $context.connection.process_dce_rpc_alter_context_resp(this);
};
refine typeattr DCE_RPC_Request += &let {
proc = $context.connection.process_dce_rpc_request(this);
};

23
src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
View file

@ -71,7 +71,7 @@ type Syntax = record {
ver_minor : uint16;
};
type ContextRequest = record {
type ContextRequest(ptype: uint8) = record {
id : uint16;
num_syntaxes : uint8;
reserved : padding[1];
@ -85,11 +85,11 @@ type ContextReply = record {
syntax : Syntax;
};
type ContextList(is_request: bool) = record {
type ContextList(is_request: bool, ptype: uint8) = record {
num_contexts : uint8;
reserved : padding[3];
req_reply : case is_request of {
true -> request_contexts : ContextRequest[num_contexts];
true -> request_contexts : ContextRequest(ptype)[num_contexts];
false -> reply_contexts : ContextReply[num_contexts];
};
};
@ -98,7 +98,7 @@ type DCE_RPC_Bind = record {
max_xmit_frag : uint16;
max_recv_frag : uint16;
assoc_group_id : uint32;
context_list : ContextList(1);
context_list : ContextList(1, DCE_RPC_BIND);
};
type DCE_RPC_Bind_Ack = record {
@ -108,7 +108,7 @@ type DCE_RPC_Bind_Ack = record {
sec_addr_length : uint16;
sec_addr : bytestring &length=sec_addr_length;
pad : padding align 4;
contexts : ContextList(0);
contexts : ContextList(0, DCE_RPC_BIND_ACK);
};
type DCE_RPC_Request(h: DCE_RPC_Header) = record {
@ -136,15 +136,17 @@ type DCE_RPC_AlterContext = record {
max_xmit_frag : uint16;
max_recv_frag : uint16;
assoc_group_id : uint32;
contexts : ContextList(0);
context_list : ContextList(1, DCE_RPC_ALTER_CONTEXT);
};
type DCE_RPC_AlterContext_Resp = record {
max_xmit_frag : uint16;
max_recv_frag : uint16;
assoc_group_id : uint32;
sec_addr_len : uint16;
contexts : ContextList(0);
sec_addr_length : uint16;
sec_addr : bytestring &length=sec_addr_length;
pad : padding align 4;
contexts : ContextList(0, DCE_RPC_ALTER_CONTEXT_RESP);
};
type DCE_RPC_Body(header: DCE_RPC_Header) = case header.PTYPE of {
@ -152,9 +154,8 @@ type DCE_RPC_Body(header: DCE_RPC_Header) = case header.PTYPE of {
DCE_RPC_BIND_ACK -> bind_ack : DCE_RPC_Bind_Ack;
DCE_RPC_REQUEST -> request : DCE_RPC_Request(header);
DCE_RPC_RESPONSE -> response : DCE_RPC_Response;
# TODO: Something about the two following structures isn't being handled correctly.
#DCE_RPC_ALTER_CONTEXT -> alter_context : DCE_RPC_AlterContext;
#DCE_RPC_ALTER_CONTEXT_RESP -> alter_resp : DCE_RPC_AlterContext_Resp;
DCE_RPC_ALTER_CONTEXT -> alter_context : DCE_RPC_AlterContext;
DCE_RPC_ALTER_CONTEXT_RESP -> alter_resp : DCE_RPC_AlterContext_Resp;
default -> other : bytestring &restofdata;
};

44
src/analyzer/protocol/dce-rpc/events.bif
View file

@ -25,6 +25,8 @@ event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
## not transported over a pipe.
##
## ctx_id: The context identifier of the data representation.
##
## uuid: The string interpretted uuid of the endpoint being requested.
##
## ver_major: The major version of the endpoint being requested.
@ -32,7 +34,28 @@ event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count
## ver_minor: The minor version of the endpoint being requested.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
event dce_rpc_bind%(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count%);
event dce_rpc_bind%(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context request message.
## Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
## multiple times for a single RPC message.
##
## c: The connection.
##
## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
## not transported over a pipe.
##
## ctx_id: The context identifier of the data representation.
##
## uuid: The string interpretted uuid of the endpoint being requested.
##
## ver_major: The major version of the endpoint being requested.
##
## ver_minor: The minor version of the endpoint being requested.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context_resp
event dce_rpc_alter_context%(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
##
@ -47,6 +70,17 @@ event dce_rpc_bind%(c: connection, fid: count, uuid: string, ver_major: count, v
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` alter context response message.
##
## c: The connection.
##
## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
## not transported over a pipe.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response dce_rpc_alter_context
event dce_rpc_alter_context_resp%(c: connection, fid: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
##
## c: The connection.
@ -55,12 +89,14 @@ event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
## not transported over a pipe.
##
## ctx_id: The context identifier of the data representation.
##
## opnum: Number of the RPC operation.
##
## stub_len: Length of the data for the request.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%);
event dce_rpc_request%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);
## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
##
@ -70,9 +106,11 @@ event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%
## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
## not transported over a pipe.
##
## ctx_id: The context identifier of the data representation.
###
## opnum: Number of the RPC operation.
##
## stub_len: Length of the data for the response.
##
## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
event dce_rpc_response%(c: connection, fid: count, opnum: count, stub_len: count%);
event dce_rpc_response%(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count%);

2
src/analyzer/protocol/smtp/SMTP.cc
View file

@ -819,7 +819,7 @@ void SMTP_Analyzer::UpdateState(const int cmd_code, const int reply_code, bool o
static bool istrequal(const char* s, const char* cmd, int s_len)
{
auto cmd_len = strlen(cmd);
int cmd_len = strlen(cmd);
if ( cmd_len != s_len )
return false;

75
src/bro.bif
View file

@ -3598,6 +3598,8 @@ function lookup_hostname%(host: string%) : addr_set
%%{
#ifdef USE_GEOIP
#include <chrono>
extern "C" {
#include <maxminddb.h>
#include <sys/stat.h>
@ -3608,17 +3610,24 @@ extern "C" {
class MMDB {
public:
MMDB(const char* filename);
MMDB(const char* filename, struct stat info);
~MMDB();
MMDB_lookup_result_s Lookup(const struct sockaddr* const sa);
bool StaleDB();
const char* Filename();
private:
MMDB_s mmdb;
struct stat file_info;
bool lookup_error;
std::chrono::time_point<std::chrono::steady_clock> last_check;
};
MMDB::MMDB(const char *filename)
MMDB::MMDB(const char* filename, struct stat info)
: file_info{info}, lookup_error{false},
last_check{std::chrono::steady_clock::now()}
{
int status = MMDB_open(filename, MMDB_MODE_MMAP, &mmdb);
@ -3640,12 +3649,50 @@ MMDB_lookup_result_s MMDB::Lookup(const struct sockaddr* const sa)
if ( MMDB_SUCCESS != mmdb_error )
{
lookup_error = true;
throw std::runtime_error(MMDB_strerror(mmdb_error));
}
return result;
}
// Check to see if the Maxmind DB should be closed and reopened. This will
// happen if there was a lookup error or if the mmap'd file has been replaced
// by an external process.
bool MMDB::StaleDB()
{
struct stat buf;
using Clock = std::chrono::steady_clock;
std::chrono::time_point<Clock> now = Clock::now();
if ( lookup_error )
return true;
// Only perform stat once per 5 minutes.
using Min = std::chrono::minutes;
if ( std::chrono::duration_cast<Min>(now - last_check).count() < 5 )
return false;
last_check = now;
if ( 0 != stat(mmdb.filename, &buf) )
return true;
if ( buf.st_ino != file_info.st_ino || buf.st_mtime != file_info.st_mtime )
{
reporter->Info("Inode change detected for MaxMind DB [%s]",
mmdb.filename);
return true;
}
return false;
}
const char* MMDB::Filename()
{
return mmdb.filename;
}
std::unique_ptr<MMDB> mmdb_loc;
std::unique_ptr<MMDB> mmdb_asn;
@ -3662,11 +3709,11 @@ static bool mmdb_open(const char* filename, bool asn)
{
if ( asn )
{
mmdb_asn.reset(new MMDB(filename));
mmdb_asn.reset(new MMDB(filename, buf));
}
else
{
mmdb_loc.reset(new MMDB(filename));
mmdb_loc.reset(new MMDB(filename, buf));
}
}
@ -3690,6 +3737,24 @@ static bool mmdb_open_asn(const char* filename)
return mmdb_open(filename, true);
}
static void mmdb_check_loc()
{
if ( mmdb_loc && mmdb_loc->StaleDB() )
{
reporter->Info("Closing stale MaxMind DB [%s]", mmdb_loc->Filename());
mmdb_loc.release();
}
}
static void mmdb_check_asn()
{
if ( mmdb_asn && mmdb_asn->StaleDB() )
{
reporter->Info("Closing stale MaxMind DB [%s]", mmdb_asn->Filename());
mmdb_asn.release();
}
}
static bool mmdb_lookup(const IPAddr& addr, MMDB_lookup_result_s& result,
bool asn)
{
@ -3873,6 +3938,7 @@ function lookup_location%(a: addr%) : geo_location
RecordVal* location = new RecordVal(geo_location);
#ifdef USE_GEOIP
mmdb_check_loc();
if ( ! mmdb_loc )
{
if ( ! mmdb_try_open_loc() )
@ -3950,6 +4016,7 @@ function lookup_location%(a: addr%) : geo_location
function lookup_asn%(a: addr%) : count
%{
#ifdef USE_GEOIP
mmdb_check_asn();
if ( ! mmdb_asn )
{
if ( ! mmdb_try_open_asn() )

1
src/threading/Manager.cc
View file

@ -160,6 +160,7 @@ void Manager::Process()
for ( all_thread_list::iterator i = to_delete.begin(); i != to_delete.end(); i++ )
{
BasicThread* t = *i;
t->WaitForStop();
all_threads.remove(t);

10
src/threading/MsgThread.cc
View file

@ -21,6 +21,8 @@ public:
network_time(network_time) { }
virtual bool Process() {
if ( Object()->child_finished )
return true;
bool result = Object()->OnFinish(network_time);
Object()->Finished();
return result;
@ -90,7 +92,13 @@ public:
KillMeMessage(MsgThread* thread)
: OutputMessage<MsgThread>("ReporterMessage", thread) {}
virtual bool Process() { thread_mgr->KillThread(Object()); return true; }
virtual bool Process()
{
Object()->SignalStop();
Object()->WaitForStop();
thread_mgr->KillThread(Object());
return true;
}
};
#ifdef DEBUG

1
src/threading/MsgThread.h
View file

@ -181,6 +181,7 @@ protected:
friend class HeartbeatMessage;
friend class FinishMessage;
friend class FinishedMessage;
friend class KillMeMessage;
/**
* Pops a message sent by the child from the child-to-main queue.

9
testing/btest/Baseline/bifs.dump_current_packet/1.hex Normal file
View file

@ -0,0 +1,9 @@
00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |................|
00000010 00 24 00 00 01 00 00 00 1f ad 83 4d 17 79 01 00 |.$.........M.y..|
00000020 57 00 00 00 57 00 00 00 01 00 5e 00 00 fb 00 30 |W...W.....^....0|
00000030 48 bd 3e c4 08 00 45 00 00 49 00 00 40 00 ff 11 |H.>...E..I..@...|
00000040 30 4f 8d 8e dc ca e0 00 00 fb 14 e9 14 e9 00 35 |0O.............5|
00000050 7f 62 00 00 00 00 00 01 00 00 00 00 00 00 06 67 |.b.............g|
00000060 65 6d 69 6e 69 09 5f 73 66 74 70 2d 73 73 68 04 |emini._sftp-ssh.|
00000070 5f 74 63 70 05 6c 6f 63 61 6c 00 00 21 00 01 |_tcp.local..!..|
0000007f

BIN
testing/btest/Baseline/bifs.dump_current_packet/1.pcap
View file

Binary file not shown.

17
testing/btest/Baseline/bifs.dump_current_packet/2.hex Normal file
View file

@ -0,0 +1,17 @@
00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |................|
00000010 00 24 00 00 01 00 00 00 1f ad 83 4d f4 7a 01 00 |.$.........M.z..|
00000020 d5 00 00 00 d5 00 00 00 33 33 00 00 00 fb 00 17 |........33......|
00000030 f2 d7 cf 65 86 dd 60 00 00 00 00 9f 11 ff fe 80 |...e..`.........|
00000040 00 00 00 00 00 00 02 17 f2 ff fe d7 cf 65 ff 02 |.............e..|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 fb 14 e9 |................|
00000060 14 e9 00 9f 44 e9 00 00 84 00 00 00 00 01 00 00 |....D...........|
00000070 00 04 06 67 65 6d 69 6e 69 09 5f 73 66 74 70 2d |...gemini._sftp-|
00000080 73 73 68 04 5f 74 63 70 05 6c 6f 63 61 6c 00 00 |ssh._tcp.local..|
00000090 21 80 01 00 00 00 78 00 0f 00 00 00 00 00 16 06 |!.....x.........|
000000a0 67 65 6d 69 6e 69 c0 22 c0 39 00 1c 80 01 00 00 |gemini.".9......|
000000b0 00 78 00 10 fe 80 00 00 00 00 00 00 02 17 f2 ff |.x..............|
000000c0 fe d7 cf 65 c0 39 00 01 80 01 00 00 00 78 00 04 |...e.9.......x..|
000000d0 8d 8e dc 32 c0 0c 00 2f 80 01 00 00 00 78 00 09 |...2.../.....x..|
000000e0 c0 0c 00 05 00 00 80 00 40 c0 39 00 2f 80 01 00 |........@.9./...|
000000f0 00 00 78 00 08 c0 39 00 04 40 00 00 08 |..x...9..@...|
000000fd

BIN
testing/btest/Baseline/bifs.dump_current_packet/2.pcap
View file

Binary file not shown.

2
testing/btest/Baseline/core.pcap.dumper/output
View file

@ -1,4 +1,4 @@
2c2
< 00000010 ff ff 00 00 01 00 00 00 1d a2 b2 4e 73 00 07 00 |...........Ns...|
---
> 00000010 00 20 00 00 01 00 00 00 1d a2 b2 4e 73 00 07 00 |. .........Ns...|
> 00000010 00 24 00 00 01 00 00 00 1d a2 b2 4e 73 00 07 00 |.$.........Ns...|

14
testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log
View file

@ -1,12 +1,2 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path reporter
#open 2018-04-27-22-48-04
#fields _write_ts _stream _system_name ts level message location
#types time string string time enum string string
1524869284.624934 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend broker/Log::WRITER_ASCII expected 9 fields in write, got 6. Skipping line. (empty)
1524869284.679015 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend cluster/Log::WRITER_ASCII expected 6 fields in write, got 3. Skipping line. (empty)
1524869299.534389 reporter manager-1 0.000000 Reporter::INFO received termination signal (empty)
#close 2018-04-27-22-48-19
1535139819.649067 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.bro, line XX
1535139821.906059 bah manager-1 0.000000 Reporter::INFO qux /home/jon/projects/bro/bro/testing/btest/.tmp/scripts.base.frameworks.logging.field-extension-cluster-error/field-extension-cluster-error.bro, line XX

12
testing/btest/Baseline/scripts.base.protocols.dce-rpc.context/dce_rpc.log Normal file
View file

@ -0,0 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dce_rpc
#open 2018-08-23-19-54-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
#types time string addr port addr port interval string string string
1347446180.330312 CHhAvVGS1DHFjwGM9 192.168.122.145 55614 192.168.122.3 1024 0.005544 \\PIPE\\drsuapi drsuapi DRSBind
1347446180.336310 CHhAvVGS1DHFjwGM9 192.168.122.145 55614 192.168.122.3 1024 0.000788 \\PIPE\\drsuapi drsuapi DRSCrackNames
1347446180.369165 CHhAvVGS1DHFjwGM9 192.168.122.145 55614 192.168.122.3 1024 0.000580 \\PIPE\\drsuapi drsuapi DRSUnbind
#close 2018-08-23-19-54-19

15
testing/btest/Baseline/scripts.base.protocols.dce-rpc.context/out Normal file
View file

@ -0,0 +1,15 @@
dce_rpc_bind :: fid == 0
dce_rpc_bind :: ctx_id == 0
dce_rpc_bind :: uuid == e3514235-4b06-11d1-ab04-00c04fc2dcd2
dce_rpc_bind :: fid == 0
dce_rpc_bind :: ctx_id == 1
dce_rpc_bind :: uuid == e3514235-4b06-11d1-ab04-00c04fc2dcd2
dce_rpc_bind :: fid == 0
dce_rpc_bind :: ctx_id == 2
dce_rpc_bind :: uuid == e3514235-4b06-11d1-ab04-00c04fc2dcd2
dce_rpc_bind_ack :: fid == 0
dce_rpc_bind_ack :: sec_addr == \PIPE\drsuapi
dce_rpc_alter_context :: fid == 0
dce_rpc_alter_context :: ctx_id == 0
dce_rpc_alter_context :: uuid == e3514235-4b06-11d1-ab04-00c04fc2dcd2
dce_rpc_alter_context_resp :: fid == 0

BIN
testing/btest/Traces/dce-rpc/cs_window7-join_stream092.pcap Normal file
View file

Binary file not shown.

10
testing/btest/bifs/dump_current_packet.bro
View file

@ -1,6 +1,12 @@
# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT
# @TEST-EXEC: btest-diff 1.pcap
# @TEST-EXEC: btest-diff 2.pcap
# @TEST-EXEC: hexdump -C 1.pcap >1.hex
# @TEST-EXEC: hexdump -C 2.pcap >2.hex
# @TEST-EXEC: btest-diff 1.hex
# @TEST-EXEC: btest-diff 2.hex
# Note that the hex output will contain global pcap header information,
# including Bro's snaplen setting (so maybe check that out in the case
# you are reading this message due to this test failing in the future).
global i: count = 0;

4
testing/btest/core/leaks/input-raw.bro
View file

@ -6,9 +6,9 @@
#
# @TEST-EXEC: cp input1.log input.log
# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b %INPUT
# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 8 || (btest-bg-wait -k 1 && false)
# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 60 || (btest-bg-wait -k 1 && false)
# @TEST-EXEC: cat input2.log >> input.log
# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got6 8 || (btest-bg-wait -k 1 && false)
# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got6 15 || (btest-bg-wait -k 1 && false)
# @TEST-EXEC: cat input3.log >> input.log
# @TEST-EXEC: btest-bg-wait 60

4
testing/btest/core/pcap/dumper.bro
View file

@ -2,4 +2,8 @@
# @TEST-EXEC: hexdump -C $TRACES/workshop_2011_browse.trace >1
# @TEST-EXEC: hexdump -C dump >2
# @TEST-EXEC: diff 1 2 >output || true
# Note that we're diff'ing the diff because there is an expected
# difference in the pcaps: namely, the snaplen setting stored in the
# global pcap header.
# @TEST-EXEC: btest-diff output

24
testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro
View file

@ -3,8 +3,9 @@
# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT"
# @TEST-EXEC: btest-bg-wait 20
# @TEST-EXEC: cat manager-1/reporter.log | grep -v "reporter/" > manager-reporter.log
# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-canonifier | grep -v ^# | $SCRIPTS/diff-sort" btest-diff manager-reporter.log
# @TEST-EXEC: grep qux manager-1/reporter.log | sed 's#line ..#line XX#g' > manager-reporter.log
# @TEST-EXEC: grep qux manager-1/reporter-2.log | sed 's#line ..*#line XX#g' >> manager-reporter.log
# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-canonifier | $SCRIPTS/diff-remove-abspath | grep -v ^# | $SCRIPTS/diff-sort" btest-diff manager-reporter.log
@TEST-START-FILE cluster-layout.bro
@ -35,7 +36,7 @@ type Extension: record {
function add_extension(path: string): Extension
{
return Extension($write_ts = network_time(),
$stream = path,
$stream = "bah",
$system_name = peer_description);
}
@ -56,16 +57,31 @@ event slow_death()
event kill_worker()
{
Reporter::info("qux");
Broker::publish("death", slow_death);
}
event bro_init()
{
if ( Cluster::node == "worker-1" )
{
Broker::subscribe("death");
suspend_processing();
}
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
if ( Cluster::node == "manager-1" )
schedule 13sec { kill_worker() };
{
schedule 2sec { kill_worker() };
}
if ( Cluster::node == "worker-1" )
{
continue_processing();
Reporter::info("qux");
}
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)

6
testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro
View file

@ -57,13 +57,19 @@ event kill_worker()
event bro_init()
{
if ( Cluster::node == "worker-1" )
{
suspend_processing();
Broker::subscribe("death");
}
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
if ( Cluster::node == "manager-1" )
schedule 2sec { kill_worker() };
if ( Cluster::node == "worker-1" )
continue_processing();
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)

31
testing/btest/scripts/base/protocols/dce-rpc/context.bro Normal file
View file

@ -0,0 +1,31 @@
# @TEST-EXEC: bro -b -C -r $TRACES/dce-rpc/cs_window7-join_stream092.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff dce_rpc.log
@load base/protocols/dce-rpc
event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
{
print fmt("dce_rpc_bind :: fid == %s", fid);
print fmt("dce_rpc_bind :: ctx_id == %s", ctx_id);
print fmt("dce_rpc_bind :: uuid == %s", uuid_to_string(uuid));
}
event dce_rpc_alter_context(c: connection, fid: count, ctx_id: count, uuid: string, ver_major: count, ver_minor: count) &priority=5
{
print fmt("dce_rpc_alter_context :: fid == %s", fid);
print fmt("dce_rpc_alter_context :: ctx_id == %s", ctx_id);
print fmt("dce_rpc_alter_context :: uuid == %s", uuid_to_string(uuid));
}
event dce_rpc_bind_ack(c: connection, fid: count, sec_addr: string) &priority=5
{
print fmt("dce_rpc_bind_ack :: fid == %s", fid);
print fmt("dce_rpc_bind_ack :: sec_addr == %s", sec_addr);
}
event dce_rpc_alter_context_resp(c: connection, fid: count) &priority=5
{
print fmt("dce_rpc_alter_context_resp :: fid == %s", fid);
}

1
testing/external/commit-hash.bro-testing vendored Normal file
View file

@ -0,0 +1 @@
489007e9bd035777cd1d33a9e1db9857449f805b

1
testing/external/commit-hash.bro-testing-private vendored Normal file
View file

@ -0,0 +1 @@
1917c0c602b18aa52150c7a940e9038a4382aa44

14
testing/scripts/travis-job
View file

@ -198,10 +198,24 @@ run() {
make init
fi
if [ -d bro-testing ]; then
commit=`cat commit-hash.bro-testing`
echo "Checking out $commit"
( cd bro-testing && git checkout -q $commit )
fi
echo
if [ ! -d bro-testing-private ]; then
get_private_tests
fi
if [ -d bro-testing-private ]; then
commit=`cat commit-hash.bro-testing-private`
echo "Checking out $commit"
( cd bro-testing-private && git checkout -q $commit )
fi
echo
echo "Running external tests ##############################################"
echo