Merge remote-tracking branch 'origin/master' into topic/seth/smb

# Conflicts:
#	testing/btest/Baseline/plugins.hooks/output
#	testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
#	testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log

scripts/base/protocols/dns/main.bro

@@ -2,6 +2,7 @@
 ##! their responses.
 
 @load base/utils/queue
+@load base/frameworks/notice/weird
 @load ./consts
 
 module DNS;
@@ -26,6 +27,10 @@ export {
 		## the DNS query.  Also used in responses to match up replies to
 		## outstanding queries.
 		trans_id:      count              &log &optional;
+		## Round trip time for the query and response. This indicates
+		## the delay between when the request was seen until the
+		## answer started.
+		rtt:           interval           &log &optional;
 		## The domain name that is the subject of the DNS query.
 		query:         string             &log &optional;
 		## The QCLASS value specifying the class of the query.
@@ -99,7 +104,7 @@ export {
 	## when creating a new session value.
 	##
 	## c: The connection involved in the new session.
-	## 
+	##
 	## msg: The DNS message header information.
 	##
 	## is_query: Indicator for if this is being called for a query or a response.
@@ -172,8 +177,9 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
 
 	for ( i in infos )
 		{
-		event flow_weird("dns_unmatched_msg",
-		                 infos[i]$id$orig_h, infos[i]$id$resp_h);
+		local wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=infos[i]$uid,
+		                       $id=infos[i]$id);
+		Weird::weird(wi);
 		Log::write(DNS::LOG, infos[i]);
 		}
 	}
@@ -188,12 +194,14 @@ function log_unmatched_msgs(msgs: PendingMessages)
 
 function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
 	{
+	local wi: Weird::Info;
 	if ( id !in msgs )
 		{
 		if ( |msgs| > max_pending_query_ids )
 			{
-			event flow_weird("dns_unmatched_query_id_quantity",
-			                 msg$id$orig_h, msg$id$resp_h);
+			wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=msg$uid,
+			                       $id=msg$id);
+			Weird::weird(wi);
 			# Throw away all unmatched on assumption they'll never be matched.
 			log_unmatched_msgs(msgs);
 			}
@@ -204,8 +212,9 @@ function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
 		{
 		if ( Queue::len(msgs[id]) > max_pending_msgs )
 			{
-			event flow_weird("dns_unmatched_msg_quantity",
-			                 msg$id$orig_h, msg$id$resp_h);
+			wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg_quantity", $uid=msg$uid,
+			                       $id=msg$id);
+			Weird::weird(wi);
 			log_unmatched_msgs_queue(msgs[id]);
 			# Throw away all unmatched on assumption they'll never be matched.
 			msgs[id] = Queue::init();
@@ -311,6 +320,16 @@ hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 		c$dns$AA    = msg$AA;
 		c$dns$RA    = msg$RA;
 
+		if ( ! c$dns?$rtt )
+			{
+			c$dns$rtt = network_time() - c$dns$ts;
+			# This could mean that only a reply was seen since 
+			# we assume there must be some passage of time between
+			# request and response.
+			if ( c$dns$rtt == 0secs )
+				delete c$dns$rtt;
+			}
+
 		if ( reply != "" )
 			{
 			if ( ! c$dns?$answers )

scripts/base/protocols/http/entities.bro

@@ -17,12 +17,18 @@ export {
 		## An ordered vector of file unique IDs.
 		orig_fuids:      vector of string &log &optional;
 
+		## An order vector of filenames from the client.
+		orig_filenames:  vector of string &log &optional;
+
 		## An ordered vector of mime types.
 		orig_mime_types: vector of string &log &optional;
 
 		## An ordered vector of file unique IDs.
 		resp_fuids:      vector of string &log &optional;
 
+		## An order vector of filenames from the server.
+		resp_filenames:  vector of string &log &optional;
+
 		## An ordered vector of mime types.
 		resp_mime_types: vector of string &log &optional;
 
@@ -82,13 +88,31 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 				c$http$orig_fuids = string_vec(f$id);
 			else
 				c$http$orig_fuids[|c$http$orig_fuids|] = f$id;
+
+			if ( f$info?$filename )
+				{
+				if ( ! c$http?$orig_filenames )
+					c$http$orig_filenames = string_vec(f$info$filename);
+				else
+					c$http$orig_filenames[|c$http$orig_filenames|] = f$info$filename;
+				}
 			}
+
 		else
 			{
 			if ( ! c$http?$resp_fuids )
 				c$http$resp_fuids = string_vec(f$id);
 			else
 				c$http$resp_fuids[|c$http$resp_fuids|] = f$id;
+
+			if ( f$info?$filename )
+				{
+				if ( ! c$http?$resp_filenames )
+					c$http$resp_filenames = string_vec(f$info$filename);
+				else
+					c$http$resp_filenames[|c$http$resp_filenames|] = f$info$filename;
+				}
+
 			}
 		}
 	}

scripts/base/protocols/http/main.bro

@@ -60,9 +60,6 @@ export {
 		info_code:               count     &log &optional;
 		## Last seen 1xx informational reply message returned by the server.
 		info_msg:                string    &log &optional;
-		## Filename given in the Content-Disposition header sent by the
-		## server.
-		filename:                string    &log &optional;
 		## A set of indicators of various attributes discovered and
 		## related to a particular request/response pair.
 		tags:                    set[Tags] &log;

scripts/base/protocols/smtp/main.bro

@@ -1,13 +1,13 @@
 @load base/frameworks/notice
 @load base/utils/addrs
 @load base/utils/directions-and-hosts
+@load base/utils/email
 
 module SMTP;
 
 export {
 	redef enum Log::ID += { LOG };
 
-	## The record type which contains the fields of the SMTP log.
 	type Info: record {
 		## Time when the message was first seen.
 		ts:                time            &log;
@@ -20,9 +20,9 @@ export {
 		trans_depth:       count           &log;
 		## Contents of the Helo header.
 		helo:              string          &log &optional;
-		## Contents of the From header.
+		## Email addresses found in the From header.
 		mailfrom:          string          &log &optional;
-		## Contents of the Rcpt header.
+		## Email addresses found in the Rcpt header.
 		rcptto:            set[string]     &log &optional;
 		## Contents of the Date header.
 		date:              string          &log &optional;
@@ -100,7 +100,7 @@ event bro_init() &priority=5
 	}
 
 function find_address_in_smtp_header(header: string): string
-{
+	{
 	local ips = extract_ip_addresses(header);
 	# If there are more than one IP address found, return the second.
 	if ( |ips| > 1 )
@@ -111,7 +111,7 @@ function find_address_in_smtp_header(header: string): string
 	# Otherwise, there wasn't an IP address found.
 	else
 		return "";
-}
+	}
 
 function new_smtp_log(c: connection): Info
 	{
@@ -166,7 +166,14 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &
 		{
 		if ( ! c$smtp?$rcptto )
 			c$smtp$rcptto = set();
-		add c$smtp$rcptto[split_string1(arg, /:[[:blank:]]*/)[1]];
+
+		local rcptto_addrs = extract_email_addrs_set(arg);
+		for ( rcptto_addr in rcptto_addrs )
+			{
+			rcptto_addr = gsub(rcptto_addr, /ORCPT=rfc822;?/, "");
+			add c$smtp$rcptto[rcptto_addr];
+			}
+
 		c$smtp$has_client_activity = T;
 		}
 
@@ -175,8 +182,9 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &
 		# Flush last message in case we didn't see the server's acknowledgement.
 		smtp_message(c);
 
-		local partially_done = split_string1(arg, /:[[:blank:]]*/)[1];
-		c$smtp$mailfrom = split_string1(partially_done, /[[:blank:]]?/)[0];
+		local mailfrom = extract_first_email_addr(arg);
+		if ( mailfrom != "" )
+			c$smtp$mailfrom = mailfrom;
 		c$smtp$has_client_activity = T;
 		}
 	}
@@ -237,9 +245,11 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 		if ( ! c$smtp?$to )
 			c$smtp$to = set();
 
-		local to_parts = split_string(h$value, /[[:blank:]]*,[[:blank:]]*/);
-		for ( i in to_parts )
-			add c$smtp$to[to_parts[i]];
+		local to_email_addrs = split_mime_email_addresses(h$value);
+		for ( to_email_addr in to_email_addrs )
+			{
+			add c$smtp$to[to_email_addr];
+			}
 		}
 
 	else if ( h$name == "CC" )
@@ -247,16 +257,16 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 		if ( ! c$smtp?$cc )
 			c$smtp$cc = set();
 
-		local cc_parts = split_string(h$value, /[[:blank:]]*,[[:blank:]]*/);
-		for ( i in cc_parts )
-			add c$smtp$cc[cc_parts[i]];
+		local cc_parts = split_mime_email_addresses(h$value);
+		for ( cc_part in cc_parts )
+			add c$smtp$cc[cc_part];
 		}
 
 	else if ( h$name == "X-ORIGINATING-IP" )
 		{
 		local addresses = extract_ip_addresses(h$value);
-		if ( 1 in addresses )
-			c$smtp$x_originating_ip = to_addr(addresses[1]);
+		if ( 0 in addresses )
+			c$smtp$x_originating_ip = to_addr(addresses[0]);
 		}
 
 	else if ( h$name == "X-MAILER" ||
@@ -309,9 +319,9 @@ function describe(rec: Info): string
 	if ( rec?$mailfrom && rec?$rcptto )
 		{
 		local one_to = "";
-		for ( to in rec$rcptto )
+		for ( email in rec$rcptto )
 			{
-			one_to = to;
+			one_to = email;
 			break;
 			}
 		local abbrev_subject = "";

scripts/base/protocols/ssl/consts.bro

@@ -542,9 +542,17 @@ export {
 	const TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE;
 	const TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF;
 	# draft-agl-tls-chacha20poly1305-02
-	const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13;
-	const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14;
-	const TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15;
+	const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC13;
+	const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC14;
+	const TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD = 0xCC15;
+	# RFC 7905
+	const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8;
+	const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA9;
+	const TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAA;
+	const TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAB;
+	const TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAC;
+	const TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAD;
+	const TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAE;
 
 	const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE;
 	const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF;
@@ -908,9 +916,16 @@ export {
 		[TLS_ECDHE_ECDSA_WITH_AES_256_CCM] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
 		[TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
 		[TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
+		[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD",
+		[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD",
+		[TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD",
 		[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 		[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 		[TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+		[TLS_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",
+		[TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+		[TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+		[TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256",
 		[SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
 		[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
 		[SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2",