Merge remote-tracking branch 'origin/master' into topic/robin/broker-logging
commit
524002eefa
13 changed files with 99 additions and 17 deletions
19
CHANGES
19
CHANGES
|
@ -1,4 +1,23 @@
|
||||||
|
|
||||||
|
2.5-62 | 2017-02-15 15:56:38 -0800
|
||||||
|
|
||||||
|
* Fix case in which scripts were able to access unitialized variables
|
||||||
|
in certain cases. Addresses BIT-1785. (Jon Siwek)
|
||||||
|
|
||||||
|
2.5-60 | 2017-02-15 15:19:20 -0800
|
||||||
|
|
||||||
|
* Implement ERSPAN support.
|
||||||
|
|
||||||
|
There is a small caveat to this implementation. The ethernet
|
||||||
|
header that is carried over the tunnel is ignored. If a user
|
||||||
|
tries to do MAC address logging, it will only show the MAC
|
||||||
|
addresses for the outer tunnel and the inner MAC addresses
|
||||||
|
will be stripped and not available anywhere. (Seth Hall)
|
||||||
|
|
||||||
|
* Tiny mime-type fix from Dan Caselden. (Seth Hall)
|
||||||
|
|
||||||
|
* Update failing intel framework test. (Johanna Amann)
|
||||||
|
|
||||||
2.5-55 | 2017-02-10 09:50:43 -0500
|
2.5-55 | 2017-02-10 09:50:43 -0500
|
||||||
|
|
||||||
* Fixed intel expiration reset. Reinserting the same indicator did not reset
|
* Fixed intel expiration reset. Reinserting the same indicator did not reset
|
||||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
||||||
2.5-55
|
2.5-62
|
||||||
|
|
|
@ -116,7 +116,7 @@ signature file-reg-utf16 {
|
||||||
|
|
||||||
# Microsoft Registry format (typically DESKTOP.DAT)
|
# Microsoft Registry format (typically DESKTOP.DAT)
|
||||||
signature file-regf {
|
signature file-regf {
|
||||||
file-mime "application vnd.ms-regf", 49
|
file-mime "application/vnd.ms-regf", 49
|
||||||
file-magic /^\x72\x65\x67\x66/
|
file-magic /^\x72\x65\x67\x66/
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -33,6 +33,15 @@ Frame::~Frame()
|
||||||
Release();
|
Release();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void Frame::Reset(int startIdx)
|
||||||
|
{
|
||||||
|
for ( int i = startIdx; i < size; ++i )
|
||||||
|
{
|
||||||
|
Unref(frame[i]);
|
||||||
|
frame[i] = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
void Frame::Release()
|
void Frame::Release()
|
||||||
{
|
{
|
||||||
for ( int i = 0; i < size; ++i )
|
for ( int i = 0; i < size; ++i )
|
||||||
|
|
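Review bot: `Frame::Reset` is added without a comment and trusts `startIdx`: the loop indexes `frame[i]` from `startIdx` upward, so a negative value would touch memory before the array. The only caller visible on this page passes `args->length()` from `BroFunc::Call`, which should be non-negative, so stating the contract is probably enough: `// Unref and null out slots [startIdx, size) so values left by an earlier body are not visible to the next; startIdx must be >= 0.` The purpose given in that comment is inferred from the call site and the CHANGES entry, so the author should confirm it.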
|
@ -24,6 +24,7 @@ public:
|
||||||
frame[n] = v;
|
frame[n] = v;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void Reset(int startIdx);
|
||||||
void Release();
|
void Release();
|
||||||
|
|
||||||
void Describe(ODesc* d) const;
|
void Describe(ODesc* d) const;
|
||||||
|
|
|
@ -397,6 +397,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
|
||||||
bodies[i].stmts->GetLocationInfo());
|
bodies[i].stmts->GetLocationInfo());
|
||||||
|
|
||||||
Unref(result);
|
Unref(result);
|
||||||
|
f->Reset(args->length());
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
|
|
@ -431,7 +431,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int proto = ip_hdr->NextProto();
|
int proto = ip_hdr->NextProto();
|
||||||
|
|
||||||
if ( CheckHeaderTrunc(proto, len, caplen, pkt, encapsulation) )
|
if ( CheckHeaderTrunc(proto, len, caplen, pkt, encapsulation) )
|
||||||
|
@ -510,6 +509,11 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
||||||
uint16 proto_typ = ntohs(*((uint16*)(data + 2)));
|
uint16 proto_typ = ntohs(*((uint16*)(data + 2)));
|
||||||
int gre_version = flags_ver & 0x0007;
|
int gre_version = flags_ver & 0x0007;
|
||||||
|
|
||||||
|
// If a carried packet has ethernet, this will help skip it.
|
||||||
|
unsigned int eth_len = 0;
|
||||||
|
unsigned int gre_len = gre_header_len(flags_ver);
|
||||||
|
unsigned int ppp_len = gre_version == 1 ? 1 : 0;
|
||||||
|
|
||||||
if ( gre_version != 0 && gre_version != 1 )
|
if ( gre_version != 0 && gre_version != 1 )
|
||||||
{
|
{
|
||||||
Weird(fmt("unknown_gre_version_%d", gre_version), ip_hdr,
|
Weird(fmt("unknown_gre_version_%d", gre_version), ip_hdr,
|
||||||
|
@ -519,7 +523,18 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
||||||
|
|
||||||
if ( gre_version == 0 )
|
if ( gre_version == 0 )
|
||||||
{
|
{
|
||||||
if ( proto_typ != 0x0800 && proto_typ != 0x86dd )
|
if ( proto_typ == 0x6558 && len > gre_len + 14 )
|
||||||
|
{
|
||||||
|
// transparent ethernet bridging
|
||||||
|
eth_len = 14;
|
||||||
|
proto_typ = ntohs(*((uint16*)(data + gre_len + 12)));
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( proto_typ == 0x0800 )
|
||||||
|
proto = IPPROTO_IPV4;
|
||||||
|
else if ( proto_typ == 0x86dd )
|
||||||
|
proto = IPPROTO_IPV6;
|
||||||
|
else
|
||||||
{
|
{
|
||||||
// Not IPv4/IPv6 payload.
|
// Not IPv4/IPv6 payload.
|
||||||
Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr,
|
Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr,
|
||||||
|
@ -527,7 +542,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
proto = (proto_typ == 0x0800) ? IPPROTO_IPV4 : IPPROTO_IPV6;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
else // gre_version == 1
|
else // gre_version == 1
|
||||||
|
@ -556,10 +570,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
unsigned int gre_len = gre_header_len(flags_ver);
|
if ( len < gre_len + ppp_len + eth_len || caplen < gre_len + ppp_len + eth_len )
|
||||||
unsigned int ppp_len = gre_version == 1 ? 1 : 0;
|
|
||||||
|
|
||||||
if ( len < gre_len + ppp_len || caplen < gre_len + ppp_len )
|
|
||||||
{
|
{
|
||||||
Weird("truncated_GRE", ip_hdr, encapsulation);
|
Weird("truncated_GRE", ip_hdr, encapsulation);
|
||||||
return;
|
return;
|
||||||
|
@ -578,9 +589,9 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
||||||
proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6;
|
proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6;
|
||||||
}
|
}
|
||||||
|
|
||||||
data += gre_len + ppp_len;
|
data += gre_len + ppp_len + eth_len;
|
||||||
len -= gre_len + ppp_len;
|
len -= gre_len + ppp_len + eth_len;
|
||||||
caplen -= gre_len + ppp_len;
|
caplen -= gre_len + ppp_len + eth_len;
|
||||||
|
|
||||||
// Treat GRE tunnel like IP tunnels, fallthrough to logic below now
|
// Treat GRE tunnel like IP tunnels, fallthrough to logic below now
|
||||||
// that GRE header is stripped and only payload packet remains.
|
// that GRE header is stripped and only payload packet remains.
|
||||||
|
@ -607,7 +618,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
||||||
// Check for a valid inner packet first.
|
// Check for a valid inner packet first.
|
||||||
IP_Hdr* inner = 0;
|
IP_Hdr* inner = 0;
|
||||||
int result = ParseIPPacket(caplen, data, proto, inner);
|
int result = ParseIPPacket(caplen, data, proto, inner);
|
||||||
|
|
||||||
if ( result < 0 )
|
if ( result < 0 )
|
||||||
Weird("truncated_inner_IP", ip_hdr, encapsulation);
|
Weird("truncated_inner_IP", ip_hdr, encapsulation);
|
||||||
|
|
||||||
|
@ -794,6 +804,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt,
|
||||||
// Construct fake packet for DoNextPacket
|
// Construct fake packet for DoNextPacket
|
||||||
Packet p;
|
Packet p;
|
||||||
p.Init(DLT_RAW, &ts, caplen, len, data, false, "");
|
p.Init(DLT_RAW, &ts, caplen, len, data, false, "");
|
||||||
|
|
||||||
DoNextPacket(t, &p, inner, outer);
|
DoNextPacket(t, &p, inner, outer);
|
||||||
|
|
||||||
delete inner;
|
delete inner;
|
||||||
|
|
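Review bot: In the `gre_version == 0` branch, the new transparent-ethernet-bridging case reads the inner EtherType at `data + gre_len + 12` after checking only `len`. The `caplen` comparison against `gre_len + ppp_len + eth_len` comes later in the function, so a packet captured with a short snaplen can be read past its captured bytes before `truncated_GRE` is raised. The condition should bound the read by the captured length too, e.g. `if ( proto_typ == 0x6558 && len > gre_len + 14 && caplen > gre_len + 14 )`. `DoNextPacket` starts and ends outside these hunks, so an earlier check that already guarantees `caplen >= gre_len + 14` may exist out of view. A snaplen-truncated trace alongside `erspan.trace` would exercise this path.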
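--- a/testing/btest/Baseline/core.erspan/tunnel.log
+++ b/testing/btest/Baseline/core.erspan/tunnel.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open 2017-02-03-20-27-11
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+1442309933.472798 CHhAvVGS1DHFjwGM9 10.200.0.3 0 10.200.0.224 0 Tunnel::GRE Tunnel::DISCOVER
+#close 2017-02-03-20-27-11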
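--- a/testing/btest/Baseline/language.uninitialized-local2/out
+++ b/testing/btest/Baseline/language.uninitialized-local2/out
@@ -0,0 +1,2 @@
+error in /home/jon/projects/bro/bro/testing/btest/.tmp/language.uninitialized-local2/uninitialized-local2.bro, line 19: value used but not set (var_b)
+var_a is, baz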
|
@ -3,9 +3,9 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path reporter
|
#path reporter
|
||||||
#open 2016-09-20-22-35-58
|
#open 2017-02-11-16-36-40
|
||||||
#fields ts level message location
|
#fields ts level message location
|
||||||
#types time enum string string
|
#types time enum string string
|
||||||
0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 507-508
|
0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/johanna/bro/master/scripts/base/frameworks/intel/./main.bro, lines 520-521
|
||||||
0.000000 Reporter::INFO received termination signal (empty)
|
0.000000 Reporter::INFO received termination signal (empty)
|
||||||
#close 2016-09-20-22-35-59
|
#close 2017-02-11-16-36-40
|
||||||
|
|
BIN
testing/btest/Traces/erspan.trace
Normal file
BIN
testing/btest/Traces/erspan.trace
Normal file
Binary file not shown.
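--- a/testing/btest/core/erspan.bro
+++ b/testing/btest/core/erspan.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/erspan.trace %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/frameworks/tunnels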
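--- a/testing/btest/language/uninitialized-local2.bro
+++ b/testing/btest/language/uninitialized-local2.bro
@@ -0,0 +1,25 @@
+# @TEST-EXEC: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+event test()
+{
+local var_a: string = "foo";
+}
+
+event test()
+{
+if ( F )
+{
+local var_b: string = "bar";
+}
+
+local var_a: string = "baz";
+
+print "var_a is", var_a;
+print "var_b is", var_b;
+}
+
+event bro_init()
+{
+event test();
+}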