diff --git a/CHANGES b/CHANGES
index f0693b928c..3d21b997c1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,37 @@
+5.2.0-dev.209 | 2022-11-08 16:44:48 -0700
+
+ * {http,smtp}/entities: Align header regexes with extract_filename_from_content_disposition() (Arne Welzel, Corelight)
+
+ * analyzer/HTTP: Call TCP_ApplicationAnalyzer::Done() after RequestMade()/ReplyMade() (Arne Welzel, Corelight)
+
+ * file_analysis/Analyzer: Limit maximum number of violations (Arne Welzel, Corelight)
+
+ Just the same as for protocol analyzers, prevent from violation event overload.
+
+ * test: Add btest verifying max_analyzer_violations functionality (Arne Welzel, Corelight)
+
+ The pcap has been generated roughly based on the example found on wikipedia
+ with some added garbled response after the STAT command from the client.
+
+ * analyzer: Cap analyzer violations at 1000 per analyzer instance (Arne Welzel, Corelight)
+
+ * Report an error if a key is too big for a DictEntry (Tim Wojtulewicz, Corelight)
+
+ * Use larger size variable for DictEntry key_size to avoid overflows with big keys (Tim Wojtulewicz, Corelight)
+
+ * ftp: Limit pending commands to FTP::max_pending_commands (default 20) (Arne Welzel, Corelight)
+
+ * Update baselines after AnalyzePacket changes (Arne Welzel, Corelight)
+
+ Mainly, for bad headers we do not (can not) put addresses into
+ the log anymore. Some were rather obviously bogus previously
+ already.
+
+ * protocol/ip: Only attach IP_Hdr to Packet if valid (Arne Welzel, Corelight)
+
+ Ensure packet->ip_hdr is not set (so no one can assume it's valid)
+ when AnalyzePacket() found something weird with the header.
+
 5.2.0-dev.198 | 2022-11-07 11:47:53 +0100
 * Bump documentation.
diff --git a/VERSION b/VERSION
index cd9512b09c..b06c13293b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.2.0-dev.198
+5.2.0-dev.209
diff --git a/scripts/base/protocols/http/entities.zeek b/scripts/base/protocols/http/entities.zeek
index 4c0aae2d4b..4b4c8a8c67 100644
--- a/scripts/base/protocols/http/entities.zeek
+++ b/scripts/base/protocols/http/entities.zeek
@@ -98,7 +98,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 }
 if ( name == "CONTENT-DISPOSITION" &&
- /[fF][iI][lL][eE][nN][aA][mM][eE]/ in value )
+ /[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*\*?=/ in value )
 {
 c$http$current_entity$filename = extract_filename_from_content_disposition(value);
 }
diff --git a/scripts/base/protocols/smtp/entities.zeek b/scripts/base/protocols/smtp/entities.zeek
index 7bc43d7c2a..20fdfd816b 100644
--- a/scripts/base/protocols/smtp/entities.zeek
+++ b/scripts/base/protocols/smtp/entities.zeek
@@ -63,7 +63,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 }
 if ( h$name == "CONTENT-DISPOSITION" &&
- /[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value )
+ /[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*\*?=/ in h$value )
 c$smtp$entity$filename = extract_filename_from_content_disposition(h$value);
 if ( h$name == "CONTENT-TYPE" &&
diff --git a/testing/btest/Baseline/scripts.base.utils.files/output b/testing/btest/Baseline/scripts.base.utils.files/output
index e39eea3678..523589365e 100644
--- a/testing/btest/Baseline/scripts.base.utils.files/output
+++ b/testing/btest/Baseline/scripts.base.utils.files/output
@@ -2,6 +2,9 @@
 Economy
 US-$ rates
 \xa3 rates
+filename.jpg
+fieldName
+fieldName
 test-prefix_141.142.220.118:48649-208.80.152.118:80_test-suffix
 test-prefix_141.142.220.118:48649-208.80.152.118:80
 141.142.220.118:48649-208.80.152.118:80_test-suffix
diff --git a/testing/btest/scripts/base/utils/files.test b/testing/btest/scripts/base/utils/files.test
index e9c3e7df27..92af542eb5 100644
--- a/testing/btest/scripts/base/utils/files.test
+++ b/testing/btest/scripts/base/utils/files.test
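Review bot: The new guard in the http/entities.zeek hunk tolerates blanks between `filename` and `*` but none between `*` and `=`, so a header written as `filename* = ...` (blank after the star) no longer reaches the extractor although the pre-change pattern matched it; the smtp/entities.zeek hunk has the same asymmetry. If extract_filename_from_content_disposition() itself accepts that spacing, the guard is now stricter than the function it is meant to align with, and the symmetric form `/[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*\*?[[:blank:]]*=/` would keep both in step; the extractor is outside this diff, so its actual tolerance cannot be confirmed here. The pattern is still unanchored, so `filename=` appearing inside another parameter's quoted value also passes the guard, which only costs one extra extractor call and is acceptable for a pre-filter, but is worth a one-line comment such as `# Cheap pre-filter only; the extractor does the real parameter parsing.` so nobody later tightens it into a parser.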
@@ -17,4 +17,7 @@ event zeek_init()
 print extract_filename_from_content_disposition("attachment; filename=Economy");
 print extract_filename_from_content_disposition("attachment; name=\"US-$ rates\"");
 print extract_filename_from_content_disposition("attachment; filename*=iso-8859-1'en'%A3%20rates");
+ print extract_filename_from_content_disposition("form-data; name=\"fieldName\"; filename=\"filename.jpg\"");
+ print extract_filename_from_content_disposition("form-data; name=\"fieldName\"");
+ print extract_filename_from_content_disposition("form-data; filename=\"filename.jpg\"; name=\"fieldName\"");
 }
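Review bot: The third added print, `form-data; filename="filename.jpg"; name="fieldName"`, is baselined in testing/btest/Baseline/scripts.base.utils.files/output as `fieldName`, while the first print with the same two parameters in the opposite order yields `filename.jpg`. That pins order-dependent behaviour in extract_filename_from_content_disposition(): whichever of `filename=` or `name=` comes last appears to win instead of the filename parameter consistently taking precedence over the form-data field name, which matters because the result ends up in the files log as the reported filename. If this is intended, a comment on the test such as `# NOTE: a later name= overrides an earlier filename=; see extract_filename_from_content_disposition()` would stop the next reader from treating it as a regression; if not, the extractor (outside this diff) should prefer filename regardless of position and this baseline line should become `filename.jpg`. zeek_init() begins before this hunk.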