mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 18:18:19 +00:00
Merge remote-tracking branch 'origin/master' into topic/vladg/kerberos
Conflicts: NEWS testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log testing/btest/Baseline/plugins.hooks/output testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
This commit is contained in:
Vlad Grigorescu
commit
9f9bad48a4
90 changed files with 3010 additions and 3367 deletions
|
|
@ -22,9 +22,6 @@ export {
|
|||
## is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
|
||||
##
|
||||
## Returns: T on success, F on failure.
|
||||
##
|
||||
## .. bro:see:: bytes_threshold_crossed packets_threshold_crossed set_packets_threshold
|
||||
## delete_bytes_threshold delete_packets_threshold
|
||||
global set_bytes_threshold: function(c: connection, threshold: count, is_orig: bool): bool;
|
||||
|
||||
## Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.
|
||||
|
|
@ -37,9 +34,6 @@ export {
|
|||
## is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
|
||||
##
|
||||
## Returns: T on success, F on failure.
|
||||
##
|
||||
## .. bro:see:: bytes_threshold_crossed packets_threshold_crossed set_bytes_threshold
|
||||
## delete_bytes_threshold delete_packets_threshold
|
||||
global set_packets_threshold: function(c: connection, threshold: count, is_orig: bool): bool;
|
||||
|
||||
## Deletes a byte threshold for connection sizes.
|
||||
|
|
@ -51,9 +45,6 @@ export {
|
|||
## is_orig: If true, threshold is removed for packets from originator, otherwhise for packets from responder.
|
||||
##
|
||||
## Returns: T on success, F on failure.
|
||||
##
|
||||
## .. bro:see:: bytes_threshold_crossed packets_threshold_crossed set_bytes_threshold set_packets_threshold
|
||||
## delete_packets_threshold
|
||||
global delete_bytes_threshold: function(c: connection, threshold: count, is_orig: bool): bool;
|
||||
|
||||
## Deletes a packet threshold for connection sizes.
|
||||
|
|
@ -65,9 +56,6 @@ export {
|
|||
## is_orig: If true, threshold is removed for packets from originator, otherwise for packets from responder.
|
||||
##
|
||||
## Returns: T on success, F on failure.
|
||||
##
|
||||
## .. bro:see:: bytes_threshold_crossed packets_threshold_crossed set_bytes_threshold set_packets_threshold
|
||||
## delete_bytes_threshold
|
||||
global delete_packets_threshold: function(c: connection, threshold: count, is_orig: bool): bool;
|
||||
|
||||
## Generated for a connection that crossed a set byte threshold
|
||||
|
|
@ -77,9 +65,6 @@ export {
|
|||
## threshold: the threshold that was set
|
||||
##
|
||||
## is_orig: True if the threshold was crossed by the originator of the connection
|
||||
##
|
||||
## .. bro:see:: packets_threshold_crossed set_bytes_threshold set_packets_threshold
|
||||
## delete_bytes_threshold delete_packets_threshold
|
||||
global bytes_threshold_crossed: event(c: connection, threshold: count, is_orig: bool);
|
||||
|
||||
## Generated for a connection that crossed a set byte threshold
|
||||
|
|
@ -89,9 +74,6 @@ export {
|
|||
## threshold: the threshold that was set
|
||||
##
|
||||
## is_orig: True if the threshold was crossed by the originator of the connection
|
||||
##
|
||||
## .. bro:see:: bytes_threshold_crossed set_bytes_threshold set_packets_threshold
|
||||
## delete_bytes_threshold delete_packets_threshold
|
||||
global packets_threshold_crossed: event(c: connection, threshold: count, is_orig: bool);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -63,10 +63,13 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
|
|||
f$ftp = ftp;
|
||||
}
|
||||
|
||||
event file_mime_type(f: fa_file, mime_type: string) &priority=5
|
||||
event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
|
||||
{
|
||||
if ( ! f?$ftp )
|
||||
return;
|
||||
|
||||
f$ftp$mime_type = mime_type;
|
||||
if ( ! meta?$mime_type )
|
||||
return;
|
||||
|
||||
f$ftp$mime_type = meta$mime_type;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ export {
|
|||
|
||||
event http_begin_entity(c: connection, is_orig: bool) &priority=10
|
||||
{
|
||||
set_state(c, F, is_orig);
|
||||
set_state(c, is_orig);
|
||||
|
||||
if ( is_orig )
|
||||
++c$http$orig_mime_depth;
|
||||
|
|
@ -93,24 +93,27 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
|
|||
}
|
||||
}
|
||||
|
||||
event file_mime_type(f: fa_file, mime_type: string) &priority=5
|
||||
event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
|
||||
{
|
||||
if ( ! f?$http || ! f?$is_orig )
|
||||
return;
|
||||
|
||||
if ( ! meta?$mime_type )
|
||||
return;
|
||||
|
||||
if ( f$is_orig )
|
||||
{
|
||||
if ( ! f$http?$orig_mime_types )
|
||||
f$http$orig_mime_types = string_vec(mime_type);
|
||||
f$http$orig_mime_types = string_vec(meta$mime_type);
|
||||
else
|
||||
f$http$orig_mime_types[|f$http$orig_mime_types|] = mime_type;
|
||||
f$http$orig_mime_types[|f$http$orig_mime_types|] = meta$mime_type;
|
||||
}
|
||||
else
|
||||
{
|
||||
if ( ! f$http?$resp_mime_types )
|
||||
f$http$resp_mime_types = string_vec(mime_type);
|
||||
f$http$resp_mime_types = string_vec(meta$mime_type);
|
||||
else
|
||||
f$http$resp_mime_types[|f$http$resp_mime_types|] = mime_type;
|
||||
f$http$resp_mime_types[|f$http$resp_mime_types|] = meta$mime_type;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -89,6 +89,10 @@ export {
|
|||
current_request: count &default=0;
|
||||
## Current response in the pending queue.
|
||||
current_response: count &default=0;
|
||||
## Track the current deepest transaction.
|
||||
## This is meant to cope with missing requests
|
||||
## and responses.
|
||||
trans_depth: count &default=0;
|
||||
};
|
||||
|
||||
## A list of HTTP headers typically used to indicate proxied requests.
|
||||
|
|
@ -150,13 +154,11 @@ function new_http_session(c: connection): Info
|
|||
tmp$ts=network_time();
|
||||
tmp$uid=c$uid;
|
||||
tmp$id=c$id;
|
||||
# $current_request is set prior to the Info record creation so we
|
||||
# can use the value directly here.
|
||||
tmp$trans_depth = c$http_state$current_request;
|
||||
tmp$trans_depth = ++c$http_state$trans_depth;
|
||||
return tmp;
|
||||
}
|
||||
|
||||
function set_state(c: connection, request: bool, is_orig: bool)
|
||||
function set_state(c: connection, is_orig: bool)
|
||||
{
|
||||
if ( ! c?$http_state )
|
||||
{
|
||||
|
|
@ -165,15 +167,20 @@ function set_state(c: connection, request: bool, is_orig: bool)
|
|||
}
|
||||
|
||||
# These deal with new requests and responses.
|
||||
if ( request || c$http_state$current_request !in c$http_state$pending )
|
||||
c$http_state$pending[c$http_state$current_request] = new_http_session(c);
|
||||
if ( ! is_orig && c$http_state$current_response !in c$http_state$pending )
|
||||
c$http_state$pending[c$http_state$current_response] = new_http_session(c);
|
||||
|
||||
if ( is_orig )
|
||||
{
|
||||
if ( c$http_state$current_request !in c$http_state$pending )
|
||||
c$http_state$pending[c$http_state$current_request] = new_http_session(c);
|
||||
|
||||
c$http = c$http_state$pending[c$http_state$current_request];
|
||||
}
|
||||
else
|
||||
{
|
||||
if ( c$http_state$current_response !in c$http_state$pending )
|
||||
c$http_state$pending[c$http_state$current_response] = new_http_session(c);
|
||||
|
||||
c$http = c$http_state$pending[c$http_state$current_response];
|
||||
}
|
||||
}
|
||||
|
||||
event http_request(c: connection, method: string, original_URI: string,
|
||||
|
|
@ -186,7 +193,7 @@ event http_request(c: connection, method: string, original_URI: string,
|
|||
}
|
||||
|
||||
++c$http_state$current_request;
|
||||
set_state(c, T, T);
|
||||
set_state(c, T);
|
||||
|
||||
c$http$method = method;
|
||||
c$http$uri = unescaped_URI;
|
||||
|
|
@ -208,8 +215,10 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
|
|||
if ( c$http_state$current_response !in c$http_state$pending ||
|
||||
(c$http_state$pending[c$http_state$current_response]?$status_code &&
|
||||
! code_in_range(c$http_state$pending[c$http_state$current_response]$status_code, 100, 199)) )
|
||||
{
|
||||
++c$http_state$current_response;
|
||||
set_state(c, F, F);
|
||||
}
|
||||
set_state(c, F);
|
||||
|
||||
c$http$status_code = code;
|
||||
c$http$status_msg = reason;
|
||||
|
|
@ -233,7 +242,7 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
|
|||
|
||||
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
|
||||
{
|
||||
set_state(c, F, is_orig);
|
||||
set_state(c, is_orig);
|
||||
|
||||
if ( is_orig ) # client headers
|
||||
{
|
||||
|
|
@ -257,7 +266,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
|||
add c$http$proxied[fmt("%s -> %s", name, value)];
|
||||
}
|
||||
|
||||
else if ( name == "AUTHORIZATION" )
|
||||
else if ( name == "AUTHORIZATION" || name == "PROXY-AUTHORIZATION" )
|
||||
{
|
||||
if ( /^[bB][aA][sS][iI][cC] / in value )
|
||||
{
|
||||
|
|
@ -278,12 +287,11 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority = 5
|
||||
{
|
||||
set_state(c, F, is_orig);
|
||||
set_state(c, is_orig);
|
||||
|
||||
if ( is_orig )
|
||||
c$http$request_body_len = stat$body_length;
|
||||
|
|
|
|||
|
|
@ -42,8 +42,8 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
|
|||
f$irc = irc;
|
||||
}
|
||||
|
||||
event file_mime_type(f: fa_file, mime_type: string) &priority=5
|
||||
event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
|
||||
{
|
||||
if ( f?$irc )
|
||||
f$irc$dcc_mime_type = mime_type;
|
||||
}
|
||||
if ( f?$irc && meta?$mime_type )
|
||||
f$irc$dcc_mime_type = meta$mime_type;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue