With this change, we also parse signed certificate timestamps from OCSP
replies. This introduces a common base class between the OCSP and X509
analyzer, which now share a bit of common code. The event for signed
certificate timestamps is raised by both and thus renamed do:
x509_ocsp_ext_signed_certificate_timestamp
This is a tiny bit evil because it uses parts of the SSL protocol
analyzer in the X.509 certificate parser. Which is the fault of the
protocol, which replicates the functionality.
This event is the replacement for ssl_application_data, which is removed
in the same commit. It is more generic, containing more information than
ssl_application_dataand is raised for all SSL/TLS messages that are
exchanged before encryption starts.
It is used by Bro internally to determine when a TLS1.3 session has been
completely established. Apart from that, it can be used to, e.g.,
determine the record layer TLS version.
This exposes the record layer version of the fragment in addition to the
content type and the length. The ordering of the arguments in the event
is the same as the ordering in the protocol message (first type, then
version, then length).
This also includes a slight change to the analyzer, no longer calling
the generate function if the event is not used.
This change adds compression methods to the ssl_client_hello event. It
not being included was an oversight from a long time ago.
This change means that the signature of ssl_client_hello changes
slightly and scripts will have to be adjusted; since this is a commonly
used event, the impact of it might be higher than usually for event
changes.
- New fields: extracted_cutoff and extracted_size.
These fields will be null if the file isn't extracted.
- Extended the extraction test to test the files log too.
* origin/topic/seth/smb-auth-fixes:
Disable SMB2 error data parsing.
Removed some files that aren't being used.
Fix SMB tree connect handling.
Fix a small issue where DCE_RPC commands were improperly being logged.
SMB fixes and cleanup.
Including a test for raw NTLM in SMB
Updates for SMB auth handling from Martin van Hensbergen.
BIT-1721 #merged
* origin/topic/vladg/bit-1641:
Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641.
Clean up the logic for ssh_auth_failed. Addresses BIT-1641
Update baselines for adding a field to ssh.log as part of BIT-1641
Script-land changes for BIT-1641.
Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641.
Revert "Fixing duplicate SSH authentication failure events."
Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641.
I extended the tests a bit and did some small cleanups. I also moved the
SSH events back to the global namespace for backwards compatibility and
for consistency (the way it was at the moment, some of them were global
some SSH::).
Furthermore, I fixed the ssh_auth_result result event, it was only
raised in the success case. ssh_auth_result is now also checked in the
testcases. I also have a suspicion that the intel integration never
really worked before.
BIT-1641 #merged
One more name change: version_num -> version_number
BIT-1707 #merged
* origin/topic/johanna/version:
Slight naming changes for Bro version information.
Add convenient way to access version information to Bro.
With the introduction of the package manager, it will get more common
that applications are able to get information about the currently
running version of Bro. With this commit, scripts can easily compare
which version of Bro they are running.
Commonly, this probably will either look like this (both lines check if
the current Bro version is greater or equal to 2.5)
@if ( Version::num >= 20500 )
or
@if ( Version::greater_equal("2.5") )
Version::info contains detailed information about the running version of
Bro, including beta flags, etc.
number of fields required.
Addresses BIT-1683
I do not think this quite fixes the underlying issue of BIT-1683 - it
should not be possible to get to this state in normal operations.
Also fixes a small memory leak for disabled writers.
I wasn't accounting for analyzers being disabled and not actually
instantiating when requested. This includes a test which
verifies there is no crash or problem when a user disables DCE_RPC.
* origin/topic/seth/log-framework-ext:
Log extensions: series of small fixes and new tests.
Change the function for log extension to take a path only and update tests.
Final changes to log framework ext code.
Add logging framework metadata mechanism.
Add unrolling separator & field name map to logging framework.
The extensions now work with optional types, as well with complex types
(like subrecords). Not returning a record in the ext_func no longer
crashes bro.
The default_ext_func was switched to return void in
cases where no extension revord is defined (was bool).
I also got rid of the offsets in the indices - with the rest of the
implementation, that was not really necessary and made the code more
complex.
The "metadata" functionality has been renamed to "ext" to
represent that the logs are being extended. The function that
returns the record which is used to extend the log now receives
a log filter as it's single argument.
The field name "unrolling" is now renamed to "scope" so the variables
names now look like this: "Log::default_scope_sep"
This adds the capability for the user to attach a reason when removing
or destroying a rule. The message will both be logged in netcontrol.log
and forwarded to the responsible plugins.
Addresses BIT-1655
* origin/topic/dnthayer/ticket1627:
Add a test for starting a cluster with a logger node
Update broctl submodule
Update broctl submodule to branch topic/dnthayer/ticket1627
Change how logger node is detected in cluster framework
Update test baselines for the new logger node type
Update docs for the new logger node type
Add a new node type for logging
Closes github's #77 and closes BIT-1606
* topic/seth/intel-update-merge:
Tiny scoping updates and test baseline updates for Intel framework.
Minor documentation cleanups.
Fixed insertion of nested subnets.
Refactored FAF integration of intel framework.
Added expiration for intelligence items.
Improved intel notices.
Added hook to allow extending the intel log.
Added remove function to intel-framework.
Added support for subnets to intel-framework.
Refactoring of meta data handling for intel.
Added testcase for intel updates.
* origin/topic/robin/bit-1641:
Fixing duplicate SSH authentication failure events.
I changed the test slightly; the output of uniq is not stable between
operating systems (on OS-X, it emits a space, on Linux it apparently
emits a tab). I removed the call to uniq - sort by itself is enough to
create a difference if there are duplicate entries.
Addresses BIT-1641
