Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 17:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
16829 commits 387 branches 195 tags 264 MiB
Commit graph

3398 commits

Author SHA1 Message Date
Robin Sommer
e5adc768cc Merge branch 'stats-bytes-recvd' of https://github.com/msmiley/bro 2015-03-04 13:16:19 -08:00
Robin Sommer
0cc3e574f0 Merge remote-tracking branch 'origin/topic/johanna/x509-cn' 
* origin/topic/johanna/x509-cn:
  Use our new features to send the CN and SAN fields of certificates to the intel framework.
  Do not log common name by default (it is most interesting for scripts) and add a test case.
  extract most specific common name from certificates

BIT-1323 #merged
 2015-03-04 12:31:34 -08:00
Seth Hall
0d04557ac4 New script to add a field to rdp.log when the connection is upgraded to SSL. 2015-03-04 14:50:41 -05:00
Seth Hall
d361deb975 Merge remote-tracking branch 'origin/master' into topic/seth/rdp 2015-03-04 13:12:45 -05:00
Seth Hall
bbedb73a45 Huge updates to the RDP analyzer from Josh Liburdi. 
- More data pulled into scriptland.
  - Logs expanded with client screen resolution and desired color depth.
  - Values in UTF-16 on the wire are converted to UTF-8 before being
    sent to scriptland.
  - If the RDP turns into SSL records, we now pass data that appears
    to be SSL to the PIA analyzer.
  - If RDP uses native encryption with X.509 certs we pass those
    certs to the files framework and the base scripts pass them forward
    to the X.509 analyzer.
  - Lots of cleanup and adjustment to fit the documented protocol
    a bit better.
  - Cleaned up the DPD signatures.
  - Moved to flowunit instead of datagram.
  - Added tests.
 2015-03-04 13:12:03 -05:00
Johanna Amann
946f19fb9d Use our new features to send the CN and SAN fields of certificates to 
the intel framework.
 2015-03-03 17:15:24 -08:00
Johanna Amann
e48c6ccc4a Do not log common name by default (it is most interesting for scripts) 
and add a test case.
 2015-03-03 16:38:25 -08:00
Johanna Amann
252d57fd2c extract most specific common name from certificates 2015-03-03 16:09:54 -08:00
Robin Sommer
07222bb107 Merge remote-tracking branch 'origin/topic/johanna/ssl-policy' 
* origin/topic/johanna/ssl-policy:
  Extend the weak-keys policy file to also alert when encountering ssl connections with old versions as well as unsafe cipher suites.

BIT-1321 #merged
 2015-03-02 17:19:00 -08:00
Robin Sommer
dfc88094ab Merge remote-tracking branch 'origin/topic/jsiwek/broker' 
* origin/topic/jsiwek/broker: (34 commits)
  Update broker submodule.
  Update broker submodule.
  broker integration: add missing baselines for doc tests
  broker integration: add prof.log statistics
  broker integration: add high-level usage documentation
  broker integration: add API documentation (broxygen/doxygen)
  broker integration: fix memory leak, add leak tests
  Update broker submodule.
  Improve comm tests.
  Fix gcc compile warnings.
  broker integration: fix unit tests to work when broker is not enabled.
  Add --enable-c++11 configure flag.
  broker integration: add (un)publish/(un)advertise functions
  broker integration: add knobs to set auto publish/advertise behavior
  broker integration: move listen port for unit tests to a btest variable
  broker integration: add events for incoming connection status updates
  broker integration: adapt to change in expiration_time
  Update coverage unit test baselines.
  broker integration: add Comm::enable function
  broker integration: process debug/diagnostic reports from broker
  ...

Conflicts:
	cmake
	testing/btest/Baseline/plugins.hooks/output
 2015-03-02 17:10:15 -08:00
Vlad Grigorescu
b129231d9b KRB: Clean up krb.log a bit. 2015-03-02 12:32:24 -05:00
Seth Hall
2e47c277d8 Merge remote-tracking branch 'origin/master' into topic/seth/file-entropy 
Conflicts:
	testing/btest/Baseline/plugins.hooks/output
 2015-02-26 16:46:37 -05:00
Seth Hall
39ebf8df79 Updated tests for file entropy analyzer. 2015-02-26 09:17:55 -05:00
Johanna Amann
897351f87e Extend the weak-keys policy file to also alert when encountering 
ssl connections with old versions as well as unsafe cipher suites.

Also make the notice suppression handling of other ssl policy files
a tad more robust.
 2015-02-25 13:57:04 -08:00
Mike Smiley
3877b3e34b add bytes recvd to Stats and stats.bro 
use libpcap packet hdr.len to count bytes
 2015-02-23 21:27:28 -05:00
Vlad Grigorescu
96fc3b75f7 Merge remote-tracking branch 'origin/master' into topic/vladg/sip 2015-02-21 13:07:22 -05:00
Vlad Grigorescu
b90c8cb8ec Merge remote-tracking branch 'origin/master' into topic/vladg/file-analysis-exe-analyzer 
Conflicts:
	src/types.bif
 2015-02-19 16:59:52 -06:00
Mike Smiley
a1d49e791e add local_resp to Conn Info 
allow user to differentiate between local -> local and local -> remote
connections
 2015-02-18 20:41:40 -05:00
Jon Siwek
b06d82cced broker integration: add API documentation (broxygen/doxygen) 
Also changed asynchronous data store query code a bit; trying to make
memory management and handling of corner cases a bit clearer (former
maybe could still be better, but I need to lookup queries by memory
address to associate response cookies to them, and so wrapping pointers
kind of just gets in the way).
 2015-02-17 10:50:57 -06:00
Jon Siwek
e95116ba85 Merge branch 'master' into topic/jsiwek/broker 2015-02-16 10:00:17 -06:00
jshlbrd
dade1936be Update dpd.sig 2015-02-15 23:06:36 -08:00
jshlbrd
10071ffddf Fixed typo 2015-02-15 23:05:11 -08:00
jshlbrd
8a5bb0f6a7 Added check for connection existence 
Added a check for connection existence before trying to remove the RDP analyzer from a connection.
 2015-02-15 23:04:31 -08:00
Josh Liburdi
90bfbf9002 Added comments, changed logging events to reduce analyzer errors 2015-02-15 22:43:31 -08:00
Josh Liburdi
a3ab9f5b09 Added comments and TODOs 2015-02-15 10:18:52 -08:00
Josh Liburdi
af1f4be529 Added comments and TODOs 2015-02-15 10:16:16 -08:00
Josh Liburdi
0648dafa54 Removed scheduling of rdp_tracker event in server response events 2015-02-15 10:08:31 -08:00
Josh Liburdi
fd655aa85d Removed debug code for SSL 2015-02-15 09:24:28 -08:00
jshlbrd
2fcddc6441 Update init-default.bro 
Commented out mysql
 2015-02-14 13:31:23 -08:00
Josh Liburdi
46713fb5c7 Init RDP analyzer 2015-02-14 13:16:48 -08:00
Jon Siwek
212368b245 Merge remote-tracking branch 'origin/topic/jsiwek/socks-authentication' 
* origin/topic/jsiwek/socks-authentication:
  Refactor SOCKS5 user/pass authentication support.
  Update the SOCKS analyzer to support user/pass login.

BIT-1011 #merged
 2015-02-13 09:15:50 -06:00
Jon Siwek
961fd06cad Refactor SOCKS5 user/pass authentication support. 
- Rename event "socks_login_userpass" to "socks_login_userpass_request"
- Rename event "socks_login_reply" to "socks_login_userpass_reply"
- Split unsupported authN weird into 2 types: method vs. version

Addresses BIT-1011
 2015-02-12 17:06:38 -06:00
Jon Siwek
ebc9407a2b broker integration: add knobs to set auto publish/advertise behavior 2015-02-09 16:26:31 -06:00
Robin Sommer
23b9705a7b Fixing analyzer tag types for some Files::* functions. 2015-02-08 18:23:22 -08:00
Vlad Grigorescu
4a2d7f1d39 SIP: Move to the new string BIFs 2015-02-06 20:00:38 -05:00
Vlad Grigorescu
d852fe8b52 Merge remote-tracking branch 'origin/master' into topic/vladg/sip 2015-02-06 19:49:23 -05:00
Vlad Grigorescu
fc721d2d25 Merge remote-tracking branch 'origin/master' into topic/vladg/ssh 2015-02-06 18:58:38 -05:00
Vlad Grigorescu
9f19c74a10 Kerberos: A couple small tweaks. 2015-02-06 13:05:09 -05:00
Vlad Grigorescu
dfc42ffe8a Kerberos: Fix parsing of the cipher in tickets, and add it to the log. 2015-02-06 11:48:46 -05:00
Vlad Grigorescu
5bba7ad1eb Kerberos: A couple more formatting fixes. 2015-02-05 16:06:31 -05:00
Vlad Grigorescu
a8373b60e7 Change krb Info string to success bool 2015-02-05 14:30:18 -05:00
Vlad Grigorescu
7e1fcb1a10 Merge remote-tracking branch 'origin/master' into topic/vladg/kerberos 2015-02-05 14:22:29 -05:00
Vlad Grigorescu
444ff240bd Clean up formatting. 2015-02-05 14:21:34 -05:00
Vlad Grigorescu
aea0ae453e Documentation update, and rework events a bit. 2015-02-05 14:05:56 -05:00
Seth Hall
9592f64225 Update the SOCKS analyzer to support user/pass login. 
- This addresses BIT-1011
 - Add a new field to socks.log; "password".
 - Two new events; socks_login_userpass and socks_login_reply.
 - One new weird for unsupported authentication method.
 - A new test for authenticated socks traffic.
 - Credit to Nicolas Retrain for the initial patch.  Thanks!
 2015-02-05 12:44:10 -05:00
Vlad Grigorescu
457ad73e6d Add support for the SAFE message type. 2015-02-04 17:28:09 -05:00
Vlad Grigorescu
b981bc6c62 Add support for AP_REQ, AP_REP, PRIV, and CRED message types. 2015-02-04 16:28:44 -05:00
Seth Hall
9c692bad39 Update and clean up to file entropy measurement. 
- Updated to newer file analyzer api.
 2015-02-03 15:04:36 -05:00
Seth Hall
b81510592a Merge remote-tracking branch 'origin/master' into topic/seth/file-entropy 2015-02-03 14:19:57 -05:00
Jon Siwek
6b115c6999 Merge branch 'master' into topic/jsiwek/broker 2015-02-02 11:45:21 -06:00