Johanna Amann
e48c6ccc4a
Do not log common name by default (it is most interesting for scripts)
and add a test case.
2015-03-03 16:38:25 -08:00
Johanna Amann
252d57fd2c
extract most specific common name from certificates
2015-03-03 16:09:54 -08:00
Robin Sommer
dfc88094ab
Merge remote-tracking branch 'origin/topic/jsiwek/broker'
* origin/topic/jsiwek/broker: (34 commits)
Update broker submodule.
Update broker submodule.
broker integration: add missing baselines for doc tests
broker integration: add prof.log statistics
broker integration: add high-level usage documentation
broker integration: add API documentation (broxygen/doxygen)
broker integration: fix memory leak, add leak tests
Update broker submodule.
Improve comm tests.
Fix gcc compile warnings.
broker integration: fix unit tests to work when broker is not enabled.
Add --enable-c++11 configure flag.
broker integration: add (un)publish/(un)advertise functions
broker integration: add knobs to set auto publish/advertise behavior
broker integration: move listen port for unit tests to a btest variable
broker integration: add events for incoming connection status updates
broker integration: adapt to change in expiration_time
Update coverage unit test baselines.
broker integration: add Comm::enable function
broker integration: process debug/diagnostic reports from broker
...
Conflicts:
cmake
testing/btest/Baseline/plugins.hooks/output
2015-03-02 17:10:15 -08:00
Vlad Grigorescu
b129231d9b
KRB: Clean up krb.log a bit.
2015-03-02 12:32:24 -05:00
Mike Smiley
3877b3e34b
add bytes recvd to Stats and stats.bro
use libpcap packet hdr.len to count bytes
2015-02-23 21:27:28 -05:00
Vlad Grigorescu
96fc3b75f7
Merge remote-tracking branch 'origin/master' into topic/vladg/sip
2015-02-21 13:07:22 -05:00
Vlad Grigorescu
b90c8cb8ec
Merge remote-tracking branch 'origin/master' into topic/vladg/file-analysis-exe-analyzer
Conflicts:
src/types.bif
2015-02-19 16:59:52 -06:00
Mike Smiley
a1d49e791e
add local_resp to Conn Info
allow user to differentiate between local -> local and local -> remote
connections
2015-02-18 20:41:40 -05:00
Jon Siwek
b06d82cced
broker integration: add API documentation (broxygen/doxygen)
Also changed asynchronous data store query code a bit; trying to make
memory management and handling of corner cases a bit clearer (former
maybe could still be better, but I need to lookup queries by memory
address to associate response cookies to them, and so wrapping pointers
kind of just gets in the way).
2015-02-17 10:50:57 -06:00
Jon Siwek
e95116ba85
Merge branch 'master' into topic/jsiwek/broker
2015-02-16 10:00:17 -06:00
jshlbrd
dade1936be
Update dpd.sig
2015-02-15 23:06:36 -08:00
jshlbrd
10071ffddf
Fixed typo
2015-02-15 23:05:11 -08:00
jshlbrd
8a5bb0f6a7
Added check for connection existence
Added a check for connection existence before trying to remove the RDP analyzer from a connection.
2015-02-15 23:04:31 -08:00
Josh Liburdi
90bfbf9002
Added comments, changed logging events to reduce analyzer errors
2015-02-15 22:43:31 -08:00
Josh Liburdi
a3ab9f5b09
Added comments and TODOs
2015-02-15 10:18:52 -08:00
Josh Liburdi
af1f4be529
Added comments and TODOs
2015-02-15 10:16:16 -08:00
Josh Liburdi
0648dafa54
Removed scheduling of rdp_tracker event in server response events
2015-02-15 10:08:31 -08:00
Josh Liburdi
fd655aa85d
Removed debug code for SSL
2015-02-15 09:24:28 -08:00
jshlbrd
2fcddc6441
Update init-default.bro
Commented out mysql
2015-02-14 13:31:23 -08:00
Josh Liburdi
46713fb5c7
Init RDP analyzer
2015-02-14 13:16:48 -08:00
Jon Siwek
212368b245
Merge remote-tracking branch 'origin/topic/jsiwek/socks-authentication'
* origin/topic/jsiwek/socks-authentication:
Refactor SOCKS5 user/pass authentication support.
Update the SOCKS analyzer to support user/pass login.
BIT-1011 #merged
2015-02-13 09:15:50 -06:00
Jon Siwek
961fd06cad
Refactor SOCKS5 user/pass authentication support.
- Rename event "socks_login_userpass" to "socks_login_userpass_request"
- Rename event "socks_login_reply" to "socks_login_userpass_reply"
- Split unsupported authN weird into 2 types: method vs. version
Addresses BIT-1011
2015-02-12 17:06:38 -06:00
Jon Siwek
ebc9407a2b
broker integration: add knobs to set auto publish/advertise behavior
2015-02-09 16:26:31 -06:00
Robin Sommer
23b9705a7b
Fixing analyzer tag types for some Files::* functions.
2015-02-08 18:23:22 -08:00
Vlad Grigorescu
4a2d7f1d39
SIP: Move to the new string BIFs
2015-02-06 20:00:38 -05:00
Vlad Grigorescu
d852fe8b52
Merge remote-tracking branch 'origin/master' into topic/vladg/sip
2015-02-06 19:49:23 -05:00
Vlad Grigorescu
fc721d2d25
Merge remote-tracking branch 'origin/master' into topic/vladg/ssh
2015-02-06 18:58:38 -05:00
Vlad Grigorescu
9f19c74a10
Kerberos: A couple small tweaks.
2015-02-06 13:05:09 -05:00
Vlad Grigorescu
dfc42ffe8a
Kerberos: Fix parsing of the cipher in tickets, and add it to the log.
2015-02-06 11:48:46 -05:00
Vlad Grigorescu
5bba7ad1eb
Kerberos: A couple more formatting fixes.
2015-02-05 16:06:31 -05:00
Vlad Grigorescu
a8373b60e7
Change krb Info string to success bool
2015-02-05 14:30:18 -05:00
Vlad Grigorescu
7e1fcb1a10
Merge remote-tracking branch 'origin/master' into topic/vladg/kerberos
2015-02-05 14:22:29 -05:00
Vlad Grigorescu
444ff240bd
Clean up formatting.
2015-02-05 14:21:34 -05:00
Vlad Grigorescu
aea0ae453e
Documentation update, and rework events a bit.
2015-02-05 14:05:56 -05:00
Seth Hall
9592f64225
Update the SOCKS analyzer to support user/pass login.
- This addresses BIT-1011
- Add a new field to socks.log; "password".
- Two new events; socks_login_userpass and socks_login_reply.
- One new weird for unsupported authentication method.
- A new test for authenticated socks traffic.
- Credit to Nicolas Retrain for the initial patch. Thanks!
2015-02-05 12:44:10 -05:00
Vlad Grigorescu
457ad73e6d
Add support for the SAFE message type.
2015-02-04 17:28:09 -05:00
Vlad Grigorescu
b981bc6c62
Add support for AP_REQ, AP_REP, PRIV, and CRED message types.
2015-02-04 16:28:44 -05:00
Jon Siwek
6b115c6999
Merge branch 'master' into topic/jsiwek/broker
2015-02-02 11:45:21 -06:00
Jon Siwek
9875f5d3eb
broker integration: add distributed data store api
But haven't done the full gamut of testing on it yet.
2015-01-30 14:39:16 -06:00
Jon Siwek
d2ea87735a
broker integration: add bifs to inspect/manipulate broker data
i.e. script-layer functions to convert between bro values and broker
values; mostly for use w/ Bro's data store interface (coming soon).
2015-01-29 10:42:48 -06:00
Vlad Grigorescu
1f41c0470c
Improve Kerberos DPD and fix a few parse errors.
2015-01-23 17:22:10 -05:00
Jon Siwek
23f04835c6
Deprecate split* family of BIFs.
These functions are now deprecated in favor of alternative versions that
return a vector of strings rather than a table of strings.
Deprecated functions:
- split: use split_string instead.
- split1: use split_string1 instead.
- split_all: use split_string_all instead.
- split_n: use split_string_n instead.
- cat_string_array: see join_string_vec instead.
- cat_string_array_n: see join_string_vec instead.
- join_string_array: see join_string_vec instead.
- sort_string_array: use sort instead.
- find_ip_addresses: use extract_ip_addresses instead.
Changed functions:
- has_valid_octets: uses a string_vec parameter instead of string_array.
Addresses BIT-924, BIT-757.
2015-01-21 15:34:42 -06:00
Vlad Grigorescu
b8376ca733
Add Kerberos support for PKINIT (x509 cert authentication)
2015-01-20 20:43:51 -05:00
Vlad Grigorescu
3c3920bfbc
Kerberos - Add TCP support
2015-01-20 17:46:26 -05:00
Vlad Grigorescu
2e8eb574f5
A number of Kerberos fixes, following testing. Added some fields to the log, and parsed some more data.
2015-01-19 18:16:27 -05:00
Jon Siwek
7e563b7275
broker integration: add remote events
2015-01-15 15:45:08 -06:00
Robin Sommer
c67c7c6196
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
small changes to ec curve names in a newer draft
2015-01-15 09:44:41 -08:00
Robin Sommer
0024881f3d
Merge remote-tracking branch 'origin/topic/vladg/mysql'
* origin/topic/vladg/mysql:
Updating MySQL with Robin's suggestions:
BIT-1285 #merged
2015-01-14 14:21:00 -08:00
Robin Sommer
41ff1c4cd0
Merge remote-tracking branch 'origin/topic/robin/dnp3-merge-v4'
* origin/topic/robin/dnp3-merge-v4:
add test trace in which DNP3 packets are over UDP; update test scripts and baseline results
A bit more DNP3 tweaking.
remove redundant codes; find a way to use the analyzer function, such as Weird; fix a small bug in ProcessData function in DNP3.cc; passed the test
Renaming the DNP3 TCP analyzer
quickly fix another bug; adding missing field of the declaration of dnp3_request_application_header and dnp3_response_application_header
Removing the debug printf in DNP3.cc
fixed the bug of deciding the size of object 1 variation 1 in DNP3
Fix some things in DNP3 UDP analyzer.
changed a bug, but still not working
modify DNP3.cc and DNP3.h to add DNP3_UDP_Analyzer; binpac unchanged
BIT-1231 #merged
2015-01-14 13:25:42 -08:00
Jon Siwek
1e462481dc
broker integration: add remote printing
2015-01-14 13:28:34 -06:00