Robin Sommer
77f17ab4e5
Fix missing version number in spicyz.
Needs associated `cmake` PR.
Closes #3383.
2023-10-19 11:27:25 +02:00
Arne Welzel
a503c2a672
Merge remote-tracking branch 'origin/topic/awelzel/quic-ldap-event-prototypes'
* origin/topic/awelzel/quic-ldap-event-prototypes:
ldap: Use longer event names
ldap: Add spicy-events.zeek
quic: Add spicy-events.zeek
2023-10-19 11:08:36 +02:00
Arne Welzel
e1864ec131
ldap: Use longer event names
It's unusual to compress and shorten event names of protocol analyzers,
switch to a slightly longer name instead.
2023-10-19 10:49:19 +02:00
Arne Welzel
fb31ad0c6e
ldap: Add spicy-events.zeek
2023-10-19 10:48:34 +02:00
Arne Welzel
2389f6f6c5
quic: Add spicy-events.zeek
2023-10-19 10:48:24 +02:00
Tim Wojtulewicz
fc62bb477c
Merge remote-tracking branch 'origin/topic/timw/3382-update-ssh-key-exchanges'
* origin/topic/timw/3382-update-ssh-key-exchanges:
Add new SSH key exchange algorithms reported by OpenSSH 9.0
2023-10-18 12:05:37 -07:00
Tim Wojtulewicz
a0a1328e02
Add new SSH key exchange algorithms reported by OpenSSH 9.0
2023-10-18 12:05:00 -07:00
Arne Welzel
bccf1a9253
IEEE802_11: Fix buffer-overflow due to not accounting for the amsdu header
The fuzzer generated input where data length left was 14 and the amsdu_len
field set to 14. That caused buffer overread due to not taking into account
the amsdu header length of 14.
2023-10-18 10:53:06 +02:00
Arne Welzel
a5b94f04fd
Merge remote-tracking branch 'origin/topic/awelzel/better-gre-over-udp-pcap'
* origin/topic/awelzel/better-gre-over-udp-pcap:
gre-over-udp: Update testing pcap with both endpoints
2023-10-17 19:34:01 +02:00
Arne Welzel
a17923da50
Merge branch 'ldap-asn1-fixes' of https://github.com/pauldokas/zeek
* 'ldap-asn1-fixes' of https://github.com/pauldokas/zeek:
performance improvements for the LDAP ASN.1 analyzer
2023-10-17 17:20:53 +02:00
Arne Welzel
536686f02d
gre-over-udp: Update testing pcap with both endpoints
The first pcap only contained packets from the originator, not the responder.
What stands out here is that the Linux kernel doesn't seem to use a symmetric
flow hash for the tunneled connection, resulting in a total of four tunnel
connections for the two inner connections. Sigh.
2023-10-17 12:30:14 +02:00
zeek-bot
ae0f8677b3
Update doc submodule [nomail] [skip ci]
2023-10-17 00:20:37 +00:00
Tim Wojtulewicz
d4993ebf7f
Merge remote-tracking branch 'origin/topic/timw/3344-gre-over-udp'
* origin/topic/timw/3344-gre-over-udp:
Add registration for GRE-over-UDP
2023-10-16 11:52:18 -07:00
Tim Wojtulewicz
6d9d4523bc
Add registration for GRE-over-UDP
2023-10-16 11:42:24 -07:00
Tim Wojtulewicz
01302a8989
Merge remote-tracking branch 'origin/topic/timw/update-cares'
* origin/topic/timw/update-cares:
Update c-ares to v1.20.1 [nomail]
2023-10-16 09:48:08 -07:00
Tim Wojtulewicz
6990d50e08
Merge remote-tracking branch 'origin/topic/neverlord/broker-refactoring'
* origin/topic/neverlord/broker-refactoring:
Broker: Adapt to upstream API adjustments
2023-10-13 14:40:34 -07:00
Paul Dokas
07a010a643
performance improvements for the LDAP ASN.1 analyzer
2023-10-13 16:44:48 -04:00
Dominik Charousset
015608fef6
Broker: Adapt to upstream API adjustments
2023-10-13 13:27:32 -07:00
Tim Wojtulewicz
c9551c0a59
Update c-ares to v1.20.1 [nomail]
2023-10-13 12:48:37 -07:00
Tim Wojtulewicz
738c39379f
Start of 6.2.0 development
2023-10-13 10:58:29 -07:00
Tim Wojtulewicz
7332c45ee1
Update docs submodule [nomail] [skip ci]
2023-10-13 10:49:39 -07:00
Tim Wojtulewicz
a4da0c64a1
Add missing NEWS entries for upcoming 6.1 release, reformat slightly
2023-10-13 10:00:34 -07:00
Arne Welzel
bd9b82f1fb
Merge remote-tracking branch 'origin/topic/awelzel/quic-reuse-openssl-ctxs'
* origin/topic/awelzel/quic-reuse-openssl-ctxs:
protocol/quic/decrypt_crypto: Reuse OpenSSL context objects
2023-10-13 13:16:15 +02:00
Arne Welzel
4365e81fe2
Merge remote-tracking branch 'origin/topic/bbannier/bump-spicy'
* origin/topic/bbannier/bump-spicy:
Bump auxil/spicy to latest development snapshot
2023-10-13 13:14:00 +02:00
Benjamin Bannier
e67d18c2fa
Bump auxil/spicy to latest development snapshot
2023-10-13 12:00:31 +02:00
Arne Welzel
701eb6161a
Merge remote-tracking branch 'origin/topic/timw/docker-builder-timeouts'
* origin/topic/timw/docker-builder-timeouts:
CI: Add more logging during docker builds
CI: Add timeouts for apt commands in docker builder Dockerfiles
2023-10-13 08:16:54 +02:00
zeek-bot
384fc07050
Update doc submodule [nomail] [skip ci]
2023-10-13 00:20:14 +00:00
Tim Wojtulewicz
3d1380305b
CI: Add more logging during docker builds
2023-10-12 15:00:52 -07:00
Arne Welzel
84d5c63fa3
protocol/quic/decrypt_crypto: Reuse OpenSSL context objects
It is not necessary to allocate and free the context objects used for
HKDF and AES all the time, they can be re-used. The main assumption here
is no cross-thread usage, but this should be guaranteed even with the
fibers: QUIC_decrypt_crypto_payload() always runs to completion.
A pcap with ~12k QUIC connections had ~15% samples in
QUIC_decrypt_crypto_payload. After this change it is down to 5%
of samples. The improvement in runtime is ~16%, 12.2 seconds
to 10.2 seconds.
From zeek/spicy-quic#14
2023-10-12 20:29:30 +02:00
Benjamin Bannier
e121654ee7
Merge remote-tracking branch 'origin/topic/bbannier/fix-signed-unsigned-comparison'
2023-10-12 17:11:38 +02:00
Benjamin Bannier
7ad0255274
Fix signed-unsigned comparison.
We compared the return value of `sizeof` which returns a `std::size_t`
with an `int` which GCC warned about. This patch changes the `int` to a
`size_t`.
2023-10-12 15:59:32 +02:00
Arne Welzel
aa665435a6
Merge remote-tracking branch 'origin/topic/awelzel/no-bytes-in-variable-length-integer'
* origin/topic/awelzel/no-bytes-in-variable-length-integer:
quic: Avoid bytes for VariableLengthInteger
2023-10-12 15:54:04 +02:00
Arne Welzel
994d66185c
quic: Avoid bytes for VariableLengthInteger
Allocation of bytes objects due to parsing and usage of pack and the
invocation of to_uint() showed significantly in profiles (3.3% sample
matches). Switch to a more procedural approach to avoid the allocation
overhead.
From zeek/spicy-quic/pull/13
2023-10-12 14:17:09 +02:00
zeek-bot
e33528ec5b
Update doc submodule [nomail] [skip ci]
2023-10-12 00:22:10 +00:00
Tim Wojtulewicz
2d8e7368ae
CI: Add timeouts for apt commands in docker builder Dockerfiles
2023-10-11 12:56:30 -07:00
Arne Welzel
dc8e98d790
protocol/quic: Add doc-id/doc-description to .evt file
Without this, the QUIC enums end up under Zeek::Spicy and we don't
have an extra Zeek::QUIC section in the docs.
2023-10-11 18:48:42 +02:00
Arne Welzel
007bcefd09
Merge remote-tracking branch 'origin/topic/awelzel/2326-import-quic'
* origin/topic/awelzel/2326-import-quic:
ci/btest: Remove spicy-quic helper, disable Spicy on CentOS 7
btest/core/ppp: Run test in bare mode
btest/quic: Update other tests
testing/quic: Fixups and simplification after Zeek integration
quic: Integrate as default analyzer
quic: Include Copyright lines to the analyzer's source code contributed by Fox-IT
quic: Squashed follow-ups: quic.log, tests, various fixes, performance
quic: Initial implementation
2023-10-11 18:05:14 +02:00
Arne Welzel
1774a25f00
ci/btest: Remove spicy-quic helper, disable Spicy on CentOS 7
The have-quic pattern wasn't great and it wouldn't scale.
2023-10-11 17:17:23 +02:00
Arne Welzel
01bf1d4764
Merge remote-tracking branch 'origin/topic/awelzel/update-zeekygen-docs-show-stderr'
* origin/topic/awelzel/update-zeekygen-docs-show-stderr:
ci/update-zeekygen-docs.sh: Do output stderr by default
zeekygen: Disable zeek_init() handlers causing error output
zeekygen/example: Squelch unused function warning
2023-10-11 15:21:31 +02:00
Arne Welzel
94a8cf2a09
Merge remote-tracking branch 'origin/topic/awelzel/pcap-reading-configurable-buffer'
* origin/topic/awelzel/pcap-reading-configurable-buffer:
iosource/pcap: Support configurable buffer size
util/setvbuf: Respect buf argument
2023-10-11 15:20:17 +02:00
Arne Welzel
2cbe76d296
ci/update-zeekygen-docs.sh: Do output stderr by default
stderr was only produced when there was a real failure as it had been a
bit noisy previously, but has hidden actual problems. Now that there is
less noise, just output stderr all the time.
2023-10-11 15:18:36 +02:00
Arne Welzel
6f3e3a10e6
zeekygen: Disable zeek_init() handlers causing error output
These modules have zeek_init() handlers with actual logic that has side-effects
and error outputs. Just disable them during zeekygen runs.
2023-10-11 15:18:33 +02:00
Arne Welzel
e51d7815f2
btest/core/ppp: Run test in bare mode
2023-10-11 15:13:23 +02:00
Arne Welzel
f814be4484
btest/quic: Update other tests
2023-10-11 15:13:18 +02:00
Arne Welzel
6fd68bc607
zeekygen/example: Squelch unused function warning
2023-10-11 14:28:33 +02:00
Arne Welzel
3f99aa7996
testing/quic: Fixups and simplification after Zeek integration
2023-10-11 14:10:22 +02:00
Arne Welzel
ee827eecf7
quic: Integrate as default analyzer
2023-10-11 14:10:22 +02:00
Arne Welzel
d0d461ec13
quic: Include Copyright lines to the analyzer's source code contributed by Fox-IT
This is primarily such that they stay intact when importing into the
Zeek project. Also move LICENSE to COPYING.
2023-10-11 14:10:22 +02:00
Arne Welzel
359f8d2ae6
quic: Squashed follow-ups: quic.log, tests, various fixes, performance
2023-10-11 14:10:22 +02:00
Joost
44d7c45723
quic: Initial implementation
2023-10-11 14:10:22 +02:00