Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 05:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
1986 commits 387 branches 198 tags 286 MiB
Commit graph

295 commits

Author SHA1 Message Date
Robin Sommer
8c53446292 Merge remote branch 'origin/fastpath' 
* origin/fastpath:
  Fixed major bug with cluster synchronization (it was broken!)
 2011-12-16 02:37:56 -08:00
Robin Sommer
4e17ef63f0 Merge remote branch 'origin/fastpath' 
* origin/fastpath:
  Fix missing action in notice policy for looking up GeoIP data.
  Better persistent state config warning messages (fixes #433).
  A few updates for SQL injection detection.
  Fixed some DPD signatures for IRC.  Fixes ticket #311.
  Removing Off_Port_Protocol_Found notice.
  SSH::Interesting_Hostname_Login cleanup.  Fixes #664.
  Teach Broxygen to more generally reference attribute values by name.
  Fixed a really dumb bug that was causing the malware hash registry script to break.
  Fix Broxygen confusing scoped id at start of line as function parameter.
  Remove remnant of libmagic optionality
 2011-12-16 02:36:43 -08:00
Matthias Vallentin
3ab03874b5 Merge branch 'topic/script-reference' into topic/bif_cleanup 
Conflicts:
	src/bro.bif
 2011-12-15 22:54:52 -08:00
Seth Hall
0b8b14a0ed Fixed major bug with cluster synchronization (it was broken!) 2011-12-15 15:59:51 -05:00
Seth Hall
b66c73baaa Fixed more bugs with delayed emails. 2011-12-15 15:57:42 -05:00
Seth Hall
667dcb251a Working around a problem with setting default container types. 2011-12-15 12:51:14 -05:00
Seth Hall
cb904cec4f Ugh, still major failure. I'm just cutting the timeout handling for now. 2011-12-15 12:46:15 -05:00
Seth Hall
f1f5719f83 Fixed a small bug major problem with email delay timeout catching. 2011-12-15 12:41:05 -05:00
Seth Hall
2d97e25eeb Initial fixes for the problem of async actions with notice email extensions. 2011-12-15 12:27:41 -05:00
Robin Sommer
55c982fa14 Adding Broxygen comments to init-bare.bro. 
I've left a few TODOs in there for protocol-specific fields that I
couldn't directly figure out in their meaning. Feel free to fill in
where you can.
 2011-12-15 06:38:59 -08:00
Jon Siwek
303993254e Add more DPD and packet filter framework docs. 2011-12-14 16:07:36 -06:00
Jon Siwek
d89658c19b Add more signature framework documentation. 2011-12-14 12:50:54 -06:00
Jon Siwek
a543ebbea5 Add more notice framework documentation. 2011-12-14 10:05:52 -06:00
Jon Siwek
86cba4c33f Fix missing action in notice policy for looking up GeoIP data. 2011-12-13 16:17:44 -06:00
Seth Hall
61aa592db5 A few updates for SQL injection detection. 
- The biggest change is the change in notice names from
	HTTP::SQL_Injection_Attack_Against to
	HTTP::SQL_Injection_Victim

- A few new SQL injection attacks in the tests that we need to
  support at some point.
 2011-12-12 14:26:54 -05:00
Matthias Vallentin
3814313b0b Merge branch 'master' into topic/bif_cleanup 2011-12-11 18:47:19 -08:00
Seth Hall
76a0b9ad3c Fixed some DPD signatures for IRC. Fixes ticket #311. 
- The larger issue from ticket 313 still stands.
 2011-12-10 22:33:49 -05:00
Seth Hall
6478b4acaf Removing Off_Port_Protocol_Found notice. 
- Other very small cleanup.
 2011-12-10 00:18:10 -05:00
Seth Hall
00fb187927 SSH::Interesting_Hostname_Login cleanup. Fixes #664. 2011-12-10 00:13:37 -05:00
Bernhard Amann
dcc7fe3c38 start reworking interface of software framework. working apart from detect-webapps.bro, which direcly manipulates a no longer available interface... 2011-12-09 16:47:58 -08:00
Jon Siwek
8e89d78788 Add more cluster and communication framework documentation. 2011-12-09 17:31:47 -06:00
Seth Hall
ec721dffec Added is_orig fields to the SSL events and adapted script. 
- Added a field named $last_alert to the SSL log.  This doesn't even
  indicate the direction the alert was sent, but we need to start somewhere.

- The x509_certificate function has an is_orig field now instead of
  is_server and it's position in the argument list has moved.

- A bit of reorganization and cleanup in the core analyzer.
 2011-12-09 16:56:12 -05:00
Jon Siwek
1f57827e54 Add more logging framework documentation. 2011-12-09 14:30:21 -06:00
Bernhard Amann
0313039977 log protocol in notices. 2011-12-08 14:44:45 -08:00
Bernhard Amann
311cd1b116 after talking to seth - change host_a field in record back to host. 2011-12-08 14:25:46 -08:00
Seth Hall
3391270527 Fixed a really dumb bug that was causing the malware hash registry script to break. 2011-12-08 14:25:52 -05:00
Seth Hall
04e2773d30 Fixed some bugs with capturing data in the base DNS script. 2011-12-08 13:06:45 -05:00
Bernhard Amann
7e3ebc1817 forgotten policy files. 2011-12-07 15:03:36 -08:00
Jon Siwek
5126b65493 Add reporter bif/framework documentation. 2011-12-07 16:54:40 -06:00
Bernhard Amann
707926aaa4 Software framework stores ports for server software. 2011-12-07 12:12:46 -08:00
Jon Siwek
506a42638a Omit loading local-<node>.bro scripts from base cluster framework. 
The loading of these is better handled by BroControl and it seems
odd to load them from a base/ script anyway since they'll contain
site/policy specific code.

Addresses #663
 2011-12-05 13:02:39 -06:00
Robin Sommer
df3ae4b30d Merge remote-tracking branch 'origin/topic/jsiwek/remote-log-peer' 
* origin/topic/jsiwek/remote-log-peer:
  Add a remote_log_peer event which contains an event_peer record param.

Closes #493.
 2011-12-01 16:02:11 -08:00
Jon Siwek
0c8b5a712d Add a remote_log_peer event which contains an event_peer record param. 
Addresses #493.
 2011-12-01 14:07:08 -06:00
Jon Siwek
14c1d2ae1f Remove example redef of SMTP::entity_excerpt_len from local.bro. 2011-12-01 09:31:38 -06:00
Jon Siwek
8d7ca1360f Fix error emitted when loading local.bro in bare mode 
Regarding the redef of SMTP::entity_excerpt_len without having
been previously defined.
 2011-11-30 13:56:30 -06:00
Seth Hall
70004cb04d Small updates to address the "globals" ticket. 
Fixes #633
 2011-11-30 11:35:53 -05:00
Seth Hall
bb47289bfa Some updates to the base DNS script. 
- Answers and TTLs are now vectors.

- The warning that was being generated (dns_reply_seen_after_done)
  from transaction ID reuse is fixed.

- Updated the single failing btest baseline.
 2011-11-30 10:19:41 -05:00
Matthias Vallentin
0325b5ea32 to_port() now parses a string instead of a count. 
Addresses #684.
 2011-11-20 21:41:41 -08:00
Robin Sommer
c35094ea0b Update missing in last commit to this branch. 2011-11-15 16:42:23 -08:00
Robin Sommer
2dc04b2ce5 Merge remote-tracking branch 'origin/master' into topic/robin/pp-alarms 2011-11-15 08:36:44 -08:00
Robin Sommer
fa76330afb Merge remote-tracking branch 'origin/fastpath' 
* origin/fastpath:
  Binary packaging script tweaks.
  More default "weird" tuning for the "SYN_with_data" notice.
  Tiny bugfix for http file extraction along with test.
 2011-11-15 07:53:36 -08:00
Seth Hall
4942767c4d More default "weird" tuning for the "SYN_with_data" notice. 
- I think the default tuning should be that anything not requiring
  a session to be established should use ACTION_LOG_PER_ORIG.

- We need to get some tie-in with the metrics framework in place
  so that we can find when lots of these values are being suppressed.
 2011-11-14 16:12:38 -05:00
Seth Hall
d14349a6f8 Merge remote-tracking branch 'origin/master' into fastpath 2011-11-14 16:06:44 -05:00
Seth Hall
b12d2c768e Tiny bugfix for http file extraction along with test. 2011-11-14 15:24:15 -05:00
Robin Sommer
e0692b898e Merge branch 'master' into topic/robin/pp-alarms 2011-11-03 15:30:41 -07:00
Robin Sommer
41a443677b Merge remote-tracking branch 'origin/fastpath' 
* origin/fastpath:
  No longer write to the PacketFilter::LOG stream if not reading traffic.
 2011-11-03 15:27:23 -07:00
Robin Sommer
c4d6f814ff Tuning the pretty-printed alarms output. 
- Now including the included time range into the subject.

- With some notices, it got confused who's the orginator.
 2011-11-02 18:09:09 -07:00
Seth Hall
507b51c957 No longer write to the PacketFilter::LOG stream if not reading traffic. 2011-11-02 15:09:57 -04:00
Robin Sommer
69b61be0ef Merge branch 'master' of ssh://git.bro-ids.org/bro 
Conflicts:
	scripts/policy/frameworks/control/controller.bro
 2011-10-27 12:41:18 -07:00
Seth Hall
75e470ac9a The control framework no longer sends functions with the configuration_update command. 2011-10-27 15:29:28 -04:00