Commit graph

1565 commits

Author SHA1 Message Date
Seth Hall
00f4751ada Merge remote branch 'origin/master' into topic/policy-scripts-new 2011-06-14 13:02:19 -04:00
Seth Hall
e0e0c99889 Cleaned up the webmail detection.
- Moved webmail detection into the smtp/software script.
- Added an option to detect mail clients based on
  the actual TCP connection the mail was seen being
  transferred over.
2011-06-14 12:47:25 -04:00
Seth Hall
c327144ac0 Extract application server software based on X-Powered-By header. 2011-06-13 21:56:18 -04:00
Jon Siwek
71c2e79202 Merge branch 'master' into fastpath 2011-06-13 20:21:24 -05:00
Robin Sommer
a73fc15659 Merge remote branch 'origin/fastpath' 2011-06-13 18:03:02 -07:00
Robin Sommer
5bd8caa7a0 Merge remote branch 'origin/topic/gregor/rpc'
Note, I haven't gone through the script-level code as that will change
soon anyway.
2011-06-13 17:56:28 -07:00
Jon Siwek
53dc4ef084 Change bro doc mode to write out docs immediately after parsing.
Originally docs were written right after parsing, but it changed to after
the bro_init event happens when I was experimenting with auto-documenting
logging streams by querying the LogMgr after bro_init.  That experiment
dead-ended, and that location is bad for other reasons: the doc framework
may try to access BroObj's that have already been freed.
2011-06-13 19:50:11 -05:00
Seth Hall
08dca169f6 Fixed a problem with accessing the method attribute on an HTTP::Info record.
- Found by Jim Barlow.
2011-06-13 14:30:16 -04:00
Jon Siwek
eb85ae9654 Really, null-terminate full 15-char NetBIOS host names, too. 2011-06-12 08:46:58 -05:00
Seth Hall
c6bf94f276 First commit of intelligence framework.
- Data insertion and querying works.
- A few tests are implemented to show usage scenarios.
2011-06-10 16:52:46 -04:00
Jon Siwek
b4d70a22db Fixed core.load-pkg test w/ diff canonifier instead 2011-06-10 15:07:32 -05:00
Jon Siwek
9e747a040d Revert "Fix core.load-pkg unit test."
This reverts commit 80558a994a.
2011-06-10 15:01:35 -05:00
Jon Siwek
cb89440593 Fix language.wrong-delete-field test by running through abs path canonifier 2011-06-10 14:56:49 -05:00
Jon Siwek
90196b4dc8 Fix bifs.unique_id-rnd test failing because of wc output formatting 2011-06-10 13:27:08 -05:00
Seth Hall
270758267e Updating the default policy script paths for the new scripts organization. 2011-06-10 14:10:56 -04:00
Seth Hall
999b48e801 Tuning fragment storage down to 5 minutes in the default tuning. 2011-06-10 14:09:58 -04:00
Seth Hall
d29ffc759d Added Zimbra to the webmail detection over SMTP. 2011-06-10 14:09:26 -04:00
Jon Siwek
d358ef1e71 Null-terminate the string created by decode_netbios_name BiF.
(initially observed through failures of bifs.netbios-functions unit test)
2011-06-10 12:59:05 -05:00
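The two NetBIOS commits above (the null-terminator fix for the decode_netbios_name BiF, and the follow-up that terminates full 15-character names too) describe a classic C string pitfall: a decoder that writes the NUL only where it trims trailing padding never writes one for a name that uses all 15 characters, and the caller then reads past the buffer. The following is an added illustration and not Bro's own BiF code; it assumes the standard first-level NetBIOS name encoding from RFC 1001 section 14.1 (32 characters 'A'..'P', each pair forming one byte, 15 name bytes padded with spaces plus one suffix byte) and uses the hypothetical name netbios_decode_name so it is not mistaken for the project's function. The terminator is written unconditionally, so the full-length case is covered.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Layout from RFC 1001 section 14.1 (assumed here, not taken from the
 * Bro source): 32 encoded characters carry 16 bytes, of which the first
 * 15 are the name (space padded) and the 16th is the suffix/type byte.
 * The output buffer therefore needs 15 + 1 bytes for a C string. */
#define NETBIOS_NAME_LEN    15
#define NETBIOS_ENCODED_LEN 32
#define NETBIOS_OUT_SIZE    (NETBIOS_NAME_LEN + 1)

/* Hypothetical decoder (illustration only, not the project's BiF).
 * Each output byte is ((hi - 'A') << 4) | (lo - 'A') for one pair of
 * input characters. Trailing space padding is trimmed from the 15 name
 * bytes. Returns the trimmed length (0..15), or -1 on malformed input.
 * out[] is ALWAYS NUL-terminated, including when the name is exactly 15
 * characters long, which is the case the second commit above fixes. */
int netbios_decode_name(const char *enc, size_t enc_len,
                        char out[NETBIOS_OUT_SIZE], unsigned char *suffix)
{
    unsigned char raw[16];
    size_t i, n;

    if (enc == NULL || out == NULL || enc_len != NETBIOS_ENCODED_LEN)
        return -1;

    for (i = 0; i < 16; i++) {
        char hi = enc[2 * i];
        char lo = enc[2 * i + 1];
        /* Only 'A'..'P' are legal nibble characters; reject anything else
         * instead of silently producing garbage bytes. */
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;
        raw[i] = (unsigned char)(((hi - 'A') << 4) | (lo - 'A'));
    }

    /* Trailing spaces are padding, not part of the name. */
    n = NETBIOS_NAME_LEN;
    while (n > 0 && raw[n - 1] == ' ')
        n--;

    memcpy(out, raw, n);
    out[n] = '\0';            /* unconditional: n == 15 must still get a NUL */
    if (suffix != NULL)
        *suffix = raw[15];
    return (int)n;
}

int main(void)
{
    /* Constructed sample inputs: "FRED" (the RFC 1001 example, padded with
     * spaces) and a full 15-character name "ABCDEFGHIJKLMNO" with suffix 0x00. */
    const char *fred = "EGFCEFEE" "CACACACACACA" "CACACACACACA";
    const char *full = "EBECEDEEEFEGEH" "EIEJEKELEMENEOEP" "AA";
    char out[NETBIOS_OUT_SIZE];
    unsigned char sfx;
    int len;

    len = netbios_decode_name(fred, strlen(fred), out, &sfx);
    printf("len=%d name=\"%s\" suffix=0x%02x\n", len, out, sfx);

    len = netbios_decode_name(full, strlen(full), out, &sfx);
    printf("len=%d name=\"%s\" suffix=0x%02x terminated=%s\n",
           len, out, sfx, out[NETBIOS_NAME_LEN] == '\0' ? "yes" : "no");
    return 0;
}
```

The check worth keeping from this: whenever a decoder trims padding and terminates at the trimmed position, test it with an input that has no padding at all, since that is exactly the path where the terminator is otherwise skipped.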
Seth Hall
64c296311c Add a field to the packet-filter log to indicate if it's the initial filter. 2011-06-10 13:48:31 -04:00
Seth Hall
887f5fcb79 Updates to the packet-filter framework.
- Notices are generated in the cases of being unable
  to compile or install a new filter.
- A PacketFilter::install() function is now exported
  so that external scripts can update the packet
  filter.
2011-06-10 13:41:27 -04:00
Jon Siwek
13c90fc732 Fix core.conn-id test on some platforms.
Some versions of `wc` (e.g. MacOS) seem to indent their output
while others don't, causing the baseline diff to fail.
So pipe to sed to get rid of spaces before diffing.
2011-06-10 12:17:10 -05:00
Jon Siwek
80558a994a Fix core.load-pkg unit test.
Removed the test's diff against baseline output that contained absolute
paths so that it will work across systems.  Also don't redirect anything
to stderr so that failure information shows up in btest diagnostic output.
2011-06-10 11:53:51 -05:00
Seth Hall
cbe3dc811e HTTP script updates
- Fixed bug with new sessions accidentally being created
  just after logging which caused a lot of empty records
  to be logged.
- Re-added the HTTP::MD5 notice for when an MD5 sum is
  calculated for HTTP response bodies.
- Fixed bug with extracting value from content-length
  headers.
- Flushing values from md5 sum generation more reliably
  to avoid leaking memory.
2011-06-10 09:25:42 -04:00
Seth Hall
55f4950ebd Removed the dns-passive-replication script. 2011-06-10 08:36:53 -04:00
Seth Hall
e33e047de5 Added the communication framework (remote.bro). 2011-06-10 08:31:42 -04:00
Seth Hall
bc00ce51cb Modifications to packet-filter framework.
- default_pcap_filter now named PacketFilter::default_filter
- default_filter variable exported.
- moved over netstats script for logging packet loss.
2011-06-10 08:31:13 -04:00
Seth Hall
2488088901 Fixing a bug with DCC SEND file extraction (found by Jon) 2011-06-09 23:25:20 -04:00
Seth Hall
cbe761c0ed Fixed the name for the PacketFilter module. 2011-06-09 14:11:32 -04:00
Seth Hall
6516087404 Fixed problem with files not being extracted from DCC SEND commands in IRC. 2011-06-09 13:58:55 -04:00
Seth Hall
ad41c575ef Syslog script-level support.
- Only does logging for now.
2011-06-09 13:14:43 -04:00
Seth Hall
8c71e68c05 Fixed a bug with notices and the conn log.
- Notices that weren't logged were still tagging
  the conn log which was confusing.  Only logged
  notices are now tagged in the conn log.
2011-06-09 12:50:00 -04:00
Seth Hall
31b63295a1 Fixed a bug with SSH analysis.
- SSH connections that appear successful weren't stopped
  from being analyzed for success after the detection.
2011-06-09 12:45:59 -04:00
Seth Hall
31cc124578 Small updates to DPD scripts. 2011-06-09 12:29:26 -04:00
Seth Hall
2a01f1686e New policy directory: policy/tuning
- The all.bro script loads tuning/defaults which is
  commonly applied tuning.
- Other less common tuning can be placed in the tuning/
  directory directly.
2011-06-09 12:28:32 -04:00
Seth Hall
7285bf890e Merge branch 'topic/policy-scripts-new' of ssh://git.bro-ids.org/bro into topic/policy-scripts-new 2011-06-09 12:22:50 -04:00
Seth Hall
0be9f7aa3e Moved and renamed the pcap.bro script to be the packet-filter framework. 2011-06-09 12:22:33 -04:00
Seth Hall
d3d9fedd2c Reshuffling notice declarations to make them exported.
- Notices were not available outside of their namespaces.
2011-06-09 11:59:06 -04:00
Jon Siwek
49c026fc1e Comment tweak: autodoc can't be inside function bodies 2011-06-09 09:46:54 -05:00
Seth Hall
590e6d0360 Fixing some runtime errors in the software framework. 2011-06-08 00:55:42 -04:00
Seth Hall
5058fcc791 Reorganized the Weird file to make values available globally. 2011-06-08 00:42:27 -04:00
Seth Hall
47c6afac8e Slight changes to software detection framework.
- This probably won't fix anything, but I'm checking
  the size of tables a bit more consistently now.
2011-06-08 00:18:42 -04:00
Seth Hall
0778d5e8d5 Updates to the notice framework. 2011-06-08 00:17:54 -04:00
Seth Hall
4ff47db8c1 Fixed small bug with unique_id BiF. 2011-06-08 00:16:58 -04:00
Seth Hall
27f692799f Small but crucial fix for the new unique_id function. 2011-06-07 23:47:39 -04:00
Seth Hall
57531e0769 Merge remote branch 'origin/master' into topic/policy-scripts-new
Conflicts:
	policy/bro.init
	policy/ssl.bro
2011-06-07 23:26:03 -04:00
Seth Hall
29bfc5eff1 Fixed some new bugs with file extraction. 2011-06-07 23:12:49 -04:00
Seth Hall
63efdc89ef Fixes to HTTP scripts based on comments from Jon. 2011-06-07 23:09:31 -04:00
Seth Hall
0c1dac2fce Cleaned up and normalized file extraction across protocols. 2011-06-07 23:08:37 -04:00
Seth Hall
d12dd0f82c Signature script normalization and cleanup. 2011-06-07 23:06:29 -04:00
Seth Hall
e0174f583e Changing empty fields to also use "-" for ascii logging. 2011-06-07 23:05:35 -04:00