Tim Wojtulewicz
e3763df065
DNS_Mgr: Remove processing of dns aliases in general
2024-11-08 12:45:51 -07:00
Arne Welzel
346a9233da
Merge remote-tracking branch 'origin/topic/vern/zam-any-coerce-leak'
...
* origin/topic/vern/zam-any-coerce-leak:
Fixed ZAM memory leak when coercing values to "any"
2024-11-08 18:36:34 +01:00
Arne Welzel
cb679e4d7a
policy/community-id: Populate conn$community_id in new_connection()
...
This wasn't possible before #3028 was fixed, but now it's safe to set
the value in new_connection() and allow other users access to the
field much earlier. We do not have to deal with connection_flipped()
because the community-id hash is symmetric.
2024-11-08 18:19:55 +01:00
Arne Welzel
3f4de778ae
ci: Add dnsmasq to a few platforms for testing
2024-11-08 09:50:35 -07:00
Arne Welzel
0a7c9365be
ci: Remove -b from test_script lines for zam tasks
...
Better for monitoring process.
2024-11-08 17:13:49 +01:00
Arne Welzel
4f8ef3c792
Merge remote-tracking branch 'origin/topic/vern/zam-degenerate-CFT-propagation'
...
* origin/topic/vern/zam-degenerate-CFT-propagation:
fixes for ZAM's propagation of control flow information for some degenerate constructs
2024-11-08 15:35:08 +01:00
Vern Paxson
148215aa87
fixes for ZAM's propagation of control flow information for some degenerate constructs
2024-11-08 15:34:21 +01:00
Arne Welzel
bc75b1811d
Merge remote-tracking branch 'origin/topic/vern/zam-vector-loop-leak'
...
* origin/topic/vern/zam-vector-loop-leak:
fixed ZAM memory leak when looping over vectors of records
2024-11-08 15:32:57 +01:00
Arne Welzel
8613f821f9
Merge remote-tracking branch 'origin/topic/vern/cat-builtin-tmp'
...
* origin/topic/vern/cat-builtin-tmp:
fixed access to uninitialized memory in ZAM's "cat" built-in
2024-11-08 15:23:00 +01:00
Arne Welzel
8945b2b186
Merge remote-tracking branch 'origin/topic/awelzel/asan-zam-ci'
...
* origin/topic/awelzel/asan-zam-ci:
ci: Add asan and ubsan sanitizer tasks for ZAM
2024-11-08 15:22:26 +01:00
Arne Welzel
6f9eec6c33
ci: Add asan and ubsan sanitizer tasks for ZAM
...
Closes #3906
2024-11-08 15:17:03 +01:00
Robin Sommer
d57c125942
Spicy: Improve error messages reporting malformed unit names in EVT files.
2024-11-08 13:44:09 +01:00
Robin Sommer
2d935d9668
Spicy:: Remove unhelpful assertion.
...
In cases of a malformed event definition, this could fire instead of a
more helpful error message coming later.
Closes #3988.
2024-11-08 12:54:14 +01:00
Robin Sommer
9e1592d5c4
Spicy: Do not raise an analyzer error when a connection is missing a regular tear-down.
...
So far, when Zeek didn't see a connection's regular tear-down (e.g.,
because its state timed-out before we got to the end), we'd still
signal a regular end-of-data to Spicy parsers. As a result, they would
then typically raise a parse error because they were probably still
expecting data and would now declare it missing. That's not very
useful because semantically it's not really a protocol issue if the
data just doesn't make it over to us; it's a transport-layer issue
that Zeek already handles elsewhere. So we now switch to signaling
end-of-data to Spicy analyzers only if the connection indeed shuts
down regularly. This also matches how BinPAC handles it.
This also comes with a test exercising various combinations of
end-of-data behavior so that we ensure consistent/desired behavior.
Closes #4007.
2024-11-08 12:20:29 +01:00
Arne Welzel
5859a7e28c
DNS_Mgr: Fix aliases memory issues
2024-11-08 11:29:40 +01:00
Arne Welzel
f3fbe45c4c
btest: Add integration test for DNS_Mgr
...
This makes use of an ephemeral dnsmasq instance
2024-11-08 11:29:31 +01:00
Vern Paxson
6c2b2819c7
fixed access to uninitialized memory in ZAM's "cat" built-in
2024-11-07 17:13:22 -08:00
Vern Paxson
cf1de7e6b7
Fixed ZAM memory leak when coercing values to "any"
2024-11-07 08:28:34 -08:00
Tim Wojtulewicz
b8b14537a9
diff-remove-abspath: Add separate handling of Windows paths
2024-11-06 16:06:17 -07:00
Tim Wojtulewicz
9cc7b05064
diff-remove-abspath: Remove capture of windows drive letters from POSIX regex
2024-11-06 16:05:08 -07:00
Tim Wojtulewicz
d95057d618
DNS_Mgr: Remove usage of ares_getsock from Lookup
2024-11-06 16:01:04 -07:00
Tim Wojtulewicz
6739fca645
DNS_Mgr: Remove usage of ares_getsock from GetNextTimeout
2024-11-06 16:01:04 -07:00
Tim Wojtulewicz
16474ed77f
DNS_Mgr: Switch to ares_set_servers_csv
2024-11-06 16:01:04 -07:00
Tim Wojtulewicz
65a59419b0
DNS_Mgr: Use ares_dns_record methods for queries
2024-11-06 16:01:04 -07:00
Tim Wojtulewicz
b52a8ed9e2
Update vcpkg submodule to pick up c-ares v1.34.2
2024-11-06 16:01:04 -07:00
Tim Wojtulewicz
da495400ca
Update c-ares submodule to v1.34.2
2024-11-06 16:00:48 -07:00
Vern Paxson
04ff5bead9
fixed ZAM memory leak when looping over vectors of records
2024-11-06 08:25:40 -08:00
Arne Welzel
219d621234
netcontrol: Replace Broker::auto_publish()
...
I'd think we could drop the cluster.zeek and non-cluster.zeek and
just unconditionally do the publish(), but keeping it for now.
2024-11-06 15:27:48 +01:00
Arne Welzel
93478a246e
intel: Switch to Cluster::publish()
...
This isn't quite making things a lot nicer, but more explicit.
2024-11-06 15:27:48 +01:00
Arne Welzel
91c03cd988
broker: Support publish() of unspecified set() / table()
...
Calling Broker::make_event(..., table()) or Broker::publish(..., table())
caused runtime type errors as same_type() would result in false.
2024-11-06 15:27:26 +01:00
Arne Welzel
189565d131
types: Fix table() resulting in table_type->IsSet() == true
...
typename(table()) apparently always resulted in a set[] type
being rendered. Make the yield type of an unspecified table
ANY so that type->IsSet() ends up false.
While at it, also render unspecified types as table(), set() and
vector() rather than vector of void, set[] or table[] of any which
IMO should help to figure out what's going on.
2024-11-06 13:28:57 +01:00
Benjamin Bannier
e4dbba20a4
Merge remote-tracking branch 'origin/topic/bbannier/bump-spicy'
2024-11-06 11:57:01 +01:00
Benjamin Bannier
f57955321e
Make Spicy hook execution order deterministic in test
2024-11-06 09:42:33 +01:00
Benjamin Bannier
f47a089576
Bump auxil/spicy to latest development snapshot
2024-11-06 09:26:00 +01:00
Benjamin Bannier
2e8d6e86e7
Merge remote-tracking branch 'origin/topic/bbannier/spicy-cookie-nullptr-deref'
2024-11-05 17:39:12 +01:00
Benjamin Bannier
93c201df57
Fix potential nullptr deref in Spicy plugin runtime
...
If we added a file but the other side of the connection had already run
into a protocol violation and shut down we could previously have
dereferenced a null cookie. This patch fixes the code so it now throws
in such scenarios.
2024-11-05 16:48:35 +01:00
Benjamin Bannier
0028ba320d
Assume no Spicy cookie in most places
...
We would previously assert that it was available which could have led
to aborts since when the analyzer for either side of a connection shuts
down the connection cookie could get cleared and become nil. This patch
reworks the code slightly so we now never assume it is available. We do
this by either throwing or by making the whole operation requesting the
cookie a noop.
2024-11-05 16:48:35 +01:00
Arne Welzel
a3a0155825
Merge remote-tracking branch 'origin/topic/awelzel/sqli-test-followup'
...
* origin/topic/awelzel/sqli-test-followup:
btest: Add detect-sqli test script
2024-11-04 19:35:34 +01:00
Arne Welzel
c171d9e8c2
Merge remote-tracking branch 'origin/topic/vern/canonicalize-std-string'
...
* origin/topic/vern/canonicalize-std-string:
switched CPPCompile::Canonicalize() to take std::string instead of const char*
2024-11-04 18:47:18 +01:00
Arne Welzel
b69222d5f6
btest: Add detect-sqli test script
...
...I added the baselines during the merge, just not the test itself.
2024-11-04 18:42:55 +01:00
Vern Paxson
519fec2592
switched CPPCompile::Canonicalize() to take std::string instead of const char*
2024-11-04 08:22:37 -08:00
Arne Welzel
8935dc9ed4
Merge remote-tracking branch 'origin/topic/vern/script-opt-fnv1a64'
...
* origin/topic/vern/script-opt-fnv1a64:
minor ZAM BTest updates for recently added fnv1a64 BiF
2024-11-04 16:33:21 +01:00
Arne Welzel
db497d1da7
Merge remote-tracking branch 'origin/topic/awelzel/pattern-matches-rework'
...
* origin/topic/awelzel/pattern-matches-rework:
RuleMatcher: Use a single list for tracking pattern_matches
ZeekString: Implement move constructor
2024-11-04 16:32:48 +01:00
Arne Welzel
e443624c32
RuleMatcher: Use a single list for tracking pattern_matches
2024-11-04 16:17:49 +01:00
Arne Welzel
0ecbd4435e
ZeekString: Implement move constructor
2024-11-04 16:17:47 +01:00
Benjamin Bannier
8fc5b7fcda
Merge remote-tracking branch 'origin/topic/bbannier/bump-spicy-format'
2024-11-04 09:43:28 +01:00
Benjamin Bannier
b829b2165e
Bump and reenable spicy-format pre-commit hook
2024-11-04 07:25:44 +01:00
Vern Paxson
d5c820d2c5
minor ZAM BTest updates for recently added fnv1a64 BiF
2024-11-03 14:05:19 -08:00
Johanna Amann
84d8e74884
Merge remote-tracking branch 'origin/topic/johanna/snap-tcp-test'
...
* origin/topic/johanna/snap-tcp-test:
Add test for TCP over 802.3/SNAP
2024-10-31 16:17:31 +00:00
Johanna Amann
807bb142a7
Add test for TCP over 802.3/SNAP
...
This admittedly is a quite esoteric combination of protocols. But - as
we do correctly support them, it seems nice to have a slightly more
complete testcase that covers this.
2024-10-31 14:37:44 +00:00