This commit removed functions/events that have been deprecated in Bro
2.6. It also removes the detection code that checks if the old
communication framework is used (since all the functions that are
checked were removed).
Addresses parts of GH-243
The later simply doesn't work well in conjunction with hostname
literals. i.e. "google.com" (without quotes) needs to be resolved
to a set of addresses at parse-time, so if a user wishes to use a
custom resolver, we need that to be configured independently from
the order in which scripts get parsed. Configuring 'dns_resolver'
via scripting "redef" is clearly dependent on parse order.
Note 'dns_resolver' hasn't been in any release version yet, so
I'm removing it outright, no deprecation. The ZEEK_DNS_RESOLVER
environment variable now serves the original purpose.
* All "Broxygen" usages have been replaced in
code, documentation, filenames, etc.
* Sphinx roles/directives like ":bro:see" are now ":zeek:see"
* The "--broxygen" command-line option is now "--zeexygen"
* origin/topic/vern/content-gap-history:
Refined state machine update placement to (1) properly deal with gaps capped by clean FIN handshakes, and (1) fix failure to detect split routing.
added 'g' $history character for content gaps
* is_valid_ip() is now implemented as a BIF instead of in
base/utils/addrs
* The IPv4 and IPv6 regular expressions provided by base/utils/addrs
have been improved/corrected (previously they could possibly match
some invalid IPv4 decimals, or various "zero compressed" IPv6 strings
with too many hextets)
* extract_ip_addresses() should give better results as a result of
the above two points
* 'master' of https://github.com/dnthayer/zeek:
Update tests and baselines due to renaming all scripts
Rename all scripts to have ".zeek" file extension
Update a few tests due to scripts with new file extension
Add test cases to verify new file extension is recognized
Fix the core/load-duplicates.bro test
Update script search logic for new file extension
Remove unnecessary ".bro" from @load directives
DTLS now only outputs protocol violations once it saw something that
looked like a DTLS connection (at least a client hello). Before the
danger that it misinterprets something is too high.
It has a configurable number of invalid packets that it can skip over
(because other protocols might be interleaved with the connection) and a
maximum amount of Protocol violations that it outputs because of wrong
packet versions.
This changes many weird names to move non-static content from the
weird name into the "addl" field to help ensure the total number of
weird names is reasonably bounded. Note the net_weird and flow_weird
events do not have an "addl" parameter, so information may no longer
be available in those cases -- to make it available again we'd need
to either (1) define new events that contain such a parameter, or
(2) change net_weird/flow_weird event signature (which is a breaking
change for user-code at the moment).
Also, the generic handling of binpac exceptions for analyzers which
to not otherwise catch and handle them has been changed from a Weird
to a ProtocolViolation.
Finally, a new "file_weird" event has been added for reporting
weirdness found during file analysis.
* 'smb3-negotiate-response' of https://github.com/mauropalumbo75/zeek:
added test and pcap files for smb 3.1.1 negotiate-response
smb3.1.1 additions to negotiate-response command
I made several modifications:
- Code format, style, naming changes
- For completeness/correctness, I added parsing support for the remaining
context type structures.
- Moved the optional padding before the NegotiateContextList field to
also require the 0x0311 dialect version (some failures in
pre-existing unit tests pointed this out as an issue)
* 'smb3-transform-header' of https://github.com/mauropalumbo75/zeek:
clean up, test and pcap for transform_header added
added smb2-com-transform-header for smb3.x
This introduces the following redefinable string constants, empty by
default:
- InputAscii::path_prefix
- InputBinary::path_prefix
- Intel::path_prefix
When using ASCII or binary reades in the Input/Intel Framework with an
input stream source that does not have an absolute path, these
constants cause Zeek to prefix the resulting paths accordingly. For
example, in the following the location on disk from which Zeek loads
the input becomes "/path/to/input/whitelist.data":
redef InputAscii::path_prefix = "/path/to/input";
event bro_init()
{
Input::add_table([$source="whitelist.data", ...]);
}
These path prefixes can be absolute or relative. When an input stream
source already uses an absolute path, this path is preserved and the
new variables have no effect (i.e., we do not affect configurations
already using absolute paths).
Since the Intel framework builds upon the Input framework, the first
two paths also affect Intel file locations. If this is undesirable,
the Intel::path_prefix variable allows specifying a separate path:
when its value is absolute, the resulting source seen by the Input
framework is absolute, therefore no further changes to the paths
happen.
Essentially, it will now process/parse priority values if they are
there, or else just accept whatever remaining data/text is there as the
syslog message. Reasoning is that there's syslog producers out there
that may have simply forgotten/neglected to send the priority value
and technically won't conform to what the standard says, though we can
infer the intent (some syslog consumers already may do similarly, but
I didn't verify).
* Better parsing/error-checking of VXLAN and encapsulated packet headers
* Add/implement the "vxlan_packet" event
* Add "Tunnel::vxlan_ports" option to tune the set of VXLAN ports to
analyze/decapsulate
* Add "Tunnel::validate_vxlan_checksums" option to allow for tuning of how
checksums associated with the outer UDP header of a possible VXLAN
tunnel are handled
Fixes GH-250
The "orig_fuids", "orig_filenames", "orig_mime_types" http.log fields as
well as their "resp" counterparts are now limited to having
"HTTP::max_files_orig" or "HTTP::max_files_resp" entries, which are 15
by default. The limit can also be ignored case-by-case via the
"HTTP::max_files_policy" hook.
Fixes GH-289
get_conn_transport_proto needs to use sessions->FindConnection and do a
hash lookup to find the connection while get_port_transport_proto just
looks at the port directly.
