Commit graph

9176 commits

Author SHA1 Message Date
Tim Wojtulewicz
68accaa791 Use ntohl instead of manually swapping bytes in extract_XDR_uint32 (Coverity 1375796 and others) 2019-09-16 10:56:41 -07:00
Tim Wojtulewicz
aacd2134fa Add check for null init variable during make_var. (Coverity 1403419) 2019-09-16 10:56:41 -07:00
Tim Wojtulewicz
53c82cc872 Remove dead check in Val::check_and_promote. (Coverity 1401810) 2019-09-16 10:56:41 -07:00
Tim Wojtulewicz
c009cd3289 Handle failure of fcntl in Pipe. (Coverity 1241934, 1241935) 2019-09-16 10:56:41 -07:00
Tim Wojtulewicz
dddba3432f Initialize missing field in File. (Coverity 1057851, 1057852, 1057853) 2019-09-16 10:56:41 -07:00
Tim Wojtulewicz
0140098adb Add null check for results of dynamic_cast in AssignExpr::TypeCheck. Fixes coverity findings 1403416 and 1403417 2019-09-16 10:56:41 -07:00
Tim Wojtulewicz
40d4004453 Add null check when getting key size for List types. Fixes coverity finding 1058242 2019-09-16 10:56:41 -07:00
Jon Siwek
9c8db5f6ca Stop loading scan detection in local.zeek by default 2019-09-16 10:51:50 -07:00
Jon Siwek
0caa30076f Add comments to reassembly classes 2019-09-13 15:23:03 -07:00
Jon Siwek
69d1620374 Use DataBlock value instead of pointer in reassembly map 2019-09-13 14:17:41 -07:00
Jon Siwek
e1e779e90b Remove linked list from reassembly data structures
Everything, including iteration is now done via an std::map
2019-09-13 13:57:32 -07:00
Jon Siwek
9b13825e16 Use an std::map for reassembly DataBlock searches
It's not free and adds some overhead to the common case where it
won't help much, but improves worst case overlap-checking situations.
2019-09-12 18:01:25 -07:00
Jon Siwek
989ae91c94 Refactor Reassembler/DataBlock bookkeeping
At least saves having to store a Reassembler pointer for each DataBlock
2019-09-11 16:25:34 -07:00
Jon Siwek
b19c8fad7a Reorganize reassembly data structures
Started by factoring some details into a new DataBlockList class to at
least make it more clear where modifications occur. More abstractions
likely to happen later as I experiment with alternate data structures
aimed at improving worst-case scenarios.
2019-09-11 16:25:34 -07:00
Jon Siwek
395c685da1 Remove a superfluous reassembler DataBlock member 2019-09-11 16:25:34 -07:00
Robin Sommer
6cedfe81bb Updating submodule(s).
[nomail]
2019-09-09 11:35:19 +00:00
Jon Siwek
506773ba13 Updating submodule(s).
[nomail]
2019-09-06 12:57:24 -07:00
Jon Siwek
cc2ccb7a3c Updating submodule(s).
[nomail]
2019-09-04 19:05:30 -07:00
Jon Siwek
f6f471f4b7 Update Broker include dir search path
Related to https://github.com/zeek/broker/issues/51
2019-09-04 16:29:04 -07:00
Jon Siwek
af5715ec5e Updating submodule(s).
[nomail]
2019-09-04 15:35:57 -07:00
Jon Siwek
c88568db4d Update embedded CAF to 0.17.1 (plus cherry-picked memory leak fix) 2019-09-04 13:42:55 -07:00
Jon Siwek
015464939e Updating submodule(s).
[nomail]
2019-09-04 10:27:26 -07:00
Jon Siwek
30da2f83d0 GH-566: fix cases where ssh_encrypted_packet event wasn't raised
When encrypted data was bundled within the same segment as the NewKeys
message, it wasn't reported via a ssh_encrypted_packet event as
it should have been.
2019-09-03 17:34:24 -07:00
Jon Siwek
d773b6986b Updating submodule(s).
[nomail]
2019-09-03 11:33:22 -07:00
Jon Siwek
655c142d01 Merge branch 'patch-2' of https://github.com/The-Alchemist/zeek
* 'patch-2' of https://github.com/The-Alchemist/zeek:
  fix another minor typo
2019-09-03 10:36:16 -07:00
Jon Siwek
bfa6eb54e8 Merge branch 'patch-1' of https://github.com/The-Alchemist/zeek
* 'patch-1' of https://github.com/The-Alchemist/zeek:
  fix minor typo
2019-09-03 10:34:57 -07:00
Jan Grashoefer
b216e9cbc9 Improve dpd_late_match event generation. 2019-08-30 20:19:24 +02:00
Jan Grashoefer
81b2b21211 Improve logging of speculative service. 2019-08-30 15:16:37 +02:00
Jan Grashoefer
a810365f0e Update test-all-policy script. 2019-08-30 11:30:33 +02:00
The Alchemist
a4e20bb58a fix another minor typo 2019-08-29 16:10:26 -04:00
The Alchemist
a5e4720204 fix minor typo 2019-08-29 16:09:27 -04:00
Jon Siwek
39161e2192 CID 1404734: fix NetSessions::MemoryAllocation() 2019-08-29 13:06:09 -07:00
Jan Grashoefer
788b56a652 Add speculative service script.
The speculative service script handles dpd_late_match events to extend
conn.log with information about potential protocol identifications.
2019-08-29 11:47:04 +02:00
Johanna Amann
bb98559c0d Merge remote-tracking branch 'origin/topic/jsiwek/gh-545-weird-addl'
* origin/topic/jsiwek/gh-545-weird-addl:
  GH-545: add "addl" parameter to flow_weird and net_weird events
2019-08-28 14:27:53 -07:00
Johanna Amann
1dd0b2e292 Merge remote-tracking branch 'origin/topic/jsiwek/gh-554-file-signature-optimizations'
* origin/topic/jsiwek/gh-554-file-signature-optimizations:
  GH-554: don't init PIA endpoint matchers if there's only file-magic
  GH-554: remove use of file magic in protocol-based signature logic
2019-08-28 11:39:13 -07:00
Johanna Amann
ec57894a85 Merge remote-tracking branch 'origin/topic/jsiwek/gh-541-ntlm-fix'
* origin/topic/jsiwek/gh-541-ntlm-fix:
  GH-541: add test cases for NTLM AV Pair sequence handling
  GH-541: fix handling of NTLM AV Pair sequences
2019-08-28 11:33:49 -07:00
Johanna Amann
81dea943d3 Merge remote-tracking branch 'origin/topic/jsiwek/simplify-tag-error-check'
* origin/topic/jsiwek/simplify-tag-error-check:
  Make Tag::Error values constant
  Simplify operator bool()'s used for Tag error checks
2019-08-28 10:58:54 -07:00
Johanna Amann
33958fa3da Merge remote-tracking branch 'origin/topic/jsiwek/unspecified-ip-constants'
* origin/topic/jsiwek/unspecified-ip-constants:
  Add/use unspecified IPAddr constants
2019-08-28 09:17:44 -07:00
Jon Siwek
316e8bb671 GH-554: don't init PIA endpoint matchers if there's only file-magic
The logic for initializing PIA endpoint matchers was previously
skipped if "there's no global rule matcher", and that's only true
when no signature files get loaded.

But when using `zeek -b`, some file-magic signatures still get loaded
by default, so the PIA endpoint matchers still get initialized even
though they don't need to be -- file-magic patterns play no part
in PIA.

For typical use-cases (not using the `-b` flag), this change won't
help any, but we do at least use `-b` often within the test suite.
2019-08-27 16:32:30 -07:00
Jon Siwek
8c9b3bd3ae GH-554: remove use of file magic in protocol-based signature logic
This can be a significant performance/memory improvement since
otherwise the protocol-based rule matching logic ends up superfluously
creating file-matching state per file-matcher per connection/endpoint.
2019-08-27 16:16:39 -07:00
Jon Siwek
289a1e2e8e Merge branch '555-smb3-negotiate-context-fix' of https://github.com/mad/zeek
- Fixed the context list padding to only be used for dialect 0x0311.
  The new test case includes an example where parsing the optional
  padding would fail for another dialect.

* '555-smb3-negotiate-context-fix' of https://github.com/mad/zeek:
  Fix for smb3 negotiate context
2019-08-27 10:08:42 -07:00
Pavel Ershov
de4a83206d Fix for smb3 negotiate context 2019-08-27 12:21:03 +03:00
Jon Siwek
08cdc0871f Merge remote-tracking branch 'origin/topic/timw/main-cleanup'
* origin/topic/timw/main-cleanup:
  main: Properly close down SSL/sqlite at shutdown if net_run never started up
  main: Finish processing program arguments before setting up SSL/sqlite
2019-08-26 14:59:56 -07:00
Tim Wojtulewicz
fa62e5b48c main: Properly close down SSL/sqlite at shutdown if net_run never started up 2019-08-26 10:31:17 -07:00
Tim Wojtulewicz
7edebe179f main: Finish processing program arguments before setting up SSL/sqlite 2019-08-26 10:29:43 -07:00
Jon Siwek
b954767488 GH-541: add test cases for NTLM AV Pair sequence handling 2019-08-26 10:28:46 -07:00
Jon Siwek
13af91febb Make Tag::Error values constant 2019-08-23 16:31:45 -07:00
Jon Siwek
0699b28893 Merge remote-tracking branch 'origin/topic/seth/github-ident-flex'
* origin/topic/seth/github-ident-flex:
  Make github identify our Flex source correctly.
2019-08-23 14:31:51 -07:00
Seth Hall
6268851a68 Make github identify our Flex source correctly. 2019-08-23 14:27:06 -04:00
Jon Siwek
b41e102a7c Simplify operator bool()'s used for Tag error checks 2019-08-23 11:31:18 -04:00