Jon Siwek
58a9162ce7
Add NEWS items related to file analysis changes.
2015-01-05 16:57:24 -06:00
Jon Siwek
138438b88e
Merge branch 'master' into topic/jsiwek/file-reassembly-merge
Conflicts:
testing/btest/Baseline/plugins.hooks/output
2015-01-05 15:50:36 -06:00
Jon Siwek
1971d25a5c
Fix race condition in unified2 file analyzer startup.
Retrieval of extended alert information from sid-msg.map, gen-msg.map,
and classification.config files uses Bro's input framework, but since
the unified2 file analyzer also relies on the input framework,
coordination is needed to start analysis only after extended info has
been read at least once.
2015-01-05 15:38:04 -06:00
Jon Siwek
a3d78cc830
Revert "Workaround race condition in unified2 file module."
This reverts commit 1a03a95f35.
2015-01-05 14:51:58 -06:00
Robin Sommer
494545f1eb
Updating submodule(s).
[nomail]
2014-12-31 09:39:35 -08:00
Robin Sommer
bd8893f0d0
Changing Makefile's test-all to run test-all for broctl.
2014-12-31 09:19:09 -08:00
Robin Sommer
9af5fb1302
Updating submodule(s).
[nomail]
2014-12-31 09:14:55 -08:00
Robin Sommer
055e5c69f3
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
Correct a typo in the Notice framework doc
2014-12-31 09:06:24 -08:00
Vlad Grigorescu
727eada9ac
Move SSH analyzer to new plugin architecture.
2014-12-27 17:46:42 -06:00
Vlad Grigorescu
fa98aee0a7
Merge remote-tracking branch 'origin/master' into topic/vladg/ssh
Conflicts:
src/analyzer/protocol/CMakeLists.txt
src/analyzer/protocol/ssh/Plugin.cc
src/analyzer/protocol/ssh/SSH.h
2014-12-27 17:22:26 -06:00
Vlad Grigorescu
3ed6dd5585
A bit of code cleanup.
2014-12-27 17:19:43 -06:00
Daniel Thayer
15ec117da6
Correct a typo in the Notice framework doc
2014-12-18 11:57:32 -06:00
Jon Siwek
1a03a95f35
Workaround race condition in unified2 file module.
This makes the unit test pass consistently, but need to see about
fixing it in the unified2 file module directly.
2014-12-17 09:57:06 -06:00
Jon Siwek
6941538f81
Fix reference counting bug in refactored file reassembly code.
2014-12-16 20:58:27 -06:00
Jon Siwek
f6257618e5
Change file extraction to explicitly NUL-fill gaps
Instead of expecting pwrite to do it.
2014-12-16 20:56:15 -06:00
Jon Siwek
cbbe7b52dc
Review/fix/change file reassembly functionality.
- Re-arrange how some fa_file fields (e.g. source, connection info, mime
type) get updated/set for consistency.
- Add more robust mechanisms for flushing the reassembly buffer.
The goal being to report all gaps and deliveries to file analyzers
regardless of the state of the reassembly buffer at the time it has to
be flushed.
2014-12-16 14:05:15 -06:00
Jon Siwek
edaf7edc11
Merge remote-tracking branch 'origin/topic/seth/files-reassembly-and-mime-updates' into topic/jsiwek/file-reassembly-merge
Conflicts:
testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
2014-12-15 10:33:09 -06:00
Robin Sommer
6f2b8cbe78
Merge remote-tracking branch 'origin/topic/jsiwek/bit-1298'
* origin/topic/jsiwek/bit-1298:
Change IP_Hdr copy ctor/assign to explicit method
Fix PIA packet replay to deliver copy of IP header
BIT-1298 #merged
2014-12-12 12:44:53 -08:00
Jon Siwek
d31b556b85
Change IP_Hdr copy ctor/assign to explicit method
Addresses BIT-1298
2014-12-12 14:14:24 -06:00
Robin Sommer
15cc08c940
Updating submodule(s).
[nomail]
2014-12-12 10:50:05 -08:00
Jon Siwek
c211a2c91a
Fix PIA packet replay to deliver copy of IP header
This prevented one from writing a packet-wise analyzer that needs access
to IP headers and can be attached to a connection via signature match.
None of the analyzers currently shipping are affected. And maybe it's
unlikely there will be many that ever would be, but it's awkward for the
API to omit IP headers in this special case (i.e. packets buffer for use
with DPD signature matching).
Addresses BIT-1298
2014-12-10 15:12:38 -06:00
Robin Sommer
69724c5e1f
Updating submodule(s).
[nomail]
2014-12-08 13:57:08 -08:00
Robin Sommer
b40b3ef158
Merge remote-tracking branch 'origin/topic/dnthayer/ticket856'
* origin/topic/dnthayer/ticket856:
Improve man page for Bro
Add man page for Bro
BIT-856 #merged
2014-12-08 13:56:52 -08:00
Daniel Thayer
0a7d96dec3
Improve man page for Bro
2014-12-04 23:46:03 -06:00
Robin Sommer
665e6b00f1
Updating doc baselines.
2014-12-04 09:05:38 -08:00
Robin Sommer
a4e45dca80
Merge remote-tracking branch 'origin/topic/jsiwek/bit-1295'
* origin/topic/jsiwek/bit-1295:
Fix compound assignment to require proper L-value.
BIT-1295 #merged
2014-12-03 14:22:36 -08:00
Robin Sommer
bb7d94d9c5
Merge remote-tracking branch 'origin/topic/jsiwek/bit-1296'
* origin/topic/jsiwek/bit-1296:
Make using local IDs in @if directives an error.
BIT-1296 #merged
2014-12-03 14:14:23 -08:00
Robin Sommer
19d9a8bfa2
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
Fix some "make doc" warnings and update some doc tests
2014-12-03 14:10:49 -08:00
Jon Siwek
cdbe459f20
Make using local IDs in @if directives an error.
Addresses BIT-1296.
2014-12-02 12:30:46 -06:00
Jon Siwek
3f590859bb
Fix compound assignment to require proper L-value.
Allows for catching more invalid assignments at parse-time instead of
aborting at runtime after realizing an assignment won't work.
Addresses BIT-1295.
2014-12-02 10:12:48 -06:00
Seth Hall
379593c7fd
Merge branch 'patch-1' of https://github.com/mpurzynski/bro
- Adds version detection for Windows 10.
2014-12-02 08:14:29 -05:00
Daniel Thayer
cc7286b628
Fix some "make doc" warnings and update some doc tests
2014-12-01 22:43:17 -06:00
Daniel Thayer
e4c9c58b9e
Add man page for Bro
2014-12-01 20:58:37 -06:00
Jon Siwek
fe9e7d015e
Update submodules/changes/version.
2014-12-01 12:17:34 -06:00
Jon Siwek
20ddf1e62f
Merge branch 'master' of https://github.com/hillu/bro
* 'master' of https://github.com/hillu/bro:
BIFScanner: Make filename->symbol transformation more robust
2014-12-01 12:08:07 -06:00
Jon Siwek
0a6b102e25
Merge remote-tracking branch 'origin/topic/johanna/ticket-1294'
* origin/topic/johanna/ticket-1294:
Do not change global event parameters in exec.bro
BIT-1294 #close
2014-12-01 11:01:19 -06:00
Raúl Benencia
127a61597e
Add/invoke "distclean" for testing directories.
BIT-1292 #close
2014-12-01 10:43:41 -06:00
Jon Siwek
b0383c22d6
Delete prebuilt python bytecode files from git.
BIT-1291 #close
2014-12-01 10:21:41 -06:00
Michal Purzynski
ebb2240e97
Update windows-version-detection.bro
2014-11-27 19:41:20 +01:00
Johanna Amann
5836feb64d
Do not change global event parameters in exec.bro
Addresses BIT-1294
2014-11-27 10:00:48 -08:00
Hilko Bengen
fc71572aad
BIFScanner: Make filename->symbol transformation more robust
When trying to build bro from a path that contained a plus sign, an
invalid symbol name for the #ifdef guard was generated.
2014-11-26 20:55:22 +01:00
Seth Hall
d17aedcc44
Merge remote-tracking branch 'origin/topic/vladg/cryptoapi'
* origin/topic/vladg/cryptoapi:
Add Windows detection based on CryptoAPI HTTP traffic as a software framework policy script.
2014-11-26 12:20:05 -05:00
Robin Sommer
071834b948
Merge remote-tracking branch 'origin/topic/johanna/ssl-fail-earlier'
BIT-1293 #merged
* origin/topic/johanna/ssl-fail-earlier:
and just to be safe - also require the &if check in binpac
make the SSL analyzer skip further processing once encountering situations which are very probably non-recoverable.
2014-11-25 17:35:49 -08:00
Johanna Amann
d87476b403
and just to be safe - also require the &if check in binpac
2014-11-25 15:01:12 -08:00
Johanna Amann
529668670a
make the SSL analyzer skip further processing once encountering situations which are very probably non-recoverable.
Current behavior could lead to us jumping in in the middle of an old
443 stream and interpreting some data as ssl before failing again.
2014-11-25 14:57:10 -08:00
Robin Sommer
977446e7ee
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
make sslv2 protocol tests more strict - in its current state they triggered on http traffic over port 443 sometimes.
Fix x509 analyzer to correctly return ecdsa as the key_type for ecdsa certs.
2014-11-25 14:28:10 -08:00
Johanna Amann
1e2ba6ebfb
make sslv2 protocol tests more strict - in its current state they triggered on http traffic over port 443 sometimes.
Sorry, no test because that specific traffic is a tad hard to get.
Found by Michał Purzyński.
2014-11-25 13:11:06 -08:00
Johanna Amann
cd21b7f130
Fix x509 analyzer to correctly return ecdsa as the key_type for ecdsa certs.
Returned dsa so far.
Bug found by Michał Purzyński
2014-11-25 11:18:07 -08:00
Gilbert Clark
cda7c93704
More small fixes
2014-11-24 16:35:26 -05:00
Gilbert Clark
616ed22572
Small fixes
2014-11-24 16:30:12 -05:00