* origin/topic/robin/bit-1641:
Fixing duplicate SSH authentication failure events.
I changed the test slightly; the output of uniq is not stable between
operating systems (on OS-X, it emits a space, on Linux it apparently
emits a tab). I removed the call to uniq - sort by itself is enough to
create a difference if there are duplicate entries.
Addresses BIT-1641
* origin/topic/johanna/fix-analyzer-addition:
DTLS: Use magix constant from rfc5389 for stun detection.
DTLS: Fix binpac bug with DTLSv1.2 client hellos
Forgot to remove debug output.
DTLS: Fix interaction with STUN
Fix the way that child analyzers are added.
BIT-1604 #merged
Now the DTLS analyzer cleanly skips all STUN messages; no warnings
should be logged to dpd.log and parsing should work flawlessly with
intermixed STUN messages.
BIT-1574 #merged
* origin/topic/johanna/imap-starttls:
IMAP: add c++11 header file that gcc complains about.
IMAP: documentation and test updates
also generate an event when starttls is encounterd for imap.
Add support of getting server capabilities to IMAP parser.
Basic IMAP StartTLS analyzer.
This analyzer parses the Remote Frame Buffer
protocol, usually referred to as the 'VNC protocol'.
It supports several dialects (3.3, 3.7, 3.8) and
also handles the Apple Remote Desktop variant.
It will log such facts as client/server versions,
authentication method used, authentication result,
height, width and name of the shared screen.
It also includes two testcases.
Todo: Apple Remote Desktop seems to have some
bytes prepended to the screen name. This is
not interepreted correctly.
There were some cases where the log would be missing a field
or data wouldn't get sent to file analysis. At least some of
this is fixed now and I get confused a bit less when I look
at the logs now.
Also, I made the default handling "FILE" so that things like
FILE_UNKNOWN wouldn't show up in the logs so regularly. It's
technically correct that way, but it doesn't look good and it's
correct as FILE often enough that it make sense to make it the
default I think.
- It works with DCE/RPC over SMB1+2 now.
- Using named pipes in 1+2 and the transaction cmd in SMB1.
- Base scripts based on work by Josh Liburdi.
- New dce_rpc.log. Feedback on how to make this log more compact
and useful would be appreciated.
The server-reported file size was being collected poorly and if
a file name had a number in it, that was reported as the file
size instead of the actual size.
A new test is included to avoid reintroducing the problem.
* 'patch-4' of https://github.com/aeppert/bro:
(BIT-1545) Add "disable_analyzer_after_detection" en lieu of "skip_processing_after_detection"
I also removed the old disable_analyzer_after_detection option
completely - if someone wants that, they can just catch the event
themselves and call skip_further_processing.
I also adjusted the ssh test case to contain conn.log to prevent
re-addition of this problem in the future.
BIT-1545 #merged
* 'master' of https://github.com/marktayl/bro:
Better multi-space separator handling.
Also tweak multi-space separator handline some more and add test-case
triggering the new behavior.
* 'master' of https://github.com/marktayl/bro:
Removed duplicate parameter for IRC "QUIT" event handler.
Also add a test-case that checks the output of the quit
event handler.
The change from #49 made it an error to not have a URI. That however
then led requests with an URI yet no version to abort as well.
Instead, we now check if the token following the method is an "HTTP/"
version identifier. If, so accept that the URI is empty (and trigger
a weird) but otherwise keep processing.
Adding test cases for both HTTP requests without URI and without
version.
The alert in this case is caused by the server name in the SNI not being
recognized by the server, which triggers an alert. Since the server is
an apache, and this might happen reasonably often, the new signature
allows one TLS alert before the server hello is expected.
