Commit graph

6849 commits

Author SHA1 Message Date
Bernhard Amann
1735e33691 Backport crash fix that made it into master with the x509_extension
backport from here.
2014-02-28 02:09:06 -08:00
Bernhard Amann
30860e4226 Merge remote-tracking branch 'origin/master' into topic/bernhard/file-analysis-x509
Conflicts:
	src/analyzer/protocol/ssl/events.bif
	src/analyzer/protocol/ssl/ssl-analyzer.pac
2014-02-28 01:49:16 -08:00
Robin Sommer
ae318c9e27 Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  adjust timings of a few leak tests.
2014-02-27 07:35:06 -08:00
Bernhard Amann
80c319b522 adjust timings of a few leak tests.
Without the longer timeouts, these consistently fail for me
on caddy when doing "make test".
2014-02-26 14:47:40 -08:00
Bernhard Amann
89bc959cb0 Merge remote-tracking branch 'origin/master' into fastpath 2014-02-26 14:17:11 -08:00
Bernhard Amann
3f584a08fd Remove packet sorter. Addresses BIT-700 2014-02-25 19:20:42 -08:00
Bernhard Amann
b3bd509b3f Allow iterating over bif functions with result type vector of any.
This changes the internal type that is used to signal that a vector
is unspecified from any to void.

I tried to verify that the behavior of Bro is still the same. After
a lot of playing around, I think everything still should work as before.

However, it might be good for someone to take a look at this.

addresses BIT-1144
2014-02-25 15:30:29 -08:00
Robin Sommer
91c10d4963 Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  More google tls extensions that are being actively used.
  Remove unused and potentially unsafe function ListVal::IncludedInString
2014-02-25 07:25:05 -08:00
Bernhard Amann
bc75988bd9 More google tls extensions that are being actively used. 2014-02-24 12:56:06 -08:00
Bernhard Amann
09c2491896 Remove unused and potentially unsafe function ListVal::IncludedInString 2014-02-24 08:14:34 -08:00
Robin Sommer
58eb9bbf28 Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  new TLS constants from https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01
  Revert "Correct return type of topk_get_top, addresses BIT-1144"
  Correct return type of topk_get_top, addresses BIT-1144
2014-02-24 07:28:34 -08:00
Bernhard Amann
ca2cdd8861 new TLS constants from https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01 2014-02-21 11:24:03 -08:00
Bernhard Amann
81e561e5de Revert "Correct return type of topk_get_top, addresses BIT-1144"
This reverts commit 0e7d70e219.

Sorry, bad idea.
2014-02-21 11:18:35 -08:00
Bernhard Amann
0e7d70e219 Correct return type of topk_get_top, addresses BIT-1144 2014-02-21 06:05:12 -08:00
Robin Sommer
48568c9e1f Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  New alert from https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
  update 3rdparty submodule (new SQLite version)
2014-02-20 17:31:22 -08:00
Robin Sommer
10d89a4648 Updating submodule(s).
[nomail]
2014-02-20 17:28:01 -08:00
Robin Sommer
f18a75e17d Merge remote-tracking branch 'origin/topic/jsiwek/new-libmagic'
* origin/topic/jsiwek/new-libmagic:
  Update to libmagic version 5.17, address BIT-1136.
2014-02-20 17:27:14 -08:00
Bernhard Amann
18d89d6320 New alert from https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04 2014-02-20 14:38:27 -08:00
Jon Siwek
90026f7196 Update to libmagic version 5.17, address BIT-1136. 2014-02-19 10:32:27 -06:00
Jon Siwek
2636d3aee7 Add memory leak unit test for SNMP. 2014-02-18 15:58:53 -06:00
Jon Siwek
3f008c8f0b Fix compiler nitpicks from new SNMP code. 2014-02-18 15:40:41 -06:00
Jon Siwek
a0c06a957b Add SNMP datagram parsing support.
This supports parsing of SNMPv1 (RFC 1157), SNMPv2 (RFC 1901/3416), and
SNMPv2 (RFC 3412).  An event is raised for each SNMP PDU type, though
there's not currently any event handlers for them and not a default
snmp.log either.  However, simple presence of SNMP is currently visible
now in conn.log service field and known_services.log.
2014-02-18 14:41:32 -06:00
Bernhard Amann
b712d6436c update 3rdparty submodule (new SQLite version) 2014-02-18 02:54:03 -08:00
Robin Sommer
ba81aa4387 Support for MPLS over VLAN.
Patch by Chris Kanich.

BIT-1017 #merged
2014-02-14 12:07:24 -08:00
Robin Sommer
78ab8de60d Merge remote-tracking branch 'origin/topic/vladg/radius'
* origin/topic/vladg/radius:
  Fix a couple memleaks.
  Basic RADIUS functionality implemented.
  Basic RADIUS support - checkpoint
2014-02-14 11:26:13 -08:00
Robin Sommer
4524406899 Merge remote-tracking branch 'origin/topic/vladg/socks_fix'
* origin/topic/vladg/socks_fix:
  Fix misidentification of SOCKS traffic. Traffic that had a certain bytestring would get incorrectly identified as SOCKS. This seemed to happen a lot with DCE/RPC traffic.

Tweaked the error message and added SetSkip() to the "reserved" case
as well.

BIT-1130 #merged
2014-02-14 10:53:49 -08:00
Robin Sommer
7d0fbcd7b7 Merge remote-tracking branch 'origin/topic/jsiwek/dns-perf'
* origin/topic/jsiwek/dns-perf:
  Refactor DNS script's state management to improve performance.

BIT-1133
2014-02-13 16:42:41 -08:00
Jon Siwek
3c95d1d695 Refactor DNS script's state management to improve performance.
The amount of timers involved in DNS::PendingMessage tables'
expiration attributes has a significant performance hit.  Instead the
script now relies solely on maximum thresholds for pending message
quantities to limit amount of accumulated state.  There's a new option,
"DNS::max_pending_query_ids", to limit the number of outstanding messages
across all DNS query IDs ("DNS::max_pending_msgs" still limits number
of outstanding messages for a *given* query ID).
2014-02-13 14:55:45 -06:00
Robin Sommer
eb744fd329 Revert "Expanding the HTTP methods used in the signature to detect HTTP traffic."
This reverts commit 506b26e5ff.

The corresponding patch adding HTTP CONNECT support doesn't work yet
so backing this out until we get that in shape.
2014-02-13 12:49:46 -08:00
Robin Sommer
a57f0ef9a0 Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  Increase timeouts of some unit tests.
  Fix memory leak in modbus analyzer.
  add channel_id tls extension number.
2014-02-13 12:45:02 -08:00
Seth Hall
dd0856a57f HTTP CONNECT proxy support.
- The HTTP analyzer now supports handling HTTP CONNECT proxies
   same as the SOCKS analyzer handles proxying.
2014-02-12 22:38:59 -05:00
Jon Siwek
e844727e73 Increase timeouts of some unit tests. 2014-02-12 17:03:51 -06:00
Jon Siwek
6563b544d8 Fix memory leak in modbus analyzer.
Would happen if there's a 'modbus_read_fifo_queue_response'
event handler.
2014-02-12 17:00:12 -06:00
Robin Sommer
f45bd84f4c Updating submodule(s).
[nomail]
2014-02-11 16:16:49 -08:00
Robin Sommer
39be3828fd Baseline updates for DNS change.
I assume these are expected, and in any case it's DS that's being
tested not DNS. :)
2014-02-11 16:16:09 -08:00
Robin Sommer
857da46344 Merge branch 'master' of git.bro.org:bro 2014-02-11 15:50:51 -08:00
Robin Sommer
64d73d5a2b Updating submodule(s).
[nomail]
2014-02-11 15:41:16 -08:00
Vlad Grigorescu
3cd91f85d7 Merge remote-tracking branch 'origin/master' into topic/vladg/socks_fix 2014-02-11 16:28:48 -05:00
Vlad Grigorescu
80ec40bc93 Merge remote-tracking branch 'origin/master' into topic/vladg/radius 2014-02-11 16:17:40 -05:00
Seth Hall
506b26e5ff Expanding the HTTP methods used in the signature to detect HTTP traffic. 2014-02-11 15:30:22 -05:00
Bernhard Amann
adfe3a0754 add channel_id tls extension number.
This number is not IANA defined, but we see it being
actively used.
2014-02-10 23:56:23 -08:00
Seth Hall
70316a3f14 Merge remote-tracking branch 'origin/topic/jsiwek/dns-improvements'
* origin/topic/jsiwek/dns-improvements:
  Rewrite DNS state tracking which matches queries and replies.
  Change dns.log to include only standard DNS queries.
  Improve DNS analysis.
2014-02-09 23:50:43 -05:00
Robin Sommer
741ae7a368 Updating submodule(s).
[nomail]
2014-02-07 12:51:48 -08:00
Robin Sommer
f11373505d Updating submodule(s).
[nomail]
2014-02-07 10:44:31 -08:00
Robin Sommer
54ba3198f6 Merge remote-tracking branch 'origin/topic/jdopheid/bro_documentation'
* origin/topic/jdopheid/bro_documentation:
  Updates to httpmonitor and mimestats documentation.
  Updates to Logs and Cluster documentation
  Updates to Bro IDS documentation

BIT-1127 #merged
2014-02-07 09:12:44 -08:00
Robin Sommer
2fb9efa294 Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
  Fix x509-extension test sometimes failing.
2014-02-07 08:07:08 -08:00
Robin Sommer
2bbf29681e Updating submodule(s).
[nomail]
2014-02-06 21:07:46 -08:00
Robin Sommer
71df27f9d5 Updating submodule(s).
[nomail]
2014-02-06 20:31:25 -08:00
Robin Sommer
c1f626d4ce Updating submodule(s).
[nomail]
2014-02-06 20:31:02 -08:00
Robin Sommer
a048082e68 Fixing bug in POP3 analyzer.
With certain input the analyzer could end up trying to write to
non-writable memory.
2014-02-06 20:26:40 -08:00