Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
1759 commits 386 branches 195 tags 256 MiB
Commit graph

165 commits

Author SHA1 Message Date
Robin Sommer
55c982fa14 Adding Broxygen comments to init-bare.bro. 
I've left a few TODOs in there for protocol-specific fields that I
couldn't directly figure out in their meaning. Feel free to fill in
where you can.
 2011-12-15 06:38:59 -08:00
Jon Siwek
303993254e Add more DPD and packet filter framework docs. 2011-12-14 16:07:36 -06:00
Jon Siwek
d89658c19b Add more signature framework documentation. 2011-12-14 12:50:54 -06:00
Jon Siwek
a543ebbea5 Add more notice framework documentation. 2011-12-14 10:05:52 -06:00
Jon Siwek
8e89d78788 Add more cluster and communication framework documentation. 2011-12-09 17:31:47 -06:00
Jon Siwek
1f57827e54 Add more logging framework documentation. 2011-12-09 14:30:21 -06:00
Jon Siwek
5126b65493 Add reporter bif/framework documentation. 2011-12-07 16:54:40 -06:00
Jon Siwek
506a42638a Omit loading local-<node>.bro scripts from base cluster framework. 
The loading of these is better handled by BroControl and it seems
odd to load them from a base/ script anyway since they'll contain
site/policy specific code.

Addresses #663
 2011-12-05 13:02:39 -06:00
Robin Sommer
df3ae4b30d Merge remote-tracking branch 'origin/topic/jsiwek/remote-log-peer' 
* origin/topic/jsiwek/remote-log-peer:
  Add a remote_log_peer event which contains an event_peer record param.

Closes #493.
 2011-12-01 16:02:11 -08:00
Jon Siwek
0c8b5a712d Add a remote_log_peer event which contains an event_peer record param. 
Addresses #493.
 2011-12-01 14:07:08 -06:00
Seth Hall
70004cb04d Small updates to address the "globals" ticket. 
Fixes #633
 2011-11-30 11:35:53 -05:00
Robin Sommer
fa76330afb Merge remote-tracking branch 'origin/fastpath' 
* origin/fastpath:
  Binary packaging script tweaks.
  More default "weird" tuning for the "SYN_with_data" notice.
  Tiny bugfix for http file extraction along with test.
 2011-11-15 07:53:36 -08:00
Seth Hall
4942767c4d More default "weird" tuning for the "SYN_with_data" notice. 
- I think the default tuning should be that anything not requiring
  a session to be established should use ACTION_LOG_PER_ORIG.

- We need to get some tie-in with the metrics framework in place
  so that we can find when lots of these values are being suppressed.
 2011-11-14 16:12:38 -05:00
Seth Hall
d14349a6f8 Merge remote-tracking branch 'origin/master' into fastpath 2011-11-14 16:06:44 -05:00
Seth Hall
b12d2c768e Tiny bugfix for http file extraction along with test. 2011-11-14 15:24:15 -05:00
Robin Sommer
41a443677b Merge remote-tracking branch 'origin/fastpath' 
* origin/fastpath:
  No longer write to the PacketFilter::LOG stream if not reading traffic.
 2011-11-03 15:27:23 -07:00
Seth Hall
507b51c957 No longer write to the PacketFilter::LOG stream if not reading traffic. 2011-11-02 15:09:57 -04:00
Seth Hall
ae3ae9a75b Awful fix for SSH login detection. 
- We need a counted measure of payload bytes (not ack tracking and
  not with the IP header which is what we have now).
 2011-10-27 09:41:34 -04:00
Robin Sommer
f3ed235ba7 Tuning the format of the pretty-printed alarm summaries. 
Turns out the old format doesn't work well with the new scripts.
 2011-10-26 21:12:16 -07:00
Robin Sommer
5b79d2b15f Baseline updates. 
Also a small tweak to the genDocSourcesList.sh as I was seein
non-consistent output order.
 2011-10-26 15:27:03 -07:00
Robin Sommer
ec2a8d7904 Merge remote-tracking branch 'origin/topic/robin/pp-alarms' 
* origin/topic/robin/pp-alarms:
  Removing debugging code.
  Now actually pretty-printing the notices.
  Small fixes, and new option to specify a different dest address.
  A new notice script that pretty-prints alarms in the summary email.
  Adding a dummy log writer WRITER_NONE that just discards everything.
 2011-10-26 14:44:46 -07:00
Robin Sommer
314e9c41f9 Removing debugging code. 2011-10-26 14:39:07 -07:00
Robin Sommer
eb6313adcb Now actually pretty-printing the notices. 
Output is similar to Bro 1.x.
 2011-10-26 13:42:42 -07:00
Robin Sommer
39ed489028 Small fixes, and new option to specify a different dest address. 2011-10-26 11:12:50 -07:00
Robin Sommer
73d5643302 A new notice script that pretty-prints alarms in the summary email. 
It works already, but the actual pretty-printing is still missing.
 2011-10-26 10:40:12 -07:00
Jon Siwek
55978d1c18 Changed generated root cert DN format for RFC2253 compliance. 2011-10-25 11:09:31 -05:00
Seth Hall
b2323305f8 Adding sub messages to emails. 2011-10-25 11:36:24 -04:00
Seth Hall
4753f2aeca Adding extra fields to smtp and http to track transaction depth. 
- This will for help linking in analysis scripts and databases later.

- Test baseline updates coming in a few minutes.
 2011-10-25 11:34:48 -04:00
Seth Hall
2131468b08 Merging this branch. It's working better than the existing code. 2011-10-25 11:17:19 -04:00
Seth Hall
dcc8d8456a Removed some fields from http analysis that weren't commonly needed or were wrong. 2011-10-25 09:32:31 -04:00
Seth Hall
320739e183 Updated/fixed MSIE version parsing in the software framework. 2011-10-25 09:30:06 -04:00
Jon Siwek
522e0e4d46 Update Mozilla trust roots to index certs by subject distinguished name. 2011-10-25 07:52:24 -05:00
Seth Hall
e6a8489780 Testing a fix for SSH login detection heuristic. 2011-10-25 00:01:04 -04:00
Seth Hall
7f838b6181 Merge branch 'topic/seth/weird-updates' 2011-10-24 23:47:31 -04:00
Seth Hall
ff51068598 Fixing a bug with handling downgrade from weird conn to orig. 2011-10-22 01:13:15 -04:00
Seth Hall
7746f5b223 Final notice email tuning. 2011-10-21 23:08:56 -04:00
Seth Hall
0e79ec46b6 More notice email tuning. 2011-10-21 22:58:44 -04:00
Seth Hall
75e5caeff5 Attempt to make hostname notice email extension work and small format adjustments. 2011-10-21 22:51:56 -04:00
Seth Hall
74240610c5 Fixed a problem with sending notice emails I introduced earlier. 2011-10-21 22:41:43 -04:00
Seth Hall
29bace02b2 More small weird refinements to reduce overload attacks. 2011-10-21 14:31:40 -04:00
Seth Hall
0cdcf490d6 Restoring former default weird behavior for unsolicited_SYN_response. 2011-10-21 14:17:54 -04:00
Seth Hall
f0b32b21ee weird.bro rewrite. 
- I want to test it for a short while before committing it to
  master just to make sure it is a sane modification.
 2011-10-21 14:08:54 -04:00
Seth Hall
8b56c54348 Slightly restructured http file hashing to fix a bug. 2011-10-21 14:03:31 -04:00
Seth Hall
3900d88e60 Field name change to notice framwork. $result -> $action 
- $result is renamed to $action to reflect changes to the notice framework
  since there is already another result-like field ($suppress_for) and
  there may be more in the future.

- Slipped in a change to add connection information to notice emails too.
 2011-10-21 14:01:39 -04:00
Seth Hall
8661abe9d9 Small script refinements and documentation updates. 2011-10-21 13:58:58 -04:00
Seth Hall
0803df2e14 Changed communication option from listen_encrypted to listen_ssl. 
- Robin pointed out that SSL is providing authentication
  as well as encryption so listen_ssl is a more
  proper variable name.
 2011-10-07 23:57:08 -04:00
Seth Hall
6d67f7830d Added to the likely_server_ports set for protocols with analyzers. 
- Updated some tests since Bro is getting the direction
  correct now.

- Updated BPF filter test since I added a few ports to IRC
  as well.
 2011-10-07 13:44:28 -04:00
Seth Hall
686946d0dd Internal simplication for FTP analysis scripts. 2011-10-07 13:36:02 -04:00
Seth Hall
8600b676e6 Fixed a TODO in the DNS analysis script. 2011-10-07 13:32:44 -04:00
Seth Hall
acc4d6ccd3 Removed unused script code from init-bare.bro 2011-10-07 13:31:28 -04:00