* 'ntp-rewrite' of https://github.com/mauropalumbo75/zeek: (25 commits)
update tests baseline
Apply requested changes: - file dpd.sig and TODO comments for signature protocol detection removed - missing doc field filled in events.bif - rename OpCode and ReqCode fields into op_code and req_code respectively - removed unnecessary child method in NTP.h/.cc - main.zeek and ntp-protocol.pac reformatted
minor changes in the documentation
fix some initializations
fix wrong assignment of control key_id/crypto_checksum
code clean up
add extension fields parsing
add extended mac field with 20 byte digest (+4 byte key id)
update tests and add a new one for key_id and mac
fix auth field (key_id and mac) in standard and control msg
remove old NTP record in init-bare.zeek
fix key_id and digest (WIP)
fix wrong Assign with reference_id
add tests for ntp protocol (finished)
add tests for ntp protocol (WIP)
fix problem with time vals
add ntp records to init-bare.zeek
update ntp analyzer to val_mgr
extend and refact script-side of NTP analyzer
extend and refactor several fields
...
SPF response records are identical to TXT records in structure, and
can be parsed and interpreted the same way. However, they have a
different RR type, so they would generate weird events and not be
parsed by Zeek before this change.
Even though they're the same as TXT records from a protocol stance, I
created a new event type (dns_SPF_reply), and call the records out as
SPF in the logs, instead of as TXT records, since the distinction
could be important for detection purposes.
SPF records have been obsoleted, but continue to be seen in the wild.
- file dpd.sig and TODO comments for signature protocol detection removed
- missing doc field filled in events.bif
- rename OpCode and ReqCode fields into op_code and req_code respectively
- removed unnecessary child method in NTP.h/.cc
- main.zeek and ntp-protocol.pac reformatted
* origin/topic/johanna/tls13-details:
Update SSL documentation.
support the newer TLS 1.3 key_share extension.
Include all data of the server-hello random
Parse pre-shared-key extension.
Added a small portability fix for the gmt_unix_time byte-swapping.
* 'rdp_client_security' of https://github.com/neslog/zeek:
Adding comments specific to client security data in record definition.
Cleaning up indentations and return true.
Adding record to init-bare
Adding client_security_data to the analyzer.
I added a unit test.
* "bro_is_terminating" is now "zeek_is_terminating"
* "bro_version" is now "zeek_version"
The old function names still exist for now, but are deprecated.
These are no longer loaded by default due to the performance impact they
cause simply by being loaded (they have event handlers for commonly
generated events) and they aren't generally useful enough to justify it.
The type of the field also changed from "addr" to "string" because the
former cannot represent all possible values of the
Tunnel-Client-Endpoint attribute, which may include FQDNs, not just IP
addresses.
* origin/topic/vlad/rdp_bluekeep:
RDP: Update existing baselines with new client_channels field
RDP: Add parsing and logging of channels requested by the client. Can determine capabilities requested by the client, as well as attacks such as CVE-2019-0708
For backward compatibility when reading values, we first check
the ZEEK-prefixed value, and if not set, then check the corresponding
BRO-prefixed value.
To be more exact: &encrypt, &mergeable, &rotate_interval, &rotate_size
Also removes no longer used redef-able constants:
log_rotate_interval, log_max_size, log_encryption_key
GH-243
The KRB parser allowed for the following types/fields to be left
uninitialized, so an &optional attribute was added to reflect that:
- KRB::Error_Msg
- pvno
- msg_type
- server_time
- service_realm
- service_name
- KRB::KDC_Request
- kdc_options
- service_realm
- till
- nonce
- encryption_types
Usages have also been adapted to perform existence checks.
Broker::subscribe() after Broker::peer() may result in losing messages,
always best to do the reverse order.
Also possibly improved chance of unstable unit test output order.
* origin/topic/robin/gh-239:
Undo a change to btest.cfg from a recent commit
Updating submodule.
Fix zeek-wrapper
Update for renaming BroControl to ZeekControl.
Updating submodule.
GH-239: Rename bro to zeek, bro-config to zeek-config, and bro-path-dev to zeek-path-dev.
* origin/topic/johanna/243:
Fix missing include file on Linux
Deprecations: Update NEWS, and tie up a few loose ends.
Remove support for using &&/|| with patterns.
Remove RemoteSerializer and related code/types.
Remove PersistenceSerializer.
Remove synchrnized and persistent attributes.
