Commit graph

19002 commits

Author SHA1 Message Date
Christian Kreibich
a040f550f4 NEWS updates for pluggable connection tuples. 2025-06-25 13:19:26 +02:00
Christian Kreibich
29b0f844c0 Add a VLAN-aware flow tuple implementation.
This is a first "real" implementation of a custom tuple, adding additional
fields over the standard five-tuple.

Includes test cases.
2025-06-25 13:19:26 +02:00
Christian Kreibich
a5122b5032 Deprecate ConnTuple and related APIs.
Given IP-aware ConnKeys, ConnTuples aren't really required any more. ConnTuple
had two benefits:

- It preserved the original src/dst orientation from the packet headers it was
based on, which IPBasedConnKey now tracks and provides accessor methods for.

- In IPBasedAnalyzer::AnalyzePacket() its instance survived past the std::move()
of the key into NewConn(), which we sidestep by keeping the original src address
and port around until we need them after the connection is obtained.
2025-06-25 13:19:26 +02:00
Christian Kreibich
7548dc9e96 Deprecate the old Connection constructor and detail::ConnKey class.
The new key-based Connection constructor replaces the former, and the new
ConnKey class tree replaces the latter.
2025-06-25 13:19:26 +02:00
Christian Kreibich
52d6228b06 Switch to virtualized use of new zeek::ConnKey class tree
This touches quite a few places, but each just swaps out existing
APIs and/or zeek::detail::ConnKey instances.
2025-06-25 13:19:26 +02:00
Christian Kreibich
b8f82ff659 Provide a connkey factory for Zeek's default five-tuples.
Since the base factory is pure virtual this is now the first full
implementation, but still a bit of a special case because it implements Zeek's
default behavior and doesn't add "custom" content to the tuple.
2025-06-25 13:18:08 +02:00
Christian Kreibich
5af8fc242a Add IP-specific ConnKey implementation.
The InitTuple() implementation here is a placeholder for a fuller one following
later, when we do away with the need for ConnTuple.
2025-06-25 13:18:08 +02:00
Christian Kreibich
0c64f6a7b9 Establish plugin infrastructure for ConnKey factories.
ConnKey factories are intermediaries that encapsulate the details of how to
instantiate ConnKeys, which codify the hash input for connection lookups.
2025-06-25 13:18:07 +02:00
Christian Kreibich
d19fdfd17c Add new ConnKey abstraction. 2025-06-25 13:18:07 +02:00
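Added illustration of the ConnKey / ConnKey-factory idea from the series of commits above (pluggable tuples, the five-tuple factory, the VLAN-aware tuple, and the orientation tracking described for IPBasedConnKey). This is not Zeek's code: the class names, the PacketHdr view, the integer-address representation, and the string "hash" are all hypothetical simplifications chosen so the example compiles stand-alone. It shows why the key matters for security monitoring: with the plain five-tuple, two flows that reuse the same addresses and ports on different VLANs collapse into one tracked connection, while a VLAN-aware key keeps them apart. Both keys still canonicalize endpoint order so request and reply hash identically, and record whether the packet was flipped.

```cpp
// Added illustration (not Zeek's code): a minimal model of the ConnKey /
// ConnKeyFactory idea. A ConnKey is the hash input for a connection lookup; a
// factory decides which packet fields go into it. Names are hypothetical and
// simplified relative to Zeek's own classes.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Constructed header view: IPv4 addresses as host-order integers, ports, IP
// protocol, and the 802.1Q VLAN id (0 = untagged).
struct PacketHdr {
    uint32_t src_ip;
    uint32_t dst_ip;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t proto;
    uint16_t vlan;
};

class ConnKey {
public:
    virtual ~ConnKey() = default;
    // The string stands in for the raw hash input.
    virtual std::string Hash() const = 0;
    // True if src/dst were swapped to reach canonical order, so a caller can
    // still recover the packet's original orientation from the key.
    bool Flipped() const { return flipped_; }

protected:
    // Canonical five-tuple: order the endpoints so both directions of a flow
    // produce the same key, but remember whether we swapped.
    void InitFiveTuple(const PacketHdr& h) {
        flipped_ = std::make_pair(h.src_ip, h.src_port) > std::make_pair(h.dst_ip, h.dst_port);
        if (flipped_) {
            ip1_ = h.dst_ip; port1_ = h.dst_port; ip2_ = h.src_ip; port2_ = h.src_port;
        } else {
            ip1_ = h.src_ip; port1_ = h.src_port; ip2_ = h.dst_ip; port2_ = h.dst_port;
        }
        proto_ = h.proto;
    }

    uint32_t ip1_ = 0, ip2_ = 0;
    uint16_t port1_ = 0, port2_ = 0;
    uint8_t proto_ = 0;
    bool flipped_ = false;
};

// The default: the plain five-tuple.
class FiveTupleKey : public ConnKey {
public:
    explicit FiveTupleKey(const PacketHdr& h) { InitFiveTuple(h); }
    std::string Hash() const override {
        return std::to_string(ip1_) + ":" + std::to_string(port1_) + "-" +
               std::to_string(ip2_) + ":" + std::to_string(port2_) + "/" + std::to_string(proto_);
    }
};

// Custom tuple: five-tuple plus VLAN id, so identical address/port pairs on
// different VLANs are tracked as distinct connections.
class VlanFiveTupleKey : public FiveTupleKey {
public:
    explicit VlanFiveTupleKey(const PacketHdr& h) : FiveTupleKey(h), vlan_(h.vlan) {}
    std::string Hash() const override { return FiveTupleKey::Hash() + "@vlan" + std::to_string(vlan_); }
private:
    uint16_t vlan_;
};

// Factory: the one place that knows which ConnKey flavour is in use.
class ConnKeyFactory {
public:
    virtual ~ConnKeyFactory() = default;
    virtual std::unique_ptr<ConnKey> NewKey(const PacketHdr& h) const = 0;
};

struct FiveTupleFactory : ConnKeyFactory {
    std::unique_ptr<ConnKey> NewKey(const PacketHdr& h) const override { return std::make_unique<FiveTupleKey>(h); }
};

struct VlanFactory : ConnKeyFactory {
    std::unique_ptr<ConnKey> NewKey(const PacketHdr& h) const override { return std::make_unique<VlanFiveTupleKey>(h); }
};

// Would packets a and b be looked up as the same connection under factory f?
bool SameConnection(const ConnKeyFactory& f, const PacketHdr& a, const PacketHdr& b) {
    return f.NewKey(a)->Hash() == f.NewKey(b)->Hash();
}

int main() {
    PacketHdr fwd{0x0A000001u, 0x0A000002u, 40000, 443, 6, 100}; // 10.0.0.1:40000 -> 10.0.0.2:443, VLAN 100
    PacketHdr rev{0x0A000002u, 0x0A000001u, 443, 40000, 6, 100}; // the reply direction
    PacketHdr other = fwd;
    other.vlan = 200;                                            // same five-tuple, VLAN 200
    std::printf("five-tuple: fwd/rev same=%d, vlan100/vlan200 same=%d\n",
                SameConnection(FiveTupleFactory{}, fwd, rev), SameConnection(FiveTupleFactory{}, fwd, other));
    std::printf("vlan-aware: fwd/rev same=%d, vlan100/vlan200 same=%d\n",
                SameConnection(VlanFactory{}, fwd, rev), SameConnection(VlanFactory{}, fwd, other));
    return 0;
}
```

The orientation rule here (compare the src pair against the dst pair) is only a stand-in for whatever canonicalization the real key uses; the point is that the swap is recorded on the key rather than needing a separate tuple object to survive the move into the connection.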
Arne Welzel
4b472f2771 Merge remote-tracking branch 'origin/topic/awelzel/telemetry-endpoint-to-node-rename'
* origin/topic/awelzel/telemetry-endpoint-to-node-rename:
  telemetry: Rename endpoint label to node label
2025-06-25 09:33:55 +02:00
Arne Welzel
eea194ddd8 telemetry: Rename endpoint label to node label
Using a label named "endpoint" is not intuitive and requires explaining to
users that it's really just the Cluster::node value. Change the label to
"node", so that we don't need to do the explaining.

This probably breaks some existing users of the Prometheus metrics, but after
looking more at metrics recently, "endpoint" really is a thorn in my eye.
2025-06-25 09:33:01 +02:00
zeek-bot
261582bcd5 Update doc submodule [nomail] [skip ci] 2025-06-25 00:17:53 +00:00
Tim Wojtulewicz
4c2990f6ad Merge remote-tracking branch 'origin/topic/timw/available_tags'
* origin/topic/timw/available_tags:
  Add get_tags_by_category BIF method
2025-06-24 15:38:32 -07:00
bhaskarbhar
04d6fa3cb7 Add get_tags_by_category BIF method 2025-06-24 13:47:49 -07:00
Tim Wojtulewicz
4db7d40894 Add NEWS entry about deprecation of --with-binpac and --with-bifcl 2025-06-24 12:56:03 -07:00
Tim Wojtulewicz
e5afa4160c Merge remote-tracking branch 'origin/topic/timw/remove-with-binpac-bifcl'
* origin/topic/timw/remove-with-binpac-bifcl:
  Deprecate --with-binpac/--with-bifcl configure options
  Remove deprecated --disable-archiver configure argument
2025-06-24 12:51:15 -07:00
Tim Wojtulewicz
60953e14e7 Deprecate --with-binpac/--with-bifcl configure options 2025-06-24 12:50:35 -07:00
Tim Wojtulewicz
60a4aef941 Remove deprecated --disable-archiver configure argument 2025-06-24 12:50:35 -07:00
Arne Welzel
5e5d943273 Merge remote-tracking branch 'origin/topic/awelzel/publish-error-test-avoid-tsan-report'
* origin/topic/awelzel/publish-error-test-avoid-tsan-report:
  btest/broker/publish-errors: Avoid exit(0)
2025-06-24 19:07:23 +02:00
Arne Welzel
2e30f87e33 btest/broker/publish-errors: Avoid exit(0)
Calling exit() doesn't properly shut down the manager instances and TSAN reports a
leaked thread. Just avoid this for now by using terminate() instead.
2025-06-24 19:06:52 +02:00
Arne Welzel
fbeb3adfe6 Merge remote-tracking branch 'origin/topic/awelzel/dns-naming-authority-pointer'
* origin/topic/awelzel/dns-naming-authority-pointer:
  DNS: Implement NAPTR RR support
  DNS: Move extract_char_string() helper around
2025-06-24 17:44:17 +02:00
Arne Welzel
4f1fc296b6 DNS: Implement NAPTR RR support
My phone is sending NAPTR queries and we reported an unknown RR type 35
in weird.log for the response, so figured I'd just add it.
2025-06-24 17:43:27 +02:00
Johanna Amann
9d06a13828 Only pass session ticket data in ssl_session_ticket_handshake event
This commit fixes the parsing of the data field in the SSL analyzer. So
far, this field contained two extra bytes at the beginning, which
contain the length of the following data.

Now, the data passed to the event only contains the actual value of the
session ticket.

The Spicy analyzer already contains the correct handling of this field,
and does not need to be updated. A test that uses the event and
exhibited the bug was added.
2025-06-24 16:33:14 +01:00
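Added example of the parsing detail the commit above describes. It is not Zeek's SSL analyzer code: it models the TLS 1.2 NewSessionTicket handshake body (a 4-byte lifetime hint followed by a 2-byte length and the opaque ticket, per RFC 5077) with hypothetical function names and a constructed sample message, and contrasts the pre-fix extraction, which kept the length prefix in the data, with a version that hands back only the ticket value. It also rejects a message whose length field claims more bytes than are present, the check a practitioner wants before trusting a length prefix.

```cpp
// Added example, not Zeek's SSL analyzer. Models the TLS 1.2 NewSessionTicket
// body (RFC 5077: uint32 ticket_lifetime_hint, then a 2-byte length followed by
// the opaque ticket) and contrasts the pre-fix extraction, which kept the length
// prefix, with one that returns only the ticket value. Names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<uint8_t>;

struct SessionTicket {
    uint32_t lifetime_hint = 0;
    Bytes ticket;
};

// Fixed parser: skips the 2-byte length prefix and verifies that the declared
// length matches what is actually present, rather than trusting it.
bool ParseNewSessionTicket(const Bytes& body, SessionTicket& out) {
    if (body.size() < 6)
        return false; // need hint (4) + length (2)
    uint32_t hint = (uint32_t(body[0]) << 24) | (uint32_t(body[1]) << 16) |
                    (uint32_t(body[2]) << 8) | uint32_t(body[3]);
    size_t len = (size_t(body[4]) << 8) | size_t(body[5]);
    if (body.size() != 6 + len)
        return false; // truncated or trailing bytes: reject rather than over-read
    out.lifetime_hint = hint;
    out.ticket.assign(body.begin() + 6, body.end());
    return true;
}

// Pre-fix behaviour, kept for comparison: the data started at the length field,
// so it carried two extra bytes ahead of the ticket value.
Bytes LegacyTicketData(const Bytes& body) {
    if (body.size() < 4)
        return {};
    return Bytes(body.begin() + 4, body.end());
}

// Convenience wrappers for inspecting results.
bool ValidNewSessionTicket(const Bytes& body) { SessionTicket t; return ParseNewSessionTicket(body, t); }
Bytes TicketValue(const Bytes& body) { SessionTicket t; return ParseNewSessionTicket(body, t) ? t.ticket : Bytes{}; }
uint32_t LifetimeHint(const Bytes& body) { SessionTicket t; return ParseNewSessionTicket(body, t) ? t.lifetime_hint : 0; }

// Constructed sample: lifetime hint 7200 s, length 4, ticket DE AD BE EF.
Bytes SampleNewSessionTicket() {
    return {0x00, 0x00, 0x1C, 0x20, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF};
}

int main() {
    Bytes msg = SampleNewSessionTicket();
    Bytes legacy = LegacyTicketData(msg);
    Bytes fixed = TicketValue(msg);
    std::printf("legacy data: %zu bytes (first two: %02x %02x), fixed data: %zu bytes\n",
                legacy.size(), legacy[0], legacy[1], fixed.size());
    // A message whose length field claims more than is present must be rejected.
    Bytes truncated{0x00, 0x00, 0x1C, 0x20, 0x00, 0x10, 0xDE};
    std::printf("truncated accepted: %d\n", ValidNewSessionTicket(truncated));
    return 0;
}
```

On the sample message the legacy extraction yields six bytes starting with 00 04, the fixed one yields the four ticket bytes; a script handler that keyed on ticket bytes (for example to correlate resumptions) would have been comparing values that all began with a length word.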
Arne Welzel
cab4ebf513 Merge remote-tracking branch 'origin/topic/awelzel/4586-zeromq-ipv6'
* origin/topic/awelzel/4586-zeromq-ipv6:
  cluster/zeromq: Short-circuit DoPublishLogWrite() when not initialized
  cluster/zeromq: Hook up and enable IPV6 by default
  cluster/zeromq/connect: Make failures fatal
  cluster/zeromq: Move log_push creation to DoInit()
2025-06-24 17:16:58 +02:00
Arne Welzel
1afd497c0c cluster/zeromq: Short-circuit DoPublishLogWrite() when not initialized
After moving the log_push initialization from the constructor to the
DoInit() method, it's now possible that DoPublishLogWrites() is invoked
even if DoInit() was never called. Handle this by short-circuiting. This
is sort of an error, but can happen during tests if scripts are loaded
somewhat arbitrarily.
2025-06-24 17:12:45 +02:00
Arne Welzel
89c0b0faf3 cluster/zeromq: Hook up and enable IPV6 by default
ZeroMQ's IPv6 support isn't enabled by default, resulting in
"No such device" errors when attempting to listen on an IPv6
address. This change adds an ipv6 option to the ZeroMQ module
and enables it by default. Further, it adds a test configuring
everything to listen on IPv6 ::1 as well, and one test to provoke
the original error. This also regularizes some error messages.

The addr_to_uri() calls weren't actually needed, but they apparently do
not hurt and the result is easier on the eyes, so use them :-)
2025-06-24 17:12:45 +02:00
Benjamin Bannier
767ddfd8a1 Merge branch 'topic/bbannier/issue-4587' 2025-06-24 16:31:01 +02:00
Benjamin Bannier
c15d04282d Build builtin Spicy analyzers in debug mode if debug mode is enabled
Closes #4587.
2025-06-24 16:30:41 +02:00
Johanna Amann
72bd683c23 Merge remote-tracking branch 'origin/topic/johanna/default-canonifier-only-first-timestamp'
* origin/topic/johanna/default-canonifier-only-first-timestamp:
  Default canonifier change to only remove first timestamp in line
  Align SMB timestamp calculation between operating systems
2025-06-24 14:02:04 +01:00
Tim Wojtulewicz
e39a1d7271 Merge remote-tracking branch 'origin/topic/timw/ipv6-chain-vector'
* origin/topic/timw/ipv6-chain-vector:
  Switch IPv6_Hdr_Chain to a vector of objects instead of pointers
2025-06-23 10:52:33 -07:00
Tim Wojtulewicz
d6e25a2e22 Switch IPv6_Hdr_Chain to a vector of objects instead of pointers 2025-06-23 10:41:23 -07:00
Tim Wojtulewicz
33b23ef4b1 Merge remote-tracking branch 'origin/topic/timw/zeromq-include-paths'
* origin/topic/timw/zeromq-include-paths:
  Remove unneeded include dirs in zeromq CMakeLists.txt
2025-06-23 10:40:10 -07:00
Tim Wojtulewicz
7e6d3a6b39 Remove unneeded include dirs in zeromq CMakeLists.txt 2025-06-23 10:39:13 -07:00
Tim Wojtulewicz
8d92ad472c Merge branch 'topic/timw/clang-tidy-fixes'
* topic/timw/clang-tidy-fixes: (41 commits)
  Deprecate BRO_PLUGIN_INSTALL_PATH constant
  Make constants in IP::ParseResult uppercase, deprecate the old ones
  Fix comparison against CapLen results in IPTunnel
  Fix clang-tidy cppcoreguidelines-virtual-class-destructor warnings in headers
  Fix clang-tidy cppcoreguidelines-macro-usage warnings in headers
  Fix clang-tidy modernize-use-using warnings in headers
  Fix clang-tidy modernize-use-transparent-functors warnings in headers
  Fix clang-tidy modernize-use-override warnings in headers
  Fix clang-tidy modernize-use-nullptr warnings in headers
  Fix clang-tidy modernize-use-equals-delete warnings in headers
  Fix clang-tidy modernize-use-emplace warnings in headers
  Fix clang-tidy modernize-use-default-member-init warnings in headers
  Fix clang-tidy modernize-use-bool-literals warnings in headers
  Fix clang-tidy modernize-return-braced-init-list warnings in headers
  Fix clang-tidy modernize-type-traits warnings in headers
  Fix clang-tidy modernize-redundant-void-arg warnings in headers
  Fix clang-tidy modernize-pass-by-value warnings in headers
  Fix clang-tidy modernize-loop-convert warnings in headers
  Fix clang-tidy modernize-macro-to-enum warnings in headers
  Fix clang-tidy performance-unnecessary-copy-initialization warnings in headers
  ...
2025-06-23 10:37:29 -07:00
Tim Wojtulewicz
6aa5145782 Deprecate BRO_PLUGIN_INSTALL_PATH constant 2025-06-23 08:35:25 -07:00
Tim Wojtulewicz
37be47328e Make constants in IP::ParseResult uppercase, deprecate the old ones 2025-06-23 08:35:25 -07:00
Tim Wojtulewicz
a27dee6370 Fix comparison against CapLen results in IPTunnel 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
311a744a20 Fix clang-tidy cppcoreguidelines-virtual-class-destructor warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
e84c99fb14 Fix clang-tidy cppcoreguidelines-macro-usage warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
74bf987b82 Fix clang-tidy modernize-use-using warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
6f79a6381f Fix clang-tidy modernize-use-transparent-functors warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
e613e7c304 Fix clang-tidy modernize-use-override warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
edf3ceb52c Fix clang-tidy modernize-use-nullptr warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
f15cab4a2b Fix clang-tidy modernize-use-equals-delete warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
cb78d2202f Fix clang-tidy modernize-use-emplace warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
fb55c8856e Fix clang-tidy modernize-use-default-member-init warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
a05b4abdf7 Fix clang-tidy modernize-use-bool-literals warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
ed202b36b2 Fix clang-tidy modernize-return-braced-init-list warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
157c488b9d Fix clang-tidy modernize-type-traits warnings in headers 2025-06-23 08:35:24 -07:00
Tim Wojtulewicz
23184af21c Fix clang-tidy modernize-redundant-void-arg warnings in headers 2025-06-23 08:35:24 -07:00