Jon Siwek
de8f8f87b6
Adapt more of HTTP analyzer to use cached file analysis IDs.
...
Some EndOfFile calls can re-use a cached file ID.
2014-04-23 16:26:18 -05:00
Jon Siwek
0250489730
Adapt IRC/FTP analyzers to cache file analysis IDs.
2014-04-23 16:14:13 -05:00
Jon Siwek
782615e9dd
Remove unused Val::attribs member.
2014-04-23 10:44:47 -05:00
Robin Sommer
b9e956176e
Updating submodule(s).
...
[nomail]
2014-04-22 21:35:30 -07:00
Robin Sommer
2bbe36b4a7
Merge remote-tracking branch 'origin/topic/jsiwek/odesc-escaping'
...
* origin/topic/jsiwek/odesc-escaping:
Refactor various hex escaping code.
BIT-1184 #merged
2014-04-22 20:13:59 -07:00
Robin Sommer
e24f3f5fd5
Updating CHANGES and VERSION.
2014-04-22 20:01:55 -07:00
Jon Siwek
171c6ce86b
Refactor regex/signature AcceptingSet data structure and usages.
...
Several parts of that code would do membership checks and that's going
to be more efficient with a set instead of a list data structure.
2014-04-21 16:55:51 -05:00
Jon Siwek
8126f06ffb
Enforce data size limit when checking files for MIME matches.
...
The value of *bof_buffer_size* in the *fa_file* record was supposed to
always limit the amount of data used by the signature matching engine,
but some corner cases would cause matching to be performed on data
beyond that.
2014-04-21 16:51:45 -05:00
Bernhard Amann
594975c93d
Make SSL/TLS version detection less brittle.
...
This still cannot deal with v2 hellos that use the long length.
On the other hand - OpenSSL also cannot deal with these and we should
not see many sslv2 connections in any case - so... they probably
would not work in practice in any case.
2014-04-21 11:23:12 -07:00
Bernhard Amann
8ce3cf65f2
Merge branch 'topic/bernhard/heartbeat' into topic/bernhard/ssl-analyzer
...
Conflicts:
src/analyzer/protocol/ssl/ssl-analyzer.pac
src/analyzer/protocol/ssl/ssl-protocol.pac
2014-04-21 10:34:36 -07:00
Bernhard Amann
0b53ff5b92
Merge remote-tracking branch 'origin/master' into topic/bernhard/ssl-analyzer
2014-04-21 10:31:16 -07:00
Bernhard Amann
b283883997
define empty request_key method for sumstats in cluster mode.
...
This prevents the worker nodes from crashing when request_key is used
in cluster mode and called on the worker and the manager nodes (i.e. when
a non-cluster-aware script is used).
Addresses BIT-1177
2014-04-18 16:29:51 -07:00
Jon Siwek
bc5c02cb74
Refactor file analysis file ID lookup.
...
Now using a dictionary instead of std::map as order doesn't matter and
lookup time shouldn't increase as more files are in process of being
analyzed.
2014-04-18 16:35:43 -05:00
Bernhard Amann
a92ff71e19
Merge remote-tracking branch 'origin/master' into topic/bernhard/heartbeat
2014-04-18 14:26:13 -07:00
Jon Siwek
e8a5ea8844
Refactor various hex escaping code.
2014-04-18 13:19:50 -05:00
Robin Sommer
80d7a1482c
Merge remote-tracking branch 'origin/topic/jsiwek/ascii-log-memleak-fix'
...
* origin/topic/jsiwek/ascii-log-memleak-fix:
Refactor initialization of ASCII log writer options.
Fix a memory leak in ASCII log writer.
2014-04-17 18:01:41 -05:00
Robin Sommer
1ef4daf0a7
Merge remote-tracking branch 'origin/fastpath'
...
* origin/fastpath:
Change how input/logging threads set their name.
Fix bug when clearing Bloom filter contents.
2014-04-17 17:49:52 -05:00
Bernhard Amann
ef41cc7189
Nicer notices for heartbleed.
...
Duplicates are now excluded and the notice texts contain a bit more useful information.
2014-04-16 10:48:22 -07:00
Jon Siwek
c9b40f1ca7
Change how input/logging threads set their name.
...
Setting the thread name on every heartbeat uses a mild amount of
cycles and there's not much benefit to doing it there to get the
additional info regarding the number of processed messages since thread
names usually get truncated to 16 characters and omit that part anyway.
2014-04-15 16:36:47 -05:00
Jon Siwek
2a5b209f6d
Refactor initialization of ASCII log writer options.
2014-04-15 12:50:10 -05:00
jshlbrd
b43c2c347b
Update http-headers.bro
2014-04-15 09:15:57 -04:00
jshlbrd
9083b03bd6
Update http-headers.bro
2014-04-15 09:12:09 -04:00
jshlbrd
85bbc39194
Update http-headers.bro
2014-04-15 09:10:38 -04:00
jshlbrd
2dbca1ccd9
Add Intel::ADDR lookup to host field
...
IP addresses are often seen in the HTTP host field; this change checks if the value in the host field is a valid IP address and processes the Intel::seen event to check for an Intel::ADDR indicator.
2014-04-15 09:07:21 -04:00
Matthias Vallentin
cb4eaf762c
Fix bug when clearing Bloom filter contents.
...
This patch fixes a bug that occurred when calling the BiF bloomfilter_clear,
which used to not only clear the underlying bit vector but also set its size to
zero. As a result, subsequent element access or computations using the bit
vector size caused erroneous behavior.
Reported by @colonelxc.
2014-04-15 12:48:56 +02:00
Jon Siwek
13d8908a8d
Fix a memory leak in ASCII log writer.
2014-04-14 16:53:49 -05:00
Seth Hall
db80947b5f
Updated snmp script. Feedback would be welcome!
2014-04-14 15:58:37 -04:00
Bernhard Amann
cc838c6b2e
rip out state handling from ssl analyzer.
...
still seems to work, but basically untested.
2014-04-10 15:12:33 -07:00
Robin Sommer
9b672f9e7f
Merge remote-tracking branch 'origin/fastpath'
...
* origin/fastpath:
Small logic fix for main ssl script.
test for new ssl/tls dpd signature
2014-04-10 15:05:44 -07:00
Bernhard Amann
c741ea7c50
Small logic fix for main ssl script.
...
Thank you, Jon
2014-04-10 14:35:05 -07:00
Bernhard Amann
5d9fb1631c
test for new ssl/tls dpd signature
2014-04-10 14:33:14 -07:00
Robin Sommer
a5fdf7996f
Updating submodule(s).
...
[nomail]
2014-04-10 08:32:33 -07:00
Robin Sommer
8af9fbf7e5
Merge remote-tracking branch 'origin/fastpath'
...
* origin/fastpath:
update dpd for tls 1.2
Remove unused data member of SMTP_Analyzer.
Fix missing @load dependencies in some scripts.
2014-04-10 08:24:18 -07:00
Bernhard Amann
4405121fb2
Merge branch 'fastpath' into topic/bernhard/heartbeat
2014-04-10 08:13:29 -07:00
Bernhard Amann
aa73d42120
update dpd for tls 1.2
...
all tests still pass
2014-04-10 08:12:02 -07:00
Jon Siwek
c617be6f50
Remove unused data member of SMTP_Analyzer.
...
To silence a Coverity warning.
2014-04-09 16:39:46 -05:00
Jon Siwek
d4ef9f3693
Fix missing @load dependencies in some scripts.
...
And update the unit test which is supposed to catch such errors.
2014-04-09 16:32:23 -05:00
Jon Siwek
04344d09eb
Update SNMP analyzer's DeliverPacket method signature.
2014-04-09 13:36:44 -05:00
Jon Siwek
f3bb4a455f
Merge branch 'master' into topic/jsiwek/bit-348
2014-04-09 13:14:32 -05:00
Jon Siwek
2b3c2bd394
Fix reassembly of data w/ sizes beyond 32-bit capacities (BIT-348).
...
The main change is that reassembly code (e.g. for TCP) now uses
int64/uint64 (signedness is situational) data types in place of int
types in order to support delivering data to analyzers that pass 2GB
thresholds. There's also changes in logic that accompany the change in
data types, e.g. to fix TCP sequence space arithmetic inconsistencies.
Another significant change is in the Analyzer API: the *Packet and
*Undelivered methods now use a uint64 in place of an int for the
relative sequence space offset parameter.
2014-04-09 13:03:24 -05:00
Bernhard Amann
2414aaf4bb
enable detection of encrypted heartbleeds.
2014-04-08 21:57:37 -07:00
Robin Sommer
285ef548ff
Updating test baselines.
2014-04-08 15:47:11 -07:00
Robin Sommer
cf7e25643e
Merge remote-tracking branch 'origin/topic/jsiwek/snmp'
...
* origin/topic/jsiwek/snmp:
Add memory leak unit test for SNMP.
Fix compiler nitpicks from new SNMP code.
Add SNMP datagram parsing support.
BIT-1142
2014-04-08 15:31:03 -07:00
Bernhard Amann
2942a26280
also extract payload data in ssl_heartbeat
2014-04-08 12:44:51 -07:00
Bernhard Amann
f2c2da92c6
add to local.bro, add disclaimer
2014-04-08 11:53:01 -07:00
Bernhard Amann
cb87f834f9
make tls heartbeat messages a bit better.
2014-04-08 11:40:48 -07:00
Bernhard Amann
4d33bdbb1e
fix tabs.
2014-04-08 11:28:13 -07:00
Bernhard Amann
c41810a337
polish script and probably detect encrypted attacks too.
2014-04-08 11:19:30 -07:00
Bernhard Amann
335a30b08f
detect and alert on simple case of heartbleed
2014-04-08 11:03:12 -07:00
Bernhard Amann
018735a574
default to TLS when not being able to determine version
2014-04-08 09:49:00 -07:00