Vlad Grigorescu
10db1b552d
Add username tracking
2014-10-08 17:23:20 -04:00
Vlad Grigorescu
f38a580c8c
Add support for transaction2 Find_First2.
2014-10-08 16:29:51 -04:00
Vlad Grigorescu
261f6e8c45
Fix a segfault, and add script-level support for some more commands.
2014-10-08 12:06:33 -04:00
Vlad Grigorescu
e9c398a41c
Merge remote-tracking branch 'origin/topic/seth/files-tracking' into topic/vladg/smb
2014-10-08 10:54:56 -04:00
Seth Hall
d77243823f
Updates for file mime type identification.
- Change to the default BOF buffer size to 3000 (was 1024).
- Reorganized MS signatures into a separate file
- Improved lots of the signatures and added new ones.
2014-10-08 02:12:10 -04:00
Vlad Grigorescu
0d615b0319
Add more SMB subcommands and arguments. Log SMB1 error messages too.
2014-10-07 17:32:01 -04:00
Vlad Grigorescu
a6de23aaa3
Refine transaction2 support, rewrite SMB scripts.
2014-10-07 16:31:02 -04:00
Seth Hall
80656d5294
Improves shockwave flash file signatures.
- This moves the signatures out of the libmagic imported signatures
and into our own general.sig.
- Expand the detection to LZMA compressed flash files.
2014-10-06 11:13:13 -04:00
Johanna Amann
470d868558
new ssl extension type from iana and a few other ssl const changes.
2014-09-28 14:29:12 +02:00
Seth Hall
e4ca588127
Does the initial effort to add the SMB2 SetInfo command and better handle file lengths.
2014-09-27 03:11:01 -04:00
Seth Hall
cafd35e746
Updates the files event api and brings file reassembly up to master.
2014-09-26 00:40:37 -04:00
Vlad Grigorescu
6ee2ec666f
Merge remote-tracking branch 'origin/master' into topic/vladg/smb
Conflicts:
src/analyzer/protocol/smb/Plugin.cc
2014-09-24 18:38:43 -04:00
Seth Hall
42b2d56279
Merge remote-tracking branch 'origin/master' into topic/seth/files-tracking
Conflicts:
scripts/base/frameworks/files/main.bro
src/file_analysis/File.cc
testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
2014-09-23 13:05:39 -04:00
Seth Hall
8d283db63b
Adds a "node" field to Intel::Seen structure and intel.log.
The intel framework can now indicate which node discovered a
hit on an intel item through the new "node" field in the
Intel::Seen data structure. On clusters, this field will
contain the name of the node where the hit was seen.
2014-09-23 12:23:39 -04:00
Daniel Thayer
d226fef723
Fixed some "make doc" warnings caused by reST formatting
2014-09-16 12:44:51 -05:00
Jon Siwek
f97f58e9db
Raise http_entity_data in line with data arrival.
As opposed to delaying until a certain-sized-buffer fills, which is
problematic because then the event becomes out of sync with the "rest of
the world". E.g. content_gap handlers being called sooner than
expected.
Addresses BIT-1240.
2014-09-10 13:20:47 -05:00
Robin Sommer
525816b03d
Merge remote-tracking branch 'origin/topic/hui/dnp3-udp'
* origin/topic/hui/dnp3-udp:
remove redundant codes; find a way to use the analyzer function, such as Weird; fix a small bug in ProcessData function in DNP3.cc; passed the test
Renaming the DNP3 TCP analyzer
quickly fix another bug; adding missing field of the declaration of dnp3_request_application_header and dnp3_response_application_header
Removing the debug printf in DNP3.cc
fixed the bug of deciding the size of object 1 variation 1 in DNP3
Fix some things in DNP3 UDP analyzer.
changed a bug, but still not working
modify DNP3.cc and DNP3.h to add DNP3_UDP_Analyzer; binpac unchanged
2014-09-07 21:09:53 -07:00
Vlad Grigorescu
51373b0592
SSH: Misc. updates to the new analyzer.
2014-09-02 00:15:32 -04:00
Vlad Grigorescu
0a50688afc
Move auth method detection into script-land, to make it easier to change.
2014-08-28 18:23:30 -04:00
Vlad Grigorescu
214e6b3ea9
Move the SIP analyzer to uint64 sequences, and a number of other small SIP fixes.
2014-08-26 22:26:42 -04:00
Hui Lin
81606e7ff4
Renaming the DNP3 TCP analyzer
2014-08-25 10:33:28 -05:00
Vlad Grigorescu
f93f2af748
Merge tag 'v2.3' into topic/vladg/sip
Version tag
Conflicts:
scripts/base/init-default.bro
2014-08-22 19:25:43 -04:00
Hui Lin
fb21236661
quickly fix another bug; adding missing field of the declaration of dnp3_request_application_header and dnp3_response_application_header
2014-08-16 11:01:30 -05:00
Robin Sommer
996d118d68
Fixing tests.
2014-08-13 21:33:03 -07:00
Robin Sommer
58f3a715f2
Merge branch 'topic/robin/reader-writer-plugins' of git.bro.org:bro into topic/robin/reader-writer-plugins
Conflicts:
scripts/base/frameworks/logging/writers/dataseries.bro
2014-08-08 18:36:09 -07:00
Robin Sommer
355314718b
Merge remote-tracking branch 'origin/master' into topic/robin/reader-writer-plugins
2014-08-08 18:32:45 -07:00
Robin Sommer
8737eae906
Move DataSeries and ElasticSearch into plugins.
2014-08-08 18:32:21 -07:00
Robin Sommer
8031da4ee7
More polishing of some of the branch's changes.
2014-08-08 18:32:05 -07:00
Vlad Grigorescu
250360eb55
Add support for more commands, and support quit
2014-08-08 13:53:16 -05:00
Vlad Grigorescu
1ceeafcb32
Redo the response handling.
2014-08-08 13:46:12 -05:00
Jon Siwek
b83d4a9c84
Fix some things in DNP3 UDP analyzer.
- DeliverPacket override had a wrong parameter.
- Change the DNP3 plugin to provide both UDP and TCP analyzer versions.
- Add a DPD signature.
2014-08-06 15:41:53 -05:00
Johanna Amann
14d265482a
add information about server chosen protocol to ssl.log, if provided by alpn.
This is e.g. used to negotiate spdy or http/2
2014-08-04 22:16:09 -07:00
Johanna Amann
026233d1f2
change SSL log to contain a boolean flag signaling if a session was resumed
instead of the (usually not really that useful) session ID the client sent.
2014-08-04 11:15:42 -07:00
Johanna Amann
fe60d5e9dd
Split dhcp log writing from record creation.
This allows users to customize dhcp.log by changing the record in their own
dhcp_ack event.
2014-08-01 11:07:32 -07:00
Robin Sommer
ffd3d9d185
More polishing.
2014-07-31 15:08:45 -07:00
Robin Sommer
2b505b07c1
Merge remote-tracking branch 'origin/master' into topic/robin/reader-writer-plugins
2014-07-31 10:10:39 -07:00
Jon Siwek
69b1ba653d
Minor adjustments to plugin code/docs.
Mostly whitespace/typos.
Moved some Plugin methods out from public access.
2014-07-30 16:48:23 -05:00
Vlad Grigorescu
ca55d203cb
Kerberos analyzer
2014-07-24 21:55:41 -04:00
Vlad Grigorescu
6a34de5dd8
SMB & NTLM analyzers.
2014-07-24 21:46:38 -04:00
Vlad Grigorescu
101d340b18
MySQL analyzer
2014-07-24 15:52:42 -04:00
Robin Sommer
c6e204fbe2
Merge remote-tracking branch 'origin/master' into topic/robin/dynamic-plugins-2.3
Conflicts:
aux/btest
2014-07-22 20:27:00 -07:00
Robin Sommer
48b251abd1
Merge branch 'topic/robin/dynamic-plugins-2.3' into topic/robin/reader-writer-plugins
2014-07-22 17:27:16 -07:00
Robin Sommer
9f0bc0fdf1
Starting to implement the proposed PACF API.
2014-07-22 03:57:05 +02:00
Robin Sommer
fa1ba06414
Merge remote-tracking branch 'origin/topic/hui/modbus-events'
* origin/topic/hui/modbus-events:
adding another trace file to test read and write coil function codes
add/update test file and baseline result
add implementation of bytestring_to_coils for modbus analyzer
adding a missing field in record ModbusHeaders
add event handlers for modbus
2014-07-22 01:03:48 +02:00
Robin Sommer
c9524757d2
Adding Files::register_for_mime_type() to associate a file analyzer with a MIME type.
Whenever that MIME is detected, Bro will now automatically activate
the analyzer. The interface mimics how well-known ports are defined
for protocol analyzers.
This isn't actually used by any existing file analyzer (because we
don't have any yet that target a specific file format), but there's a
test making sure it works.
2014-07-21 16:31:22 +02:00
Robin Sommer
f4cbcb9b03
Converting log writers and input readers to plugins.
2014-07-20 19:17:58 +02:00
Robin Sommer
9616cd8e61
Further polishing and cleanup in preparation for merge.
2014-07-12 18:12:09 -07:00
Robin Sommer
aeb8e71e8c
Merge remote-tracking branch 'origin/master' into topic/robin/dynamic-plugins-2.3
Conflicts:
aux/bro-aux
aux/broccoli
2014-07-10 20:11:52 -07:00
Robin Sommer
a7746afa0a
Fixing DataSeries, which was using a now illegal value as default compression level.
2014-07-10 14:50:15 -07:00
Vlad Grigorescu
d98b5b88b5
Parse PE section headers.
2014-06-22 07:18:12 -04:00