- The logic for fragment handling has been rewritten and should be correct now.
- There are now tunables for fragment handling overflow situations.
- DCE_RPC::max_cmd_reassembly and DCE_RPC::max_frag_data
- They result in weirds and analyzer removal.
- Memory leak fixed by unique_ptr auto cleanup.
- DCE_RPC is now intolerate of content gaps and will stop
analyzing traffic if content gaps happen (like most other analyzers currently).
* origin/topic/vladg/bit-1641:
Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641.
Clean up the logic for ssh_auth_failed. Addresses BIT-1641
Update baselines for adding a field to ssh.log as part of BIT-1641
Script-land changes for BIT-1641.
Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641.
Revert "Fixing duplicate SSH authentication failure events."
Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641.
I extended the tests a bit and did some small cleanups. I also moved the
SSH events back to the global namespace for backwards compatibility and
for consistency (the way it was at the moment, some of them were global
some SSH::).
Furthermore, I fixed the ssh_auth_result result event, it was only
raised in the success case. ssh_auth_result is now also checked in the
testcases. I also have a suspicion that the intel integration never
really worked before.
BIT-1641 #merged
The ones_complement_checksum function assumes that the bytes passed into
it are aligned on 16 bit boundaries.
When using gcc (GCC) 6.2.1 20160916 (Red Hat 6.2.1-2) with -O2, this
does not seem to hold true anymore; assuming 16 bit alignment will lead
to accesses to uninitialized memory and wrong checksums.
This commit adds a minimally invasive change that does not assume
alignment anymore. This might have a small performance impact for every
single packet we process.
This error occured reproducibly when called from icmp6_checksum.
Filter out the python 2 "L" suffix on long integers (not valid in Python 3),
and change python 3 "object at" to "instance at" when printing
class instances.
BIT-1727 #merged
* origin/topic/johanna/tls13:
Better way to deal with overloaded Assign constructors.
A few tabbing fixes in TLS 1.3 support
TLS 1.3 support.
With clang on FreeBSD 11.0-p1, some md5 functions tend to return the
wrong result. This is, e.g., visible when running the bifs/md5 testcase.
In this test, the checks using md5_hash_finish will return an empty
string.
The apparent cause is some confusion in clang when using a static char
inside a static inline function that is refered to several compilation
units.
Exact version of clang showing this issue is:
FreeBSD clang version 3.8.0 (tags/RELEASE_380/final 262564) (based on LLVM 3.8.0)
Target: x86_64-unknown-freebsd11.0
Thread model: posix
InstalledDir: /usr/bin
Issue occurs with -O2.
The first person to either find an existing clang bugreport for this, or
to create an minimal testcase and files one will get a drink from me :)
- DCE_RPC fragmentation handling returns!
- Fixed some general parsing issues
- Fixed an issue with the DCE_RPC signature not working for IPv6 connections.
We could actually already see these in traffic with people that use and
enabled them in chrome canary / firefox nightly builds. This change
includes the re-naming of a few names that were never formalli assigned
yet.
Nice, thanks!
BIT-1671 #merged
* origin/topic/vladg/bit-1671:
Add descriptions for what the SMB1 events do, and references to the specification.
Add descriptions for what the SMB2 events do, and references to the specification.
Improve the SMB2 documentation.
Improve the SMB1 documentation a bit. Clean it up, make it more consistent, and add references to similar events.
Add DCE-RPC and NTLM abbreviation documentation for their events.
Remove reference to epm_map_response in RPC documentation. Addresses BIT-1671.
Rename events referenced in SMB1::Header documentation with new SMB analyzer. Addresses BIT-1671.
