Simplified some function names, fixed some names of broker script wrappers,
reorder some broker function calls to avoid potential race conditions, and
don't have bro read a trace file when it will not be used.
Also renamed the "print" function to "send_print" and the "event"
function to "send_event" because Bro shows a syntax error when a
Bro script function is named "event" or "print".
There was a bug in the new parsing code, introduced in
708ede22c6 which parses validity times
incorrectly if they are before the year 2000. What happens in this case
is that the 2-digit year will be interpreted to be in the 21st century
(1999 will be parsed as 2099, e.g.).
This patch allows users to provide the fuid or the connection id
directly, in case they do not have access to either in the event that
they handle.
An example for this is the handling of certificates in SSL, where the
fa_file record cannot be retained because this would create a cyclic
data structure.
This patch also provides file IDs for hostname matches in certificates,
which was not possible with the previous API.
* origin/topic/dnthayer/broker-namespace:
Split the broker main.bro into two scripts
Rename the BrokerStore namespace to Broker
Rename the BrokerComm namespace to Broker
BIT-1563 #merged
In the merge, I changed IP.cc to use icmp6_hdr for icmpv6 instead of the
icmp* that was used in the patch. While it does not make a difference
for this case, it seems cleaner.
BIT-1570 #merged
- NTLM Authentication failures over SMB2 are now marked as such in
the ntlm.log.
- Slightly updated filtering mechanism for DCE/RPC operations.
- Uncommented the atsvc file so it compiles now.
Some of the existing mime types received extended matchers
to fix problems with UTF-16 BOMs.
New file mime types:
- .ini files
- MS Registry policy files
- MS Registry files
- MS Registry format files (e.g. DESKTOP.DAT)
- MS Outlook PST files
- Apple AFPInfo files
Mime type fixes:
- MP3 files with ID3 tags.
- JSON and XML matchers were extended
The auto-generated header rfb_pac.h had class member functions "major"
and "minor" which were clashing with macros of the same name defined
in /usr/include/sys/types.h on FreeBSD. Fixed by renaming the fields.
If only one side of a connection was seen, the ntlm.log
would indicate that the authentication failed. This has been
modified so that the success is listed as null since it's not
known whether or not the authentication was successful.
It can be inferred from continued SMB analysis though because
activity will continue taking place. I changed it though
because the log shouldn't assume more than what it sees.
- Fix an issue with svcctl uuid -> operation mapping.
- Add a heuristic to fill out the endpoint name in
case the original dce/rpc binding wasn't seen.
- Improve naming and code structure in the dce/rpc scripts.
* topic/seth/file-entropy:
Add a file entropy test.
Fixing a test.
Updated tests for file entropy analyzer.
Update and clean up to file entropy measurement.
First commit of file entropy analyzer.
* martin/topic/fox/rfb:
Fixed issue in state machine
Some styling tweaks
Implement protocol confirmation
Analyzer and bro script for RFB protocol (VNC)
* <seth> I also applied a bit of clean up to the base
script to make it match other scripts better and
updated tests.
There is a slight difference in the message sequence
between version 3.7 and 3.8.
Version 3.8 will always send a Authentication Result
message when authentication type 'None' is selected
while 3.7 does not.
