Seth Hall
727e626bb4
Added an option for filtering out urls before they are turned into HTTP::Incorrect_File_Type notices
2012-01-10 10:38:12 -05:00
Jon Siwek
e7cf347288
Add SFTP log postprocessor that transfers logs to remote hosts.
Addresses #737
2012-01-06 14:58:17 -06:00
Jon Siwek
645c80f974
Reduce snaplen default from 65535 to old default of 8192. (fixes #720)
Also replaced the --snaplen/-l command line option with a
scripting-layer option called "snaplen" (which can also be
redefined on the command line, e.g. `bro -i eth0 snaplen=65535`).
2012-01-04 16:30:15 -06:00
Seth Hall
f8ec98625d
Merge remote-tracking branch 'origin/topic/robin/pp-alarms'
* origin/topic/robin/pp-alarms:
The silliest, tiniest little whitespace fixes.
Update missing in last commit to this branch.
Adding test for alarm mail.
Tuning the pretty-printed alarms output.
2012-01-04 13:41:28 -05:00
Seth Hall
adfbed8e56
The silliest, tiniest little whitespace fixes.
2012-01-04 13:37:07 -05:00
Robin Sommer
5e9153d7d6
Merge remote-tracking branch 'origin/topic/bernhard/notice-proto'
* origin/topic/bernhard/notice-proto:
log protocol in notices.
Conflicts:
scripts/base/frameworks/notice/main.bro
Closes #718.
2012-01-03 14:52:07 -08:00
Robin Sommer
c81477d9d3
Executive decision: empty fields are now logged as "(empty)" by default.
2011-12-19 08:49:30 -08:00
Robin Sommer
26ff8e1dab
Merge remote branch 'origin/topic/seth/notice-email-delay'
* origin/topic/seth/notice-email-delay:
The hostname notice email extension works now.
Fixed more bugs with delayed emails.
Working around a problem with setting default container types.
Ugh, still major failure. I'm just cutting the timeout handling for now.
Fixed a small bug major problem with email delay timeout catching.
Initial fixes for the problem of async actions with notice email extensions.
Closes #727.
2011-12-19 07:10:28 -08:00
Robin Sommer
0a3e160a8d
Merge remote branch 'origin/topic/seth/dns-updates'
* origin/topic/seth/dns-updates:
Fixed some bugs with capturing data in the base DNS script.
Some updates to the base DNS script.
Closes #702.
2011-12-18 15:20:00 -08:00
Robin Sommer
f3c2811e14
Merge remote branch 'origin/topic/seth/ssl-updates-for-2.0'
* origin/topic/seth/ssl-updates-for-2.0:
Added is_orig fields to the SSL events and adapted script.
Closes #692.
2011-12-18 15:15:57 -08:00
Seth Hall
8399d28c2e
The hostname notice email extension works now.
2011-12-16 10:59:30 -05:00
Robin Sommer
8c53446292
Merge remote branch 'origin/fastpath'
* origin/fastpath:
Fixed major bug with cluster synchronization (it was broken!)
2011-12-16 02:37:56 -08:00
Seth Hall
0b8b14a0ed
Fixed major bug with cluster synchronization (it was broken!)
2011-12-15 15:59:51 -05:00
Seth Hall
b66c73baaa
Fixed more bugs with delayed emails.
2011-12-15 15:57:42 -05:00
Seth Hall
667dcb251a
Working around a problem with setting default container types.
2011-12-15 12:51:14 -05:00
Seth Hall
cb904cec4f
Ugh, still major failure. I'm just cutting the timeout handling for now.
2011-12-15 12:46:15 -05:00
Seth Hall
f1f5719f83
Fixed a small bug major problem with email delay timeout catching.
2011-12-15 12:41:05 -05:00
Seth Hall
2d97e25eeb
Initial fixes for the problem of async actions with notice email extensions.
2011-12-15 12:27:41 -05:00
Jon Siwek
86cba4c33f
Fix missing action in notice policy for looking up GeoIP data.
2011-12-13 16:17:44 -06:00
Seth Hall
76a0b9ad3c
Fixed some DPD signatures for IRC. Fixes ticket #311.
- The larger issue from ticket 313 still stands.
2011-12-10 22:33:49 -05:00
Seth Hall
ec721dffec
Added is_orig fields to the SSL events and adapted script.
- Added a field named $last_alert to the SSL log. This doesn't even
indicate the direction the alert was sent, but we need to start somewhere.
- The x509_certificate function has an is_orig field now instead of
is_server and its position in the argument list has moved.
- A bit of reorganization and cleanup in the core analyzer.
2011-12-09 16:56:12 -05:00
Bernhard Amann
0313039977
log protocol in notices.
2011-12-08 14:44:45 -08:00
Seth Hall
04e2773d30
Fixed some bugs with capturing data in the base DNS script.
2011-12-08 13:06:45 -05:00
Jon Siwek
506a42638a
Omit loading local-<node>.bro scripts from base cluster framework.
The loading of these is better handled by BroControl and it seems
odd to load them from a base/ script anyway since they'll contain
site/policy specific code.
Addresses #663
2011-12-05 13:02:39 -06:00
Robin Sommer
df3ae4b30d
Merge remote-tracking branch 'origin/topic/jsiwek/remote-log-peer'
* origin/topic/jsiwek/remote-log-peer:
Add a remote_log_peer event which contains an event_peer record param.
Closes #493.
2011-12-01 16:02:11 -08:00
Jon Siwek
0c8b5a712d
Add a remote_log_peer event which contains an event_peer record param.
Addresses #493.
2011-12-01 14:07:08 -06:00
Seth Hall
70004cb04d
Small updates to address the "globals" ticket.
Fixes #633
2011-11-30 11:35:53 -05:00
Seth Hall
bb47289bfa
Some updates to the base DNS script.
- Answers and TTLs are now vectors.
- The warning that was being generated (dns_reply_seen_after_done)
from transaction ID reuse is fixed.
- Updated the single failing btest baseline.
2011-11-30 10:19:41 -05:00
Robin Sommer
c35094ea0b
Update missing in last commit to this branch.
2011-11-15 16:42:23 -08:00
Robin Sommer
2dc04b2ce5
Merge remote-tracking branch 'origin/master' into topic/robin/pp-alarms
2011-11-15 08:36:44 -08:00
Robin Sommer
fa76330afb
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
Binary packaging script tweaks.
More default "weird" tuning for the "SYN_with_data" notice.
Tiny bugfix for http file extraction along with test.
2011-11-15 07:53:36 -08:00
Seth Hall
4942767c4d
More default "weird" tuning for the "SYN_with_data" notice.
- I think the default tuning should be that anything not requiring
a session to be established should use ACTION_LOG_PER_ORIG.
- We need to get some tie-in with the metrics framework in place
so that we can find when lots of these values are being suppressed.
2011-11-14 16:12:38 -05:00
Seth Hall
d14349a6f8
Merge remote-tracking branch 'origin/master' into fastpath
2011-11-14 16:06:44 -05:00
Seth Hall
b12d2c768e
Tiny bugfix for http file extraction along with test.
2011-11-14 15:24:15 -05:00
Robin Sommer
e0692b898e
Merge branch 'master' into topic/robin/pp-alarms
2011-11-03 15:30:41 -07:00
Robin Sommer
41a443677b
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
No longer write to the PacketFilter::LOG stream if not reading traffic.
2011-11-03 15:27:23 -07:00
Robin Sommer
c4d6f814ff
Tuning the pretty-printed alarms output.
- Now including the included time range into the subject.
- With some notices, it got confused who's the originator.
2011-11-02 18:09:09 -07:00
Seth Hall
507b51c957
No longer write to the PacketFilter::LOG stream if not reading traffic.
2011-11-02 15:09:57 -04:00
Seth Hall
ae3ae9a75b
Awful fix for SSH login detection.
- We need a counted measure of payload bytes (not ack tracking and
not with the IP header which is what we have now).
2011-10-27 09:41:34 -04:00
Robin Sommer
f3ed235ba7
Tuning the format of the pretty-printed alarm summaries.
Turns out the old format doesn't work well with the new scripts.
2011-10-26 21:12:16 -07:00
Robin Sommer
5b79d2b15f
Baseline updates.
Also a small tweak to the genDocSourcesList.sh as I was seeing
non-consistent output order.
2011-10-26 15:27:03 -07:00
Robin Sommer
ec2a8d7904
Merge remote-tracking branch 'origin/topic/robin/pp-alarms'
* origin/topic/robin/pp-alarms:
Removing debugging code.
Now actually pretty-printing the notices.
Small fixes, and new option to specify a different dest address.
A new notice script that pretty-prints alarms in the summary email.
Adding a dummy log writer WRITER_NONE that just discards everything.
2011-10-26 14:44:46 -07:00
Robin Sommer
314e9c41f9
Removing debugging code.
2011-10-26 14:39:07 -07:00
Robin Sommer
eb6313adcb
Now actually pretty-printing the notices.
Output is similar to Bro 1.x.
2011-10-26 13:42:42 -07:00
Robin Sommer
39ed489028
Small fixes, and new option to specify a different dest address.
2011-10-26 11:12:50 -07:00
Robin Sommer
73d5643302
A new notice script that pretty-prints alarms in the summary email.
It works already, but the actual pretty-printing is still missing.
2011-10-26 10:40:12 -07:00
Jon Siwek
55978d1c18
Changed generated root cert DN format for RFC2253 compliance.
2011-10-25 11:09:31 -05:00
Seth Hall
b2323305f8
Adding sub messages to emails.
2011-10-25 11:36:24 -04:00
Seth Hall
4753f2aeca
Adding extra fields to smtp and http to track transaction depth.
- This will help with linking in analysis scripts and databases later.
- Test baseline updates coming in a few minutes.
2011-10-25 11:34:48 -04:00
Seth Hall
2131468b08
Merging this branch. It's working better than the existing code.
2011-10-25 11:17:19 -04:00