LDAP supports both UDP and TCP as separate analyzers. The corpus
is identical, however. Started to hit the TLS analyzer fairly
quickly, too.
Closes #3860
The current test attempts to instantiate two spicy::SSH_1 protocol
analyzers in the .evt file. The intention likely was to use two
distinct protocol analyzers, both trying to replace the builtin SSH
analyzer.
Coincidentally, fixing this happens to work around TSAN errors tickled
by the FatalError() call while loading the .hlto with two identically
named analyzers.
$ cat .tmp/spicy.replaces-conflicts/output
error: redefinition of protocol analyzer spicy::SSH_1
ThreadSanitizer: main thread finished with ignores enabled
One of the following ignores was not ended (in order of probability)
Ignore was enabled at:
#0 __llvm_gcov_init __linker___d192e45c25d5ee23-484d3e0fc2caf5b4.cc (ssh.hlto+0x34036) (BuildId: 091934ca4da885e7)
#1 __llvm_gcov_init __linker___d192e45c25d5ee23-484d3e0fc2caf5b4.cc (ssh.hlto+0x34036) (BuildId: 091934ca4da885e7)
...
I was tempted to replace FatalError() with Error() and rely on
zeek-setup.cc's early exiting on any reporter errors, but this
seems easier for now.
Relates to #3865.
* origin/topic/timw/3081-prof-log-metrics:
Remove some unnecessary #includes
Avoid capturing 'this' for callback in telemetry::Manager
Make telemetry metrics out of MsgThread statistics
Split cpu time metric into user/system components like prof.log
Move broker statistics to be telemetry metrics
Add timer counts as telemetry metrics
Move thread manager stats to telemetry metric
Add extra metrics to session_mgr
Move dns_mgr stats to telemetry instruments
Move trigger stats to telemetry instruments
Move pulling of global state inside 'expensive' check for stats
This avoids the callbacks from being processed on the worker thread
spawned by Civetweb. It fixes data race issues with lookups involving
global variables, amongst other threading issues.
The ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap file was harvested
from the CTU-SME-11 (Experiment-VM-Microsoft-Windows7AD-1) dataset
at https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
Closes #3853
* origin/topic/awelzel/mysql-amazing-pp-issue-2716-additions:
mysql: Simplify length computation
mysql: Improve date and time parsing
btest/mysql: Clean query-attr.pcapng
mysql: Support non-string query attributes
btest/mysql: Add pcap with non-string query attributes
mysql: Introduce mysql_ssl_request event
mysql: Fix EOFIfLegacyThenResultSet
mysql: Add data parameter to mysql_auth_plugin
mysql: Add mysql_auth_plugin, mysql_auth_more_data and mysql_auth_switch_request events
mysql: AuthSwitchRequest: &enforce a 0xfe / 254 status
mysql: Make auth_plugin_ a std::string
mysql: Fix auth_plugin_data_part2 length computation
Refactored connection phase state handling
Add support for "auth switch" and "query attrs"
Add support for parsing the "caching_sha2_password" auth plugin
Pcap was generated as follows. It doesn't seem Wireshark even parses
this properly right now.

import datetime

import common  # test-local helper module providing get_connection()

with common.get_connection() as c:
    with c.cursor() as cur:
        # Non-string query attributes: an integer, a date and a datetime
        date1 = datetime.date(1987, 10, 18)
        datetime1 = datetime.datetime(1990, 9, 26, 12, 13, 14)
        cur.add_attribute("number1", 42)
        cur.add_attribute("string1", "a string")
        cur.add_attribute("date1", date1)
        cur.add_attribute("datetime1", datetime1)
        cur.execute("SELECT version()")
        result = cur.fetchall()
        print("result", result)
Remove caching_sha2_password parsing/state from the analyzer and implement
the generic events. If we actually want to peek into the authentication
mechanism, we could write a separate analyzer for it. For now, treat it
as opaque values that are exposed to script land.
The added tests show the --get-server-public-key in use where
mysql_auth_more_data contains an RSA public key.