Mauro Palumbo
1f7f42daea
drop services starting with -
2019-07-31 17:07:10 +02:00
Mauro Palumbo
f7a8e8c8fb
remove service from key for Cluster::publish_hrw
2019-07-31 16:28:25 +02:00
Mauro Palumbo
55013fa128
remove check for empty services
2019-07-31 16:08:36 +02:00
Mauro Palumbo
780aae8e51
remove empty services and include udp active connections when logging in connection_state_remove
2019-07-31 15:52:43 +02:00
Mauro Palumbo
9e1e177621
order list of services in store key
2019-07-31 11:11:28 +02:00
Mauro Palumbo
ddf2d2d8a9
remove repeated services in logs if already seen
2019-07-31 11:11:05 +02:00
Mauro Palumbo
cc0f0e2f09
add multiprotocol known_services when Known::use_service_store = T
2019-07-31 11:06:20 +02:00
Mauro Palumbo
98f8eb6317
remove hyphen in front of some services (for example -HTTP, -SSL)
In some cases, there is a hyphen before the protocol name in the field
connection$service. This can cause problems in known_services and
is removed here. It probably originates in some analyzer, where it
would be better removed in the future.
2019-07-31 10:53:43 +02:00
Mauro Palumbo
9faabe9991
add multiprotocol known_services when Known::use_service_store = F
2019-07-31 10:52:29 +02:00
Johanna Amann
e382369091
Merge branch 'master' of https://github.com/sfinlon/zeek
* 'master' of https://github.com/sfinlon/zeek :
Fix CIF integration and add logging options to intel.log and add comments to code
2019-07-03 01:58:04 -07:00
sfinlon
fe46035366
Fix CIF integration and add logging options to intel.log and add comments to code
2019-07-01 23:54:24 -04:00
Jon Siwek
bfd037989b
Remove deprecated open_log_file and log_file_name functions
2019-06-27 17:43:20 -07:00
Jon Siwek
56bb28a636
Merge remote-tracking branch 'origin/topic/jsiwek/gh-387-broker-topic-names'
* origin/topic/jsiwek/gh-387-broker-topic-names:
GH-387: update Broker topic names to use "zeek/" prefix
2019-06-14 19:30:51 -07:00
Jon Siwek
dfed213f31
Deprecate functions with "bro" in them.
* "bro_is_terminating" is now "zeek_is_terminating"
* "bro_version" is now "zeek_version"
The old function names still exist for now, but are deprecated.
2019-06-05 16:18:57 -07:00
Jon Siwek
b5050437fa
GH-379: move catch-and-release and unified2 scripts to policy/
These are no longer loaded by default due to the performance impact they
cause simply by being loaded (they have event handlers for commonly
generated events) and they aren't generally useful enough to justify it.
2019-06-05 13:33:45 -07:00
Jon Siwek
1ce0fcce49
GH-387: update Broker topic names to use "zeek/" prefix
2019-05-29 15:56:37 -07:00
Daniel Thayer
be182aac83
More bro-to-zeek renaming in scripts and other files
2019-05-16 02:36:41 -05:00
Jon Siwek
6ad7099f7e
Merge remote-tracking branch 'origin/topic/robin/gh-239'
* origin/topic/robin/gh-239:
Undo a change to btest.cfg from a recent commit
Updating submodule.
Fix zeek-wrapper
Update for renaming BroControl to ZeekControl.
Updating submodule.
GH-239: Rename bro to zeek, bro-config to zeek-config, and bro-path-dev to zeek-path-dev.
2019-05-14 13:27:40 -07:00
Jon Siwek
f2f06d66c0
Remove previously deprecated policy/protocols/smb/__load__
2019-05-02 20:50:30 -07:00
Johanna Amann
5d44735209
Remove deprecated functions/events
This commit removes functions/events that have been deprecated in Bro
2.6. It also removes the detection code that checks if the old
communication framework is used (since all the functions that are
checked were removed).
Addresses parts of GH-243
2019-05-02 12:06:39 -07:00
Robin Sommer
789cb376fd
GH-239: Rename bro to zeek, bro-config to zeek-config, and bro-path-dev to zeek-path-dev.
This also installs symlinks from "zeek" and "bro-config" to a wrapper
script that prints a deprecation warning.
The btests pass, but this is still WIP. broctl renaming is still
missing.
#239
2019-05-01 21:43:45 +00:00
Jon Siwek
aebcb1415d
GH-234: rename Broxygen to Zeexygen along with roles/directives
* All "Broxygen" usages have been replaced in
code, documentation, filenames, etc.
* Sphinx roles/directives like ":bro:see" are now ":zeek:see"
* The "--broxygen" command-line option is now "--zeexygen"
2019-04-22 19:45:50 -07:00
Jon Siwek
3ea34d6ea3
GH-236: Add zeek_script_loaded event, deprecate bro_script_loaded
2019-04-19 12:02:22 -07:00
Jon Siwek
a994be9eeb
Merge remote-tracking branch 'origin/topic/seth/zeek_init'
* origin/topic/seth/zeek_init:
Some more testing fixes.
Update docs and tests for bro_(init|done) -> zeek_(init|done)
Implement the zeek_init handler.
2019-04-19 11:24:29 -07:00
Seth Hall
8cefb9be42
Implement the zeek_init handler.
Implements the change and a test.
2019-04-14 08:37:35 -04:00
Daniel Thayer
18bd74454b
Rename all scripts to have ".zeek" file extension
2019-04-11 21:12:40 -05:00
Daniel Thayer
bff8392ad4
Remove unnecessary ".bro" from @load directives
Removed ".bro" file extensions from "@load" directives because
they are not needed.
2019-03-31 02:24:47 -05:00
Justin Azoff
73954bca27
Reduce weird-stats overhead
observe_weird_stats only needs to be called when cluster_ss_request is
called for the weirds.statistics stat, not for all of them.
2019-03-27 11:06:39 -04:00
Jon Siwek
8b29df96cc
Merge branch 'master' of https://github.com/hosom/zeek
* 'master' of https://github.com/hosom/zeek :
Normalize the intel seen filename for smb.
load smb-filenames in scripts/policy/frameworks/intel/seen/__load__.bro
Add SMB::IN_FILE_NAME to Intel::Where enum
Support filenames for SMB files
I added a test case
2019-03-25 16:45:59 -07:00
Jan Grashoefer
c301e1c9b4
Added policy script for intel removal.
2019-03-24 22:16:13 +01:00
Jon Siwek
01d303b480
Migrate table-based for-loops to key-value iteration
2019-03-15 19:54:44 -07:00
Jon Siwek
03ac32adec
Merge branch 'topic/dopheide/fix-ssh-geo-data' of https://github.com/dopheide-esnet/bro
* 'topic/dopheide/fix-ssh-geo-data' of https://github.com/dopheide-esnet/bro :
Fix geo-data to log remote_location data when auth is successful.
2019-03-15 13:03:59 -07:00
Michael Dopheide
0f6f6cdb29
Fix geo-data to log remote_location data when auth is successful.
2019-03-13 14:14:38 -05:00
Stephen Hosom
1d5eac4ee1
Normalize the intel seen filename for smb.
2019-02-27 09:24:52 -05:00
Stephen Hosom
2d3a21968e
load smb-filenames in scripts/policy/frameworks/intel/seen/__load__.bro
2019-02-27 08:56:28 -05:00
Stephen Hosom
8ce6d67acc
Add SMB::IN_FILE_NAME to Intel::Where enum
This should reduce the ambiguity of where precisely the indicator was
seen so that it isn't confused with the normal File::IN_NAME hit.
2019-02-27 08:53:52 -05:00
Stephen Hosom
4ae92161e9
Support filenames for SMB files
Hook file_new to observe filenames in SMB traffic and fire into Intel::seen
2019-02-27 08:47:53 -05:00
Johanna Amann
2e2f611df5
Merge branch 'master' of https://github.com/hosom/zeek
* 'master' of https://github.com/hosom/zeek :
Add fuid to SSL:Invalid_Server_Cert notice
2019-01-29 14:52:34 -08:00
Stephen Hosom
e30a02e186
Add fuid to SSL:Invalid_Server_Cert notice
This is a very basic quality of life improvement. It should make it
much easier to find additional information about the certificate
in question.
2019-01-29 13:34:51 -05:00
Jon Siwek
0cc5e4e044
Add missing record field comment
2018-10-26 10:42:05 -05:00
Jon Siwek
8d0087154a
Add missing record field comments
2018-10-26 10:24:30 -05:00
Jon Siwek
c2c5754e28
Merge branch 'topic/jazoff/sqli-policy-hook' of https://github.com/JustinAzoff/bro
* 'topic/jazoff/sqli-policy-hook' of https://github.com/JustinAzoff/bro :
add sqli_policy hook
2018-09-19 15:22:45 -05:00
Justin Azoff
a599c5d997
add sqli_policy hook
Add a hook that can be used to prevent specific requests from being
counted towards SQL injection.
2018-09-19 14:11:45 -04:00
Jon Siwek
c85cfdd470
Add @deprecate to policy/protocols/smb/__load__.bro
2018-08-31 09:26:22 -05:00
Jon Siwek
57a505b0e4
Allow loading policy/protocols/smb once again
It just redirects to base/protocols/smb
2018-08-30 16:07:04 -05:00
Jon Siwek
7e6fc58ab4
Merge remote-tracking branch 'origin/topic/johanna/tls-more-data'
* origin/topic/johanna/tls-more-data:
Update NEWS for ssl changes.
SSL: test updates for record_layer version
Final touches to SSL events with record layer version.
Introduce ssl_plaintext_data event.
Add record layer version to event ssl_encrypted_data.
Add compression methods to ssl_client_hello event.
2018-08-30 09:48:25 -05:00
Jon Siwek
31d8391af0
Fix a routing loop in control framework
A controllee now subscribes to a topic prefix based on their node ID
instead of the common control topic prefix.
2018-08-28 19:50:53 -05:00
Johanna Amann
27d47314f7
Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data
2018-08-27 09:25:40 -07:00
Daniel Thayer
8b0b7d3304
Merge remote-tracking branch 'origin/master' into topic/dnthayer/ticket1963
2018-08-24 16:06:05 -05:00
Daniel Thayer
01a899255e
Convert more redef-able constants to runtime options
2018-08-24 16:05:44 -05:00