Steve Smoot
9ef579b09e
Change from_json to return an error rather than print it.
2025-04-23 15:56:12 -07:00
Arne Welzel
011029addc
cluster/websocket: Make websocket dispatcher queue size configurable
Limit the number of WebSocket events queued from external clients to
dispatcher instances to produce back pressure to the clients if
Zeek's IO loop is overloaded.
2025-04-23 14:27:43 +02:00
Arne Welzel
ab25e5d24b
broker/main: Reference Cluster::publish() for auto_publish() deprecation
In hindsight, this is the better thing to do and with Zeek 7.2 we should
be confident enough that it'll work.
2025-04-23 14:27:43 +02:00
Arne Welzel
a7423104e1
broker/main: Deprecate Broker::listen_websocket()
Optimistically deprecate Broker::listen_websocket() and promote
Cluster::listen_websocket() instead.
2025-04-23 14:27:43 +02:00
Arne Welzel
3d3b7a0759
cluster/Backend: Add ProcessError()
Allow backends to pass errors to a strategy. Locally, these raise
Cluster::Backend::error() events that are logged to the reporter
as errors.
2025-04-23 14:19:08 +02:00
Christian Kreibich
549e678dff
Use Broker peering directionality when re-peering after backpressure overflows
This avoids creating pointless connection reattempts to ephemeral TCP
client-side ports, which have been cluttering up the Broker logs since 7.1.
2025-04-21 14:08:42 -07:00
Christian Kreibich
b430d5235c
Expand Broker APIs to allow tracking directionality of peering establishment
This provides ways to figure out for a given peer, or a given address/port pair,
whether the local node originally established the peering.
2025-04-21 14:08:42 -07:00
Arne Welzel
b8e573a3b9
ldap: Clean up from code review
Co-authored-by: Benjamin Bannier <benjamin.bannier@corelight.com>
2025-04-15 20:10:56 +02:00
Arne Welzel
07bf7f8b18
ldap: Add Sicily Authentication constants
The aduser1-ntlm.pcap contains bindRequest messages using Microsoft AD
specific Sicily Authentication [1]. Add the entries to the enum so we
don't log undefined for these and also check the NTLMSSP signature.
[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
2025-04-15 20:10:56 +02:00
Tim Wojtulewicz
cb1ef47a31
Add STORAGE_ prefixes for backends and serializers
2025-04-14 10:11:13 -07:00
Tim Wojtulewicz
e545fe8256
Ground work for pluggable storage serializers
2025-04-14 10:02:35 -07:00
Robin Sommer
9db73415cd
Spicy: Document lifetime semantics of Zeek analyzers created from Spicy.
Closes #3522.
2025-04-10 12:17:05 +02:00
Arne Welzel
6bc36e8cf8
broker/main: Adapt enum values to agree with comm.bif
Logic to detect this error already existed, but due to enum identifiers
not having a value set, it never triggered before.
Should probably backport this one.
2025-04-04 15:36:42 +02:00
Robin Sommer
94ddd7f411
Spicy: Port over to Spicy's new tuple representation.
Includes a fix for supporting CMake 4.0.
2025-04-02 14:14:26 +02:00
Tim Wojtulewicz
55e458c5f7
Add comment annotation to disable copying redef value into docs
2025-04-01 10:23:55 -07:00
Arne Welzel
14697ea6ba
Merge remote-tracking branch 'origin/topic/neverlord/broker-logging'
* origin/topic/neverlord/broker-logging:
Integrate review feedback
Hook into Broker logs via its new API
2025-03-31 18:53:43 +02:00
Christian Kreibich
98c203b8cb
Add "U" to QUIC history docstrings and expand version string docs
Looks like we overlooked documenting "U" in zeek/zeek#3526.
2025-03-27 13:29:40 -07:00
Christian Kreibich
2199cb1ddd
Remove "experimental" from the QUIC history field's comment string [skip ci]
We're unlikely to fundamentally change (or remove) this field at this point, and
some users wondered whether we might do so, given the labeling.
2025-03-26 14:03:52 -07:00
Arne Welzel
2963c49f27
cluster/zeromq: Fix node_topic() and nodeid_topic()
Due to prefix matching, worker-1's node_topic() also matched worker-10,
worker-11, etc. Suffix the node topic with a `.`. The original implementation
came from NATS, where subjects are separated by `.`.
Adapt nodeid_topic() for consistency.
2025-03-24 18:36:26 +01:00
Tim Wojtulewicz
43faea880b
Add analyzer registration from VLAN to VNTAG
2025-03-18 11:51:27 -07:00
Tim Wojtulewicz
c7015e8250
Split storage.bif file into events/sync/async, add more comments
2025-03-18 10:20:34 -07:00
Tim Wojtulewicz
f40947f6ac
Update comments in script files, run zeek-format on all of them
2025-03-18 10:20:34 -07:00
Tim Wojtulewicz
a40db844eb
Redis: Handle disconnection correctly via callback
2025-03-18 10:20:34 -07:00
Tim Wojtulewicz
c7503654e8
Add IN_PROGRESS return code, handle for async backends
2025-03-18 10:20:34 -07:00
Tim Wojtulewicz
9ed3e33f97
Completely rework return values from storage operations
2025-03-18 10:20:33 -07:00
Tim Wojtulewicz
c247de8ec3
Redis: Rework everything to only use async mode
2025-03-18 10:20:33 -07:00
Tim Wojtulewicz
40f60f26b3
Run expiration on a separate thread
2025-03-18 10:20:33 -07:00
Tim Wojtulewicz
a485b1d237
Make backend options a record, move actual options to be sub-records
2025-03-18 10:20:33 -07:00
Tim Wojtulewicz
28951dccf1
Split sync and async into separate script-land namespaces
2025-03-18 10:20:33 -07:00
Tim Wojtulewicz
f1a7376e0a
Return generic result for get operations that includes error messages
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
4695060d75
Allow opening and closing backends to be async
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
52d94b781a
Redis: Force storage sync mode when reading pcaps, default to async mode
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
31e146b16d
Redis: Add new backend
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
3e8ff836aa
SQLite: Add tuning options to configuration
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
9d1eef3fbc
Add basic SQLite storage backend
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
7ad6a05f5b
Add infrastructure for asynchronous storage operations
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
d07d27453a
Add infrastructure for automated expiration of storage entries
This is used for backends that don't support expiration natively.
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
8dee733a7d
Change args to Storage::put to be a record
The number of args being passed to the put() methods was getting to be
fairly long, with more on the horizon. Changing to a record means simplifying
things a little bit.
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
69d940533d
Pass key/value types for validation when opening backends
2025-03-18 09:32:34 -07:00
Tim Wojtulewicz
2ea0f3e70a
Lay out initial parts for the Storage framework
This includes a manager, component manager, BIF and script code, and
parts to support new storage backend plugins.
2025-03-18 09:32:34 -07:00
Arne Welzel
cc0c48423d
cluster/backends/zeromq: Fix rst link in docs
2025-03-12 10:11:25 +01:00
Arne Welzel
6032741868
cluster/websocket: Implement WebSocket server
2025-03-10 17:07:30 +01:00
Arne Welzel
aad512c616
cluster/zeromq: Support configuring IO threads for proxy thread
2025-03-10 17:07:30 +01:00
Arne Welzel
ba7b605a97
cluster/zeromq: Move variable lookups from DoInit() to DoInitPostScript()
2025-03-10 17:07:30 +01:00
Johanna Amann
b8c135d7cb
Remove violating analyzer from services field again
This reverts some of the recent DPD changes; specifically violations
trigger removal from the services field, again, by default.
Discussion in GH-4521
2025-03-04 15:10:49 +00:00
Benjamin Bannier
5d44073b94
Bump pre-commit hooks
2025-03-04 08:14:26 +01:00
Arne Welzel
776c003033
PacketAnalyzer::Geneve: Add get_options()
Allow extracting Geneve options on demand, for example during a
new_connection() event.
2025-02-22 12:19:42 -08:00
Dominik Charousset
20b3eca257
Integrate review feedback
2025-02-15 16:37:24 +01:00
Dominik Charousset
30615f425e
Hook into Broker logs via its new API
The new Broker API allows us to provide a custom logger to Broker that
pulls previously unattainable context information out of Broker to put
it into broker.log for users of Zeek.
Since Broker log events happen asynchronously, we cache them in a queue
and use a flare to notify Zeek of activity. Furthermore, the Broker
manager now implements the `ProcessFd` function to avoid unnecessary
polling of the new log queue. As a side effect, data stores are polled
less as well.
2025-02-08 16:28:02 +01:00
Johanna Amann
fc233fd8d0
Merge remote-tracking branch 'origin/topic/johanna/dpd-changes'
* origin/topic/johanna/dpd-changes:
DPD: failed services logging alignment
DPD: update test baselines; change options for external tests.
DPD: change policy script for service violation logging; add NEWS
DPD changes - small script fixes and renames.
Update public and private test suite for DPD changes.
Allow to track service violations in conn.log.
Make conn.log service field ordered
DPD: change handling of pre-confirmation violations, remove max_violations
DPD: log analyzers that have confirmed
IRC analyzer - make protocol confirmation more robust.
2025-02-07 07:35:30 +00:00