Henri DF
a645e38b78
Recursively handle into container types in record_fields()
2019-11-13 15:28:06 +01:00
Henri DF
26633eb727
Print full container types in record_fields()
2019-11-12 13:19:12 +01:00
Jon Siwek
63fe835acf
Allow record_fields() string arguments that name a record type
2019-11-01 12:46:17 -07:00
Jon Siwek
8d31baf3b7
Fix Travis CI script to run Coverity build in container
It was previously running on the host and didn't have an adequate compiler
to do C++17.
2019-10-31 12:09:18 -07:00
Jon Siwek
9c4e44924f
GH-664: fix signature matching for payload-carrying SYN packets
Or more generally, signatures would not work correctly for any case
where the first TCP packet seen contained payload data, regardless of
its TCP flags.
2019-10-29 17:20:08 -07:00
Jon Siwek
36d7628bcb
Install cmake3 from EPEL on CentOS CI system
2019-10-28 20:18:45 -07:00
Johanna Amann
44086c1f03
Merge remote-tracking branch 'origin/topic/jsiwek/gh-654-coerce-unspecified-table-defaults'
* origin/topic/jsiwek/gh-654-coerce-unspecified-table-defaults:
GH-654: allow table() in function &default expressions
GH-654: allow table() in record &default expressions
Fixes GH-654
2019-10-28 20:59:39 +01:00
Robin Sommer
29164c5992
Merge remote-tracking branch 'origin/topic/jsiwek/gh-585-c++17'
* origin/topic/jsiwek/gh-585-c++17:
Update Travis CI config for C++17
GH-585: Require C++17
2019-10-28 10:06:16 +00:00
Robin Sommer
9d7c9f37d4
Merge branch 'Fix_http_build_url' of ssh://github.com/Olerdrive/zeek
I changed the format string of the port to %d and added a test.
2019-10-28 09:32:32 +00:00
Jon Siwek
b698c5507a
GH-654: allow table() in function &default expressions
Table parameters of functions previously did not coerce unspecified
tables used in their &default attribute to the correct type.
2019-10-25 13:00:46 -07:00
Jon Siwek
34bf78984b
GH-654: allow table() in record &default expressions
Table fields of records previously did not coerce unspecified tables
used in their &default attribute to the correct type.
2019-10-25 12:48:52 -07:00
Jon Siwek
81ab0b0d05
Use explicit path name for NTP log stream
For consistency (we do this for all other logs) and just to avoid
the extra path function calls.
2019-10-25 10:38:58 -07:00
Jon Siwek
08e2f97393
Update Travis CI config for C++17
Several platforms didn't have a C++17 compiler in their default repos.
Also moved from Fedora 28 to Fedora 30 since that will soon be the
oldest, still-supported version.
2019-10-24 22:27:54 -07:00
Jon Siwek
4bf3c6ff22
Improve &default validation for global vars: exclude sets
2019-10-15 18:24:35 -07:00
Johanna Amann
5265613a9e
Merge remote-tracking branch 'origin/topic/jsiwek/gh-618-tcp-option-values'
* origin/topic/jsiwek/gh-618-tcp-option-values:
Add weirds for invalid TCP option lengths
GH-618: add "tcp_options" event containing TCP option values
Fix tcp_option event
2019-10-15 16:50:43 -07:00
Johanna Amann
f62a51b41b
Merge remote-tracking branch 'origin/topic/jsiwek/fix-table-default-redef'
* origin/topic/jsiwek/fix-table-default-redef:
Fix redef'ing a table with a new &default attribute
2019-10-14 22:06:35 -07:00
Johanna Amann
66effde97d
Merge remote-tracking branch 'origin/topic/seth/624'
* origin/topic/seth/624:
Support whitespace at end of line for config reader.
This merge fixes a failing test; it also sprinkles a few more spaces
into another test file.
The main change is that this now also works with configuration lines
that don't have a value.
2019-10-14 21:47:59 -07:00
Seth Hall
cd06cb24cc
Support whitespace at end of line for config reader.
This commit addresses issue #624
2019-10-14 11:43:16 -04:00
Jon Siwek
42b6040952
Fix redef'ing a table with a new &default attribute
2019-10-11 18:57:03 -07:00
Johanna Amann
916205e254
Merge remote-tracking branch 'origin/topic/jsiwek/print-raw-bif'
* origin/topic/jsiwek/print-raw-bif:
Add new BIF: print_raw()
2019-10-08 15:15:55 -07:00
Johanna Amann
e615d1f4a8
Merge remote-tracking branch 'origin/topic/jsiwek/gh-589-sub-microsecond-printing'
* origin/topic/jsiwek/gh-589-sub-microsecond-printing:
GH-589: improve printing of sub-microsecond intervals
2019-10-07 10:51:40 -07:00
Jon Siwek
052feacbda
GH-618: add "tcp_options" event containing TCP option values
2019-10-03 18:59:02 -07:00
Jon Siwek
222e3ad3ea
Fix tcp_option event
It was not being raised in all the cases it should have been due to
an incorrect/unnecessary truncation check.
2019-10-03 17:55:07 -07:00
Jon Siwek
39b06e3cee
GH-591: allow Config::set_value() to use empty/unspecified table/sets
2019-10-02 22:13:43 -07:00
Jon Siwek
fd66e7b9f6
GH-591: fix reading set[enum] values from input files
2019-10-02 22:09:16 -07:00
Jon Siwek
5622df4d1b
Add new BIF: print_raw()
This is a convenience function to make it easier to print literal byte
sequences to stdout without additional escaping like what may be added
by the default `print` statement behavior.
For example, related to GH-596, `print` currently escapes even valid
UTF-8 byte sequences and makes it difficult to output valid JSON strings
containing such.
2019-10-02 15:21:24 -07:00
Jon Siwek
a5d71ed2d2
Merge remote-tracking branch 'origin/topic/timw/595-json-perf'
* origin/topic/timw/595-json-perf:
Update COPYING.3rdparty
Use json::emplace to avoid some extra calls to operator[]
Use tessil/unordered-map instead of nlohmann/fifo-map to mitigate performance issues when logging JSON
2019-10-01 16:42:59 -07:00
Jon Siwek
a34ade4876
Improve RecordVal JSON formatting
No need to create a record introspection table each time when all
the required information can be obtained directly in the RecordVal
and RecordType objects. Besides the additional overhead, using such
a table will re-order the fields arbitrarily instead of using the
order in which they're defined.
2019-09-30 19:04:55 -07:00
Jon Siwek
d258ebe5ca
Fix memory leak in RecordVal JSON formatting
2019-09-30 19:02:33 -07:00
Jon Siwek
97519e4350
Merge remote-tracking branch 'origin/topic/timw/606-json-nulls'
* origin/topic/timw/606-json-nulls:
GH-606: Output nulls into json data if a field isn't set
2019-09-30 17:40:27 -07:00
Tim Wojtulewicz
d4c394b72a
GH-606: Output nulls into json data if a field isn't set
2019-09-27 14:12:48 -07:00
Tim Wojtulewicz
756f363185
GH-598: handle multi-key sets correctly when outputting json
2019-09-27 12:01:47 -07:00
Tim Wojtulewicz
d4d1009b5c
Use json::emplace to avoid some extra calls to operator[]
2019-09-27 09:58:24 -07:00
Jon Siwek
f287d9abe8
GH-589: improve printing of sub-microsecond intervals
2019-09-23 19:57:49 -07:00
Jon Siwek
aeef4bf030
Merge branch 'topic/jgras/dpd-late-match' of https://github.com/J-Gras/zeek
* 'topic/jgras/dpd-late-match' of https://github.com/J-Gras/zeek :
Improve dpd_late_match event generation.
Improve logging of speculative service.
Update test-all-policy script.
Add speculative service script.
Allow to handle late DPD matches.
2019-09-17 11:17:41 -07:00
Robin Sommer
6f9d1ec72d
Merge remote-tracking branch 'origin/topic/jsiwek/gh-566-fix-ssh-encrypted-packet'
* origin/topic/jsiwek/gh-566-fix-ssh-encrypted-packet:
GH-566: fix cases where ssh_encrypted_packet event wasn't raised
2019-09-17 17:22:27 +00:00
Dominik Charousset
c1f3fe7829
Switch from header guards to pragma once
2019-09-17 14:10:30 +02:00
Jon Siwek
9c8db5f6ca
Stop loading scan detection in local.zeek by default
2019-09-16 10:51:50 -07:00
Jon Siwek
30da2f83d0
GH-566: fix cases where ssh_encrypted_packet event wasn't raised
When encrypted data was bundled within the same segment as the NewKeys
message, it wasn't reported via an ssh_encrypted_packet event as
it should have been.
2019-09-03 17:34:24 -07:00
Jan Grashoefer
81b2b21211
Improve logging of speculative service.
2019-08-30 15:16:37 +02:00
Jan Grashoefer
788b56a652
Add speculative service script.
The speculative service script handles dpd_late_match events to extend
conn.log with info about potential protocol identifications.
2019-08-29 11:47:04 +02:00
Johanna Amann
bb98559c0d
Merge remote-tracking branch 'origin/topic/jsiwek/gh-545-weird-addl'
* origin/topic/jsiwek/gh-545-weird-addl:
GH-545: add "addl" parameter to flow_weird and net_weird events
2019-08-28 14:27:53 -07:00
Johanna Amann
ec57894a85
Merge remote-tracking branch 'origin/topic/jsiwek/gh-541-ntlm-fix'
* origin/topic/jsiwek/gh-541-ntlm-fix:
GH-541: add test cases for NTLM AV Pair sequence handling
GH-541: fix handling of NTLM AV Pair sequences
2019-08-28 11:33:49 -07:00
Jon Siwek
289a1e2e8e
Merge branch '555-smb3-negotiate-context-fix' of https://github.com/mad/zeek
- Fixed the context list padding to only be used for dialect 0x0311.
The new test case includes an example where parsing the optional
padding would fail for another dialect.
* '555-smb3-negotiate-context-fix' of https://github.com/mad/zeek :
Fix for smb3 negotiate context
2019-08-27 10:08:42 -07:00
Pavel Ershov
de4a83206d
Fix for smb3 negotiate context
2019-08-27 12:21:03 +03:00
Jon Siwek
b954767488
GH-541: add test cases for NTLM AV Pair sequence handling
2019-08-26 10:28:46 -07:00
Tim Wojtulewicz
01207c0720
Fix unit tests for new ordering from NetSessions::Drain
2019-08-21 09:24:02 -04:00
Jon Siwek
2d7c926291
GH-545: add "addl" parameter to flow_weird and net_weird events
2019-08-20 22:45:22 -04:00
Robin Sommer
8ab0650c1e
Merge remote-tracking branch 'origin/topic/jsiwek/gh-532-improve-disable-analyzer'
Includes fix for potential iterator invalidation during iteration.
* origin/topic/jsiwek/gh-532-improve-disable-analyzer:
GH-532: improve disable_analyzer BIF
2019-08-16 18:46:35 +00:00
Jon Siwek
9ccf3549fd
Merge remote-tracking branch 'origin/topic/timw/360-log-gzip'
* origin/topic/timw/360-log-gzip:
Add new LogAscii::gzip_file_extension option.
Adjusted documentation during merge.
2019-08-13 13:49:45 -07:00