Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 07:08:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
3958 commits 386 branches 195 tags 257 MiB
Commit graph

514 commits

Author SHA1 Message Date
Bernhard Amann
53af0544cc re-enable table events 2011-11-21 19:03:35 -08:00
Bernhard Amann
18591b53d4 rename filter to tablefilter in preparation of event filters... 2011-11-21 15:20:52 -08:00
Bernhard Amann
b3f01915fb compiles with basic new filter framework - but crashes on use. 2011-11-20 12:07:50 -08:00
Bernhard Amann
e2c521fc4e start reworking input framework... 
does not compile at the moment, but there are a few uncommitted changes that will be reverted in the next commit.
 2011-11-18 10:49:20 -08:00
Bernhard Amann
4dd95fcf3c support for uninitialized fields & empty sets and tables. 
The only snag is... with the default output format of the log-file writer, the input reader cannot tell if a table or set is empty or uninitialized (both cases use the same character by default). In this case, by default it is assumed that the field/vector is uninitalized.
 2011-11-16 23:51:51 -08:00
Bernhard Amann
4fef1e3f8c set & entry separator configuration (with the restriction that they have to be exactly one character long) 2011-11-16 22:47:28 -08:00
Robin Sommer
c35094ea0b Update missing in last commit to this branch. 2011-11-15 16:42:23 -08:00
Bernhard Amann
b62e6899ad Merge remote-tracking branch 'origin/master' into topic/bernhard/input 2011-11-15 11:00:24 -08:00
Robin Sommer
2dc04b2ce5 Merge remote-tracking branch 'origin/master' into topic/robin/pp-alarms 2011-11-15 08:36:44 -08:00
Bernhard Amann
cde8153c18 switch to set if record or simple value is desired. 2011-11-15 08:36:03 -08:00
Seth Hall
4942767c4d More default "weird" tuning for the "SYN_with_data" notice. 
- I think the default tuning should be that anything not requiring
  a session to be established should use ACTION_LOG_PER_ORIG.

- We need to get some tie-in with the metrics framework in place
  so that we can find when lots of these values are being suppressed.
 2011-11-14 16:12:38 -05:00
Bernhard Amann
1d39eaf32d small fixes, less leakiness 2011-11-04 15:03:40 -07:00
Bernhard Amann
2aa0f6da57 beautify script calls, track filters 2011-11-04 14:33:34 -07:00
Bernhard Amann
72736510de Merge remote-tracking branch 'origin/master' into input 2011-11-04 14:12:59 -07:00
Bernhard Amann
2e3874331d support for filters and little event fix 2011-11-04 12:41:10 -07:00
Robin Sommer
e0692b898e Merge branch 'master' into topic/robin/pp-alarms 2011-11-03 15:30:41 -07:00
Robin Sommer
41a443677b Merge remote-tracking branch 'origin/fastpath' 
* origin/fastpath:
  No longer write to the PacketFilter::LOG stream if not reading traffic.
 2011-11-03 15:27:23 -07:00
Robin Sommer
c4d6f814ff Tuning the pretty-printed alarms output. 
- Now including the included time range into the subject.

- With some notices, it got confused who's the orginator.
 2011-11-02 18:09:09 -07:00
Bernhard Amann
86730c13dd more complex types... 2011-11-02 15:36:35 -07:00
Bernhard Amann
b245d4168a yay, basic table assignment. 2011-11-02 15:36:35 -07:00
Bernhard Amann
5b0c307f87 very basic input to event working... 2011-11-02 15:36:34 -07:00
Bernhard Amann
3654060246 compiles. sill doesn't do much. 2011-11-02 15:36:34 -07:00
Bernhard Amann
9c8b0dec3b event from c++ to script works (at last...) 2011-11-02 15:36:33 -07:00
Seth Hall
507b51c957 No longer write to the PacketFilter::LOG stream if not reading traffic. 2011-11-02 15:09:57 -04:00
Robin Sommer
f3ed235ba7 Tuning the format of the pretty-printed alarm summaries. 
Turns out the old format doesn't work well with the new scripts.
 2011-10-26 21:12:16 -07:00
Robin Sommer
5b79d2b15f Baseline updates. 
Also a small tweak to the genDocSourcesList.sh as I was seein
non-consistent output order.
 2011-10-26 15:27:03 -07:00
Robin Sommer
ec2a8d7904 Merge remote-tracking branch 'origin/topic/robin/pp-alarms' 
* origin/topic/robin/pp-alarms:
  Removing debugging code.
  Now actually pretty-printing the notices.
  Small fixes, and new option to specify a different dest address.
  A new notice script that pretty-prints alarms in the summary email.
  Adding a dummy log writer WRITER_NONE that just discards everything.
 2011-10-26 14:44:46 -07:00
Robin Sommer
314e9c41f9 Removing debugging code. 2011-10-26 14:39:07 -07:00
Robin Sommer
eb6313adcb Now actually pretty-printing the notices. 
Output is similar to Bro 1.x.
 2011-10-26 13:42:42 -07:00
Robin Sommer
39ed489028 Small fixes, and new option to specify a different dest address. 2011-10-26 11:12:50 -07:00
Robin Sommer
73d5643302 A new notice script that pretty-prints alarms in the summary email. 
It works already, but the actual pretty-printing is still missing.
 2011-10-26 10:40:12 -07:00
Seth Hall
b2323305f8 Adding sub messages to emails. 2011-10-25 11:36:24 -04:00
Seth Hall
320739e183 Updated/fixed MSIE version parsing in the software framework. 2011-10-25 09:30:06 -04:00
Seth Hall
7f838b6181 Merge branch 'topic/seth/weird-updates' 2011-10-24 23:47:31 -04:00
Seth Hall
ff51068598 Fixing a bug with handling downgrade from weird conn to orig. 2011-10-22 01:13:15 -04:00
Seth Hall
7746f5b223 Final notice email tuning. 2011-10-21 23:08:56 -04:00
Seth Hall
0e79ec46b6 More notice email tuning. 2011-10-21 22:58:44 -04:00
Seth Hall
75e5caeff5 Attempt to make hostname notice email extension work and small format adjustments. 2011-10-21 22:51:56 -04:00
Seth Hall
74240610c5 Fixed a problem with sending notice emails I introduced earlier. 2011-10-21 22:41:43 -04:00
Seth Hall
29bace02b2 More small weird refinements to reduce overload attacks. 2011-10-21 14:31:40 -04:00
Seth Hall
0cdcf490d6 Restoring former default weird behavior for unsolicited_SYN_response. 2011-10-21 14:17:54 -04:00
Seth Hall
f0b32b21ee weird.bro rewrite. 
- I want to test it for a short while before committing it to
  master just to make sure it is a sane modification.
 2011-10-21 14:08:54 -04:00
Seth Hall
3900d88e60 Field name change to notice framwork. $result -> $action 
- $result is renamed to $action to reflect changes to the notice framework
  since there is already another result-like field ($suppress_for) and
  there may be more in the future.

- Slipped in a change to add connection information to notice emails too.
 2011-10-21 14:01:39 -04:00
Seth Hall
0803df2e14 Changed communication option from listen_encrypted to listen_ssl. 
- Robin pointed out that SSL is providing authentication
  as well as encryption so listen_ssl is a more
  proper variable name.
 2011-10-07 23:57:08 -04:00
Seth Hall
da9b8cc283 Modification to the Communication framework API. 
- Simplified the communication API and made it easier to change
  to encrypted connections by not having separate variables to
  define encrypted and unencrypted ports.

- Now, to enable listening without configuring nodes just
  load the frameworks/communication/listen script.

- If encrypted listening is desired set the following:
	redef Communication::listen_encrypted=T;

- Accompanying test updates.
 2011-10-07 13:29:26 -04:00
Seth Hall
1dd3ba7f7d Fixed another "identifier not exported" error. 2011-10-07 03:32:28 -04:00
Seth Hall
9602e6e2f3 Fixed the "identifier is not exported" error. 2011-10-07 02:51:40 -04:00
Robin Sommer
90d2136fd1 Filtering some potentially high-volume DNS weirds. 2011-10-06 18:10:15 -07:00
Robin Sommer
fe77d385e0 Merge remote-tracking branch 'origin/topic/jsiwek/broctl-tweaks' 
* origin/topic/jsiwek/broctl-tweaks:
  Consolidating some node-specific functionality from scripts in broctl repo.
 2011-10-05 16:54:39 -07:00
Jon Siwek
88e089864b Consolidating some node-specific functionality from scripts in broctl repo. 2011-10-05 16:33:40 -05:00