Robin Sommer
e4353fb96b
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
Fix memory leak in ascii input reader.
Improvements for the "bad checksums" detector to make it detect bad TCP checksums.
Improved file name extraction for SMTP when file name is included in Content-Type header.
Small tweak to "bad checksum" script to avoid potential division by zero.
2012-12-14 14:34:51 -08:00
Jon Siwek
290c2a0b4d
Make const variables actually constant. Addresses #922.
Both local and global variables declared with "const" could be modified,
but now expressions that would modify them should generate an error
message at parse-time.
2012-12-13 15:05:29 -06:00
Bernhard Amann
12753f31ae
Merge remote-tracking branch 'origin/master' into topic/bernhard/input-logging-commmon-functions
2012-12-13 11:22:58 -08:00
Seth Hall
3c27267223
Improvements for the "bad checksums" detector to make it detect bad TCP checksums.
2012-12-13 11:09:41 -05:00
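The "bad checksums" detector referred to in the two commits above flags hosts whose TCP segments fail checksum verification, and the related tweak guards the ratio computation against division by zero. The following Python is an added example written for this page, not Bro's own script or analyzer code: it recomputes the TCP checksum over the IPv4 pseudo-header, builds constructed segments (one deliberately corrupted) and reports sources whose share of bad segments reaches a hypothetical 5% threshold. The threshold value, the host addresses and the traffic are assumptions made for the example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data (a trailing odd byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto=6, TCP length)
    followed by the TCP header and payload, with the checksum field taken as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True when the checksum stored in bytes 16..17 matches the recomputed one."""
    if len(segment) < 20:
        return False
    (stored,) = struct.unpack("!H", segment[16:18])
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_tcp_segment(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
                      payload: bytes = b"") -> bytes:
    """Construct a minimal SYN segment (no options) carrying a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def bad_checksum_fraction(bad: int, total: int) -> float:
    """Share of bad segments; 0.0 when nothing was seen, instead of dividing by zero."""
    return bad / total if total else 0.0


def hosts_with_bad_checksums(observations, threshold: float = 0.05):
    """observations: iterable of (src_ip, dst_ip, segment) with packed IPv4 addresses.
    Returns {src: fraction} for sources whose bad-checksum share reaches the threshold
    (the 5% default is an assumption for this example)."""
    totals, bad = defaultdict(int), defaultdict(int)
    for src, dst, segment in observations:
        totals[src] += 1
        if not tcp_checksum_ok(src, dst, segment):
            bad[src] += 1
    result = {}
    for src in totals:
        frac = bad_checksum_fraction(bad[src], totals[src])
        if frac >= threshold:
            result[str(IPv4Address(src))] = frac
    return result


def demo():
    """Constructed traffic (not a capture): host a emits one corrupted segment, host b only good ones."""
    a, b, server = (IPv4Address(h).packed for h in ("10.0.0.1", "10.0.0.2", "192.0.2.10"))
    good = build_tcp_segment(a, server, 40000, 80, b"GET / HTTP/1.0\r\n")
    corrupted = bytearray(good)
    corrupted[25] ^= 0xFF          # flip a payload byte; the stored checksum no longer matches
    observations = [
        (a, server, good),
        (a, server, bytes(corrupted)),
        (b, server, build_tcp_segment(b, server, 40001, 443)),
    ]
    return hosts_with_bad_checksums(observations)


if __name__ == "__main__":
    print(demo())   # {'10.0.0.1': 0.5}
```

A real deployment would also want to exclude segments captured on a host that offloads checksumming to the NIC, since those appear with bad checksums on the wire-side capture without any corruption having occurred.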
Seth Hall
0cf98ac325
Improved file name extraction for SMTP when file name is included in Content-Type header.
2012-12-13 10:27:08 -05:00
Matthias Vallentin
816965f3c7
Merge remote-tracking branch 'origin/master' into topic/matthias/opaque
2012-12-11 16:32:01 -08:00
Matthias Vallentin
30bab14dbf
Update base scripts and unit tests.
2012-12-11 16:26:17 -08:00
Robin Sommer
b867333c2e
Merge remote-tracking branch 'origin/topic/jsiwek/gtp'
* origin/topic/jsiwek/gtp:
Change binpac exceptions in AYIYA/GTP analyzers to do protocol_violation
Add GTP tunnel analyzer memory leak unit test.
Add GPRS Tunnelling Protocol (GTPv1) decapsulation.
Closes #690.
2012-12-10 14:48:18 -08:00
Seth Hall
dda36672ac
Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge
2012-12-06 11:07:35 -05:00
Robin Sommer
57510464a1
Adapting the HTTP request line parsing to only accept methods
consisting of letters [A-Za-z].
I had some bogus HTTP sessions now with the test-suite that reported
data as HTTP because it started with "<!... ". Requiring letters seems
a reasonable constraint.
2012-12-05 16:56:54 -08:00
Robin Sommer
177c014cb7
Merge remote-tracking branch 'vlad/topic/vladg/http-verbs'
* vlad/topic/vladg/http-verbs:
A test for HTTP methods, including some horribly illegal requests.
Remove hardcoded HTTP verbs from the analyzer (#741)
I added a "bad_HTTP_request" weird for HTTP request lines that don't
have more than a single word.
Closes #741.
2012-12-05 15:27:42 -08:00
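The two HTTP commits above change the request-line rules in the same direction: the hardcoded verb list is gone, any method made of letters [A-Za-z] is accepted, a line with only a single word raises the "bad_HTTP_request" weird, and data such as "<!DOCTYPE ..." is no longer mistaken for HTTP. The Python below is an added example modelling those rules, not the analyzer's C++ or Bro's test-suite; the verdict names, the sample lines and the treatment of a missing version token as "unknown" are assumptions made for the example.

```python
import re

# The rule the commits describe: a method is one or more ASCII letters, nothing else.
METHOD_RE = re.compile(r"^[A-Za-z]+$")


def parse_request_line(line: str) -> dict:
    """Classify one request line the way the commits above describe.

    'verdict' is one of:
      'ok'        - a letters-only method followed by at least a URI
      'weird'     - a single-word line, reported as the 'bad_HTTP_request' weird
      'not_http'  - the first word is not letters-only, so the data is not treated as HTTP
    """
    words = line.rstrip("\r\n").split()
    if len(words) < 2:
        return {"verdict": "weird", "weird": "bad_HTTP_request", "line": line}
    method, uri = words[0], words[1]
    if not METHOD_RE.match(method):
        return {"verdict": "not_http", "reason": f"method {method!r} is not letters-only"}
    version = words[2] if len(words) >= 3 else None   # None: no version token on the line
    return {"verdict": "ok", "method": method, "uri": uri, "version": version}


def triage(lines):
    """Run parse_request_line over many lines; return verdict counts and the methods accepted."""
    counts = {"ok": 0, "weird": 0, "not_http": 0}
    methods = set()
    for line in lines:
        r = parse_request_line(line)
        counts[r["verdict"]] += 1
        if r["verdict"] == "ok":
            methods.add(r["method"])
    return counts, methods


# Constructed sample input, not captured traffic.
SAMPLE_LINES = [
    "GET / HTTP/1.1\r\n",
    "PROPFIND /dav/ HTTP/1.1\r\n",        # no hardcoded verb list needed any more
    "BREW /pot-1 HTCPCP/1.0\r\n",         # unknown to everyone but letters-only: accepted
    "get /lowercase HTTP/1.0\r\n",        # [A-Za-z] admits lowercase methods too
    "GET /no-version\r\n",                # two words: accepted, version unknown
    "GET\r\n",                            # single word: bad_HTTP_request weird
    "<!DOCTYPE html>\r\n",                # the false positive that motivated the letters-only rule
    "M-SEARCH * HTTP/1.1\r\n",            # hyphenated SSDP method: a strict [A-Za-z] rule rejects it
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(line.rstrip("\r\n")), "->", parse_request_line(line)["verdict"])
```

The last sample line is the caveat worth keeping in mind when tightening a method grammar: a strict letters-only rule also drops legitimate hyphenated methods such as SSDP's M-SEARCH, so traffic relying on them would stop being analysed as HTTP.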
Seth Hall
d0e8a6eef3
Comment updates and revised scan detection duration logging.
- Detection duration tracking is now logged in notices as 2m43s and
only goes down to seconds. Previously it was proceeding to milli-
and microseconds, which aren't particularly useful.
- Inline docu-comment updates from Vlad Grigorescu.
2012-12-04 11:54:39 -05:00
Seth Hall
3af4517e2a
Adding an $end time for result values to measure the length of time a measurement took.
2012-12-04 11:04:01 -05:00
Seth Hall
d61d175a04
Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge
2012-12-04 00:17:43 -05:00
Seth Hall
e769ab469f
Comment and indentation cleanup.
2012-12-04 00:15:49 -05:00
Seth Hall
3ca0333294
Fix to checking metrics thresholds at the end of the break interval ($every field).
2012-12-04 00:15:19 -05:00
Robin Sommer
63d43e6545
Renaming ASCII writer filter option 'only_single_header_row' to 'tsv'.
Also clarifying usage.
Closes #912.
2012-12-03 14:40:38 -08:00
Bernhard Amann
9c09dee294
and adapt to AsciiInputOutput - seems to work...
2012-12-03 14:14:40 -08:00
Bernhard Amann
0a59d0d4db
Merge branch 'topic/bernhard/input-logging-commmon-functions' into topic/bernhard/sqlite
2012-12-03 13:46:58 -08:00
Bernhard Amann
9b2265877d
and factor stuff out of the input framework too.
2012-12-03 13:41:19 -08:00
Bernhard Amann
501328d61a
factor out ascii input/output.
First step - factored out everything the logging classes
use (so only output).
Moved the script-level configuration to logging/main,
and made the individual writers just refer to it -
no idea if this is good design. It works. But I am happy
about opinions :)
Next step - add support for input...
2012-12-03 12:59:11 -08:00
Seth Hall
4bb8babb45
Small change to load the correct scan file in local.bro.
2012-12-03 14:58:11 -05:00
Seth Hall
f956554c74
Slightly fix up file name extraction from Content-Disposition headers.
2012-12-03 11:57:00 -05:00
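Both SMTP file-name commits in this log (the Content-Disposition fix above and the later "file name is included in Content-Type header" improvement) deal with the same parsing problem: the attachment name can come from the filename parameter of Content-Disposition or from the name parameter of Content-Type, may be folded across header lines, quoted, or RFC 2231 encoded. The Python below is an added example for this page, not Bro's SMTP analyzer: it parses constructed MIME part headers, prefers Content-Disposition and falls back to Content-Type. The basename step at the end is added hardening that the commits do not mention, since the name is attacker-controlled and must never carry path separators into anything written to disk.

```python
import re
from urllib.parse import unquote

# key=value pairs after the media/disposition type; a value is either quoted or runs to the next ';'
_PARAM_RE = re.compile(r'([\w*-]+)\s*=\s*("[^"]*"|[^;]+)')


def unfold_headers(raw: str) -> dict:
    """Parse MIME part headers into {lowercase name: value}, joining folded
    continuation lines (those starting with SP/HTAB) onto the previous header."""
    headers, current = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            headers[current] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            headers[current] = value.strip()
    return headers


def header_params(value: str) -> dict:
    """Extract parameters from a Content-Type or Content-Disposition value.
    RFC 2231 extended parameters (name*=charset'lang'pct-encoded) are decoded;
    plain quoted values just lose their quotes."""
    params = {}
    for key, val in _PARAM_RE.findall(value):
        key, val = key.lower(), val.strip()
        if key.endswith("*"):
            key = key[:-1]
            charset, _, rest = val.partition("'")
            _, _, encoded = rest.partition("'")
            try:
                val = unquote(encoded, encoding=charset or "utf-8", errors="replace")
            except LookupError:                 # attacker-chosen charset name: don't crash
                val = unquote(encoded, encoding="utf-8", errors="replace")
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        params[key] = val
    return params


def extract_filename(raw_headers: str):
    """Prefer Content-Disposition 'filename', fall back to Content-Type 'name'.
    The basename step is added hardening, not from the commits: strip any directory part."""
    h = unfold_headers(raw_headers)
    name = (header_params(h.get("content-disposition", "")).get("filename")
            or header_params(h.get("content-type", "")).get("name"))
    if not name:
        return None
    return name.replace("\\", "/").rsplit("/", 1)[-1] or None


# Constructed MIME part headers (not captured mail), one case per behaviour.
SAMPLE_PARTS = {
    "content_type_only": "Content-Type: application/octet-stream;\r\n\tname=\"report.xlsx\"\r\n"
                         "Content-Transfer-Encoding: base64\r\n",
    "traversal": 'Content-Type: application/pdf\r\n'
                 'Content-Disposition: attachment; filename="..\\..\\evil.pdf"\r\n',
    "rfc2231": "Content-Disposition: attachment; filename*=UTF-8''r%C3%A9sum%C3%A9.pdf\r\n"
               "Content-Type: application/pdf; name=\"fallback.pdf\"\r\n",
    "no_name": "Content-Type: text/plain; charset=us-ascii\r\n",
}


def demo():
    return {case: extract_filename(headers) for case, headers in SAMPLE_PARTS.items()}


if __name__ == "__main__":
    for case, name in demo().items():
        print(f"{case:18} -> {name!r}")
```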
Vlad Grigorescu
e98343b562
Remove hardcoded HTTP verbs from the analyzer (#741)
2012-11-30 20:08:20 -05:00
Seth Hall
1542b3696e
Changed how traceroute detection works by having it check for low ttl packets after detecting time exceeded messages.
2012-11-30 11:27:09 -05:00
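The traceroute commit above describes a two-stage check: a host is only examined for low-TTL packets once ICMP Time Exceeded messages addressed to it have been seen. The Python below is an added example modelling that ordering on a constructed event sequence; it is not Bro's detect-traceroute script, and the TTL cutoff of 10, the threshold of three distinct low-TTL probes, the per-(destination, TTL) counting and the event tuple shapes are all assumptions made for the example.

```python
from collections import defaultdict


class TracerouteDetector:
    """Two-stage detector modelled on the commit above (simplified; not Bro's script).

    Stage 1: an ICMP Time Exceeded quoting a packet from host H marks H as a candidate.
    Stage 2: only from then on do low-TTL packets sent by H count toward the threshold.
    Low-TTL packets seen before any Time Exceeded are ignored, which keeps hosts whose
    packets never elicit Time Exceeded from being flagged on TTL alone.
    """

    def __init__(self, low_ttl: int = 10, min_low_ttl_probes: int = 3):
        self.low_ttl = low_ttl                   # assumed cutoff for "low" TTL
        self.threshold = min_low_ttl_probes      # assumed number of distinct probes needed
        self.candidates = set()                  # hosts that received ICMP Time Exceeded
        self.low_ttl_seen = defaultdict(set)     # host -> distinct (dst, ttl) pairs after candidacy
        self.detected = set()

    def icmp_time_exceeded(self, router: str, original_src: str):
        """Time Exceeded from `router`, quoting a packet whose source was `original_src`."""
        self.candidates.add(original_src)

    def ip_packet(self, src: str, dst: str, ttl: int):
        if src in self.candidates and ttl <= self.low_ttl:
            self.low_ttl_seen[src].add((dst, ttl))
            if len(self.low_ttl_seen[src]) >= self.threshold:
                self.detected.add(src)

    def feed(self, events):
        """events: ("ip", src, dst, ttl) or ("time_exceeded", router, original_src).
        Returns the sorted list of hosts detected so far."""
        for ev in events:
            if ev[0] == "ip":
                self.ip_packet(ev[1], ev[2], ev[3])
            elif ev[0] == "time_exceeded":
                self.icmp_time_exceeded(ev[1], ev[2])
            else:
                raise ValueError(f"unknown event {ev[0]!r}")
        return sorted(self.detected)


# Constructed packet sequence, not a capture. Hosts:
#   10.0.0.5  runs a real traceroute to 198.51.100.7 (TTL 1,2,3,... each answered by Time Exceeded)
#   10.0.0.9  sends low-TTL packets that never draw a Time Exceeded reply: not flagged
#   10.0.0.12 gets one stray Time Exceeded but only ever sends TTL 64 packets: not flagged
SAMPLE_EVENTS = [
    ("ip", "10.0.0.5", "198.51.100.7", 1),        # before any Time Exceeded: does not count
    ("time_exceeded", "10.0.0.1", "10.0.0.5"),
    ("ip", "10.0.0.5", "198.51.100.7", 2),
    ("time_exceeded", "203.0.113.1", "10.0.0.5"),
    ("ip", "10.0.0.5", "198.51.100.7", 3),
    ("time_exceeded", "203.0.113.9", "10.0.0.5"),
    ("ip", "10.0.0.5", "198.51.100.7", 4),        # third counted probe: threshold reached
    ("ip", "10.0.0.9", "198.51.100.7", 1),
    ("ip", "10.0.0.9", "198.51.100.7", 1),
    ("ip", "10.0.0.9", "198.51.100.7", 1),
    ("time_exceeded", "10.0.0.1", "10.0.0.12"),
    ("ip", "10.0.0.12", "198.51.100.7", 64),
    ("ip", "10.0.0.12", "198.51.100.7", 64),
]


def run_demo():
    return TracerouteDetector().feed(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(run_demo())
```

Requiring distinct (destination, TTL) pairs rather than a raw packet count is what distinguishes a probe sequence from one low-TTL packet retransmitted several times; a production version would additionally expire candidates after an interval so that one stray Time Exceeded does not keep a host under suspicion indefinitely.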
Seth Hall
bb7db64841
Fixed Sheharbano's name.
2012-11-30 09:51:20 -05:00
Seth Hall
96f850ca4e
Moving scan.bro to a more appropriate place.
2012-11-30 09:49:16 -05:00
Seth Hall
2484295db3
scan.bro updates.
2012-11-30 09:48:52 -05:00
Jon Siwek
cc8f20c104
Merge branch 'master' into topic/jsiwek/gtp
2012-11-29 16:11:27 -06:00
Seth Hall
2b72275d7e
More updates to clean up scan.bro
2012-11-28 17:07:30 -05:00
Seth Hall
f1b7ca62ee
Actually fix the problem I just tried to fix a minute ago.
2012-11-28 15:58:29 -05:00
Seth Hall
92285a9711
Fix a race condition when multiple workers report intermediate indexes simultaneously.
2012-11-28 15:52:41 -05:00
Seth Hall
2add60b4b1
A function wasn't returning a value like it should be.
2012-11-28 15:22:45 -05:00
Seth Hall
956c23eb66
Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge
2012-11-28 14:57:42 -05:00
Bernhard Amann
2d7ffd8269
Merge remote-tracking branch 'origin/master' into topic/bernhard/sqlite
2012-11-26 20:46:27 -08:00
Seth Hall
6bdcdcecf9
Fixed a problem with metrics aggregation on clusters (thanks Jon!).
2012-11-26 16:17:35 -05:00
Seth Hall
c98301e51f
Fixed a DNS attribute issue (reported by Matt Thompson).
2012-11-26 15:58:25 -05:00
Robin Sommer
a5e237f50c
The ASCII writer now supports a filter config option
'only_single_header_row' that turns the output into CSV format.
In that mode all meta data is skipped except for a single header line
with the fields names. Example:
local my_filter: Log::Filter = [$name = "my-filter", $writer = Log::WRITER_ASCII, $config = table(["only_single_header_row"] = "T")];
Contributed by Carsten Langer.
2012-11-23 19:38:53 -08:00
Seth Hall
3546d93f36
Merging master.
2012-11-21 12:18:03 -05:00
Seth Hall
ebacb80d1c
Add intel detection for apparently successful logins.
2012-11-21 11:56:39 -05:00
Seth Hall
08538211e1
Some test updates.
2012-11-20 02:08:49 -05:00
Seth Hall
20fdd36a44
Updated the SQL injection detection script to make it include samples in notice emails.
2012-11-20 01:02:23 -05:00
Seth Hall
47f5d256d8
Added a script module for detecting hosts doing traceroutes.
2012-11-20 01:01:37 -05:00
Seth Hall
95b12262e4
More cleanup and fixes to the metrics framework.
2012-11-19 23:43:15 -05:00
Seth Hall
5b81cfe7e2
Implemented a nearly generic Queue in scriptland.
2012-11-19 23:42:19 -05:00
Seth Hall
257b460b18
Updated the app-metrics script to the new metrics api.
- Inconsequential change to scan.bro.
2012-11-16 03:05:43 -05:00
Seth Hall
e99e090b85
Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge
2012-11-16 02:49:36 -05:00
Seth Hall
d9195076b1
Metrics framework checkpoint.
- New scan.bro merged in and reworked a bit.
- Updated metrics API. Now possible to calculate much more.
2012-11-16 02:37:52 -05:00
Jon Siwek
e0805498c6
Fix some warnings from sphinx when building docs.
2012-11-15 16:40:18 -06:00
Robin Sommer
edf6750e3d
Fixing tests after intel merge.
2012-11-05 16:25:59 -08:00