Arne Welzel
ba04f4c31d
IPBasedAnalyzer: Don't flip connections when destination is broadcast
...
Closes #3235
2023-08-28 12:15:55 +02:00
Josh Soref
cd201aa24e
Spelling src
...
These are non-functional changes.
* accounting
* activation
* actual
* added
* addresult
* aggregable
* aligned
* alternatively
* ambiguous
* analysis
* analyzer
* anticlimactic
* apparently
* application
* appropriate
* arithmetic
* assignment
* assigns
* associated
* authentication
* authoritative
* barrier
* boundary
* broccoli
* buffering
* caching
* called
* canonicalized
* capturing
* certificates
* ciphersuite
* columns
* communication
* comparison
* comparisons
* compilation
* component
* concatenating
* concatenation
* connection
* convenience
* correctly
* corresponding
* could
* counting
* data
* declared
* decryption
* defining
* dependent
* deprecated
* detached
* dictionary
* directional
* directly
* directory
* discarding
* disconnecting
* distinguishes
* documentation
* elsewhere
* emitted
* empty
* endianness
* endpoint
* enumerator
* essentially
* evaluated
* everything
* exactly
* execute
* explicit
* expressions
* facilitates
* fiddling
* filesystem
* flag
* flagged
* for
* fragments
* guarantee
* guaranteed
* happen
* happening
* hemisphere
* identifier
* identifies
* identify
* implementation
* implemented
* implementing
* including
* inconsistency
* indeterminate
* indices
* individual
* information
* initial
* initialization
* initialize
* initialized
* initializes
* instantiate
* instantiated
* instantiates
* interface
* internal
* interpreted
* interpreter
* into
* it
* iterators
* length
* likely
* log
* longer
* mainly
* mark
* maximum
* message
* minimum
* module
* must
* name
* namespace
* necessary
* nonexistent
* not
* notifications
* notifier
* number
* objects
* occurred
* operations
* original
* otherwise
* output
* overridden
* override
* overriding
* overwriting
* ownership
* parameters
* particular
* payload
* persistent
* potential
* precision
* preexisting
* preservation
* preserved
* primarily
* probably
* procedure
* proceed
* process
* processed
* processes
* processing
* propagate
* propagated
* prototype
* provides
* publishing
* purposes
* queue
* reached
* reason
* reassem
* reassemble
* reassembler
* recommend
* record
* reduction
* reference
* regularly
* representation
* request
* reserved
* retrieve
* returning
* separate
* should
* shouldn't
* significant
* signing
* simplified
* simultaneously
* single
* somebody
* sources
* specific
* specification
* specified
* specifies
* specify
* statement
* subdirectories
* succeeded
* successful
* successfully
* supplied
* synchronization
* tag
* temporarily
* terminating
* that
* the
* transmitted
* true
* truncated
* try
* understand
* unescaped
* unforwarding
* unknown
* unknowndata
* unspecified
* update
* usually
* which
* wildcard
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-11-09 12:08:15 -05:00
Arne Welzel
f3f593c523
IPBasedAnalyzer/TCPSessionAdapter: Fix TCP reassembly decision for known port analyzers
...
This seems to be an age-old bug. Reported by mchen on discourse [1].
The TCPSessionAdapter decides in AddExtraAnalyzers() whether to enable
reassembly or not. When dpd_reassemble_first_packets is F, this boils down to
! GetChildren().empty(). The intention being that if any analyzers have been
added to the connection based on known ports, reassembly is to be enabled.
However, GetChildren() does not take into account new_children and so
! GetChildren().empty() is always false here and reassembly is solely
based on dpd_reassemble_first_packets=F (or the tcp_content... options).
Ouch.
Call AppendNewChildren() before AddExtraAnalyzers() as a fix. Without this,
the new test does not produce an http.log and service "http" isn't in conn.log.
[1] https://community.zeek.org/t/how-to-activate-an-application-layer-analyzer-when-signature-dpd-reassemble-first-packets-is-off/6763
2022-10-25 16:07:40 +02:00
Tim Wojtulewicz
f624c18383
Deprecate bro_int_t and bro_uint_t
2022-07-12 12:01:23 -07:00
Tim Wojtulewicz
f93c5a6942
Store some additional information in the packet during processing
...
- Session related to the packet
- is_orig information if a UDP header was found
2021-11-23 19:36:49 -07:00
Tim Wojtulewicz
ed798c6aba
Change Packet::ip_hdr to be a shared_ptr so it can be copied into EncapsulatingConn
2021-11-23 19:36:49 -07:00
Tim Wojtulewicz
8b544d648d
Remove uses of deprecated Tag types
2021-11-23 19:36:49 -07:00
Johanna Amann
48ee7db3c1
Merge remote-tracking branch 'origin/topic/johanna/gh-1829'
...
* origin/topic/johanna/gh-1829:
Add documentation for GH-1829
Packets with TSO: address review feedback.
Accept packets that use tcp segment offloading.
Fixes GH-1829
2021-11-23 10:20:07 +00:00
Tim Wojtulewicz
fe932944c4
GH-1620: Add event and plugin hook to track packets not processed
2021-11-12 09:30:26 -07:00
Johanna Amann
e14b695497
Accept packets that use tcp segment offloading.
...
When checksum offloading is enabled, we now forward packets that
have 0 header lengths set - and assume that they have TSO enabled.
If checksum offloading is not enabled, we drop the packets.
Addresses GH-1829
2021-10-28 17:12:54 +02:00
Tim Wojtulewicz
9af6b2f48d
clang-format: Set penalty for breaking after assignment operator
2021-09-27 10:49:48 -07:00
Tim Wojtulewicz
b2f171ec69
Reformat the world
2021-09-16 15:35:39 -07:00
Johanna Amann
8192ad581d
Do not lookup ignore_checksums_nets for every packet
...
This could lead to a noticeable (single-percent) performance
improvement.
Most of the functionality for this is in the packet analyzers that now
cache ignore_checksums_nets.
Based on a patch by Arne Welzel (Corelight).
2021-08-06 10:32:53 +01:00
Tim Wojtulewicz
f849f024e5
Redo how reassembled flag is accessed in IP_Hdr, filling in a memory hole
2021-07-14 14:59:49 -07:00
Tim Wojtulewicz
12d768d0d8
Remove obsolete Skipping()/SetSkip() from Connection
2021-06-02 13:20:10 -07:00
Tim Wojtulewicz
08fb5d76ee
Remove some code from IPBasedAnalyzer and children that was waiting for TCP to be implemented
2021-06-02 13:20:10 -07:00
Tim Wojtulewicz
9e1f6f95aa
Move analyzer-to-port mapping out of analyzer::Manager into packet analyzers
2021-06-02 13:20:10 -07:00
Tim Wojtulewicz
f6e31107e1
Move old TCP analyzer into analyzer adapter in packet analysis tree
2021-06-02 13:20:10 -07:00
Tim Wojtulewicz
b22ce6848f
Rename IPBasedTransportAnalyzer to SessionAdapter
...
This also combines the old TransportLayerAnalyzer class into
SessionAdapter, and removes the old class. This requires naming changes
in a few places but no functionality changes.
2021-05-18 15:19:12 -07:00
Tim Wojtulewicz
c56fb3e8e4
Move building session analyzer tree out of analyzer::Manager
2021-05-18 11:52:04 -07:00
Tim Wojtulewicz
7dc803f7bb
Rework the packet flow through the IP-based analyzers
2021-05-18 11:52:04 -07:00
Tim Wojtulewicz
c1f0d312b5
Add base class for IP-based packet analyzers
2021-05-18 11:52:03 -07:00