Commit graph

9997 commits

Author SHA1 Message Date
Jon Siwek
b776f17cea Merge remote-tracking branch 'origin/topic/vern/any-typetype-when-fix'
- Minor whitespace adjustment in merge

* origin/topic/vern/any-typetype-when-fix:
  bug fixes for using "when" in functions that have a local of type "any"
2020-04-27 13:33:40 -07:00
Johanna Amann
faa8a38578 Merge remote-tracking branch 'origin/topic/jsiwek/gh-854-preserve-header-name'
* origin/topic/jsiwek/gh-854-preserve-header-name:
  GH-854: provide access to original HTTP/MIME header names
2020-04-27 19:31:49 +00:00
Johanna Amann
0136648342 Merge remote-tracking branch 'origin/topic/jsiwek/empty-bloomfilter-lookup'
* origin/topic/jsiwek/empty-bloomfilter-lookup:
  Remove error message from empty bloomfilter lookups
2020-04-27 19:23:16 +00:00
Johanna Amann
bb2f328cff Merge remote-tracking branch 'origin/topic/vern/unused'
* origin/topic/vern/unused:
  unused variables found via use-def analysis (plus an indentation micro-nit)
2020-04-27 19:21:33 +00:00
Tim Wojtulewicz
13674e7c31 Merge remote-tracking branch 'origin/topic/jsiwek/bif-return-intrusive'
* origin/topic/jsiwek/bif-return-intrusive:
  Update various BIFs to return IntrusivePtr
2020-04-27 12:09:58 -07:00
Jon Siwek
9e56881c70 Update various BIFs to return IntrusivePtr 2020-04-27 11:50:35 -07:00
Vern Paxson
fe46ef06a0 unused variables found via use-def analysis (plus an indentation micro-nit) 2020-04-25 18:06:47 -07:00
Vern Paxson
b86d5b4424 bug fixes for using "when" in functions that have a local of type "any" 2020-04-25 16:56:24 -07:00
Tim Wojtulewicz
17f72d6be6 Update submodule
[nomail]
2020-04-24 16:22:33 -07:00
Tim Wojtulewicz
cb40dbd58b Merge remote-tracking branch 'origin/topic/jsiwek/intrusive-ptr-chipping'
* origin/topic/jsiwek/intrusive-ptr-chipping:
  Deprecate returning Val* from BIFs
  Deprecate binpac::string_to_val
  Deprecate binpac::bytestring_to_val, replace with binpac::to_stringval
  Update deprecated BifEvent::generate_* usages
  Deprecate Connection::Event and Analyzer::Event methods
  Deprecate BuildConnVal() methods and update usages to ConnVal()
  Update all BIFs to return IntrusivePtr instead of Val*
  Update deprecated ValManager::GetPort usages
  Update deprecated ValManager::GetEmptyString usages
  Update deprecated ValManager::GetCount usages
  Update deprecated ValManager::GetInt usages
  Update deprecated ValManager::GetBool usages
  Update deprecated ValManager GetTrue/GetFalse usages
  Deprecate all ValManager "Get" methods
  Change BIFs to return a wrapper object
2020-04-24 16:20:08 -07:00
Jon Siwek
f452f26d11 Remove error message from empty bloomfilter lookups
If a bloomfilter doesn't have a type, that just means no
bloomfilter_add() has been called yet, so seems undesirable to emit an
error for a lookup against something that's known to be empty.
2020-04-24 10:15:57 -07:00
Jon Siwek
6e2cd3ae44 Merge branch 'ident_overflow' of https://github.com/MaxKellermann/zeek
* 'ident_overflow' of https://github.com/MaxKellermann/zeek:
  analyzer/protocol/ident: fix buffer overflow in ParsePort()
2020-04-22 10:44:43 -07:00
Max Kellermann
9b2709ca18 analyzer/protocol/ident: fix buffer overflow in ParsePort()
The given buffer is not null-terminated; the method must obey the
"end_of_line" pointer.
2020-04-22 17:26:06 +02:00
Jon Siwek
f849571910 Merge remote-tracking branch 'origin/topic/johanna/remove_connection_external'
* origin/topic/johanna/remove_connection_external:
  Remove connection_external
2020-04-21 10:26:07 -07:00
Johanna Amann
e3de46ba9b Remove connection_external
This event was forgotten in our broccoli cleanup. It cannot be
raised by anything anymore.
2020-04-21 09:00:05 -07:00
Jon Siwek
5032993b94 GH-854: provide access to original HTTP/MIME header names
The "http_header" event now has an "original_name" parameter that allows
access to the original header name (the "name" parameter remains the
same as before: it's the uppercased header name).

The "mime_header_rec" record type now also includes an "original_name"
field to similarly provide access to original header name in the
following events: "http_all_headers", "mime_one_header", and
"mime_all_headers".
2020-04-20 16:56:41 -07:00
Jon Siwek
80d3918b13 Deprecate returning Val* from BIFs 2020-04-20 15:20:42 -07:00
Jon Siwek
6c0a9b0d8f Deprecate binpac::string_to_val 2020-04-20 14:43:06 -07:00
Jon Siwek
743303950b Deprecate binpac::bytestring_to_val, replace with binpac::to_stringval 2020-04-20 14:30:49 -07:00
Johanna Amann
cfe6616de1 Update submodule
[nomail]
2020-04-19 19:45:08 -07:00
Jon Siwek
81517bd703 Update deprecated BifEvent::generate_* usages 2020-04-17 18:42:58 -07:00
Jon Siwek
e60a7afbbc Update submodule(s)
[nomail]
2020-04-17 10:22:51 -07:00
Johanna Amann
0eb04da821 Update submodule
[nomail]
2020-04-16 22:15:50 -07:00
Jon Siwek
9b2fb29aca Deprecate Connection::Event and Analyzer::Event methods
And update usages to the "EnqueueEvent" methods.
2020-04-16 19:45:30 -07:00
Jon Siwek
2a63e4a4a2 Deprecate BuildConnVal() methods and update usages to ConnVal()
The latter being a new method that returns IntrusivePtr
2020-04-16 17:00:01 -07:00
Jon Siwek
094d6de979 Update all BIFs to return IntrusivePtr instead of Val* 2020-04-16 17:00:01 -07:00
Jon Siwek
d7be84de97 Update deprecated ValManager::GetPort usages 2020-04-16 16:47:19 -07:00
Jon Siwek
de8761f761 Update deprecated ValManager::GetEmptyString usages 2020-04-16 16:46:38 -07:00
Jon Siwek
93f4c5871b Update deprecated ValManager::GetCount usages 2020-04-16 16:46:36 -07:00
Jon Siwek
0ddac4abcf Update deprecated ValManager::GetInt usages 2020-04-16 16:44:35 -07:00
Jon Siwek
d9edd855da Update deprecated ValManager::GetBool usages 2020-04-16 16:44:33 -07:00
Jon Siwek
9af84bb2b0 Update deprecated ValManager GetTrue/GetFalse usages 2020-04-16 16:40:59 -07:00
Jon Siwek
202b3f877d Deprecate all ValManager "Get" methods
Alternate methods that return IntrusivePtr are available in similarly
named methods that omit the "Get" prefix.
2020-04-16 16:40:57 -07:00
Jon Siwek
eb77411dbf Change BIFs to return a wrapper object
That allows returning either Val* or IntrusivePtr<T>.  The former could
eventually be deprecated, but it's used extensively at the moment.
2020-04-16 16:40:07 -07:00
Jon Siwek
8843f69002 Remove ineffective &default in netcontrol cluster event handler args 2020-04-16 15:40:27 -07:00
Johanna Amann
730f78d0c2 Merge remote-tracking branch 'origin/topic/jsiwek/no-vla'
* origin/topic/jsiwek/no-vla:
  GH-895: Remove use of Variable-Length-Arrays

Fixes GH-895
2020-04-16 14:18:38 -07:00
Johanna Amann
df71d963c9 Merge remote-tracking branch 'origin/topic/jsiwek/krb-consts-defaults'
* origin/topic/jsiwek/krb-consts-defaults:
  Add default function for Kerberos constant-lookup-tables
2020-04-16 13:05:05 -07:00
Johanna Amann
7c012f9b91 Merge branch 'master' of https://github.com/mmguero-dev/zeek
* 'master' of https://github.com/mmguero-dev/zeek:
  check for the existence of f?$conns in file_sniff event in policy/protocols/ssl/log-hostcerts-only.zeek
2020-04-16 12:59:12 -07:00
Jon Siwek
c8e070b8ee Add default function for Kerberos constant-lookup-tables 2020-04-16 12:34:41 -07:00
SG
42bf41aca1 check for the existence of f?$conns in file_sniff event in policy/protocols/ssl/log-hostcerts-only.zeek
In using the corelight/bro-xor-exe-plugin (https://github.com/corelight/bro-xor-exe-plugin) I noticed this error when running the PCAP trace file in its tests directory:

1428602842.525435 expression error in /opt/zeek/share/zeek/policy/protocols/ssl/log-hostcerts-only.zeek, line 44: field value missing (X509::f$conns)

Examining log-hostcerts-only.zeek, I saw that although f$conns is being checked for length, it's not being checked to see if it exists first.

This commit changes "if ( |f$conns| != 1 )" to "if (( ! f?$conns ) || ( |f$conns| != 1 ))" so that the script returns if there is no f$conns field.

In my local testing, this seems to fix the error. My testing was being done with v3.0.5, but I think this patch can be applied to both the 3.0.x and 3.1.x branches.
2020-04-16 10:19:59 -06:00
Jon Siwek
15a19414ca GH-895: Remove use of Variable-Length-Arrays 2020-04-15 16:25:21 -07:00
Jon Siwek
991501a3d2 Update submodule(s)
[nomail]
2020-04-15 15:14:35 -07:00
Tim Wojtulewicz
ccc0cbdcd5 Update README.md to fix the logo and one of the links 2020-04-15 13:45:25 -07:00
Jon Siwek
2d91f9d89f Merge remote-tracking branch 'origin/topic/timw/dict-cleanup'
* origin/topic/timw/dict-cleanup:
  A few minor cleanups in Dict
2020-04-14 15:46:03 -07:00
Jon Siwek
f70ecccc34 Fix a confusing variable name shadowing 2020-04-14 15:30:15 -07:00
Jon Siwek
ffe8a018a1 Updating CHANGES and VERSION. 2020-04-14 11:10:07 -07:00
Johanna Amann
bb3250c28e Fix Stack Overflow in POP3_Analyzer::ProcessRequest.
The VLA can overflow given a large enough string. As a small fix, this
commit gets rid of the VLA and assigns the password directly to the
target string.

This was reported by Matteo Rizzo (Google).
2020-04-14 11:06:04 -07:00
Tim Wojtulewicz
ba1c03188f Merge remote-tracking branch 'origin/topic/jsiwek/alternate-hook-event-prototypes'
* origin/topic/jsiwek/alternate-hook-event-prototypes:
  Add warning for ineffective &default arguments in handlers
  Fix frame size allocation of alternate event/hook handlers
  Emit error for alternate event/hook prototype args with attributes
  Improve alternate event/hook prototype matching
  Allow alternate event/hook prototype declarations
2020-04-13 15:00:25 -07:00
Tim Wojtulewicz
d4784f5525 A few minor cleanups in Dict 2020-04-13 13:39:17 -07:00
Jon Siwek
ce9183a2ed Fix Broker topics used to uniquely identify cluster nodes
Node-specific topic prefix subscriptions/publications now add a trailing
slash like "zeek/cluster/node/<name>/".  Without the trailing slash,
messages attempting to target "proxy-10" may also be sent to "proxy-1"
since subscription matching is prefix-based.
2020-04-10 14:36:00 -07:00