Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 23:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
13262 commits 384 branches 195 tags 258 MiB
Commit graph

708 commits

Author SHA1 Message Date
Johanna Amann
41606e18fb Intel: Allow to provide uid/fuid instead of conn/f. 
This patch allows users to provide the fuid or the connection id
directly, in case they do not have access to either in the event that
they handle.

An example for this is the handling of certificates in SSL, where the
fa_file record cannot be retained because this would create a cyclic
data structure.

This patch also provides file IDs for hostname matches in certificates,
which was not possible with the previous API.
 2016-04-25 16:54:47 -07:00
Robin Sommer
efde4a74b0 Merge remote-tracking branch 'origin/topic/johanna/intel-cert-hash' 
BIT-1567 #merged

* origin/topic/johanna/intel-cert-hash:
  Intel: CERT_HASH indicator type was never checked
 2016-04-22 08:37:14 -07:00
Johanna Amann
00e759b44c Intel: CERT_HASH indicator type was never checked 
Hence, when people specify data of type CERT_HASH in their intel source
files, it will never trigger an alert.
 2016-04-11 15:50:55 +02:00
Seth Hall
89b4d79f93 Merge remote-tracking branch 'origin/master' into topic/seth/file-entropy 
# Conflicts:
#	scripts/test-all-policy.bro
#	testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
 2016-03-21 11:39:15 -04:00
Seth Hall
2509f79a10 Merge branch 'topic/jgras/bit-1507' of https://github.com/J-Gras/bro into J-Gras-topic/jgras/bit-1507 2016-01-21 10:45:42 -05:00
Jan Grashoefer
d819692204 Fixed matching mail address intel 
Addresses BIT-1507.
 2016-01-19 00:09:03 +01:00
Seth Hall
41a181d98d Removing more broken functionality due to changed stats apis. 2016-01-14 21:22:09 -05:00
Seth Hall
53db5d1711 Removing some references to resource_usage() 2016-01-14 17:09:55 -05:00
Seth Hall
ee763381b2 Fixing default stats collection interval to every 5 minutes. 2016-01-14 16:17:41 -05:00
Seth Hall
16adf2ff5a Add DNS stats to the stats.log 2016-01-14 14:05:23 -05:00
Seth Hall
18a1e6f76b Small stats script tweaks and beginning broker stats. 2016-01-11 09:25:36 -05:00
Seth Hall
cfdabb901f Continued stats cleanup and extension. 2016-01-09 01:14:13 -05:00
Seth Hall
3c71d4ffa8 More stats collection extensions. 2016-01-08 17:03:16 -05:00
Seth Hall
6d836b7956 More stats improvements 
Broke out the stats collection into a bunch of new Bifs
in stats.bif.  Scripts that use stats collection functions
have also been updated.  More work to do.
 2016-01-07 16:20:24 -05:00
Seth Hall
2b0a28686a Cleaned up stats collection. 
- Removed the gap_report event.  It wasn't used anymore
   and functionally no more capable that scheduling events
   and using the get_gap_summary bif.

 - Added functionality to Dictionaries to count cumulative
   numbers of inserts performed.  This is further used to
   measure the total number of connections of various types.
   Previously only the number of active connections was
   available.

 - The Reassembler base class now tracks active reassembly
   size for all subclasses (File/TCP/Frag & unknown).

 - Improvements to the stats.log.  Mostly, more information.
 2016-01-04 00:55:52 -05:00
Johanna Amann
d92fd52b35 Remove measurement scripts 2015-12-14 16:06:31 -08:00
Johanna Amann
da9b5425e4 Merge remote-tracking branch 'origin/master' into topic/johanna/ocsp 2015-12-14 16:05:41 -08:00
Johanna Amann
c93a9fbebd Log only local-originated IPs. 2015-12-08 14:55:50 -08:00
Aaron Eppert
5d1ed9c134 Update windows-version-detection.bro 
mscrl.microsoft.com is the proper hostname, however to be safe, let's use regex to identify it.
 2015-12-04 09:46:14 -05:00
Daniel Thayer
28f4d45d33 Fix potential race condition when logging VLAN info to conn.log 
Lowered priority of a connection_state_remove event handler to ensure
that the "conn" field is initialized in the connection record before
attempting to add the VLAN tags.
 2015-11-05 12:14:05 -06:00
Robin Sommer
a83d97937e Extending rexmit_inconsistency() event to receive an additional 
parameter with the packet's TCP flags, if available.
 2015-10-26 14:16:08 -07:00
Daniel Thayer
5ba8610681 Correct a typo in controller.bro documentation 2015-10-21 12:48:35 -05:00
Richard van den Berg
aa8f56c2bd hash-all-files.bro depends on base/files/hash 2015-09-11 13:01:43 +02:00
Liang Zhu
cdc812074c fix data structure recursion 2015-08-19 11:38:34 -07:00
Liang Zhu
d45558d2a1 log the number of certs in OCSP response 2015-08-18 21:44:52 -07:00
Liang Zhu
adbc0b1eaf Merge remote-tracking branch 'origin/master' into topic/liangzhu/analyzer-ocsp 2015-08-05 17:15:09 -07:00
Liang Zhu
5d168792ee deal with bug url 2015-07-28 16:20:38 -07:00
Liang Zhu
e9f028be4c Merge remote-tracking branch 'origin/master' into topic/liangzhu/analyzer-ocsp 2015-07-28 13:47:21 -07:00
Robin Sommer
ba10115181 Merge branch 'topic/jgras/flash-detection' of https://github.com/J-Gras/bro 
Switching from using the http_all_headers() event to
http_message_done(). That delays it a bit, but is the less expensive
event.

* 'topic/jgras/flash-detection' of https://github.com/J-Gras/bro:
  Updated detection of Flash and AdobeAIR.
 2015-07-27 11:05:49 -07:00
Jan Grashoefer
b765c95d6e Updated detection of Flash and AdobeAIR. 2015-07-24 14:33:53 +02:00
Robin Sommer
fb848f795d Merge branch 'master' of https://github.com/aaronmbr/bro 
* 'master' of https://github.com/aaronmbr/bro:
  Copy-paste issue
  Allow for logging of the VLAN data about a connection in conn.log
  Save the inner vlan in the Packet object for Q-in-Q setups
 2015-07-23 13:05:28 -07:00
Aaron Brown
f29dbb90a5 Allow for logging of the VLAN data about a connection in conn.log 2015-07-22 14:13:17 -04:00
Liang Zhu
cea1b62a9a small bug fix 2015-07-21 23:38:56 -07:00
Liang Zhu
462f6608a8 log the time for server first encrypted application data 2015-07-21 14:44:33 -07:00
Liang Zhu
5f2cb840d7 add user_agent to ocsp-to-match log 2015-07-20 16:55:19 -07:00
Liang Zhu
fa654121ec fix url parsing bug 2015-07-20 15:46:21 -07:00
Liang Zhu
4e8d15d8d1 small bug fix 2015-07-18 01:53:28 -07:00
Liang Zhu
0c3b03ac8d log original uri and fix GET url parsing 2015-07-18 01:06:31 -07:00
Liang Zhu
6c9b49a5d7 fix a bug for ocsp-ssl-split.bro 2015-07-17 16:00:18 -07:00
Liang Zhu
cb0aa7725e fix a few bug for logging 2015-07-16 18:20:57 -07:00
Liang Zhu
f0c642cd25 update logging for ocsp and baseline 2015-07-15 13:31:41 -07:00
Liang Zhu
1f5a7aecbc change log schema for ocsp-ssl-split.bro 2015-07-13 15:23:56 -07:00
Liang Zhu
9553c8aefc separated logging for ocsp and ssl 2015-07-12 13:52:26 -07:00
Liang Zhu
406fec9ef4 potentially fix a memory problem ocsp-measurement 2015-07-09 11:56:58 -07:00
Liang Zhu
6947387522 add status_type to ocsp stapling log 2015-07-08 14:21:53 -07:00
Liang Zhu
545848d906 add parameter 'status_type' to event ssl_stapled_ocsp 2015-07-08 14:11:14 -07:00
Liang Zhu
e2c30f0005 record more timestamp for ocsp measurement 2015-07-06 17:52:13 -07:00
Liang Zhu
8844d344af add connection in ocsp log 2015-07-02 17:46:43 -07:00
Liang Zhu
386a5b811d add optional logging for parsed ocsp stapling message 2015-07-02 14:23:38 -07:00
Liang Zhu
2743966fcc add a script to combine ocsp with ssl 2015-07-01 17:00:41 -07:00