If we added a file but the other side of the connection had already run
into a protocol violation and shut down we could previously have
dereferenced a null cookie. This patch fixes the code so it now throws
in such scenarios.
We would previously assert that it was available which could have led
to aborts since when the analyzer for either side of a connection shuts
down the connection cookie could get cleared and become nil. This patch
reworks the code slightly so we now never assume it is available. We do
this by either throwing or by making the whole operation requesting the
cookie a noop.
This admittedly is a quite esoteric combination of protocols. But - as
we do correctly support them, it seems nice to have a slightly more
complete testcase that covers this.
Modified ubuntu24_clang_libcpp_task to be skipped on PRs.
* origin/topic/etyp/ubuntu-clang-ci:
  CI: Upgrade FreeBSD 14 to 14.1
  CI: Add Ubuntu Clang task
  Fix up minor warnings in touched files
  Fix Clang 19 deprecation failure
* origin/topic/awelzel/data-end-offset-v1:
  signatures: Add data_end_offset to signature_match() and custom events
  Add pattern_end_offset to signature_state
This feels more like a band-aid solution - it still requires very manual
intervention to get the next builds, but at least this way we don't rely
on whatever Clang/libc++ happens to ship with FreeBSD for the only
libc++ testing. It seems like sanitizer builds don't use libc++, but I'd
rather a dedicated Linux/Clang/libc++ task at least.
Fixes #3994
Clang 19 with libc++ started failing to compile because the default
implementation of `std::char_traits` was removed, making uses of
`std::char_traits<unsigned char>` invalid. This was used more for
convenience before, but it should be roughly the same behavior with
`char`.
See relevant LLVM commits:
aeecef08c308a0faf4cd
This change tracks the current offset (number of bytes fed into matchers)
on the top-level RuleEndpointState such that we can compute the relative ending
for matched texts individually.
Additionally, it adds the data_end_offset as a new optional parameter to
signature_match().
This commit fixes three issues with Zeek's Modbus message logging:
1 - Some exception responses (e.g., READ_COILS_EXCEPTION) are logged
twice: once without and once with the exception message.
2 - Some exception responses (e.g., PROGRAM_484_EXCEPTION) are not
logged.
3 - Some known but reserved function codes (e.g., PROGRAM_UNITY) are
logged as unk-xxx (e.g., unk-90), while it would be possible to
log their known name.
To address these inconsistencies, the modbus parser has been updated
to parse all exception responses (i.e., all responses where the MSB
of the function code is set) using the already defined Exception
message.
Also, the Modbus main.zeek script has been updated to consistently
demand logging exception responses to the specialized
modbus_exception event, rather than logging some exception responses
in the modbus_message event and others in the modbus_exception event.
Finally, the main.zeek script has been updated to make sure that
for every known function code, the corresponding exception code was
also present, and the enumeration of known function codes in
consts.zeek has been expanded.
Closes #3984
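An added illustration of the rule in the Modbus commit message above, not code from Zeek or from the commit: every response whose function code has the MSB set is treated as an exception and produces exactly one record under the exception event, and known-but-reserved codes resolve to a name instead of `unk-xxx`. The function-code table is a small assumed subset, the helper names are hypothetical, the event names are used only as labels, and the sample frames are constructed.

```python
import struct

# Assumed subset of function codes; 0x5A is 90 decimal (the "unk-90" case).
FUNCTION_CODES = {
    0x01: "READ_COILS",
    0x03: "READ_HOLDING_REGISTERS",
    0x09: "PROGRAM_484",
    0x5A: "PROGRAM_UNITY",
}
# Standard Modbus exception codes (subset).
EXCEPTION_CODES = {
    0x01: "ILLEGAL_FUNCTION",
    0x02: "ILLEGAL_DATA_ADDRESS",
    0x03: "ILLEGAL_DATA_VALUE",
    0x04: "SLAVE_DEVICE_FAILURE",
}

def function_name(code):
    """Name for a function code; the exception form is derived from the base code."""
    base = code & 0x7F
    name = FUNCTION_CODES.get(base, f"unk-{base}")
    return f"{name}_EXCEPTION" if code & 0x80 else name

def classify_response(frame):
    """Return the single (event, function, exception) record for one Modbus/TCP response."""
    if len(frame) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    _tid, pid, length, _uid, fc = struct.unpack(">HHHBB", frame[:8])
    # The MBAP length field counts the unit id plus the PDU.
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    if fc & 0x80:  # MSB set: always an exception response
        if len(frame) < 9:
            raise ValueError("exception response without exception code")
        exc = frame[8]
        return ("modbus_exception", function_name(fc),
                EXCEPTION_CODES.get(exc, f"unk-{exc}"))
    return ("modbus_message", function_name(fc), None)

# Constructed sample responses (not captured traffic).
SAMPLES = [
    bytes.fromhex("000100000003018102"),    # READ_COILS exception
    bytes.fromhex("000200000003018901"),    # PROGRAM_484 exception
    bytes.fromhex("000300000004015a0002"),  # PROGRAM_UNITY, normal response
    bytes.fromhex("0004000000020164"),      # code 100, not in the table
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_response(sample))
```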
Add pattern_end_offset to signature_state
Update init-bare.zeek
Update RuleMatcher.cc
Update RuleMatcher.h
Update init-bare.zeek
clang format
clang format
clang format
Using Match Offsets List
Temp commit
* origin/topic/vern/CPP-when-capture-naming:
  fixed "-O gen-C++" naming of "when" captures to avoid ambiguities due to inlining
  Simplified & made more robust maintenance helper script for "-O gen-C++" testing
  "-a cpp" baseline updates to reflect recent BTest changes
remove instance of plus sign to account for real plus in sql
account for spaces encoding to plus signs in sqli regex detection
add test cases for sqli space to plus
account for spaces encoding to plus signs in sqli regex detection
forgot semicolon
account for spaces encoding to plus signs in sqli regex detection
* topic/christian/telemetry-make-bifs-primary:
  Telemetry framework: move BIFs to the primary-bif stage
  Minor comment tweaks for init-frameworks-and-bifs.zeek