Robin Sommer
236acd683c
Merge branch 'master' of git.bro.org:bro
2016-03-08 08:04:29 -08:00
Johanna Amann
6c0165b090
Commit correct version of conn.log.
Sorry, I mistakenly committed the one triggering the bug, after testing
both of them for a bit.
2016-03-08 07:45:16 -08:00
Robin Sommer
d8adcae3ba
Merge branch 'master' of git.bro.org:bro
2016-03-08 07:38:49 -08:00
Robin Sommer
5b120784c5
Merge remote-tracking branch 'origin/topic/johanna/str-functions'
Includes tiny tweak to double-check memchr length parameter.
BIT-1546 #merged
* origin/topic/johanna/str-functions:
Fix typo in previous string function replacement commit
Remove old string functions.
2016-03-08 07:15:26 -08:00
Johanna Amann
69b62be5d4
Merge remote-tracking branch 'origin/master' into topic/johanna/netcontrol
2016-03-07 14:59:25 -08:00
Johanna Amann
f89874b9e9
Merge branch 'patch-4' of https://github.com/aeppert/bro
* 'patch-4' of https://github.com/aeppert/bro :
(BIT-1545) Add "disable_analyzer_after_detection" in lieu of "skip_processing_after_detection"
I also removed the old disable_analyzer_after_detection option
completely - if someone wants that, they can just catch the event
themselves and call skip_further_processing.
I also adjusted the ssh test case to contain conn.log to prevent
re-addition of this problem in the future.
BIT-1545 #merged
2016-03-07 13:39:28 -08:00
Johanna Amann
642542ab17
Merge branch 'topic/http-evasion' of https://github.com/0xcc-labs/bro
* 'topic/http-evasion' of https://github.com/0xcc-labs/bro :
updated weird message and tests
update of http btest
detect possible HTTP evasion attempts
2016-03-07 13:09:56 -08:00
Seth Hall
c63ad1cdcf
Add a signature for SMB
2016-03-07 16:03:31 -05:00
Johanna Amann
9a66527823
Update Changes
[nomail]
2016-03-07 12:43:45 -08:00
Seth Hall
6e842cf4da
Fix a problem I introduced with SMB2 file handling.
- Added an SMB2 test that encompasses the problem.
2016-03-07 15:36:25 -05:00
Seth Hall
21d8cab0c0
First SMB test.
2016-03-07 13:50:25 -05:00
Seth Hall
c8818da09a
Fix a bug that resulted in recursion in the type system.
- There is a bit of other minor reorganization cleanup here too.
2016-03-07 13:50:12 -05:00
Seth Hall
b58ee68c11
Removed a vestigial SMB file.
2016-03-07 11:20:50 -05:00
Seth Hall
12a8b8e5db
Fix and clean up the DCE_RPC analyzer a bit and probably broke it in some way.
2016-03-07 11:18:22 -05:00
Seth Hall
ca58dc84d5
Create an smb_auth.log.
- Brings the SMB NTLM support all the way to a log.
- Only support SMB1 right now.
- A bit more clean up of logged file actions and code organization.
2016-03-07 11:17:51 -05:00
Seth Hall
481335e5ea
Fixing problems in the RPC-DCE handling in SMB.
- Renamed some fields to make everything clearer.
- Fixed some more indentation problems.
- Added the dce_rpc-protocol.pac files to the cmake list
so that changes in it cause the smb analyzer to be rebuilt.
2016-03-07 10:07:02 -05:00
Aaron Eppert
c93b057a97
(BIT-1545) Add "disable_analyzer_after_detection" in lieu of "skip_processing_after_detection"
The default of "skip_processing_after_detection" is confusing and causes conn.log to not be written as one would assume, plus the counters are not incremented and thus some kinds of potential detections are short-changed. I propose adding "disable_analyzer_after_detection" which would react, on the surface, the same way by disabling the SSH analyzer, but allowing conn.log to be written appropriately.
2016-03-05 11:59:52 -05:00
Robin Sommer
8cf5cbdbcf
Updating submodule(s).
[nomail]
2016-03-04 20:35:06 -08:00
wglodek
9ebe7b2a21
updated weird message and tests
2016-03-04 18:03:24 -05:00
Robin Sommer
56798d6a6c
Updating submodule(s).
[nomail]
2016-03-04 12:52:05 -08:00
Robin Sommer
154a5f1f7f
Updating submodule(s).
[nomail]
2016-03-04 12:40:14 -08:00
Robin Sommer
484ce148f4
Merge remote-tracking branch 'origin/topic/johanna/openssl'
BIT-1537 #merged
* origin/topic/johanna/openssl:
Also update configure for the new openssl cmake script.
2016-03-04 12:39:17 -08:00
Johanna Amann
9df5a36a5c
Fix typo in previous string function replacement commit
2016-03-04 12:14:14 -08:00
Johanna Amann
446a44787a
Remove old string functions.
More specifically, this removes the functions:
strcasecmp_n
strchr_n
strrchr_n
and replaces the calls with the respective C-library calls that should
be part of just about all operating systems by now.
2016-03-04 12:02:19 -08:00
Johanna Amann
9a09039c08
Also update configure for the new openssl cmake script.
2016-03-04 11:18:27 -08:00
Robin Sommer
4a88a85833
Updating submodule(s).
2016-03-04 08:25:40 -08:00
Robin Sommer
c916072e4c
Merge remote-tracking branch 'origin/topic/johanna/freebsd9'
BIT-1542 #merged
* origin/topic/johanna/freebsd9:
More detailed installation instructions for FreeBSD 9.X
2016-03-03 21:34:41 -08:00
Seth Hall
1b98e3bb24
Fix SMB1 file handling.
File data wasn't being forwarded to the file analysis framework
correctly.
2016-03-03 16:33:58 -05:00
Seth Hall
462316acdf
Prevent some extra smb logging of cmd messages.
2016-03-03 16:33:29 -05:00
Seth Hall
b9afc01d91
Fixed a problem with file names and path names containing nulls.
This would come up when a string is UTF-16 containing characters
outside of straight ASCII. The file analysis framework uses
CheckString to create file IDs which can't cope with the NULL bytes.
2016-03-03 15:52:34 -05:00
Seth Hall
e02c612742
Fix some SMB1 "field missing" expression errors.
2016-03-03 15:31:26 -05:00
Seth Hall
d453dc149c
A lot of changes to SMB analyzer.
- Add beginning of infrastructure for pipe support in SMB2.
- Improve identification of non-file tree mappings.
- Stop passing pipe data to the file analysis framework.
- Reduce log volume in smb_files.log by watching for repeated
files being seen so that you don't end up with nearly
the exact same log line over and over and over.
- Lots of little whitespace and indentation changes.
2016-03-03 14:27:15 -05:00
Robin Sommer
71ec2c68bc
Merge remote-tracking branch 'origin/topic/johanna/openssl'
BIT-1537 #merged
* origin/topic/johanna/openssl:
update cmake OpenSSL checks
2016-03-03 08:01:41 -08:00
Robin Sommer
3dc445900b
Merge remote-tracking branch 'origin/topic/johanna/bit-1529'
BIT-1529 #merged
* origin/topic/johanna/bit-1529:
Subscribe is a valid message per RFC 3265
2016-03-03 07:58:10 -08:00
Robin Sommer
7857cc7d8c
Merge remote-tracking branch 'origin/topic/johanna/bit-1535'
* origin/topic/johanna/bit-1535:
Update documentation for RSTR.
BIT-1535 #merged
2016-03-03 07:57:06 -08:00
Daniel Thayer
7ede9c65d2
Add more documentation to sumstats framework scripts
2016-03-01 17:31:41 -06:00
Johanna Amann
f37139791a
More detailed installation instructions for FreeBSD 9.X
2016-03-01 15:23:58 -08:00
Johanna Amann
fdf36393ba
Update documentation for RSTR.
Addresses BIT-1535
2016-03-01 14:08:58 -08:00
Johanna Amann
9f6f7312a3
Subscribe is a valid message per RFC 3265
Addresses BIT-1529
2016-03-01 14:00:11 -08:00
Seth Hall
41e2eaa02d
Source clean up and some fixes for SMB.
- Remove the separate string handling for NTLM.
- Fixed a crash in RPC Bind handling when no context
elements are included.
2016-03-01 14:16:45 -05:00
Seth Hall
2e2fb6831f
Merge remote-tracking branch 'origin/topic/vladg/smb' into topic/seth/smb
# Conflicts:
# scripts/base/protocols/smb/files.bro
# scripts/base/protocols/smb/main.bro
# scripts/base/protocols/smb/smb1-main.bro
# scripts/base/protocols/smb/smb2-main.bro
2016-03-01 11:11:50 -05:00
Johanna Amann
17dd44a620
update cmake OpenSSL checks
2016-02-23 14:47:55 -08:00
Robin Sommer
611a8ab935
Updating submodule(s).
[nomail]
2016-02-23 14:02:43 -08:00
Seth Hall
dbb5992f43
Disable the smb_cmd.log by default.
2016-02-19 00:23:05 -05:00
Seth Hall
f9cbee20f8
Merge remote-tracking branch 'origin/master' into topic/seth/smb
# Conflicts:
# src/analyzer/protocol/smb/SMB.cc
2016-02-18 23:09:22 -05:00
Seth Hall
af8c1d229b
Fix some small SMB issues
- Remove some fields from set_info that were causing trouble.
- Improve some SMB2 error handling.
2016-02-18 22:57:10 -05:00
Johanna Amann
3a2b583e32
Update submodule
[nomail]
2016-02-17 14:24:55 -08:00
Johanna Amann
c38e962030
Fix failing Jenkins test (dump-events).
The problem is that with certain compilers, the order of the file hash
events is reversed (for at this moment unknown reasons).
This fix simply removes all MD5 events from the dump-events test, only
leaving the SHA1 events. This removes this condition during the test.
2016-02-17 14:12:57 -08:00
Johanna Amann
8f60974bc0
Add new logfiles for shunting and drops to netcontrol
Also fix small bugs and update baselines.
2016-02-17 12:48:16 -08:00
Robin Sommer
0ac6460e98
Updating submodule(s).
[nomail]
2016-02-15 11:07:49 -08:00