- Raw NTLM (not in GSSAPI) over SMB is now handled correctly.
- The encrypted NTLM session key is now passed into scriptland
through the ntlm_authenticate event.
the starttls command will sometimes be issued with a namespace, e.g. as
<ns2:starttls xmlns:ns2='urn:ietf:params:xml:ns:xmpp-tls'/>. The XMPP
analyzer did not handle this scenario correctly.
This is very similar to the following ejabberd bug:
https://support.process-one.net/browse/EJAB-1123
- The logic for fragment handling has been rewritten and should be correct now.
- There are now tunables for fragment handling overflow situations.
- DCE_RPC::max_cmd_reassembly and DCE_RPC::max_frag_data
- They result in weirds and analyzer removal.
- Memory leak fixed by unique_ptr auto cleanup.
- DCE_RPC is now intolerate of content gaps and will stop
analyzing traffic if content gaps happen (like most other analyzers currently).
* origin/topic/vladg/bit-1641:
Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641.
Clean up the logic for ssh_auth_failed. Addresses BIT-1641
Update baselines for adding a field to ssh.log as part of BIT-1641
Script-land changes for BIT-1641.
Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641.
Revert "Fixing duplicate SSH authentication failure events."
Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641.
I extended the tests a bit and did some small cleanups. I also moved the
SSH events back to the global namespace for backwards compatibility and
for consistency (the way it was at the moment, some of them were global
some SSH::).
Furthermore, I fixed the ssh_auth_result result event, it was only
raised in the success case. ssh_auth_result is now also checked in the
testcases. I also have a suspicion that the intel integration never
really worked before.
BIT-1641 #merged
The ones_complement_checksum function assumes that the bytes passed into
it are aligned on 16 bit boundaries.
When using gcc (GCC) 6.2.1 20160916 (Red Hat 6.2.1-2) with -O2, this
does not seem to hold true anymore; assuming 16 bit alignment will lead
to accesses to uninitialized memory and wrong checksums.
This commit adds a minimally invasive change that does not assume
alignment anymore. This might have a small performance impact for every
single packet we process.
This error occured reproducibly when called from icmp6_checksum.
Filter out the python 2 "L" suffix on long integers (not valid in Python 3),
and change python 3 "object at" to "instance at" when printing
class instances.
BIT-1727 #merged
* origin/topic/johanna/tls13:
Better way to deal with overloaded Assign constructors.
A few tabbing fixes in TLS 1.3 support
TLS 1.3 support.
With clang on FreeBSD 11.0-p1, some md5 functions tend to return the
wrong result. This is, e.g., visible when running the bifs/md5 testcase.
In this test, the checks using md5_hash_finish will return an empty
string.
The apparent cause is some confusion in clang when using a static char
inside a static inline function that is refered to several compilation
units.
Exact version of clang showing this issue is:
FreeBSD clang version 3.8.0 (tags/RELEASE_380/final 262564) (based on LLVM 3.8.0)
Target: x86_64-unknown-freebsd11.0
Thread model: posix
InstalledDir: /usr/bin
Issue occurs with -O2.
The first person to either find an existing clang bugreport for this, or
to create an minimal testcase and files one will get a drink from me :)
- DCE_RPC fragmentation handling returns!
- Fixed some general parsing issues
- Fixed an issue with the DCE_RPC signature not working for IPv6 connections.
We could actually already see these in traffic with people that use and
enabled them in chrome canary / firefox nightly builds. This change
includes the re-naming of a few names that were never formalli assigned
yet.
