Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 08:08:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
19350 commits 385 branches 195 tags 258 MiB
Commit graph

19350 commits

This branch
This branch
All branches
Author SHA1 Message Date
Tim Wojtulewicz
39814816af Tag truncated values with a flag, plus pack threading::Value better 2025-08-12 17:31:29 -07:00
Tim Wojtulewicz
c8818d76bd Remove length limiting on string fields for HTTP 2025-08-12 17:31:29 -07:00
Tim Wojtulewicz
29425688da Make total_size counter a member in logging::Manager 2025-08-12 17:31:29 -07:00
Tim Wojtulewicz
98a77b5f25 Remove using numeric_limits and just check for zero instead 2025-08-12 17:31:29 -07:00
Tim Wojtulewicz
8a4bc084f9 Expand the size of the log-size filters for x509 2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
0ec2161b04 Add options to filter at the stream level as well as globally 2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
339d46ae26 Add a weird that gets emitted when strings/containers are over the limits 2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
837fde1a08 Add metrics to track string and container fields limited by length 2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
cd74a4e138 Replace unused stream argument from RecordToLogRecord with WriterInfo 
This also adds a WriterInfo argument to ValToLogVal and passes the one from
RecordToLogRecord into it.
 2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
e2e7ab28da Implement string- and container-length filtering at the log record level 2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
cc59bfa5d8 Merge remote-tracking branch 'origin/topic/bbannier/bump-spicy' 
* origin/topic/bbannier/bump-spicy:
  Bump pre-commit hooks
  Bump auxil/spicy to latest development snapshot
 2025-08-12 12:38:51 -07:00
Tim Wojtulewicz
d9357b4204 Merge remote-tracking branch 'origin/topic/timw/remove-8.1-deprecations' 
* origin/topic/timw/remove-8.1-deprecations:
  Pass DNS complete_flag along as a uint8_t instead of a String
  Update docs submodule with 8.1 deprecation removals
  Update zeekjs submodule with 8.1 deprecation fixes
  Remove deprecations tagged for v8.1
 2025-08-12 11:01:29 -07:00
Tim Wojtulewicz
f1d69df165 Pass DNS complete_flag along as a uint8_t instead of a String 2025-08-12 11:00:40 -07:00
Tim Wojtulewicz
73c9a1f3d9 Update docs submodule with 8.1 deprecation removals 2025-08-12 11:00:40 -07:00
Tim Wojtulewicz
cdba3c601f Update zeekjs submodule with 8.1 deprecation fixes 2025-08-12 10:19:03 -07:00
Tim Wojtulewicz
d95affde4d Remove deprecations tagged for v8.1 2025-08-12 10:19:03 -07:00
Benjamin Bannier
62e742aa3b Bump pre-commit hooks 2025-08-12 17:49:42 +02:00
Benjamin Bannier
5465a1c312 Bump auxil/spicy to latest development snapshot 2025-08-12 17:47:40 +02:00
zeek-bot
e4dab3dded Update doc submodule [nomail] [skip ci] 2025-08-12 00:44:57 +00:00
Tim Wojtulewicz
76289a8022 Merge remote-tracking branch 'origin/topic/awelzel/4730-smb-read-response-data-offset' 
* origin/topic/awelzel/4730-smb-read-response-data-offset:
  smb2/read: Parse only 1 byte for data_offset, ignore reserved1
 2025-08-11 11:37:38 -07:00
Tim Wojtulewicz
dff534962e Merge remote-tracking branch 'origin/topic/timw/docs-generation-virtualenv' 
* origin/topic/timw/docs-generation-virtualenv:
  Update docs submodule with new python packages
  Use virtualenv in docs generation/builds
 2025-08-10 21:28:48 -07:00
Tim Wojtulewicz
302f6f2787 Update docs submodule with new python packages 2025-08-10 21:21:41 -07:00
Tim Wojtulewicz
ef055ddb7c Use virtualenv in docs generation/builds 2025-08-08 20:38:31 -07:00
Arne Welzel
b2a2ad7e10 smb2/read: Parse only 1 byte for data_offset, ignore reserved1 
A user provided a SMB2 pcap with the reserved1 field of a ReadResponse
set to 1 instead of 0. This confused the padding computation due to
including this byte into the offset. Properly split data_offset and
reserved1 into individual byte fields.

Closes #4730
 2025-08-08 16:12:20 +02:00
Arne Welzel
13f613eb1d Merge remote-tracking branch 'origin/topic/awelzel/4176-cluster-on-sub-unsub-hooks' 
* origin/topic/awelzel/4176-cluster-on-sub-unsub-hooks:
  cluster: Add on_subscribe() and on_unsubscribe() hooks
 2025-08-08 14:24:18 +02:00
Tim Wojtulewicz
54d67c3322 Merge remote-tracking branch 'origin/topic/timw/cleanup-warnings-from-plugin-btest-builds' 
* origin/topic/timw/cleanup-warnings-from-plugin-btest-builds:
  Update zeek-aux to remove BRO_DIST from plugin skeleton
  cmake_minimum_required() should come before project()
 2025-08-07 08:39:40 -07:00
Tim Wojtulewicz
162ecc022e Update zeek-aux to remove BRO_DIST from plugin skeleton 2025-08-07 08:39:08 -07:00
Arne Welzel
bd9130a69a Merge remote-tracking branch 'origin/topic/awelzel/tap-analyzer-take-four-thanks-clang-tidy' 
* origin/topic/awelzel/tap-analyzer-take-four-thanks-clang-tidy:
  btest/tap-analyzer: Update existing test and add new one for UpdateConnVal()
  SessionAdapter: Keep tap_analyzers until destruction
  tcp,udp,icmp adapters: Move TapPacket() to earlier
  tcp,udp,icmp adapters: Fix UpdateConnVal() superclass call
 2025-08-07 10:49:12 +02:00
Tim Wojtulewicz
3c535ec215 cmake_minimum_required() should come before project() 2025-08-06 12:10:41 -07:00
Arne Welzel
f98508bbb0 btest/tap-analyzer: Update existing test and add new one for UpdateConnVal() 
This also changes the output of connection UIDs from the tap analyzer to be
prefixed with C for easier correlation with other logs.

Relates to #4337 #4725 #4734 #4737
 2025-08-06 17:22:59 +02:00
Arne Welzel
bdff2935a4 SessionAdapter: Keep tap_analyzers until destruction 
connection_state_remove() is invoked after Done(), so it's not a good
idea to remove the tap analyzers before in case they have up-to-date
information for the connection val.

Relates to #4337 #4725 #4734 #4737
 2025-08-06 17:22:55 +02:00
Arne Welzel
ee93213d39 tcp,udp,icmp adapters: Move TapPacket() to earlier 
Writing a test, the packet was tapped after protocol analysis at least
for TCP. Ensure tapping happens before. The adapter->Process() moving
after pkt->session made me a bit wondering if things are underspecified
here, but seems reasonable to set the session on pkt before adapter->Process().

Relates to #4337 #4725 #4734 #4737
 2025-08-06 17:22:51 +02:00
Arne Welzel
9d7cfcbce3 tcp,udp,icmp adapters: Fix UpdateConnVal() superclass call 
Now that SessionAdapter implements UpdateConnVal(), the individual
adapters need to call that instead of Analyzer::UpdateConnVal()

Thanks clang-tidy.

Relates to #4337 #4725 #4734 #4737
 2025-08-06 17:22:44 +02:00
Johanna Amann
2f2f328a72 Merge remote-tracking branch 'origin/topic/johanna/analyzer-log-proto' 
* origin/topic/johanna/analyzer-log-proto:
  Add proto to analyzer.log
 2025-08-06 14:38:47 +01:00
Evan Typanski
22f77248f5 Merge remote-tracking branch 'origin/topic/etyp/fix-record-vec-type-conflict' 
* origin/topic/etyp/fix-record-vec-type-conflict:
  Fix record coercion with compatible types
 2025-08-06 09:10:19 -04:00
Arne Welzel
33b6869425 Merge remote-tracking branch 'origin/topic/awelzel/tap-analyzer-take-three' 
* origin/topic/awelzel/tap-analyzer-take-three:
  TapAnalyzer: Fix docstring
  btest/plugins/tap-analyzer: Update baseline
 2025-08-06 14:27:56 +02:00
Arne Welzel
ce7c394af1 TapAnalyzer: Fix docstring 
Relates to #4337 #4725 #4734
 2025-08-06 14:19:40 +02:00
Arne Welzel
ac776b0aad btest/plugins/tap-analyzer: Update baseline 
Relates to #4337 #4725 #4734
 2025-08-06 14:17:42 +02:00
Johanna Amann
82266b1e78 Add proto to analyzer.log 
The analyzer.log file was missing the protocol field to distinguish
tcp/udp connections.
 2025-08-06 11:34:57 +01:00
Arne Welzel
7dea987432 Merge remote-tracking branch 'origin/topic/awelzel/4337-tap-analyzer-follow-up' 
* origin/topic/awelzel/4337-tap-analyzer-follow-up:
  TapAnalyzer: More verdict to action rename
 2025-08-05 20:00:44 +02:00
Arne Welzel
b4925fbd16 TapAnalyzer: More verdict to action rename 
Relates to #4725 #4337
 2025-08-05 19:59:06 +02:00
Arne Welzel
1e05588e8e Merge remote-tracking branch 'origin/topic/awelzel/4337-tap-analyzer-sketch' 
* origin/topic/awelzel/4337-tap-analyzer-sketch:
  IPBasedAnalyzer: Call TapPacket() when skipping
  SessionAdapter: Introduce TapAnalyzer for session adapter
 2025-08-05 19:49:01 +02:00
Arne Welzel
4bc7f9532c IPBasedAnalyzer: Call TapPacket() when skipping 
When skip_further_processing() is called, a TapAnalyzer should still see
the packets as skipped with SkipReason "skipping".
 2025-08-05 19:47:04 +02:00
Arne Welzel
dc904b2216 SessionAdapter: Introduce TapAnalyzer for session adapter 
This commit introduces a mechanism to attach light weight analyzers to
the root analyzer of sessions in order to tap into the packets delivered
to child analyzer.
 2025-08-05 19:47:02 +02:00
Evan Typanski
006bef71b5 Fix record coercion with compatible types 
Fixes #4722
 2025-08-04 17:09:26 -04:00
Christian Kreibich
56325d1412 Merge branch 'topic/christian/zeek-8.0-news' 
* topic/christian/zeek-8.0-news:
  Compile contributors for Zeek 8.0 in the NEWS file
 2025-08-04 09:35:53 -07:00
Christian Kreibich
4fdd83f3f5 Compile contributors for Zeek 8.0 in the NEWS file 2025-08-04 09:32:58 -07:00
Tim Wojtulewicz
6afeeca090 Start of 8.1.0 development 2025-08-04 08:26:29 -07:00
Arne Welzel
4ecc62322e Merge remote-tracking branch 'origin/topic/awelzel/depend-on-libzmq' 
* origin/topic/awelzel/depend-on-libzmq:
  ci/windows: No ZeroMQ cluster backend
  cluster/zeromq: Bail on missing ZeroMQ by default
 2025-08-01 17:10:32 +02:00
Arne Welzel
3c2d01e19e Merge remote-tracking branch 'origin/topic/neverlord/std-span' 
* origin/topic/neverlord/std-span:
  Remove zeek::Span and use std::span instead
 2025-08-01 14:50:02 +02:00