Naming the analyzer differently from the old one was a mistake that
required unnecessary code changes; keeping the old name makes things
like StartTLS in other protocols work without additional code changes.
* origin/master:
Update doc submodule [nomail] [skip ci]
build_inner_connection: Use the outer packet's timestamp
build_inner_connection: Avoid one extra Init()
packet_analysis: Do not run DetectProtocol() on disabled analyzers
packet_analysis/Dispatcher: Do not index table twice
packet_analysis: Avoid shared_ptr copying for analyzer lookups
Update doc submodule [nomail] [skip ci]
Update doc submodule [nomail] [skip ci]
SSL: Add new extension types and ECH test
Update `.git-blame-ignore-revs`
Format JSON with clang-format
Bump pre-commit hooks
Reformat Zeek in Spicy style
This commit adds a multitude of new extension types that were added in
the last few years; it also adds grease values to extensions, curves,
and ciphersuites.
Furthermore, it adds a test that contains an encrypted-client-hello
key-exchange (which uses several extension types that we do not have in
our baseline so far).
* origin/master: (386 commits)
Normalize version strings in test
Update doc submodule [nomail] [skip ci]
Update external testing baseline hashes
fuzzers: Add DTLS fuzzer
generic-analyzer-fuzzer: Support NextPacket() fuzzing
Require `truncate` for a test using it
Bump outdated baseline
Fix tests so they work both with GNU and BSD tools
Install libmaxminddb in macOS CI
Bump auxil/spicy to latest release
Supervisor: Handle EAGAIN error on stem pipe
fuzzer-setup: Allow customization without recompiling
ssl: Prevent unbounded ssl_history growth
ssl: Cap number of alerts parsed from SSL record
subdir-btest: Allow setting build_dir
Update doc submodule [nomail] [skip ci]
CI: Pass -A flag to btest for cluster-testing builds
Update doc submodule [nomail] [skip ci]
Update baselines
ftp: Do not base seq on number of pending commands
...
The ssl_history field may grow unbounded (e.g., ssl_alert event). Prevent this
by capping it at a configurable limit (default 100) and raising a weird once the limit is reached.
Previously, seq was computed as |pending_commands|+1. This
opened the possibility of overriding queued commands, as well as logging
the same pending ftp reply multiple times.
For example, when commands 1, 2, 3 are pending, command 1 may be dequeued,
but the incoming command then receives seq 3 and overrides the already
pending command 3. The second scenario happens when ftp_reply() selected
command 3 as pending for logging, but is then followed by many ftp_request()
events. This resulted in command 3's response being logged for every
following ftp_request() over and over again.
Avoid both scenarios by tracking the command sequence as an absolute counter.
* origin/topic/bbannier/issue-3234:
Introduce dedicated `LDAP::Info`
Remove redundant storing of protocol in LDAP logs
Use LDAP `RemovalHook` instead of implementing `connection_state_remove`
Tidy up LDAP code by using local references
Pluralize container names in LDAP types
Move LDAP script constants to their own file
Name `LDAP::Message` and `LDAP::Search` `*Info`
Make ports for LDAP analyzers fully configurable
Require have-spicy for tests which log spicy-ldap information
Fix LDAP analyzer setup for when Spicy analyzers are disabled
Bump zeek-testing-private
Integrate spicy-ldap test suite
Move spicy-ldap into Zeek protocol analyzer tree
Explicitly use all of spicy-ldap's modules
Explicitly list `asn1.spicy` as spicy-ldap source
Remove uses of `zeek` module in spicy-ldap
Fix typos in spicy-ldap
Remove project configuration files in spicy-ldap
Integrate spicy-ldap into build
Import zeek/spicy-ldap@57b5eff988
This moves the ports the LDAP analyzers should be triggered on from the
EVT file to the Zeek module. This gives users full control over which
ports the analyzers are registered for while previously they could only
register them for additional ports (there is no Zeek script equivalent
of `Manager::UnregisterAnalyzerForPort`).
The analyzers could still be triggered via DPD, but this is intentional.
To fully disable analyzers users can use e.g.,
```zeek
event zeek_init()
	{
	Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_TCP);
	}
```
OSS Fuzz generated a CWD request and reply followed by very many EPRT
requests. This caused Zeek to re-log the CWD request and invoke `build_url_ftp()`
over and over again resulting in long processing times.
Avoid this scenario by not logging commands that aren't pending anymore.
(cherry picked from commit b05dd31667ff634ec7d017f09d122f05878fdf65)
A call to `extract_filename_from_content_disposition()` is only
efficient if the string is guaranteed to contain the pattern that
is removed by `sub()`. Due to missing brackets around the `[:blank:]`
character class, an overly long string (756kb) ending in
"Type:dtanameaa=" matched the wrong pattern causing `sub()` to
exhibit quadratic runtime. Besides that, we may have potentially
extracted wrong information from a crafted header value.
(cherry picked from commit 6d385b1ca724a10444865e4ad38a58b31a2e2288)
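The bracket mistake described above, as an added example (constructed for this page, not Zeek's code): a Python model of a `sub()`-based `extract_filename_from_content_disposition()` run with both patterns. Python's `re` has no POSIX classes, so `[ \t]` stands in for `[[:blank:]]`; the broken form `[:blank:]` is the same six-character set in both engines. The header values, the guard regex and the function names are this example's own.

```python
import re

# Broken form: without an enclosing bracket expression, "[:blank:]" is just a
# character set of the six characters ':' 'b' 'l' 'a' 'n' 'k'. It never matches
# a space or tab, and it happily matches letters.
BROKEN = re.compile(r'^.*[nN][aA][mM][eE][:blank:]*=[:blank:]*')

# Fixed form. Python's re lacks POSIX classes, so [ \t] stands in for the
# [[:blank:]] class used in Zeek's pattern language.
FIXED = re.compile(r'^.*[nN][aA][mM][eE][ \t]*=[ \t]*')

# Caller-side guard (this example's own): only run the prefix-stripping sub()
# when the value is known to contain a "name=" parameter at all.
HAS_NAME_PARAM = re.compile(r'[nN][aA][mM][eE][ \t]*=')


def has_filename_param(value):
    return HAS_NAME_PARAM.search(value) is not None


def extract_filename(value, pattern=FIXED):
    """Strip everything up to and including 'name=' and drop surrounding quotes.

    Modeled on the commit's description of the helper: one sub() that removes
    the prefix, followed by quote stripping. Only the pattern differs.
    """
    filename = pattern.sub('', value, count=1)
    if filename.startswith('"'):
        filename = filename[1:]
    if filename.endswith('"'):
        filename = filename[:-1]
    return filename


if __name__ == "__main__":
    # Constructed header values.
    plain = 'attachment; filename="report.pdf"'
    spaced = 'attachment; filename = "spaced.txt"'
    crafted = 'inline; Type:dtanameaa='                      # the shape from the commit
    smuggled = 'attachment; filename="report.pdf"; Type:dtanameaa=evil.exe'
    for value in (plain, spaced, crafted, smuggled):
        print(repr(value))
        print("  guard :", has_filename_param(value))
        print("  fixed :", repr(extract_filename(value, FIXED)))
        print("  broken:", repr(extract_filename(value, BROKEN)))
```

The `spaced` case shows the second half of the problem: the broken class cannot match real whitespace, so a legitimate `filename = "..."` is left unparsed, while the `smuggled` case shows attacker-chosen text being returned as the filename.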
When http_reply events are received before http_request events, either
through faking traffic or possible re-ordering, it is possible to trigger
unbounded state growth due to later http_requests never being matched
again with responses.
Prevent this by synchronizing request/response counters when late
requests come in.
Also forcefully flush pending requests when http_replies are never
observed either due to the analyzer having been disabled or because of
half-duplex traffic.
Fixes #1705
This works around the new semantics of is_orig=T for "connections"
from DHCP servers to broadcast addresses. IMO, having the server address
as originator in the conn.log is still more intuitive.
This patch does two things:
1) For SMB close requests, tear down any associated DCE-RPC
analyzer if one exists.
2) Protect fid_to_analyzer_map from growing unbounded by introducing a
new SMB::max_dce_rpc_analyzers limit and forcefully wiping the
analyzers if it is exceeded. Propagate this to script land as the event
smb_discarded_dce_rpc_analyzers() for additional cleanup.
This is mostly to fix how the binpac SMB analyzer tracks individual
DCE-RPC analyzers per open fid. Connections that re-open the same or a
different pipe may currently allocate an unbounded number of analyzers.
Closes #3145.
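The cap-and-notify pattern used here and in the earlier ssl_history cap, as one added example (constructed models, not Zeek's code): a per-connection SSL history that stops growing at a limit and raises a single weird, and an SMB fid-to-analyzer table that is torn down on close and wiped with a discard notification when the limit is exceeded. The weird name, the analyzer labels and the cap defaults are placeholders chosen for this example.

```python
class SslState:
    """ssl_history bookkeeping for one connection (constructed model, not Zeek's code)."""

    def __init__(self, max_history=100):
        self.max_history = max_history
        self.history = ""
        self.weirds = []   # stands in for the weird entries the real analyzer raises

    def record(self, ch):
        """Append one history letter; refuse once the cap is hit and raise a weird once."""
        if len(self.history) >= self.max_history:
            if not self.weirds:
                self.weirds.append("ssl_history_limit_reached")   # name chosen for this model
            return False
        self.history += ch
        return True


class SmbState:
    """fid -> DCE-RPC analyzer bookkeeping for one SMB connection (constructed model)."""

    def __init__(self, max_dce_rpc_analyzers=10):
        self.max_dce_rpc_analyzers = max_dce_rpc_analyzers
        self.fid_to_analyzer = {}
        self.created = 0
        self.discard_events = 0   # stands in for smb_discarded_dce_rpc_analyzers() deliveries

    def open_pipe(self, fid):
        """One DCE-RPC analyzer per opened fid; wipe them all if the cap is exceeded."""
        self.created += 1
        name = f"dce_rpc#{self.created}"   # placeholder label for an analyzer instance
        self.fid_to_analyzer[fid] = name
        if len(self.fid_to_analyzer) > self.max_dce_rpc_analyzers:
            self.fid_to_analyzer.clear()   # forcefully drop every analyzer ...
            self.discard_events += 1       # ... and tell script land to clean up too
        return name

    def close_file(self, fid):
        """SMB close request: tear down the analyzer tied to this fid, if any."""
        return self.fid_to_analyzer.pop(fid, None) is not None


def alert_flood(n, cap=100):
    """A peer sending n alerts: history length and number of weirds raised."""
    s = SslState(max_history=cap)
    for _ in range(n):
        s.record("A")
    return len(s.history), len(s.weirds)


def reopen_without_close(n, cap=10):
    """n pipe opens with no closes: live analyzers and discard events afterwards."""
    s = SmbState(max_dce_rpc_analyzers=cap)
    for i in range(n):
        s.open_pipe(f"fid-{i}")
    return len(s.fid_to_analyzer), s.discard_events


def reopen_with_close(n, cap=10):
    """The well-behaved case: every open is followed by a close, so nothing accumulates."""
    s = SmbState(max_dce_rpc_analyzers=cap)
    for i in range(n):
        s.open_pipe(f"fid-{i}")
        s.close_file(f"fid-{i}")
    return len(s.fid_to_analyzer), s.discard_events


if __name__ == "__main__":
    print(alert_flood(150))              # (100, 1)
    print(reopen_without_close(15))      # (4, 1)
    print(reopen_with_close(15))         # (0, 0)
```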
* origin/master: (82 commits)
Update doc submodule [nomail] [skip ci]
Update zeekjs submodule
Update broker submodule
telemetry: Disable metrics centralization by default
GSSAPI: basic support for MIC/WRAP tokens
CI: Force rebuild of tumbleweed VM to pick up newer version of python
formatters/JSON: Make JSON::NullDoubleWriter use zeek::json::detail version
formatters/JSON: Remove surrounding_braces
formatters/JSON: Prepare to remove rapidjson from installed Zeek headers
Stmt/Assert: Use std::move() for backtrace element
Update cmake submodule [nomail]
Update external testing hashes for 6.1 deprecation changes
Remove leftover baseline files from 6.1 deprecation removal
Update doc submodule [nomail] [skip ci]
Update external testing repo hashes to current master commits
Update dce-rpc constants
-O gen-C++ refinements for BiF failures, negative vector indices, boolean vector operations
Update docs submodule [nomail] [skip ci]
Force -std=c++17 mode for plugin targets, remove use of RequireCXX17.cmake
Add Spicy updates to NEWS for 6.0.
...
* origin/master: (200 commits)
Update link to slack in README.md
Update bifcl, binpac, and broker repos for cmake changes
bison_target argument changes from HEADER to DEFINES_FILE
Update cmake submodule [nomail]
Start of 6.1.0 development
Switch broker submodule back to master
Update broker submodule to 2.6.0 release tag [nomail] [skip ci]
Update docs submodule [nomail] [skip ci]
Updating CHANGES and VERSION.
Update baseline for coverage.test-all-policy-cluster test
catch-and-release: Mark cr_check_rule as is_used
Add test-all-policy-cluster
Revert "Merge remote-tracking branch 'origin/topic/vern/at-if-analyze'"
Simplify code generated for Spicy analyzer port ranges.
Register test analyzer only for required ports.
Update doc submodule [nomail] [skip ci]
Update broker submodule [nomail]
Update ZeekJS submodule to 0.9.1
Fix disappearing unit fields in Spicy type export.
Bump cluster testsuite to latest main
...
OSS-Fuzz generated traffic containing a CWD command with a single very large
path argument (427kb) starting with ".___/` \x00\x00...". This is followed
by a large number of ftp replies with code 250. The directory logic in
ftp_reply() would match every incoming reply with the one pending CWD command,
triggering path buildup ending up at something 120MB in size.
Protect from re-using a directory command by setting a flag in the
CmdArg record when it was consumed for the path traversal logic.
This doesn't prevent unbounded path build-up generally, but does prevent the
amplification of a single large command with very many small ftp_replies.
Re-using a pending path command seems like a bug as well.
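The two FTP state bugs above, the |pending_commands|+1 seq collision from the earlier commit and the re-used CWD command from this one, as one added example (a constructed model, not Zeek's code): a per-connection pending-command table with the old and new behaviour selectable, a consumed flag on the directory command, and replies that match nothing pending producing no log entry. Command names, the oldest-pending matching rule and the reply codes are this example's own simplifications; `cont_resp` mirrors the argument of Zeek's `ftp_reply` event.

```python
import posixpath
from dataclasses import dataclass


@dataclass
class CmdArg:
    seq: int
    cmd: str
    arg: str
    consumed: bool = False   # set once a CWD argument has been applied to the path


class FtpSession:
    """Per-connection FTP command/reply tracking (a constructed model, not Zeek's code).

    absolute_seq=False reproduces the old len(pending)+1 numbering;
    consume_once=False reproduces re-applying one pending CWD on every matched reply.
    """

    def __init__(self, absolute_seq=True, consume_once=True):
        self.absolute_seq = absolute_seq
        self.consume_once = consume_once
        self.next_seq = 1
        self.pending = {}   # seq -> CmdArg
        self.cwd = "/"
        self.logged = []    # (seq, cmd, arg, code) records written to the log

    def request(self, cmd, arg):
        if self.absolute_seq:
            seq = self.next_seq
            self.next_seq += 1
        else:
            seq = len(self.pending) + 1   # collides with a live entry after any dequeue
        self.pending[seq] = CmdArg(seq, cmd, arg)
        return seq

    def reply(self, code, cont_resp=False):
        """Match a server reply to the oldest pending command.

        cont_resp=True models a continuation line of a multi-line reply: the
        command stays pending and nothing is logged yet.
        """
        if not self.pending:
            return None   # nothing pending: never log, or re-log, a finished command
        seq = min(self.pending)
        ca = self.pending[seq]
        if ca.cmd == "CWD" and code == 250 and not (self.consume_once and ca.consumed):
            self.cwd = posixpath.normpath(posixpath.join(self.cwd, ca.arg))
            ca.consumed = True
        if not cont_resp:
            self.logged.append((seq, ca.cmd, ca.arg, code))
            del self.pending[seq]
        return seq


def seq_collision(absolute_seq):
    """Three commands pending, the first answered, then a fourth arrives."""
    s = FtpSession(absolute_seq=absolute_seq)
    for cmd in ("USER", "PASS", "PWD"):
        s.request(cmd, "")
    s.reply(331)            # answers seq 1 (USER); seq 2 and 3 stay pending
    s.request("TYPE", "I")  # old scheme: gets seq 3 and silently replaces PWD
    return sorted(ca.cmd for ca in s.pending.values())


def cwd_amplification(consume_once, cont_lines=3):
    """One CWD answered by a multi-line 250 reply: the path must grow once, not per line."""
    s = FtpSession(consume_once=consume_once)
    s.request("CWD", "dir")
    for _ in range(cont_lines):
        s.reply(250, cont_resp=True)
    s.reply(250)
    return s.cwd


def stale_reply():
    """A reply arriving with nothing pending produces no second log entry."""
    s = FtpSession()
    s.request("CWD", "dir")
    s.reply(250)
    return s.reply(250), len(s.logged)


if __name__ == "__main__":
    print(seq_collision(absolute_seq=False), seq_collision(absolute_seq=True))
    print(cwd_amplification(consume_once=False), cwd_amplification(consume_once=True))
    print(stale_reply())
```

With a 427kb argument in place of `"dir"`, the `consume_once=False` path is where the quadratic build-up comes from: each extra reply line appends the whole argument again.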
* origin/topic/awelzel/smb2-state-handling:
NEWS: Add entry about SMB::max_pending_messages and state discarding
scripts/smb2-main: Reset script-level state upon smb2_discarded_messages_state()
smb2: Limit per-connection read/ioctl/tree state