Tim Wojtulewicz
29425688da
Make total_size counter a member in logging::Manager
2025-08-12 17:31:29 -07:00
Tim Wojtulewicz
98a77b5f25
Remove using numeric_limits and just check for zero instead
2025-08-12 17:31:29 -07:00
Tim Wojtulewicz
0ec2161b04
Add options to filter at the stream level as well as globally
2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
339d46ae26
Add a weird that gets emitted when strings/containers are over the limits
2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
837fde1a08
Add metrics to track string and container fields limited by length
2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
cd74a4e138
Replace unused stream argument from RecordToLogRecord with WriterInfo
...
This also adds a WriterInfo argument to ValToLogVal and passes the one from
RecordToLogRecord into it.
2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
e2e7ab28da
Implement string- and container-length filtering at the log record level
2025-08-12 17:31:28 -07:00
Tim Wojtulewicz
cc59bfa5d8
Merge remote-tracking branch 'origin/topic/bbannier/bump-spicy'
...
* origin/topic/bbannier/bump-spicy:
Bump pre-commit hooks
Bump auxil/spicy to latest development snapshot
2025-08-12 12:38:51 -07:00
Tim Wojtulewicz
f1d69df165
Pass DNS complete_flag along as a uint8_t instead of a String
2025-08-12 11:00:40 -07:00
Tim Wojtulewicz
d95affde4d
Remove deprecations tagged for v8.1
2025-08-12 10:19:03 -07:00
Benjamin Bannier
62e742aa3b
Bump pre-commit hooks
2025-08-12 17:49:42 +02:00
Arne Welzel
b2a2ad7e10
smb2/read: Parse only 1 byte for data_offset, ignore reserved1
...
A user provided a SMB2 pcap with the reserved1 field of a ReadResponse
set to 1 instead of 0. This confused the padding computation due to
including this byte in the offset. Properly split data_offset and
reserved1 into individual byte fields.
Closes #4730
2025-08-08 16:12:20 +02:00
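A worked illustration of the parsing mistake described in the commit above, added here as an example; it is not Zeek's or the project's own code. The field layout follows the SMB2 READ Response in MS-SMB2 section 2.2.20 (2-byte StructureSize, 1-byte DataOffset, 1-byte Reserved, 4-byte DataLength, 4-byte DataRemaining, 4-byte Flags, then Buffer), DataOffset counting from the start of the 64-byte SMB2 header. The "before" parser consumes DataOffset and Reserved as one little-endian uint16, so a Reserved byte of 1 turns offset 0x50 into 0x150 and the padding computation runs off the end of the message; the "after" parser reads the two bytes separately. The sample response bytes are constructed, and the function and constant names are assumptions for this example.

```python
import struct
from typing import Optional

# Sizes from MS-SMB2: the fixed 64-byte packet header (2.2.1) and the
# 16 bytes of READ Response fields that precede the variable Buffer (2.2.20).
SMB2_HEADER_LEN = 64
READ_RESP_FIXED_LEN = 16


def _extract_data(body: bytes, data_offset: int, data_length: int) -> Optional[bytes]:
    """Locate the read data inside a READ Response body (SMB2 header already stripped).

    DataOffset is measured from the start of the SMB2 header, so the padding
    between the fixed fields and the data is DataOffset minus header and
    fixed-field lengths. Returns None when the computed region does not fit.
    """
    pad = data_offset - SMB2_HEADER_LEN - READ_RESP_FIXED_LEN
    if pad < 0:
        return None  # offset points inside the fixed fields
    start = READ_RESP_FIXED_LEN + pad
    end = start + data_length
    if end > len(body):
        return None  # padding or length overruns the message
    return body[start:end]


def parse_read_response_before(body: bytes) -> Optional[bytes]:
    """'Before' behaviour: DataOffset and Reserved1 consumed as a single uint16.

    Indistinguishable from the correct parse while Reserved1 == 0; with
    Reserved1 == 1 the offset becomes 0x0150 instead of 0x50.
    """
    _size, data_offset16, data_length, _remaining, _flags = struct.unpack_from(
        "<HHIII", body, 0)
    return _extract_data(body, data_offset16, data_length)


def parse_read_response_after(body: bytes) -> Optional[bytes]:
    """'After' behaviour: DataOffset is one byte, Reserved1 a separate byte."""
    _size, data_offset, _reserved1, data_length, _remaining, _flags = struct.unpack_from(
        "<HBBIII", body, 0)
    return _extract_data(body, data_offset, data_length)


def build_read_response(data: bytes, reserved1: int = 0, pad: int = 0) -> bytes:
    """Constructed sample READ Response body (no SMB2 header) for testing.

    StructureSize is 17 as in MS-SMB2; `pad` adds alignment bytes before the data
    and is reflected in DataOffset.
    """
    data_offset = SMB2_HEADER_LEN + READ_RESP_FIXED_LEN + pad
    fixed = struct.pack("<HBBIII", 17, data_offset, reserved1, len(data), 0, 0)
    return fixed + b"\x00" * pad + data


if __name__ == "__main__":
    normal = build_read_response(b"hello")
    odd = build_read_response(b"hello", reserved1=1)
    print("reserved1=0 before:", parse_read_response_before(normal))
    print("reserved1=0 after: ", parse_read_response_after(normal))
    print("reserved1=1 before:", parse_read_response_before(odd))
    print("reserved1=1 after: ", parse_read_response_after(odd))
```

The point for anyone writing a binary parser: a reserved byte that "must be zero" on the wire is still a separate field, and folding it into a neighbouring integer silently widens the trusted offset. Validating the computed data region against the message length, as `_extract_data` does, turns the miscomputation into a visible parse failure instead of a bogus payload.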
Arne Welzel
13f613eb1d
Merge remote-tracking branch 'origin/topic/awelzel/4176-cluster-on-sub-unsub-hooks'
...
* origin/topic/awelzel/4176-cluster-on-sub-unsub-hooks:
cluster: Add on_subscribe() and on_unsubscribe() hooks
2025-08-08 14:24:18 +02:00
Arne Welzel
bdff2935a4
SessionAdapter: Keep tap_analyzers until destruction
...
connection_state_remove() is invoked after Done(), so it's not a good
idea to remove the tap analyzers before it, in case they have up-to-date
information for the connection val.
Relates to #4337 #4725 #4734 #4737
2025-08-06 17:22:55 +02:00
Arne Welzel
ee93213d39
tcp,udp,icmp adapters: Move TapPacket() to earlier
...
Writing a test, the packet was tapped after protocol analysis at least
for TCP. Ensure tapping happens before. The adapter->Process() moving
after pkt->session made me wonder a bit whether things are underspecified
here, but it seems reasonable to set the session on pkt before adapter->Process().
Relates to #4337 #4725 #4734 #4737
2025-08-06 17:22:51 +02:00
Arne Welzel
9d7cfcbce3
tcp,udp,icmp adapters: Fix UpdateConnVal() superclass call
...
Now that SessionAdapter implements UpdateConnVal(), the individual
adapters need to call that instead of Analyzer::UpdateConnVal()
Thanks clang-tidy.
Relates to #4337 #4725 #4734 #4737
2025-08-06 17:22:44 +02:00
Evan Typanski
22f77248f5
Merge remote-tracking branch 'origin/topic/etyp/fix-record-vec-type-conflict'
...
* origin/topic/etyp/fix-record-vec-type-conflict:
Fix record coercion with compatible types
2025-08-06 09:10:19 -04:00
Arne Welzel
ce7c394af1
TapAnalyzer: Fix docstring
...
Relates to #4337 #4725 #4734
2025-08-06 14:19:40 +02:00
Arne Welzel
b4925fbd16
TapAnalyzer: More verdict to action rename
...
Relates to #4725 #4337
2025-08-05 19:59:06 +02:00
Arne Welzel
4bc7f9532c
IPBasedAnalyzer: Call TapPacket() when skipping
...
When skip_further_processing() is called, a TapAnalyzer should still see
the packets as skipped with SkipReason "skipping".
2025-08-05 19:47:04 +02:00
Arne Welzel
dc904b2216
SessionAdapter: Introduce TapAnalyzer for session adapter
...
This commit introduces a mechanism to attach lightweight analyzers to
the root analyzer of sessions in order to tap into the packets delivered
to child analyzers.
2025-08-05 19:47:02 +02:00
Evan Typanski
006bef71b5
Fix record coercion with compatible types
...
Fixes #4722
2025-08-04 17:09:26 -04:00
Arne Welzel
4ecc62322e
Merge remote-tracking branch 'origin/topic/awelzel/depend-on-libzmq'
...
* origin/topic/awelzel/depend-on-libzmq:
ci/windows: No ZeroMQ cluster backend
cluster/zeromq: Bail on missing ZeroMQ by default
2025-08-01 17:10:32 +02:00
Arne Welzel
3c2d01e19e
Merge remote-tracking branch 'origin/topic/neverlord/std-span'
...
* origin/topic/neverlord/std-span:
Remove zeek::Span and use std::span instead
2025-08-01 14:50:02 +02:00
Arne Welzel
1a87ebab72
cluster: Add on_subscribe() and on_unsubscribe() hooks
...
Closes #4176
2025-08-01 14:06:19 +02:00
Arne Welzel
993502e0b6
cluster/zeromq: Bail on missing ZeroMQ by default
2025-08-01 09:46:06 +02:00
Tim Wojtulewicz
647da4f970
Fix use-after-move reported by clang-tidy
...
This was introduced by 9eb94ee151.
2025-07-31 09:55:43 -07:00
Arne Welzel
10e7f14f78
Merge remote-tracking branch 'origin/topic/awelzel/defer-more-stuff'
...
* origin/topic/awelzel/defer-more-stuff:
RecordType: Ensure &default fields are always re-initialized
Attr: Deprecate using &default and &optional together on record fields
RecordType: Allow deferring &default=vector(), set(), table() fields
2025-07-30 10:35:56 +02:00
Arne Welzel
9eb94ee151
RecordType: Ensure &default fields are always re-initialized
...
This started working partly after the deferral logic introduced with
Zeek 6.0 so this finishes it :-)
2025-07-30 10:26:06 +02:00
Arne Welzel
473723cc47
Attr: Deprecate using &default and &optional together on record fields
...
If &default implies re-initialization of the field, using them together
doesn't make much sense.
2025-07-30 10:26:06 +02:00
Arne Welzel
23181e4811
RecordType: Allow deferring &default=vector(), set(), table() fields
2025-07-30 10:26:06 +02:00
Arne Welzel
d7fbd49d9e
Merge remote-tracking branch 'origin/topic/vern/zam-record-fields-fixes'
...
* origin/topic/vern/zam-record-fields-fixes:
fixes for specialized ZAM operations needing to check whether record fields exist
2025-07-30 10:08:21 +02:00
Vern Paxson
47bf6af6a5
fixes for specialized ZAM operations needing to check whether record fields exist
2025-07-30 08:36:04 +02:00
Johanna Amann
a22b45c69e
Merge remote-tracking branch 'origin/topic/johanna/gh-4202'
...
* origin/topic/johanna/gh-4202:
Update NEWS for Conn::set_conn changes
DNS-fuzzer: raise new_connection event
Optimize Conn::set_conn to minimize operations
Move Conn::set_conn() from connection_state_remove to new_connection
2025-07-29 21:01:51 +01:00
Johanna Amann
5e74eefd88
DNS-fuzzer: raise new_connection event
...
The conn protocol scripts now assume that new_connection is run before
connection_state_remove. Update the DNS analyzer to raise the
new_connection event.
2025-07-29 18:41:59 +01:00
Arne Welzel
ab282e3637
Merge remote-tracking branch 'origin/topic/awelzel/cluster-event-out-of-detail'
...
* origin/topic/awelzel/cluster-event-out-of-detail:
cluster::Event: Move implementation into cluster/Event.{h,cc}
cluster: Move cluster::detail::Event to cluster::Event
2025-07-29 18:24:20 +02:00
Arne Welzel
40389603c2
cluster::Event: Move implementation into cluster/Event.{h,cc}
2025-07-29 18:13:59 +02:00
Arne Welzel
bda70067ec
cluster: Move cluster::detail::Event to cluster::Event
...
This class is a parameter of virtual methods of the Backend API for users
to implement and also a parameter to the HookPublishEvent() API. Seems it
shouldn't be in detail and instead we should own it.
Alternatively, could mark the cluster APIs as not-stable-yet, but I
think we can move forward and make it non-detail for 8.0.
2025-07-29 18:13:59 +02:00
Tim Wojtulewicz
9f3a1a135f
Merge remote-tracking branch 'origin/topic/timw/fix-fuzzer-conn-key-deprecation'
...
* origin/topic/timw/fix-fuzzer-conn-key-deprecation:
Fix ConnKey deprecation warnings from generic fuzzer
2025-07-29 07:41:23 -07:00
Tim Wojtulewicz
743b9e27cc
Merge remote-tracking branch 'origin/topic/timw/fix-irc-analyzer-event-types'
...
* origin/topic/timw/fix-irc-analyzer-event-types:
Fix types passed to some of the IRC analyzer events
2025-07-29 07:19:36 -07:00
Tim Wojtulewicz
06ec03046d
Merge remote-tracking branch 'origin/topic/timw/fix-ranges-debian-11-build-failure'
...
* origin/topic/timw/fix-ranges-debian-11-build-failure:
Fix build failure with std::ranges on Debian 11
2025-07-29 07:19:11 -07:00
Arne Welzel
cd7836dda2
Merge remote-tracking branch 'origin/topic/awelzel/4431-zeromq-drop-policy-v2'
...
* origin/topic/awelzel/4431-zeromq-drop-policy-v2:
cluster.bif: Improve Cluster::publish() docstring
btest/cluster/zeromq: Add tests for overload behavior
cluster/zeromq: Metric for msg errors
cluster/zeromq: Drop events when overloaded
cluster/zeromq: Comments and move lookups to InitPostScript()
cluster/zeromq: Rework lambdas to member functions
cluster/zeromq: Support local XPUB/XSUB hwm and buf configurability
cluster/OnLoop: Support DontBlock and Force flags for queueing
cluster/ThreadedBackend: Injectable OnLoopProcess instance
2025-07-29 11:38:49 +02:00
Arne Welzel
55ecd90928
cluster.bif: Improve Cluster::publish() docstring
2025-07-29 11:23:53 +02:00
Arne Welzel
d2bb86f8b4
cluster/zeromq: Metric for msg errors
2025-07-29 11:23:53 +02:00
Arne Welzel
073de9f5fd
cluster/zeromq: Drop events when overloaded
...
When either the XPUB socket's hwm is reached, or the onloop queue is
full, drop the events. Users can set the xpub_sndhwm and
onloop_queue_hwm to 0 to avoid these drops at the risk of unbounded
memory growth.
2025-07-29 11:23:53 +02:00
Arne Welzel
5de9296c77
cluster/zeromq: Comments and move lookups to InitPostScript()
2025-07-29 11:23:53 +02:00
Arne Welzel
85d5dda028
cluster/zeromq: Rework lambdas to member functions
2025-07-29 11:23:53 +02:00
Arne Welzel
5dc4586b70
cluster/zeromq: Support local XPUB/XSUB hwm and buf configurability
2025-07-29 11:23:53 +02:00
Arne Welzel
d79d4b1b2a
cluster/OnLoop: Support DontBlock and Force flags for queueing
...
Also allow max_queue_size to be 0 for unlimited queueing.
2025-07-29 11:23:53 +02:00
Arne Welzel
12518e8256
Merge remote-tracking branch 'origin/topic/awelzel/expose-num-packets-unprocessed'
...
* origin/topic/awelzel/expose-num-packets-unprocessed:
ConnStats: Expose num_packets_unprocessed
packet_analysis/Manager: Rename GetUnprocessedCount() to PacketsUnprocessed()
2025-07-29 10:12:46 +02:00