Vlad Grigorescu
3ad6b3004b
SSH: Use the compression_algorithms const in another place.
2015-03-10 11:57:12 -04:00
Vlad Grigorescu
d9b4693240
Some cleanup and refactoring on SSH main.bro.
...
Specifically, an overhaul of how the algorithm negotiation is
calculated, to simplify a lot of the code.
2015-03-09 16:04:35 -04:00
Jon Siwek
9e53722b57
Rename comm/ directories to broker/
2015-03-05 17:02:25 -06:00
Jon Siwek
fa08083a92
Rename broker-related namespaces.
...
c++ namespace "comm" -> bro_broker
script module "Comm" -> BrokerComm
script module "Store" -> BrokerStore
2015-03-05 16:20:51 -06:00
Seth Hall
ffdf2a46d7
Fixes tests in RDP branch.
...
- Re-enable MySQL. It had accidentally been disabled.
2015-03-05 16:08:18 -05:00
Seth Hall
4737b235b6
Merge remote-tracking branch 'origin/master' into topic/seth/rdp
2015-03-05 14:38:34 -05:00
Seth Hall
276e072e6e
A few more changes to handling encryption in RDP.
2015-03-05 13:38:54 -05:00
Seth Hall
b92a68e2bd
Adds some comments and fixes a broxygen warning.
2015-03-05 11:37:37 -05:00
Seth Hall
f45e057779
Another big RDP update.
...
- New fields for certificate type, number of certificates,
if certificates are permanent on the server, and the selected
security protocol.
- Fixed some issues with X.509 certificate handling over RDP
(the event handler wasn't sufficiently constrained).
- Better detection of and transition into encrypted mode. No more
binpac parse failures from the test traces anymore!
- Some event name cleanup and new events.
- X.509 Certificate chains are now handled correctly (was only grabbing
a single certificate).
2015-03-05 01:15:12 -05:00
Robin Sommer
e5adc768cc
Merge branch 'stats-bytes-recvd' of https://github.com/msmiley/bro
2015-03-04 13:16:19 -08:00
Seth Hall
d361deb975
Merge remote-tracking branch 'origin/master' into topic/seth/rdp
2015-03-04 13:12:45 -05:00
Seth Hall
bbedb73a45
Huge updates to the RDP analyzer from Josh Liburdi.
...
- More data pulled into scriptland.
- Logs expanded with client screen resolution and desired color depth.
- Values in UTF-16 on the wire are converted to UTF-8 before being
sent to scriptland.
- If the RDP turns into SSL records, we now pass data that appears
to be SSL to the PIA analyzer.
- If RDP uses native encryption with X.509 certs we pass those
certs to the files framework and the base scripts pass them forward
to the X.509 analyzer.
- Lots of cleanup and adjustment to fit the documented protocol
a bit better.
- Cleaned up the DPD signatures.
- Moved to flowunit instead of datagram.
- Added tests.
2015-03-04 13:12:03 -05:00
Johanna Amann
e48c6ccc4a
Do not log common name by default (it is most interesting for scripts)
...
and add a test case.
2015-03-03 16:38:25 -08:00
Johanna Amann
252d57fd2c
extract most specific common name from certificates
2015-03-03 16:09:54 -08:00
Robin Sommer
dfc88094ab
Merge remote-tracking branch 'origin/topic/jsiwek/broker'
...
* origin/topic/jsiwek/broker: (34 commits)
Update broker submodule.
Update broker submodule.
broker integration: add missing baselines for doc tests
broker integration: add prof.log statistics
broker integration: add high-level usage documentation
broker integration: add API documentation (broxygen/doxygen)
broker integration: fix memory leak, add leak tests
Update broker submodule.
Improve comm tests.
Fix gcc compile warnings.
broker integration: fix unit tests to work when broker is not enabled.
Add --enable-c++11 configure flag.
broker integration: add (un)publish/(un)advertise functions
broker integration: add knobs to set auto publish/advertise behavior
broker integration: move listen port for unit tests to a btest variable
broker integration: add events for incoming connection status updates
broker integration: adapt to change in expiration_time
Update coverage unit test baselines.
broker integration: add Comm::enable function
broker integration: process debug/diagnostic reports from broker
...
Conflicts:
cmake
testing/btest/Baseline/plugins.hooks/output
2015-03-02 17:10:15 -08:00
Vlad Grigorescu
b129231d9b
KRB: Clean up krb.log a bit.
2015-03-02 12:32:24 -05:00
Mike Smiley
3877b3e34b
add bytes recvd to Stats and stats.bro
...
use libpcap packet hdr.len to count bytes
2015-02-23 21:27:28 -05:00
Vlad Grigorescu
96fc3b75f7
Merge remote-tracking branch 'origin/master' into topic/vladg/sip
2015-02-21 13:07:22 -05:00
Vlad Grigorescu
b90c8cb8ec
Merge remote-tracking branch 'origin/master' into topic/vladg/file-analysis-exe-analyzer
...
Conflicts:
src/types.bif
2015-02-19 16:59:52 -06:00
Mike Smiley
a1d49e791e
add local_resp to Conn Info
...
allow user to differentiate between local -> local and local -> remote
connections
2015-02-18 20:41:40 -05:00
Jon Siwek
b06d82cced
broker integration: add API documentation (broxygen/doxygen)
...
Also changed asynchronous data store query code a bit; trying to make
memory management and handling of corner cases a bit clearer (the former
maybe could still be better, but I need to look up queries by memory
address to associate response cookies to them, and so wrapping pointers
kind of just gets in the way).
2015-02-17 10:50:57 -06:00
Jon Siwek
e95116ba85
Merge branch 'master' into topic/jsiwek/broker
2015-02-16 10:00:17 -06:00
jshlbrd
dade1936be
Update dpd.sig
2015-02-15 23:06:36 -08:00
jshlbrd
10071ffddf
Fixed typo
2015-02-15 23:05:11 -08:00
jshlbrd
8a5bb0f6a7
Added check for connection existence
...
Added a check for connection existence before trying to remove the RDP analyzer from a connection.
2015-02-15 23:04:31 -08:00
Josh Liburdi
90bfbf9002
Added comments, changed logging events to reduce analyzer errors
2015-02-15 22:43:31 -08:00
Josh Liburdi
a3ab9f5b09
Added comments and TODOs
2015-02-15 10:18:52 -08:00
Josh Liburdi
af1f4be529
Added comments and TODOs
2015-02-15 10:16:16 -08:00
Josh Liburdi
0648dafa54
Removed scheduling of rdp_tracker event in server response events
2015-02-15 10:08:31 -08:00
Josh Liburdi
fd655aa85d
Removed debug code for SSL
2015-02-15 09:24:28 -08:00
jshlbrd
2fcddc6441
Update init-default.bro
...
Commented out mysql
2015-02-14 13:31:23 -08:00
Josh Liburdi
46713fb5c7
Init RDP analyzer
2015-02-14 13:16:48 -08:00
Jon Siwek
212368b245
Merge remote-tracking branch 'origin/topic/jsiwek/socks-authentication'
...
* origin/topic/jsiwek/socks-authentication:
Refactor SOCKS5 user/pass authentication support.
Update the SOCKS analyzer to support user/pass login.
BIT-1011 #merged
2015-02-13 09:15:50 -06:00
Jon Siwek
961fd06cad
Refactor SOCKS5 user/pass authentication support.
...
- Rename event "socks_login_userpass" to "socks_login_userpass_request"
- Rename event "socks_login_reply" to "socks_login_userpass_reply"
- Split unsupported authN weird into 2 types: method vs. version
Addresses BIT-1011
2015-02-12 17:06:38 -06:00
Jon Siwek
ebc9407a2b
broker integration: add knobs to set auto publish/advertise behavior
2015-02-09 16:26:31 -06:00
Robin Sommer
23b9705a7b
Fixing analyzer tag types for some Files::* functions.
2015-02-08 18:23:22 -08:00
Vlad Grigorescu
4a2d7f1d39
SIP: Move to the new string BIFs
2015-02-06 20:00:38 -05:00
Vlad Grigorescu
d852fe8b52
Merge remote-tracking branch 'origin/master' into topic/vladg/sip
2015-02-06 19:49:23 -05:00
Vlad Grigorescu
fc721d2d25
Merge remote-tracking branch 'origin/master' into topic/vladg/ssh
2015-02-06 18:58:38 -05:00
Vlad Grigorescu
9f19c74a10
Kerberos: A couple small tweaks.
2015-02-06 13:05:09 -05:00
Vlad Grigorescu
dfc42ffe8a
Kerberos: Fix parsing of the cipher in tickets, and add it to the log.
2015-02-06 11:48:46 -05:00
Vlad Grigorescu
5bba7ad1eb
Kerberos: A couple more formatting fixes.
2015-02-05 16:06:31 -05:00
Vlad Grigorescu
a8373b60e7
Change krb Info string to success bool
2015-02-05 14:30:18 -05:00
Vlad Grigorescu
7e1fcb1a10
Merge remote-tracking branch 'origin/master' into topic/vladg/kerberos
2015-02-05 14:22:29 -05:00
Vlad Grigorescu
444ff240bd
Clean up formatting.
2015-02-05 14:21:34 -05:00
Vlad Grigorescu
aea0ae453e
Documentation update, and rework events a bit.
2015-02-05 14:05:56 -05:00
Seth Hall
9592f64225
Update the SOCKS analyzer to support user/pass login.
...
- This addresses BIT-1011
- Add a new field to socks.log; "password".
- Two new events; socks_login_userpass and socks_login_reply.
- One new weird for unsupported authentication method.
- A new test for authenticated socks traffic.
- Credit to Nicolas Retrain for the initial patch. Thanks!
2015-02-05 12:44:10 -05:00
Vlad Grigorescu
457ad73e6d
Add support for the SAFE message type.
2015-02-04 17:28:09 -05:00
Vlad Grigorescu
b981bc6c62
Add support for AP_REQ, AP_REP, PRIV, and CRED message types.
2015-02-04 16:28:44 -05:00
Jon Siwek
6b115c6999
Merge branch 'master' into topic/jsiwek/broker
2015-02-02 11:45:21 -06:00