zeek-bot
f6297effa7
Update doc submodule [nomail] [skip ci]
2022-11-29 00:15:49 +00:00
Vern Paxson
732faa998f
provide deprecated version of merge_type_list()
2022-11-28 10:00:11 -08:00
Christian Kreibich
417ff10a0a
CI: add Fedora 37
2022-11-27 19:33:52 -08:00
Arne Welzel
2becb1337f
TimerMgr: Add back max_timer_expires=0 special case
...
Commit 58fae22708 removed the max_expire==0
handling from DoAdvance() due to not being obvious what use it is. Jan
later reported that it broke the `redef max_timer_expires=0` (#2514).
This commit adds back the special case re-introducing the `max_timer_expires=0`,
trying to make it fairly explicit that it exists.
This is an adaption of #2516 not adding a new option and trying a bit
to avoid global variable accesses down in DoAdvance(), though that
just moved to InitPostScript().
Fixes #2514.
2022-11-27 15:02:14 +01:00
Jan Grashoefer
8cdc3e4374
Add btest for expiration of all pending timers.
2022-11-27 15:02:09 +01:00
zeek-bot
0e97c29eb8
Update doc submodule [nomail] [skip ci]
2022-11-24 00:38:34 +00:00
Vern Paxson
c4973706e0
keep merge_types() externally available; address reviewing suggestion
2022-11-23 11:32:27 -08:00
Arne Welzel
8698a00f03
smb: Drop references to uid_map in state.
...
This isn't ever written to and probably was meant to be removed during
the following commit: 5b5589e167
2022-11-23 18:19:53 +01:00
Arne Welzel
b04f378f0f
smb: Drop AUTH_LOG
...
This is never used and probably should've been removed
with 143eee5d8d
2022-11-23 18:18:20 +01:00
Arne Welzel
4718010388
zeekygen/normalize_script_path: Special case plugin dirnames without _
...
In normal installations, a plugin's basename has an underscore in it
to separate the namespace from the plugin name. E.g. Zeek_Spicy. When
there is no underscore, this is most likely due to ./build being
picked up when using ZEEK_PLUGIN_PATH. The basename ends up "build"
and is susceptible to collisions.
Prepend one parent directory as a heuristic to make this scenario less
likely, assuming ./build is usually below a repository checkout that
uniquely identifies the plugin.
Fixes #2577
2022-11-23 11:29:10 +01:00
Christian Kreibich
0a760c50b7
Merge remote-tracking branch 'origin/topic/vern/add-to-remove-from-coercions'
...
* origin/topic/vern/add-to-remove-from-coercions:
Type coercion fix: transform +=/-= operators with arithmetic targets to explicit assignments
2022-11-22 21:16:03 -08:00
Christian Kreibich
7c5f3c94b7
Merge remote-tracking branch 'origin/topic/awelzel/zeekygen-declaring-script'
...
* origin/topic/awelzel/zeekygen-declaring-script:
zeekygen.bif: Drop using namespace zeekygen
zeekygen: Add BIFs to access declaring scripts
2022-11-22 15:49:38 -08:00
Vern Paxson
baf2a91a85
Type coercion fix: transform +=/-= operators with arithmetic targets to explicit assignments
2022-11-22 13:01:10 -08:00
Tim Wojtulewicz
ee11a4d5d2
Update broker submodule [nomail]
2022-11-22 13:22:45 -07:00
Tim Wojtulewicz
743d42f211
Merge remote-tracking branch 'security/topic/timw/120-ipv6-options-negative-length'
...
* security/topic/timw/120-ipv6-options-negative-length:
Add additional length checking to IPv6::ToVal
2022-11-22 12:28:01 -07:00
Tim Wojtulewicz
9e8833e2d5
Merge remote-tracking branch 'security/topic/awelzel/121-ftp-timeout-again'
...
* security/topic/awelzel/121-ftp-timeout-again:
ftp: Introduce FTP::max_command_length
2022-11-22 12:27:37 -07:00
Tim Wojtulewicz
eb3fb68fcc
Merge remote-tracking branch 'security/topic/awelzel/119-http-timeout-tspacerr'
...
* security/topic/awelzel/119-http-timeout-tspacerr:
http: Heuristic around rejecting malformed HTTP/0.9 traffic
2022-11-22 12:27:10 -07:00
Arne Welzel
4aecbbda49
zeekygen.bif: Drop using namespace zeekygen
...
I might be missing something, but not sure why these are there.
2022-11-22 13:23:15 +01:00
Arne Welzel
ef166649bf
zeekygen: Add BIFs to access declaring scripts
...
Two new BIFs get_identifier_declaring_script() and get_record_field_declaring_script()
mirroring existing functions for comments. This allows querying the declaring
script information from Zeek scripts and further determining if redef operations
were involved for record fields or enum names by comparing the declaring script
with the one of the involved type. See the tests.
Yet another one of @stevesmoot's requests.
2022-11-22 13:23:01 +01:00
zeek-bot
e7c6d17156
Update doc submodule [nomail] [skip ci]
2022-11-22 00:33:27 +00:00
Vern Paxson
47152e38c4
change vector constructors to require direct type equivalence for non-arithmetics
2022-11-21 15:32:46 -08:00
Tim Wojtulewicz
c1e5389929
Merge remote-tracking branch 'dop/topic/dopheide/vfmt-buf_len'
...
* dop/topic/dopheide/vfmt-buf_len:
Fix logic error in vfmt() when growing the buffer
2022-11-21 09:10:37 -07:00
Tim Wojtulewicz
26030f4a57
Merge remote-tracking branch 'nadav/topic/nadavk/ntlm'
...
* nadav/topic/nadavk/ntlm:
Added NTLM challenge and response
2022-11-21 09:09:18 -07:00
Arne Welzel
3f5cb75a2a
ftp: Introduce FTP::max_command_length
...
oss-fuzz produced FTP traffic with a ~550KB long FTP command. Cap FTP command
length at 100 bytes, log a weird if a command is larger than that and move
on to the next. Likely it's not actual FTP traffic, but raising an
analyzer violation would allow clients an easy way to disable the analyzer
by sending an overly long command.
The added test PCAP was generated using a fake Python socket server/client.
2022-11-21 09:36:29 +01:00
Vern Paxson
134f8f2ef5
script optimization fixes:
...
new initialization model for standalone C++ scripts
type coercion fix
ZAM fix for compiling using C++ optimizer
disambiguate empty constructors
2022-11-20 12:16:25 -08:00
zeek-bot
dbb2aa88a6
Update doc submodule [nomail] [skip ci]
2022-11-19 00:36:18 +00:00
Michael Dopheide
e47b055769
Fix logic error in vfmt() when growing the buffer
2022-11-18 17:46:03 +00:00
Arne Welzel
540fe7aff7
http: Heuristic around rejecting malformed HTTP/0.9 traffic
...
oss-fuzz generated "HTTP traffic" containing 250k+ sequences of "T<space>\r\r"
which Zeek then logged as individual HTTP requests. Add a heuristic to bail
on such request lines. It's a bit specific to the test case, but should work.
There are more issues around handling HTTP/0.9, e.g. triggering
"not a http reply line" when HTTP/0.9 never had such a thing, but
I don't think that's worth fixing up.
Fixes #119
2022-11-18 18:19:58 +01:00
Tim Wojtulewicz
ade2bb385b
Merge remote-tracking branch 'origin/topic/awelzel/topic/amazon-ecr-zeek-not-zeekurity'
...
* origin/topic/awelzel/topic/amazon-ecr-zeek-not-zeekurity:
docker/ecr: Push into zeek/zeek, not zeekurity/zeek
2022-11-18 09:41:51 -07:00
Tim Wojtulewicz
1ed15fb807
Merge remote-tracking branch 'origin/topic/neverlord/web-socket-events-warning'
...
* origin/topic/neverlord/web-socket-events-warning:
Fix warning in broker.web-socket-events btest
2022-11-18 09:41:18 -07:00
Tim Wojtulewicz
c92b14fa40
Merge remote-tracking branch 'origin/topic/timw/fix-strcasestr-unit-test'
...
* origin/topic/timw/fix-strcasestr-unit-test:
Fix the strcasestr unit test
2022-11-18 09:41:00 -07:00
Tim Wojtulewicz
976caf61ba
Merge remote-tracking branch 'jsoref/spelling-repetition'
...
* jsoref/spelling-repetition:
spelling: repetitions
2022-11-18 09:40:43 -07:00
Josh Soref
186fe346ad
spelling: repetitions
...
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-11-18 10:26:33 -05:00
Robin Sommer
d2585e21be
Merge remote-tracking branch 'origin/topic/robin/gh-2426-flipping'
...
* origin/topic/robin/gh-2426-flipping:
Fixing productive connections with missing SYN still considered partial after flipping direction.
Add some missing bits when flipping endpoints.
2022-11-18 11:50:28 +01:00
Arne Welzel
9bb8ea3b5f
docker/ecr: Push into zeek/zeek, not zeekurity/zeek
2022-11-18 09:33:13 +01:00
Christian Kreibich
9c2b36027b
Merge branch 'topic/bbannier/publish-on-ecr'
...
* topic/bbannier/publish-on-ecr:
Publish container images to ECR in addition to docker.io.
2022-11-17 16:29:01 -08:00
Tim Wojtulewicz
d5a1eb162e
Add additional length checking to IPv6::ToVal
2022-11-17 12:05:26 -07:00
Tim Wojtulewicz
a0659994f0
Merge remote-tracking branch 'origin/topic/bbannier/issue-2586'
...
* origin/topic/bbannier/issue-2586:
Make dependency of `zeek` on spicy-plugin's driver object file explicit.
2022-11-17 11:34:55 -07:00
Tim Wojtulewicz
224d2b0284
Merge remote-tracking branch 'jsoref/spelling-root'
...
* jsoref/spelling-root:
Spelling NEWS & CMakeLists.txt
2022-11-17 11:31:38 -07:00
Tim Wojtulewicz
03d311c915
Merge remote-tracking branch 'jsoref/spelling-testing'
...
* jsoref/spelling-testing:
Spelling testing
2022-11-17 11:30:35 -07:00
Tim Wojtulewicz
ca8f82a574
Fix the strcasestr unit test
2022-11-17 11:21:40 -07:00
nadavkluger
dd849bc339
Added NTLM challenge and response
2022-11-17 18:38:49 +02:00
Dominik Charousset
1b1af51bdc
Fix warning in broker.web-socket-events btest
2022-11-17 12:13:30 +01:00
Josh Soref
4b7eb50892
Spelling NEWS & CMakeLists.txt
...
* analyzer
* calling
* can
* compatibility
* configurable
* conjunction
* connection
* corresponding
* currently
* evaluated
* framework
* frequently
* functionality
* handshake
* information
* more
* necessary
* occurred
* ocsp
* potentially
* preexisting
* serialized
* superseded
* synchronized
* timer
* unnecessary
* workarounds
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-11-16 20:21:38 -05:00
Josh Soref
74af1ebe16
Spelling testing
...
* alphabet
* another
* associated
* avoiding
* base
* because
* constructors
* defining
* deterministic
* directly
* endlessly
* entity
* function
* indefinitely
* initial
* interpreter
* into
* modifying
* negotiate
* nonexistent
* observations
* occasional
* omission
* orphaned
* overridden
* passing
* primitive
* produces
* reassembly
* repository
* restore
* shouldn't
* something
* statement
* the
* therefore
* transferred
* uninitialized
* unsuccessful
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-11-16 20:05:03 -05:00
zeek-bot
53394bca0c
Update doc submodule [nomail] [skip ci]
2022-11-17 00:41:43 +00:00
Tim Wojtulewicz
d236c15b68
Merge remote-tracking branch 'jsoref/spelling-ci'
...
* jsoref/spelling-ci:
spelling: organization
spelling: invalidate
2022-11-16 14:55:16 -07:00
Tim Wojtulewicz
116204d0a9
Merge remote-tracking branch 'jsoref/spelling-github'
...
* jsoref/spelling-github:
spelling: github
2022-11-16 14:53:48 -07:00
Tim Wojtulewicz
6055a85b3c
Merge remote-tracking branch 'origin/topic/awelzel/smb1-avoid-dialect-index-error'
...
* origin/topic/awelzel/smb1-avoid-dialect-index-error:
smb1: Ensure existence of dialect_index in offered dialects
2022-11-16 14:51:56 -07:00
Tim Wojtulewicz
5b57d5efd5
Merge remote-tracking branch 'origin/topic/awelzel/ssh-analyzer-id-existence'
...
* origin/topic/awelzel/ssh-analyzer-id-existence:
ssh: Test for c$ssh$analyzer_id existence
2022-11-16 14:51:22 -07:00