Commit graph

16055 commits

Author SHA1 Message Date
Arne Welzel
e9fa853048 smb1: Ensure existence of dialect_index in offered dialects
When a negotiate request offers no dialects, but the response contains
an ntlm record which selects a dialect, a script error is triggered.

    $ zeek -C -r ./f2b0e.pcap 'DPD::ignore_violations+={ Analyzer::ANALYZER_SMB }'
    1668615340.837882 expression error in /home/awelzel/corelight-oss/zeek/scripts/base/protocols/smb/./smb1-main.zeek, line 96: no such index (SMB1::c$smb_state$current_cmd$smb1_offered_dialects[SMB1::response$ntlm$dialect_index])

Script error triggered by fuzzing when testing Tim's all-the-fuzzing branch.
2022-11-16 17:49:55 +01:00
Arne Welzel
187096d4a4 ssh: Test for c$ssh$analyzer_id existence
While unusual, analyzer_confirmation() may never be called for the
SSH analyzer, but still ssh_auth_attempted is invoked later indicating
successful authentication. I haven't checked how that is actually possible,
but it seems prudent to check for the existence of c$ssh$analyzer_id before
referencing it (also in light of runtime enable/disabling of events).

This was found testing Tim's all-the-fuzzing branch on a large system;
merging this should avoid oss-fuzz telling us about it.

    $ zeek -C -r ./e83db.pcap 'DPD::ignore_violations+={ Analyzer::ANALYZER_SSH }'
    1668610572.429058 expression error in scripts/base/protocols/ssh/./main.zeek, line 260: field value missing (SSH::c$ssh$analyzer_id)
2022-11-16 16:35:57 +01:00
Robin Sommer
6fbebc5e94
Fixing productive connections with missing SYN still considered partial after flipping direction.
In https://github.com/zeek/zeek/pull/2191, we added endpoint flipping
for cases where a connection starts with a SYN/ACK followed by ACK or
data. The goal was to treat the connection as productive and go ahead
and parse it. But the TCP analyzer could continue to consider it
partial after flipping, meaning that app layers would bail out. #2426
shows such a case: HTTP gets correctly activated after flipping
through content inspection, but it won't process anything because
`IsPartial()` returns true. As the is-partial state reflects
whether we saw the first packets in each direction, this patch now
overrides that state for the originally missing SYN after flipping.

We actually had the same problem at a couple of other locations already
as well. One of those only happened to work because of the originally
inconsistent state flipping that was fixed in the previous commit. The
corresponding unit test now broke after that change. This commit
updates that logic as well to override the state.

This fix is a bit of a hack, but the best solution I could think of
without introducing larger changes.

Closes #2426.
2022-11-16 09:56:51 +01:00
Benjamin Bannier
b94c8bc91b Make dependency of zeek on spicy-plugin's driver object file explicit.
For generators like Makefile the implicit dependency would not have been
apparent to `make`, which could have led to build failures (depending on
the way targets were scheduled). This patch makes the dependency
explicit so it can be enforced.

Closes #2586.
2022-11-16 09:23:47 +01:00
zeek-bot
ec3eca0549 Update doc submodule [nomail] [skip ci] 2022-11-16 01:02:52 +00:00
Josh Soref
e7bdf1d7b0 spelling: github
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-11-15 17:57:58 -05:00
Josh Soref
f04e0f3ac4 spelling: organization
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-11-15 17:47:49 -05:00
Josh Soref
9c42b92a2b spelling: invalidate
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-11-15 17:47:36 -05:00
Tim Wojtulewicz
f810f78e3e Merge remote-tracking branch 'origin/topic/awelzel/fix-zeek-see-get-event-handler-call-counts'
* origin/topic/awelzel/fix-zeek-see-get-event-handler-call-counts:
  init-bare: Fix zeek:see after bif renaming
2022-11-15 11:35:08 -07:00
Arne Welzel
c9b2b15eb9 init-bare: Fix zeek:see after bif renaming
The docs build is currently broken due to this :-/
2022-11-15 16:04:37 +01:00
Tim Wojtulewicz
ee8e2decec Merge remote-tracking branch 'origin/topic/timw/broker-sanity-check'
* origin/topic/timw/broker-sanity-check:
  Update broker submodule [nomail]
2022-11-14 13:19:43 -07:00
Tim Wojtulewicz
f7322cba03 Update broker submodule [nomail] 2022-11-14 12:22:36 -07:00
Tim Wojtulewicz
e2d46ea6b7 Merge remote-tracking branch 'origin/topic/timw/windows-follow-ups'
* origin/topic/timw/windows-follow-ups:
  Re-enable strcasestr on Windows, fix linking error
  Minor renaming changes to event handler stats bif, plus a test
  Remove unneeded forward-declaration of select()
  Rework setting adding ports to map slightly
2022-11-14 09:42:03 -07:00
Tim Wojtulewicz
51cdbbd59d Re-enable strcasestr on Windows, fix linking error 2022-11-14 09:13:31 -07:00
Tim Wojtulewicz
bfd5b06943 Minor renaming changes to event handler stats bif, plus a test 2022-11-14 09:13:31 -07:00
Tim Wojtulewicz
accac2d3bb Remove unneeded forward-declaration of select() 2022-11-14 09:13:31 -07:00
Tim Wojtulewicz
bd52ab1a55 Rework setting adding ports to map slightly 2022-11-14 09:13:31 -07:00
zeek-bot
11be8888d7 Update doc submodule [nomail] [skip ci] 2022-11-12 00:41:52 +00:00
Tim Wojtulewicz
a8fc63e182 Merge remote-tracking branch 'microsoft/master'
* microsoft/master: (71 commits)
  Clang formatting
  Mask ports before inserting them into the map
  Fix compiler warning from applied patch
  Remove statistics plugin in favor of stats bif
  Add EventHandler version of stats plugin
  Mark a few EventHandler methods const
  Changed implementation from std::map to std::unordered_map of Val.cc
  Removed const, Windows build is now working
  Added fixes suggested in PR
  Update src/packet_analysis/protocol/ip/IP.cc
  Apply suggestions from code review
  Clang format again but now with v13.0.1
  Rewrote usages of define(_MSC_VER) to ifdef _MSC_VER
  Clang format it all
  Fixed initial CR comments
  Add NEWS entry about Windows port
  Add a couple of extra unistd.h includes to fix a build failure
  Use std::chrono instead of gettimeofday
  Update libkqueue submodule [nomail]
  Don't call tokenize_string if the input string is empty
  ...
2022-11-11 15:23:21 -07:00
Tim Wojtulewicz
2739275b88 Merge remote-tracking branch 'jsoref/spelling-src'
* jsoref/spelling-src:
  Spelling src
2022-11-11 12:49:15 -07:00
Tomer Lev
642d44009a Clang formatting 2022-11-11 18:54:05 +02:00
voidbar
425a9585b4
Merge pull request #1 from timwoj/master
Add a non-plugin version of statistics plugin
2022-11-11 18:48:14 +02:00
Tim Wojtulewicz
5996520cc7 Mask ports before inserting them into the map 2022-11-11 08:22:08 -07:00
Tim Wojtulewicz
a26e98f170 Fix compiler warning from applied patch 2022-11-10 13:37:31 -07:00
Tim Wojtulewicz
5d5f5de1d1 Remove statistics plugin in favor of stats bif 2022-11-10 13:37:31 -07:00
Tim Wojtulewicz
3a963f080e Add EventHandler version of stats plugin 2022-11-10 12:19:12 -07:00
Tim Wojtulewicz
194960eafa Mark a few EventHandler methods const 2022-11-10 11:17:53 -07:00
Tomer Lev
9a3855cc38 Changed implementation from std::map to std::unordered_map of Val.cc 2022-11-10 19:09:57 +02:00
Tomer Lev
d7474e2aa2 Removed const, Windows build is now working 2022-11-10 19:04:37 +02:00
Tomer Lev
e2be5ddc0c Added fixes suggested in PR 2022-11-10 19:01:29 +02:00
voidbar
9a74be1558
Update src/packet_analysis/protocol/ip/IP.cc
Co-authored-by: Tim Wojtulewicz <timwoj@gmail.com>
2022-11-10 18:43:47 +02:00
Tim Wojtulewicz
951250b753 Merge remote-tracking branch 'origin/topic/vern/script-opt-Nov22-maint'
* origin/topic/vern/script-opt-Nov22-maint:
  Script optimization maintenance and updates:
    maintenance fixes for variadic run-time checks, '_' placeholder identifier
    "-O allow-cond" permits compiling scripts to C++ when influenced by @if conditionals
    more robust standalone compile-to-C++ properties
    fix for nested "when" statements
    test suite updates
2022-11-09 18:24:03 -07:00
Tim Wojtulewicz
cdae33fad8 Merge remote-tracking branch 'jsoref/spelling-pac'
* jsoref/spelling-pac:
  spelling: variation
  spelling: value
  spelling: session
  spelling: repetitions
  spelling: params
  spelling: further
  spelling: confirm
  spelling: channel
  spelling: announcement
2022-11-09 18:18:22 -07:00
Tim Wojtulewicz
a85f1044eb Merge remote-tracking branch 'jsoref/spelling-expr'
* jsoref/spelling-expr:
  spelling: successful
  spelling: deterministic
  spelling: canonicalize
  spelling: algorithm
2022-11-09 18:17:28 -07:00
Tim Wojtulewicz
c3b3056e68 Merge remote-tracking branch 'origin/topic/neverlord/gh-2524'
* origin/topic/neverlord/gh-2524:
  Configure script: drop --with-caf, add -D option
2022-11-09 11:03:54 -07:00
Josh Soref
cd201aa24e Spelling src
These are non-functional changes.

* accounting
* activation
* actual
* added
* addresult
* aggregable
* aligned
* alternatively
* ambiguous
* analysis
* analyzer
* anticlimactic
* apparently
* application
* appropriate
* arithmetic
* assignment
* assigns
* associated
* authentication
* authoritative
* barrier
* boundary
* broccoli
* buffering
* caching
* called
* canonicalized
* capturing
* certificates
* ciphersuite
* columns
* communication
* comparison
* comparisons
* compilation
* component
* concatenating
* concatenation
* connection
* convenience
* correctly
* corresponding
* could
* counting
* data
* declared
* decryption
* defining
* dependent
* deprecated
* detached
* dictionary
* directional
* directly
* directory
* discarding
* disconnecting
* distinguishes
* documentation
* elsewhere
* emitted
* empty
* endianness
* endpoint
* enumerator
* essentially
* evaluated
* everything
* exactly
* execute
* explicit
* expressions
* facilitates
* fiddling
* filesystem
* flag
* flagged
* for
* fragments
* guarantee
* guaranteed
* happen
* happening
* hemisphere
* identifier
* identifies
* identify
* implementation
* implemented
* implementing
* including
* inconsistency
* indeterminate
* indices
* individual
* information
* initial
* initialization
* initialize
* initialized
* initializes
* instantiate
* instantiated
* instantiates
* interface
* internal
* interpreted
* interpreter
* into
* it
* iterators
* length
* likely
* log
* longer
* mainly
* mark
* maximum
* message
* minimum
* module
* must
* name
* namespace
* necessary
* nonexistent
* not
* notifications
* notifier
* number
* objects
* occurred
* operations
* original
* otherwise
* output
* overridden
* override
* overriding
* overwriting
* ownership
* parameters
* particular
* payload
* persistent
* potential
* precision
* preexisting
* preservation
* preserved
* primarily
* probably
* procedure
* proceed
* process
* processed
* processes
* processing
* propagate
* propagated
* prototype
* provides
* publishing
* purposes
* queue
* reached
* reason
* reassem
* reassemble
* reassembler
* recommend
* record
* reduction
* reference
* regularly
* representation
* request
* reserved
* retrieve
* returning
* separate
* should
* shouldn't
* significant
* signing
* simplified
* simultaneously
* single
* somebody
* sources
* specific
* specification
* specified
* specifies
* specify
* statement
* subdirectories
* succeeded
* successful
* successfully
* supplied
* synchronization
* tag
* temporarily
* terminating
* that
* the
* transmitted
* true
* truncated
* try
* understand
* unescaped
* unforwarding
* unknown
* unknowndata
* unspecified
* update
* usually
* which
* wildcard

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-11-09 12:08:15 -05:00
voidbar
2e3425000f Apply suggestions from code review
Co-authored-by: Tim Wojtulewicz <timwoj@gmail.com>
2022-11-09 18:56:00 +02:00
Tomer Lev
73e749a162 Clang format again but now with v13.0.1 2022-11-09 18:56:00 +02:00
Tomer Lev
a105ea9d80 Rewrote usages of define(_MSC_VER) to ifdef _MSC_VER 2022-11-09 18:56:00 +02:00
Tomer Lev
5cdc6e150e Clang format it all 2022-11-09 18:55:51 +02:00
Tomer Lev
12494aac45 Fixed initial CR comments 2022-11-09 18:54:42 +02:00
Tim Wojtulewicz
7d55057d88 Add NEWS entry about Windows port 2022-11-09 18:54:26 +02:00
Tim Wojtulewicz
af947ae000 Add a couple of extra unistd.h includes to fix a build failure 2022-11-09 18:17:11 +02:00
Tim Wojtulewicz
fbcb7bd2ec Use std::chrono instead of gettimeofday 2022-11-09 18:17:11 +02:00
Tim Wojtulewicz
ef096eedf3 Update libkqueue submodule [nomail] 2022-11-09 18:17:11 +02:00
Tim Wojtulewicz
359b5547cd Don't call tokenize_string if the input string is empty 2022-11-09 18:17:10 +02:00
Tim Wojtulewicz
2e457eb3ea Fix a few compiler warnings from MSVC 2022-11-09 18:17:07 +02:00
Tim Wojtulewicz
6bf469b7a8 Remove extra <filesystem> include from util.cc 2022-11-09 18:16:13 +02:00
Tim Wojtulewicz
baee0d8026 Replace uses of std::filesystem with zeek::filesystem 2022-11-09 18:16:13 +02:00
Tim Wojtulewicz
42575a63db Add src/include to hilti include paths 2022-11-09 18:16:13 +02:00