When encrypted data was bundled within the same segment as the NewKeys
message, it wasn't not reported via a ssh_encrypted_package event as
it should have been.
* 'known_services_multiprotocols' of https://github.com/mauropalumbo75/zeek:
improve logging with broker store
drop services starting with -
remove service from key for Cluster::publish_hrw
remove check for empty services
update tests
order list of services in store key
remove repeated services in logs if already seen
add multiprotocol known_services when Known::use_service_store = T
remove hyphen in front of some services (for example -HTTP, -SSL) In some cases, there is an hyphen before the protocol name in the field connection$service. This can cause problems in known_services and is removed here. It originates probably in some analyzer where it would be better removed in the future.
add multiprotocol known_services when Known::use_service_store = F
Changes during merge:
* whitespace
* add unit test
* origin/topic/seth/mqtt:
Bug fixes and test baseline updates
Fix an issue with bro_init -> zeek_init
MQTT Analyzer heavily updated and ported from the analyzer originally by Supriya Kumar
Adjustments during merge:
* Minor whitespace cleanups
* Some bro to zeek renaming
* Fixed the parsing of unsubscribe messages to generate an event for each topic
This analyzer generates three logs to fully display what is happening over the MQTT connection.
- mqtt_connect.log
- mqtt_subscribe.log
- mqtt_publish.log
At this time it only supports MQTT 3.1 and 3.1.1
* 'ntp-rewrite' of https://github.com/mauropalumbo75/zeek: (25 commits)
update tests baseline
Apply requested changes: - file dpd.sig and TODO comments for signature protocol detection removed - missing doc field filled in events.bif - rename OpCode and ReqCode fields into op_code and req_code respectively - removed unnecessary child method in NTP.h/.cc - main.zeek and ntp-protocol.pac reformatted
minor changes in the documentation
fix some initializations
fix wrong assignment of control key_id/crypto_checksum
code clean up
add extension fields parsing
add extended mac field with 20 byte digest (+4 byte key id)
update tests and add a new one for key_id and mac
fix auth field (key_id and mac) in standard and control msg
remove old NTP record in init-bare.zeek
fix key_id and digest (WIP)
fix wrong Assign with reference_id
add tests for ntp protocol (finished)
add tests for ntp protocol (WIP)
fix problem with time vals
add ntp records to init-bare.zeek
update ntp analyzer to val_mgr
extend and refact script-side of NTP analyzer
extend and refactor several fields
...
SPF response records are identical to TXT records in structure, and
can be parsed and interpreted the same way. However, they have a
different RR type, so they would generate weird events and not be
parsed by Zeek before this change.
Even though they're the same as TXT records from a protocol stance, I
created a new event type (dns_SPF_reply), and call the records out as
SPF in the logs, instead of as TXT records, since the distinction
could be important for detection purposes.
SPF records have been obsoleted, but continue to be seen in the wild.
This one adds a separate new case that has to be parsed differently - if
a hello-retry-request is sent, only the namedgroup is sent - without the
additional key material.
Support for the legacy extension is retained.
Mostly rewrote the parsing logic to support incremental parsing and
to support parsing of client messages. Though I did not add events
for client messages, that's easy to add later.
Parsing now stops for both client and server if either encounters
any parsing error or invalid state.
After a complete handshake, server messages are no longer parsed.
Support for that is incomplete and not sure it's that useful anyway
since it mostly contains pixel data.
* 'smb3-negotiate-response' of https://github.com/mauropalumbo75/zeek:
added test and pcap files for smb 3.1.1 negotiate-response
smb3.1.1 additions to negotiate-response command
I made several modifications:
- Code format, style, naming changes
- For completeness/correctness, I added parsing support for the remaining
context type structures.
- Moved the optional padding before the NegotiateContextList field to
also require the 0x0311 dialect version (some failures in
pre-existing unit tests pointed this out as an issue)
* 'smb3-transform-header' of https://github.com/mauropalumbo75/zeek:
clean up, test and pcap for transform_header added
added smb2-com-transform-header for smb3.x
* 'master' of https://github.com/rdenniston/zeek:
Add linux netfilter NFLOG capture functionality initial commit
I made modifications:
- Formatting / code style
- More error handling and validity checks
- The Type and Length value of TLVs is technically host order
- Changed / fixed the Length value padding check: it's generally
32-bit alignment, not just aligning any TLV less than 8 bytes.
Essentially, it will now process/parse priority values if they are
there, or else just accept whatever remaining data/text is there as the
syslog message. Reasoning is that there's syslog producers out there
that may have simply forgotten/neglected to send the priority value
and technically won't conform to what the standard says, though we can
infer the intent (some syslog consumers already may do similarly, but
I didn't verify).
* Better parsing/error-checking of VXLAN and encapsulated packet headers
* Add/implement the "vxlan_packet" event
* Add "Tunnel::vxlan_ports" option to tune the set of VXLAN ports to
analyze/decapsulate
* Add "Tunnel::validate_vxlan_checksums" option to allow for tuning of how
checksums associated with the outer UDP header of a possible VXLAN
tunnel are handled
Fixes GH-250
Added check for the optional sub-header in ERSPAN Type III as well
as additional truncation checks to the GRE parsing logic in general.
Also added a unit test for ERSPAN Type II.
* origin/master: (23 commits)
Improve Travis script to show multiple core dump stacks
Improve a weird stats unit test
Updating submodule(s).
Fix Travis script typo
Add more debug output to Travis script
Add core file search and stack trace output for Travis builds
Updating submodule(s).
Update license year for 2018
GH-199: change `bro --help` exit status from 1 to 0
Updating submodule(s).
Add a test with an encrypted MySQL connection
Fix parsing of MySQL NUL Strings, where we now require it to have a NUL value at the end.
Updating submodule(s).
Add missing record field comment
Add missing record field comments
Fix minor documentation mistakes
Updating submodule(s).
Updating submodule(s).
Update btest baselines for fix in 46f727a6fa
Generate ssh_auth_attempted for the 'none' authentication method.
...
* 'fatemabw/bro' of https://github.com/fatemabw/bro:
DNSSEC support in Bro
I made several changes:
- renamed event/record types
- reformatted the info added to dns.log
- removed the "addl" scripts that added extended dnssec info to dns.log
- simplifications/improvements to the internal parsing logic
This adds previously-missing support for "Alter Context"
request/response PDUs (initial patch contributed by Mark Fernandez).
Also, context ID arguments were added to dce_rpc_bind, dce_rpc_request,
and dce_rpc_response in order to properly track what endpoint/operation
a given opnum maps to.
It was possibly never updated for newer Analyzer API changes, as simply
attaching the NCP analyzer to a connection would result in null pointer
derefernces and also support analyzers were not attached.
* origin/topic/jsiwek/binpac-fixes:
Update test baseline for binpac changes
Update test baseline for optimized binpac static-size array parsing
Fixes for MySQL and SMB protocol parsers
BIT-1829: add unit test for modbus parser issue
