Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 19:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
3703 commits 389 branches 195 tags 271 MiB
Commit graph

3703 commits

This branch
This branch
All branches
Author SHA1 Message Date
Robin Sommer
d8801bb9c4 Canonifying internal order for plugins and their components to make it 
deterministic.
 2013-07-17 21:57:13 -07:00
Robin Sommer
57b05a2989 Small raw reader tweaks that I forgot to commit earlier. 2013-07-17 17:30:35 -07:00
Robin Sommer
18201afcf8 Merge remote-tracking branch 'origin/fastpath' 
* origin/fastpath:
  Small raw reader fixes * crash when accessing nonexistant file. * memory leak when reading from file.
 2013-07-15 18:19:08 -07:00
Bernhard Amann
7427ce511b Small raw reader fixes 
* crash when accessing nonexistant file.
* memory leak when reading from file.

Addresses #1038.
 2013-07-15 13:50:40 -07:00
Robin Sommer
58290d6fc0 Updating NEWS. 2013-07-14 08:42:35 -07:00
Robin Sommer
50357ec47a Merge remote-tracking branch 'origin/topic/bernhard/sqlite-update' 
* origin/topic/bernhard/sqlite-update:
  yep, freebsd still needs this fix
  bump sqlite to 3.7.17.

Closes #1037.
 2013-07-14 08:04:19 -07:00
Bernhard Amann
e01678d132 yep, freebsd still needs this fix 2013-07-12 21:09:13 +02:00
Robin Sommer
06287966a1 Bringing the DPD POP3 signature back. 
This also avoids the need for updating the external test suite.
 2013-07-10 14:19:00 -07:00
Robin Sommer
cb09bd6358 Merge remote-tracking branch 'origin/topic/seth/bittorrent-fix-and-dpd-sig-breakout' 
Closes #1035.

* origin/topic/seth/bittorrent-fix-and-dpd-sig-breakout:
  Small test fixes.
  Added a missing curly brace in smtp/dpd.sig
  Fix a bug where the same analyzer tag was reused for two different analyzers.
  Moved DPD signatures into script specific directories.
 2013-07-10 11:37:57 -07:00
Robin Sommer
7d8a135ca4 Merge remote-tracking branch 'origin/fastpath' 
* origin/fastpath:
  const adjustment
 2013-07-10 10:55:45 -07:00
Jon Siwek
0394493fac const adjustment 
And fixes compiler warning about overloaded virtual function hiding.
 2013-07-10 11:55:40 -05:00
Seth Hall
8322bbfd62 Small test fixes. 2013-07-09 23:28:09 -04:00
Seth Hall
60da0f4764 Added a missing curly brace in smtp/dpd.sig 2013-07-09 22:57:36 -04:00
Seth Hall
4dda9cd3ba Fix a bug where the same analyzer tag was reused for two different analyzers. 2013-07-09 22:45:21 -04:00
Seth Hall
39444b5af7 Moved DPD signatures into script specific directories. 
- This caused us to lose signatures for POP3 and Bittorrent.  These will
   need discovered in the repository again when we add scripts
   for those analyzers.
 2013-07-09 22:44:55 -04:00
Robin Sommer
841604bebe Updating submodule(s). 
[nomail]
 2013-07-08 20:46:52 -07:00
Robin Sommer
7fe7684d4a Updating submodule(s). 
[nomail]
 2013-07-08 13:28:07 -07:00
Robin Sommer
2ea1f483db Bringing back test for enable_auto_protocol_capture_filters (formerly 
all_packets).
 2013-07-08 13:06:03 -07:00
Robin Sommer
b62927e9de Merge remote-tracking branch 'origin/topic/seth/packet-filter-updates' 
Closes #1030.

* origin/topic/seth/packet-filter-updates:
  Missed a test fix.
  Updating test baselines.
  Updates for the PacketFilter framework to simplify it.
  Last test update for PacketFilter framework.
  Several final fixes for PacketFilter framework.
  Packet filter framework checkpoint.
  Checkpoint on the packet filter framework.
  Initial rework of packet filter framework.
 2013-07-07 21:09:28 -07:00
Seth Hall
1e5906af08 Missed a test fix. 2013-07-05 01:52:37 -04:00
Seth Hall
af87126521 Updating test baselines. 2013-07-05 01:27:59 -04:00
Seth Hall
4149724f59 Updates for the PacketFilter framework to simplify it. 2013-07-05 01:12:22 -04:00
Seth Hall
5f8ee93ef0 Merge remote-tracking branch 'origin/master' into topic/seth/analyzer-framework 
Conflicts:
	scripts/base/init-default.bro
	scripts/base/protocols/dns/main.bro
	scripts/base/protocols/ftp/main.bro
	scripts/base/protocols/http/main.bro
	scripts/base/protocols/irc/main.bro
	scripts/base/protocols/smtp/main.bro
	scripts/base/protocols/ssh/main.bro
	scripts/base/protocols/ssl/main.bro
	scripts/base/protocols/syslog/main.bro
	src/main.cc
	testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
 2013-07-04 23:07:52 -04:00
Seth Hall
fefef47f30 Merge branch 'topic/seth/ssh-login-monitoring-fix' 
* topic/seth/ssh-login-monitoring-fix:
  Add a call to lookup_connection in SSH scripts to update connval.
 2013-07-04 22:47:56 -04:00
Seth Hall
ca6d2bb6bc Add a call to lookup_connection in SSH scripts to update connval. 2013-07-04 22:32:07 -04:00
Robin Sommer
23b58d62d2 Updating submodule(s). 
[nomail]
 2013-07-03 17:24:11 -07:00
Robin Sommer
fa8777cbd2 Merge remote-tracking branch 'origin/topic/seth/ssl-remove-log-queue' 
Closes #1027.

* origin/topic/seth/ssl-remove-log-queue:
  Remove the log queueing mechanism that was included with the SSL log delay mechanism.
 2013-07-03 17:01:20 -07:00
Robin Sommer
96fe05633a Merge remote-tracking branch 'origin/topic/bernhard/input-update' 
Closes #1021.

* origin/topic/bernhard/input-update:
  this event handler fails the unused-event-handlers test because it is a bit of a special case.
  ...and fix the event ordering issue. Dispatch != QueueEvent
  add Terminate to input framework to prevent potential shutdown race-conditions.
  fix warning.
  fix stderr test. ls behaves differently on errors on linux...
  small fixes.
  linux does not have strnstr
  and close only fds that are currently open (the logging framework really did not like that :) )
  A bunch of more changes for the raw reader
  make reading from stdout and stderr simultaneously work.
  allow sending data to stdin of child process
  Streaming reads from external commands work without blocking anything.
  replace popen with fork and exec.
  change raw reader to use basic c io instead of fdstream encapsulation class.
 2013-07-03 16:52:28 -07:00
Robin Sommer
ba4f03bc98 Merge remote-tracking branch 'origin/topic/seth/tls-1.2-fix' 
Closes #1020.

* origin/topic/seth/tls-1.2-fix:
  Single character fix to correct support for TLS 1.2 (my bad).
 2013-07-03 16:34:21 -07:00
Robin Sommer
a329c3e7c3 Merge remote-tracking branch 'origin/topic/jsiwek/plugin-docs' 
Closes #1019.

* origin/topic/jsiwek/plugin-docs:
  Teach broxygen to generate protocol analyzer plugin reference.
  const adjustments
 2013-07-03 16:32:00 -07:00
Robin Sommer
ed45a6ea60 Merge remote-tracking branch 'origin/topic/jsiwek/1013' 
Closes #1013.

* origin/topic/jsiwek/1013:
  Fix redef of table index from clearing table.  Addresses #1013.
 2013-07-03 16:28:33 -07:00
Robin Sommer
d8b05af7e5 Merge remote-tracking branch 'origin/topic/jsiwek/faf-cleanup' 
Closes #1002.

* origin/topic/jsiwek/faf-cleanup:
  Move file analyzers to new plugin infrastructure.
  Add a general file analysis overview/how-to document.
  Improve file analysis doxygen comments.
  Improve tracking of HTTP file extraction (addresses #988).
  Fix HTTP multipart body file analysis.
  Remove logging of analyzers field of FileAnalysis::Info.
  Remove extraction counter in default file extraction scripts.
  Remove FileAnalysis::postpone_timeout.
  Make default get_file_handle handlers &priority=5.
  Add input interface to forward data for file analysis.
  File analysis framework interface simplifications.
 2013-07-03 16:27:16 -07:00
Bernhard Amann
fef3180942 bump sqlite to 3.7.17. 2013-07-02 18:54:46 -07:00
Seth Hall
030564a710 Single character fix to correct support for TLS 1.2 (my bad). 
- Thanks for help from Rafal Lesniak in nailing down the location
   of the bug and supplying test traffic.

 - Test traffic with a TLS 1.2 connection.

 - Addresses ticket #1020
 2013-07-02 14:49:36 -04:00
Seth Hall
7c50efde80 Remove the log queueing mechanism that was included with the SSL log delay mechanism. 
- One obvious downside is that queued logs at termination may not
    get logged because the trigger for the when statement never matches.
 2013-06-28 11:40:02 -04:00
Jon Siwek
ae5a75bad9 Fix redef of table index from clearing table. Addresses #1013. 
`redef foo["x"] = 1` now acts like `redef foo += { ["x"] = 1 }`
instead of `redef foo = { ["x"] = 1 }`.
 2013-06-12 15:18:58 -05:00
Jon Siwek
f84a661fa4 Merge branch 'master' into topic/jsiwek/faf-cleanup 2013-06-10 15:52:55 -05:00
Jon Siwek
7c7b6214a6 Move file analyzers to new plugin infrastructure. 2013-06-10 15:50:18 -05:00
Bernhard Amann
ebb7af1483 this event handler fails the unused-event-handlers test because 
it is a bit of a special case.

It is only called via the SendEvent function from a reader. The reader
does (at least with the current interface) however not provide
the function pointer, but looks up the name of the event dynamically.

Hence, internal_handler is never called for the event.

Even if resolving the event in the reader, e.g. in an initialization
function, this would not solve the issue - the initialization function
is only called when the first Raw reader is initialized - and in the
base configuration the raw reader will never be used (hence, internal_handler
also won't be called).

Calling it once in the manager seems like a really dirty hack. So - now
it is the second exception in the testcase, unless anyone has a better
idea :)
 2013-06-09 16:18:17 -04:00
Bernhard Amann
655187a4f4 ...and fix the event ordering issue. Dispatch != QueueEvent 2013-06-09 08:43:17 -04:00
Bernhard Amann
3517c0ba99 add Terminate to input framework to prevent potential shutdown race-conditions. 2013-06-09 08:27:08 -04:00
Bernhard Amann
a32bb59770 fix warning. 
Update baseline of stderr test to what it should be. There still is
a message ordering issue there (which is the last issue in the new
Raw reader I know of).

One message that sidesteps a bit of the usual processing does
not always arrive at the correct time (meaning it pops up from the
event queue too early). Even though it sidesteps a bit of the usual
processing that should not happen in my opinion (which clearly
does not matter). And I have not yet fully grasped how this can happen.
 2013-06-08 05:57:56 -07:00
Bernhard Amann
b39bffd9aa Merge remote-tracking branch 'origin/master' into topic/bernhard/input-update 2013-06-08 05:43:21 -07:00
Robin Sommer
f811e669ff Fixing typo that could cause an assertion to falsely trigger. 2013-06-07 17:29:39 -07:00
Robin Sommer
5487258b03 Updating submodule(s). 
[nomail]
 2013-06-07 16:37:53 -07:00
Robin Sommer
1302da10cd Fix for CMake 2.6.x. 2013-06-07 16:28:27 -07:00
Jon Siwek
f2574636b6 Merge branch 'master' into topic/jsiwek/faf-cleanup 
Conflicts:
	scripts/base/protocols/ftp/file-analysis.bro
	scripts/base/protocols/http/file-analysis.bro
	scripts/base/protocols/irc/file-analysis.bro
	scripts/base/protocols/smtp/file-analysis.bro
	src/file_analysis/File.cc
	src/file_analysis/File.h
	src/file_analysis/Manager.cc
	src/file_analysis/Manager.h
	testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-0.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-1.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-2.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-3.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log
	testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat
	testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3.dat
	testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item.dat
	testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
	testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat
	testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb.dat
	testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item.dat
	testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-0.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-1.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log
	testing/btest/scripts/base/protocols/ftp/ftp-extract.bro
	testing/btest/scripts/base/protocols/http/http-extract-files.bro
	testing/btest/scripts/base/protocols/irc/dcc-extract.test
	testing/btest/scripts/base/protocols/smtp/mime-extract.test
 2013-06-07 15:44:36 -05:00
Jon Siwek
e56a17102e Teach broxygen to generate protocol analyzer plugin reference. 2013-06-07 13:21:18 -05:00
Jon Siwek
eee16e1177 const adjustments 2013-06-07 13:19:36 -05:00
Robin Sommer
b426040ccf Merge remote-tracking branch 'origin/topic/matthias/h3-dtor-fix' 
* origin/topic/matthias/h3-dtor-fix:
  Remove invalid free on non-allocated pointer.

Closes #1018.
 2013-06-07 08:38:58 -07:00