Seth Hall
4de670a10e
Fixing some doc warnings.
2012-01-10 01:30:55 -05:00
Seth Hall
9b6373584c
Forgot to add protocol identifier support for TLS 1.2
2012-01-10 01:09:35 -05:00
Seth Hall
911d7d8436
Finished SSL & syslog autodocs.
2012-01-10 00:56:12 -05:00
Seth Hall
a8f9af3531
Merge branch 'topic/script-reference' of ssh://git.bro-ids.org/bro into topic/script-reference
2012-01-10 00:25:54 -05:00
Seth Hall
8ab372ccff
Adding the draft SSL extension type next_protocol_negotiation.
2012-01-09 22:53:53 -05:00
Daniel Thayer
acf5537acf
Add ssl and syslog script documentation
2012-01-09 15:26:34 -06:00
Jon Siwek
62d012e04a
Add Conn and DNS protocol script documentation. ( fixes #731 )
2012-01-09 14:23:24 -06:00
Seth Hall
3be1222532
Documentation updates for HTTP & IRC scripts.
...
Closes #733
2012-01-08 02:22:52 -05:00
Seth Hall
48ed922e06
SSH&FTP Documentation updates.
...
Closes #732
2012-01-08 01:16:40 -05:00
Jon Siwek
a4117016e9
Merge branch 'master' into topic/script-reference
...
Conflicts:
aux/broccoli
aux/broctl
scripts/base/frameworks/notice/main.bro
src/event.bif
2011-12-19 16:17:58 -06:00
Robin Sommer
0a3e160a8d
Merge remote branch 'origin/topic/seth/dns-updates'
...
* origin/topic/seth/dns-updates:
Fixed some bugs with capturing data in the base DNS script.
Some updates to the base DNS script.
Closes #702 .
2011-12-18 15:20:00 -08:00
Robin Sommer
f3c2811e14
Merge remote branch 'origin/topic/seth/ssl-updates-for-2.0'
...
* origin/topic/seth/ssl-updates-for-2.0:
Added is_orig fields to the SSL events and adapted script.
Closes #692 .
2011-12-18 15:15:57 -08:00
Jon Siwek
cc1459ef35
Fix some malformed Broxygen xref roles.
2011-12-16 14:30:36 -06:00
Matthias Vallentin
3814313b0b
Merge branch 'master' into topic/bif_cleanup
2011-12-11 18:47:19 -08:00
Seth Hall
ec721dffec
Added is_orig fields to the SSL events and adapted script.
...
- Added a field named $last_alert to the SSL log. This doesn't even
indicate the direction the alert was sent, but we need to start somewhere.
- The x509_certificate function has an is_orig field now instead of
is_server and its position in the argument list has moved.
- A bit of reorganization and cleanup in the core analyzer.
2011-12-09 16:56:12 -05:00
Seth Hall
04e2773d30
Fixed some bugs with capturing data in the base DNS script.
2011-12-08 13:06:45 -05:00
Seth Hall
70004cb04d
Small updates to address the "globals" ticket.
...
Fixes #633
2011-11-30 11:35:53 -05:00
Seth Hall
bb47289bfa
Some updates to the base DNS script.
...
- Answers and TTLs are now vectors.
- The warning that was being generated (dns_reply_seen_after_done)
from transaction ID reuse is fixed.
- Updated the single failing btest baseline.
2011-11-30 10:19:41 -05:00
Matthias Vallentin
0325b5ea32
to_port() now parses a string instead of a count.
...
Addresses #684 .
2011-11-20 21:41:41 -08:00
Robin Sommer
fa76330afb
Merge remote-tracking branch 'origin/fastpath'
...
* origin/fastpath:
Binary packaging script tweaks.
More default "weird" tuning for the "SYN_with_data" notice.
Tiny bugfix for http file extraction along with test.
2011-11-15 07:53:36 -08:00
Seth Hall
d14349a6f8
Merge remote-tracking branch 'origin/master' into fastpath
2011-11-14 16:06:44 -05:00
Seth Hall
b12d2c768e
Tiny bugfix for http file extraction along with test.
2011-11-14 15:24:15 -05:00
Seth Hall
ae3ae9a75b
Awful fix for SSH login detection.
...
- We need a counted measure of payload bytes (not ack tracking and
not with the IP header which is what we have now).
2011-10-27 09:41:34 -04:00
Jon Siwek
55978d1c18
Changed generated root cert DN format for RFC2253 compliance.
2011-10-25 11:09:31 -05:00
Seth Hall
4753f2aeca
Adding extra fields to smtp and http to track transaction depth.
...
- This will help for linking in analysis scripts and databases later.
- Test baseline updates coming in a few minutes.
2011-10-25 11:34:48 -04:00
Seth Hall
2131468b08
Merging this branch. It's working better than the existing code.
2011-10-25 11:17:19 -04:00
Seth Hall
dcc8d8456a
Removed some fields from http analysis that weren't commonly needed or were wrong.
2011-10-25 09:32:31 -04:00
Jon Siwek
522e0e4d46
Update Mozilla trust roots to index certs by subject distinguished name.
2011-10-25 07:52:24 -05:00
Seth Hall
e6a8489780
Testing a fix for SSH login detection heuristic.
2011-10-25 00:01:04 -04:00
Seth Hall
8b56c54348
Slightly restructured http file hashing to fix a bug.
2011-10-21 14:03:31 -04:00
Seth Hall
8661abe9d9
Small script refinements and documentation updates.
2011-10-21 13:58:58 -04:00
Seth Hall
6d67f7830d
Added to the likely_server_ports set for protocols with analyzers.
...
- Updated some tests since Bro is getting the direction
correct now.
- Updated BPF filter test since I added a few ports to IRC
as well.
2011-10-07 13:44:28 -04:00
Seth Hall
686946d0dd
Internal simplification for FTP analysis scripts.
2011-10-07 13:36:02 -04:00
Seth Hall
8600b676e6
Fixed a TODO in the DNS analysis script.
2011-10-07 13:32:44 -04:00
Jon Siwek
c9a540b992
Add check for optional HTTP::Info status_code.
2011-10-04 14:27:51 -05:00
Seth Hall
be30dde827
Bug fix for FTP analysis script.
2011-10-03 00:06:05 -04:00
Robin Sommer
221d1663be
Merge branch 'master' of ssh://git.bro-ids.org/bro
...
Conflicts:
scripts/base/protocols/http/main.bro
2011-09-29 18:54:50 -07:00
Seth Hall
012d8cfc5f
Fix for shutdown bug in http scripts.
...
- The bug was introduced with the recent 1xx update.
- I updated some tests that seemed to be written wrong.
2011-09-29 21:25:00 -04:00
Robin Sommer
f7521ad222
Fixing occasional HTTP crash with new 1xx code.
...
Sometimes the status_code field isn't set. Adding check for that, hope
that's all that's needed.
2011-09-29 16:18:25 -07:00
Robin Sommer
4d6a90ce89
Merge remote-tracking branch 'origin/topic/jsiwek/http-1xx-replies'
...
* origin/topic/jsiwek/http-1xx-replies:
Change logging of HTTP 1xx responses to occur in their own columns.
Fix handling of HTTP 1xx response codes (addresses #411 ).
2011-09-28 17:10:40 -07:00
Seth Hall
c621da523b
Since these now measure "seen" data, set the default to 0.
...
- A null value no longer fits since if there is no body
a value of zero makes sense. Previously, a null value would
make sense because the Content-Length header may not have
been sent which would leave the field null.
2011-09-28 11:18:24 -04:00
Jon Siwek
7af3977a50
Change logging of HTTP 1xx responses to occur in their own columns.
...
Instead of as entirely new log lines (addresses #411 ).
2011-09-27 14:15:23 -05:00
Seth Hall
19f1e34408
Deleting scripts that aren't ready to be included.
...
- scan.bro and hot.conn.bro will be returning soon.
- The rest are going to return as updated protocol analysis
scripts and new/updated frameworks later.
2011-09-27 14:40:11 -04:00
Jon Siwek
64e821624b
Fix handling of HTTP 1xx response codes (addresses #411 ).
...
Changed the parser to not treat 1xx response codes as a final answer
to an unanswered request -- a later response is still expected.
The scripting layer will also not finish a request-reply pair when
seeing 1xx's, instead it logs both the 1xx and final response messages
with associated information of the current request as they're seen.
2011-09-26 17:37:29 -05:00
Seth Hall
8710d3749f
New SSL policy scripts.
...
- protocols/ssl/expiring-certs uses time based information from
certificates to determine if they will expire soon, have already
expired, or haven't yet become valid.
- protocols/ssl/extract-certs-pem is a script for taking certs off
the line and converting them to PEM certificates with the openssl
command line tool then dumping them to a file.
2011-09-25 02:42:36 -04:00
Seth Hall
3449321dc1
Fix a problem with accidental and mistaken HTTP log lines.
2011-09-25 00:56:53 -04:00
Seth Hall
f53d5fe0b9
Added session ID to the SSL logging.
2011-09-20 13:59:22 -04:00
Seth Hall
16eafb771f
Merge branch 'master' of ssh://git.bro-ids.org/bro
2011-09-20 13:56:02 -04:00
Seth Hall
b20edb8542
Updated the mozilla root certs.
2011-09-20 13:55:36 -04:00
Seth Hall
123a3bd4e3
Small rework with ssl base script to reduce memory usage.
...
- We are now removing the SSL analyzer after logging the session
information. This seems to help a lot with overly high memory
consumption.
2011-09-16 23:47:04 -04:00