Arne Welzel
d70bcd07b9
analyzer/protocol: Reformat with spicy-format
2025-07-29 10:01:32 +02:00
Tim Wojtulewicz
22fc57a90a
Merge remote-tracking branch 'origin/topic/johanna/gh-4656'
...
* origin/topic/johanna/gh-4656:
Fix parsing of EDNS rcode
2025-07-28 14:16:24 -07:00
Tim Wojtulewicz
a33f100880
Add support for ircv3 tags
...
This also replaces the irc-dcc-send.trace file in our pcap library with
a cleaner one that includes ircv3 tags.
2025-07-28 14:06:33 -07:00
Tim Wojtulewicz
47553c79ec
Move ID::type in structure to fill memory padding
2025-07-28 13:41:51 -07:00
Tim Wojtulewicz
035b4a4a8e
Use sorted forward_list instead of multimap for ID option change handlers
2025-07-28 13:41:51 -07:00
Tim Wojtulewicz
d021845079
Remove intermediate cipher vectors in ssl-analyzer.pac
2025-07-28 13:03:25 -07:00
Tim Wojtulewicz
2cfa5e79fa
Reduce the size of Func::Body quite a bit with some extra packing
2025-07-28 13:03:25 -07:00
Tim Wojtulewicz
72c79006ac
Switch to using std::ranges algorithms
2025-07-28 13:03:25 -07:00
Tim Wojtulewicz
b4cbda4e02
Enable modernize-std-numbers clang-tidy checker, fix findings
2025-07-28 13:03:25 -07:00
Tim Wojtulewicz
414728cc71
Switch to using c++20 constraints instead of std::enable_if
2025-07-28 13:03:25 -07:00
Evan Typanski
7f93ff5ecd
Deprecate record_type_to_vector
...
After #4682, record_fields is ordered so this is redundant. Furthermore,
it is incorrectly documented, as it says nested records are flattened.
2025-07-28 11:11:33 -04:00
Tim Wojtulewicz
e1342ff72d
Use size_t for byte sizes in SerializationFormat
2025-07-25 09:13:10 -07:00
Tim Wojtulewicz
7a5209855f
Add ODesc::Size() that returns size_t, deprecate ODesc::Len()
2025-07-25 09:13:10 -07:00
Arne Welzel
6e2a18ce4f
Merge remote-tracking branch 'origin/topic/awelzel/conn-id-ctx-singleton'
...
* origin/topic/awelzel/conn-id-ctx-singleton:
RecordType: Allow field init deferral of deferrable record constructors
Conn: Use conn_id_ctx singleton
Conn: Add InitPostScript() and conn_id_ctx singleton
ID: Add conn_id_ctx
2025-07-25 10:59:07 +02:00
Arne Welzel
2cb26eda51
RecordType: Allow field init deferral of deferrable record constructors
...
The ctx: conn_id_ctx &default=conn_id_ctx() field was not optimized
as deferrable even though by default it's an empty record and so deferring
initialization seems safe. Open-code the special record constructor
expression case in ExprFieldInit so that the ctx field is not default
initialized at record construction anymore. I am wondering a bit if the
same applies to &default=set() and &default=table().
2025-07-25 10:55:51 +02:00
Tim Wojtulewicz
d5db359772
Add process_start_time_seconds and process_pid metrics
2025-07-24 10:39:14 -07:00
Arne Welzel
906cec9adb
Conn: Use conn_id_ctx singleton
2025-07-24 17:35:07 +02:00
Arne Welzel
eba6355b84
Conn: Add InitPostScript() and conn_id_ctx singleton
2025-07-24 17:28:31 +02:00
Arne Welzel
a2922cdde9
ID: Add conn_id_ctx
...
Seemed a bit unfortunate to use id::connection and id::conn_id, but
then do something different for conn_id_ctx.
2025-07-24 17:27:51 +02:00
Johanna Amann
383dce9343
Fix parsing of EDNS rcode
...
The EDNS rcode was incorrectly calculated. The extended rcode is formed
by taking the upper 8 bits of the extended rcode field, plus the lower 4
bits of the existing rcode.
This also adds a new trace with an extended rcode, and a testcase
parsing it.
Reported by dwhitemv25.
Fixes GH-4656
2025-07-24 14:57:00 +01:00
Arne Welzel
785bb2ee13
conn_key/fivetuple: Handle one-way ICMP conns in DoConnKeyFromVal()
...
When a conn_id represents an ICMP "connection", we need to determine the
is_one_way flag for InitTuple() in order to skip any flipping of address
and ports for one-way ICMP connections.
Fixes #4645
2025-07-24 09:48:33 +02:00
Johanna Amann
4399f171ae
Merge remote-tracking branch 'origin/topic/johanna/pppoe-session-id-logging'
...
* origin/topic/johanna/pppoe-session-id-logging:
Update external tests for pppoe-session-id conn.log changes
PPPoE: add session id logging
2025-07-24 07:57:18 +01:00
Tim Wojtulewicz
64bca5ce4c
Fix a few other minor issues reported by Coverity
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
d22810e476
Add a few extra null checks, plus a missing initialization that led to a bad null check
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
2e5db823ef
Fix some integer overflow issues reported by Coverity
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
2da3b3a2a6
Ignore a couple of known-unused results reported by Coverity
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
d4cb3c8225
Fix some bit-shifting overflow/UB issues reported by Coverity
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
22e78c3c24
Reset the value of a status variable in SQLite backend before using it in a loop
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
0b3b5e2ef2
Fix a potential memory leak reported by Coverity
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
dea44003a1
Avoid some string copies in IRC analyzer
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
205c72d26f
Add some additional std::moves reported by Coverity
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
2ce26f1be0
Fix an unsigned integer comparison reported by Coverity
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
4c58fb26c4
Fix uninitialized class member Coverity findings
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
923ffbf25a
Handle uncaught exception during setup
2025-07-23 15:17:53 -07:00
Tim Wojtulewicz
146837fe73
Fix swapped storage metrics names
2025-07-23 13:14:46 -07:00
Tim Wojtulewicz
7e3ed2010d
Add flag to force synchronous mode when calling storage script-land functions
2025-07-23 13:14:34 -07:00
Tim Wojtulewicz
3b6a27d0a3
Fix clang-tidy findings in embedded C++ from bif files
2025-07-23 10:19:32 -07:00
Johanna Amann
e5a434c392
PPPoE: add session id logging
...
This adds a new PacketAnalyzer::PPPoE::session_id bif, which extracts
the PPPoE session ID from the current packet.
Furthermore, a new policy script is added which adds the pppoe session
id to the connection log.
Related to GH-4602
2025-07-23 13:43:45 +01:00
Arne Welzel
84cbd3784f
Merge remote-tracking branch 'origin/topic/awelzel/make-record-fields-ordered'
...
* origin/topic/awelzel/make-record-fields-ordered:
Type/RecordType: Make table returned by GetRecordFieldsVal() ordered
2025-07-23 13:38:05 +02:00
Arne Welzel
9f3a3b423f
Type/RecordType: Make table returned by GetRecordFieldsVal() ordered
...
Seems only reasonable to provide that guarantee as pointed out in #4674.
2025-07-22 16:58:40 +02:00
Tim Wojtulewicz
e458da944f
Return weird if a log line is over a configurable size limit
2025-07-21 09:14:52 -07:00
Tim Wojtulewicz
d0a6d84237
Add SQLite page_count and file_size metrics
2025-07-18 14:28:04 -07:00
Tim Wojtulewicz
a0ffe7f748
Add storage metrics for operations, expirations, data transferred
2025-07-18 14:28:04 -07:00
Tim Wojtulewicz
cab0883254
Fix ordering of telemetry metrics when running under test
2025-07-18 14:28:04 -07:00
Tim Wojtulewicz
365e6cbc9e
Make RunPragma take an optional value parser to return data
2025-07-18 14:28:04 -07:00
Tim Wojtulewicz
b44f7ca9ad
Make SQLite::Step take a callback function for parsing result data
2025-07-18 14:28:04 -07:00
Tim Wojtulewicz
a1d121e5aa
Use std::string/string_view versions of starts_with/ends_with where appropriate
...
The util:: versions of these methods remain as a thin wrapper around them so
they can be used with const char* arguments. Otherwise callers have to manually
make string_view objects from the input.
2025-07-17 09:08:54 -07:00
Tim Wojtulewicz
49a7f64460
Add nolint for enum size for HILTI_RT_ENUM use
2025-07-16 09:49:57 -07:00
Robin Sommer
c94ce6b946
Merge remote-tracking branch 'origin/topic/robin/gh-4481-test-analyzer'
...
* origin/topic/robin/gh-4481-test-analyzer:
Spicy: Fix missing include.
Bump Spicy.
Spicy: Add functions to check if Zeek provides an analyzer of a given name.
2025-07-16 17:47:08 +02:00
Arne Welzel
a42875d033
SMTP: Add missing Undelivered() call
...
Not that it's implemented, but for consistency.
2025-07-16 11:27:00 +02:00