We now extract email addresses in the fields that one would expect
to contain addresses. This makes further downstream processing of
these fields easier like log analysis or using these fields in the
Intel framework. The primary downside is that any other content
in these fields is no longer available such as full name and any
group information. I believe the simplification of the content in
these fields is worth the change.
Added "cc" to the script that feeds information from SMTP into the
Intel framework.
A new script for email handling utility functions has been created
as a side effect of these changes.
Added a new BIF haversine_distance that computes distance between two
geographic locations.
Added a new Bro script function haversine_distance_ip that does the same
but takes two IP addresses instead of latitude/longitude. This function
requires that Bro be built with libgeoip.
When Bro was compiled with broker disabled, then some Bro scripts
were referencing functions and types that were not defined. Fixed
by adding @ifdefs to several scripts. Removed one @ifdef because
it was causing several unit tests to fail.
Also fixed the @TEST-REQUIRES check in tests that rely on broker so
that such tests are skipped when broker is disabled.
* origin/topic/dnthayer/broker-namespace:
Split the broker main.bro into two scripts
Rename the BrokerStore namespace to Broker
Rename the BrokerComm namespace to Broker
BIT-1563 #merged
This analyzer parses the Remote Frame Buffer
protocol, usually referred to as the 'VNC protocol'.
It supports several dialects (3.3, 3.7, 3.8) and
also handles the Apple Remote Desktop variant.
It will log such facts as client/server versions,
authentication method used, authentication result,
height, width and name of the shared screen.
It also includes two testcases.
Todo: Apple Remote Desktop seems to have some
bytes prepended to the screen name. This is
not interepreted correctly.
This is a very simple XMPP analyzer that basically only can parse the
protocol until the client and server start negotiating a TLS session. At
that point, the TLS analyzer is attached.
While the basic case seems to be working, I fully expect that I missed
something and that this might break in a lot of cases.
* origin/topic/vladg/sip:
Update NEWS.
Update baselines.
Spruce up SIP events.bif documentation a bit.
Register SIP analyzer to well known port.
Fix indenting issue in main.bro
Add SIP btests.
Small update for the SIP logs and DPD sig.
SIP: Fix up DPD and the TCP analyzer a bit.
SIP: Move to the new string BIFs
SIP: Move to new analyzer format.
Move the SIP analyzer to uint64 sequences, and a number of other small SIP fixes.
Rely on content inspection and not just is_orig to determine client/server.
Enable SIP in CMakeLists.txt
Merge topic/seth/faf-updates.
BIT-1370 #merged
* origin/topic/vladg/kerberos: (27 commits)
Add Kerberos to NEWS.
Add Kerberos memleak btest.
Add Kerberos analyzer btest.
Update baselines for Kerberos analyzer.
Add known ports to krb/main.bro
KRB: Clean up krb.log a bit.
Kerberos: Remove debugging output.
Kerberos: Fix a memleak.
Kerberos: A couple small tweaks.
Kerberos: Fix parsing of the cipher in tickets, and add it to the log.
Kerberos: A couple more formatting fixes.
Change krb Info string to success bool
Clean up formatting.
Documentation update, and rework events a bit.
Add support for the SAFE message type.
Add support for AP_REQ, AP_REP, PRIV, and CRED message types.
Fix parsing error for KRB_Ticket_Sequence
Continue clean-up. Some reformatting, removing hard-coded values, documentation, etc.
Kerberos analyzer updates: - Split up the (quite length) krb-protocol.pac into krb-protocol, krb-defs, krb-types and krb-padata - Add some supporting types to get rid of awkward and difficult to read case true/false statements - Clean up the conversion code in krb-analyzer.pac
Improve Kerberos DPD and fix a few parse errors.
...
BIT-1369 #merged
the describe function for types to descend into record fields that
are marked with it.
With this, we can actually load the pacf scripts without crashing Bro
when running tests :)
work fine now.
Todo:
* update all baselines
* fix the circular reference to the fa_file structure I introduced :)
Sadly this does not seem to be entirely straightforward.
addresses BIT-953, BIT-760
This supports parsing of SNMPv1 (RFC 1157), SNMPv2 (RFC 1901/3416), and
SNMPv2 (RFC 3412). An event is raised for each SNMP PDU type, though
there's not currently any event handlers for them and not a default
snmp.log either. However, simple presence of SNMP is currently visible
now in conn.log service field and known_services.log.
If reading a trace file w/ only TCP control packets, a warning is
emitted to suggest the 'detect_filtered_traces' option if the user
doesn't desire Bro to report missing TCP segments for such a trace file.
the ssl-analyzer and the topic/bernhard/x509 branch.
Simply prints information about the encountered certificates (I have
not yet my mind up, what I will log...).
Next step: extensions...
BIT-1054 #merged
* origin/topic/seth/unified2-analyzer:
Fixes in case a packet isn't seen that matches an event.
Finished work on unified2 analyzer.
Fixed some tests.
Working unified2 analyzer.
Unified2 file analyzer updated to new plugin style.
Adding the unified2 analyzer.
Conflicts:
testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
