Jon Siwek
3ea34d6ea3
GH-236: Add zeek_script_loaded event, deprecate bro_script_loaded
2019-04-19 12:02:22 -07:00
Jon Siwek
a994be9eeb
Merge remote-tracking branch 'origin/topic/seth/zeek_init'
...
* origin/topic/seth/zeek_init:
Some more testing fixes.
Update docs and tests for bro_(init|done) -> zeek_(init|done)
Implement the zeek_init handler.
2019-04-19 11:24:29 -07:00
Seth Hall
8cefb9be42
Implement the zeek_init handler.
...
Implements the change and a test.
2019-04-14 08:37:35 -04:00
Daniel Thayer
18bd74454b
Rename all scripts to have ".zeek" file extension
2019-04-11 21:12:40 -05:00
Daniel Thayer
bff8392ad4
Remove unnecessary ".bro" from @load directives
...
Removed ".bro" file extensions from "@load" directives because
they are not needed.
2019-03-31 02:24:47 -05:00
Justin Azoff
73954bca27
Reduce weird-stats overhead
...
observe_weird_stats only needs to be called when cluster_ss_request is
called for the weirds.statistics stat, not for all of them.
2019-03-27 11:06:39 -04:00
Jon Siwek
8b29df96cc
Merge branch 'master' of https://github.com/hosom/zeek
...
* 'master' of https://github.com/hosom/zeek :
Normalize the intel seen filename for smb.
load smb-filenames in scripts/policy/frameworks/intel/seen/__load__.bro
Add SMB::IN_FILE_NAME to Intel::Where enum
Support filenames for SMB files
I added a test case
2019-03-25 16:45:59 -07:00
Jan Grashoefer
c301e1c9b4
Added policy script for intel removal.
2019-03-24 22:16:13 +01:00
Jon Siwek
01d303b480
Migrate table-based for-loops to key-value iteration
2019-03-15 19:54:44 -07:00
Jon Siwek
03ac32adec
Merge branch 'topic/dopheide/fix-ssh-geo-data' of https://github.com/dopheide-esnet/bro
...
* 'topic/dopheide/fix-ssh-geo-data' of https://github.com/dopheide-esnet/bro :
Fix geo-data to log remote_location data when auth is successful.
2019-03-15 13:03:59 -07:00
Michael Dopheide
0f6f6cdb29
Fix geo-data to log remote_location data when auth is successful.
2019-03-13 14:14:38 -05:00
Stephen Hosom
1d5eac4ee1
Normalize the intel seen filename for smb.
2019-02-27 09:24:52 -05:00
Stephen Hosom
2d3a21968e
load smb-filenames in scripts/policy/frameworks/intel/seen/__load__.bro
2019-02-27 08:56:28 -05:00
Stephen Hosom
8ce6d67acc
Add SMB::IN_FILE_NAME to Intel::Where enum
...
This should reduce the ambiguity of where precisely the indicator was
seen so that it isn't confused with the normal File::IN_NAME hit.
2019-02-27 08:53:52 -05:00
Stephen Hosom
4ae92161e9
Support filenames for SMB files
...
Hook file_new to observe filenames in SMB traffic and fire into Intel::seen
2019-02-27 08:47:53 -05:00
Johanna Amann
2e2f611df5
Merge branch 'master' of https://github.com/hosom/zeek
...
* 'master' of https://github.com/hosom/zeek :
Add fuid to SSL:Invalid_Server_Cert notice
2019-01-29 14:52:34 -08:00
Stephen Hosom
e30a02e186
Add fuid to SSL:Invalid_Server_Cert notice
...
This is a very basic quality of life improvement. It should make it
much easier to find additional information about the certificate
in question.
2019-01-29 13:34:51 -05:00
Jon Siwek
0cc5e4e044
Add missing record field comment
2018-10-26 10:42:05 -05:00
Jon Siwek
8d0087154a
Add missing record field comments
2018-10-26 10:24:30 -05:00
Jon Siwek
c2c5754e28
Merge branch 'topic/jazoff/sqli-policy-hook' of https://github.com/JustinAzoff/bro
...
* 'topic/jazoff/sqli-policy-hook' of https://github.com/JustinAzoff/bro :
add sqli_policy hook
2018-09-19 15:22:45 -05:00
Justin Azoff
a599c5d997
add sqli_policy hook
...
Add a hook that can be used to prevent specific requests from being
counted towards SQL injection.
2018-09-19 14:11:45 -04:00
Jon Siwek
c85cfdd470
Add @deprecate to policy/protocols/smb/__load__.bro
2018-08-31 09:26:22 -05:00
Jon Siwek
57a505b0e4
Allow loading policy/protocols/smb once again
...
It just redirects to base/protocols/smb
2018-08-30 16:07:04 -05:00
Jon Siwek
7e6fc58ab4
Merge remote-tracking branch 'origin/topic/johanna/tls-more-data'
...
* origin/topic/johanna/tls-more-data:
Update NEWS for ssl changes.
SSL: test updates for record_layer version
Final touches to SSL events with record layer version.
Introduce ssl_plaintext_data event.
Add record layer version to event ssl_encrypted_data.
Add compression methods to ssl_client_hello event.
2018-08-30 09:48:25 -05:00
Jon Siwek
31d8391af0
Fix a routing loop in control framework
...
A controllee now subscribes to a topic prefix based on their node ID
instead of the common control topic prefix.
2018-08-28 19:50:53 -05:00
Johanna Amann
27d47314f7
Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data
2018-08-27 09:25:40 -07:00
Daniel Thayer
8b0b7d3304
Merge remote-tracking branch 'origin/master' into topic/dnthayer/ticket1963
2018-08-24 16:06:05 -05:00
Daniel Thayer
01a899255e
Convert more redef-able constants to runtime options
2018-08-24 16:05:44 -05:00
Johanna Amann
b2a0418dc5
Final touches to SSL events with record layer version.
2018-08-23 14:18:38 -07:00
Johanna Amann
aa2488fb69
Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data
2018-08-20 16:10:21 -07:00
Jon Siwek
bcf97f70ea
Merge remote-tracking branch 'origin/topic/jsiwek/empty-lines'
...
* origin/topic/jsiwek/empty-lines:
Add 'smtp_excessive_pending_cmds' weird
Fix SMTP command string comparisons
Improve handling of empty lines in several text protocol analyzers
Add rate-limiting sampling mechanism for weird events
Teach timestamp canonifier about timestamps before ~2001
2018-08-20 15:35:16 -05:00
Jon Siwek
6595b21e2e
Merge remote-tracking branch 'origin/topic/dnthayer/ticket1963'
...
* origin/topic/dnthayer/ticket1963:
Remove unused redef-able constants
Convert some redef-able constants to runtime options
2018-08-20 12:44:58 -05:00
Jon Siwek
1671244a64
Merge remote-tracking branch 'origin/topic/dnthayer/doc-fixes-for-2.6'
...
* origin/topic/dnthayer/doc-fixes-for-2.6:
Fix some typos and improve formatting in NEWS
Update the operators documentation
Replace references to libgeoip in the documentation
Update install instructions for python-ipaddress
Update documentation of "option" and "redef" declarations
Improvements to the config framework documentation
Rearrange some lines on the "Log Files" documentation page
Improve install/setup instructions for libmaxminddb
Update NEWS for config framework clusterization changes
Update config framework doc for clusterization changes
Fix typos and formatting issues in config framework docs
2018-08-17 17:10:34 -05:00
Jon Siwek
edf8658b11
Merge remote-tracking branch 'origin/topic/vladg/dhcp_event_deprecation'
...
* origin/topic/vladg/dhcp_event_deprecation:
Add script to support the old DHCP events
Updated coverage tests and fixed incorrect DHCP:: scoping on some things
2018-08-17 16:38:19 -05:00
Daniel Thayer
1a4629b0dc
Merge remote-tracking branch 'origin/master' into topic/dnthayer/ticket1963
2018-08-17 14:11:47 -05:00
Johanna Amann
b1dbd757a6
Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data
2018-08-17 11:52:00 -07:00
Daniel Thayer
a71ed6f781
Merge remote-tracking branch 'origin/master' into topic/dnthayer/doc-fixes-for-2.6
2018-08-17 11:34:16 -05:00
Jon Siwek
fcabd72b92
BIT-1815: move SMB::write_cmd_log functionality into policy/ script
...
The option is removed, but same functionality is now enabled simply
by loading policy/protocols/smb/log-cmds.bro
2018-08-17 11:15:18 -05:00
Jon Siwek
a04c76c035
Enable SMB by default by moving scripts from policy/ to base/
2018-08-16 17:23:28 -05:00
Jon Siwek
7fdf621a1d
BIT-1924: add DHCP port to software.log for completeness
2018-08-16 16:08:29 -05:00
Daniel Thayer
c941c565a6
Replace references to libgeoip in the documentation
...
Replace references to the old libgeoip library with "libmaxminddb" or
"GeoIP support".
2018-08-16 15:45:58 -05:00
Daniel Thayer
dc0904a7f3
Convert some redef-able constants to runtime options
2018-08-15 10:17:14 -05:00
Jon Siwek
a2f8d81fb6
Fix validate-certs.bro comments
2018-08-13 10:20:58 -05:00
Jon Siwek
e6042940dc
Fix (non)suppression of proxy-bound events in known-*.bro scripts
...
When not using data stores, these scripts were intended to suppress
sending duplicate events to proxies by looking up the key in the local
cache.
2018-08-06 17:04:42 -05:00
Jon Siwek
35827eeb31
Add rate-limiting sampling mechanism for weird events
...
The generation of weird events, by default, is now rate-limited
according to these tunable options:
- Weird::sampling_whitelist
- Weird::sampling_threshold
- Weird::sampling_rate
- Weird::sampling_duration
The new get_reporter_stats() BIF also allows one to query the
total number of weirds generated (pre-sampling) which the new
policy/misc/weird-stats.bro script uses periodically to populate
a weird_stats.log.
There are also new reporter BIFs to allow generating weirds from the
script-layer such that they go through the same, internal
rate-limiting/sampling mechanisms:
- Reporter::conn_weird
- Reporter::flow_weird
- Reporter::net_weird
Some of the code was adapted from previous work by Johanna Amann.
2018-07-26 19:57:36 -05:00
Vern Paxson
88fd7510c6
reap the fruits of v += e
2018-07-26 12:51:36 -07:00
Vlad Grigorescu
fcaed26796
Add script to support the old DHCP events
2018-07-24 12:49:10 -05:00
Jon Siwek
6215d45f10
Improve control framework id-update/test output
2018-07-20 11:59:40 -05:00
Liviu Valsan
acf1c591ea
Added support for making optional the extraction of DNS entries from X509 SAN as Intel::seen records.
2018-07-03 15:08:21 +02:00
Johanna Amann
b2dc7ffb26
Merge branch 'smb2-updates' of https://github.com/dtrejod/bro
2018-05-31 21:13:20 -07:00