Jon Siwek
186e67ec1d
Allow logging filters to inherit default path from stream.
This allows the path for the default filter to be specified explicitly
when creating a stream and reduces the need to rely on the default path
function to magically supply the path.
The default path function is now only used if, when a filter is added to
a stream, it has neither a path nor a path function already.
Adapted the existing Log::create_stream calls to explicitly specify a
path value.
Addresses BIT-1324
2015-03-19 14:49:55 -05:00
Jon Siwek
4c00729104
Tune parameters related to TCP initial window.
Increase default values of "tcp_max_above_hole_without_any_acks" and
"tcp_max_initial_window" from 4096 to 16384 bytes.
BIT-1255 #close
2015-03-19 13:23:55 -05:00
Jon Siwek
6ebd80a8b4
BIT-849: turn SMTP reporter warnings into weirds.
The new weirds are named "smtp_nested_mail_transaction" and
"smtp_unmatched_end_of_data".
BIT-849 #close
2015-03-19 12:18:37 -05:00
Jon Siwek
8efaae96cd
BIT-788: use DNS QR field to better identify flow direction.
2015-03-19 11:53:40 -05:00
Seth Hall
3956df4407
Merge remote-tracking branch 'origin/topic/vladg/rrsig'
* origin/topic/vladg/rrsig:
DNS: Log the type number for the DNS_RR_unknown_type weird.
2015-03-18 22:51:37 -04:00
Daniel Thayer
eec7f77913
Correct a spelling error
2015-03-18 16:39:06 -05:00
Daniel Thayer
9aa5cdc53a
Merge remote-tracking branch 'origin/master' into fastpath
2015-03-18 16:33:32 -05:00
Jon Siwek
981be3b670
BIT-342: add "icmp_sent_payload" event.
2015-03-18 16:16:24 -05:00
Johanna Amann
443106dbdb
a few more small script-level fixes
Sorry, forgot to commit these.
2015-03-18 13:26:46 -07:00
Johanna Amann
e180403e76
update test baselines
2015-03-18 12:56:02 -07:00
Johanna Amann
5f557849a6
add a simple leak test for dtls
2015-03-18 12:48:22 -07:00
Vlad Grigorescu
1ea5463037
Merge remote-tracking branch 'origin/master' into topic/vladg/sip
2015-03-18 15:44:09 -04:00
Johanna Amann
28e6aa9561
Merge remote-tracking branch 'origin/master' into topic/johanna/dtls
2015-03-18 12:25:39 -07:00
Johanna Amann
58ed2eb9ae
add signature for dtls client hello
2015-03-18 11:58:46 -07:00
Johanna Amann
90bc5add6e
Make the plugin structure more... legal.
2015-03-18 11:15:18 -07:00
Vlad Grigorescu
01e5de8234
DNS: Log the type number for the DNS_RR_unknown_type weird.
2015-03-18 13:31:12 -04:00
Vlad Grigorescu
29f78cf90f
SSH: Add memleak btest
2015-03-18 13:04:44 -04:00
Vlad Grigorescu
be6188bf00
SSH: Update baselines
2015-03-18 13:02:33 -04:00
Vlad Grigorescu
61c94d1809
SSH: Added some more events for SSH2
2015-03-18 12:52:46 -04:00
Robin Sommer
567073ac09
Updating submodule(s).
[nomail]
2015-03-18 08:46:56 -07:00
Robin Sommer
d3afe97f83
Splitting test-all target into Bro tests and test-aux.
Also making failure of one sub-suite non-fatal.
2015-03-17 15:57:28 -07:00
Robin Sommer
468e7bbce2
Increasing a test timeout to not fail on slower machines.
2015-03-17 15:41:14 -07:00
Robin Sommer
b0e066d3e0
Merge remote-tracking branch 'origin/topic/johanna/cert-validation'
* origin/topic/johanna/cert-validation:
add x509 canonifiers to test to not make it fail on differing openssl versions.
2015-03-17 15:29:47 -07:00
Johanna Amann
d236643894
Make error message when encountering non-existent enums better.
Example:
internal error: Value not 'NoSuch::Notice' for stream 'ignored_notices' is not a valid enum.
Abort trap: 6
Addresses BIT-1199
2015-03-17 13:45:00 -07:00
Johanna Amann
e291ccc14a
add x509 canonifiers to test to not make it fail on differing openssl versions.
2015-03-17 12:51:57 -07:00
Vlad Grigorescu
092a78d14b
Merge remote-tracking branch 'origin/master' into topic/vladg/ssh
2015-03-17 12:36:30 -04:00
Vlad Grigorescu
0cffee7694
SSH: Intel framework integration (PUBKEY_HASH)
2015-03-17 12:33:09 -04:00
Robin Sommer
e3be3c9e02
Merge remote-tracking branch 'origin/topic/jsiwek/bit-1305'
* origin/topic/jsiwek/bit-1305:
Deprecate &rotate_interval, &rotate_size, &encrypt, &mergeable.
BIT-1305 #merged
2015-03-17 09:24:13 -07:00
Robin Sommer
1ec4243ea8
Merge remote-tracking branch 'origin/topic/jsiwek/bit-1077'
* origin/topic/jsiwek/bit-1077:
BIT-1077: fix HTTP::log_server_header_names.
BIT-1077 #merged
2015-03-17 09:12:55 -07:00
Robin Sommer
0cfe431f15
Merge remote-tracking branch 'origin/topic/johanna/cert-validation'
* origin/topic/johanna/cert-validation:
and still use the hash for notice suppression.
add knob to revert to old validation behavior
Update certificate validation script - new version will cache valid intermediate chains that it encounters on the wire and use those to try to validate chains that might be missing intermediate certificates.
BIT-1332 #merged
2015-03-17 09:09:54 -07:00
Robin Sommer
62a3a23a2b
Updating submodule(s).
[nomail]
2015-03-17 09:02:46 -07:00
Robin Sommer
1d40d5c6e9
Updating submodule(s).
[nomail]
2015-03-17 09:02:12 -07:00
Jon Siwek
c09411bc8b
BIT-1077: fix HTTP::log_server_header_names.
Before, it just re-logged fields from the client side.
2015-03-16 15:12:48 -05:00
Vlad Grigorescu
65d982acc1
Update baselines for new SSH analyzer.
2015-03-16 16:12:18 -04:00
Vlad Grigorescu
8218461d35
Update SSH policy scripts with new events.
2015-03-16 13:50:43 -04:00
Vlad Grigorescu
370f4f2179
SSH: Add documentation
2015-03-16 13:32:13 -04:00
Pete Nelson
3ef2cd70a4
Add defensive check for localtime_r() call
2015-03-14 16:56:35 -04:00
Seth Hall
19f498b4a4
Even more file type ident clean up.
- Add detection for ColdFusion scripts.
- Support detection of XML/HTML with prefixed comment blocks.
2015-03-14 00:25:13 -04:00
Seth Hall
ee3e885712
Lots of fixes for file type identification.
- Plain text now identified with BOMs for UTF8,16,32
(even though 16 and 32 wouldn't get identified as plain text, oh-well)
- X.509 certificates are now populating files.log with
the mime type application/pkix-cert.
- File signatures are split apart into file types
to help group and organize signatures a bit better.
- Normalized some FILE_ANALYSIS debug messages.
- Improved Javascript detection.
- Improved HTML detection.
- Removed a bunch of bad signatures.
- Merged a bunch of signatures that ultimately detected
the same mime type.
- Added detection for MS LNK files.
- Added detection for cross-domain-policy XML files.
- Added detection for SOAP envelopes.
2015-03-13 22:14:44 -04:00
Jon Siwek
5e2defebe5
Make INSTALL a symlink to doc/install/install.rst
BIT-1275 #close
2015-03-13 15:45:20 -05:00
Jon Siwek
778b37b5d0
Deprecate &rotate_interval, &rotate_size, &encrypt, &mergeable.
Addresses BIT-1305.
2015-03-13 14:54:46 -05:00
Jon Siwek
46f7d23888
Fix Broxygen coverage.
2015-03-13 14:53:11 -05:00
Jon Siwek
0b957cbe75
Include timestamp in default extracted file names.
And add a policy script to extract all files.
BIT-1335 #close
2015-03-13 14:25:30 -05:00
Jon Siwek
6fbceb6a98
Identify GRE tunnels as Tunnel::GRE, not Tunnel::IP.
BIT-1311 #close
2015-03-13 13:03:58 -05:00
Jon Siwek
51010eccd4
Add Connection class getter methods for flow labels.
BIT-1309 #close
2015-03-13 13:00:29 -05:00
Johanna Amann
88beb31270
Only force logging of SSL if it actually was the SSL analyzer that failed.
2015-03-12 16:10:26 -07:00
Johanna Amann
991e4f5dc3
DTLS working.
The only thing that is missing is a signature to detect the protocol (it
has no well-known port).
Reassembly is kind of fidgety - at the moment we only support
re-assembling one simultaneous message per direction (which looking at
our test-traffic might not be a problem). And I am not quite sure if I
got all cases correct...
But - it works :)
2015-03-12 15:46:17 -07:00
Jon Siwek
c56df225b0
Fix Broker leak tests.
Forgot to update Broker module names when they changed.
2015-03-12 16:17:34 -05:00
Jon Siwek
b47376b8e4
Updating submodule(s).
[nomail]
2015-03-12 13:09:44 -05:00
Jon Siwek
ccd5387a9f
Update NEWS file.
BIT-1338 #close
2015-03-12 11:03:20 -05:00