Commit graph

6667 commits

Author SHA1 Message Date
Bernhard Amann
1cf506071d make it compile on case-sensitive file systems and fix warnings 2013-05-01 18:12:20 -07:00
Bernhard Amann
5e01c34943 Merge remote-tracking branch 'origin/master' into topic/bernhard/hyperloglog 2013-05-01 18:04:39 -07:00
Robin Sommer
1603da5af3 Always apply tcp_connection_attempt.
Before this change it was only applied when a connection_attempt()
event handler was defined.
2013-05-01 18:03:52 -07:00
Bernhard Amann
c6e69ddc05 potentially found wrong Ref. 2013-05-01 17:06:45 -07:00
Bernhard Amann
a194fc874e t merge Merge remote-tracking branch 'origin/master' into topic/bernhard/topk 2013-04-29 22:09:38 -07:00
Robin Sommer
a201d2e033 Fixing more memory leaks. 2013-04-29 21:21:05 -07:00
Robin Sommer
1a41bfa0ef Fixing memory leak in CompHash.
Amazing what code still has memory leaks ...

Closes #987.
2013-04-29 21:18:55 -07:00
Robin Sommer
e8c9c2ee0b Fixing more memory leaks. 2013-04-29 21:14:11 -07:00
Robin Sommer
95cf662ff5 Fixing memory leak in CompHash.
Amazing what code still has memory leaks ...

Closes #987.
2013-04-29 21:14:11 -07:00
Jon Siwek
0141f51801 FileAnalysis: load custom mime magic database just once.
This works around a bug in libmagic since version 5.12 (current at
time of writing is 5.14) -- second call to magic_load() w/ non-default
database segfaults.
2013-04-29 12:49:22 -05:00
Seth Hall
07b53e9fe2 Merge remote-tracking branch 'origin/master' into topic/seth/file-analysis-exe-analyzer 2013-04-29 13:33:44 -04:00
Bernhard Amann
b968103c92 Merge remote-tracking branch 'origin/master' into topic/bernhard/sqlite 2013-04-28 22:06:34 -07:00
Bernhard Amann
160da6f1a6 add sum function that can be used to get the number of total
observed elements.

Add methods to merge with and without pruning (before only merge
method was with pruning, which invalidates the number of total
observed elements)
2013-04-28 21:55:06 -07:00
Bernhard Amann
1accee41ed fix memory leaks 2013-04-26 14:06:38 -07:00
Bernhard Amann
fd2e050306 fix warnings 2013-04-26 11:34:07 -07:00
Seth Hall
41967a8d0f Merge remote-tracking branch 'origin/topic/jsiwek/file-analysis' into topic/seth/file-analysis-exe-analyzer 2013-04-25 13:44:18 -04:00
Seth Hall
317252b5ae Another checkpoint 2013-04-25 13:44:12 -04:00
Bernhard Amann
f69db71f57 Merge remote-tracking branch 'origin/master' into topic/bernhard/hyperloglog 2013-04-24 16:01:05 -07:00
Bernhard Amann
dbd53a09a6 Merge remote-tracking branch 'origin/master' into topic/bernhard/topk 2013-04-24 15:02:19 -07:00
Bernhard Amann
c0890f2a0f make size of topk-list configurable when using sumstats 2013-04-24 15:01:06 -07:00
Jon Siwek
d22f30e9a1 Improve a libmagic-related error message. 2013-04-24 12:57:51 -05:00
Seth Hall
d72980828f Merge remote-tracking branch 'origin/topic/jsiwek/file-analysis' into topic/seth/file-analysis-exe-analyzer
Conflicts:
	src/file_analysis/ActionSet.cc
	src/types.bif
2013-04-24 13:01:39 -04:00
Seth Hall
4cc9ca4243 Checkpoint 2013-04-24 12:56:20 -04:00
Bernhard Amann
2f48008c42 implement merging for top-k.
I am not (entirely) sure that this is mathematically correct, but
I am (more and more) getting the feeling that it... might be.

In any case - this was the last step and now it should work
in cluster settings.
2013-04-24 06:17:51 -07:00
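The two top-k commits on this page (the "add sum function ... merge with and without pruning" change and "implement merging for top-k") describe behaviour that the following added Python example illustrates; it is not Bro's code. It assumes a Space-Saving style summary (a fixed-size table of count/error pairs, the evicted minimum's count becoming the newcomer's error bound) and a merge that simply adds counts element-wise and then optionally prunes back to the configured size; the streams fed to the two worker summaries are constructed sample data.

```python
# Added illustration of a top-k summary with merge/prune/sum semantics.
# Assumptions (not Bro's implementation): fixed-size table of [count, error] per
# element, eviction of the current minimum on insert, and an additive merge that
# is optionally pruned back to `size` entries afterwards.

class TopK:
    """Approximate top-k counter over a stream, bounded to `size` tracked elements."""

    def __init__(self, size):
        if size < 1:
            raise ValueError("size must be >= 1")
        self.size = size
        self.counts = {}  # element -> [count, error]

    def observe(self, element):
        """Count one occurrence; evicts the least-counted element when the table is full."""
        if element in self.counts:
            self.counts[element][0] += 1
            return
        if len(self.counts) < self.size:
            self.counts[element] = [1, 0]
            return
        # Table full: replace the minimum. The newcomer inherits the victim's count,
        # which is exactly how much its own count may now be over-estimated.
        victim = min(self.counts, key=lambda e: self.counts[e][0])
        min_count = self.counts.pop(victim)[0]
        self.counts[element] = [min_count + 1, min_count]

    def sum(self):
        """Total of all tracked counts. This equals the number of observed elements
        as long as the table was never pruned: each observation adds exactly one,
        and an eviction moves the victim's count to the newcomer instead of dropping it."""
        return sum(c for c, _ in self.counts.values())

    def merge(self, other, prune=True):
        """Fold another summary into this one by adding counts element-wise.
        With prune=True the result is cut back to `size` entries, which discards
        counts and therefore invalidates sum() as a count of observed elements."""
        for element, (count, error) in other.counts.items():
            if element in self.counts:
                self.counts[element][0] += count
                self.counts[element][1] += error
            else:
                self.counts[element] = [count, error]
        if prune:
            self.prune()
        return self

    def prune(self):
        """Keep only the `size` highest counts."""
        keep = sorted(self.counts, key=lambda e: self.counts[e][0], reverse=True)[:self.size]
        self.counts = {e: self.counts[e] for e in keep}

    def top(self, k):
        """The k most frequent elements as (element, count, error), highest first."""
        ranked = sorted(self.counts.items(), key=lambda kv: kv[1][0], reverse=True)
        return [(e, c, err) for e, (c, err) in ranked[:k]]


def demo():
    """Two worker summaries (constructed sample streams) merged at a manager.
    Returns the per-worker sums, the unpruned and pruned merged sums, and the top 2."""
    worker_a, worker_b = TopK(3), TopK(3)
    for element in "aaaaa" "bbb" "cc" "d":   # constructed stream, 11 elements
        worker_a.observe(element)
    for element in "bbbb" "ee" "a":          # constructed stream, 7 elements
        worker_b.observe(element)
    # Merging without pruning keeps sum() == total observed elements (11 + 7 = 18).
    exact = TopK(3).merge(worker_a, prune=False).merge(worker_b, prune=False)
    # Merging with pruning drops the smallest entry, so sum() falls below 18.
    pruned = TopK(3).merge(worker_a, prune=False).merge(worker_b, prune=True)
    return worker_a.sum(), worker_b.sum(), exact.sum(), pruned.sum(), pruned.top(2)


if __name__ == "__main__":
    print(demo())
```

In `demo()`, the manager-side table built without pruning holds four entries and its sum is the exact number of observed elements, while the pruned table is back at three entries and under-counts. That is the trade-off the commit message refers to: prune to bound memory, or keep the total exact.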
Bernhard Amann
6f863d2259 add serialization for topk 2013-04-23 23:24:02 -07:00
Robin Sommer
e986247ff2 Merge remote-tracking branch 'origin/topic/jsiwek/974'
Closes #974.

* origin/topic/jsiwek/974:
  Fix schedule statements used outside event handlers (addresses #974).
2013-04-23 20:38:21 -07:00
Robin Sommer
f6f00924fc Merge remote-tracking branch 'origin/topic/jsiwek/973'
Closes #973.

* origin/topic/jsiwek/973:
  Fix record coercion for default inner record fields (addresses #973).
2013-04-23 20:37:08 -07:00
Robin Sommer
71591d706e Small tweaks for bytestring_to_count().
Closes #968.
2013-04-23 20:32:57 -07:00
Yun Zheng Hu
3fff71b37a Add bytestring_to_count function to bro.bif 2013-04-23 20:18:38 -07:00
Bernhard Amann
a426c76122 make the get function const 2013-04-23 18:23:34 -07:00
Bernhard Amann
de5769a88f topk for sumstats 2013-04-23 15:19:01 -07:00
Jon Siwek
f07760ba00 FileAnalysis: add is_orig field to fa_file & Info. 2013-04-23 10:50:43 -05:00
Jon Siwek
7069f679c3 Fix record coercion for default inner record fields (addresses #973). 2013-04-23 09:57:55 -05:00
Jon Siwek
fa30d4a313 Fix schedule statements used outside event handlers (addresses #974). 2013-04-22 13:00:44 -05:00
Bernhard Amann
ce7ad003f2 well, a test that works..
Note: merging top-k data structures is not yet possible (and is
actually quite awkward/expensive). I will have to think about
how to do that for a bit...
2013-04-22 02:40:42 -07:00
Bernhard Amann
c21c18ea45 implement topk.
This is _completely_ untested. It compiles. It will probably do
nothing else (well, besides crashing Bro).
2013-04-22 01:10:29 -07:00
Robin Sommer
eb3218590e Cleaning up analyzer naming.
Also adding the script-level ID to the -NN output.
2013-04-19 16:35:18 -07:00
Robin Sommer
da696c4b24 Unifying analyzer names and descriptions. 2013-04-19 15:58:13 -07:00
Robin Sommer
4bc2ba60c9 Rename analyzer/protocols -> analyzer/protocol 2013-04-19 15:50:57 -07:00
Robin Sommer
f7a10d915b Renaming analyzer. 2013-04-19 15:40:15 -07:00
Robin Sommer
d8259b34dd Unifying *.h guards. 2013-04-19 15:38:08 -07:00
Robin Sommer
3959e254e2 Moving protocol-specific BiFs out of bro.bif.
I hope I found them all ...
2013-04-19 15:25:18 -07:00
Jon Siwek
cd0a8bfbdb FileAnalysis: inlined doc fixes. 2013-04-19 16:27:32 -05:00
Jon Siwek
c1f37dde5a FileAnalysis: optimize connection set updating.
Don't need to be checking/updating that for sequential data input, which
won't be over multiple conns.
2013-04-19 11:55:48 -05:00
Bernhard Amann
8340af55d1 persistence really works.
It took me way too long to find this - I got the uint8 serialize/deserialize
wrong :/
2013-04-19 09:52:45 -07:00
Robin Sommer
5dc630f722 Working on TODOs.
- Introducing analyzer::<protocol> namespaces.
- Moving protocol-specific events out of events.bif into analyzer/protocol/<protocol>/events.bif
- Moving ARP over (even though it's not an actual analyzer).
- Moving NetFlow over (even though it's not an actual analyzer).
- Moving MIME over (even though it's not an actual analyzer).
2013-04-18 21:01:15 -07:00
Jon Siwek
cd2a6aa33a FileAnalysis: workarounds for older libmagics.
Some of the unit tests revealed different versions of libmagic could
give different mime types for the same input file and magic database.

One way that could happen is because of the use of hardcoded/builtin
token (word) comparisons for ascii files -- MAGIC_NO_CHECK_TOKENS flag
will prevent that from being used (and it's obsoleted in newer
libmagics).

The other problem looked like a bug fixed as of 5.05 where
a match in the magic database that doesn't have a verbose description
but does have a mime type won't actually return that mime type due to
the missing description.  The one case where that kept popping up
was in 5.04 not being able to identify application/x-dosexec, so I added
a description to the top-level match for that to workaround the issue.
2013-04-18 18:09:48 -05:00
Robin Sommer
dfc4cb0881 Moving all analyzers over to new structure.
This is a checkpoint, it works but there's more cleanup to do. TODOs in
src/analyzer/protocols/TODO.
2013-04-16 20:52:03 -07:00
Robin Sommer
56edef1646 Removing left-overs from BinPAC http analyzer. 2013-04-16 14:47:17 -07:00
Robin Sommer
a191eed7db Adding separate Plugin.cc for HTTP analyzer for consistency. 2013-04-16 14:43:52 -07:00