For tables of a composite index type with the first type being a
record, membership checks with an inline index key could be
misinterpreted as a record constructor instead of an expression list.
E.g, if the table type is "global t = table[conn_id, bool] of count",
then checking membership like "[c$id, is_orig] in t" now works.
Addresses #80.
The names of enum types are tracked so that variables holding a value
of a given enum type can generate a reference to it instead of just
listing the type as a generic "enum".
* origin/topic/dnthayer/bytes-to-double:
Portability improvement (data alignment issues)
Add test cases for the bytestring_to_double BIF
Add a new BIF "bytestring_to_double"
Closes#908.
Instead of these events being generated for invalid byte count values
(they should always be even, not odd), a protocol_violation is raised.
modbus_read_holding_registers_response
modbus_read_input_registers_response
modbus_write_multiple_registers_request
modbus_read_write_multiple_registers_request
modbus_read_write_multiple_registers_response
modbus_read_fifo_queue_respons
For modbus message types that include variable amount of register values
(uint16[]), setting a &length attribute without an explicit array size
could trigger a parsing assertion since it allows for the "element" data
pointer to travel past the "end of data" (e.g. when &length is odd).
This is changed to now give both an array size and &length to earlier
terminate the parsing of elements before the assert is checked and
so a single out-of-bound check can be done for the entire array
(leaving off &length causes an out-of-bound check for each element).
Added another parameter to modbus events that carry register arrays to
the script-layer which indicates the associated byte count from the
message (allowing for invalid values to be detected):
modbus_read_holding_registers_response
modbus_read_input_registers_response
modbus_write_multiple_registers_request
modbus_read_write_multiple_registers_request
modbus_read_write_multiple_registers_response
modbus_read_fifo_queue_response
* remotes/origin/topic/seth/modbus-merge:
Small modbus documentation update and tiny refactoring.
Final touches to modbus analyzer for now.
Major revisions to Modbus analyzer support (not quite done yet).
put some make-up on Modbus analyser
Modbus analyser, added support: FC=20,21
Modbus analyzer,added support: FC=1,2,15,24
Modbus analyzer, current support: FC=3,4,5,6,7,16,22,23
Closes#915.
* vlad/topic/vladg/dns_txt_queries:
Add detection rate threshold for MHR.
Make sure lookup_hostname_txt isn't checking lookup_hostname's cache for answers.
A couple of lookup_hostname_txt fixes.
Reverting the earlier function-join during merging.
* vlad/topic/vladg/dns_txt_queries:
DNS TXT support
I've tweaked it a little bit, still seems to work ...
I'd like to add a test for this but I'n not quite sure how to do that.
We'd have to hardcode a destination server that then'd be contacted
each time the test-suite runs.
- There are still some broken events in the modbus analyzer because
I don't have traffic to test with (coil and record related events primarily).
- There are a few example scripts in policy/protocols/modbus
As opposed to creating weirds for e.g. "binpac::ExceptionOutOfBound".
The protocol_violation will also result in the disabling of the
analyzer by default.
Looks like the code in this function is getting ready for some
refactoring. Leaving that for another time though ...
Closes#909.
* origin/topic/seth/pppoe:
Adding a test for PPPoE support.
Adding PPPoE support to Bro.
This currently supports automatic decapsulation of GTP-U packets on
UDP port 2152.
The GTPv1 headers for such tunnels can be inspected by handling the
"gtpv1_g_pdu_packet" event, which has a parameter of type "gtpv1_hdr".
Analyzer and test cases are derived from submissions by Carsten Langer.
Addresses #690.
- "src-ip" and "dst-ip" conditions can now use IPv6 addresses/subnets.
They must be written in colon-hexadecimal representation and enclosed
in square brackets (e.g. [fe80::1]). Addresses #774.
- "icmp6" is now a valid protocol for use with "ip-proto" and "header"
conditions. This allows signatures to be written that can match
against ICMPv6 payloads. Addresses #880.
- "ip6" is now a valid protocol for use with the "header" condition.
(also the "ip-proto" condition, but it results in a no-op in that
case since signatures apply only to the inner-most IP packet when
packets are tunneled). This allows signatures to match specifically
against IPv6 packets (whereas "ip" only matches against IPv4 packets).
- "ip-proto" conditions can now match against IPv6 packets. Before,
IPv6 packets were just silently ignored which meant DPD based on
signatures did not function for IPv6 -- protocol analyzers would only
get attached to a connection over IPv6 based on the well-known ports
set in the "dpd_config" table.
Previously, when rebuilding with a different "--prefix" or "--scriptdir",
all Bro source files were recompiled. With this change, only util.cc
is recompiled. Instead of specifying command-line preprocessor
macros on all source files, a header file is regenerated when needed
which only util.cc includes.
* origin/topic/jsiwek/gridftp:
Add memory leak unit test for GridFTP.
Enable GridFTP detection by default. Track/log SSL client certs.
Add analyzer for GSI mechanism of GSSAPI FTP AUTH method.
Add an example of a GridFTP data channel detection script.
* origin/fastpath:
...and forgotten debug-output, sorry (was already merged in some other internal repositories before I noticed)
and another bug in the input framework: config table does not work (is not transmitted to the readers) because the initialization was done the wrong way round.
more cases.
It will now not only fire after table-reads have been completed,
but also after the last event of a whole-file-read (or whole-db-read, etc.).
The interface also has been extended a bit to allow readers to
directly fire the event should they so choose. This allows the
event to be fired in direct table-setting/event-sending modes,
which was previously not possible.
GSI authentication involves an encoded TLS/SSL handshake over the FTP
control session. Decoding the exchanged tokens and passing them to an
SSL analyzer instance allows use of all the familiar script-layer events
in inspecting the handshake (e.g. client/server certificats are
available). For FTP sessions that attempt GSI authentication, the
service field of the connection record will have both "ftp" and "ssl".
One additional change is an FTP server's acceptance of an AUTH request
no longer causes analysis of the connection to cease (because further
analysis likely wasn't possible). This decision can be made more
dynamically at the script-layer (plus there's now the fact that further
analysis can be done at least on the GSSAPI AUTH method).
This option indicates that the Teredo analyzer should wait until
it sees both sides of a connection using a valid Teredo encapsulation
before issuing a protocol_confirmation. Previous behavior confirmed
on the first instance of a valid encapsulation, which could result
in more false positives (and e.g. bogus entries in known-services.log).
Addresses #890.
without a final \0 - which means that strings read by the input framework are
unusable by basically all internal functions (like to_count).
the basic test now also checks this.
Thanks at Sheharbano for noticing this.
Since the millisecond resolution cannot be harnessed universally and is not
supported by older version of libcurl, we will allow only specifications at the
granularity of seconds.
This commit also fixes a typing issue that causes that prevented the
ElasticSearch timeout to work in the first place: curl_easy_setopt requires a
long but was given a uint64_t.
Older versions of libcurl do not offer *_MS timeout constants, which causes the
build to fail. For sub-second timeout specification, we now fall back to
hard-coded timeouts in older libcurl version.
