Tim Wojtulewicz
bd1379e864
Move 'using namespace' declaration after other includes
2020-11-12 12:15:26 -07:00
Tim Wojtulewicz
0e9227b753
Use binpac.h as if it was an external dependency
2020-11-12 12:15:26 -07:00
Tim Wojtulewicz
5589484f26
Fix includes of bif.h and _pac.h files to use full paths inside build directory
2020-11-12 12:15:26 -07:00
Tim Wojtulewicz
133ab55c91
Remove unnecessary include of NetVar.h from packet analysis plugins
2020-11-12 12:15:26 -07:00
Tim Wojtulewicz
96d9115360
GH-1079: Use full paths starting with zeek/ when including files
2020-11-12 12:15:26 -07:00
Robin Sommer
78fc5615a5
Merge remote-tracking branch 'origin/topic/christian/fix-extfunc-includes'
...
* origin/topic/christian/fix-extfunc-includes:
Fix type clash fatal error with log filters that use $ext_func and $include/$exclude
2020-11-12 10:33:48 +00:00
Jon Siwek
89af6f2004
Move UnknownProtocol options to init-bare.zeek
...
Otherwise the `unknown_protocol` event cannot be used independently
from `policy/mic/unknown-protocols.zeek`.
2020-11-11 12:58:38 -08:00
Jon Siwek
49094688fd
Coverity 1436183: Initialize packet_analysis::Manager fields
2020-11-11 12:58:02 -08:00
Tim Wojtulewicz
a6a4b976ec
Support for additional DNS RR Type: LOC[29], SSHFP[44], NSEC3PARAM[51], custom BIND9 signaling[65534]
2020-11-11 13:35:51 -07:00
Christian Kreibich
f97a33e14d
Fix type clash fatal error with log filters that use $ext_func and $include/$exclude
...
The logging manager's Manager::TraverseRecord(), called when adding a
log filter to a stream, skipped any fields introduced by a filter's
$ext_func when such fields weren't mentioned in a $include restriction
or mentioned in an $exclude restriction. This was inconsistent with
Manager::RecordToFilterVals, used when actually writing log entries,
which does include those values.
The result was that the record indices descent in Manager::RecordToFilterVals
expects to find only record values, when in fact only the record
provided by ext_func is present. This leads to type mismatches and
hard Zeek exits like this one:
1300475173.475401 fatal error in zeek/share/zeek//base/init-bare.zeek, line 4810: Val::CONVERTER (string/record) (zeek)
The fix makes ext_func's field additions decisive, meaning the
filter's include/exclude lists don't apply to it. If a user really
wants to override this, they can reset the filter's ext_func back to
our no-op default.
The included btest produces the above error when the fix is not present.
2020-11-10 18:13:16 -08:00
Tim Wojtulewicz
8722118935
Merge remote-tracking branch 'origin/topic/jsiwek/gh-1269'
...
* origin/topic/jsiwek/gh-1269:
GH-1269: Fix LogAscii::enable_leftover_log_rotation crash in bad dirs
2020-11-10 14:06:10 -07:00
Tim Wojtulewicz
c3cf36e135
GH-1221: Add unknown_protocols.log for logging packet analyzer lookup failures
2020-11-09 20:37:26 -07:00
Jon Siwek
d4528162d1
GH-1273: Change SizeExpr to yield "any" type when operating on "any"
2020-11-09 19:03:42 -08:00
Tim Wojtulewicz
04dbc8e8be
Remove now-unused Packet::l2_valid field
2020-11-09 10:49:57 -07:00
Tim Wojtulewicz
b3eb63c48a
GH-1186: Remove Packet::hdr_size and uses of it.
...
This change also removes Packet::IP(), since Packet now contains an ip_hdr member
that points at the IP header if it exists.
2020-11-09 10:49:57 -07:00
Jon Siwek
0eb6839dae
GH-1269: Fix LogAscii::enable_leftover_log_rotation crash in bad dirs
...
Running with that option enabled inside a bad directory (e.g. lack of
permissions) crashed due to not checking for failure of opendir().
2020-11-06 19:28:45 -08:00
Jon Siwek
f147c47271
Add enum_names() BIF to return names of an enum type's values
2020-11-06 18:31:41 -08:00
Jon Siwek
77514f234f
Add type_aliases() BIF for introspecting type-names of types/values
2020-11-06 17:18:44 -08:00
Jon Siwek
1dda387ac9
Change Type::type_aliases map to store IntrusivePtr
...
And deprecate Type::GetAliases() and Type::AddAlias() since they
took raw pointers. Now replaced with Type::Aliases() and
Type::RegisterAlias().
2020-11-06 17:18:20 -08:00
Jon Siwek
bfb7afc600
Fix lookup_ID() BIF to return enum values
...
Looking up an enum value from a string equal to its name previously
returned "<no ID value>".
2020-11-06 15:37:54 -08:00
Tim Wojtulewicz
3e16b5fde3
Add missing include to fix build on certain platforms
2020-11-02 22:01:20 +00:00
Tim Wojtulewicz
1f02bd5147
Use std::function instead of a function pointer in packet_analysis::Component
2020-11-02 13:05:05 -07:00
Tim Wojtulewicz
43f7b3beab
Merge remote-tracking branch 'origin/topic/timw/1215-analyzer-registration'
...
* origin/topic/timw/1215-analyzer-registration:
GH-1215: Remove dispatch_map from packet analysis, replace with BIF methods for registering dispatches
2020-11-02 12:04:05 -07:00
Tim Wojtulewicz
cd06bf34c7
GH-1215: Remove dispatch_map from packet analysis, replace with BIF methods for registering dispatches
2020-11-02 19:03:25 +00:00
Tim Wojtulewicz
72ccaee4d5
GH-1256: Write out strerror when writing errno during safe_write
2020-10-30 15:45:32 -07:00
Tim Wojtulewicz
008cdef712
Merge remote-tracking branch 'origin/topic/jsiwek/better-zeekygen-redef-info'
...
* origin/topic/jsiwek/better-zeekygen-redef-info:
Improve how Zeekygen generated record/enum redefinition docs
2020-10-26 11:04:17 -07:00
Jon Siwek
fb85a19fa8
GH-1245: require TLD of hostname literals to start with a letter
2020-10-23 14:17:10 -07:00
Jon Siwek
73c1af838c
GH-251 (revert): remove coercion-to-signed-integer for |x| expressions
...
For `|x|`, where `x` is an expression with an integral result, an
implicit coercion of that result into signed `int` type no longer takes
place.
This was actually the behavior before Zeek 3.0 as well, but the attempt
to prevent mistakes that easily result from integer literals in Zeek
being unsigned like `|5 - 9|` causing an overflow/wraparound and
yielding a very large number is not generally consistent since overflows
are still generally able to happen in other ways and also in other
contexts besides just absolute-values. So the preference was to revert
to a behavior that favors consistency. For reference, see
https://github.com/zeek/zeek/pull/251#issuecomment-713956976
2020-10-22 17:41:53 -07:00
Seth Hall
64fde758c1
Fixing how I define const on the Contains method.
...
One day I'll actually learn c++!
2020-10-22 13:30:30 -04:00
Seth Hall
61ede5db2f
Screwed up a change.
2020-10-22 13:30:30 -04:00
Seth Hall
56e234a762
Changes in response to Johanna's code review.
2020-10-22 13:30:30 -04:00
Seth Hall
2f05318a08
Fixed a bug with ICMP checksum validation
2020-10-22 13:30:30 -04:00
Seth Hall
69bbcfedb3
Accidentally missed a change.
2020-10-22 13:23:10 -04:00
Seth Hall
552a24e07c
Add an option to ignore packets sourced from particular subnets.
...
It's implemented with a new set[subnet] option named ignore_checksums_nets.
If you populate this set with subnets, any packet with a src address within
that set of subnets will not have its checksum validated.
2020-10-22 13:23:10 -04:00
Tim Wojtulewicz
e70f578621
Merge remote-tracking branch 'origin/topic/timw/coverity'
...
* origin/topic/timw/coverity:
Fix a couple of Coverity findings (1433618, 1433619)
2020-10-21 11:06:39 -07:00
Tim Wojtulewicz
ce2b00fe83
Fix a couple of Coverity findings (1433618, 1433619)
2020-10-21 10:53:34 -07:00
Jon Siwek
924a24ad2b
Merge remote-tracking branch 'origin/topic/timw/packet-length-checks' into master
...
* origin/topic/timw/packet-length-checks:
Add length checks for IP header values before parsing TCP/UDP
2020-10-19 18:58:19 -07:00
Jon Siwek
487d67ac50
Improve how Zeekygen generated record/enum redefinition docs
...
It now provides a summary of the new fields/enums added by any given
redefinition along with associated commentary.
2020-10-19 18:33:22 -07:00
Tim Wojtulewicz
e7f62de51b
Add length checks for IP header values before parsing TCP/UDP
2020-10-19 12:30:55 -07:00
Jon Siwek
66eaf9c7cc
Merge remote-tracking branch 'origin/topic/jsiwek/pop3-fuzzer-deprecation-warning' into master
...
* origin/topic/jsiwek/pop3-fuzzer-deprecation-warning:
Fix deprecation warning in POP3 fuzzer
2020-10-19 11:54:40 -07:00
Tim Wojtulewicz
a19b018dc8
Add header length check to GRE packet analyzer
2020-10-19 10:58:10 -07:00
Jon Siwek
0cc1fc3d88
Merge remote-tracking branch 'origin/topic/jsiwek/avoid-memcmp-null-args'
...
* origin/topic/jsiwek/avoid-memcmp-null-args:
Avoid passing null pointers to memcmp in ZeekString comparison methods
2020-10-16 12:42:07 -07:00
Jon Siwek
5e164469f3
Merge remote-tracking branch 'origin/topic/vlad/gh-1225'
...
* origin/topic/vlad/gh-1225:
Extract length as a uint8
Change ICMP ND length to a uint16
2020-10-16 10:37:08 -07:00
Jon Siwek
72b3a4244e
Avoid passing null pointers to memcmp in ZeekString comparison methods
2020-10-16 10:28:11 -07:00
Vlad Grigorescu
11a311dfb9
Extract length as a uint8
2020-10-16 09:03:48 -05:00
Johanna Amann
65125121d8
Merge branch 'topic/johanna/GH-169'
...
* topic/johanna/GH-169:
Make event ordering deterministic
dump-events: try to make baseline work on all systems
Introduce generate_all_events bif and add option to misc/dump-events
Fixes GH-169
2020-10-16 07:11:57 +00:00
Jon Siwek
e58104e8d8
Fix deprecation warning in POP3 fuzzer
2020-10-15 16:10:02 -07:00
Vlad Grigorescu
b5d11d1ace
Change ICMP ND length to a uint16
2020-10-15 16:56:05 -05:00
Tim Wojtulewicz
a99b540e46
Rework Sessions::Weird
2020-10-15 13:03:11 -07:00
Tim Wojtulewicz
b1e517e863
Prevent String::Set from crashing if passed a nullptr
2020-10-15 12:49:08 -07:00