Now manually keeps track of peer count instead of querying Broker for
that information (which would result in waiting upon a blocking request
to the core actor).
When encountering an extension unknown to OpenSSL, we would read from
the wrong memory location. Also added a testcase to prevent this specific
case from happening again.
For fuzzed/damaged/corrupted pcaps, a timestamp of 0 could lead to an
infinite loop in Bro as it interprets that as meaning the packet source
is not ready yet.
* origin/topic/jsiwek/broker-misc:
Add Broker::publish_and_relay BIF
Document variable argument list BIFs using ellipsis
Support unserializing broker data into type 'any'
Fix a bug in broker data type-casting check
Remove dead code in broker data/val conversion function
This environment variable is now set to listen only on IPv4 loopback
when running unit tests (instead of using the default INADDR_ANY).
This also moves some of the @loads out from init-bare.bro into a new
init-frameworks-and-bifs.bro in order to better support calling BIFs
(like `getenv`) from variable initializations in those particular
frameworks.
References to Input::Reader and Log::Writer enum types no longer emit
warnings as they are now hardcoded to be documented as part of their
associated framework scripts and so links to them now work.
The receiver side will wrap the data as a Broker::Data value, which
can then be type-checked/cast via 'is' or 'as' operators to a specific
Bro type. For example:
Sender:
    Broker::publish("topic", my_event, "hello")
Receiver:
    event my_event(arg: any)
        {
        if ( arg is string )
            print arg as string;
        }
It was possibly never updated for newer Analyzer API changes, as simply
attaching the NCP analyzer to a connection would result in null pointer
dereferences and also support analyzers were not attached.
* origin/topic/jsiwek/binpac-fixes:
Update test baseline for binpac changes
Update test baseline for optimized binpac static-size array parsing
Fixes for MySQL and SMB protocol parsers
BIT-1829: add unit test for modbus parser issue
* MySQL: the parser for this was generally broken (not following
the specification well) and needed many changes. One addition is a
new "mysql_result_row" event that provides access to the results of
queries.
* SMB: the spec seems to explicitly call out the omission of the
PrimaryDomain field on SMB_COM_SESSION_SETUP_ANDX responses (and I
don't see that field in pcaps either), so this may have just been a
typo that used to work fine in the past only due to faulty array
parsing behavior in binpac.
ARP_Analyzer::NextPacket() incorrectly assumed that the MAC source
address was at data+6 (which is fine for classical ARP over Ethernet
frames but incorrect for ARP over Wi-Fi for example) and the
destination was at data.
Use pkt->l2_src and pkt->l2_dst instead, set by Packet::ProcessLayer2().
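Added illustration of the offset bug described above (this is constructed example code, not Bro's Packet or ARP_Analyzer classes): a stand-in `Packet` whose `process_layer2()` records `l2_src`/`l2_dst` for Ethernet and for 802.11 data frames, beside the old "source is always at data+6" assumption. On Ethernet both agree; on an 802.11 frame the hardcoded offset lands in the middle of the address fields. The `LinkType` enum, the struct fields and the 802.11 handling are assumptions made for this example.

```cpp
#include <cassert>
#include <cstdint>
#include <cstring>
#include <array>
#include <vector>

using Mac = std::array<uint8_t, 6>;

// Illustrative stand-in for a packet object: layer-2 processing records the
// link-layer addresses once, and protocol analyzers read them from here.
struct Packet {
    std::vector<uint8_t> data;
    Mac l2_src{};
    Mac l2_dst{};
    bool l2_valid = false;
};

enum class LinkType { Ethernet, IEEE80211 };

static Mac mac_at(const std::vector<uint8_t>& d, size_t off)
{
    Mac m{};
    std::memcpy(m.data(), d.data() + off, m.size());
    return m;
}

// Fills l2_src/l2_dst according to the link type (constructed example, not
// Packet::ProcessLayer2 itself). Only the address fields matter here.
static void process_layer2(Packet& p, LinkType lt)
{
    const auto& d = p.data;
    if ( lt == LinkType::Ethernet ) {
        if ( d.size() < 14 ) return;
        p.l2_dst = mac_at(d, 0);   // destination first, source at +6
        p.l2_src = mac_at(d, 6);
        p.l2_valid = true;
        return;
    }

    // 802.11 data frame header: FC(2) Duration(2) Addr1(6) Addr2(6)
    // Addr3(6) SeqCtl(2). The To-DS / From-DS flag bits in FC byte 1
    // decide which address field carries the source and the destination.
    if ( d.size() < 24 ) return;
    bool to_ds = d[1] & 0x01;
    bool from_ds = d[1] & 0x02;
    Mac a1 = mac_at(d, 4), a2 = mac_at(d, 10), a3 = mac_at(d, 16);
    if ( ! to_ds && ! from_ds )    { p.l2_dst = a1; p.l2_src = a2; }
    else if ( ! to_ds && from_ds ) { p.l2_dst = a1; p.l2_src = a3; }
    else if ( to_ds && ! from_ds ) { p.l2_dst = a3; p.l2_src = a2; }
    else return;  // 4-address WDS frames are out of scope for this example
    p.l2_valid = true;
}

// The buggy pattern: assume an Ethernet layout regardless of link type.
static Mac arp_src_assuming_ethernet(const Packet& p)
{
    return mac_at(p.data, 6);
}

// The fixed pattern: take the source address from the layer-2 decoder.
static Mac arp_src_from_layer2(const Packet& p)
{
    return p.l2_src;
}
```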
Since the function was never used to check for anything other than
equality, I've changed it to return a bool, otherwise the changes to
its implementation are based on a patch submitted by Jeffrey Bencteux:
Function was comparing two strings based on the length of a user
provided string which could lead to evasions. Any prefix of the static
string could pass conditions where strcasecmp_n was used. Comparison
is now based on the static string length and lengths are checked
before calling strncasecmp.
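Added illustration of the comparison bug fixed above (constructed example code, not Bro's own strcasecmp_n): the prefix-only comparison driven by the user-supplied length accepts any prefix of the static token, while the hardened version checks lengths first and compares over the static string's length. The function names are assumptions for this example.

```cpp
#include <cassert>
#include <cstring>
#include <strings.h>   // strncasecmp (POSIX)

// The old pattern: compare only `user_len` bytes. Any prefix of the static
// token (including the empty string) then compares as equal, which is
// what made the evasion possible.
static bool prefix_only_compare(const char* user, size_t user_len,
                                const char* fixed)
{
    return strncasecmp(user, fixed, user_len) == 0;
}

// The hardened pattern: the lengths must match before any bytes are
// compared, and the comparison length comes from the static string.
static bool strcasecmp_n_fixed(const char* user, size_t user_len,
                               const char* fixed)
{
    size_t fixed_len = strlen(fixed);
    if ( user_len != fixed_len )
        return false;
    return strncasecmp(user, fixed, fixed_len) == 0;
}
```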
According to RFC 7230, Transfer-Encoding was added in HTTP/1.1. Such a
header in a HTTP/1.0 message should be ignored. Interpreting it can be
harmful when sending a HTTP/1.0 message because the parser would
indefinitely wait for a chunk size instead of parsing the message's
body as non-chunked, leading to a HTTP content evasion.
In the case where no Content-Length header is seen, the content_length
value still should be set based upon the range (same as it would
have been before the patch).
Partial content bytes range length value and content length value
should not be stored in the same variable. An attacker could override
a given Content-Length or Content-Range with a smaller value to
evade HTTP content.
RFC 7230 section 4.2.3 states that:
"A recipient SHOULD consider 'x-gzip' to be equivalent to 'gzip'"
This could lead to evasions as an attacker could use:
Content-Encoding: x-gzip
To bypass Bro's decompression.
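Added example covering the three HTTP framing fixes above (Transfer-Encoding in HTTP/1.0, Content-Length kept separate from the Content-Range span, and x-gzip treated as gzip). This is constructed example code, not Bro's HTTP analyzer: chunked framing is only honoured for HTTP/1.1 and later, the two length sources are tracked in separate fields with Content-Length taking precedence and the range span used only as a fallback, and content-coding names are normalized. It goes slightly beyond the page by also mapping x-compress to compress, which RFC 7230 section 4.2.1 calls out the same way. All struct and function names are assumptions for this example.

```cpp
#include <cassert>
#include <cstdio>
#include <cstdlib>
#include <cctype>
#include <algorithm>
#include <string>
#include <vector>

struct Header { std::string name; std::string value; };

static std::string lower(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Chunked framing exists only from HTTP/1.1 on (RFC 7230). For an HTTP/1.0
// message the header is ignored, so the parser cannot be stalled waiting
// for a chunk size that never arrives.
static bool uses_chunked_framing(int major, int minor,
                                 const std::vector<Header>& headers)
{
    bool at_least_1_1 = major > 1 || (major == 1 && minor >= 1);
    if ( ! at_least_1_1 )
        return false;
    for ( const auto& h : headers )
        if ( lower(h.name) == "transfer-encoding" &&
             lower(h.value).find("chunked") != std::string::npos )
            return true;
    return false;
}

// Content-Length and the Content-Range span live in separate fields so a
// later, smaller Content-Range cannot overwrite an explicit Content-Length.
struct BodyFraming {
    long content_length = -1;   // -1: header not seen
    long range_length = -1;     // -1: header not seen
};

static void apply_header(BodyFraming& f, const Header& h)
{
    std::string n = lower(h.name);
    if ( n == "content-length" ) {
        char* end = nullptr;
        long v = std::strtol(h.value.c_str(), &end, 10);
        if ( end != h.value.c_str() && v >= 0 )
            f.content_length = v;
    }
    else if ( n == "content-range" ) {
        // "bytes first-last/complete"; only the span length matters here.
        long first = 0, last = 0;
        if ( std::sscanf(h.value.c_str(), "bytes %ld-%ld/", &first, &last) == 2 &&
             first >= 0 && last >= first )
            f.range_length = last - first + 1;
    }
}

// Content-Length wins; the range span is used only when no Content-Length
// was seen. -1 means neither was present (read until connection close).
static long expected_body_length(const BodyFraming& f)
{
    if ( f.content_length >= 0 )
        return f.content_length;
    return f.range_length;
}

// RFC 7230 section 4.2.3: x-gzip is equivalent to gzip (and section 4.2.1:
// x-compress to compress), so the decoder is selected on the canonical name.
static std::string normalize_content_encoding(const std::string& coding)
{
    std::string c = lower(coding);
    if ( c == "x-gzip" )     return "gzip";
    if ( c == "x-compress" ) return "compress";
    return c;
}
```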
* 'patch-1' of https://github.com/assafmo/bro:
dump_packet & dump_current_packet better detect which file is being dumped to
Fix dump_packet & dump_current_packet ignores file_name
* origin/topic/seth/dhcp-update:
Rework to the DHCP analyzer.
First step of DHCP analyzer rearchitecture.
Add .btest scripts for dhcp_ack and dhcp_discover messages verifying that new options are correctly reported in dhcp.log records.
Extend DHCP protocol analyzer with new options.
BIT-1924 #merged
Additional changes:
* Removed known-hosts.bro as the only thing populating its table was
the already-removed known-hosts-and-devices.bro. So a
known_devices.log will no longer be generated.
* In dhcp-options.pac, the process_relay_agent_inf_option had a memleak
and also process_auto_proxy_config_option looked like it accessed one
byte past the end of the available bytestring, so fixed those.
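Added example of the bounds discipline behind the second point above (constructed example code, not the binpac grammar in dhcp-options.pac): a DHCP option walker that checks every length byte and option value against the remaining buffer, so a truncated option stops parsing instead of reading past the end, and an accessor that builds the auto proxy config string from (data, len) rather than scanning for a terminator. The mapping of the auto proxy config option to code 252 and all function names are assumptions for this example.

```cpp
#include <cassert>
#include <cstdint>
#include <string>
#include <vector>

struct DhcpOption {
    uint8_t code;
    std::vector<uint8_t> value;
};

// Walks the DHCP options area (the bytes after the magic cookie). Every
// read of a length byte or an option value is checked against the bytes
// remaining, so a truncated option ends parsing with `false` instead of a
// read past the end of the packet.
static bool parse_dhcp_options(const std::vector<uint8_t>& buf,
                               std::vector<DhcpOption>& out)
{
    size_t i = 0;
    while ( i < buf.size() ) {
        uint8_t code = buf[i++];
        if ( code == 0 )   continue;       // PAD: no length byte follows
        if ( code == 255 ) return true;    // END
        if ( i >= buf.size() ) return false;        // length byte missing
        uint8_t len = buf[i++];
        if ( len > buf.size() - i ) return false;   // value truncated
        out.push_back({code, std::vector<uint8_t>(buf.begin() + i,
                                                  buf.begin() + i + len)});
        i += len;
    }
    return true;  // ran out of bytes without END; nothing was over-read
}

// Option 252 (assumed here to be the auto proxy config / WPAD URL option)
// carries the URL as `len` raw bytes. Building the string from the exact
// span avoids looking for a NUL the packet is not required to contain.
static std::string auto_proxy_config_url(const std::vector<DhcpOption>& opts)
{
    for ( const auto& o : opts )
        if ( o.code == 252 )
            return std::string(o.value.begin(), o.value.end());
    return "";
}
```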