KerberosString formatting for principal name to be compliant with RFC 4120 section 5.2.2, which states that there can be a few components (and in practice we have seen 3, more than the 1 or 2 that is typical)
* origin/topic/seth/smb-auth-fixes:
Disable SMB2 error data parsing.
Removed some files that aren't being used.
Fix SMB tree connect handling.
Fix a small issue where DCE_RPC commands were improperly being logged.
SMB fixes and cleanup.
Including a test for raw NTLM in SMB
Updates for SMB auth handling from Martin van Hensbergen.
BIT-1721 #merged
SMB error handling improved. The analyzer isn't destroyed when a problem
is encoutered anymore. The flowbuffer in the parser is now flushed and
the analyzer is set to resync against an SMB command. This was needed
because there is some state about open files that is kept within the
parser itself which was being destroyed and that was causing analysis
after content gaps or parse errors to be faulty. The new mechanism
doesn't detroy the parser so parsing after gaps is improved.
DCE_RPC handling in SMB is improved in the edge case where a drive
mapping isn't seen. There is a new const named SMB::pipe_filenames
which is used as a heuristic for identifying "files" opened on named
pipe shares. If the share mapping type isn't known and a filename
in this set is found, the share type will change to "PIPE" by
generating an event named "smb_pipe_connect_heuristic". Reads and
writes to that file will be sent to the DCE_RPC analyzer instead of
to the files framework.
The concept of "unknown" share types has been removed due to the new
heuristic detection of share types.
Some general clean up of how the SMB cmd log is written and when.
- Raw NTLM (not in GSSAPI) over SMB is now handled correctly.
- The encrypted NTLM session key is now passed into scriptland
through the ntlm_authenticate event.
the starttls command will sometimes be issued with a namespace, e.g. as
<ns2:starttls xmlns:ns2='urn:ietf:params:xml:ns:xmpp-tls'/>. The XMPP
analyzer did not handle this scenario correctly.
This is very similar to the following ejabberd bug:
https://support.process-one.net/browse/EJAB-1123
- The logic for fragment handling has been rewritten and should be correct now.
- There are now tunables for fragment handling overflow situations.
- DCE_RPC::max_cmd_reassembly and DCE_RPC::max_frag_data
- They result in weirds and analyzer removal.
- Memory leak fixed by unique_ptr auto cleanup.
- DCE_RPC is now intolerate of content gaps and will stop
analyzing traffic if content gaps happen (like most other analyzers currently).
* origin/topic/vladg/bit-1641:
Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641.
Clean up the logic for ssh_auth_failed. Addresses BIT-1641
Update baselines for adding a field to ssh.log as part of BIT-1641
Script-land changes for BIT-1641.
Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641.
Revert "Fixing duplicate SSH authentication failure events."
Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641.
I extended the tests a bit and did some small cleanups. I also moved the
SSH events back to the global namespace for backwards compatibility and
for consistency (the way it was at the moment, some of them were global
some SSH::).
Furthermore, I fixed the ssh_auth_result result event, it was only
raised in the success case. ssh_auth_result is now also checked in the
testcases. I also have a suspicion that the intel integration never
really worked before.
BIT-1641 #merged
The ones_complement_checksum function assumes that the bytes passed into
it are aligned on 16 bit boundaries.
When using gcc (GCC) 6.2.1 20160916 (Red Hat 6.2.1-2) with -O2, this
does not seem to hold true anymore; assuming 16 bit alignment will lead
to accesses to uninitialized memory and wrong checksums.
This commit adds a minimally invasive change that does not assume
alignment anymore. This might have a small performance impact for every
single packet we process.
This error occured reproducibly when called from icmp6_checksum.
BIT-1727 #merged
* origin/topic/johanna/tls13:
Better way to deal with overloaded Assign constructors.
A few tabbing fixes in TLS 1.3 support
TLS 1.3 support.
With clang on FreeBSD 11.0-p1, some md5 functions tend to return the
wrong result. This is, e.g., visible when running the bifs/md5 testcase.
In this test, the checks using md5_hash_finish will return an empty
string.
The apparent cause is some confusion in clang when using a static char
inside a static inline function that is refered to several compilation
units.
Exact version of clang showing this issue is:
FreeBSD clang version 3.8.0 (tags/RELEASE_380/final 262564) (based on LLVM 3.8.0)
Target: x86_64-unknown-freebsd11.0
Thread model: posix
InstalledDir: /usr/bin
Issue occurs with -O2.
The first person to either find an existing clang bugreport for this, or
to create an minimal testcase and files one will get a drink from me :)
- DCE_RPC fragmentation handling returns!
- Fixed some general parsing issues
- Fixed an issue with the DCE_RPC signature not working for IPv6 connections.
Nice, thanks!
BIT-1671 #merged
* origin/topic/vladg/bit-1671:
Add descriptions for what the SMB1 events do, and references to the specification.
Add descriptions for what the SMB2 events do, and references to the specification.
Improve the SMB2 documentation.
Improve the SMB1 documentation a bit. Clean it up, make it more consistent, and add references to similar events.
Add DCE-RPC and NTLM abbreviation documentation for their events.
Remove reference to epm_map_response in RPC documentation. Addresses BIT-1671.
Rename events referenced in SMB1::Header documentation with new SMB analyzer. Addresses BIT-1671.
* Clean it up, make it more consistent, and add references to similar events.
* Commented out the smb2_set_info_request event, which wasn't being generated.
* Documented the SMB2 record types in init-bare
Because plugins register their script directories with the BROPATH,
Broxygen stripped them out from plugin script paths it was indexing.
That then led to multiple plugins ending up with the same script
paths, triggering warnings about duplicates.
I fixed this by checking if a script comes out of a plugin. If so, it
gets an artifcial index prefix "<plugin-name>:", followed by the
script's relative path inside the plugin's top-level directory. For
example, "/opt/bro/lib/bro/plugins/Bro_Netmap/scripts/init.bro" now
turns into "Bro::Netmap:scripts/init.bro" for Broxygen purposes
(whereas it used to be just "init.bro").
Addresses BIT-1663.
(Can't think of a good way to add a test for this unfortunately.)
With the introduction of the package manager, it will get more common
that applications are able to get information about the currently
running version of Bro. With this commit, scripts can easily compare
which version of Bro they are running.
Commonly, this probably will either look like this (both lines check if
the current Bro version is greater or equal to 2.5)
@if ( Version::num >= 20500 )
or
@if ( Version::greater_equal("2.5") )
Version::info contains detailed information about the running version of
Bro, including beta flags, etc.
Looks like the right fix. Two tiny tweaks:
- changed the order of arguments for DeleteVals() for consistency
with the corresponding Manager function.
- turned the InternalWarning into a Warning: if I understand
correctly, this can happen when scripts on nodes diverge; which
is a user-side problem, not an internal Bro logic issue.
BIT-1683 #merged
* origin/topic/johanna/bit-1683:
Actually check if the number of fields in a write are equal to the number of fields required.
