Bernhard Amann
bff3cba129
Add two more TLS extension values that we see in live traffic.
- origin_bound_certificates is a current draft
http://tools.ietf.org/html/draft-balfanz-tls-obc-01
- encrypted client certificates is a draft that
expired yesterday.
http://tools.ietf.org/html/draft-agl-tls-encryptedclientcerts-00
2012-04-27 16:18:14 -07:00
Seth Hall
88807df269
Fixed parsing of TLS server extensions.
2012-04-27 11:32:29 -04:00
Jon Siwek
064c5dddb8
Fix for IP tunnel UID persistence.
2012-04-27 10:28:46 -05:00
Seth Hall
8f91ecee71
Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space.
2012-04-27 01:24:41 -04:00
Jon Siwek
8791ac7337
Fix AYIYA analyzer tag.
2012-04-26 13:05:53 -05:00
Jon Siwek
44c4d41d0d
Add summary documentation to tunnels/main.bro.
2012-04-26 12:53:20 -05:00
Jon Siwek
b8e1604ab5
Make tunnels always identifiable by UID, tunnel.log now gets populated.
conn.log now sets a field indicating all the parent tunnel UIDs over
which a connection operated and cross-references the UIDs found in
the tunnel.log.
Also some renaming of tunnel related types at the scripting layer.
2012-04-26 12:29:59 -05:00
Seth Hall
c561a44326
Fixed a problem where cluster workers were still processing notices in some cases.
2012-04-26 10:45:28 -04:00
Seth Hall
8c14b5a911
Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space"
2012-04-25 14:38:11 -04:00
Robin Sommer
c91563fe75
DataSeries tuning.
- Now using the new DS interface from git to remove warning.
- New leak tests, not yet tried.
2012-04-24 17:57:05 -07:00
Robin Sommer
8766a2e2fc
Updating submodule(s).
[nomail]
2012-04-24 15:04:39 -07:00
Robin Sommer
bdbb6d8068
Updating submodule(s).
[nomail]
2012-04-24 14:52:09 -07:00
Robin Sommer
c9c180eebe
Merge remote-tracking branch 'origin/topic/dnthayer/bug801'
* origin/topic/dnthayer/bug801:
Added an option to specify the 'etc' directory
Closes #801.
Note, I've adapted the code in configure a bit to make it independent
of the argument order (same for an older option). Hope that works ...
2012-04-24 14:47:34 -07:00
Robin Sommer
0ae38ce2b8
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
Add some extra TLS extension values.
Fix problem with extracting FTP passwords.
2012-04-24 14:39:27 -07:00
Seth Hall
ad55331258
Merge branch 'topic/tunnels' of ssh://git.bro-ids.org/bro into topic/tunnels
2012-04-24 17:30:57 -04:00
Seth Hall
2235647ab7
Some improvements to the AYIYA analyzer.
- Reenabled AYIYA dpd sigs.
2012-04-24 17:30:37 -04:00
Seth Hall
c10ff6fd69
Add some extra TLS extension values.
- extended_random is an expired draft RFC, but we see it
in live traffic.
- http://tools.ietf.org/html/draft-rescorla-tls-extended-random-01
- heartbeat RFC was ratified in Feb. 2012.
- http://tools.ietf.org/html/rfc6520
2012-04-24 16:58:03 -04:00
Jon Siwek
bd01525a86
Remove Tunnel::decapsulate_ip option.
Setting Tunnel::max_depth to zero effectively disables tunnel
decapsulation.
2012-04-24 14:25:47 -05:00
Jon Siwek
4d86f38be0
Remove invalid IP-in-IP encapsulated protocol value.
2012-04-24 14:18:21 -05:00
Jon Siwek
85bb5deb92
Fix AYIYA analyzer from modifying parent connection's encapsulation.
2012-04-24 11:40:05 -05:00
Seth Hall
a4af694610
AYIYA analyzer ignores non-packet-forwarding packets now.
2012-04-24 01:17:45 -04:00
Seth Hall
2a79fe95ec
Another tunneling checkpoint.
- AYIYA works.
- AYIYA analyzed connections are still labelled wrong in conn.log (logged as syslog)
- Some cleanup of leftover code.
- Small refactoring to pass packets back from analyzers to core.
- $uid is now optional in conn logs since IP-in-IP tunnel parents
won't have an actual connection.
2012-04-24 01:05:35 -04:00
Jon Siwek
ae96314196
Merge branch 'topic/tunnels' of git://git.bro-ids.org/bro into topic/tunnels
2012-04-23 13:24:36 -05:00
Jon Siwek
5ce00bda8a
Rename TunnelHandler.{cc,h} to Tunnels.{cc,h}.
2012-04-23 13:24:02 -05:00
Jon Siwek
b51dd191d7
Refactor IP-in-IP tunnel support.
UDP tunnel support removed for now, to be re-added in specific
analyzers later, but IP-in-IP is now decapsulated recursively
so nested tunnels can be seen and the inner packets get sent
through the IP fragment reassembler if necessary.
2012-04-23 13:15:29 -05:00
Daniel Thayer
65eb974f5d
Added an option to specify the 'etc' directory
Addresses #801.
2012-04-23 11:17:13 -05:00
Seth Hall
e2da969415
Return of Robin's old SOCKS analyzer/decapsulator and tunnel code checkpoint.
- More discussion is needed to figure out how to integrate the SOCKS analyzer best.
- Tunnels framework now logs for the SOCKS analyzer.
2012-04-21 23:50:09 -04:00
Seth Hall
dff3fabcea
Added a DPD signature for AYIYA, but it's crashing Bro.
2012-04-21 15:25:19 -04:00
Seth Hall
69ab13c88f
Added some scripts for a tunnels framework.
- The AYIYA analyzer is now enabled on its default port.
2012-04-21 15:10:30 -04:00
Seth Hall
bcadb67731
First commit of binpac based AYIYA analyzer.
- ayiya-analyzer.pac needs work to do something with the actual packet.
- Lots more cleanup to do, but it parses the protocol at least.
2012-04-21 14:42:20 -04:00
Seth Hall
6e2205aa68
Fix problem with extracting FTP passwords.
- Added "ftpuser" as another anonymous username.
- Problem discovered by Patrik Lundin.
2012-04-21 14:33:14 -04:00
Daniel Thayer
faa89913de
Don't print the various "weird" events to stderr
Fixes #805.
2012-04-19 13:45:20 -05:00
Robin Sommer
4b70adcb4b
Tweaking DataSeries support.
2012-04-19 10:42:09 -07:00
Robin Sommer
18aa41c62b
Extending log post-processor call to include the name of the writer.
2012-04-19 10:41:01 -07:00
Robin Sommer
3f1811afd2
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
Changes related to ICMPv6 Neighbor Discovery messages.
2012-04-19 10:02:07 -07:00
Jon Siwek
4062fc1776
Merge branch 'master' into topic/tunnels
Conflicts:
doc/scripts/DocSourcesList.cmake
scripts/base/init-bare.bro
src/ConnCompressor.cc
src/Sessions.cc
Just trying to bring topic/gregor/tunnel up to date in this new branch.
Compiles, but untested.
2012-04-18 16:59:49 -05:00
Robin Sommer
1fba55f4f3
Removing an unnecessary const cast.
2012-04-18 14:59:42 -07:00
Jon Siwek
b933184b25
Changes related to ICMPv6 Neighbor Discovery messages.
- The 'icmp_conn' record now contains an 'hlim' field since hop limit
in the IP header is an interesting field for at least these ND
messages.
- Changed 'icmp_router_advertisement' event parameters.
'router_lifetime' is now an interval. Fix 'reachable_time' and
'retrans_timer' using wrong internal Val type for intervals.
Made more of the known router advertisement flags available through
boolean parameters.
- Changed 'icmp_neighbor_advertisement' event parameters to add
more of the known boolean flags.
2012-04-18 13:13:56 -05:00
Bernhard Amann
a2f1af12fa
Merge remote-tracking branch 'origin/master' into topic/bernhard/input-threads
2012-04-18 09:28:49 -07:00
Robin Sommer
5350cab371
Merge remote-tracking branch 'origin/topic/icmp6'
* origin/topic/icmp6:
Fixes for IPv6 truncation and ICMP/ICMP6 analysis.
Change ICMPv6 checksum calculation to use IP_Hdr wrapper.
Update IPv6 atomic fragment unit test to filter output of ICMPv6.
Add more data to icmp events
More code cleanup
Add more icmpv6 events, and general code cleanup
Fix compile failure after merge from master
Significant edit pass over ICMPv6 code.
Porting Matti's branch to git.
Closes #808.
2012-04-17 19:02:59 -07:00
Robin Sommer
94c666f305
Updating submodule(s).
[nomail]
2012-04-17 17:42:38 -07:00
Robin Sommer
b3596f28d7
Updating submodule(s).
[nomail]
2012-04-17 17:41:37 -07:00
Robin Sommer
eae55caa84
Merge remote-tracking branch 'origin/topic/seth/64bit-binpac-updates'
* origin/topic/seth/64bit-binpac-updates:
Small updates for the bittorrent analyzer to support 64bit types in binpac.
Closes #761.
2012-04-17 17:40:27 -07:00
Robin Sommer
ecfdf7d33c
Merge remote-tracking branch 'origin/topic/jsiwek/ipv6-configure-checks'
* origin/topic/jsiwek/ipv6-configure-checks:
Add more support for <netinet/ip6.h>'s that lack some structure definitions.
Closes #810.
2012-04-17 17:38:20 -07:00
Robin Sommer
a7bc12066b
Merge remote-tracking branch 'origin/master' into topic/robin/dataseries
Conflicts:
CMakeLists.txt
cmake
2012-04-17 16:37:37 -07:00
Jon Siwek
1a5517f170
Merge branch 'master' into topic/seth/64bit-binpac-updates
2012-04-17 11:09:09 -05:00
Robin Sommer
f85e0bfe9a
DataSeries TODO list with open issues/questions.
2012-04-16 18:15:05 -07:00
Robin Sommer
fede289d74
Updating submodule(s).
[nomail]
2012-04-16 18:12:25 -07:00
Robin Sommer
1cca1f874c
Merge remote-tracking branch 'origin/fastpath'
* origin/fastpath:
Removing QR flag from DNS log in response to question on mailing list.
Sync up patricia.c/h with pysubnettree repo
2012-04-16 18:09:36 -07:00
Robin Sommer
fe2535b08d
Updating baselines for DNS change.
2012-04-16 18:08:16 -07:00