Commit graph

7724 commits

Author SHA1 Message Date
Christian Kreibich
353c467fb4 Merge remote-tracking branch 'security/topic/awelzel/215-pop3-mail-null-deref'
* security/topic/awelzel/215-pop3-mail-null-deref:
  POP3: Rework unbounded pending command fix

(cherry picked from commit 7fea32c6edc5d4d14646366f87c9208c8c9cf555)
2024-10-04 10:49:29 -07:00
Tim Wojtulewicz
9503d3298d Merge remote-tracking branch 'origin/topic/awelzel/3936-pop3-and-redis'
* origin/topic/awelzel/3936-pop3-and-redis:
  pop3: Remove unused headers
  pop3: Prevent unbounded state growth
  btest/pop3: Add somewhat more elaborate testing

(cherry picked from commit 702fb031a4)
2024-09-23 12:45:36 -07:00
Arne Welzel
36e504a1e4 Merge remote-tracking branch 'origin/topic/awelzel/tcp-reassembler-undelivered-data-match-bool-bool-bool-confusion'
* origin/topic/awelzel/tcp-reassembler-undelivered-data-match-bool-bool-bool-confusion:
  TCP_Reassembler: Fix IsOrig() position in Match() call

(cherry picked from commit 4a4cbf2576)
2024-08-30 14:44:52 -07:00
Christian Kreibich
1f04e5d545 Merge branch 'topic/christian/localversion'
* topic/christian/localversion:
  Parse and store localversion string
  Remove commented-out code
  Check ZEEK_VERSION_LOCAL for dashes
  Update version string btests for localversion
  Modify version parsing for localversion
  Update version used by spicyz
  Update build script
  Support for configurable localversion

(cherry picked from commit d09584e52e)
2024-05-14 16:09:58 -07:00
Tim Wojtulewicz
e9decdccde Merge remote-tracking branch 'pbcullen/topic/pbcullen/shadow-file-handling'
* pbcullen/topic/pbcullen/shadow-file-handling:
  reformat changes
  Gracefully handle empty/missing shadow file

(cherry picked from commit ad6d70d4e6)
2024-05-14 14:51:36 -07:00
Christian Kreibich
2ccded3beb Merge branch 'topic/christian/3671-fix-icmp-caplen-violations'
* topic/christian/3671-fix-icmp-caplen-violations:
  Factor in caplens in ICMPAnalyzer::DeliverPacket length calculations

(cherry picked from commit 7fdbb73511)
2024-05-14 14:48:12 -07:00
Tim Wojtulewicz
a1e7afa3f7 Add missing include for int32_t in DebugCmds.h
(cherry picked from commit 01d11d6c0b)
2024-05-14 10:17:24 -07:00
Tim Wojtulewicz
c0f12b5cd0 Fix warning with attribute string lookup
(cherry picked from commit b639f1426f)
2024-05-14 10:17:24 -07:00
Arne Welzel
5659cf18f8 MIME: Cap nested MIME analysis depth to 100
OSS-Fuzz managed to produce a MIME multipart message construction with
thousands of nested entities (or that's what Zeek makes out of it anyhow).
Prevent such deep analysis by capping at a nesting depth of 100,
preventing unnecessary resource usage. A new weird named exceeded_mime_max_depth
is reported when this limit is reached.

This change reduces the runtime of the OSS-Fuzz reproducer from ~45 seconds
to ~2.5 seconds.

The test PCAP was produced from a Python script using the email package
and sending the rendered version via POST to a HTTP server.

Closes #208

(cherry picked from commit 4e5849fe82c6097df5d25cd1a74d69ab4fa50f46)
2024-01-19 08:22:19 -07:00
Tim Wojtulewicz
b2429f4def Run clang-format on the branch to fix some issues from patch merges 2024-01-17 11:26:49 -07:00
Arne Welzel
ce0410f283 OCSP: Open-code unknown revoke reason strings
OpenSSL 3.2.0 knows about more reasons. Add some backwards compatibility.

Reference: 1c8a7f5091
(cherry picked from commit 02d00a1984)
2024-01-12 14:40:52 -07:00
Arne Welzel
af5b6b8c13 Merge remote-tracking branch 'origin/topic/awelzel/3523-expiration-iteration-at-termination'
* origin/topic/awelzel/3523-expiration-iteration-at-termination:
  Dict: Invalidate iterators during Clear()

(cherry picked from commit f1e94594f9)
2024-01-12 12:14:45 -07:00
Arne Welzel
a2af53cbf9 Merge remote-tracking branch 'origin/topic/awelzel/3453-dnssec-ed448-ed25519'
* origin/topic/awelzel/3453-dnssec-ed448-ed25519:
  DNS: Add Ed25519 and Ed448 enum values to parser

(cherry picked from commit a5a79d3f3a)
2024-01-12 11:34:51 -07:00
Arne Welzel
8ff101273f Merge branch 'topic/xb-anssi/http_signature_body_end_match' of https://github.com/xb-anssi/zeek
* 'topic/xb-anssi/http_signature_body_end_match' of https://github.com/xb-anssi/zeek:
  Let signature framework match HTTP body end
  Test how the signature framework matches HTTP body

(cherry picked from commit 8a13155a41)
2024-01-12 11:19:58 -07:00
Arne Welzel
da91cee022 ssl: Cap number of alerts parsed from SSL record
Limit the number of events raised from an SSL record with content_type
alert (21) to a configurable maximum number (default 10). For TLS 1.3,
the limit is set to 1 as specified in the RFC. Add a new weird for the
in cases where the limit is exceeded.

OSS-Fuzz managed to generate a reproducer that raised ~660k ssl_plaintext
and ssl_alert events together given ~810kb of input data. This prevents
it with hopefully no negative side-effect in the real-world.
2023-10-25 10:05:09 -07:00
Arne Welzel
3933102c84 X509Common/SCT parsing: Fix memory leak in error case
Failed to free the copy of the OCSP extension's value the inner
octet string couldn't be parsed.
2023-10-24 18:05:06 -07:00
Arne Welzel
72a54376bc IEEE802_11: Fix buffer-overflow due to not accounting for the amsdu header
The fuzzer generated input where data length left was 14 and the amsdu_len
field set to 14. That caused buffer overread due not taking into account
the amsdu header length of 14.
2023-10-24 18:02:56 -07:00
Arne Welzel
65f8222b92 Merge remote-tracking branch 'origin/topic/awelzel/mmdb-fix-and-tests'
* origin/topic/awelzel/mmdb-fix-and-tests:
  base/frameworks/spicy: Do not load base/misc/version
  btest/core/mmdb: Basic lookup_autonomous_system / lookup_location tests
  btest/files: Add mmdb testing databases and generator code
  zeek.bif: Switch mmdb stale check to network_time
  Fix mmdb pointer destruction

(cherry picked from commit 44b67894ac)
2023-10-24 13:49:25 -07:00
Arne Welzel
4d80668f1f Merge remote-tracking branch 'origin/topic/awelzel/3190-supervisor-eventmgr-shared-pipe-fix'
* origin/topic/awelzel/3190-supervisor-eventmgr-shared-pipe-fix:
  event: Reinitialize EventMgr's flare after fork() from stem

(cherry picked from commit 22fb445a7f)
2023-10-24 13:34:11 -07:00
Benjamin Bannier
3d2c69a13b Merge branch 'origin/topic/bbannier/spicy-reject_protocol-during-teardown'
(cherry picked from commit 03597d210d)
2023-10-16 13:27:18 -07:00
Tim Wojtulewicz
6de304e0dd Merge remote-tracking branch 'origin/topic/awelzel/3309-dns-mgr-revents-ouch'
* origin/topic/awelzel/3309-dns-mgr-revents-ouch:
  DNS_Mgr: Fix | vs & for pollfd.revents

(cherry picked from commit 0424eefd96)
2023-10-16 13:23:01 -07:00
Arne Welzel
7291ac4f26 DNS_Mgr: Replace ares_fds() with ares_getsock()
On Slack, a user reported "fortify source" aborts within ares_fds() due
to the FDs used by c-ares exceeding 1024 and thereby larger than the
maximum fd value that a fd_set can hold.

Switch to ares_get_socks() and poll() to avoid this.

Closes #3309.

(cherry picked from commit c4c4a23bfd)
2023-10-16 13:22:14 -07:00
Arne Welzel
651b208937 Merge remote-tracking branch 'origin/topic/bbannier/issue-3279'
* origin/topic/bbannier/issue-3279:
  Fix handling of module scope when checking exported Spicy types for collisions

(cherry picked from commit 30dc6af831)
2023-10-16 13:15:40 -07:00
Johanna Amann
3c3a3c92ea Add extract_limit_includes_missing option for file extraction
Setting this option to false does not count missing bytes in files towards the
extraction limits, and allows to extract data up to the desired limit,
even when partial files are written.

When missing bytes are encountered, files are now written as sparse
files.

Using this option requires the underlying storage and utilities to support
sparse files.

(cherry picked from commit afa6f3a0d3b8db1ec5b5e82d26225504c2891089)
2023-09-12 09:41:03 -07:00
Johanna Amann
9ab61fb626 File extraction: use fseek
In the past, we allocated a buffer with zeroes and wrote that with
fwrite. Now, instead we just fseek to the correct offset.

This changes the way in which the file extract limit is counted a bit;
skipped bytes do no longer count against the file size limit.

(cherry picked from commit 5071592e9b7105090a1d9de19689c499070749d4)
2023-09-12 09:40:56 -07:00
Tim Wojtulewicz
ef19a30015 Make sure that all sessions/connections are done before deleting plugins
(cherry picked from commit e29b499a211137cf3cf0c24a4ff82db1b806f132)
2023-09-12 09:40:32 -07:00
Tim Wojtulewicz
02af9a9787 VLAN: Fix length checking for non-Ethernet type 2 frames
(cherry picked from commit c579eb7b7cf3ca1d9008e74d7934155866c7e4f7)
2023-09-12 09:40:27 -07:00
Arne Welzel
a0c384015a Merge remote-tracking branch 'origin/topic/awelzel/dns-mgr-fixes'
* origin/topic/awelzel/dns-mgr-fixes:
  DNS_Mgr: Use Process() for timeout expiration
  DNS_Mgr: Fix GetNextTimeout() returning absolute values

(cherry picked from commit 1441b83411)
2023-09-08 11:10:16 -07:00
Arne Welzel
c413c6d71a Merge remote-tracking branch 'origin/topic/awelzel/3278-spicy-fix-port-range-off-by-one'
* origin/topic/awelzel/3278-spicy-fix-port-range-off-by-one:
  spicy: Do not register port N+1 for port N in .evt file

(cherry picked from commit 6e6a2bee8a)
2023-09-07 18:13:48 -07:00
Tim Wojtulewicz
973bdbec19 Merge remote-tracking branch 'origin/topic/neverlord/gh-3247'
* origin/topic/neverlord/gh-3247:
  Forward OpenSSL include path to plugins

(cherry picked from commit 19719b1862)
2023-08-29 12:15:20 -07:00
Arne Welzel
bde9c7070e Conn: In-place val flip and connection_flipped()
Avoids loosing state on a connection value when a connection is flipped.

Fixes up the NTP baseline as well where this was visible: analyzer_confirmation_info()
was raised for a connection value which was immediately forgotten due to
the subsequent connection flipping.

Closed #3028

(cherry picked from commit a2214ad611)
2023-08-16 09:57:33 -07:00
Johanna Amann
483f7a0322 Merge remote-tracking branch 'origin/topic/johanna/tcp-padding'
* origin/topic/johanna/tcp-padding:
  Do not forward padding to downstream TCP packet analyzer

(cherry picked from commit 81ce83590d)
2023-08-08 13:36:16 -07:00
Tim Wojtulewicz
a99231d956 Merge remote-tracking branch 'origin/topic/johanna/3205-do-not-parse-udp-padding'
* origin/topic/johanna/3205-do-not-parse-udp-padding:
  Do not forward more than the remaining data to downstream UDP analyzer

(cherry picked from commit 3c7a52d0a7)
2023-08-08 13:22:18 -07:00
Benjamin Bannier
8ef9498c00 Prefer Spicy include directories of this build over accidental ones.
Closes #3153.

(cherry picked from commit c718f7f632)
2023-08-08 13:15:43 -07:00
Tim Wojtulewicz
5811e58139 Merge remote-tracking branch 'origin/topic/awelzel/3145-dcerpc-state-clean'
* origin/topic/awelzel/3145-dcerpc-state-clean:
  dce-rpc: Test cases for unbounded state growth
  dce-rpc: Handle smb2_close_request() in scripts
  smb/dce-rpc: Cleanup DCE-RPC analyzers when fid is closed and limit them
  dce-rpc: Do not repeatedly register removal hooks

(cherry picked from commit f9904511ab)
2023-08-08 12:55:21 -07:00
Arne Welzel
c19069acdb Merge remote-tracking branch 'origin/topic/timw/3163-gperftools-build'
* origin/topic/timw/3163-gperftools-build:
  Define early_shutdown lambda earlier in zeek-setup, avoids build failure with gperftools

(cherry picked from commit 2da6f94ab6)
2023-08-08 12:55:03 -07:00
Robin Sommer
ddaa553418 Merge remote-tracking branch 'origin/topic/robin/gh-3157-export-switch'
* origin/topic/robin/gh-3157-export-switch:
  [Spicy] Support `switch` fields when exporting Spicy types to Zeek.

(cherry picked from commit cd2c193cb2)
2023-08-08 12:54:21 -07:00
Tim Wojtulewicz
0c6f3bacf0 Merge remote-tracking branch 'origin/topic/johanna/gh-3144'
* origin/topic/johanna/gh-3144:
  GSSAPI: basic support for MIC/WRAP tokens

(cherry picked from commit 93988d6db6)
2023-06-21 15:41:32 -07:00
Tim Wojtulewicz
669dd14adf Merge remote-tracking branch 'origin/topic/timw/force-std-c++-17'
* origin/topic/timw/force-std-c++-17:
  Force -std=c++17 mode for plugin targets, remove use of RequireCXX17.cmake

(cherry picked from commit 48af56c00b)
2023-06-15 13:04:27 -07:00
Arne Welzel
8ee9b3c9e4 Merge remote-tracking branch 'origin/topic/awelzel/3090-propagate-doctest-defines'
* origin/topic/awelzel/3090-propagate-doctest-defines:
  Options: Do not output full usage on --test error
  CMakeLists: Propagate DOCTEST defines to external plugins

(cherry picked from commit 2fddddbf51)
2023-06-15 13:03:08 -07:00
Arne Welzel
ac63f727f7 Merge remote-tracking branch 'origin/topic/awelzel/3090-propagate-build-type'
* origin/topic/awelzel/3090-propagate-build-type:
  ZeekPluginBootstrap: Encode Zeek's CMAKE_BUILD_TYPE

(cherry picked from commit 2eeba959fe)
2023-06-15 13:02:41 -07:00
Tim Wojtulewicz
1cfe0e3ee7 Merge remote-tracking branch 'origin/topic/bbannier/issue-3094'
* origin/topic/bbannier/issue-3094:
  Simplify code generated for Spicy analyzer port ranges.
2023-05-31 09:50:46 +02:00
Tim Wojtulewicz
5a3abbe364 Revert "Merge remote-tracking branch 'origin/topic/vern/at-if-analyze'"
This reverts commit 4e797ddbbc, reversing
changes made to 3ac28ba5a2.
2023-05-31 09:20:33 +02:00
Robin Sommer
cfbb7eb8ee
Merge remote-tracking branch 'origin/topic/robin/gh-3083-export-fix'
* origin/topic/robin/gh-3083-export-fix:
  Register test analyzer only for required ports.
  Fix disappearing unit fields in Spicy type export.
2023-05-30 14:59:00 +02:00
Benjamin Bannier
dc735371be Simplify code generated for Spicy analyzer port ranges.
We previously would reprent port ranges from EVT files element-wise.
This can potentially generate a lot of code (all on a single line
though) which some versions of GCC seem to have trouble with, and which
also causes JIT overhead.

With this patch we switch to directly representing ranges. Single ports
are represented as ranges `[start, start]`.

Closes #3094.
2023-05-29 12:20:44 +02:00
Tim Wojtulewicz
4e797ddbbc Merge remote-tracking branch 'origin/topic/vern/at-if-analyze'
* origin/topic/vern/at-if-analyze:
  updates reflecting review comments
  change base scripts to use run-time if's or @if ... &analyze
  a number of BTests updated with @if ... &analyze
  update for scripting coverage BTest demonstrating utility of @if ... &analyze
  BTests for new @if ... &analyze functionality
  "if ( ... ) &analyze" language feature
  classes for tracking "@if (...) &analyze" notion of code being/not being "activated"
  RemoveGlobal() method for Scope class + simplifying interfaces
2023-05-26 14:56:01 -07:00
Robin Sommer
fd86d8530b
Fix disappearing unit fields in Spicy type export.
When a Spicy unit type was used in an EVT event definition, it could
end up being cleared out at the time the logic for `export` got to see it.

Closes #3083.

Note: This needs backporting to the legacy plugin.
2023-05-26 11:37:23 +02:00
Arne Welzel
c202686cd1 Merge remote-tracking branch 'origin/topic/awelzel/src-cmakelists-zeek-config-skip-version-h'
* origin/topic/awelzel/src-cmakelists-zeek-config-skip-version-h:
  CMakeLists: Skip zeek-version.h include for zeek_objs, too
2023-05-26 10:03:48 +02:00
Vern Paxson
e441ba394a updates reflecting review comments 2023-05-25 18:00:13 -07:00
Tim Wojtulewicz
75188ea6d7 Fix minor type-clash warning on Windows 2023-05-25 16:50:22 -07:00