diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9b6440ef04..19ceeebcda 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -19,7 +19,7 @@ repos: files: '^testing/btest/.*$' - repo: https://github.com/pre-commit/mirrors-clang-format - rev: v20.1.7 + rev: v20.1.8 hooks: - id: clang-format types_or: @@ -28,13 +28,13 @@ repos: - "json" - repo: https://github.com/maxwinterstein/shfmt-py - rev: v3.11.0.2 + rev: v3.12.0.1 hooks: - id: shfmt args: ["-w", "-i", "4", "-ci"] - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.12.1 + rev: v0.12.8 hooks: - id: ruff args: [--fix] @@ -46,7 +46,7 @@ repos: - id: cmake-format - repo: https://github.com/crate-ci/typos - rev: v1.33.1 + rev: v1.35.3 hooks: - id: typos exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek)$' diff --git a/.typos.toml b/.typos.toml index fa01a8f47d..26093f65a9 100644 --- a/.typos.toml +++ b/.typos.toml @@ -38,6 +38,7 @@ extend-ignore-re = [ "\"BaR\"", "\"xFoObar\"", "\"FoO\"", + "Smoot", ] extend-ignore-identifiers-re = [ diff --git a/CHANGES b/CHANGES index 6fa6a80c07..600b10f7cf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,57 @@ +8.0.0-rc2 | 2025-08-12 12:42:54 -0700 + + * Release 8.0.0-rc2. + +8.0.0-rc1.6 | 2025-08-12 12:41:33 -0700 + + * Bump pre-commit hooks (Benjamin Bannier, Corelight) + + (cherry picked from commit cc59bfa5d8a3e9fddc5d65adee68e1937ea5eda7) + + * Bump auxil/spicy to latest development snapshot (Benjamin Bannier, Corelight) + + (cherry picked from commit cc59bfa5d8a3e9fddc5d65adee68e1937ea5eda7) + + * Update docs submodule with 8.0.0-rc2 changes [nomail] [skip ci] (Tim Wojtulewicz, Corelight) + +8.0.0-rc1.4 | 2025-08-11 11:38:57 -0700 + + * smb2/read: Parse only 1 byte for data_offset, ignore reserved1 (Arne Welzel, Corelight) + + A user provided a SMB2 pcap with the reserved1 field of a ReadResponse + set to 1 instead of 0. This confused the padding computation due to + including this byte into the offset. Properly split data_offset and + reserved1 into individual byte fields. + + (cherry picked from commit 76289a8022d258f94c4cba003dfa657428a247b1) + +8.0.0-rc1.3 | 2025-08-11 11:35:42 -0700 + + * GH-4176: cluster: Add on_subscribe() and on_unsubscribe() hooks (Arne Welzel, Corelight) + + (cherry picked from commit 13f613eb1d29895924ae516ad51ca7090acd231f) + +8.0.0-rc1.2 | 2025-08-11 11:33:46 -0700 + + * Add proto to analyzer.log (Johanna Amann, Corelight) + + The analyzer.log file was missing the protocol field to distinguish + tcp/udp connections. + + (cherry picked from commit 2f2f328a722c38c9d53aa3812e3b35724c7f9e9f) + + * Update zeek-aux submodule with c++20 changes (Tim Wojtulewicz, Corelight) + +8.0.0-rc1 | 2025-08-04 09:39:08 -0700 + + * Release 8.0.0-rc1. + +8.0.0-dev.828 | 2025-08-04 09:38:55 -0700 + + * Compile contributors for Zeek 8.0 in the NEWS file (Christian Kreibich, Corelight) + + (cherry picked from commit 4fdd83f3f50a0e4631cb8e08ac931cc37f4637a3) + 8.0.0-dev.827 | 2025-08-01 17:10:13 +0200 * ci/windows: No ZeroMQ cluster backend (Arne Welzel, Corelight) diff --git a/NEWS b/NEWS index 26bb77cbfe..b4e562e5cf 100644 --- a/NEWS +++ b/NEWS @@ -6,7 +6,13 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file Zeek 8.0.0 ========== -We would like to thank Bhaskar Bhar (@bhaskarbhar) for their contributions to this +We would like to thank @aidans111, Anthony Verez (@netantho), Baa (@Baa14453), +Bhaskar Bhar (@bhaskarbhar), @dwhitemv25, EdKo (@ephikos), @edoardomich, Fupeng +Zhao (@AmazingPP), hendrik.schwartke@os-s.de (@hendrikschwartke), @i2z1, Jan +Grashöfer (@J-Gras) Jean-Samuel Marier, Justin Azoff (@JustinAzoff), Mario D +(@mari0d), Markus Elfring (@elfring), Peter Cullen (@pbcullen), Sean Donaghy, +Simeon Miteff (@simeonmiteff), Steve Smoot (@stevesmoot), @timo-mue, +@wojciech-graj, and Xiaochuan Ye (@XueSongTap) for their contributions to this release. Breaking Changes @@ -290,6 +296,10 @@ New Functionality ``get_net_stats()``, it's possible to determine the number of packets that have been received and accepted by Zeek, but eventually discarded without processing. +- Two new hooks, ``Cluster::on_subscribe()`` and ``Cluster::on_unsubscribe()`` have + been added to allow observing ``Subscribe()`` and ``Unsubscribe()`` calls on + backends by Zeek scripts. + Changed Functionality --------------------- diff --git a/VERSION b/VERSION index cf4112bb0a..e31a4cb90a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-dev.827 +8.0.0-rc2 diff --git a/auxil/spicy b/auxil/spicy index 140e88c9a8..cef9b56b5a 160000 --- a/auxil/spicy +++ b/auxil/spicy @@ -1 +1 @@ -Subproject commit 140e88c9a8e04eca801bbd891e085cc180eee43f +Subproject commit cef9b56b5a77a3727036ecfe5f806f513bb1359e diff --git a/auxil/zeek-aux b/auxil/zeek-aux index 6c72725b18..6ff49f46d5 160000 --- a/auxil/zeek-aux +++ b/auxil/zeek-aux @@ -1 +1 @@ -Subproject commit 6c72725b184cc5fd7d12cea5084f0f51de3e82e3 +Subproject commit 6ff49f46d5714b894a1f10f8463941fbda3b9364 diff --git a/doc b/doc index 1ce37d96e2..7b8c31b46b 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 1ce37d96e268134100fbc6793c0c64d48e162337 +Subproject commit 7b8c31b46b35b8143b431a333e1487d6a0427e7f diff --git a/scripts/base/frameworks/analyzer/logging.zeek b/scripts/base/frameworks/analyzer/logging.zeek index 260bb5c4ec..11ad3dd8d3 100644 --- a/scripts/base/frameworks/analyzer/logging.zeek +++ b/scripts/base/frameworks/analyzer/logging.zeek @@ -23,8 +23,10 @@ export { uid: string &log &optional; ## File UID if available. fuid: string &log &optional; - ## Connection identifier if available + ## Connection identifier if available. id: conn_id &log &optional; + ## Transport protocol for the violation, if available. + proto: transport_proto &log &optional; ## Failure or violation reason, if available. failure_reason: string &log; ## Data causing failure or violation if available. Truncated @@ -62,6 +64,7 @@ function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: Analyzer { rec$id = info$c$id; rec$uid = info$c$uid; + rec$proto = get_port_transport_proto(info$c$id$orig_p); } if ( info?$f ) diff --git a/scripts/base/frameworks/cluster/main.zeek b/scripts/base/frameworks/cluster/main.zeek index 3060ee08af..86c27eff4a 100644 --- a/scripts/base/frameworks/cluster/main.zeek +++ b/scripts/base/frameworks/cluster/main.zeek @@ -401,6 +401,20 @@ export { ## The value of the X-Application-Name HTTP header, if any. application_name: string &optional; }; + + ## A hook invoked for every :zeek:see:`Cluster::subscribe` call. + ## + ## Breaking from this hook has no effect. + ## + ## topic: The topic string as given to :zeek:see:`Cluster::subscribe`. + global on_subscribe: hook(topic: string); + + ## A hook invoked for every :zeek:see:`Cluster::subscribe` call. + ## + ## Breaking from this hook has no effect. + ## + ## topic: The topic string as given to :zeek:see:`Cluster::subscribe`. + global on_unsubscribe: hook(topic: string); } # Needs declaration of Cluster::Event type. diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index d9b2d7cf7f..4f0e7548ed 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac @@ -93,10 +93,11 @@ type SMB2_read_request(header: SMB2_Header) = record { type SMB2_read_response(header: SMB2_Header) = record { structure_size : uint16; - data_offset : uint16; + data_offset : uint8; + reserved1 : uint8; data_len : uint32; data_remaining : uint32; - reserved : uint32; + reserved2 : uint32; pad : padding to data_offset - header.head_length; data : bytestring &length=data_len; } &let { diff --git a/src/cluster/Backend.cc b/src/cluster/Backend.cc index 3a0214b0eb..e0aa6f6c16 100644 --- a/src/cluster/Backend.cc +++ b/src/cluster/Backend.cc @@ -11,6 +11,7 @@ #include "zeek/EventHandler.h" #include "zeek/EventRegistry.h" #include "zeek/Func.h" +#include "zeek/ID.h" #include "zeek/Reporter.h" #include "zeek/Type.h" #include "zeek/Val.h" @@ -139,6 +140,26 @@ std::optional Backend::MakeClusterEvent(FuncValPtr handler, ArgsSpan args return Event{eh, std::move(*checked_args), std::move(meta)}; } +bool Backend::Subscribe(const std::string& topic_prefix, SubscribeCallback cb) { + static const auto on_subscribe = zeek::id::find_func("Cluster::on_subscribe"); + assert(on_subscribe && on_subscribe->Flavor() == FUNC_FLAVOR_HOOK); + + if ( on_subscribe && on_subscribe->HasEnabledBodies() ) + on_subscribe->Invoke(zeek::make_intrusive(topic_prefix)); + + return DoSubscribe(topic_prefix, std::move(cb)); +} + +bool Backend::Unsubscribe(const std::string& topic_prefix) { + static const auto on_unsubscribe = zeek::id::find_func("Cluster::on_unsubscribe"); + assert(on_unsubscribe && on_unsubscribe->Flavor() == FUNC_FLAVOR_HOOK); + + if ( on_unsubscribe->HasEnabledBodies() ) + on_unsubscribe->Invoke(zeek::make_intrusive(topic_prefix)); + + return DoUnsubscribe(topic_prefix); +} + void Backend::DoReadyToPublishCallback(Backend::ReadyCallback cb) { Backend::ReadyCallbackInfo info{Backend::CallbackStatus::Success}; cb(info); diff --git a/src/cluster/Backend.h b/src/cluster/Backend.h index f152ce4e14..4d520a1387 100644 --- a/src/cluster/Backend.h +++ b/src/cluster/Backend.h @@ -59,7 +59,7 @@ public: bool ProcessEvent(std::string_view topic, cluster::Event e) { return DoProcessEvent(topic, std::move(e)); } /** - * Method for enquing backend specific events. + * Method for enqueuing backend specific events. * * Some backend's may raise events destined for the local * scripting layer. That's usually wanted, but not always. @@ -210,9 +210,7 @@ public: * @param cb callback invoked when the subscription was processed. * @return true if it's a new event subscription and it is now registered. */ - bool Subscribe(const std::string& topic_prefix, SubscribeCallback cb = SubscribeCallback()) { - return DoSubscribe(topic_prefix, std::move(cb)); - } + bool Subscribe(const std::string& topic_prefix, SubscribeCallback cb = SubscribeCallback()); /** * Unregister interest in messages on a certain topic. @@ -220,7 +218,7 @@ public: * @param topic_prefix a prefix previously supplied to Subscribe() * @return true if interest in topic prefix is no longer advertised. */ - bool Unsubscribe(const std::string& topic_prefix) { return DoUnsubscribe(topic_prefix); } + bool Unsubscribe(const std::string& topic_prefix); /** * Information passed to a ready callback. diff --git a/testing/btest/Baseline.zam/cluster.websocket.listen-idempotent/.stderr b/testing/btest/Baseline.zam/cluster.websocket.listen-idempotent/.stderr index f739a1dd5b..dce9b20598 100644 --- a/testing/btest/Baseline.zam/cluster.websocket.listen-idempotent/.stderr +++ b/testing/btest/Baseline.zam/cluster.websocket.listen-idempotent/.stderr @@ -1,5 +1,5 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -error in <...>/main.zeek, line 677: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_x)) -error in <...>/main.zeek, line 677: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_wss_port)) -error in <...>/main.zeek, line 677: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_qs)) +error in <...>/main.zeek, line 691: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_x)) +error in <...>/main.zeek, line 691: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_wss_port)) +error in <...>/main.zeek, line 691: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_qs)) received termination signal diff --git a/testing/btest/Baseline.zam/cluster.websocket.tls-usage-error/.stderr b/testing/btest/Baseline.zam/cluster.websocket.tls-usage-error/.stderr index 171791a278..3a54b399a3 100644 --- a/testing/btest/Baseline.zam/cluster.websocket.tls-usage-error/.stderr +++ b/testing/btest/Baseline.zam/cluster.websocket.tls-usage-error/.stderr @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -error in <...>/main.zeek, line 677: Invalid tls_options: No key_file field (Cluster::__listen_websocket(Cluster::options.0)) -error in <...>/main.zeek, line 677: Invalid tls_options: No cert_file field (Cluster::__listen_websocket(Cluster::options.3)) +error in <...>/main.zeek, line 691: Invalid tls_options: No key_file field (Cluster::__listen_websocket(Cluster::options.0)) +error in <...>/main.zeek, line 691: Invalid tls_options: No cert_file field (Cluster::__listen_websocket(Cluster::options.3)) diff --git a/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stderr b/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stderr new file mode 100644 index 0000000000..49d861c74c --- /dev/null +++ b/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stderr @@ -0,0 +1 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. diff --git a/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stdout b/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stdout new file mode 100644 index 0000000000..791b39dc64 --- /dev/null +++ b/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stdout @@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +on_subscribe, zeek/supervisor +on_subscribe, /my_topic +on_unsubscribe, /my_topic +on_unsubscribe, /my_topic +on_subscribe, /my_topic2 diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log index e246a5a9a7..4c1ad5c577 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log +++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX packet GTPV1 CHhAvVGS1DHFjwGM9 - 173.86.159.28 2152 213.72.147.186 2152 Truncated GTPv1 - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX packet GTPV1 CHhAvVGS1DHFjwGM9 - 173.86.159.28 2152 213.72.147.186 2152 udp Truncated GTPv1 - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log index bd4f3053a5..15f36babc1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 NTLM AV Pair loop underflow - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM AV Pair loop underflow - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log index bd4f3053a5..15f36babc1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 NTLM AV Pair loop underflow - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM AV Pair loop underflow - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log index 5580d6bee8..e87f618b36 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51354 127.0.0.1 21 non-numeric reply code 99 PASV invalid +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51354 127.0.0.1 21 tcp non-numeric reply code 99 PASV invalid #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log index d798bd340f..c9c8bf938f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51344 127.0.0.1 21 non-numeric reply code SYST not supported +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51344 127.0.0.1 21 tcp non-numeric reply code SYST not supported #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log index 5cc8cbbb69..2bc4e2b987 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51346 127.0.0.1 21 invalid reply line 230_no_space +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51346 127.0.0.1 21 tcp invalid reply line 230_no_space #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log index b9e08e7109..4cd07a87e6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol HTTP CHhAvVGS1DHFjwGM9 - 192.168.12.5 51792 192.0.78.212 80 not a http request line - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol HTTP CHhAvVGS1DHFjwGM9 - 192.168.12.5 51792 192.0.78.212 80 tcp not a http request line - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut index c2e3790441..29d3e0f76a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -1673270800.189652 protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) - +ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +1673270800.189652 protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 tcp error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) - diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log new file mode 100644 index 0000000000..fe939ef5e9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path files +#open XXXX-XX-XX-XX-XX-XX +#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid +#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string +XXXXXXXXXX.XXXXXX FmcSEk2dq4v0hewpM4 CHhAvVGS1DHFjwGM9 172.31.112.17 57829 172.31.112.16 445 SMB 0 (empty) text/plain Test.txt 0.000000 T F 189 189 0 0 F - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log index 95635816cd..55a5dae609 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data packet_segment -#types time string string string string addr port addr port string string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 2001:470:1f05:17a6:d69a:20ff:fefd:6b88 24316 2001:6a8:a40::21 21 non-numeric reply code SSH-2.0-mod_sftp/0.9.7 \xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4 +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data packet_segment +#types time string string string string addr port addr port enum string string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 2001:470:1f05:17a6:d69a:20ff:fefd:6b88 24316 2001:6a8:a40::21 21 tcp non-numeric reply code SSH-2.0-mod_sftp/0.9.7 \xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/spicy.parse-error/analyzer.log b/testing/btest/Baseline/spicy.parse-error/analyzer.log index 5686afd30b..9cb8dcb920 100644 --- a/testing/btest/Baseline/spicy.parse-error/analyzer.log +++ b/testing/btest/Baseline/spicy.parse-error/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 192.150.186.169 49244 131.159.14.23 22 failed to match regular expression (<...>/test.spicy:9:15-9:22) SSH-2.0-OpenSSH_3.8.1p1\x0a +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 192.150.186.169 49244 131.159.14.23 22 tcp failed to match regular expression (<...>/test.spicy:9:15-9:22) SSH-2.0-OpenSSH_3.8.1p1\x0a #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index ec244576a9..a01d06902b 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README @@ -53,3 +53,6 @@ Trace Index/Sources: - ldap/adduser1.pcap ldap/adduser1-ntlm.pcap Provided by Mohan-Dhawan on #4275 https://github.com/zeek/zeek/issues/4275 +- smb_v2_only_non_zero_reserved1.pcap + Provided by @predator89090 on #4730 + https://github.com/zeek/zeek/issues/4730 diff --git a/testing/btest/Traces/smb/smb_v2_only_non_zero_reserved1.pcap b/testing/btest/Traces/smb/smb_v2_only_non_zero_reserved1.pcap new file mode 100644 index 0000000000..a30eecffe3 Binary files /dev/null and b/testing/btest/Traces/smb/smb_v2_only_non_zero_reserved1.pcap differ diff --git a/testing/btest/cluster/generic/on-subscribe-unsubscribe.zeek b/testing/btest/cluster/generic/on-subscribe-unsubscribe.zeek new file mode 100644 index 0000000000..998b0d23d6 --- /dev/null +++ b/testing/btest/cluster/generic/on-subscribe-unsubscribe.zeek @@ -0,0 +1,24 @@ +# @TEST-DOC: Cluster::on_subscribe and Cluster::on_unsubscribe hooks +# +# @TEST-EXEC: zeek --parse-only -b %INPUT +# @TEST-EXEC: zeek -b %INPUT +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stdout + +hook Cluster::on_subscribe(topic: string) + { + print "on_subscribe", topic; + } + +hook Cluster::on_unsubscribe(topic: string) + { + print "on_unsubscribe", topic; + } + +event zeek_init() + { + Cluster::subscribe("/my_topic"); + Cluster::unsubscribe("/my_topic"); + Cluster::unsubscribe("/my_topic"); + Cluster::subscribe("/my_topic2"); + } diff --git a/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test b/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test new file mode 100644 index 0000000000..6d2858a8c8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test @@ -0,0 +1,9 @@ +# @TEST-DOC: Regression test for #4730, ReadResponse not parsed properly. +# +# @TEST-EXEC: zeek -b -C -r $TRACES/smb/smb_v2_only_non_zero_reserved1.pcap %INPUT +# @TEST-EXEC: btest-diff files.log +# @TEST-EXEC: test ! -f analyzer.log +# @TEST-EXEC: test ! -f weird.log + +@load base/protocols/smb + diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 09e14d7010..4d12c67ff0 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -270d4b46fa1ab9f2951c2945937bdf739e864304 +6dafc6fd68d9821f33b7f8f4d7d4d877b5827ae3 diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 544bc35294..f01f56f57a 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -034c859753b435dc2a6368fa46ecf3e92c98d9da +1edbd3ae959471e8573c9edc0374235727970710