From c1cb1a2e5f5e3ade501195c29bbfc6050da5c618 Mon Sep 17 00:00:00 2001 From: Christian Kreibich Date: Mon, 4 Aug 2025 09:21:54 -0700 Subject: [PATCH 01/27] Compile contributors for Zeek 8.0 in the NEWS file (cherry picked from commit 4fdd83f3f50a0e4631cb8e08ac931cc37f4637a3) --- .typos.toml | 1 + CHANGES | 6 ++++++ NEWS | 8 +++++++- VERSION | 2 +- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/.typos.toml b/.typos.toml index fa01a8f47d..26093f65a9 100644 --- a/.typos.toml +++ b/.typos.toml @@ -38,6 +38,7 @@ extend-ignore-re = [ "\"BaR\"", "\"xFoObar\"", "\"FoO\"", + "Smoot", ] extend-ignore-identifiers-re = [ diff --git a/CHANGES b/CHANGES index 6fa6a80c07..da1079f226 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +8.0.0-dev.828 | 2025-08-04 09:38:55 -0700 + + * Compile contributors for Zeek 8.0 in the NEWS file (Christian Kreibich, Corelight) + + (cherry picked from commit 4fdd83f3f50a0e4631cb8e08ac931cc37f4637a3) + 8.0.0-dev.827 | 2025-08-01 17:10:13 +0200 * ci/windows: No ZeroMQ cluster backend (Arne Welzel, Corelight) diff --git a/NEWS b/NEWS index 26bb77cbfe..dc798eeb8c 100644 --- a/NEWS +++ b/NEWS @@ -6,7 +6,13 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file Zeek 8.0.0 ========== -We would like to thank Bhaskar Bhar (@bhaskarbhar) for their contributions to this +We would like to thank @aidans111, Anthony Verez (@netantho), Baa (@Baa14453), +Bhaskar Bhar (@bhaskarbhar), @dwhitemv25, EdKo (@ephikos), @edoardomich, Fupeng +Zhao (@AmazingPP), hendrik.schwartke@os-s.de (@hendrikschwartke), @i2z1, Jan +Grashöfer (@J-Gras) Jean-Samuel Marier, Justin Azoff (@JustinAzoff), Mario D +(@mari0d), Markus Elfring (@elfring), Peter Cullen (@pbcullen), Sean Donaghy, +Simeon Miteff (@simeonmiteff), Steve Smoot (@stevesmoot), @timo-mue, +@wojciech-graj, and Xiaochuan Ye (@XueSongTap) for their contributions to this release. Breaking Changes diff --git a/VERSION b/VERSION index cf4112bb0a..afd4643c76 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -8.0.0-dev.827 +8.0.0-dev.828 From 1addeab4fe90a4ee7623d5e883ca02d6e9a60567 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 4 Aug 2025 09:44:48 -0700 Subject: [PATCH 02/27] Updating CHANGES and VERSION. --- CHANGES | 4 ++++ VERSION | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index da1079f226..80bc23b3a0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +8.0.0-rc1 | 2025-08-04 09:39:08 -0700 + + * Release 8.0.0-rc1. + 8.0.0-dev.828 | 2025-08-04 09:38:55 -0700 * Compile contributors for Zeek 8.0 in the NEWS file (Christian Kreibich, Corelight) diff --git a/VERSION b/VERSION index afd4643c76..71f2983501 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-dev.828 +8.0.0-rc1 From 8e7482de4b305f36ee4ef73e0b3f167888448c91 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 7 Aug 2025 08:33:44 -0700 Subject: [PATCH 03/27] Update zeek-aux submodule with c++20 changes --- auxil/zeek-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auxil/zeek-aux b/auxil/zeek-aux index 6c72725b18..6ff49f46d5 160000 --- a/auxil/zeek-aux +++ b/auxil/zeek-aux @@ -1 +1 @@ -Subproject commit 6c72725b184cc5fd7d12cea5084f0f51de3e82e3 +Subproject commit 6ff49f46d5714b894a1f10f8463941fbda3b9364 From a76b2148c622d6dbb42c50b4cd9b09a736e86bf4 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Wed, 6 Aug 2025 14:37:50 +0100 Subject: [PATCH 04/27] Merge remote-tracking branch 'origin/topic/johanna/analyzer-log-proto' * origin/topic/johanna/analyzer-log-proto: Add proto to analyzer.log (cherry picked from commit 2f2f328a722c38c9d53aa3812e3b35724c7f9e9f) --- CHANGES | 11 +++++++++++ VERSION | 2 +- scripts/base/frameworks/analyzer/logging.zeek | 5 ++++- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.cut | 4 ++-- .../analyzer.log | 6 +++--- testing/btest/Baseline/spicy.parse-error/analyzer.log | 6 +++--- testing/external/commit-hash.zeek-testing | 2 +- testing/external/commit-hash.zeek-testing-private | 2 +- 15 files changed, 47 insertions(+), 33 deletions(-) diff --git a/CHANGES b/CHANGES index 80bc23b3a0..98b1aa42a4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,14 @@ +8.0.0-rc1.2 | 2025-08-11 11:33:46 -0700 + + * Add proto to analyzer.log (Johanna Amann, Corelight) + + The analyzer.log file was missing the protocol field to distinguish + tcp/udp connections. + + (cherry picked from commit 2f2f328a722c38c9d53aa3812e3b35724c7f9e9f) + + * Update zeek-aux submodule with c++20 changes (Tim Wojtulewicz, Corelight) + 8.0.0-rc1 | 2025-08-04 09:39:08 -0700 * Release 8.0.0-rc1. diff --git a/VERSION b/VERSION index 71f2983501..e19097d063 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-rc1 +8.0.0-rc1.2 diff --git a/scripts/base/frameworks/analyzer/logging.zeek b/scripts/base/frameworks/analyzer/logging.zeek index 260bb5c4ec..11ad3dd8d3 100644 --- a/scripts/base/frameworks/analyzer/logging.zeek +++ b/scripts/base/frameworks/analyzer/logging.zeek 
@@ -23,8 +23,10 @@ export {
 uid: string &log &optional;
 ## File UID if available.
 fuid: string &log &optional;
- ## Connection identifier if available
+ ## Connection identifier if available.
 id: conn_id &log &optional;
+ ## Transport protocol for the violation, if available.
+ proto: transport_proto &log &optional;
 ## Failure or violation reason, if available.
 failure_reason: string &log;
 ## Data causing failure or violation if available. Truncated
@@ -62,6 +64,7 @@ function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: Analyzer
 {
 rec$id = info$c$id;
 rec$uid = info$c$uid;
+ rec$proto = get_port_transport_proto(info$c$id$orig_p);
 }
 if ( info?$f )
diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log
index e246a5a9a7..4c1ad5c577 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log
@@ -5,7 +5,7 @@
 #unset_field -
 #path analyzer
 #open XXXX-XX-XX-XX-XX-XX
-#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
-#types time string string string string addr port addr port string string
-XXXXXXXXXX.XXXXXX packet GTPV1 CHhAvVGS1DHFjwGM9 - 173.86.159.28 2152 213.72.147.186 2152 Truncated GTPv1 -
+#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
+#types time string string string string addr port addr port enum string string
+XXXXXXXXXX.XXXXXX packet GTPV1 CHhAvVGS1DHFjwGM9 - 173.86.159.28 2152 213.72.147.186 2152 udp Truncated GTPv1 -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log
index bd4f3053a5..15f36babc1 100644
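Review bot: The new field doc `## Transport protocol for the violation, if available.` is narrower than its neighbours, which cover failures and violations alike and describe the connection the record belongs to; `## Transport protocol of the connection, if available.` would match the wording used for `id` and the `proto` column the baselines now carry. The value comes from `get_port_transport_proto(info$c$id$orig_p)` in the second hunk, so it is only set when the failure carries a connection, which the `&optional` attribute already reflects. The body of `log_analyzer_failure` starts and ends outside the hunk.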
--- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 NTLM AV Pair loop underflow - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM AV Pair loop underflow - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log index bd4f3053a5..15f36babc1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log 
@@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 NTLM AV Pair loop underflow - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM AV Pair loop underflow - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log index 5580d6bee8..e87f618b36 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51354 127.0.0.1 21 non-numeric reply code 99 PASV invalid +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51354 127.0.0.1 21 tcp non-numeric reply code 99 PASV invalid #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log index d798bd340f..c9c8bf938f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51344 127.0.0.1 21 non-numeric reply code SYST not supported +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51344 127.0.0.1 21 tcp non-numeric reply code SYST not supported #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log index 5cc8cbbb69..2bc4e2b987 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log 
@@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51346 127.0.0.1 21 invalid reply line 230_no_space +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51346 127.0.0.1 21 tcp invalid reply line 230_no_space #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log index b9e08e7109..4cd07a87e6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol HTTP CHhAvVGS1DHFjwGM9 - 192.168.12.5 51792 192.0.78.212 80 not a http request line - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol HTTP CHhAvVGS1DHFjwGM9 - 192.168.12.5 51792 192.0.78.212 80 tcp not a http request line - #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut index c2e3790441..29d3e0f76a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -1673270800.189652 protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) - +ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +1673270800.189652 protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 tcp error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) - diff --git a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log index 95635816cd..55a5dae609 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log 
@@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data packet_segment -#types time string string string string addr port addr port string string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 2001:470:1f05:17a6:d69a:20ff:fefd:6b88 24316 2001:6a8:a40::21 21 non-numeric reply code SSH-2.0-mod_sftp/0.9.7 \xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4 +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data packet_segment +#types time string string string string addr port addr port enum string string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 2001:470:1f05:17a6:d69a:20ff:fefd:6b88 24316 2001:6a8:a40::21 21 tcp non-numeric reply code SSH-2.0-mod_sftp/0.9.7 \xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/spicy.parse-error/analyzer.log b/testing/btest/Baseline/spicy.parse-error/analyzer.log index 5686afd30b..9cb8dcb920 100644 --- a/testing/btest/Baseline/spicy.parse-error/analyzer.log +++ b/testing/btest/Baseline/spicy.parse-error/analyzer.log 
@@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 192.150.186.169 49244 131.159.14.23 22 failed to match regular expression (<...>/test.spicy:9:15-9:22) SSH-2.0-OpenSSH_3.8.1p1\x0a +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 192.150.186.169 49244 131.159.14.23 22 tcp failed to match regular expression (<...>/test.spicy:9:15-9:22) SSH-2.0-OpenSSH_3.8.1p1\x0a #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 09e14d7010..4d12c67ff0 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -270d4b46fa1ab9f2951c2945937bdf739e864304 +6dafc6fd68d9821f33b7f8f4d7d4d877b5827ae3 diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 544bc35294..f01f56f57a 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -034c859753b435dc2a6368fa46ecf3e92c98d9da +1edbd3ae959471e8573c9edc0374235727970710 From 1511ca00dfd9a9086c5ca6e0ac7e6e34a8f7089b Mon Sep 17 00:00:00 2001 
From: Arne Welzel Date: Fri, 8 Aug 2025 14:23:51 +0200 Subject: [PATCH 05/27] Merge remote-tracking branch 'origin/topic/awelzel/4176-cluster-on-sub-unsub-hooks' * origin/topic/awelzel/4176-cluster-on-sub-unsub-hooks: cluster: Add on_subscribe() and on_unsubscribe() hooks (cherry picked from commit 13f613eb1d29895924ae516ad51ca7090acd231f) --- CHANGES | 6 +++++ NEWS | 4 ++++ VERSION | 2 +- scripts/base/frameworks/cluster/main.zeek | 14 +++++++++++ src/cluster/Backend.cc | 21 ++++++++++++++++ src/cluster/Backend.h | 6 ++--- .../.stderr | 6 ++--- .../cluster.websocket.tls-usage-error/.stderr | 4 ++-- .../.stderr | 1 + .../.stdout | 6 +++++ .../generic/on-subscribe-unsubscribe.zeek | 24 +++++++++++++++++++ 11 files changed, 84 insertions(+), 10 deletions(-) create mode 100644 testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stderr create mode 100644 testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stdout create mode 100644 testing/btest/cluster/generic/on-subscribe-unsubscribe.zeek diff --git a/CHANGES b/CHANGES index 98b1aa42a4..f81ece3c1f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +8.0.0-rc1.3 | 2025-08-11 11:35:42 -0700 + + * GH-4176: cluster: Add on_subscribe() and on_unsubscribe() hooks (Arne Welzel, Corelight) + + (cherry picked from commit 13f613eb1d29895924ae516ad51ca7090acd231f) + 8.0.0-rc1.2 | 2025-08-11 11:33:46 -0700 * Add proto to analyzer.log (Johanna Amann, Corelight) diff --git a/NEWS b/NEWS index dc798eeb8c..b4e562e5cf 100644 --- a/NEWS +++ b/NEWS @@ -296,6 +296,10 @@ New Functionality ``get_net_stats()``, it's possible to determine the number of packets that have been received and accepted by Zeek, but eventually discarded without processing. +- Two new hooks, ``Cluster::on_subscribe()`` and ``Cluster::on_unsubscribe()`` have + been added to allow observing ``Subscribe()`` and ``Unsubscribe()`` calls on + backends by Zeek scripts. + Changed Functionality --------------------- 
diff --git a/VERSION b/VERSION
index e19097d063..f09f2c681a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-rc1.2
+8.0.0-rc1.3
diff --git a/scripts/base/frameworks/cluster/main.zeek b/scripts/base/frameworks/cluster/main.zeek
index 3060ee08af..86c27eff4a 100644
--- a/scripts/base/frameworks/cluster/main.zeek
+++ b/scripts/base/frameworks/cluster/main.zeek
@@ -401,6 +401,20 @@ export {
 ## The value of the X-Application-Name HTTP header, if any.
 application_name: string &optional;
 };
+
+ ## A hook invoked for every :zeek:see:`Cluster::subscribe` call.
+ ##
+ ## Breaking from this hook has no effect.
+ ##
+ ## topic: The topic string as given to :zeek:see:`Cluster::subscribe`.
+ global on_subscribe: hook(topic: string);
+
+ ## A hook invoked for every :zeek:see:`Cluster::subscribe` call.
+ ##
+ ## Breaking from this hook has no effect.
+ ##
+ ## topic: The topic string as given to :zeek:see:`Cluster::subscribe`.
+ global on_unsubscribe: hook(topic: string);
 }
 # Needs declaration of Cluster::Event type.
diff --git a/src/cluster/Backend.cc b/src/cluster/Backend.cc
index 3a0214b0eb..e0aa6f6c16 100644
--- a/src/cluster/Backend.cc
+++ b/src/cluster/Backend.cc
@@ -11,6 +11,7 @@
 #include "zeek/EventHandler.h"
 #include "zeek/EventRegistry.h"
 #include "zeek/Func.h"
+#include "zeek/ID.h"
 #include "zeek/Reporter.h"
 #include "zeek/Type.h"
 #include "zeek/Val.h"
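Review bot: The doc comment on `on_unsubscribe` in the main.zeek hunk is a copy of the `on_subscribe` one and still names the wrong call: both its first line ("A hook invoked for every ... call") and its `topic:` line point the `:zeek:see:` reference at `Cluster::subscribe`, where they should say `Cluster::unsubscribe`. These `##` comments are what Zeekygen renders into the script reference, so the mix-up would be published verbatim. The Backend.cc include hunk on this line needs no change.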
@@ -139,6 +140,26 @@ std::optional Backend::MakeClusterEvent(FuncValPtr handler, ArgsSpan args
 return Event{eh, std::move(*checked_args), std::move(meta)};
 }
+bool Backend::Subscribe(const std::string& topic_prefix, SubscribeCallback cb) {
+ static const auto on_subscribe = zeek::id::find_func("Cluster::on_subscribe");
+ assert(on_subscribe && on_subscribe->Flavor() == FUNC_FLAVOR_HOOK);
+
+ if ( on_subscribe && on_subscribe->HasEnabledBodies() )
+ on_subscribe->Invoke(zeek::make_intrusive(topic_prefix));
+
+ return DoSubscribe(topic_prefix, std::move(cb));
+}
+
+bool Backend::Unsubscribe(const std::string& topic_prefix) {
+ static const auto on_unsubscribe = zeek::id::find_func("Cluster::on_unsubscribe");
+ assert(on_unsubscribe && on_unsubscribe->Flavor() == FUNC_FLAVOR_HOOK);
+
+ if ( on_unsubscribe->HasEnabledBodies() )
+ on_unsubscribe->Invoke(zeek::make_intrusive(topic_prefix));
+
+ return DoUnsubscribe(topic_prefix);
+}
+
 void Backend::DoReadyToPublishCallback(Backend::ReadyCallback cb) {
 Backend::ReadyCallbackInfo info{Backend::CallbackStatus::Success};
 cb(info);
diff --git a/src/cluster/Backend.h b/src/cluster/Backend.h
index f152ce4e14..9775d598f0 100644
--- a/src/cluster/Backend.h
+++ b/src/cluster/Backend.h
@@ -210,9 +210,7 @@ public:
 * @param cb callback invoked when the subscription was processed.
 * @return true if it's a new event subscription and it is now registered.
 */
- bool Subscribe(const std::string& topic_prefix, SubscribeCallback cb = SubscribeCallback()) {
- return DoSubscribe(topic_prefix, std::move(cb));
- }
+ bool Subscribe(const std::string& topic_prefix, SubscribeCallback cb = SubscribeCallback());
 /**
 * Unregister interest in messages on a certain topic.
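Review bot: `Backend::Unsubscribe` dereferences `on_unsubscribe` without the null guard that `Backend::Subscribe` applies to `on_subscribe`; the `assert` on the preceding line is compiled out of release builds, so a `zeek::id::find_func` lookup that returns null would crash at `if ( on_unsubscribe->HasEnabledBodies() )` instead of skipping the hook as the sibling does. Mirror the other function: `if ( on_unsubscribe && on_unsubscribe->HasEnabledBodies() )`. Both lookups live in function-local statics, so whatever the first call resolves is what every later call uses; a one-line comment above each, e.g. `// Resolved once; the hook is declared in the cluster framework's main.zeek.`, would make that explicit for readers of either function. The Backend.h hunk on this line only moves the two definitions out of line.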
@@ -220,7 +218,7 @@ public: * @param topic_prefix a prefix previously supplied to Subscribe() * @return true if interest in topic prefix is no longer advertised. */ - bool Unsubscribe(const std::string& topic_prefix) { return DoUnsubscribe(topic_prefix); } + bool Unsubscribe(const std::string& topic_prefix); /** * Information passed to a ready callback. diff --git a/testing/btest/Baseline.zam/cluster.websocket.listen-idempotent/.stderr b/testing/btest/Baseline.zam/cluster.websocket.listen-idempotent/.stderr index f739a1dd5b..dce9b20598 100644 --- a/testing/btest/Baseline.zam/cluster.websocket.listen-idempotent/.stderr +++ b/testing/btest/Baseline.zam/cluster.websocket.listen-idempotent/.stderr @@ -1,5 +1,5 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -error in <...>/main.zeek, line 677: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_x)) -error in <...>/main.zeek, line 677: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_wss_port)) -error in <...>/main.zeek, line 677: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_qs)) +error in <...>/main.zeek, line 691: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_x)) +error in <...>/main.zeek, line 691: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_wss_port)) +error in <...>/main.zeek, line 691: Already listening on 127.0.0.1: (Cluster::__listen_websocket(ws_opts_qs)) received termination signal diff --git a/testing/btest/Baseline.zam/cluster.websocket.tls-usage-error/.stderr b/testing/btest/Baseline.zam/cluster.websocket.tls-usage-error/.stderr index 171791a278..3a54b399a3 100644 --- a/testing/btest/Baseline.zam/cluster.websocket.tls-usage-error/.stderr +++ b/testing/btest/Baseline.zam/cluster.websocket.tls-usage-error/.stderr 
@@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -error in <...>/main.zeek, line 677: Invalid tls_options: No key_file field (Cluster::__listen_websocket(Cluster::options.0)) -error in <...>/main.zeek, line 677: Invalid tls_options: No cert_file field (Cluster::__listen_websocket(Cluster::options.3)) +error in <...>/main.zeek, line 691: Invalid tls_options: No key_file field (Cluster::__listen_websocket(Cluster::options.0)) +error in <...>/main.zeek, line 691: Invalid tls_options: No cert_file field (Cluster::__listen_websocket(Cluster::options.3)) diff --git a/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stderr b/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stderr new file mode 100644 index 0000000000..49d861c74c --- /dev/null +++ b/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stderr @@ -0,0 +1 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. diff --git a/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stdout b/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stdout new file mode 100644 index 0000000000..791b39dc64 --- /dev/null +++ b/testing/btest/Baseline/cluster.generic.on-subscribe-unsubscribe/.stdout @@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +on_subscribe, zeek/supervisor +on_subscribe, /my_topic +on_unsubscribe, /my_topic +on_unsubscribe, /my_topic +on_subscribe, /my_topic2 diff --git a/testing/btest/cluster/generic/on-subscribe-unsubscribe.zeek b/testing/btest/cluster/generic/on-subscribe-unsubscribe.zeek new file mode 100644 index 0000000000..998b0d23d6 --- /dev/null +++ b/testing/btest/cluster/generic/on-subscribe-unsubscribe.zeek 
@@ -0,0 +1,24 @@
+# @TEST-DOC: Cluster::on_subscribe and Cluster::on_unsubscribe hooks
+#
+# @TEST-EXEC: zeek --parse-only -b %INPUT
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stdout
+
+hook Cluster::on_subscribe(topic: string)
+ {
+ print "on_subscribe", topic;
+ }
+
+hook Cluster::on_unsubscribe(topic: string)
+ {
+ print "on_unsubscribe", topic;
+ }
+
+event zeek_init()
+ {
+ Cluster::subscribe("/my_topic");
+ Cluster::unsubscribe("/my_topic");
+ Cluster::unsubscribe("/my_topic");
+ Cluster::subscribe("/my_topic2");
+ }
From fcdfe2aca23199a7ebf43e416a258a29b4577d1f Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 11 Aug 2025 11:37:22 -0700
Subject: [PATCH 06/27] Merge remote-tracking branch 'origin/topic/awelzel/4730-smb-read-response-data-offset' * origin/topic/awelzel/4730-smb-read-response-data-offset: smb2/read: Parse only 1 byte for data_offset, ignore reserved1 (cherry picked from commit 76289a8022d258f94c4cba003dfa657428a247b1)
---
 CHANGES | 11 +++++++++++
 VERSION | 2 +-
 src/analyzer/protocol/smb/smb2-com-read.pac | 5 +++--
 .../files.log | 11 +++++++++++
 testing/btest/Traces/README | 3 +++
 .../smb/smb_v2_only_non_zero_reserved1.pcap | Bin 0 -> 40934 bytes
 .../smb2-read-response-non-zero-reserved1.test | 9 +++++++++
 7 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log
 create mode 100644 testing/btest/Traces/smb/smb_v2_only_non_zero_reserved1.pcap
 create mode 100644 testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test
diff --git a/CHANGES b/CHANGES
index f81ece3c1f..baeb97200a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,14 @@
+8.0.0-rc1.4 | 2025-08-11 11:38:57 -0700
+
+ * smb2/read: Parse only 1 byte for data_offset, ignore reserved1 (Arne Welzel, Corelight)
+
+ A user provided a SMB2 pcap with the reserved1 field of a ReadResponse
+ set to 1 instead of 0. This confused the padding computation due to
+ including this byte into the offset. Properly split data_offset and
+ reserved1 into individual byte fields.
+
+ (cherry picked from commit 76289a8022d258f94c4cba003dfa657428a247b1)
+
 8.0.0-rc1.3 | 2025-08-11 11:35:42 -0700
 * GH-4176: cluster: Add on_subscribe() and on_unsubscribe() hooks (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index f09f2c681a..ac722fc67c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-rc1.3
+8.0.0-rc1.4
diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac
index d9b2d7cf7f..4f0e7548ed 100644
--- a/src/analyzer/protocol/smb/smb2-com-read.pac
+++ b/src/analyzer/protocol/smb/smb2-com-read.pac
@@ -93,10 +93,11 @@ type SMB2_read_request(header: SMB2_Header) = record {
 type SMB2_read_response(header: SMB2_Header) = record {
 structure_size : uint16;
- data_offset : uint16;
+ data_offset : uint8;
+ reserved1 : uint8;
 data_len : uint32;
 data_remaining : uint32;
- reserved : uint32;
+ reserved2 : uint32;
 pad : padding to data_offset - header.head_length;
 data : bytestring &length=data_len;
 } &let {
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log
new file mode 100644
index 0000000000..fe939ef5e9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log
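Review bot: The new `reserved1 : uint8` field in the smb2-com-read.pac hunk has no comment explaining why it exists and is never read, which invites a later cleanup to fold it back into `data_offset`; a line above it such as `# One reserved byte follows the 1-byte DataOffset in the MS-SMB2 READ Response; peers have been seen sending it non-zero, so it must never feed the offset.` would pin the intent the CHANGES entry on this line describes. The `pad : padding to data_offset - header.head_length` expression still takes its target from an untrusted byte; presumably binpac rejects a target below the current position when `data_offset` is smaller than `header.head_length`, but a baseline exercising that case would confirm it rather than assume it. The `&let` block of `SMB2_read_response` continues outside the hunk.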
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path files +#open XXXX-XX-XX-XX-XX-XX +#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid +#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string +XXXXXXXXXX.XXXXXX FmcSEk2dq4v0hewpM4 CHhAvVGS1DHFjwGM9 172.31.112.17 57829 172.31.112.16 445 SMB 0 (empty) text/plain Test.txt 0.000000 T F 189 189 0 0 F - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index ec244576a9..a01d06902b 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README @@ -53,3 +53,6 @@ Trace Index/Sources: - ldap/adduser1.pcap ldap/adduser1-ntlm.pcap Provided by Mohan-Dhawan on #4275 https://github.com/zeek/zeek/issues/4275 +- smb_v2_only_non_zero_reserved1.pcap + Provided by @predator89090 on #4730 + https://github.com/zeek/zeek/issues/4730 
diff --git a/testing/btest/Traces/smb/smb_v2_only_non_zero_reserved1.pcap b/testing/btest/Traces/smb/smb_v2_only_non_zero_reserved1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a30eecffe3fc85ffcfdde0f4ffebfb8a89cc35ce GIT binary patch literal 40934 zcmeHQ2Y6IP*Ph+%hL8YhOO>*erAZ(SNB|*)5(0!I^cqU&kc3bKrG$V+{6G{%X#y%1 zL_rY&Q8d^9jRpA-grHPGKmiLNqWtHbyOX^;d-v`_z8~~?oPB2R-CNF_^PV&3oS9qp zzaMOR#>h;}QB2H0KVDuxZq&deBTJxlRDWZIhT-q~8xIVA%IL>B7+JKfTpY{uW$cw& zIl)wej-4{>h_bXe0ZMuAU%MDnz?jiw-fZyk@iQ1qMo>JNs-_593SEU_+Lxf1^BAas zs$s{mQ^f_fl8EZby!0D4&j0F4v0R#wwV)PJB_0`TXe+PD<4L00IW@>?iMd~qG?A#x zCJLw$6(gHytDr-r3Q_rxPGhXYjUL?+ajZyFKF zjC8m)vT1mD$!fcH?Ktp#dm33AIs;XKyaXl^Ds3-^X_W+1=O|0dFbGwCy=WMaPa#^7 zq)}9fmeEiz?JLmAUad)sL|a#j)4KW>@fs({l7YZPZl=W388?iK{gpZRp^Vr|o#ubC zY2Uu9kH1%j6Un1*rB1jp^*_scA1)!E$ENWkhD`PKz1!DdHXGNB4eeb{~BTW99bHUgI!jX_4{ zWAq93VRUSLPQk#ew4QZ+>i+1<|Jk(gSdR+{3oE>B{cb=}*BV_5%eFbR`$pNwbevCp z88ql);8u94myu-=d#Em!GbC*vx13?lmSgQeR`?y{{;M^p8KRx#c36(La>H_heT*)a z(+uS8R)eLM}7%=e{vM znF-uYTp|Ol!RjXUGqPgZg6d**pWA|fzU+Kkepg&jdnTbD5?h-SdsabT!P>xTvmm}1 zttrKm)m0@G3QhH8$@a4d)ufXC*fzY)nhN3N)IIFk#-@fTJ-c@6(Ib_#$JkT(e#c8r zwXgWI;T>o-5VCIVZ)6kbKvWk?%Sih#WX+Z=t@g|)OUwhXv{k==q#;VkT8Xhj*jcc> zC0SM*wl@({*$<*cS*l6w9D8QYneaKM*7*1v49_@=HRlV{oFX9@$okSJhL#oc=O5qp z=+>x-OO8KIKY4kCJ;K`3nh>-H>rEeYGiA-dDzQGSGfQD%_AOy7l_jzWGK3H|iA|+X zQ#PJuv*BzgEqz#Hb}t*lvgmkaZy3v=eGzn&>(ORS8fBQDQ%3>#*9REcE)oV+HZUcKa z7-Y&fmJ=!f@hbG$K+6_}7KV>$S(83}X<3avQ|-SWrDYI(u9MO$=09{?sATx|7i`_j zRJZ+hA+hqx`z!1b>gY^Ljij_EhQLiB<#eS_GK*)KYywxn7y^7U%O$l;CiUc&s8Rbo zYFx9dXPehN)9UE11E1{ZJ8$}ze~FGJJlV*uXNGM5?d7*{^54g7e91ha9X}RMA620r zPkwE=d~w#)d){reaLTJK7Qb51G54XTY6V6IZ~48}mIbXY`j_}0$9ZL0Ju>1kY$RdY zjPPzr$TwwC+^i$$8^0oWdZ(PzC}_r|nOSdtKK;@QkKb52HQ>1rQxN*H`Ng7huY6s! 
z0!P8DJB>85)wGT(`xN$A+J2aIPBZ7|RcCXQrFA7T>!5EofesrXn>Cp!FYe6xwFWCY zKRspmXTHBLdbi5qRWlWzQiDBnS9n#JFca)vcrxemx6>Oh05!0?b`-gNtW%YHAzNt+ z(dvb*D-{>itpRppE`ScpQM2nq{jdt(%t&QQk$d4Ecjce`=))hcwS9Ex^Kp?aG8J|k zvVrt*uZn@>wcx4hanAdWHnN9_JgN)OGt$21Kqoo_UAG1S{V+J+eTZ|GDswJ?R&x$D z3;(h3@b?2gK45y{+~hQ$rAK~_2_mBu=6J(U%K%Il6KBvPstcxTZK0Z&K1`TSj&(UvYRvBvieWYzp(jFqiL6!TBp(yPDq|N$S z>NgXkENy(rIs;EqmP1Idk##HjjXUdnyi%v>+y3J_^@LBuqR&UXyf%WUXjx|t$Wy^G z9Oi8=OKDkwYRRUP0W>^ftg?OoUwO*Pxa4~Ge|6uet@h2gWue6vcmsyFg#nF5VAs=0 z)A_UyRn|0{oOTeJ>x|XxP7xKIX^L;STu(}J4UMwg(;HL_W5EpyI07vlj1F;H zoiu6DG{x{_PRK1r-u8VpM)6~f>=h!5Dq&<~t8A6sV)QC$%@T8obCfHzhF|K4?8kR2 z-UzEAt~Jk?JbY`|hEW*}-ijO6wBZOPA~*IJksZDiXqFkL8BK7dd?xv9Fq#pbBcx`wkn#a z78MuNHxOr`v2Oq?F{z;VAWVydV>1<@Kg47;XUbm3H$^neM!A$Z_5>C70_s+(h-`UO zH&YcQhE{?Ya+50jnD$ALX=0yxxl5X;siHa$$90<)KO9SWds@danb?jZ+KHz1^od<3 zVOyg|noi0{zEtOdv7cw%Gwg>{Vc*#2uD~t^jW@FUNHA2{6B)**6$Ab3Zq9a5-wCfxhrW-lE@+-B8e7@Ecn~lYO0Pe0u#UjioG!aN=>aqYF5(FPGBt zC8}1c0xj66K$ljz{iUk*>!B%#ZyZgv990xgeAQNBj?0K-2M)-zN|P%1Hp>eP6Y^lKnUuLI==&gIgdJf+s4hKEQv2;)Ok5x zp`_6Ik!UTZ4XARIW%Fz`w6u}<=DbrN;}G>E$=FAd(0A9w({7*X2=|hjNMxff%mNzNO5?Ik^M{rP+g=rnRX0P zWPd41@n)1ok)oy&0=KE95D^kwdFwYy8zB>@E$9ax@n#~V7YH2Z2z=p;z}+<4ryx+N zJ2gq^fI9@d?f0ccAd#4WtEEGQd`9eW&hANpG=8b)SVH-3&t8q9 zbV=m1pTZYK(P^iER`v|Z z3O*t$_=!AhXs^ZK$KWTUB|NORXq9$Oq&;zg9to=xJu`>atyBeCTG>18F4?b#CUQ%? 
z0yI&8Xl8$tUR1Se+TTyb1z~%EsHdoEQ5y1?ONgi{BLfa22blDt>i6IxwxQd8l;Hjm&y&*Wy=k> z<12D5PdS^relE`;S&8m6s(DmbQWYhJR)mFGY2Dpi>K9(l8G){#r)SZg=1gJHK-vEh zUH@Z z4-P1~7U3<2rS-uLmzmg9auukuEgMGL>S^KJDYCdAyfdVTeH%a;+Nf>WOmjHGmIZ#L z^}%MeLN$|F$p;6qhiH8>Re7$+TVK4_OJ5BBg)gSnk}D)w7u(f7+V9}fLZ6Dy_s*Lg zZ4Ia!65-AKJ*<7mauZul0;0O)a0}ATLJQfooNXzbZkSKXB`pM+zX3mnA+i=k|MXT1 z!bf|W;VVRQRK!f5mH%R_BQ4>ZtJ;@KX}O!Km8w7seO#Rh>}w27^!b5P~}!k)I-wE9a@ZgD{buBr#dT%^+& zo2b^5AC1RFe*tnRp887!OEn1ealDK?wmB8BewbMAL>QsE7+GxEIc{VVosBGlE~+P; z2J4mX0zpH0nRQ`g-m)GnvEF{@Ph0`4SDvB#il9Mtv506}eaRxu7_b4#EYNfcX9i>MNh zxL>A$CXdsIYMgppet4~#FX!2FdY-DGMCAv=j`?Q|6ZItB^t_s)i=;ntNhhl${oz=5 z<8`8%3rSA|xk|d5DC$VsNR!80qWY&=()^dye7Q*4SfX;)u;ZN-b>7jFbl5sIMHfkb z;*w5MNqROTbJ=@Dbq6H9ueGbBQ;4FDq<3rbxPzz`swKVrnn~{t%_b5R#d;OXz+6jR z$n1QFCR078!S~V^{Fz>eXlNgu11US z#R>biPyBxLX917ST-Rp9o*6jLL}!xQqBZn`s;}!x8zxDs=vBe&j!PSC8tr=`{`E_# z11j$slo{2e^Dn(C6>d0ObJjCQ($|g4spKkcjJ~u@C25uZs`Q0BF7259V}7f;sm_Rn zpGVhST>be8D}4@}$*r@e=f%yl=N658n^Fr|xA(kZQr(&5+`|k*(k?*S?2f7)2Co^n zY)exsg*VIPx!g|dk9&zs!toFeHzWG;WXaw>?)Cdy^B$8Q6ue6G{~nKf)%q}f(!smV zEhxID-A4i4D(+ldXI0s9xhtQ#vAqAR1H&K8bw$6eKKd6q`W;m0!@m{2v!d<@p#N~M zf6?a%Fe~}0oL9^Ko_=)Gy@S6Cc=5m&GZwvj<+pnetTy{q|Ly%c6SMkVc13@wKKhq9 z`s(|C5J&%VFZvGj`}F(ibAz?P;5FrsK6`$9y=Dy-d_1#PV>8Lm@~BdGL`LTFtAu{2yGI?xs7?4H;dyLem97kZS8meDjav>K z3jOG6_k)MKE~-jTI*Mcee;##21ih{=Yq%sU&lj3n_a*k5_Ro{`k1Zy>$2xy@=~Wa_ z`c0#V@-bx17|CtQ<*`mNP!hV5_1d%R^0w|PIW+pp;g(c3;r)0eDz~l6i}95eP>0z0D%A9i;&gznOaZaw`)DWb>I5$ z?*IPu?yI$$Klp7a!H@p6PLs_MOV5KDlz$5NbGMoFo~ez{?ByTtOYFaqzz=cvOs()} zVircW{N?rMY+Lp8sxz-9w0LU%w1xLMd$im1Ol{@X_pa}kpOQTL((}plevfT(d!MO2 zR^!RJ8@A0pbgkMan*xu9S%pUzy<^6!OMD-GqS`|+raS*kt>EfTKU14AseRF(8#lFh zd-9Ugryfc16A!6w+O=)&vWrRY0WJ8H1^Q+kDVa47)b#=~GFLV$jahf;c>RMi@8v|_ z(`w4cPgkE~y(4D5x7E<5tFFY4e*5WPyJR;hQ~mau_1$GozEiaJ23v6Vy$ds1cP*05 zdQMS?RZ~Zf!gR*JW(^Q{Isa3+lt(PV`!~*+l0NI{THA$L?+7}xqkh3Rf9TUr?)CpCZ$ut@=ZPAjf{GCoor;7_B-z8Zsv0H(e zAx1rkO_PXx{vGp7)v%iiA``ATiCmj+RDCsKhB7S9_1ddE4==Zas~c#C&!yASi*_pA 
zd^;6O?)B=$A_ugvGTKAuPeaX_P?*2nEeV3WGARb`ZU%wHK(y=A*}7_!ytY0 ziP>AB@5N4j?LzgLj2O)`Rk^*2B~LJT z+dI*oh3F87Jn=&t>H?(ee4uL>SGZxQ@3W@i(#mGdhB5Xir+3qaaim+Z9o+xHB~SbjadpD*+nb4%pL_1LUmI3>%zPyN z(}?fKej;aLg_CN0x_)$v7}&$V0}S3P=xbC!`A-H{no;Ynz3oQ#+5MZ3$i!aU8GmwD z?{PbE9L)OaE)xr-Zi?!XotSMcB(vt(Npjudf~ezU)}gU|d3)c;{s~?i{;3Av?M*Z{ z8Wd9Y6YL8)I}v-G+w(8U9%_2uo*DjFE-vi>qBnM%*fly5RSpU4eA-n&l>NGMNQgQf zW$D5I(Y}kkkwRyd8NY362<`F~BDmBLIzGQwpTN+~|22qPK1gr8IMeqpaoOHNB3$+j z-(B>uIDaOH9;og~H){0Y^npay9^G3>T1v*kr&1&O>`NR_1uk3rRuad4L-2lvpby7@ntUsX<2ih9S*Ke` zoLK)S-a%5rGhp3Iu!QU3SJ^u6Uc;6rQCvEKwxVn^)^0v zS$`#E`AhSHC|nef$2FM!k@aJn7ZhV9ib?<~+Lt)65m5{h6ye#i4HU06Ftc}wKU9fF zBYVx(+C4?|w^*gi&r=6q^^;p-42O`0K<#dJCYJUIXGg0gWwikz-|&Y#g6 zL2~Jpn|K%LaK*nhGPAGf7*v;3<-@eUxFPRzHspbgmTigbnYz>(^u`v@XG>*i6ff;~ zuZJgT`VkS4mT-#hzJi>0JCv0sbeW`4Ud+^ho zmh@bJb_$}WFPcp=!;52POkHHo!SOG|@p3u{)kP-@(r$obrw|EWxb&SB4g8>!rhjt! zPIpSX@U)G15C8cO=Yl4k|dE(b&wA=?AKet)Y$W9tm3|I=*_WyKgUG8@mXc z8iLf;Q109ixQq%i2DZC)1osZW{E^!{@5+30{51kKG-VGz912em<>Zqs$X0ZhyCB=ebqiJbYng zQ464j7j|nM+obx|@gYm&ItZ-@WLw^C)_G%RI^#B=ewu}%x^J)fXMJ}PvVpykkJAK_ zjI6K$Z;=fqB5Od&UZC?F;tY3&qsls`yTjW`I_KlRF08m9`UT=FL_4K7mFT>dy(Lc` z11WupfzUagbk5DyzloWVU**-MV_i%)fc5OPDrZMib)Xu%n=8&69I>9o0)YUflK${IzFq?F@o`R3dWhlVbI7WTz0p^D{nb0 z?eMC4ly0DomvH8R+IJ^~ly#6oD^SBa(c6|%Ra+|7ZB(^h?BFhG&Eu3DNvoCN5je*C zzt9axqKJo@ur405a_&KnmjVgPgb(t>S0O#3B)=30JcuIJ<7k7hWY|Y+G^Llc0acDE zh9}ZZKsM`7m3<&kubY3i3?>LHi#`Q?gHw75P7!#wQN=onCkaFXeXB1POQJTAIM=o> zm(tQo6-6NKN9zJ{Y{z45GV-|0gyJpo@LfP&ZeQ)Y;y}<|`mW9Yq^w_VdI-MgknyXl`cj(*dZmjj_$?W^kNctgwq}cunI817H9yydX8em@{zJ-nA5 z^7_!$Ucy<4ubCN{PtPDJf?_LkDO`s4!q&a@PTu={$LlAAZa4?@CA<)R3oisqnlaa` z^V+KPGF(qDtMo+i`RN(&tZ0a9ErGL7ar)cTeM9|PP;VtHt^e&zY{388>`QO`FAxZs zr`wl0NIK@Rz0Ce&-Tf*80Z)CY3{(~2Xy-q`9bnur&Kzk80lAW{#m~W z;?VM8E@#1Q4&^O}rR_`oA2sVejM!1aS@Bt~>`NRRuYMSDraqNU5)~!-93y{zji?0U z&+vfgTB3rvH&iJi(0i8C%W_1&S0Vbh^iEqziUg7XRf@!z?oE=gP$8O!KL#wI%!#IZ z;dg;Da7lW>toKUZ&Jsm6x|onUMvO4`ujEB`gyJc-yYqK?uhkO$M`=OZ->JP6# 
zkw4V2pX7ECQRVD8`+oMdTv>l$eh<0yw@eNv43C5d%IrA>$p3@+dhCR%qZ|m z$uH?f=w!(&sr($`-~T#7%N7d`jqBXT6C=fw0C1RnT-6sTo(zs(wj~;u94v84LU_j` z^!CqmBXm~@XPyc9MNqD>gkoz25nDY_=^|0#Idemnk+~{{s00ZrzGZ#&B6K;9=m||k zN#}8|apSq;h}I=3bRu*&2@7ty(SBqbJDnr+;CO6ooSUGkrl^zw}51-}*{&}H-K)9Tu%3ypLN`B)TdVwZT`g2@mA+IoT7 z+C^uex@0MD*}9`G$9=|Jqz5h?P_kEFLbk<^iXgk zd-&KEQI?ci=vil{^VaO~#=(u~Q8&xYtL1bN?x%%KN-fgUETN~bNTv(#n|X{uoRMNE zjpl9rB`Qj4TLx(?*V7C-4P@Tjqn^WZf`%q&(k&dC?y3%ikrQ1fi1tH<{46txND{+eIKe!{8Qx>zq3yEUrih~M8`n>?#4iUvfx~F^- ziH$0$(#Y1@21%mw&SEzRbe1c08eMo02?&0u|3sK~4%#NWS)Zgw#y1Ojz5e3y(@#9` zu9p+NqRL?Urxugb%a58BYWo7y4iu z{d$`*YsaJx$sM{UrgUuIu~WxRw2bf2zI{Ssy!g-&%AS%fVvn*+NMSd6bW0G{r3DGO z_}V4g&-jSd+BE9KKds^xqewQeTYTrPJ-T-9IWQr;d!HU1Xh+_4e?G|V(Ytq8Y9j2C zdN%WUl>S7-(CcM(fgqTfRY7n3x|BLZ@WG=H_b6HQuU}yNy8mDR#d_W_E%?AyXZ(7R zS~-&ex4aRk?i0D*1F{5hzxht4pyOr>OqhXWdwIl_=g-MOT%> zBvF-Ew7jH$BkY3A*s8j!yo)oIq!N_^LhCvR2oxlP*8EI%NofWBUXE=QUZIywUDai5 zxWt&2je*SazjPU^&KXnx3AC<_S%~7P&AK+0DKVyHV<7W`KA8~`87&**WZu-Zh#Fiz z^(!`YZ44A^Y|*7ylT%c`Hd5EdDiOs8#_Fnaq$H}Aje*RV@w%$4#Tiq-QBl{%nh?eJ zD*L+s-?v8TR!&i!EW$Vn`DFx3h9_MnTq#*lq95LuYO3bkytw} z4i7HGHc$-f?W>nqkJhB$X^e(I-FuxRcD9I zZRL|e$gyAIn9&z#Jx8>3U>hR|sTv9+Ul*`}KJs`_T)AAAySkh^byR`ph~0Vj=Te^I&BWiul znDozV?jux7qFD3E0KHs`9*3fg?puI&lrp-rbCJ=F{QUu#KT=65#)xp;D-to(%JCgW zy;fH6R`|^8(OYb#4YhK;jUPP~2VM z411tk*m{0AebN3XNI{r5alheX+O$j_b_CYy4o>p_7*55v!l8L9! zmg&ZpEU8mzWmh0GWQ}fYX}~*G8@ z|JaDj*GeUyZgvHVQ}rn}KT0}!^9QjDH0V`nn>CT^mKipj9oZS+A`5`;O1BdH8)PyNZh1{ zam`#+X-2q(wcuu}KX1%^fAajjoTlfaFz+MDHOa_6#o)_1Rjjnc~% z>$5P1Yh;jVy*`y`5*5Yz)@Ed`W~nMFd-SPHm#8Ruq8s1K4pLKTpR6mE89H)FW% zspQp&_S>FzEyN8A_6*s(TanOKhptAw+nz|1d1OQ+5x)VZC{O#TVXYgI{ts90BS`=N literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test b/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test new file mode 100644 index 0000000000..6d2858a8c8 --- /dev/null 
+++ b/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test
@@ -0,0 +1,9 @@
+# @TEST-DOC: Regression test for #4730, ReadResponse not parsed properly.
+#
+# @TEST-EXEC: zeek -b -C -r $TRACES/smb/smb_v2_only_non_zero_reserved1.pcap %INPUT
+# @TEST-EXEC: btest-diff files.log
+# @TEST-EXEC: test ! -f analyzer.log
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/smb
+
From 84d28bc30cd16d016396279a732ab28be5ff0853 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Tue, 12 Aug 2025 11:06:57 -0700
Subject: [PATCH 07/27] Update docs submodule with 8.0.0-rc2 changes [nomail] [skip ci]
---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc b/doc
index 1ce37d96e2..7b8c31b46b 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 1ce37d96e268134100fbc6793c0c64d48e162337
+Subproject commit 7b8c31b46b35b8143b431a333e1487d6a0427e7f
From 04c4d792d1126a60f5c439c9c4d89ffff0ae0d68 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Tue, 12 Aug 2025 12:38:24 -0700
Subject: [PATCH 08/27] Merge remote-tracking branch 'origin/topic/bbannier/bump-spicy'
* origin/topic/bbannier/bump-spicy:
  Bump pre-commit hooks
  Bump auxil/spicy to latest development snapshot
(cherry picked from commit cc59bfa5d8a3e9fddc5d65adee68e1937ea5eda7)
---
 .pre-commit-config.yaml | 8 ++++----
 CHANGES | 12 ++++++++++++
 VERSION | 2 +-
 auxil/spicy | 2 +-
 src/cluster/Backend.h | 2 +-
 5 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9b6440ef04..19ceeebcda 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,7 +19,7 @@ repos:
 files: '^testing/btest/.*$'
 
 - repo: https://github.com/pre-commit/mirrors-clang-format
- rev: v20.1.7
+ rev: v20.1.8
 hooks:
 - id: clang-format
 types_or:
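Review bot: The `@TEST-DOC` says the ReadResponse was "not parsed properly" but not what in the trace triggers the bug, so the test is hard to relate to the analyzer change it guards. Spelling out the condition, `# @TEST-DOC: Regression test for #4730: an SMB2 ReadResponse whose reserved1 byte after data_offset is non-zero was mis-parsed as a 16-bit data_offset.`, also makes the purpose of the `test ! -f analyzer.log` and `test ! -f weird.log` lines obvious. The condition is stated in this patch's CHANGES entry, not in the test itself.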
@@ -28,13 +28,13 @@ repos: - "json" - repo: https://github.com/maxwinterstein/shfmt-py - rev: v3.11.0.2 + rev: v3.12.0.1 hooks: - id: shfmt args: ["-w", "-i", "4", "-ci"] - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.12.1 + rev: v0.12.8 hooks: - id: ruff args: [--fix] @@ -46,7 +46,7 @@ repos: - id: cmake-format - repo: https://github.com/crate-ci/typos - rev: v1.33.1 + rev: v1.35.3 hooks: - id: typos exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek)$' diff --git a/CHANGES b/CHANGES index baeb97200a..ad6099495b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,15 @@ +8.0.0-rc1.6 | 2025-08-12 12:41:33 -0700 + + * Bump pre-commit hooks (Benjamin Bannier, Corelight) + + (cherry picked from commit cc59bfa5d8a3e9fddc5d65adee68e1937ea5eda7) + + * Bump auxil/spicy to latest development snapshot (Benjamin Bannier, Corelight) + + (cherry picked from commit cc59bfa5d8a3e9fddc5d65adee68e1937ea5eda7) + + * Update docs submodule with 8.0.0-rc2 changes [nomail] [skip ci] (Tim Wojtulewicz, Corelight) + 8.0.0-rc1.4 | 2025-08-11 11:38:57 -0700 * smb2/read: Parse only 1 byte for data_offset, ignore reserved1 (Arne Welzel, Corelight) diff --git a/VERSION b/VERSION index ac722fc67c..6ff4ead650 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-rc1.4 +8.0.0-rc1.6 diff --git a/auxil/spicy b/auxil/spicy index 140e88c9a8..cef9b56b5a 160000 --- a/auxil/spicy +++ b/auxil/spicy @@ -1 +1 @@ -Subproject commit 140e88c9a8e04eca801bbd891e085cc180eee43f +Subproject commit cef9b56b5a77a3727036ecfe5f806f513bb1359e diff --git a/src/cluster/Backend.h b/src/cluster/Backend.h index 9775d598f0..4d520a1387 100644 --- a/src/cluster/Backend.h +++ b/src/cluster/Backend.h 
@@ -59,7 +59,7 @@ public: bool ProcessEvent(std::string_view topic, cluster::Event e) { return DoProcessEvent(topic, std::move(e)); } /** - * Method for enquing backend specific events. + * Method for enqueuing backend specific events. * * Some backend's may raise events destined for the local * scripting layer. That's usually wanted, but not always. From 56e55ba3ee444ffa7cb4ffca03ee2d8bdd2874df Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Tue, 12 Aug 2025 12:43:40 -0700 Subject: [PATCH 09/27] Updating CHANGES and VERSION. --- CHANGES | 4 ++++ VERSION | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index ad6099495b..600b10f7cf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +8.0.0-rc2 | 2025-08-12 12:42:54 -0700 + + * Release 8.0.0-rc2. + 8.0.0-rc1.6 | 2025-08-12 12:41:33 -0700 * Bump pre-commit hooks (Benjamin Bannier, Corelight) diff --git a/VERSION b/VERSION index 6ff4ead650..e31a4cb90a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-rc1.6 +8.0.0-rc2 From b2bd588740bf2c5d9e59923a0b0a6befd894de4b Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Sun, 17 Aug 2025 13:56:48 -0700 Subject: [PATCH 10/27] Clarify Event constructor deprectation message --- src/Event.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/Event.h b/src/Event.h index 69914e1432..10a1a196ce 100644 --- a/src/Event.h +++ b/src/Event.h @@ -55,7 +55,9 @@ constexpr double NO_TIMESTAMP = -1.0; class Event final : public Obj { public: - [[deprecated("Remove in v8.1: Do not instantiate raw events. Use EventMgr::Dispatch() or EventMgr::Enqueue().")]] + [[deprecated( + "Remove in v8.1: The public constructor for Event() is deprecated. Pass arguments directly to " + "EventMgr::Dispatch() or EventMgr::Enqueue() instead.")]] Event(const EventHandlerPtr& handler, zeek::Args args, util::detail::SourceID src = util::detail::SOURCE_LOCAL, analyzer::ID aid = 0, Obj* obj = nullptr, double ts = run_state::network_time); 
From 26bdaf94d88027f9ca3ce70a6c2f68c0e1f76ee0 Mon Sep 17 00:00:00 2001
From: Benjamin Bannier
Date: Mon, 18 Aug 2025 12:57:24 +0200
Subject: [PATCH 11/27] Bump auxil/spicy to spicy-1.14.0
---
 auxil/spicy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auxil/spicy b/auxil/spicy
index cef9b56b5a..63594ca470 160000
--- a/auxil/spicy
+++ b/auxil/spicy
@@ -1 +1 @@
-Subproject commit cef9b56b5a77a3727036ecfe5f806f513bb1359e
+Subproject commit 63594ca470b215fa4c9f3363a5f337ed97e0e529
From 7fdb266b2484f6d0d8aba6de85fcb27a737134bd Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 18 Aug 2025 16:36:43 +0000
Subject: [PATCH 12/27] Fix ci/update-zeekygen-docs to agree with ruff-format
---
 ci/update-zeekygen-docs.sh | 2 +-
 doc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ci/update-zeekygen-docs.sh b/ci/update-zeekygen-docs.sh
index 4884994f24..3df9797a6f 100755
--- a/ci/update-zeekygen-docs.sh
+++ b/ci/update-zeekygen-docs.sh
@@ -64,7 +64,7 @@ branch="$(git branch --show-current)"
 if [[ "$branch" =~ ^release/.* ]]; then
 doc_config_file=$source_dir/doc/conf.py
 cat ${doc_config_file} | sed \
- -e "s#\(zeek_code_version[[:space:]]*=[[:space:]]*\)[^\n]*#\1'$branch'#g" \
+ -e "s#\(zeek_code_version[[:space:]]*=[[:space:]]*\)[^\n]*#\1\"$branch\"#g" \
 >${doc_config_file}.tmp
 mv ${doc_config_file}.tmp ${doc_config_file}
 fi
diff --git a/doc b/doc
index 7b8c31b46b..f7230cfebb 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 7b8c31b46b35b8143b431a333e1487d6a0427e7f
+Subproject commit f7230cfebb1a4df07146ce2a06b31c6a826cbbfa
From 69dc9209b53df2a9bd4b5fbab7e155647505a0ae Mon Sep 17 00:00:00 2001
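Review bot: The new replacement side still drops `$branch` straight into the sed script, so a branch name containing `#`, `&` or `\` would alter the substitution instead of becoming part of the quoted value; the exposure is limited to the repository's own release branch names (matched against `^release/.*` just above), and a comment stating that assumption, `# $branch is a release/* branch name from git; assumed free of sed metacharacters (#, &, \)`, would make it explicit. Separately, `[^\n]*` only means "rest of line" with GNU sed's bracket-expression escapes; on a POSIX sed it excludes the literal characters `\` and `n`, so `.*` is the portable spelling and also the intent here. The `cat ${doc_config_file} | sed …` pair can be `sed -e '…' "${doc_config_file}" >"${doc_config_file}.tmp"`, which also quotes the path.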
From: Arne Welzel Date: Sun, 17 Aug 2025 17:28:59 +0200 Subject: [PATCH 13/27] Merge remote-tracking branch 'origin/topic/vern/stmt-line-numbers' * origin/topic/vern/stmt-line-numbers: maintenance updates for ZAM BiF-tracking fix line numbers associated with "if" and initialization statements (cherry picked from commit c0a863cba0896f860a0c44ce0ff668c21267c239) --- CHANGES | 14 ++++++++++++++ VERSION | 2 +- src/Stmt.cc | 6 +----- src/script_opt/FuncInfo.cc | 5 +++-- testing/btest/Baseline/opt.ZAM-bif-tracking/output | 2 +- testing/btest/opt/ZAM-bif-tracking.zeek | 6 ++++-- 6 files changed, 24 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index 600b10f7cf..a3add54c9f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,17 @@ +8.0.0-rc2.4 | 2025-08-18 16:36:59 +0000 + + * Merge remote-tracking branch 'origin/topic/vern/stmt-line-numbers' (Arne Welzel, Corelight) + + * origin/topic/vern/stmt-line-numbers: + maintenance updates for ZAM BiF-tracking + fix line numbers associated with "if" and initialization statements + + (cherry picked from commit c0a863cba0896f860a0c44ce0ff668c21267c239) + + * Fix ci/update-zeekygen-docs to agree with ruff-format (Tim Wojtulewicz, Corelight) + + * Bump auxil/spicy to spicy-1.14.0 (Benjamin Bannier, Corelight) + 8.0.0-rc2 | 2025-08-12 12:42:54 -0700 * Release 8.0.0-rc2. diff --git a/VERSION b/VERSION index e31a4cb90a..2e7fbac165 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-rc2 +8.0.0-rc2.4 diff --git a/src/Stmt.cc b/src/Stmt.cc index 88552848fb..9379e26cc2 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc 
@@ -426,10 +426,6 @@ IfStmt::IfStmt(ExprPtr test, StmtPtr arg_s1, StmtPtr arg_s2)
 : ExprStmt(STMT_IF, std::move(test)), s1(std::move(arg_s1)), s2(std::move(arg_s2)) {
 if ( ! e->IsError() && ! IsBool(e->GetType()->Tag()) )
 e->Error("conditional in test must be boolean");
-
- const Location* loc1 = s1->GetLocationInfo();
- const Location* loc2 = s2->GetLocationInfo();
- SetLocationInfo(loc1, loc2);
 }
 
 IfStmt::~IfStmt() = default;
@@ -1488,7 +1484,7 @@ InitStmt::InitStmt(std::vector arg_inits) : Stmt(STMT_INIT) {
 inits = std::move(arg_inits);
 
 if ( ! inits.empty() )
- SetLocationInfo(inits[0]->GetLocationInfo());
+ SetLocationInfo(inits.front()->GetLocationInfo(), inits.back()->GetLocationInfo());
 }
 
 ValPtr InitStmt::Exec(Frame* f, StmtFlowType& flow) {
diff --git a/src/script_opt/FuncInfo.cc b/src/script_opt/FuncInfo.cc
index 874772d828..d33439b658 100644
--- a/src/script_opt/FuncInfo.cc
+++ b/src/script_opt/FuncInfo.cc
@@ -117,7 +117,7 @@ static std::unordered_map func_attrs = {
 {"Option::set_change_handler", ATTR_NO_SCRIPT_SIDE_EFFECTS},
 {"PacketAnalyzer::GTPV1::remove_gtpv1_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
 {"PacketAnalyzer::Geneve::get_options", ATTR_NO_SCRIPT_SIDE_EFFECTS},
- {"PacketAnalyzer::PPPoE::session_id", ATTR_NO_SCRIPT_SIDE_EFFECTS},
+ {"PacketAnalyzer::PPPoE::session_id", ATTR_NO_ZEEK_SIDE_EFFECTS},
 {"PacketAnalyzer::TEREDO::remove_teredo_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
 {"PacketAnalyzer::__disable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},
 {"PacketAnalyzer::__enable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},
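Review bot: With the three `SetLocationInfo` lines removed, `IfStmt::IfStmt` no longer records any location itself, and where the statement's location now comes from is not visible in this hunk (presumably the caller, after construction, so that it covers the `if` keyword rather than only the two branches). A one-line comment in the constructor, `// Location is set by the caller (parser), not derived from s1/s2, so it spans the "if" itself.`, would record that and keep someone from re-adding the old lines. In the `InitStmt` hunk the switch to `inits.front()`/`inits.back()` is protected by the `! inits.empty()` check immediately above it, so that part is fine.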
@@ -162,6 +162,7 @@ static std::unordered_map func_attrs = { {"Storage::Sync::__get", ATTR_NO_SCRIPT_SIDE_EFFECTS}, {"Storage::Sync::__open_backend", ATTR_NO_SCRIPT_SIDE_EFFECTS}, {"Storage::Sync::__put", ATTR_NO_SCRIPT_SIDE_EFFECTS}, + {"Storage::is_forced_sync", ATTR_NO_ZEEK_SIDE_EFFECTS}, {"Supervisor::__create", ATTR_NO_SCRIPT_SIDE_EFFECTS}, {"Supervisor::__destroy", ATTR_NO_SCRIPT_SIDE_EFFECTS}, {"Supervisor::__is_supervised", ATTR_IDEMPOTENT}, @@ -301,6 +302,7 @@ static std::unordered_map func_attrs = { {"get_net_stats", ATTR_NO_ZEEK_SIDE_EFFECTS}, {"get_orig_seq", ATTR_NO_ZEEK_SIDE_EFFECTS}, {"get_package_readme", ATTR_FOLDABLE}, + {"get_plugin_components", ATTR_NO_ZEEK_SIDE_EFFECTS}, {"get_port_transport_proto", ATTR_FOLDABLE}, {"get_proc_stats", ATTR_NO_ZEEK_SIDE_EFFECTS}, {"get_reassembler_stats", ATTR_NO_ZEEK_SIDE_EFFECTS}, @@ -318,7 +320,6 @@ static std::unordered_map func_attrs = { {"global_ids", ATTR_IDEMPOTENT}, {"global_options", ATTR_IDEMPOTENT}, {"gsub", ATTR_FOLDABLE}, - {"get_plugin_components", ATTR_NO_ZEEK_SIDE_EFFECTS}, {"has_event_group", ATTR_NO_ZEEK_SIDE_EFFECTS}, {"has_module_events", ATTR_NO_ZEEK_SIDE_EFFECTS}, {"have_spicy", ATTR_IDEMPOTENT}, diff --git a/testing/btest/Baseline/opt.ZAM-bif-tracking/output b/testing/btest/Baseline/opt.ZAM-bif-tracking/output index 5926891fca..33665f2cc6 100644 --- a/testing/btest/Baseline/opt.ZAM-bif-tracking/output +++ b/testing/btest/Baseline/opt.ZAM-bif-tracking/output @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -564 seen BiFs, 0 unseen BiFs (), 0 new BiFs () +566 seen BiFs, 0 unseen BiFs (), 0 new BiFs () diff --git a/testing/btest/opt/ZAM-bif-tracking.zeek b/testing/btest/opt/ZAM-bif-tracking.zeek index 687871038c..f1badd7312 100644 --- a/testing/btest/opt/ZAM-bif-tracking.zeek +++ b/testing/btest/opt/ZAM-bif-tracking.zeek 
@@ -150,6 +150,7 @@ global known_BiFs = set( "Option::set_change_handler", "PacketAnalyzer::GTPV1::remove_gtpv1_connection", "PacketAnalyzer::Geneve::get_options", + "PacketAnalyzer::PPPoE::session_id", "PacketAnalyzer::TEREDO::remove_teredo_connection", "PacketAnalyzer::__disable_analyzer", "PacketAnalyzer::__enable_analyzer", @@ -184,7 +185,6 @@ global known_BiFs = set( "Reporter::warning", "Spicy::__resource_usage", "Spicy::__toggle_analyzer", - "Storage::is_open", "Storage::Async::__close_backend", "Storage::Async::__erase", "Storage::Async::__get", @@ -195,6 +195,8 @@ global known_BiFs = set( "Storage::Sync::__get", "Storage::Sync::__open_backend", "Storage::Sync::__put", + "Storage::is_forced_sync", + "Storage::is_open", "Supervisor::__create", "Supervisor::__destroy", "Supervisor::__is_supervised", @@ -337,6 +339,7 @@ global known_BiFs = set( "get_net_stats", "get_orig_seq", "get_package_readme", + "get_plugin_components", "get_port_transport_proto", "get_proc_stats", "get_reassembler_stats", @@ -345,7 +348,6 @@ global known_BiFs = set( "get_reporter_stats", "get_resp_seq", "get_script_comments", - "get_plugin_components", "get_thread_stats", "get_timer_stats", "getenv", From 8a6a24cb701d214af81f8b86bc32ea4c951482e9 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 18 Aug 2025 09:40:41 -0700 Subject: [PATCH 14/27] Merge remote-tracking branch 'origin/topic/etyp/update-news-record-vec-deprecation' * origin/topic/etyp/update-news-record-vec-deprecation: Add `record_type_to_vector` deprecation to NEWS (cherry picked from commit a4da8d3f7bd455c7158465d12d25eb6030526f3f) --- CHANGES | 14 ++++++++++---- NEWS | 3 +++ VERSION | 2 +- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index a3add54c9f..9d12d43ad0 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,10 +1,16 @@ +8.0.0-rc2.5 | 2025-08-18 16:41:20 +0000 + + * Add `record_type_to_vector` deprecation to NEWS (Evan Typanski, Corelight) + + (cherry picked from commit a4da8d3f7bd455c7158465d12d25eb6030526f3f) + 8.0.0-rc2.4 | 2025-08-18 16:36:59 +0000 - * Merge remote-tracking branch 'origin/topic/vern/stmt-line-numbers' (Arne Welzel, Corelight) + * maintenance updates for ZAM BiF-tracking (Vern Paxson, Corelight) - * origin/topic/vern/stmt-line-numbers: - maintenance updates for ZAM BiF-tracking - fix line numbers associated with "if" and initialization statements + (cherry picked from commit c0a863cba0896f860a0c44ce0ff668c21267c239) + + * fix line numbers associated with "if" and initialization statements (Vern Paxson, Corelight) (cherry picked from commit c0a863cba0896f860a0c44ce0ff668c21267c239) diff --git a/NEWS b/NEWS index b4e562e5cf..128f296047 100644 --- a/NEWS +++ b/NEWS @@ -429,6 +429,9 @@ Deprecated Functionality ``std::string`` and ``std::string_view`` added ``begins_with`` and ``ends_with`` methods in C++ 20, and those should be used instead. +- The ``record_type_to_vector`` BIF is deprecated in favor of using the newly ordered + ``record_fields`` BIF. + Zeek 7.2.0 ========== diff --git a/VERSION b/VERSION index 2e7fbac165..4a6e52d84f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-rc2.4 +8.0.0-rc2.5 From ef6999ed623b50777384a79cd47af548c49ce853 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 18 Aug 2025 17:08:25 +0000 Subject: [PATCH 15/27] Update docs submodule for 8.0.0 [nomail] [skip ci] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index f7230cfebb..cf41c8c234 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit f7230cfebb1a4df07146ce2a06b31c6a826cbbfa +Subproject commit cf41c8c234995de78045bdd79dfe78f4fa95a896 From f07a59d32cbbefdd7706bbe47a053f350c36aed0 Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Mon, 18 Aug 2025 18:01:55 +0000 Subject: [PATCH 16/27] Updating CHANGES and VERSION. --- CHANGES | 4 ++++ VERSION | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 9d12d43ad0..396cfcc073 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +8.0.0 | 2025-08-18 17:08:25 +0000 + + * Update docs submodule for 8.0.0 [nomail] [skip ci] (Tim Wojtulewicz, Corelight) + 8.0.0-rc2.5 | 2025-08-18 16:41:20 +0000 * Add `record_type_to_vector` deprecation to NEWS (Evan Typanski, Corelight) diff --git a/VERSION b/VERSION index 4a6e52d84f..ae9a76b924 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-rc2.5 +8.0.0 From abfb6ca156a9ad1b5e78ec8a048731b7e50d379b Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Mon, 18 Aug 2025 09:40:05 +0200 Subject: [PATCH 17/27] Merge remote-tracking branch 'amazing-pp/t/psql-login-no-role' * amazing-pp/t/psql-login-no-role: Report PostgreSQL login success only after ReadyForQuery (cherry picked from commit e04f725523dc4eaeb4739c8bbfcdce8a9ba06f7b) --- CHANGES | 18 ++++++++++++++++++ VERSION | 2 +- scripts/base/protocols/postgresql/main.zeek | 13 +++++++++---- .../conn.cut | 3 +++ .../postgresql.cut | 4 ++++ .../Traces/postgresql/psql-login-no-role.pcap | Bin 0 -> 1567 bytes .../postgresql/psql-login-no-role.zeek | 12 ++++++++++++ 7 files changed, 47 insertions(+), 5 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-role/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-role/postgresql.cut create mode 100644 testing/btest/Traces/postgresql/psql-login-no-role.pcap create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-login-no-role.zeek diff --git a/CHANGES b/CHANGES index 0a1643190b..5c792aec20 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,21 @@
+8.0.0-3 | 2025-08-22 09:18:56 -0700
+
+ * Report PostgreSQL login success only after ReadyForQuery (Fupeng Zhao)
+
+ Previously, Zeek treated the receipt of `AuthenticationOk` as a
+ successful login. However, according to the PostgreSQL
+ Frontend/Backend Protocol, the startup phase is not complete until
+ the server sends `ReadyForQuery`. It is still possible for the server
+ to emit an `ErrorResponse` (e.g. ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION)
+ after `AuthenticationOk` but before `ReadyForQuery`.
+
+ This change updates the PostgreSQL analyzer to defer reporting login
+ success until `ReadyForQuery` is observed. This prevents false
+ positives in cases where authentication succeeds but session startup
+ fails.
+
+ (cherry picked from commit e04f725523dc4eaeb4739c8bbfcdce8a9ba06f7b)
+
 8.0.0-2 | 2025-08-18 14:44:27 -0700
 
 * Clarify Event constructor deprectation message (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index fad6269b63..279ab14ba6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-2
+8.0.0-3
diff --git a/scripts/base/protocols/postgresql/main.zeek b/scripts/base/protocols/postgresql/main.zeek
index bf262467d6..16ce4f6d3f 100644
--- a/scripts/base/protocols/postgresql/main.zeek
+++ b/scripts/base/protocols/postgresql/main.zeek
@@ -53,7 +53,7 @@ export {
 user: string &optional;
 database: string &optional;
 application_name: string &optional;
- rows: count &default=0;
+ rows: count &optional;
 errors: vector of string;
 };
 
@@ -197,8 +197,6 @@ event PostgreSQL::authentication_ok(c: connection) {
 
 c$postgresql$backend = "auth_ok";
 c$postgresql$success = T;
-
- emit_log(c);
 }
 
 event PostgreSQL::terminate(c: connection) {
@@ -224,6 +222,9 @@ event PostgreSQL::simple_query(c: connection, query: string) {
 event PostgreSQL::data_row(c: connection, column_values: count) {
 hook set_session(c);
 
+ if ( ! c$postgresql_state?$rows )
+ c$postgresql_state$rows = 0;
+
 ++c$postgresql_state$rows;
 }
 
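Review bot: `PostgreSQL::authentication_ok` still sets `c$postgresql$success = T;` (the context line kept just above the removed `emit_log(c)`), so the record is marked successful from AuthenticationOk onward and `ready_for_query` only derives the flag from `transaction_status` when it is still unset. If a connection is torn down between AuthenticationOk and ReadyForQuery without an ErrorResponse, whatever flushes the pending record at connection end would still log `success=T`, which is exactly the false positive the change sets out to remove; consider dropping the assignment here and letting `ready_for_query` decide, or add a comment that the error path resets it. The ErrorResponse and teardown handlers are outside the hunk, so this is inferred from what is visible.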
@@ -236,7 +237,11 @@ event PostgreSQL::ready_for_query(c: connection, transaction_status: string) {
 if ( ! c$postgresql?$success )
 c$postgresql$success = transaction_status == "I" || transaction_status == "T";
 
- c$postgresql$rows = c$postgresql_state$rows;
+ if ( c$postgresql_state?$rows ) {
+ c$postgresql$rows = c$postgresql_state$rows;
+ delete c$postgresql_state$rows;
+ }
+
 emit_log(c);
 }
 
diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-role/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-role/conn.cut
new file mode 100644
index 0000000000..23728e7aec
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-role/conn.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.21.179.53 51625 192.168.115.201 5432 postgresql
diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-role/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-role/postgresql.cut
new file mode 100644
index 0000000000..66147ecc45
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-role/postgresql.cut
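Review bot: Because `rows` is now only copied into the log record when the state has counted at least one DataRow, the `rows` column of postgresql.log changes from `0` to unset (`-`) for every transaction without result rows, as the new baseline in this patch shows. That is a visible log-format change for downstream consumers and deserves a line in NEWS, which this patch does not touch. A short comment on the new `if` would also help readers: `# Only report rows for transactions that produced DataRow messages; leave it unset otherwise.`.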
@@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.21.179.53 51625 192.168.115.201 5432 - - - ssl_request - ssl_reply N F - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.21.179.53 51625 192.168.115.201 5432 test postgres Navicat startup - auth_ok,error SeverityLocalized=FATAL,Severity=FATAL,Code=28000,Message=role "test" does not exist,File=miscinit.c,Line=694,Routine=InitializeSessionUserId F - diff --git a/testing/btest/Traces/postgresql/psql-login-no-role.pcap b/testing/btest/Traces/postgresql/psql-login-no-role.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c65069ae52d514c3bf41e31e4ec6ae8874b059c3 GIT binary patch literal 1567 zcmd6mKWGzS7>9p%i8bhw3Mn0r;1H?USYwTYk}6gUvBXxzsqsv%=|P%=`>qmQ%p`bD zDpp)-ORY2rg8x7VAtERl>Yzc2B03nb;?M{#F7^HHvs&&#rwksv+*F~I6&XLw%@pa@5=Yul6C#mybp(fh|wKGscmv`Q{dt5$~>!9 z%Yo=+<=6;MD#^c=U&(;%-S9~AczlxNm3d;h<%!iV{}=_GAQg;24Ex&RKF-HE1JP=E z>%zATaVAS!41a9u4*KS9U{+g*1#x=vE+Si&z$jSIrvrIw^j zQp$ef;N@Zo8#`^5U{jV(S$a20*8rdQO-DEH>}E^THW#G7o?PZbmch+GpK+KUBlDSr zAN3#Cgr}~eggpew%ayXtVs^@{rYW7M-?o53-dgOO1d}3oIYa@YMvpCO)*&iGL(>x^ z>M;M~xn&P9!88M=#!RGDQ$3?H4TU^2Gls^X77AHCrJ8y^m&~c-8V1#~{482I@*gmy zJ7i2#E4*AfuUe+9(_Ys#>!8z6<`Sf{@*WtXn?5SO<2XIs-*>z(j+5ebuqPT0hjG-% zXEi0rB?XmqUSmowZz@_*Cu#lTI!oy}-Q1BvymxN|Lj!cs)vSJA8`c;jbtlO1Kw3EC zysOLR;tg37Ht&>U{BLdEcGMe7BIVhd6xZ}a#x8sMpB>Ymqv_XZWwHEPq*Pjx@?rgy oh|Th;DN8%CEC`m5ElK(LbUnLwN4VYT#}2zSvU`WGXyYsJ8~S<`egFUf literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-login-no-role.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-login-no-role.zeek new file mode 100644 index 0000000000..4591b7b86a --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-login-no-role.zeek 
@@ -0,0 +1,12 @@
+# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -r ${TRACES}/postgresql/psql-login-no-role.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql
From 5de3ea1e2f365cf98bdfce2e7d3003366bbcce56 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 13 Aug 2025 21:20:50 +0200
Subject: [PATCH 18/27] Merge remote-tracking branch 'origin/topic/awelzel/docker-trixie'
* origin/topic/awelzel/docker-trixie:
ci: Run zeekctl and builtin tasks with Debian 13, too
ci: Prepend timestamps to output
ci: Enable Spicy for arm_debian13
ci: Add Debian 13.0 (trixie)
docker: Bump to debian:trixie-slim
(cherry picked from commit 63574b9fd4645a2f21d7ba3388e16c1b4c55812d)
---
.cirrus.yml | 41 +++++++++++++-------------
CHANGES | 22 ++++++++++++++
VERSION | 2 +-
ci/{debian-11 => debian-13}/Dockerfile | 14 ++++++---
docker/builder.Dockerfile | 5 ++--
docker/final.Dockerfile | 7 +++--
6 files changed, 60 insertions(+), 31 deletions(-)
rename ci/{debian-11 => debian-13}/Dockerfile (64%)
diff --git a/.cirrus.yml b/.cirrus.yml
index 837675fd0b..818291afa3 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -142,6 +142,7 @@ ci_template: &CI_TEMPLATE
 env:
 CIRRUS_WORKING_DIR: /zeek
+ CIRRUS_LOG_TIMESTAMP: true
 ZEEK_CI_CPUS: *CPUS
 ZEEK_CI_BTEST_JOBS: *BTEST_JOBS
 ZEEK_CI_BTEST_RETRIES: *BTEST_RETRIES
@@ -208,51 +209,49 @@ centosstream9_task:
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
-debian12_task:
+debian13_task:
 container:
- # Debian 12 (bookworm) EOL: TBD
- dockerfile: ci/debian-12/Dockerfile
+ # Debian 13 (trixie) EOL: TBD
+ dockerfile: ci/debian-13/Dockerfile
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
-arm_debian12_task:
+arm_debian13_task:
 arm_container:
- # Debian 12 (bookworm) EOL: TBD
- dockerfile: ci/debian-12/Dockerfile
+ # Debian 13 (trixie) EOL: TBD
+ dockerfile: ci/debian-13/Dockerfile
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
- env:
- ZEEK_CI_CONFIGURE_FLAGS: *NO_SPICY_CONFIG
-debian12_static_task:
+debian13_static_task:
 container:
 # Just use a recent/common distro to run a static compile test.
- # Debian 12 (bookworm) EOL: TBD
- dockerfile: ci/debian-12/Dockerfile
+ # Debian 13 (trixie) EOL: TBD
+ dockerfile: ci/debian-13/Dockerfile
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
 << : *SKIP_TASK_ON_PR
 env:
 ZEEK_CI_CONFIGURE_FLAGS: *STATIC_CONFIG
-debian12_binary_task:
+debian13_binary_task:
 container:
 # Just use a recent/common distro to run binary mode compile test.
 # As of 2024-03, the used configure flags are equivalent to the flags
 # that we use to create binary packages.
 # Just use a recent/common distro to run a static compile test.
- # Debian 12 (bookworm) EOL: TBD
- dockerfile: ci/debian-12/Dockerfile
+ # Debian 13 (trixie) EOL: TBD
+ dockerfile: ci/debian-13/Dockerfile
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
 << : *SKIP_TASK_ON_PR
 env:
 ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG
-debian11_task:
+debian12_task:
 container:
- # Debian 11 EOL: June 2026
- dockerfile: ci/debian-11/Dockerfile
+ # Debian 12 (bookworm) EOL: TBD
+ dockerfile: ci/debian-12/Dockerfile
 << : *RESOURCES_TEMPLATE
 << : *CI_TEMPLATE
 << : *SKIP_TASK_ON_PR
@@ -797,8 +796,8 @@ zeekctl_debian12_task:
 $CIRRUS_BRANCH =~ 'release/.*' ) )
 container:
- # Debian 12 (bookworm) EOL: TBD
- dockerfile: ci/debian-12/Dockerfile
+ # Debian 13 (trixie) EOL: TBD
+ dockerfile: ci/debian-13/Dockerfile
 << : *RESOURCES_TEMPLATE
 sync_submodules_script: git submodule update --recursive --init
 always:
@@ -821,8 +820,8 @@ include_plugins_debian12_task:
 cpu: *CPUS
 memory: *MEMORY
 container:
- # Debian 12 (bookworm) EOL: TBD
- dockerfile: ci/debian-12/Dockerfile
+ # Debian 13 (trixie) EOL: TBD
+ dockerfile: ci/debian-13/Dockerfile
 << : *RESOURCES_TEMPLATE
 sync_submodules_script: git submodule update --recursive --init
 fetch_external_plugins_script:
diff --git a/CHANGES b/CHANGES
index 5c792aec20..90bb686f62 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,25 @@
+8.0.0-4 | 2025-08-22 09:21:32 -0700
+
+ * ci: Run zeekctl and builtin tasks with Debian 13, too (Arne Welzel, Corelight)
+
+ (cherry picked from commit 63574b9fd4645a2f21d7ba3388e16c1b4c55812d)
+
+ * ci: Prepend timestamps to output (Arne Welzel, Corelight)
+
+ (cherry picked from commit 63574b9fd4645a2f21d7ba3388e16c1b4c55812d)
+
+ * ci: Enable Spicy for arm_debian13 (Arne Welzel, Corelight)
+
+ (cherry picked from commit 63574b9fd4645a2f21d7ba3388e16c1b4c55812d)
+
+ * ci: Add Debian 13.0 (trixie) (Arne Welzel, Corelight)
+
+ (cherry picked from commit 63574b9fd4645a2f21d7ba3388e16c1b4c55812d)
+
+ * docker: Bump to debian:trixie-slim (Arne Welzel, Corelight)
+
+ (cherry picked from commit 63574b9fd4645a2f21d7ba3388e16c1b4c55812d)
+
 8.0.0-3 | 2025-08-22 09:18:56 -0700
 * Report PostgreSQL login success only after ReadyForQuery (Fupeng Zhao)
diff --git a/VERSION b/VERSION
index 279ab14ba6..e81c02c92e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-3
+8.0.0-4
diff --git a/ci/debian-11/Dockerfile b/ci/debian-13/Dockerfile
similarity index 64%
rename from ci/debian-11/Dockerfile
rename to ci/debian-13/Dockerfile
index a4a5442b65..a9bc9e8eea 100644
--- a/ci/debian-11/Dockerfile
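Review bot: The `zeekctl_debian12_task` and `include_plugins_debian12_task` tasks now build from `ci/debian-13/Dockerfile` while their names still say debian12, so what the Cirrus UI reports no longer matches the container the job runs in (first hunk of this section and the one at -821). Unless the names are deliberately kept, for example because they are referenced as required checks elsewhere, renaming them to `zeekctl_debian13_task:` and `include_plugins_debian13_task:` keeps name and image in sync, as the -208 hunk already did for `debian12_task` → `debian13_task`. Both task definitions start outside their hunks.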
+++ b/ci/debian-13/Dockerfile
@@ -1,32 +1,36 @@
-FROM debian:11
+FROM debian:13
 ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION 20241024
+ENV DOCKERFILE_VERSION 20250813
 RUN apt-get update && apt-get -y install \
 bison \
 bsdmainutils \
 ccache \
 cmake \
+ cppzmq-dev \
 curl \
+ dnsmasq \
 flex \
 g++ \
 gcc \
 git \
 jq \
 libkrb5-dev \
+ libnats-dev \
 libnode-dev \
 libpcap-dev \
+ librdkafka-dev \
 libssl-dev \
 libuv1-dev \
- libzmq3-dev \
 make \
 python3 \
 python3-dev \
 python3-pip\
+ python3-websockets \
 sqlite3 \
 swig \
 wget \
@@ -35,4 +39,6 @@ RUN apt-get update && apt-get -y install \
 && apt autoclean \
 && rm -rf /var/lib/apt/lists/*
-RUN pip3 install websockets junit2html
+# Debian trixie really doesn't like using pip to install system wide stuff, but
+# doesn't seem there's a python3-junit2html package, so not sure what we'd break.
+RUN pip3 install --break-system-packages junit2html
diff --git a/docker/builder.Dockerfile b/docker/builder.Dockerfile
index 72ca2f3eb3..078c6ef7d6 100644
--- a/docker/builder.Dockerfile
+++ b/docker/builder.Dockerfile
@@ -1,7 +1,7 @@
 # See the file "COPYING" in the main distribution directory for copyright.
 # Layer to build Zeek.
-FROM debian:bookworm-slim
+FROM debian:13-slim
 # Make the shell split commands in the log so we can determine reasons for
 # failures more easily.
@@ -16,6 +16,7 @@ RUN echo 'Acquire::https::timeout "180";' >> /etc/apt/apt.conf.d/99-timeouts
 # Configure system for build.
 RUN apt-get -q update \
+ && apt-get upgrade -q -y \
 && apt-get install -q -y --no-install-recommends \
 bind9 \
 bison \
@@ -36,7 +37,7 @@ RUN apt-get -q update \
 libz-dev \
 make \
 python3-minimal \
- python3.11-dev \
+ python3-dev \
 swig \
 ninja-build \
 python3-pip \
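Review bot: `RUN pip3 install --break-system-packages junit2html` pulls whatever junit2html release PyPI serves at build time, so the CI image drifts silently between rebuilds even though `DOCKERFILE_VERSION` is the knob meant to control when the image changes; the websockets dependency moved to the distro-pinned `python3-websockets` package in the same hunk, but junit2html stays unpinned. Pinning it, `RUN pip3 install --break-system-packages 'junit2html==<pinned version>'`, or installing it into a dedicated virtualenv rather than the system site-packages, makes the image reproducible and limits how much of Debian's externally-managed-environment guard is overridden for one tool. The comment above the line could then record the chosen version alongside the reason the apt package is unavailable.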
diff --git a/docker/final.Dockerfile b/docker/final.Dockerfile
index 8cfb7b1942..395854e099 100644
--- a/docker/final.Dockerfile
+++ b/docker/final.Dockerfile
@@ -1,7 +1,7 @@
 # See the file "COPYING" in the main distribution directory for copyright.
 # Final layer containing all artifacts.
-FROM debian:bookworm-slim
+FROM debian:13-slim
 # Make the shell split commands in the log so we can determine reasons for
 # failures more easily.
@@ -15,14 +15,15 @@ RUN echo 'Acquire::http::timeout "180";' > /etc/apt/apt.conf.d/99-timeouts
 RUN echo 'Acquire::https::timeout "180";' >> /etc/apt/apt.conf.d/99-timeouts
 RUN apt-get -q update \
+ && apt-get upgrade -q -y \
 && apt-get install -q -y --no-install-recommends \
 ca-certificates \
 git \
 jq \
 libmaxminddb0 \
- libnode108 \
+ libnode115 \
 libpcap0.8 \
- libpython3.11 \
+ libpython3.13 \
 libssl3 \
 libuv1 \
 libz1 \
From 4bfac4a087afd4ae72e2946cc434a110528d4ef0 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Sun, 17 Aug 2025 16:56:57 +0200
Subject: [PATCH 19/27] Merge remote-tracking branch 'origin/topic/awelzel/4754-double-wrapped-broker-data-records'
* origin/topic/awelzel/4754-double-wrapped-broker-data-records:
cluster/serializer/broker: Do not special case Broker::Data anymore
broker/Data: Support unwrapping Broker::Data records
(cherry picked from commit 3d6a064ecce177868ad7f323c63b40524e7e8455)
---
CHANGES | 22 +++++++++++++++
VERSION | 2 +-
src/broker/Data.cc | 28 +++++++++++++++----
src/broker/Data.h | 3 +-
src/cluster/serializer/broker/Serializer.cc | 13 ++-------
.../..manager..stdout | 7 +++++
.../..worker-1..stdout | 3 ++
.../btest/cluster/generic/publish-any.zeek | 17 +++++++----
8 files changed, 71 insertions(+), 24 deletions(-)
diff --git a/CHANGES b/CHANGES
index 90bb686f62..76c37885fd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,25 @@
+8.0.0-5 | 2025-08-22 09:24:21 -0700
+
+ * cluster/serializer/broker: Do not special case Broker::Data anymore (Arne Welzel, Corelight)
+
+ The previous approach ignored the fact that nested / inner values might
+ also be Broker::Data values. I'm not super sure about the validity of
+ the test, because it's essentially demonstrating any-nesting, but
+ it's not leading to extra Broker::Data encoding.
+
+ (cherry picked from commit 3d6a064ecce177868ad7f323c63b40524e7e8455)
+
+ * broker/Data: Support unwrapping Broker::Data records (Arne Welzel, Corelight)
+
+ Calling val_to_data() on a Broker::Data ends up wrapping the
+ Broker::Data record instead of using the contained broker::value
+ directly.
+
+ Seems this should be the default behavior and wonder if the flag
+ even makes sense, but for a 8.0 backport that seems more reasonable.
+
+ (cherry picked from commit 3d6a064ecce177868ad7f323c63b40524e7e8455)
+
 8.0.0-4 | 2025-08-22 09:21:32 -0700
 * ci: Run zeekctl and builtin tasks with Debian 13, too (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index e81c02c92e..6794513b70 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-4
+8.0.0-5
diff --git a/src/broker/Data.cc b/src/broker/Data.cc
index bc3db0007e..466c4f8d7b 100644
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@@ -12,6 +12,7 @@
 #include "zeek/IntrusivePtr.h"
 #include "zeek/RE.h"
 #include "zeek/Scope.h"
+#include "zeek/Type.h"
 #include "zeek/broker/data.bif.h"
 #include "zeek/module_util.h"
@@ -718,7 +719,7 @@ ValPtr data_to_val(broker::data& d, Type* type) {
 return visit(val_converter{type}, d);
 }
-std::optional val_to_data(const Val* v) {
+std::optional val_to_data(const Val* v, bool unwrap_broker_data) {
 switch ( v->GetType()->Tag() ) {
 case TYPE_BOOL: return {v->AsBool()};
 case TYPE_INT: return {v->AsInt()};
@@ -804,7 +805,7 @@ std::optional val_to_data(const Val* v) {
 composite_key.reserve(vl->Length());
 for ( auto k = 0; k < vl->Length(); ++k ) {
- auto key_part = val_to_data(vl->Idx(k).get());
+ auto key_part = val_to_data(vl->Idx(k).get(), unwrap_broker_data);
 if ( ! key_part ) return std::nullopt;
@@ -822,7 +823,7 @@ std::optional val_to_data(const Val* v) {
 if ( is_set ) get(rval).emplace(std::move(key));
 else {
- auto val = val_to_data(te.value->GetVal().get());
+ auto val = val_to_data(te.value->GetVal().get(), unwrap_broker_data);
 if ( ! val ) return std::nullopt;
@@ -846,7 +847,7 @@ std::optional val_to_data(const Val* v) {
 return std::nullopt;
 }
- auto item = val_to_data(item_val.get());
+ auto item = val_to_data(item_val.get(), unwrap_broker_data);
 if ( ! item ) return std::nullopt;
@@ -871,7 +872,7 @@ std::optional val_to_data(const Val* v) {
 return std::nullopt;
 }
- auto item = val_to_data(item_val.get());
+ auto item = val_to_data(item_val.get(), unwrap_broker_data);
 if ( ! item ) return std::nullopt;
@@ -883,6 +884,21 @@ std::optional val_to_data(const Val* v) {
 }
 case TYPE_RECORD: {
 auto rec = v->AsRecordVal();
+
+ // If unwrap_broker_data is set and this record is a Broker::Data record,
+ // use the contained data field directly.
+ if ( unwrap_broker_data && rec->GetType() == BifType::Record::Broker::Data ) {
+ const auto ov = rec->GetField(0);
+ // Sanity.
+ if ( ov->GetType() != opaque_of_data_type ) {
+ reporter->Error("Broker::Data data field has wrong type: %s", obj_desc_short(ov->GetType()).c_str());
+ return std::nullopt;
+ }
+
+ return static_cast(ov.get())->data;
+ }
+
 broker::vector rval;
 size_t num_fields = v->GetType()->AsRecordType()->NumFields();
 rval.reserve(num_fields);
@@ -895,7 +911,7 @@ std::optional val_to_data(const Val* v) {
 continue;
 }
- auto item = val_to_data(item_val.get());
+ auto item = val_to_data(item_val.get(), unwrap_broker_data);
 if ( ! item ) return std::nullopt;
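Review bot: In the new unwrap branch of the -883 hunk, `const auto ov = rec->GetField(0);` is dereferenced unconditionally by `ov->GetType()`, but an unset record field comes back as a null ValPtr; if the `data` field of Broker::Data is declared `&optional` (as I recall it is in init-bare), a `Broker::Data()` whose data was never set would crash here instead of reaching the sanity check. Widening the guard to `if ( ! ov || ov->GetType() != opaque_of_data_type ) {` keeps the error path for that case, with the `reporter->Error` call reporting "unset" rather than calling `ov->GetType()` when `ov` is null. The special case this replaces in Serializer.cc had the same gap, so this is pre-existing rather than introduced by the commit, but this is the natural place to close it. The enclosing `val_to_data` switch starts before and continues after the hunk.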
diff --git a/src/broker/Data.h b/src/broker/Data.h
index 0735acb28b..568e72e7ee 100644
--- a/src/broker/Data.h
+++ b/src/broker/Data.h
@@ -76,9 +76,10 @@ EnumValPtr get_data_type(RecordVal* v, zeek::detail::Frame* frame);
 /**
 * Convert a Zeek value to a Broker data value.
 * @param v a Zeek value.
+ * @param unwrap_broker_data If v or any nested value is a Broker::Data record, use its data broker::value directly.
 * @return a Broker data value if the Zeek value could be converted to one.
 */
-std::optional val_to_data(const Val* v);
+std::optional val_to_data(const Val* v, bool unwrap_broker_data = false);
 /**
 * Convert a Broker data value to a Zeek value.
diff --git a/src/cluster/serializer/broker/Serializer.cc b/src/cluster/serializer/broker/Serializer.cc
index e17ea9a38d..5bbb8a2bcd 100644
--- a/src/cluster/serializer/broker/Serializer.cc
+++ b/src/cluster/serializer/broker/Serializer.cc
@@ -59,19 +59,10 @@ std::optional detail::to_broker_event(const zeek::cluster::
 xs.reserve(ev.Args().size());
 for ( const auto& a : ev.Args() ) {
- if ( a->GetType() == zeek::BifType::Record::Broker::Data ) {
- // When encountering a Broker::Data instance within args, pick out
- // the broker::data directly to avoid double encoding, Broker::Data.
- const auto& val = a->AsRecordVal()->GetField(0);
- auto* data_val = static_cast(val.get());
- xs.emplace_back(data_val->data);
- }
- else if ( auto res = zeek::Broker::detail::val_to_data(a.get()) ) {
+ if ( auto res = zeek::Broker::detail::val_to_data(a.get(), /*flatten_broker_dataval=*/true) )
 xs.emplace_back(std::move(res.value()));
- }
- else {
+ else
 return std::nullopt;
- }
 }
 // Convert metadata from the cluster::detail::Event event to broker's event metadata format.
diff --git a/testing/btest/Baseline/cluster.generic.publish-any/..manager..stdout b/testing/btest/Baseline/cluster.generic.publish-any/..manager..stdout
index 1bb58756f0..f8a26eff5b 100644
--- a/testing/btest/Baseline/cluster.generic.publish-any/..manager..stdout
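Review bot: The argument comment at the new call site in Serializer.cc, `/*flatten_broker_dataval=*/true`, names a parameter that does not exist; the declaration added to Data.h in the same section calls it `unwrap_broker_data`, and checkers such as clang-tidy's bugprone-argument-comment flag exactly this mismatch. Writing `val_to_data(a.get(), /*unwrap_broker_data=*/true)` keeps the call site and the header in step. The `@param unwrap_broker_data` line in Data.h could also state the default behavior, e.g. that with the flag false a Broker::Data record is encoded like any other record. The enclosing `to_broker_event` continues past the hunk.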
+++ b/testing/btest/Baseline/cluster.generic.publish-any/..manager..stdout
@@ -35,3 +35,10 @@ got pong, 27, with, 4, time (cluster publish), Broker::Data, [data=broker::data{
 got pong, 28, with, 4, time (cluster event ), Broker::Data, [data=broker::data{42000000000ns}]
 got pong, 29, with, 4, time (cluster publish), Broker::Data, [data=broker::data{42000000000ns}]
 got pong, 30, with, 4, time (cluster event ), Broker::Data, [data=broker::data{42000000000ns}]
+sending pings, 5, R, [c=42, a=[[c=42, a=hello]]]
+got pong, 31, with, 5, R (cluster publish), Broker::Data, [data=broker::data{(42, ((42, hello)))}]
+got pong, 32, with, 5, R (cluster event ), Broker::Data, [data=broker::data{(42, ((42, hello)))}]
+got pong, 33, with, 5, R (cluster publish), Broker::Data, [data=broker::data{(42, ((42, hello)))}]
+got pong, 34, with, 5, R (cluster event ), Broker::Data, [data=broker::data{(42, ((42, hello)))}]
+got pong, 35, with, 5, R (cluster publish), Broker::Data, [data=broker::data{(42, ((42, hello)))}]
+got pong, 36, with, 5, R (cluster event ), Broker::Data, [data=broker::data{(42, ((42, hello)))}]
diff --git a/testing/btest/Baseline/cluster.generic.publish-any/..worker-1..stdout b/testing/btest/Baseline/cluster.generic.publish-any/..worker-1..stdout
index 805fd81613..eae3c74d8c 100644
--- a/testing/btest/Baseline/cluster.generic.publish-any/..worker-1..stdout
+++ b/testing/btest/Baseline/cluster.generic.publish-any/..worker-1..stdout
@@ -14,4 +14,7 @@ got ping, 3, vector of count, Broker::Data, [data=broker::data{(1, 2, 3)}]
 got ping, 4, time, Broker::Data, [data=broker::data{42000000000ns}]
 got ping, 4, time, Broker::Data, [data=broker::data{42000000000ns}]
 got ping, 4, time, Broker::Data, [data=broker::data{42000000000ns}]
+got ping, 5, R, Broker::Data, [data=broker::data{(42, ((42, hello)))}]
+got ping, 5, R, Broker::Data, [data=broker::data{(42, ((42, hello)))}]
+got ping, 5, R, Broker::Data, [data=broker::data{(42, ((42, hello)))}]
 got finish!
diff --git a/testing/btest/cluster/generic/publish-any.zeek b/testing/btest/cluster/generic/publish-any.zeek
index 3866bd9812..5a09dc7687 100644
--- a/testing/btest/cluster/generic/publish-any.zeek
+++ b/testing/btest/cluster/generic/publish-any.zeek
@@ -34,9 +34,14 @@ global pong: event(c: count, what: string, val: any) &is_used;
 global i = 0;
 global pongs = 0;
+type R: record {
+ c: count;
+ a: any;
+};
+
 event send_any()
 {
- if ( i > 4 )
+ if ( i > 5 )
 return;
 local val: any;
@@ -48,8 +53,10 @@ event send_any()
 val = 42/tcp;
 else if ( i == 3 )
 val = vector(1, 2, 3);
- else
+ else if ( i == 4 )
 val = double_to_time(42.0);
+ else
+ val = R($c=42, $a=vector(R($c=42, $a="hello")));
 print "sending pings", i, type_name(val), val;
 Cluster::publish_hrw(Cluster::worker_pool, cat(i), ping, i, type_name(val), val);
@@ -64,10 +71,10 @@ event pong(c: count, what: string, val: any)
 ++pongs;
 print "got pong", pongs, "with", c, what, type_name(val), val;
- # The manager sends 5 types of pings, in 3 different ways. The worker
- # answers each ping in two ways, for a total of 30 expected pongs at the
+ # The manager sends 6 types of pings, in 3 different ways. The worker
+ # answers each ping in two ways, for a total of 36 expected pongs at the
 # manager. Every batch of pings involves 6 pongs.
- if ( pongs == 30 )
+ if ( pongs == 36 )
 Cluster::publish(Cluster::worker_topic, finish);
 else if ( pongs > 0 && pongs % 6 == 0 ) {
From c0a80fe610bd3be8c9dd1db3976a355fa90056a9 Mon Sep 17 00:00:00 2001
From: Arne Welzel Date: Fri, 22 Aug 2025 10:12:35 +0200 Subject: [PATCH 20/27] Merge remote-tracking branch 'origin/topic/awelzel/cluster-event-metadata-fixes-for-8.0' * origin/topic/awelzel/cluster-event-metadata-fixes-for-8.0: cluster/Backend: Fallback to current network time when current event has not timestamp cluster/serializer/broker: Do not send empty metadata vectors around (cherry picked from commit 3e89e6b3288453b7a0f89fb742384e213cf5cc94) --- CHANGES | 22 ++++ VERSION | 2 +- src/cluster/Backend.cc | 13 +- src/cluster/serializer/broker/Serializer.cc | 6 +- .../..client-metadata-from-client..stderr | 1 + .../..client-metadata-from-client.out | 5 + .../..client-metadata..stderr | 1 + .../..client-metadata.out | 5 + .../..client-no-metadata..stderr | 1 + .../..client-no-metadata.out | 5 + .../..manager-metadata-from-client..stderr | 2 + .../..manager-metadata-from-client.out | 4 + .../..manager-metadata..stderr | 2 + .../..manager-metadata.out | 4 + .../..manager-no-metadata..stderr | 2 + .../..manager-no-metadata.out | 4 + .../cluster/websocket/bad-event-args.zeek | 2 +- testing/btest/cluster/websocket/metadata.zeek | 121 ++++++++++++++++++ 18 files changed, 196 insertions(+), 6 deletions(-) create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..client-metadata-from-client..stderr create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..client-metadata-from-client.out create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..client-metadata..stderr create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..client-metadata.out create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..client-no-metadata..stderr create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..client-no-metadata.out create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata-from-client..stderr create mode 100644 
testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata-from-client.out create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata..stderr create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata.out create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..manager-no-metadata..stderr create mode 100644 testing/btest/Baseline/cluster.websocket.metadata/..manager-no-metadata.out create mode 100644 testing/btest/cluster/websocket/metadata.zeek diff --git a/CHANGES b/CHANGES index 76c37885fd..496c7c4443 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,25 @@ +8.0.0-6 | 2025-08-22 09:25:14 -0700 + + * cluster/Backend: Fallback to current network time when current event has not timestamp (Arne Welzel, Corelight) + + When a WebSocket client sends an event to Zeek without explicit network + timestamp metadata, Zeek would use -1.0 as a timestamp for any events + published while handling this event. Instead, it seems far more sensible + to use the current network time in that scenario. + + (cherry picked from commit 3e89e6b3288453b7a0f89fb742384e213cf5cc94) + + * cluster/serializer/broker: Do not send empty metadata vectors around (Arne Welzel, Corelight) + + Event when there's no metadata attached to an event, we'd still use the + constructor passing an empty metadata vector, resulting in an on-the-wire + representation with an empty trailing vector. + + Particularly visible when just snooping events via websocat. There also + seems to be some bug with the timestamp -1 handling. + + (cherry picked from commit 3e89e6b3288453b7a0f89fb742384e213cf5cc94) + 8.0.0-5 | 2025-08-22 09:24:21 -0700 * cluster/serializer/broker: Do not special case Broker::Data anymore (Arne Welzel, Corelight) diff --git a/VERSION b/VERSION index 6794513b70..78558b1fa4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-5 +8.0.0-6 
diff --git a/src/cluster/Backend.cc b/src/cluster/Backend.cc
index e0aa6f6c16..184e34a071 100644
--- a/src/cluster/Backend.cc
+++ b/src/cluster/Backend.cc
@@ -132,10 +132,19 @@ std::optional Backend::MakeClusterEvent(FuncValPtr handler, ArgsSpan args
 *
 * @J-Gras prefers the current behavior. @awelzel wonders if there should
 * be an opt-in/opt-out for this behavior. Procrastinating it for now.
+ *
+ * In any case, if the current event has no timestamp information
+ * (detail::NO_TIMESTAMP is -1.0), use the current network time for
+ * the outgoing event instead as network timestamp metadata.
 */
 zeek::detail::EventMetadataVectorPtr meta;
- if ( zeek::BifConst::EventMetadata::add_network_timestamp )
- meta = zeek::detail::MakeEventMetadataVector(zeek::event_mgr.CurrentEventTime());
+ if ( zeek::BifConst::EventMetadata::add_network_timestamp ) {
+ auto ts = zeek::event_mgr.CurrentEventTime();
+ if ( ts == zeek::detail::NO_TIMESTAMP )
+ ts = run_state::network_time;
+
+ meta = zeek::detail::MakeEventMetadataVector(ts);
+ }
 return Event{eh, std::move(*checked_args), std::move(meta)};
 }
diff --git a/src/cluster/serializer/broker/Serializer.cc b/src/cluster/serializer/broker/Serializer.cc
index 5bbb8a2bcd..2dfa5cde49 100644
--- a/src/cluster/serializer/broker/Serializer.cc
+++ b/src/cluster/serializer/broker/Serializer.cc
@@ -66,8 +66,8 @@ std::optional detail::to_broker_event(const zeek::cluster::
 }
 // Convert metadata from the cluster::detail::Event event to broker's event metadata format.
- broker::vector broker_meta;
 if ( const auto* meta = ev.Metadata(); meta != nullptr ) {
+ broker::vector broker_meta;
 broker_meta.reserve(meta->size());
 for ( const auto& m : *meta ) {
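Review bot: The fallback line in the Backend.cc hunk reads `ts = run_state::network_time;` while every other name in the same block is spelled with an explicit `zeek::` prefix (`zeek::event_mgr`, `zeek::detail::NO_TIMESTAMP`, `zeek::detail::MakeEventMetadataVector`); if this code sits inside `namespace zeek` the unqualified form compiles, but `ts = zeek::run_state::network_time;` keeps the style uniform. Separately, the fallback assumes network time has already been established when a client-triggered event is handled; if it can still be 0 at that point (before the first packet or timer advances it), the outgoing event would carry a zero timestamp rather than -1, which is worth a sentence in the new comment block so the behavior is documented. The enclosing `MakeClusterEvent` starts outside the hunk.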
@@ -81,9 +81,11 @@ std::optional detail::to_broker_event(const zeek::cluster::
 obj_desc_short(m.Val()).c_str());
 }
 }
+
+ return broker::zeek::Event(ev.HandlerName(), xs, broker_meta);
 }
- return broker::zeek::Event(ev.HandlerName(), xs, broker_meta);
+ return broker::zeek::Event(ev.HandlerName(), xs);
 }
 std::optional detail::to_zeek_event(const broker::zeek::Event& ev) {
diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata-from-client..stderr b/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata-from-client..stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata-from-client..stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata-from-client.out b/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata-from-client.out
new file mode 100644
index 0000000000..8de62193ff
--- /dev/null
+++ b/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata-from-client.out
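Review bot: Both `return broker::zeek::Event(ev.HandlerName(), xs, broker_meta);` inside the metadata block and the new `return broker::zeek::Event(ev.HandlerName(), xs);` pass `xs` (and `broker_meta`) as lvalues, so the argument vectors are copied into the event although neither local is used afterwards; if the `broker::zeek::Event` constructor takes these by value or rvalue reference, `std::move(xs)` and `std::move(broker_meta)` avoid the copies at no cost. Since the event is now constructed in two places, a one-line comment on the second return, `// No metadata: omit the trailing vector entirely rather than sending an empty one.`, would tie the code to the intent stated in the commit message. `to_broker_event` starts before this hunk.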
@@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +Connected! +ack {'type': 'ack', 'endpoint': 'endpoint', 'version': 'endpoint'} +ping {'type': 'data-message', 'topic': '/test/pings/', '@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'count', 'data': 1}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'ping'}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'fourty-two'}, {'@data-type': 'count', 'data': 42}]}, {'@data-type': 'vector', 'data': [{'@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'timestamp', 'data': '1970-01-01T01:42:42'}]}]}]}]} +pong {'type': 'data-message', 'topic': '/test/pongs/', '@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'count', 'data': 1}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'pong'}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'fourty-two fourty-two'}, {'@data-type': 'count', 'data': 84}]}, {'@data-type': 'vector', 'data': [{'@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'timestamp', 'data': '1970-01-01T01:42:42.000'}]}]}]}]} diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata..stderr b/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata..stderr new file mode 100644 index 0000000000..49d861c74c --- /dev/null +++ b/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata..stderr @@ -0,0 +1 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata.out b/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata.out new file mode 100644 index 0000000000..976973e17e --- /dev/null 
+++ b/testing/btest/Baseline/cluster.websocket.metadata/..client-metadata.out @@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +Connected! +ack {'type': 'ack', 'endpoint': 'endpoint', 'version': 'endpoint'} +ping {'type': 'data-message', 'topic': '/test/pings/', '@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'count', 'data': 1}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'ping'}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'fourty-two'}, {'@data-type': 'count', 'data': 42}]}]}]} +pong {'type': 'data-message', 'topic': '/test/pongs/', '@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'count', 'data': 1}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'pong'}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'fourty-two fourty-two'}, {'@data-type': 'count', 'data': 84}]}, {'@data-type': 'vector', 'data': [{'@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'timestamp', 'data': '1970-01-01T01:18:31.000'}]}]}]}]} diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..client-no-metadata..stderr b/testing/btest/Baseline/cluster.websocket.metadata/..client-no-metadata..stderr new file mode 100644 index 0000000000..49d861c74c --- /dev/null +++ b/testing/btest/Baseline/cluster.websocket.metadata/..client-no-metadata..stderr @@ -0,0 +1 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..client-no-metadata.out b/testing/btest/Baseline/cluster.websocket.metadata/..client-no-metadata.out new file mode 100644 index 0000000000..6cd8af058e --- /dev/null +++ b/testing/btest/Baseline/cluster.websocket.metadata/..client-no-metadata.out 
@@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +Connected! +ack {'type': 'ack', 'endpoint': 'endpoint', 'version': 'endpoint'} +ping {'type': 'data-message', 'topic': '/test/pings/', '@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'count', 'data': 1}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'ping'}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'fourty-two'}, {'@data-type': 'count', 'data': 42}]}]}]} +pong {'type': 'data-message', 'topic': '/test/pongs/', '@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'count', 'data': 1}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'pong'}, {'@data-type': 'vector', 'data': [{'@data-type': 'string', 'data': 'fourty-two fourty-two'}, {'@data-type': 'count', 'data': 84}]}]}]} diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata-from-client..stderr b/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata-from-client..stderr new file mode 100644 index 0000000000..ad8891b254 --- /dev/null +++ b/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata-from-client..stderr @@ -0,0 +1,2 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +, line 1: received termination signal diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata-from-client.out b/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata-from-client.out new file mode 100644 index 0000000000..07b0900c71 --- /dev/null +++ b/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata-from-client.out 
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Cluster::websocket_client_added, [/test/pongs/, /zeek/wstest/ws1/]
+ping: fourty-two, 42 (metadata=[[id=EventMetadata::NETWORK_TIMESTAMP, val=6162.0]]), sending pong...
+Cluster::websocket_client_lost
diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata..stderr b/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata..stderr
new file mode 100644
index 0000000000..ad8891b254
--- /dev/null
+++ b/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata..stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+, line 1: received termination signal
diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata.out b/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata.out
new file mode 100644
index 0000000000..bd0e5c02a5
--- /dev/null
+++ b/testing/btest/Baseline/cluster.websocket.metadata/..manager-metadata.out
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Cluster::websocket_client_added, [/test/pongs/, /zeek/wstest/ws1/]
+ping: fourty-two, 42 (metadata=[]), sending pong...
+Cluster::websocket_client_lost
diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..manager-no-metadata..stderr b/testing/btest/Baseline/cluster.websocket.metadata/..manager-no-metadata..stderr
new file mode 100644
index 0000000000..e3f6131b1d
--- /dev/null
+++ b/testing/btest/Baseline/cluster.websocket.metadata/..manager-no-metadata..stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+received termination signal
diff --git a/testing/btest/Baseline/cluster.websocket.metadata/..manager-no-metadata.out b/testing/btest/Baseline/cluster.websocket.metadata/..manager-no-metadata.out
new file mode 100644
index 0000000000..bd0e5c02a5
--- /dev/null
+++ b/testing/btest/Baseline/cluster.websocket.metadata/..manager-no-metadata.out
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Cluster::websocket_client_added, [/test/pongs/, /zeek/wstest/ws1/]
+ping: fourty-two, 42 (metadata=[]), sending pong...
+Cluster::websocket_client_lost
diff --git a/testing/btest/cluster/websocket/bad-event-args.zeek b/testing/btest/cluster/websocket/bad-event-args.zeek
index ae72dfdbb6..f9ecd042de 100644
--- a/testing/btest/cluster/websocket/bad-event-args.zeek
+++ b/testing/btest/cluster/websocket/bad-event-args.zeek
@@ -105,7 +105,7 @@ def run(ws_url):
 # This should be good ping(string, count)
 ws.send(json.dumps(make_ping([{"@data-type": "string", "data": "Hello"}, {"@data-type": "count", "data": 42}])))
 pong = json.loads(ws.recv())
- name, args, _ = pong["data"][2]["data"]
+ name, args = pong["data"][2]["data"]
 print("pong", name, args)
 # This one fails again
diff --git a/testing/btest/cluster/websocket/metadata.zeek b/testing/btest/cluster/websocket/metadata.zeek
new file mode 100644
index 0000000000..dca18a41a1
--- /dev/null
+++ b/testing/btest/cluster/websocket/metadata.zeek
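Review bot: The tightened unpack `name, args = pong["data"][2]["data"]` now makes a three-element payload fail with a ValueError traceback rather than a readable assertion, and nothing in the hunk says that the two-element shape is itself the thing being checked. Since the NEWS entry later in this series states that events no longer carry an empty metadata array when there is none, a comment on the line above would let the intent survive the next refactor: `# No metadata on this event, so the pong payload is exactly [name, args]`. run() begins before the hunk and continues after it.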
@@ -0,0 +1,121 @@
+# @TEST-DOC: Run a single node cluster (manager) with a websocket server and have a single client connect to check the metadata it receives.
+#
+# @TEST-REQUIRES: have-zeromq
+# @TEST-REQUIRES: python3 -c 'import websockets.sync'
+#
+# @TEST-GROUP: cluster-zeromq
+#
+# @TEST-PORT: XPUB_PORT
+# @TEST-PORT: XSUB_PORT
+# @TEST-PORT: LOG_PULL_PORT
+# @TEST-PORT: WEBSOCKET_PORT
+#
+# @TEST-EXEC: cp $FILES/zeromq/cluster-layout-simple.zeek cluster-layout.zeek
+# @TEST-EXEC: cp $FILES/zeromq/test-bootstrap.zeek zeromq-test-bootstrap.zeek
+# @TEST-EXEC: cp $FILES/ws/wstest.py .
+#
+# @TEST-EXEC: zeek -b --parse-only manager.zeek
+# @TEST-EXEC: python3 -m py_compile client.py
+#
+# @TEST-EXEC: btest-bg-run manager-no-metadata "ZEEKPATH=$ZEEKPATH:.. && CLUSTER_NODE=manager zeek -b ../manager.zeek >out"
+# @TEST-EXEC: btest-bg-run client-no-metadata "python3 ../client.py >out"
+#
+# @TEST-EXEC: btest-bg-wait 30
+# @TEST-EXEC: btest-diff ./manager-no-metadata/out
+# @TEST-EXEC: btest-diff ./manager-no-metadata/.stderr
+# @TEST-EXEC: btest-diff ./client-no-metadata/out
+# @TEST-EXEC: btest-diff ./client-no-metadata/.stderr
+#
+# @TEST-EXEC: btest-bg-run manager-metadata "ZEEKPATH=$ZEEKPATH:.. && CLUSTER_NODE=manager zeek -b ../manager.zeek EventMetadata::add_network_timestamp=T >out"
+# @TEST-EXEC: btest-bg-run client-metadata "python3 ../client.py >out"
+#
+# @TEST-EXEC: btest-bg-wait 30
+# @TEST-EXEC: btest-diff ./manager-metadata/out
+# @TEST-EXEC: btest-diff ./manager-metadata/.stderr
+# @TEST-EXEC: btest-diff ./client-metadata/out
+# @TEST-EXEC: btest-diff ./client-metadata/.stderr
+#
+# @TEST-EXEC: btest-bg-run manager-metadata-from-client "ZEEKPATH=$ZEEKPATH:.. 
&& CLUSTER_NODE=manager zeek -b ../manager.zeek EventMetadata::add_network_timestamp=T >out"
+# @TEST-EXEC: btest-bg-run client-metadata-from-client "NETWORK_TIMESTAMP=1970-01-01T01:42:42 python3 ../client.py >out"
+
+# @TEST-EXEC: btest-bg-wait 30
+# @TEST-EXEC: btest-diff ./manager-metadata-from-client/out
+# @TEST-EXEC: btest-diff ./manager-metadata-from-client/.stderr
+# @TEST-EXEC: btest-diff ./client-metadata-from-client/out
+# @TEST-EXEC: btest-diff ./client-metadata-from-client/.stderr
+
+ # @TEST-START-FILE manager.zeek
+@load ./zeromq-test-bootstrap
+redef exit_only_after_terminate = T;
+
+redef allow_network_time_forward = F;
+
+global ping: event(msg: string, c: count) &is_used;
+global pong: event(msg: string, c: count) &is_used;
+
+event zeek_init()
+ {
+ set_network_time(double_to_time(4711.0));
+
+ Cluster::subscribe("/test/pings/");
+ Cluster::listen_websocket([$listen_addr=127.0.0.1, $listen_port=to_port(getenv("WEBSOCKET_PORT"))]);
+ }
+
+event ping(msg: string, n: count) &is_used
+ {
+ print fmt("ping: %s, %s (metadata=%s), sending pong...", msg, n, EventMetadata::current_all());
+ Cluster::publish("/test/pongs/", pong, msg + " " + msg, n + n);
+ }
+
+event Cluster::websocket_client_added(info: Cluster::EndpointInfo, subscriptions: string_vec)
+ {
+ print "Cluster::websocket_client_added", subscriptions;
+ }
+
+event Cluster::websocket_client_lost(info: Cluster::EndpointInfo, code: count, reason: string)
+ {
+ print "Cluster::websocket_client_lost";
+ terminate();
+ }
+# @TEST-END-FILE
+
+
+# @TEST-START-FILE client.py
+import os
+import wstest
+
+def run(ws_url):
+ with wstest.connect("ws1", ws_url) as c:
+ print("Connected!")
+ ack = c.hello_v1(["/test/pongs/"])
+ assert "type" in ack
+ assert ack["type"] == "ack"
+ assert "endpoint" in ack
+ assert "version" in ack
+
+ ack["endpoint"] = "endpoint"
+ ack["version"] = "endpoint"
+ print("ack", ack)
+ ping = wstest.build_event_v1("/test/pings/", "ping", ["fourty-two", 42])
+
+ if ts_str := 
os.environ.get("NETWORK_TIMESTAMP"):
+ # Sneak timestamp metadata into the ping if the env variable is set
+ ping["data"][2]["data"] += [{
+ "@data-type": "vector",
+ "data": [{
+ "@data-type": "vector", "data": [
+ {"@data-type": "count", "data": 1},
+ {"@data-type": "timestamp", "data": ts_str}
+ ],
+ }]
+ }]
+
+ print("ping", ping)
+ c.send_json(ping)
+ pong = c.recv_json()
+ print("pong", pong)
+
+if __name__ == "__main__":
+ wstest.main(run, wstest.WS4_URL_V1)
+# @TEST-END-FILE
From 53b88d33b6c3c22fcb72d0f952f2e1e1537d788e Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 25 Aug 2025 12:30:33 -0700
Subject: [PATCH 21/27] Bump zeekctl submodule for MetricsAddr docs
---
 auxil/zeekctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auxil/zeekctl b/auxil/zeekctl
index 93459b37c3..de6b849653 160000
--- a/auxil/zeekctl
+++ b/auxil/zeekctl
@@ -1 +1 @@
-Subproject commit 93459b37c3deab4bec9e886211672024fa3e4759
+Subproject commit de6b849653a19aff22b2a7b08be572bca48f4994
From 9e66cf873b77dcf8749e77c01d545d6f910cd6a0 Mon Sep 17 00:00:00 2001
From: Christian Kreibich
Date: Thu, 21 Aug 2025 17:10:05 -0700
Subject: [PATCH 22/27] Merge branch 'topic/christian/news-typos'
* topic/christian/news-typos:
Minor fixes to a few NEWS entries.
(cherry picked from commit 2929f1eb175e86799c8926ac8b0f1eeb5c9eac3d)
---
 CHANGES | 11 +++++++++++
 NEWS | 8 ++++----
 VERSION | 2 +-
 3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/CHANGES b/CHANGES
index 496c7c4443..347f581413 100644
--- a/CHANGES
+++ b/CHANGES
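Review bot: The third run (client-metadata-from-client) only pins the accepting path for metadata that a websocket client injects into an event: the manager's `ping` handler prints `EventMetadata::current_all()` unconditionally, and the baseline for that run shows the client-chosen value (`val=6162.0`, i.e. the `NETWORK_TIMESTAMP=1970-01-01T01:42:42` the client was given) surfacing as the event's NETWORK_TIMESTAMP. There is no counterpart for a malformed metadata entry (unknown id, non-timestamp payload), whereas bad-event-args.zeek in this same series covers that boundary for event arguments; a negative run here would document what the server does with peer-supplied metadata it cannot validate. The `@TEST-DOC` line also describes only the receiving direction; `# @TEST-DOC: ... to check the metadata it receives, and that timestamp metadata sent by the client is visible to the manager.` would cover all three runs. The hunk holds the complete new file.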
@@ -1,3 +1,14 @@
+8.0.0-8 | 2025-08-25 12:31:35 -0700
+
+ * Merge branch 'topic/christian/news-typos' (Christian Kreibich, Corelight)
+
+ * topic/christian/news-typos:
+ Minor fixes to a few NEWS entries.
+
+ (cherry picked from commit 2929f1eb175e86799c8926ac8b0f1eeb5c9eac3d)
+
+ * Bump zeekctl submodule for MetricsAddr docs (Tim Wojtulewicz, Corelight)
+
 8.0.0-6 | 2025-08-22 09:25:14 -0700
 * cluster/Backend: Fallback to current network time when current event has not timestamp (Arne Welzel, Corelight)
diff --git a/NEWS b/NEWS
index 128f296047..b282d5ce96 100644
--- a/NEWS
+++ b/NEWS
@@ -288,7 +288,7 @@ New Functionality
 - Zeek now supports extracting the PPPoE session ID. The ``PacketAnalyzer::PPPoE::session_id`` BiF can be used to get the session ID of the current packet.
- The ``onn/pppoe-session-id-logging.zeek`` policy script adds pppoe session IDs to the
+ The ``conn/pppoe-session-id-logging.zeek`` policy script adds pppoe session IDs to the
 connection log. The ``get_conn_stats()`` function's return value now includes the number of packets
@@ -362,7 +362,7 @@ Changed Functionality
 times in X509 certificates as local times.
 - The PPPoE parser now respects the size value given in the PPPoE header. Data
- beyon the size given in the header will be truncated.
+ beyond the size given in the header will be truncated.
 - Record fields with ``&default`` attributes initializing empty ``vector``, ``table`` or ``set`` instances are now deferred until they are accessed, potentially
@@ -754,7 +754,7 @@ New Functionality
 some updates to Zeek's internal DNS resolver due to changes in the c-ares API. At least version v1.28.0 is now required to build Zeek.
- - Python 3.9 is now required for Zeek and all of it's associated subprojects.
+ - Python 3.9 is now required for Zeek and all of its associated subprojects.
 - IP-based connections that were previously not logged due to using an unknown IP protocol (e.g. not TCP, UDP, or ICMP) now appear in conn.log. All conn.log
@@ -845,7 +845,7 @@ New Functionality
 analyzer used for processing the packet when the event is raised. The ``unknown_protocol.log`` file was extended to include this information.
-- The MySQL analyzer now generates a ``mysql_user_change()`` event when the user
+- The MySQL analyzer now generates a ``mysql_change_user()`` event when the user
 changes mid-session via the ``COM_USER_CHANGE`` command.
 - The DNS analyzer was extended to support TKEY RRs (RFC 2390). A corresponding
diff --git a/VERSION b/VERSION
index 78558b1fa4..e115759a9f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-6
+8.0.0-8
From f5d549fe9d57b4eb14ccd6883a61835666e8ebb3 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 25 Aug 2025 19:42:32 +0000
Subject: [PATCH 23/27] Update docs submodule for v8.0.1 [nomail] [skip ci]
---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc b/doc
index cf41c8c234..f2f6889155 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit cf41c8c234995de78045bdd79dfe78f4fa95a896
+Subproject commit f2f68891551733b6ac78a4350dac6da6cff25171
From 708f914524b4a841cded0a558316d71a1f7065a9 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Tue, 26 Aug 2025 08:57:51 -0700
Subject: [PATCH 24/27] Update zeekctl submodule for docs fixes [nomail] [skip ci]
---
 auxil/zeekctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auxil/zeekctl b/auxil/zeekctl
index de6b849653..322ff78626 160000
--- a/auxil/zeekctl
+++ b/auxil/zeekctl
@@ -1 +1 @@
-Subproject commit de6b849653a19aff22b2a7b08be572bca48f4994
+Subproject commit 322ff7862667f7c65c91cfb9e532623327a768fb
From 2f38ff6c877df20c275095cfa9e45f8bbb7423d5 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Tue, 26 Aug 2025 08:59:20 -0700
Subject: [PATCH 25/27] Merge remote-tracking branch 'origin/topic/bbannier/issue-3266'
* origin/topic/bbannier/issue-3266:
Fix installation of symlink with `DESTDIR`
(cherry picked from commit d7db612b0f1f802316ab745e292c03aa3d69c5bd)
---
 CHANGES | 18 ++++++++++++++++++
 VERSION | 2 +-
 testing/CMakeLists.txt | 2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 347f581413..817ea39135 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,21 @@
+8.0.0-11 | 2025-08-26 09:04:29 -0700
+
+ * Fix installation of symlink with `DESTDIR` (Benjamin Bannier, Corelight)
+
+ We install test data which we also make available under an alternative
+ path for backwards compatibility. The installation of this symlink did
+ not take `DESTDIR` installs like used by Zeek's packaging into account
+ which caused installations from packages to behave different from
+ installs from source.
+
+ This patch fixes the symlink to respect a possible `DESTDIR`.
+
+ (cherry picked from commit d7db612b0f1f802316ab745e292c03aa3d69c5bd)
+
+ * Update zeekctl submodule for docs fixes [nomail] [skip ci] (Tim Wojtulewicz, Corelight)
+
+ * Update docs submodule for v8.0.1 [nomail] [skip ci] (Tim Wojtulewicz, Corelight)
+
 8.0.0-8 | 2025-08-25 12:31:35 -0700
 * Merge branch 'topic/christian/news-typos' (Christian Kreibich, Corelight)
diff --git a/VERSION b/VERSION
index e115759a9f..bf82ea0d68 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-8
+8.0.0-11
diff --git a/testing/CMakeLists.txt b/testing/CMakeLists.txt
index f3c12302e4..9d2e26883c 100644
--- a/testing/CMakeLists.txt
+++ b/testing/CMakeLists.txt
@@ -14,7 +14,7 @@ install(
 CODE "execute_process( \
 COMMAND ${CMAKE_COMMAND} -E create_symlink \
 ${ZEEK_CONFIG_BTEST_TOOLS_DIR}/data \
- ${CMAKE_INSTALL_PREFIX}/share/zeek/tests \
+ \$ENV{DESTDIR}/${CMAKE_INSTALL_PREFIX}/share/zeek/tests \
 )")
 install(DIRECTORY scripts/spicy/ DESTINATION ${ZEEK_CONFIG_BTEST_TOOLS_DIR}/data/Scripts
From 56e4dc9247d03c0c48ade567ae0c6433262ad705 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Mon, 18 Aug 2025 16:44:30 +0200
Subject: [PATCH 26/27] Merge remote-tracking branch 'origin/topic/awelzel/4754-follow-up'
* origin/topic/awelzel/4754-follow-up:
cluster/serializer/broker: Drop unused include
cluster/serializer/broker: fixup inconsistent param comment
(cherry picked from commit 9b94e25e6707b2abdfe163d8bb3305edf3f9b201)
---
 CHANGES | 10 ++++++++++
 VERSION | 2 +-
 src/cluster/serializer/broker/Serializer.cc | 4 ++--
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 817ea39135..39b210b3b0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,13 @@
+8.0.0-12 | 2025-08-26 09:47:30 -0700
+
+ * cluster/serializer/broker: Drop unused include (Arne Welzel, Corelight)
+
+ (cherry picked from commit 9b94e25e6707b2abdfe163d8bb3305edf3f9b201)
+
+ * cluster/serializer/broker: fixup inconsistent param comment (Arne Welzel, Corelight)
+
+ (cherry picked from commit 9b94e25e6707b2abdfe163d8bb3305edf3f9b201)
+
 8.0.0-11 | 2025-08-26 09:04:29 -0700
 * Fix installation of symlink with `DESTDIR` (Benjamin Bannier, Corelight)
diff --git a/VERSION b/VERSION
index bf82ea0d68..5cfe27016b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-11
+8.0.0-12
diff --git a/src/cluster/serializer/broker/Serializer.cc b/src/cluster/serializer/broker/Serializer.cc
index 2dfa5cde49..38c66a0189 100644
--- a/src/cluster/serializer/broker/Serializer.cc
+++ b/src/cluster/serializer/broker/Serializer.cc
@@ -2,6 +2,7 @@
 #include "zeek/cluster/serializer/broker/Serializer.h"
+#include
 #include
 #include "zeek/DebugLogger.h"
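Review bot: The added line `\$ENV{DESTDIR}/${CMAKE_INSTALL_PREFIX}/share/zeek/tests \` puts a separator between DESTDIR and an absolute CMAKE_INSTALL_PREFIX, so the link location always carries a doubled slash (`//usr/local/...` when DESTDIR is unset); the conventional spelling concatenates directly, `\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/share/zeek/tests \`. The symlink target on the line above is deliberately left un-staged, which is right because it must resolve at runtime rather than inside the staging tree, but that asymmetry is easy to "fix" by mistake later and deserves a comment above the `execute_process` call such as `# Only the link path is staged under DESTDIR; the target must be the final install location.`. The enclosing install(CODE ...) call opens just before the hunk (its name is the hunk's function context) and the file continues after it.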
@@ -14,7 +15,6 @@
 #include "zeek/broker/Data.h"
 #include "zeek/cluster/Event.h"
-#include "broker/data.bif.h"
 #include "broker/data_envelope.hh"
 #include "broker/error.hh"
 #include "broker/format/json.hh"
@@ -59,7 +59,7 @@ std::optional detail::to_broker_event(const zeek::cluster::
 xs.reserve(ev.Args().size());
 for ( const auto& a : ev.Args() ) {
- if ( auto res = zeek::Broker::detail::val_to_data(a.get(), /*flatten_broker_dataval=*/true) )
+ if ( auto res = zeek::Broker::detail::val_to_data(a.get(), /*unwrap_broker_data=*/true) )
 xs.emplace_back(std::move(res.value()));
 else
 return std::nullopt;
From 9458ebdd398e0414e83bc02fd3c636485c97292a Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Tue, 26 Aug 2025 17:58:37 +0000
Subject: [PATCH 27/27] Update CHANGES, VERSION, and NEWS for v8.0.1
---
 CHANGES | 4 ++++
 NEWS | 28 ++++++++++++++++++++++++++++
 VERSION | 2 +-
 3 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 39b210b3b0..4ae920e305 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+8.0.1 | 2025-08-26 17:58:37 +0000
+
+ * Update CHANGES, VERSION, and NEWS for v8.0.1 (Tim Wojtulewicz, Corelight)
+
 8.0.0-12 | 2025-08-26 09:47:30 -0700
 * cluster/serializer/broker: Drop unused include (Arne Welzel, Corelight)
diff --git a/NEWS b/NEWS
index b282d5ce96..4b1357a4c7 100644
--- a/NEWS
+++ b/NEWS
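Review bot: The renamed argument comment `/*unwrap_broker_data=*/true` on the added line has no tie to the actual parameter name of `val_to_data`, so it can drift again exactly as `flatten_broker_dataval` did; this is precisely what the clang-tidy check `bugprone-argument-comment` verifies, and enabling it for this directory would turn the next mismatch into a build-time warning rather than a follow-up commit. If that is too broad a change, a named constant at the call site, `constexpr bool unwrap_broker_data = true;` followed by `val_to_data(a.get(), unwrap_broker_data)`, documents the flag without relying on an unchecked comment. `to_broker_event` begins before the hunk and its body continues after the final `return std::nullopt;`.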
@@ -3,6 +3,34 @@ This document summarizes the most important changes in the current Zeek
 release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as Broker, come with their own ``CHANGES``.)
+Zeek 8.0.1
+==========
+
+We would like to thank Fupeng Zhao (@AmazingPP), Mike Dopheide (@dopheide-esnet), and
+@DigiAngel for their contributions to this release.
+
+- The official Zeek docker images are now based on Debian 13.0 (trixie).
+
+- Cluster data passed via websockets was previously double-wrapping Broker data records,
+ leading to decoding issues. This is now resolved.
+
+- Cluster events will no longer pass empty arrays for metadata if there was no metadata
+ for the event.
+
+- The PostgreSQL analyzer now only reports login success after a ``ReadyForQuery`` message
+ is received.
+
+- Zeekctl added a new ``MetricsAddr`` address to override the address that the telemetry
+ uses to communicate to Prometheus. It defaults to ``0.0.0.0`` and the documentation
+ describes how to override it.
+
+- Zeekctl added documentation for the ``MetricsPort`` option used to control what ports
+ the telemetry framework listens on to communicate with Prometheus. It describes how
+ the range is chosen, as well as how to override it.
+
+- The deprecation warning for the ``zeek::Event`` should be more clear as to what action
+ plugin authors need to take.
+
 Zeek 8.0.0
 ==========
diff --git a/VERSION b/VERSION
index 5cfe27016b..cd1d2e94f3 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-8.0.0-12
+8.0.1