If you are wondering where the data of this site comes from, please visit https://api.github.com/users/Neverlord/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.

zeek/broker 51

Zeek's Messaging Library

inetrg/vslab-caf 1

Scaffold for practical exercise with CAF

glvi/actor-framework 0

An Open Source Implementation of the Actor Model in C++

inetrg/vs-cpp 0

Accompanying material for the VS (distributed systems) lecture

jssmith/cale 0

C++ Actor Log Engine

Neverlord/bro 0

Bro is a powerful network analysis framework that is much different from the typical IDS you may know. Official mirror of git.bro.org/bro.git .

Neverlord/cppusergroup 0

dojo source from the C++ Usergroup Hamburg

push event zeek/zeek

Vern Paxson

commit sha dbe46fa90662643d0d1a665d0bc691745add4962

gearing up for multiple compilation units


Vern Paxson

commit sha ccc9163ac9e0d24376bcff4086cea5898525f0f2

hooks for add-C++


Vern Paxson

commit sha 2aa599f1ff15114b28f40aac0dd686b58e88b5d2

add-C++ now fully functional


push time in 15 minutes

push event zeek/zeek

Tim Wojtulewicz

commit sha 82d14096d6af726b0042bd683d16b5607b3d85ee

Trying to fix the build on LGTM


push time in 22 minutes

delete branch zeek/zeek

delete branch : topic/seth/ntlm-fixes

delete time in an hour

delete branch zeek/zeek

delete branch : topic/seth/linux-cooked

delete time in an hour

delete branch zeek/zeek

delete branch : sethhall-fix-ssl-files-warning

delete time in an hour

delete branch zeek/zeek

delete branch : topic/seth/github-ident-flex

delete time in an hour

delete branch zeek/zeek

delete branch : topic/seth/more-file-type-ident

delete time in an hour

delete branch zeek/zeek

delete branch : topic/seth/config-reader-musl-support

delete time in an hour

delete branch zeek/zeek

delete branch : topic/seth/zeek-script-args

delete time in an hour

delete branch zeek/zeek

delete branch : topic/seth/make-cluster-port-optional

delete time in an hour

delete branch zeek/zeek

delete branch : topic/seth/plugin-dir

delete time in an hour

Pull request review comment zeek/zeek

Option to build external plugins directly into Zeek

 void Manager::LoadScriptsForStaticPlugins() 	{ 	for ( const auto& p : Manager::ActivePlugins() ) 		{-		if ( p->DynamicPlugin() )+		if ( p->DynamicPlugin() || p->Name() == "" )
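Review bot: the added `p->Name() == ""` test compares against a temporary string; `p->Name().empty()` says the same thing more directly and is the idiom used elsewhere for std::string emptiness, so `if ( p->DynamicPlugin() || p->Name().empty() )` would read better.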

Changed

sethhall

comment created time in an hour

push event zeek/zeek

Seth Hall

commit sha 818deb98d2775dd6d923e5d70711d86a0b710593

Minor nit change for Tim


push time in an hour

Pull request review comment zeek/zeek

Option to build external plugins directly into Zeek

 foreach (plugin_dir ${BUILTIN_PLUGIN_LIST})     add_subdirectory(${plugin_dir} ${CMAKE_CURRENT_BINARY_DIR}/plugins/${plugin_name}) endforeach () +# Write the preload Zeek script for static plugins.+file(GLOB STATIC_PLUGIN_PRELOADS CONFIGURE_DEPENDS "${CMAKE_BINARY_DIR}/scripts/plugins/*/__preload__.zeek")+file(WRITE ${CMAKE_BINARY_DIR}/scripts/plugins/__preload__.zeek "# Warning, this is an autogenerated file!\n")+foreach (static_preload_script ${STATIC_PLUGIN_PRELOADS})+    string(REPLACE ${CMAKE_BINARY_DIR}/scripts/ "" load_script ${static_preload_script})+    file(APPEND ${CMAKE_BINARY_DIR}/scripts/plugins/__preload__.zeek "@load ${load_script}\n")+endforeach ()+
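Review bot: the `file(GLOB ... CONFIGURE_DEPENDS "${CMAKE_BINARY_DIR}/scripts/plugins/*/__preload__.zeek")` walks the build tree rather than `BUILTIN_PLUGIN_LIST`, so a `__preload__.zeek` left behind in the build directory by a plugin that has since been dropped from the list (or by a checkout of another branch) still receives an `@load` line in the generated preload script; building the list from the plugin directories iterated in the `foreach (plugin_dir ...)` loop above, or removing stale `scripts/plugins/*` entries before the glob, would avoid loading scripts for plugins that are no longer compiled in. On the same loop, the `add_subdirectory` call uses `${plugin_name}` while the loop variable is `plugin_dir`; if `plugin_name` is derived from `plugin_dir` inside the loop that is fine, but it is not visible in this hunk.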

There is a line just above that does WRITE which truncates the file to place the line that says the file is autogenerated.

sethhall

comment created time in 2 hours

push event zeek/zeek

Seth Hall

commit sha 8aa3367e7ade55ddb14291c2ee66f35009d85ac0

Install the static plugin preload file


push time in 2 hours

Pull request review comment zeek/zeek

Option to build external plugins directly into Zeek

 void Manager::LoadScriptsForStaticPlugins() 	{ 	for ( const auto& p : Manager::ActivePlugins() ) 		{-		if ( p->DynamicPlugin() )+		if ( p->DynamicPlugin() || p->Name() == "" )
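Review bot: the new `|| p->Name() == ""` branch skips unnamed plugins without saying which plugins have an empty `Name()` or why their scripts must not be loaded here alongside dynamic plugins; a one-line comment above the `if` stating that case would keep the next reader from treating the empty name as a bug.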

I'd prefer p->Name().empty().

sethhall

comment created time in 2 hours

Pull request review comment zeek/zeek

Option to build external plugins directly into Zeek

 foreach (plugin_dir ${BUILTIN_PLUGIN_LIST})     add_subdirectory(${plugin_dir} ${CMAKE_CURRENT_BINARY_DIR}/plugins/${plugin_name}) endforeach () +# Write the preload Zeek script for static plugins.+file(GLOB STATIC_PLUGIN_PRELOADS CONFIGURE_DEPENDS "${CMAKE_BINARY_DIR}/scripts/plugins/*/__preload__.zeek")+file(WRITE ${CMAKE_BINARY_DIR}/scripts/plugins/__preload__.zeek "# Warning, this is an autogenerated file!\n")+foreach (static_preload_script ${STATIC_PLUGIN_PRELOADS})+    string(REPLACE ${CMAKE_BINARY_DIR}/scripts/ "" load_script ${static_preload_script})+    file(APPEND ${CMAKE_BINARY_DIR}/scripts/plugins/__preload__.zeek "@load ${load_script}\n")+endforeach ()+
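Review bot: the path arguments in `file(WRITE ${CMAKE_BINARY_DIR}/scripts/plugins/__preload__.zeek ...)`, `file(APPEND ...)` and `string(REPLACE ${CMAKE_BINARY_DIR}/scripts/ "" load_script ${static_preload_script})` are unquoted, so a build directory whose path contains a space splits into several arguments; in `string(REPLACE)` that shifts the `<replace>` and `<output-variable>` positions and silently produces wrong `@load` lines. Quoting them as `"${CMAKE_BINARY_DIR}/scripts/"` (the glob pattern on the line above is already quoted) closes that gap.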

Does this fully-overwrite this file every time CMake runs? Say, if you switch branches or update a submodule?

sethhall

comment created time in 2 hours

push event zeek/zeek

Seth Hall

commit sha f897408dbeac456c9c2bfee949b9473bad9a9997

Fix a small bug (compile error)


push time in 2 hours

issue comment actor-framework/actor-framework

Link errors building hello_world sample with clang 5

Thanks. It looks like you are testing clang 7 and 8 in CI. We are testing clang 6 through 10 in CI for the Conan Center package.

sourcedelica

comment created time in 2 hours

pull request comment zeek/zeek

Option to build external plugins directly into Zeek

Ok, now plugins with events defined that use script-land defined types work correctly. I had to shuffle around how the dependency loading works so that __preload__.zeek scripts are loaded before bif script definitions are loaded.

sethhall

comment created time in 3 hours

push event zeek/zeek

Seth Hall

commit sha 99de2f070399f866a153719a347bc695111533cb

Minor code clean up


push time in 4 hours

push event zeek/zeek

Seth Hall

commit sha 9667528238a523f8bcec5208d347ea19be984b7e

Fix up plugin loading that has to load types for Bifs. If a plugin had a bif file with event definitions that used script land defined types, things weren't loading in the correct order. Now, cmake is building a script that loads all of the __preload__.zeek scripts and loading it in the init-frameworks-and-bifs.zeek script so that it loads before all of the bif definitions load.


push time in 4 hours

issue comment zeek/zeek

Check openssl 3.0 compatibility

In absolutely shocking news, Zeek compiles against the current alpha (alpha 12). We get a couple of deprecation warnings, though, that I will try to fix:

[985/1176] Building CXX object src/file_analysis/analyzer/x509/CMakeFiles/plugin-Zeek-X509.dir/X509.cc.o
../src/file_analysis/analyzer/x509/X509.cc:211:17: warning: 'EVP_PKEY_get0_RSA' is deprecated [-Wdeprecated-declarations]
                        RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
                                     ^
/Users/johanna/bro/install-ossl/include/openssl/evp.h:1254:1: note: 'EVP_PKEY_get0_RSA' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0
^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^
../src/file_analysis/analyzer/x509/X509.cc:211:4: warning: 'RSA_get0_key' is deprecated [-Wdeprecated-declarations]
                        RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
                        ^
/Users/johanna/bro/install-ossl/include/openssl/rsa.h:218:1: note: 'RSA_get0_key' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0 void RSA_get0_key(const RSA *r,
^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^
../src/file_analysis/analyzer/x509/X509.cc:463:34: warning: 'EVP_PKEY_get0_EC_KEY' is deprecated [-Wdeprecated-declarations]
        if ( (group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key))) == NULL )
                                        ^
/Users/johanna/bro/install-ossl/include/openssl/evp.h:1278:1: note: 'EVP_PKEY_get0_EC_KEY' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0
^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^
../src/file_analysis/analyzer/x509/X509.cc:463:16: warning: 'EC_KEY_get0_group' is deprecated [-Wdeprecated-declarations]
        if ( (group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key))) == NULL )
                      ^
/Users/johanna/bro/install-ossl/include/openssl/ec.h:1027:1: note: 'EC_KEY_get0_group' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^
../src/file_analysis/analyzer/x509/X509.cc:487:16: warning: 'EVP_PKEY_get0_RSA' is deprecated [-Wdeprecated-declarations]
                RSA_get0_key(EVP_PKEY_get0_RSA(key), &n, NULL, NULL);
                             ^
/Users/johanna/bro/install-ossl/include/openssl/evp.h:1254:1: note: 'EVP_PKEY_get0_RSA' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0
^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^
../src/file_analysis/analyzer/x509/X509.cc:487:3: warning: 'RSA_get0_key' is deprecated [-Wdeprecated-declarations]
                RSA_get0_key(EVP_PKEY_get0_RSA(key), &n, NULL, NULL);
                ^
/Users/johanna/bro/install-ossl/include/openssl/rsa.h:218:1: note: 'RSA_get0_key' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0 void RSA_get0_key(const RSA *r,
^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^
../src/file_analysis/analyzer/x509/X509.cc:492:3: warning: 'DSA_get0_pqg' is deprecated [-Wdeprecated-declarations]
                DSA_get0_pqg(EVP_PKEY_get0_DSA(key), &p, NULL, NULL);
                ^
/Users/johanna/bro/install-ossl/include/openssl/dsa.h:201:1: note: 'DSA_get0_pqg' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0 void DSA_get0_pqg(const DSA *d, const BIGNUM **p,
^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^
../src/file_analysis/analyzer/x509/X509.cc:503:45: warning: 'EVP_PKEY_get0_EC_KEY' is deprecated [-Wdeprecated-declarations]
                const EC_GROUP *group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key));
                                                          ^
/Users/johanna/bro/install-ossl/include/openssl/evp.h:1278:1: note: 'EVP_PKEY_get0_EC_KEY' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0
^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^
../src/file_analysis/analyzer/x509/X509.cc:503:27: warning: 'EC_KEY_get0_group' is deprecated [-Wdeprecated-declarations]
                const EC_GROUP *group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key));
                                        ^
/Users/johanna/bro/install-ossl/include/openssl/ec.h:1027:1: note: 'EC_KEY_get0_group' has been explicitly marked deprecated here
OSSL_DEPRECATEDIN_3_0 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:182:49: note: expanded from macro 'OSSL_DEPRECATEDIN_3_0'
#   define OSSL_DEPRECATEDIN_3_0                OSSL_DEPRECATED(3.0)
                                                ^
/Users/johanna/bro/install-ossl/include/openssl/macros.h:62:52: note: expanded from macro 'OSSL_DEPRECATED'
#     define OSSL_DEPRECATED(since) __attribute__((deprecated))
                                                   ^
9 warnings generated.

There also are a few weird segfaults in tests that I will investigate.

0xxon

comment created time in 7 hours

issue closed zeek/zeek

Telnet analyzer doesn't trigger relevant events after successfully registered for 23/tcp port

Hello all,

I tried to analyze a telnet session via zeek's telnet analyzer. And as the docs mention under Zeek::Login, zeek doesn't activate the analyzer by default:

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

So I registered the 23/tcp port for telnet and enabled the telnet analyzer, but running the script didn't trigger any telnet events.

My script setup: under a telnet script directory there are 2 zeek scripts:

  • __load__.zeek:
@load tuning/json-logs
@load ./main
  • main.zeek:
# Disable all available analyzers initially
redef Analyzer::disable_all=T;

global tel_ports: set[port] = {23/tcp} &redef;

event zeek_init() &priority=5
{
    if (Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, tel_ports) ) {
        print "register telnet";
        if (Analyzer::enable_analyzer(Analyzer::ANALYZER_TELNET) ){
            print "enable telnet analyzer";
        } 
    }
}

## test trigger telnet events
event login_failure(c: connection, user: string, client_user: string, password: string, line: string)
{
    print "e login_fail";
}

event login_success(c: connection, user: string, client_user: string, password: string, line: string)
{
    print "e login_succ";
}

event login_input_line(c: connection, line: string)
{
    print "input line";
}

event login_output_line(c: connection, line: string)
{
    print "output line";
}

event login_terminal(c: connection, terminal: string)
{
    print "login terminal";
}

I put several events according to docs after zeek_init(), and I suppose those events should be triggered if the telnet analyzer is enabled correctly.

The script running result:

  • zeek version: 3.0.12
  • sample pcap: wireshark sample telnet
  • zeek cmd: $ zeek -Cr telnet-cooked.pcap ../../script/telnet/
  • zeek result:
register telnet
enable telnet analyzer

The result only prints out the statements in zeek_init(). It seems to me that the script enabled the telnet analyzer successfully, but none of the relevant events were triggered. I wonder what the issue is?

Thanks and appreciate your help!

closed time in 7 hours

maofeichen

issue comment zeek/zeek

Telnet analyzer doesn't trigger relevant events after successfully registered for 23/tcp port

Hi,

you should be able to figure this out by building a debug build of Zeek, and running it with -B dbd. This will output a (rather verbose) debug.log which will show you which analyzers are attached when.

For telnet, you might just need TCP.

Closing this, since it is not actually a bug in Zeek.

maofeichen

comment created time in 7 hours

Pull request review comment zeek/zeek

Teach Zeekygen to produce source-code-range information

 string redef_indication(const string& from_script) 	                 from_script.c_str()); 	} +std::string normalize_script_path(std::string_view path)+	{+	if ( auto p = plugin_mgr->LookupPluginByPath(path) )+		{+		auto rval = util::detail::normalize_path(path);+		auto prefix = util::SafeBasename(p->PluginDirectory()).result;+		return prefix + "/" + rval.substr(p->PluginDirectory().size() + 1);+		}++	return util::detail::without_zeekpath_component(path);+	}++std::optional<std::string> source_code_range(const zeek::detail::ID* id)+	{+	const auto& type = id->GetType();++	if ( ! type )+		return {};++	// Some object locations won't end up capturing concrete syntax of closing+	// braces on subsequent line -- of course that doesn't have to always be+	// case, but it's true for current code style and the possibility of+	// capturing an extra line of context is not harmful (human reader shouldn't+	// be too confused by it).+	int extra_lines = 0;+	const zeek::detail::Location* loc = &zeek::detail::no_location;++	switch ( type->Tag() ) {+	case TYPE_FUNC:+		{+		const auto& v = id->GetVal();++		if ( v && v->AsFunc()->GetBodies().size() == 1 )+			{+			// Either a function or an event/hook with single body can+			// report that single, contiguous range.
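Review bot: in `normalize_script_path`, `rval.substr(p->PluginDirectory().size() + 1)` assumes that the normalized `rval` still starts with `p->PluginDirectory()` and is strictly longer than it; if `normalize_path` collapses components (`//`, `.`, `..`) that `PluginDirectory()` still contains, or `PluginDirectory()` carries a trailing slash, the offset lands in the middle of a component, and if `rval` ends up shorter than the directory `substr` throws `std::out_of_range`. Normalizing `PluginDirectory()` the same way before taking `.size()` and checking `rval.size() > dir.size()` before slicing would make the prefix strip robust.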

a single, continuous?

jsiwek

comment created time in 8 hours

Pull request review comment zeek/zeek

Teach Zeekygen to produce source-code-range information

 string redef_indication(const string& from_script) 	                 from_script.c_str()); 	} +std::string normalize_script_path(std::string_view path)+	{+	if ( auto p = plugin_mgr->LookupPluginByPath(path) )+		{+		auto rval = util::detail::normalize_path(path);+		auto prefix = util::SafeBasename(p->PluginDirectory()).result;+		return prefix + "/" + rval.substr(p->PluginDirectory().size() + 1);+		}++	return util::detail::without_zeekpath_component(path);+	}++std::optional<std::string> source_code_range(const zeek::detail::ID* id)+	{+	const auto& type = id->GetType();++	if ( ! type )+		return {};++	// Some object locations won't end up capturing concrete syntax of closing+	// braces on subsequent line -- of course that doesn't have to always be+	// case, but it's true for current code style and the possibility of+	// capturing an extra line of context is not harmful (human reader shouldn't+	// be too confused by it).+	int extra_lines = 0;+	const zeek::detail::Location* loc = &zeek::detail::no_location;++	switch ( type->Tag() ) {+	case TYPE_FUNC:+		{+		const auto& v = id->GetVal();++		if ( v && v->AsFunc()->GetBodies().size() == 1 )+			{+			// Either a function or an event/hook with single body can+			// report that single, contiguous range.+			loc = v->AsFunc()->GetBodies()[0].stmts->GetLocationInfo();+			++extra_lines;+			}+		else+			loc = id->GetLocationInfo();+		}+		break;+	case TYPE_ENUM:+		// Fallthrough+	case TYPE_RECORD:+		if ( id->IsType() )+			{+			loc = type->GetLocationInfo();++			if ( zeek::util::ends_with(loc->filename, ".bif.zeek") )+				// Source code won't be availabel to reference, so fall back
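Review bot: `zeek::util::ends_with(loc->filename, ".bif.zeek")` keys the "no source available" fallback off a filename suffix, so a user script that happens to end in `.bif.zeek` would also lose its source range; if the ID or its location carries a more direct marker for generated BIF code that would be safer, otherwise a comment noting the naming convention the check relies on. Also, "availabel" in that comment should read "available", and `++extra_lines` is only bumped in the single-body branch of `TYPE_FUNC`; a short comment saying that multi-body events and hooks deliberately fall back to the declaration's location would make the asymmetry read as intentional.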

availabel -> available

jsiwek

comment created time in 8 hours

issue comment zeek/zeek

Core dump: cloning illegal base Type

No one is working on this issue. So - please go for it.

initconf

comment created time in 8 hours

issue comment zeek/zeek

Telnet analyzer doesn't trigger relevant events after successfully registered for 23/tcp port

Hello all,

I figured out the issue was due to the statement in the script:

redef Analyzer::disable_all=T;

which disables all analyzers initially. If I comment it out, the script is able to trigger the relevant events and prints the output of those "print" statements in the script, such as:

output line
input line
login confused
...

So I assume that there are several fundamental analyzers that must be turned on before analyzing the telnet protocol. I wonder what those analyzers are so I can activate them manually in the script.

Thanks!

maofeichen

comment created time in 11 hours
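One way to get what the comment asks for, as an added example that is neither the reporter's script nor part of Zeek: keep `Analyzer::disable_all = T` and re-enable only the analyzers a Telnet session needs. It assumes, as 0xxon's reply above suggests, that TCP is the only other tagged analyzer the Telnet (Login) analyzer depends on, that the support analyzers Telnet instantiates internally are not covered by `disable_all`, and that the analyzer framework applies `disable_all` in its own `zeek_init` handler at `&priority=5`, so a default-priority handler runs after it and the enable calls are not undone.

```zeek
# Added example, not from the issue or from Zeek's own scripts.
# Start from "everything off" and re-enable only TCP and Telnet.
# Assumption: TCP is the only tagged analyzer Telnet needs underneath it.
redef Analyzer::disable_all = T;

const telnet_ports: set[port] = { 23/tcp } &redef;

# Assumption: the analyzer framework's own zeek_init handler that applies
# disable_all runs at &priority=5, so this default-priority handler runs
# after it and the enable calls below stick.
event zeek_init()
	{
	for ( tag in set(Analyzer::ANALYZER_TCP, Analyzer::ANALYZER_TELNET) )
		{
		if ( ! Analyzer::enable_analyzer(tag) )
			Reporter::error(fmt("could not enable analyzer %s", tag));
		}

	if ( ! Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, telnet_ports) )
		Reporter::error("could not register Telnet ports");
	}

event login_input_line(c: connection, line: string)
	{
	print fmt("%s -> %s input: %s", c$id$orig_h, c$id$resp_h, line);
	}

event login_output_line(c: connection, line: string)
	{
	print fmt("%s -> %s output: %s", c$id$resp_h, c$id$orig_h, line);
	}

event login_failure(c: connection, user: string, client_user: string, password: string, line: string)
	{
	print fmt("login failure for user %s on %s", user, c$id);
	}
```

Run it the same way as the script in the issue (`zeek -Cr telnet-cooked.pcap this.zeek`); if the login events still do not fire, the `-B dbd` debug.log suggested earlier in the thread shows which analyzers actually attach to the 23/tcp connection, which tells you directly whether TCP or Telnet is the one missing.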

issue comment zeek/zeek

Core dump: cloning illegal base Type

Is anyone working on this issue ? If not can I plan to take it up ?

initconf

comment created time in 11 hours