This repository has been archived by the owner on Apr 1, 2024. It is now read-only.
Change format of rules output by print-types.zeek #6
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
they were previously like this:
{"_path": "http", "descriptor": "conn_log"}
and are now like this:
{"name": "_path", "value": "http", "descriptor": "conn_log"}
which is easier to validate and handle programmatically.
|
(The types.json that is stored in https://github.com/brimsec/zq already reflects this change.) |
philrz
approved these changes
Mar 25, 2020
nwt
pushed a commit
that referenced
this pull request
Apr 24, 2020
…cket An attacker can make Zeek crash by posting the KEX packet twice, which will result in an assertion failure in binpac::datastring::init(): #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007ffff5196535 in __GI_abort () at abort.c:79 #2 0x00007ffff519640f in __assert_fail_base (fmt=0x7ffff52f86e0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x1d33530 "!data_", file=0x1d33537 "aux/binpac/lib/binpac_bytestring.h", line=108, function=<optimized out>) at assert.c:92 #3 0x00007ffff51a3b92 in __GI___assert_fail (assertion=0x1d33530 "!data_", file=0x1d33537 "aux/binpac/lib/binpac_bytestring.h", line=108, function=0x1d3356c "void binpac::datastring<unsigned char>::init(const T *, int) [T = unsigned char]") at assert.c:101 #4 0x0000000000c1e970 in binpac::datastring<unsigned char>::init (this=0x608000d609d0, begin=0x603001bdd1d0 "diffie-hellman-group16-sha512", length=29) at aux/binpac/lib/binpac_bytestring.h:108 #5 0x0000000000e9ab60 in binpac::SSH::SSH_Conn::update_kex (this=0x608000d609a0, algs=..., orig=true) at src/analyzer/protocol/ssh/ssh_pac.cc:205 #6 0x0000000000ea0d06 in binpac::SSH::SSH2_KEXINIT::Parse (this=0x60b000734680, t_begin_of_data=0x621000004753 "\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>, t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1598 #7 0x0000000000e9f8f4 in binpac::SSH::SSH2_Message::Parse (this=0x608000d60ea0, t_begin_of_data=0x621000004753 "\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>, t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1326 #8 0x0000000000e9d7e1 in binpac::SSH::SSH2_Key_Exchange::Parse (this=0x604001779850, t_begin_of_data=0x621000004751 "\006\024\200\275\a%\223\023Y8\204t\235\363!\031I.", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>, t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:1210 #9 0x0000000000e9c981 in binpac::SSH::SSH_Key_Exchange::ParseBuffer (this=0x603001bdccc0, t_flow_buffer=0x608000d60a20, t_context=0x603001bdcc90, t_byteorder=0) at src/analyzer/protocol/ssh/ssh_pac.cc:628 #10 0x0000000000e9c26c in binpac::SSH::SSH_PDU::ParseBuffer (this=0x604001779810, t_flow_buffer=0x608000d60a20, t_context=0x603001bdcc90) at src/analyzer/protocol/ssh/ssh_pac.cc:446 #11 0x0000000000ea6f04 in binpac::SSH::SSH_Flow::NewData (this=0x604001774690, t_begin_of_data=0x62100000474d "", t_end_of_data=0x621000004b85 "ޭ\276", <incomplete sequence \357>) at src/analyzer/protocol/ssh/ssh_pac.cc:3071 #12 0x0000000000e9a38f in binpac::SSH::SSH_Conn::NewData (this=0x608000d609a0, is_orig=true, begin=0x62100000474d "", end=0x621000004b85 "ޭ\276", <incomplete sequence \357>) at src/analyzer/protocol/ssh/ssh_pac.cc:63 #13 0x0000000000e98335 in analyzer::SSH::SSH_Analyzer::DeliverStream (this=0x7fffffffdd40, len=1080, data=0x62100000474d "", orig=true) at src/analyzer/protocol/ssh/SSH.cc:68 With assertions turned off, this would "only" be a memory leak. This commit fixes the vulnerability by freeing and clearing the `binpac::datastring` before assigning a new value.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
They were previously like this
{"_path": "http", "descriptor": "conn_log"}and this PR changes them to be like this{"name": "_path", "value": "http", "descriptor": "conn_log"}, which is easier to validate and handle programmatically. The former representation was intended to allow matching rules on multiple fields, but that doesn't seem likely to be a necessary feature any time soon.