Zeek

zeek.org

Detect whether you have a malware-infected computer on your network with this powerful network analysis framework and monitor.

Open Source

Zeek Source Code

Author

zeek

Description

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

#bro#dfir#ndr#network-monitoring#nsm#pcap#security#zeek

Homepage

https://www.zeek.org

License

NOASSERTION

Created

06 Jul 12

Last Updated

03 Jun 26

Latest version

v9.0.0-dev

Primary Language

C++

Size

265,012 KB

Stars

7,692

Forks

1,356

Watchers

7,692

Recent Commits

  • Evan Typanski (03 Jun 26)

    Merge remote-tracking branch 'dxbjavid/nflog-tlv-oob-read' * dxbjavid/nflog-tlv-oob-read: Fix test and format python script for contribution nflog: report bad TLV lengths and add a regression test nflog: fix out-of-bounds read in NFLogAnalyzer::AnalyzePacket

  • Evan Typanski (03 Jun 26)

    Merge remote-tracking branch 'dxbjavid/ayiya-identity-len-truncation' * dxbjavid/ayiya-identity-len-truncation: ayiya: add test for identity length that overflows uint8_t widen ayiya identity_len to avoid uint8_t truncation

  • Evan Typanski (03 Jun 26)

    Merge remote-tracking branch 'dxbjavid/dce-rpc-bind-ack-oob-read' * dxbjavid/dce-rpc-bind-ack-oob-read: Add test for dce-rpc behavior change dce-rpc: fix out-of-bounds read in process_dce_rpc_bind_ack

  • Arne Welzel (03 Jun 26)

    Merge branch 'tcp-window-scale-shift-ub' of https://github.com/dxbjavid/zeek * 'tcp-window-scale-shift-ub' of https://github.com/dxbjavid/zeek: tcp: log TCP_scale_range weird for out-of-range window scale tcp: clamp window_scale to RFC 7323 max to avoid oversized shift

  • Tim Wojtulewicz (03 Jun 26)

    Merge remote-tracking branch 'origin/topic/timw/ci-pass-token-to-github-requests' * origin/topic/timw/ci-pass-token-to-github-requests: CI: Pass token to github requests for labels

  • Tim Wojtulewicz (03 Jun 26)

    CI: Pass token to github requests for labels

  • dxbjavid (03 Jun 26)

    tcp: log TCP_scale_range weird for out-of-range window scale Raise a TCP_scale_range weird with the offending shift count when a SYN carries a window scale above the RFC 7323 max of 14, then clamp to 14 as the RFC prescribes. Add a btest with a pcap whose SYN advertises shift count 255.

  • Johanna Amann (03 Jun 26)

    Merge branch 'fix/ssl-decrypt-oob-read-short-records' of github.com:uwezkhan/zeek * 'fix/ssl-decrypt-oob-read-short-records' of github.com:uwezkhan/zeek: ssl: validate record length before reading AEAD nonce during decryption

  • uwezkhan (03 Jun 26)

    ssl: validate record length before reading AEAD nonce during decryption

  • Benjamin Bannier (03 Jun 26)

    Merge branch 'topic/bbannier/gh-ci-concurrency' [skip ci]

  • Evan Typanski (03 Jun 26)

    Add test for dce-rpc behavior change The pcap was generated by a Claude-generated scapy script.

  • Evan Typanski (03 Jun 26)

    Fix test and format python script for contribution

  • Benjamin Bannier (03 Jun 26)

    Do not run concurrent GH actions workflow for anything but tags [skip ci] While Cirrus CI only cancelled concurrent jobs for the same PR, this goes a step further and cancels existing jobs for anything but tag builds. For `master` this reflects our workflow of pushing individual merges in rapid succession where we only care about the last push. This should free up additional resources so jobs can schedule faster.

  • Johanna Amann (03 Jun 26)

    Merge remote-tracking branch 'origin/topic/johanna/ssl-log-ext-ech' * origin/topic/johanna/ssl-log-ext-ech: Add encrypted_client_hello HPKE KDF and AEAD id to ssl-log-ext

  • Johanna Amann (03 Jun 26)

    Merge remote-tracking branch 'origin/topic/johanna/encrypted-client-hello' * origin/topic/johanna/encrypted-client-hello: Binpac support for the TLS 1.3 encrypted client hello extension Spicy SSL support for the Encrypted Client Hello extension

  • Arne Welzel (03 Jun 26)

    Merge remote-tracking branch 'origin/topic/awelzel/mime-remove-uninitialized-variable' * origin/topic/awelzel/mime-remove-uninitialized-variable: MIME: Fix mime_content_hash_sha256 and remove unused variable

  • Arne Welzel (03 Jun 26)

    Merge remote-tracking branch 'origin/topic/awelzel/cifuzz-nightly-only' * origin/topic/awelzel/cifuzz-nightly-only: github/workflows: Switch cifuzz to run nightly

  • Arne Welzel (03 Jun 26)

    Merge remote-tracking branch 'origin/topic/awelzel/asan-cluster-tests-timeouts' * origin/topic/awelzel/asan-cluster-tests-timeouts: testing/btest: Skip large-cluster under ASAN, bump some timeouts

  • Benjamin Bannier (03 Jun 26)

    Automatically cancel existing GH CI workflows on PR update Previously we would run all GH actions CI workflows to completion, even if the PR was updated and another run was started. Since we only have a limited number of workers available this causes contention across the whole GH org. It is also inconsistent with how Cirrus CI behaved, so people are not at all conscious about cancelling outdated jobs. This PR changes the configuration of all workflows which trigger for pull requests to automatically cancel existing jobs on updates, mirroring the behavior of Cirrus CI.

  • Johanna Amann (02 Jun 26)

    Add encrypted_client_hello HPKE KDF and AEAD id to ssl-log-ext This commit adds two new cryptographic values from the TLS 1.3 encrypted client hello extension to the ssl-log-ext policy script. This commit was partially authored by Claude Opus 4.7 J: Lines starting with "JJ:" (like this one) will be removed.

  • Johanna Amann (20 May 26)

    Binpac support for the TLS 1.3 encrypted client hello extension This commit was mostly authored by Claude Opus 4.7

  • Arne Welzel (03 Jun 26)

    testing/btest: Skip large-cluster under ASAN, bump some timeouts Saw these failing on Circle CI in the ASAN build and figured 5 and 10 seconds might be a bit too short and the large-cluster test seems fine to just skip under ASAN.

  • Johanna Amann (20 May 26)

    Spicy SSL support for the Encrypted Client Hello extension

  • Christian Kreibich (02 Jun 26)

    Merge branch 'topic/timw/update-btest-submodule' * topic/timw/update-btest-submodule: Update btest submodule for unstable-junit changes

  • Evan Typanski (02 Jun 26)

    Merge remote-tracking branch 'origin/topic/etyp/flush-all-news-move' * origin/topic/etyp/flush-all-news-move: Move `Log::flush_all` and pcapng source NEWS

  • Arne Welzel (01 Jun 26)

    MIME: Fix mime_content_hash_sha256 and remove unused variable Local fuzzing with ubsan tickled an integer overflow for content_hash_length_sha256 due to the variable never being initialized in the first place. It also hadn't actually been used and there was a bug for mime_content_hash_sha256 receiving content_hash_length, but that one only being updated when mime_content_hash was in use. So, just use the one single content_hash_length for both and add a test for the different combinations of event usages.

  • Tim Wojtulewicz (02 Jun 26)

    Merge remote-tracking branch 'origin/topic/timw/ci-set-windows-vsinstalldir' * origin/topic/timw/ci-set-windows-vsinstalldir: CI: Set VSINSTALLDIR for Circle Windows builds

  • Tim Wojtulewicz (02 Jun 26)

    CI: Set VSINSTALLDIR for Circle Windows builds

  • Arne Welzel (02 Jun 26)

    github/workflows: Switch cifuzz to run nightly This was added originally to ensure we don't break fuzzers unknowingly. It doesn't need to run on every PR push or merge. Every night should be fine.

  • Johanna Amann (02 Jun 26)

    Merge remote-tracking branch 'origin/topic/johanna/ai-policy' * origin/topic/johanna/ai-policy: Add AI Usage Policy

Zeek Website

Website

The Zeek Network Security Monitor

Zeek (formerly Bro) is the world’s leading platform for network security monitoring. Flexible, open source, and powered by defenders.

Redirects

Redirects to https://zeek.org/

Security Checks

All 66 security checks passed

Server Details

  • IP Address 192.0.78.150
  • Location San Francisco, California, United States of America, NA
  • ISP Automattic Inc
  • ASN AS2635

Associated Countries

  • US

Safety Score

Website marked as safe

100%

Blacklist Check

zeek.org was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort

About the Data: Zeek

API

You can access Zeek's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/networking/self-hosted-network-security/zeek

The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.
