From 011ac442a132a9005e62dfcacf93ba166e08fa4c Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 3 Jun 2021 14:03:21 +0100
Subject: [PATCH] Remove the Stepping Stone analyzer

This commit removes the stepping stone analyzer. It has been deactivated by default since at least Zeek 2.0, is dysfunctional in cluster settings and has a bunch of other issued.

Relates to GH-1573
---
 scripts/base/frameworks/analyzer/main.zeek | 1 -
 scripts/base/init-bare.zeek | 9 -
 src/NetVar.cc | 8 -
 src/NetVar.h | 2 -
 src/RunState.cc | 7 -
 src/analyzer/Manager.cc | 1 -
 src/analyzer/protocol/CMakeLists.txt | 1 -
 .../protocol/stepping-stone/CMakeLists.txt | 9 -
 .../protocol/stepping-stone/Plugin.cc | 22 --
 .../protocol/stepping-stone/SteppingStone.cc | 227 ------------------
 .../protocol/stepping-stone/SteppingStone.h | 91 -------
 .../protocol/stepping-stone/events.bif | 17 --
 .../protocol/tcp/TCPSessionAdapter.cc | 20 --
 src/session/Manager.cc | 2 -
 .../canonified_loaded_scripts.log | 1 -
 .../canonified_loaded_scripts.log | 1 -
 testing/btest/Baseline/plugins.hooks/output | 9 -
 17 files changed, 428 deletions(-)
 delete mode 100644 src/analyzer/protocol/stepping-stone/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/stepping-stone/Plugin.cc
 delete mode 100644 src/analyzer/protocol/stepping-stone/SteppingStone.cc
 delete mode 100644 src/analyzer/protocol/stepping-stone/SteppingStone.h
 delete mode 100644 src/analyzer/protocol/stepping-stone/events.bif

diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek
index 3bfd60bfe6..54ba82178d 100644
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -124,7 +124,6 @@ export {
 ## A set of analyzers to disable by default at startup. The default set
 ## contains legacy analyzers that are no longer supported.
 global disabled_analyzers: set[Analyzer::Tag] = {
- ANALYZER_STEPPINGSTONE,
 ANALYZER_TCPSTATS,
 } &redef;
 }
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 5eb1d4de53..9b04b03039 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -4118,15 +4118,6 @@ type PE::SectionHeader: record { } module GLOBAL; -## Internal to the stepping stone detector. -const stp_delta: interval &redef; - -## Internal to the stepping stone detector. -const stp_idle_min: interval &redef; - -## Internal to the stepping stone detector. -global stp_skip_src: set[addr] &redef; - ## Description of a signature match. ## ## .. zeek:see:: signature_match diff --git a/src/NetVar.cc b/src/NetVar.cc index f2952277f2..9b428c0299 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -157,9 +157,6 @@ int dns_skip_all_auth; int dns_skip_all_addl; int dns_max_queries; -double stp_delta; -double stp_idle_min; - double table_expire_interval; double table_expire_delay; int table_incremental_step; @@ -312,11 +309,6 @@ void init_net_var() dns_skip_all_addl = id::find_val("dns_skip_all_addl")->AsBool(); dns_max_queries = id::find_val("dns_max_queries")->AsCount(); - stp_delta = 0.0; - if ( const auto& v = id::find_val("stp_delta") ) stp_delta = v->AsInterval(); - stp_idle_min = 0.0; - if ( const auto& v = id::find_val("stp_idle_min") ) stp_delta = v->AsInterval(); - orig_addr_anonymization = 0; if ( const auto& id = id::find("orig_addr_anonymization") ) if ( const auto& v = id->GetVal() ) diff --git a/src/NetVar.h b/src/NetVar.h index 0da196d547..b63a9f93b1 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -59,8 +59,6 @@ extern int dns_skip_all_auth; extern int dns_skip_all_addl; extern int dns_max_queries; -extern double stp_delta; -extern double stp_idle_min; extern double table_expire_interval; extern double table_expire_delay; extern int table_incremental_step; diff --git a/src/RunState.cc b/src/RunState.cc index f319330040..ffce8b96fb 100644 --- a/src/RunState.cc +++ b/src/RunState.cc 
@@ -37,7 +37,6 @@ extern "C" { #include "zeek/plugin/Manager.h" #include "zeek/broker/Manager.h" #include "zeek/packet_analysis/Manager.h" -#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h" extern "C" { extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *); @@ -46,8 +45,6 @@ extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *); static double last_watchdog_proc_time = 0.0; // value of above during last watchdog extern int signal_val; -using namespace zeek::analyzer::stepping_stone; - namespace zeek::run_state { namespace detail { @@ -197,9 +194,6 @@ void init_run(const std::optional& interface, session_mgr = new session::Manager(); - // Initialize the stepping stone manager. We intentionally throw away the result here. - SteppingStoneManager::Get(); - if ( do_watchdog ) { // Set up the watchdog to make sure we don't wedge. @@ -414,7 +408,6 @@ void delete_run() util::detail::set_processing_status("TERMINATING", "delete_run"); delete session_mgr; - delete SteppingStoneManager::Get(); for ( int i = 0; i < zeek::detail::NUM_ADDR_ANONYMIZATION_METHODS; ++i ) delete zeek::detail::ip_anonymizer[i]; diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 32c930161b..5bfd77f539 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -9,7 +9,6 @@ #include "zeek/analyzer/protocol/conn-size/ConnSize.h" #include "zeek/analyzer/protocol/pia/PIA.h" -#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h" #include "zeek/analyzer/protocol/tcp/TCP.h" #include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h" #include "zeek/packet_analysis/protocol/ip/SessionAdapter.h" diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index 0d628ded1d..6bf668c4a1 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt 
@@ -40,7 +40,6 @@ add_subdirectory(snmp)
 add_subdirectory(socks)
 add_subdirectory(ssh)
 add_subdirectory(ssl)
-add_subdirectory(stepping-stone)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
 add_subdirectory(teredo)
diff --git a/src/analyzer/protocol/stepping-stone/CMakeLists.txt b/src/analyzer/protocol/stepping-stone/CMakeLists.txt
deleted file mode 100644
index 8975da49f9..0000000000
--- a/src/analyzer/protocol/stepping-stone/CMakeLists.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek SteppingStone)
-zeek_plugin_cc(SteppingStone.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()
diff --git a/src/analyzer/protocol/stepping-stone/Plugin.cc b/src/analyzer/protocol/stepping-stone/Plugin.cc
deleted file mode 100644
index 5225af089b..0000000000
--- a/src/analyzer/protocol/stepping-stone/Plugin.cc
+++ /dev/null
@@ -1,22 +0,0 @@
-// See the file in the main distribution directory for copyright.
-
-#include "zeek/plugin/Plugin.h"
-#include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
-
-namespace zeek::plugin::detail::Zeek_SteppingStone {
-
-class Plugin : public zeek::plugin::Plugin {
-public:
- zeek::plugin::Configuration Configure() override
- {
- AddComponent(new zeek::analyzer::Component("SteppingStone", zeek::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate));
-
- zeek::plugin::Configuration config;
- config.name = "Zeek::SteppingStone";
- config.description = "Stepping stone analyzer";
- return config;
- }
-} plugin;
-
-} // namespace zeek::plugin::detail::Zeek_SteppingStone
diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
deleted file mode 100644
index 2317e1518b..0000000000
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ /dev/null
@@ -1,227 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "zeek/zeek-config.h" -#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h" - -#include - -#include "zeek/Event.h" -#include "zeek/RunState.h" -#include "zeek/NetVar.h" -#include "zeek/analyzer/protocol/tcp/TCP.h" -#include "zeek/util.h" - -#include "zeek/analyzer/protocol/stepping-stone/events.bif.h" - -namespace zeek::analyzer::stepping_stone { - -SteppingStoneManager* SteppingStoneManager::instance = nullptr; - -SteppingStoneEndpoint::SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m) - { - endp = e; - stp_max_top_seq = 0; - stp_last_time = stp_resume_time = 0.0; - stp_manager = m; - stp_id = stp_manager->NextID(); - - CreateEndpEvent(e->IsOrig()); - - // Make sure the connection does not get deleted. - Ref(endp->TCP()->Conn()); - } - -SteppingStoneEndpoint::~SteppingStoneEndpoint() - { - Unref(endp->TCP()->Conn()); - } - -void SteppingStoneEndpoint::Done() - { - if ( RefCnt() > 1 ) - return; - - SteppingStoneEndpoint* ep; - - for ( const auto& entry : stp_inbound_endps ) - { - ep = entry.second; - ep->stp_outbound_endps.erase(stp_id); - Event(stp_remove_pair, ep->stp_id, stp_id); - Unref(ep); - } - - for ( const auto& entry : stp_outbound_endps ) - { - ep = entry.second; - ep->stp_inbound_endps.erase(stp_id); - Event(stp_remove_pair, stp_id, ep->stp_id); - Unref(ep); - } - - Event(stp_remove_endp, stp_id); - } - -bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen, - const u_char* data, const IP_Hdr* /* ip */, - const struct tcphdr* tp) - { - if ( caplen < len ) - len = caplen; - - if ( len <= 0 ) - return false; - - double tmin = t - zeek::detail::stp_delta; - - while ( ! 
stp_manager->OrderedEndpoints().empty() ) - { - auto e = stp_manager->OrderedEndpoints().front(); - - if ( e->stp_resume_time < tmin ) - { - stp_manager->OrderedEndpoints().pop_front(); - e->Done(); - Unref(e); - } - else - break; - } - - uint64_t ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps()); - uint64_t top_seq = seq + len; - - if ( top_seq <= ack || top_seq <= stp_max_top_seq ) - // There is no new data in this packet - return false; - - stp_max_top_seq = top_seq; - - if ( stp_last_time && t <= stp_last_time + zeek::detail::stp_idle_min ) - { - stp_last_time = t; - return true; - } - - // Either just starts, or resumes from an idle period. - stp_last_time = stp_resume_time = t; - - Event(stp_resume_endp, stp_id); - for ( auto ep : stp_manager->OrderedEndpoints() ) - { - if ( ep->endp->TCP() != endp->TCP() ) - { - Ref(ep); - Ref(this); - - stp_inbound_endps[ep->stp_id] = ep; - ep->stp_outbound_endps[stp_id] = this; - - Event(stp_correlate_pair, ep->stp_id, stp_id); - } - - else - { // ep and this belong to same connection - } - } - - stp_manager->OrderedEndpoints().push_back(this); - Ref(this); - - return true; - } - -void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2) - { - if ( ! f ) - return; - - if ( id2 >= 0 ) - endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1), val_mgr->Int(id2)); - else - endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1)); - } - -void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig) - { - if ( ! 
stp_create_endp ) - return; - - endp->TCP()->EnqueueConnEvent(stp_create_endp, - endp->TCP()->ConnVal(), - val_mgr->Int(stp_id), - val_mgr->Bool(is_orig) - ); - } - -SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) - : analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c) - { - stp_manager = SteppingStoneManager::Get(); - - orig_endp = resp_endp = nullptr; - orig_stream_pos = resp_stream_pos = 1; - } - -void SteppingStone_Analyzer::Init() - { - analyzer::tcp::TCP_ApplicationAnalyzer::Init(); - - assert(TCP()); - orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager); - resp_endp = new SteppingStoneEndpoint(TCP()->Resp(), stp_manager); - } - -void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, - bool is_orig, uint64_t seq, - const IP_Hdr* ip, int caplen) - { - analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, - ip, caplen); - - if ( is_orig ) - orig_endp->DataSent(run_state::network_time, seq, len, caplen, data, nullptr, nullptr); - else - resp_endp->DataSent(run_state::network_time, seq, len, caplen, data, nullptr, nullptr); - } - -void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, - bool is_orig) - { - analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); - - if ( is_orig ) - { - orig_endp->DataSent(run_state::network_time, orig_stream_pos, len, len, - data, nullptr, nullptr); - orig_stream_pos += len; - } - - else - { - resp_endp->DataSent(run_state::network_time, resp_stream_pos, len, len, - data, nullptr, nullptr); - resp_stream_pos += len; - } - } - -void SteppingStone_Analyzer::Done() - { - analyzer::tcp::TCP_ApplicationAnalyzer::Done(); - - orig_endp->Done(); - resp_endp->Done(); - - Unref(orig_endp); - Unref(resp_endp); - } - -SteppingStoneManager* SteppingStoneManager::Get() - { - if ( ! instance && stp_correlate_pair ) - instance = new SteppingStoneManager(); - - return instance; - } - -} // namespace zeek::analyzer::stepping_stone 
diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h
deleted file mode 100644
index 55cd890f89..0000000000
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.h
+++ /dev/null
@@ -1,91 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include - -#include "zeek/analyzer/protocol/tcp/TCP.h" - -namespace zeek { - -namespace analyzer::stepping_stone { - -class SteppingStoneEndpoint; -class SteppingStoneManager; - -class SteppingStoneEndpoint : public Obj { -public: - SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m); - ~SteppingStoneEndpoint() override; - void Done(); - - bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data, - const IP_Hdr* ip, const struct tcphdr* tp); - -protected: - void Event(EventHandlerPtr f, int id1, int id2 = -1); - void CreateEndpEvent(bool is_orig); - - analyzer::tcp::TCP_Endpoint* endp; - uint64_t stp_max_top_seq; - double stp_last_time; - double stp_resume_time; - SteppingStoneManager* stp_manager; - - // Hashes for inbound/outbound endpoints that are correlated - // at least once with this endpoint. They are necessary for - // removing correlated endpoint pairs in Bro, since there is - // no LOOP in Bro language. - int stp_id; - std::map stp_inbound_endps; - std::map stp_outbound_endps; -}; - -class SteppingStone_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer { -public: - explicit SteppingStone_Analyzer(Connection* c); - ~SteppingStone_Analyzer() override {}; - - void Init() override; - void Done() override; - - static analyzer::Analyzer* Instantiate(Connection* conn) - { return new SteppingStone_Analyzer(conn); } - -protected: - // We support both packet and stream input and can be put in place even - // if the TCP analyzer is not yet reassebmling. 
- void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64_t seq, const IP_Hdr* ip, int caplen) override; - void DeliverStream(int len, const u_char* data, bool is_orig) override; - - int orig_stream_pos; - int resp_stream_pos; - - SteppingStoneManager* stp_manager; - SteppingStoneEndpoint* orig_endp; - SteppingStoneEndpoint* resp_endp; -}; - -// Manages ids for the possible stepping stone connections. -class SteppingStoneManager { -public: - - using EndpointQueue = std::deque; - - EndpointQueue& OrderedEndpoints() { return ordered_endps; } - - // Use postfix ++, since the first ID needs to be even. - int NextID() { return endp_cnt++; } - - static SteppingStoneManager* Get(); - -protected: - EndpointQueue ordered_endps; - int endp_cnt = 0; - - static SteppingStoneManager* instance; -}; - -} // namespace analyzer::stepping_stone -} // namespace zeek diff --git a/src/analyzer/protocol/stepping-stone/events.bif b/src/analyzer/protocol/stepping-stone/events.bif deleted file mode 100644 index 8d578eba64..0000000000 --- a/src/analyzer/protocol/stepping-stone/events.bif +++ /dev/null @@ -1,17 +0,0 @@ -## Deprecated. Will be removed. -event stp_create_endp%(c: connection, e: int, is_orig: bool%); - -# ##### Internal events. Not further documented. - -## Event internal to the stepping stone detector. -event stp_resume_endp%(e: int%); - -## Event internal to the stepping stone detector. -event stp_correlate_pair%(e1: int, e2: int%); - -## Event internal to the stepping stone detector. -event stp_remove_pair%(e1: int, e2: int%); - -## Event internal to the stepping stone detector. -event stp_remove_endp%(e: int%); - diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc index 2609ef481a..99a794e1f8 100644 --- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc +++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc 
@@ -10,7 +10,6 @@ #include "zeek/analyzer/protocol/tcp/TCP_Flags.h" #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h" #include "zeek/analyzer/protocol/pia/PIA.h" -#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h" #include "zeek/analyzer/protocol/conn-size/ConnSize.h" #include "zeek/packet_analysis/protocol/tcp/TCP.h" @@ -1604,7 +1603,6 @@ bool TCPSessionAdapter::IsReuse(double t, const u_char* pkt) void TCPSessionAdapter::AddExtraAnalyzers(Connection* conn) { static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE"); - static analyzer::Tag analyzer_stepping = analyzer_mgr->GetComponentTag("STEPPINGSTONE"); static analyzer::Tag analyzer_tcpstats = analyzer_mgr->GetComponentTag("TCPSTATS"); // We have to decide whether to reassamble the stream. @@ -1634,24 +1632,6 @@ void TCPSessionAdapter::AddExtraAnalyzers(Connection* conn) if ( reass ) EnableReassembly(); - if ( analyzer_mgr->IsEnabled(analyzer_stepping) ) - { - // Add a SteppingStone analyzer if requested. The port - // should really not be hardcoded here, but as it can - // handle non-reassembled data, it doesn't really fit into - // our general framing ... Better would be to turn it - // on *after* we discover we have interactive traffic. - uint16_t resp_port = ntohs(Conn()->RespPort()); - if ( resp_port == 22 || resp_port == 23 || resp_port == 513 ) - { - static auto stp_skip_src = id::find_val("stp_skip_src"); - auto src = make_intrusive(Conn()->OrigAddr()); - - if ( ! stp_skip_src->FindOrDefault(src) ) - AddChildAnalyzer(new analyzer::stepping_stone::SteppingStone_Analyzer(conn), false); - } - } - if ( analyzer_mgr->IsEnabled(analyzer_tcpstats) ) // Add TCPStats analyzer. This needs to see packets so // we cannot add it as a normal child. diff --git a/src/session/Manager.cc b/src/session/Manager.cc index 82ee11b217..3a73d123d2 100644 --- a/src/session/Manager.cc +++ b/src/session/Manager.cc 
@@ -26,8 +26,6 @@ #include "zeek/iosource/IOSource.h" #include "zeek/packet_analysis/Manager.h" -#include "zeek/analyzer/protocol/stepping-stone/events.bif.h" - zeek::session::Manager* zeek::session_mgr = nullptr; zeek::session::Manager*& zeek::sessions = zeek::session_mgr; diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 95228fc7ea..e8ea8c920b 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -200,7 +200,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek - build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 4ebc37ef20..8b78cd1ce0 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -200,7 +200,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek - build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index f9928d808e..2d5ebf5215 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -1,5 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> 
@@ -66,7 +65,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) -> 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> @@ -776,7 +774,6 @@ 0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> -1 -0.000000 MetaHookPost LoadFile(0, ./Zeek_SteppingStone.events.bif.zeek, <...>/Zeek_SteppingStone.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1 
@@ -1032,7 +1029,6 @@ 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false 0.000000 MetaHookPost QueueEvent(zeek_init()) -> false -0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) @@ -1099,7 +1095,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) 
@@ -1809,7 +1804,6 @@ 0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -0.000000 MetaHookPre LoadFile(0, ./Zeek_SteppingStone.events.bif.zeek, <...>/Zeek_SteppingStone.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) @@ -2065,7 +2059,6 @@ 0.000000 MetaHookPre QueueEvent(NetControl::init()) 0.000000 MetaHookPre QueueEvent(filter_change_tracking()) 0.000000 MetaHookPre QueueEvent(zeek_init()) -0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE) 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp) @@ -2132,7 +2125,6 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) -0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp) 
@@ -2841,7 +2833,6 @@ 0.000000 | HookLoadFile ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek -0.000000 | HookLoadFile ./Zeek_SteppingStone.events.bif.zeek <...>/Zeek_SteppingStone.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek