From 04a1ead97865af62d93bc0e3e605279867509cd1 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Tue, 8 Nov 2022 09:54:08 +0100 Subject: [PATCH] Provide infrastructure to migrate legacy analyzers to Spicy. As initial examples, this branch ports the Syslog and Finger analyzers over. We leave the old analyzers in place for now and activate them iff we compile without any Spicy. Needs `zeek-spicy-infra` branches in `spicy/`, `spicy-plugin/`, `CMake/`, and `zeek/zeek-testing-private`. Note that the analyzer events remain associated with the Spicy plugin for now: that's where they will show up with `-NN`, and also inside the Zeekygen documentation. We switch CMake over to linking the runtime library into the plugin, vs. at the top-level through object libraries. --- CMakeLists.txt | 68 ++++++++++++------ auxil/spicy-plugin | 2 +- auxil/spicy/spicy | 2 +- cmake | 2 +- scripts/base/init-default.zeek | 1 + scripts/base/protocols/finger/__load__.zeek | 2 + scripts/base/protocols/finger/main.zeek | 14 ++++ .../base/protocols/finger/spicy-events.zeek | 33 +++++++++ scripts/base/protocols/syslog/__load__.zeek | 3 +- .../base/protocols/syslog/spicy-events.zeek | 21 ++++++ src/analyzer/protocol/finger/CMakeLists.txt | 18 ++--- src/analyzer/protocol/finger/finger.evt | 10 +++ src/analyzer/protocol/finger/finger.spicy | 54 ++++++++++++++ .../protocol/finger/legacy/CMakeLists.txt | 9 +++ .../protocol/finger/{ => legacy}/Finger.cc | 4 +- .../protocol/finger/{ => legacy}/Finger.h | 0 .../protocol/finger/{ => legacy}/Plugin.cc | 2 +- .../protocol/finger/{ => legacy}/events.bif | 0 src/analyzer/protocol/syslog/CMakeLists.txt | 19 +++-- .../protocol/syslog/legacy/CMakeLists.txt | 10 +++ .../protocol/syslog/{ => legacy}/Plugin.cc | 2 +- .../protocol/syslog/{ => legacy}/Syslog.cc | 4 +- .../protocol/syslog/{ => legacy}/Syslog.h | 2 +- .../protocol/syslog/{ => legacy}/events.bif | 0 .../syslog/{ => legacy}/syslog-analyzer.pac | 0 .../syslog/{ => legacy}/syslog-protocol.pac | 0 .../protocol/syslog/{ => legacy}/syslog.pac | 2 +- 
src/analyzer/protocol/syslog/syslog.evt | 8 +++ src/analyzer/protocol/syslog/syslog.spicy | 32 +++++++++ .../Baseline/core.print-bpf-filters/output2 | 9 +-- .../canonified_loaded_scripts.log | 2 - .../canonified_loaded_scripts.log | 6 +- testing/btest/Baseline/plugins.hooks/output | 33 +++++---- .../output | 8 +++ .../btest/Baseline/spicy.spicyz-jit/output | 5 -- .../{spicy.spicyz-aot => spicy.spicyz}/output | 0 testing/btest/Traces/finger/standard.pcap | Bin 0 -> 3205 bytes testing/btest/Traces/finger/verbose.pcap | Bin 0 -> 1056 bytes .../btest/coverage/default-load-baseline.test | 2 +- .../logging/field-extension-invalid.zeek | 2 +- .../scripts/base/protocols/finger/events.zeek | 18 +++++ testing/btest/spicy/spicyz-jit.test | 39 ---------- .../spicy/{spicyz-aot.test => spicyz.test} | 0 .../external/commit-hash.zeek-testing-private | 2 +- testing/scripts/diff-canonifier-external | 1 + testing/scripts/diff-remove-spicy-abspath | 12 ++++ testing/scripts/have-spicy | 6 +- zeek-config.in | 14 ++++ 48 files changed, 359 insertions(+), 124 deletions(-) create mode 100644 scripts/base/protocols/finger/__load__.zeek create mode 100644 scripts/base/protocols/finger/main.zeek create mode 100644 scripts/base/protocols/finger/spicy-events.zeek create mode 100644 scripts/base/protocols/syslog/spicy-events.zeek create mode 100644 src/analyzer/protocol/finger/finger.evt create mode 100644 src/analyzer/protocol/finger/finger.spicy create mode 100644 src/analyzer/protocol/finger/legacy/CMakeLists.txt rename src/analyzer/protocol/finger/{ => legacy}/Finger.cc (95%) rename src/analyzer/protocol/finger/{ => legacy}/Finger.h (100%) rename src/analyzer/protocol/finger/{ => legacy}/Plugin.cc (91%) rename src/analyzer/protocol/finger/{ => legacy}/events.bif (100%) create mode 100644 src/analyzer/protocol/syslog/legacy/CMakeLists.txt rename src/analyzer/protocol/syslog/{ => legacy}/Plugin.cc (91%) rename src/analyzer/protocol/syslog/{ => legacy}/Syslog.cc (95%) rename 
src/analyzer/protocol/syslog/{ => legacy}/Syslog.h (95%) rename src/analyzer/protocol/syslog/{ => legacy}/events.bif (100%) rename src/analyzer/protocol/syslog/{ => legacy}/syslog-analyzer.pac (100%) rename src/analyzer/protocol/syslog/{ => legacy}/syslog-protocol.pac (100%) rename src/analyzer/protocol/syslog/{ => legacy}/syslog.pac (75%) create mode 100644 src/analyzer/protocol/syslog/syslog.evt create mode 100644 src/analyzer/protocol/syslog/syslog.spicy create mode 100644 testing/btest/Baseline/scripts.base.protocols.finger.events/output delete mode 100644 testing/btest/Baseline/spicy.spicyz-jit/output rename testing/btest/Baseline/{spicy.spicyz-aot => spicy.spicyz}/output (100%) create mode 100644 testing/btest/Traces/finger/standard.pcap create mode 100644 testing/btest/Traces/finger/verbose.pcap create mode 100644 testing/btest/scripts/base/protocols/finger/events.zeek delete mode 100644 testing/btest/spicy/spicyz-jit.test rename testing/btest/spicy/{spicyz-aot.test => spicyz.test} (100%) create mode 100755 testing/scripts/diff-remove-spicy-abspath diff --git a/CMakeLists.txt b/CMakeLists.txt index e6d3ed2d88..1c43720d18 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -547,14 +547,17 @@ else () endif () if ( NOT DISABLE_SPICY ) + set(USE_SPICY_ANALYZERS yes) + if ( NOT SPICY_ROOT_DIR ) + set(HAVE_SPICY yes) # evaluated by Spicy plugin build + add_subdirectory(auxil/spicy) # Set variables used by the spicy-plugin build since we are building Spicy # as part of Zeek so spicy-plugin cannot use `spicy-config` at configure # time to set these. set(SPICY_CONFIG "") - set(HAVE_SPICY "YES") set(SPICY_HAVE_TOOLCHAIN "YES") set(SPICY_INCLUDE_DIRS_RUNTIME ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/hilti/runtime/include 
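Review bot: `set(USE_SPICY_ANALYZERS yes)` here (and `set(USE_SPICY_ANALYZERS no)` in the @@ -586 hunk) defines a normal variable that shadows the `CACHE BOOL` entry created right after it, so a user's `-DUSE_SPICY_ANALYZERS=OFF` is only honoured as long as policy CMP0126 is OLD and `set(... CACHE ...)` happens to discard the normal variable of the same name. Compute the default under a separate name, e.g. `set(_use_spicy_analyzers_default yes)` / `set(_use_spicy_analyzers_default no)`, and declare the cache entry as `set(USE_SPICY_ANALYZERS "${_use_spicy_analyzers_default}" CACHE BOOL "Use built-in Spicy analyzers")`. The Spicy-disabled branch presumably needs the analyzers off regardless of what the user passes; if so, an explicit `if ( DISABLE_SPICY AND USE_SPICY_ANALYZERS )` with a `message(FATAL_ERROR ...)` after the cache set makes that visible instead of silently overriding. I cannot see how `BuiltInSpicyAnalyzer` consumes the variable, so confirm it reads the cache value rather than relying on the shadowing normal variable.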
@@ -564,6 +567,10 @@ if ( NOT DISABLE_SPICY ) ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/hilti/toolchain/include ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/spicy/toolchain/include) set(SPICY_LIBRARY spicy) + set(HILTI_LIBRARY_RT hilti-rt) + set(HILTI_LIBRARY_RT_DEBUG hilti-rt-debug) + set(SPICY_LIBRARY_RT spicy-rt) + set(SPICY_LIBRARY_RT_DEBUG spicy-rt-debug) # Needed only for logging from CMake configure phase. get_directory_property( @@ -586,12 +593,20 @@ if ( NOT DISABLE_SPICY ) endif () if ( NOT SPICY_PLUGIN_PATH ) + set(_spicy_plugin "included") set(SPICY_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/spicy-plugin) endif () + set(SPICY_PLUGIN_BINARY_PATH ${CMAKE_BINARY_DIR}/src/builtin-plugins/spicy-plugin) string(APPEND ZEEK_INCLUDE_PLUGINS ";${SPICY_PLUGIN_PATH}") +else () + set(HAVE_SPICY no) # evaluated by Spicy plugin build + set(USE_SPICY_ANALYZERS no) endif () +set(USE_SPICY_ANALYZERS "${USE_SPICY_ANALYZERS}" CACHE BOOL "Use built-in Spicy analyzers") +include(BuiltInSpicyAnalyzer) + include_directories(BEFORE ${PCAP_INCLUDE_DIR} ${BIND_INCLUDE_DIR} 
@@ -866,26 +881,6 @@ if ( NOT DISABLE_SPICY ) add_dependencies(zeek spicyz) if ( NOT SPICY_ROOT_DIR ) - list(APPEND _spicy_rt_libs spicy-rt hilti-rt) - - # Use the debug runtime libraries if we are building a debug Zeek. - if ( SPICY_BUILD_MODE STREQUAL "Debug" ) - list(TRANSFORM _spicy_rt_libs APPEND "-debug") - endif () - - # If we build spicy-plugin into Zeek we also need to build the Spicy - # runtime dependencies into Zeek. Since no matter how Spicy itself was - # linked this is always a static library, link the object files so we - # get all symbols and can resolve all potential dependencies of - # HLTO files at runtime. - # - # TODO(bbannier): Conceptually cleaner would be linking the runtime - # objects into spicy-plugin and then inherit that up to zeek, but it - # seems this does not work reliable (due incomplete support for object - # libraries in CMake?). - list(TRANSFORM _spicy_rt_libs APPEND "-objects") - target_link_libraries(zeek ${_spicy_rt_libs}) - # Make sure we build targets of spicy-plugin after the `spicy` target. add_dependencies(plugin-Zeek-Spicy spicy) add_dependencies(spicyz spicy) 
@@ -959,6 +954,33 @@ if ( GEN_ZAM_EXE_PATH ) set(_gen_zam_exe_path ${GEN_ZAM_EXE_PATH}) endif () +set(_spicy "included") +if ( DISABLE_SPICY ) + set(_spicy "disabled") +elseif ( SPICY_ROOT_DIR ) + set(_spicy "external (${SPICY_ROOT_DIR})") +endif () + +if ( DISABLE_SPICY ) + set(_spicy_plugin "disabled") +elseif ( "${_spicy_plugin}" STREQUAL "" ) + set(_spicy_plugin "external (${SPICY_PLUGIN_PATH})") +endif () + +if ( ZEEK_LEGACY_ANALYZERS ) + list(JOIN ZEEK_LEGACY_ANALYZERS ", " _legacy_analyzers) + set(_legacy_analyzers "\n - Using unmaintained legacy analyzers for: ${_legacy_analyzers}") +endif () + +if ( ZEEK_SKIPPED_ANALYZERS ) + list(JOIN ZEEK_SKIPPED_ANALYZERS ", " _skipped_analyzers) + set(_skipped_analyzers "\n - Skipping analyzers: ${_skipped_analyzers}") +endif () + +if ( ZEEK_LEGACY_ANALYZERS OR ZEEK_SKIPPED_ANALYZERS ) + set(_analyzer_warning "\n\n[Warning] Some analyzers are not available due to lack of Spicy:${_legacy_analyzers}${_skipped_analyzers}") +endif () + message( "\n====================| Zeek Build Summary |====================" "\n" @@ -993,6 +1015,9 @@ message( "\nBTest tooling: ${_install_btest_tools_msg}" "\nGen-ZAM: ${_gen_zam_exe_path}" "\nzkg: ${INSTALL_ZKG}" + "\nSpicy: ${_spicy}" + "\nSpicy plugin: ${_spicy_plugin}" + "\nSpicy analyzers: ${USE_SPICY_ANALYZERS}" "\n" "\nlibmaxminddb: ${USE_GEOIP}" "\nKerberos: ${USE_KRB5}" @@ -1003,6 +1028,7 @@ message( "\n" "\nFuzz Targets: ${ZEEK_ENABLE_FUZZERS}" "\nFuzz Engine: ${ZEEK_FUZZING_ENGINE}" + "${_analyzer_warning}" "\n" "\n================================================================\n" ) diff --git a/auxil/spicy-plugin b/auxil/spicy-plugin index 9480a7dc8f..bd5a32f5c7 160000 --- a/auxil/spicy-plugin +++ b/auxil/spicy-plugin @@ -1 +1 @@ -Subproject commit 9480a7dc8f9049c46f42069b415e1c18a44aa51b +Subproject commit bd5a32f5c78e1cc1d60b8f010797fe3fb5a6c3aa diff --git a/auxil/spicy/spicy b/auxil/spicy/spicy index 8c5f9466c5..1e074f8db5 160000 --- a/auxil/spicy/spicy 
+++ b/auxil/spicy/spicy @@ -1 +1 @@ -Subproject commit 8c5f9466c5f87a237451438af82dbb8dcf743d5d +Subproject commit 1e074f8db5f2ccc4a946f66634410bcc7d94dcef diff --git a/cmake b/cmake index f69e08247e..9f05362a5c 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit f69e08247ed4d7e36258157df6328bad3c81269d +Subproject commit 9f05362a5c33ed11dab37d2dedf74206d59d8f6d diff --git a/scripts/base/init-default.zeek b/scripts/base/init-default.zeek index 2c628b958e..5a11969e4e 100644 --- a/scripts/base/init-default.zeek +++ b/scripts/base/init-default.zeek @@ -49,6 +49,7 @@ @load base/protocols/dhcp @load base/protocols/dnp3 @load base/protocols/dns +@load base/protocols/finger @load base/protocols/ftp @load base/protocols/http @load base/protocols/imap diff --git a/scripts/base/protocols/finger/__load__.zeek b/scripts/base/protocols/finger/__load__.zeek new file mode 100644 index 0000000000..7d68518851 --- /dev/null +++ b/scripts/base/protocols/finger/__load__.zeek @@ -0,0 +1,2 @@ +@load ./spicy-events +@load ./main diff --git a/scripts/base/protocols/finger/main.zeek b/scripts/base/protocols/finger/main.zeek new file mode 100644 index 0000000000..8f8842418f --- /dev/null +++ b/scripts/base/protocols/finger/main.zeek @@ -0,0 +1,14 @@ +##! Implements base functionality for Finger analysis. We currently do not generate +##! a log file, but just configure the analyzer. + +module Finger; + +export { + const ports = { 79/tcp }; + redef likely_server_ports += { ports }; +} + +event zeek_init() &priority=5 + { + Analyzer::register_for_ports(Analyzer::ANALYZER_FINGER, ports); + } diff --git a/scripts/base/protocols/finger/spicy-events.zeek b/scripts/base/protocols/finger/spicy-events.zeek new file mode 100644 index 0000000000..0e956683e5 --- /dev/null +++ b/scripts/base/protocols/finger/spicy-events.zeek 
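Review bot: `const ports = { 79/tcp };` in the new finger/main.zeek is not `&redef` and has no Zeekygen comment, unlike the `ports` constants most other base protocol scripts export, so a site cannot extend the Finger port set from its own scripts. Suggest `## The ports to register the Finger analyzer for.` above it and `const ports = { 79/tcp } &redef;`.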
@@ -0,0 +1,33 @@
+##! Events generated by the Finger analyzer.
+
+@ifdef ( Spicy::available ) # must not be used with legacy analyzer
+
+## Generated for Finger requests.
+##
+## See `Wikipedia `__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## full: True if verbose information is requested (``/W`` switch).
+##
+## username: The request's user name.
+##
+## hostname: The request's host name.
+##
+## .. zeek:see:: finger_reply
+global finger_request: event(c: connection, full: bool, username: string, hostname: string);
+
+## Generated for Finger replies.
+##
+## See `Wikipedia `__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## reply_line: The reply as returned by the server
+##
+## .. zeek:see:: finger_request
+global finger_reply: event(c: connection, reply_line: string);
+
+@endif
diff --git a/scripts/base/protocols/syslog/__load__.zeek b/scripts/base/protocols/syslog/__load__.zeek
index 0098b81a7a..2dd0f53bf8 100644
--- a/scripts/base/protocols/syslog/__load__.zeek
+++ b/scripts/base/protocols/syslog/__load__.zeek
@@ -1,2 +1,3 @@
+@load ./spicy-events
 @load ./consts
-@load ./main
\ No newline at end of file
+@load ./main
diff --git a/scripts/base/protocols/syslog/spicy-events.zeek b/scripts/base/protocols/syslog/spicy-events.zeek
new file mode 100644
index 0000000000..060a481688
--- /dev/null
+++ b/scripts/base/protocols/syslog/spicy-events.zeek
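Review bot: The `# must not be used with legacy analyzer` comment on the `@ifdef ( Spicy::available )` line states a rule without its reason, and the same comment recurs in the syslog spicy-events.zeek hunk that follows. Presumably the point is that the legacy plugin's `events.bif` (moved to `legacy/` in this commit) declares the same events and a second declaration would clash; if so, say that: `# Declare the events here only when the Spicy analyzer is built in; the legacy analyzer's events.bif declares the same events.` That guard also implies a build without Spicy that skips the analyzer entirely leaves `finger_request`/`finger_reply` undeclared, which I would expect scripts handling those events to hit as a parse error, so a sentence on that in the `##!` header would help if it is intended.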
@@ -0,0 +1,21 @@
+##! Events generated by the Syslog analyzer.
+
+@ifdef ( Spicy::available ) # must not be used with legacy analyzer
+
+## Generated for monitored Syslog messages.
+##
+## See `Wikipedia `__ for more
+## information about the Syslog protocol.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## facility: The "facility" included in the message.
+##
+## severity: The "severity" included in the message.
+##
+## msg: The message logged.
+##
+## .. note:: Zeek currently parses only UDP syslog traffic.
+global syslog_message: event(c: connection, facility: count, severity: count, msg: string);
+
+@endif
diff --git a/src/analyzer/protocol/finger/CMakeLists.txt b/src/analyzer/protocol/finger/CMakeLists.txt
index e89f268a8a..056a5f93e2 100644
--- a/src/analyzer/protocol/finger/CMakeLists.txt
+++ b/src/analyzer/protocol/finger/CMakeLists.txt
@@ -1,9 +1,9 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek Finger)
-zeek_plugin_cc(Finger.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()
+spicy_add_analyzer(
+ NAME
+ Finger
+ SOURCES
+ finger.spicy
+ finger.evt
+ LEGACY
+ legacy
+)
diff --git a/src/analyzer/protocol/finger/finger.evt b/src/analyzer/protocol/finger/finger.evt
new file mode 100644
index 0000000000..49c8199b4c
--- /dev/null
+++ b/src/analyzer/protocol/finger/finger.evt
@@ -0,0 +1,10 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+
+protocol analyzer Finger over TCP:
+ parse originator with Finger::Request,
+ parse responder with Finger::Reply;
+
+import Finger;
+
+on Finger::Request -> event finger_request($conn, self.whois, self.user, self.host);
+on Finger::ReplyLine if ( |self.data| != 0 ) -> event finger_reply($conn, self.data);
diff --git a/src/analyzer/protocol/finger/finger.spicy b/src/analyzer/protocol/finger/finger.spicy
new file mode 100644
index 0000000000..dd07dbb7c3
--- /dev/null
+++ b/src/analyzer/protocol/finger/finger.spicy
@@ -0,0 +1,54 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+#
+# Giving the rare number of instances of this protocol these days, we err on the side of
+# rejecting sessions if they don't parse well.
+
+module Finger;
+
+import spicy;
+
+const OptionalWhiteSpace = /[ \t]*/;
+const NewLine = /\r?\n/;
+
+public type Request = unit {
+ : OptionalWhiteSpace;
+
+ switch {
+ -> : /\/W/ { self.whois = True; }
+ -> void;
+ };
+
+ : OptionalWhiteSpace;
+
+ arg: /[^\r\n]*/ &convert=$$.strip().split1(b"@") {
+ # We require valid UTF-8 to weed out binary data.
+ self.user = self.arg[0].decode();
+
+ if ( |self.arg[1]| > 0 )
+ self.host = self.arg[1].decode();
+ }
+
+ on %done {
+ if ( |self.arg[0]| > 0 || self.whois )
+ spicy::accept_input();
+ }
+
+ var user: string;
+ var host: string;
+ var whois: bool = False;
+};
+
+type ReplyLine = unit {
+ data: /[^\r\n]*/ &convert=$$.decode(); # Require valid UTF-8 here as well.
+ : NewLine;
+
+ on %done {
+ if ( |self.data| > 10 )
+ # Require some non-trivial output to accept.
+ spicy::accept_input();
+ }
+};
+
+public type Reply = unit {
+ : ReplyLine[];
+};
diff --git a/src/analyzer/protocol/finger/legacy/CMakeLists.txt b/src/analyzer/protocol/finger/legacy/CMakeLists.txt
new file mode 100644
index 0000000000..e89f268a8a
--- /dev/null
+++ b/src/analyzer/protocol/finger/legacy/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(Zeek Finger)
+zeek_plugin_cc(Finger.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/legacy/Finger.cc
similarity index 95%
rename from src/analyzer/protocol/finger/Finger.cc
rename to src/analyzer/protocol/finger/legacy/Finger.cc
index f0306fd174..44138d9fde 100644
--- a/src/analyzer/protocol/finger/Finger.cc
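Review bot: `arg: /[^\r\n]*/` in `Request` and `data: /[^\r\n]*/` in `ReplyLine` match up to a line break with no length bound, so as far as I can tell a peer that never sends a newline makes the parser keep buffering that direction of the connection before any of the `accept_input()` checks can run. Consider bounding these fields (`&max-size=<limit>` on the field, if the Spicy version in use supports it) or rejecting over-long lines in the `%done` hook, and state the chosen limit in the header comment. The `> 10` threshold in `ReplyLine`'s `%done` hook should carry a why-comment saying how the value was chosen, since the existing `# Require some non-trivial output to accept.` only restates the condition. The header comment also reads `Giving the rare number of instances`; `Given the rare number of instances of this protocol these days, we err on the side of` is the intended wording.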
+++ b/src/analyzer/protocol/finger/legacy/Finger.cc @@ -1,6 +1,6 @@ // See the file "COPYING" in the main distribution directory for copyright. -#include "zeek/analyzer/protocol/finger/Finger.h" +#include "zeek/analyzer/protocol/finger/legacy/Finger.h" #include "zeek/zeek-config.h" @@ -8,7 +8,7 @@ #include "zeek/Event.h" #include "zeek/NetVar.h" -#include "zeek/analyzer/protocol/finger/events.bif.h" +#include "zeek/analyzer/protocol/finger/legacy/events.bif.h" #include "zeek/analyzer/protocol/tcp/ContentLine.h" namespace zeek::analyzer::finger diff --git a/src/analyzer/protocol/finger/Finger.h b/src/analyzer/protocol/finger/legacy/Finger.h similarity index 100% rename from src/analyzer/protocol/finger/Finger.h rename to src/analyzer/protocol/finger/legacy/Finger.h diff --git a/src/analyzer/protocol/finger/Plugin.cc b/src/analyzer/protocol/finger/legacy/Plugin.cc similarity index 91% rename from src/analyzer/protocol/finger/Plugin.cc rename to src/analyzer/protocol/finger/legacy/Plugin.cc index b4ec617568..6398b4729d 100644 --- a/src/analyzer/protocol/finger/Plugin.cc +++ b/src/analyzer/protocol/finger/legacy/Plugin.cc @@ -3,7 +3,7 @@ #include "zeek/plugin/Plugin.h" #include "zeek/analyzer/Component.h" -#include "zeek/analyzer/protocol/finger/Finger.h" +#include "zeek/analyzer/protocol/finger/legacy/Finger.h" namespace zeek::plugin::detail::Zeek_Finger { diff --git a/src/analyzer/protocol/finger/events.bif b/src/analyzer/protocol/finger/legacy/events.bif similarity index 100% rename from src/analyzer/protocol/finger/events.bif rename to src/analyzer/protocol/finger/legacy/events.bif diff --git a/src/analyzer/protocol/syslog/CMakeLists.txt b/src/analyzer/protocol/syslog/CMakeLists.txt index 5e1fca87ad..c80aefeb32 100644 --- a/src/analyzer/protocol/syslog/CMakeLists.txt +++ b/src/analyzer/protocol/syslog/CMakeLists.txt 
@@ -1,10 +1,9 @@ - -include(ZeekPlugin) - -include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) - -zeek_plugin_begin(Zeek Syslog) -zeek_plugin_cc(Syslog.cc Plugin.cc) -zeek_plugin_bif(events.bif) -zeek_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac) -zeek_plugin_end() +spicy_add_analyzer( + NAME + Syslog + SOURCES + syslog.spicy + syslog.evt + LEGACY + legacy +) diff --git a/src/analyzer/protocol/syslog/legacy/CMakeLists.txt b/src/analyzer/protocol/syslog/legacy/CMakeLists.txt new file mode 100644 index 0000000000..5e1fca87ad --- /dev/null +++ b/src/analyzer/protocol/syslog/legacy/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(ZeekPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +zeek_plugin_begin(Zeek Syslog) +zeek_plugin_cc(Syslog.cc Plugin.cc) +zeek_plugin_bif(events.bif) +zeek_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac) +zeek_plugin_end() diff --git a/src/analyzer/protocol/syslog/Plugin.cc b/src/analyzer/protocol/syslog/legacy/Plugin.cc similarity index 91% rename from src/analyzer/protocol/syslog/Plugin.cc rename to src/analyzer/protocol/syslog/legacy/Plugin.cc index 8cb8c5b572..1bbcbc5893 100644 --- a/src/analyzer/protocol/syslog/Plugin.cc +++ b/src/analyzer/protocol/syslog/legacy/Plugin.cc @@ -3,7 +3,7 @@ #include "zeek/plugin/Plugin.h" #include "zeek/analyzer/Component.h" -#include "zeek/analyzer/protocol/syslog/Syslog.h" +#include "zeek/analyzer/protocol/syslog/legacy/Syslog.h" namespace zeek::plugin::detail::Zeek_Syslog { diff --git a/src/analyzer/protocol/syslog/Syslog.cc b/src/analyzer/protocol/syslog/legacy/Syslog.cc similarity index 95% rename from src/analyzer/protocol/syslog/Syslog.cc rename to src/analyzer/protocol/syslog/legacy/Syslog.cc index 8dfd5ab52c..26ba71eecd 100644 --- a/src/analyzer/protocol/syslog/Syslog.cc +++ b/src/analyzer/protocol/syslog/legacy/Syslog.cc 
@@ -1,6 +1,6 @@ -#include "zeek/analyzer/protocol/syslog/Syslog.h" +#include "zeek/analyzer/protocol/syslog/legacy/Syslog.h" -#include "zeek/analyzer/protocol/syslog/events.bif.h" +#include "zeek/analyzer/protocol/syslog/legacy/events.bif.h" #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h" namespace zeek::analyzer::syslog diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/legacy/Syslog.h similarity index 95% rename from src/analyzer/protocol/syslog/Syslog.h rename to src/analyzer/protocol/syslog/legacy/Syslog.h index db6b078525..f01fe56007 100644 --- a/src/analyzer/protocol/syslog/Syslog.h +++ b/src/analyzer/protocol/syslog/legacy/Syslog.h @@ -2,7 +2,7 @@ #include "zeek/analyzer/protocol/tcp/TCP.h" -#include "analyzer/protocol/syslog/syslog_pac.h" +#include "analyzer/protocol/syslog/legacy/syslog_pac.h" namespace zeek::analyzer::syslog { diff --git a/src/analyzer/protocol/syslog/events.bif b/src/analyzer/protocol/syslog/legacy/events.bif similarity index 100% rename from src/analyzer/protocol/syslog/events.bif rename to src/analyzer/protocol/syslog/legacy/events.bif diff --git a/src/analyzer/protocol/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/legacy/syslog-analyzer.pac similarity index 100% rename from src/analyzer/protocol/syslog/syslog-analyzer.pac rename to src/analyzer/protocol/syslog/legacy/syslog-analyzer.pac diff --git a/src/analyzer/protocol/syslog/syslog-protocol.pac b/src/analyzer/protocol/syslog/legacy/syslog-protocol.pac similarity index 100% rename from src/analyzer/protocol/syslog/syslog-protocol.pac rename to src/analyzer/protocol/syslog/legacy/syslog-protocol.pac diff --git a/src/analyzer/protocol/syslog/syslog.pac b/src/analyzer/protocol/syslog/legacy/syslog.pac similarity index 75% rename from src/analyzer/protocol/syslog/syslog.pac rename to src/analyzer/protocol/syslog/legacy/syslog.pac index 4a5dfe2ede..159c6d6dd4 100644 --- a/src/analyzer/protocol/syslog/syslog.pac 
+++ b/src/analyzer/protocol/syslog/legacy/syslog.pac @@ -3,7 +3,7 @@ %include zeek.pac %extern{ -#include "zeek/analyzer/protocol/syslog/events.bif.h" +#include "zeek/analyzer/protocol/syslog/legacy/events.bif.h" %} analyzer Syslog withcontext { diff --git a/src/analyzer/protocol/syslog/syslog.evt b/src/analyzer/protocol/syslog/syslog.evt new file mode 100644 index 0000000000..22120ba8d4 --- /dev/null +++ b/src/analyzer/protocol/syslog/syslog.evt @@ -0,0 +1,8 @@ +# Copyright (c) 2022 by the Zeek Project. See LICENSE for details. + +protocol analyzer Syslog over UDP: + parse with Syslog::Message; + +import Syslog; + +on Syslog::Message -> event syslog_message($conn, self.facility, self.severity, self.msg); diff --git a/src/analyzer/protocol/syslog/syslog.spicy b/src/analyzer/protocol/syslog/syslog.spicy new file mode 100644 index 0000000000..fd4c845870 --- /dev/null +++ b/src/analyzer/protocol/syslog/syslog.spicy @@ -0,0 +1,32 @@ +# Copyright (c) 2022 by the Zeek Project. See LICENSE for details. + +module Syslog; + +import spicy; + +public type Message = unit { + switch { + -> prio: Priority; + -> void; + }; + + msg: bytes &eod; + + on %done { + spicy::accept_input(); + + if ( self?.prio ) { + self.severity = (self.prio.value & 0x07); + self.facility = (self.prio.value & 0x03f8) >> 3; + } + } + + var severity: uint64 = 999; # default per legacy analyzer + var facility: uint64 = 999; # default per legacy analyzer +}; + +type Priority = unit { + : b"<"; + value: /[[:digit:]]+/ &convert=$$.to_uint(); + : b">"; +}; diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index e5e7f829be..939abe6f39 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -48,6 +48,7 @@ 1 6669 1 67 1 68 +1 79 1 80 1 8000 1 8080 @@ -59,8 +60,8 @@ 1 992 1 993 1 995 -66 and -65 or -66 port -43 tcp +67 and +66 or +67 port +44 tcp 23 udp 
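Review bot: `spicy::accept_input()` in `Message`'s `%done` hook runs unconditionally, so every UDP datagram handed to the analyzer — including ones with no `<PRI>` prefix, which the `switch` deliberately tolerates — confirms the flow as Syslog and raises `syslog_message` with facility and severity 999. If that is meant to mirror the legacy analyzer, a comment next to the call should say so; otherwise move the call inside `if ( self?.prio )` so that only messages with a parsed priority confirm the protocol. `value: /[[:digit:]]+/ &convert=$$.to_uint()` in `Priority` accepts a digit run of any length, and an overflowing `to_uint()` presumably aborts the parse rather than yielding a bounded value; since a PRI value is at most three digits, `value: /[[:digit:]]{1,3}/ &convert=$$.to_uint();` makes the rejection of longer runs explicit (the `switch` then falls through to the `void` branch as for any other malformed prefix).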
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index bb6062a732..a17f305bf9 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -151,7 +151,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek build/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek build/scripts/base/bif/plugins/Zeek_File.events.bif.zeek - build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek @@ -227,7 +226,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek - build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 2724600cd8..c69a7110bb 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -151,7 +151,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek build/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek build/scripts/base/bif/plugins/Zeek_File.events.bif.zeek - build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek @@ -227,7 +226,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek - build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek @@ -359,6 +357,9 @@ scripts/base/init-default.zeek scripts/base/protocols/dns/__load__.zeek scripts/base/protocols/dns/consts.zeek scripts/base/protocols/dns/main.zeek + scripts/base/protocols/finger/__load__.zeek + scripts/base/protocols/finger/spicy-events.zeek + scripts/base/protocols/finger/main.zeek scripts/base/protocols/ftp/__load__.zeek scripts/base/protocols/ftp/utils-commands.zeek scripts/base/protocols/ftp/info.zeek @@ -438,6 +439,7 @@ scripts/base/init-default.zeek scripts/base/protocols/ssh/__load__.zeek scripts/base/protocols/ssh/main.zeek scripts/base/protocols/syslog/__load__.zeek + scripts/base/protocols/syslog/spicy-events.zeek scripts/base/protocols/syslog/consts.zeek scripts/base/protocols/syslog/main.zeek scripts/base/protocols/tunnels/__load__.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 3ab46934ae..16854bc82e 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -12,6 +12,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DNS, 5353/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DNS, 5355/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FINGER, 79/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> @@ -73,6 +74,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DNS, 5353/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DNS, 5355/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FINGER, 79/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> 
@@ -126,6 +128,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DTLS, {443/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FINGER, {79/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IMAP, {143/tcp})) -> @@ -807,7 +810,6 @@ 0.000000 MetaHookPost LoadFile(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> -1 -0.000000 MetaHookPost LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1 
@@ -895,7 +897,6 @@ 0.000000 MetaHookPost LoadFile(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -> -1 -0.000000 MetaHookPost LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1 @@ -977,6 +978,7 @@ 0.000000 MetaHookPost LoadFile(0, ./site, <...>/site.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./smb1-main, <...>/smb1-main.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./smb2-main, <...>/smb2-main.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, ./spicy-events, <...>/spicy-events.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./std-dev, <...>/std-dev.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./store, <...>/store.zeek) -> -1 @@ -1058,6 +1060,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/files, <...>/files.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/finger, <...>/finger) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ftp, <...>/ftp) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/geneve, <...>/geneve) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1 
@@ -1194,7 +1197,6 @@ 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> (-1, ) -0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, ) @@ -1282,7 +1284,6 @@ 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -> (-1, ) -0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, ) 
@@ -1364,6 +1365,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, ./site, <...>/site.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./spicy-events, <...>/spicy-events.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./store, <...>/store.zeek) -> (-1, ) @@ -1445,6 +1447,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, base<...>/files, <...>/files.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/finger, <...>/finger) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/ftp, <...>/ftp) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/geneve, <...>/geneve) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, ) 
@@ -1573,6 +1576,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DNS, 5353/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DNS, 5355/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FINGER, 79/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) @@ -1634,6 +1638,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DNS, 5353/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DNS, 5355/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FINGER, 79/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) 
@@ -1687,6 +1692,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DTLS, {443/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FINGER, {79/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IMAP, {143/tcp})) @@ -2368,7 +2374,6 @@ 0.000000 MetaHookPre LoadFile(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -0.000000 MetaHookPre LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) 
@@ -2456,7 +2461,6 @@ 0.000000 MetaHookPre LoadFile(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -0.000000 MetaHookPre LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) @@ -2538,6 +2542,7 @@ 0.000000 MetaHookPre LoadFile(0, ./site, <...>/site.zeek) 0.000000 MetaHookPre LoadFile(0, ./smb1-main, <...>/smb1-main.zeek) 0.000000 MetaHookPre LoadFile(0, ./smb2-main, <...>/smb2-main.zeek) +0.000000 MetaHookPre LoadFile(0, ./spicy-events, <...>/spicy-events.zeek) 0.000000 MetaHookPre LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./std-dev, <...>/std-dev.zeek) 0.000000 MetaHookPre LoadFile(0, ./store, <...>/store.zeek) @@ -2619,6 +2624,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/files, <...>/files.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/finger, <...>/finger) 0.000000 MetaHookPre LoadFile(0, base<...>/ftp, <...>/ftp) 0.000000 MetaHookPre LoadFile(0, base<...>/geneve, <...>/geneve) 0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) 
@@ -2755,7 +2761,6 @@ 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) @@ -2843,7 +2848,6 @@ 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) 
@@ -2925,6 +2929,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, ./site, <...>/site.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./spicy-events, <...>/spicy-events.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./store, <...>/store.zeek) @@ -3006,6 +3011,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, base<...>/files, <...>/files.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/finger, <...>/finger) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/ftp, <...>/ftp) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/geneve, <...>/geneve) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) @@ -3134,6 +3140,7 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5353/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5355/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FINGER, 79/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) 
@@ -3195,6 +3202,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5353/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5355/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FINGER, 79/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) @@ -3248,6 +3256,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FINGER, {79/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp}) 
@@ -3928,7 +3937,6 @@ 0.000000 | HookLoadFile ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek -0.000000 | HookLoadFile ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek @@ -4016,7 +4024,6 @@ 0.000000 | HookLoadFile ./Zeek_Spicy.consts.bif.zeek <...>/Zeek_Spicy.consts.bif.zeek 0.000000 | HookLoadFile ./Zeek_Spicy.events.bif.zeek <...>/Zeek_Spicy.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_Spicy.functions.bif.zeek <...>/Zeek_Spicy.functions.bif.zeek -0.000000 | HookLoadFile ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek @@ -4109,6 +4116,7 @@ 0.000000 | HookLoadFile ./site <...>/site.zeek 0.000000 | HookLoadFile ./smb1-main <...>/smb1-main.zeek 0.000000 | HookLoadFile ./smb2-main <...>/smb2-main.zeek +0.000000 | HookLoadFile ./spicy-events <...>/spicy-events.zeek 0.000000 | HookLoadFile ./stats.bif.zeek <...>/stats.bif.zeek 0.000000 | HookLoadFile ./std-dev <...>/std-dev.zeek 0.000000 | HookLoadFile ./store <...>/store.zeek 
@@ -4191,6 +4199,7 @@ 0.000000 | HookLoadFile base<...>/files <...>/files.zeek 0.000000 | HookLoadFile base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek 0.000000 | HookLoadFile base<...>/find-filtered-trace <...>/find-filtered-trace.zeek +0.000000 | HookLoadFile base<...>/finger <...>/finger 0.000000 | HookLoadFile base<...>/ftp <...>/ftp 0.000000 | HookLoadFile base<...>/geneve <...>/geneve 0.000000 | HookLoadFile base<...>/geoip-distance <...>/geoip-distance.zeek @@ -4315,7 +4324,6 @@ 0.000000 | HookLoadFileExtended ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek -0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek @@ -4403,7 +4411,6 @@ 0.000000 | HookLoadFileExtended ./Zeek_Spicy.consts.bif.zeek <...>/Zeek_Spicy.consts.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Spicy.events.bif.zeek <...>/Zeek_Spicy.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Spicy.functions.bif.zeek <...>/Zeek_Spicy.functions.bif.zeek -0.000000 | HookLoadFileExtended ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek 
@@ -4496,6 +4503,7 @@ 0.000000 | HookLoadFileExtended ./site <...>/site.zeek 0.000000 | HookLoadFileExtended ./smb1-main <...>/smb1-main.zeek 0.000000 | HookLoadFileExtended ./smb2-main <...>/smb2-main.zeek +0.000000 | HookLoadFileExtended ./spicy-events <...>/spicy-events.zeek 0.000000 | HookLoadFileExtended ./stats.bif.zeek <...>/stats.bif.zeek 0.000000 | HookLoadFileExtended ./std-dev <...>/std-dev.zeek 0.000000 | HookLoadFileExtended ./store <...>/store.zeek @@ -4578,6 +4586,7 @@ 0.000000 | HookLoadFileExtended base<...>/files <...>/files.zeek 0.000000 | HookLoadFileExtended base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek 0.000000 | HookLoadFileExtended base<...>/find-filtered-trace <...>/find-filtered-trace.zeek +0.000000 | HookLoadFileExtended base<...>/finger <...>/finger 0.000000 | HookLoadFileExtended base<...>/ftp <...>/ftp 0.000000 | HookLoadFileExtended base<...>/geneve <...>/geneve 0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek diff --git a/testing/btest/Baseline/scripts.base.protocols.finger.events/output b/testing/btest/Baseline/scripts.base.protocols.finger.events/output new file mode 100644 index 0000000000..1f5d247c00 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.finger.events/output 
@@ -0,0 +1,8 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +request, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], F, julien, +response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Login: julien\x09\x09\x09\x09Name: +response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Directory: /home/julien\x09\x09\x09Shell: /bin/sh +response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Logged: no +response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Project: +request, [orig_h=192.168.7.216, orig_p=56750/tcp, resp_h=95.179.238.241, resp_p=79/tcp], T, julien, +response, [orig_h=192.168.7.216, orig_p=56750/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Are you lost? diff --git a/testing/btest/Baseline/spicy.spicyz-jit/output b/testing/btest/Baseline/spicy.spicyz-jit/output deleted file mode 100644 index e7ad0949ae..0000000000 --- a/testing/btest/Baseline/spicy.spicyz-jit/output +++ /dev/null 
@@ -1,5 +0,0 @@ -### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -8, [$data=[b"POST /post HTTP/1.1", b"User-Agent: curl/7.29.0", b"Host: httpbin.org", b"Accept: */*", b"Content-Length: 11", b"Content-Type: application/x-www-form-urlencoded", b"", b"hello world"]] -Event:, [POST /post HTTP/1.1, User-Agent: curl/7.29.0, Host: httpbin.org, Accept: */*, Content-Length: 11, Content-Type: application/x-www-form-urlencoded, , hello world] -8, [$data=[b"HTTP/1.1 200 OK", b"Server: gunicorn/0.16.1", b"Date: Tue, 19 Mar 2013 16:05:11 GMT", b"Content-Type: application/json", b"Content-Length: 366", b"Connection: close", b"", b"{\x0a \"origin\": \"10.142.133.148\",\x0a \"files\": {},\x0a \"form\": null,\x0a \"url\": \"http://httpbin.org/post\",\x0a \"args\": {},\x0a \"headers\": {\x0a \"Content-Length\": \"11\",\x0a \"Connection\": \"close\",\x0a \"Accept\": \"*/*\",\x0a \"User-Agent\": \"curl/7.29.0\",\x0a \"Host\": \"httpbin.org\",\x0a \"Content-Type\": \"application/x-www-form-urlencoded\"\x0a },\x0a \"json\": null,\x0a \"data\": \"hello world\"\x0a}"]] -Event:, [HTTP/1.1 200 OK, Server: gunicorn/0.16.1, Date: Tue, 19 Mar 2013 16:05:11 GMT, Content-Type: application/json, Content-Length: 366, Connection: close, , {\x0a "origin": "10.142.133.148",\x0a "files": {},\x0a "form": null,\x0a "url": "http://httpbin.org/post",\x0a "args": {},\x0a "headers": {\x0a "Content-Length": "11",\x0a "Connection": "close",\x0a "Accept": "*/*",\x0a "User-Agent": "curl/7.29.0",\x0a "Host": "httpbin.org",\x0a "Content-Type": "application/x-www-form-urlencoded"\x0a },\x0a "json": null,\x0a "data": "hello world"\x0a}] diff --git a/testing/btest/Baseline/spicy.spicyz-aot/output b/testing/btest/Baseline/spicy.spicyz/output similarity index 100% rename from testing/btest/Baseline/spicy.spicyz-aot/output rename to testing/btest/Baseline/spicy.spicyz/output 
diff --git a/testing/btest/Traces/finger/standard.pcap b/testing/btest/Traces/finger/standard.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d5288e8b468ac8db950c7a9467d3b54c06f963de GIT binary patch literal 3205 zcmbtW-D@0G6rWAgG`*rk#ZrAbZILLnGudrw+eI*+Z4(?eVZA5)W z`gVMD^@~kE&3*Ixog2rrBgg+f`zsFCF7@2IH+oCcdU`ir&TZJxm&^5&+s|!3q~7)R zr08oWh&GM)>P&Id90~f%3VnCq(27D<8MGrej(L~gK8YD_e)`lu?>_%!f_|~Lr=M&X z9E}w^X4<59|Aok7h^o#m-oqL1^BufzBKq8^f&MMiKWJLUx2%vA;+~UDu3d-;S5#u< zzKC1^GTlzLdMxHCEKv^N~ zcrfBvf_P$G#48QNPg)TtP)l`oaeN8J6U4Xfi?}s+cl=xfaaAFvb&D33U5c(ZM|W_J zOq`=C+;R2_~p5xrmEkxZI~kW5kS0JrAE+EHFZsAV7sWMF==42|kZOMRJf=T`C|s zmZ6f|6%9kiRqE_=xkq&_DkOd1H7az<>a~$KqL7L(OT4s14pN^5tT8^h`%l#RsQr?8 zx3X=KT-R=WuhQbO)U zQYh#{d-eP}&%Kr+TVFwzwL5&&wrLoGbSbEKm$MQ&@xWmgXl?;76uV4d&-EU2KHmm#w?UZhT3hC{QnjY(R!c1#my znsqp#jX-<$^zNa*30Y^g755GqLq^s0c*Q6T6$(b3k}j7dA%(o2NAK(-WK8e{8h~Kd zdJDG$DsNax$Sw?Ng5~w0-3eG!aV1!$y#Rg;+;bq|0A;~_n3*^L*eIwDQy{46c`<}8 zk8n^;Fi9blQMpW55K3w~z{_BB2M3P{GjJfFwG2ye&jZQ1p4Ne>3xtdY9Ni|eB5(@9 zG2@*ORUK1O2Rv>esxCrMSlAp87!gD8nGjrrIvk}n!6hZiv(i-nEIDak0cUcU%>&K2N~5NeRm!RnM#I$6fu?o*!GlG zdKH&6sE&UDJAQ<_33YaM{GJL-s*eA}V0*_uol83Yv$?x(UT^RCn89bZ;JeTY;B!HD zA|s@=z)%R(Sk}-H>5Mo$$m(zF+?l4JIyp*VF^Lc?uoK!P1~oGTCsx%@4f>d35ibc{ zq#{mre4&gFs4!Bi8kJ-SPB0gA<>%E*aD~T^m@~ydq^Kz6`+#c(qo+(SL`9La zgSv*)=2*nI%Q-TMc_e_>0(`xQoisw*)?9|OiB3dyP(y|mm<;B5yp5zAnP1R^553vM zjm+uXsew)RCe|7onRB?2xuk6U^!`UfJhKN8{~TNCM!Z&hWW*=?wXyfR5&Nz-5j&Tj fmTcc}^M1a4>7ChwOYaZ0Z9T*rOYcYAY@PcTXd4*% literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/finger/verbose.pcap b/testing/btest/Traces/finger/verbose.pcap new file mode 100644 index 0000000000000000000000000000000000000000..28c218848cebeaf6b5543093216e38dd1fab0a02 GIT binary patch literal 1056 zcmbW0OGpA?5Xa|RS6hTgg~GbD(Xl`Ru}hM@F4BWe9SfpEAsIam7J?a3r?L`663ifo z9@6_91wF167=@jKD2UEhGoPmBicqoxyR7`?H~;ze?))GkfC!nN2n-*@aIk-&p#(bd zo+`94Qg`#}3)xTh&m?FAu+e4HRIi+F7TxzAzP-nz(6w#l1FPq4m+-iZQ$8tHwD0Cs$)N^+AuIK6@BW{oL8Wax zL_yN3+8-T6$4*5=UPW>$^WsB>YE8pfQFY#E*S;7+it(;sHlmBVy z=aw^R%k>{iebv8-dYs#E%S>BsLXoHMr{=dR_)3BOu8tLV3jt6KjCHqmj) literal 0 HcmV?d00001 diff --git a/testing/btest/coverage/default-load-baseline.test b/testing/btest/coverage/default-load-baseline.test index 3f7d656158..b94172cbc7 100644 --- a/testing/btest/coverage/default-load-baseline.test +++ b/testing/btest/coverage/default-load-baseline.test @@ -7,7 +7,7 @@ # prefix to make the test work everywhere. That's what the sed magic # below does. Don't ask. :-) -# @TEST-REQUIRES: test -x ${BUILD}/auxil/spicy/spicy/bin/spicy-config +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy # @TEST-EXEC: zeek misc/loaded-scripts # @TEST-EXEC: test -e loaded_scripts.log # @TEST-EXEC: cat loaded_scripts.log | grep -E -v '#' | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek b/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek index fd74e42002..e547833052 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek @@ -1,4 +1,4 @@ -# @TEST-REQUIRES: test -x ${BUILD}/auxil/spicy/spicy/bin/spicy-config +# @TEST-REQUIRES: $SCRIPTS/have-spicy # @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT # @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff .stderr 
diff --git a/testing/btest/scripts/base/protocols/finger/events.zeek b/testing/btest/scripts/base/protocols/finger/events.zeek
new file mode 100644
index 0000000000..b005bafdb9
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/finger/events.zeek
@@ -0,0 +1,18 @@
+# @TEST-EXEC: zeek -r $TRACES/finger/standard.pcap %INPUT >>output
+# @TEST-EXEC: zeek -r $TRACES/finger/verbose.pcap %INPUT >>output
+# @TEST-EXEC: btest-diff output
+
+global resp_lines = 0;
+
+event finger_request(c: connection, full: bool, username: string, hostname: string)
+ {
+ print "request", c$id, full, username, hostname;
+ }
+
+event finger_reply(c: connection, reply_line: string)
+ {
+ if ( ++resp_lines >= 5 )
+ return;
+
+ print "response", c$id, reply_line;
+ }
diff --git a/testing/btest/spicy/spicyz-jit.test b/testing/btest/spicy/spicyz-jit.test
deleted file mode 100644
index 514bec8990..0000000000
--- a/testing/btest/spicy/spicyz-jit.test
+++ /dev/null
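Review bot: The cutoff `if ( ++resp_lines >= 5 ) return;` in `finger_reply` is unexplained and the file has no `@TEST-DOC` line, so a reader has to work out from the baseline that only the first four reply lines of each run are meant to be printed. I'd add `# @TEST-DOC: Exercise finger_request/finger_reply on the two finger traces; only the first four reply lines of each run are printed.` above the first `@TEST-EXEC`, and `# Keep the baseline short: stop printing replies after the fourth line.` above the `if`. Because each `zeek -r` is its own process, the global counter restarts per trace rather than counting across both; stating that in the comment avoids someone later reading it as a cross-trace total.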
@@ -1,39 +0,0 @@ -# @TEST-DOC: Smoke test for a custom Spicy analyzer hooked into Zeek with JIT via Zeek itself. -# -# @TEST-REQUIRES: $SCRIPTS/have-spicy - -# Use a script here to prevent spicy from outputting warnings during compilation. If the build is -# failing, the script can be modified to not redirect the output. -# @TEST-EXEC: HILTI_CXX=$SCRIPTS/hilti-ignore-cxx-errors zeek -NN test.zeek test.spicy test.evt | grep -q ANALYZER_SPICY_TEST -# @TEST-EXEC: HILTI_CXX=$SCRIPTS/hilti-ignore-cxx-errors zeek -r ${TRACES}/http/post.trace test.spicy test.evt test.zeek "Spicy::enable_print = T;" >>output 2>&1 -# @TEST-EXEC: btest-diff output - -# @TEST-START-FILE test.spicy -module test; - -import zeek; - -public type Dummy = unit { - # Consume all data. We split data into lines and log the number of lines and the lines when done. - data: bytes &eod &convert=$$.split(b"\r\n"); - - on %done { print |self.data|, self; } -}; -# @TEST-END-FILE - -# @TEST-START-FILE test.evt -protocol analyzer spicy::Test over TCP: - parse with test::Dummy, - port 80/tcp; - -on test::Dummy -> event test::dummy(self.data); -# @TEST-END-FILE - -# @TEST-START-FILE test.zeek -module test; - -event test::dummy(data: vector of string) -{ - print "Event:", data; -} -# @TEST-END-FILE diff --git a/testing/btest/spicy/spicyz-aot.test b/testing/btest/spicy/spicyz.test similarity index 100% rename from testing/btest/spicy/spicyz-aot.test rename to testing/btest/spicy/spicyz.test diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 6b8aef994d..aaaa01bdc4 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -c901e5a69c1d8496973e18d6475b7af7ca5e9fcc +7bbcd06c50dc5bcae3533842c302c617ac5f1852 diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external index 43d2182fbd..d139420564 100755 
--- a/testing/scripts/diff-canonifier-external
+++ b/testing/scripts/diff-canonifier-external
@@ -25,5 +25,6 @@ $(dirname $0)/diff-remove-timestamps |
 $(dirname $0)/diff-remove-x509-names |
 $(dirname $0)/diff-sort-conn-service |
 $(dirname $0)/diff-sort-set-elements |
+ $(dirname $0)/diff-remove-spicy-abspath |
 $(dirname $0)/diff-sort |
 eval $addl
diff --git a/testing/scripts/diff-remove-spicy-abspath b/testing/scripts/diff-remove-spicy-abspath
new file mode 100755
index 0000000000..d70fc00b31
--- /dev/null
+++ b/testing/scripts/diff-remove-spicy-abspath
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+# Replace absolute paths in Spicy error message with the basename. This is more
+# restrictive than diff-remove-abspath to avoid catching other stuff.
+
+if [ $(uname) == "Linux" ]; then
+ sed="sed -r"
+else
+ sed="sed -E"
+fi
+
+$sed 's#/([^:/]{1,}/){1,}([^:/]{1,}\.spicy[:,])#<...>/\2#g'
diff --git a/testing/scripts/have-spicy b/testing/scripts/have-spicy
index d520e7438d..987542dac0 100755
--- a/testing/scripts/have-spicy
+++ b/testing/scripts/have-spicy
@@ -1,6 +1,2 @@
 #!/bin/sh
-if grep -q "DISABLE_SPICY:BOOL=true" "${BUILD}"/CMakeCache.txt; then
- return 1
-else
- true
-fi
+"${BUILD}/zeek-config" --have-spicy-analyzers >/dev/null
diff --git a/zeek-config.in b/zeek-config.in
index e6ac279c3b..5b08d8fcde 100755
--- a/zeek-config.in
+++ b/zeek-config.in
@@ -6,6 +6,7 @@ btest_tools_dir=@ZEEK_CONFIG_BTEST_TOOLS_DIR@
 build_type=@CMAKE_BUILD_TYPE_LOWER@
 cmake_dir=@CMAKE_INSTALL_PREFIX@/share/zeek/cmake
 config_dir=@ZEEK_ETC_INSTALL_DIR@
+have_spicy=@USE_SPICY_ANALYZERS@
 include_dir=@CMAKE_INSTALL_PREFIX@/include
 lib_dir=@CMAKE_INSTALL_FULL_LIBDIR@
 plugin_dir=@BRO_PLUGIN_INSTALL_PATH@
@@ -64,6 +65,10 @@ Toplevel installation directories for third-party components:
 --binpac_root BinPAC compiler
 --broker_root Broker communication framework
+
+Feature tests:
+
+ --have-spicy-analyzers Prints 'yes' if built-in Spicy analyzers are available; exit code reflects result
 "
 }
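Review bot: `if [ $(uname) == "Linux" ]; then` in the new diff-remove-spicy-abspath leaves the command substitution unquoted and uses the bash-only `==`; it works under the declared bash shebang, but `if [ "$(uname)" = "Linux" ]; then` is the portable spelling and still parses if `uname` prints nothing. The header comment should read `# Replace absolute paths in Spicy error messages with the basename.` and spell out what the pattern deliberately leaves alone: only paths ending in `.spicy` followed by `:` or `,` are rewritten, so absolute paths to `.evt` or other files in the same messages survive, which the "more restrictive" wording suggests is intended but is worth one sentence. If every supported platform's sed accepts `-E` (GNU sed has for years), the `uname` branch could collapse to a single `sed -E` invocation.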
@@ -103,6 +108,15 @@ while [ $# -ne 0 ]; do
 --config_dir)
 echo $config_dir
 ;;
+ --have-spicy-analyzers)
+ if [ "$have_spicy" = "yes" ]; then
+ echo "yes"
+ exit 0
+ else
+ echo "no"
+ exit 1
+ fi
+ ;;
 --include_dir)
 echo $include_dir
 ;;
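Review bot: `if [ "$have_spicy" = "yes" ]; then` matches only the literal string `yes`, yet `have_spicy` is filled from `@USE_SPICY_ANALYZERS@` in the earlier hunk, a CMake variable whose spelling is not visible here; if CMake ever populates it as `ON`/`TRUE`/`1` (the usual `option()` values), this branch answers `no` and the new `have-spicy` helper silently skips every Spicy test. Either normalize the value to exactly `yes`/`no` on the CMake side and say so in a comment next to `have_spicy=`, or accept CMake's truthy spellings here: `case "$have_spicy" in [Yy][Ee][Ss]|[Oo][Nn]|[Tt][Rr][Uu][Ee]|1) echo yes; exit 0 ;; *) echo no; exit 1 ;; esac`. Note also that the `exit` ends option processing, so `zeek-config --have-spicy-analyzers --prefix` never prints the prefix; the help text says the exit code reflects the result, so this is presumably intended, but a comment such as `# Exits immediately: the status is the answer, later options are not processed.` would prevent surprise. The enclosing `while` loop continues outside the hunk.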