From 05574ecce1d35e3af4f536aeabaf0fdb4194c253 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 26 Aug 2021 12:37:28 -0700 Subject: [PATCH] Add VXLAN packet analyzer, disable old analyzer --- scripts/base/frameworks/tunnels/main.zeek | 3 +- scripts/base/init-bare.zeek | 5 -- scripts/base/packet-protocols/__load__.zeek | 1 + .../base/packet-protocols/vxlan/__load__.zeek | 1 + scripts/base/packet-protocols/vxlan/main.zeek | 20 ++++++ src/analyzer/Manager.cc | 4 +- src/analyzer/protocol/CMakeLists.txt | 2 +- src/packet_analysis/protocol/CMakeLists.txt | 1 + src/packet_analysis/protocol/udp/UDP.cc | 4 +- .../protocol/vxlan/CMakeLists.txt | 6 ++ src/packet_analysis/protocol/vxlan/Plugin.cc | 27 ++++++++ src/packet_analysis/protocol/vxlan/VXLAN.cc | 65 +++++++++++++++++++ src/packet_analysis/protocol/vxlan/VXLAN.h | 25 +++++++ src/packet_analysis/protocol/vxlan/events.bif | 12 ++++ .../Baseline/core.tunnels.vxlan/conn.log | 4 +- .../canonified_loaded_scripts.log | 4 +- .../canonified_loaded_scripts.log | 4 +- testing/btest/Baseline/plugins.hooks/output | 27 +++++--- .../Baseline/signatures.dpd/dpd-ipv4.out | 2 +- .../Baseline/signatures.dpd/dpd-ipv6.out | 2 +- .../Baseline/signatures.dpd/nosig-ipv4.out | 2 +- .../Baseline/signatures.dpd/nosig-ipv6.out | 2 +- 22 files changed, 194 insertions(+), 29 deletions(-) create mode 100644 scripts/base/packet-protocols/vxlan/__load__.zeek create mode 100644 scripts/base/packet-protocols/vxlan/main.zeek create mode 100644 src/packet_analysis/protocol/vxlan/CMakeLists.txt create mode 100644 src/packet_analysis/protocol/vxlan/Plugin.cc create mode 100644 src/packet_analysis/protocol/vxlan/VXLAN.cc create mode 100644 src/packet_analysis/protocol/vxlan/VXLAN.h create mode 100644 src/packet_analysis/protocol/vxlan/events.bif diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek index 60d26c5612..11b7a90470 100644 --- a/scripts/base/frameworks/tunnels/main.zeek +++ b/scripts/base/frameworks/tunnels/main.zeek @@ -92,7 +92,7 @@ export { const teredo_ports = { 3544/udp }; const gtpv1_ports = { 2152/udp, 2123/udp }; -redef likely_server_ports += { teredo_ports, gtpv1_ports, vxlan_ports }; +redef likely_server_ports += { teredo_ports, gtpv1_ports }; event zeek_init() &priority=5 { @@ -100,7 +100,6 @@ event zeek_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); - Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports); } function register_all(ecv: EncapsulatingConnVector) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 3754270565..9e102ed6fc 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -5060,11 +5060,6 @@ export { ## may choose whether to perform the validation. const validate_vxlan_checksums = T &redef; - ## The set of UDP ports used for VXLAN traffic. Traffic using this - ## UDP destination port will attempt to be decapsulated. Note that if - ## if you customize this, you may still want to manually ensure that - ## :zeek:see:`likely_server_ports` also gets populated accordingly. - const vxlan_ports: set[port] = { 4789/udp } &redef; } # end export module Reporter; diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index 35cbd54118..312db9f3b0 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek @@ -23,3 +23,4 @@ @load base/packet-protocols/iptunnel @load base/packet-protocols/ayiya @load base/packet-protocols/geneve +@load base/packet-protocols/vxlan diff --git a/scripts/base/packet-protocols/vxlan/__load__.zeek b/scripts/base/packet-protocols/vxlan/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/packet-protocols/vxlan/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/packet-protocols/vxlan/main.zeek b/scripts/base/packet-protocols/vxlan/main.zeek new file mode 100644 index 0000000000..83bde18c2b --- /dev/null +++ b/scripts/base/packet-protocols/vxlan/main.zeek @@ -0,0 +1,20 @@ +module PacketAnalyzer::VXLAN; + +export { + # There's no indicator in the VXLAN packet header format about what the next protocol + # in the chain is. All of the documentation just lists Ethernet, so default to that. + const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_ETHERNET &redef; + + ## The set of UDP ports used for VXLAN traffic. Traffic using this + ## UDP destination port will attempt to be decapsulated. Note that if + ## if you customize this, you may still want to manually ensure that + ## :zeek:see:`likely_server_ports` also gets populated accordingly. + const vxlan_ports: set[port] = { 4789/udp } &redef; +} + +redef likely_server_ports += { vxlan_ports }; + +event zeek_init() &priority=20 + { + PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, vxlan_ports); + } diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index ba21821a84..dfc6236147 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -74,10 +74,10 @@ Manager::~Manager() void Manager::InitPostScript() { - const auto& id = detail::global_scope()->Find("Tunnel::vxlan_ports"); + const auto& id = detail::global_scope()->Find("PacketAnalyzer::VXLAN::vxlan_ports"); if ( ! (id && id->GetVal()) ) - reporter->FatalError("Tunnel::vxlan_ports not defined"); + reporter->FatalError("PacketAnalyzer::VXLAN::vxlan_ports not defined"); auto table_val = id->GetVal()->AsTableVal(); auto port_list = table_val->ToPureListVal(); diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index 7f042e361a..d6b42fa28e 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -42,6 +42,6 @@ add_subdirectory(ssl) add_subdirectory(syslog) add_subdirectory(tcp) add_subdirectory(teredo) -add_subdirectory(vxlan) +#add_subdirectory(vxlan) add_subdirectory(xmpp) add_subdirectory(zip) diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index 7cf36d5de9..53a1d8e161 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt @@ -24,3 +24,4 @@ add_subdirectory(gre) add_subdirectory(iptunnel) add_subdirectory(ayiya) add_subdirectory(geneve) +add_subdirectory(vxlan) diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc index cd7681dcd9..b0cb1683a7 100644 --- a/src/packet_analysis/protocol/udp/UDP.cc +++ b/src/packet_analysis/protocol/udp/UDP.cc @@ -41,10 +41,10 @@ void UDPAnalyzer::Initialize() { IPBasedAnalyzer::Initialize(); - const auto& id = detail::global_scope()->Find("Tunnel::vxlan_ports"); + const auto& id = detail::global_scope()->Find("PacketAnalyzer::VXLAN::vxlan_ports"); if ( ! (id && id->GetVal()) ) - reporter->FatalError("Tunnel::vxlan_ports not defined"); + reporter->FatalError("PacketAnalyzer::VXLAN::vxlan_ports not defined"); auto table_val = id->GetVal()->AsTableVal(); auto port_list = table_val->ToPureListVal(); diff --git a/src/packet_analysis/protocol/vxlan/CMakeLists.txt b/src/packet_analysis/protocol/vxlan/CMakeLists.txt new file mode 100644 index 0000000000..695048f77e --- /dev/null +++ b/src/packet_analysis/protocol/vxlan/CMakeLists.txt @@ -0,0 +1,6 @@ +include(ZeekPlugin) + +zeek_plugin_begin(Zeek VXLAN) +zeek_plugin_cc(VXLAN.cc Plugin.cc) +zeek_plugin_bif(events.bif) +zeek_plugin_end() diff --git a/src/packet_analysis/protocol/vxlan/Plugin.cc b/src/packet_analysis/protocol/vxlan/Plugin.cc new file mode 100644 index 0000000000..21651ae071 --- /dev/null +++ b/src/packet_analysis/protocol/vxlan/Plugin.cc @@ -0,0 +1,27 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "zeek/plugin/Plugin.h" + +#include "zeek/packet_analysis/Component.h" +#include "zeek/packet_analysis/protocol/vxlan/VXLAN.h" + +namespace zeek::plugin::Zeek_VXLAN + { + +class Plugin : public zeek::plugin::Plugin + { +public: + zeek::plugin::Configuration Configure() + { + AddComponent(new zeek::packet_analysis::Component( + "VXLAN", zeek::packet_analysis::VXLAN::VXLAN_Analyzer::Instantiate)); + + zeek::plugin::Configuration config; + config.name = "Zeek::VXLAN"; + config.description = "VXLAN packet analyzer"; + return config; + } + + } plugin; + + } diff --git a/src/packet_analysis/protocol/vxlan/VXLAN.cc b/src/packet_analysis/protocol/vxlan/VXLAN.cc new file mode 100644 index 0000000000..7bc7b75c3e --- /dev/null +++ b/src/packet_analysis/protocol/vxlan/VXLAN.cc @@ -0,0 +1,65 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "zeek/packet_analysis/protocol/vxlan/VXLAN.h" + +#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h" +#include "zeek/packet_analysis/protocol/vxlan/events.bif.h" + +using namespace zeek::packet_analysis::VXLAN; + +VXLAN_Analyzer::VXLAN_Analyzer() : zeek::packet_analysis::Analyzer("VXLAN") { } + +bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) + { + if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) + { + Weird("exceeded_tunnel_max_depth", packet); + return false; + } + + constexpr uint16_t hdr_size = 8; + + if ( hdr_size > len ) + { + AnalyzerViolation("VXLAN header truncation", packet->session, (const char*)data, len); + return false; + } + + if ( (data[0] & 0x08) == 0 ) + { + AnalyzerViolation("VXLAN 'I' flag not set", packet->session, (const char*)data, len); + return false; + } + + int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0); + + len -= hdr_size; + data += hdr_size; + + int encap_index = 0; + auto inner_packet = packet_analysis::IPTunnel::build_inner_packet( + packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::VXLAN, + GetAnalyzerTag()); + + bool fwd_ret_val = true; + if ( len > hdr_size ) + fwd_ret_val = ForwardPacket(len, data, inner_packet.get()); + + if ( fwd_ret_val ) + { + AnalyzerConfirmation(packet->session); + + if ( vxlan_packet && packet->session ) + { + EncapsulatingConn* ec = inner_packet->encap->At(encap_index); + if ( ec && ec->ip_hdr ) + inner_packet->session->EnqueueEvent(vxlan_packet, nullptr, + packet->session->GetVal(), + ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni)); + } + } + else + AnalyzerViolation("VXLAN invalid inner packet", packet->session); + + return fwd_ret_val; + } diff --git a/src/packet_analysis/protocol/vxlan/VXLAN.h b/src/packet_analysis/protocol/vxlan/VXLAN.h new file mode 100644 index 0000000000..f1bc5053e6 --- /dev/null +++ b/src/packet_analysis/protocol/vxlan/VXLAN.h @@ -0,0 +1,25 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include "zeek/packet_analysis/Analyzer.h" +#include "zeek/packet_analysis/Component.h" + +namespace zeek::packet_analysis::VXLAN + { + +class VXLAN_Analyzer : public zeek::packet_analysis::Analyzer + { +public: + VXLAN_Analyzer(); + ~VXLAN_Analyzer() override = default; + + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + + static zeek::packet_analysis::AnalyzerPtr Instantiate() + { + return std::make_shared(); + } + }; + + } diff --git a/src/packet_analysis/protocol/vxlan/events.bif b/src/packet_analysis/protocol/vxlan/events.bif new file mode 100644 index 0000000000..d05c74dfbe --- /dev/null +++ b/src/packet_analysis/protocol/vxlan/events.bif @@ -0,0 +1,12 @@ +## Generated for any packet encapsulated in a VXLAN tunnel. +## See :rfc:`7348` for more information about the VXLAN protocol. +## +## outer: The VXLAN tunnel connection. +## +## inner: The VXLAN-encapsulated Ethernet packet header and transport header. +## +## vni: VXLAN Network Identifier. +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%); diff --git a/testing/btest/Baseline/core.tunnels.vxlan/conn.log b/testing/btest/Baseline/core.tunnels.vxlan/conn.log index bb73bfef65..0688cd19d0 100644 --- a/testing/btest/Baseline/core.tunnels.vxlan/conn.log +++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log @@ -9,7 +9,7 @@ #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 10.0.0.1 8 10.0.0.2 0 icmp - 3.004616 224 224 OTH - - 0 - 4 336 4 336 CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 udp vxlan 3.004278 424 0 S0 - - 0 D 4 536 0 0 - -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.56.12 40908 192.168.56.11 4789 udp - - - - S0 - - 0 D 1 78 0 0 - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.56.11 39924 192.168.56.12 4789 udp - - - - S0 - - 0 D 1 78 0 0 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.56.12 40908 192.168.56.11 4789 udp vxlan - - - S0 - - 0 D 1 78 0 0 - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.56.11 39924 192.168.56.12 4789 udp vxlan - - - S0 - - 0 D 1 78 0 0 - XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 udp vxlan 3.004434 424 0 S0 - - 0 D 4 536 0 0 - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index c641280119..be14ccb46b 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -71,6 +71,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/ayiya/main.zeek scripts/base/packet-protocols/geneve/__load__.zeek scripts/base/packet-protocols/geneve/main.zeek + scripts/base/packet-protocols/vxlan/__load__.zeek + scripts/base/packet-protocols/vxlan/main.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -209,12 +211,12 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek - build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 289c6d1032..bab747594c 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -71,6 +71,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/ayiya/main.zeek scripts/base/packet-protocols/geneve/__load__.zeek scripts/base/packet-protocols/geneve/main.zeek + scripts/base/packet-protocols/vxlan/__load__.zeek + scripts/base/packet-protocols/vxlan/main.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -209,12 +211,12 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek - build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 84e2946e17..30cef0ae06 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -60,7 +60,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) -> @@ -124,7 +123,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) -> @@ -154,7 +152,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {563<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Broker::__set_metrics_export_endpoint_name, , ()) -> 0.000000 MetaHookPost CallFunction(Broker::__set_metrics_export_interval, , (1.0 sec)) -> @@ -583,8 +580,10 @@ 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> @@ -633,6 +632,7 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> @@ -676,6 +676,7 @@ 0.000000 MetaHookPost CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> 0.000000 MetaHookPost CallFunction(global_ids, , ()) -> 0.000000 MetaHookPost CallFunction(network_time, , ()) -> +0.000000 MetaHookPost CallFunction(port_to_count, , (4789/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (5072/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (6081/udp)) -> 0.000000 MetaHookPost CallFunction(reading_live_traffic, , ()) -> @@ -1038,6 +1039,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/version, <...>/version.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/vlan, <...>/vlan) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/vntag, <...>/vntag) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/vxlan, <...>/vxlan) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/weird, <...>/weird.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/x509, <...>/x509) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/xmpp, <...>/xmpp) -> -1 @@ -1408,6 +1410,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, base<...>/version, <...>/version.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/vlan, <...>/vlan) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/vntag, <...>/vntag) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/vxlan, <...>/vxlan) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/weird, <...>/weird.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/x509, <...>/x509) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/xmpp, <...>/xmpp) -> (-1, ) @@ -1494,7 +1497,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) @@ -1558,7 +1560,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) @@ -1588,7 +1589,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {563<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) 0.000000 MetaHookPre CallFunction(Broker::__set_metrics_export_endpoint_name, , ()) 0.000000 MetaHookPre CallFunction(Broker::__set_metrics_export_interval, , (1.0 sec)) @@ -2017,8 +2017,10 @@ 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) @@ -2067,6 +2069,7 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) @@ -2110,6 +2113,7 @@ 0.000000 MetaHookPre CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS)) 0.000000 MetaHookPre CallFunction(global_ids, , ()) 0.000000 MetaHookPre CallFunction(network_time, , ()) +0.000000 MetaHookPre CallFunction(port_to_count, , (4789/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (5072/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (6081/udp)) 0.000000 MetaHookPre CallFunction(reading_live_traffic, , ()) @@ -2472,6 +2476,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/version, <...>/version.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/vlan, <...>/vlan) 0.000000 MetaHookPre LoadFile(0, base<...>/vntag, <...>/vntag) +0.000000 MetaHookPre LoadFile(0, base<...>/vxlan, <...>/vxlan) 0.000000 MetaHookPre LoadFile(0, base<...>/weird, <...>/weird.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/x509, <...>/x509) 0.000000 MetaHookPre LoadFile(0, base<...>/xmpp, <...>/xmpp) @@ -2842,6 +2847,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, base<...>/version, <...>/version.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/vlan, <...>/vlan) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/vntag, <...>/vntag) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/vxlan, <...>/vxlan) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/weird, <...>/weird.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/x509, <...>/x509) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/xmpp, <...>/xmpp) @@ -2928,7 +2934,6 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) -0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS) @@ -2992,7 +2997,6 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) -0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, {135/tcp}) @@ -3022,7 +3026,6 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {563<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) -0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Broker::__set_metrics_export_endpoint_name() 0.000000 | HookCallFunction Broker::__set_metrics_export_interval(1.0 sec) @@ -3450,8 +3453,10 @@ 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp) +0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}) +0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP) @@ -3500,6 +3505,7 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP) @@ -3543,6 +3549,7 @@ 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS) 0.000000 | HookCallFunction global_ids() 0.000000 | HookCallFunction network_time() +0.000000 | HookCallFunction port_to_count(4789/udp) 0.000000 | HookCallFunction port_to_count(5072/udp) 0.000000 | HookCallFunction port_to_count(6081/udp) 0.000000 | HookCallFunction reading_live_traffic() @@ -3917,6 +3924,7 @@ 0.000000 | HookLoadFile base<...>/version <...>/version.zeek 0.000000 | HookLoadFile base<...>/vlan <...>/vlan 0.000000 | HookLoadFile base<...>/vntag <...>/vntag +0.000000 | HookLoadFile base<...>/vxlan <...>/vxlan 0.000000 | HookLoadFile base<...>/weird <...>/weird.zeek 0.000000 | HookLoadFile base<...>/x509 <...>/x509 0.000000 | HookLoadFile base<...>/xmpp <...>/xmpp @@ -4287,6 +4295,7 @@ 0.000000 | HookLoadFileExtended base<...>/version <...>/version.zeek 0.000000 | HookLoadFileExtended base<...>/vlan <...>/vlan 0.000000 | HookLoadFileExtended base<...>/vntag <...>/vntag +0.000000 | HookLoadFileExtended base<...>/vxlan <...>/vxlan 0.000000 | HookLoadFileExtended base<...>/weird <...>/weird.zeek 0.000000 | HookLoadFileExtended base<...>/x509 <...>/x509 0.000000 | HookLoadFileExtended base<...>/xmpp <...>/xmpp diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out index 3164acb97b..06997a6c09 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out @@ -1,5 +1,5 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -|Analyzer::all_registered_ports()|, 2 +|Analyzer::all_registered_ports()|, 3 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request 141.142.220.235:50003 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out index baa45d3a06..8bcf84d4a5 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out @@ -1,5 +1,5 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -|Analyzer::all_registered_ports()|, 2 +|Analyzer::all_registered_ports()|, 3 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out index b012dac860..2cde803f33 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -|Analyzer::all_registered_ports()|, 2 +|Analyzer::all_registered_ports()|, 3 diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out index b012dac860..2cde803f33 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -|Analyzer::all_registered_ports()|, 2 +|Analyzer::all_registered_ports()|, 3