Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge

Browse source 
Conflicts:
	testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
	testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
	testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
	testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log
This commit is contained in:
Seth Hall 2013-03-13 00:26:55 -04:00
commit 09cbaa7ccc
114 changed files with 2308 additions and 897 deletions
Download patch file Download diff file Expand all files Collapse all files

1
testing/btest/Baseline/bifs.byte_len/out
View file

@ -1 +0,0 @@
11

6
testing/btest/Baseline/bifs.length/out
View file

@ -1,6 +0,0 @@
1
4
2
0
0
0

2
testing/btest/Baseline/core.tunnels.gtp.ext_header/out Normal file
View file

@ -0,0 +1,2 @@
gtpv1_message, [orig_h=10.155.148.149, orig_p=9000/udp, resp_h=10.155.148.157, resp_p=2152/udp]
[version=1, pt_flag=T, rsv=F, e_flag=T, s_flag=T, pn_flag=F, msg_type=255, length=1508, teid=1050199, seq=5, n_pdu=0, next_type=192]

2
testing/btest/Baseline/core.tunnels.gtp.non_recursive/out
View file

@ -1 +1 @@
protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...]
protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [\x80\xe1Bc.\xe20\xebn\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80...]

24
testing/btest/Baseline/core.tunnels.gtp.pdp_ctx_messages/out Normal file
View file

@ -0,0 +1,24 @@
gtpv1_message, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=137, teid=0, seq=4875, n_pdu=0, next_type=0]
gtp create request, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=137, teid=0, seq=4875, n_pdu=0, next_type=0]
[imsi=460004100000101, rai=[mcc=460, mnc=6, lac=65534, rac=255], recovery=176, select_mode=1, data1=854600697, cp=854600697, nsapi=5, linked_nsapi=<uninitialized>, charge_character=<uninitialized>, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=^Feetest, opts=\x80\x80!^V^A^A\0^V^C^F\0\0\0\0\x81^F\0\0\0\0\x83^F\0\0\0\0, signal_addr=[ip=192.169.100.1, other=<uninitialized>], user_addr=[ip=192.169.100.1, other=<uninitialized>], msisdn=\x91hQ"^A\0^A\xf1, qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=[id=10923, value=^B^A^C]]
gtpv1_message, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=101, teid=854600697, seq=4875, n_pdu=0, next_type=0]
gtp create response, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=101, teid=854600697, seq=4875, n_pdu=0, next_type=0]
[cause=128, reorder_req=F, recovery=24, data1=268435589, cp=268435584, charging_id=103000009, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.252.130, pdp_other_addr=<uninitialized>], opts=\x80\x80!^P^D^A\0^P\x81^F\0\0\0\0\x83^F\0\0\0\0\x80!^J^C^A\0^J^C^F\xc0\xa8\xfc\x82, cp_addr=[ip=10.100.200.34, other=<uninitialized>], user_addr=[ip=10.100.200.49, other=<uninitialized>], qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], charge_gateway=<uninitialized>, ext=<uninitialized>]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=1, length=4, teid=0, seq=3072, n_pdu=0, next_type=0]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=2, length=6, teid=0, seq=3072, n_pdu=0, next_type=0]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=104, teid=0, seq=3073, n_pdu=0, next_type=0]
gtp create request, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=104, teid=0, seq=3073, n_pdu=0, next_type=0]
[imsi=240010123456789, rai=<uninitialized>, recovery=3, select_mode=1, data1=1, cp=1, nsapi=0, linked_nsapi=<uninitialized>, charge_character=2048, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=^Hinternet, opts=\x80\xc0#^Q^A^A\0^Q^Cmig^Hhemmelig, signal_addr=[ip=127.0.0.2, other=<uninitialized>], user_addr=[ip=127.0.0.2, other=<uninitialized>], msisdn=\x91d^G^R2T\xf6, qos_prof=[priority=0, data=^K\x92\x1f], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=<uninitialized>]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=78, teid=1, seq=3073, n_pdu=0, next_type=0]
gtp create response, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=78, teid=1, seq=3073, n_pdu=0, next_type=0]
[cause=128, reorder_req=F, recovery=1, data1=1, cp=1, charging_id=1, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.0.2, pdp_other_addr=<uninitialized>], opts=\x80\x80!^P^B\0\0^P\x81^F\0\0\0\0\x83^F\0\0\0\0, cp_addr=[ip=127.0.0.1, other=<uninitialized>], user_addr=[ip=127.0.0.1, other=<uninitialized>], qos_prof=[priority=0, data=^K\x92\x1f], charge_gateway=<uninitialized>, ext=<uninitialized>]

6
testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path dpd
#open 2012-10-19-17-38-54
#open 2013-01-25-21-49-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
1333458853.075889 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [E\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eVP\x10\x10\xe0u\xcf\x00\x00...]
#close 2012-10-19-17-38-54
1333458853.075889 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [0\xff\x00\xac\x98\x13\x01LE\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eV...]
#close 2013-01-25-21-49-19

4
testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path tunnel
#open 2012-10-19-17-38-54
#open 2013-01-25-21-49-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1333458853.034734 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458853.108391 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::CLOSE
#close 2012-10-19-17-38-54
#close 2013-01-25-21-49-19

5
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2012-11-20-06-11-08
#open 2013-02-11-18-44-43
#fields name
#types string
scripts/base/init-bare.bro
@ -54,6 +54,7 @@ scripts/base/init-default.bro
scripts/base/frameworks/cluster/./main.bro
scripts/base/frameworks/control/__load__.bro
scripts/base/frameworks/control/./main.bro
scripts/base/frameworks/notice/./non-cluster.bro
scripts/base/frameworks/notice/./actions/pp-alarms.bro
scripts/base/frameworks/dpd/__load__.bro
scripts/base/frameworks/dpd/./main.bro
@ -119,4 +120,4 @@ scripts/base/init-default.bro
scripts/base/protocols/syslog/./main.bro
scripts/base/misc/find-checksum-offloading.bro
scripts/policy/misc/loaded-scripts.bro
#close 2012-11-20-06-11-08
#close 2013-02-11-18-44-43

44
testing/btest/Baseline/language.container-ctor-scope/out Normal file
View file

@ -0,0 +1,44 @@
{
[2/tcp] = 2,
[1/tcp] = 1,
[3/tcp] = 3
}
{
[2/tcp] = 2,
[1/tcp] = 1,
[3/tcp] = 3
}
{
2/tcp,
1/tcp,
3/tcp
}
{
2/tcp,
1/tcp,
3/tcp
}
[1/tcp, 2/tcp, 3/tcp, 1/tcp]
[1/tcp, 2/tcp, 3/tcp, 1/tcp]
{
[2/tcp] = 2,
[1/tcp] = 1,
[3/tcp] = 3
}
{
[2/tcp] = 2,
[1/tcp] = 1,
[3/tcp] = 3
}
{
2/tcp,
1/tcp,
3/tcp
}
{
2/tcp,
1/tcp,
3/tcp
}
[1/tcp, 2/tcp, 3/tcp, 1/tcp]
[1/tcp, 2/tcp, 3/tcp, 1/tcp]

4
testing/btest/Baseline/language.func-assignment/out Normal file
View file

@ -0,0 +1,4 @@
Brogrammers, like bowties, are cool. Brogrammers, like bowties, are cool. Brogrammers, like bowties, are cool.
Brogrammers, like bowties, are cool. Brogrammers, like bowties, are cool.
BROGRAMMERS, LIKE BOWTIES, ARE COOL.
BROGRAMMERS, LIKE BOWTIES, ARE COOL.

12
testing/btest/Baseline/language.returnwhen/bro..stdout Normal file
View file

@ -0,0 +1,12 @@
dummy from async_func() from bro_init()
async_func() return result in bro_init(), flag in my_set
dummy from bro_init() when block
hi!
dummy from async_func() from do_another()
async_func() return result in do_another(), flag in my_set
dummy from do_another() when block
hi!
dummy from async_func() from do_another()
async_func() return result in do_another(), timeout
dummy from do_another() when block
hi!

168
testing/btest/Baseline/scripts.base.frameworks.input.tableevent/out
View file

@ -1,189 +1,21 @@
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=1]
T
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=2]
T
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=3]
F
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=4]
F
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=5]
F
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=6]
F
[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
[2] = T,
[4] = F,
[6] = F,
[7] = T,
[1] = T,
[5] = F,
[3] = F
}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;
try = try + 1;
if (7 == try)
{
close(outfile);
terminate();
}
}, pred=<uninitialized>, config={
}]
Input::EVENT_NEW
[i=7]
T

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.options/ssh.ds.xml
View file

@ -1,4 +1,4 @@
<ExtentType name="ssh" version="1.0" namespace="bro-ids.org">
<ExtentType name="ssh" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />

20
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.rotate/out
View file

@ -19,7 +19,7 @@ test.2011-03-07-12-00-05.ds test 11-03-07_12.00.05 11-03-07_12.59.55 1 dataserie
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -47,7 +47,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -75,7 +75,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -103,7 +103,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -131,7 +131,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -159,7 +159,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -187,7 +187,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -215,7 +215,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -243,7 +243,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />
@ -271,7 +271,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="test" version="1.0" namespace="bro-ids.org">
<ExtentType name="test" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.test-logging/ssh.ds.txt
View file

@ -8,7 +8,7 @@
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="ssh" version="1.0" namespace="bro-ids.org">
<ExtentType name="ssh" version="1.0" namespace="bro.org">
<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>
<field type="int64" name="id.orig_p" />

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
View file

@ -8,7 +8,7 @@
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="conn" version="1.0" namespace="bro-ids.org">
<ExtentType name="conn" version="1.0" namespace="bro.org">
<field type="int64" name="ts" pack_relative="ts" units="microseconds" epoch="unix"/>
<field type="variable32" name="uid" pack_unique="yes"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
View file

@ -8,7 +8,7 @@
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="conn" version="1.0" namespace="bro-ids.org">
<ExtentType name="conn" version="1.0" namespace="bro.org">
<field type="double" name="ts" pack_relative="ts" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="uid" pack_unique="yes"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>

2
testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
View file

@ -8,7 +8,7 @@
<field type="variable32" name="xmltype" />
</ExtentType>
<ExtentType name="http" version="1.0" namespace="bro-ids.org">
<ExtentType name="http" version="1.0" namespace="bro.org">
<field type="double" name="ts" pack_relative="ts" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
<field type="variable32" name="uid" pack_unique="yes"/>
<field type="variable32" name="id.orig_h" pack_unique="yes"/>

10
testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-07-20-01-50-59
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double addr string subnet
1342749059.978651 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 6 3600.000000 F - - - - - 1.2.3.4 - -
#close 2012-07-20-01-51-08
#open 2013-02-11-18-41-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1360608063.517719 - - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 3600.000000 F - - - - - 1.2.3.4 - -
#close 2013-02-11-18-41-03

10
testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-11-20-06-46-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1353393982.260495 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-11-20-06-46-22
#open 2013-02-11-18-45-43
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1360608343.088948 - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG 3600.000000 F - - - - - - - -
#close 2013-02-11-18-45-43

10
testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-11-20-06-45-52
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1353393952.489496 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-11-20-06-45-56
#open 2013-02-11-18-45-14
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1360608314.794257 - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG 3600.000000 F - - - - - - - -
#close 2013-02-11-18-45-17

10
testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-07-20-01-49-23
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1342748963.685754 - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-07-20-01-49-23
#open 2013-02-11-18-32-39
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double
1360607559.193954 - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2013-02-11-18-32-39

10
testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2012-11-20-06-09-07
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions policy_items suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port enum enum string string addr addr port count string table[enum] table[count] interval bool string string string double double
1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 6 3600.000000 F - - - - -
#close 2012-11-20-06-09-07
#open 2013-02-11-18-33-41
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet
1348168976.558309 arKYeMETxOg 192.168.57.103 35391 192.168.57.101 55968 tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - -
#close 2013-02-11-18-33-41

4
testing/btest/README
View file

@ -1,7 +1,7 @@
This a test suite of small "unit tests" that verify individual pieces of Bro
functionality. They all utilize BTest, a simple framework/driver for
writing unit tests. More information about BTest can be found at
http://www.bro-ids.org/development/btest.html
http://www.bro.org/development/btest.html
The test suite's BTest configuration is handled through the
``btest.cfg`` file. Of particular interest is the "TestDirs" settings,
@ -61,7 +61,7 @@ Adding Tests
=============
See either the `BTest documentation
<http://www.bro-ids.org/development/btest.html>`_ or the existing unit
<http://www.bro.org/development/btest.html>`_ or the existing unit
tests for examples of what they actually look like. The essential
components of a new test include:

BIN
testing/btest/Traces/tunnels/gtp/gtp_control_prime.pcap Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/tunnels/gtp/gtp_create_pdp_ctx.pcap Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/tunnels/gtp/gtp_ext_header.pcap Normal file
View file

Binary file not shown.

10
testing/btest/bifs/byte_len.bro
View file

@ -1,10 +0,0 @@
#
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local a = "hello\0there";
print byte_len(a);
}

22
testing/btest/bifs/length.bro
View file

@ -1,22 +0,0 @@
#
# @TEST-EXEC: bro -b %INPUT > out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local mytable: table[string] of string = { ["key1"] = "val1" };
local myset: set[count] = set( 3, 6, 2, 7 );
local myvec: vector of string = vector( "value1", "value2" );
print length(mytable);
print length(myset);
print length(myvec);
mytable = table();
myset = set();
myvec = vector();
print length(mytable);
print length(myset);
print length(myvec);
}

84
testing/btest/core/leaks/returnwhen.bro Normal file
View file

@ -0,0 +1,84 @@
# Needs perftools support.
#
# @TEST-GROUP: leaks
#
# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
#
# @TEST-EXEC: btest-bg-run bro HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b %INPUT
# @TEST-EXEC: btest-bg-wait 15
redef exit_only_after_terminate = T;
global my_set: set[string] = set();
global flag: string = "flag";
global done: bool = F;
function dummyfunc(s: string): string
{
return "dummy " + s;
}
function async_func(s: string): string
{
print dummyfunc("from async_func() " + s);
return when ( flag in my_set )
{
return flag + " in my_set";
}
timeout 3sec
{
return "timeout";
}
}
event set_flag()
{
add my_set[flag];
}
event do_another()
{
delete my_set[flag];
local local_dummy = dummyfunc;
local anon = function(s: string): string { return s + "!"; };
if ( ! done )
schedule 1sec { set_flag() };
when ( local result = async_func("from do_another()") )
{
print "async_func() return result in do_another()", result;
print local_dummy("from do_another() when block");
print anon("hi");
if ( result == "timeout" )
terminate();
else
{
done = T;
schedule 10msec { do_another() };
}
}
}
event bro_init()
{
local local_dummy = dummyfunc;
local anon = function(s: string): string { return s + "!"; };
schedule 1sec { set_flag() };
when ( local result = async_func("from bro_init()") )
{
print "async_func() return result in bro_init()", result;
print local_dummy("from bro_init() when block");
print anon("hi");
if ( result == "timeout" ) terminate();
schedule 10msec { do_another() };
}
}

8
testing/btest/core/tunnels/gtp/ext_header.test Normal file
View file

@ -0,0 +1,8 @@
# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp_ext_header.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
event gtpv1_message(c: connection, hdr: gtpv1_hdr)
{
print "gtpv1_message", c$id;
print hdr;
}

56
testing/btest/core/tunnels/gtp/pdp_ctx_messages.test Normal file
View file

@ -0,0 +1,56 @@
# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp_control_prime.pcap -r $TRACES/tunnels/gtp/gtp_create_pdp_ctx.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
event gtpv1_message(c: connection, hdr: gtpv1_hdr)
{
print "gtpv1_message", c$id;
print hdr;
}
event gtpv1_create_pdp_ctx_request(c: connection, hdr: gtpv1_hdr,
elements: gtp_create_pdp_ctx_request_elements)
{
print "gtp create request", c$id;
print hdr;
print elements;
}
event gtpv1_create_pdp_ctx_response(c: connection, hdr: gtpv1_hdr,
elements: gtp_create_pdp_ctx_response_elements)
{
print "gtp create response", c$id;
print hdr;
print elements;
}
event gtpv1_update_pdp_ctx_request(c: connection, hdr: gtpv1_hdr,
elements: gtp_update_pdp_ctx_request_elements)
{
print "gtp update request", c$id;
print hdr;
print elements;
}
event gtpv1_update_pdp_ctx_response(c: connection, hdr: gtpv1_hdr,
elements: gtp_update_pdp_ctx_response_elements)
{
print "gtp update response", c$id;
print hdr;
print elements;
}
event gtpv1_delete_pdp_ctx_request(c: connection, hdr: gtpv1_hdr,
elements: gtp_delete_pdp_ctx_request_elements)
{
print "gtp delete request", c$id;
print hdr;
print elements;
}
event gtpv1_delete_pdp_ctx_response(c: connection, hdr: gtpv1_hdr,
elements: gtp_delete_pdp_ctx_response_elements)
{
print "gtp delete response", c$id;
print hdr;
print elements;
}

38
testing/btest/language/container-ctor-scope.bro Normal file
View file

@ -0,0 +1,38 @@
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
# All various container contructors should work at both global and local scope.
global gt1: table[port] of count = table( [1/tcp] = 1, [2/tcp] = 2, [3/tcp] = 3 );
global gs1: set[port] = set( 1/tcp, 2/tcp, 3/tcp );
global gv1: vector of port = vector( 1/tcp, 2/tcp, 3/tcp, 1/tcp );
global gt2: table[port] of count = { [1/tcp] = 1, [2/tcp] = 2, [3/tcp] = 3 };
global gs2: set[port] = { 1/tcp, 2/tcp, 3/tcp };
global gv2: vector of port = { 1/tcp, 2/tcp, 3/tcp, 1/tcp };
local t1: table[port] of count = table( [1/tcp] = 1, [2/tcp] = 2, [3/tcp] = 3 );
local s1: set[port] = set( 1/tcp, 2/tcp, 3/tcp );
local v1: vector of port = vector( 1/tcp, 2/tcp, 3/tcp, 1/tcp );
local t2: table[port] of count = { [1/tcp] = 1, [2/tcp] = 2, [3/tcp] = 3 };
local s2: set[port] = { 1/tcp, 2/tcp, 3/tcp };
local v2: vector of port = { 1/tcp, 2/tcp, 3/tcp, 1/tcp };
print gt1;
print gt2;
print gs1;
print gs2;
print gv1;
print gv2;
print t1;
print t2;
print s1;
print s2;
print v1;
print v2;

39
testing/btest/language/func-assignment.bro Normal file
View file

@ -0,0 +1,39 @@
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
function double_string(s: string): string
{
return string_cat(s, " ", s);
}
function triple_string(str: string): string
{
return string_cat(str, " ", str, " ", str);
}
type sample_function: record {
s: string;
f: function(str: string): string;
};
event bro_init()
{
local test_sf: sample_function;
test_sf$s = "Brogrammers, like bowties, are cool.";
test_sf$f = triple_string;
print test_sf$f(test_sf$s);
test_sf$f = double_string;
print test_sf$f(test_sf$s);
# Works as expected
test_sf$f = function(str: string): string
{ return to_upper(str); };
print test_sf$f(test_sf$s);
# Func arg names shouldn't factor in to the type check.
test_sf$f = function(s: string): string
{ return to_upper(s); };
print test_sf$f(test_sf$s);
}

79
testing/btest/language/returnwhen.bro Normal file
View file

@ -0,0 +1,79 @@
# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
# @TEST-EXEC: btest-bg-wait 15
# @TEST-EXEC: btest-diff bro/.stdout
redef exit_only_after_terminate = T;
global my_set: set[string] = set();
global flag: string = "flag";
global done: bool = F;
function dummyfunc(s: string): string
{
return "dummy " + s;
}
function async_func(s: string): string
{
print dummyfunc("from async_func() " + s);
return when ( flag in my_set )
{
return flag + " in my_set";
}
timeout 3sec
{
return "timeout";
}
}
event set_flag()
{
add my_set[flag];
}
event do_another()
{
delete my_set[flag];
local local_dummy = dummyfunc;
local anon = function(s: string): string { return s + "!"; };
if ( ! done )
schedule 1sec { set_flag() };
when ( local result = async_func("from do_another()") )
{
print "async_func() return result in do_another()", result;
print local_dummy("from do_another() when block");
print anon("hi");
if ( result == "timeout" )
terminate();
else
{
done = T;
schedule 10msec { do_another() };
}
}
}
event bro_init()
{
local local_dummy = dummyfunc;
local anon = function(s: string): string { return s + "!"; };
schedule 1sec { set_flag() };
when ( local result = async_func("from bro_init()") )
{
print "async_func() return result in bro_init()", result;
print local_dummy("from bro_init() when block");
print anon("hi");
if ( result == "timeout" ) terminate();
schedule 10msec { do_another() };
}
}

1
testing/btest/scripts/base/frameworks/input/tableevent.bro
View file

@ -35,7 +35,6 @@ global destination: table[int] of Val = table();
event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: bool)
{
print outfile, description;
print outfile, tpe;
print outfile, left;
print outfile, right;

6
testing/btest/scripts/base/frameworks/notice/mail-alarms.bro
View file

@ -1,7 +1,11 @@
# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
# @TEST-EXEC: btest-diff alarm-mail.txt
redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 1 ] };
hook Notice::policy(n: Notice::Info) &priority=1
{
add n$actions[Notice::ACTION_ALARM];
}
redef Notice::force_email_summaries = T;
redef enum Notice::Type += {