From 0cb2a90da4aa1de49e3881b9471e69f862d62038 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 31 Jan 2014 17:04:58 -0600 Subject: [PATCH] Add script to detect filtered TCP traces, addresses BIT-1119. If reading a trace file w/ only TCP control packets, a warning is emitted to suggest the 'detect_filtered_traces' option if the user doesn't desire Bro to report missing TCP segments for such a trace file. --- scripts/base/init-default.bro | 1 + scripts/base/misc/find-filtered-trace.bro | 49 ++++++++++++++++++ .../canonified_loaded_scripts.log | 5 +- .../out1 | 1 + .../out2 | 0 .../btest/Traces/http/bro.org-filtered.pcap | Bin 0 -> 3934 bytes .../base/misc/find-filtered-trace.test | 4 ++ 7 files changed, 58 insertions(+), 2 deletions(-) create mode 100644 scripts/base/misc/find-filtered-trace.bro create mode 100644 testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 create mode 100644 testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out2 create mode 100644 testing/btest/Traces/http/bro.org-filtered.pcap create mode 100644 testing/btest/scripts/base/misc/find-filtered-trace.test diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index d0120d930b..d87574f4e5 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -60,3 +60,4 @@ @load base/misc/find-checksum-offloading +@load base/misc/find-filtered-trace diff --git a/scripts/base/misc/find-filtered-trace.bro b/scripts/base/misc/find-filtered-trace.bro new file mode 100644 index 0000000000..a723b656a7 --- /dev/null +++ b/scripts/base/misc/find-filtered-trace.bro 
@@ -0,0 +1,49 @@
+##! Discovers trace files that contain TCP traffic consisting only of
+##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST
+##! packets and no content). On finding such a trace, a warning is
+##! emitted that suggests toggling the :bro:see:`detect_filtered_trace`
+##! option may be desired if the user does not want Bro to report
+##! missing TCP segments.
+
+module FilteredTraceDetection;
+
+export {
+
+ ## Flag to enable filtered trace file detection and warning message.
+ global enable: bool = T &redef;
+}
+
+global saw_tcp_conn_with_data: bool = F;
+global saw_a_tcp_conn: bool = F;
+
+event connection_state_remove(c: connection)
+ {
+ if ( ! reading_traces() )
+ return;
+
+ if ( ! enable )
+ return;
+
+ if ( saw_tcp_conn_with_data )
+ return;
+
+ if ( ! is_tcp_port(c$id$orig_p) )
+ return;
+
+ saw_a_tcp_conn = T;
+
+ if ( /[Dd]/ in c$history )
+ saw_tcp_conn_with_data = T;
+ }
+
+event bro_done()
+ {
+ if ( ! enable )
+ return;
+
+ if ( ! saw_a_tcp_conn )
+ return;
+
+ if ( ! saw_tcp_conn_with_data )
+ Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
+ }
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 90145d94fb..76b3f3a596 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field (empty)
 #unset_field -
 #path loaded_scripts
-#open 2013-10-30-16-52-28
+#open 2014-01-31-22-54-38
 #fields name
 #types string
 scripts/base/init-bare.bro
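Review bot: The warning emitted in `bro_done` also covers traces whose TCP connections simply never carried payload, because `saw_tcp_conn_with_data` is set only when `/[Dd]/` appears in `c$history` inside `connection_state_remove`; a capture made up of connection attempts that were refused or never completed would be reported as looking pre-filtered. The `##!` header should state that, e.g. `##! Note that a trace whose TCP connections never exchanged any payload (e.g. only connection attempts) will also trigger this warning.` Separately, the header and the `Reporter::warning` text name the option `detect_filtered_trace` while the commit message calls it `detect_filtered_traces`; since the out1 baseline pins the message text, the name should be checked against the option's actual declaration before merging.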
@@ -220,5 +220,6 @@ scripts/base/init-default.bro
 scripts/base/files/unified2/__load__.bro
 scripts/base/files/unified2/main.bro
 scripts/base/misc/find-checksum-offloading.bro
+ scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close 2013-10-30-16-52-28
+#close 2014-01-31-22-54-38
diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
new file mode 100644
index 0000000000..c2f791ba82
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
@@ -0,0 +1 @@
+1389719059.311687 warning in /Users/jsiwek/Projects/bro/bro/scripts/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out2 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out2
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Traces/http/bro.org-filtered.pcap b/testing/btest/Traces/http/bro.org-filtered.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b25905079eec524262b750a53c96cf96364a9f72 GIT binary patch literal 3934 zcmaLae@vBC7zgn4z91k!#<*%KBwB%7`LR$EBWbd?G}Dpqzzy*-b89U_Cz?RTDsH%G zh-q$2Oq)YV1*J?-DKVq50e`s65rYuatZ>-GG}=rgdcNoMo(^00-0d=W|M=YRdCqg5 zbNQjQ;gHGvne!SOW6YpGjE!Ac=id)y%jkE!vsNRhwx+k&75J{U@CEH-m!N%%5M!bHmRs5c2+pFqTe#<1I|b zCpj@^n2~%S5Gr(LcgIVhUW{Jev;K1Ark(7%IMulS(ztOx|!X%adaBe zAmvEGxRh0Rj+Bt^P1earmO&0XB;`5GZa0?nJMx98zU5f@eBYH_`XuE1^HPpyc3sPf zCPyxQXPmrG%{(|=C#MWRE}bCd1ZKCCeE*&!Kl8x1d|-x74p;}deyfy|m|fxe^>;^J zJ>*-?U0`UsVHJIDM!^27N;f1~jq?oB@1h&B!-Y&gY0tX#Ry4Qz6)V9yooG-EN@1l% zsuoMr=9 za3+Ff=khbr*+$v6+Y!}$>ykvGXD92FrO!jjZcDE(TkmqK zOtIpulY9LJM=uq_y6}o>ZNF}4DjnU6)m6sI)nOJ>Cd#&g=ZY7rvwzYlG4)V(WlM$M zJC}+n747{gZ|Du7JPh{Jb+(tUt5jJRow)lW?M7w=vheZDmxdbEh4^XKb!0sfg;mN# z{3gh(Anze|?d1(3(eZ`q zK;LUk^px?nzOAg)wz}3Dq!(f$Bp-ApLKs1bNIc9l+mGT z$|0|l5^~vPog5kq`DmMzS24TQb>kQW$Wf1vlW9$2{g5wr>g0|skZ-*yZOE}VVW zk=-;+{`;mfG)}JX(#d6YkdrMbuV(gh)f@QvLgt8n?_1OoEtiS4eFVBu%`4mRyft(yD!A|KDs@haVtx)XkO$;d7E#Vn2ie?(Gz&V+WT>c zW;TX*Wl&Gl#LI5uQ|+cn-lKLzX6+DtgP26h2>lo0`;P881Eu#xsfg1sk5)*D(t?I} z3uXUdol%LU zMNGR|>T#~zZxYJIPj$+`LMRtor6SI9Gj$PHUOOw4nifqTx;;INl&UyoztM*#_2GH! zcQwCju;17z<6EuuBe!NN7W&YnK1_j?R0RhwSjl>;ms_!lg|lYTSxbVIa$HEl^60HA o+=@{w%oCI5Ngb@Y->BAhy+vn<>h*+TVV;;YPyT?l*yULN0OWAI4*&oF literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/misc/find-filtered-trace.test b/testing/btest/scripts/base/misc/find-filtered-trace.test new file mode 100644 index 0000000000..05b603ac92 --- /dev/null +++ b/testing/btest/scripts/base/misc/find-filtered-trace.test @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -r $TRACES/http/bro.org-filtered.pcap >out1 2>&1 +# @TEST-EXEC: bro -r $TRACES/http/bro.org-filtered.pcap "FilteredTraceDetection::enable=F" >out2 2>&1 +# @TEST-EXEC: TEST_DIFF_CANOIFIER=$SCRIPTS/diff-remove-abspath btest-diff out1 +# @TEST-EXEC: btest-diff out2
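Review bot: `TEST_DIFF_CANOIFIER` on the third `@TEST-EXEC` line of find-filtered-trace.test looks like a typo for btest's `TEST_DIFF_CANONIFIER`; if so, the variable is set but never read and `diff-remove-abspath` is not applied to out1. The out1 baseline added by this commit contains the absolute path `/Users/jsiwek/Projects/bro/bro/scripts/base/misc/find-filtered-trace.bro`, so without the canonifier the comparison would fail on any other checkout. The line should read `# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out1`.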