Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/master' into topic/liangzhu/analyzer-ocsp

Browse source
This commit is contained in:
Liang Zhu 2015-08-18 16:00:59 -07:00
commit 12c68f197c
30 changed files with 255 additions and 252 deletions
Download patch file Download diff file Expand all files Collapse all files

15
testing/btest/Baseline/core.tunnels.false-teredo/weird.log
View file

@ -1,15 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2009-11-18-17-59-51
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1258567191.405770 - - - - - truncated_header_in_tunnel - F bro
1258578181.260420 - - - - - truncated_header_in_tunnel - F bro
1258579063.557927 - - - - - truncated_header_in_tunnel - F bro
1258581768.568451 - - - - - truncated_header_in_tunnel - F bro
1258584478.859853 - - - - - truncated_header_in_tunnel - F bro
1258600683.934458 - - - - - truncated_header_in_tunnel - F bro
#close 2009-11-19-03-18-03

10
testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log
View file

@ -1,10 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path known_services
#open 2014-04-01-22-57-25
#fields ts host port_num port_proto service
#types time addr port enum set[string]
1258567191.405770 192.168.1.1 53 udp TEREDO
#close 2014-04-01-22-57-25

16
testing/btest/Baseline/plugins.hooks/output
View file

@ -220,7 +220,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429655378.868621, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@ -326,7 +326,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429655378.868621, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@ -490,6 +490,7 @@
0.000000 MetaHookPost LoadFile(./top-k.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./topk) -> -1
0.000000 MetaHookPost LoadFile(./types.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./types.bro) -> -1
0.000000 MetaHookPost LoadFile(./unique) -> -1
0.000000 MetaHookPost LoadFile(./utils) -> -1
0.000000 MetaHookPost LoadFile(./utils-commands) -> -1
@ -509,6 +510,7 @@
0.000000 MetaHookPost LoadFile(.<...>/raw) -> -1
0.000000 MetaHookPost LoadFile(.<...>/sqlite) -> -1
0.000000 MetaHookPost LoadFile(<...>/__load__.bro) -> -1
0.000000 MetaHookPost LoadFile(<...>/__preload__.bro) -> -1
0.000000 MetaHookPost LoadFile(<...>/hooks.bro) -> -1
0.000000 MetaHookPost LoadFile(base/bif) -> -1
0.000000 MetaHookPost LoadFile(base/init-default.bro) -> -1
@ -810,7 +812,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1429655378.868621, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@ -916,7 +918,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1429655378.868621, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Notice::want_pp, <frame>, ())
0.000000 MetaHookPre CallFunction(PacketFilter::build, <frame>, ())
0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@ -1080,6 +1082,7 @@
0.000000 MetaHookPre LoadFile(./top-k.bif.bro)
0.000000 MetaHookPre LoadFile(./topk)
0.000000 MetaHookPre LoadFile(./types.bif.bro)
0.000000 MetaHookPre LoadFile(./types.bro)
0.000000 MetaHookPre LoadFile(./unique)
0.000000 MetaHookPre LoadFile(./utils)
0.000000 MetaHookPre LoadFile(./utils-commands)
@ -1099,6 +1102,7 @@
0.000000 MetaHookPre LoadFile(.<...>/raw)
0.000000 MetaHookPre LoadFile(.<...>/sqlite)
0.000000 MetaHookPre LoadFile(<...>/__load__.bro)
0.000000 MetaHookPre LoadFile(<...>/__preload__.bro)
0.000000 MetaHookPre LoadFile(<...>/hooks.bro)
0.000000 MetaHookPre LoadFile(base/bif)
0.000000 MetaHookPre LoadFile(base/init-default.bro)
@ -1399,7 +1403,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1429655378.868621, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@ -1505,7 +1509,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1429655378.868621, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1439244305.210087, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Notice::want_pp()
0.000000 | HookCallFunction PacketFilter::build()
0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )

2
testing/btest/broker/master_store.bro
View file

@ -1,6 +1,6 @@
# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
# @TEST-EXEC: btest-bg-run master "bro -b -r $TRACES/wikipedia.trace %INPUT >out"
# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out"
# @TEST-EXEC: btest-bg-wait 60
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out

3
testing/btest/core/tunnels/false-teredo.bro
View file

@ -1,9 +1,6 @@
# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap %INPUT >output
# @TEST-EXEC: test ! -e weird.log
# @TEST-EXEC: test ! -e dpd.log
# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap %INPUT Tunnel::yielding_teredo_decapsulation=F >output
# @TEST-EXEC: btest-diff weird.log
# @TEST-EXEC: test ! -e dpd.log
# In the first case, there isn't any weird or protocol violation logged
# since the teredo analyzer recognizes that the DNS analyzer has confirmed

4
testing/btest/core/tunnels/teredo-known-services.test
View file

@ -1,11 +1,7 @@
# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd base/protocols/tunnels protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}"
# @TEST-EXEC: test ! -e known_services.log
# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd base/protocols/tunnels protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}"
# @TEST-EXEC: btest-diff known_services.log
# The first case using Tunnel::delay_teredo_confirmation=T doesn't produce
# a known services.log since valid Teredo encapsulations from both endpoints
# of a connection is never witnessed and a protocol_confirmation never issued.
# The second case issues protocol_confirmations more hastily and so bogus
# entries in known-services.log are more likely to appear.