mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 18:18:19 +00:00
Merge remote-tracking branch 'origin/master' into topic/johanna/ssl_signature_details
This commit is contained in:
Johanna Amann
commit
141394ac9b
137 changed files with 2701 additions and 2069 deletions
94
CHANGES
94
CHANGES
|
|
@ -1,4 +1,96 @@
|
|||
|
||||
2.5-392 | 2018-01-19 11:39:34 -0600
|
||||
|
||||
* Make nearly all bool conversion operators explicit. (Corelight)
|
||||
|
||||
2.5-390 | 2018-01-17 16:09:55 -0600
|
||||
|
||||
* Logging: implement get_filter_names and small fixes.
|
||||
|
||||
get_filter_names(id: ID) : set[string] returns the names of the current
|
||||
list of filters for a specified log stream.
|
||||
|
||||
Furthermore this commit makes a number of logging functions more robust
|
||||
by checking existence of values before trying to modify them. This
|
||||
commit also really implements (and tests) the enable_stream function.
|
||||
(Corelight)
|
||||
|
||||
2.5-388 | 2018-01-16 15:35:21 -0600
|
||||
|
||||
* HTTP: Recognize and skip upgrade/websocket connections.
|
||||
|
||||
This patches the HTTP analyzerto recognize when a connections is upgraded
|
||||
to a different protocol (e.g. client uses the Upgrade header and gets a
|
||||
101 reply). In this case, the analyzer stops further processing (which
|
||||
would have resulted in DPD errors) and raises a new event:
|
||||
|
||||
event http_connection_upgrade(c: connection, protocol: string);
|
||||
|
||||
The protocol parameter contains the name of the protocol that is being
|
||||
upgraded to, as specified in one of the header values. (Johanna Amann)
|
||||
|
||||
2.5-385 | 2018-01-16 14:51:07 -0600
|
||||
|
||||
* Make tunnel_parents in conn.log optional.
|
||||
|
||||
This makes conn.logs a bit prettier (and smaller) because all lines tha
|
||||
do not use a tunnel will now have a "-" instead of the "(empty)" for
|
||||
tunnel_parents. (Johanna Amann)
|
||||
|
||||
* Correct include-path in x509Common.h (Johanna Amann)
|
||||
|
||||
2.5-381 | 2018-01-12 10:03:21 -0800
|
||||
|
||||
* Preallocate all possible PortVals, mark PortVal ctors deprecated.
|
||||
|
||||
The performance benefit is small (maybe ~1% at most), however, it's a
|
||||
trivial change without downsides. (Jon Siwek)
|
||||
|
||||
* Add BRO_DEPRECATED macro. (Jon Siwek)
|
||||
|
||||
* Add functions for retrieving files by their id.
|
||||
|
||||
There are two new script level functions to query and lookup files
|
||||
from the core by their IDs. These are adding feature parity for
|
||||
similarly named functions for files. The function prototypes are
|
||||
as follows:
|
||||
|
||||
Files::file_exists(fuid: string): bool
|
||||
Files::lookup_File(fuid: string): fa_file (Seth Hall)
|
||||
|
||||
2.5-375 | 2018-01-11 11:47:01 -0600
|
||||
|
||||
* Fix a test that fails in some environments (Daniel Thayer)
|
||||
|
||||
* Add CVE ID for BIT-1856. (Johanna Amann)
|
||||
|
||||
2.5-372 | 2017-12-15 15:08:51 -0600
|
||||
|
||||
* Remove some DNS weirds that caused volume and are generally not useful:
|
||||
dns_unmatched_msg, dns_unmatched_msg_quantity, dns_unmatched_reply.
|
||||
(Corelight)
|
||||
|
||||
2.5-369 | 2017-12-13 14:22:47 -0600
|
||||
|
||||
* Fix typo in analyzer::Manager API docs (Corelight)
|
||||
|
||||
2.5-368 | 2017-12-08 13:09:25 -0600
|
||||
|
||||
* Improve for-loop iteration performance over empty tables. (Justin Azoff)
|
||||
|
||||
* Fix gcc7 warnings. (Johanna Amann)
|
||||
|
||||
2.5-363 | 2017-12-05 11:00:09 -0600
|
||||
|
||||
* Fix documentation for ReassemblerStats. (Corelight)
|
||||
|
||||
2.5-362 | 2017-12-02 09:45:04 -0600
|
||||
|
||||
* BIT-1791: Do not log SOCKS passwords by default and add
|
||||
SOCKS::default_capture_password option. (Johanna Amann)
|
||||
|
||||
* Add missing ; in SSL binpac parser, found by Luke Valenta. (Johanna Amann)
|
||||
|
||||
2.5-359 | 2017-11-29 14:01:37 -0600
|
||||
|
||||
* Add --ccache option to configure script (requires CMake 3.10+). (Corelight)
|
||||
|
|
@ -74,7 +166,7 @@
|
|||
* Patch OOB write in content-line analyzer.
|
||||
|
||||
A combination of packets can trigger an out of bound write of '0' byte
|
||||
in the content-line analyzer. Addresses BIT-1856.
|
||||
in the content-line analyzer. Addresses BIT-1856 / CVE-2017-1000458.
|
||||
(Frank Meier/Johanna Amann)
|
||||
|
||||
2.5-327 | 2017-10-16 12:21:01 -0700
|
||||
|
|
|
|||
24
NEWS
24
NEWS
|
|
@ -36,6 +36,15 @@ New Functionality
|
|||
Since ssl_ecdh_server_params contains more information than the old
|
||||
ssl_server_curve event, ssl_server_curve is now marked as deprecated.
|
||||
|
||||
- Functions for retrieving files by their ID have been added:
|
||||
|
||||
Files::file_exists, Files::lookup_File
|
||||
|
||||
- New functions in the logging API: Log::get_filter_names, Log::enable_stream
|
||||
|
||||
- HTTP now recognizes and skips upgraded/websocket connections. A new event,
|
||||
http_connection_upgrade, is raised in such cases.
|
||||
|
||||
Changed Functionality
|
||||
---------------------
|
||||
|
||||
|
|
@ -48,6 +57,21 @@ Changed Functionality
|
|||
event is considered deprecated and will be removed in a future
|
||||
version of Bro.
|
||||
|
||||
- The Socks analyzer no longer logs passwords by default. This
|
||||
brings its behavior in line with the FTP/HTTP analyzers which also
|
||||
do not log passwords by default.
|
||||
|
||||
To restore the previous behavior and log Socks passwords, use:
|
||||
|
||||
redef SOCKS::default_capture_password = T;
|
||||
|
||||
- The DNS base scripts no longer generate some noisy and annoying
|
||||
weirds (dns_unmatched_msg, dns_unmatched_msg_quantity, dns_unmatched_reply)
|
||||
|
||||
- The 'tunnel_parents' field of conn.log is now marked &optional, so, for
|
||||
the default configuration of logs, this field will show "-" instead of
|
||||
"(empty)" for connections that lack any tunelling.
|
||||
|
||||
Removed Functionality
|
||||
---------------------
|
||||
|
||||
|
|
|
|||
2
VERSION
2
VERSION
|
|
@ -1 +1 @@
|
|||
2.5-359
|
||||
2.5-392
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
Subproject commit 53bf0578a4ead2dcf6c488b610644451584d46e5
|
||||
Subproject commit c88ccbeb5902554f231443552b9648cff8b3fa70
|
||||
|
|
@ -1 +1 @@
|
|||
Subproject commit a075a80639b7d543b55cc31191965eb1364e3623
|
||||
Subproject commit 5a12aac3e83a9883c390c5e4cded99cc1108ac5d
|
||||
|
|
@ -1 +1 @@
|
|||
Subproject commit b3a5742b6b04acdd851dba4e08723a568c4aa755
|
||||
Subproject commit 28196a00da17847fbf4e6fd642b35d0daf653008
|
||||
|
|
@ -135,6 +135,20 @@ export {
|
|||
## The default per-file reassembly buffer size.
|
||||
const reassembly_buffer_size = 524288 &redef;
|
||||
|
||||
## Lookup to see if a particular file id exists and is still valid.
|
||||
##
|
||||
## fuid: the file id.
|
||||
##
|
||||
## Returns: T if the file uid is known.
|
||||
global file_exists: function(fuid: string): bool;
|
||||
|
||||
## Lookup an :bro:see:`fa_file` record with the file id.
|
||||
##
|
||||
## fuid: the file id.
|
||||
##
|
||||
## Returns: the associated :bro:see:`fa_file` record.
|
||||
global lookup_file: function(fuid: string): fa_file;
|
||||
|
||||
## Allows the file reassembler to be used if it's necessary because the
|
||||
## file is transferred out of order.
|
||||
##
|
||||
|
|
@ -338,6 +352,16 @@ function set_info(f: fa_file)
|
|||
f$info$is_orig = f$is_orig;
|
||||
}
|
||||
|
||||
function file_exists(fuid: string): bool
|
||||
{
|
||||
return __file_exists(fuid);
|
||||
}
|
||||
|
||||
function lookup_file(fuid: string): fa_file
|
||||
{
|
||||
return __lookup_file(fuid);
|
||||
}
|
||||
|
||||
function set_timeout_interval(f: fa_file, t: interval): bool
|
||||
{
|
||||
return __set_timeout_interval(f$id, t);
|
||||
|
|
|
|||
|
|
@ -300,7 +300,7 @@ export {
|
|||
## the correct type.
|
||||
##
|
||||
## .. bro:see:: Log::remove_filter Log::add_default_filter
|
||||
## Log::remove_default_filter
|
||||
## Log::remove_default_filter Log::get_filter Log::get_filter_names
|
||||
global add_filter: function(id: ID, filter: Filter) : bool;
|
||||
|
||||
## Removes a filter from an existing logging stream.
|
||||
|
|
@ -315,9 +315,21 @@ export {
|
|||
## if no filter associated with *name* was found.
|
||||
##
|
||||
## .. bro:see:: Log::remove_filter Log::add_default_filter
|
||||
## Log::remove_default_filter
|
||||
## Log::remove_default_filter Log::get_filter Log::get_filter_names
|
||||
global remove_filter: function(id: ID, name: string) : bool;
|
||||
|
||||
## Gets the names of all filters associated with an existing
|
||||
## logging stream.
|
||||
##
|
||||
## id: The ID of a logging stream from which to obtain the list
|
||||
## of filter names.
|
||||
##
|
||||
## Returns: The set of filter names associated with the stream.
|
||||
##
|
||||
## ..bro:see:: Log::remove_filter Log::add_default_filter
|
||||
## Log::remove_default_filter Log::get_filter
|
||||
global get_filter_names: function(id: ID) : set[string];
|
||||
|
||||
## Gets a filter associated with an existing logging stream.
|
||||
##
|
||||
## id: The ID associated with a logging stream from which to
|
||||
|
|
@ -331,7 +343,7 @@ export {
|
|||
## :bro:id:`Log::no_filter` sentinel value.
|
||||
##
|
||||
## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter
|
||||
## Log::remove_default_filter
|
||||
## Log::remove_default_filter Log::get_filter_names
|
||||
global get_filter: function(id: ID, name: string) : Filter;
|
||||
|
||||
## Writes a new log line/entry to a logging stream.
|
||||
|
|
@ -432,6 +444,8 @@ export {
|
|||
|
||||
global all_streams: table[ID] of Stream = table();
|
||||
|
||||
global stream_filters: table[ID] of set[string] = table();
|
||||
|
||||
# We keep a script-level copy of all filters so that we can manipulate them.
|
||||
global filters: table[ID, string] of Filter;
|
||||
|
||||
|
|
@ -525,16 +539,41 @@ function remove_stream(id: ID) : bool
|
|||
{
|
||||
delete active_streams[id];
|
||||
delete all_streams[id];
|
||||
|
||||
if ( id in stream_filters )
|
||||
{
|
||||
for ( i in stream_filters[id] )
|
||||
delete filters[id, i];
|
||||
|
||||
delete stream_filters[id];
|
||||
}
|
||||
return __remove_stream(id);
|
||||
}
|
||||
|
||||
function disable_stream(id: ID) : bool
|
||||
{
|
||||
delete active_streams[id];
|
||||
|
||||
return __disable_stream(id);
|
||||
}
|
||||
|
||||
function enable_stream(id: ID) : bool
|
||||
{
|
||||
if ( ! __enable_stream(id) )
|
||||
return F;
|
||||
|
||||
if ( id in all_streams )
|
||||
active_streams[id] = all_streams[id];
|
||||
}
|
||||
|
||||
# convenience function to add a filter name to stream_filters
|
||||
function add_stream_filters(id: ID, name: string)
|
||||
{
|
||||
if ( id in stream_filters )
|
||||
add stream_filters[id][name];
|
||||
else
|
||||
stream_filters[id] = set(name);
|
||||
}
|
||||
|
||||
function add_filter(id: ID, filter: Filter) : bool
|
||||
{
|
||||
local stream = all_streams[id];
|
||||
|
|
@ -545,13 +584,22 @@ function add_filter(id: ID, filter: Filter) : bool
|
|||
if ( ! filter?$path && ! filter?$path_func )
|
||||
filter$path_func = default_path_func;
|
||||
|
||||
filters[id, filter$name] = filter;
|
||||
return __add_filter(id, filter);
|
||||
local res = __add_filter(id, filter);
|
||||
if ( res )
|
||||
{
|
||||
add_stream_filters(id, filter$name);
|
||||
filters[id, filter$name] = filter;
|
||||
}
|
||||
return res;
|
||||
}
|
||||
|
||||
function remove_filter(id: ID, name: string) : bool
|
||||
{
|
||||
if ( id in stream_filters )
|
||||
delete stream_filters[id][name];
|
||||
|
||||
delete filters[id, name];
|
||||
|
||||
return __remove_filter(id, name);
|
||||
}
|
||||
|
||||
|
|
@ -563,6 +611,14 @@ function get_filter(id: ID, name: string) : Filter
|
|||
return no_filter;
|
||||
}
|
||||
|
||||
function get_filter_names(id: ID) : set[string]
|
||||
{
|
||||
if ( id in stream_filters )
|
||||
return stream_filters[id];
|
||||
else
|
||||
return set();
|
||||
}
|
||||
|
||||
function write(id: ID, columns: any) : bool
|
||||
{
|
||||
return __write(id, columns);
|
||||
|
|
|
|||
|
|
@ -531,7 +531,7 @@ type EventStats: record {
|
|||
dispatched: count; ##< Total number of events dispatched so far.
|
||||
};
|
||||
|
||||
## Summary statistics of all regular expression matchers.
|
||||
## Holds statistics for all types of reassembly.
|
||||
##
|
||||
## .. bro:see:: get_reassembler_stats
|
||||
type ReassemblerStats: record {
|
||||
|
|
|
|||
|
|
@ -116,7 +116,7 @@ export {
|
|||
## If this connection was over a tunnel, indicate the
|
||||
## *uid* values for any encapsulating parent connections
|
||||
## used over the lifetime of this inner connection.
|
||||
tunnel_parents: set[string] &log;
|
||||
tunnel_parents: set[string] &log &optional;
|
||||
};
|
||||
|
||||
## Event that can be handled to access the :bro:type:`Conn::Info`
|
||||
|
|
@ -207,7 +207,11 @@ function set_conn(c: connection, eoc: bool)
|
|||
c$conn$uid=c$uid;
|
||||
c$conn$id=c$id;
|
||||
if ( c?$tunnel && |c$tunnel| > 0 )
|
||||
{
|
||||
if ( ! c$conn?$tunnel_parents )
|
||||
c$conn$tunnel_parents = set();
|
||||
add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
|
||||
}
|
||||
c$conn$proto=get_port_transport_proto(c$id$resp_p);
|
||||
if( |Site::local_nets| > 0 )
|
||||
{
|
||||
|
|
@ -253,7 +257,11 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
|
|||
{
|
||||
set_conn(c, F);
|
||||
if ( |e| > 0 )
|
||||
{
|
||||
if ( ! c$conn?$tunnel_parents )
|
||||
c$conn$tunnel_parents = set();
|
||||
add c$conn$tunnel_parents[e[|e|-1]$uid];
|
||||
}
|
||||
c$tunnel = e;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
##! their responses.
|
||||
|
||||
@load base/utils/queue
|
||||
@load base/frameworks/notice/weird
|
||||
@load ./consts
|
||||
|
||||
module DNS;
|
||||
|
|
@ -177,9 +176,6 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
|
|||
|
||||
for ( i in infos )
|
||||
{
|
||||
local wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=infos[i]$uid,
|
||||
$id=infos[i]$id);
|
||||
Weird::weird(wi);
|
||||
Log::write(DNS::LOG, infos[i]);
|
||||
}
|
||||
}
|
||||
|
|
@ -187,21 +183,19 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
|
|||
function log_unmatched_msgs(msgs: PendingMessages)
|
||||
{
|
||||
for ( trans_id in msgs )
|
||||
{
|
||||
log_unmatched_msgs_queue(msgs[trans_id]);
|
||||
}
|
||||
|
||||
clear_table(msgs);
|
||||
}
|
||||
|
||||
function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
|
||||
{
|
||||
local wi: Weird::Info;
|
||||
if ( id !in msgs )
|
||||
{
|
||||
if ( |msgs| > max_pending_query_ids )
|
||||
{
|
||||
wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=msg$uid,
|
||||
$id=msg$id);
|
||||
Weird::weird(wi);
|
||||
# Throw away all unmatched on assumption they'll never be matched.
|
||||
log_unmatched_msgs(msgs);
|
||||
}
|
||||
|
|
@ -212,9 +206,6 @@ function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
|
|||
{
|
||||
if ( Queue::len(msgs[id]) > max_pending_msgs )
|
||||
{
|
||||
wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg_quantity", $uid=msg$uid,
|
||||
$id=msg$id);
|
||||
Weird::weird(wi);
|
||||
log_unmatched_msgs_queue(msgs[id]);
|
||||
# Throw away all unmatched on assumption they'll never be matched.
|
||||
msgs[id] = Queue::init();
|
||||
|
|
@ -271,7 +262,6 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
|
|||
# Create a new DNS session and put it in the reply queue so
|
||||
# we can wait for a matching query.
|
||||
c$dns = new_session(c, msg$id);
|
||||
event conn_weird("dns_unmatched_reply", c, "");
|
||||
enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,32 +6,37 @@ module SOCKS;
|
|||
export {
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
## Whether passwords are captured or not.
|
||||
const default_capture_password = F &redef;
|
||||
|
||||
## The record type which contains the fields of the SOCKS log.
|
||||
type Info: record {
|
||||
## Time when the proxy connection was first detected.
|
||||
ts: time &log;
|
||||
ts: time &log;
|
||||
## Unique ID for the tunnel - may correspond to connection uid
|
||||
## or be non-existent.
|
||||
uid: string &log;
|
||||
uid: string &log;
|
||||
## The connection's 4-tuple of endpoint addresses/ports.
|
||||
id: conn_id &log;
|
||||
id: conn_id &log;
|
||||
## Protocol version of SOCKS.
|
||||
version: count &log;
|
||||
version: count &log;
|
||||
## Username used to request a login to the proxy.
|
||||
user: string &log &optional;
|
||||
user: string &log &optional;
|
||||
## Password used to request a login to the proxy.
|
||||
password: string &log &optional;
|
||||
password: string &log &optional;
|
||||
## Server status for the attempt at using the proxy.
|
||||
status: string &log &optional;
|
||||
status: string &log &optional;
|
||||
## Client requested SOCKS address. Could be an address, a name
|
||||
## or both.
|
||||
request: SOCKS::Address &log &optional;
|
||||
request: SOCKS::Address &log &optional;
|
||||
## Client requested port.
|
||||
request_p: port &log &optional;
|
||||
request_p: port &log &optional;
|
||||
## Server bound address. Could be an address, a name or both.
|
||||
bound: SOCKS::Address &log &optional;
|
||||
bound: SOCKS::Address &log &optional;
|
||||
## Server bound port.
|
||||
bound_p: port &log &optional;
|
||||
bound_p: port &log &optional;
|
||||
## Determines if the password will be captured for this request.
|
||||
capture_password: bool &default=default_capture_password;
|
||||
};
|
||||
|
||||
## Event that can be handled to access the SOCKS
|
||||
|
|
@ -93,7 +98,9 @@ event socks_login_userpass_request(c: connection, user: string, password: string
|
|||
set_session(c, 5);
|
||||
|
||||
c$socks$user = user;
|
||||
c$socks$password = password;
|
||||
|
||||
if ( c$socks$capture_password )
|
||||
c$socks$password = password;
|
||||
}
|
||||
|
||||
event socks_login_userpass_reply(c: connection, code: count) &priority=5
|
||||
|
|
|
|||
|
|
@ -82,7 +82,8 @@ int AnonymizeIPAddr::PreserveNet(ipaddr32_t input)
|
|||
|
||||
ipaddr32_t AnonymizeIPAddr_Seq::anonymize(ipaddr32_t /* input */)
|
||||
{
|
||||
return htonl(seq++);
|
||||
++seq;
|
||||
return htonl(seq);
|
||||
}
|
||||
|
||||
ipaddr32_t AnonymizeIPAddr_RandomMD5::anonymize(ipaddr32_t input)
|
||||
|
|
|
|||
|
|
@ -703,7 +703,7 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
|
|||
break;
|
||||
|
||||
case TYPE_PORT:
|
||||
pval = new PortVal(*kp);
|
||||
pval = port_mgr->Get(*kp);
|
||||
break;
|
||||
|
||||
default:
|
||||
|
|
|
|||
|
|
@ -364,9 +364,9 @@ RecordVal* Connection::BuildConnVal()
|
|||
|
||||
RecordVal* id_val = new RecordVal(conn_id);
|
||||
id_val->Assign(0, new AddrVal(orig_addr));
|
||||
id_val->Assign(1, new PortVal(ntohs(orig_port), prot_type));
|
||||
id_val->Assign(1, port_mgr->Get(ntohs(orig_port), prot_type));
|
||||
id_val->Assign(2, new AddrVal(resp_addr));
|
||||
id_val->Assign(3, new PortVal(ntohs(resp_port), prot_type));
|
||||
id_val->Assign(3, port_mgr->Get(ntohs(resp_port), prot_type));
|
||||
|
||||
RecordVal *orig_endp = new RecordVal(endpoint);
|
||||
orig_endp->Assign(0, new Val(0, TYPE_COUNT));
|
||||
|
|
|
|||
|
|
@ -166,7 +166,7 @@ RecordVal* EventMgr::GetLocalPeerVal()
|
|||
src_val = new RecordVal(peer);
|
||||
src_val->Assign(0, new Val(0, TYPE_COUNT));
|
||||
src_val->Assign(1, new AddrVal("127.0.0.1"));
|
||||
src_val->Assign(2, new PortVal(0));
|
||||
src_val->Assign(2, port_mgr->Get(0));
|
||||
src_val->Assign(3, new Val(true, TYPE_BOOL));
|
||||
|
||||
Ref(peer_description);
|
||||
|
|
|
|||
|
|
@ -102,7 +102,7 @@ public:
|
|||
|
||||
EventHandler* Ptr() { return handler; }
|
||||
|
||||
operator bool() const { return handler && *handler; }
|
||||
explicit operator bool() const { return handler && *handler; }
|
||||
EventHandler* operator->() { return handler; }
|
||||
const EventHandler* operator->() const { return handler; }
|
||||
|
||||
|
|
|
|||
|
|
@ -370,8 +370,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
|
|||
int tcp_hdr_len = tp->th_off * 4;
|
||||
int data_len = PayloadLen() - tcp_hdr_len;
|
||||
|
||||
tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
|
||||
tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
|
||||
tcp_hdr->Assign(0, port_mgr->Get(ntohs(tp->th_sport), TRANSPORT_TCP));
|
||||
tcp_hdr->Assign(1, port_mgr->Get(ntohs(tp->th_dport), TRANSPORT_TCP));
|
||||
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
|
||||
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
|
||||
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
|
||||
|
|
@ -388,8 +388,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
|
|||
const struct udphdr* up = (const struct udphdr*) data;
|
||||
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
|
||||
|
||||
udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
|
||||
udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
|
||||
udp_hdr->Assign(0, port_mgr->Get(ntohs(up->uh_sport), TRANSPORT_UDP));
|
||||
udp_hdr->Assign(1, port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP));
|
||||
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
|
||||
|
||||
pkt_hdr->Assign(sindex + 3, udp_hdr);
|
||||
|
|
|
|||
|
|
@ -191,7 +191,7 @@ void PersistenceSerializer::RaiseFinishedSendState()
|
|||
{
|
||||
val_list* vl = new val_list;
|
||||
vl->append(new AddrVal(htonl(remote_host)));
|
||||
vl->append(new PortVal(remote_port));
|
||||
vl->append(port_mgr->Get(remote_port));
|
||||
|
||||
mgr.QueueEvent(finished_send_state, vl);
|
||||
reporter->Log("Serialization done.");
|
||||
|
|
|
|||
|
|
@ -1809,7 +1809,7 @@ RecordVal* RemoteSerializer::MakePeerVal(Peer* peer)
|
|||
v->Assign(0, new Val(uint32(peer->id), TYPE_COUNT));
|
||||
// Sic! Network order for AddrVal, host order for PortVal.
|
||||
v->Assign(1, new AddrVal(peer->ip));
|
||||
v->Assign(2, new PortVal(peer->port, TRANSPORT_TCP));
|
||||
v->Assign(2, port_mgr->Get(peer->port, TRANSPORT_TCP));
|
||||
v->Assign(3, new Val(false, TYPE_BOOL));
|
||||
v->Assign(4, new StringVal("")); // set when received
|
||||
v->Assign(5, peer->peer_class.size() ?
|
||||
|
|
|
|||
|
|
@ -339,7 +339,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
|
|||
|
||||
// For both of these it is safe to pass ip_hdr because the presence
|
||||
// is guaranteed for the functions that pass data to us.
|
||||
int ip_hdr_len = ip_hdr->HdrLen();
|
||||
uint16 ip_hdr_len = ip_hdr->HdrLen();
|
||||
if ( ip_hdr_len > len )
|
||||
{
|
||||
Weird("invalid_IP_header_size", ip_hdr, encapsulation);
|
||||
|
|
|
|||
|
|
@ -1293,6 +1293,9 @@ Val* ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
|
|||
TableVal* tv = v->AsTableVal();
|
||||
const PDict(TableEntryVal)* loop_vals = tv->AsTable();
|
||||
|
||||
if ( ! loop_vals->Length() )
|
||||
return 0;
|
||||
|
||||
HashKey* k;
|
||||
IterCookie* c = loop_vals->InitForIteration();
|
||||
while ( loop_vals->NextEntry(k, c) )
|
||||
|
|
|
|||
|
|
@ -22,9 +22,9 @@ RecordVal* EncapsulatingConn::GetRecordVal() const
|
|||
|
||||
RecordVal* id_val = new RecordVal(conn_id);
|
||||
id_val->Assign(0, new AddrVal(src_addr));
|
||||
id_val->Assign(1, new PortVal(ntohs(src_port), proto));
|
||||
id_val->Assign(1, port_mgr->Get(ntohs(src_port), proto));
|
||||
id_val->Assign(2, new AddrVal(dst_addr));
|
||||
id_val->Assign(3, new PortVal(ntohs(dst_port), proto));
|
||||
id_val->Assign(3, port_mgr->Get(ntohs(dst_port), proto));
|
||||
rv->Assign(0, id_val);
|
||||
rv->Assign(1, new EnumVal(type, BifType::Enum::Tunnel::Type));
|
||||
|
||||
|
|
|
|||
|
|
@ -545,7 +545,7 @@ bool IndexType::DoUnserialize(UnserialInfo* info)
|
|||
DO_UNSERIALIZE(BroType);
|
||||
|
||||
UNSERIALIZE_OPTIONAL(yield_type, BroType::Unserialize(info));
|
||||
indices = (TypeList*) BroType::Unserialize(info, TYPE_LIST);
|
||||
indices = (TypeList*) BroType::Unserialize(info);
|
||||
return indices != 0;
|
||||
}
|
||||
|
||||
|
|
@ -865,11 +865,11 @@ bool FuncType::DoUnserialize(UnserialInfo* info)
|
|||
|
||||
UNSERIALIZE_OPTIONAL(yield, BroType::Unserialize(info));
|
||||
|
||||
args = (RecordType*) BroType::Unserialize(info, TYPE_RECORD);
|
||||
args = (RecordType*) BroType::Unserialize(info);
|
||||
if ( ! args )
|
||||
return false;
|
||||
|
||||
arg_types = (TypeList*) BroType::Unserialize(info, TYPE_LIST);
|
||||
arg_types = (TypeList*) BroType::Unserialize(info);
|
||||
if ( ! arg_types )
|
||||
return false;
|
||||
|
||||
|
|
|
|||
|
|
@ -59,9 +59,8 @@ public:
|
|||
/**
|
||||
* @return false if the UID instance was created via the default ctor
|
||||
* and not yet initialized w/ Set().
|
||||
* TODO: this would be better as an "explicit" conversion operator (C++11)
|
||||
*/
|
||||
operator bool() const
|
||||
explicit operator bool() const
|
||||
{ return initialized; }
|
||||
|
||||
/**
|
||||
|
|
|
|||
74
src/Val.cc
74
src/Val.cc
|
|
@ -760,34 +760,92 @@ bool IntervalVal::DoUnserialize(UnserialInfo* info)
|
|||
return true;
|
||||
}
|
||||
|
||||
PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT)
|
||||
PortManager::PortManager()
|
||||
{
|
||||
for ( auto i = 0u; i < ports.size(); ++i )
|
||||
{
|
||||
auto& arr = ports[i];
|
||||
auto port_type = (TransportProto)i;
|
||||
|
||||
for ( auto j = 0u; j < arr.size(); ++j )
|
||||
arr[j] = new PortVal(Mask(j, port_type), true);
|
||||
}
|
||||
}
|
||||
|
||||
PortManager::~PortManager()
|
||||
{
|
||||
for ( auto& arr : ports )
|
||||
for ( auto& pv : arr )
|
||||
Unref(pv);
|
||||
}
|
||||
|
||||
PortVal* PortManager::Get(uint32 port_num) const
|
||||
{
|
||||
auto mask = port_num & PORT_SPACE_MASK;
|
||||
port_num &= ~PORT_SPACE_MASK;
|
||||
|
||||
if ( mask == TCP_PORT_MASK )
|
||||
return Get(port_num, TRANSPORT_TCP);
|
||||
else if ( mask == UDP_PORT_MASK )
|
||||
return Get(port_num, TRANSPORT_UDP);
|
||||
else if ( mask == ICMP_PORT_MASK )
|
||||
return Get(port_num, TRANSPORT_ICMP);
|
||||
else
|
||||
return Get(port_num, TRANSPORT_UNKNOWN);
|
||||
}
|
||||
|
||||
PortVal* PortManager::Get(uint32 port_num, TransportProto port_type) const
|
||||
{
|
||||
if ( port_num >= 65536 )
|
||||
{
|
||||
reporter->Warning("bad port number %d", port_num);
|
||||
port_num = 0;
|
||||
}
|
||||
|
||||
auto rval = ports[port_type][port_num];
|
||||
::Ref(rval);
|
||||
return rval;
|
||||
}
|
||||
|
||||
uint32 PortManager::Mask(uint32 port_num, TransportProto port_type) const
|
||||
{
|
||||
// Note, for ICMP one-way connections:
|
||||
// src_port = icmp_type, dst_port = icmp_code.
|
||||
|
||||
if ( p >= 65536 )
|
||||
if ( port_num >= 65536 )
|
||||
{
|
||||
InternalWarning("bad port number");
|
||||
p = 0;
|
||||
reporter->Warning("bad port number %d", port_num);
|
||||
port_num = 0;
|
||||
}
|
||||
|
||||
switch ( port_type ) {
|
||||
case TRANSPORT_TCP:
|
||||
p |= TCP_PORT_MASK;
|
||||
port_num |= TCP_PORT_MASK;
|
||||
break;
|
||||
|
||||
case TRANSPORT_UDP:
|
||||
p |= UDP_PORT_MASK;
|
||||
port_num |= UDP_PORT_MASK;
|
||||
break;
|
||||
|
||||
case TRANSPORT_ICMP:
|
||||
p |= ICMP_PORT_MASK;
|
||||
port_num |= ICMP_PORT_MASK;
|
||||
break;
|
||||
|
||||
default:
|
||||
break; // "other"
|
||||
break; // "unknown/other"
|
||||
}
|
||||
|
||||
return port_num;
|
||||
}
|
||||
|
||||
PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT)
|
||||
{
|
||||
auto port_num = port_mgr->Mask(p, port_type);
|
||||
val.uint_val = static_cast<bro_uint_t>(port_num);
|
||||
}
|
||||
|
||||
PortVal::PortVal(uint32 p, bool unused) : Val(TYPE_PORT)
|
||||
{
|
||||
val.uint_val = static_cast<bro_uint_t>(p);
|
||||
}
|
||||
|
||||
|
|
|
|||
31
src/Val.h
31
src/Val.h
|
|
@ -7,6 +7,7 @@
|
|||
|
||||
#include <vector>
|
||||
#include <list>
|
||||
#include <array>
|
||||
|
||||
#include "net_util.h"
|
||||
#include "Type.h"
|
||||
|
|
@ -503,11 +504,35 @@ protected:
|
|||
#define UDP_PORT_MASK 0x20000
|
||||
#define ICMP_PORT_MASK 0x30000
|
||||
|
||||
class PortManager {
|
||||
public:
|
||||
PortManager();
|
||||
~PortManager();
|
||||
|
||||
// Port number given in host order.
|
||||
PortVal* Get(uint32 port_num, TransportProto port_type) const;
|
||||
|
||||
// Host-order port number already masked with port space protocol mask.
|
||||
PortVal* Get(uint32 port_num) const;
|
||||
|
||||
// Returns a masked port number
|
||||
uint32 Mask(uint32 port_num, TransportProto port_type) const;
|
||||
|
||||
private:
|
||||
std::array<std::array<PortVal*, 65536>, NUM_PORT_SPACES> ports;
|
||||
};
|
||||
|
||||
extern PortManager* port_mgr;
|
||||
|
||||
class PortVal : public Val {
|
||||
public:
|
||||
// Constructors - both take the port number in host order.
|
||||
// Port number given in host order.
|
||||
BRO_DEPRECATED("use port_mgr->Get() instead")
|
||||
PortVal(uint32 p, TransportProto port_type);
|
||||
PortVal(uint32 p); // used for already-massaged port value.
|
||||
|
||||
// Host-order port number already masked with port space protocol mask.
|
||||
BRO_DEPRECATED("use port_mgr->Get() instead")
|
||||
PortVal(uint32 p);
|
||||
|
||||
Val* SizeVal() const override { return new Val(val.uint_val, TYPE_INT); }
|
||||
|
||||
|
|
@ -533,7 +558,9 @@ public:
|
|||
|
||||
protected:
|
||||
friend class Val;
|
||||
friend class PortManager;
|
||||
PortVal() {}
|
||||
PortVal(uint32 p, bool unused);
|
||||
|
||||
void ValDescribe(ODesc* d) const override;
|
||||
|
||||
|
|
|
|||
|
|
@ -434,14 +434,16 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
|
|||
|
||||
if ( tcp_contents && ! reass )
|
||||
{
|
||||
PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP);
|
||||
auto dport = port_mgr->Get(ntohs(conn->RespPort()), TRANSPORT_TCP);
|
||||
Val* result;
|
||||
|
||||
if ( ! reass )
|
||||
reass = tcp_content_delivery_ports_orig->Lookup(&dport);
|
||||
reass = tcp_content_delivery_ports_orig->Lookup(dport);
|
||||
|
||||
if ( ! reass )
|
||||
reass = tcp_content_delivery_ports_resp->Lookup(&dport);
|
||||
reass = tcp_content_delivery_ports_resp->Lookup(dport);
|
||||
|
||||
Unref(dport);
|
||||
}
|
||||
|
||||
if ( reass )
|
||||
|
|
|
|||
|
|
@ -114,7 +114,7 @@ public:
|
|||
bool DisableAnalyzer(Tag tag);
|
||||
|
||||
/**
|
||||
* Enables an analyzer type. Disabled analyzers will not be
|
||||
* Disables an analyzer type. Disabled analyzers will not be
|
||||
* instantiated for new connections.
|
||||
*
|
||||
* @param tag The analyzer's tag as an enum of script type \c
|
||||
|
|
|
|||
|
|
@ -42,11 +42,8 @@ public:
|
|||
/**
|
||||
* Returns false if the tag represents an error value rather than a
|
||||
* legal analyzer type.
|
||||
* TODO: make this conversion operator "explicit" (C++11) or use a
|
||||
* "safe bool" idiom (not necessary if "explicit" is available),
|
||||
* otherwise this may allow nonsense/undesired comparison operations.
|
||||
*/
|
||||
operator bool() const { return *this != Tag(); }
|
||||
explicit operator bool() const { return *this != Tag(); }
|
||||
|
||||
/**
|
||||
* Assignment operator.
|
||||
|
|
|
|||
|
|
@ -482,7 +482,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
|
|||
|
||||
RecordVal* peer = new RecordVal(bittorrent_peer);
|
||||
peer->Assign(0, new AddrVal(ad));
|
||||
peer->Assign(1, new PortVal(pt, TRANSPORT_TCP));
|
||||
peer->Assign(1, port_mgr->Get(pt, TRANSPORT_TCP));
|
||||
res_val_peers->Assign(peer, 0);
|
||||
|
||||
Unref(peer);
|
||||
|
|
|
|||
|
|
@ -222,7 +222,7 @@ flow BitTorrent_Flow(is_orig: bool) {
|
|||
connection()->bro_analyzer(),
|
||||
connection()->bro_analyzer()->Conn(),
|
||||
is_orig(),
|
||||
new PortVal(listen_port, TRANSPORT_TCP));
|
||||
port_mgr->Get(listen_port, TRANSPORT_TCP));
|
||||
}
|
||||
|
||||
return true;
|
||||
|
|
|
|||
|
|
@ -33,13 +33,13 @@ static Val* parse_port(const char* line)
|
|||
}
|
||||
|
||||
r->Assign(0, new AddrVal(htonl(addr)));
|
||||
r->Assign(1, new PortVal(port, TRANSPORT_TCP));
|
||||
r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP));
|
||||
r->Assign(2, new Val(good, TYPE_BOOL));
|
||||
}
|
||||
else
|
||||
{
|
||||
r->Assign(0, new AddrVal(uint32(0)));
|
||||
r->Assign(1, new PortVal(0, TRANSPORT_TCP));
|
||||
r->Assign(1, port_mgr->Get(0, TRANSPORT_TCP));
|
||||
r->Assign(2, new Val(0, TYPE_BOOL));
|
||||
}
|
||||
|
||||
|
|
@ -109,7 +109,7 @@ static Val* parse_eftp(const char* line)
|
|||
}
|
||||
|
||||
r->Assign(0, new AddrVal(addr));
|
||||
r->Assign(1, new PortVal(port, TRANSPORT_TCP));
|
||||
r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP));
|
||||
r->Assign(2, new Val(good, TYPE_BOOL));
|
||||
|
||||
return r;
|
||||
|
|
|
|||
|
|
@ -822,6 +822,9 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
|
|||
|
||||
connect_request = false;
|
||||
pia = 0;
|
||||
upgraded = false;
|
||||
upgrade_connection = false;
|
||||
upgrade_protocol.clear();
|
||||
|
||||
content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
|
||||
AddSupportAnalyzer(content_line_orig);
|
||||
|
|
@ -879,6 +882,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
|
|||
if ( TCP() && TCP()->IsPartial() )
|
||||
return;
|
||||
|
||||
if ( upgraded )
|
||||
return;
|
||||
|
||||
if ( pia )
|
||||
{
|
||||
// There will be a PIA instance if this connection has been identified
|
||||
|
|
@ -1468,15 +1474,35 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
|
|||
unanswered_requests.pop();
|
||||
}
|
||||
|
||||
reply_code = 0;
|
||||
|
||||
if ( reply_reason_phrase )
|
||||
{
|
||||
Unref(reply_reason_phrase);
|
||||
reply_reason_phrase = 0;
|
||||
}
|
||||
|
||||
if ( interrupted )
|
||||
// unanswered requests = 1 because there is no pop after 101.
|
||||
if ( reply_code == 101 && unanswered_requests.size() == 1 && upgrade_connection &&
|
||||
upgrade_protocol.size() )
|
||||
{
|
||||
// Upgraded connection that switches immediately - e.g. websocket.
|
||||
upgraded = true;
|
||||
RemoveSupportAnalyzer(content_line_orig);
|
||||
RemoveSupportAnalyzer(content_line_resp);
|
||||
|
||||
if ( http_connection_upgrade )
|
||||
{
|
||||
val_list* vl = new val_list();
|
||||
vl->append(BuildConnVal());
|
||||
vl->append(new StringVal(upgrade_protocol));
|
||||
ConnectionEvent(http_connection_upgrade, vl);
|
||||
}
|
||||
}
|
||||
|
||||
reply_code = 0;
|
||||
upgrade_connection = false;
|
||||
upgrade_protocol.clear();
|
||||
|
||||
if ( interrupted || upgraded )
|
||||
reply_state = EXPECT_REPLY_NOTHING;
|
||||
else
|
||||
reply_state = EXPECT_REPLY_LINE;
|
||||
|
|
@ -1611,11 +1637,17 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
|
|||
|
||||
if ( ! is_orig &&
|
||||
mime::strcasecmp_n(h->get_name(), "connection") == 0 )
|
||||
{
|
||||
{
|
||||
if ( mime::strcasecmp_n(h->get_value_token(), "close") == 0 )
|
||||
connection_close = 1;
|
||||
connection_close = 1;
|
||||
else if ( mime::strcasecmp_n(h->get_value_token(), "upgrade") == 0 )
|
||||
upgrade_connection = true;
|
||||
}
|
||||
|
||||
if ( ! is_orig &&
|
||||
mime::strcasecmp_n(h->get_name(), "upgrade") == 0 )
|
||||
upgrade_protocol.assign(h->get_value_token().data, h->get_value_token().length);
|
||||
|
||||
if ( http_header )
|
||||
{
|
||||
Rule::PatternType rule =
|
||||
|
|
|
|||
|
|
@ -40,8 +40,8 @@ public:
|
|||
{ zip->Done(); delete zip; }
|
||||
}
|
||||
|
||||
void EndOfData();
|
||||
void Deliver(int len, const char* data, int trailing_CRLF);
|
||||
void EndOfData() override;
|
||||
void Deliver(int len, const char* data, int trailing_CRLF) override;
|
||||
int Undelivered(int64_t len);
|
||||
int64_t BodyLength() const { return body_length; }
|
||||
int64_t HeaderLength() const { return header_length; }
|
||||
|
|
@ -68,17 +68,17 @@ protected:
|
|||
bool send_size; // whether to send size indication to FAF
|
||||
std::string precomputed_file_id;
|
||||
|
||||
MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); }
|
||||
MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); }
|
||||
|
||||
void DeliverBody(int len, const char* data, int trailing_CRLF);
|
||||
void DeliverBodyClear(int len, const char* data, int trailing_CRLF);
|
||||
|
||||
void SubmitData(int len, const char* buf);
|
||||
void SubmitData(int len, const char* buf) override;
|
||||
|
||||
void SetPlainDelivery(int64_t length);
|
||||
|
||||
void SubmitHeader(mime::MIME_Header* h);
|
||||
void SubmitAllHeaders();
|
||||
void SubmitHeader(mime::MIME_Header* h) override;
|
||||
void SubmitAllHeaders() override;
|
||||
};
|
||||
|
||||
enum {
|
||||
|
|
@ -106,18 +106,18 @@ public:
|
|||
bool is_orig, int expect_body, int64_t init_header_length);
|
||||
~HTTP_Message();
|
||||
void Done(const int interrupted, const char* msg);
|
||||
void Done() { Done(0, "message ends normally"); }
|
||||
void Done() override { Done(0, "message ends normally"); }
|
||||
|
||||
int Undelivered(int64_t len);
|
||||
|
||||
void BeginEntity(mime::MIME_Entity* /* entity */);
|
||||
void EndEntity(mime::MIME_Entity* entity);
|
||||
void SubmitHeader(mime::MIME_Header* h);
|
||||
void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */);
|
||||
void SubmitData(int len, const char* buf);
|
||||
int RequestBuffer(int* plen, char** pbuf);
|
||||
void BeginEntity(mime::MIME_Entity* /* entity */) override;
|
||||
void EndEntity(mime::MIME_Entity* entity) override;
|
||||
void SubmitHeader(mime::MIME_Header* h) override;
|
||||
void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */) override;
|
||||
void SubmitData(int len, const char* buf) override;
|
||||
int RequestBuffer(int* plen, char** pbuf) override;
|
||||
void SubmitAllData();
|
||||
void SubmitEvent(int event_type, const char* detail);
|
||||
void SubmitEvent(int event_type, const char* detail) override;
|
||||
|
||||
void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */);
|
||||
void SetPlainDelivery(int64_t length);
|
||||
|
|
@ -169,15 +169,15 @@ public:
|
|||
int HTTP_ReplyCode() const { return reply_code; };
|
||||
|
||||
// Overriden from Analyzer.
|
||||
virtual void Done();
|
||||
virtual void DeliverStream(int len, const u_char* data, bool orig);
|
||||
virtual void Undelivered(uint64 seq, int len, bool orig);
|
||||
void Done() override;
|
||||
void DeliverStream(int len, const u_char* data, bool orig) override;
|
||||
void Undelivered(uint64 seq, int len, bool orig) override;
|
||||
|
||||
// Overriden from tcp::TCP_ApplicationAnalyzer
|
||||
virtual void EndpointEOF(bool is_orig);
|
||||
virtual void ConnectionFinished(int half_finished);
|
||||
virtual void ConnectionReset();
|
||||
virtual void PacketWithRST();
|
||||
void EndpointEOF(bool is_orig) override;
|
||||
void ConnectionFinished(int half_finished) override;
|
||||
void ConnectionReset() override;
|
||||
void PacketWithRST() override;
|
||||
|
||||
static analyzer::Analyzer* Instantiate(Connection* conn)
|
||||
{ return new HTTP_Analyzer(conn); }
|
||||
|
|
@ -234,6 +234,13 @@ protected:
|
|||
|
||||
bool connect_request;
|
||||
pia::PIA_TCP *pia;
|
||||
// set to true after a connection was upgraded
|
||||
bool upgraded;
|
||||
// set to true when encountering an "connection" header in a reply.
|
||||
bool upgrade_connection;
|
||||
// set to the protocol string when encountering an "upgrade" header
|
||||
// in a reply.
|
||||
std::string upgrade_protocol;
|
||||
|
||||
Val* request_method;
|
||||
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_event http_header http_message_done http_reply http_stats
|
||||
## truncate_http_URI
|
||||
## truncate_http_URI http_connection_upgrade
|
||||
event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
|
||||
|
||||
## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
|
||||
|
|
@ -40,7 +40,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_event http_header http_message_done http_request
|
||||
## http_stats
|
||||
## http_stats http_connection_upgrade
|
||||
event http_reply%(c: connection, version: string, code: count, reason: string%);
|
||||
|
||||
## Generated for HTTP headers. Bro supports persistent and pipelined HTTP
|
||||
|
|
@ -60,7 +60,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_event http_message_done http_reply http_request
|
||||
## http_stats
|
||||
## http_stats http_connection_upgrade
|
||||
##
|
||||
## .. note:: This event is also raised for headers found in nested body
|
||||
## entities.
|
||||
|
|
@ -83,6 +83,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%);
|
|||
##
|
||||
## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data
|
||||
## http_event http_header http_message_done http_reply http_request http_stats
|
||||
## http_connection_upgrade
|
||||
##
|
||||
## .. note:: This event is also raised for headers found in nested body
|
||||
## entities.
|
||||
|
|
@ -104,7 +105,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data
|
||||
## http_event http_header http_message_done http_reply http_request http_stats
|
||||
## mime_begin_entity
|
||||
## mime_begin_entity http_connection_upgrade
|
||||
event http_begin_entity%(c: connection, is_orig: bool%);
|
||||
|
||||
## Generated when finishing parsing an HTTP body entity. This event is generated
|
||||
|
|
@ -123,7 +124,7 @@ event http_begin_entity%(c: connection, is_orig: bool%);
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
|
||||
## http_event http_header http_message_done http_reply http_request
|
||||
## http_stats mime_end_entity
|
||||
## http_stats mime_end_entity http_connection_upgrade
|
||||
event http_end_entity%(c: connection, is_orig: bool%);
|
||||
|
||||
## Generated when parsing an HTTP body entity, passing on the data. This event
|
||||
|
|
@ -152,6 +153,7 @@ event http_end_entity%(c: connection, is_orig: bool%);
|
|||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_event http_header http_message_done http_reply http_request http_stats
|
||||
## mime_entity_data http_entity_data_delivery_size skip_http_data
|
||||
## http_connection_upgrade
|
||||
event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%);
|
||||
|
||||
## Generated for reporting an HTTP body's content type. This event is
|
||||
|
|
@ -173,6 +175,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data
|
||||
## http_event http_header http_message_done http_reply http_request http_stats
|
||||
## http_connection_upgrade
|
||||
##
|
||||
## .. note:: This event is also raised for headers found in nested body
|
||||
## entities.
|
||||
|
|
@ -198,6 +201,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_event http_header http_reply http_request http_stats
|
||||
## http_connection_upgrade
|
||||
event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%);
|
||||
|
||||
## Generated for errors found when decoding HTTP requests or replies.
|
||||
|
|
@ -214,7 +218,7 @@ event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%)
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_header http_message_done http_reply http_request
|
||||
## http_stats mime_event
|
||||
## http_stats mime_event http_connection_upgrade
|
||||
event http_event%(c: connection, event_type: string, detail: string%);
|
||||
|
||||
## Generated at the end of an HTTP session to report statistics about it. This
|
||||
|
|
@ -228,5 +232,18 @@ event http_event%(c: connection, event_type: string, detail: string%);
|
|||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_event http_header http_message_done http_reply
|
||||
## http_request
|
||||
## http_request http_connection_upgrade
|
||||
event http_stats%(c: connection, stats: http_stats_rec%);
|
||||
|
||||
## Generated when a HTTP session is upgraded to a different protocol (e.g. websocket).
|
||||
## This event is raised when a server replies with a HTTP 101 reply. No more HTTP events
|
||||
## will be raised after this event.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## protocol: The protocol to which the connection is switching.
|
||||
##
|
||||
## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
|
||||
## http_entity_data http_event http_header http_message_done http_reply
|
||||
## http_request
|
||||
event http_connection_upgrade%(c: connection, protocol: string%);
|
||||
|
|
|
|||
|
|
@ -352,9 +352,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
|
|||
RecordVal* id_val = new RecordVal(conn_id);
|
||||
|
||||
id_val->Assign(0, new AddrVal(src_addr));
|
||||
id_val->Assign(1, new PortVal(src_port, proto));
|
||||
id_val->Assign(1, port_mgr->Get(src_port, proto));
|
||||
id_val->Assign(2, new AddrVal(dst_addr));
|
||||
id_val->Assign(3, new PortVal(dst_port, proto));
|
||||
id_val->Assign(3, port_mgr->Get(dst_port, proto));
|
||||
|
||||
iprec->Assign(0, id_val);
|
||||
iprec->Assign(1, new Val(ip_len, TYPE_COUNT));
|
||||
|
|
@ -411,9 +411,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
|
|||
RecordVal* id_val = new RecordVal(conn_id);
|
||||
|
||||
id_val->Assign(0, new AddrVal(src_addr));
|
||||
id_val->Assign(1, new PortVal(src_port, proto));
|
||||
id_val->Assign(1, port_mgr->Get(src_port, proto));
|
||||
id_val->Assign(2, new AddrVal(dst_addr));
|
||||
id_val->Assign(3, new PortVal(dst_port, proto));
|
||||
id_val->Assign(3, port_mgr->Get(dst_port, proto));
|
||||
|
||||
iprec->Assign(0, id_val);
|
||||
iprec->Assign(1, new Val(ip_len, TYPE_COUNT));
|
||||
|
|
|
|||
|
|
@ -82,8 +82,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
|
|||
|
||||
val_list* vl = new val_list;
|
||||
vl->append(BuildConnVal());
|
||||
vl->append(new PortVal(local_port, TRANSPORT_TCP));
|
||||
vl->append(new PortVal(remote_port, TRANSPORT_TCP));
|
||||
vl->append(port_mgr->Get(local_port, TRANSPORT_TCP));
|
||||
vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP));
|
||||
|
||||
ConnectionEvent(ident_request, vl);
|
||||
|
||||
|
|
@ -143,8 +143,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
|
|||
{
|
||||
val_list* vl = new val_list;
|
||||
vl->append(BuildConnVal());
|
||||
vl->append(new PortVal(local_port, TRANSPORT_TCP));
|
||||
vl->append(new PortVal(remote_port, TRANSPORT_TCP));
|
||||
vl->append(port_mgr->Get(local_port, TRANSPORT_TCP));
|
||||
vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP));
|
||||
vl->append(new StringVal(end_of_line - line, line));
|
||||
|
||||
ConnectionEvent(ident_error, vl);
|
||||
|
|
@ -177,8 +177,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
|
|||
|
||||
val_list* vl = new val_list;
|
||||
vl->append(BuildConnVal());
|
||||
vl->append(new PortVal(local_port, TRANSPORT_TCP));
|
||||
vl->append(new PortVal(remote_port, TRANSPORT_TCP));
|
||||
vl->append(port_mgr->Get(local_port, TRANSPORT_TCP));
|
||||
vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP));
|
||||
vl->append(new StringVal(end_of_line - line, line));
|
||||
vl->append(new StringVal(sys_type_s));
|
||||
|
||||
|
|
|
|||
|
|
@ -232,16 +232,16 @@ class MIME_Mail : public MIME_Message {
|
|||
public:
|
||||
MIME_Mail(analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0);
|
||||
~MIME_Mail();
|
||||
void Done();
|
||||
void Done() override;
|
||||
|
||||
void BeginEntity(MIME_Entity* entity);
|
||||
void EndEntity(MIME_Entity* entity);
|
||||
void SubmitHeader(MIME_Header* h);
|
||||
void SubmitAllHeaders(MIME_HeaderList& hlist);
|
||||
void SubmitData(int len, const char* buf);
|
||||
int RequestBuffer(int* plen, char** pbuf);
|
||||
void BeginEntity(MIME_Entity* entity) override;
|
||||
void EndEntity(MIME_Entity* entity) override;
|
||||
void SubmitHeader(MIME_Header* h) override;
|
||||
void SubmitAllHeaders(MIME_HeaderList& hlist) override;
|
||||
void SubmitData(int len, const char* buf) override;
|
||||
int RequestBuffer(int* plen, char** pbuf) override;
|
||||
void SubmitAllData();
|
||||
void SubmitEvent(int event_type, const char* detail);
|
||||
void SubmitEvent(int event_type, const char* detail) override;
|
||||
void Undelivered(int len);
|
||||
|
||||
protected:
|
||||
|
|
|
|||
|
|
@ -126,7 +126,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status
|
|||
|
||||
RecordVal* rv = c->RequestVal()->AsRecordVal();
|
||||
Val* is_tcp = rv->Lookup(2);
|
||||
reply = new PortVal(CheckPort(port),
|
||||
reply = port_mgr->Get(CheckPort(port),
|
||||
is_tcp->IsOne() ?
|
||||
TRANSPORT_TCP : TRANSPORT_UDP);
|
||||
event = pm_request_getport;
|
||||
|
|
@ -178,7 +178,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status
|
|||
if ( ! opaque_reply )
|
||||
return 0;
|
||||
|
||||
reply = new PortVal(CheckPort(port), TRANSPORT_UDP);
|
||||
reply = port_mgr->Get(CheckPort(port), TRANSPORT_UDP);
|
||||
event = pm_request_callit;
|
||||
}
|
||||
else
|
||||
|
|
@ -202,7 +202,7 @@ Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
|
|||
|
||||
int is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
|
||||
uint32 port = extract_XDR_uint32(buf, len);
|
||||
mapping->Assign(2, new PortVal(CheckPort(port),
|
||||
mapping->Assign(2, port_mgr->Get(CheckPort(port),
|
||||
is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP));
|
||||
|
||||
if ( ! buf )
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ refine flow SIP_Flow += {
|
|||
|
||||
%init{
|
||||
content_length = 0;
|
||||
build_headers = (sip_all_headers != 0);
|
||||
build_headers = bool(sip_all_headers);
|
||||
%}
|
||||
|
||||
function get_content_length(): int
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ refine connection SOCKS_Conn += {
|
|||
4,
|
||||
${request.command},
|
||||
sa,
|
||||
new PortVal(${request.port} | TCP_PORT_MASK),
|
||||
port_mgr->Get(${request.port} | TCP_PORT_MASK),
|
||||
array_to_string(${request.user}));
|
||||
|
||||
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
|
||||
|
|
@ -50,7 +50,7 @@ refine connection SOCKS_Conn += {
|
|||
4,
|
||||
${reply.status},
|
||||
sa,
|
||||
new PortVal(${reply.port} | TCP_PORT_MASK));
|
||||
port_mgr->Get(${reply.port} | TCP_PORT_MASK));
|
||||
|
||||
bro_analyzer()->ProtocolConfirmation();
|
||||
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
|
||||
|
|
@ -102,7 +102,7 @@ refine connection SOCKS_Conn += {
|
|||
5,
|
||||
${request.command},
|
||||
sa,
|
||||
new PortVal(${request.port} | TCP_PORT_MASK),
|
||||
port_mgr->Get(${request.port} | TCP_PORT_MASK),
|
||||
new StringVal(""));
|
||||
|
||||
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
|
||||
|
|
@ -141,7 +141,7 @@ refine connection SOCKS_Conn += {
|
|||
5,
|
||||
${reply.reply},
|
||||
sa,
|
||||
new PortVal(${reply.port} | TCP_PORT_MASK));
|
||||
port_mgr->Get(${reply.port} | TCP_PORT_MASK));
|
||||
|
||||
bro_analyzer()->ProtocolConfirmation();
|
||||
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
|
||||
|
|
|
|||
|
|
@ -38,18 +38,19 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer,
|
|||
|
||||
if ( ::tcp_contents )
|
||||
{
|
||||
// Val dst_port_val(ntohs(Conn()->RespPort()), TYPE_PORT);
|
||||
PortVal dst_port_val(ntohs(tcp_analyzer->Conn()->RespPort()),
|
||||
auto dst_port_val = port_mgr->Get(ntohs(tcp_analyzer->Conn()->RespPort()),
|
||||
TRANSPORT_TCP);
|
||||
TableVal* ports = IsOrig() ?
|
||||
tcp_content_delivery_ports_orig :
|
||||
tcp_content_delivery_ports_resp;
|
||||
Val* result = ports->Lookup(&dst_port_val);
|
||||
Val* result = ports->Lookup(dst_port_val);
|
||||
|
||||
if ( (IsOrig() && tcp_content_deliver_all_orig) ||
|
||||
(! IsOrig() && tcp_content_deliver_all_resp) ||
|
||||
(result && result->AsBool()) )
|
||||
deliver_tcp_contents = 1;
|
||||
|
||||
Unref(dst_port_val);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -130,7 +130,7 @@ RecordVal* TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
|
|||
RecordVal* teredo_origin = new RecordVal(teredo_origin_type);
|
||||
uint16 port = ntohs(*((uint16*)(origin_indication + 2))) ^ 0xFFFF;
|
||||
uint32 addr = ntohl(*((uint32*)(origin_indication + 4))) ^ 0xFFFFFFFF;
|
||||
teredo_origin->Assign(0, new PortVal(port, TRANSPORT_UDP));
|
||||
teredo_origin->Assign(0, port_mgr->Get(port, TRANSPORT_UDP));
|
||||
teredo_origin->Assign(1, new AddrVal(htonl(addr)));
|
||||
teredo_hdr->Assign(1, teredo_origin);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -97,14 +97,14 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
|
|||
|
||||
if ( udp_contents )
|
||||
{
|
||||
PortVal port_val(ntohs(up->uh_dport), TRANSPORT_UDP);
|
||||
auto port_val = port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP);
|
||||
Val* result = 0;
|
||||
bool do_udp_contents = false;
|
||||
|
||||
if ( is_orig )
|
||||
{
|
||||
result = udp_content_delivery_ports_orig->Lookup(
|
||||
&port_val);
|
||||
port_val);
|
||||
if ( udp_content_deliver_all_orig ||
|
||||
(result && result->AsBool()) )
|
||||
do_udp_contents = true;
|
||||
|
|
@ -112,7 +112,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
|
|||
else
|
||||
{
|
||||
result = udp_content_delivery_ports_resp->Lookup(
|
||||
&port_val);
|
||||
port_val);
|
||||
if ( udp_content_deliver_all_resp ||
|
||||
(result && result->AsBool()) )
|
||||
do_udp_contents = true;
|
||||
|
|
@ -126,6 +126,8 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
|
|||
vl->append(new StringVal(len, (const char*) data));
|
||||
ConnectionEvent(udp_contents, vl);
|
||||
}
|
||||
|
||||
Unref(port_val);
|
||||
}
|
||||
|
||||
if ( is_orig )
|
||||
|
|
|
|||
14
src/bro.bif
14
src/bro.bif
|
|
@ -2270,7 +2270,7 @@ function port_to_count%(p: port%): count
|
|||
## .. bro:see:: port_to_count
|
||||
function count_to_port%(num: count, proto: transport_proto%): port
|
||||
%{
|
||||
return new PortVal(num, (TransportProto)proto->AsEnum());
|
||||
return port_mgr->Get(num, (TransportProto)proto->AsEnum());
|
||||
%}
|
||||
|
||||
## Converts a :bro:type:`string` to an :bro:type:`addr`.
|
||||
|
|
@ -2430,16 +2430,16 @@ function to_port%(s: string%): port
|
|||
{
|
||||
++slash;
|
||||
if ( streq(slash, "tcp") )
|
||||
return new PortVal(port, TRANSPORT_TCP);
|
||||
return port_mgr->Get(port, TRANSPORT_TCP);
|
||||
else if ( streq(slash, "udp") )
|
||||
return new PortVal(port, TRANSPORT_UDP);
|
||||
return port_mgr->Get(port, TRANSPORT_UDP);
|
||||
else if ( streq(slash, "icmp") )
|
||||
return new PortVal(port, TRANSPORT_ICMP);
|
||||
return port_mgr->Get(port, TRANSPORT_ICMP);
|
||||
}
|
||||
}
|
||||
|
||||
builtin_error("wrong port format, must be /[0-9]{1,5}\\/(tcp|udp|icmp)/");
|
||||
return new PortVal(port, TRANSPORT_UNKNOWN);
|
||||
return port_mgr->Get(port, TRANSPORT_UNKNOWN);
|
||||
%}
|
||||
|
||||
## Converts a string of bytes (in network byte order) to a :bro:type:`double`.
|
||||
|
|
@ -3208,9 +3208,9 @@ function lookup_connection%(cid: conn_id%): connection
|
|||
|
||||
RecordVal* id_val = new RecordVal(conn_id);
|
||||
id_val->Assign(0, new AddrVal((unsigned int) 0));
|
||||
id_val->Assign(1, new PortVal(ntohs(0), TRANSPORT_UDP));
|
||||
id_val->Assign(1, port_mgr->Get(ntohs(0), TRANSPORT_UDP));
|
||||
id_val->Assign(2, new AddrVal((unsigned int) 0));
|
||||
id_val->Assign(3, new PortVal(ntohs(0), TRANSPORT_UDP));
|
||||
id_val->Assign(3, port_mgr->Get(ntohs(0), TRANSPORT_UDP));
|
||||
c->Assign(0, id_val);
|
||||
|
||||
RecordVal* orig_endp = new RecordVal(endpoint);
|
||||
|
|
|
|||
|
|
@ -135,7 +135,7 @@ struct val_converter {
|
|||
result_type operator()(broker::port& a)
|
||||
{
|
||||
if ( type->Tag() == TYPE_PORT )
|
||||
return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type()));
|
||||
return port_mgr->Get(a.number(), bro_broker::to_bro_port_proto(a.type()));
|
||||
|
||||
return nullptr;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -697,7 +697,7 @@ void bro_broker::Manager::Process()
|
|||
{
|
||||
val_list* vl = new val_list;
|
||||
vl->append(new StringVal(u.relation.remote_tuple().first));
|
||||
vl->append(new PortVal(u.relation.remote_tuple().second,
|
||||
vl->append(port_mgr->Get(u.relation.remote_tuple().second,
|
||||
TRANSPORT_TCP));
|
||||
vl->append(new StringVal(u.peer_name));
|
||||
mgr.QueueEvent(Broker::outgoing_connection_established, vl);
|
||||
|
|
@ -709,7 +709,7 @@ void bro_broker::Manager::Process()
|
|||
{
|
||||
val_list* vl = new val_list;
|
||||
vl->append(new StringVal(u.relation.remote_tuple().first));
|
||||
vl->append(new PortVal(u.relation.remote_tuple().second,
|
||||
vl->append(port_mgr->Get(u.relation.remote_tuple().second,
|
||||
TRANSPORT_TCP));
|
||||
mgr.QueueEvent(Broker::outgoing_connection_broken, vl);
|
||||
}
|
||||
|
|
@ -720,7 +720,7 @@ void bro_broker::Manager::Process()
|
|||
{
|
||||
val_list* vl = new val_list;
|
||||
vl->append(new StringVal(u.relation.remote_tuple().first));
|
||||
vl->append(new PortVal(u.relation.remote_tuple().second,
|
||||
vl->append(port_mgr->Get(u.relation.remote_tuple().second,
|
||||
TRANSPORT_TCP));
|
||||
mgr.QueueEvent(Broker::outgoing_connection_incompatible, vl);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -88,7 +88,7 @@ function Broker::__refine_to_port%(d: Broker::Data%): port
|
|||
%{
|
||||
auto& a = bro_broker::require_data_type<broker::port>(d->AsRecordVal(),
|
||||
TYPE_PORT, frame);
|
||||
return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type()));
|
||||
return port_mgr->Get(a.number(), bro_broker::to_bro_port_proto(a.type()));
|
||||
%}
|
||||
|
||||
function Broker::__refine_to_time%(d: Broker::Data%): time
|
||||
|
|
|
|||
|
|
@ -34,9 +34,9 @@ static RecordVal* get_conn_id_val(const Connection* conn)
|
|||
{
|
||||
RecordVal* v = new RecordVal(conn_id);
|
||||
v->Assign(0, new AddrVal(conn->OrigAddr()));
|
||||
v->Assign(1, new PortVal(ntohs(conn->OrigPort()), conn->ConnTransport()));
|
||||
v->Assign(1, port_mgr->Get(ntohs(conn->OrigPort()), conn->ConnTransport()));
|
||||
v->Assign(2, new AddrVal(conn->RespAddr()));
|
||||
v->Assign(3, new PortVal(ntohs(conn->RespPort()), conn->ConnTransport()));
|
||||
v->Assign(3, port_mgr->Get(ntohs(conn->RespPort()), conn->ConnTransport()));
|
||||
return v;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -448,7 +448,7 @@ bool Manager::IsDisabled(analyzer::Tag tag)
|
|||
if ( ! disabled )
|
||||
disabled = internal_const_val("Files::disable")->AsTableVal();
|
||||
|
||||
Val* index = new Val(tag, TYPE_COUNT);
|
||||
Val* index = new Val(bool(tag), TYPE_COUNT);
|
||||
Val* yield = disabled->Lookup(index);
|
||||
Unref(index);
|
||||
|
||||
|
|
|
|||
|
|
@ -256,6 +256,14 @@ public:
|
|||
bool SetExtractionLimit(const string& file_id, RecordVal* args,
|
||||
uint64 n) const;
|
||||
|
||||
/**
|
||||
* Try to retrieve a file that's being analyzed, using its identifier/hash.
|
||||
* @param file_id the file identifier/hash.
|
||||
* @return the File object mapped to \a file_id, or a null pointer if no
|
||||
* mapping exists.
|
||||
*/
|
||||
File* LookupFile(const string& file_id) const;
|
||||
|
||||
/**
|
||||
* Queue attachment of an analzer to the file identifier. Multiple
|
||||
* analyzers of a given type can be attached per file identifier at a time
|
||||
|
|
@ -355,14 +363,6 @@ protected:
|
|||
bool is_orig = false, bool update_conn = true,
|
||||
const char* source_name = 0);
|
||||
|
||||
/**
|
||||
* Try to retrieve a file that's being analyzed, using its identifier/hash.
|
||||
* @param file_id the file identifier/hash.
|
||||
* @return the File object mapped to \a file_id, or a null pointer if no
|
||||
* mapping exists.
|
||||
*/
|
||||
File* LookupFile(const string& file_id) const;
|
||||
|
||||
/**
|
||||
* Evaluate timeout policy for a file and remove the File object mapped to
|
||||
* \a file_id if needed.
|
||||
|
|
|
|||
|
|
@ -41,12 +41,8 @@ public:
|
|||
/**
|
||||
* Returns false if the tag represents an error value rather than a
|
||||
* legal analyzer type.
|
||||
* TODO: make this conversion operator "explicit" (C++11) or use a
|
||||
* "safe bool" idiom (not necessary if "explicit" is available),
|
||||
* otherwise this may allow nonsense/undesired comparison operations.
|
||||
*
|
||||
*/
|
||||
operator bool() const { return *this != Tag(); }
|
||||
explicit operator bool() const { return *this != Tag(); }
|
||||
|
||||
/**
|
||||
* Assignment operator.
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ refine flow Flow += {
|
|||
case 17: proto = TRANSPORT_UDP; break;
|
||||
}
|
||||
|
||||
return new PortVal(n, proto);
|
||||
return port_mgr->Get(n, proto);
|
||||
%}
|
||||
|
||||
#function proc_record(rec: Record) : bool
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
#ifndef FILE_ANALYSIS_X509_COMMON
|
||||
#define FILE_ANALYSIS_X509_COMMON
|
||||
|
||||
#include "../File.h"
|
||||
#include "file_analysis/File.h"
|
||||
#include "Analyzer.h"
|
||||
|
||||
#include <openssl/x509.h>
|
||||
|
|
|
|||
|
|
@ -71,6 +71,28 @@ function Files::__analyzer_name%(tag: Files::Tag%) : string
|
|||
return new StringVal(file_mgr->GetComponentName(tag));
|
||||
%}
|
||||
|
||||
## :bro:see:`Files::file_exists`.
|
||||
function Files::__file_exists%(fuid: string%): bool
|
||||
%{
|
||||
if ( file_mgr->LookupFile(fuid->CheckString()) != nullptr )
|
||||
return new Val(true, TYPE_BOOL);
|
||||
else
|
||||
return new Val(false, TYPE_BOOL);
|
||||
%}
|
||||
|
||||
## :bro:see:`Files::lookup_file`.
|
||||
function Files::__lookup_file%(fuid: string%): fa_file
|
||||
%{
|
||||
auto f = file_mgr->LookupFile(fuid->CheckString());
|
||||
if ( f != nullptr )
|
||||
{
|
||||
return f->GetVal()->Ref();
|
||||
}
|
||||
|
||||
reporter->Error("file ID %s not a known file", fuid->CheckString());
|
||||
return 0;
|
||||
%}
|
||||
|
||||
module GLOBAL;
|
||||
|
||||
## For use within a :bro:see:`get_file_handle` handler to set a unique
|
||||
|
|
|
|||
|
|
@ -2287,7 +2287,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ
|
|||
}
|
||||
|
||||
case TYPE_PORT:
|
||||
return new PortVal(val->val.port_val.port, val->val.port_val.proto);
|
||||
return port_mgr->Get(val->val.port_val.port, val->val.port_val.proto);
|
||||
|
||||
case TYPE_ADDR:
|
||||
{
|
||||
|
|
|
|||
|
|
@ -87,6 +87,7 @@ int perftools_profile = 0;
|
|||
|
||||
DNS_Mgr* dns_mgr;
|
||||
TimerMgr* timer_mgr;
|
||||
PortManager* port_mgr = 0;
|
||||
logging::Manager* log_mgr = 0;
|
||||
threading::Manager* thread_mgr = 0;
|
||||
input::Manager* input_mgr = 0;
|
||||
|
|
@ -384,6 +385,7 @@ void terminate_bro()
|
|||
delete plugin_mgr;
|
||||
delete reporter;
|
||||
delete iosource_mgr;
|
||||
delete port_mgr;
|
||||
|
||||
reporter = 0;
|
||||
}
|
||||
|
|
@ -711,6 +713,7 @@ int main(int argc, char** argv)
|
|||
|
||||
bro_start_time = current_time(true);
|
||||
|
||||
port_mgr = new PortManager();
|
||||
reporter = new Reporter();
|
||||
thread_mgr = new threading::Manager();
|
||||
plugin_mgr = new plugin::Manager();
|
||||
|
|
|
|||
|
|
@ -78,7 +78,7 @@ struct VersionNumber {
|
|||
/**
|
||||
* Returns true if the version is set to a non-negative value.
|
||||
*/
|
||||
operator bool() const { return major >= 0 && minor >= 0; }
|
||||
explicit operator bool() const { return major >= 0 && minor >= 0; }
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -474,7 +474,7 @@ F RET_CONST(new Val(false, TYPE_BOOL))
|
|||
reporter->Error("bad port number - %s", yytext);
|
||||
p = 0;
|
||||
}
|
||||
RET_CONST(new PortVal(p, TRANSPORT_TCP))
|
||||
RET_CONST(port_mgr->Get(p, TRANSPORT_TCP))
|
||||
}
|
||||
{D}"/udp" {
|
||||
uint32 p = atoi(yytext);
|
||||
|
|
@ -483,7 +483,7 @@ F RET_CONST(new Val(false, TYPE_BOOL))
|
|||
reporter->Error("bad port number - %s", yytext);
|
||||
p = 0;
|
||||
}
|
||||
RET_CONST(new PortVal(p, TRANSPORT_UDP))
|
||||
RET_CONST(port_mgr->Get(p, TRANSPORT_UDP))
|
||||
}
|
||||
{D}"/icmp" {
|
||||
uint32 p = atoi(yytext);
|
||||
|
|
@ -492,7 +492,7 @@ F RET_CONST(new Val(false, TYPE_BOOL))
|
|||
reporter->Error("bad port number - %s", yytext);
|
||||
p = 0;
|
||||
}
|
||||
RET_CONST(new PortVal(p, TRANSPORT_ICMP))
|
||||
RET_CONST(port_mgr->Get(p, TRANSPORT_ICMP))
|
||||
}
|
||||
{D}"/unknown" {
|
||||
uint32 p = atoi(yytext);
|
||||
|
|
@ -501,7 +501,7 @@ F RET_CONST(new Val(false, TYPE_BOOL))
|
|||
reporter->Error("bad port number - %s", yytext);
|
||||
p = 0;
|
||||
}
|
||||
RET_CONST(new PortVal(p, TRANSPORT_UNKNOWN))
|
||||
RET_CONST(port_mgr->Get(p, TRANSPORT_UNKNOWN))
|
||||
}
|
||||
|
||||
{FLOAT}{OWS}day(s?) RET_CONST(new IntervalVal(atof(yytext),Days))
|
||||
|
|
|
|||
|
|
@ -3,6 +3,15 @@
|
|||
#ifndef util_h
|
||||
#define util_h
|
||||
|
||||
#ifdef __GNUC__
|
||||
#define BRO_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
|
||||
#elif defined(_MSC_VER)
|
||||
#define BRO_DEPRECATED(msg) __declspec(deprecated(msg)) func
|
||||
#else
|
||||
#pragma message("Warning: BRO_DEPRECATED macro not implemented")
|
||||
#define BRO_DEPRECATED(msg)
|
||||
#endif
|
||||
|
||||
// Expose C99 functionality from inttypes.h, which would otherwise not be
|
||||
// available in C++.
|
||||
#ifndef __STDC_FORMAT_MACROS
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@
|
|||
#open 2017-01-30-23-13-15
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string
|
||||
1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00
|
||||
1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 - 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00
|
||||
#close 2017-01-30-23-13-15
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
#open 2016-07-13-16-12-55
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1371685686.536606 CHhAvVGS1DHFjwGM9 65.65.65.65 19244 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 257 0 0 (empty)
|
||||
1371686961.479321 C4J4Th3PJpwUYZZ6gc 65.65.65.65 61193 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 710 0 0 (empty)
|
||||
1371686961.156859 ClEkJM2Vm5giqnMf4h 65.65.65.65 32828 65.65.65.65 80 tcp - - - - OTH - - 0 ^d 0 0 1 1500 (empty)
|
||||
1371685686.536606 CHhAvVGS1DHFjwGM9 65.65.65.65 19244 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 257 0 0 -
|
||||
1371686961.479321 C4J4Th3PJpwUYZZ6gc 65.65.65.65 61193 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 710 0 0 -
|
||||
1371686961.156859 ClEkJM2Vm5giqnMf4h 65.65.65.65 32828 65.65.65.65 80 tcp - - - - OTH - - 0 ^d 0 0 1 1500 -
|
||||
#close 2016-07-13-16-12-55
|
||||
|
|
|
|||
|
|
@ -6,20 +6,20 @@
|
|||
#open 2016-07-13-16-12-55
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty)
|
||||
1300475168.853899 C4J4Th3PJpwUYZZ6gc 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.854378 CtPZjS20MLrsMUOJi2 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.854837 CUM0KZ3MLUfNB0cl11 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.857956 CmES5u32sYpV7JYN 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.858306 CP5puj4I8PtEU4qzYg 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.858713 C37jN32gN3y3AZzyf6 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.891644 C3eiCBGOLw3VtHfOj 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.892037 CwjjYJ2WqgTbAqiHl6 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.892414 C0LAHyvtKSQHyJxIl 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.893988 CFLRIC3zaTU1loLGxh 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.894422 C9rXSW3KSpTYvPrlI1 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.894787 Ck51lg1bScffFj34Ri 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.901749 C9mvWx3ezztgzcexV7 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty)
|
||||
1300475168.902195 CNnMIj2QSd84NKf7U3 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty)
|
||||
1300475168.652003 ClEkJM2Vm5giqnMf4h 141.142.220.118 35634 208.80.152.2 80 tcp - - - - OTH - - 0 D 1 515 0 0 (empty)
|
||||
1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 -
|
||||
1300475168.853899 C4J4Th3PJpwUYZZ6gc 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.854378 CtPZjS20MLrsMUOJi2 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475168.854837 CUM0KZ3MLUfNB0cl11 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.857956 CmES5u32sYpV7JYN 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.858306 CP5puj4I8PtEU4qzYg 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475168.858713 C37jN32gN3y3AZzyf6 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.891644 C3eiCBGOLw3VtHfOj 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.892037 CwjjYJ2WqgTbAqiHl6 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475168.892414 C0LAHyvtKSQHyJxIl 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.893988 CFLRIC3zaTU1loLGxh 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.894422 C9rXSW3KSpTYvPrlI1 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475168.894787 Ck51lg1bScffFj34Ri 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.901749 C9mvWx3ezztgzcexV7 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 -
|
||||
1300475168.902195 CNnMIj2QSd84NKf7U3 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 -
|
||||
1300475168.652003 ClEkJM2Vm5giqnMf4h 141.142.220.118 35634 208.80.152.2 80 tcp - - - - OTH - - 0 D 1 515 0 0 -
|
||||
#close 2016-07-13-16-12-55
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@
|
|||
#open 2016-07-13-16-12-56
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1300475168.892936 CHhAvVGS1DHFjwGM9 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty)
|
||||
1300475168.892936 CHhAvVGS1DHFjwGM9 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 -
|
||||
#close 2016-07-13-16-12-56
|
||||
|
|
|
|||
|
|
@ -6,11 +6,11 @@
|
|||
#open 2016-07-13-16-12-57
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1284385417.962560 CUM0KZ3MLUfNB0cl11 fe80::ce05:eff:fe88:0 546 ff02::1:2 547 udp - 0.078000 114 0 S0 - - 0 D 2 210 0 0 (empty)
|
||||
1284385418.014560 CmES5u32sYpV7JYN fe80::c801:eff:fe88:8 547 fe80::ce05:eff:fe88:0 546 udp - 0.096000 192 0 S0 - - 0 D 2 288 0 0 (empty)
|
||||
1284385411.035560 CHhAvVGS1DHFjwGM9 fe80::c801:eff:fe88:8 143 ff02::16 0 icmp - 0.835000 160 0 OTH - - 0 - 8 608 0 0 (empty)
|
||||
1284385451.658560 CP5puj4I8PtEU4qzYg fc00:0:2:100::1:1 128 fc00::1 129 icmp - 0.156000 260 260 OTH - - 0 - 5 500 5 500 (empty)
|
||||
1284385412.963560 C4J4Th3PJpwUYZZ6gc fe80::ce05:eff:fe88:0 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 48 0 0 (empty)
|
||||
1284385413.027560 CtPZjS20MLrsMUOJi2 fe80::c801:eff:fe88:8 134 fe80::ce05:eff:fe88:0 133 icmp - - - - OTH - - 0 - 1 64 0 0 (empty)
|
||||
1284385411.091560 ClEkJM2Vm5giqnMf4h fe80::c801:eff:fe88:8 136 ff02::1 135 icmp - - - - OTH - - 0 - 1 64 0 0 (empty)
|
||||
1284385417.962560 CUM0KZ3MLUfNB0cl11 fe80::ce05:eff:fe88:0 546 ff02::1:2 547 udp - 0.078000 114 0 S0 - - 0 D 2 210 0 0 -
|
||||
1284385418.014560 CmES5u32sYpV7JYN fe80::c801:eff:fe88:8 547 fe80::ce05:eff:fe88:0 546 udp - 0.096000 192 0 S0 - - 0 D 2 288 0 0 -
|
||||
1284385411.035560 CHhAvVGS1DHFjwGM9 fe80::c801:eff:fe88:8 143 ff02::16 0 icmp - 0.835000 160 0 OTH - - 0 - 8 608 0 0 -
|
||||
1284385451.658560 CP5puj4I8PtEU4qzYg fc00:0:2:100::1:1 128 fc00::1 129 icmp - 0.156000 260 260 OTH - - 0 - 5 500 5 500 -
|
||||
1284385412.963560 C4J4Th3PJpwUYZZ6gc fe80::ce05:eff:fe88:0 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 48 0 0 -
|
||||
1284385413.027560 CtPZjS20MLrsMUOJi2 fe80::c801:eff:fe88:8 134 fe80::ce05:eff:fe88:0 133 icmp - - - - OTH - - 0 - 1 64 0 0 -
|
||||
1284385411.091560 ClEkJM2Vm5giqnMf4h fe80::c801:eff:fe88:8 136 ff02::1 135 icmp - - - - OTH - - 0 - 1 64 0 0 -
|
||||
#close 2016-07-13-16-12-57
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@
|
|||
#open 2016-07-13-16-12-58
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 (empty)
|
||||
1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 -
|
||||
#close 2016-07-13-16-12-59
|
||||
|
|
|
|||
|
|
@ -6,6 +6,6 @@
|
|||
#open 2016-07-13-16-13-00
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 (empty)
|
||||
1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 (empty)
|
||||
1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 -
|
||||
1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 -
|
||||
#close 2016-07-13-16-13-00
|
||||
|
|
|
|||
|
|
@ -6,6 +6,6 @@
|
|||
#open 2016-07-13-16-13-00
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty)
|
||||
1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 (empty)
|
||||
1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 -
|
||||
1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 -
|
||||
#close 2016-07-13-16-13-00
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
#open 2016-07-13-16-13-01
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 (empty)
|
||||
1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 (empty)
|
||||
1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 (empty)
|
||||
1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 -
|
||||
1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 -
|
||||
1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 -
|
||||
#close 2016-07-13-16-13-01
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@
|
|||
#open 2016-07-13-16-13-02
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 (empty)
|
||||
1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 -
|
||||
#close 2016-07-13-16-13-02
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@
|
|||
#open 2016-07-13-17-58-31
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty)
|
||||
1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 -
|
||||
#close 2016-07-13-17-58-31
|
||||
|
|
|
|||
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#open 2016-07-13-16-13-02
|
||||
#open 2018-01-12-21-43-34
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADadtR 17 1250 22 28961 (empty)
|
||||
#close 2016-07-13-16-13-03
|
||||
1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADadtR 17 1250 22 28961 -
|
||||
#close 2018-01-12-21-43-34
|
||||
|
|
|
|||
|
|
@ -3,41 +3,41 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#open 2016-07-13-16-13-03
|
||||
#open 2018-01-12-21-43-35
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty)
|
||||
1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 (empty)
|
||||
1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 (empty)
|
||||
1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.858306 CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.858713 C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.891644 C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.892037 CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.892414 C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.893988 CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.894422 C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.894787 CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.901749 CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty)
|
||||
1300475168.902195 CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty)
|
||||
1300475169.899438 Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 85 0 0 (empty)
|
||||
1300475170.862384 CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty)
|
||||
1300475171.675372 CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475171.677081 CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.116749 C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475173.117362 CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.153679 CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - - 0 D 1 78 0 0 (empty)
|
||||
1300475169.780331 CFSwNi4CNGxcuffo49 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - - 0 ^h 0 0 1 48 (empty)
|
||||
1300475168.892913 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty)
|
||||
1300475168.724007 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty)
|
||||
1300475168.855330 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty)
|
||||
1300475168.855305 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty)
|
||||
1300475168.652003 CtPZjS20MLrsMUOJi2 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty)
|
||||
1300475168.902635 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty)
|
||||
1300475168.859163 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty)
|
||||
1300475168.892936 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty)
|
||||
1300475168.895267 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty)
|
||||
#close 2016-07-13-16-13-03
|
||||
1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 -
|
||||
1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 -
|
||||
1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 -
|
||||
1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.858306 CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475168.858713 C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.891644 C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.892037 CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475168.892414 C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.893988 CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.894422 C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475168.894787 CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.901749 CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 -
|
||||
1300475168.902195 CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 -
|
||||
1300475169.899438 Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 85 0 0 -
|
||||
1300475170.862384 CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - - 0 D 7 546 0 0 -
|
||||
1300475171.675372 CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475171.677081 CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.116749 C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475173.117362 CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.153679 CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - - 0 D 1 78 0 0 -
|
||||
1300475169.780331 CFSwNi4CNGxcuffo49 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - - 0 ^h 0 0 1 48 -
|
||||
1300475168.892913 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 -
|
||||
1300475168.724007 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 -
|
||||
1300475168.855330 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 -
|
||||
1300475168.855305 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 -
|
||||
1300475168.652003 CtPZjS20MLrsMUOJi2 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 -
|
||||
1300475168.902635 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 -
|
||||
1300475168.859163 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 -
|
||||
1300475168.892936 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 -
|
||||
1300475168.895267 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 -
|
||||
#close 2018-01-12-21-43-35
|
||||
|
|
|
|||
|
|
@ -7,8 +7,8 @@
|
|||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1257655301.595604 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 tcp http 2.101052 2981 4665 S1 - - 0 ShADad 10 3605 11 5329 C4J4Th3PJpwUYZZ6gc
|
||||
1257655296.585034 C4J4Th3PJpwUYZZ6gc 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - - 0 Dd 21 5717 13 6473 (empty)
|
||||
1257655293.629048 CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - - 0 ^d 0 0 1 176 (empty)
|
||||
1257655296.585034 C4J4Th3PJpwUYZZ6gc 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - - 0 Dd 21 5717 13 6473 -
|
||||
1257655293.629048 CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - - 0 ^d 0 0 1 176 -
|
||||
1257655296.585333 CP5puj4I8PtEU4qzYg :: 135 ff02::1:ff00:2 136 icmp - - - - OTH - - 0 - 1 64 0 0 C4J4Th3PJpwUYZZ6gc
|
||||
1257655296.585151 CUM0KZ3MLUfNB0cl11 fe80::216:cbff:fe9a:4cb9 131 ff02::2:f901:d225 130 icmp - 0.719947 32 0 OTH - - 0 - 2 144 0 0 C4J4Th3PJpwUYZZ6gc
|
||||
1257655296.585034 CtPZjS20MLrsMUOJi2 fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff9a:4cb9 130 icmp - 4.922880 32 0 OTH - - 0 - 2 144 0 0 C4J4Th3PJpwUYZZ6gc
|
||||
|
|
|
|||
|
|
@ -7,6 +7,6 @@
|
|||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1333458850.321642 ClEkJM2Vm5giqnMf4h 10.131.17.170 51803 173.199.115.168 80 tcp http 0.257902 1138 63424 S3 - - 0 ShADadf 29 2310 49 65396 CHhAvVGS1DHFjwGM9,C4J4Th3PJpwUYZZ6gc
|
||||
1333458850.321642 CHhAvVGS1DHFjwGM9 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - - 0 D 29 3354 0 0 (empty)
|
||||
1333458850.325787 C4J4Th3PJpwUYZZ6gc 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - - 0 D 49 67160 0 0 (empty)
|
||||
1333458850.321642 CHhAvVGS1DHFjwGM9 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - - 0 D 29 3354 0 0 -
|
||||
1333458850.325787 C4J4Th3PJpwUYZZ6gc 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - - 0 D 49 67160 0 0 -
|
||||
#close 2016-07-13-16-13-06
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@
|
|||
#open 2016-07-13-16-13-07
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1333458871.219794 CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - - 0 D 1 64 0 0 (empty)
|
||||
1333458871.219794 CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - - 0 D 1 64 0 0 -
|
||||
#close 2016-07-13-16-13-07
|
||||
|
|
|
|||
|
|
@ -7,6 +7,6 @@
|
|||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1333458851.770000 ClEkJM2Vm5giqnMf4h fe80::224c:4fff:fe43:414c 1234 ff02::1:3 5355 udp dns - - - S0 - - 0 D 1 80 0 0 CHhAvVGS1DHFjwGM9
|
||||
1333458851.770000 CHhAvVGS1DHFjwGM9 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - - 0 D 2 208 0 0 (empty)
|
||||
1333458851.770000 CHhAvVGS1DHFjwGM9 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - - 0 D 2 208 0 0 -
|
||||
1333458851.969236 C4J4Th3PJpwUYZZ6gc fe80::224c:4fff:fe43:414c 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 56 0 0 CHhAvVGS1DHFjwGM9
|
||||
#close 2016-07-13-16-13-08
|
||||
|
|
|
|||
|
|
@ -10,17 +10,17 @@
|
|||
1333458850.035456 C0LAHyvtKSQHyJxIl 172.27.159.9 63912 94.245.121.253 3544 udp teredo - - - S0 - - 0 D 1 89 0 0 CwjjYJ2WqgTbAqiHl6
|
||||
1333458850.029783 C37jN32gN3y3AZzyf6 172.24.16.67 52298 65.55.158.118 3544 udp teredo - - - S0 - - 0 D 1 88 0 0 CmES5u32sYpV7JYN
|
||||
1333458850.040098 C7fIlMZDuRiqjpYbb 172.24.203.81 54447 65.55.158.118 3544 udp teredo 0.003698 120 0 S0 - - 0 D 2 176 0 0 CNnMIj2QSd84NKf7U3
|
||||
1333458850.037956 Ck51lg1bScffFj34Ri 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - - 0 D 1 120 0 0 (empty)
|
||||
1333458850.037956 Ck51lg1bScffFj34Ri 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - - 0 D 1 120 0 0 -
|
||||
1333458850.035460 C9rXSW3KSpTYvPrlI1 172.27.159.9 63912 94.245.121.254 3544 udp teredo - - - S0 - - 0 D 1 89 0 0 CwjjYJ2WqgTbAqiHl6
|
||||
1333458850.040098 CNnMIj2QSd84NKf7U3 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - - 0 D 2 248 0 0 (empty)
|
||||
1333458850.035456 CwjjYJ2WqgTbAqiHl6 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - - 0 D 2 250 0 0 (empty)
|
||||
1333458850.040098 CNnMIj2QSd84NKf7U3 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - - 0 D 2 248 0 0 -
|
||||
1333458850.035456 CwjjYJ2WqgTbAqiHl6 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - - 0 D 2 250 0 0 -
|
||||
1333458850.029781 CP5puj4I8PtEU4qzYg 172.24.16.67 52298 94.245.121.253 3544 udp teredo - - - S0 - - 0 D 1 88 0 0 CmES5u32sYpV7JYN
|
||||
1333458850.032887 C3eiCBGOLw3VtHfOj 10.131.42.160 62069 94.245.121.253 3544 udp teredo - - - SHR - - 0 ^d 0 0 1 84 C4J4Th3PJpwUYZZ6gc
|
||||
1333458850.037956 C9mvWx3ezztgzcexV7 10.131.112.102 51403 94.245.121.253 3544 udp teredo - - - SHR - - 0 ^d 0 0 1 84 Ck51lg1bScffFj34Ri
|
||||
1333458850.014199 CHhAvVGS1DHFjwGM9 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - - 0 D 1 124 0 0 (empty)
|
||||
1333458850.016620 C4J4Th3PJpwUYZZ6gc 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - - 0 Dd 1 116 1 120 (empty)
|
||||
1333458850.014199 CHhAvVGS1DHFjwGM9 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - - 0 D 1 124 0 0 -
|
||||
1333458850.016620 C4J4Th3PJpwUYZZ6gc 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - - 0 Dd 1 116 1 120 -
|
||||
1333458850.016620 CtPZjS20MLrsMUOJi2 172.24.16.121 61901 94.245.121.251 3544 udp teredo - - - S0 - - 0 D 1 80 0 0 C4J4Th3PJpwUYZZ6gc
|
||||
1333458850.029781 CmES5u32sYpV7JYN 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - - 0 D 2 248 0 0 (empty)
|
||||
1333458850.029781 CmES5u32sYpV7JYN 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - - 0 D 2 248 0 0 -
|
||||
1333458850.016620 CUM0KZ3MLUfNB0cl11 2001:0:5ef5:79fb:38b8:1695:2b37:be8e 128 2002:2571:c817::2571:c817 129 icmp - - - - OTH - - 0 - 1 52 0 0 CtPZjS20MLrsMUOJi2
|
||||
1333458850.035456 CFLRIC3zaTU1loLGxh fe80::ffff:ffff:fffe 133 ff02::2 134 icmp - 0.000004 0 0 OTH - - 0 - 2 96 0 0 C9rXSW3KSpTYvPrlI1,C0LAHyvtKSQHyJxIl
|
||||
#close 2016-07-13-16-13-08
|
||||
|
|
|
|||
|
|
@ -6,6 +6,6 @@
|
|||
#open 2016-07-13-16-13-09
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1333458850.867091 ClEkJM2Vm5giqnMf4h 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - - 0 Dd 1 40 1 42 (empty)
|
||||
1333458850.532814 CHhAvVGS1DHFjwGM9 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - - 0 D 1 52 0 0 (empty)
|
||||
1333458850.867091 ClEkJM2Vm5giqnMf4h 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - - 0 Dd 1 40 1 42 -
|
||||
1333458850.532814 CHhAvVGS1DHFjwGM9 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - - 0 D 1 52 0 0 -
|
||||
#close 2016-07-13-16-13-09
|
||||
|
|
|
|||
|
|
@ -7,5 +7,5 @@
|
|||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1333458852.011535 ClEkJM2Vm5giqnMf4h 10.222.10.10 44960 173.194.69.188 5228 tcp ssl 0.573499 704 1026 S1 - - 0 ShADad 17 1604 14 1762 CHhAvVGS1DHFjwGM9
|
||||
1333458852.011535 CHhAvVGS1DHFjwGM9 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - - 0 Dd 17 2216 14 2322 (empty)
|
||||
1333458852.011535 CHhAvVGS1DHFjwGM9 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - - 0 Dd 17 2216 14 2322 -
|
||||
#close 2016-07-13-16-13-10
|
||||
|
|
|
|||
|
|
@ -7,5 +7,5 @@
|
|||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1333458850.364667 ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - - 0 ShADadfF 27 3204 41 52594 CHhAvVGS1DHFjwGM9
|
||||
1333458850.364667 CHhAvVGS1DHFjwGM9 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - - 0 Dd 27 4176 41 54070 (empty)
|
||||
1333458850.364667 CHhAvVGS1DHFjwGM9 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - - 0 Dd 27 4176 41 54070 -
|
||||
#close 2016-07-13-16-13-10
|
||||
|
|
|
|||
|
|
@ -6,24 +6,24 @@
|
|||
#open 2016-07-13-16-13-14
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1210953047.736921 ClEkJM2Vm5giqnMf4h 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - - 0 ^fA 1 40 1 40 (empty)
|
||||
1210953050.867067 C4J4Th3PJpwUYZZ6gc 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - - 0 ^fA 1 40 1 40 (empty)
|
||||
1210953057.833364 C37jN32gN3y3AZzyf6 192.168.2.16 1577 75.126.203.78 80 tcp - 0.079208 0 0 SH - - 0 Fa 1 40 1 40 (empty)
|
||||
1210953058.007081 CwjjYJ2WqgTbAqiHl6 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty)
|
||||
1210953057.834454 C3eiCBGOLw3VtHfOj 192.168.2.16 1578 75.126.203.78 80 tcp http 0.407908 790 171 RSTO - - 0 ShADadR 6 1038 4 335 (empty)
|
||||
1210953058.350065 C0LAHyvtKSQHyJxIl 192.168.2.16 1920 192.168.2.1 53 udp dns 0.223055 66 438 SF - - 0 Dd 2 122 2 494 (empty)
|
||||
1210953058.577231 CFLRIC3zaTU1loLGxh 192.168.2.16 137 192.168.2.255 137 udp dns 1.499261 150 0 S0 - - 0 D 3 234 0 0 (empty)
|
||||
1210953074.264819 CtxTCR2Yer0FR1tIBg 192.168.2.16 1920 192.168.2.1 53 udp dns 0.297723 123 598 SF - - 0 Dd 3 207 3 682 (empty)
|
||||
1210953074.570439 CpmdRlaUoJLN3uIRa 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - - 0 ShADadFf 7 757 6 4164 (empty)
|
||||
1210953074.057124 CykQaM33ztNt0csB9a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 (empty)
|
||||
1210953047.736921 ClEkJM2Vm5giqnMf4h 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - - 0 ^fA 1 40 1 40 -
|
||||
1210953050.867067 C4J4Th3PJpwUYZZ6gc 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - - 0 ^fA 1 40 1 40 -
|
||||
1210953057.833364 C37jN32gN3y3AZzyf6 192.168.2.16 1577 75.126.203.78 80 tcp - 0.079208 0 0 SH - - 0 Fa 1 40 1 40 -
|
||||
1210953058.007081 CwjjYJ2WqgTbAqiHl6 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 -
|
||||
1210953057.834454 C3eiCBGOLw3VtHfOj 192.168.2.16 1578 75.126.203.78 80 tcp http 0.407908 790 171 RSTO - - 0 ShADadR 6 1038 4 335 -
|
||||
1210953058.350065 C0LAHyvtKSQHyJxIl 192.168.2.16 1920 192.168.2.1 53 udp dns 0.223055 66 438 SF - - 0 Dd 2 122 2 494 -
|
||||
1210953058.577231 CFLRIC3zaTU1loLGxh 192.168.2.16 137 192.168.2.255 137 udp dns 1.499261 150 0 S0 - - 0 D 3 234 0 0 -
|
||||
1210953074.264819 CtxTCR2Yer0FR1tIBg 192.168.2.16 1920 192.168.2.1 53 udp dns 0.297723 123 598 SF - - 0 Dd 3 207 3 682 -
|
||||
1210953074.570439 CpmdRlaUoJLN3uIRa 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - - 0 ShADadFf 7 757 6 4164 -
|
||||
1210953074.057124 CykQaM33ztNt0csB9a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 -
|
||||
1210953061.312379 CNnMIj2QSd84NKf7U3 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 12.810848 1675 10467 S1 - - 0 ShADad 10 2279 12 11191 Ck51lg1bScffFj34Ri
|
||||
1210953076.058333 C1Xkzz2MaGtLrc1Tla 192.168.2.16 1578 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 (empty)
|
||||
1210953074.055744 C7fIlMZDuRiqjpYbb 192.168.2.16 1577 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 (empty)
|
||||
1210953052.324629 CmES5u32sYpV7JYN 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 (empty)
|
||||
1210953052.202579 CtPZjS20MLrsMUOJi2 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - - 0 Dd 2 185 1 76 (empty)
|
||||
1210953058.933954 C9rXSW3KSpTYvPrlI1 0.0.0.0 68 255.255.255.255 67 udp dhcp - - - S0 - - 0 D 1 328 0 0 (empty)
|
||||
1210953060.829233 Ck51lg1bScffFj34Ri 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - - 0 Dd 12 2695 13 11607 (empty)
|
||||
1210953046.591933 CHhAvVGS1DHFjwGM9 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - - 0 D 2 472 0 0 (empty)
|
||||
1210953076.058333 C1Xkzz2MaGtLrc1Tla 192.168.2.16 1578 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 -
|
||||
1210953074.055744 C7fIlMZDuRiqjpYbb 192.168.2.16 1577 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 -
|
||||
1210953052.324629 CmES5u32sYpV7JYN 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 -
|
||||
1210953052.202579 CtPZjS20MLrsMUOJi2 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - - 0 Dd 2 185 1 76 -
|
||||
1210953058.933954 C9rXSW3KSpTYvPrlI1 0.0.0.0 68 255.255.255.255 67 udp dhcp - - - S0 - - 0 D 1 328 0 0 -
|
||||
1210953060.829233 Ck51lg1bScffFj34Ri 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - - 0 Dd 12 2695 13 11607 -
|
||||
1210953046.591933 CHhAvVGS1DHFjwGM9 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - - 0 D 2 472 0 0 -
|
||||
1210953052.324629 CP5puj4I8PtEU4qzYg fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - - 0 - 1 88 0 0 CmES5u32sYpV7JYN
|
||||
1210953060.829303 C9mvWx3ezztgzcexV7 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.463615 4 4 OTH - - 0 - 1 52 1 52 CtPZjS20MLrsMUOJi2,Ck51lg1bScffFj34Ri
|
||||
1210953052.202579 CUM0KZ3MLUfNB0cl11 fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 64 0 0 CtPZjS20MLrsMUOJi2
|
||||
|
|
|
|||
|
|
@ -7,9 +7,9 @@
|
|||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1340127577.354166 CP5puj4I8PtEU4qzYg 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 0.052829 1675 10467 S1 - - 0 ShADad 10 2279 12 11191 CUM0KZ3MLUfNB0cl11
|
||||
1340127577.339015 C4J4Th3PJpwUYZZ6gc 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 (empty)
|
||||
1340127577.336558 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 udp teredo 0.010291 129 52 SF - - 0 Dd 2 185 1 80 (empty)
|
||||
1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 udp teredo 0.065485 2367 11243 SF - - 0 Dd 12 2703 13 11607 (empty)
|
||||
1340127577.339015 C4J4Th3PJpwUYZZ6gc 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 -
|
||||
1340127577.336558 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 udp teredo 0.010291 129 52 SF - - 0 Dd 2 185 1 80 -
|
||||
1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 udp teredo 0.065485 2367 11243 SF - - 0 Dd 12 2703 13 11607 -
|
||||
1340127577.339015 CtPZjS20MLrsMUOJi2 fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - - 0 - 1 88 0 0 C4J4Th3PJpwUYZZ6gc
|
||||
1340127577.343969 CmES5u32sYpV7JYN 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.007778 4 4 OTH - - 0 - 1 52 1 52 CUM0KZ3MLUfNB0cl11,CHhAvVGS1DHFjwGM9
|
||||
1340127577.336558 ClEkJM2Vm5giqnMf4h fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 64 0 0 CHhAvVGS1DHFjwGM9
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
#open 2016-07-13-16-13-15
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
952109346.874907 CHhAvVGS1DHFjwGM9 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - - 0 SADF 11 470 0 0 (empty)
|
||||
1128727435.450898 ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - - 0 ShADdFaf 12 730 10 9945 (empty)
|
||||
1278600802.069419 C4J4Th3PJpwUYZZ6gc 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 (empty)
|
||||
952109346.874907 CHhAvVGS1DHFjwGM9 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - - 0 SADF 11 470 0 0 -
|
||||
1128727435.450898 ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - - 0 ShADdFaf 12 730 10 9945 -
|
||||
1278600802.069419 C4J4Th3PJpwUYZZ6gc 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 -
|
||||
#close 2016-07-13-16-13-15
|
||||
|
|
|
|||
|
|
@ -6,38 +6,38 @@
|
|||
#open 2013-05-05-20-51-24
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
|
||||
1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 (empty)
|
||||
1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - 0 D 1 199 0 0 (empty)
|
||||
1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - 0 D 1 179 0 0 (empty)
|
||||
1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - 0 Dd 1 64 1 159 (empty)
|
||||
1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - 0 Dd 1 64 1 226 (empty)
|
||||
1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 85 0 0 (empty)
|
||||
1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - 0 D 7 546 0 0 (empty)
|
||||
1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - 0 D 2 162 0 0 (empty)
|
||||
1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - 0 D 2 122 0 0 (empty)
|
||||
1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - 0 D 2 162 0 0 (empty)
|
||||
1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - 0 D 2 122 0 0 (empty)
|
||||
1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - 0 D 1 78 0 0 (empty)
|
||||
1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - 0 ShADad 6 1450 4 950 (empty)
|
||||
1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - 0 DdA 2 567 1 402 (empty)
|
||||
1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - 0 ShADad 6 1498 4 950 (empty)
|
||||
1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - 0 ShADad 4 750 3 576 (empty)
|
||||
1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - 0 ShADad 6 1468 4 950 (empty)
|
||||
1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - 0 ShADad 6 1491 4 949 (empty)
|
||||
1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - 0 ShADad 6 1457 4 949 (empty)
|
||||
1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - 0 h 0 0 1 48 (empty)
|
||||
1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - 0 ShADad 4 741 3 396 (empty)
|
||||
1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - 0 ShADad 6 1445 4 950 (empty)
|
||||
1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 -
|
||||
1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - 0 D 1 199 0 0 -
|
||||
1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - 0 D 1 179 0 0 -
|
||||
1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - 0 Dd 1 66 1 117 -
|
||||
1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 -
|
||||
1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 -
|
||||
1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 -
|
||||
1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - 0 Dd 1 80 1 127 -
|
||||
1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - 0 Dd 1 66 1 211 -
|
||||
1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - 0 Dd 1 66 1 117 -
|
||||
1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - 0 Dd 1 80 1 127 -
|
||||
1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - 0 Dd 1 66 1 211 -
|
||||
1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - 0 Dd 1 66 1 117 -
|
||||
1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - 0 Dd 1 80 1 127 -
|
||||
1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - 0 Dd 1 66 1 211 -
|
||||
1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - 0 Dd 1 64 1 159 -
|
||||
1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - 0 Dd 1 64 1 226 -
|
||||
1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 85 0 0 -
|
||||
1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - 0 D 7 546 0 0 -
|
||||
1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - 0 D 2 162 0 0 -
|
||||
1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - 0 D 2 122 0 0 -
|
||||
1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - 0 D 2 162 0 0 -
|
||||
1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - 0 D 2 122 0 0 -
|
||||
1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - 0 D 1 78 0 0 -
|
||||
1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - 0 ShADad 6 1450 4 950 -
|
||||
1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - 0 DdA 2 567 1 402 -
|
||||
1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - 0 ShADad 6 1498 4 950 -
|
||||
1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - 0 ShADad 4 750 3 576 -
|
||||
1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - 0 ShADad 6 1468 4 950 -
|
||||
1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - 0 ShADad 6 1491 4 949 -
|
||||
1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - 0 ShADad 6 1457 4 949 -
|
||||
1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - 0 h 0 0 1 48 -
|
||||
1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - 0 ShADad 4 741 3 396 -
|
||||
1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - 0 ShADad 6 1445 4 950 -
|
||||
#close 2013-05-05-20-51-24
|
||||
|
|
|
|||
|
|
@ -6,10 +6,10 @@
|
|||
#open 2013-05-07-14-38-27
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
|
||||
1320329757.771503 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 tcp http 15.161537 2899 1127 S2 - 0 ShADadF 20 3719 19 1891 (empty)
|
||||
1320329757.771262 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 tcp http 15.161772 889 377 S2 - 0 ShADadF 8 1229 8 701 (empty)
|
||||
1320329757.761327 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 tcp http 15.168898 459 189 S2 - 0 ShADadF 5 679 4 353 (empty)
|
||||
1320329757.458867 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 tcp http 15.471378 1824 751 S2 - 0 ShADadF 12 2324 13 1275 (empty)
|
||||
1320329757.761638 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 tcp http 15.168613 898 376 S2 - 0 ShADadF 8 1238 8 700 (empty)
|
||||
1320329757.771755 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 tcp http 15.161267 900 376 S2 - 0 ShADadF 8 1240 8 700 (empty)
|
||||
1320329757.771503 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 tcp http 15.161537 2899 1127 S2 - 0 ShADadF 20 3719 19 1891 -
|
||||
1320329757.771262 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 tcp http 15.161772 889 377 S2 - 0 ShADadF 8 1229 8 701 -
|
||||
1320329757.761327 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 tcp http 15.168898 459 189 S2 - 0 ShADadF 5 679 4 353 -
|
||||
1320329757.458867 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 tcp http 15.471378 1824 751 S2 - 0 ShADadF 12 2324 13 1275 -
|
||||
1320329757.761638 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 tcp http 15.168613 898 376 S2 - 0 ShADadF 8 1238 8 700 -
|
||||
1320329757.771755 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 tcp http 15.161267 900 376 S2 - 0 ShADadF 8 1240 8 700 -
|
||||
#close 2013-05-07-14-38-27
|
||||
|
|
|
|||
|
|
@ -7,7 +7,5 @@
|
|||
# bro -b -r http/get.trace connection_record_01.bro
|
||||
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
|
||||
|
||||
}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
|
||||
|
||||
}], extract_orig=F, extract_resp=F, thresholds=<uninitialized>]
|
||||
}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>]
|
||||
|
||||
|
|
|
|||
|
|
@ -7,9 +7,7 @@
|
|||
# bro -b -r http/get.trace connection_record_02.bro
|
||||
[id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
|
||||
|
||||
}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
|
||||
|
||||
}], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={
|
||||
}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={
|
||||
|
||||
}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
|
||||
|
||||
|
|
|
|||
|
|
@ -16,15 +16,15 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#open 2016-07-13-16-13-24
|
||||
#open 2018-01-12-21-43-52
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty)
|
||||
1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 (empty)
|
||||
1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 (empty)
|
||||
1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 -
|
||||
1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 -
|
||||
1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 -
|
||||
1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
[...]
|
||||
|
||||
|
|
|
|||
|
|
@ -256,7 +256,7 @@
|
|||
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
|
||||
|
|
@ -343,6 +343,49 @@
|
|||
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Cluster::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Communication::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Conn::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (DCE_RPC::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (DHCP::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (DNP3::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (DNS::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (DPD::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (FTP::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Files::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (HTTP::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (IRC::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Intel::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (KRB::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Modbus::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (NTLM::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (NetControl::CATCH_RELEASE, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (NetControl::DROP, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (NetControl::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (NetControl::SHUNT, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Notice::ALARM_LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Notice::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (OpenFlow::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (PE::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (PacketFilter::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (RADIUS::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (RDP::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (RFB::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Reporter::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (SIP::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (SMTP::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (SNMP::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (SOCKS::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (SSH::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (SSL::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Signatures::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Software::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Syslog::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Tunnel::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Unified2::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (Weird::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (X509::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::add_stream_filters, <frame>, (mysql::LOG, default)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=<no value description>, ev=<uninitialized>, path=cluster])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Communication::LOG, [columns=<no value description>, ev=<uninitialized>, path=communication])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Conn::LOG, [columns=<no value description>, ev=Conn::log_conn, path=conn])) -> <no result>
|
||||
|
|
@ -386,7 +429,7 @@
|
|||
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(NetControl::init, <null>, ()) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
|
||||
|
|
@ -991,7 +1034,7 @@
|
|||
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
|
||||
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
|
||||
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
|
||||
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]))
|
||||
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
|
||||
|
|
@ -1078,6 +1121,49 @@
|
|||
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Cluster::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Communication::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Conn::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (DCE_RPC::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (DHCP::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (DNP3::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (DNS::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (DPD::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (FTP::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Files::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (HTTP::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (IRC::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Intel::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (KRB::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Modbus::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (NTLM::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (NetControl::CATCH_RELEASE, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (NetControl::DROP, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (NetControl::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (NetControl::SHUNT, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Notice::ALARM_LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Notice::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (OpenFlow::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (PE::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (PacketFilter::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (RADIUS::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (RDP::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (RFB::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Reporter::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (SIP::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (SMTP::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (SNMP::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (SOCKS::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (SSH::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (SSL::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Signatures::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Software::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Syslog::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Tunnel::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Unified2::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (Weird::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (X509::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::add_stream_filters, <frame>, (mysql::LOG, default))
|
||||
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Cluster::LOG, [columns=<no value description>, ev=<uninitialized>, path=cluster]))
|
||||
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Communication::LOG, [columns=<no value description>, ev=<uninitialized>, path=communication]))
|
||||
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Conn::LOG, [columns=<no value description>, ev=Conn::log_conn, path=conn]))
|
||||
|
|
@ -1121,7 +1207,7 @@
|
|||
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
|
||||
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
|
||||
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
|
||||
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]))
|
||||
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]))
|
||||
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, <frame>, ())
|
||||
0.000000 MetaHookPre CallFunction(NetControl::init, <null>, ())
|
||||
0.000000 MetaHookPre CallFunction(Notice::want_pp, <frame>, ())
|
||||
|
|
@ -1725,7 +1811,7 @@
|
|||
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
|
||||
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
|
||||
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
|
||||
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])
|
||||
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
|
||||
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
|
||||
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
|
||||
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
|
||||
|
|
@ -1812,6 +1898,49 @@
|
|||
0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
|
||||
0.000000 | HookCallFunction Log::add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
|
||||
0.000000 | HookCallFunction Log::add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Cluster::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Communication::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Conn::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(DCE_RPC::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(DHCP::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(DNP3::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(DNS::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(DPD::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(FTP::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Files::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(HTTP::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(IRC::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Intel::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(KRB::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Modbus::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(NTLM::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(NetControl::CATCH_RELEASE, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(NetControl::DROP, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(NetControl::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(NetControl::SHUNT, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Notice::ALARM_LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Notice::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(OpenFlow::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(PE::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(PacketFilter::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(RADIUS::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(RDP::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(RFB::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Reporter::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(SIP::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(SMTP::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(SNMP::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(SOCKS::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(SSH::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(SSL::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Signatures::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Software::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Syslog::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Tunnel::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Unified2::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(X509::LOG, default)
|
||||
0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default)
|
||||
0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=<no value description>, ev=<uninitialized>, path=cluster])
|
||||
0.000000 | HookCallFunction Log::create_stream(Communication::LOG, [columns=<no value description>, ev=<uninitialized>, path=communication])
|
||||
0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=<no value description>, ev=Conn::log_conn, path=conn])
|
||||
|
|
@ -1855,7 +1984,7 @@
|
|||
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
|
||||
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
|
||||
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
|
||||
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])
|
||||
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])
|
||||
0.000000 | HookCallFunction NetControl::check_plugins()
|
||||
0.000000 | HookCallFunction NetControl::init()
|
||||
0.000000 | HookCallFunction Notice::want_pp()
|
||||
|
|
@ -2198,7 +2327,7 @@
|
|||
0.000000 | HookLoadFile base<...>/x509
|
||||
0.000000 | HookLoadFile base<...>/xmpp
|
||||
0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
|
||||
0.000000 | HookLogWrite packet_filter [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]
|
||||
0.000000 | HookLogWrite packet_filter [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]
|
||||
0.000000 | HookQueueEvent NetControl::init()
|
||||
0.000000 | HookQueueEvent bro_init()
|
||||
0.000000 | HookQueueEvent filter_change_tracking()
|
||||
|
|
@ -2654,8 +2783,8 @@
|
|||
1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
|
||||
1362692527.080972 MetaHookPost CallFunction(KRB::do_log, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
|
||||
1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
|
||||
1362692527.080972 MetaHookPost CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <no result>
|
||||
1362692527.080972 MetaHookPost CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <no result>
|
||||
1362692527.080972 MetaHookPost CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
|
||||
1362692527.080972 MetaHookPost CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
|
||||
1362692527.080972 MetaHookPost CallFunction(bro_done, <null>, ()) -> <no result>
|
||||
1362692527.080972 MetaHookPost CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
|
||||
1362692527.080972 MetaHookPost CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
|
||||
|
|
@ -2687,8 +2816,8 @@
|
|||
1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
|
||||
1362692527.080972 MetaHookPre CallFunction(KRB::do_log, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
||||
1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
||||
1362692527.080972 MetaHookPre CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
|
||||
1362692527.080972 MetaHookPre CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
|
||||
1362692527.080972 MetaHookPre CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
|
||||
1362692527.080972 MetaHookPre CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
|
||||
1362692527.080972 MetaHookPre CallFunction(bro_done, <null>, ())
|
||||
1362692527.080972 MetaHookPre CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
|
||||
1362692527.080972 MetaHookPre CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
|
||||
|
|
@ -2721,8 +2850,8 @@
|
|||
1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
|
||||
1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
||||
1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
||||
1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
|
||||
1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
|
||||
1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
|
||||
1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
|
||||
1362692527.080972 | HookCallFunction bro_done()
|
||||
1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
|
||||
1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
||||
|
|
@ -2740,7 +2869,7 @@
|
|||
1362692527.080972 | HookCallFunction to_lower(HTTP)
|
||||
1362692527.080972 | HookDrainEvents
|
||||
1362692527.080972 | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}
|
||||
1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]
|
||||
1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]
|
||||
1362692527.080972 | HookQueueEvent ChecksumOffloading::check()
|
||||
1362692527.080972 | HookQueueEvent bro_done()
|
||||
1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@
|
|||
#open 2016-07-13-16-14-11
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1409193037.000000 CHhAvVGS1DHFjwGM9 1.2.0.2 2527 1.2.0.3 6649 tcp - - - - S0 - - 0 S 1 64 0 0 (empty)
|
||||
1409193037.000000 CHhAvVGS1DHFjwGM9 1.2.0.2 2527 1.2.0.3 6649 tcp - - - - S0 - - 0 S 1 64 0 0 -
|
||||
#close 2016-07-13-16-14-11
|
||||
|
|
|
|||
|
|
@ -2,13 +2,13 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0)
|
|||
[Writer] Foo (Log::WRITER_FOO)
|
||||
|
||||
===
|
||||
[conn] 1340213005.165293|CHhAvVGS1DHFjwGM9|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|-|-|0|S|5|320|0|0|
|
||||
[conn] 1340213010.582723|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|socks,http|13.839419|3860|2934|SF|-|-|0|ShADadfF|23|5080|20|3986|
|
||||
[conn] 1340213048.780152|C4J4Th3PJpwUYZZ6gc|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
|
||||
[conn] 1340213097.272764|CtPZjS20MLrsMUOJi2|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
|
||||
[conn] 1340213162.160367|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
|
||||
[conn] 1340213226.561757|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
|
||||
[conn] 1340213290.981995|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|
|
||||
[conn] 1340213005.165293|CHhAvVGS1DHFjwGM9|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|-|-|0|S|5|320|0|0|-
|
||||
[conn] 1340213010.582723|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|socks,http|13.839419|3860|2934|SF|-|-|0|ShADadfF|23|5080|20|3986|-
|
||||
[conn] 1340213048.780152|C4J4Th3PJpwUYZZ6gc|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|-
|
||||
[conn] 1340213097.272764|CtPZjS20MLrsMUOJi2|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|-
|
||||
[conn] 1340213162.160367|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|-
|
||||
[conn] 1340213226.561757|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|-
|
||||
[conn] 1340213290.981995|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|-
|
||||
[files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|ClEkJM2Vm5giqnMf4h|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-|-|-
|
||||
[http] 1340213019.013158|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
|
||||
[http] 1340213019.013426|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
|
||||
|
|
@ -17,6 +17,6 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0)
|
|||
[http] 1340213020.732963|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
|
||||
[http] 1340213021.300269|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
|
||||
[http] 1340213021.861584|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
|
||||
[packet_filter] 1485327742.161604|bro|ip or not ip|T|T
|
||||
[packet_filter] 1515793460.485950|bro|ip or not ip|T|T
|
||||
[socks] 1340213015.276495|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688
|
||||
[tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER
|
||||
|
|
|
|||
|
|
@ -0,0 +1,9 @@
|
|||
error: file ID asdf not a known file
|
||||
warning: non-void function returns without a value: Files::lookup_file
|
||||
This should fail but not crash
|
||||
This should return F
|
||||
F
|
||||
lookup fid: FakNcS1Jfe01uljb3
|
||||
We should have found the file id: FakNcS1Jfe01uljb3
|
||||
This should return T
|
||||
T
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path ssh
|
||||
#open 2018-01-09-22-31-37
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1515537097.372589 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
#close 2018-01-09-22-31-37
|
||||
|
|
@ -6,38 +6,38 @@
|
|||
#open 2016-08-10-20-36-59
|
||||
#fields _write_ts _stream _innerLogged.a _innerLogged.c _innerLogged.d _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string count count set[count] string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
#close 2016-08-10-20-36-59
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@
|
|||
#open 2016-08-10-20-26-22
|
||||
#fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
- - - 1362692526.869344 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 tcp - 0.211484 136 5007 SF - - 0 ShADadFf 7 512 7 5379 (empty)
|
||||
- - - 1362692526.869344 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 tcp - 0.211484 136 5007 SF - - 0 ShADadFf 7 512 7 5379 -
|
||||
#close 2016-08-10-20-26-22
|
||||
|
|
|
|||
|
|
@ -6,38 +6,38 @@
|
|||
#open 2016-08-10-20-27-56
|
||||
#fields _write_ts _system_name _undefined_string ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1300475173.475401 bro - 1300475173.475401 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 bro - 1300475173.475401 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 -
|
||||
1300475173.475401 bro - 1300475173.475401 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 -
|
||||
1300475173.475401 bro - 1300475173.475401 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 -
|
||||
1300475173.475401 bro - 1300475173.475401 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 -
|
||||
1300475173.475401 bro - 1300475173.475401 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 -
|
||||
1300475173.475401 bro - 1300475173.475401 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 -
|
||||
1300475173.475401 bro - 1300475173.475401 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 -
|
||||
1300475173.475401 bro - 1300475173.475401 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 -
|
||||
1300475173.475401 bro - 1300475173.475401 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 -
|
||||
1300475173.475401 bro - 1300475173.475401 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475173.475401 bro - 1300475173.475401 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 -
|
||||
1300475173.475401 bro - 1300475173.475401 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 -
|
||||
1300475173.475401 bro - 1300475173.475401 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 bro - 1300475173.475401 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 bro - 1300475173.475401 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 bro - 1300475173.475401 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 bro - 1300475173.475401 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 bro - 1300475173.475401 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 bro - 1300475173.475401 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 bro - 1300475173.475401 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 bro - 1300475173.475401 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475173.475401 bro - 1300475173.475401 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475173.475401 bro - 1300475173.475401 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475173.475401 bro - 1300475173.475401 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
#close 2016-08-10-20-27-56
|
||||
|
|
|
|||
|
|
@ -6,38 +6,38 @@
|
|||
#open 2016-08-10-17-45-11
|
||||
#fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1300475173.475401 conn bro 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty)
|
||||
1300475173.475401 conn bro 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty)
|
||||
1300475173.475401 conn bro 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty)
|
||||
1300475173.475401 conn bro 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty)
|
||||
1300475173.475401 conn bro 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty)
|
||||
1300475173.475401 conn bro 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty)
|
||||
1300475173.475401 conn bro 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty)
|
||||
1300475173.475401 conn bro 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty)
|
||||
1300475173.475401 conn bro 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty)
|
||||
1300475173.475401 conn bro 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 conn bro 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty)
|
||||
1300475173.475401 conn bro 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty)
|
||||
1300475173.475401 conn bro 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 conn bro 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 conn bro 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 conn bro 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 conn bro 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475173.475401 conn bro 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 conn bro 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 conn bro 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475173.475401 conn bro 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475173.475401 conn bro 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 conn bro 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 conn bro 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475173.475401 conn bro 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 -
|
||||
1300475173.475401 conn bro 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 -
|
||||
1300475173.475401 conn bro 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 -
|
||||
1300475173.475401 conn bro 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 -
|
||||
1300475173.475401 conn bro 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 -
|
||||
1300475173.475401 conn bro 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 -
|
||||
1300475173.475401 conn bro 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 -
|
||||
1300475173.475401 conn bro 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 -
|
||||
1300475173.475401 conn bro 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 -
|
||||
1300475173.475401 conn bro 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 -
|
||||
1300475173.475401 conn bro 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475173.475401 conn bro 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 -
|
||||
1300475173.475401 conn bro 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 -
|
||||
1300475173.475401 conn bro 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 conn bro 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 -
|
||||
1300475173.475401 conn bro 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 conn bro 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 conn bro 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 conn bro 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 -
|
||||
1300475173.475401 conn bro 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 -
|
||||
1300475173.475401 conn bro 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475173.475401 conn bro 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 conn bro 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 -
|
||||
1300475173.475401 conn bro 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.475401 conn bro 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 -
|
||||
1300475173.475401 conn bro 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 conn bro 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475173.475401 conn bro 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 -
|
||||
1300475173.475401 conn bro 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475173.475401 conn bro 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.475401 conn bro 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475173.475401 conn bro 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475173.475401 conn bro 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475173.475401 conn bro 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
#close 2016-08-10-17-45-11
|
||||
|
|
|
|||
|
|
@ -6,38 +6,38 @@
|
|||
#open 2016-08-10-16-51-09
|
||||
#fields ts uid src src_port dst dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty)
|
||||
1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty)
|
||||
1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty)
|
||||
1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty)
|
||||
1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty)
|
||||
1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty)
|
||||
1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty)
|
||||
1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty)
|
||||
1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty)
|
||||
1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty)
|
||||
1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty)
|
||||
1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty)
|
||||
1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty)
|
||||
1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty)
|
||||
1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty)
|
||||
1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty)
|
||||
1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty)
|
||||
1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty)
|
||||
1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty)
|
||||
1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty)
|
||||
1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty)
|
||||
1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty)
|
||||
1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 -
|
||||
1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 -
|
||||
1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 -
|
||||
1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 -
|
||||
1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 -
|
||||
1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 -
|
||||
1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 -
|
||||
1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 -
|
||||
1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 -
|
||||
1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 -
|
||||
1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 -
|
||||
1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 -
|
||||
1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 -
|
||||
1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 -
|
||||
1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 -
|
||||
1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 -
|
||||
1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 -
|
||||
1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 -
|
||||
1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 -
|
||||
1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 -
|
||||
1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 -
|
||||
1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 -
|
||||
1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 -
|
||||
#close 2016-08-10-16-51-09
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue