Merge remote-tracking branch 'origin/master' into topic/johanna/spicy-tls

* origin/master: (93 commits) spicyz: Add back message about removed support for port / ports in evt rule-parse: Remove id_to_str() lookup to squelch coverity warning Update doc submodule [nomail] [skip ci] Update zeekctl submodule [nomail] btest: Skip core.script-args under TSAN Update doc submodule [nomail] [skip ci] Update zeekctl submodule Add note to NEWS about the removal of OpaqueVal::DoSerialize and OpaqueVal::DoUnserialize Remove deprecated port/ports fields for spicy analyzers Remove deprecated Cluster::Node::interface field Remove deprecated signature definition format Return an error if GLOBAL:: prefix is used Remove deprecated BloomFilter serialization methods Remove deprecated OpaqueVal serialization methods Remove deprecated DECLARE_OPAQUE_VALUE macro Make TypePtr::Capture member variables private Remove deprecated Trigger constructor Remove deprecated Controller::auto_assign_ports and Controller::auto_assign_start_port Remove deprecated load-balacing policy script Remove deprecated prometheus telemetry policy script ...
2025-10-10 02:28:21 +00:00 · 2024-08-13 10:37:52 +01:00 · 2024-08-13 10:37:52 +01:00 · 1e282989fe
commit 1e282989fe
parent 7c0c48b290 f943366e8e
202 changed files with 2903 additions and 1097 deletions
--- a/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-ntlm.zeek
@ -0,0 +1,12 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-ntlm.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: This broke after #3826 got merged
--- a/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-scram-sha-512.zeek
@ -0,0 +1,12 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-scram-sha-512.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: This broke after #3826 got merged
--- a/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-srp-who-am-i.zeek
@ -0,0 +1,11 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/sasl-srp-who-am-i.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: SASL authentication using SRP (Secure Remote Password)
--- a/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/spnego-ntlmssp.zeek
@ -0,0 +1,15 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+#
+# The ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap file was harvested
+# from the CTU-SME-11 (Experiment-VM-Microsoft-Windows7AD-1) dataset
+# at https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: SASL bindRequest with SPNEGO NTLMSSP.
--- a/testing/btest/scripts/base/protocols/ldap/starttls.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/starttls.zeek
@ -0,0 +1,25 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-starttls.pcap %INPUT >out
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: LDAP supports StartTLS through extendedRequest 1.3.6.1.4.1.1466.20037
+
+event LDAP::extended_request(c: connection, message_id: int, request_name: string, request_value: string) {
+  print c$uid, "extended_request", fmt("%s (%s)", request_name, LDAP::EXTENDED_REQUESTS[request_name]), request_value;
+}
+
+event LDAP::extended_response(c: connection, message_id: int, result: LDAP::ResultCode, response_name: string, response_value: string) {
+  print c$uid, "extended_response", result, response_name, response_value;
+}
+
+event LDAP::starttls(c: connection) {
+  print c$uid, "LDAP::starttls";
+}
--- a/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/who-am-i.zeek
@ -0,0 +1,20 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-who-am-i.pcap %INPUT >out
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: Testing OpenLDAP's ldapwhoami utility with simple authentication.
+
+event LDAP::extended_request(c: connection, message_id: int, request_name: string, request_value: string) {
+  print c$uid, "extended_request", fmt("%s (%s)", request_name, LDAP::EXTENDED_REQUESTS[request_name]), request_value;
+}
+
+event LDAP::extended_response(c: connection, message_id: int, result: LDAP::ResultCode, response_name: string, response_value: string) {
+  print c$uid, "extended_response", result, response_name, response_value;
+}
--- a/testing/btest/scripts/base/protocols/mysql/caching_sha2_password-after-auth-switch.test
+++ b/testing/btest/scripts/base/protocols/mysql/caching_sha2_password-after-auth-switch.test
@ -0,0 +1,50 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/mysql/caching_sha2_password-after-auth-switch.pcapng %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff mysql.log
+
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_eof(c: connection, is_intermediate: bool)
+	{
+	print "mysql eof", is_intermediate;
+	}
+
+event mysql_result_row(c: connection, row: string_vec)
+	{
+	print "mysql result row", row;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}
+
+event mysql_handshake(c: connection, username: string)
+	{
+	print "mysql handshake", username;
+	}
+
+event mysql_auth_plugin(c: connection, is_orig: bool, name: string, data: string)
+	{
+	print "mysql auth plugin", is_orig, name, data, |data|;
+	}
+
+event mysql_auth_switch_request(c: connection, name: string, data: string)
+	{
+	print "mysql auth switch request", name, data, |data|;
+	}
+
+event mysql_auth_more_data(c: connection, is_orig: bool, data: string)
+	{
+	print "mysql auth more data", is_orig, data, |data|;
+	}
--- a/testing/btest/scripts/base/protocols/mysql/caching_sha2_password.test
+++ b/testing/btest/scripts/base/protocols/mysql/caching_sha2_password.test
@ -0,0 +1,50 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/mysql/caching_sha2_password.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff mysql.log
+
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_eof(c: connection, is_intermediate: bool)
+	{
+	print "mysql eof", is_intermediate;
+	}
+
+event mysql_result_row(c: connection, row: string_vec)
+	{
+	print "mysql result row", row;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}
+
+event mysql_handshake(c: connection, username: string)
+	{
+	print "mysql handshake", username;
+	}
+
+event mysql_auth_plugin(c: connection, is_orig: bool, name: string, data: string)
+	{
+	print "mysql auth plugin", is_orig, name, data, |data|;
+	}
+
+event mysql_auth_switch_request(c: connection, name: string, data: string)
+	{
+	print "mysql auth switch request", name, data, |data|;
+	}
+
+event mysql_auth_more_data(c: connection, is_orig: bool, data: string)
+	{
+	print "mysql auth more data", is_orig, data, |data|;
+	}
--- a/testing/btest/scripts/base/protocols/mysql/encrypted-aws-rds.test
+++ b/testing/btest/scripts/base/protocols/mysql/encrypted-aws-rds.test
@ -1,15 +1,17 @@
 # Just two traces with MySQL running in Amazon RDS tls1.3 and tls1.2

-# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-12-amazon-rds.trace %INPUT
-# @TEST-EXEC: mkdir tls-12 && mv *log tls-12
+# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-12-amazon-rds.trace %INPUT >out
+# @TEST-EXEC: mkdir tls-12 && mv *log out tls-12
 #
-# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-13-amazon-rds.trace %INPUT
-# @TEST-EXEC: mkdir tls-13 && mv *log tls-13
+# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-13-amazon-rds.trace %INPUT >out
+# @TEST-EXEC: mkdir tls-13 && mv *log out tls-13
 #
+# @TEST-EXEC: btest-diff tls-12/out
 # @TEST-EXEC: btest-diff tls-12/conn.log
 # @TEST-EXEC: btest-diff tls-12/ssl.log
 # @TEST-EXEC: btest-diff tls-12/x509.log
 #
+# @TEST-EXEC: btest-diff tls-13/out
 # @TEST-EXEC: btest-diff tls-13/conn.log
 # @TEST-EXEC: btest-diff tls-13/ssl.log
 # @TEST-EXEC: ! test -f tls-13/x509.log
@ -17,3 +19,8 @@
@load base/protocols/conn
@load base/protocols/mysql
@load base/protocols/ssl
+
+event mysql_ssl_request(c: connection)
+	{
+	print "mysql ssl request", c$uid;
+	}
--- a/testing/btest/scripts/base/protocols/mysql/encrypted.test
+++ b/testing/btest/scripts/base/protocols/mysql/encrypted.test
@ -3,8 +3,9 @@
 # empty mysql.log file.

 # @TEST-EXEC: touch mysql.log
-# @TEST-EXEC: zeek -b -r $TRACES/mysql/encrypted.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/mysql/encrypted.trace %INPUT >out
 # @TEST-EXEC: btest-diff mysql.log
+# @TEST-EXEC: btest-diff out
 #
 # Ensure the connection was handed off by peaking into some other logs.
 # @TEST-EXEC: btest-diff conn.log
@ -14,3 +15,8 @@
@load base/protocols/conn
@load base/protocols/mysql
@load base/protocols/ssl
+
+event mysql_ssl_request(c: connection)
+	{
+	print "mysql ssl request", c$uid;
+	}
--- a/testing/btest/scripts/base/protocols/mysql/many-query-attr.test
+++ b/testing/btest/scripts/base/protocols/mysql/many-query-attr.test
@ -0,0 +1,35 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/mysql/many-query-attrs.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff mysql.log
+
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_eof(c: connection, is_intermediate: bool)
+	{
+	print "mysql eof", is_intermediate;
+	}
+
+event mysql_result_row(c: connection, row: string_vec)
+	{
+	print "mysql result row", row;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}
+
+event mysql_handshake(c: connection, username: string)
+	{
+	print "mysql handshake", username;
+	}
--- a/testing/btest/scripts/base/protocols/mysql/query-attr-non-string.test
+++ b/testing/btest/scripts/base/protocols/mysql/query-attr-non-string.test
@ -0,0 +1,35 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/mysql/mysql-9.0.0-query-attributes.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff mysql.log
+
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_eof(c: connection, is_intermediate: bool)
+	{
+	print "mysql eof", is_intermediate;
+	}
+
+event mysql_result_row(c: connection, row: string_vec)
+	{
+	print "mysql result row", row;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}
+
+event mysql_handshake(c: connection, username: string)
+	{
+	print "mysql handshake", username;
+	}
--- a/testing/btest/scripts/base/protocols/mysql/query-attr.test
+++ b/testing/btest/scripts/base/protocols/mysql/query-attr.test
@ -0,0 +1,35 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/mysql/query-attr.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff mysql.log
+
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_eof(c: connection, is_intermediate: bool)
+	{
+	print "mysql eof", is_intermediate;
+	}
+
+event mysql_result_row(c: connection, row: string_vec)
+	{
+	print "mysql result row", row;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}
+
+event mysql_handshake(c: connection, username: string)
+	{
+	print "mysql handshake", username;
+	}
--- a/testing/btest/scripts/base/protocols/smb/smb2-zero-byte-error-ioctl.test
+++ b/testing/btest/scripts/base/protocols/smb/smb2-zero-byte-error-ioctl.test
@ -0,0 +1,16 @@
+# @TEST-DOC: Tests handling of PDUs containing error ioctls with byte lengths of zero
+# @TEST-EXEC: zeek -b -r $TRACES/smb/smb2-zero-byte-error-ioctl.pcap %INPUT 2>&1 >out
+# @TEST-EXEC: ! test -f analyzer.log
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smb
+
+event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
+{
+    print "smb2_close_request", hdr;
+}
+
+event smb2_close_response(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse)
+{
+    print "smb2_close_response", hdr, response;
+}
--- a/testing/btest/scripts/site/local-compat.test
+++ b/testing/btest/scripts/site/local-compat.test
@ -27,9 +27,6 @@ redef digest_salt = "Please change this value.";
 # This script logs which scripts were loaded during each run.
@load misc/loaded-scripts

-# Apply the default tuning scripts for common tuning settings.
-@load tuning/defaults
-
 # Estimate and log capture loss.
@load misc/capture-loss