From ff5c11975de762754a4704db758f9b60fe7cb6cb Mon Sep 17 00:00:00 2001 From: fatema Date: Wed, 5 Sep 2018 14:12:07 -0400 Subject: [PATCH 1/4] DNSSEC support in Bro --- scripts/base/init-bare.bro | 60 ++ scripts/base/protocols/dns/consts.bro | 30 + scripts/base/protocols/dns/main.bro | 39 ++ scripts/policy/protocols/dns/addl-dnskey.bro | 42 ++ scripts/policy/protocols/dns/addl-ds.bro | 42 ++ scripts/policy/protocols/dns/addl-nsec3.bro | 76 +++ scripts/policy/protocols/dns/addl-rrsig.bro | 64 +++ src/NetVar.cc | 13 +- src/NetVar.h | 4 + src/analyzer/protocol/dns/DNS.cc | 536 +++++++++++++++++- src/analyzer/protocol/dns/DNS.h | 102 +++- src/analyzer/protocol/dns/events.bif | 63 ++ .../dns.log | 13 + .../dns.log | 11 + testing/btest/Traces/nsec-test.trace | Bin 0 -> 1134 bytes testing/btest/Traces/rrsig.trace | Bin 0 -> 4754 bytes .../scripts/base/protocols/dns/rrsig-test.bro | 4 + .../policy/protocols/dns/nsec-addl-rec.bro | 4 + 18 files changed, 1096 insertions(+), 7 deletions(-) create mode 100644 scripts/policy/protocols/dns/addl-dnskey.bro create mode 100644 scripts/policy/protocols/dns/addl-ds.bro create mode 100644 scripts/policy/protocols/dns/addl-nsec3.bro create mode 100644 scripts/policy/protocols/dns/addl-rrsig.bro create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.rrsig-test/dns.log create mode 100644 testing/btest/Baseline/scripts.policy.protocols.dns.nsec-addl-rec/dns.log create mode 100644 testing/btest/Traces/nsec-test.trace create mode 100644 testing/btest/Traces/rrsig.trace create mode 100644 testing/btest/scripts/base/protocols/dns/rrsig-test.bro create mode 100644 testing/btest/scripts/policy/protocols/dns/nsec-addl-rec.bro diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 70d59b30cf..83a44df5fe 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -3544,6 +3544,66 @@ type dns_tsig_additional: record { is_query: count; ##< TODO. }; +## A DNSSEC RRSIG record. +## +## .. bro:see:: dns_RRSIG_addl +type dns_rrsig_additional: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + type_covered: count; ## qtype covered by RRSIG RR. + algorithm: count; ##< Algorithm. + labels: count; ##< labels in the owner's name. + orig_ttl: interval; ##< original TTL + sig_exp: time; ##< Time when signed RR expires. + sig_incep: time; ##< Time when signed. + key_tag: count; ## key tag value + signer_name: string; ##< Signature. + signature: string; ##< Hash of the RRDATA + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC DNSKEY record. +## +## .. bro:see:: dns_DNSKEY_addl +type dns_dnskey_additional: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + flags: count; ##< flags filed. + protocol: count; ##< Protocol, should be always 3 for DNSSEC. + algorithm: count; ##< Algorithm for Public Key. + public_key: string; ##< Public Key + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC NSEC3 record. +## +## .. bro:see:: dns_NSEC3_addl +type dns_nsec3_additional: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + nsec_flags: count; ##< flags field. + nsec_hash_algo: count; ##< Hash algorithm. + nsec_iter: count; ##< Iterations. + nsec_salt_len: count; ##< salt length. + nsec_salt: string; ##< Salt value + nsec_hlen: count; ##< Hash length. + nsec_hash: string; ##< Hash value. + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC DS record. +## +## .. bro:see:: dns_DS_addl +type dns_ds_additional: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + key_tag: count; ##< flags filed. + algorithm: count; ##< Algorithm for Public Key. + digest_type: count; ##< Digest Type. + digest_val: string; ##< Digest Value. + is_query: count; ##< The RR is a query/Response. +}; + # DNS answer types. # # .. 
bro:see:: dns_answerr diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.bro index dfcbc4031f..b62f923041 100644 --- a/scripts/base/protocols/dns/consts.bro +++ b/scripts/base/protocols/dns/consts.bro @@ -76,4 +76,34 @@ export { [254] = "C_NONE", [255] = "C_ANY", } &default = function(n: count): string { return fmt("qclass-%d", n); }; + + ## Possible values of the algorithms used in DNSKEY, DS and RRSIG records + const algorithms = { + [0] = "reserved0", + [1] = "RSA_MD5", + [2] = "Diffie_Hellman", + [3] = "DSA_SHA1", + [4] = "Elliptic_Curve", + [5] = "RSA_SHA1", + [6] = "DSA_NSEC3_SHA1", + [7] = "RSA_SHA1_NSEC3_SHA1", + [8] = "RSA_SHA256", + [10] = "RSA_SHA512", + [12] = "GOST_R_34_10_2001", + [13] = "ECDSA_curveP256withSHA256", + [14] = "ECDSA_curveP384withSHA384", + [252] = "Indirect", + [253] = "PrivateDNS", + [254] = "PrivateOID", + [255] = "reserved255", + } &default = function(n: count): string { return fmt("algorithm-%d", n); }; + + const digests = { + [0] = "reserved0", + [1] = "SHA1", + [2] = "SHA256", + [3] = "GOST_R_34_11_94", + [4] = "SHA384", + } &default = function(n: count): string { return fmt("digest-%d", n); }; + } diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index a6104e12a3..5a902cacf8 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro 
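Review bot: Several field comments on the new record types in scripts/base/init-bare.bro describe the wrong field. In `dns_rrsig_additional`, `signer_name` is documented as `Signature.` and `signature` as `Hash of the RRDATA`; in `dns_ds_additional`, `key_tag` carries `flags filed.`, apparently copied from the DNSKEY record. I would write `signer_name: string; ##< Signer's name.`, `signature: string; ##< Signature.` and `key_tag: count; ##< Key tag value.`. The `type_covered` and `key_tag` lines of the RRSIG record also use `##` where the other fields use `##<`, so they will probably not be attached to their field in the generated documentation.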
@@ -466,6 +466,45 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string # # } +event dns_RRSIG_addl(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_additional) + { + local rrsig_rec: string = fmt("RRSIG_Signer_%s", rrsig$signer_name); + if ( rrsig$signer_name == "") + rrsig_rec = fmt("RRSIG_Signer_"); + + hook DNS::do_reply(c, msg, ans, rrsig_rec); + } + +event dns_DNSKEY_addl(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_additional) + { + local dnskey_rec: string = fmt("DNSKEY_for_%s", ans$query); + if (ans$query == "") + dnskey_rec = fmt("DNSKEY_for_"); + hook DNS::do_reply(c, msg, ans, dnskey_rec); + } + +event dns_NSEC_addl(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec) + { + hook DNS::do_reply(c, msg, ans, next_name); + } + +event dns_NSEC3_addl(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_additional, bitmaps: string_vec) + { + local nsec3_rec: string = fmt("NSEC3_for_%s", ans$query); + if (ans$query == "") + nsec3_rec = fmt("NSEC3_for_"); + + hook DNS::do_reply(c, msg, ans, nsec3_rec); + } + +event dns_DS_addl(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_additional) + { + local ds_rec: string = fmt("DS_for_%s", ans$query); + if (ans$query == "") + ds_rec = fmt("DS_for_"); + hook DNS::do_reply(c, msg, ans, ds_rec); + } + event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5 { if ( c?$dns ) diff --git a/scripts/policy/protocols/dns/addl-dnskey.bro b/scripts/policy/protocols/dns/addl-dnskey.bro new file mode 100644 index 0000000000..ef36b5433b --- /dev/null +++ b/scripts/policy/protocols/dns/addl-dnskey.bro 
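Review bot: The five new handlers in scripts/base/protocols/dns/main.bro (`dns_RRSIG_addl` through `dns_DS_addl`) are declared without a priority, while `dns_rejected` directly below them in this hunk runs at `&priority=5`. The policy scripts added by this commit handle the same events at default priority and append to `c$dns`, so their order relative to the `DNS::do_reply` hook looks unspecified; if the base handlers are meant to run first, add `&priority=5` to each. Separately, each `if ( ... == "" )` branch appears to rebuild the same prefix that the preceding `fmt` call already yields for an empty string, so those branches can probably be dropped.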
@@ -0,0 +1,42 @@ +##! This script adds additional fields for the DNSKEY dns response of current +##! query to the DNS log. It can cause severe overhead. + +@load base/protocols/dns/main +@load base/protocols/dns/consts + +redef dns_skip_all_auth = F; +redef dns_skip_all_addl = F; + +module DNS; + +export { + redef record Info += { + + dnskey_flags: vector of count &log &optional; + dnskey_algo: vector of string &log &optional; + dnskey_proto: vector of count &log &optional; + dnskey_pubkey: vector of string &log &optional; + }; +} + +event dns_DNSKEY_addl(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_additional) + { + if ( c?$dns ) + { + if ( ! c$dns?$dnskey_flags ) + c$dns$dnskey_flags = vector(); + c$dns$dnskey_flags[|c$dns$dnskey_flags|] = dnskey$flags; + + if ( ! c$dns?$dnskey_algo ) + c$dns$dnskey_algo = vector(); + c$dns$dnskey_algo[|c$dns$dnskey_algo|] = DNS::algorithms[dnskey$algorithm]; + + if ( ! c$dns?$dnskey_proto ) + c$dns$dnskey_proto = vector(); + c$dns$dnskey_proto[|c$dns$dnskey_proto|] = dnskey$protocol; + + if ( ! c$dns?$dnskey_pubkey) + c$dns$dnskey_pubkey = vector(); + c$dns$dnskey_pubkey[|c$dns$dnskey_pubkey|] = bytestring_to_hexstr(dnskey$public_key); + } + } diff --git a/scripts/policy/protocols/dns/addl-ds.bro b/scripts/policy/protocols/dns/addl-ds.bro new file mode 100644 index 0000000000..aa9b2eddab --- /dev/null +++ b/scripts/policy/protocols/dns/addl-ds.bro 
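Review bot: The fields added to `DNS::Info` in scripts/policy/protocols/dns/addl-dnskey.bro have no `##` comments, so the new log columns are undocumented; the same holds for the `Info` extensions in addl-ds.bro, addl-nsec3.bro and addl-rrsig.bro. A line such as `## Hex-encoded public key of each DNSKEY record seen for this query.` above `dnskey_pubkey`, with equivalents for the other fields, would tell log consumers that the vectors are parallel and that key material is hex-encoded. The file header could also state that loading the script sets `dns_skip_all_auth` and `dns_skip_all_addl` to `F` for the whole deployment, which is presumably the source of the overhead it warns about.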
@@ -0,0 +1,42 @@ +##! This script adds additional fields for the DS dns response of current +##! query to the DNS log. It can cause severe overhead. + +@load base/protocols/dns/main +@load base/protocols/dns/consts + +redef dns_skip_all_auth = F; +redef dns_skip_all_addl = F; + +module DNS; + +export { + redef record Info += { + + ds_key_tag: vector of count &log &optional; + ds_algo: vector of string &log &optional; + ds_digestType: vector of string &log &optional; + ds_digest: vector of string &log &optional; + }; +} + +event dns_DS_addl(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_additional) + { + if ( c?$dns ) + { + if ( ! c$dns?$ds_key_tag ) + c$dns$ds_key_tag = vector(); + c$dns$ds_key_tag[|c$dns$ds_key_tag|] = ds$key_tag; + + if ( ! c$dns?$ds_algo ) + c$dns$ds_algo = vector(); + c$dns$ds_algo[|c$dns$ds_algo|] = DNS::algorithms[ds$algorithm]; + + if ( ! c$dns?$ds_digestType ) + c$dns$ds_digestType = vector(); + c$dns$ds_digestType[|c$dns$ds_digestType|] = DNS::digests[ds$digest_type]; + + if ( ! c$dns?$ds_digest) + c$dns$ds_digest = vector(); + c$dns$ds_digest[|c$dns$ds_digest|] = bytestring_to_hexstr(ds$digest_val); + } + } diff --git a/scripts/policy/protocols/dns/addl-nsec3.bro b/scripts/policy/protocols/dns/addl-nsec3.bro new file mode 100644 index 0000000000..13dd5f6aa4 --- /dev/null +++ b/scripts/policy/protocols/dns/addl-nsec3.bro 
@@ -0,0 +1,76 @@ +##! This script adds additional fields for the NSEC3 dns response of current +##! query to the DNS log. It can cause severe overhead. + +@load base/protocols/dns/main +@load base/protocols/dns/consts + +redef dns_skip_all_auth = F; +redef dns_skip_all_addl = F; + +module DNS; + +export { + redef record Info += { + + nsec_flags: vector of count &log &optional; + nsec_hash_algo: vector of count &log &optional; + nsec_iter: vector of count &log &optional; + nsec_salt_len: vector of count &log &optional; + nsec_salt: vector of string &log &optional; + nsec_hlen: vector of count &log &optional; + nsec_hash: vector of string &log &optional; + nsec_bitmaps: vector of string &log &optional; + }; +} + +event dns_NSEC3_addl(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_additional, bitmaps: string_vec) + { + if ( c?$dns ) + { + if ( ! c$dns?$nsec_flags ) + c$dns$nsec_flags = vector(); + c$dns$nsec_flags[|c$dns$nsec_flags|] = nsec3$nsec_flags; + + if ( ! c$dns?$nsec_hash_algo ) + c$dns$nsec_hash_algo = vector(); + c$dns$nsec_hash_algo[|c$dns$nsec_hash_algo|] = nsec3$nsec_hash_algo; + + if ( ! c$dns?$nsec_iter ) + c$dns$nsec_iter = vector(); + c$dns$nsec_iter[|c$dns$nsec_iter|] = nsec3$nsec_iter; + + if ( ! c$dns?$nsec_salt_len) + c$dns$nsec_salt_len = vector(); + c$dns$nsec_salt_len[|c$dns$nsec_salt_len|] = nsec3$nsec_salt_len; + + if ( ! c$dns?$nsec_salt) + c$dns$nsec_salt = vector(); + c$dns$nsec_salt[|c$dns$nsec_salt|] = bytestring_to_hexstr(nsec3$nsec_salt); + + if ( ! c$dns?$nsec_hlen) + c$dns$nsec_hlen = vector(); + c$dns$nsec_hlen[|c$dns$nsec_hlen|] = nsec3$nsec_hlen; + + if ( ! c$dns?$nsec_hash) + c$dns$nsec_hash = vector(); + c$dns$nsec_hash[|c$dns$nsec_hash|] = bytestring_to_hexstr(nsec3$nsec_hash); + + if ( ! 
c$dns?$nsec_bitmaps) + c$dns$nsec_bitmaps = vector(); + + if ( |bitmaps| != 0) + { + local bitmap_strings: string = ""; + + for ( i in bitmaps ) + { + if ( i > 0 ) + bitmap_strings += " "; + + bitmap_strings += fmt("bitmap %d %s", |bitmaps[i]|, bitmaps[i]); + } + c$dns$nsec_bitmaps[|c$dns$nsec_bitmaps|] = bitmap_strings; + } + + } + } diff --git a/scripts/policy/protocols/dns/addl-rrsig.bro b/scripts/policy/protocols/dns/addl-rrsig.bro new file mode 100644 index 0000000000..9216432ba6 --- /dev/null +++ b/scripts/policy/protocols/dns/addl-rrsig.bro 
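Review bot: In `dns_NSEC3_addl` (scripts/policy/protocols/dns/addl-nsec3.bro), `nsec_bitmaps` receives an entry only when `|bitmaps| != 0`, while the seven other vectors receive one per record, so after a record without bitmaps the indices no longer line up. Appending the (possibly empty) `bitmap_strings` unconditionally keeps the vectors parallel. The bitmap bytes are also written through `%s` unencoded, whereas salt and hash go through `bytestring_to_hexstr`; `fmt("bitmap %d %s", |bitmaps[i]|, bytestring_to_hexstr(bitmaps[i]))` would keep raw wire bytes out of the log.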
@@ -0,0 +1,64 @@ +##! This script adds additional fields corresponding to the RRSIG record responses for the current +##! query to the DNS log. It can cause severe overhead. + +@load base/protocols/dns/main +@load base/protocols/dns/consts + +module DNS; + +export { + redef record Info += { + rrsig_type_covered: vector of string &log &optional; + rrsig_orig_ttl: vector of interval &log &optional; + rrsig_key_tag: vector of count &log &optional; + rrsig_algo: vector of string &log &optional; + rrsig_labels: vector of count &log &optional; + rrsig_signer_name: vector of string &log &optional; + rrsig_signature: vector of string &log &optional; + rrsig_sig_exp: vector of time &log &optional; + rrsig_sig_inc: vector of time &log &optional; + }; +} + +event dns_RRSIG_addl(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_additional) + { + if ( c?$dns ) + { + if ( ! c$dns?$rrsig_type_covered ) + c$dns$rrsig_type_covered = vector(); + c$dns$rrsig_type_covered[|c$dns$rrsig_type_covered|] = DNS::query_types[rrsig$type_covered]; + + if ( ! c$dns?$rrsig_orig_ttl ) + c$dns$rrsig_orig_ttl = vector(); + c$dns$rrsig_orig_ttl[|c$dns$rrsig_orig_ttl|] = rrsig$orig_ttl; + + if ( ! c$dns?$rrsig_key_tag ) + c$dns$rrsig_key_tag = vector(); + c$dns$rrsig_key_tag[|c$dns$rrsig_key_tag|] = rrsig$key_tag; + + if ( ! c$dns?$rrsig_algo ) + c$dns$rrsig_algo = vector(); + c$dns$rrsig_algo[|c$dns$rrsig_algo|] = DNS::algorithms[rrsig$algorithm]; + + if ( ! c$dns?$rrsig_labels ) + c$dns$rrsig_labels = vector(); + c$dns$rrsig_labels[|c$dns$rrsig_labels|] = rrsig$labels; + + if ( ! c$dns?$rrsig_signer_name ) + c$dns$rrsig_signer_name = vector(); + c$dns$rrsig_signer_name[|c$dns$rrsig_signer_name|] = rrsig$signer_name; + + if ( ! c$dns?$rrsig_signature ) + c$dns$rrsig_signature = vector(); + c$dns$rrsig_signature[|c$dns$rrsig_signature|] = bytestring_to_hexstr(rrsig$signature); + + if ( ! 
c$dns?$rrsig_sig_exp ) + c$dns$rrsig_sig_exp = vector(); + c$dns$rrsig_sig_exp[|c$dns$rrsig_sig_exp|] = rrsig$sig_exp; + + if ( ! c$dns?$rrsig_sig_inc ) + c$dns$rrsig_sig_inc = vector(); + c$dns$rrsig_sig_inc[|c$dns$rrsig_sig_inc|] = rrsig$sig_incep; + } + + } diff --git a/src/NetVar.cc b/src/NetVar.cc index 93533b9627..c524d35f4a 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -115,6 +115,10 @@ RecordType* dns_answer; RecordType* dns_soa; RecordType* dns_edns_additional; RecordType* dns_tsig_additional; +RecordType* dns_rrsig_additional; +RecordType* dns_dnskey_additional; +RecordType* dns_nsec3_additional; +RecordType* dns_ds_additional; TableVal* dns_skip_auth; TableVal* dns_skip_addl; int dns_skip_all_auth; @@ -430,7 +434,14 @@ void init_net_var() internal_type("dns_edns_additional")->AsRecordType(); dns_tsig_additional = internal_type("dns_tsig_additional")->AsRecordType(); - + dns_rrsig_additional = + internal_type("dns_rrsig_additional")->AsRecordType(); + dns_dnskey_additional = + internal_type("dns_dnskey_additional")->AsRecordType(); + dns_nsec3_additional = + internal_type("dns_nsec3_additional")->AsRecordType(); + dns_ds_additional = + internal_type("dns_ds_additional")->AsRecordType(); dns_skip_auth = internal_val("dns_skip_auth")->AsTableVal(); dns_skip_addl = internal_val("dns_skip_addl")->AsTableVal(); dns_skip_all_auth = opt_internal_int("dns_skip_all_auth"); diff --git a/src/NetVar.h b/src/NetVar.h index 023be18867..f559eab922 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -118,6 +118,10 @@ extern RecordType* dns_answer; extern RecordType* dns_soa; extern RecordType* dns_edns_additional; extern RecordType* dns_tsig_additional; +extern RecordType* dns_rrsig_additional; +extern RecordType* dns_dnskey_additional; +extern RecordType* dns_nsec3_additional; +extern RecordType* dns_ds_additional; extern TableVal* dns_skip_auth; extern TableVal* dns_skip_addl; extern int dns_skip_all_auth; 
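Review bot: scripts/policy/protocols/dns/addl-rrsig.bro does not contain the `redef dns_skip_all_auth = F;` and `redef dns_skip_all_addl = F;` lines that the DNSKEY, DS and NSEC3 scripts in this commit start with. If those options keep their defaults, RRSIG records carried in the authority or additional section would presumably never reach `dns_RRSIG_addl` when this script is loaded on its own. Either add the two redefs or state in the header comment why RRSIG logging does not need them.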
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 145d19950f..190de97220 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -312,6 +312,26 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, status = ParseRR_TSIG(msg, data, len, rdlength, msg_start); break; + case TYPE_RRSIG: + status = ParseRR_RRSIG(msg, data, len, rdlength, msg_start); + break; + + case TYPE_DNSKEY: + status = ParseRR_DNSKEY(msg, data, len, rdlength, msg_start); + break; + + case TYPE_NSEC: + status = ParseRR_NSEC(msg, data, len, rdlength, msg_start); + break; + + case TYPE_NSEC3: + status = ParseRR_NSEC3(msg, data, len, rdlength, msg_start); + break; + + case TYPE_DS: + status = ParseRR_DS(msg, data, len, rdlength, msg_start); + break; + default: if ( dns_unknown_reply && ! msg->skip_event ) @@ -724,6 +744,20 @@ void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len, len -= dlen; } +void DNS_Interpreter::ExtractStream(const u_char*& data, int& len, + BroString** p, int siglen) + { + + int dlen = min(len, siglen); // Len in bytes of the algorithm use + + if ( p ) + *p = new BroString(data, dlen, 0); + + data += dlen; + len -= dlen; + + } + int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start) 
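Review bot: `ExtractStream` in src/analyzer/protocol/dns/DNS.cc accepts a negative `siglen`: `min(len, siglen)` then yields a negative `dlen`, which is handed to `new BroString(data, dlen, 0)`, moves `data` backwards and increases `len`. The callers added in the next hunk derive that argument from the wire, for example `rdlength - 4` in `ParseRR_DNSKEY` and `ParseRR_DS` and `rdlength - ((data - data_start) + 18)` in `ParseRR_RRSIG`, so a record whose RDLENGTH is shorter than its fixed fields reaches this path. Clamp at the top with `int dlen = max(0, min(len, siglen));`, or have each caller raise a weird and return 0 when the computed length is negative. The comment `// Len in bytes of the algorithm use` would read better as `// number of bytes to copy, bounded by what is left in the message`.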
@@ -769,6 +803,418 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, return 1; } +int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + + unsigned int type_covered = ExtractShort(data, len); + // split the two bytes for algo and labels extraction + uint32 algo_lab = ExtractShort(data, len); + unsigned int algo = (algo_lab >> 8) & 0xff; + unsigned int lab = algo_lab & 0xff; + + uint32 orig_ttl = ExtractLong(data, len); + uint32 sign_exp = ExtractLong(data, len); + uint32 sign_incp = ExtractLong(data, len); + unsigned int key_tag = ExtractShort(data, len); + + //implement signer's name with the msg_start offset + const u_char* data_start = data; + u_char name[513]; + int name_len = sizeof(name) - 1; + + u_char* name_end = ExtractName(data, len, name, name_len, msg_start); + if ( ! name_end ) + return 0; + + int sig_len = rdlength - ((data - data_start) + 18); + DNSSEC_Algo dsa = DNSSEC_Algo(algo); + BroString* sign; + + switch ( dsa ) { + + case RSA_MD5: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", fmt("%d", algo)); + break; + + case Diffie_Hellman: + ExtractStream(data, len, &sign, sig_len); + break; + + case DSA_SHA1: + ExtractStream(data, len, &sign, sig_len); + break; + + case Elliptic_Curve: + ExtractStream(data, len, &sign, sig_len); + break; + + case RSA_SHA1: + ExtractStream(data, len, &sign, sig_len); + break; + + case DSA_NSEC3_SHA1: + ExtractStream(data, len, &sign, sig_len); + break; + + case RSA_SHA1_NSEC3_SHA1: + ExtractStream(data, len, &sign, sig_len); + break; + + case RSA_SHA256: + ExtractStream(data, len, &sign, sig_len); + break; + + case RSA_SHA512: + ExtractStream(data, len, &sign, sig_len); + break; + + case GOST_R_34_10_2001: + ExtractStream(data, len, &sign, sig_len); + break; + + case ECDSA_curveP256withSHA256: + ExtractStream(data, len, &sign, sig_len); + break; + + case ECDSA_curveP384withSHA384: 
+ ExtractStream(data, len, &sign, sig_len); + break; + + case Indirect: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", fmt("%d", algo)); + break; + + case PrivateDNS: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", fmt("%d", algo)); + break; + + case PrivateOID: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", fmt("%d", algo)); + break; + + default: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_RRSIG_unknown_ZoneSignAlgo", fmt("%d", algo)); + break; + } + + msg->rrsig = new RRSIG_DATA; + msg->rrsig->type_covered = type_covered; + msg->rrsig->orig_ttl = orig_ttl; + msg->rrsig->sig_exp = sign_exp; + msg->rrsig->sig_incep = sign_incp; + msg->rrsig->key_tag = key_tag; + msg->rrsig->algorithm = algo; + msg->rrsig->labels = lab; + msg->rrsig->signer_name = new BroString(name, name_end - name, 1); + msg->rrsig->signature = sign; + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + vl->append(msg->BuildAnswerVal()); + vl->append(msg->BuildRRSIG_Val()); + + analyzer->ConnectionEvent(dns_RRSIG_addl, vl); + + return 1; + } + +int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + + unsigned int dflags = ExtractShort(data, len); + // split the two bytes for protocol and algorithm extraction + uint32 proto_algo = ExtractShort(data, len); + unsigned int dprotocol = (proto_algo >> 8) & 0xff; + unsigned int dalgorithm = proto_algo & 0xff; + + if (dflags != 256 and dflags != 257 and dflags != 0) + analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", fmt("%d", dflags)); + + if ( dprotocol != 3 ) + analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", fmt("%d", dprotocol)); + + //Evaluating the size of remaining bytes for Public Key + int sig_len = rdlength - 4; + DNSSEC_Algo dsa 
= DNSSEC_Algo(dalgorithm); + BroString* sign; + + switch ( dsa ) { + + case RSA_MD5: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + + case Diffie_Hellman: + ExtractStream(data, len, &sign, sig_len); + break; + + case DSA_SHA1: + ExtractStream(data, len, &sign, sig_len); + break; + + case Elliptic_Curve: + ExtractStream(data, len, &sign, sig_len); + break; + + case RSA_SHA1: + ExtractStream(data, len, &sign, sig_len); + break; + + case DSA_NSEC3_SHA1: + ExtractStream(data, len, &sign, sig_len); + break; + + case RSA_SHA1_NSEC3_SHA1: + ExtractStream(data, len, &sign, sig_len); + break; + + case RSA_SHA256: + ExtractStream(data, len, &sign, sig_len); + break; + + case RSA_SHA512: + ExtractStream(data, len, &sign, sig_len); + break; + + case GOST_R_34_10_2001: + ExtractStream(data, len, &sign, sig_len); + break; + + case ECDSA_curveP256withSHA256: + ExtractStream(data, len, &sign, sig_len); + break; + + case ECDSA_curveP384withSHA384: + ExtractStream(data, len, &sign, sig_len); + break; + + case Indirect: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + + case PrivateDNS: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + + case PrivateOID: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + + default: + ExtractStream(data, len, &sign, sig_len); + analyzer->Weird("DNSSEC_DNSKEY_unknown_ZoneSignAlgo", fmt("%d", dalgorithm)); + break; + } + + msg->dnskey = new DNSKEY_DATA; + msg->dnskey->dflags = dflags; + msg->dnskey->dprotocol = dprotocol; + msg->dnskey->dalgorithm = dalgorithm; + msg->dnskey->public_key = sign; + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + 
vl->append(msg->BuildAnswerVal()); + vl->append(msg->BuildDNSKEY_Val()); + + analyzer->ConnectionEvent(dns_DNSKEY_addl, vl); + + return 1; + } + +int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + + const u_char* data_start = data; + u_char name[513]; + int name_len = sizeof(name) - 1; + + u_char* name_end = ExtractName(data, len, name, name_len, msg_start); + if ( ! name_end ) + return 0; + + int typebitmaps_len = rdlength - (data - data_start); + + VectorVal* char_strings = new VectorVal(string_vec); + + while (typebitmaps_len > 0) + { + BroString* bitmap; + uint32 block_bmlen = ExtractShort(data, len); + unsigned int win_blck = ( block_bmlen >> 8) & 0xff; + unsigned int bmlen = block_bmlen & 0xff; + if (bmlen == 0) + { + analyzer->Weird("DNSSEC_NSEC_bitmapLen0", fmt("%d", win_blck)); + break; + } + ExtractStream(data, len, &bitmap, bmlen); + + char_strings->Assign(char_strings->Size(), new StringVal(bitmap)); + typebitmaps_len = typebitmaps_len - (2 + bmlen); + } + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + vl->append(msg->BuildAnswerVal()); + vl->append(new StringVal(new BroString(name, name_end - name, 1))); + vl->append(char_strings); + + analyzer->ConnectionEvent(dns_NSEC_addl, vl); + + return 1; + } + +int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + const u_char* data_start = data; + uint32 halgo_flags = ExtractShort(data, len); + unsigned int hash_algo = ( halgo_flags >> 8) & 0xff; + unsigned int nsec_flags = halgo_flags & 0xff; + unsigned int iter = ExtractShort(data,len); + + uint8 salt_len = data[0]; + ++data; + --len; + + BroString* salt_val; + ExtractStream(data, len, &salt_val, static_cast(salt_len)); + + uint8 hash_len = data[0]; + ++data; + --len; + + BroString* hash_val; + ExtractStream(data, len, &hash_val, 
static_cast(hash_len)); + + int typebitmaps_len = rdlength - (data - data_start); + + VectorVal* char_strings = new VectorVal(string_vec); + + while (typebitmaps_len > 0) + { + BroString* bitmap; + uint32 block_bmlen = ExtractShort(data, len); + unsigned int win_blck = ( block_bmlen >> 8) & 0xff; + unsigned int bmlen = block_bmlen & 0xff; + if (bmlen == 0) + { + analyzer->Weird("DNSSEC_NSEC_bitmapLen0", fmt("%d", win_blck)); + break; + } + ExtractStream(data, len, &bitmap, bmlen); + + char_strings->Assign(char_strings->Size(), new StringVal(bitmap)); + typebitmaps_len = typebitmaps_len - (2 + bmlen); + } + + msg->nsec3 = new NSEC3_DATA; + msg->nsec3->nsec_flags = nsec_flags; + msg->nsec3->nsec_hash_algo = hash_algo; + msg->nsec3->nsec_iter = iter; + msg->nsec3->nsec_salt_len = salt_len; + msg->nsec3->nsec_salt = salt_val; + msg->nsec3->nsec_hlen = hash_len; + msg->nsec3->nsec_hash = hash_val; + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + vl->append(msg->BuildAnswerVal()); + vl->append(msg->BuildNSEC3_Val()); + vl->append(char_strings); + + analyzer->ConnectionEvent(dns_NSEC3_addl, vl); + + return 1; + } + +int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start) + { + + unsigned int ds_key_tag = ExtractShort(data, len); + // split the two bytes for algorithm and digest type extraction + uint32 ds_algo_dtype = ExtractShort(data, len); + unsigned int ds_algo = ( ds_algo_dtype >> 8) & 0xff; + unsigned int ds_dtype = ds_algo_dtype & 0xff; + + int digest_len = rdlength - 4; + DNSSEC_Digest ds_digest_type = DNSSEC_Digest(ds_dtype); + BroString* ds_digest; + + switch ( ds_digest_type ) { + + case SHA1: + ExtractStream(data, len, &ds_digest, digest_len); + break; + + case SHA256: + ExtractStream(data, len, &ds_digest, digest_len); + break; + + case GOST_R_34_11_94: + ExtractStream(data, len, &ds_digest, digest_len); + break; + + case SHA384: + 
ExtractStream(data, len, &ds_digest, digest_len); + break; + + case reserved0: + ExtractStream(data, len, &ds_digest, digest_len); + analyzer->Weird("DNSSEC_DS_ResrevedDigestType", fmt("%d", ds_dtype)); + break; + + default: + ExtractStream(data, len, &ds_digest, digest_len); + analyzer->Weird("DNSSEC_DS_unknown_DigestType", fmt("%d", ds_dtype)); + break; + } + + msg->ds = new DS_DATA; + msg->ds->key_tag = ds_key_tag; + msg->ds->algorithm = ds_algo; + msg->ds->digest_type = ds_dtype; + msg->ds->digest_val = ds_digest; + + val_list* vl = new val_list; + + vl->append(analyzer->BuildConnVal()); + vl->append(msg->BuildHdrVal()); + vl->append(msg->BuildAnswerVal()); + vl->append(msg->BuildDS_Val()); + + analyzer->ConnectionEvent(dns_DS_addl, vl); + + return 1; + } + int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength) { @@ -1003,6 +1449,10 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query) answer_type = DNS_QUESTION; skip_event = 0; tsig = 0; + rrsig = 0; + dnskey = 0; + nsec3 = 0; + ds = 0; } DNS_MsgInfo::~DNS_MsgInfo() @@ -1063,7 +1513,7 @@ Val* DNS_MsgInfo::BuildEDNS_Val() // Need to break the TTL field into three components: // initial: [------------- ttl (32) ---------------------] - // after: [DO][ ext rcode (7)][ver # (8)][ Z field (16)] + // after: [ ext rcode (8)][ver # (8)][ Z field (16) ] unsigned int ercode = (ttl >> 24) & 0xff; unsigned int version = (ttl >> 16) & 0xff; 
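Review bot: `ParseRR_NSEC3` reads `data[0]` for `salt_len` and again for `hash_len` without checking that any bytes remain, so a record that ends after the iterations field or after the salt can be read past the end of the message, and `len` then goes negative. Guard both reads, e.g. `if ( len <= 0 ) return 0;` before `uint8 salt_len = data[0];` and the same before the `hash_len` read (releasing `salt_val` on that second path). In the same hunk, the `switch` statements in `ParseRR_RRSIG`, `ParseRR_DNSKEY` and `ParseRR_DS` call `ExtractStream` identically in every case; a single call before the switch, with the cases kept only for the `Weird` reports, would be shorter and make it obvious that the `BroString*` is always set. The five events are also raised without the `handler && ! msg->skip_event` test that the `default:` case of `ParseAnswer` applies to `dns_unknown_reply`, so the values are built even when nothing handles them.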
@@ -1104,6 +1554,90 @@ Val* DNS_MsgInfo::BuildTSIG_Val() return r; } +Val* DNS_MsgInfo::BuildRRSIG_Val() + { + RecordVal* r = new RecordVal(dns_rrsig_additional); + + Ref(query_name); + r->Assign(0, query_name); + r->Assign(1, new Val(int(answer_type), TYPE_COUNT)); + r->Assign(2, new Val(rrsig->type_covered, TYPE_COUNT)); + r->Assign(3, new Val(rrsig->algorithm, TYPE_COUNT)); + r->Assign(4, new Val(rrsig->labels, TYPE_COUNT)); + r->Assign(5, new IntervalVal(double(rrsig->orig_ttl), Seconds)); + r->Assign(6, new Val(double(rrsig->sig_exp), TYPE_TIME)); + r->Assign(7, new Val(double(rrsig->sig_incep), TYPE_TIME)); + r->Assign(8, new Val(rrsig->key_tag, TYPE_COUNT)); + r->Assign(9, new StringVal(rrsig->signer_name)); + r->Assign(10, new StringVal(rrsig->signature)); + r->Assign(11, new Val(is_query, TYPE_COUNT)); + + delete rrsig; + rrsig = 0; + + return r; + } + +Val* DNS_MsgInfo::BuildDNSKEY_Val() + { + RecordVal* r = new RecordVal(dns_dnskey_additional); + + Ref(query_name); + r->Assign(0, query_name); + r->Assign(1, new Val(int(answer_type), TYPE_COUNT)); + r->Assign(2, new Val(dnskey->dflags, TYPE_COUNT)); + r->Assign(3, new Val(dnskey->dprotocol, TYPE_COUNT)); + r->Assign(4, new Val(dnskey->dalgorithm, TYPE_COUNT)); + r->Assign(5, new StringVal(dnskey->public_key)); + r->Assign(6, new Val(is_query, TYPE_COUNT)); + + delete dnskey; + dnskey = 0; + + return r; + } + +Val* DNS_MsgInfo::BuildNSEC3_Val() + { + RecordVal* r = new RecordVal(dns_nsec3_additional); + + Ref(query_name); + r->Assign(0, query_name); + r->Assign(1, new Val(int(answer_type), TYPE_COUNT)); + r->Assign(2, new Val(nsec3->nsec_flags, TYPE_COUNT)); + r->Assign(3, new Val(nsec3->nsec_hash_algo, TYPE_COUNT)); + r->Assign(4, new Val(nsec3->nsec_iter, TYPE_COUNT)); + r->Assign(5, new Val(nsec3->nsec_salt_len, TYPE_COUNT)); + r->Assign(6, new StringVal(nsec3->nsec_salt)); + r->Assign(7, new Val(nsec3->nsec_hlen, TYPE_COUNT)); + r->Assign(8, new StringVal(nsec3->nsec_hash)); + r->Assign(9, new 
Val(is_query, TYPE_COUNT)); + + delete nsec3; + nsec3 = 0; + + return r; + } + +Val* DNS_MsgInfo::BuildDS_Val() + { + RecordVal* r = new RecordVal(dns_ds_additional); + + Ref(query_name); + r->Assign(0, query_name); + r->Assign(1, new Val(int(answer_type), TYPE_COUNT)); + r->Assign(2, new Val(ds->key_tag, TYPE_COUNT)); + r->Assign(3, new Val(ds->algorithm, TYPE_COUNT)); + r->Assign(4, new Val(ds->digest_type, TYPE_COUNT)); + r->Assign(5, new StringVal(ds->digest_val)); + r->Assign(6, new Val(is_query, TYPE_COUNT)); + + delete ds; + ds = 0; + + return r; + } + Contents_DNS::Contents_DNS(Connection* conn, bool orig, DNS_Interpreter* arg_interp) : tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 58a263637e..0291056811 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -57,7 +57,12 @@ typedef enum { TYPE_TKEY = 249, ///< Transaction Key (RFC 2930) TYPE_TSIG = 250, ///< Transaction Signature (RFC 2845) TYPE_CAA = 257, ///< Certification Authority Authorization (RFC 6844) - + // DNSSEC RR's + TYPE_RRSIG = 46, ///< RR Signature record type (RFC4043) + TYPE_NSEC = 47, ///< Next Secure record (RFC4043) + TYPE_DNSKEY = 48, ///< DNS Key record (RFC 4034) + TYPE_DS = 43, ///< Delegation signer (RFC 4034) + TYPE_NSEC3 = 50, // The following are only valid in queries. TYPE_AXFR = 252, TYPE_ALL = 255, 
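Review bot: The comments on `TYPE_RRSIG` and `TYPE_NSEC` in src/analyzer/protocol/dns/DNS.h cite `RFC4043`, which looks like a transposition of RFC 4034, the document the neighbouring `TYPE_DNSKEY` and `TYPE_DS` lines cite. `TYPE_NSEC3 = 50,` has no comment at all; `///< Hashed authenticated denial of existence (RFC 5155)` would match the others. The new entries are also placed after 257 although their values are 43 to 50, so keeping the enum in numeric order would make it easier to scan.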
@@ -75,6 +80,33 @@ typedef enum { DNS_ADDITIONAL, } DNS_AnswerType; +typedef enum { + reserved0 = 0, + RSA_MD5 = 1, ///< [RFC2537] NOT RECOMMENDED + Diffie_Hellman = 2, ///< [RFC2539] + DSA_SHA1 = 3, ///< [RFC2536] OPTIONAL + Elliptic_Curve = 4, + RSA_SHA1 = 5, ///< [RFC3110] MANDATORY + DSA_NSEC3_SHA1 = 6, + RSA_SHA1_NSEC3_SHA1 = 7, + RSA_SHA256 = 8, + RSA_SHA512 = 10, + GOST_R_34_10_2001 = 12, + ECDSA_curveP256withSHA256 = 13, + ECDSA_curveP384withSHA384 =14, + Indirect = 252, ///< + PrivateDNS = 253, ///< OPTIONAL + PrivateOID = 254, ///< OPTIONAL + reserved255 = 255, +} DNSSEC_Algo; + +typedef enum { + reserved = 0, + SHA1 = 1, ///< [RFC3110] MANDATORY + SHA256 = 2, + GOST_R_34_11_94 = 3, + SHA384 = 4, +} DNSSEC_Digest; struct DNS_RawMsgHdr { unsigned short id; @@ -105,6 +137,42 @@ struct TSIG_DATA { unsigned short rr_error; }; +struct RRSIG_DATA { + unsigned short type_covered; // 16 : ExtractShort(data, len) + unsigned short algorithm; // 8 + unsigned short labels; // 8 + uint32 orig_ttl; // 32 + unsigned long sig_exp; // 32 + unsigned long sig_incep; // 32 + unsigned short key_tag; //16 + BroString* signer_name; + BroString* signature; +}; + +struct DNSKEY_DATA { + unsigned short dflags; // 16 : ExtractShort(data, len) + unsigned short dalgorithm; // 8 + unsigned short dprotocol; // 8 + BroString* public_key; // Variable lenght Public Key +}; + +struct NSEC3_DATA { + unsigned short nsec_flags; + unsigned short nsec_hash_algo; + unsigned short nsec_iter; + unsigned short nsec_salt_len; + BroString* nsec_salt; + unsigned short nsec_hlen; + BroString* nsec_hash; +}; + +struct DS_DATA { + unsigned short key_tag; // 16 : ExtractShort(data, len) + unsigned short algorithm; // 8 + unsigned short digest_type; // 8 + BroString* digest_val; // Variable lenght Digest of DNSKEY RR +}; + class DNS_MsgInfo { public: DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query); 
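Review bot: The enumerators of `DNSSEC_Algo` and `DNSSEC_Digest` are unscoped and use very generic names (`SHA1`, `SHA256`, `SHA384`, `reserved`, `Indirect`), so they are visible throughout whatever scope this header declares them in and can shadow or clash with identically named symbols from a crypto library header. A prefix keeps them unambiguous, e.g. `DNSSEC_DIGEST_SHA1 = 1,` and `DNSSEC_ALGO_RSA_SHA256 = 8,`. Most entries also lack the RFC reference that the first few carry, and `ECDSA_curveP384withSHA384 =14,` is missing the space used on the other lines. The enclosing namespace is outside the hunk, so the real collision risk depends on it.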
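Review bot: `RRSIG_DATA`, `DNSKEY_DATA`, `NSEC3_DATA` and `DS_DATA` hold raw `BroString*` members and have no constructor, so a freshly allocated struct carries indeterminate pointers until every field is assigned; if a parser returns early on truncated RDATA, later code could read garbage or leak the strings already extracted. Initialising the pointers in the declaration (`BroString* signer_name = nullptr;`) or adding constructors would make the partial-parse case safe. The width comments say the algorithm and labels fields are 8 bits and the timestamps 32 bits, yet the members are `unsigned short` and `unsigned long`; fixed-width types, as already done with `uint32 orig_ttl`, would match the wire format. `lenght` in two comments should be `length`.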
@@ -114,6 +182,10 @@ public: Val* BuildAnswerVal(); Val* BuildEDNS_Val(); Val* BuildTSIG_Val(); + Val* BuildRRSIG_Val(); + Val* BuildDNSKEY_Val(); + Val* BuildNSEC3_Val(); + Val* BuildDS_Val(); int id; int opcode; ///< query type, see DNS_Opcode @@ -143,9 +215,14 @@ public: ///< for forward lookups // More values for spesific DNS types. - // struct EDNS_ADDITIONAL* edns; - + //struct EDNS_ADDITIONAL* edns; + //DNSSEC_Algo dnssec_algo; struct TSIG_DATA* tsig; + struct RRSIG_DATA* rrsig; + struct DNSKEY_DATA* dnskey; + struct NSEC3_DATA* nsec3; + struct DS_DATA* ds; + }; @@ -183,6 +260,8 @@ protected: uint32 ExtractLong(const u_char*& data, int& len); void ExtractOctets(const u_char*& data, int& len, BroString** p); + void ExtractStream(const u_char*& data, int& len, BroString** p, int sig_len); + int ParseRR_Name(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start); @@ -218,7 +297,21 @@ protected: int ParseRR_TSIG(DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start); - + int ParseRR_RRSIG(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + int ParseRR_DNSKEY(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + int ParseRR_NSEC(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + int ParseRR_NSEC3(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); + int ParseRR_DS(DNS_MsgInfo* msg, + const u_char*& data, int& len, int rdlength, + const u_char* msg_start); void SendReplyOrRejectEvent(DNS_MsgInfo* msg, EventHandlerPtr event, const u_char*& data, int& len, BroString* question_name); @@ -270,7 +363,6 @@ public: void Done() override; void ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer, int gen_event) override; - void ExpireTimer(double t); static analyzer::Analyzer* Instantiate(Connection* conn) 
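Review bot: `rrsig`, `dnskey`, `nsec3` and `ds` are added to `DNS_MsgInfo` as raw owning pointers, and neither the constructor nor the destructor is in this hunk, so it is not visible whether they start as null and are freed when a message is dropped before the matching `Build*_Val()` runs. If the constructor does not already set them, it needs `rrsig = 0; dnskey = 0; nsec3 = 0; ds = 0;`, and the destructor should release whatever is still set. The commented-out `//DNSSEC_Algo dnssec_algo;` line should be removed rather than committed.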
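Review bot: `ExtractStream()` takes the number of bytes to copy as a signed `int sig_len` next to the remaining-buffer length `len`, and the declaration says nothing about how the two relate. Its definition is not in this hunk, but the length presumably comes from the RDATA of a received packet, so the definition must reject or clamp a negative `sig_len` and one larger than `len`, and the declaration should carry that contract, e.g. `// Copies at most len bytes; sig_len < 0 or sig_len > len never reads past the buffer.` The same applies to the `rdlength` argument of the five new `ParseRR_*` declarations in the following hunk.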
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif index ae796c8e4c..b780a1bf71 100644 --- a/src/analyzer/protocol/dns/events.bif +++ b/src/analyzer/protocol/dns/events.bif 
@@ -493,6 +493,69 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%); +## Generated for DNS replies of type *RRSIG*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## rrsig: The parsed RRSIG reply. +event dns_RRSIG_addl%(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_additional%); + +## Generated for DNS replies of type *DNSKEY*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## dnskey: The parsed DNSKEY reply. +event dns_DNSKEY_addl%(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_additional%); + +## Generated for DNS replies of type *NSEC*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## next_name: The parsed next secure domain name. +## bitmaps: vector of strings in hex for the bit maps present. +event dns_NSEC_addl%(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec%); + +## Generated for DNS replies of type *NSEC3*. 
For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## nsec3: The parsed RDATA of Nsec3 reply. +## bitmaps: vector of strings in hex for the bit maps present. +event dns_NSEC3_addl%(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_additional, bitmaps: string_vec%); + +## Generated for DNS replies of type *DS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## ds: The parsed RDATA of DS reply. +## +event dns_DS_addl%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_additional%); + ## Generated at the end of processing a DNS packet. This event is the last ## ``dns_*`` event that will be raised for a DNS query/reply and signals that ## all resource records have been passed on. diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.rrsig-test/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig-test/dns.log new file mode 100644 index 0000000000..93fc583b44 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.rrsig-test/dns.log 
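Review bot: The doc comments for `dns_RRSIG_addl`, `dns_DNSKEY_addl`, `dns_NSEC_addl`, `dns_NSEC3_addl` and `dns_DS_addl` do not say that the records are only parsed and passed to scripts; no signature or digest verification is visible in this patch, so a script author could read an RRSIG event as evidence of a valid chain. A line such as `## The signature is not cryptographically verified; all fields are as received from the wire.` would make that explicit. The blocks also omit the `.. bro:see::` cross-references that the preceding `dns_TSIG_addl` documentation appears to end with, and each says "DNS replies" although the record types carry an `is_query` field.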
@@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-09-05-15-35-13 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1533309955.393636 ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG_Signer_upenn.edu 30.000000,30.000000 F +1533309959.571738 C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG_Signer_upenn.edu 30.000000,30.000000 F +1533309959.968589 CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG_Signer_upenn.edu,128.91.234.145,RRSIG_Signer_upenn.edu 900.000000,900.000000,30.000000,30.000000 F +1533309950.391966 CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F +#close 2018-09-05-15-35-13 diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.nsec-addl-rec/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.nsec-addl-rec/dns.log new file mode 100644 index 0000000000..3bc100d8d5 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.dns.nsec-addl-rec/dns.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-09-05-15-51-18 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string] +1533310046.924340 CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu,RRSIG_Signer_upenn.edu - +1533310049.812056 ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG_Signer_upenn.edu 300.000000,300.000000 F - - +#close 2018-09-05-15-51-18 diff --git a/testing/btest/Traces/nsec-test.trace b/testing/btest/Traces/nsec-test.trace new file mode 100644 index 0000000000000000000000000000000000000000..355b782f1ddfa54b79f671f7a3ee9acbc42682e3 GIT binary patch literal 1134 zcmca|c+)~A1{MYcU}0bca^gx-qPIx#F~k7bAj}{wzOq-fp-_JEoMsLNR|N*YxmFAe zCW763$~)HVZ&=SOaPK37DT5W$S%xMC0k9Da42;YvIf?8!nMp;7MU||j1*v&?%&94* z3=A?L1)2gtV;g`NWY-iWJ_a`?1~5jmi-F0aJH~HxC%|COl~`Pyn3U-xFk2RxFogcfVvH< zL>>c!mH}8Jrxno6d;$m58T6n=&1GO?1v;HiAi9T9Cpslf=BPH3Nq22^G9zzt-_FfE z>0@)3S$EYf(%7IdEE7)=VD%8 z{kRz~Zv^aiiP~6Gb=AY--iOyBk~7nD_onZE@X|T-Yy1bsr&9gqeD(QW2NO7NsvfAY zeBSscf9=v6zrK2In}2Gy^39YB;BfKrbP93|ibQf2gFe*t%IqmQ6~)D6MeJA}PEPkZALnyd-1(OCN7jNpiA(yP zAyTSJ1g0v96dr~Upa(!0EmbKnxGmBLrQkM2SPDMI3QWO9Mkns#t2Ti ztOp<|7i0%>77v30Fin9lnjH*`Lfr|Vlsm;4k#d2y{L9~byd0czfyoA#axv{Vz{9`_ zvWZcLK^!5?o|=-Lnw?q+O0Nt+CEx@IR5F)=m6aK!IJ)XDLv(OvA4;4oStB8GDtT_> zp6qB-nXkrf0w2oX=x>gyek%C?&)?F8%k%F_Hn|(co{m0yJjQ;x&WT^vx0P*=a6Ab2 z@{(*1D6l!X!u5{tCcT3JOSV6Bzh|>ynO(|vBc{LBrS~LX+`Lpa{T}R literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/rrsig.trace b/testing/btest/Traces/rrsig.trace new file mode 100644 index 0000000000000000000000000000000000000000..e9dbf73b966ca03dce2f00697d1b4cb0ee6cce4d GIT binary patch literal 4754 zcmca|c+)~A1{MYcU}0bca{d*kM9ckVWrzZ@L6|{Wd}Xg{L!tcSIn5jlt_lo3x3(}a zmh*Q#$c);%^LmWiPOs#ke`?s*crHS`UxsgoLG$ESq3=w$1oQdI-p>ei*ET97#$mb;ixu}wrs1tF){X@|Uc9gAr z`ShJ9>sLOuIg#)6GBYQe8wrgF?Bq?@~l+i&qBq4~6hG5e{!3A=~Tm~jqpo;<Ew+HKFa z^~!N5)IYm(ocGq#lah;e zia_-;Q1t?8>|Y85Kv@n17#X;LdQs(=AX2~xVFsFmD#r|!V`kt1nu!Q3MpkBUVC7v{ z5$$eu4<)cF8a7{%<(||$Q|q4oAto``*x>A>*$4SVv#Mj&-fiBwc+=r$Hj`H;9B_0D zyE5aJW#W?;a@!5HD>$x&`e+H%U7zq;;?Pb{_Fapk+RU3z2%$Js2I|o6MBeD+laEjw z>h&+Mz5axPu_ZW*uF%_l+AX*Q*7e zbfZ_V=SkoVD|C z@PsV$iS_Q0j?+4ywSD|Jq4?CnSwUxyYRRKG6c(c8S52Y=9NwZhlsPT;;hybhxDK2% zn<6#!-`ce;@<-oYxc{SSkI_{1T@U;wM8*G%*ts`D|E5{R)a~^ra%V8V+;yi(;?C06 zn14&n$~3P2i3`nme`@db8{rz)*gTj`vLhc{E$1;$-NTd~wWi)FJMDG-1Gbl(+vYUp zM6PH)JYn4pjSXCu>*`X2n>$hykcxeFV6h*ylLJq&|0Wky>|5W375j%fK*fIhzqCBk zihYnxwZ}N{75ggSVqXbS>>uu6jaL1XmN#1Lj~4r*#r|lqA3a*^Q?Jll1_k$qy>~ z4X^PrECx3DK^V$rA^Z{&S$jfXSuzpkVsUWG71&Q<0QF!d9`M7~gL$_sIyN>B#r=sEN)3l6 zEpE;!t@g0Ha@eC+Z_6}&SI(JpdBpDu?1&0c+vp)6m8~;_cYSX~?V6vniYwF3{qSL7 zJ6d_fQRiFDs>3Dj+s?$To409Oes)5bXwtRSOCGa4W3*g9f5W#*Uxn&`4bBT%ox_6u zPIu6Gu=bAml0QO6-Wh2Mz4y${zU63Wc+eEB2Llwr5HrFeW{e_+(W^l+1HD&+Bn9c! z9MS{|A)1hbx(9Ox9M7Px7Ptp<@BuO(*n|0k%m?;h&Y<-~ka{pcy{Nqu8q_@)WQW4q+k>$O1B?ko@`HuwV64iJItBpb-RPhI literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/dns/rrsig-test.bro b/testing/btest/scripts/base/protocols/dns/rrsig-test.bro new file mode 100644 index 0000000000..9299257ad8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/dns/rrsig-test.bro @@ -0,0 +1,4 @@ +# This tests the case where the queries and responses include DNSSEC RRs. +# +# @TEST-EXEC: bro -r $TRACES/rrsig.trace +# @TEST-EXEC: btest-diff dns.log 
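Review bot: This test replays one well-formed capture and diffs `dns.log`, so the new parsers are never exercised with truncated or inconsistent RDATA, which is the input a passive DNS analyzer has to survive. The patch adds only `rrsig.trace` and `nsec-test.trace`; a capture containing DNSKEY, DS and NSEC3 answers, and one whose RDLENGTH overruns the packet, would cover the remaining code paths. Neither this script nor `nsec-addl-rec.bro` loads the new `addl-*.bro` policy scripts, so those are untested as far as this patch shows.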
diff --git a/testing/btest/scripts/policy/protocols/dns/nsec-addl-rec.bro b/testing/btest/scripts/policy/protocols/dns/nsec-addl-rec.bro new file mode 100644 index 0000000000..46ab1094c2 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/dns/nsec-addl-rec.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -r $TRACES/nsec-test.trace %INPUT +# @TEST-EXEC: btest-diff dns.log + +@load protocols/dns/auth-addl From 1ea9c8eb40e6c2fdb3de1ebba9c6b47090a8ace2 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 24 Sep 2018 15:34:16 -0500 Subject: [PATCH 2/4] GH-148: add priority to DNSSEC event handlers --- scripts/base/protocols/dns/main.bro | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 300b1ef784..a0e22aae6b 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -466,7 +466,7 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string # # } -event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr) +event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr) &priority=5 { local s: string; s = fmt("RRSIG %s %s", rrsig$type_covered, 
@@ -474,24 +474,24 @@ event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_r hook DNS::do_reply(c, msg, ans, s); } -event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr) +event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr) &priority=5 { local s: string; s = fmt("DNSKEY %s", dnskey$algorithm); hook DNS::do_reply(c, msg, ans, s); } -event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec) +event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec) &priority=5 { hook DNS::do_reply(c, msg, ans, fmt("NSEC %s %s", ans$query, next_name)); } -event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr) +event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr) &priority=5 { hook DNS::do_reply(c, msg, ans, "NSEC3"); } -event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr) +event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr) &priority=5 { local s: string; s = fmt("DS %s %s", ds$algorithm, ds$digest_type); From 615ff782824fb6d1be889e3544eb034c0b6891a4 Mon Sep 17 00:00:00 2001 
From: Jon Zeolla Date: Sat, 29 Sep 2018 23:08:10 -0400 Subject: [PATCH 3/4] Bro plugins should support a patch version (x.y.z) --- CHANGES | 3 +++ NEWS | 5 +++++ doc/devel/plugins.rst | 11 ++++++----- src/plugin/Plugin.cc | 2 ++ src/plugin/Plugin.h | 14 ++++++++++++-- .../plugins.bifs-and-scripts-install/output | 2 +- .../Baseline/plugins.bifs-and-scripts/output | 2 +- testing/btest/Baseline/plugins.file/output | 2 +- .../btest/Baseline/plugins.init-plugin/output | 2 +- .../btest/Baseline/plugins.pktdumper/output | 2 +- .../plugins.plugin-nopatchversion/output | 1 + .../plugins.plugin-withpatchversion/output | 1 + testing/btest/Baseline/plugins.protocol/output | 2 +- testing/btest/Baseline/plugins.reader/output | 2 +- testing/btest/Baseline/plugins.writer/output | 2 +- testing/btest/README | 18 +++++++++--------- .../btest/plugins/file-plugin/src/Plugin.cc | 1 + .../btest/plugins/hooks-plugin/src/Plugin.cc | 1 + .../plugins/logging-hooks-plugin/src/Plugin.cc | 1 + .../plugins/pktdumper-plugin/src/Plugin.cc | 1 + .../btest/plugins/pktsrc-plugin/src/Plugin.cc | 1 + .../plugin-nopatchversion-plugin/.btest-ignore | 0 .../plugin-nopatchversion-plugin/src/Plugin.cc | 16 ++++++++++++++++ .../btest/plugins/plugin-nopatchversion.bro | 5 +++++ .../.btest-ignore | 0 .../src/Plugin.cc | 17 +++++++++++++++++ .../btest/plugins/plugin-withpatchversion.bro | 5 +++++ .../plugins/protocol-plugin/src/Plugin.cc | 1 + .../btest/plugins/reader-plugin/src/Plugin.cc | 1 + .../plugins/reporter-hook-plugin/src/Plugin.cc | 1 + .../btest/plugins/writer-plugin/src/Plugin.cc | 1 + 31 files changed, 99 insertions(+), 24 deletions(-) create mode 100644 testing/btest/Baseline/plugins.plugin-nopatchversion/output create mode 100644 testing/btest/Baseline/plugins.plugin-withpatchversion/output create mode 100644 testing/btest/plugins/plugin-nopatchversion-plugin/.btest-ignore create mode 100644 testing/btest/plugins/plugin-nopatchversion-plugin/src/Plugin.cc create mode 100644 
testing/btest/plugins/plugin-nopatchversion.bro create mode 100644 testing/btest/plugins/plugin-withpatchversion-plugin/.btest-ignore create mode 100644 testing/btest/plugins/plugin-withpatchversion-plugin/src/Plugin.cc create mode 100644 testing/btest/plugins/plugin-withpatchversion.bro diff --git a/CHANGES b/CHANGES index 57525ad3da..017f5cfa7f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2.6-beta2-16 | 2018-09-29 21:30:31 -0500 + + * Add an optional plugin patch version (Jon Zeolla) 2.6-beta2-14 | 2018-09-25 16:38:29 -0500 diff --git a/NEWS b/NEWS index a9360d2eec..1b71c14db7 100644 --- a/NEWS +++ b/NEWS @@ -544,6 +544,11 @@ Changed Functionality indicated whether each Bro process was the "parent" or "child", but this is no longer relevant because each Bro node now runs as a single process. +- Bro's Plugin framework now allows a patch version. If a patch version is not + provided, it will default to 0. To specify this, modify the plugin + Configuration class in your ``src/Plugin.cc` and set + ``config.version.patch``. + Removed Functionality --------------------- diff --git a/doc/devel/plugins.rst b/doc/devel/plugins.rst index dc1c9a3cd4..bdc9305924 100644 --- a/doc/devel/plugins.rst +++ b/doc/devel/plugins.rst @@ -99,7 +99,7 @@ option:: # export BRO_PLUGIN_PATH=/path/to/rot13-plugin/build # bro -N [...] - Demo::Rot13 - (dynamic, version 0.1) + Demo::Rot13 - (dynamic, version 0.1.0) [...] That looks quite good, except for the dummy description that we should @@ -115,6 +115,7 @@ is about. We do this by editing the ``config.description`` line in config.description = "Caesar cipher rotating a string's characters by 13 places."; config.version.major = 0; config.version.minor = 1; + config.version.patch = 0; return config; } [...] 
@@ -124,14 +125,14 @@ Now rebuild and verify that the description is visible:: # make [...] # bro -N | grep Rot13 - Demo::Rot13 - Caesar cipher rotating a string's characters by 13 places. (dynamic, version 0.1) + Demo::Rot13 - Caesar cipher rotating a string's characters by 13 places. (dynamic, version 0.1.0) Bro can also show us what exactly the plugin provides with the more verbose option ``-NN``:: # bro -NN [...] - Demo::Rot13 - Caesar cipher rotating a string's characters by 13 places. (dynamic, version 0.1) + Demo::Rot13 - Caesar cipher rotating a string's characters by 13 places. (dynamic, version 0.1.0) [Function] Demo::rot13 [...] @@ -166,7 +167,7 @@ unpacking. To distribute the plugin in binary form, the build process conveniently creates a corresponding tarball in ``build/dist/``. In -this case, it's called ``Demo_Rot13-0.1.tar.gz``, with the version +this case, it's called ``Demo_Rot13-0.1.0.tar.gz``, with the version number coming out of the ``VERSION`` file that ``init-plugin`` put into place. The binary tarball has everything needed to run the plugin, but no further source files. Optionally, one can include @@ -395,7 +396,7 @@ let's get that in place:: % 'btest-diff output' failed unexpectedly (exit code 100) % cat .diag == File =============================== - Demo::Rot13 - Caesar cipher rotating a string's characters by 13 places. (dynamic, version 0.1) + Demo::Rot13 - Caesar cipher rotating a string's characters by 13 places. (dynamic, version 0.1.0) [Function] Demo::rot13 == Error =============================== diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 1264759d02..92bfcae8dc 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -445,6 +445,8 @@ void Plugin::Describe(ODesc* d) const d->Add(config.version.major); d->Add("."); d->Add(config.version.minor); + d->Add("."); + d->Add(config.version.patch); d->Add(")"); } else diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 9c5416230b..d6d2ef9d94 100644 
--- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -69,16 +69,26 @@ extern const char* hook_name(HookType h); struct VersionNumber { int major; //< Major version number; int minor; //< Minor version number; + int patch; //< Patch version number; /** * Constructor. */ - VersionNumber() { major = minor = -1; } + VersionNumber() { + /** + * Major and minor versions are required. + */ + major = minor = -1; + /** + * Patch version is optional, and set to 0 if not manually set. + */ + patch = 0; + } /** * Returns true if the version is set to a non-negative value. */ - explicit operator bool() const { return major >= 0 && minor >= 0; } + explicit operator bool() const { return major >= 0 && minor >= 0 && patch >= 0; } }; /** diff --git a/testing/btest/Baseline/plugins.bifs-and-scripts-install/output b/testing/btest/Baseline/plugins.bifs-and-scripts-install/output index 093ab763f6..2ce5abfcc4 100644 --- a/testing/btest/Baseline/plugins.bifs-and-scripts-install/output +++ b/testing/btest/Baseline/plugins.bifs-and-scripts-install/output @@ -1,4 +1,4 @@ -Demo::Foo - (dynamic, version 0.1) +Demo::Foo - (dynamic, version 0.1.0) [Function] hello_plugin_world [Event] plugin_event diff --git a/testing/btest/Baseline/plugins.bifs-and-scripts/output b/testing/btest/Baseline/plugins.bifs-and-scripts/output index db9e4cbc49..139937d4cb 100644 --- a/testing/btest/Baseline/plugins.bifs-and-scripts/output +++ b/testing/btest/Baseline/plugins.bifs-and-scripts/output @@ -1,4 +1,4 @@ -Demo::Foo - (dynamic, version 0.1) +Demo::Foo - (dynamic, version 0.1.0) [Function] hello_plugin_world [Event] plugin_event diff --git a/testing/btest/Baseline/plugins.file/output b/testing/btest/Baseline/plugins.file/output index 487fa811c3..5b0ee4919f 100644 --- a/testing/btest/Baseline/plugins.file/output +++ b/testing/btest/Baseline/plugins.file/output 
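Review bot: Adding `int patch;` to `VersionNumber` changes the size and layout of the struct that every plugin fills in from `Configure()`, so a dynamic plugin built against the previous header and loaded by this build would disagree with the core about the layout of its configuration. No change to a plugin API version is visible in this hunk; if the loader compares such a version before using the plugin, it should be raised in the same commit so stale binaries are rejected instead of misread. Inside the constructor the two `/** ... */` blocks are ordinary implementation comments and would read better as `// Major and minor are required; patch is optional and defaults to 0.`, and the member comments use `//<` where Doxygen expects `///<`.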
@@ -1,4 +1,4 @@ -Demo::Foo - A Foo test analyzer (dynamic, version 1.0) +Demo::Foo - A Foo test analyzer (dynamic, version 1.0.0) [File Analyzer] Foo (ANALYZER_FOO) [Event] foo_piece diff --git a/testing/btest/Baseline/plugins.init-plugin/output b/testing/btest/Baseline/plugins.init-plugin/output index 8869685118..7c85d7a281 100644 --- a/testing/btest/Baseline/plugins.init-plugin/output +++ b/testing/btest/Baseline/plugins.init-plugin/output @@ -1,3 +1,3 @@ -Demo::Foo - (dynamic, version 0.1) +Demo::Foo - (dynamic, version 0.1.0) === diff --git a/testing/btest/Baseline/plugins.pktdumper/output b/testing/btest/Baseline/plugins.pktdumper/output index 42b51e8051..1e46e199aa 100644 --- a/testing/btest/Baseline/plugins.pktdumper/output +++ b/testing/btest/Baseline/plugins.pktdumper/output @@ -1,4 +1,4 @@ -Demo::Foo - A Foo packet dumper (dynamic, version 1.0) +Demo::Foo - A Foo packet dumper (dynamic, version 1.0.0) [Packet Dumper] FooPktDumper (dumper prefix: "foo") === diff --git a/testing/btest/Baseline/plugins.plugin-nopatchversion/output b/testing/btest/Baseline/plugins.plugin-nopatchversion/output new file mode 100644 index 0000000000..03f1437035 --- /dev/null +++ b/testing/btest/Baseline/plugins.plugin-nopatchversion/output @@ -0,0 +1 @@ +Testing::NoPatchVersion - Testing a plugin without a specified patch version (dynamic, version 0.1.0) diff --git a/testing/btest/Baseline/plugins.plugin-withpatchversion/output b/testing/btest/Baseline/plugins.plugin-withpatchversion/output new file mode 100644 index 0000000000..afb9fa61c3 --- /dev/null +++ b/testing/btest/Baseline/plugins.plugin-withpatchversion/output @@ -0,0 +1 @@ +Testing::WithPatchVersion - Testing a plugin with a specified patch version (dynamic, version 0.1.4) diff --git a/testing/btest/Baseline/plugins.protocol/output b/testing/btest/Baseline/plugins.protocol/output index 1c8dccc973..675a884b16 100644 --- a/testing/btest/Baseline/plugins.protocol/output 
+++ b/testing/btest/Baseline/plugins.protocol/output @@ -1,4 +1,4 @@ -Demo::Foo - A Foo test analyzer (dynamic, version 1.0) +Demo::Foo - A Foo test analyzer (dynamic, version 1.0.0) [Analyzer] Foo (ANALYZER_FOO, enabled) [Event] foo_message diff --git a/testing/btest/Baseline/plugins.reader/output b/testing/btest/Baseline/plugins.reader/output index 0f8980d0e7..1727ea77bc 100644 --- a/testing/btest/Baseline/plugins.reader/output +++ b/testing/btest/Baseline/plugins.reader/output @@ -1,4 +1,4 @@ -Demo::Foo - A Foo test input reader (dynamic, version 1.0) +Demo::Foo - A Foo test input reader (dynamic, version 1.0.0) [Reader] Foo (Input::READER_FOO) === diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output index bbd11b8484..90cf6f42bf 100644 --- a/testing/btest/Baseline/plugins.writer/output +++ b/testing/btest/Baseline/plugins.writer/output @@ -1,4 +1,4 @@ -Demo::Foo - A Foo test logging writer (dynamic, version 1.0) +Demo::Foo - A Foo test logging writer (dynamic, version 1.0.0) [Writer] Foo (Log::WRITER_FOO) === diff --git a/testing/btest/README b/testing/btest/README index a635251939..04f2a626c1 100644 --- a/testing/btest/README +++ b/testing/btest/README 
@@ -20,17 +20,17 @@ Significant Subdirectories Packet captures utilized by the various BTest tests. * scripts/ - This hierarchy of tests emulates the hierarchy of the Bro scripts/ - directory. + This hierarchy of tests emulates the hierarchy of the Bro scripts/ + directory. * coverage/ - This collection of tests relates to checking whether we're covering - everything we want to in terms of tests, documentation, and which - scripts get loaded in different Bro configurations. These tests are - more prone to fail as new Bro scripts are developed and added to the - distribution -- checking the individual test's comments is the best - place to check for more details on what exactly the test is checking - and hints on how to fix it when it fails. + This collection of tests relates to checking whether we're covering + everything we want to in terms of tests, documentation, and which + scripts get loaded in different Bro configurations. These tests are + more prone to fail as new Bro scripts are developed and added to the + distribution -- checking the individual test's comments is the best + place to check for more details on what exactly the test is checking + and hints on how to fix it when it fails. Running Tests ============= diff --git a/testing/btest/plugins/file-plugin/src/Plugin.cc b/testing/btest/plugins/file-plugin/src/Plugin.cc index 4607a0549f..5c61d28e28 100644 --- a/testing/btest/plugins/file-plugin/src/Plugin.cc +++ b/testing/btest/plugins/file-plugin/src/Plugin.cc @@ -16,5 +16,6 @@ plugin::Configuration Plugin::Configure() config.description = "A Foo test analyzer"; config.version.major = 1; config.version.minor = 0; + config.version.patch = 0; return config; } diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc index c5b8f4e981..52aea76bda 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc 
@@ -29,6 +29,7 @@ plugin::Configuration Plugin::Configure() config.description = "Exercises all plugin hooks"; config.version.major = 1; config.version.minor = 0; + config.version.patch = 0; return config; } diff --git a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc index 32dd2b17b3..eb06d5a27d 100644 --- a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc @@ -21,6 +21,7 @@ plugin::Configuration Plugin::Configure() config.description = "Exercises Log hooks"; config.version.major = 1; config.version.minor = 0; + config.version.patch = 0; return config; } diff --git a/testing/btest/plugins/pktdumper-plugin/src/Plugin.cc b/testing/btest/plugins/pktdumper-plugin/src/Plugin.cc index 81ef8c79f4..f4417ff6a2 100644 --- a/testing/btest/plugins/pktdumper-plugin/src/Plugin.cc +++ b/testing/btest/plugins/pktdumper-plugin/src/Plugin.cc @@ -16,5 +16,6 @@ plugin::Configuration Plugin::Configure() config.description = "A Foo packet dumper"; config.version.major = 1; config.version.minor = 0; + config.version.patch = 0; return config; } diff --git a/testing/btest/plugins/pktsrc-plugin/src/Plugin.cc b/testing/btest/plugins/pktsrc-plugin/src/Plugin.cc index ecc94866a6..088a4dd36d 100644 --- a/testing/btest/plugins/pktsrc-plugin/src/Plugin.cc +++ b/testing/btest/plugins/pktsrc-plugin/src/Plugin.cc @@ -16,5 +16,6 @@ plugin::Configuration Plugin::Configure() config.description = "A Foo packet source"; config.version.major = 1; config.version.minor = 0; + config.version.patch = 0; return config; } diff --git a/testing/btest/plugins/plugin-nopatchversion-plugin/.btest-ignore b/testing/btest/plugins/plugin-nopatchversion-plugin/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/testing/btest/plugins/plugin-nopatchversion-plugin/src/Plugin.cc b/testing/btest/plugins/plugin-nopatchversion-plugin/src/Plugin.cc new file mode 100644 index 0000000000..292f2c90de --- /dev/null +++ b/testing/btest/plugins/plugin-nopatchversion-plugin/src/Plugin.cc @@ -0,0 +1,16 @@ + +#include "Plugin.h" + +namespace plugin { namespace Testing_NoPatchVersion { Plugin plugin; } } + +using namespace plugin::Testing_NoPatchVersion; + +plugin::Configuration Plugin::Configure() + { + plugin::Configuration config; + config.name = "Testing::NoPatchVersion"; + config.description = "Testing a plugin without a specified patch version"; + config.version.major = 0; + config.version.minor = 1; + return config; + } diff --git a/testing/btest/plugins/plugin-nopatchversion.bro b/testing/btest/plugins/plugin-nopatchversion.bro new file mode 100644 index 0000000000..2279efde6a --- /dev/null +++ b/testing/btest/plugins/plugin-nopatchversion.bro @@ -0,0 +1,5 @@ +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Testing NoPatchVersion +# @TEST-EXEC: cp -r %DIR/plugin-nopatchversion-plugin/* . +# @TEST-EXEC: ./configure --bro-dist=${DIST} && make +# @TEST-EXEC: BRO_PLUGIN_PATH=$(pwd) bro -N Testing::NoPatchVersion >> output +# @TEST-EXEC: btest-diff output diff --git a/testing/btest/plugins/plugin-withpatchversion-plugin/.btest-ignore b/testing/btest/plugins/plugin-withpatchversion-plugin/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/plugins/plugin-withpatchversion-plugin/src/Plugin.cc b/testing/btest/plugins/plugin-withpatchversion-plugin/src/Plugin.cc new file mode 100644 index 0000000000..95221b7118 --- /dev/null +++ b/testing/btest/plugins/plugin-withpatchversion-plugin/src/Plugin.cc 
@@ -0,0 +1,17 @@ + +#include "Plugin.h" + +namespace plugin { namespace Testing_WithPatchVersion { Plugin plugin; } } + +using namespace plugin::Testing_WithPatchVersion; + +plugin::Configuration Plugin::Configure() + { + plugin::Configuration config; + config.name = "Testing::WithPatchVersion"; + config.description = "Testing a plugin with a specified patch version"; + config.version.major = 0; + config.version.minor = 1; + config.version.patch = 4; + return config; + } diff --git a/testing/btest/plugins/plugin-withpatchversion.bro b/testing/btest/plugins/plugin-withpatchversion.bro new file mode 100644 index 0000000000..4d86f09719 --- /dev/null +++ b/testing/btest/plugins/plugin-withpatchversion.bro @@ -0,0 +1,5 @@ +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Testing WithPatchVersion +# @TEST-EXEC: cp -r %DIR/plugin-withpatchversion-plugin/* . +# @TEST-EXEC: ./configure --bro-dist=${DIST} && make +# @TEST-EXEC: BRO_PLUGIN_PATH=$(pwd) bro -N Testing::WithPatchVersion >> output +# @TEST-EXEC: btest-diff output diff --git a/testing/btest/plugins/protocol-plugin/src/Plugin.cc b/testing/btest/plugins/protocol-plugin/src/Plugin.cc index e6966bf538..bd2662d67c 100644 --- a/testing/btest/plugins/protocol-plugin/src/Plugin.cc +++ b/testing/btest/plugins/protocol-plugin/src/Plugin.cc @@ -16,5 +16,6 @@ plugin::Configuration Plugin::Configure() config.description = "A Foo test analyzer"; config.version.major = 1; config.version.minor = 0; + config.version.patch = 0; return config; } diff --git a/testing/btest/plugins/reader-plugin/src/Plugin.cc b/testing/btest/plugins/reader-plugin/src/Plugin.cc index acc715511a..fdf16c412b 100644 --- a/testing/btest/plugins/reader-plugin/src/Plugin.cc +++ b/testing/btest/plugins/reader-plugin/src/Plugin.cc @@ -15,5 +15,6 @@ plugin::Configuration Plugin::Configure() config.description = "A Foo test input reader"; config.version.major = 1; config.version.minor = 0; + config.version.patch = 0; return config; } 
diff --git a/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc index 9c8eee6ca8..d9c856966a 100644 --- a/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc +++ b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc @@ -19,6 +19,7 @@ plugin::Configuration Plugin::Configure() config.description = "Exercise Reporter Hook"; config.version.major = 1; config.version.minor = 0; + config.version.patch = 0; return config; } diff --git a/testing/btest/plugins/writer-plugin/src/Plugin.cc b/testing/btest/plugins/writer-plugin/src/Plugin.cc index e07e071204..e22a2cd645 100644 --- a/testing/btest/plugins/writer-plugin/src/Plugin.cc +++ b/testing/btest/plugins/writer-plugin/src/Plugin.cc @@ -15,5 +15,6 @@ plugin::Configuration Plugin::Configure() config.description = "A Foo test logging writer"; config.version.major = 1; config.version.minor = 0; + config.version.patch = 0; return config; } From 1f450c05102be6dd7ebcc2c5901d5a3a231cd675 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 18 Oct 2018 14:57:21 -0500 Subject: [PATCH 4/4] Improve introspection of Record and TypeType values * TypeType values are now printable and yield the type name/alias * Fix record_fields BIF to return correct type name for fields * Allow TypeType values that point to a RecordType to be used with record_fields BIF --- src/Val.cc | 2 + src/bro.bif | 42 +- .../btest/Baseline/bifs.records_fields/out | 35 +- testing/btest/Baseline/plugins.hooks/output | 566 +++++++++--------- .../out | 8 +- .../scripts.base.frameworks.input.event/out | 14 +- .../out | 16 +- .../out | 2 +- .../out | 32 +- .../scripts.base.frameworks.input.reread/out | 28 +- testing/btest/bifs/records_fields.bro | 28 +- 11 files changed, 427 insertions(+), 346 deletions(-) diff --git a/src/Val.cc b/src/Val.cc index 144eb995ee..059ce24f4a 100644 --- a/src/Val.cc +++ b/src/Val.cc 
@@ -500,6 +500,8 @@ void Val::ValDescribe(ODesc* d) const AsFunc()->Describe(d); else if ( type->Tag() == TYPE_FILE ) AsFile()->Describe(d); + else if ( type->Tag() == TYPE_TYPE ) + d->Add(type->AsTypeType()->Type()->GetName()); else d->Add(""); break; diff --git a/src/bro.bif b/src/bro.bif index 88aaa487d0..a550f0e36a 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -1896,27 +1896,50 @@ function lookup_ID%(id: string%) : any ## includes the field name, whether it is logged, its value (if it has one), ## and its default value (if specified). ## -## rec: The record to inspect. +## rec: The record value or type to inspect. ## ## Returns: A table that describes the fields of a record. function record_fields%(rec: any%): record_field_table %{ TableVal* fields = new TableVal(record_field_table); - RecordVal* rv = rec->AsRecordVal(); - RecordType* rt = rv->Type()->AsRecordType(); + auto t = rec->Type(); - if ( rt->Tag() != TYPE_RECORD ) + if ( t->Tag() != TYPE_RECORD && t->Tag() != TYPE_TYPE ) { - reporter->Error("non-record passed to record_fields"); + reporter->Error("non-record value/type passed to record_fields"); return fields; } + RecordType* rt = nullptr; + RecordVal* rv = nullptr; + + if ( t->Tag() == TYPE_RECORD ) + { + rt = t->AsRecordType(); + rv = rec->AsRecordVal(); + } + else + { + t = t->AsTypeType()->Type(); + + if ( t->Tag() != TYPE_RECORD ) + { + reporter->Error("non-record value/type passed to record_fields"); + return fields; + } + + rt = t->AsRecordType(); + } + for ( int i = 0; i < rt->NumFields(); ++i ) { BroType* ft = rt->FieldType(i); TypeDecl* fd = rt->FieldDecl(i); - Val* fv = rv->Lookup(i); + Val* fv = nullptr; + + if ( rv ) + fv = rv->Lookup(i); if ( fv ) Ref(fv); 
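Review bot: The new `TYPE_TYPE` branch in `Val::ValDescribe` adds `GetName()` unconditionally, so a type value whose underlying type has no name or alias would presumably be described as an empty string. Falling back to the tag name keeps the output non-empty: `const auto& n = type->AsTypeType()->Type()->GetName();` then `d->Add(n.empty() ? type_name(type->AsTypeType()->Type()->Tag()) : n);`, assuming `type_name()` (used in the `src/bro.bif` hunk) is in scope here. The same assumption appears in the `@@ -1924,7 +1947,12 @@` hunk of `src/bro.bif`, where `"record " + ft->GetName()` would yield `record ` with a trailing space for a field declared with an inline, unnamed record type. `ValDescribe` starts and ends outside this hunk, so the enclosing switch is not visible.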
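Review bot: The doc comment above `record_fields` is updated for the `rec` parameter but not for the two behaviours the new body introduces. When a type is passed, `rv` stays `nullptr`, so every entry's `value` is left unset. When the argument is neither a record nor a type that resolves to a record, the function reports an error and returns the empty table. Both matter to scripts that introspect values of type `any`, so the `Returns:` line should say so: `## Returns: A table that describes the fields of a record; *value* is unset for every field when a type is passed, and the table is empty if *rec* is neither a record nor a record type.` The function body continues past the end of this hunk.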
@@ -1924,7 +1947,12 @@ function record_fields%(rec: any%): record_field_table bool logged = (fd->attrs && fd->FindAttr(ATTR_LOG) != 0); RecordVal* nr = new RecordVal(record_field); - nr->Assign(0, new StringVal(type_name(rt->Tag()))); + + if ( ft->Tag() == TYPE_RECORD ) + nr->Assign(0, new StringVal("record " + ft->GetName())); + else + nr->Assign(0, new StringVal(type_name(ft->Tag()))); + nr->Assign(1, new Val(logged, TYPE_BOOL)); nr->Assign(2, fv); nr->Assign(3, rt->FieldDefault(i)); diff --git a/testing/btest/Baseline/bifs.records_fields/out b/testing/btest/Baseline/bifs.records_fields/out index d3b97c8668..01bffa1510 100644 --- a/testing/btest/Baseline/bifs.records_fields/out +++ b/testing/btest/Baseline/bifs.records_fields/out 
@@ -1,8 +1,33 @@ -[a=42, b=Foo, c=, d=Bar] +[a=42, b=Foo, c=, d=Bar, e=tt] { -[b] = [type_name=record, log=F, value=Foo, default_val=Foo], -[c] = [type_name=record, log=F, value=, default_val=], -[a] = [type_name=record, log=F, value=42, default_val=], -[d] = [type_name=record, log=T, value=Bar, default_val=] +[b] = [type_name=string, log=F, value=Foo, default_val=Foo], +[c] = [type_name=double, log=F, value=, default_val=], +[e] = [type_name=any, log=F, value=tt, default_val=], +[a] = [type_name=count, log=F, value=42, default_val=], +[d] = [type_name=string, log=T, value=Bar, default_val=] } F +{ +[b] = [type_name=string, log=F, value=, default_val=Bar], +[c] = [type_name=double, log=F, value=, default_val=], +[a] = [type_name=bool, log=F, value=, default_val=], +[d] = [type_name=string, log=T, value=, default_val=], +[m] = [type_name=record myrec, log=F, value=, default_val=] +} +{ +[b] = [type_name=string, log=F, value=, default_val=Bar], +[c] = [type_name=double, log=F, value=, default_val=], +[a] = [type_name=bool, log=F, value=, default_val=], +[d] = [type_name=string, log=T, value=, default_val=], +[m] = [type_name=record myrec, log=F, value=, default_val=] +} +{ +[b] = [type_name=string, log=F, value=Foo, default_val=Foo], +[c] = [type_name=double, log=F, value=, default_val=], +[e] = [type_name=any, log=F, value=mystring, default_val=], +[a] = [type_name=count, log=F, value=42, default_val=], +[d] = [type_name=string, log=T, value=Bar, default_val=] +} +{ + +} diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index dce61908e3..04b213e240 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -228,53 +228,53 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNP3::LOG, [columns=, ev=DNP3::log_dnp3, path=dnp3])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNS::LOG, [columns=, ev=DNS::log_dns, path=dns])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DPD::LOG, [columns=, ev=, path=dpd])) -> -0.000000 MetaHookPost 
CallFunction(Log::__create_stream, , (FTP::LOG, [columns=, ev=FTP::log_ftp, path=ftp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Files::LOG, [columns=, ev=Files::log_files, path=files])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=, ev=HTTP::log_http, path=http])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (IRC::LOG, [columns=, ev=IRC::irc_log, path=irc])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Intel::LOG, [columns=, ev=Intel::log_intel, path=intel])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=, ev=, path=ntlm])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::LOG, [columns=, ev=Notice::log_notice, path=notice])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=, ev=OpenFlow::log_openflow, path=openflow])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PE::LOG, 
[columns=, ev=PE::log_pe, path=pe])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSH::LOG, [columns=, ev=SSH::log_ssh, path=ssh])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSL::LOG, [columns=, ev=SSL::log_ssl, path=ssl])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=, ev=Signatures::log_signature, path=signatures])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Software::LOG, [columns=, ev=Software::log_software, path=software])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=, ev=, path=syslog])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, 
, (Tunnel::LOG, [columns=, ev=, path=tunnel])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Unified2::LOG, [columns=, ev=Unified2::log_unified2, path=unified2])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, 
, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow])) -> +0.000000 MetaHookPost 
CallFunction(Log::__create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Software::LOG, 
[columns=Software::Info, ev=Software::log_software, path=software])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Unified2::LOG, [columns=Unified2::Info, ev=Unified2::log_unified2, path=unified2])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539890895.780919, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -413,53 +413,53 @@ 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (X509::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNP3::LOG, [columns=, ev=DNP3::log_dnp3, path=dnp3])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNS::LOG, [columns=, ev=DNS::log_dns, path=dns])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (DPD::LOG, [columns=, ev=, path=dpd])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (FTP::LOG, [columns=, ev=FTP::log_ftp, path=ftp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Files::LOG, [columns=, ev=Files::log_files, path=files])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (HTTP::LOG, [columns=, ev=HTTP::log_http, path=http])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (IRC::LOG, [columns=, ev=IRC::irc_log, path=irc])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Intel::LOG, [columns=, ev=Intel::log_intel, path=intel])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos])) -> -0.000000 
MetaHookPost CallFunction(Log::create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (NTLM::LOG, [columns=, ev=, path=ntlm])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::LOG, [columns=, ev=Notice::log_notice, path=notice])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=, ev=OpenFlow::log_openflow, path=openflow])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (PE::LOG, [columns=, ev=PE::log_pe, path=pe])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, 
path=sip])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSH::LOG, [columns=, ev=SSH::log_ssh, path=ssh])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSL::LOG, [columns=, ev=SSL::log_ssl, path=ssl])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Signatures::LOG, [columns=, ev=Signatures::log_signature, path=signatures])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Software::LOG, [columns=, ev=Software::log_software, path=software])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Syslog::LOG, [columns=, ev=, path=syslog])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=, ev=, path=tunnel])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Unified2::LOG, [columns=, ev=Unified2::log_unified2, path=unified2])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , 
(Broker::LOG, [columns=Broker::Info, ev=, path=broker])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , 
(NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, 
[columns=SIP::Info, ev=SIP::log_sip, path=sip])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Unified2::LOG, [columns=Unified2::Info, ev=Unified2::log_unified2, path=unified2])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) 
-> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539890895.780919, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -1119,53 +1119,53 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DNP3::LOG, [columns=, ev=DNP3::log_dnp3, path=dnp3])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DNS::LOG, [columns=, ev=DNS::log_dns, path=dns])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DPD::LOG, [columns=, ev=, path=dpd])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (FTP::LOG, 
[columns=, ev=FTP::log_ftp, path=ftp])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Files::LOG, [columns=, ev=Files::log_files, path=files])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=, ev=HTTP::log_http, path=http])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (IRC::LOG, [columns=, ev=IRC::irc_log, path=irc])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Intel::LOG, [columns=, ev=Intel::log_intel, path=intel])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=, ev=, path=ntlm])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::LOG, [columns=, ev=Notice::log_notice, path=notice])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=, ev=OpenFlow::log_openflow, path=openflow])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PE::LOG, [columns=, ev=PE::log_pe, path=pe])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , 
(PacketFilter::LOG, [columns=, ev=, path=packet_filter])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SSH::LOG, [columns=, ev=SSH::log_ssh, path=ssh])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SSL::LOG, [columns=, ev=SSL::log_ssl, path=ssl])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=, ev=Signatures::log_signature, path=signatures])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Software::LOG, [columns=, ev=Software::log_software, path=software])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=, ev=, path=syslog])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=, ev=, path=tunnel])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Unified2::LOG, [columns=, ev=Unified2::log_unified2, 
path=unified2])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http])) +0.000000 MetaHookPre 
CallFunction(Log::__create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter])) +0.000000 MetaHookPre 
CallFunction(Log::__create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel])) +0.000000 
MetaHookPre CallFunction(Log::__create_stream, , (Unified2::LOG, [columns=Unified2::Info, ev=Unified2::log_unified2, path=unified2])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539890895.780919, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1304,53 +1304,53 @@ 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (X509::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DNP3::LOG, [columns=, ev=DNP3::log_dnp3, path=dnp3])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DNS::LOG, [columns=, ev=DNS::log_dns, path=dns])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (DPD::LOG, [columns=, ev=, path=dpd])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (FTP::LOG, [columns=, ev=FTP::log_ftp, path=ftp])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Files::LOG, [columns=, ev=Files::log_files, path=files])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (HTTP::LOG, [columns=, ev=HTTP::log_http, path=http])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (IRC::LOG, [columns=, ev=IRC::irc_log, path=irc])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Intel::LOG, [columns=, ev=Intel::log_intel, path=intel])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Modbus::LOG, [columns=, 
ev=Modbus::log_modbus, path=modbus])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NTLM::LOG, [columns=, ev=, path=ntlm])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::LOG, [columns=, ev=Notice::log_notice, path=notice])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=, ev=OpenFlow::log_openflow, path=openflow])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (PE::LOG, [columns=, ev=PE::log_pe, path=pe])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=, ev=, path=packet_filter])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -0.000000 
MetaHookPre CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SSH::LOG, [columns=, ev=SSH::log_ssh, path=ssh])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SSL::LOG, [columns=, ev=SSL::log_ssl, path=ssl])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Signatures::LOG, [columns=, ev=Signatures::log_signature, path=signatures])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Software::LOG, [columns=, ev=Software::log_software, path=software])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Syslog::LOG, [columns=, ev=, path=syslog])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=, ev=, path=tunnel])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Unified2::LOG, [columns=, ev=Unified2::log_unified2, path=unified2])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Broker::LOG, [columns=Broker::Info, ev=, path=broker])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster])) +0.000000 MetaHookPre 
CallFunction(Log::create_stream, , (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (DPD::LOG, [columns=DPD::Info, ev=, path=dpd])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) +0.000000 
MetaHookPre CallFunction(Log::create_stream, , (NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping])) +0.000000 MetaHookPre 
CallFunction(Log::create_stream, , (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Unified2::LOG, [columns=Unified2::Info, ev=Unified2::log_unified2, path=unified2])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539890895.780919, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -2009,53 +2009,53 @@ 0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__create_stream(Broker::LOG, [columns=, ev=, path=broker]) -0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=, ev=, path=cluster]) -0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=, ev=Config::log_config, path=config]) -0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]) -0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=, ev=, path=dce_rpc]) -0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp]) -0.000000 | HookCallFunction Log::__create_stream(DNP3::LOG, [columns=, ev=DNP3::log_dnp3, path=dnp3]) -0.000000 | HookCallFunction Log::__create_stream(DNS::LOG, [columns=, ev=DNS::log_dns, path=dns]) -0.000000 | HookCallFunction Log::__create_stream(DPD::LOG, [columns=, ev=, path=dpd]) -0.000000 | HookCallFunction Log::__create_stream(FTP::LOG, [columns=, ev=FTP::log_ftp, path=ftp]) -0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=, ev=Files::log_files, 
path=files]) -0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=, ev=HTTP::log_http, path=http]) -0.000000 | HookCallFunction Log::__create_stream(IRC::LOG, [columns=, ev=IRC::irc_log, path=irc]) -0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=, ev=Intel::log_intel, path=intel]) -0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos]) -0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus]) -0.000000 | HookCallFunction Log::__create_stream(NTLM::LOG, [columns=, ev=, path=ntlm]) -0.000000 | HookCallFunction Log::__create_stream(NetControl::CATCH_RELEASE, [columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]) -0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]) -0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol]) -0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]) -0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm]) -0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=, ev=Notice::log_notice, path=notice]) -0.000000 | HookCallFunction Log::__create_stream(OpenFlow::LOG, [columns=, ev=OpenFlow::log_openflow, path=openflow]) -0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=, ev=PE::log_pe, path=pe]) -0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=, ev=, path=packet_filter]) -0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius]) -0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp]) -0.000000 | HookCallFunction 
Log::__create_stream(RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]) -0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=, ev=, path=reporter]) -0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]) -0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=, ev=, path=smb_files]) -0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping]) -0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]) -0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp]) -0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks]) -0.000000 | HookCallFunction Log::__create_stream(SSH::LOG, [columns=, ev=SSH::log_ssh, path=ssh]) -0.000000 | HookCallFunction Log::__create_stream(SSL::LOG, [columns=, ev=SSL::log_ssl, path=ssl]) -0.000000 | HookCallFunction Log::__create_stream(Signatures::LOG, [columns=, ev=Signatures::log_signature, path=signatures]) -0.000000 | HookCallFunction Log::__create_stream(Software::LOG, [columns=, ev=Software::log_software, path=software]) -0.000000 | HookCallFunction Log::__create_stream(Syslog::LOG, [columns=, ev=, path=syslog]) -0.000000 | HookCallFunction Log::__create_stream(Tunnel::LOG, [columns=, ev=, path=tunnel]) -0.000000 | HookCallFunction Log::__create_stream(Unified2::LOG, [columns=, ev=Unified2::log_unified2, path=unified2]) -0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) -0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) -0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | 
HookCallFunction Log::__create_stream(Broker::LOG, [columns=Broker::Info, ev=, path=broker]) +0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster]) +0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config]) +0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn]) +0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc]) +0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp]) +0.000000 | HookCallFunction Log::__create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3]) +0.000000 | HookCallFunction Log::__create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns]) +0.000000 | HookCallFunction Log::__create_stream(DPD::LOG, [columns=DPD::Info, ev=, path=dpd]) +0.000000 | HookCallFunction Log::__create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp]) +0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files]) +0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http]) +0.000000 | HookCallFunction Log::__create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc]) +0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel]) +0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos]) +0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus]) +0.000000 | HookCallFunction Log::__create_stream(NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm]) +0.000000 | HookCallFunction Log::__create_stream(NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, 
ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]) +0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]) +0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol]) +0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]) +0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm]) +0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice]) +0.000000 | HookCallFunction Log::__create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow]) +0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe]) +0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter]) +0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius]) +0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp]) +0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb]) +0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter]) +0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip]) +0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files]) +0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping]) +0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, 
[columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp]) +0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp]) +0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks]) +0.000000 | HookCallFunction Log::__create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh]) +0.000000 | HookCallFunction Log::__create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl]) +0.000000 | HookCallFunction Log::__create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures]) +0.000000 | HookCallFunction Log::__create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software]) +0.000000 | HookCallFunction Log::__create_stream(Syslog::LOG, [columns=Syslog::Info, ev=, path=syslog]) +0.000000 | HookCallFunction Log::__create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel]) +0.000000 | HookCallFunction Log::__create_stream(Unified2::LOG, [columns=Unified2::Info, ev=Unified2::log_unified2, path=unified2]) +0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) +0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) +0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1539890895.780919, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2194,53 +2194,53 @@ 0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(X509::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default) -0.000000 | HookCallFunction Log::create_stream(Broker::LOG, [columns=, ev=, path=broker]) -0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=, ev=, path=cluster]) -0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=, ev=Config::log_config, path=config]) -0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]) -0.000000 | HookCallFunction Log::create_stream(DCE_RPC::LOG, [columns=, ev=, path=dce_rpc]) -0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp]) -0.000000 | HookCallFunction Log::create_stream(DNP3::LOG, [columns=, ev=DNP3::log_dnp3, path=dnp3]) -0.000000 | HookCallFunction Log::create_stream(DNS::LOG, [columns=, ev=DNS::log_dns, path=dns]) -0.000000 | HookCallFunction Log::create_stream(DPD::LOG, [columns=, ev=, path=dpd]) -0.000000 | HookCallFunction Log::create_stream(FTP::LOG, [columns=, ev=FTP::log_ftp, path=ftp]) -0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=, ev=Files::log_files, path=files]) -0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=, ev=HTTP::log_http, path=http]) -0.000000 | HookCallFunction Log::create_stream(IRC::LOG, [columns=, ev=IRC::irc_log, path=irc]) -0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=, ev=Intel::log_intel, path=intel]) -0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=, ev=KRB::log_krb, path=kerberos]) -0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=, ev=Modbus::log_modbus, path=modbus]) -0.000000 | HookCallFunction Log::create_stream(NTLM::LOG, [columns=, ev=, path=ntlm]) -0.000000 | HookCallFunction Log::create_stream(NetControl::CATCH_RELEASE, 
[columns=, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]) -0.000000 | HookCallFunction Log::create_stream(NetControl::DROP, [columns=, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]) -0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=, ev=NetControl::log_netcontrol, path=netcontrol]) -0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]) -0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=, ev=, path=notice_alarm]) -0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=, ev=Notice::log_notice, path=notice]) -0.000000 | HookCallFunction Log::create_stream(OpenFlow::LOG, [columns=, ev=OpenFlow::log_openflow, path=openflow]) -0.000000 | HookCallFunction Log::create_stream(PE::LOG, [columns=, ev=PE::log_pe, path=pe]) -0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=, ev=, path=packet_filter]) -0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=, ev=RADIUS::log_radius, path=radius]) -0.000000 | HookCallFunction Log::create_stream(RDP::LOG, [columns=, ev=RDP::log_rdp, path=rdp]) -0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]) -0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=, ev=, path=reporter]) -0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]) -0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=, ev=, path=smb_files]) -0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping]) -0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]) -0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp]) -0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, [columns=, 
ev=SOCKS::log_socks, path=socks]) -0.000000 | HookCallFunction Log::create_stream(SSH::LOG, [columns=, ev=SSH::log_ssh, path=ssh]) -0.000000 | HookCallFunction Log::create_stream(SSL::LOG, [columns=, ev=SSL::log_ssl, path=ssl]) -0.000000 | HookCallFunction Log::create_stream(Signatures::LOG, [columns=, ev=Signatures::log_signature, path=signatures]) -0.000000 | HookCallFunction Log::create_stream(Software::LOG, [columns=, ev=Software::log_software, path=software]) -0.000000 | HookCallFunction Log::create_stream(Syslog::LOG, [columns=, ev=, path=syslog]) -0.000000 | HookCallFunction Log::create_stream(Tunnel::LOG, [columns=, ev=, path=tunnel]) -0.000000 | HookCallFunction Log::create_stream(Unified2::LOG, [columns=, ev=Unified2::log_unified2, path=unified2]) -0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) -0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) -0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::create_stream(Broker::LOG, [columns=Broker::Info, ev=, path=broker]) +0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=Cluster::Info, ev=, path=cluster]) +0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config]) +0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn]) +0.000000 | HookCallFunction Log::create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=, path=dce_rpc]) +0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp]) +0.000000 | HookCallFunction Log::create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3]) +0.000000 | 
HookCallFunction Log::create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns]) +0.000000 | HookCallFunction Log::create_stream(DPD::LOG, [columns=DPD::Info, ev=, path=dpd]) +0.000000 | HookCallFunction Log::create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp]) +0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files]) +0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http]) +0.000000 | HookCallFunction Log::create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc]) +0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel]) +0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos]) +0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus]) +0.000000 | HookCallFunction Log::create_stream(NTLM::LOG, [columns=NTLM::Info, ev=, path=ntlm]) +0.000000 | HookCallFunction Log::create_stream(NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]) +0.000000 | HookCallFunction Log::create_stream(NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]) +0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol]) +0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt]) +0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm]) +0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice]) +0.000000 | HookCallFunction 
Log::create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow]) +0.000000 | HookCallFunction Log::create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe]) +0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=, path=packet_filter]) +0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius]) +0.000000 | HookCallFunction Log::create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp]) +0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb]) +0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter]) +0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip]) +0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=, path=smb_files]) +0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=, path=smb_mapping]) +0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp]) +0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp]) +0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks]) +0.000000 | HookCallFunction Log::create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh]) +0.000000 | HookCallFunction Log::create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl]) +0.000000 | HookCallFunction Log::create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures]) +0.000000 | HookCallFunction Log::create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software]) +0.000000 | HookCallFunction Log::create_stream(Syslog::LOG, 
[columns=Syslog::Info, ev=, path=syslog]) +0.000000 | HookCallFunction Log::create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel]) +0.000000 | HookCallFunction Log::create_stream(Unified2::LOG, [columns=Unified2::Info, ev=Unified2::log_unified2, path=unified2]) +0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) +0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) +0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1539890895.780919, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2666,7 +2666,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1539890895.780919, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.empty-values-hashing/out b/testing/btest/Baseline/scripts.base.frameworks.input.empty-values-hashing/out index 7fedeac618..6348fc6a6a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.empty-values-hashing/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.empty-values-hashing/out 
@@ -11,7 +11,7 @@ Description [source=../input.log, reader=Input::READER_ASCII, mode=Input::REREAD, name=ssh, destination={ [2] = [s=, ss=], [1] = [s=, ss=TEST] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -43,7 +43,7 @@ Description [source=../input.log, reader=Input::READER_ASCII, mode=Input::REREAD, name=ssh, destination={ [2] = [s=, ss=], [1] = [s=, ss=TEST] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -88,7 +88,7 @@ Description [source=../input.log, reader=Input::READER_ASCII, mode=Input::REREAD, name=ssh, destination={ [2] = [s=TEST, ss=TEST], [1] = [s=TEST, ss=] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -120,7 +120,7 @@ Description [source=../input.log, reader=Input::READER_ASCII, mode=Input::REREAD, name=ssh, destination={ [2] = [s=TEST, ss=TEST], [1] = [s=TEST, ss=] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.event/out b/testing/btest/Baseline/scripts.base.frameworks.input.event/out index 9f872270e0..f8f0481eb9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.event/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.event/out @@ -1,4 +1,4 @@ -[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; 
@@ -10,7 +10,7 @@ print outfile, A::b; Input::EVENT_NEW 1 T -[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -22,7 +22,7 @@ print outfile, A::b; Input::EVENT_NEW 2 T -[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -34,7 +34,7 @@ print outfile, A::b; Input::EVENT_NEW 3 F -[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -46,7 +46,7 @@ print outfile, A::b; Input::EVENT_NEW 4 F -[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -58,7 +58,7 @@ print outfile, A::b; Input::EVENT_NEW 5 F -[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; 
@@ -70,7 +70,7 @@ print outfile, A::b; Input::EVENT_NEW 6 F -[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.basic/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.basic/out index c2abecb575..8229dcf402 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.basic/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.basic/out @@ -1,4 +1,4 @@ -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -16,7 +16,7 @@ terminate(); }] Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -34,7 +34,7 @@ terminate(); }] Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; 
@@ -52,7 +52,7 @@ terminate(); }] Input::EVENT_NEW q3r3057fdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -70,7 +70,7 @@ terminate(); }] Input::EVENT_NEW sdfs\d -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -88,7 +88,7 @@ terminate(); }] Input::EVENT_NEW -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -106,7 +106,7 @@ terminate(); }] Input::EVENT_NEW dfsdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -124,7 +124,7 @@ terminate(); }] Input::EVENT_NEW sdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.execute/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.execute/out index 06fd093d26..1f779acfff 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.execute/out 
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.execute/out @@ -1,4 +1,4 @@ -[source=wc -l ../input.log |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=wc -l ../input.log |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=Val, want_record=F, ev=line { print outfile, description; print outfile, tpe; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out index a1fdab05f5..db57aee9d6 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out @@ -1,4 +1,4 @@ -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -16,7 +16,7 @@ terminate(); }] Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -34,7 +34,7 @@ terminate(); }] Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; 
@@ -52,7 +52,7 @@ terminate(); }] Input::EVENT_NEW q3r3057fdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -70,7 +70,7 @@ terminate(); }] Input::EVENT_NEW sdfs\d -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -88,7 +88,7 @@ terminate(); }] Input::EVENT_NEW -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -106,7 +106,7 @@ terminate(); }] Input::EVENT_NEW dfsdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -124,7 +124,7 @@ terminate(); }] Input::EVENT_NEW sdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; 
@@ -142,7 +142,7 @@ terminate(); }] Input::EVENT_NEW 3rw43wRRERLlL#RWERERERE. -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -160,7 +160,7 @@ terminate(); }] Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -178,7 +178,7 @@ terminate(); }] Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -196,7 +196,7 @@ terminate(); }] Input::EVENT_NEW q3r3057fdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -214,7 +214,7 @@ terminate(); }] Input::EVENT_NEW sdfs\d -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; 
@@ -232,7 +232,7 @@ terminate(); }] Input::EVENT_NEW -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -250,7 +250,7 @@ terminate(); }] Input::EVENT_NEW dfsdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; @@ -268,7 +268,7 @@ terminate(); }] Input::EVENT_NEW sdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line { print outfile, A::description; print outfile, A::tpe; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.reread/out b/testing/btest/Baseline/scripts.base.frameworks.input.reread/out index 4ac7a804a5..19d323afcb 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.reread/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.reread/out @@ -28,7 +28,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -123,7 +123,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; 
@@ -230,7 +230,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -457,7 +457,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -582,7 +582,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -707,7 +707,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -832,7 +832,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -957,7 +957,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -1187,7 +1187,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -1240,7 +1240,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; 
@@ -1293,7 +1293,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -1346,7 +1346,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -1399,7 +1399,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; @@ -1452,7 +1452,7 @@ CC }, se={ }, vc=[10, 20, 30], ve=[]] -}, idx=, val=, want_record=T, ev=line +}, idx=A::Idx, val=A::Val, want_record=T, ev=line { print A::outfile, ============EVENT============; print A::outfile, Description; diff --git a/testing/btest/bifs/records_fields.bro b/testing/btest/bifs/records_fields.bro index ccaf5a719d..88df239b57 100644 --- a/testing/btest/bifs/records_fields.bro +++ b/testing/btest/bifs/records_fields.bro @@ -2,19 +2,45 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out +type myrec: record { + myfield: bool; +}; + +type tt: record { + a: bool; + b: string &default="Bar"; + c: double &optional; + d: string &log; + m: myrec; +}; + type r: record { a: count; b: string &default="Foo"; c: double &optional; d: string &log; + e: any; }; +type mystring: string; + event bro_init() { - local x: r = [$a=42, $d="Bar"]; + local x: r = [$a=42, $d="Bar", $e=tt]; print x; local t: record_field_table; t = record_fields(x); print t; print t["c"]?$value; + + t = record_fields(x$e); + print t; + t = record_fields(tt); + print t; + + x = [$a=42, $d="Bar", $e=mystring]; + t = record_fields(x); + print t; + t = record_fields(x$e); + print t; }
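Review bot: The new `record_fields` calls in `bro_init` print several tables back to back with nothing between them, so a mismatch in the `out` baseline cannot be traced to the case that regressed. Put a labelled print before each one, for example `print "record_fields(x$e), e=tt";` and `print "record_fields(tt)";`. The last block stores `mystring`, which is not a record type, in the `any` field and calls `record_fields(x$e)` on it, but nothing in the test says what result is expected. That looks like the case most likely to reach an unhandled type path in the BIF, so it should carry a comment such as `# e holds a non-record type: record_fields must not crash; baseline pins the result`.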