diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 117430223e..af8f2de94b 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -16,6 +16,7 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) @@ -24,6 +25,7 @@ rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) +rest_target(${psd} base/frameworks/analyzer/main.bro) rest_target(${psd} base/frameworks/cluster/main.bro) rest_target(${psd} base/frameworks/cluster/nodes/manager.bro) rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro) diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro index 9f6f656ee1..4e2f533226 100644 --- a/doc/scripts/example.bro +++ b/doc/scripts/example.bro @@ -54,11 +54,13 @@ global example_ports = { 443/tcp, 562/tcp, } &redef; -# redefinitions of "dpd_config" are self-documenting and -# go into the generated doc's "Port Analysis" section -redef dpd_config += { - [ANALYZER_SSL] = [$ports = example_ports] -}; + +event bro_init() + { + # Registering a well-known port is self-documenting and + # go into the generated doc's "Port Analysis" section + Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, example_ports); + } # redefinitions of "Notice::Type" are self-documenting, but # more information can be supplied in two different ways diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index b93ebcba24..d2f2b3172b 100644 
--- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro @@ -20,6 +20,9 @@ export { ## XXX. global registered_ports: function(tag: Analyzer::Tag) : set[port]; + ## XXX + global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; + ## Translate an analyzer type to an ASCII string. ## ## atype: The analyzer tag. @@ -106,6 +109,11 @@ function registered_ports(tag: Analyzer::Tag) : set[port] return tag in ports ? ports[tag] : set(); } +function all_registered_ports(): table[Analyzer::Tag] of set[port] + { + return ports; + } + function name(atype: Analyzer::Tag) : string { return __name(atype); diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 66cdbc6241..6279ba4dab 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -126,6 +126,8 @@ event bro_init() &priority=5 { Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_tcp_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_udp_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports); } diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro index c45486b776..d50e4599ed 100644 --- a/scripts/policy/frameworks/dpd/detect-protocols.bro +++ b/scripts/policy/frameworks/dpd/detect-protocols.bro @@ -70,7 +70,7 @@ export { } # Table that tracks currently active dynamic analyzers per connection. -global conns: table[conn_id] of set[count]; +global conns: table[conn_id] of set[Analyzer::Tag]; # Table of reports by other analyzers about the protocol used in a connection. global protocols: table[conn_id] of set[string]; 
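Review bot: The new export `all_registered_ports` is declared under a placeholder `## XXX` comment, so the generated script reference will say nothing about what the table contains. Suggest replacing it with `## Returns a table of all ports registered so far, indexed by analyzer tag.` followed by a `## Returns:` line, in the style of the `name` documentation just below. The neighbouring `registered_ports` declaration carries the same `## XXX.` placeholder and could be filled in at the same time.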
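Review bot: `all_registered_ports()` returns the module's `ports` table itself rather than a copy. Tables are reference types in this language, so any script that calls the accessor can add or delete entries and change the framework's record of registered ports without going through `Analyzer::register_for_ports`. Whether the core's actual port bindings would then disagree with the table depends on code outside this hunk. Returning `copy(ports)` would keep the accessor read-only. `registered_ports` in the context lines above hands out `ports[tag]` in the same way.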
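Review bot: `ANALYZER_DNS` ends up registered on exactly the port sets that the next two lines register for `ANALYZER_DNS_TCP_BINPAC` and `ANALYZER_DNS_UDP_BINPAC`. If more than one of these analyzers is enabled, the same DNS traffic would presumably be parsed twice and could produce duplicate events and log entries; which of them is enabled by default is not visible in this hunk. Either drop one set of registrations or add a one-line comment in `bro_init` stating which analyzer is expected to be active and why both are registered.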
@@ -80,7 +80,7 @@ type protocol : record { sub: string; # "sub-protocols" reported by other sources }; -function get_protocol(c: connection, a: count) : protocol +function get_protocol(c: connection, a: Analyzer::Tag) : protocol { local str = ""; if ( c$id in protocols ) @@ -97,7 +97,7 @@ function fmt_protocol(p: protocol) : string return p$sub != "" ? fmt("%s (via %s)", p$sub, p$a) : p$a; } -function do_notice(c: connection, a: count, d: dir) +function do_notice(c: connection, a: Analyzer::Tag, d: dir) { if ( d == BOTH ) return; @@ -113,7 +113,7 @@ function do_notice(c: connection, a: count, d: dir) NOTICE([$note=Protocol_Found, $msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p), - $sub=s, $conn=c, $n=a]); + $sub=s, $conn=c]); # We report multiple Server_Found's per host if we find a new # sub-protocol. @@ -129,7 +129,7 @@ function do_notice(c: connection, a: count, d: dir) NOTICE([$note=Server_Found, $msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s, c$id$resp_p, (known ? " (update)" : "")), - $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h, $n=a]); + $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h]); if ( ! known ) servers[c$id$resp_h, c$id$resp_p, p$a] = set(); @@ -214,7 +214,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) } } -function found_protocol(c: connection, analyzer: Analyzer::tag, protocol: string) +function found_protocol(c: connection, atype: Analyzer::Tag, protocol: string) { # Don't report anything running on a well-known port. if ( c$id$resp_p in Analyzer::registered_ports(atype) ) diff --git a/src/RuleAction.cc b/src/RuleAction.cc index 808bead3d8..c0a4809c88 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc 
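Review bot: Notice policies or downstream consumers that match `Protocol_Found` on `$n` will silently stop matching, because the `NOTICE` call in `do_notice` no longer sets `$n=a`; the `Server_Found` call in the following hunk drops it the same way. After this change the analyzer is identifiable only through the formatted string in `$sub=s`. If dropping the field is intended now that `a` is an `Analyzer::Tag` rather than a `count`, a comment such as `# $n is no longer set; the analyzer name is carried in $sub.` above the first `NOTICE` would make that explicit. The body of `do_notice` extends beyond both hunks.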
@@ -42,10 +42,16 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) string arg = str.substr(0, pos); analyzer = analyzer_mgr->GetAnalyzerTag(arg); + if ( ! analyzer ) + reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); + if ( pos != string::npos ) { arg = str.substr(pos + 1); child_analyzer = analyzer_mgr->GetAnalyzerTag(arg); + + if ( ! child_analyzer ) + reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); } else child_analyzer = analyzer::Tag::ERROR; diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index ca15ad56e1..6ef67eb497 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -41,15 +41,20 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, analyzer::ID Analyzer::id_counter = 0;; +const string& Analyzer::GetAnalyzerName() const + { + return analyzer_mgr->GetAnalyzerName(tag); + } + bool Analyzer::IsAnalyzer(const char* name) { - return analyzer_mgr->GetAnalyzerName(Tag()) == name; + return analyzer_mgr->GetAnalyzerName(tag) == name; } // Used in debugging output. static string fmt_analyzer(Analyzer* a) { - return analyzer_mgr->GetAnalyzerName(a->GetTag()) + fmt("[%d]", a->GetID()); + return a->GetAnalyzerName() + fmt("[%d]", a->GetID()); } Analyzer::Analyzer(const char* name, Connection* arg_conn) @@ -320,7 +325,7 @@ void Analyzer::ForwardEndOfData(bool orig) void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init) { - if ( HasChildAnalyzer(analyzer->GetTag()) ) + if ( HasChildAnalyzer(analyzer->GetAnalyzerTag()) ) { analyzer->Done(); delete analyzer; 
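Review bot: Both new warnings print the same text, `unknown analyzer '%s' specified in rule`, and neither names the rule, so an operator cannot tell which signature has the typo or whether the parent or the child name failed to resolve. The constructor also continues with the unresolved tag, so the rule's analyzer action will presumably never take effect and the only trace is a start-up warning, which is an easy detection gap to miss. Suggest making the second message distinct, `reporter->Warning("unknown child analyzer '%s' specified in rule", arg.c_str());`, and consider `reporter->Error` if a rule that cannot act should fail the load. The constructor begins above the hunk.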
@@ -381,7 +386,7 @@ void Analyzer::RemoveChildAnalyzer(ID id) LOOP_OVER_CHILDREN(i) if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", analyzer_mgr->GetAnalyzerName(GetTag()).c_str(), id, + DBG_LOG(DBG_DPD, "%s disabling child %s", GetAnalyzerName().c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // See comment above. (*i)->removing = true; @@ -460,7 +465,7 @@ void Analyzer::DeleteChild(analyzer_list::iterator i) void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer) { - if ( HasSupportAnalyzer(analyzer->GetTag(), analyzer->IsOrig()) ) + if ( HasSupportAnalyzer(analyzer->GetAnalyzerTag(), analyzer->IsOrig()) ) { DBG_LOG(DBG_DPD, "%s already has %s %s", fmt_analyzer(this).c_str(), diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index bc20d208b8..704c131bca 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -140,7 +140,8 @@ public: bool IsFinished() const { return finished; } - Tag GetTag() const { return tag; } + Tag GetAnalyzerTag() const { return tag; } + const string& GetAnalyzerName() const; bool IsAnalyzer(const char* name); // Management of the tree. diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index b2d35215f3..78c086d409 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -316,10 +316,12 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) return a; } -string Manager::GetAnalyzerName(Tag tag) +const string& Manager::GetAnalyzerName(Tag tag) { + static string error = ""; + if ( ! tag ) - return ""; + return error; PluginComponent* c = Lookup(tag); @@ -329,7 +331,7 @@ string Manager::GetAnalyzerName(Tag tag) return c->Name(); } -string Manager::GetAnalyzerName(Val* val) +const string& Manager::GetAnalyzerName(Val* val) { return GetAnalyzerName(Tag(val->AsEnumVal())); } 
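Review bot: The rewritten `DBG_LOG` call in `RemoveChildAnalyzer` still passes four arguments to a format string that has only two `%s` conversions, and the second `%s` receives `id`, which is an analyzer `ID` rather than a string. Assuming `DBG_LOG` forwards to a printf-style formatter, that is undefined behaviour whenever DPD debug logging is enabled and can crash or print garbage. Dropping the first two arguments fixes it: `DBG_LOG(DBG_DPD, "%s disabling child %s", fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());`. The function body starts above the hunk.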
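Review bot: A return path in `Manager::GetAnalyzerName(Tag)` that is not visible here may now hand back a dangling reference. The return type becomes `const string&`, but the hunk only converts the `! tag` path to the static `error`. The lines between `Lookup(tag)` and `return c->Name();` are outside both hunks; if the not-found branch there still returns a literal or a temporary, it needs to return `error` as well. The static is also never modified, so `static const string error;` states the intent. A comment on the declaration in Manager.h noting that the reference is only valid while the component stays registered would help callers.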
@@ -354,13 +356,13 @@ EnumType* Manager::GetTagEnumType() PluginComponent* Manager::Lookup(const string& name) { - analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } PluginComponent* Manager::Lookup(const char* name) { - analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } @@ -598,7 +600,7 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, { if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - udp->AddChildAnalyzer(new ConnSize_Analyzer(conn)); + root->AddChildAnalyzer(new ConnSize_Analyzer(conn)); } if ( pia ) diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 47a70df716..ceca74bf0c 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -88,8 +88,8 @@ public: Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled. - string GetAnalyzerName(Tag tag); - string GetAnalyzerName(Val* val); + const string& GetAnalyzerName(Tag tag); + const string& GetAnalyzerName(Val* val); Tag GetAnalyzerTag(const string& name); // Tag::ERROR when not known. Tag GetAnalyzerTag(const char* name); // Tag::ERROR when not known. diff --git a/src/analyzer/PluginComponent.h b/src/analyzer/PluginComponent.h index 6db5aaf994..baad63f9f8 100644 --- a/src/analyzer/PluginComponent.h +++ b/src/analyzer/PluginComponent.h 
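Review bot: Upper-casing the key in both `Lookup` overloads only works if every insertion into `analyzers_by_name` stores the upper-cased name too, and the registration path is not part of this hunk. Name handling is also inconsistent within the commit: `Analyzer::IsAnalyzer` in src/analyzer/Analyzer.cc still compares with an exact, case-sensitive `==`, so a lower-case name could resolve here yet fail there. Suggest a comment next to the map, `// Keys are stored upper-case; lookups are case-insensitive.`, and having the `const char*` overload forward with `return Lookup(string(name));` so the normalisation lives in one place.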
@@ -25,7 +25,7 @@ public: PluginComponent(std::string name, factory_callback factory, bool enabled, bool partial); PluginComponent(std::string name, Tag::subtype_t subtype, factory_callback factory, bool enabled, bool partial); - std::string Name() const { return name; } + const std::string& Name() const { return name; } factory_callback Factory() const { return factory; } bool Partial() const { return partial; } bool Enabled() const { return enabled; } diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 41209a4084..b476306ae6 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2012-07-20-14-34-11 +#open 2013-03-26-20-58-03 #fields name #types string scripts/base/init-bare.bro @@ -29,5 +29,8 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/./main.bro + build/src/base/analyzer.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2012-07-20-14-34-11 +#close 2013-03-26-20-58-03 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index d9e8ee0703..ddcae1d0eb 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-02-11-18-44-43 +#open 2013-03-26-20-58-16 #fields name #types string scripts/base/init-bare.bro @@ -29,6 +29,9 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/./main.bro + build/src/base/analyzer.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -119,4 +122,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-02-11-18-44-43 +#close 2013-03-26-20-58-16 diff --git a/testing/btest/Baseline/istate.events-ssl/events.rec.log b/testing/btest/Baseline/istate.events-ssl/events.rec.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events-ssl/events.rec.log +++ b/testing/btest/Baseline/istate.events-ssl/events.rec.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events-ssl/events.snd.log b/testing/btest/Baseline/istate.events-ssl/events.snd.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events-ssl/events.snd.log +++ b/testing/btest/Baseline/istate.events-ssl/events.snd.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log index 3fc7f1b66f..5b56c38e66 100644 --- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log +++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-03 +#open 2013-03-26-21-06-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-04 +1364331986.091724 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-27 diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log index 3fc7f1b66f..5b56c38e66 100644 --- a/testing/btest/Baseline/istate.events-ssl/sender.http.log +++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-03 +#open 2013-03-26-21-06-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-04 +1364331986.091724 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-27 diff --git a/testing/btest/Baseline/istate.events/events.rec.log b/testing/btest/Baseline/istate.events/events.rec.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events/events.rec.log +++ b/testing/btest/Baseline/istate.events/events.rec.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events/events.snd.log b/testing/btest/Baseline/istate.events/events.snd.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events/events.snd.log +++ b/testing/btest/Baseline/istate.events/events.snd.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log index 6862c08b98..2863571349 100644 --- a/testing/btest/Baseline/istate.events/receiver.http.log 
+++ b/testing/btest/Baseline/istate.events/receiver.http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-12 +#open 2013-03-26-21-06-18 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-13 +1364331977.210008 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-19 diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log index 6862c08b98..484eb11f11 100644 --- a/testing/btest/Baseline/istate.events/sender.http.log +++ b/testing/btest/Baseline/istate.events/sender.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-12 +#open 2013-03-26-21-06-17 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-13 +1364331977.210008 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-18 diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out index abb41f330c..d9f5126aab 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out @@ -1,6 +1,4 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request 141.142.220.235:50003 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out index a2227ee890..f26ff25291 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out 
@@ -1,6 +1,4 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out index 55566505d8..1b3be8e060 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out @@ -1,3 +1 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out index 55566505d8..1b3be8e060 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out @@ -1,3 +1 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 diff --git a/testing/btest/bifs/analyzer_name.bro b/testing/btest/bifs/analyzer_name.bro index 9297d2ca27..266d1c159f 100644 --- a/testing/btest/bifs/analyzer_name.bro +++ b/testing/btest/bifs/analyzer_name.bro @@ -4,6 +4,6 @@ event bro_init() { - local a = 1; - print analyzer_name(a); + local a = Analyzer::ANALYZER_PIA_TCP; + print Analyzer::name(a); } diff --git a/testing/btest/core/tunnels/gtp/non_recursive.test b/testing/btest/core/tunnels/gtp/non_recursive.test index d44bfce79d..0b03c0d6ae 100644 --- a/testing/btest/core/tunnels/gtp/non_recursive.test +++ b/testing/btest/core/tunnels/gtp/non_recursive.test 
@@ -5,7 +5,7 @@ # So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152, # it is just a UDP packet, but not another GTP tunnel. -event protocol_violation(c: connection, atype: count, aid: count, reason: string) +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) { print "protocol_violation", c$id, reason; } diff --git a/testing/btest/signatures/dpd.bro b/testing/btest/signatures/dpd.bro index d6ae02cb50..a311ae3bd3 100644 --- a/testing/btest/signatures/dpd.bro +++ b/testing/btest/signatures/dpd.bro @@ -33,7 +33,7 @@ signature my_ftp_server { event bro_init() { # no analyzer attached to any port by default, depends entirely on sigs - print "dpd_config", dpd_config; + print "|Analyzer::all_registered_ports()|", |Analyzer::all_registered_ports()|; } event signature_match(state: signature_state, msg: string, data: string)