From 3415b5fcbe36e37443ce93a159e5ade299ad9f6b Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Tue, 15 Jan 2013 16:01:30 -0800 Subject: [PATCH] make sqlite support more or less work for logging and input * add support for &type_column for reading * add basic tests for logging & input * clean up a bit * add support for tables for reading (untested) --- src/input/readers/SQLite.cc | 158 +++++++----------- src/input/readers/SQLite.h | 12 +- src/logging/writers/SQLite.cc | 24 +-- src/main.cc | 12 ++ .../out | 35 ++++ .../out | 3 + .../conn.select | 34 ++++ .../http.select | 14 ++ .../base/frameworks/input/sqlite/basic.bro | 98 +++++++++++ .../base/frameworks/input/sqlite/port.bro | 48 ++++++ .../frameworks/logging/sqlite/wikipedia.bro | 8 + 11 files changed, 325 insertions(+), 121 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.sqlite.port/out create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select create mode 100644 testing/btest/scripts/base/frameworks/input/sqlite/basic.bro create mode 100644 testing/btest/scripts/base/frameworks/input/sqlite/port.bro create mode 100644 testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro diff --git a/src/input/readers/SQLite.cc b/src/input/readers/SQLite.cc index e6192645e1..8821d1a8a2 100644 --- a/src/input/readers/SQLite.cc +++ b/src/input/readers/SQLite.cc @@ -9,13 +9,12 @@ #include #include - -#include "../../threading/SerialTypes.h" - #include #include #include +#include "../../threading/SerialTypes.h" + using namespace input::reader; using threading::Value; using threading::Field; @@ -54,6 +53,12 @@ bool SQLite::checkError( int code ) bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields) { + if ( sqlite3_threadsafe() == 0 ) + { + Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting"); + return false; + } + started = false; string fullpath(info.source); @@ -64,7 +69,6 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading: if ( it == info.config.end() ) { MsgThread::Info(Fmt("dbname configuration option not found. Defaulting to source %s", info.source)); - Error(Fmt("dbname configuration option not found. Defaulting to source %s", info.source)); dbname = info.source; } else @@ -105,9 +109,10 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading: return true; } -Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos) +// pos = field position +// subpos = subfield position, only used for port-field +Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos, int subpos) { - if ( sqlite3_column_type(st, pos ) == SQLITE_NULL ) return new Value(field->type, false); @@ -130,10 +135,11 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p case TYPE_BOOL: { - if ( sqlite3_column_type(st, pos) != SQLITE_INTEGER ) { + if ( sqlite3_column_type(st, pos) != SQLITE_INTEGER ) + { Error("Invalid data type for boolean - expected Integer"); return 0; - } + } int res = sqlite3_column_int(st, pos); @@ -163,11 +169,23 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p break; case TYPE_PORT: + { val->val.port_val.port = sqlite3_column_int(st, pos); val->val.port_val.proto = TRANSPORT_UNKNOWN; + if ( subpos != -1 ) + { + const char *text = (const char*) sqlite3_column_text(st, subpos); + string s(text, sqlite3_column_bytes(st, subpos)); + if ( text == 0 ) + Error("Port protocol definition did not contain text"); + else + val->val.port_val.proto = io->StringToProto(s); + } break; + } - case TYPE_SUBNET: { + case TYPE_SUBNET: + { const char *text = (const char*) sqlite3_column_text(st, pos); string s(text, sqlite3_column_bytes(st, pos)); int pos = s.find("/"); @@ -177,8 +195,8 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p val->val.subnet_val.prefix = io->StringToAddr(addr); val->val.subnet_val.length = width; break; - } + case TYPE_ADDR: { const char *text = (const char*) sqlite3_column_text(st, pos); @@ -189,81 +207,12 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p case TYPE_TABLE: case TYPE_VECTOR: - assert(false); - /* - // First - common initialization - // Then - initialization for table. - // Then - initialization for vector. - // Then - common stuff { - // how many entries do we have... - unsigned int length = 1; - for ( unsigned int i = 0; i < s.size(); i++ ) - if ( s[i] == ',') length++; - - unsigned int pos = 0; - - if ( s.compare(empty_field) == 0 ) - length = 0; - - - Value** lvals = new Value* [length]; - - if ( field->type == TYPE_TABLE ) - { - val->val.set_val.vals = lvals; - val->val.set_val.size = length; - } - else if ( field->type == TYPE_VECTOR ) - { - val->val.vector_val.vals = lvals; - val->val.vector_val.size = length; - else - assert(false); - - if ( length == 0 ) - break; //empty - - istringstream splitstream(s); - while ( splitstream ) - { - string element; - - if ( !getline(splitstream, element, ',') ) - break; - - if ( pos >= length ) - { - Error(Fmt("Internal error while parsing set. pos %d >= length %d. Element: %s", pos, length, element.c_str())); - break; - } - - Field* newfield = new Field(*field); - newfield->type = field->subtype; - Value* newval = EntryToVal(element, newfield); - delete(newfield); - if ( newval == 0 ) - { - Error("Error while reading set"); - return 0; - } - lvals[pos] = newval; - - pos++; - - } - - - if ( pos != length ) - { - Error("Internal error while parsing set: did not find all elements"); - return 0; - } - + const char *text = (const char*) sqlite3_column_text(st, pos); + string s(text, sqlite3_column_bytes(st, pos)); + val = io->StringToVal(s, "", field->type, field->subtype); break; } - */ - default: Error(Fmt("unsupported field format %d", field->type)); @@ -276,29 +225,26 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p bool SQLite::DoUpdate() { - int numcolumns = sqlite3_column_count(st); - /* This can happen legitimately I think... - if ( numcolumns != num_fields ) - { - Error(Fmt("SQLite query returned %d results, but input framework expected %d. Aborting", numcolumns, num_fields)); - return false; - } - */ - int *mapping = new int [num_fields]; + int *submapping = new int [num_fields]; // first set them all to -1 for ( unsigned int i = 0; i < num_fields; ++i ) { mapping[i] = -1; + submapping[i] = -1; } + + for ( unsigned int i = 0; i < numcolumns; ++i ) { const char *name = sqlite3_column_name(st, i); - for ( unsigned j = 0; j < num_fields; j++ ) { - if ( strcmp(fields[j]->name, name) == 0 ) { + for ( unsigned j = 0; j < num_fields; j++ ) + { + if ( strcmp(fields[j]->name, name) == 0 ) + { if ( mapping[j] != -1 ) { Error(Fmt("SQLite statement returns several columns with name %s! Cannot decide which to choose, aborting", name)); @@ -306,10 +252,20 @@ bool SQLite::DoUpdate() } mapping[j] = i; - break; - } - } + } + if ( fields[j]->secondary_name != 0 && strcmp(fields[j]->secondary_name, name) == 0 ) + { + assert(fields[j]->type == TYPE_PORT); + if ( submapping[j] != -1 ) + { + Error(Fmt("SQLite statement returns several columns with name %s! Cannot decide which to choose, aborting", name)); + return false; + } + + submapping[j] = i; + } + } } for ( unsigned int i = 0; i < num_fields; ++i ) { @@ -327,12 +283,9 @@ bool SQLite::DoUpdate() for ( unsigned int j = 0; j < num_fields; ++j) { - - ofields[j] = EntryToVal(st, fields[j], mapping[j]); - if ( ofields[j] == 0 ) { + ofields[j] = EntryToVal(st, fields[j], mapping[j], submapping[j]); + if ( ofields[j] == 0 ) return false; - } - } SendEntry(ofields); @@ -344,7 +297,8 @@ bool SQLite::DoUpdate() EndCurrentSend(); - delete (mapping); + delete [] mapping; + delete [] submapping; if ( checkError(sqlite3_reset(st)) ) return false; diff --git a/src/input/readers/SQLite.h b/src/input/readers/SQLite.h index 38fdddf3aa..6ab6bb9c58 100644 --- a/src/input/readers/SQLite.h +++ b/src/input/readers/SQLite.h @@ -37,22 +37,16 @@ protected: private: bool checkError(int code); - unsigned int num_fields; - + threading::Value* EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos, int subpos); + const threading::Field* const * fields; // raw mapping - - threading::Value* EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos); - + unsigned int num_fields; int mode; - bool started; string query; - sqlite3 *db; sqlite3_stmt *st; - AsciiInputOutput* io; - }; diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc index fd8900851b..dc58688994 100644 --- a/src/logging/writers/SQLite.cc +++ b/src/logging/writers/SQLite.cc @@ -76,7 +76,7 @@ string SQLite::GetTableType(int arg_type, int arg_subtype) { case TYPE_STRING: case TYPE_FILE: case TYPE_FUNC: - type = "TEXT"; + type = "text"; break; case TYPE_TABLE: @@ -107,22 +107,26 @@ bool SQLite::checkError( int code ) bool SQLite::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields) { - if ( sqlite3_threadsafe() == 0 ) { + if ( sqlite3_threadsafe() == 0 ) + { Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting"); return false; - } + } string fullpath(info.path); fullpath.append(".sqlite"); string dbname; map::const_iterator it = info.config.find("dbname"); - if ( it == info.config.end() ) { + if ( it == info.config.end() ) + { MsgThread::Info(Fmt("dbname configuration option not found. Defaulting to path %s", info.path)); dbname = info.path; - } else { + } + else + { dbname = it->second; - } + } if ( checkError(sqlite3_open_v2( @@ -135,7 +139,7 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, NULL)) ) return false; - string create = "CREATE TABLE IF NOT EXISTS "+dbname+" (\n"; // yes. using path here is stupid. open for better ideas. + string create = "CREATE TABLE IF NOT EXISTS "+dbname+" (\n"; //"id SERIAL UNIQUE NOT NULL"; // SQLite has rowids, we do not need a counter here. for ( int i = 0; i < num_fields; ++i ) @@ -197,7 +201,6 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, insert += "?"; char* fieldname = sqlite3_mprintf("%Q", fields[i]->name); - printf("Fieldname: %s\n", fieldname); if ( fieldname == 0 ) { InternalError("Could not malloc memory"); @@ -219,7 +222,8 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields, } // Format String -char* SQLite::FS(const char* format, ...) { +char* SQLite::FS(const char* format, ...) + { char * buf; va_list al; @@ -230,7 +234,7 @@ char* SQLite::FS(const char* format, ...) { assert(n >= 0); return buf; -} + } int SQLite::AddParams(Value* val, int pos) { diff --git a/src/main.cc b/src/main.cc index 5999186240..2c96104a8e 100644 --- a/src/main.cc +++ b/src/main.cc @@ -16,6 +16,10 @@ #include #endif +#ifdef USE_SQLITE +#include "sqlite3.h" +#endif + #ifdef USE_IDMEF extern "C" { #include @@ -724,6 +728,10 @@ int main(int argc, char** argv) curl_global_init(CURL_GLOBAL_ALL); #endif +#ifdef USE_SQLITE + sqlite3_initialize(); +#endif + // FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't // seed the PRNG. We should do this here (but at least Linux, FreeBSD // and Solaris provide /dev/urandom). @@ -1078,6 +1086,10 @@ int main(int argc, char** argv) curl_global_cleanup(); #endif +#ifdef USE_SQLITE + sqlite3_shutdown(); +#endif + terminate_bro(); // Close files after net_delete(), because net_delete() diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out new file mode 100644 index 0000000000..f227bb5d8e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out @@ -0,0 +1,35 @@ +[ts=1300475167.096535, uid=dnGM1AdIVyh, id=[orig_h=141.142.220.202, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown], proto=udp, service=dns, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=73, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475167.097012, uid=fv9q7WjEgp1, id=[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/unknown, resp_h=ff02::fb, resp_p=5353/unknown], proto=udp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=199, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475167.099816, uid=0Ox0H56yl88, id=[orig_h=141.142.220.50, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown], proto=udp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=179, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475168.853899, uid=rvmSc7rDQub, id=[orig_h=141.142.220.118, orig_p=43927/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000435, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=] +[ts=1300475168.854378, uid=ogkztouSArh, id=[orig_h=141.142.220.118, orig_p=37676/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.00042, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=] +[ts=1300475168.854837, uid=0UIDdXFt7Tb, id=[orig_h=141.142.220.118, orig_p=40526/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000392, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=] +[ts=1300475168.857956, uid=WqFYV51UIq7, id=[orig_h=141.142.220.118, orig_p=32902/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000317, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=] +[ts=1300475168.858306, uid=ylcqZpbz6K2, id=[orig_h=141.142.220.118, orig_p=59816/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000343, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=] +[ts=1300475168.858713, uid=blhldTzA7Y6, id=[orig_h=141.142.220.118, orig_p=59714/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000375, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=] +[ts=1300475168.891644, uid=Sc34cGJo3Kg, id=[orig_h=141.142.220.118, orig_p=58206/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000339, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=] +[ts=1300475168.892037, uid=RzvFrfXSRfk, id=[orig_h=141.142.220.118, orig_p=38911/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000335, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=] +[ts=1300475168.892414, uid=GaaFI58mpbe, id=[orig_h=141.142.220.118, orig_p=59746/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000421, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=] +[ts=1300475168.893988, uid=tr7M6tvAIQa, id=[orig_h=141.142.220.118, orig_p=45000/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000384, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=] +[ts=1300475168.894422, uid=gV0TcSc2pb4, id=[orig_h=141.142.220.118, orig_p=48479/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000317, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=] +[ts=1300475168.894787, uid=MOG0z4PYOhk, id=[orig_h=141.142.220.118, orig_p=48128/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000423, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=] +[ts=1300475168.901749, uid=PlehgEduUyj, id=[orig_h=141.142.220.118, orig_p=56056/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000402, orig_bytes=36, resp_bytes=131, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=64, resp_pkts=1, resp_ip_bytes=159, tunnel_parents=] +[ts=1300475168.902195, uid=4eZgk09f2Re, id=[orig_h=141.142.220.118, orig_p=55092/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000374, orig_bytes=36, resp_bytes=198, conn_state=SF, local_orig=, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=64, resp_pkts=1, resp_ip_bytes=226, tunnel_parents=] +[ts=1300475169.899438, uid=3xwJPc7mQ9a, id=[orig_h=141.142.220.44, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown], proto=udp, service=dns, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=85, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475170.862384, uid=yxTcvvTKWQ4, id=[orig_h=141.142.220.226, orig_p=137/unknown, resp_h=141.142.220.255, resp_p=137/unknown], proto=udp, service=dns, duration=2.613017, orig_bytes=350, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=7, orig_ip_bytes=546, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475171.675372, uid=8bLW3XNfhCj, id=[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/unknown, resp_h=ff02::1:3, resp_p=5355/unknown], proto=udp, service=dns, duration=0.100096, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=162, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475171.677081, uid=rqjhiiRPjEe, id=[orig_h=141.142.220.226, orig_p=55131/unknown, resp_h=224.0.0.252, resp_p=5355/unknown], proto=udp, service=dns, duration=0.100021, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=122, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475173.116749, uid=hTPyfL3QSGa, id=[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/unknown, resp_h=ff02::1:3, resp_p=5355/unknown], proto=udp, service=dns, duration=0.099801, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=162, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475173.117362, uid=EruUQ9AJRj4, id=[orig_h=141.142.220.226, orig_p=55671/unknown, resp_h=224.0.0.252, resp_p=5355/unknown], proto=udp, service=dns, duration=0.099849, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=122, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475173.153679, uid=sw1bKJOMjuk, id=[orig_h=141.142.220.238, orig_p=56641/unknown, resp_h=141.142.220.255, resp_p=137/unknown], proto=udp, service=dns, duration=, orig_bytes=, resp_bytes=, conn_state=S0, local_orig=, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=78, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=] +[ts=1300475168.724007, uid=NPHCuyWykE7, id=[orig_h=141.142.220.118, orig_p=48649/unknown, resp_h=208.80.152.118, resp_p=80/unknown], proto=tcp, service=http, duration=0.119905, orig_bytes=525, resp_bytes=232, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=4, orig_ip_bytes=741, resp_pkts=3, resp_ip_bytes=396, tunnel_parents=] +[ts=1300475168.892936, uid=VapPqRhPgJ4, id=[orig_h=141.142.220.118, orig_p=50000/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.229603, orig_bytes=1148, resp_bytes=734, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1468, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=] +[ts=1300475168.859163, uid=3607hh8C3bc, id=[orig_h=141.142.220.118, orig_p=49998/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.215893, orig_bytes=1130, resp_bytes=734, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1450, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=] +[ts=1300475168.855305, uid=tgYMrIvzDSg, id=[orig_h=141.142.220.118, orig_p=49996/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.218501, orig_bytes=1171, resp_bytes=733, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1491, resp_pkts=4, resp_ip_bytes=949, tunnel_parents=] +[ts=1300475168.895267, uid=xQsjPwNBrXd, id=[orig_h=141.142.220.118, orig_p=50001/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.227284, orig_bytes=1178, resp_bytes=734, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1498, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=] +[ts=1300475168.902635, uid=Ap3GzMI1vM9, id=[orig_h=141.142.220.118, orig_p=35642/unknown, resp_h=208.80.152.2, resp_p=80/unknown], proto=tcp, service=http, duration=0.120041, orig_bytes=534, resp_bytes=412, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=4, orig_ip_bytes=750, resp_pkts=3, resp_ip_bytes=576, tunnel_parents=] +[ts=1300475168.85533, uid=FTVcgrmNy52, id=[orig_h=141.142.220.118, orig_p=49997/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.21972, orig_bytes=1125, resp_bytes=734, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1445, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=] +[ts=1300475169.780331, uid=1xFx4PGdeq5, id=[orig_h=141.142.220.235, orig_p=6705/unknown, resp_h=173.192.163.128, resp_p=80/unknown], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=OTH, local_orig=, missed_bytes=0, history=h, orig_pkts=0, orig_ip_bytes=0, resp_pkts=1, resp_ip_bytes=48, tunnel_parents=] +[ts=1300475168.652003, uid=WIG1ud65z22, id=[orig_h=141.142.220.118, orig_p=35634/unknown, resp_h=208.80.152.2, resp_p=80/unknown], proto=tcp, service=, duration=0.061329, orig_bytes=463, resp_bytes=350, conn_state=OTH, local_orig=, missed_bytes=0, history=DdA, orig_pkts=2, orig_ip_bytes=567, resp_pkts=1, resp_ip_bytes=402, tunnel_parents=] +[ts=1300475168.892913, uid=o2gAkl4V7sa, id=[orig_h=141.142.220.118, orig_p=49999/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.220961, orig_bytes=1137, resp_bytes=733, conn_state=S1, local_orig=, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1457, resp_pkts=4, resp_ip_bytes=949, tunnel_parents=] +End of data diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.port/out b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.port/out new file mode 100644 index 0000000000..a2cc947fbc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.sqlite.port/out @@ -0,0 +1,3 @@ +5353/udp +6162/tcp +End of data diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select new file mode 100644 index 0000000000..0e93dc54e1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select @@ -0,0 +1,34 @@ +1300475167.09653|UWkUyAuUGXf|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|73|0|0| +1300475167.09701|arKYeMETxOg|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|||||S0||0|D|1|199|0|0| +1300475167.09982|k6kgXLOoSKl|141.142.220.50|5353|224.0.0.251|5353|udp|||||S0||0|D|1|179|0|0| +1300475168.652|nQcgTWjvg4c|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH||0|DdA|2|567|1|402| +1300475168.72401|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1||0|ShADad|4|741|3|396| +1300475168.8539|TEfuqmmG4bh|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF||0|Dd|1|66|1|117| +1300475168.85438|FrJExwHcSal|141.142.220.118|37676|141.142.2.2|53|udp|dns|0.000420093536376953|52|99|SF||0|Dd|1|80|1|127| +1300475168.85484|5OKnoww6xl4|141.142.220.118|40526|141.142.2.2|53|udp|dns|0.000391960144042969|38|183|SF||0|Dd|1|66|1|211| +1300475168.85533|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|tcp|http|0.219720125198364|1125|734|S1||0|ShADad|6|1445|4|950| +1300475168.8553|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|tcp|http|0.218501091003418|1171|733|S1||0|ShADad|6|1491|4|949| +1300475168.85796|fRFu0wcOle6|141.142.220.118|32902|141.142.2.2|53|udp|dns|0.000317096710205078|38|89|SF||0|Dd|1|66|1|117| +1300475168.85831|qSsw6ESzHV4|141.142.220.118|59816|141.142.2.2|53|udp|dns|0.000343084335327148|52|99|SF||0|Dd|1|80|1|127| +1300475168.85871|iE6yhOq3SF|141.142.220.118|59714|141.142.2.2|53|udp|dns|0.000375032424926758|38|183|SF||0|Dd|1|66|1|211| +1300475168.85916|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|tcp|http|0.215893030166626|1130|734|S1||0|ShADad|6|1450|4|950| +1300475168.89164|qCaWGmzFtM5|141.142.220.118|58206|141.142.2.2|53|udp|dns|0.000339031219482422|38|89|SF||0|Dd|1|66|1|117| +1300475168.89204|70MGiRM1Qf4|141.142.220.118|38911|141.142.2.2|53|udp|dns|0.000334978103637695|52|99|SF||0|Dd|1|80|1|127| +1300475168.89241|h5DsfNtYzi1|141.142.220.118|59746|141.142.2.2|53|udp|dns|0.000420808792114258|38|183|SF||0|Dd|1|66|1|211| +1300475168.89291|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|tcp|http|0.220960855484009|1137|733|S1||0|ShADad|6|1457|4|949| +1300475168.89294|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|tcp|http|0.229603052139282|1148|734|S1||0|ShADad|6|1468|4|950| +1300475168.89399|c4Zw9TmAE05|141.142.220.118|45000|141.142.2.2|53|udp|dns|0.000384092330932617|38|89|SF||0|Dd|1|66|1|117| +1300475168.89442|EAr0uf4mhq|141.142.220.118|48479|141.142.2.2|53|udp|dns|0.000316858291625977|52|99|SF||0|Dd|1|80|1|127| +1300475168.89479|GvmoxJFXdTa|141.142.220.118|48128|141.142.2.2|53|udp|dns|0.000422954559326172|38|183|SF||0|Dd|1|66|1|211| +1300475168.89527|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|tcp|http|0.227283954620361|1178|734|S1||0|ShADad|6|1498|4|950| +1300475168.90175|slFea8xwSmb|141.142.220.118|56056|141.142.2.2|53|udp|dns|0.000402212142944336|36|131|SF||0|Dd|1|64|1|159| +1300475168.90219|UfGkYA2HI2g|141.142.220.118|55092|141.142.2.2|53|udp|dns|0.000374078750610352|36|198|SF||0|Dd|1|64|1|226| +1300475168.90264|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|tcp|http|0.120040893554688|534|412|S1||0|ShADad|4|750|3|576| +1300475169.78033|2cx26uAvUPl|141.142.220.235|6705|173.192.163.128|80|tcp|||||OTH||0|h|0|0|1|48| +1300475169.89944|BWaU4aSuwkc|141.142.220.44|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|85|0|0| +1300475170.86238|10XodEwRycf|141.142.220.226|137|141.142.220.255|137|udp|dns|2.61301684379578|350|0|S0||0|D|7|546|0|0| +1300475171.67537|zno26fFZkrh|fe80::3074:17d5:2052:c324|65373|ff02::1:3|5355|udp|dns|0.100096225738525|66|0|S0||0|D|2|162|0|0| +1300475171.67708|v5rgkJBig5l|141.142.220.226|55131|224.0.0.252|5355|udp|dns|0.100020885467529|66|0|S0||0|D|2|122|0|0| +1300475173.11675|eWZCH7OONC1|fe80::3074:17d5:2052:c324|54213|ff02::1:3|5355|udp|dns|0.0998010635375977|66|0|S0||0|D|2|162|0|0| +1300475173.11736|0Pwk3ntf8O3|141.142.220.226|55671|224.0.0.252|5355|udp|dns|0.0998489856719971|66|0|S0||0|D|2|122|0|0| +1300475173.15368|0HKorjr8Zp7|141.142.220.238|56641|141.142.220.255|137|udp|dns||||S0||0|D|1|78|0|0| diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select new file mode 100644 index 0000000000..774a93408a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select @@ -0,0 +1,14 @@ +1300475168.78402|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.91602|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.91618|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.91836|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.95231|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.9523|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.95482|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.96269|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.97593|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.97644|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475168.97926|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475169.01459|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475169.01462|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| +1300475169.01493|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified|||||||||| diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro b/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro new file mode 100644 index 0000000000..39ff448b7d --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/sqlite/basic.bro @@ -0,0 +1,98 @@ +# @TEST-EXEC: cat conn.sql | sqlite3 conn.sqlite +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out + +@TEST-START-FILE conn.sql +PRAGMA foreign_keys=OFF; +BEGIN TRANSACTION; +CREATE TABLE conn ( +'ts' double precision, +'uid' text, +'id.orig_h' text, +'id.orig_p' integer, +'id.resp_h' text, +'id.resp_p' integer, +'proto' text, +'service' text, +'duration' double precision, +'orig_bytes' integer, +'resp_bytes' integer, +'conn_state' text, +'local_orig' boolean, +'missed_bytes' integer, +'history' text, +'orig_pkts' integer, +'orig_ip_bytes' integer, +'resp_pkts' integer, +'resp_ip_bytes' integer, +'tunnel_parents' text +); +INSERT INTO "conn" VALUES(1.30047516709653496744e+09,'dnGM1AdIVyh','141.142.220.202',5353,'224.0.0.251',5353,'udp','dns',NULL,NULL,NULL,'S0',NULL,0,'D',1,73,0,0,''); +INSERT INTO "conn" VALUES(1.30047516709701204296e+09,'fv9q7WjEgp1','fe80::217:f2ff:fed7:cf65',5353,'ff02::fb',5353,'udp',NULL,NULL,NULL,NULL,'S0',NULL,0,'D',1,199,0,0,''); +INSERT INTO "conn" VALUES(1.30047516709981608392e+09,'0Ox0H56yl88','141.142.220.50',5353,'224.0.0.251',5353,'udp',NULL,NULL,NULL,NULL,'S0',NULL,0,'D',1,179,0,0,''); +INSERT INTO "conn" VALUES(1.30047516885389900212e+09,'rvmSc7rDQub','141.142.220.118',43927,'141.142.2.2',53,'udp','dns',4.351139068603515625e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,''); +INSERT INTO "conn" VALUES(1.30047516885437798497e+09,'ogkztouSArh','141.142.220.118',37676,'141.142.2.2',53,'udp','dns',4.20093536376953125e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,''); +INSERT INTO "conn" VALUES(1.30047516885483694076e+09,'0UIDdXFt7Tb','141.142.220.118',40526,'141.142.2.2',53,'udp','dns',3.9196014404296875e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,''); +INSERT INTO "conn" VALUES(1.30047516885795593258e+09,'WqFYV51UIq7','141.142.220.118',32902,'141.142.2.2',53,'udp','dns',3.17096710205078125e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,''); +INSERT INTO "conn" VALUES(1.30047516885830593104e+09,'ylcqZpbz6K2','141.142.220.118',59816,'141.142.2.2',53,'udp','dns',3.430843353271484375e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,''); +INSERT INTO "conn" VALUES(1.30047516885871291159e+09,'blhldTzA7Y6','141.142.220.118',59714,'141.142.2.2',53,'udp','dns',3.750324249267578125e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,''); +INSERT INTO "conn" VALUES(1.30047516889164400098e+09,'Sc34cGJo3Kg','141.142.220.118',58206,'141.142.2.2',53,'udp','dns',3.39031219482421875e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,''); +INSERT INTO "conn" VALUES(1.30047516889203691487e+09,'RzvFrfXSRfk','141.142.220.118',38911,'141.142.2.2',53,'udp','dns',3.349781036376953125e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,''); +INSERT INTO "conn" VALUES(1.30047516889241409298e+09,'GaaFI58mpbe','141.142.220.118',59746,'141.142.2.2',53,'udp','dns',4.208087921142578125e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,''); +INSERT INTO "conn" VALUES(1.30047516889398789407e+09,'tr7M6tvAIQa','141.142.220.118',45000,'141.142.2.2',53,'udp','dns',3.840923309326171875e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,''); +INSERT INTO "conn" VALUES(1.30047516889442205426e+09,'gV0TcSc2pb4','141.142.220.118',48479,'141.142.2.2',53,'udp','dns',3.168582916259765625e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,''); +INSERT INTO "conn" VALUES(1.30047516889478707315e+09,'MOG0z4PYOhk','141.142.220.118',48128,'141.142.2.2',53,'udp','dns',4.22954559326171875e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,''); +INSERT INTO "conn" VALUES(1.30047516890174889565e+09,'PlehgEduUyj','141.142.220.118',56056,'141.142.2.2',53,'udp','dns',4.022121429443359375e-04,36,131,'SF',NULL,0,'Dd',1,64,1,159,''); +INSERT INTO "conn" VALUES(1.30047516890219497676e+09,'4eZgk09f2Re','141.142.220.118',55092,'141.142.2.2',53,'udp','dns',3.740787506103515625e-04,36,198,'SF',NULL,0,'Dd',1,64,1,226,''); +INSERT INTO "conn" VALUES(1.30047516989943790432e+09,'3xwJPc7mQ9a','141.142.220.44',5353,'224.0.0.251',5353,'udp','dns',NULL,NULL,NULL,'S0',NULL,0,'D',1,85,0,0,''); +INSERT INTO "conn" VALUES(1.30047517086238408089e+09,'yxTcvvTKWQ4','141.142.220.226',137,'141.142.220.255',137,'udp','dns',2.61301684379577636718e+00,350,0,'S0',NULL,0,'D',7,546,0,0,''); +INSERT INTO "conn" VALUES(1.30047517167537188525e+09,'8bLW3XNfhCj','fe80::3074:17d5:2052:c324',65373,'ff02::1:3',5355,'udp','dns',1.00096225738525390625e-01,66,0,'S0',NULL,0,'D',2,162,0,0,''); +INSERT INTO "conn" VALUES(1.30047517167708110807e+09,'rqjhiiRPjEe','141.142.220.226',55131,'224.0.0.252',5355,'udp','dns',1.00020885467529296875e-01,66,0,'S0',NULL,0,'D',2,122,0,0,''); +INSERT INTO "conn" VALUES(1.30047517311674904827e+09,'hTPyfL3QSGa','fe80::3074:17d5:2052:c324',54213,'ff02::1:3',5355,'udp','dns',9.980106353759765625e-02,66,0,'S0',NULL,0,'D',2,162,0,0,''); +INSERT INTO "conn" VALUES(1.30047517311736202235e+09,'EruUQ9AJRj4','141.142.220.226',55671,'224.0.0.252',5355,'udp','dns',9.98489856719970703125e-02,66,0,'S0',NULL,0,'D',2,122,0,0,''); +INSERT INTO "conn" VALUES(1.30047517315367889406e+09,'sw1bKJOMjuk','141.142.220.238',56641,'141.142.220.255',137,'udp','dns',NULL,NULL,NULL,'S0',NULL,0,'D',1,78,0,0,''); +INSERT INTO "conn" VALUES(1.30047516872400689127e+09,'NPHCuyWykE7','141.142.220.118',48649,'208.80.152.118',80,'tcp','http',1.19904994964599609375e-01,525,232,'S1',NULL,0,'ShADad',4,741,3,396,''); +INSERT INTO "conn" VALUES(1.30047516889293599126e+09,'VapPqRhPgJ4','141.142.220.118',50000,'208.80.152.3',80,'tcp','http',2.29603052139282226562e-01,1148,734,'S1',NULL,0,'ShADad',6,1468,4,950,''); +INSERT INTO "conn" VALUES(1.30047516885916304588e+09,'3607hh8C3bc','141.142.220.118',49998,'208.80.152.3',80,'tcp','http',2.15893030166625976562e-01,1130,734,'S1',NULL,0,'ShADad',6,1450,4,950,''); +INSERT INTO "conn" VALUES(1.30047516885530495647e+09,'tgYMrIvzDSg','141.142.220.118',49996,'208.80.152.3',80,'tcp','http',2.1850109100341796875e-01,1171,733,'S1',NULL,0,'ShADad',6,1491,4,949,''); +INSERT INTO "conn" VALUES(1.30047516889526700977e+09,'xQsjPwNBrXd','141.142.220.118',50001,'208.80.152.3',80,'tcp','http',2.27283954620361328125e-01,1178,734,'S1',NULL,0,'ShADad',6,1498,4,950,''); +INSERT INTO "conn" VALUES(1.30047516890263509747e+09,'Ap3GzMI1vM9','141.142.220.118',35642,'208.80.152.2',80,'tcp','http',1.200408935546875e-01,534,412,'S1',NULL,0,'ShADad',4,750,3,576,''); +INSERT INTO "conn" VALUES(1300475168.85533,'FTVcgrmNy52','141.142.220.118',49997,'208.80.152.3',80,'tcp','http',2.19720125198364257812e-01,1125,734,'S1',NULL,0,'ShADad',6,1445,4,950,''); +INSERT INTO "conn" VALUES(1.30047516978033089643e+09,'1xFx4PGdeq5','141.142.220.235',6705,'173.192.163.128',80,'tcp',NULL,NULL,NULL,NULL,'OTH',NULL,0,'h',0,0,1,48,''); +INSERT INTO "conn" VALUES(1.3004751686520030498e+09,'WIG1ud65z22','141.142.220.118',35634,'208.80.152.2',80,'tcp',NULL,6.1328887939453125e-02,463,350,'OTH',NULL,0,'DdA',2,567,1,402,''); +INSERT INTO "conn" VALUES(1.3004751688929131031e+09,'o2gAkl4V7sa','141.142.220.118',49999,'208.80.152.3',80,'tcp','http',2.20960855484008789062e-01,1137,733,'S1',NULL,0,'ShADad',6,1457,4,949,''); +COMMIT; +@TEST-END-FILE + +@load base/protocols/conn + +redef Input::accept_unsupported_types = T; + +global outfile: file; + +module A; + +event line(description: Input::EventDescription, tpe: Input::Event, r: Conn::Info) + { + print outfile, r; + } + +event bro_init() + { + local config_strings: table[string] of string = { + ["query"] = "select * from conn;", + ["dbname"] = "conn" + }; + + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_event([$source="../conn", $name="conn", $fields=Conn::Info, $ev=line, $want_record=T, $reader=Input::READER_SQLITE, $config=config_strings]); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, "End of data"; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/sqlite/port.bro b/testing/btest/scripts/base/frameworks/input/sqlite/port.bro new file mode 100644 index 0000000000..5cdc9a9d76 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/sqlite/port.bro @@ -0,0 +1,48 @@ +# @TEST-EXEC: cat port.sql | sqlite3 port.sqlite +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out + +@TEST-START-FILE port.sql +PRAGMA foreign_keys=OFF; +BEGIN TRANSACTION; +CREATE TABLE port ( +'port' integer, +'proto' text +); +INSERT INTO "port" VALUES(5353,'udp'); +INSERT INTO "port" VALUES(6162,'tcp'); +COMMIT; +@TEST-END-FILE + +global outfile: file; + +module A; + +type Val: record { + p: port &type_column="proto"; +}; + +event line(description: Input::EventDescription, tpe: Input::Event, p: port) + { + print outfile, p; + } + +event bro_init() + { + local config_strings: table[string] of string = { + ["query"] = "select port as p, proto from port;", + ["dbname"] = "port" + }; + + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_event([$source="../port", $name="port", $fields=Val, $ev=line, $reader=Input::READER_SQLITE, $want_record=F, $config=config_strings]); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, "End of data"; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro new file mode 100644 index 0000000000..14134d5427 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro @@ -0,0 +1,8 @@ +# +# @TEST-GROUP: dataseries +# +# @TEST-EXEC: bro -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_SQLITE +# @TEST-EXEC: sqlite3 conn.sqlite 'select * from conn' | sort > conn.select +# @TEST-EXEC: sqlite3 http.sqlite 'select * from http' | sort > http.select +# @TEST-EXEC: btest-diff conn.select +# @TEST-EXEC: btest-diff http.select