make sqlite support more or less work for logging and input

* add support for &type_column for reading
* add basic tests for logging & input
* clean up a bit
* add support for tables for reading (untested)

src/input/readers/SQLite.cc

@@ -9,13 +9,12 @@
 
 #include <fstream>
 #include <sstream>
-
-#include "../../threading/SerialTypes.h"
-
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
 
+#include "../../threading/SerialTypes.h"
+
 using namespace input::reader;
 using threading::Value;
 using threading::Field;
@@ -54,6 +53,12 @@ bool SQLite::checkError( int code )
 
 bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields)
 	{
+	if ( sqlite3_threadsafe() == 0 ) 
+		{
+		Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting");
+		return false;
+		}
+		
 	started = false;
 
 	string fullpath(info.source);
@@ -64,7 +69,6 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading:
 	if ( it == info.config.end() ) 
 		{
 		MsgThread::Info(Fmt("dbname configuration option not found. Defaulting to source %s", info.source));
-		Error(Fmt("dbname configuration option not found. Defaulting to source %s", info.source));
 		dbname = info.source;
 		} 
 	else 
@@ -105,9 +109,10 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading:
 	return true;
 	}
 
-Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos)
+// pos = field position
+// subpos = subfield position, only used for port-field
+Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos, int subpos)  
 	{
-	
 	if ( sqlite3_column_type(st, pos ) == SQLITE_NULL ) 
 		return new Value(field->type, false);
 
@@ -130,7 +135,8 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p
 
 	case TYPE_BOOL:
 		{
-		if ( sqlite3_column_type(st, pos) != SQLITE_INTEGER ) {
+		if ( sqlite3_column_type(st, pos) != SQLITE_INTEGER ) 
+			{
 			Error("Invalid data type for boolean - expected Integer");
 			return 0;
 			}
@@ -163,11 +169,23 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p
 		break;
 
 	case TYPE_PORT:
+		{
 		val->val.port_val.port = sqlite3_column_int(st, pos);
 		val->val.port_val.proto = TRANSPORT_UNKNOWN;
+		if ( subpos != -1 ) 
+			{
+			const char *text = (const char*) sqlite3_column_text(st, subpos);
+			string s(text, sqlite3_column_bytes(st, subpos));
+			if ( text == 0 )
+				Error("Port protocol definition did not contain text");
+			else 
+				val->val.port_val.proto = io->StringToProto(s);
+			}
 		break;
+		}
 
-	case TYPE_SUBNET: {
+	case TYPE_SUBNET: 
+		{
 		const char *text = (const char*) sqlite3_column_text(st, pos);
 		string s(text, sqlite3_column_bytes(st, pos));
 		int pos = s.find("/");
@@ -177,8 +195,8 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p
 		val->val.subnet_val.prefix = io->StringToAddr(addr);
 		val->val.subnet_val.length = width;		
 		break;
-
 		}
+
 	case TYPE_ADDR: 
 		{
 		const char *text = (const char*) sqlite3_column_text(st, pos);
@@ -189,82 +207,13 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p
 
 	case TYPE_TABLE:
 	case TYPE_VECTOR:
-		assert(false);
-		/* 
-		// First - common initialization
-		// Then - initialization for table.
-		// Then - initialization for vector.
-		// Then - common stuff
 		{
-		// how many entries do we have...
+		const char *text = (const char*) sqlite3_column_text(st, pos);
-		unsigned int length = 1;
+		string s(text, sqlite3_column_bytes(st, pos));			
-		for ( unsigned int i = 0; i < s.size(); i++ )
+		val = io->StringToVal(s, "", field->type, field->subtype);
-			if ( s[i] == ',') length++;
-
-		unsigned int pos = 0;
-		
-		if ( s.compare(empty_field) == 0 ) 
-			length = 0;
-			
-
-		Value** lvals = new Value* [length];
-
-		if ( field->type == TYPE_TABLE ) 
-			{
-			val->val.set_val.vals = lvals;
-			val->val.set_val.size = length;
-			} 
-		else if ( field->type == TYPE_VECTOR ) 
-			{
-			val->val.vector_val.vals = lvals;
-			val->val.vector_val.size = length;
-		else 
-			assert(false);
-
-		if ( length == 0 )
-			break; //empty
-
-		istringstream splitstream(s);
-		while ( splitstream ) 
-			{
-			string element;
-
-			if ( !getline(splitstream, element, ',') )
-				break;
-
-			if ( pos >= length ) 
-				{
-				Error(Fmt("Internal error while parsing set. pos %d >= length %d. Element: %s", pos, length, element.c_str()));
 		break;
 		}
 
-			Field* newfield = new Field(*field);
-			newfield->type = field->subtype;
-			Value* newval = EntryToVal(element, newfield);
-			delete(newfield);
-			if ( newval == 0 ) 
-				{
-				Error("Error while reading set");
-				return 0;
-				}
-			lvals[pos] = newval;
-
-			pos++;
-	
-			}
-
-
-		if ( pos != length ) 
-			{
-			Error("Internal error while parsing set: did not find all elements");
-			return 0;
-			}
-
-		break;
-		}
-		*/
-
-
 	default:
 		Error(Fmt("unsupported field format %d", field->type));
 		return 0;
@@ -276,29 +225,26 @@ Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int p
 
 bool SQLite::DoUpdate() 
 	{
-
 	int numcolumns = sqlite3_column_count(st);
 
-	/* This can happen legitimately I think...
-	if ( numcolumns != num_fields ) 
-		{
-		Error(Fmt("SQLite query returned %d results, but input framework expected %d. Aborting", numcolumns, num_fields));
-		return false;
-		}
-	*/
-	
 	int *mapping = new int [num_fields];
+	int *submapping = new int [num_fields];
 	// first set them all to -1
 	for ( unsigned int i = 0; i < num_fields; ++i ) {
 		mapping[i] = -1;
+		submapping[i] = -1;
 	}
 
+
+
 	for ( unsigned int i = 0; i < numcolumns; ++i ) 
 		{
 		const char *name = sqlite3_column_name(st, i);
 
-		for ( unsigned j = 0; j < num_fields; j++ ) {
+		for ( unsigned j = 0; j < num_fields; j++ ) 
-			if ( strcmp(fields[j]->name, name) == 0 ) {
+			{
+			if ( strcmp(fields[j]->name, name) == 0 ) 
+				{
 				if ( mapping[j] != -1 ) 
 					{
 					Error(Fmt("SQLite statement returns several columns with name %s! Cannot decide which to choose, aborting", name));
@@ -306,10 +252,20 @@ bool SQLite::DoUpdate()
 					}
 
 				mapping[j] = i;
-				break;
-			}
 				}
 
+			if ( fields[j]->secondary_name != 0 && strcmp(fields[j]->secondary_name, name) == 0 )
+				{
+				assert(fields[j]->type == TYPE_PORT);
+				if ( submapping[j] != -1 ) 
+					{
+					Error(Fmt("SQLite statement returns several columns with name %s! Cannot decide which to choose, aborting", name));
+					return false;
+					}
+
+				submapping[j] = i;
+				}
+			}
 		}
 	
 	for ( unsigned int i = 0; i < num_fields; ++i ) {
@@ -327,14 +283,11 @@ bool SQLite::DoUpdate()
 
 		for ( unsigned int j = 0; j < num_fields; ++j) 
 			{
-
+			ofields[j] = EntryToVal(st, fields[j], mapping[j], submapping[j]);
-			ofields[j] = EntryToVal(st, fields[j], mapping[j]);
+			if ( ofields[j] == 0 ) 
-			if ( ofields[j] == 0 ) {
 				return false;
 			}
 
-			}
-
 		SendEntry(ofields);
 		}
 
@@ -344,7 +297,8 @@ bool SQLite::DoUpdate()
 
 	EndCurrentSend();
 
-	delete (mapping);
+	delete [] mapping;
+	delete [] submapping;
 
 	if ( checkError(sqlite3_reset(st)) )
 		return false;	

src/input/readers/SQLite.h

@@ -37,22 +37,16 @@ protected:
 private:
 	bool checkError(int code);	
 
-	unsigned int num_fields;
+	threading::Value* EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos, int subpos);
 	
 	const threading::Field* const * fields; // raw mapping		
-
+	unsigned int num_fields;
-	threading::Value* EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos);
-
 	int mode;
-
 	bool started;
 	string query;
-
 	sqlite3 *db;
 	sqlite3_stmt *st;
-
 	AsciiInputOutput* io;
-
 };
 
 

src/logging/writers/SQLite.cc

@@ -76,7 +76,7 @@ string SQLite::GetTableType(int arg_type, int arg_subtype) {
 	case TYPE_STRING:
 	case TYPE_FILE:
 	case TYPE_FUNC:
-		type = "TEXT";
+		type = "text";
 		break;
 
 	case TYPE_TABLE:
@@ -107,7 +107,8 @@ bool SQLite::checkError( int code )
 bool SQLite::DoInit(const WriterInfo& info, int num_fields,
 			    const Field* const * fields)
 	{
-	if ( sqlite3_threadsafe() == 0 ) {
+	if ( sqlite3_threadsafe() == 0 ) 
+		{
 		Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting");
 		return false;
 		}
@@ -117,10 +118,13 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields,
 	string dbname;
 
 	map<const char*, const char*>::const_iterator it = info.config.find("dbname");
-	if ( it == info.config.end() ) {
+	if ( it == info.config.end() ) 
+		{
 		MsgThread::Info(Fmt("dbname configuration option not found. Defaulting to path %s", info.path));
 		dbname = info.path;
-	} else {
+		} 
+	else 
+		{
 		dbname = it->second;
 		}
 
@@ -135,7 +139,7 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields,
 					NULL)) )
 		return false;
 
-	string create = "CREATE TABLE IF NOT EXISTS "+dbname+" (\n"; // yes. using path here is stupid. open for better ideas.
+	string create = "CREATE TABLE IF NOT EXISTS "+dbname+" (\n"; 
 		//"id SERIAL UNIQUE NOT NULL"; // SQLite has rowids, we do not need a counter here.
 
 	for ( int i = 0; i < num_fields; ++i )
@@ -197,7 +201,6 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields,
 			insert += "?";	
 
 			char* fieldname = sqlite3_mprintf("%Q", fields[i]->name);
-			printf("Fieldname: %s\n", fieldname);
 			if ( fieldname == 0 ) 
 				{
 				InternalError("Could not malloc memory");
@@ -219,7 +222,8 @@ bool SQLite::DoInit(const WriterInfo& info, int num_fields,
 	}
 
 // Format String
-char* SQLite::FS(const char* format, ...) {
+char* SQLite::FS(const char* format, ...) 
+	{
 	char * buf;
 
 	va_list al;

src/main.cc

@@ -16,6 +16,10 @@
 #include <curl/curl.h>
 #endif
 
+#ifdef USE_SQLITE
+#include "sqlite3.h"
+#endif
+
 #ifdef USE_IDMEF
 extern "C" {
 #include <libidmef/idmefxml.h>
@@ -724,6 +728,10 @@ int main(int argc, char** argv)
 	curl_global_init(CURL_GLOBAL_ALL);
 #endif
 
+#ifdef USE_SQLITE
+	sqlite3_initialize();
+#endif
+
 	// FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't
 	// seed the PRNG. We should do this here (but at least Linux, FreeBSD
 	// and Solaris provide /dev/urandom).
@@ -1078,6 +1086,10 @@ int main(int argc, char** argv)
 		curl_global_cleanup();
 #endif
 
+#ifdef USE_SQLITE
+		sqlite3_shutdown();
+#endif
+
 		terminate_bro();
 
 		// Close files after net_delete(), because net_delete()

testing/btest/Baseline/scripts.base.frameworks.input.sqlite.basic/out

@@ -0,0 +1,35 @@
+[ts=1300475167.096535, uid=dnGM1AdIVyh, id=[orig_h=141.142.220.202, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown], proto=udp, service=dns, duration=<uninitialized>, orig_bytes=<uninitialized>, resp_bytes=<uninitialized>, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=73, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475167.097012, uid=fv9q7WjEgp1, id=[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/unknown, resp_h=ff02::fb, resp_p=5353/unknown], proto=udp, service=<uninitialized>, duration=<uninitialized>, orig_bytes=<uninitialized>, resp_bytes=<uninitialized>, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=199, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475167.099816, uid=0Ox0H56yl88, id=[orig_h=141.142.220.50, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown], proto=udp, service=<uninitialized>, duration=<uninitialized>, orig_bytes=<uninitialized>, resp_bytes=<uninitialized>, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=179, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475168.853899, uid=rvmSc7rDQub, id=[orig_h=141.142.220.118, orig_p=43927/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000435, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=<uninitialized>]
+[ts=1300475168.854378, uid=ogkztouSArh, id=[orig_h=141.142.220.118, orig_p=37676/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.00042, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=<uninitialized>]
+[ts=1300475168.854837, uid=0UIDdXFt7Tb, id=[orig_h=141.142.220.118, orig_p=40526/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000392, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=<uninitialized>]
+[ts=1300475168.857956, uid=WqFYV51UIq7, id=[orig_h=141.142.220.118, orig_p=32902/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000317, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=<uninitialized>]
+[ts=1300475168.858306, uid=ylcqZpbz6K2, id=[orig_h=141.142.220.118, orig_p=59816/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000343, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=<uninitialized>]
+[ts=1300475168.858713, uid=blhldTzA7Y6, id=[orig_h=141.142.220.118, orig_p=59714/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000375, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=<uninitialized>]
+[ts=1300475168.891644, uid=Sc34cGJo3Kg, id=[orig_h=141.142.220.118, orig_p=58206/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000339, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=<uninitialized>]
+[ts=1300475168.892037, uid=RzvFrfXSRfk, id=[orig_h=141.142.220.118, orig_p=38911/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000335, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=<uninitialized>]
+[ts=1300475168.892414, uid=GaaFI58mpbe, id=[orig_h=141.142.220.118, orig_p=59746/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000421, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=<uninitialized>]
+[ts=1300475168.893988, uid=tr7M6tvAIQa, id=[orig_h=141.142.220.118, orig_p=45000/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000384, orig_bytes=38, resp_bytes=89, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=117, tunnel_parents=<uninitialized>]
+[ts=1300475168.894422, uid=gV0TcSc2pb4, id=[orig_h=141.142.220.118, orig_p=48479/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000317, orig_bytes=52, resp_bytes=99, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=80, resp_pkts=1, resp_ip_bytes=127, tunnel_parents=<uninitialized>]
+[ts=1300475168.894787, uid=MOG0z4PYOhk, id=[orig_h=141.142.220.118, orig_p=48128/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000423, orig_bytes=38, resp_bytes=183, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=66, resp_pkts=1, resp_ip_bytes=211, tunnel_parents=<uninitialized>]
+[ts=1300475168.901749, uid=PlehgEduUyj, id=[orig_h=141.142.220.118, orig_p=56056/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000402, orig_bytes=36, resp_bytes=131, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=64, resp_pkts=1, resp_ip_bytes=159, tunnel_parents=<uninitialized>]
+[ts=1300475168.902195, uid=4eZgk09f2Re, id=[orig_h=141.142.220.118, orig_p=55092/unknown, resp_h=141.142.2.2, resp_p=53/unknown], proto=udp, service=dns, duration=0.000374, orig_bytes=36, resp_bytes=198, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=Dd, orig_pkts=1, orig_ip_bytes=64, resp_pkts=1, resp_ip_bytes=226, tunnel_parents=<uninitialized>]
+[ts=1300475169.899438, uid=3xwJPc7mQ9a, id=[orig_h=141.142.220.44, orig_p=5353/unknown, resp_h=224.0.0.251, resp_p=5353/unknown], proto=udp, service=dns, duration=<uninitialized>, orig_bytes=<uninitialized>, resp_bytes=<uninitialized>, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=85, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475170.862384, uid=yxTcvvTKWQ4, id=[orig_h=141.142.220.226, orig_p=137/unknown, resp_h=141.142.220.255, resp_p=137/unknown], proto=udp, service=dns, duration=2.613017, orig_bytes=350, resp_bytes=0, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=7, orig_ip_bytes=546, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475171.675372, uid=8bLW3XNfhCj, id=[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/unknown, resp_h=ff02::1:3, resp_p=5355/unknown], proto=udp, service=dns, duration=0.100096, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=162, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475171.677081, uid=rqjhiiRPjEe, id=[orig_h=141.142.220.226, orig_p=55131/unknown, resp_h=224.0.0.252, resp_p=5355/unknown], proto=udp, service=dns, duration=0.100021, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=122, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475173.116749, uid=hTPyfL3QSGa, id=[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/unknown, resp_h=ff02::1:3, resp_p=5355/unknown], proto=udp, service=dns, duration=0.099801, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=162, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475173.117362, uid=EruUQ9AJRj4, id=[orig_h=141.142.220.226, orig_p=55671/unknown, resp_h=224.0.0.252, resp_p=5355/unknown], proto=udp, service=dns, duration=0.099849, orig_bytes=66, resp_bytes=0, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=2, orig_ip_bytes=122, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475173.153679, uid=sw1bKJOMjuk, id=[orig_h=141.142.220.238, orig_p=56641/unknown, resp_h=141.142.220.255, resp_p=137/unknown], proto=udp, service=dns, duration=<uninitialized>, orig_bytes=<uninitialized>, resp_bytes=<uninitialized>, conn_state=S0, local_orig=<uninitialized>, missed_bytes=0, history=D, orig_pkts=1, orig_ip_bytes=78, resp_pkts=0, resp_ip_bytes=0, tunnel_parents=<uninitialized>]
+[ts=1300475168.724007, uid=NPHCuyWykE7, id=[orig_h=141.142.220.118, orig_p=48649/unknown, resp_h=208.80.152.118, resp_p=80/unknown], proto=tcp, service=http, duration=0.119905, orig_bytes=525, resp_bytes=232, conn_state=S1, local_orig=<uninitialized>, missed_bytes=0, history=ShADad, orig_pkts=4, orig_ip_bytes=741, resp_pkts=3, resp_ip_bytes=396, tunnel_parents=<uninitialized>]
+[ts=1300475168.892936, uid=VapPqRhPgJ4, id=[orig_h=141.142.220.118, orig_p=50000/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.229603, orig_bytes=1148, resp_bytes=734, conn_state=S1, local_orig=<uninitialized>, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1468, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=<uninitialized>]
+[ts=1300475168.859163, uid=3607hh8C3bc, id=[orig_h=141.142.220.118, orig_p=49998/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.215893, orig_bytes=1130, resp_bytes=734, conn_state=S1, local_orig=<uninitialized>, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1450, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=<uninitialized>]
+[ts=1300475168.855305, uid=tgYMrIvzDSg, id=[orig_h=141.142.220.118, orig_p=49996/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.218501, orig_bytes=1171, resp_bytes=733, conn_state=S1, local_orig=<uninitialized>, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1491, resp_pkts=4, resp_ip_bytes=949, tunnel_parents=<uninitialized>]
+[ts=1300475168.895267, uid=xQsjPwNBrXd, id=[orig_h=141.142.220.118, orig_p=50001/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.227284, orig_bytes=1178, resp_bytes=734, conn_state=S1, local_orig=<uninitialized>, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1498, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=<uninitialized>]
+[ts=1300475168.902635, uid=Ap3GzMI1vM9, id=[orig_h=141.142.220.118, orig_p=35642/unknown, resp_h=208.80.152.2, resp_p=80/unknown], proto=tcp, service=http, duration=0.120041, orig_bytes=534, resp_bytes=412, conn_state=S1, local_orig=<uninitialized>, missed_bytes=0, history=ShADad, orig_pkts=4, orig_ip_bytes=750, resp_pkts=3, resp_ip_bytes=576, tunnel_parents=<uninitialized>]
+[ts=1300475168.85533, uid=FTVcgrmNy52, id=[orig_h=141.142.220.118, orig_p=49997/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.21972, orig_bytes=1125, resp_bytes=734, conn_state=S1, local_orig=<uninitialized>, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1445, resp_pkts=4, resp_ip_bytes=950, tunnel_parents=<uninitialized>]
+[ts=1300475169.780331, uid=1xFx4PGdeq5, id=[orig_h=141.142.220.235, orig_p=6705/unknown, resp_h=173.192.163.128, resp_p=80/unknown], proto=tcp, service=<uninitialized>, duration=<uninitialized>, orig_bytes=<uninitialized>, resp_bytes=<uninitialized>, conn_state=OTH, local_orig=<uninitialized>, missed_bytes=0, history=h, orig_pkts=0, orig_ip_bytes=0, resp_pkts=1, resp_ip_bytes=48, tunnel_parents=<uninitialized>]
+[ts=1300475168.652003, uid=WIG1ud65z22, id=[orig_h=141.142.220.118, orig_p=35634/unknown, resp_h=208.80.152.2, resp_p=80/unknown], proto=tcp, service=<uninitialized>, duration=0.061329, orig_bytes=463, resp_bytes=350, conn_state=OTH, local_orig=<uninitialized>, missed_bytes=0, history=DdA, orig_pkts=2, orig_ip_bytes=567, resp_pkts=1, resp_ip_bytes=402, tunnel_parents=<uninitialized>]
+[ts=1300475168.892913, uid=o2gAkl4V7sa, id=[orig_h=141.142.220.118, orig_p=49999/unknown, resp_h=208.80.152.3, resp_p=80/unknown], proto=tcp, service=http, duration=0.220961, orig_bytes=1137, resp_bytes=733, conn_state=S1, local_orig=<uninitialized>, missed_bytes=0, history=ShADad, orig_pkts=6, orig_ip_bytes=1457, resp_pkts=4, resp_ip_bytes=949, tunnel_parents=<uninitialized>]
+End of data

testing/btest/Baseline/scripts.base.frameworks.input.sqlite.port/out

@@ -0,0 +1,3 @@
+5353/udp
+6162/tcp
+End of data

testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select

@@ -0,0 +1,34 @@
+1300475167.09653|UWkUyAuUGXf|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|73|0|0|
+1300475167.09701|arKYeMETxOg|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|||||S0||0|D|1|199|0|0|
+1300475167.09982|k6kgXLOoSKl|141.142.220.50|5353|224.0.0.251|5353|udp|||||S0||0|D|1|179|0|0|
+1300475168.652|nQcgTWjvg4c|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH||0|DdA|2|567|1|402|
+1300475168.72401|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1||0|ShADad|4|741|3|396|
+1300475168.8539|TEfuqmmG4bh|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF||0|Dd|1|66|1|117|
+1300475168.85438|FrJExwHcSal|141.142.220.118|37676|141.142.2.2|53|udp|dns|0.000420093536376953|52|99|SF||0|Dd|1|80|1|127|
+1300475168.85484|5OKnoww6xl4|141.142.220.118|40526|141.142.2.2|53|udp|dns|0.000391960144042969|38|183|SF||0|Dd|1|66|1|211|
+1300475168.85533|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|tcp|http|0.219720125198364|1125|734|S1||0|ShADad|6|1445|4|950|
+1300475168.8553|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|tcp|http|0.218501091003418|1171|733|S1||0|ShADad|6|1491|4|949|
+1300475168.85796|fRFu0wcOle6|141.142.220.118|32902|141.142.2.2|53|udp|dns|0.000317096710205078|38|89|SF||0|Dd|1|66|1|117|
+1300475168.85831|qSsw6ESzHV4|141.142.220.118|59816|141.142.2.2|53|udp|dns|0.000343084335327148|52|99|SF||0|Dd|1|80|1|127|
+1300475168.85871|iE6yhOq3SF|141.142.220.118|59714|141.142.2.2|53|udp|dns|0.000375032424926758|38|183|SF||0|Dd|1|66|1|211|
+1300475168.85916|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|tcp|http|0.215893030166626|1130|734|S1||0|ShADad|6|1450|4|950|
+1300475168.89164|qCaWGmzFtM5|141.142.220.118|58206|141.142.2.2|53|udp|dns|0.000339031219482422|38|89|SF||0|Dd|1|66|1|117|
+1300475168.89204|70MGiRM1Qf4|141.142.220.118|38911|141.142.2.2|53|udp|dns|0.000334978103637695|52|99|SF||0|Dd|1|80|1|127|
+1300475168.89241|h5DsfNtYzi1|141.142.220.118|59746|141.142.2.2|53|udp|dns|0.000420808792114258|38|183|SF||0|Dd|1|66|1|211|
+1300475168.89291|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|tcp|http|0.220960855484009|1137|733|S1||0|ShADad|6|1457|4|949|
+1300475168.89294|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|tcp|http|0.229603052139282|1148|734|S1||0|ShADad|6|1468|4|950|
+1300475168.89399|c4Zw9TmAE05|141.142.220.118|45000|141.142.2.2|53|udp|dns|0.000384092330932617|38|89|SF||0|Dd|1|66|1|117|
+1300475168.89442|EAr0uf4mhq|141.142.220.118|48479|141.142.2.2|53|udp|dns|0.000316858291625977|52|99|SF||0|Dd|1|80|1|127|
+1300475168.89479|GvmoxJFXdTa|141.142.220.118|48128|141.142.2.2|53|udp|dns|0.000422954559326172|38|183|SF||0|Dd|1|66|1|211|
+1300475168.89527|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|tcp|http|0.227283954620361|1178|734|S1||0|ShADad|6|1498|4|950|
+1300475168.90175|slFea8xwSmb|141.142.220.118|56056|141.142.2.2|53|udp|dns|0.000402212142944336|36|131|SF||0|Dd|1|64|1|159|
+1300475168.90219|UfGkYA2HI2g|141.142.220.118|55092|141.142.2.2|53|udp|dns|0.000374078750610352|36|198|SF||0|Dd|1|64|1|226|
+1300475168.90264|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|tcp|http|0.120040893554688|534|412|S1||0|ShADad|4|750|3|576|
+1300475169.78033|2cx26uAvUPl|141.142.220.235|6705|173.192.163.128|80|tcp|||||OTH||0|h|0|0|1|48|
+1300475169.89944|BWaU4aSuwkc|141.142.220.44|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|85|0|0|
+1300475170.86238|10XodEwRycf|141.142.220.226|137|141.142.220.255|137|udp|dns|2.61301684379578|350|0|S0||0|D|7|546|0|0|
+1300475171.67537|zno26fFZkrh|fe80::3074:17d5:2052:c324|65373|ff02::1:3|5355|udp|dns|0.100096225738525|66|0|S0||0|D|2|162|0|0|
+1300475171.67708|v5rgkJBig5l|141.142.220.226|55131|224.0.0.252|5355|udp|dns|0.100020885467529|66|0|S0||0|D|2|122|0|0|
+1300475173.11675|eWZCH7OONC1|fe80::3074:17d5:2052:c324|54213|ff02::1:3|5355|udp|dns|0.0998010635375977|66|0|S0||0|D|2|162|0|0|
+1300475173.11736|0Pwk3ntf8O3|141.142.220.226|55671|224.0.0.252|5355|udp|dns|0.0998489856719971|66|0|S0||0|D|2|122|0|0|
+1300475173.15368|0HKorjr8Zp7|141.142.220.238|56641|141.142.220.255|137|udp|dns||||S0||0|D|1|78|0|0|

testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select

@@ -0,0 +1,14 @@
+1300475168.78402|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.91602|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.91618|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.91836|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.95231|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.9523|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.95482|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.96269|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.97593|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.97644|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475168.97926|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475169.01459|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475169.01462|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||
+1300475169.01493|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||||||||

testing/btest/scripts/base/frameworks/input/sqlite/basic.bro

@@ -0,0 +1,98 @@
+# @TEST-EXEC: cat conn.sql | sqlite3 conn.sqlite
+# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff out
+
+@TEST-START-FILE conn.sql
+PRAGMA foreign_keys=OFF;
+BEGIN TRANSACTION;
+CREATE TABLE conn (
+'ts' double precision,
+'uid' text,
+'id.orig_h' text,
+'id.orig_p' integer,
+'id.resp_h' text,
+'id.resp_p' integer,
+'proto' text,
+'service' text,
+'duration' double precision,
+'orig_bytes' integer,
+'resp_bytes' integer,
+'conn_state' text,
+'local_orig' boolean,
+'missed_bytes' integer,
+'history' text,
+'orig_pkts' integer,
+'orig_ip_bytes' integer,
+'resp_pkts' integer,
+'resp_ip_bytes' integer,
+'tunnel_parents' text
+);
+INSERT INTO "conn" VALUES(1.30047516709653496744e+09,'dnGM1AdIVyh','141.142.220.202',5353,'224.0.0.251',5353,'udp','dns',NULL,NULL,NULL,'S0',NULL,0,'D',1,73,0,0,'');
+INSERT INTO "conn" VALUES(1.30047516709701204296e+09,'fv9q7WjEgp1','fe80::217:f2ff:fed7:cf65',5353,'ff02::fb',5353,'udp',NULL,NULL,NULL,NULL,'S0',NULL,0,'D',1,199,0,0,'');
+INSERT INTO "conn" VALUES(1.30047516709981608392e+09,'0Ox0H56yl88','141.142.220.50',5353,'224.0.0.251',5353,'udp',NULL,NULL,NULL,NULL,'S0',NULL,0,'D',1,179,0,0,'');
+INSERT INTO "conn" VALUES(1.30047516885389900212e+09,'rvmSc7rDQub','141.142.220.118',43927,'141.142.2.2',53,'udp','dns',4.351139068603515625e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,'');
+INSERT INTO "conn" VALUES(1.30047516885437798497e+09,'ogkztouSArh','141.142.220.118',37676,'141.142.2.2',53,'udp','dns',4.20093536376953125e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,'');
+INSERT INTO "conn" VALUES(1.30047516885483694076e+09,'0UIDdXFt7Tb','141.142.220.118',40526,'141.142.2.2',53,'udp','dns',3.9196014404296875e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,'');
+INSERT INTO "conn" VALUES(1.30047516885795593258e+09,'WqFYV51UIq7','141.142.220.118',32902,'141.142.2.2',53,'udp','dns',3.17096710205078125e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,'');
+INSERT INTO "conn" VALUES(1.30047516885830593104e+09,'ylcqZpbz6K2','141.142.220.118',59816,'141.142.2.2',53,'udp','dns',3.430843353271484375e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,'');
+INSERT INTO "conn" VALUES(1.30047516885871291159e+09,'blhldTzA7Y6','141.142.220.118',59714,'141.142.2.2',53,'udp','dns',3.750324249267578125e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,'');
+INSERT INTO "conn" VALUES(1.30047516889164400098e+09,'Sc34cGJo3Kg','141.142.220.118',58206,'141.142.2.2',53,'udp','dns',3.39031219482421875e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,'');
+INSERT INTO "conn" VALUES(1.30047516889203691487e+09,'RzvFrfXSRfk','141.142.220.118',38911,'141.142.2.2',53,'udp','dns',3.349781036376953125e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,'');
+INSERT INTO "conn" VALUES(1.30047516889241409298e+09,'GaaFI58mpbe','141.142.220.118',59746,'141.142.2.2',53,'udp','dns',4.208087921142578125e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,'');
+INSERT INTO "conn" VALUES(1.30047516889398789407e+09,'tr7M6tvAIQa','141.142.220.118',45000,'141.142.2.2',53,'udp','dns',3.840923309326171875e-04,38,89,'SF',NULL,0,'Dd',1,66,1,117,'');
+INSERT INTO "conn" VALUES(1.30047516889442205426e+09,'gV0TcSc2pb4','141.142.220.118',48479,'141.142.2.2',53,'udp','dns',3.168582916259765625e-04,52,99,'SF',NULL,0,'Dd',1,80,1,127,'');
+INSERT INTO "conn" VALUES(1.30047516889478707315e+09,'MOG0z4PYOhk','141.142.220.118',48128,'141.142.2.2',53,'udp','dns',4.22954559326171875e-04,38,183,'SF',NULL,0,'Dd',1,66,1,211,'');
+INSERT INTO "conn" VALUES(1.30047516890174889565e+09,'PlehgEduUyj','141.142.220.118',56056,'141.142.2.2',53,'udp','dns',4.022121429443359375e-04,36,131,'SF',NULL,0,'Dd',1,64,1,159,'');
+INSERT INTO "conn" VALUES(1.30047516890219497676e+09,'4eZgk09f2Re','141.142.220.118',55092,'141.142.2.2',53,'udp','dns',3.740787506103515625e-04,36,198,'SF',NULL,0,'Dd',1,64,1,226,'');
+INSERT INTO "conn" VALUES(1.30047516989943790432e+09,'3xwJPc7mQ9a','141.142.220.44',5353,'224.0.0.251',5353,'udp','dns',NULL,NULL,NULL,'S0',NULL,0,'D',1,85,0,0,'');
+INSERT INTO "conn" VALUES(1.30047517086238408089e+09,'yxTcvvTKWQ4','141.142.220.226',137,'141.142.220.255',137,'udp','dns',2.61301684379577636718e+00,350,0,'S0',NULL,0,'D',7,546,0,0,'');
+INSERT INTO "conn" VALUES(1.30047517167537188525e+09,'8bLW3XNfhCj','fe80::3074:17d5:2052:c324',65373,'ff02::1:3',5355,'udp','dns',1.00096225738525390625e-01,66,0,'S0',NULL,0,'D',2,162,0,0,'');
+INSERT INTO "conn" VALUES(1.30047517167708110807e+09,'rqjhiiRPjEe','141.142.220.226',55131,'224.0.0.252',5355,'udp','dns',1.00020885467529296875e-01,66,0,'S0',NULL,0,'D',2,122,0,0,'');
+INSERT INTO "conn" VALUES(1.30047517311674904827e+09,'hTPyfL3QSGa','fe80::3074:17d5:2052:c324',54213,'ff02::1:3',5355,'udp','dns',9.980106353759765625e-02,66,0,'S0',NULL,0,'D',2,162,0,0,'');
+INSERT INTO "conn" VALUES(1.30047517311736202235e+09,'EruUQ9AJRj4','141.142.220.226',55671,'224.0.0.252',5355,'udp','dns',9.98489856719970703125e-02,66,0,'S0',NULL,0,'D',2,122,0,0,'');
+INSERT INTO "conn" VALUES(1.30047517315367889406e+09,'sw1bKJOMjuk','141.142.220.238',56641,'141.142.220.255',137,'udp','dns',NULL,NULL,NULL,'S0',NULL,0,'D',1,78,0,0,'');
+INSERT INTO "conn" VALUES(1.30047516872400689127e+09,'NPHCuyWykE7','141.142.220.118',48649,'208.80.152.118',80,'tcp','http',1.19904994964599609375e-01,525,232,'S1',NULL,0,'ShADad',4,741,3,396,'');
+INSERT INTO "conn" VALUES(1.30047516889293599126e+09,'VapPqRhPgJ4','141.142.220.118',50000,'208.80.152.3',80,'tcp','http',2.29603052139282226562e-01,1148,734,'S1',NULL,0,'ShADad',6,1468,4,950,'');
+INSERT INTO "conn" VALUES(1.30047516885916304588e+09,'3607hh8C3bc','141.142.220.118',49998,'208.80.152.3',80,'tcp','http',2.15893030166625976562e-01,1130,734,'S1',NULL,0,'ShADad',6,1450,4,950,'');
+INSERT INTO "conn" VALUES(1.30047516885530495647e+09,'tgYMrIvzDSg','141.142.220.118',49996,'208.80.152.3',80,'tcp','http',2.1850109100341796875e-01,1171,733,'S1',NULL,0,'ShADad',6,1491,4,949,'');
+INSERT INTO "conn" VALUES(1.30047516889526700977e+09,'xQsjPwNBrXd','141.142.220.118',50001,'208.80.152.3',80,'tcp','http',2.27283954620361328125e-01,1178,734,'S1',NULL,0,'ShADad',6,1498,4,950,'');
+INSERT INTO "conn" VALUES(1.30047516890263509747e+09,'Ap3GzMI1vM9','141.142.220.118',35642,'208.80.152.2',80,'tcp','http',1.200408935546875e-01,534,412,'S1',NULL,0,'ShADad',4,750,3,576,'');
+INSERT INTO "conn" VALUES(1300475168.85533,'FTVcgrmNy52','141.142.220.118',49997,'208.80.152.3',80,'tcp','http',2.19720125198364257812e-01,1125,734,'S1',NULL,0,'ShADad',6,1445,4,950,'');
+INSERT INTO "conn" VALUES(1.30047516978033089643e+09,'1xFx4PGdeq5','141.142.220.235',6705,'173.192.163.128',80,'tcp',NULL,NULL,NULL,NULL,'OTH',NULL,0,'h',0,0,1,48,'');
+INSERT INTO "conn" VALUES(1.3004751686520030498e+09,'WIG1ud65z22','141.142.220.118',35634,'208.80.152.2',80,'tcp',NULL,6.1328887939453125e-02,463,350,'OTH',NULL,0,'DdA',2,567,1,402,'');
+INSERT INTO "conn" VALUES(1.3004751688929131031e+09,'o2gAkl4V7sa','141.142.220.118',49999,'208.80.152.3',80,'tcp','http',2.20960855484008789062e-01,1137,733,'S1',NULL,0,'ShADad',6,1457,4,949,'');
+COMMIT;
+@TEST-END-FILE
+
+@load base/protocols/conn
+
+redef Input::accept_unsupported_types = T;
+
+global outfile: file;
+
+module A;
+
+event line(description: Input::EventDescription, tpe: Input::Event, r: Conn::Info)
+	{
+	print outfile, r;
+	}
+
+event bro_init()
+	{
+	local config_strings: table[string] of string = {
+		 ["query"] = "select * from conn;",
+		 ["dbname"] = "conn"
+	};
+
+	outfile = open("../out");
+	# first read in the old stuff into the table...
+	Input::add_event([$source="../conn", $name="conn", $fields=Conn::Info, $ev=line, $want_record=T, $reader=Input::READER_SQLITE, $config=config_strings]);
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	print outfile, "End of data";
+	close(outfile);
+	terminate();
+	}

testing/btest/scripts/base/frameworks/input/sqlite/port.bro

@@ -0,0 +1,48 @@
+# @TEST-EXEC: cat port.sql | sqlite3 port.sqlite
+# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff out
+
+@TEST-START-FILE port.sql
+PRAGMA foreign_keys=OFF;
+BEGIN TRANSACTION;
+CREATE TABLE port (
+'port' integer,
+'proto' text
+);
+INSERT INTO "port" VALUES(5353,'udp');
+INSERT INTO "port" VALUES(6162,'tcp');
+COMMIT;
+@TEST-END-FILE
+
+global outfile: file;
+
+module A;
+
+type Val: record {
+	p: port &type_column="proto";
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, p: port)
+	{
+	print outfile, p;
+	}
+
+event bro_init()
+	{
+	local config_strings: table[string] of string = {
+		 ["query"] = "select port as p, proto from port;",
+		 ["dbname"] = "port"
+	};
+
+	outfile = open("../out");
+	# first read in the old stuff into the table...
+	Input::add_event([$source="../port", $name="port", $fields=Val, $ev=line, $reader=Input::READER_SQLITE, $want_record=F, $config=config_strings]);
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	print outfile, "End of data";
+	close(outfile);
+	terminate();
+	}

testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.bro

@@ -0,0 +1,8 @@
+#
+# @TEST-GROUP: dataseries
+#
+# @TEST-EXEC: bro -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_SQLITE
+# @TEST-EXEC: sqlite3 conn.sqlite 'select * from conn' | sort > conn.select
+# @TEST-EXEC: sqlite3 http.sqlite 'select * from http' | sort > http.select
+# @TEST-EXEC: btest-diff conn.select
+# @TEST-EXEC: btest-diff http.select