mirror of
https://github.com/zeek/zeek.git
synced 2025-10-17 05:58:20 +00:00
Merge branch 'master' into topic/gilbert/rand-pool
Conflicts: testing/btest/Baseline/istate.events-ssl/receiver.http.log testing/btest/Baseline/istate.events-ssl/sender.http.log testing/btest/Baseline/istate.events/receiver.http.log testing/btest/Baseline/istate.events/sender.http.log testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
This commit is contained in:
Gilbert Clark gc355804@ohio.edu
commit
3953b851e5
161 changed files with 1319 additions and 947 deletions
|
|
@ -1,2 +1,5 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
|
||||
1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 12 710 10 9945
|
||||
#separator \x09
|
||||
#path conn
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
|
||||
#types time string addr port addr port enum string interval count count string bool count string count count count count
|
||||
1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 710 10 9945
|
||||
|
|
|
|||
|
|
@ -1,8 +1,20 @@
|
|||
# ts node filter init success
|
||||
1312570784.336354 - not ip6 F T
|
||||
# ts node filter init success
|
||||
1312570784.550594 - (((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) F T
|
||||
# ts node filter init success
|
||||
1312570784.765990 - port 42 F T
|
||||
# ts node filter init success
|
||||
1312570784.992999 - port 56730 T T
|
||||
#separator \x09
|
||||
#path packet_filter
|
||||
#fields ts node filter init success
|
||||
#types time string string bool bool
|
||||
1315167051.418730 - not ip6 F T
|
||||
#separator \x09
|
||||
#path packet_filter
|
||||
#fields ts node filter init success
|
||||
#types time string string bool bool
|
||||
1315167051.652097 - (((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) F T
|
||||
#separator \x09
|
||||
#path packet_filter
|
||||
#fields ts node filter init success
|
||||
#types time string string bool bool
|
||||
1315167051.885416 - port 42 F T
|
||||
#separator \x09
|
||||
#path packet_filter
|
||||
#fields ts node filter init success
|
||||
#types time string string bool bool
|
||||
1315167052.120658 - port 56730 T T
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
|
||||
952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 - 11 280 0 0
|
||||
1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 12 710 10 9945
|
||||
1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF 7 361 7 3801
|
||||
#separator \x09
|
||||
#path conn
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
|
||||
#types time string addr port addr port enum string interval count count string bool count string count count count count
|
||||
952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 25 0 SH - 0 - 11 280 0 0
|
||||
1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 710 10 9945
|
||||
1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - 0 ShADadfF 7 361 7 3801
|
||||
|
|
|
|||
|
|
@ -263,7 +263,7 @@ Redefinitions
|
|||
|
||||
:Type: :bro:type:`enum`
|
||||
|
||||
.. bro:enum:: Example::EXAMPLE Log::ID
|
||||
.. bro:enum:: Example::LOG Log::ID
|
||||
|
||||
:bro:type:`Example::SimpleEnum`
|
||||
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
1313448356.390278 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
|
||||
#separator \x09
|
||||
#path http
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port string string string string string count count count string string table string string table string string file
|
||||
1315167107.671488 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
1313448356.390278 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
|
||||
#separator \x09
|
||||
#path http
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port string string string string string count count count string string table string string table string string file
|
||||
1315167107.671488 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
1313448372.638550 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
|
||||
#separator \x09
|
||||
#path http
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port string string string string string count count count string string table string string table string string file
|
||||
1315167116.842377 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
|
||||
|
|
|
|||
|
|
@ -1,2 +1,10 @@
|
|||
<<<<<<< HEAD
|
||||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
1313448372.638550 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
|
||||
=======
|
||||
#separator \x09
|
||||
#path http
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port string string string string string count count count string string table string string table string string file
|
||||
1315167116.842377 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
|
||||
>>>>>>> master
|
||||
|
|
|
|||
4
testing/btest/Baseline/language.enum-desc/output
Normal file
4
testing/btest/Baseline/language.enum-desc/output
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
ONE
|
||||
ONE
|
||||
TEST::TWO
|
||||
TEST::TWO
|
||||
|
|
@ -1 +1 @@
|
|||
c
|
||||
test::c
|
||||
|
|
|
|||
|
|
@ -1 +1,2 @@
|
|||
[major=4, minor=4, minor2=<uninitialized>, addl=<uninitialized>]
|
||||
[c=1, f=[i=2.0 hrs, s=<uninitialized>]]
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1313212563.234939 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
1313212563.234939 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
#separator \x09
|
||||
#path ssh-new-default
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167052.603186 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
1315167052.603186 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
|
|
|
|||
Binary file not shown.
|
|
@ -1,6 +1,9 @@
|
|||
PREFIX<>t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
|
||||
1299718506.56593|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
|
||||
1299718506.56593|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
|
||||
1299718506.56593|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
|
||||
1299718506.56593|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
|
||||
1299718506.56593|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T
|
||||
PREFIX<>separator \x7c
|
||||
PREFIX<>path|ssh
|
||||
PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
|
||||
PREFIX<>types|time|addr|port|addr|port|string|string|bool
|
||||
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
|
||||
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
|
||||
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
|
||||
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
|
||||
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T
|
||||
|
|
|
|||
Binary file not shown.
|
|
@ -1,4 +1,7 @@
|
|||
# data
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields data
|
||||
#types time
|
||||
1234567890.000000
|
||||
1234567890.000000
|
||||
1234567890.010000
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# status country a1 b1 b2
|
||||
#separator \x09
|
||||
#path ssh
|
||||
#fields status country a1 b1 b2
|
||||
#types string string count count count
|
||||
success unknown 1 3 4
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# status country
|
||||
#separator \x09
|
||||
#path ssh
|
||||
#fields status country
|
||||
#types string string
|
||||
success unknown
|
||||
failure US
|
||||
failure UK
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1299809561.67372 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
1299809561.67372 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1299809561.67372 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1299809561.67372 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
1299809561.67372 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
#separator \x09
|
||||
#path ssh
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# id.orig_p id.resp_h id.resp_p status country
|
||||
#separator \x09
|
||||
#path ssh
|
||||
#fields id.orig_p id.resp_h id.resp_p status country
|
||||
#types port addr port string string
|
||||
1234 2.3.4.5 80 success unknown
|
||||
1234 2.3.4.5 80 failure US
|
||||
1234 2.3.4.5 80 failure UK
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# t f
|
||||
1303098703.62603 Foo.log
|
||||
#separator \x09
|
||||
#path ssh
|
||||
#fields t f
|
||||
#types time file
|
||||
1315167053.585834 Foo.log
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
# t id.orig_h
|
||||
1303064007.48299 1.2.3.4
|
||||
1303064007.48299 1.2.3.4
|
||||
1303064007.48299 1.2.3.4
|
||||
1303064007.48299 1.2.3.4
|
||||
1303064007.48299 1.2.3.4
|
||||
#separator \x09
|
||||
#path ssh
|
||||
#fields t id.orig_h
|
||||
#types time addr
|
||||
1315167053.694473 1.2.3.4
|
||||
1315167053.694473 1.2.3.4
|
||||
1315167053.694473 1.2.3.4
|
||||
1315167053.694473 1.2.3.4
|
||||
1315167053.694473 1.2.3.4
|
||||
|
|
|
|||
|
|
@ -5,17 +5,38 @@ static-prefix-1-MX.log
|
|||
static-prefix-1-US.log
|
||||
static-prefix-2-MX2.log
|
||||
static-prefix-2-UK.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1313212701.542245 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure MX3
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1313212701.542245 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure MX2
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1313212701.542245 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
#separator \x09
|
||||
#path static-prefix-0-BR
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
#separator \x09
|
||||
#path static-prefix-0-MX3
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX3
|
||||
#separator \x09
|
||||
#path static-prefix-0-unknown
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
#separator \x09
|
||||
#path static-prefix-1-MX
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
#separator \x09
|
||||
#path static-prefix-1-US
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
#separator \x09
|
||||
#path static-prefix-2-MX2
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX2
|
||||
#separator \x09
|
||||
#path static-prefix-2-UK
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1299718503.16177 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1299718503.16177 1.2.3.4 1234 2.3.4.5 80 success -
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
#separator \x09
|
||||
#path test.failure
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.923545 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
#separator \x09
|
||||
#path test.success
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167053.923545 1.2.3.4 1234 2.3.4.5 80 success -
|
||||
|
|
@ -1,2 +1,5 @@
|
|||
# b i e c p sn a d t iv s sc ss se vc ve
|
||||
T -42 Test::TEST 21 123 10.0.0.0/24 1.2.3.4 3.14 1313623666.027768 100.0 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields b i e c p sn a d t iv s sc ss se vc ve
|
||||
#types bool int enum count port subnet addr double time interval string table table table vector vector
|
||||
T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315167054.320958 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
#separator \x09
|
||||
#path test.failure
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success -
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success -
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success -
|
||||
1312565744.470171 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
#separator \x09
|
||||
#path test.success
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success -
|
||||
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
#separator \x09
|
||||
#path ssh.failure
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1299718503.28253 1.2.3.4 1234 2.3.4.5 80 failure BR
|
||||
#separator \x09
|
||||
#path ssh
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure BR
|
||||
|
|
|
|||
|
|
@ -8,27 +8,31 @@
|
|||
1st test.2011-03-07-10-00-05.log test 11-03-07_10.00.05 11-03-07_11.00.05 0
|
||||
1st test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0
|
||||
1st test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_03.00.05.log, path=test2, open=1299466805.0, close=1299470395.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_03.59.55.log, path=test2, open=1299470395.0, close=1299470405.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_04.00.05.log, path=test2, open=1299470405.0, close=1299473995.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_04.59.55.log, path=test2, open=1299473995.0, close=1299474005.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_05.00.05.log, path=test2, open=1299474005.0, close=1299477595.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_05.59.55.log, path=test2, open=1299477595.0, close=1299477605.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_06.00.05.log, path=test2, open=1299477605.0, close=1299481195.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_06.59.55.log, path=test2, open=1299481195.0, close=1299481205.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_07.00.05.log, path=test2, open=1299481205.0, close=1299484795.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_07.59.55.log, path=test2, open=1299484795.0, close=1299484805.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_08.00.05.log, path=test2, open=1299484805.0, close=1299488395.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_08.59.55.log, path=test2, open=1299488395.0, close=1299488405.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_09.00.05.log, path=test2, open=1299488405.0, close=1299491995.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_09.59.55.log, path=test2, open=1299491995.0, close=1299492005.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_10.00.05.log, path=test2, open=1299492005.0, close=1299495595.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_10.59.55.log, path=test2, open=1299495595.0, close=1299495605.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, path=test2, open=1299495605.0, close=1299499195.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F]
|
||||
custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T]
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_03.00.05.log, path=test2, open=1299466805.0, close=1299470395.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_03.59.55.log, path=test2, open=1299470395.0, close=1299470405.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_04.00.05.log, path=test2, open=1299470405.0, close=1299473995.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_04.59.55.log, path=test2, open=1299473995.0, close=1299474005.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_05.00.05.log, path=test2, open=1299474005.0, close=1299477595.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_05.59.55.log, path=test2, open=1299477595.0, close=1299477605.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_06.00.05.log, path=test2, open=1299477605.0, close=1299481195.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_06.59.55.log, path=test2, open=1299481195.0, close=1299481205.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_07.00.05.log, path=test2, open=1299481205.0, close=1299484795.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_07.59.55.log, path=test2, open=1299484795.0, close=1299484805.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_08.00.05.log, path=test2, open=1299484805.0, close=1299488395.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_08.59.55.log, path=test2, open=1299488395.0, close=1299488405.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_09.00.05.log, path=test2, open=1299488405.0, close=1299491995.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_09.59.55.log, path=test2, open=1299491995.0, close=1299492005.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_10.00.05.log, path=test2, open=1299492005.0, close=1299495595.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_10.59.55.log, path=test2, open=1299495595.0, close=1299495605.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, path=test2, open=1299495605.0, close=1299499195.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F]
|
||||
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T]
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#path test
|
||||
#path test2
|
||||
#separator \x09
|
||||
#types time addr port addr port
|
||||
1299466805.000000 10.0.0.1 20 10.0.0.2 1024
|
||||
1299470395.000000 10.0.0.2 20 10.0.0.3 0
|
||||
1299470405.000000 10.0.0.1 20 10.0.0.2 1025
|
||||
|
|
@ -59,7 +63,6 @@ custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=tes
|
|||
> test.2011-03-07-10-00-05.log
|
||||
> test.2011-03-07-11-00-05.log
|
||||
> test.2011-03-07-12-00-05.log
|
||||
> test.log
|
||||
> test2-11-03-07_03.00.05.log
|
||||
> test2-11-03-07_03.59.55.log
|
||||
> test2-11-03-07_04.00.05.log
|
||||
|
|
@ -80,4 +83,3 @@ custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=tes
|
|||
> test2-11-03-07_11.59.55.log
|
||||
> test2-11-03-07_12.00.05.log
|
||||
> test2-11-03-07_12.59.55.log
|
||||
> test2.log
|
||||
|
|
|
|||
|
|
@ -9,42 +9,72 @@ test.2011-03-07-10-00-05.log test 11-03-07_10.00.05 11-03-07_11.00.05 0
|
|||
test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0
|
||||
test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
|
||||
> test.2011-03-07-03-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299466805.000000 10.0.0.1 20 10.0.0.2 1024
|
||||
1299470395.000000 10.0.0.2 20 10.0.0.3 0
|
||||
> test.2011-03-07-04-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299470405.000000 10.0.0.1 20 10.0.0.2 1025
|
||||
1299473995.000000 10.0.0.2 20 10.0.0.3 1
|
||||
> test.2011-03-07-05-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299474005.000000 10.0.0.1 20 10.0.0.2 1026
|
||||
1299477595.000000 10.0.0.2 20 10.0.0.3 2
|
||||
> test.2011-03-07-06-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299477605.000000 10.0.0.1 20 10.0.0.2 1027
|
||||
1299481195.000000 10.0.0.2 20 10.0.0.3 3
|
||||
> test.2011-03-07-07-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299481205.000000 10.0.0.1 20 10.0.0.2 1028
|
||||
1299484795.000000 10.0.0.2 20 10.0.0.3 4
|
||||
> test.2011-03-07-08-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299484805.000000 10.0.0.1 20 10.0.0.2 1029
|
||||
1299488395.000000 10.0.0.2 20 10.0.0.3 5
|
||||
> test.2011-03-07-09-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299488405.000000 10.0.0.1 20 10.0.0.2 1030
|
||||
1299491995.000000 10.0.0.2 20 10.0.0.3 6
|
||||
> test.2011-03-07-10-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299492005.000000 10.0.0.1 20 10.0.0.2 1031
|
||||
1299495595.000000 10.0.0.2 20 10.0.0.3 7
|
||||
> test.2011-03-07-11-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299495605.000000 10.0.0.1 20 10.0.0.2 1032
|
||||
1299499195.000000 10.0.0.2 20 10.0.0.3 8
|
||||
> test.2011-03-07-12-00-05.log
|
||||
# t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#separator \x09
|
||||
#path test
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p
|
||||
#types time addr port addr port
|
||||
1299499205.000000 10.0.0.1 20 10.0.0.2 1033
|
||||
1299502795.000000 10.0.0.2 20 10.0.0.3 9
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1299718506.28824 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
1299718506.28824 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1299718506.28824 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1299718506.28824 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
1299718506.28824 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
#separator \x09
|
||||
#path /dev/stdout
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
# t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
1299718506.1313 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
1299718506.1313 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1299718506.1313 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1299718506.1313 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
1299718506.1313 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
#separator \x09
|
||||
#path ssh
|
||||
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
|
||||
#types time addr port addr port string string
|
||||
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 success unknown
|
||||
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure US
|
||||
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure UK
|
||||
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 success BR
|
||||
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure MX
|
||||
|
|
|
|||
Binary file not shown.
|
|
@ -1,3 +1,6 @@
|
|||
# a.val1 a.val2 b
|
||||
#separator \x09
|
||||
#path testing
|
||||
#fields a.val1 a.val2 b
|
||||
#types count count count
|
||||
- - 6
|
||||
1 2 3
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# vec
|
||||
#separator \x09
|
||||
#path ssh
|
||||
#fields vec
|
||||
#types vector
|
||||
-,2,-,-,5
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# ts metric_id filter_name index.host index.str index.network value
|
||||
1313429477.091485 TEST_METRIC foo-bar 6.5.4.3 - - 4
|
||||
1313429477.091485 TEST_METRIC foo-bar 1.2.3.4 - - 6
|
||||
1313429477.091485 TEST_METRIC foo-bar 7.2.1.5 - - 2
|
||||
#separator \x09
|
||||
#path metrics
|
||||
#fields ts metric_id filter_name index.host index.str index.network value
|
||||
#types time enum string addr string subnet count
|
||||
1315167074.181810 TEST_METRIC foo-bar 6.5.4.3 - - 4
|
||||
1315167074.181810 TEST_METRIC foo-bar 1.2.3.4 - - 6
|
||||
1315167074.181810 TEST_METRIC foo-bar 7.2.1.5 - - 2
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# ts metric_id filter_name index.host index.str index.network value
|
||||
1313430544.678529 TEST_METRIC foo-bar 6.5.4.3 - - 2
|
||||
1313430544.678529 TEST_METRIC foo-bar 1.2.3.4 - - 3
|
||||
1313430544.678529 TEST_METRIC foo-bar 7.2.1.5 - - 1
|
||||
#separator \x09
|
||||
#path metrics
|
||||
#fields ts metric_id filter_name index.host index.str index.network value
|
||||
#types time enum string addr string subnet count
|
||||
1315167083.455574 TEST_METRIC foo-bar 6.5.4.3 - - 2
|
||||
1315167083.455574 TEST_METRIC foo-bar 1.2.3.4 - - 3
|
||||
1315167083.455574 TEST_METRIC foo-bar 7.2.1.5 - - 1
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
|
||||
1313897486.017657 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - -
|
||||
#separator \x09
|
||||
#path notice
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
|
||||
#types time string addr port addr port enum string string addr addr port count string table table bool string string string double double addr string subnet
|
||||
1315167088.906913 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 100/100 - 1.2.3.4 - - 100 manager-1 Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - -
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
|
||||
1313685819.326521 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - -
|
||||
1313685819.326521 - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 4 - - - - - - 6.5.4.3 - -
|
||||
#separator \x09
|
||||
#path notice
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
|
||||
#types time string addr port addr port enum string string addr addr port count string table table bool string string string double double addr string subnet
|
||||
1315167098.061022 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - -
|
||||
1315167098.061022 - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 4 - - - - - - 6.5.4.3 - -
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied md5 extraction_file
|
||||
#separator \x09
|
||||
#path http
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied md5 extraction_file
|
||||
#types time string addr port addr port string string string string string count count count string string table string string table string file
|
||||
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - - -
|
||||
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - - -
|
||||
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - - -
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size extraction_file
|
||||
#separator \x09
|
||||
#path irc
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size extraction_file
|
||||
#types time string addr port addr port string string table string string string table string count file
|
||||
1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - - NICK bloed - - - - -
|
||||
1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - -
|
||||
1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - JOIN #easymovies - - - - -
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid helo mailfrom rcptto date from to reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent
|
||||
1254722768.219663 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 @56gKBmhBBB6 GP <gurpartap@patriots.in> <raj_deol2002in@yahoo.co.in> Mon, 5 Oct 2009 11:36:07 +0530 "Gurpartap Singh" <gurpartap@patriots.in> <raj_deol2002in@yahoo.co.in> - <000301ca4581$ef9e57f0$cedb07d0$@in> - SMTP - - - 250 OK id=1Mugho-0003Dg-Un 74.53.140.153,10.10.1.4 Microsoft Office Outlook 12.0
|
||||
#separator \x09
|
||||
#path smtp
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid helo mailfrom rcptto date from to reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent
|
||||
#types time string addr port addr port string string string table string string table string string string string addr string string string vector string
|
||||
1254722768.219663 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh GP <gurpartap@patriots.in> <raj_deol2002in@yahoo.co.in> Mon, 5 Oct 2009 11:36:07 +0530 "Gurpartap Singh" <gurpartap@patriots.in> <raj_deol2002in@yahoo.co.in> - <000301ca4581$ef9e57f0$cedb07d0$@in> - SMTP - - - 250 OK id=1Mugho-0003Dg-Un 74.53.140.153,10.10.1.4 Microsoft Office Outlook 12.0
|
||||
|
|
|
|||
|
|
@ -1,5 +1,8 @@
|
|||
# ts host
|
||||
1300475168.78384 141.142.220.118
|
||||
1300475168.78384 208.80.152.118
|
||||
1300475168.91594 208.80.152.3
|
||||
1300475168.96263 208.80.152.2
|
||||
#separator \x09
|
||||
#path known_hosts
|
||||
#fields ts host
|
||||
#types time addr
|
||||
1300475168.783842 141.142.220.118
|
||||
1300475168.783842 208.80.152.118
|
||||
1300475168.915940 208.80.152.3
|
||||
1300475168.962628 208.80.152.2
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# ts host
|
||||
1300475168.78384 141.142.220.118
|
||||
#separator \x09
|
||||
#path known_hosts
|
||||
#fields ts host
|
||||
#types time addr
|
||||
1300475168.783842 141.142.220.118
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# ts host
|
||||
1300475168.78384 208.80.152.118
|
||||
1300475168.91594 208.80.152.3
|
||||
1300475168.96263 208.80.152.2
|
||||
#separator \x09
|
||||
#path known_hosts
|
||||
#fields ts host
|
||||
#types time addr
|
||||
1300475168.783842 208.80.152.118
|
||||
1300475168.915940 208.80.152.3
|
||||
1300475168.962628 208.80.152.2
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
# ts host port_num port_proto service
|
||||
1308930691.03504 172.16.238.131 22 tcp SSH
|
||||
1308930694.54896 172.16.238.131 80 tcp HTTP
|
||||
1308930716.45795 74.125.225.81 80 tcp HTTP
|
||||
1308930703.06815 172.16.238.131 21 tcp FTP
|
||||
1308930726.86415 141.142.192.39 22 tcp SSH
|
||||
#separator \x09
|
||||
#path known_services
|
||||
#fields ts host port_num port_proto service
|
||||
#types time addr port enum table
|
||||
1308930691.035044 172.16.238.131 22 tcp SSH
|
||||
1308930694.548964 172.16.238.131 80 tcp HTTP
|
||||
1308930716.457950 74.125.225.81 80 tcp HTTP
|
||||
1308930703.068148 172.16.238.131 21 tcp FTP
|
||||
1308930726.864150 141.142.192.39 22 tcp SSH
|
||||
|
|
|
|||
|
|
@ -1,4 +1,7 @@
|
|||
# ts host port_num port_proto service
|
||||
1308930691.03504 172.16.238.131 22 tcp SSH
|
||||
1308930694.54896 172.16.238.131 80 tcp HTTP
|
||||
1308930703.06815 172.16.238.131 21 tcp FTP
|
||||
#separator \x09
|
||||
#path known_services
|
||||
#fields ts host port_num port_proto service
|
||||
#types time addr port enum table
|
||||
1308930691.035044 172.16.238.131 22 tcp SSH
|
||||
1308930694.548964 172.16.238.131 80 tcp HTTP
|
||||
1308930703.068148 172.16.238.131 21 tcp FTP
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
# ts host port_num port_proto service
|
||||
1308930716.45795 74.125.225.81 80 tcp HTTP
|
||||
1308930726.86415 141.142.192.39 22 tcp SSH
|
||||
#separator \x09
|
||||
#path known_services
|
||||
#fields ts host port_num port_proto service
|
||||
#types time addr port enum table
|
||||
1308930716.457950 74.125.225.81 80 tcp HTTP
|
||||
1308930726.864150 141.142.192.39 22 tcp SSH
|
||||
|
|
|
|||
|
|
@ -1,2 +1,5 @@
|
|||
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z TTL answers auth addl
|
||||
930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F F T 0 31337.0 4.3.2.1 - -
|
||||
#separator \x09
|
||||
#path dns
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z TTL answers auth addl
|
||||
#types time string addr port addr port enum count string count string count string count string bool bool bool bool bool count interval table table table
|
||||
930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F F T 0 31337.000000 4.3.2.1 - -
|
||||
|
|
|
|||
15
testing/btest/language/enum-desc.bro
Normal file
15
testing/btest/language/enum-desc.bro
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
# @TEST-EXEC: bro -b %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
type test_enum1: enum { ONE };
|
||||
|
||||
module TEST;
|
||||
|
||||
type test_enum2: enum { TWO };
|
||||
|
||||
print ONE;
|
||||
print fmt("%s", ONE);
|
||||
|
||||
|
||||
print TWO;
|
||||
print fmt("%s", TWO);
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro %INPUT >output 2>&1
|
||||
# @TEST-EXEC: bro %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
type Version: record {
|
||||
|
|
@ -17,8 +17,24 @@ global matched_software: table[string] of Info = {
|
|||
["OpenSSH_4.4"] = [$name="OpenSSH", $version=[$major=4,$minor=4]],
|
||||
};
|
||||
|
||||
type Foo: record {
|
||||
i: interval &default=1hr;
|
||||
s: string &optional;
|
||||
};
|
||||
|
||||
type FooContainer: record {
|
||||
c: count;
|
||||
f: Foo &optional;
|
||||
};
|
||||
|
||||
function foo_func(fc: FooContainer)
|
||||
{
|
||||
print fc;
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
for ( sw in matched_software )
|
||||
print matched_software[sw]$version;
|
||||
foo_func([$c=1, $f=[$i=2hrs]]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ module SSH;
|
|||
|
||||
export {
|
||||
# Create a new ID for our log stream
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
# Define a record with all the columns the log file can have.
|
||||
# (I'm using a subset of fields from ssh-ext for demonstration.)
|
||||
|
|
@ -21,13 +21,13 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Info]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Info]);
|
||||
|
||||
local filter = Log::get_filter(SSH, "default");
|
||||
local filter = Log::get_filter(SSH::LOG, "default");
|
||||
filter$path= "ssh-new-default";
|
||||
Log::add_filter(SSH, filter);
|
||||
Log::add_filter(SSH::LOG, filter);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Info: record {
|
||||
data: string;
|
||||
|
|
@ -17,9 +17,9 @@ redef LogAscii::separator = "|";
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Info]);
|
||||
Log::write(SSH, [$data="abc\n\xffdef", $data2="DATA2"]);
|
||||
Log::write(SSH, [$data="abc|\xffdef", $data2="DATA2"]);
|
||||
Log::write(SSH, [$data="abc\xff|def", $data2="DATA2"]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Info]);
|
||||
Log::write(SSH::LOG, [$data="abc\n\xffdef", $data2="DATA2"]);
|
||||
Log::write(SSH::LOG, [$data="abc|\xffdef", $data2="DATA2"]);
|
||||
Log::write(SSH::LOG, [$data="abc\xff|def", $data2="DATA2"]);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ redef LogAscii::header_prefix = "PREFIX<>";
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -24,15 +24,15 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $b=T, $status="failure", $country=""]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $b=T, $status="failure", $country=""]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ redef LogAscii::separator = "||";
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -19,14 +19,14 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="fa||ure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="su||ess", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="fa||ure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="su||ess", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ redef LogAscii::include_header = F;
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -21,15 +21,15 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module Test;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { TEST };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Info: record {
|
||||
data: time &log;
|
||||
|
|
@ -14,14 +14,14 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(TEST, [$columns=Info]);
|
||||
Log::write(TEST, [$data=double_to_time(1234567890)]);
|
||||
Log::write(TEST, [$data=double_to_time(1234567890.0)]);
|
||||
Log::write(TEST, [$data=double_to_time(1234567890.01)]);
|
||||
Log::write(TEST, [$data=double_to_time(1234567890.001)]);
|
||||
Log::write(TEST, [$data=double_to_time(1234567890.0001)]);
|
||||
Log::write(TEST, [$data=double_to_time(1234567890.00001)]);
|
||||
Log::write(TEST, [$data=double_to_time(1234567890.000001)]);
|
||||
Log::write(TEST, [$data=double_to_time(1234567890.0000001)]);
|
||||
Log::create_stream(Test::LOG, [$columns=Info]);
|
||||
Log::write(Test::LOG, [$data=double_to_time(1234567890)]);
|
||||
Log::write(Test::LOG, [$data=double_to_time(1234567890.0)]);
|
||||
Log::write(Test::LOG, [$data=double_to_time(1234567890.01)]);
|
||||
Log::write(Test::LOG, [$data=double_to_time(1234567890.001)]);
|
||||
Log::write(Test::LOG, [$data=double_to_time(1234567890.0001)]);
|
||||
Log::write(Test::LOG, [$data=double_to_time(1234567890.00001)]);
|
||||
Log::write(Test::LOG, [$data=double_to_time(1234567890.000001)]);
|
||||
Log::write(Test::LOG, [$data=double_to_time(1234567890.0000001)]);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -28,10 +28,10 @@ redef record Log += {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $a1=1, $a2=2, $b1=3, $b2=4]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $a1=1, $a2=2, $b1=3, $b2=4]);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -17,15 +17,15 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -17,17 +17,17 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
Log::disable_stream(SSH);
|
||||
Log::disable_stream(SSH::LOG);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -19,15 +19,15 @@ global log_ssh: event(rec: Log);
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log, $ev=log_ssh]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log, $ev=log_ssh]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ module SSH;
|
|||
|
||||
export {
|
||||
# Create a new ID for our log stream
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
# Define a record with all the columns the log file can have.
|
||||
# (I'm using a subset of fields from ssh-ext for demonstration.)
|
||||
|
|
@ -22,12 +22,12 @@ global ssh_log: event(rec: Log);
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log, $ev=ssh_log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log, $ev=ssh_log]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
local r: Log = [$t=network_time(), $id=cid, $status="success"];
|
||||
Log::write(SSH, r);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, r);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -17,18 +17,18 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
Log::remove_default_filter(SSH);
|
||||
Log::add_filter(SSH, [$name="f1", $exclude=set("t", "id.orig_h")]);
|
||||
Log::remove_default_filter(SSH::LOG);
|
||||
Log::add_filter(SSH::LOG, [$name="f1", $exclude=set("t", "id.orig_h")]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -17,7 +17,7 @@ const foo_log = open_log_file("Foo") &redef;
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::write(SSH, [$t=network_time(), $f=foo_log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $f=foo_log]);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -17,18 +17,18 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
Log::remove_default_filter(SSH);
|
||||
Log::add_filter(SSH, [$name="default", $include=set("t", "id.orig_h")]);
|
||||
Log::remove_default_filter(SSH::LOG);
|
||||
Log::add_filter(SSH::LOG, [$name="default", $include=set("t", "id.orig_h")]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -19,15 +19,15 @@ redef Log::enable_local_logging = F;
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ module SSH;
|
|||
|
||||
export {
|
||||
# Create a new ID for our log stream
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
# Define a record with all the columns the log file can have.
|
||||
# (I'm using a subset of fields from ssh-ext for demonstration.)
|
||||
|
|
@ -30,19 +30,19 @@ function path_func(id: Log::ID, path: string, rec: Log) : string
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::remove_default_filter(SSH);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
Log::remove_default_filter(SSH::LOG);
|
||||
|
||||
Log::add_filter(SSH, [$name="dyn", $path="static-prefix", $path_func=path_func]);
|
||||
Log::add_filter(SSH::LOG, [$name="dyn", $path="static-prefix", $path_func=path_func]);
|
||||
|
||||
Log::set_buf(SSH, F);
|
||||
Log::set_buf(SSH::LOG, F);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX2"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX3"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX2"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX3"]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,16 +1,16 @@
|
|||
|
||||
# @TEST-EXEC: bro -b %INPUT
|
||||
# @TEST-EXEC: btest-diff ssh.success.log
|
||||
# @TEST-EXEC: btest-diff ssh.failure.log
|
||||
# @TEST-EXEC: btest-diff test.success.log
|
||||
# @TEST-EXEC: btest-diff test.failure.log
|
||||
|
||||
module SSH;
|
||||
module Test;
|
||||
|
||||
export {
|
||||
# Create a new ID for our log stream
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
# Define a record with all the columns the log file can have.
|
||||
# (I'm using a subset of fields from ssh-ext for demonstration.)
|
||||
# (I'm using a subset of fields from ssh for demonstration.)
|
||||
type Log: record {
|
||||
t: time;
|
||||
id: conn_id; # Will be rolled out into individual columns.
|
||||
|
|
@ -26,14 +26,14 @@ function fail(rec: Log): bool
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::remove_default_filter(SSH);
|
||||
Log::add_filter(SSH, [$name="f1", $path="ssh.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
|
||||
Log::add_filter(SSH, [$name="f2", $path="ssh.failure", $pred=fail]);
|
||||
Log::create_stream(Test::LOG, [$columns=Log]);
|
||||
Log::remove_default_filter(Test::LOG);
|
||||
Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
|
||||
Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
local r: Log = [$t=network_time(), $id=cid, $status="success"];
|
||||
Log::write(SSH, r);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(Test::LOG, r);
|
||||
Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ module Test;
|
|||
|
||||
export {
|
||||
# Create a new ID for our log stream
|
||||
redef enum Log::ID += { TEST };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
b: bool;
|
||||
|
|
@ -39,7 +39,7 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(TEST, [$columns=Log]);
|
||||
Log::create_stream(Test::LOG, [$columns=Log]);
|
||||
}
|
||||
|
||||
#####
|
||||
|
|
@ -55,10 +55,10 @@ event remote_connection_handshake_done(p: event_peer)
|
|||
local empty_set: set[string];
|
||||
local empty_vector: vector of string;
|
||||
|
||||
Log::write(TEST, [
|
||||
Log::write(Test::LOG, [
|
||||
$b=T,
|
||||
$i=-42,
|
||||
$e=TEST,
|
||||
$e=Test::LOG,
|
||||
$c=21,
|
||||
$p=123/tcp,
|
||||
$sn=10.0.0.1/24,
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ module Test;
|
|||
|
||||
export {
|
||||
# Create a new ID for our log stream
|
||||
redef enum Log::ID += { TEST };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
# Define a record with all the columns the log file can have.
|
||||
# (I'm using a subset of fields from ssh-ext for demonstration.)
|
||||
|
|
@ -30,8 +30,8 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(TEST, [$columns=Log]);
|
||||
Log::add_filter(TEST, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
|
||||
Log::create_stream(Test::LOG, [$columns=Log]);
|
||||
Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]);
|
||||
}
|
||||
|
||||
#####
|
||||
|
|
@ -49,18 +49,18 @@ function fail(rec: Log): bool
|
|||
|
||||
event remote_connection_handshake_done(p: event_peer)
|
||||
{
|
||||
Log::add_filter(TEST, [$name="f2", $path="test.failure", $pred=fail]);
|
||||
Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
local r: Log = [$t=network_time(), $id=cid, $status="success"];
|
||||
|
||||
# Log something.
|
||||
Log::write(TEST, r);
|
||||
Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(TEST, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(TEST, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(Test::LOG, r);
|
||||
Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
}
|
||||
@TEST-END-FILE
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ module SSH;
|
|||
|
||||
export {
|
||||
# Create a new ID for our log stream
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
# Define a record with all the columns the log file can have.
|
||||
# (I'm using a subset of fields from ssh-ext for demonstration.)
|
||||
|
|
@ -21,21 +21,21 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::add_filter(SSH, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
# Log something.
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
|
||||
Log::remove_filter(SSH, "f1");
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="BR"]);
|
||||
Log::remove_filter(SSH::LOG, "f1");
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="BR"]);
|
||||
|
||||
Log::remove_filter(SSH, "default");
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::remove_filter(SSH::LOG, "default");
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
Log::remove_filter(SSH, "doesn-not-exist");
|
||||
Log::remove_filter(SSH::LOG, "doesn-not-exist");
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ module Test;
|
|||
|
||||
export {
|
||||
# Create a new ID for our log stream
|
||||
redef enum Log::ID += { Test };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
# Define a record with all the columns the log file can have.
|
||||
# (I'm using a subset of fields from ssh-ext for demonstration.)
|
||||
|
|
@ -32,12 +32,12 @@ redef Log::rotation_control += {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(Test, [$columns=Log]);
|
||||
Log::add_filter(Test, [$name="2nd", $path="test2"]);
|
||||
Log::create_stream(Test::LOG, [$columns=Log]);
|
||||
Log::add_filter(Test::LOG, [$name="2nd", $path="test2"]);
|
||||
|
||||
}
|
||||
|
||||
event new_connection(c: connection)
|
||||
{
|
||||
Log::write(Test, [$t=network_time(), $id=c$id]);
|
||||
Log::write(Test::LOG, [$t=network_time(), $id=c$id]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r %DIR/rotation.trace %INPUT 2>&1 | grep "test" >out
|
||||
# @TEST-EXEC: bro -b -r %DIR/rotation.trace %INPUT 2>&1 | grep "test" >out
|
||||
# @TEST-EXEC: for i in test.*.log; do printf '> %s\n' $i; cat $i; done >>out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
|
|
@ -7,7 +7,7 @@ module Test;
|
|||
|
||||
export {
|
||||
# Create a new ID for our log stream
|
||||
redef enum Log::ID += { Test };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
# Define a record with all the columns the log file can have.
|
||||
# (I'm using a subset of fields from ssh-ext for demonstration.)
|
||||
|
|
@ -22,10 +22,10 @@ redef Log::default_rotation_postprocessor_cmd = "echo";
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(Test, [$columns=Log]);
|
||||
Log::create_stream(Test::LOG, [$columns=Log]);
|
||||
}
|
||||
|
||||
event new_connection(c: connection)
|
||||
{
|
||||
Log::write(Test, [$t=network_time(), $id=c$id]);
|
||||
Log::write(Test::LOG, [$t=network_time(), $id=c$id]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -18,19 +18,19 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local filter = Log::get_filter(SSH, "default");
|
||||
local filter = Log::get_filter(SSH::LOG, "default");
|
||||
filter$path= "/dev/stdout";
|
||||
Log::add_filter(SSH, filter);
|
||||
Log::add_filter(SSH::LOG, filter);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
t: time;
|
||||
|
|
@ -17,15 +17,15 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp];
|
||||
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]);
|
||||
Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ redef LogAscii::empty_field = "EMPTY";
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
b: bool;
|
||||
|
|
@ -42,15 +42,15 @@ function foo(i : count) : string
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local empty_set: set[string];
|
||||
local empty_vector: vector of string;
|
||||
|
||||
Log::write(SSH, [
|
||||
Log::write(SSH::LOG, [
|
||||
$b=T,
|
||||
$i=-42,
|
||||
$e=SSH,
|
||||
$e=SSH::LOG,
|
||||
$c=21,
|
||||
$p=123/tcp,
|
||||
$sn=10.0.0.1/24,
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { SSH };
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Log: record {
|
||||
vec: vector of string &log;
|
||||
|
|
@ -14,14 +14,14 @@ export {
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(SSH, [$columns=Log]);
|
||||
Log::create_stream(SSH::LOG, [$columns=Log]);
|
||||
|
||||
local v: vector of string;
|
||||
|
||||
v[1] = "2";
|
||||
v[4] = "5";
|
||||
|
||||
Log::write(SSH, [$vec=v]);
|
||||
Log::write(SSH::LOG, [$vec=v]);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,2 @@
|
|||
# @TEST-EXEC-FAIL: bro -r $TRACES/web.trace -f "bad filter"
|
||||
# @TEST-EXEC: test -s .stderr
|
||||
|
|
@ -1,11 +1,11 @@
|
|||
# Makes sure that all base/* scripts are loaded by default via init-default.bro;
|
||||
# and that all scripts loaded there in there actually exist.
|
||||
|
||||
@TEST-EXEC: test -d $DIST/scripts/base
|
||||
@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro
|
||||
@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found"
|
||||
@TEST-EXEC: bro misc/loaded-scripts
|
||||
@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/|/loaded-scripts.bro' | awk 'NR>1{print $2}' | sed 's#/./#/#g' >loaded_scripts.log.tmp
|
||||
@TEST-EXEC: cat loaded_scripts.log.tmp | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix
|
||||
@TEST-EXEC: cat loaded_scripts.log.tmp | sed "s#`cat prefix`#./#g" | sort >init-default.bro
|
||||
@TEST-EXEC: diff -u "all scripts found" init-default.bro 1>&2
|
||||
#@TEST-EXEC: test -d $DIST/scripts/base
|
||||
#@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro
|
||||
#@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found"
|
||||
#@TEST-EXEC: bro misc/loaded-scripts
|
||||
#@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/|/loaded-scripts.bro' | awk 'NR>1{print $2}' | sed 's#/./#/#g' >loaded_scripts.log.tmp
|
||||
#@TEST-EXEC: cat loaded_scripts.log.tmp | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix
|
||||
#@TEST-EXEC: cat loaded_scripts.log.tmp | sed "s#`cat prefix`#./#g" | sort >init-default.bro
|
||||
#@TEST-EXEC: diff -u "all scripts found" init-default.bro 1>&2
|
||||
|
|
|
|||
|
|
@ -10,8 +10,8 @@ redef HTTP::generate_md5 += /image\/png/;
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::remove_default_filter(HTTP::HTTP);
|
||||
Log::add_filter(HTTP::HTTP, [$name="normalized-mime-types",
|
||||
Log::remove_default_filter(HTTP::LOG);
|
||||
Log::add_filter(HTTP::LOG, [$name="normalized-mime-types",
|
||||
$pred=function(rec: HTTP::Info): bool
|
||||
{
|
||||
if ( rec?$mime_type && HTTP::generate_md5 != rec$mime_type )
|
||||
|
|
|
|||
|
|
@ -4,6 +4,6 @@
|
|||
# mime type is irrelevant to this test, so filter it out
|
||||
event bro_init()
|
||||
{
|
||||
Log::remove_default_filter(HTTP::HTTP);
|
||||
Log::add_filter(HTTP::HTTP, [$name="less-mime-types", $exclude=set("mime_type")]);
|
||||
Log::remove_default_filter(HTTP::LOG);
|
||||
Log::add_filter(HTTP::LOG, [$name="less-mime-types", $exclude=set("mime_type")]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,6 +7,6 @@
|
|||
# dcc mime types are irrelevant to this test, so filter it out
|
||||
event bro_init()
|
||||
{
|
||||
Log::remove_default_filter(IRC::IRC);
|
||||
Log::add_filter(IRC::IRC, [$name="remove-mime", $exclude=set("dcc_mime_type")]);
|
||||
Log::remove_default_filter(IRC::LOG);
|
||||
Log::add_filter(IRC::LOG, [$name="remove-mime", $exclude=set("dcc_mime_type")]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,8 +13,8 @@ redef IRC::extract_file_types=/.*/;
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::remove_default_filter(IRC::IRC);
|
||||
Log::add_filter(IRC::IRC, [$name="normalized-mime-types",
|
||||
Log::remove_default_filter(IRC::LOG);
|
||||
Log::add_filter(IRC::LOG, [$name="normalized-mime-types",
|
||||
$pred=function(rec: IRC::Info): bool
|
||||
{
|
||||
if ( rec?$dcc_mime_type )
|
||||
|
|
|
|||
|
|
@ -13,8 +13,8 @@ redef SMTP::extract_file_types=/text\/plain/;
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::remove_default_filter(SMTP::SMTP_ENTITIES);
|
||||
Log::add_filter(SMTP::SMTP_ENTITIES, [$name="normalized-mime-types",
|
||||
Log::remove_default_filter(SMTP::ENTITIES_LOG);
|
||||
Log::add_filter(SMTP::ENTITIES_LOG, [$name="normalized-mime-types",
|
||||
$pred=function(rec: SMTP::EntityInfo): bool
|
||||
{
|
||||
if ( rec?$mime_type )
|
||||
|
|
|
|||
|
|
@ -11,8 +11,8 @@ redef SMTP::generate_md5=/text\/plain/;
|
|||
|
||||
event bro_init()
|
||||
{
|
||||
Log::remove_default_filter(SMTP::SMTP_ENTITIES);
|
||||
Log::add_filter(SMTP::SMTP_ENTITIES, [$name="normalized-mime-types",
|
||||
Log::remove_default_filter(SMTP::ENTITIES_LOG);
|
||||
Log::add_filter(SMTP::ENTITIES_LOG, [$name="normalized-mime-types",
|
||||
$pred=function(rec: SMTP::EntityInfo): bool
|
||||
{
|
||||
if ( rec?$mime_type )
|
||||
|
|
|
|||
|
|
@ -1,18 +1,18 @@
|
|||
# A basic test of the known-hosts script's logging and asset_tracking options
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=LOCAL_HOSTS
|
||||
# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=LOCAL_HOSTS
|
||||
# @TEST-EXEC: mv known_hosts.log knownhosts-local.log
|
||||
# @TEST-EXEC: btest-diff knownhosts-local.log
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=REMOTE_HOSTS
|
||||
# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=REMOTE_HOSTS
|
||||
# @TEST-EXEC: mv known_hosts.log knownhosts-remote.log
|
||||
# @TEST-EXEC: btest-diff knownhosts-remote.log
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=ALL_HOSTS
|
||||
# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=ALL_HOSTS
|
||||
# @TEST-EXEC: mv known_hosts.log knownhosts-all.log
|
||||
# @TEST-EXEC: btest-diff knownhosts-all.log
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=NO_HOSTS
|
||||
# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT Known::host_tracking=NO_HOSTS
|
||||
# @TEST-EXEC: test '!' -e known_hosts.log
|
||||
|
||||
@load protocols/conn/known-hosts
|
||||
|
|
|
|||
|
|
@ -1,18 +1,18 @@
|
|||
# A basic test of the known-services script's logging and asset_tracking options
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=LOCAL_HOSTS
|
||||
# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=LOCAL_HOSTS
|
||||
# @TEST-EXEC: mv known_services.log knownservices-local.log
|
||||
# @TEST-EXEC: btest-diff knownservices-local.log
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=REMOTE_HOSTS
|
||||
# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=REMOTE_HOSTS
|
||||
# @TEST-EXEC: mv known_services.log knownservices-remote.log
|
||||
# @TEST-EXEC: btest-diff knownservices-remote.log
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=ALL_HOSTS
|
||||
# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=ALL_HOSTS
|
||||
# @TEST-EXEC: mv known_services.log knownservices-all.log
|
||||
# @TEST-EXEC: btest-diff knownservices-all.log
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=NO_HOSTS
|
||||
# @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT Known::service_tracking=NO_HOSTS
|
||||
# @TEST-EXEC: test '!' -e known_services.log
|
||||
|
||||
@load protocols/conn/known-services
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue