diff --git a/CHANGES b/CHANGES
index 0d7f1ae69c..3d4985169c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,35 @@
+6.2.0-dev.38 | 2023-10-24 13:57:03 +0200
+
+ * base/frameworks/spicy: Do not load base/misc/version (Arne Welzel, Corelight)
+
+ Unsure what it's used for today and also results in the situation that on
+ some platforms we generate a reporter.log in bare mode, while on others
+ where spicy is disabled, we do not.
+
+ If we want base/frameworks/version loaded by default, should put it into
+ init-bare.zeek and possibly remove the loading of the reporter framework
+ from it - Reporter::error() would still work and be visible on stderr,
+ just not create a reporter.log.
+
+ * btest/core/mmdb: Basic lookup_autonomous_system / lookup_location tests (Arne Welzel, Corelight)
+
+ * btest/files: Add mmdb testing databases and generator code (Arne Welzel, Corelight)
+
+ * zeek.bif: Switch mmdb stale check to network_time (Arne Welzel, Corelight)
+
+ Makes testing easier and aligns better with log rotation and timer
+ expiration. Should not have an effect in practice. Also, log detail
+ about whether inode or modification time changed, too.
+
+ * Fix mmdb pointer destruction (peter.cullen, Corelight)
+
+ The mmdb references needs to use reset() instead of release()
+ so that the destructor gets called and the stale DB is actually
+ cleaned up. Otherwise, the pointer is leaked and the stale DB
+ remains in memory.
+
+ * Bump auxil/spicy to latest development snapshot (Benjamin Bannier, Corelight)
+
 6.2.0-dev.29 | 2023-10-23 11:25:15 +0200
 * GH-3370: Spicy: Avoid creating Zeek types multiple times. (Robin Sommer, Corelight)
diff --git a/VERSION b/VERSION
index 48b0bf100c..e94c762a21 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-6.2.0-dev.29
+6.2.0-dev.38
diff --git a/scripts/base/frameworks/spicy/init-framework.zeek b/scripts/base/frameworks/spicy/init-framework.zeek
index 886b0f4170..ae3a3b8e65 100644
--- a/scripts/base/frameworks/spicy/init-framework.zeek
+++ b/scripts/base/frameworks/spicy/init-framework.zeek
@@ -1,5 +1,3 @@
-@load base/misc/version
-
 # doc-common-start
 module Spicy;
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index c71faa7979..df7b56ebb8 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -1107,6 +1107,11 @@ type geo_autonomous_system: record {
 ## The directory containing MaxMind DB (.mmdb) files to use for GeoIP support.
 const mmdb_dir: string = "" &redef;
+## Sets the interval for MaxMind DB file staleness checks. When Zeek detects a
+## change in inode or modification time, the database is re-opened. Setting
+## a negative interval disables staleness checks.
+const mmdb_stale_check_interval: interval = 5min &redef;
+
 ## Computed entropy values. The record captures a number of measures that are
 ## computed in parallel. See `A Pseudorandom Number Sequence Test Program
 ## `_ for more information, Zeek uses the same
diff --git a/src/zeek.bif b/src/zeek.bif
index 4c115ca4f3..e4d59690ff 100644
--- a/src/zeek.bif
+++ b/src/zeek.bif
@@ -4011,7 +4011,7 @@ static void report_mmdb_msg(const char* format, ...)
 va_list al;
 va_start(al, format);
- std::string msg = zeek::util::fmt(format, al);
+ std::string msg = zeek::util::vfmt(format, al);
 va_end(al);
 zeek::reporter->Info("%s", msg.data());
@@ -4031,12 +4031,12 @@ private:
 MMDB_s mmdb;
 struct stat file_info;
 bool lookup_error;
- std::chrono::time_point last_check;
+ double last_check;
 };
 MMDB::MMDB(const char* filename, struct stat info)
 : file_info(info), lookup_error{false},
- last_check{std::chrono::steady_clock::now()}
+ last_check{zeek::run_state::network_time}
 {
 int status = MMDB_open(filename, MMDB_MODE_MMAP, &mmdb);
@@ -4071,26 +4071,29 @@ MMDB_lookup_result_s MMDB::Lookup(const struct sockaddr* const sa)
 bool MMDB::StaleDB()
 {
 struct stat buf;
- using Clock = std::chrono::steady_clock;
- std::chrono::time_point now = Clock::now();
 if ( lookup_error )
 return true;
- // Only perform stat once per 5 minutes.
- using Min = std::chrono::minutes;
- if ( std::chrono::duration_cast(now - last_check).count() < 5 )
+
+ static double mmdb_stale_check_interval = zeek::id::find_val("mmdb_stale_check_interval")->AsInterval();
+
+ if ( mmdb_stale_check_interval < 0.0 )
 return false;
- last_check = now;
+ if ( zeek::run_state::network_time - last_check < mmdb_stale_check_interval )
+ return false;
+
+ last_check = zeek::run_state::network_time;
 if ( 0 != stat(mmdb.filename, &buf) )
 return true;
 if ( buf.st_ino != file_info.st_ino || buf.st_mtime != file_info.st_mtime )
 {
- report_mmdb_msg("Inode change detected for MaxMind DB [%s]",
- mmdb.filename);
+ report_mmdb_msg("%s change detected for MaxMind DB [%s]",
+ buf.st_ino != file_info.st_ino ? "Inode" : "Modification time",
+ mmdb.filename);
 return true;
 }
@@ -4159,7 +4162,7 @@ static void mmdb_check_loc()
 {
 report_mmdb_msg("Closing stale MaxMind DB [%s]", mmdb_loc->Filename());
 did_mmdb_loc_db_error = false;
- mmdb_loc.release();
+ mmdb_loc.reset();
 }
 }
@@ -4169,7 +4172,7 @@ static void mmdb_check_asn()
 {
 report_mmdb_msg("Closing stale MaxMind DB [%s]", mmdb_asn->Filename());
 did_mmdb_asn_db_error = false;
- mmdb_asn.release();
+ mmdb_asn.reset();
 }
 }
diff --git a/testing/btest/Baseline/broker.remote_event/recv.recv.out b/testing/btest/Baseline/broker.remote_event/recv.recv.out
index dacc55938b..c13ab4ea41 100644
--- a/testing/btest/Baseline/broker.remote_event/recv.recv.out
+++ b/testing/btest/Baseline/broker.remote_event/recv.recv.out
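Review bot: In StaleDB the script value `mmdb_stale_check_interval` is captured into a function-local `static` on the first call, so it is read exactly once per process; that is sound for a parse-time `const ... &redef` as declared in init-bare.zeek, but nothing at the call site says so, and anyone later turning that const into a runtime-changeable `option` would silently keep the frozen value. Suggest a comment on that line, e.g. `// Read once: the script-level const is only redef-able at parse time, which has completed before the first lookup.`, and a matching sentence in the init-bare.zeek doc comment stating that the interval is fixed at startup. Separately, the staleness test compares `st_mtime` at one-second resolution while the database is opened with `MMDB_MODE_MMAP`, so an in-place rewrite of the .mmdb within the same second as the last stat is not detected and a file being rewritten may be observed mid-write until the next check; the init-bare.zeek doc could advise replacing database files atomically (write to a temporary name, then rename), which always produces the inode change this code does catch.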
@@ -10,4 +10,4 @@ is_remote should be T, and is, T
 receiver got ping: my-message, 4
 is_remote should be T, and is, T
 receiver got ping: my-message, 5
-[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=2, num_ids_incoming=0, num_ids_outgoing=0]
+[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=1, num_ids_incoming=0, num_ids_outgoing=0]
diff --git a/testing/btest/Baseline/broker.remote_event_any/recv.recv.out b/testing/btest/Baseline/broker.remote_event_any/recv.recv.out
index dacc55938b..c13ab4ea41 100644
--- a/testing/btest/Baseline/broker.remote_event_any/recv.recv.out
+++ b/testing/btest/Baseline/broker.remote_event_any/recv.recv.out
@@ -10,4 +10,4 @@ is_remote should be T, and is, T
 receiver got ping: my-message, 4
 is_remote should be T, and is, T
 receiver got ping: my-message, 5
-[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=2, num_ids_incoming=0, num_ids_outgoing=0]
+[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=1, num_ids_incoming=0, num_ids_outgoing=0]
diff --git a/testing/btest/Baseline/broker.remote_event_ssl_auth/recv.recv.out b/testing/btest/Baseline/broker.remote_event_ssl_auth/recv.recv.out
index b25425641f..7a0dc495f2 100644
--- a/testing/btest/Baseline/broker.remote_event_ssl_auth/recv.recv.out
+++ b/testing/btest/Baseline/broker.remote_event_ssl_auth/recv.recv.out
@@ -5,4 +5,4 @@ receiver got ping: my-message, 2
 receiver got ping: my-message, 3
 receiver got ping: my-message, 4
 receiver got ping: my-message, 5
-[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=2, num_ids_incoming=0, num_ids_outgoing=0]
+[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=1, num_ids_incoming=0, num_ids_outgoing=0]
diff --git a/testing/btest/Baseline/core.mmdb.reopen/out b/testing/btest/Baseline/core.mmdb.reopen/out
new file mode 100644
index 0000000000..5641085ef3
--- /dev/null
+++ b/testing/btest/Baseline/core.mmdb.reopen/out
@@ -0,0 +1,17 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +1299466805.0, 1, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299466805.0, 1, 128.3.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +1299466805.0, 1, 131.243.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299466805.0, 1, 131.243.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +1299470395.0, 2, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299470395.0, 2, 128.3.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +1299470395.0, 2, 131.243.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299470395.0, 2, 131.243.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +1299470405.0, 3, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299470405.0, 3, 128.3.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +1299470405.0, 3, 131.243.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299470405.0, 3, 131.243.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +1299473995.0, 4, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299473995.0, 4, 128.3.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +1299473995.0, 4, 131.243.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299473995.0, 4, 131.243.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] 
diff --git a/testing/btest/Baseline/core.mmdb.reopen/reporter.log b/testing/btest/Baseline/core.mmdb.reopen/reporter.log new file mode 100644 index 0000000000..91b9edb7f8 --- /dev/null +++ b/testing/btest/Baseline/core.mmdb.reopen/reporter.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts level message location +1299470395.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb] (empty) +1299470395.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] (empty) +1299470395.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb] (empty) +1299470395.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb] (empty) +1299473995.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb] (empty) +1299473995.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] (empty) +1299473995.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb] (empty) +1299473995.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb] (empty) +1299473995.000000 Reporter::INFO received termination signal (empty) diff --git a/testing/btest/Baseline/core.mmdb.temporary-error/out b/testing/btest/Baseline/core.mmdb.temporary-error/out new file mode 100644 index 0000000000..7359472613 --- /dev/null +++ b/testing/btest/Baseline/core.mmdb.temporary-error/out 
@@ -0,0 +1,20 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +start +1299466805.0, 1, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299466805.0, 1, 128.3.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +corrupting db +1299470395.0, 2, 128.3.0.1, asn, [number=, organization=] +1299470395.0, 2, 128.3.0.1, location, [country_code=, region=, city=, latitude=, longitude=] +restoring backup db +1299470405.0, 3, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299470405.0, 3, 128.3.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +unlinking +1299473995.0, 4, 128.3.0.1, asn, [number=, organization=] +1299473995.0, 4, 128.3.0.1, location, [country_code=, region=, city=, latitude=, longitude=] +restoring backup db +1299474005.0, 5, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299474005.0, 5, 128.3.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +unlinking and restoring +1299477595.0, 6, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory] +1299477595.0, 6, 128.3.0.1, location, [country_code=US, region=, city=Berkeley, latitude=37.751, longitude=-97.822] +done diff --git a/testing/btest/Baseline/core.mmdb.temporary-error/reporter.log b/testing/btest/Baseline/core.mmdb.temporary-error/reporter.log new file mode 100644 index 0000000000..5ec6a3e3ec --- /dev/null +++ b/testing/btest/Baseline/core.mmdb.temporary-error/reporter.log 
@@ -0,0 +1,19 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts level message location +1299470395.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1 +1299470395.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1 +1299470395.000000 Reporter::INFO Failed to open MaxMind DB: .<...>/GeoLite2-ASN.mmdb [The MaxMind DB file contains invalid metadata] , line 1 +1299470395.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 83 +1299470395.000000 Reporter::INFO Modification time change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb] , line 1 +1299470395.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb] , line 1 +1299470395.000000 Reporter::INFO Failed to open MaxMind DB: .<...>/GeoLite2-City.mmdb [The MaxMind DB file contains invalid metadata] , line 1 +1299470395.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 84 +1299473995.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1 +1299473995.000000 Reporter::ERROR Failed to open GeoIP ASN database (lookup_autonomous_system(128.3.0.1)) <...>/temporary-error.zeek, line 83 +1299473995.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb] , line 1 +1299473995.000000 Reporter::ERROR Failed to open GeoIP location database (lookup_location(128.3.0.1)) <...>/temporary-error.zeek, line 84 +1299477595.000000 Reporter::INFO Inode change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1 +1299477595.000000 Reporter::INFO Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb] , line 1 +1299477595.000000 Reporter::INFO Inode change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb] , line 1 +1299477595.000000 Reporter::INFO Closing stale MaxMind 
DB [.<...>/GeoLite2-City.mmdb] , line 1 +1299477605.000000 Reporter::INFO received termination signal , line 1 diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 5e034ad760..f7ca106dc0 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -268,10 +268,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/base/frameworks/spicy/init-framework.zeek - scripts/base/misc/version.zeek - scripts/base/frameworks/reporter/__load__.zeek - scripts/base/frameworks/reporter/main.zeek - scripts/base/utils/strings.zeek build/scripts/builtin-plugins/__load__.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 6fe637462b..ce766b6a49 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -268,10 +268,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/base/frameworks/spicy/init-framework.zeek - scripts/base/misc/version.zeek - scripts/base/frameworks/reporter/__load__.zeek - scripts/base/frameworks/reporter/main.zeek - scripts/base/utils/strings.zeek scripts/base/init-default.zeek scripts/base/utils/active-http.zeek scripts/base/utils/exec.zeek 
@@ -279,6 +275,8 @@ scripts/base/init-default.zeek scripts/base/utils/backtrace.zeek scripts/base/utils/conn-ids.zeek scripts/base/utils/dir.zeek + scripts/base/frameworks/reporter/__load__.zeek + scripts/base/frameworks/reporter/main.zeek scripts/base/utils/paths.zeek scripts/base/utils/directions-and-hosts.zeek scripts/base/utils/email.zeek @@ -286,6 +284,7 @@ scripts/base/init-default.zeek scripts/base/utils/geoip-distance.zeek scripts/base/utils/numbers.zeek scripts/base/utils/queue.zeek + scripts/base/utils/strings.zeek scripts/base/utils/thresholds.zeek scripts/base/utils/time.zeek scripts/base/utils/urls.zeek @@ -349,6 +348,7 @@ scripts/base/init-default.zeek scripts/base/frameworks/netcontrol/non-cluster.zeek scripts/base/frameworks/telemetry/__load__.zeek scripts/base/frameworks/telemetry/main.zeek + scripts/base/misc/version.zeek scripts/base/frameworks/spicy/__load__.zeek scripts/base/frameworks/spicy/main.zeek scripts/base/protocols/conn/__load__.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 81579a72dd..899c0b9f53 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -47,7 +47,6 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=http, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=notice_alarm, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=notice, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, path=tunnel, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost 
CallFunction(Log::__create_stream, , (Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}])) -> @@ -60,7 +59,6 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::__enable_stream, , (Analyzer::Logging::LOG)) -> 
@@ -74,7 +72,6 @@ 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (HTTP::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Notice::ALARM_LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Notice::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Reporter::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Tunnel::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Weird::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Analyzer::Logging::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 
@@ -87,7 +84,6 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , 
(Analyzer::Logging::LOG, default)) -> @@ -100,7 +96,6 @@ 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (HTTP::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Notice::ALARM_LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Notice::LOG, default)) -> -0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Tunnel::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}])) -> @@ -113,7 +108,6 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) -> 0.000000 MetaHookPost CallFunction(Log::enable_stream, , (Analyzer::Logging::LOG)) -> 
@@ -325,7 +319,6 @@ 0.000000 MetaHookPost CallFunction(Site::update_private_address_space, , (Site::private_address_space, {64:ff9b:1::<...>/15,fc00::<...>/10,::/128,2002:ffff:ffff::/48,::1/128,2002:cb00:7100::<...>/4,2002:c633:6400::/40,2002:a00::/24,100::<...>/8,2001:2::/48,2002:c000:200::<...>/12,2002:f000::/20,2002:7f00::/24,2001::/23,2002:6440::/26,2002:c000::<...>/16,2002:ac10::/28,2002:a9fe::/32,2002:c612::<...>/16,2002::/24,fe80::/10,2001:db8::<...>/24,2002:c0a8::<...>/24})) -> 0.000000 MetaHookPost CallFunction(Supervisor::__is_supervisor, , ()) -> 0.000000 MetaHookPost CallFunction(Supervisor::is_supervisor, , ()) -> -0.000000 MetaHookPost CallFunction(Version::parse, ..., ...) -> 0.000000 MetaHookPost CallFunction(__init_primary_bifs, , ()) -> 0.000000 MetaHookPost CallFunction(__init_secondary_bifs, , ()) -> 0.000000 MetaHookPost CallFunction(disable_event_group, , (Analyzer::Logging::include_confirmations)) -> @@ -333,7 +326,6 @@ 0.000000 MetaHookPost CallFunction(getenv, , (CLUSTER_NODE)) -> 0.000000 MetaHookPost CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> 0.000000 MetaHookPost CallFunction(global_options, , ()) -> -0.000000 MetaHookPost CallFunction(gsub, ..., ...) -> 0.000000 MetaHookPost CallFunction(has_event_group, , (Analyzer::Logging)) -> 0.000000 MetaHookPost CallFunction(has_module_events, , (Analyzer::Logging)) -> 0.000000 MetaHookPost CallFunction(have_spicy, , ()) -> 
@@ -341,7 +333,6 @@ 0.000000 MetaHookPost CallFunction(is_packet_analyzer, , (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) -> 0.000000 MetaHookPost CallFunction(lambda_<15261139872714441626>, , (Analyzer::Logging::include_confirmations, F)) -> 0.000000 MetaHookPost CallFunction(lambda_<2645182068207650863>, , (Analyzer::Logging::enable, T)) -> -0.000000 MetaHookPost CallFunction(lstrip, ..., ...) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (2123/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (2152/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (3544/udp)) -> @@ -351,12 +342,9 @@ 0.000000 MetaHookPost CallFunction(port_to_count, , (6081/udp)) -> 0.000000 MetaHookPost CallFunction(reading_traces, , ()) -> 0.000000 MetaHookPost CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -> -0.000000 MetaHookPost CallFunction(split_string1, ..., ...) -> 0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -> -0.000000 MetaHookPost CallFunction(to_count, ..., ...) -> 0.000000 MetaHookPost CallFunction(zeek_init, , ()) -> -0.000000 MetaHookPost CallFunction(zeek_version, , ()) -> 0.000000 MetaHookPost DrainEvents() -> 0.000000 MetaHookPost LoadFile(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek) -> -1 
@@ -605,7 +593,6 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/ppp_serial, <...>/ppp_serial) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/pppoe, <...>/pppoe) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/removal-hooks, <...>/removal-hooks.zeek) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/reporter, <...>/reporter) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/reporter.bif, <...>/reporter.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/root, <...>/root) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/site, <...>/site.zeek) -> -1 @@ -623,7 +610,6 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/types.bif, <...>/types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/udp, <...>/udp) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/utils, <...>/utils.zeek) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/version, <...>/version.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/vlan, <...>/vlan) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/vntag, <...>/vntag) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/vxlan, <...>/vxlan) -> -1 @@ -892,7 +878,6 @@ 0.000000 MetaHookPost LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/pppoe, <...>/pppoe) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/removal-hooks, <...>/removal-hooks.zeek) -> (-1, ) -0.000000 MetaHookPost LoadFileExtended(0, base<...>/reporter, <...>/reporter) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/reporter.bif, <...>/reporter.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/root, <...>/root) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/site, <...>/site.zeek) -> (-1, ) 
@@ -910,7 +895,6 @@ 0.000000 MetaHookPost LoadFileExtended(0, base<...>/types.bif, <...>/types.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/udp, <...>/udp) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/utils, <...>/utils.zeek) -> (-1, ) -0.000000 MetaHookPost LoadFileExtended(0, base<...>/version, <...>/version.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/vlan, <...>/vlan) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/vntag, <...>/vntag) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/vxlan, <...>/vxlan) -> (-1, ) 
@@ -981,7 +965,6 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=http, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=notice_alarm, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=notice, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, path=tunnel, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre 
CallFunction(Log::__create_stream, , (Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}])) @@ -994,7 +977,6 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::__enable_stream, , (Analyzer::Logging::LOG)) 
@@ -1008,7 +990,6 @@ 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (HTTP::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Notice::ALARM_LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Notice::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Reporter::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Tunnel::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Weird::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Analyzer::Logging::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 
@@ -1021,7 +1002,6 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) -0.000000 MetaHookPre CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=])) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Analyzer::Logging::LOG, default)) 
@@ -1034,7 +1014,6 @@ 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (HTTP::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Notice::ALARM_LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Notice::LOG, default)) -0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Tunnel::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}])) @@ -1047,7 +1026,6 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}])) 0.000000 MetaHookPre CallFunction(Log::enable_stream, , (Analyzer::Logging::LOG)) 
@@ -1259,7 +1237,6 @@ 0.000000 MetaHookPre CallFunction(Site::update_private_address_space, , (Site::private_address_space, {64:ff9b:1::<...>/15,fc00::<...>/10,::/128,2002:ffff:ffff::/48,::1/128,2002:cb00:7100::<...>/4,2002:c633:6400::/40,2002:a00::/24,100::<...>/8,2001:2::/48,2002:c000:200::<...>/12,2002:f000::/20,2002:7f00::/24,2001::/23,2002:6440::/26,2002:c000::<...>/16,2002:ac10::/28,2002:a9fe::/32,2002:c612::<...>/16,2002::/24,fe80::/10,2001:db8::<...>/24,2002:c0a8::<...>/24})) 0.000000 MetaHookPre CallFunction(Supervisor::__is_supervisor, , ()) 0.000000 MetaHookPre CallFunction(Supervisor::is_supervisor, , ()) -0.000000 MetaHookPre CallFunction(Version::parse, ..., ...) 0.000000 MetaHookPre CallFunction(__init_primary_bifs, , ()) 0.000000 MetaHookPre CallFunction(__init_secondary_bifs, , ()) 0.000000 MetaHookPre CallFunction(disable_event_group, , (Analyzer::Logging::include_confirmations)) @@ -1267,7 +1244,6 @@ 0.000000 MetaHookPre CallFunction(getenv, , (CLUSTER_NODE)) 0.000000 MetaHookPre CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS)) 0.000000 MetaHookPre CallFunction(global_options, , ()) -0.000000 MetaHookPre CallFunction(gsub, ..., ...) 0.000000 MetaHookPre CallFunction(has_event_group, , (Analyzer::Logging)) 0.000000 MetaHookPre CallFunction(has_module_events, , (Analyzer::Logging)) 0.000000 MetaHookPre CallFunction(have_spicy, , ()) @@ -1275,7 +1251,6 @@ 0.000000 MetaHookPre CallFunction(is_packet_analyzer, , (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) 0.000000 MetaHookPre CallFunction(lambda_<15261139872714441626>, , (Analyzer::Logging::include_confirmations, F)) 0.000000 MetaHookPre CallFunction(lambda_<2645182068207650863>, , (Analyzer::Logging::enable, T)) -0.000000 MetaHookPre CallFunction(lstrip, ..., ...) 0.000000 MetaHookPre CallFunction(port_to_count, , (2123/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (2152/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (3544/udp)) 
@@ -1285,12 +1260,9 @@ 0.000000 MetaHookPre CallFunction(port_to_count, , (6081/udp)) 0.000000 MetaHookPre CallFunction(reading_traces, , ()) 0.000000 MetaHookPre CallFunction(set_to_regex, , ({}, (^\.?|\.)(~~)$)) -0.000000 MetaHookPre CallFunction(split_string1, ..., ...) 0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -0.000000 MetaHookPre CallFunction(to_count, ..., ...) 0.000000 MetaHookPre CallFunction(zeek_init, , ()) -0.000000 MetaHookPre CallFunction(zeek_version, , ()) 0.000000 MetaHookPre DrainEvents() 0.000000 MetaHookPre LoadFile(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek) @@ -1539,7 +1511,6 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/ppp_serial, <...>/ppp_serial) 0.000000 MetaHookPre LoadFile(0, base<...>/pppoe, <...>/pppoe) 0.000000 MetaHookPre LoadFile(0, base<...>/removal-hooks, <...>/removal-hooks.zeek) -0.000000 MetaHookPre LoadFile(0, base<...>/reporter, <...>/reporter) 0.000000 MetaHookPre LoadFile(0, base<...>/reporter.bif, <...>/reporter.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/root, <...>/root) 0.000000 MetaHookPre LoadFile(0, base<...>/site, <...>/site.zeek) @@ -1557,7 +1528,6 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/types.bif, <...>/types.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/udp, <...>/udp) 0.000000 MetaHookPre LoadFile(0, base<...>/utils, <...>/utils.zeek) -0.000000 MetaHookPre LoadFile(0, base<...>/version, <...>/version.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/vlan, <...>/vlan) 0.000000 MetaHookPre LoadFile(0, base<...>/vntag, <...>/vntag) 0.000000 MetaHookPre LoadFile(0, base<...>/vxlan, <...>/vxlan) 
@@ -1826,7 +1796,6 @@ 0.000000 MetaHookPre LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/pppoe, <...>/pppoe) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/removal-hooks, <...>/removal-hooks.zeek) -0.000000 MetaHookPre LoadFileExtended(0, base<...>/reporter, <...>/reporter) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/reporter.bif, <...>/reporter.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/root, <...>/root) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/site, <...>/site.zeek) @@ -1844,7 +1813,6 @@ 0.000000 MetaHookPre LoadFileExtended(0, base<...>/types.bif, <...>/types.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/udp, <...>/udp) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/utils, <...>/utils.zeek) -0.000000 MetaHookPre LoadFileExtended(0, base<...>/version, <...>/version.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/vlan, <...>/vlan) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/vntag, <...>/vntag) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/vxlan, <...>/vxlan) 
@@ -1914,7 +1882,6 @@ 0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=http, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=notice_alarm, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=notice, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) -0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, path=tunnel, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::__create_stream(Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=, 
path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}]) @@ -1927,7 +1894,6 @@ 0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}]) 0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}]) -0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::__create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::__enable_stream(Analyzer::Logging::LOG) @@ -1941,7 +1907,6 @@ 0.000000 | HookCallFunction Log::add_default_filter(HTTP::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Notice::ALARM_LOG) 0.000000 | HookCallFunction Log::add_default_filter(Notice::LOG) -0.000000 | HookCallFunction Log::add_default_filter(Reporter::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Tunnel::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Weird::LOG) 0.000000 | HookCallFunction Log::add_filter(Analyzer::Logging::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 
@@ -1954,7 +1919,6 @@ 0.000000 | HookCallFunction Log::add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) -0.000000 | HookCallFunction Log::add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=, config={}, policy=]) 0.000000 | HookCallFunction Log::add_stream_filters(Analyzer::Logging::LOG, default) 
@@ -1967,7 +1931,6 @@ 0.000000 | HookCallFunction Log::add_stream_filters(HTTP::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(Notice::ALARM_LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(Notice::LOG, default) -0.000000 | HookCallFunction Log::add_stream_filters(Reporter::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(Tunnel::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default) 0.000000 | HookCallFunction Log::create_stream(Analyzer::Logging::LOG, [columns=Analyzer::Logging::Info, ev=, path=analyzer, policy=Analyzer::Logging::log_policy, event_groups={Analyzer::Logging}]) @@ -1980,7 +1943,6 @@ 0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=, path=notice_alarm, policy=Notice::log_policy_alarm, event_groups={}]) 0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy, event_groups={}]) -0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=Reporter::Info, ev=, path=reporter, policy=Reporter::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=, path=tunnel, policy=Tunnel::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy, event_groups={}]) 0.000000 | HookCallFunction Log::enable_stream(Analyzer::Logging::LOG) 
@@ -2192,7 +2154,6 @@ 0.000000 | HookCallFunction Site::update_private_address_space(Site::private_address_space, {64:ff9b:1::<...>/15,fc00::<...>/10,::/128,2002:ffff:ffff::/48,::1/128,2002:cb00:7100::<...>/4,2002:c633:6400::/40,2002:a00::/24,100::<...>/8,2001:2::/48,2002:c000:200::<...>/12,2002:f000::/20,2002:7f00::/24,2001::/23,2002:6440::/26,2002:c000::<...>/16,2002:ac10::/28,2002:a9fe::/32,2002:c612::<...>/16,2002::/24,fe80::/10,2001:db8::<...>/24,2002:c0a8::<...>/24}) 0.000000 | HookCallFunction Supervisor::__is_supervisor() 0.000000 | HookCallFunction Supervisor::is_supervisor() -0.000000 | HookCallFunction Version::parse(...) 0.000000 | HookCallFunction __init_primary_bifs() 0.000000 | HookCallFunction __init_secondary_bifs() 0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_confirmations) @@ -2200,7 +2161,6 @@ 0.000000 | HookCallFunction getenv(CLUSTER_NODE) 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS) 0.000000 | HookCallFunction global_options() -0.000000 | HookCallFunction gsub(...) 0.000000 | HookCallFunction has_event_group(Analyzer::Logging) 0.000000 | HookCallFunction has_module_events(Analyzer::Logging) 0.000000 | HookCallFunction have_spicy() @@ -2208,7 +2168,6 @@ 0.000000 | HookCallFunction is_packet_analyzer(AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS) 0.000000 | HookCallFunction lambda_<15261139872714441626>(Analyzer::Logging::include_confirmations, F) 0.000000 | HookCallFunction lambda_<2645182068207650863>(Analyzer::Logging::enable, T) -0.000000 | HookCallFunction lstrip(...) 0.000000 | HookCallFunction port_to_count(2123/udp) 0.000000 | HookCallFunction port_to_count(2152/udp) 0.000000 | HookCallFunction port_to_count(3544/udp) 
@@ -2218,12 +2177,9 @@ 0.000000 | HookCallFunction port_to_count(6081/udp) 0.000000 | HookCallFunction reading_traces() 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$) -0.000000 | HookCallFunction split_string1(...) 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) -0.000000 | HookCallFunction to_count(...) 0.000000 | HookCallFunction zeek_init() -0.000000 | HookCallFunction zeek_version() 0.000000 | HookDrainEvents 0.000000 | HookLoadFile ./CPP-load.bif.zeek <...>/CPP-load.bif.zeek 0.000000 | HookLoadFile ./Zeek_ARP.events.bif.zeek <...>/Zeek_ARP.events.bif.zeek @@ -2484,7 +2440,6 @@ 0.000000 | HookLoadFile base<...>/ppp_serial <...>/ppp_serial 0.000000 | HookLoadFile base<...>/pppoe <...>/pppoe 0.000000 | HookLoadFile base<...>/removal-hooks <...>/removal-hooks.zeek -0.000000 | HookLoadFile base<...>/reporter <...>/reporter 0.000000 | HookLoadFile base<...>/reporter.bif <...>/reporter.bif.zeek 0.000000 | HookLoadFile base<...>/root <...>/root 0.000000 | HookLoadFile base<...>/site <...>/site.zeek @@ -2502,7 +2457,6 @@ 0.000000 | HookLoadFile base<...>/types.bif <...>/types.bif.zeek 0.000000 | HookLoadFile base<...>/udp <...>/udp 0.000000 | HookLoadFile base<...>/utils <...>/utils.zeek -0.000000 | HookLoadFile base<...>/version <...>/version.zeek 0.000000 | HookLoadFile base<...>/vlan <...>/vlan 0.000000 | HookLoadFile base<...>/vntag <...>/vntag 0.000000 | HookLoadFile base<...>/vxlan <...>/vxlan 
@@ -2771,7 +2725,6 @@ 0.000000 | HookLoadFileExtended base<...>/ppp_serial <...>/ppp_serial 0.000000 | HookLoadFileExtended base<...>/pppoe <...>/pppoe 0.000000 | HookLoadFileExtended base<...>/removal-hooks <...>/removal-hooks.zeek -0.000000 | HookLoadFileExtended base<...>/reporter <...>/reporter 0.000000 | HookLoadFileExtended base<...>/reporter.bif <...>/reporter.bif.zeek 0.000000 | HookLoadFileExtended base<...>/root <...>/root 0.000000 | HookLoadFileExtended base<...>/site <...>/site.zeek @@ -2789,7 +2742,6 @@ 0.000000 | HookLoadFileExtended base<...>/types.bif <...>/types.bif.zeek 0.000000 | HookLoadFileExtended base<...>/udp <...>/udp 0.000000 | HookLoadFileExtended base<...>/utils <...>/utils.zeek -0.000000 | HookLoadFileExtended base<...>/version <...>/version.zeek 0.000000 | HookLoadFileExtended base<...>/vlan <...>/vlan 0.000000 | HookLoadFileExtended base<...>/vntag <...>/vntag 0.000000 | HookLoadFileExtended base<...>/vxlan <...>/vxlan diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/.stderr b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/.stderr index 9422ad94ac..e97cb1bad7 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/.stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/.stderr @@ -1,3 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. XXXXXXXXXX.XXXXXX warning: non-void function returning without a value: add_extension -XXXXXXXXXX.XXXXXX warning: non-void function returning without a value: add_extension diff --git a/testing/btest/Files/mmdb/.gitignore b/testing/btest/Files/mmdb/.gitignore new file mode 100644 index 0000000000..b4daca1937 --- /dev/null +++ b/testing/btest/Files/mmdb/.gitignore @@ -0,0 +1 @@ +testmmdb 
diff --git a/testing/btest/Files/mmdb/GeoLite2-ASN.mmdb b/testing/btest/Files/mmdb/GeoLite2-ASN.mmdb
new file mode 100644
index 0000000000..65ade5917e
Binary files /dev/null and b/testing/btest/Files/mmdb/GeoLite2-ASN.mmdb differ
diff --git a/testing/btest/Files/mmdb/GeoLite2-City.mmdb b/testing/btest/Files/mmdb/GeoLite2-City.mmdb
new file mode 100644
index 0000000000..2f375e3bd6
Binary files /dev/null and b/testing/btest/Files/mmdb/GeoLite2-City.mmdb differ
diff --git a/testing/btest/Files/mmdb/README b/testing/btest/Files/mmdb/README
new file mode 100644
index 0000000000..269a36c045
--- /dev/null
+++ b/testing/btest/Files/mmdb/README
@@ -0,0 +1,13 @@
+These .mmdb databases were created with the mmdbwriter from MaxMind [1] for
+testing purposes. See the main.go file. They only contain information about
+LBL's network ranges:
+
+ 128.3.0.0/16
+ 131.243.0.0/16
+
+Rebuild with:
+
+ go build
+ ./testmmdb
+
+[1] https://github.com/maxmind/mmdbwriter
diff --git a/testing/btest/Files/mmdb/go.mod b/testing/btest/Files/mmdb/go.mod
new file mode 100644
index 0000000000..5aa1c9679c
--- /dev/null
+++ b/testing/btest/Files/mmdb/go.mod
@@ -0,0 +1,11 @@
+module testmmdb
+
+go 1.21.0
+
+require github.com/maxmind/mmdbwriter v1.0.0
+
+require (
+ github.com/oschwald/maxminddb-golang v1.12.0 // indirect
+ go4.org/netipx v0.0.0-20220812043211-3cc044ffd68d // indirect
+ golang.org/x/sys v0.10.0 // indirect
+)
diff --git a/testing/btest/Files/mmdb/go.sum b/testing/btest/Files/mmdb/go.sum
new file mode 100644
index 0000000000..a7e4aa9667
--- /dev/null
+++ b/testing/btest/Files/mmdb/go.sum
@@ -0,0 +1,16 @@ +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/maxmind/mmdbwriter v1.0.0 h1:bieL4P6yaYaHvbtLSwnKtEvScUKKD6jcKaLiTM3WSMw= +github.com/maxmind/mmdbwriter v1.0.0/go.mod h1:noBMCUtyN5PUQ4H8ikkOvGSHhzhLok51fON2hcrpKj8= +github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs= +github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +go4.org/netipx v0.0.0-20220812043211-3cc044ffd68d h1:ggxwEf5eu0l8v+87VhX1czFh8zJul3hK16Gmruxn7hw= +go4.org/netipx v0.0.0-20220812043211-3cc044ffd68d/go.mod h1:tgPU4N2u9RByaTN3NC2p9xOzyFpte4jYwsIIRF7XlSc= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/testing/btest/Files/mmdb/main.go b/testing/btest/Files/mmdb/main.go new file mode 100644 index 0000000000..ecad3ea8db --- /dev/null +++ b/testing/btest/Files/mmdb/main.go 
@@ -0,0 +1,71 @@
+// Create test MaxMind DB database files containing information about
+// just LBL's IPv4 ranges for testing.
+package main
+
+import (
+ "log"
+ "net"
+ "os"
+
+ "github.com/maxmind/mmdbwriter"
+ "github.com/maxmind/mmdbwriter/mmdbtype"
+)
+
+func writeDb(fname, name string, record mmdbtype.Map, nets ...*net.IPNet) {
+ writer, err := mmdbwriter.New(
+ mmdbwriter.Options{
+ DatabaseType: name,
+ },
+ )
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ for _, n := range nets {
+ if err = writer.Insert(n, record); err != nil {
+ log.Fatal(err)
+ }
+ }
+
+ fh, err := os.Create(fname)
+ if err != nil {
+ log.Fatal(err)
+ }
+ defer fh.Close()
+
+ _, err = writer.WriteTo(fh)
+ if err != nil {
+ log.Fatal(err)
+ }
+}
+
+func main() {
+ _, net1, _ := net.ParseCIDR("128.3.0.0/16")
+ _, net2, _ := net.ParseCIDR("131.243.0.0/16")
+
+ // The ASN record.
+ asn_record := mmdbtype.Map{}
+ asn_record["autonomous_system_number"] = mmdbtype.Uint32(16)
+ asn_record["autonomous_system_organization"] = mmdbtype.String("Lawrence Berkeley National Laboratory")
+ writeDb("GeoLite2-ASN.mmdb", "My-ASN-DB", asn_record, net1, net2)
+
+ // The Location record.
+ loc_record := mmdbtype.Map{
+ "country": mmdbtype.Map{
+ "iso_code": mmdbtype.String("US"),
+ "names": mmdbtype.Map{
+ "en": mmdbtype.String("United States"),
+ },
+ },
+ "location": mmdbtype.Map{
+ "latitude": mmdbtype.Float64(37.75100),
+ "longitude": mmdbtype.Float64(-97.822000),
+ },
+ "city": mmdbtype.Map{
+ "names": mmdbtype.Map{
+ "en": mmdbtype.String("Berkeley"),
+ },
+ },
+ }
+ writeDb("GeoLite2-City.mmdb", "My-City-DB", loc_record, net1, net2)
+}
diff --git a/testing/btest/core/mmdb/reopen.zeek b/testing/btest/core/mmdb/reopen.zeek
new file mode 100644
index 0000000000..d9c120c8dc
--- /dev/null
+++ b/testing/btest/core/mmdb/reopen.zeek
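Review bot: `defer fh.Close()` in writeDb discards the close error, so a write error that only surfaces at close would leave a truncated .mmdb on disk while the generator still exits 0; since the generated files are committed as fixtures and consumed by the new btests, that failure would be noticed only much later. Close explicitly after the write instead, `if err := fh.Close(); err != nil { log.Fatal(err) }`, and keep the defer only for the early log.Fatal paths if you want it. The ignored error returns of `net.ParseCIDR` in main are acceptable for literal constants, but a `log.Fatal` there costs one line each and keeps the file uniformly fail-fast. Minor style point: `asn_record` and `loc_record` are snake_case; Go convention is `asnRecord`/`locRecord`.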
@@ -0,0 +1,37 @@
+# @TEST-DOC: Change the modification time of the mmdb database on every packet. This triggers reopening of the MMDB database.
+#
+# @TEST-REQUIRES: grep -q "#define USE_GEOIP" $BUILD/zeek-config.h
+#
+# @TEST-EXEC: cp -R $FILES/mmdb ./mmdb
+# @TEST-EXEC: zeek -b -r $TRACES/rotation.trace %INPUT >out
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+# @TEST-EXEC: zeek-cut -m < reporter.log > reporter.log.tmp && mv reporter.log.tmp reporter.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff reporter.log
+
+@load base/frameworks/reporter
+
+redef mmdb_dir = "./mmdb";
+
+global pkt = 0;
+
+event new_packet(c: connection, p: pkt_hdr)
+ {
+ ++pkt;
+ # Set MMDB's modification time to current network time.
+ local asn_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-ASN.mmdb");
+ local city_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-City.mmdb");
+
+ if ( ! piped_exec(fmt("touch -d @%s %s", network_time(), asn_fn), "") )
+ exit(1);
+
+ if ( ! piped_exec(fmt("touch -d @%s %s", network_time(), city_fn), "") )
+ exit(1);
+
+ print network_time(), pkt, 128.3.0.1, "asn", lookup_autonomous_system(128.3.0.1);
+ print network_time(), pkt, 128.3.0.1, "location", lookup_location(128.3.0.1);
+ print network_time(), pkt, 131.243.0.1, "asn", lookup_autonomous_system(131.243.0.1);
+ print network_time(), pkt, 131.243.0.1, "location", lookup_location(131.243.0.1);
+
+ if ( pkt == 4 )
+ terminate();
+ }
diff --git a/testing/btest/core/mmdb/temporary-error.zeek b/testing/btest/core/mmdb/temporary-error.zeek
new file mode 100644
index 0000000000..0a5102535c
--- /dev/null
+++ b/testing/btest/core/mmdb/temporary-error.zeek
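Review bot: The two `touch -d @%s` invocations in new_packet depend on GNU touch's `@epoch` date syntax; BSD and macOS touch do not accept that form, so on those platforms the test presumably fails with `exit(1)` instead of being skipped (the `truncate --size=8` and `test -f … && touch -d @…` commands in temporary-error.zeek carry the same GNU-coreutils dependency). Add a `@TEST-REQUIRES:` line that probes the exact invocation on a scratch file so the tests are skipped where the tool is missing, or switch to a portable way of setting the mtime. Separately, the `@TEST-DOC` claims every packet triggers a reopen, which only holds if consecutive packets in rotation.trace are spaced further apart than the staleness-check interval; if that is the case, a one-line comment next to `++pkt;` saying so would make the baseline's expectations easier to verify.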
@@ -0,0 +1,85 @@
+# @TEST-DOC: Test a few error and recovery cases (corrupted, removed and restored MMDB databases).
+#
+# @TEST-REQUIRES: grep -q "#define USE_GEOIP" $BUILD/zeek-config.h
+#
+# @TEST-EXEC: cp -R $FILES/mmdb ./mmdb
+# @TEST-EXEC: cp -R $FILES/mmdb ./mmdb-backup
+# @TEST-EXEC: zeek -b -r $TRACES/rotation.trace %INPUT mmdb_dir=./mmdb >out
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+# @TEST-EXEC: zeek-cut -m < reporter.log > reporter.log.tmp && mv reporter.log.tmp reporter.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff reporter.log
+
+@load base/frameworks/reporter
+
+redef mmdb_dir = "./mmdb";
+
+global pkt = 0;
+
+event new_packet(c: connection, p: pkt_hdr)
+ {
+ ++pkt;
+
+ local asn_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-ASN.mmdb");
+ local city_fn = safe_shell_quote(mmdb_dir + "/GeoLite2-City.mmdb");
+
+ local asn_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-ASN.mmdb");
+ local city_fn_backup = safe_shell_quote(mmdb_dir + "-backup/GeoLite2-City.mmdb");
+
+ if ( pkt == 1 )
+ {
+ print "start";
+ }
+ if ( pkt == 2 )
+ {
+ print "corrupting db";
+ if ( ! piped_exec(fmt("truncate --size=8 %s", asn_fn), "") )
+ exit(1);
+
+ if ( ! piped_exec(fmt("truncate --size=8 %s", city_fn), "") )
+ exit(1);
+ }
+ else if ( pkt == 4 )
+ {
+ print "unlinking";
+ if ( ! piped_exec(fmt("rm %s", asn_fn), "") )
+ exit(1);
+
+ if ( ! piped_exec(fmt("rm %s", city_fn), "") )
+ exit(1);
+ }
+ else if ( pkt == 6 )
+ {
+ # This should provoke an inode change.
+ print "unlinking and restoring";
+ if ( ! piped_exec(fmt("mv %s %s.tmp; cp %s.tmp %s", asn_fn, asn_fn, asn_fn, asn_fn), "") )
+ exit(1);
+
+ if ( ! piped_exec(fmt("mv %s %s.tmp; cp %s.tmp %s", city_fn, city_fn, city_fn, city_fn), "") )
+ exit(1);
+ }
+ else if ( pkt == 7 )
+ {
+ print "done";
+ terminate();
+ return;
+ }
+ else if ( pkt == 3 || pkt == 5 )
+ {
+ print "restoring backup db";
+ if ( !
piped_exec(fmt("cp %s %s", asn_fn_backup, asn_fn), "") )
+ exit(1);
+
+ if ( ! piped_exec(fmt("cp %s %s", city_fn_backup, city_fn), "") )
+ exit(1);
+ }
+
+ # Set MMDB's modification time to current network time for predictability.
+ if ( ! piped_exec(fmt("test -f %s && touch -d @%s %s", asn_fn, network_time(), asn_fn), "") )
+ exit(1);
+
+ if ( ! piped_exec(fmt("test -f %s && touch -d @%s %s", city_fn, network_time(), city_fn), "") )
+ exit(1);
+
+ print network_time(), pkt, 128.3.0.1, "asn", lookup_autonomous_system(128.3.0.1);
+ print network_time(), pkt, 128.3.0.1, "location", lookup_location(128.3.0.1);
+ }
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek b/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek
index e547833052..87a2caecbc 100644
--- a/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek
@@ -1,4 +1,3 @@
-# @TEST-REQUIRES: $SCRIPTS/have-spicy
 # @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff .stderr
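Review bot: The `exit(1)` guards after every piped_exec in new_packet only fire when piped_exec itself returns false; if piped_exec reports the popen/write outcome rather than the child's exit status (which I believe it does, but confirm in zeek.bif), a failing `truncate`, `rm` or `cp` goes unnoticed and the test proceeds to diff an unmodified database against the baseline, which is a confusing way to fail. The guarded `test -f %s && touch -d @%s %s` after the pkt == 4 unlink is in fact only reachable because that non-zero status is ignored, so the guards and the command disagree about what a failure means. Either document that at the first guard, e.g. `# piped_exec does not surface the command's exit status; exit(1) here only catches a failed popen.`, or check the outcome explicitly. Separately, `truncate --size=8` and `touch -d @<epoch>` are GNU coreutils forms without BSD/macOS equivalents, so an additional `# @TEST-REQUIRES: command -v truncate` would skip rather than fail the test on those platforms.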
