From be609cff4135564e7c9a45902411735d8c1a88ff Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Wed, 3 Oct 2018 15:47:09 -0500
Subject: [PATCH 01/18] Increase broker unit test timeout intervals
---
 testing/btest/broker/connect-on-retry.bro | 2 +-
 testing/btest/broker/disconnect.bro | 4 ++--
 testing/btest/broker/remote_event.bro | 2 +-
 testing/btest/broker/remote_event_any.bro | 2 +-
 testing/btest/broker/remote_event_auto.bro | 2 +-
 testing/btest/broker/remote_event_ssl_auth.bro | 2 +-
 testing/btest/broker/remote_event_vector_any.bro | 2 +-
 testing/btest/broker/remote_id.bro | 2 +-
 testing/btest/broker/remote_log.bro | 2 +-
 testing/btest/broker/remote_log_late_join.bro | 2 +-
 testing/btest/broker/remote_log_types.bro | 2 +-
 testing/btest/broker/ssl_auth_failure.bro | 2 +-
 testing/btest/broker/store/clone.bro | 2 +-
 testing/btest/broker/unpeer.bro | 2 +-
 14 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/testing/btest/broker/connect-on-retry.bro b/testing/btest/broker/connect-on-retry.bro
index 13cb2d629a..200dc5abd6 100644
--- a/testing/btest/broker/connect-on-retry.bro
+++ b/testing/btest/broker/connect-on-retry.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
 #
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
diff --git a/testing/btest/broker/disconnect.bro b/testing/btest/broker/disconnect.bro
index 7eafe0b67f..3dd2dc45d4 100644
--- a/testing/btest/broker/disconnect.bro
+++ b/testing/btest/broker/disconnect.bro
@@ -3,10 +3,10 @@
 # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
-# @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat recv/.pid) 30 || (btest-bg-wait -k 1 && false)
+# @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat recv/.pid) 45 || (btest-bg-wait -k 1 && false)
 # @TEST-EXEC: btest-bg-run recv2 "bro -B broker -b ../recv.bro >recv2.out"
-# @TEST-EXEC: btest-bg-wait 30
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff send/send.out
 # @TEST-EXEC: btest-diff recv/recv.out
diff --git a/testing/btest/broker/remote_event.bro b/testing/btest/broker/remote_event.bro
index c5f072c16c..1cb6fbd1ae 100644
--- a/testing/btest/broker/remote_event.bro
+++ b/testing/btest/broker/remote_event.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
 #
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
diff --git a/testing/btest/broker/remote_event_any.bro b/testing/btest/broker/remote_event_any.bro
index 7053a8b4c7..a71261f889 100644
--- a/testing/btest/broker/remote_event_any.bro
+++ b/testing/btest/broker/remote_event_any.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
 #
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
diff --git a/testing/btest/broker/remote_event_auto.bro b/testing/btest/broker/remote_event_auto.bro
index c209d6dbe3..ec060b4cf5 100644
--- a/testing/btest/broker/remote_event_auto.bro
+++ b/testing/btest/broker/remote_event_auto.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
 #
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
diff --git a/testing/btest/broker/remote_event_ssl_auth.bro b/testing/btest/broker/remote_event_ssl_auth.bro
index 4a62ff2259..0c9335d803 100644
--- a/testing/btest/broker/remote_event_ssl_auth.bro
+++ b/testing/btest/broker/remote_event_ssl_auth.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
 #
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
diff --git a/testing/btest/broker/remote_event_vector_any.bro b/testing/btest/broker/remote_event_vector_any.bro
index ef79df7545..25ac8cf5a2 100644
--- a/testing/btest/broker/remote_event_vector_any.bro
+++ b/testing/btest/broker/remote_event_vector_any.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
 #
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 @TEST-START-FILE send.bro
diff --git a/testing/btest/broker/remote_id.bro b/testing/btest/broker/remote_id.bro
index 2748f4a061..11a13d8569 100644
--- a/testing/btest/broker/remote_id.bro
+++ b/testing/btest/broker/remote_id.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro test_var=newval >send.out"
 #
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 @TEST-START-FILE send.bro
diff --git a/testing/btest/broker/remote_log.bro b/testing/btest/broker/remote_log.bro
index 2b784bc5f2..0f20ab7542 100644
--- a/testing/btest/broker/remote_log.bro
+++ b/testing/btest/broker/remote_log.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff recv/test.log
 # @TEST-EXEC: btest-diff send/send.out
diff --git a/testing/btest/broker/remote_log_late_join.bro b/testing/btest/broker/remote_log_late_join.bro
index c8ca0285a1..8f2eae45b5 100644
--- a/testing/btest/broker/remote_log_late_join.bro
+++ b/testing/btest/broker/remote_log_late_join.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff recv/test.log
 # @TEST-EXEC: btest-diff send/send.out
diff --git a/testing/btest/broker/remote_log_types.bro b/testing/btest/broker/remote_log_types.bro
index 9f0a97acf0..b965e0928a 100644
--- a/testing/btest/broker/remote_log_types.bro
+++ b/testing/btest/broker/remote_log_types.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff recv/test.log
 # @TEST-EXEC: btest-diff send/send.out
diff --git a/testing/btest/broker/ssl_auth_failure.bro b/testing/btest/broker/ssl_auth_failure.bro
index 03b14aaab3..d78edd0ac3 100644
--- a/testing/btest/broker/ssl_auth_failure.bro
+++ b/testing/btest/broker/ssl_auth_failure.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
 #
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
diff --git a/testing/btest/broker/store/clone.bro b/testing/btest/broker/store/clone.bro
index 4f04189fe2..0865e55923 100644
--- a/testing/btest/broker/store/clone.bro
+++ b/testing/btest/broker/store/clone.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run clone "bro -B broker -b ../clone-main.bro >clone.out"
 # @TEST-EXEC: btest-bg-run master "bro -B broker -b ../master-main.bro >master.out"
 #
-# @TEST-EXEC: btest-bg-wait 25
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff clone/clone.out
 # @TEST-EXEC: btest-diff master/master.out
diff --git a/testing/btest/broker/unpeer.bro b/testing/btest/broker/unpeer.bro
index 541bc824d9..1165799488 100644
--- a/testing/btest/broker/unpeer.bro
+++ b/testing/btest/broker/unpeer.bro
@@ -3,7 +3,7 @@
 # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
 #
-# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
 #
From 894b24d180353d492409d0422c19ea6e71dd2d2d Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Wed, 3 Oct 2018 15:47:26 -0500
Subject: [PATCH 02/18] Improve broker.remote_id unit test
---
 CHANGES | 6 ++++++
 VERSION | 2 +-
 .../Baseline/broker.remote_id/recv.recv.out | 1 -
 testing/btest/broker/remote_id.bro | 17 ++++++++++++++---
 4 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/CHANGES b/CHANGES
index a251543ca1..376dc9ff49 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,10 @@ +2.6-beta2-20 | 2018-10-03 15:47:26 -0500 + + * Improve broker.remote_id unit test (Jon Siwek, Corelight) + + * Increase broker unit test timeout intervals (Jon Siwek, Corelight) + 2.6-beta2-18 | 2018-10-03 11:09:04 -0500 * Fix memory leak in broker type checking (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index b525750f18..ed3f24ec58 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-beta2-18 +2.6-beta2-20 diff --git a/testing/btest/Baseline/broker.remote_id/recv.recv.out b/testing/btest/Baseline/broker.remote_id/recv.recv.out index 4df78bcdd6..0ddc98f213 100644 --- a/testing/btest/Baseline/broker.remote_id/recv.recv.out +++ b/testing/btest/Baseline/broker.remote_id/recv.recv.out @@ -1,4 +1,3 @@ intial val, init peer added -peer lost updated val, newval diff --git a/testing/btest/broker/remote_id.bro b/testing/btest/broker/remote_id.bro index 11a13d8569..bf73e7e125 100644 --- a/testing/btest/broker/remote_id.bro +++ b/testing/btest/broker/remote_id.bro @@ -15,8 +15,9 @@ event bro_init() Broker::peer("127.0.0.1"); } -event die() +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { + print "peer lost"; terminate(); } @@ -24,7 +25,6 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { print "peer added"; Broker::publish_id("bro/ids/test", "test_var"); - schedule 1sec { die() }; } @TEST-END-FILE @@ -33,6 +33,17 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) const test_var = "init" &redef; +event check_var() + { + if ( test_var == "init" ) + schedule 0.1sec { check_var() }; + else + { + print "updated val", test_var; + terminate(); + } + } + event bro_init() { print "intial val", test_var; 
@@ -43,12 +54,12 @@ event bro_init() event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { print "peer added"; + schedule 1sec { check_var() }; } event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { print "peer lost"; - print "updated val", test_var; terminate(); } From 1be7ac509c664811101f444575044b73859804e9 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 4 Oct 2018 11:28:56 -0500 Subject: [PATCH 03/18] Add 'fallthrough' comment to a switch/case block --- src/iosource/Packet.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 3aa0e28b92..a5c2622ecf 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -284,6 +284,7 @@ void Packet::ProcessLayer2() } pdata += rtheader_len; + // fallthrough } case DLT_IEEE802_11: From 0350004f1ef6d63db32d6d771c74f496bcb93d6d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 4 Oct 2018 11:31:48 -0500 Subject: [PATCH 04/18] Add return value checks for some RPC parsing functions --- CHANGES | 6 ++ VERSION | 2 +- aux/broker | 2 +- src/analyzer/protocol/rpc/NFS.cc | 2 +- src/analyzer/protocol/rpc/RPC.cc | 25 ++++++++- .../.stdout | 4 +- .../scripts.base.protocols.nfs.basic/.stdout | 56 +++++++++---------- 7 files changed, 62 insertions(+), 35 deletions(-) diff --git a/CHANGES b/CHANGES index 376dc9ff49..da6f3457c9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.6-beta2-22 | 2018-10-04 11:31:48 -0500 + + * Add return value checks for some RPC parsing functions (Jon Siwek, Corelight) + + * Add 'fallthrough' comment to a switch/case block (Jon Siwek, Corelight) + 2.6-beta2-20 | 2018-10-03 15:47:26 -0500 * Improve broker.remote_id unit test (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index ed3f24ec58..40564de710 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-beta2-20 +2.6-beta2-22 diff --git a/aux/broker b/aux/broker index 5bc2184081..cb6a0c42e4 160000 --- a/aux/broker +++ b/aux/broker 
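Review bot: The added `// fallthrough` marker in `Packet::ProcessLayer2()` sits inside the block, before the closing `}`, rather than directly in front of `case DLT_IEEE802_11:`. Comment-based fallthrough checks generally expect the annotation immediately before the next label (GCC's `-Wimplicit-fallthrough` documentation says the comment must be followed, after whitespace or other comments, by `case` or `default`), so in this position it may not be recognised as an annotation. Moving it one line down, to `// fallthrough` on the line right above `case DLT_IEEE802_11:`, keeps the intent visible to both readers and the compiler. That matters in a link-layer parser, where an unintended fallthrough changes how the bytes at `pdata` are interpreted. The enclosing `switch` starts and ends outside this hunk.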
@@ -1 +1 @@ -Subproject commit 5bc2184081c3edc44398b15f92d67d4a85d0b44b +Subproject commit cb6a0c42e4d174bb14f06ab122f07ff75f9c218e diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 710282df96..322f593e86 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -311,7 +311,7 @@ StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offse data_n = min(data_n, size); data_n = min(data_n, int(BifConst::NFS3::return_data_max)); - if ( data_n > 0 ) + if ( data && data_n > 0 ) return new StringVal(new BroString(data, data_n, 0)); return 0; diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index 6ccd8008b8..74c93337d7 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -27,6 +27,7 @@ namespace { // local namespace RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double arg_start_time, double arg_last_time, int arg_rpc_len) { + v = nullptr; xid = arg_xid; start_time = arg_start_time; @@ -43,13 +44,35 @@ RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double ar cred_flavor = extract_XDR_uint32(buf, n); int cred_opaque_n, machinename_n; const u_char* cred_opaque = extract_XDR_opaque(buf, n, cred_opaque_n); + + if ( ! cred_opaque ) + { + buf = nullptr; + return; + } + stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n); + const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n); + + if ( ! tmp ) + { + buf = nullptr; + return; + } + machinename = std::string(reinterpret_cast(tmp), machinename_n); + uid = extract_XDR_uint32(cred_opaque, cred_opaque_n); gid = extract_XDR_uint32(cred_opaque, cred_opaque_n); size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n); + if ( number_of_gids > 64 ) + { + buf = nullptr; + return; + } + for ( auto i = 0u; i < number_of_gids; ++i ) auxgids.push_back(extract_XDR_uint32(cred_opaque, cred_opaque_n)); 
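Review bot: With the added `data &&` guard in `NFS_Interp::nfs3_file_data`, a failed extraction and a zero-length payload both end in `return 0;`, so a caller cannot tell truncated input from an empty read. If that is intended, document it at the check, for example `// data is null when the opaque could not be extracted; report no data`, and prefer `return nullptr;` to match the `nullptr` style this commit uses in RPC.cc. The lines that assign `data` and `data_n` are above the hunk, so how `data_n` behaves on a failed extraction is not visible here.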
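Review bot: The three new early `return`s in the `RPC_CallInfo` constructor skip every member that is assigned after the failing step. The last RPC.cc hunk shows `header_len = call_n - n;` and `valid_call = false;` only at the very end of the constructor, and `uid`/`gid` are likewise assigned after the first two returns. Unless the class declares in-class initializers (not visible in this diff), a caller that misses the `buf == nullptr` signal would read indeterminate values; moving `valid_call = false;` and a `header_len = 0;` up beside the new `v = nullptr;` closes that gap. The `64` limit on `number_of_gids` would read better as a named constant with a comment stating where the bound comes from. The `auxgids` loop also appears to push whatever `extract_XDR_uint32` returns without checking whether `cred_opaque` was exhausted, which presumably stores zeros for a short credential body. The constructor body begins above this hunk and ends in the next one.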
@@ -58,8 +81,6 @@ RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double ar header_len = call_n - n; valid_call = false; - - v = 0; } RPC_CallInfo::~RPC_CallInfo() diff --git a/testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout index b3e377595b..1b8a6a00c6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout 
@@ -1,2 +1,2 @@ -mount_proc_mnt: [id=[orig_h=10.111.131.18, orig_p=765/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=144, state=1, num_pkts=2, num_bytes_ip=200, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=84, state=1, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.621984, duration=0.000553, service={\x0a\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.62212, req_dur=0.0, req_len=96, rep_start=1514568131.622537, rep_dur=0.0, rep_len=52, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09[dirname=/pddevbal801]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, auth_flavors=[MOUNT3::AUTH_UNIX]]\x0a -mount_proc_umnt: [id=[orig_h=10.111.131.18, orig_p=1016/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=92, state=1, num_pkts=1, num_bytes_ip=120, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=24, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.665918, duration=0.000266, service={\x0a\x0a}, history=Dd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.665918, req_dur=0.0, req_len=84, rep_start=1514568131.666184, rep_dur=0.0, rep_len=16, rpc_uid=0, rpc_gid=0, rpc_stamp=1514568131, rpc_machine_name=pddevbal802, rpc_auxgids=[0]]\x0a\x09[dirname=/pddevbal801]\x0a +mount_proc_mnt: [id=[orig_h=10.111.131.18, orig_p=765/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=144, state=1, num_pkts=2, num_bytes_ip=200, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=84, state=1, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.621984, duration=0.000553, service={\x0a\x0a}, history=Dd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, 
inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.62212, req_dur=0.0, req_len=96, rep_start=1514568131.622537, rep_dur=0.0, rep_len=52, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09[dirname=/pddevbal801]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, auth_flavors=[MOUNT3::AUTH_UNIX]]\x0a +mount_proc_umnt: [id=[orig_h=10.111.131.18, orig_p=1016/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=92, state=1, num_pkts=1, num_bytes_ip=120, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=24, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.665918, duration=0.000266, service={\x0a\x0a}, history=Dd, uid=CtPZjS20MLrsMUOJi2, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.665918, req_dur=0.0, req_len=84, rep_start=1514568131.666184, rep_dur=0.0, rep_len=16, rpc_uid=0, rpc_gid=0, rpc_stamp=1514568131, rpc_machine_name=pddevbal802, rpc_auxgids=[0]]\x0a\x09[dirname=/pddevbal801]\x0a diff --git a/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout index f80d355e65..acfb498d5f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout 
@@ -1,28 +1,28 @@ -nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=160, state=4, num_pkts=5, num_bytes_ip=368, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=112, state=4, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.000529, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.623455, req_dur=0.0, req_len=104, rep_start=1514568131.623576, rep_dur=0.0, rep_len=72, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09NFS3::PROC_FSINFO\x0a -nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=276, state=4, num_pkts=6, num_bytes_ip=524, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=172, state=4, num_pkts=4, num_bytes_ip=280, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.000673, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.6236, req_dur=0.0, req_len=104, rep_start=1514568131.62372, rep_dur=0.0, rep_len=48, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09NFS3::PROC_PATHCONF\x0a -nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=508, state=4, num_pkts=8, num_bytes_ip=836, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=372, state=4, num_pkts=6, num_bytes_ip=536, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.001007, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, 
req_start=1514568131.623937, req_dur=0.0, req_len=104, rep_start=1514568131.624054, rep_dur=0.0, rep_len=72, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09NFS3::PROC_FSINFO\x0a -nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=744, state=4, num_pkts=10, num_bytes_ip=1152, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=612, state=4, num_pkts=8, num_bytes_ip=816, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.00556, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.628447, req_dur=0.0, req_len=108, rep_start=1514568131.628607, rep_dur=0.0, rep_len=112, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09NFS3::PROC_ACCESS\x0a -nfs_proc_mkdir: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=900, state=4, num_pkts=11, num_bytes_ip=1348, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=888, state=4, num_pkts=9, num_bytes_ip=980, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.006413, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.628646, req_dur=0.0, req_len=144, rep_start=1514568131.62946, rep_dur=0.0, rep_len=264, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, fname=bro-nfs]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, obj_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=6, used=0, rdev1=0, rdev2=0, 
fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387], dir_pre_attr=[size=4096, atime=1514568092.592619, mtime=1514568092.592619], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=16, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=128, atime=0.0, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a -nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1032, state=4, num_pkts=12, num_bytes_ip=1520, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1012, state=4, num_pkts=10, num_bytes_ip=1296, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.007316, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.630213, req_dur=0.0, req_len=120, rep_start=1514568131.630363, rep_dur=0.0, rep_len=112, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09NFS3::PROC_ACCESS\x0a -nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1172, state=4, num_pkts=13, num_bytes_ip=1700, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1132, state=4, num_pkts=11, num_bytes_ip=1460, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.007542, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.63039, req_dur=0.0, req_len=128, rep_start=1514568131.630589, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, 
fname=testfile]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a -nfs_proc_create: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1344, state=4, num_pkts=14, num_bytes_ip=1912, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1408, state=4, num_pkts=12, num_bytes_ip=1620, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.008344, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.63061, req_dur=0.0, req_len=160, rep_start=1514568131.631391, rep_dur=0.0, rep_len=264, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, obj_attr=[ftype=NFS3::FTYPE_REG, mode=33188, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387], dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a -nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1500, state=4, num_pkts=15, num_bytes_ip=2108, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1556, state=4, num_pkts=13, 
num_bytes_ip=1936, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.008933, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.63142, req_dur=0.0, req_len=144, rep_start=1514568131.63198, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=, uid=, gid=, size=, atime=NFS3::SET_TO_SERVER_TIME, mtime=NFS3::SET_TO_SERVER_TIME]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33188, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a -nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1660, state=4, num_pkts=16, num_bytes_ip=2308, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1704, state=4, num_pkts=14, num_bytes_ip=2124, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.010357, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.632743, req_dur=0.0, req_len=148, rep_start=1514568131.633404, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=448, uid=, gid=, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], 
dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33216, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.629387]]\x0a -nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1820, state=4, num_pkts=17, num_bytes_ip=2508, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1852, state=4, num_pkts=15, num_bytes_ip=2312, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.011929, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.634369, req_dur=0.0, req_len=148, rep_start=1514568131.634976, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=511, uid=, gid=, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.629387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.629387]]\x0a -nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1968, state=4, num_pkts=18, num_bytes_ip=2696, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1972, state=4, num_pkts=16, num_bytes_ip=2500, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.012799, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.635694, 
req_dur=0.0, req_len=136, rep_start=1514568131.635846, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a -nfs_proc_symlink: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2184, state=4, num_pkts=19, num_bytes_ip=2952, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2248, state=4, num_pkts=17, num_bytes_ip=2660, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.013431, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.635899, req_dur=0.0, req_len=204, rep_start=1514568131.636478, rep_dur=0.0, rep_len=264, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[link=[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink], symlinkdata=[symlink_attributes=[mode=511, uid=, gid=, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE], nfspath=/nfs/pddevbal801/bro-nfs/testfile]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xfa\xdf\xa3@\x00\x00\x00\x00\x135nf, obj_attr=[ftype=NFS3::FTYPE_LNK, mode=41471, nlink=1, uid=3125, gid=200, size=33, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481530, atime=1514568131.629387, mtime=1514568131.629387, ctime=1514568131.629387], dir_pre_attr=[size=0, atime=1514568131.625387, 
mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=44, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.629387, ctime=1514568131.629387]]\x0a -nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2348, state=4, num_pkts=20, num_bytes_ip=3156, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2396, state=4, num_pkts=18, num_bytes_ip=2976, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.015041, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.637343, req_dur=0.0, req_len=152, rep_start=1514568131.638088, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=, uid=3125, gid=10, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.629387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=1, uid=3125, gid=10, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.633387]]\x0a -nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2512, state=4, num_pkts=21, num_bytes_ip=3360, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2544, state=4, num_pkts=19, num_bytes_ip=3164, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.016413, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, 
req_start=1514568131.638929, req_dur=0.0, req_len=152, rep_start=1514568131.63946, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=, uid=3125, gid=200, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.633387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.633387]]\x0a -nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2668, state=4, num_pkts=22, num_bytes_ip=3556, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2664, state=4, num_pkts=20, num_bytes_ip=3352, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.017567, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.640452, req_dur=0.0, req_len=144, rep_start=1514568131.640614, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink.renamed]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=44, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.629387, ctime=1514568131.629387]]\x0a -nfs_proc_rename: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2880, state=4, num_pkts=23, 
num_bytes_ip=3808, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2928, state=4, num_pkts=21, num_bytes_ip=3512, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.018252, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.640669, req_dur=0.0, req_len=200, rep_start=1514568131.641299, rep_dur=0.0, rep_len=252, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[src_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, src_fname=testfile-symlink, dst_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, dst_fname=testfile-symlink.renamed]\x0a\x09[src_dir_pre_attr=[size=0, atime=1514568131.629387, mtime=1514568131.629387], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=52, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387], dst_dir_pre_attr=[size=0, atime=1514568131.629387, mtime=1514568131.629387], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=52, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387]]\x0a -nfs_proc_readlink: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3136, state=4, num_pkts=25, num_bytes_ip=4144, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3204, state=4, num_pkts=23, num_bytes_ip=3972, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.019333, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, 
req_start=1514568131.64222, req_dur=0.0, req_len=116, rep_start=1514568131.64238, rep_dur=0.0, rep_len=148, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xfa\xdf\xa3@\x00\x00\x00\x00\x135nf\x0a\x09[attr=[ftype=NFS3::FTYPE_LNK, mode=41471, nlink=1, uid=3125, gid=200, size=33, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481530, atime=1514568131.629387, mtime=1514568131.629387, ctime=1514568131.637387], nfspath=/nfs/pddevbal801/bro-nfs/testfile]\x0a -nfs_proc_remove: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3292, state=4, num_pkts=26, num_bytes_ip=4340, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3352, state=4, num_pkts=24, num_bytes_ip=4172, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.020916, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.643131, req_dur=0.0, req_len=144, rep_start=1514568131.643963, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink.renamed]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.637387, mtime=1514568131.637387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387]]\x0a -nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3440, state=4, num_pkts=27, num_bytes_ip=4528, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3472, 
state=4, num_pkts=25, num_bytes_ip=4360, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.021753, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.644663, req_dur=0.0, req_len=136, rep_start=1514568131.6448, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-link]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387]]\x0a -nfs_proc_link: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3624, state=4, num_pkts=28, num_bytes_ip=4752, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3708, state=4, num_pkts=26, num_bytes_ip=4520, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.022398, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.644833, req_dur=0.0, req_len=172, rep_start=1514568131.645445, rep_dur=0.0, rep_len=224, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, link=[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-link]]\x0a\x09[post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=2, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, 
atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.641387], preattr=[size=0, atime=1514568131.637387, mtime=1514568131.637387], postattr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=41, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387]]\x0a -nfs_proc_readdir: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3904, state=4, num_pkts=30, num_bytes_ip=5112, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=4588, state=4, num_pkts=28, num_bytes_ip=4952, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.023841, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.646733, req_dur=0.0, req_len=140, rep_start=1514568131.646888, rep_dur=0.0, rep_len=752, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[isplus=T, dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, cookie=0, cookieverf=0, dircount=512, maxcount=4096]\x0a\x09[isplus=T, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=41, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387], cookieverf=0, entries=[, [fileid=1084481527, fname=., cookie=4, attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=41, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387], fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf], [fileid=128, fname=.., cookie=6, attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=16, uid=0, gid=0, 
size=4096, used=4096, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=128, atime=0.0, mtime=1514568131.625387, ctime=1514568131.625387], fh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2], [fileid=1084481529, fname=testfile, cookie=9, attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=2, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.641387], fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf], [fileid=1084481529, fname=testfile-link, cookie=512, attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=2, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.641387], fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf]], eof=T]\x0a -nfs_proc_remove: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4052, state=4, num_pkts=31, num_bytes_ip=5300, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=4736, state=4, num_pkts=29, num_bytes_ip=5756, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.025477, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.647753, req_dur=0.0, req_len=136, rep_start=1514568131.648524, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-link]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.641387, mtime=1514568131.641387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, 
rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387]]\x0a -nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4200, state=4, num_pkts=32, num_bytes_ip=5488, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=4856, state=4, num_pkts=30, num_bytes_ip=5944, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.026817, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.649721, req_dur=0.0, req_len=136, rep_start=1514568131.649864, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile.renamed]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387]]\x0a -nfs_proc_rename: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4524, state=4, num_pkts=34, num_bytes_ip=5892, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5236, state=4, num_pkts=32, num_bytes_ip=6260, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.027593, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.65007, req_dur=0.0, req_len=184, rep_start=1514568131.65064, rep_dur=0.0, rep_len=252, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 
200]]\x0a\x09[src_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, src_fname=testfile, dst_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, dst_fname=testfile.renamed]\x0a\x09[src_dir_pre_attr=[size=0, atime=1514568131.641387, mtime=1514568131.641387], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=29, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.645387, ctime=1514568131.645387], dst_dir_pre_attr=[size=0, atime=1514568131.641387, mtime=1514568131.641387], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=29, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.645387, ctime=1514568131.645387]]\x0a -nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4784, state=4, num_pkts=36, num_bytes_ip=6232, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5476, state=4, num_pkts=34, num_bytes_ip=6720, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.028734, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.651603, req_dur=0.0, req_len=120, rep_start=1514568131.651781, rep_dur=0.0, rep_len=112, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09NFS3::PROC_ACCESS\x0a -nfs_proc_remove: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4932, state=4, num_pkts=37, num_bytes_ip=6420, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5624, state=4, num_pkts=35, num_bytes_ip=6884, flow_label=0, l2_addr=00:50:56:b2:78:69], 
start_time=1514568131.623047, duration=0.029354, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.651806, req_dur=0.0, req_len=136, rep_start=1514568131.652401, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile.renamed]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.645387, mtime=1514568131.645387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.645387, ctime=1514568131.645387]]\x0a -nfs_proc_rmdir: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=5060, state=4, num_pkts=38, num_bytes_ip=6588, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5772, state=4, num_pkts=36, num_bytes_ip=7072, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.030704, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.653118, req_dur=0.0, req_len=116, rep_start=1514568131.653751, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, fname=bro-nfs]\x0a\x09[dir_pre_attr=[size=4096, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=15, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=128, atime=0.0, mtime=1514568131.649387, ctime=1514568131.649387]]\x0a +nfs_proc_not_implemented: 
[id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=160, state=4, num_pkts=5, num_bytes_ip=368, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=112, state=4, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.000529, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.623455, req_dur=0.0, req_len=104, rep_start=1514568131.623576, rep_dur=0.0, rep_len=72, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09NFS3::PROC_FSINFO\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=276, state=4, num_pkts=6, num_bytes_ip=524, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=172, state=4, num_pkts=4, num_bytes_ip=280, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.000673, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.6236, req_dur=0.0, req_len=104, rep_start=1514568131.62372, rep_dur=0.0, rep_len=48, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09NFS3::PROC_PATHCONF\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=508, state=4, num_pkts=8, num_bytes_ip=836, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=372, state=4, num_pkts=6, num_bytes_ip=536, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.001007, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.623937, req_dur=0.0, 
req_len=104, rep_start=1514568131.624054, rep_dur=0.0, rep_len=72, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09NFS3::PROC_FSINFO\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=744, state=4, num_pkts=10, num_bytes_ip=1152, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=612, state=4, num_pkts=8, num_bytes_ip=816, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.00556, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.628447, req_dur=0.0, req_len=108, rep_start=1514568131.628607, rep_dur=0.0, rep_len=112, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09NFS3::PROC_ACCESS\x0a +nfs_proc_mkdir: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=900, state=4, num_pkts=11, num_bytes_ip=1348, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=888, state=4, num_pkts=9, num_bytes_ip=980, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.006413, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.628646, req_dur=0.0, req_len=144, rep_start=1514568131.62946, rep_dur=0.0, rep_len=264, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, fname=bro-nfs]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, obj_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, 
fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387], dir_pre_attr=[size=4096, atime=1514568092.592619, mtime=1514568092.592619], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=16, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=128, atime=0.0, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1032, state=4, num_pkts=12, num_bytes_ip=1520, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1012, state=4, num_pkts=10, num_bytes_ip=1296, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.007316, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.630213, req_dur=0.0, req_len=120, rep_start=1514568131.630363, rep_dur=0.0, rep_len=112, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09NFS3::PROC_ACCESS\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1172, state=4, num_pkts=13, num_bytes_ip=1700, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1132, state=4, num_pkts=11, num_bytes_ip=1460, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.007542, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.63039, req_dur=0.0, req_len=128, rep_start=1514568131.630589, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile]\x0a\x09[fh=, 
obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_create: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1344, state=4, num_pkts=14, num_bytes_ip=1912, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1408, state=4, num_pkts=12, num_bytes_ip=1620, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.008344, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.63061, req_dur=0.0, req_len=160, rep_start=1514568131.631391, rep_dur=0.0, rep_len=264, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, obj_attr=[ftype=NFS3::FTYPE_REG, mode=33188, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387], dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1500, state=4, num_pkts=15, num_bytes_ip=2108, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1556, state=4, num_pkts=13, num_bytes_ip=1936, 
flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.008933, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.63142, req_dur=0.0, req_len=144, rep_start=1514568131.63198, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=, uid=, gid=, size=, atime=NFS3::SET_TO_SERVER_TIME, mtime=NFS3::SET_TO_SERVER_TIME]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33188, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1660, state=4, num_pkts=16, num_bytes_ip=2308, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1704, state=4, num_pkts=14, num_bytes_ip=2124, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.010357, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.632743, req_dur=0.0, req_len=148, rep_start=1514568131.633404, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=448, uid=, gid=, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], 
dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33216, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.629387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1820, state=4, num_pkts=17, num_bytes_ip=2508, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1852, state=4, num_pkts=15, num_bytes_ip=2312, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.011929, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.634369, req_dur=0.0, req_len=148, rep_start=1514568131.634976, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=511, uid=, gid=, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.629387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.629387]]\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1968, state=4, num_pkts=18, num_bytes_ip=2696, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1972, state=4, num_pkts=16, num_bytes_ip=2500, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.012799, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, 
req_start=1514568131.635694, req_dur=0.0, req_len=136, rep_start=1514568131.635846, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_symlink: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2184, state=4, num_pkts=19, num_bytes_ip=2952, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2248, state=4, num_pkts=17, num_bytes_ip=2660, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.013431, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.635899, req_dur=0.0, req_len=204, rep_start=1514568131.636478, rep_dur=0.0, rep_len=264, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[link=[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink], symlinkdata=[symlink_attributes=[mode=511, uid=, gid=, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE], nfspath=/nfs/pddevbal801/bro-nfs/testfile]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xfa\xdf\xa3@\x00\x00\x00\x00\x135nf, obj_attr=[ftype=NFS3::FTYPE_LNK, mode=41471, nlink=1, uid=3125, gid=200, size=33, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481530, atime=1514568131.629387, mtime=1514568131.629387, ctime=1514568131.629387], dir_pre_attr=[size=0, 
atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=44, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.629387, ctime=1514568131.629387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2348, state=4, num_pkts=20, num_bytes_ip=3156, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2396, state=4, num_pkts=18, num_bytes_ip=2976, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.015041, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.637343, req_dur=0.0, req_len=152, rep_start=1514568131.638088, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=, uid=3125, gid=10, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.629387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=1, uid=3125, gid=10, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.633387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2512, state=4, num_pkts=21, num_bytes_ip=3360, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2544, state=4, num_pkts=19, num_bytes_ip=3164, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.016413, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, 
nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.638929, req_dur=0.0, req_len=152, rep_start=1514568131.63946, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=, uid=3125, gid=200, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.633387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.633387]]\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2668, state=4, num_pkts=22, num_bytes_ip=3556, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2664, state=4, num_pkts=20, num_bytes_ip=3352, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.017567, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.640452, req_dur=0.0, req_len=144, rep_start=1514568131.640614, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink.renamed]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=44, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.629387, ctime=1514568131.629387]]\x0a +nfs_proc_rename: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], 
orig=[size=2880, state=4, num_pkts=23, num_bytes_ip=3808, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2928, state=4, num_pkts=21, num_bytes_ip=3512, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.018252, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.640669, req_dur=0.0, req_len=200, rep_start=1514568131.641299, rep_dur=0.0, rep_len=252, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[src_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, src_fname=testfile-symlink, dst_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, dst_fname=testfile-symlink.renamed]\x0a\x09[src_dir_pre_attr=[size=0, atime=1514568131.629387, mtime=1514568131.629387], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=52, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387], dst_dir_pre_attr=[size=0, atime=1514568131.629387, mtime=1514568131.629387], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=52, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387]]\x0a +nfs_proc_readlink: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3136, state=4, num_pkts=25, num_bytes_ip=4144, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3204, state=4, num_pkts=23, num_bytes_ip=3972, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.019333, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, 
inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.64222, req_dur=0.0, req_len=116, rep_start=1514568131.64238, rep_dur=0.0, rep_len=148, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xfa\xdf\xa3@\x00\x00\x00\x00\x135nf\x0a\x09[attr=[ftype=NFS3::FTYPE_LNK, mode=41471, nlink=1, uid=3125, gid=200, size=33, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481530, atime=1514568131.629387, mtime=1514568131.629387, ctime=1514568131.637387], nfspath=/nfs/pddevbal801/bro-nfs/testfile]\x0a +nfs_proc_remove: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3292, state=4, num_pkts=26, num_bytes_ip=4340, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3352, state=4, num_pkts=24, num_bytes_ip=4172, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.020916, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.643131, req_dur=0.0, req_len=144, rep_start=1514568131.643963, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink.renamed]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.637387, mtime=1514568131.637387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387]]\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3440, state=4, num_pkts=27, 
num_bytes_ip=4528, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3472, state=4, num_pkts=25, num_bytes_ip=4360, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.021753, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.644663, req_dur=0.0, req_len=136, rep_start=1514568131.6448, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-link]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387]]\x0a +nfs_proc_link: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3624, state=4, num_pkts=28, num_bytes_ip=4752, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3708, state=4, num_pkts=26, num_bytes_ip=4520, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.022398, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.644833, req_dur=0.0, req_len=172, rep_start=1514568131.645445, rep_dur=0.0, rep_len=224, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, link=[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-link]]\x0a\x09[post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=2, uid=3125, gid=200, 
size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.641387], preattr=[size=0, atime=1514568131.637387, mtime=1514568131.637387], postattr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=41, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387]]\x0a +nfs_proc_readdir: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3904, state=4, num_pkts=30, num_bytes_ip=5112, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=4588, state=4, num_pkts=28, num_bytes_ip=4952, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.023841, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.646733, req_dur=0.0, req_len=140, rep_start=1514568131.646888, rep_dur=0.0, rep_len=752, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[isplus=T, dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, cookie=0, cookieverf=0, dircount=512, maxcount=4096]\x0a\x09[isplus=T, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=41, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387], cookieverf=0, entries=[, [fileid=1084481527, fname=., cookie=4, attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=41, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387], fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf], [fileid=128, 
fname=.., cookie=6, attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=16, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=128, atime=0.0, mtime=1514568131.625387, ctime=1514568131.625387], fh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2], [fileid=1084481529, fname=testfile, cookie=9, attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=2, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.641387], fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf], [fileid=1084481529, fname=testfile-link, cookie=512, attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=2, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.641387], fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf]], eof=T]\x0a +nfs_proc_remove: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4052, state=4, num_pkts=31, num_bytes_ip=5300, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=4736, state=4, num_pkts=29, num_bytes_ip=5756, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.025477, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.647753, req_dur=0.0, req_len=136, rep_start=1514568131.648524, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-link]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.641387, mtime=1514568131.641387], 
dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387]]\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4200, state=4, num_pkts=32, num_bytes_ip=5488, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=4856, state=4, num_pkts=30, num_bytes_ip=5944, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.026817, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.649721, req_dur=0.0, req_len=136, rep_start=1514568131.649864, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile.renamed]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387]]\x0a +nfs_proc_rename: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4524, state=4, num_pkts=34, num_bytes_ip=5892, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5236, state=4, num_pkts=32, num_bytes_ip=6260, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.027593, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.65007, req_dur=0.0, req_len=184, rep_start=1514568131.65064, rep_dur=0.0, rep_len=252, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, 
rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[src_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, src_fname=testfile, dst_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, dst_fname=testfile.renamed]\x0a\x09[src_dir_pre_attr=[size=0, atime=1514568131.641387, mtime=1514568131.641387], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=29, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.645387, ctime=1514568131.645387], dst_dir_pre_attr=[size=0, atime=1514568131.641387, mtime=1514568131.641387], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=29, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.645387, ctime=1514568131.645387]]\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4784, state=4, num_pkts=36, num_bytes_ip=6232, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5476, state=4, num_pkts=34, num_bytes_ip=6720, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.028734, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.651603, req_dur=0.0, req_len=120, rep_start=1514568131.651781, rep_dur=0.0, rep_len=112, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09NFS3::PROC_ACCESS\x0a +nfs_proc_remove: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4932, state=4, num_pkts=37, num_bytes_ip=6420, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5624, state=4, num_pkts=35, num_bytes_ip=6884, flow_label=0, 
l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.029354, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.651806, req_dur=0.0, req_len=136, rep_start=1514568131.652401, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile.renamed]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.645387, mtime=1514568131.645387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.645387, ctime=1514568131.645387]]\x0a +nfs_proc_rmdir: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=5060, state=4, num_pkts=38, num_bytes_ip=6588, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5772, state=4, num_pkts=36, num_bytes_ip=7072, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.030704, service={\x0a\x0a}, history=ShADad, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.653118, req_dur=0.0, req_len=116, rep_start=1514568131.653751, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, fname=bro-nfs]\x0a\x09[dir_pre_attr=[size=4096, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=15, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=128, atime=0.0, mtime=1514568131.649387, ctime=1514568131.649387]]\x0a 
From 0dfc79c64db838762524999a33c64ea008a5f411 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 5 Oct 2018 11:43:06 -0500 Subject: [PATCH 05/18] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index cb6a0c42e4..a843bfab04 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit cb6a0c42e4d174bb14f06ab122f07ff75f9c218e +Subproject commit a843bfab047999386c6268a47bb2f6969b7bbaf7 From 0f550806252b46d3e13be24cd2ab4bb8a63bf49b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 5 Oct 2018 14:24:34 -0500 Subject: [PATCH 06/18] GH-184: add `bro-config --build_type`, outputs CMake build type --- CHANGES | 4 ++++ CMakeLists.txt | 1 + VERSION | 2 +- aux/bro-aux | 2 +- bro-config.in | 6 +++++- 5 files changed, 12 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index da6f3457c9..6641588884 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-beta2-24 | 2018-10-05 14:24:34 -0500 + + * GH-184: add `bro-config --build_type`, outputs CMake build type (Jon Siwek, Corelight) + 2.6-beta2-22 | 2018-10-04 11:31:48 -0500 * Add return value checks for some RPC parsing functions (Jon Siwek, Corelight) diff --git a/CMakeLists.txt b/CMakeLists.txt index 80e3d5049a..7353ff9c3b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -230,6 +230,7 @@ if ( NOT BINARY_PACKAGING_MODE ) set(BRO_DIST ${CMAKE_SOURCE_DIR}) endif () +string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER) configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h) include_directories(${CMAKE_CURRENT_BINARY_DIR}) diff --git a/VERSION b/VERSION index 40564de710..ffa82dd240 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-beta2-22 +2.6-beta2-24 diff --git a/aux/bro-aux b/aux/bro-aux index cdc9303cf4..4aceb3d1ef 160000 --- a/aux/bro-aux +++ b/aux/bro-aux 
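Review bot: `${CMAKE_BUILD_TYPE}` is expanded unquoted in the added `string(TOLOWER ...)` line of CMakeLists.txt, so an empty or unset build type leaves the command one argument short and configuration stops with an error. Quoting the expansion keeps the call well-formed: `string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE_LOWER)`. Whether a default build type is always set before this line cannot be seen from the hunk. If it is not, `bro-config --build_type` would print an empty line, which the usage text in bro-config.in should mention.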
@@ -1 +1 @@ -Subproject commit cdc9303cf497ad0b0cbbe3af8f17ec3628953d0b +Subproject commit 4aceb3d1ef14d14fae1ee86ae4ba17647293a902 diff --git a/bro-config.in b/bro-config.in index be9ee551b3..9228271394 100755 --- a/bro-config.in +++ b/bro-config.in @@ -1,6 +1,7 @@ #!/bin/sh version=@VERSION@ +build_type=@CMAKE_BUILD_TYPE_LOWER@ prefix=@CMAKE_INSTALL_PREFIX@ script_dir=@BRO_SCRIPT_INSTALL_PATH@ site_dir=@BRO_SCRIPT_INSTALL_PATH@/site @@ -16,7 +17,7 @@ caf_root=@BRO_CONFIG_CAF_ROOT_DIR@ broker_root=@BRO_CONFIG_BROKER_ROOT_DIR@ usage="\ -Usage: bro-config [--version] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--bropath] [--bro_dist] [--binpac_root] [--caf_root] [--broker_root]" +Usage: bro-config [--version] [--build_type] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--bropath] [--bro_dist] [--binpac_root] [--caf_root] [--broker_root]" if [ $# -eq 0 ] ; then echo "${usage}" 1>&2 @@ -36,6 +37,9 @@ while [ $# -ne 0 ]; do --prefix) echo $prefix ;; + --build_type) + echo $build_type + ;; --script_dir) echo $script_dir ;; From 005bf5b6a4a4c6438bfab389b1ef207be921fb71 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 9 Oct 2018 16:33:26 -0700 Subject: [PATCH 07/18] Convert site::local_nets, etc. into options. These are probably some of the most desired options to be dynamically changeable; since they only are accessed in script-land there should not be any problems with them changing on the fly. --- scripts/base/utils/site.bro | 14 ++++----- testing/btest/Baseline/plugins.hooks/output | 32 ++++++++++++++++----- 2 files changed, 32 insertions(+), 14 deletions(-) diff --git a/scripts/base/utils/site.bro b/scripts/base/utils/site.bro index f90da4cdf2..696f091410 100644 --- a/scripts/base/utils/site.bro +++ b/scripts/base/utils/site.bro 
@@ -7,7 +7,7 @@ module Site; export { ## Address space that is considered private and unrouted. ## By default it has RFC defined non-routable IPv4 address space. - const private_address_space: set[subnet] = { + option private_address_space: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, @@ -15,11 +15,11 @@ export { 127.0.0.0/8, [fe80::]/10, [::1]/128, - } &redef; + }; ## Networks that are considered "local". Note that BroControl sets ## this automatically. - const local_nets: set[subnet] &redef; + option local_nets: set[subnet] = {}; ## This is used for retrieving the subnet when using multiple entries in ## :bro:id:`Site::local_nets`. It's populated automatically from there. @@ -29,19 +29,19 @@ export { global local_nets_table: table[subnet] of subnet = {}; ## Networks that are considered "neighbors". - const neighbor_nets: set[subnet] &redef; + option neighbor_nets: set[subnet] = {}; ## If local network administrators are known and they have responsibility ## for defined address space, then a mapping can be defined here between ## networks for which they have responsibility and a set of email ## addresses. - const local_admins: table[subnet] of set[string] = {} &redef; + option local_admins: table[subnet] of set[string] = {}; ## DNS zones that are considered "local". - const local_zones: set[string] &redef; + option local_zones: set[string] = {}; ## DNS zones that are considered "neighbors". - const neighbor_zones: set[string] &redef; + option neighbor_zones: set[string] = {}; ## Function that returns true if an address corresponds to one of ## the local networks, false if not. diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 9ab4580aa6..87927520d8 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
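Review bot: Turning `Site::local_nets` into an `option` in the second site.bro hunk lets it change at runtime, but the context lines describe `local_nets_table` as "populated automatically from there" and nothing in these hunks refreshes it after a change. If that table is filled once at startup (the code is outside the hunk, so this is inferred), lookups through it would keep answering from the old networks while `Site::local_nets` already holds the new ones, and local/remote classification would differ between scripts. A change handler registered with `Option::set_change_handler("Site::local_nets", ...)` that rebuilds the table would keep the two in step; the same question applies to any state derived from `local_zones` and `neighbor_zones` in the third hunk. Because these sets decide what counts as local, a `##` comment on each option saying that it may now change while running would also help script authors who cache the value.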
@@ -274,7 +274,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -459,7 +459,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -513,6 +513,12 @@ 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (SSL::disable_analyzer_after_detection, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Signatures::ignored_ids, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Signatures::summary_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Site::local_admins, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Site::local_nets, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, 
$old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Site::local_zones, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Site::neighbor_nets, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Site::neighbor_zones, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Site::private_address_space, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, 
Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Software::asset_tracking, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::ignore_hosts, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Weird::sampling_duration, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 
@@ -1160,7 +1166,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1345,7 +1351,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1399,6 +1405,12 @@ 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (SSL::disable_analyzer_after_detection, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Signatures::ignored_ids, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Signatures::summary_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Site::local_admins, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Site::local_nets, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, 
$old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Site::local_zones, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Site::neighbor_nets, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Site::neighbor_zones, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Site::private_address_space, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return 
(Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Software::asset_tracking, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::ignore_hosts, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Weird::sampling_duration, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 
@@ -2045,7 +2057,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2230,7 +2242,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1536179603.81225, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2284,6 +2296,12 @@ 0.000000 | HookCallFunction Option::set_change_handler(SSL::disable_analyzer_after_detection, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(Signatures::ignored_ids, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(Signatures::summary_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Site::local_admins, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Site::local_nets, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), 
$new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Site::local_zones, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Site::neighbor_nets, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Site::neighbor_zones, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(Site::private_address_space, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(Software::asset_tracking, 
Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(Weird::ignore_hosts, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_duration, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) @@ -2651,7 +2669,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1536179603.812250, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() From 8792f5545cd5b7de433d0eee510fde94371fdee3 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 12 Oct 2018 08:33:32 -0400 Subject: [PATCH 08/18] Fix crash when modifying a table from within its &expire_func --- CHANGES | 4 ++ VERSION | 2 +- src/Val.cc | 4 +- .../Baseline/language.expire_func_mod/out | 10 +++++ testing/btest/language/expire_func_mod.bro | 41 +++++++++++++++++++ 5 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 testing/btest/Baseline/language.expire_func_mod/out create mode 100644 testing/btest/language/expire_func_mod.bro diff --git a/CHANGES b/CHANGES index 6641588884..6414c3fcc3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-beta2-25 | 2018-10-12 08:33:32 -0400 + + * Fix crash when modifying a table from within its &expire_func (Jon Siwek, Corelight) + 2.6-beta2-24 | 2018-10-05 14:24:34 -0500 * GH-184: add `bro-config --build_type`, outputs CMake build type (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index ffa82dd240..2d4d80fba8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-beta2-24 +2.6-beta2-25 diff --git a/src/Val.cc b/src/Val.cc index 71d38e3c63..144eb995ee 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -2361,8 +2361,6 @@ void TableVal::DoExpire(double t) else if ( v->ExpireAccessTime() + timeout < t ) { - Val* val = v->Value(); - if ( expire_func ) { Val* idx = RecoverIndex(k); @@ -2403,8 +2401,8 @@ void TableVal::DoExpire(double t) new StateAccess(OP_EXPIRE, this, k)); tbl->RemoveEntry(k); + Unref(v->Value()); delete v; - Unref(val); Modified(); } diff --git a/testing/btest/Baseline/language.expire_func_mod/out b/testing/btest/Baseline/language.expire_func_mod/out new file mode 100644 index 0000000000..8790608ec1 --- /dev/null +++ b/testing/btest/Baseline/language.expire_func_mod/out 
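Review bot: The new `Unref(v->Value());` in the second src/Val.cc hunk carries no comment saying why the value has to be read after the `expire_func` call rather than cached before it, which is the whole fix. Going by the commit title, the callback can replace the entry's value, so the pointer the removed `Val* val = v->Value();` held could already have been released by the time `Unref(val)` ran. I would add `// Fetch the value only now: the &expire_func may have replaced it, so a pointer taken before the call can be stale.` above the `Unref`. The code between the two hunks is not shown, so it cannot be confirmed from here whether `v` itself is looked up again after the callback; that is worth checking, since a stale `v` would have the same problem. `DoExpire` starts and ends outside both hunks.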
@@ -0,0 +1,10 @@ +starting: ashish, 1 +inside table_expire_func: ashish, 2 +inside table_expire_func: ashish, 3 +inside table_expire_func: ashish, 4 +inside table_expire_func: ashish, 5 +inside table_expire_func: ashish, 6 +inside table_expire_func: ashish, 7 +inside table_expire_func: ashish, 8 +inside table_expire_func: ashish, 9 +inside table_expire_func: ashish, 10 diff --git a/testing/btest/language/expire_func_mod.bro b/testing/btest/language/expire_func_mod.bro new file mode 100644 index 0000000000..4790a9650e --- /dev/null +++ b/testing/btest/language/expire_func_mod.bro @@ -0,0 +1,41 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +module Test; + +redef exit_only_after_terminate = T; +redef table_expire_interval = .1 secs ; + +export { + global table_expire_func: function(t: table[string] of count, + s: string): interval; + + global t: table[string] of count + &write_expire=0 secs + &expire_func=table_expire_func; +} + +event die() + { + terminate(); + } + +function table_expire_func(t: table[string] of count, s: string): interval + { + t[s] += 1 ; + + print fmt("inside table_expire_func: %s, %s", s, t[s]); + + if ( t[s] < 10 ) + return .1 secs ; + + schedule .1sec { die() }; + return 0 secs; + } + +event bro_init() + { + local s="ashish"; + t[s] = 1 ; + print fmt("starting: %s, %s", s, t[s]); + } From f05ef0cb1e5d4e2c745d1368ca252e8223aefbfc Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 12 Oct 2018 12:48:33 -0400 Subject: [PATCH 09/18] Fix test baseline for plugin skeleton update --- CHANGES | 4 ++++ VERSION | 2 +- aux/bro-aux | 2 +- testing/btest/Baseline/plugins.hooks/output | 17 +++++++---------- 4 files changed, 13 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index 11e37c32ca..db7f45af87 100644 --- a/CHANGES +++ b/CHANGES 
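Review bot: The new test in testing/btest/language/expire_func_mod.bro only covers an `&expire_func` that reassigns the expiring entry (`t[s] += 1`); it has no case where the callback removes the entry, e.g. `delete t[s];`, or inserts other keys. Those are the other ways a callback can invalidate what the expiry loop is holding, so a second table with such a handler would pin the memory-safety behaviour more fully. Also, with `exit_only_after_terminate = T` the run ends only through `die()`, so a regression that stops the callback from firing would hang the test instead of failing it; running it through `btest-bg-run` / `btest-bg-wait`, as the broker tests do, would bound that.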
@@ -1,4 +1,8 @@ +2.6-beta2-28 | 2018-10-12 12:48:33 -0400 + + * Fix test baseline for plugin skeleton update (Jon Siwek, Corelight) + 2.6-beta2-27 | 2018-10-12 12:18:02 -0400 * Convert site::local_nets, etc. into options. (Johanna Amann) diff --git a/VERSION b/VERSION index 53f31cc202..bd308201cf 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-beta2-27 +2.6-beta2-28 diff --git a/aux/bro-aux b/aux/bro-aux index 4aceb3d1ef..b65079e5f4 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 4aceb3d1ef14d14fae1ee86ae4ba17647293a902 +Subproject commit b65079e5f4d0ac7caef6710adcddd383e59d3cd8 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 87927520d8..dce61908e3 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -274,7 +274,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -459,7 +459,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -721,7 +721,6 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/hooks.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/inactivity.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/info.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, .<...>/init.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/input.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/input.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/last.bro) -> -1 
@@ -1166,7 +1165,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1351,7 +1350,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1613,7 +1612,6 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/hooks.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/inactivity.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/info.bro) -0.000000 MetaHookPre LoadFile(0, .<...>/init.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/input.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/input.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/last.bro) @@ -2057,7 +2055,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2242,7 +2240,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2510,7 +2508,6 @@ 0.000000 | HookLoadFile .<...>/image.sig 0.000000 | HookLoadFile .<...>/inactivity.bro 0.000000 | HookLoadFile .<...>/info.bro -0.000000 | HookLoadFile .<...>/init.bro 0.000000 | HookLoadFile .<...>/input.bif.bro 0.000000 | HookLoadFile .<...>/input.bro 0.000000 | HookLoadFile .<...>/last.bro @@ -2669,7 +2666,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1539127994.704644, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1539361390.052019, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() From 70233148be2a20cd6813b3f6e7b86c4d7aa677b7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 12 Oct 2018 21:30:19 +0000 Subject: [PATCH 10/18] GH-186: fix JSON formatting of timestamps before Unix epoch --- CHANGES | 4 +++ VERSION | 2 +- src/threading/formatters/JSON.cc | 8 ++++-- .../ssh.log | 8 ++++++ .../logging/ascii-json-iso-timestamps.bro | 25 +++++++++++++++++++ 5 files changed, 44 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index db7f45af87..e51c5bf8c5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-beta2-29 | 2018-10-12 21:30:19 +0000 + + * GH-186: fix JSON formatting of timestamps before Unix epoch (Jon Siwek, Corelight) + 2.6-beta2-28 | 2018-10-12 12:48:33 -0400 * Fix test baseline for plugin skeleton update (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index bd308201cf..7636e7dcb0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-beta2-28 +2.6-beta2-29 diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc index 1b0f20d16f..f495a76b62 100644 --- a/src/threading/formatters/JSON.cc +++ b/src/threading/formatters/JSON.cc 
@@ -116,7 +116,7 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const { char buffer[40]; char buffer2[40]; - time_t the_time = time_t(val->val.double_val); + time_t the_time = time_t(floor(val->val.double_val)); struct tm t; desc->AddRaw("\"", 1); @@ -133,7 +133,11 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const { double integ; double frac = modf(val->val.double_val, &integ); - snprintf(buffer2, sizeof(buffer2), "%s.%06.0fZ", buffer, frac * 1000000); + + if ( frac < 0 ) + frac += 1; + + snprintf(buffer2, sizeof(buffer2), "%s.%06.0fZ", buffer, fabs(frac) * 1000000); desc->Add(buffer2); } diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-iso-timestamps/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-iso-timestamps/ssh.log index 5673a0605a..236a0f7503 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-iso-timestamps/ssh.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-iso-timestamps/ssh.log @@ -1,2 +1,10 @@ {"t":"2008-07-09T16:13:30.005432Z"} {"t":"1986-12-01T01:01:01.900000Z"} +{"t":"1969-12-31T23:59:59.600000Z"} +{"t":"1969-12-31T23:59:59.500000Z"} +{"t":"1969-12-31T23:59:59.400000Z"} +{"t":"1969-12-31T23:59:59.000000Z"} +{"t":"1969-12-31T23:59:58.600000Z"} +{"t":"1969-12-31T23:59:58.500000Z"} +{"t":"1969-12-31T23:59:58.400000Z"} +{"t":"1969-12-31T23:58:21.000000Z"} diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro index fa2a6f1efd..8cb1210a68 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro 
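Review bot: `time_t the_time = time_t(floor(val->val.double_val));` in the first hunk converts the double with no range check, and converting a NaN, infinite or out-of-range double to an integer type is undefined behaviour in C++. Where this value comes from is not visible here; if it can derive from parsed traffic or another external source, I would test `std::isfinite(val->val.double_val)` and that the value fits in `time_t` before the cast, and write a fixed fallback string otherwise. Whether the result of the time conversion that follows is checked lies outside the hunk, as does the rest of `JSON::Describe`.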
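Review bot: The fraction in the second hunk can still print as seven digits: `%06.0f` rounds, so a `frac` at or above 0.9999995 (including a tiny negative input, where `frac += 1` yields 1.0) is formatted as `1000000` and the seconds field is not carried, giving for example `…:59.1000000Z`. Rounding first and clamping keeps the field at six digits: `double usec = round(fabs(frac) * 1000000);` then `if ( usec > 999999 ) usec = 999999;` and pass `usec` to `snprintf`. A short comment that `fabs` is kept for the `-0.0` which `modf` returns on negative whole seconds would also help, since after `frac += 1` it otherwise looks redundant. The added baseline cases use fractions of .0, .4, .5 and .6 only, so none of them reaches this boundary.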
@@ -27,5 +27,30 @@ event bro_init() $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1986-12-01T01:01:01Z") + 0.90 secs) ]); + Log::write(SSH::LOG, [ + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1970-01-01T00:00:00Z") - 0.4 secs) + ]); + Log::write(SSH::LOG, [ + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1970-01-01T00:00:00Z") - 0.5 secs) + ]); + Log::write(SSH::LOG, [ + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1970-01-01T00:00:00Z") - 0.6 secs) + ]); + Log::write(SSH::LOG, [ + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1970-01-01T00:00:00Z") - 1.0 secs) + ]); + Log::write(SSH::LOG, [ + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1970-01-01T00:00:00Z") - 1.4 secs) + ]); + Log::write(SSH::LOG, [ + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1970-01-01T00:00:00Z") - 1.5 secs) + ]); + Log::write(SSH::LOG, [ + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1970-01-01T00:00:00Z") - 1.6 secs) + ]); + Log::write(SSH::LOG, [ + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1970-01-01T00:00:00Z") - 99 secs) + ]); + } From a8efaf3a7e7146f4282c06c5e9ef7c238dde26eb Mon Sep 17 00:00:00 2001 From: Dale Lakes Date: Mon, 15 Oct 2018 16:47:10 -0400 Subject: [PATCH 11/18] Add DCE_RPC exchange_mapi operations to relevant consts.bro file New operations names and opnums come from the MSDN documentation and OpenChange Project. --- scripts/base/protocols/dce-rpc/consts.bro | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro index 80f7ea4e5e..7942661780 100644 --- a/scripts/base/protocols/dce-rpc/consts.bro +++ b/scripts/base/protocols/dce-rpc/consts.bro 
@@ -1431,6 +1431,11 @@ export { ["a4f1db00-ca47-1067-b31f-00dd010662da",0x07] = "EcRGetDCName", ["a4f1db00-ca47-1067-b31f-00dd010662da",0x08] = "EcRNetGetDCName", ["a4f1db00-ca47-1067-b31f-00dd010662da",0x09] = "EcDoRpcExt", + ["a4f1db00-ca47-1067-b31f-00dd010662da",0x0a] = "EcDoConnectEx", + ["a4f1db00-ca47-1067-b31f-00dd010662da",0x0b] = "EcDoRpcExt2", + ["a4f1db00-ca47-1067-b31f-00dd010662da",0x0c] = "EcUnknown0xC", + ["a4f1db00-ca47-1067-b31f-00dd010662da",0x0d] = "EcUnknown0xD", + ["a4f1db00-ca47-1067-b31f-00dd010662da",0x0e] = "EcDoAsyncConnectEx", # drsuapi ["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x00] = "DRSBind", From 3c765731b3217623818f7eb70819c6ad655f50d2 Mon Sep 17 00:00:00 2001 From: Dale Lakes Date: Mon, 15 Oct 2018 19:17:53 -0400 Subject: [PATCH 12/18] Refactor to use consistent numeric type in dce_rpc. Add missing DNS query type codes --- scripts/base/protocols/dce-rpc/consts.bro | 450 +++++++++++----------- scripts/base/protocols/dnp3/consts.bro | 4 +- scripts/base/protocols/dns/consts.bro | 92 ++++- 3 files changed, 298 insertions(+), 248 deletions(-) diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro index 7942661780..af8c9d06df 100644 --- a/scripts/base/protocols/dce-rpc/consts.bro +++ b/scripts/base/protocols/dce-rpc/consts.bro 
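Review bot: The entries `EcUnknown0xC` and `EcUnknown0xD` are placeholder names, and nothing in the table says so or records where they come from. These strings presumably end up in the DCE-RPC logs that analysts match on, so a later rename to documented names would silently break saved queries and detections. I would add a comment above them, `# 0x0c/0x0d: no operation name found in the sources used (MSDN, OpenChange); placeholder names`, or use the reserved-opnum name from the specification if it gives one. The enclosing table starts and ends outside the hunk.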
@@ -101,259 +101,259 @@ export { const operations: table[string,count] of string = { # atsvc - ["1ff70682-0a51-30e8-076d-740be8cee98b",0] = "NetrJobAdd", - ["1ff70682-0a51-30e8-076d-740be8cee98b",1] = "NetrJobDel", - ["1ff70682-0a51-30e8-076d-740be8cee98b",2] = "NetrJobEnum", - ["1ff70682-0a51-30e8-076d-740be8cee98b",3] = "NetrJobGetInfo", + ["1ff70682-0a51-30e8-076d-740be8cee98b",0x00] = "NetrJobAdd", + ["1ff70682-0a51-30e8-076d-740be8cee98b",0x01] = "NetrJobDel", + ["1ff70682-0a51-30e8-076d-740be8cee98b",0x02] = "NetrJobEnum", + ["1ff70682-0a51-30e8-076d-740be8cee98b",0x03] = "NetrJobGetInfo", # sasec - ["378e52b0-c0a9-11cf-822d-00aa0051e40f",0] = "SASetAccountInformation", - ["378e52b0-c0a9-11cf-822d-00aa0051e40f",1] = "SASetNSAccountInformation", - ["378e52b0-c0a9-11cf-822d-00aa0051e40f",2] = "SAGetNSAccountInformation", - ["378e52b0-c0a9-11cf-822d-00aa0051e40f",3] = "SAGetAccountInformation", + ["378e52b0-c0a9-11cf-822d-00aa0051e40f",0x00] = "SASetAccountInformation", + ["378e52b0-c0a9-11cf-822d-00aa0051e40f",0x01] = "SASetNSAccountInformation", + ["378e52b0-c0a9-11cf-822d-00aa0051e40f",0x02] = "SAGetNSAccountInformation", + ["378e52b0-c0a9-11cf-822d-00aa0051e40f",0x03] = "SAGetAccountInformation", # idletask - ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",0] = "ItSrvRegisterIdleTask", - ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",1] = "ItSrvUnregisterIdleTask", - ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",2] = "ItSrvProcessIdleTasks", - ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",3] = "ItSrvSetDetectionParameters", + ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",0x00] = "ItSrvRegisterIdleTask", + ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",0x01] = "ItSrvUnregisterIdleTask", + ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",0x02] = "ItSrvProcessIdleTasks", + ["0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",0x03] = "ItSrvSetDetectionParameters", # ITaskSchedulerService - ["86d35949-83c9-4044-b424-db363231fd0c",0] = "SchRpcHighestVersion", - ["86d35949-83c9-4044-b424-db363231fd0c",1] = 
"SchRpcRegisterTask", - ["86d35949-83c9-4044-b424-db363231fd0c",2] = "SchRpcRetrieveTask", - ["86d35949-83c9-4044-b424-db363231fd0c",3] = "SchRpcCreateFolder", - ["86d35949-83c9-4044-b424-db363231fd0c",4] = "SchRpcSetSecurity", - ["86d35949-83c9-4044-b424-db363231fd0c",5] = "SchRpcGetSecurity", - ["86d35949-83c9-4044-b424-db363231fd0c",6] = "SchRpcEnumFolder", - ["86d35949-83c9-4044-b424-db363231fd0c",7] = "SchRpcEnumTasks", - ["86d35949-83c9-4044-b424-db363231fd0c",8] = "SchRpcEnumInstances", - ["86d35949-83c9-4044-b424-db363231fd0c",9] = "SchRpcGetInstanceInfo", - ["86d35949-83c9-4044-b424-db363231fd0c",10] = "SchRpcStopInstance", - ["86d35949-83c9-4044-b424-db363231fd0c",11] = "SchRpcStop", - ["86d35949-83c9-4044-b424-db363231fd0c",12] = "SchRpcRun", - ["86d35949-83c9-4044-b424-db363231fd0c",13] = "SchRpcDelete", - ["86d35949-83c9-4044-b424-db363231fd0c",14] = "SchRpcRename", - ["86d35949-83c9-4044-b424-db363231fd0c",15] = "SchRpcScheduledRuntimes", - ["86d35949-83c9-4044-b424-db363231fd0c",16] = "SchRpcGetLastRunInfo", - ["86d35949-83c9-4044-b424-db363231fd0c",17] = "SchRpcGetTaskInfo", + ["86d35949-83c9-4044-b424-db363231fd0c",0x00] = "SchRpcHighestVersion", + ["86d35949-83c9-4044-b424-db363231fd0c",0x01] = "SchRpcRegisterTask", + ["86d35949-83c9-4044-b424-db363231fd0c",0x02] = "SchRpcRetrieveTask", + ["86d35949-83c9-4044-b424-db363231fd0c",0x03] = "SchRpcCreateFolder", + ["86d35949-83c9-4044-b424-db363231fd0c",0x04] = "SchRpcSetSecurity", + ["86d35949-83c9-4044-b424-db363231fd0c",0x05] = "SchRpcGetSecurity", + ["86d35949-83c9-4044-b424-db363231fd0c",0x06] = "SchRpcEnumFolder", + ["86d35949-83c9-4044-b424-db363231fd0c",0x07] = "SchRpcEnumTasks", + ["86d35949-83c9-4044-b424-db363231fd0c",0x08] = "SchRpcEnumInstances", + ["86d35949-83c9-4044-b424-db363231fd0c",0x09] = "SchRpcGetInstanceInfo", + ["86d35949-83c9-4044-b424-db363231fd0c",0x0a] = "SchRpcStopInstance", + ["86d35949-83c9-4044-b424-db363231fd0c",0x0b] = "SchRpcStop", + 
["86d35949-83c9-4044-b424-db363231fd0c",0x0c] = "SchRpcRun", + ["86d35949-83c9-4044-b424-db363231fd0c",0x0d] = "SchRpcDelete", + ["86d35949-83c9-4044-b424-db363231fd0c",0x0e] = "SchRpcRename", + ["86d35949-83c9-4044-b424-db363231fd0c",0x0f] = "SchRpcScheduledRuntimes", + ["86d35949-83c9-4044-b424-db363231fd0c",0x10] = "SchRpcGetLastRunInfo", + ["86d35949-83c9-4044-b424-db363231fd0c",0x11] = "SchRpcGetTaskInfo", # IObjectExporter - ["99fcfec4-5260-101b-bbcb-00aa0021347a",0] = "ResolveOxid", - ["99fcfec4-5260-101b-bbcb-00aa0021347a",1] = "SimplePing", - ["99fcfec4-5260-101b-bbcb-00aa0021347a",2] = "ComplexPing", - ["99fcfec4-5260-101b-bbcb-00aa0021347a",3] = "ServerAlive", - ["99fcfec4-5260-101b-bbcb-00aa0021347a",4] = "ResolveOxid2", - ["99fcfec4-5260-101b-bbcb-00aa0021347a",5] = "ServerAlive2", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",0x00] = "ResolveOxid", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",0x01] = "SimplePing", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",0x02] = "ComplexPing", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",0x03] = "ServerAlive", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",0x04] = "ResolveOxid2", + ["99fcfec4-5260-101b-bbcb-00aa0021347a",0x05] = "ServerAlive2", # IActivation - ["4d9f4ab8-7d1c-11cf-861e-0020af6e7c57",0] = "RemoteActivation", + ["4d9f4ab8-7d1c-11cf-861e-0020af6e7c57",0x00] = "RemoteActivation", # nspi - ["f5cc5a18-4264-101a-8c59-08002b2f8426",0] = "NspiBind", - ["f5cc5a18-4264-101a-8c59-08002b2f8426",1] = "NspiUnbind", - ["f5cc5a18-4264-101a-8c59-08002b2f8426",2] = "NspiUpdateStat", - ["f5cc5a18-4264-101a-8c59-08002b2f8426",3] = "NspiQueryRows", - ["f5cc5a18-4264-101a-8c59-08002b2f8426",4] = "NspiSeekEntries", - ["f5cc5a18-4264-101a-8c59-08002b2f8426",5] = "NspiGetMatches", - ["f5cc5a18-4264-101a-8c59-08002b2f8426",6] = "NspiResortRestriction", - ["f5cc5a18-4264-101a-8c59-08002b2f8426",7] = "NspiDNToEph", - ["f5cc5a18-4264-101a-8c59-08002b2f8426",8] = "NspiGetPropList", - ["f5cc5a18-4264-101a-8c59-08002b2f8426",9] = "NspiGetProps", + 
["f5cc5a18-4264-101a-8c59-08002b2f8426",0x00] = "NspiBind", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0x01] = "NspiUnbind", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0x02] = "NspiUpdateStat", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0x03] = "NspiQueryRows", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0x04] = "NspiSeekEntries", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0x05] = "NspiGetMatches", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0x06] = "NspiResortRestriction", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0x07] = "NspiDNToEph", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0x08] = "NspiGetPropList", + ["f5cc5a18-4264-101a-8c59-08002b2f8426",0x09] = "NspiGetProps", # IWbemServices - ["9556dc99-828c-11cf-a37e-00aa003240c7",3] = "OpenNamespace", - ["9556dc99-828c-11cf-a37e-00aa003240c7",4] = "CancelAsyncCall", - ["9556dc99-828c-11cf-a37e-00aa003240c7",5] = "QueryObjectSink", - ["9556dc99-828c-11cf-a37e-00aa003240c7",6] = "GetObject", - ["9556dc99-828c-11cf-a37e-00aa003240c7",7] = "GetObjectAsync", - ["9556dc99-828c-11cf-a37e-00aa003240c7",8] = "PutClass", - ["9556dc99-828c-11cf-a37e-00aa003240c7",9] = "PutClassAsync", - ["9556dc99-828c-11cf-a37e-00aa003240c7",10] = "DeleteClass", - ["9556dc99-828c-11cf-a37e-00aa003240c7",11] = "DeleteClassAsync", - ["9556dc99-828c-11cf-a37e-00aa003240c7",12] = "CreateClassEnum", - ["9556dc99-828c-11cf-a37e-00aa003240c7",13] = "CreateClassEnumAsync", - ["9556dc99-828c-11cf-a37e-00aa003240c7",14] = "PutInstance", - ["9556dc99-828c-11cf-a37e-00aa003240c7",15] = "PutInstanceAsync", - ["9556dc99-828c-11cf-a37e-00aa003240c7",16] = "DeleteClass", - ["9556dc99-828c-11cf-a37e-00aa003240c7",17] = "DeleteClassAsync", - ["9556dc99-828c-11cf-a37e-00aa003240c7",18] = "CreateInstanceEnum", - ["9556dc99-828c-11cf-a37e-00aa003240c7",19] = "CreateInstanceEnumAsync", - ["9556dc99-828c-11cf-a37e-00aa003240c7",20] = "ExecQuery", - ["9556dc99-828c-11cf-a37e-00aa003240c7",21] = "ExecQueryAsync", - ["9556dc99-828c-11cf-a37e-00aa003240c7",22] = 
"ExecNotificationQuery", - ["9556dc99-828c-11cf-a37e-00aa003240c7",23] = "ExecNotificationQueryAsync", - ["9556dc99-828c-11cf-a37e-00aa003240c7",24] = "ExecMethod", - ["9556dc99-828c-11cf-a37e-00aa003240c7",25] = "ExecMethodAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x03] = "OpenNamespace", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x04] = "CancelAsyncCall", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x05] = "QueryObjectSink", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x06] = "GetObject", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x07] = "GetObjectAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x08] = "PutClass", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x09] = "PutClassAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x0a] = "DeleteClass", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x0b] = "DeleteClassAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x0c] = "CreateClassEnum", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x0d] = "CreateClassEnumAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x0e] = "PutInstance", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x0f] = "PutInstanceAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x10] = "DeleteClass", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x11] = "DeleteClassAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x12] = "CreateInstanceEnum", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x13] = "CreateInstanceEnumAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x14] = "ExecQuery", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x15] = "ExecQueryAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x16] = "ExecNotificationQuery", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x17] = "ExecNotificationQueryAsync", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x18] = "ExecMethod", + ["9556dc99-828c-11cf-a37e-00aa003240c7",0x19] = "ExecMethodAsync", # IWbemLevel1Login - ["f309ad18-d86a-11d0-a075-00c04fb68820",3] = "EstablishPosition", - ["f309ad18-d86a-11d0-a075-00c04fb68820",4] = "RequestChallenge", - 
["f309ad18-d86a-11d0-a075-00c04fb68820",5] = "WBEMLogin", - ["f309ad18-d86a-11d0-a075-00c04fb68820",6] = "NTLMLogin", + ["f309ad18-d86a-11d0-a075-00c04fb68820",0x03] = "EstablishPosition", + ["f309ad18-d86a-11d0-a075-00c04fb68820",0x04] = "RequestChallenge", + ["f309ad18-d86a-11d0-a075-00c04fb68820",0x05] = "WBEMLogin", + ["f309ad18-d86a-11d0-a075-00c04fb68820",0x06] = "NTLMLogin", # FrsRpc - ["f5cc59b4-4264-101a-8c59-08002b2f8426",0] = "FrsRpcSendCommPkt", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",1] = "FrsRpcVerifyPromotionParent", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",2] = "FrsRpcStartPromotionParent", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",3] = "FrsNOP", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",4] = "FrsBackupComplete", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",5] = "FrsBackupComplete", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",6] = "FrsBackupComplete", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",7] = "FrsBackupComplete", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",8] = "FrsBackupComplete", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",9] = "FrsBackupComplete", - ["f5cc59b4-4264-101a-8c59-08002b2f8426",10] = "FrsRpcVerifyPromotionParentEx", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x00] = "FrsRpcSendCommPkt", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x01] = "FrsRpcVerifyPromotionParent", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x02] = "FrsRpcStartPromotionParent", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x03] = "FrsNOP", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x04] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x05] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x06] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x07] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x08] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x09] = "FrsBackupComplete", + ["f5cc59b4-4264-101a-8c59-08002b2f8426",0x0a] = "FrsRpcVerifyPromotionParentEx", # IRemUnknown2 - 
["00000143-0000-0000-c000-000000000046",0] = "QueryInterface", - ["00000143-0000-0000-c000-000000000046",1] = "AddRef", - ["00000143-0000-0000-c000-000000000046",2] = "Release", - ["00000143-0000-0000-c000-000000000046",3] = "RemQueryInterface", - ["00000143-0000-0000-c000-000000000046",4] = "RemAddRef", - ["00000143-0000-0000-c000-000000000046",5] = "RemRelease", - ["00000143-0000-0000-c000-000000000046",6] = "RemQueryInterface2", + ["00000143-0000-0000-c000-000000000046",0x00] = "QueryInterface", + ["00000143-0000-0000-c000-000000000046",0x01] = "AddRef", + ["00000143-0000-0000-c000-000000000046",0x02] = "Release", + ["00000143-0000-0000-c000-000000000046",0x03] = "RemQueryInterface", + ["00000143-0000-0000-c000-000000000046",0x04] = "RemAddRef", + ["00000143-0000-0000-c000-000000000046",0x05] = "RemRelease", + ["00000143-0000-0000-c000-000000000046",0x06] = "RemQueryInterface2", # IRemoteSCMActivator - ["000001a0-0000-0000-c000-000000000046",0] = "QueryInterfaceIRemoteSCMActivator", - ["000001a0-0000-0000-c000-000000000046",1] = "AddRefIRemoteISCMActivator", - ["000001a0-0000-0000-c000-000000000046",2] = "ReleaseIRemoteISCMActivator", - ["000001a0-0000-0000-c000-000000000046",3] = "RemoteGetClassObject", - ["000001a0-0000-0000-c000-000000000046",4] = "RemoteCreateInstance", + ["000001a0-0000-0000-c000-000000000046",0x00] = "QueryInterfaceIRemoteSCMActivator", + ["000001a0-0000-0000-c000-000000000046",0x01] = "AddRefIRemoteISCMActivator", + ["000001a0-0000-0000-c000-000000000046",0x02] = "ReleaseIRemoteISCMActivator", + ["000001a0-0000-0000-c000-000000000046",0x03] = "RemoteGetClassObject", + ["000001a0-0000-0000-c000-000000000046",0x04] = "RemoteCreateInstance", # netlogon - ["12345678-1234-abcd-ef00-01234567cffb",0] = "NetrLogonUasLogon", - ["12345678-1234-abcd-ef00-01234567cffb",1] = "NetrLogonUasLogoff", - ["12345678-1234-abcd-ef00-01234567cffb",2] = "NetrLogonSamLogon", - ["12345678-1234-abcd-ef00-01234567cffb",3] = "NetrLogonSamLogoff", - 
["12345678-1234-abcd-ef00-01234567cffb",4] = "NetrServerReqChallenge", - ["12345678-1234-abcd-ef00-01234567cffb",5] = "NetrServerAuthenticate", - ["12345678-1234-abcd-ef00-01234567cffb",6] = "NetrServerPasswordSet", - ["12345678-1234-abcd-ef00-01234567cffb",7] = "NetrDatabaseDeltas", - ["12345678-1234-abcd-ef00-01234567cffb",8] = "NetrDatabaseSync", - ["12345678-1234-abcd-ef00-01234567cffb",9] = "NetrAccountDeltas", - ["12345678-1234-abcd-ef00-01234567cffb",10] = "NetrAccountSync", - ["12345678-1234-abcd-ef00-01234567cffb",11] = "NetrGetDCName", - ["12345678-1234-abcd-ef00-01234567cffb",12] = "NetrLogonControl", - ["12345678-1234-abcd-ef00-01234567cffb",13] = "NetrGetAnyDCName", - ["12345678-1234-abcd-ef00-01234567cffb",14] = "NetrLogonControl2", - ["12345678-1234-abcd-ef00-01234567cffb",15] = "NetrServerAuthenticate2", - ["12345678-1234-abcd-ef00-01234567cffb",16] = "NetrDatabaseSync2", - ["12345678-1234-abcd-ef00-01234567cffb",17] = "NetrDatabaseRedo", - ["12345678-1234-abcd-ef00-01234567cffb",18] = "NetrLogonControl2Ex", - ["12345678-1234-abcd-ef00-01234567cffb",19] = "NetrEnumerateTrustedDomains", - ["12345678-1234-abcd-ef00-01234567cffb",20] = "DsrGetDcName", - ["12345678-1234-abcd-ef00-01234567cffb",21] = "NetrLogonGetCapabilities", - ["12345678-1234-abcd-ef00-01234567cffb",22] = "NetrLogonSetServiceBits", - ["12345678-1234-abcd-ef00-01234567cffb",23] = "NetrLogonGetTrustRid", - ["12345678-1234-abcd-ef00-01234567cffb",24] = "NetrLogonComputeServerDigest", - ["12345678-1234-abcd-ef00-01234567cffb",25] = "NetrLogonComputeClientDigest", - ["12345678-1234-abcd-ef00-01234567cffb",26] = "NetrServerAuthenticate3", - ["12345678-1234-abcd-ef00-01234567cffb",27] = "DsrGetDcNameEx", - ["12345678-1234-abcd-ef00-01234567cffb",28] = "DsrGetSiteName", - ["12345678-1234-abcd-ef00-01234567cffb",29] = "NetrLogonGetDomainInfo", - ["12345678-1234-abcd-ef00-01234567cffb",30] = "NetrServerPasswordSet2", - ["12345678-1234-abcd-ef00-01234567cffb",31] = "NetrServerPasswordGet", - 
["12345678-1234-abcd-ef00-01234567cffb",32] = "NetrLogonSendToSam", - ["12345678-1234-abcd-ef00-01234567cffb",33] = "DsrAddressToSiteNamesW", - ["12345678-1234-abcd-ef00-01234567cffb",34] = "DsrGetDcNameEx2", - ["12345678-1234-abcd-ef00-01234567cffb",35] = "NetrLogonGetTimeServiceParentDomain", - ["12345678-1234-abcd-ef00-01234567cffb",36] = "NetrEnumerateTrustedDomainsEx", - ["12345678-1234-abcd-ef00-01234567cffb",37] = "DsrAddressToSiteNamesExW", - ["12345678-1234-abcd-ef00-01234567cffb",38] = "DsrGetDcSiteCoverageW", - ["12345678-1234-abcd-ef00-01234567cffb",39] = "NetrLogonSamLogonEx", - ["12345678-1234-abcd-ef00-01234567cffb",40] = "DsrEnumerateDomainTrusts", - ["12345678-1234-abcd-ef00-01234567cffb",41] = "DsrDeregisterDnsHostRecords", - ["12345678-1234-abcd-ef00-01234567cffb",42] = "NetrServerTrustPasswordsGet", - ["12345678-1234-abcd-ef00-01234567cffb",43] = "DsrGetForestTrustInformation", - ["12345678-1234-abcd-ef00-01234567cffb",44] = "NetrGetForestTrustInformation", - ["12345678-1234-abcd-ef00-01234567cffb",45] = "NetrLogonSameLogonWithFlags", - ["12345678-1234-abcd-ef00-01234567cffb",46] = "NetrServerGetTrustInfo", - ["12345678-1234-abcd-ef00-01234567cffb",47] = "unused", - ["12345678-1234-abcd-ef00-01234567cffb",48] = "DsrUpdateReadOnlyServerDnsRecords", - ["12345678-1234-abcd-ef00-01234567cffb",49] = "NetrChainSetClientAttributes", + ["12345678-1234-abcd-ef00-01234567cffb",0x00] = "NetrLogonUasLogon", + ["12345678-1234-abcd-ef00-01234567cffb",0x01] = "NetrLogonUasLogoff", + ["12345678-1234-abcd-ef00-01234567cffb",0x02] = "NetrLogonSamLogon", + ["12345678-1234-abcd-ef00-01234567cffb",0x03] = "NetrLogonSamLogoff", + ["12345678-1234-abcd-ef00-01234567cffb",0x04] = "NetrServerReqChallenge", + ["12345678-1234-abcd-ef00-01234567cffb",0x05] = "NetrServerAuthenticate", + ["12345678-1234-abcd-ef00-01234567cffb",0x06] = "NetrServerPasswordSet", + ["12345678-1234-abcd-ef00-01234567cffb",0x07] = "NetrDatabaseDeltas", + 
["12345678-1234-abcd-ef00-01234567cffb",0x08] = "NetrDatabaseSync", + ["12345678-1234-abcd-ef00-01234567cffb",0x09] = "NetrAccountDeltas", + ["12345678-1234-abcd-ef00-01234567cffb",0x0a] = "NetrAccountSync", + ["12345678-1234-abcd-ef00-01234567cffb",0x0b] = "NetrGetDCName", + ["12345678-1234-abcd-ef00-01234567cffb",0x0c] = "NetrLogonControl", + ["12345678-1234-abcd-ef00-01234567cffb",0x0d] = "NetrGetAnyDCName", + ["12345678-1234-abcd-ef00-01234567cffb",0x0e] = "NetrLogonControl2", + ["12345678-1234-abcd-ef00-01234567cffb",0x0f] = "NetrServerAuthenticate2", + ["12345678-1234-abcd-ef00-01234567cffb",0x10] = "NetrDatabaseSync2", + ["12345678-1234-abcd-ef00-01234567cffb",0x11] = "NetrDatabaseRedo", + ["12345678-1234-abcd-ef00-01234567cffb",0x12] = "NetrLogonControl2Ex", + ["12345678-1234-abcd-ef00-01234567cffb",0x13] = "NetrEnumerateTrustedDomains", + ["12345678-1234-abcd-ef00-01234567cffb",0x14] = "DsrGetDcName", + ["12345678-1234-abcd-ef00-01234567cffb",0x15] = "NetrLogonGetCapabilities", + ["12345678-1234-abcd-ef00-01234567cffb",0x16] = "NetrLogonSetServiceBits", + ["12345678-1234-abcd-ef00-01234567cffb",0x17] = "NetrLogonGetTrustRid", + ["12345678-1234-abcd-ef00-01234567cffb",0x18] = "NetrLogonComputeServerDigest", + ["12345678-1234-abcd-ef00-01234567cffb",0x19] = "NetrLogonComputeClientDigest", + ["12345678-1234-abcd-ef00-01234567cffb",0x1a] = "NetrServerAuthenticate3", + ["12345678-1234-abcd-ef00-01234567cffb",0x1b] = "DsrGetDcNameEx", + ["12345678-1234-abcd-ef00-01234567cffb",0x1c] = "DsrGetSiteName", + ["12345678-1234-abcd-ef00-01234567cffb",0x1d] = "NetrLogonGetDomainInfo", + ["12345678-1234-abcd-ef00-01234567cffb",0x1e] = "NetrServerPasswordSet2", + ["12345678-1234-abcd-ef00-01234567cffb",0x1f] = "NetrServerPasswordGet", + ["12345678-1234-abcd-ef00-01234567cffb",0x20] = "NetrLogonSendToSam", + ["12345678-1234-abcd-ef00-01234567cffb",0x21] = "DsrAddressToSiteNamesW", + ["12345678-1234-abcd-ef00-01234567cffb",0x22] = "DsrGetDcNameEx2", + 
["12345678-1234-abcd-ef00-01234567cffb",0x23] = "NetrLogonGetTimeServiceParentDomain", + ["12345678-1234-abcd-ef00-01234567cffb",0x24] = "NetrEnumerateTrustedDomainsEx", + ["12345678-1234-abcd-ef00-01234567cffb",0x25] = "DsrAddressToSiteNamesExW", + ["12345678-1234-abcd-ef00-01234567cffb",0x26] = "DsrGetDcSiteCoverageW", + ["12345678-1234-abcd-ef00-01234567cffb",0x27] = "NetrLogonSamLogonEx", + ["12345678-1234-abcd-ef00-01234567cffb",0x28] = "DsrEnumerateDomainTrusts", + ["12345678-1234-abcd-ef00-01234567cffb",0x29] = "DsrDeregisterDnsHostRecords", + ["12345678-1234-abcd-ef00-01234567cffb",0x2a] = "NetrServerTrustPasswordsGet", + ["12345678-1234-abcd-ef00-01234567cffb",0x2b] = "DsrGetForestTrustInformation", + ["12345678-1234-abcd-ef00-01234567cffb",0x2c] = "NetrGetForestTrustInformation", + ["12345678-1234-abcd-ef00-01234567cffb",0x2d] = "NetrLogonSameLogonWithFlags", + ["12345678-1234-abcd-ef00-01234567cffb",0x2e] = "NetrServerGetTrustInfo", + ["12345678-1234-abcd-ef00-01234567cffb",0x2f] = "unused", + ["12345678-1234-abcd-ef00-01234567cffb",0x30] = "DsrUpdateReadOnlyServerDnsRecords", + ["12345678-1234-abcd-ef00-01234567cffb",0x31] = "NetrChainSetClientAttributes", # IRemoteWinspool - ["76f03f96-cdfd-44fc-a22c-64950a001209",0] = "RpcAsyncOpenPrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",1] = "RpcAsyncAddPrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",2] = "RpcAsyncSetJob", - ["76f03f96-cdfd-44fc-a22c-64950a001209",3] = "RpcAsyncGetJob", - ["76f03f96-cdfd-44fc-a22c-64950a001209",4] = "RpcAsyncEnumJobs", - ["76f03f96-cdfd-44fc-a22c-64950a001209",5] = "RpcAsyncAddJob", - ["76f03f96-cdfd-44fc-a22c-64950a001209",6] = "RpcAsyncScheduleJob", - ["76f03f96-cdfd-44fc-a22c-64950a001209",7] = "RpcAsyncDeletePrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",8] = "RpcAsyncSetPrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",9] = "RpcAsyncGetPrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",10] = "RpcAsyncStartDocPrinter", - 
["76f03f96-cdfd-44fc-a22c-64950a001209",11] = "RpcAsyncStartPagePrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",12] = "RpcAsyncWritePrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",13] = "RpcAsyncEndPagePrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",14] = "RpcAsyncEndDocPrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",15] = "RpcAsyncAbortPrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",16] = "RpcAsyncGetPrinterData", - ["76f03f96-cdfd-44fc-a22c-64950a001209",17] = "RpcAsyncGetPrinterDataEx", - ["76f03f96-cdfd-44fc-a22c-64950a001209",18] = "RpcAsyncSetPrinterData", - ["76f03f96-cdfd-44fc-a22c-64950a001209",19] = "RpcAsyncSetPrinterDataEx", - ["76f03f96-cdfd-44fc-a22c-64950a001209",20] = "RpcAsyncClosePrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",21] = "RpcAsyncAddForm", - ["76f03f96-cdfd-44fc-a22c-64950a001209",22] = "RpcAsyncDeleteForm", - ["76f03f96-cdfd-44fc-a22c-64950a001209",23] = "RpcAsyncGetForm", - ["76f03f96-cdfd-44fc-a22c-64950a001209",24] = "RpcAsyncSetForm", - ["76f03f96-cdfd-44fc-a22c-64950a001209",25] = "RpcAsyncEnumForms", - ["76f03f96-cdfd-44fc-a22c-64950a001209",26] = "RpcAsyncGetPrinterDriver", - ["76f03f96-cdfd-44fc-a22c-64950a001209",27] = "RpcAsyncEnumPrinterData", - ["76f03f96-cdfd-44fc-a22c-64950a001209",28] = "RpcAsyncEnumPrinterDataEx", - ["76f03f96-cdfd-44fc-a22c-64950a001209",29] = "RpcAsyncEnumPrinterKey", - ["76f03f96-cdfd-44fc-a22c-64950a001209",30] = "RpcAsyncDeletePrinterData", - ["76f03f96-cdfd-44fc-a22c-64950a001209",31] = "RpcAsyncDeletePrinterDataEx", - ["76f03f96-cdfd-44fc-a22c-64950a001209",32] = "RpcAsyncDeletePrinterKey", - ["76f03f96-cdfd-44fc-a22c-64950a001209",33] = "RpcAsyncXcvData", - ["76f03f96-cdfd-44fc-a22c-64950a001209",34] = "RpcAsyncSendRecvBidiData", - ["76f03f96-cdfd-44fc-a22c-64950a001209",35] = "RpcAsyncCreatePrinterIC", - ["76f03f96-cdfd-44fc-a22c-64950a001209",36] = "RpcAsyncPlayGdiScriptOnPrinterIC", - ["76f03f96-cdfd-44fc-a22c-64950a001209",37] = "RpcAsyncDeletePrinterIC", - 
["76f03f96-cdfd-44fc-a22c-64950a001209",38] = "RpcAsyncEnumPrinters", - ["76f03f96-cdfd-44fc-a22c-64950a001209",39] = "RpcAsyncAddPrinterDriver", - ["76f03f96-cdfd-44fc-a22c-64950a001209",40] = "RpcAsyncEnumPrinterDrivers", - ["76f03f96-cdfd-44fc-a22c-64950a001209",41] = "RpcAsyncGetPrinterDriverDirectory", - ["76f03f96-cdfd-44fc-a22c-64950a001209",42] = "RpcAsyncDeletePrinterDriver", - ["76f03f96-cdfd-44fc-a22c-64950a001209",43] = "RpcAsyncDeletePrinterDriverEx", - ["76f03f96-cdfd-44fc-a22c-64950a001209",44] = "RpcAsyncAddPrintProcessor", - ["76f03f96-cdfd-44fc-a22c-64950a001209",45] = "RpcAsyncEnumPrintProcessors", - ["76f03f96-cdfd-44fc-a22c-64950a001209",46] = "RpcAsyncGetPrintProcessorDirectory", - ["76f03f96-cdfd-44fc-a22c-64950a001209",47] = "RpcAsyncEnumPorts", - ["76f03f96-cdfd-44fc-a22c-64950a001209",48] = "RpcAsyncEnumMonitors", - ["76f03f96-cdfd-44fc-a22c-64950a001209",49] = "RpcAsyncAddPort", - ["76f03f96-cdfd-44fc-a22c-64950a001209",50] = "RpcAsyncSetPort", - ["76f03f96-cdfd-44fc-a22c-64950a001209",51] = "RpcAsyncAddMonitor", - ["76f03f96-cdfd-44fc-a22c-64950a001209",52] = "RpcAsyncDeleteMonitor", - ["76f03f96-cdfd-44fc-a22c-64950a001209",53] = "RpcAsyncDeletePrintProcessor", - ["76f03f96-cdfd-44fc-a22c-64950a001209",54] = "RpcAsyncEnumPrintProcessorDatatypes", - ["76f03f96-cdfd-44fc-a22c-64950a001209",55] = "RpcAsyncAddPerMachineConnection", - ["76f03f96-cdfd-44fc-a22c-64950a001209",56] = "RpcAsyncDeletePerMachineConnection", - ["76f03f96-cdfd-44fc-a22c-64950a001209",57] = "RpcAsyncEnumPerMachineConnections", - ["76f03f96-cdfd-44fc-a22c-64950a001209",58] = "RpcSyncRegisterForRemoteNotifications", - ["76f03f96-cdfd-44fc-a22c-64950a001209",59] = "RpcSyncUnRegisterForRemoteNotifications", - ["76f03f96-cdfd-44fc-a22c-64950a001209",60] = "RpcSyncRefreshRemoteNotifications", - ["76f03f96-cdfd-44fc-a22c-64950a001209",61] = "RpcAsyncGetRemoteNotifications", - ["76f03f96-cdfd-44fc-a22c-64950a001209",62] = "RpcAsyncInstallPrinterDriverFromPackage", - 
["76f03f96-cdfd-44fc-a22c-64950a001209",63] = "RpcAsyncUploadPrinterDriverPackage", - ["76f03f96-cdfd-44fc-a22c-64950a001209",64] = "RpcAsyncGetCorePrinterDrivers", - ["76f03f96-cdfd-44fc-a22c-64950a001209",65] = "RpcAsyncCorePrinterDriverInstalled", - ["76f03f96-cdfd-44fc-a22c-64950a001209",66] = "RpcAsyncGetPrinterDriverPackagePath", - ["76f03f96-cdfd-44fc-a22c-64950a001209",67] = "RpcAsyncDeletePrinterDriverPackage", - ["76f03f96-cdfd-44fc-a22c-64950a001209",68] = "RpcAsyncReadPrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",69] = "RpcAsyncResetPrinter", - ["76f03f96-cdfd-44fc-a22c-64950a001209",70] = "RpcAsyncGetJobNamedPropertyValue", - ["76f03f96-cdfd-44fc-a22c-64950a001209",71] = "RpcAsyncSetJobNamedProperty", - ["76f03f96-cdfd-44fc-a22c-64950a001209",72] = "RpcAsyncDeleteJobNamedProperty", - ["76f03f96-cdfd-44fc-a22c-64950a001209",73] = "RpcAsyncEnumJobNamedProperties", - ["76f03f96-cdfd-44fc-a22c-64950a001209",74] = "RpcAsyncLogJobInfoForBranchOffice", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x00] = "RpcAsyncOpenPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x01] = "RpcAsyncAddPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x2] = "RpcAsyncSetJob", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x3] = "RpcAsyncGetJob", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x4] = "RpcAsyncEnumJobs", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x5] = "RpcAsyncAddJob", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x6] = "RpcAsyncScheduleJob", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x7] = "RpcAsyncDeletePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x8] = "RpcAsyncSetPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x9] = "RpcAsyncGetPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0a] = "RpcAsyncStartDocPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0b] = "RpcAsyncStartPagePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0c] = "RpcAsyncWritePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0d] = 
"RpcAsyncEndPagePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0e] = "RpcAsyncEndDocPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0f] = "RpcAsyncAbortPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x10] = "RpcAsyncGetPrinterData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x11] = "RpcAsyncGetPrinterDataEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x12] = "RpcAsyncSetPrinterData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x13] = "RpcAsyncSetPrinterDataEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x14] = "RpcAsyncClosePrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x15] = "RpcAsyncAddForm", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x16] = "RpcAsyncDeleteForm", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x17] = "RpcAsyncGetForm", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x18] = "RpcAsyncSetForm", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x19] = "RpcAsyncEnumForms", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x1a] = "RpcAsyncGetPrinterDriver", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x1b] = "RpcAsyncEnumPrinterData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x1c] = "RpcAsyncEnumPrinterDataEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x1d] = "RpcAsyncEnumPrinterKey", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x1e] = "RpcAsyncDeletePrinterData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x1f] = "RpcAsyncDeletePrinterDataEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x20] = "RpcAsyncDeletePrinterKey", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x21] = "RpcAsyncXcvData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x22] = "RpcAsyncSendRecvBidiData", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x23] = "RpcAsyncCreatePrinterIC", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x24] = "RpcAsyncPlayGdiScriptOnPrinterIC", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x25] = "RpcAsyncDeletePrinterIC", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x26] = "RpcAsyncEnumPrinters", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x27] = "RpcAsyncAddPrinterDriver", + 
["76f03f96-cdfd-44fc-a22c-64950a001209",0x28] = "RpcAsyncEnumPrinterDrivers", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x29] = "RpcAsyncGetPrinterDriverDirectory", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x2a] = "RpcAsyncDeletePrinterDriver", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x2b] = "RpcAsyncDeletePrinterDriverEx", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x2c] = "RpcAsyncAddPrintProcessor", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x2d] = "RpcAsyncEnumPrintProcessors", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x2e] = "RpcAsyncGetPrintProcessorDirectory", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x2f] = "RpcAsyncEnumPorts", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x30] = "RpcAsyncEnumMonitors", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x31] = "RpcAsyncAddPort", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x32] = "RpcAsyncSetPort", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x33] = "RpcAsyncAddMonitor", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x34] = "RpcAsyncDeleteMonitor", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x35] = "RpcAsyncDeletePrintProcessor", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x36] = "RpcAsyncEnumPrintProcessorDatatypes", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x37] = "RpcAsyncAddPerMachineConnection", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x38] = "RpcAsyncDeletePerMachineConnection", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x39] = "RpcAsyncEnumPerMachineConnections", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x3a] = "RpcSyncRegisterForRemoteNotifications", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x3b] = "RpcSyncUnRegisterForRemoteNotifications", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x3c] = "RpcSyncRefreshRemoteNotifications", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x3d] = "RpcAsyncGetRemoteNotifications", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x3e] = "RpcAsyncInstallPrinterDriverFromPackage", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x3f] = "RpcAsyncUploadPrinterDriverPackage", + 
["76f03f96-cdfd-44fc-a22c-64950a001209",0x40] = "RpcAsyncGetCorePrinterDrivers", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x41] = "RpcAsyncCorePrinterDriverInstalled", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x42] = "RpcAsyncGetPrinterDriverPackagePath", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x43] = "RpcAsyncDeletePrinterDriverPackage", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x44] = "RpcAsyncReadPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x45] = "RpcAsyncResetPrinter", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x46] = "RpcAsyncGetJobNamedPropertyValue", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x47] = "RpcAsyncSetJobNamedProperty", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x48] = "RpcAsyncDeleteJobNamedProperty", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x49] = "RpcAsyncEnumJobNamedProperties", + ["76f03f96-cdfd-44fc-a22c-64950a001209",0x4a] = "RpcAsyncLogJobInfoForBranchOffice", # InitShutdown - ["894de0c0-0d55-11d3-a322-00c04fa321a1",0] = "BaseInitiateShutdown", - ["894de0c0-0d55-11d3-a322-00c04fa321a1",1] = "BaseAbortShutdown", - ["894de0c0-0d55-11d3-a322-00c04fa321a1",2] = "BaseInitiateShutdownEx", + ["894de0c0-0d55-11d3-a322-00c04fa321a1",0x00] = "BaseInitiateShutdown", + ["894de0c0-0d55-11d3-a322-00c04fa321a1",0x01] = "BaseAbortShutdown", + ["894de0c0-0d55-11d3-a322-00c04fa321a1",0x02] = "BaseInitiateShutdownEx", # WindowsShutdown ["d95afe70-a6d5-4259-822e-2c84da1ddb0d",0x00] = "WsdrInitiateShutdown", diff --git a/scripts/base/protocols/dnp3/consts.bro b/scripts/base/protocols/dnp3/consts.bro index 1b2a6206ef..515738cbed 100644 --- a/scripts/base/protocols/dnp3/consts.bro +++ b/scripts/base/protocols/dnp3/consts.bro 
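Review bot: The first ten IRemoteWinspool keys are written with a doubled prefix (`0x0x00`, `0x0x01`, `0x0x2` through `0x0x9`), which is not a valid count literal; the same interface is fine from `0x0a` onward. Depending on how the parser treats it, either the script fails to load or opnums 0–9 of the print spooler interface (RpcAsyncOpenPrinter, RpcAsyncAddPrinter, and so on) lose their names, which matters to anyone alerting on those operations. The corrected lines are below. Separately, the IWbemServices entries at 0x10 and 0x11 keep the names `DeleteClass`/`DeleteClassAsync` already used at 0x0a/0x0b; they look like they should be `DeleteInstance`/`DeleteInstanceAsync` and are worth checking against MS-WMI while the table is being touched.

```bro
		# IRemoteWinspool
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x00] = "RpcAsyncOpenPrinter",
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x01] = "RpcAsyncAddPrinter",
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x02] = "RpcAsyncSetJob",
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x03] = "RpcAsyncGetJob",
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x04] = "RpcAsyncEnumJobs",
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x05] = "RpcAsyncAddJob",
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x06] = "RpcAsyncScheduleJob",
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x07] = "RpcAsyncDeletePrinter",
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x08] = "RpcAsyncSetPrinter",
		["76f03f96-cdfd-44fc-a22c-64950a001209",0x09] = "RpcAsyncGetPrinter",
		# … unchanged: 0x0a (RpcAsyncStartDocPrinter) through 0x4a …
```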
@@ -38,12 +38,12 @@ export {
 [0x1e] = "ABORT_FILE",
 [0x1f] = "ACTIVATE_CONFIG",
 [0x20] = "AUTHENTICATE_REQ",
- [0x21] = "AUTHENTICATE_ERR",
+ [0x21] = "AUTHENTICATE_REQ_NR",
 # Responses.
 [0x81] = "RESPONSE",
 [0x82] = "UNSOLICITED_RESPONSE",
- [0x83] = "AUTHENTICATE_RESP",
+ [0x83] = "AUTHENTICATE_RESPONSE",
 } &default=function(i: count):string { return fmt("unknown-%d", i); } &redef;
 }
diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.bro
index dfcbc4031f..00fa6b0969 100644
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
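Review bot: The new strings for 0x21 and 0x83 replace values that scripts, and presumably consumers of the DNP3 log, may already compare against, and nothing in the hunk records the old names. Detection content that matches `AUTHENTICATE_ERR` or `AUTHENTICATE_RESP` would stop matching without any error. I would add a comment above the 0x21 entry such as `# 0x21/0x83 were "AUTHENTICATE_ERR"/"AUTHENTICATE_RESP" before this change; update filters that match the old names.` and mention the rename in the release notes. The table starts above the hunk, so whether other entries need the same correction cannot be checked from here.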
@@ -4,31 +4,81 @@
 module DNS;
 export {
- const PTR = 12; ##< RR TYPE value for a domain name pointer.
- const EDNS = 41; ##< An OPT RR TYPE value described by EDNS.
- const ANY = 255; ##< A QTYPE value describing a request for all records.
-
 ## Mapping of DNS query type codes to human readable string
 ## representation.
 const query_types = {
- [1] = "A", [2] = "NS", [3] = "MD", [4] = "MF",
- [5] = "CNAME", [6] = "SOA", [7] = "MB", [8] = "MG",
- [9] = "MR", [10] = "NULL", [11] = "WKS", [PTR] = "PTR",
- [13] = "HINFO", [14] = "MINFO", [15] = "MX", [16] = "TXT",
- [17] = "RP", [18] = "AFSDB", [19] = "X25", [20] = "ISDN",
- [21] = "RT", [22] = "NSAP", [23] = "NSAP-PTR", [24] = "SIG",
- [25] = "KEY", [26] = "PX" , [27] = "GPOS", [28] = "AAAA",
- [29] = "LOC", [30] = "EID", [31] = "NIMLOC", [32] = "NB",
- [33] = "SRV", [34] = "ATMA", [35] = "NAPTR", [36] = "KX",
- [37] = "CERT", [38] = "A6", [39] = "DNAME", [40] = "SINK",
- [EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SSHFP",
- [45] = "IPSECKEY", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY",
- [49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
- [102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
- [251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
+ [1] = "A",
+ [2] = "NS",
+ [3] = "MD",
+ [4] = "MF",
+ [5] = "CNAME",
+ [6] = "SOA",
+ [7] = "MB",
+ [8] = "MG",
+ [9] = "MR",
+ [10] = "NULL",
+ [11] = "WKS",
+ [12] = "PTR",
+ [13] = "HINFO",
+ [14] = "MINFO",
+ [15] = "MX",
+ [16] = "TXT",
+ [17] = "RP",
+ [18] = "AFSDB",
+ [19] = "X25",
+ [20] = "ISDN",
+ [21] = "RT",
+ [22] = "NSAP",
+ [23] = "NSAP-PTR",
+ [24] = "SIG",
+ [25] = "KEY",
+ [26] = "PX" ,
+ [27] = "GPOS",
+ [28] = "AAAA",
+ [29] = "LOC",
+ [30] = "EID",
+ [31] = "NIMLOC",
+ [32] = "NB",
+ [33] = "SRV",
+ [34] = "ATMA",
+ [35] = "NAPTR",
+ [36] = "KX",
+ [37] = "CERT",
+ [38] = "A6",
+ [39] = "DNAME",
+ [40] = "SINK",
+ [41] = "OPT",
+ [42] = "APL",
+ [43] = "DS",
+ [44] = "SSHFP",
+ [45] = "IPSECKEY",
+ [46] = "RRSIG",
+ [47] = "NSEC",
+ [48] = "DNSKEY",
+ [49] = "DHCID",
+ [50] = "NSEC3",
+ [51] = "NSEC3PARAM",
+ [52] = "TLSA",
+ [55] = "HIP",
+ [59] = "CDS",
+ [60] = "CDNSKEY",
+ [61] = "OPENPGPKEY",
+ [99] = "SPF",
+ [100] = "UINFO",
+ [101] = "UID",
+ [102] = "GID",
+ [103] = "UNSPEC",
+ [249] = "TKEY",
+ [250] = "TSIG",
+ [251] = "IXFR",
+ [252] = "AXFR",
+ [253] = "MAILB",
+ [254] = "MAILA",
+ [255] = "ANY"
+ [256] = "URI"
 [257] = "CAA",
- [32768] = "TA", [32769] = "DLV",
- [ANY] = "*",
+ [32768] = "TA",
+ [32769] = "DLV",
 } &default = function(n: count): string { return fmt("query-%d", n); };
 ## Errors used for non-TSIG/EDNS types.
From 6399a96ea5af2e98be90f5a53a609e7fa81fa7e2 Mon Sep 17 00:00:00 2001
From: Dale Lakes
Date: Mon, 15 Oct 2018 19:59:32 -0400
Subject: [PATCH 13/18] Fix typo in dce-rpc consts
---
scripts/base/protocols/dce-rpc/consts.bro | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro
index af8c9d06df..a41ad38631 100644
--- a/scripts/base/protocols/dce-rpc/consts.bro
+++ b/scripts/base/protocols/dce-rpc/consts.bro
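Review bot: The three exported constants `PTR`, `EDNS` and `ANY` are deleted at the top of the `export` block, which is an interface break for any script that refers to `DNS::PTR`, `DNS::EDNS` or `DNS::ANY`; whether anything in the tree still does is not visible from this hunk. I would keep the lines `const PTR = 12;`, `const EDNS = 41;` and `const ANY = 255;` and only expand the table. Separately, code 41 now maps to `"OPT"` instead of `"EDNS"` and code 100 to `"UINFO"` instead of `"DINFO"`, so any filter or detection keyed on the old query-type names (presumably these strings reach the DNS log) needs updating. A comment next to the table such as `# 41 was "EDNS" and 100 was "DINFO" before this change` would record that.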
@@ -274,16 +274,16 @@ export {
 ["12345678-1234-abcd-ef00-01234567cffb",0x31] = "NetrChainSetClientAttributes",
 # IRemoteWinspool
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x00] = "RpcAsyncOpenPrinter",
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x01] = "RpcAsyncAddPrinter",
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x2] = "RpcAsyncSetJob",
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x3] = "RpcAsyncGetJob",
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x4] = "RpcAsyncEnumJobs",
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x5] = "RpcAsyncAddJob",
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x6] = "RpcAsyncScheduleJob",
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x7] = "RpcAsyncDeletePrinter",
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x8] = "RpcAsyncSetPrinter",
- ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0x9] = "RpcAsyncGetPrinter",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x00] = "RpcAsyncOpenPrinter",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x01] = "RpcAsyncAddPrinter",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x2] = "RpcAsyncSetJob",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x3] = "RpcAsyncGetJob",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x4] = "RpcAsyncEnumJobs",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x5] = "RpcAsyncAddJob",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x6] = "RpcAsyncScheduleJob",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x7] = "RpcAsyncDeletePrinter",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x8] = "RpcAsyncSetPrinter",
+ ["76f03f96-cdfd-44fc-a22c-64950a001209",0x9] = "RpcAsyncGetPrinter",
 ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0a] = "RpcAsyncStartDocPrinter",
 ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0b] = "RpcAsyncStartPagePrinter",
 ["76f03f96-cdfd-44fc-a22c-64950a001209",0x0c] = "RpcAsyncWritePrinter",
From c335988b0ca029852d1777e9296c91274c53c3a7 Mon Sep 17 00:00:00 2001
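Review bot: The corrected opnums are written with mixed widths: `0x00` and `0x01` are zero-padded, `0x2` through `0x9` are not, and the context lines that follow use `0x0a`, `0x0b` and `0x0c`. The values are the same either way, but a uniform two-digit form, e.g. `["76f03f96-cdfd-44fc-a22c-64950a001209",0x02] = "RpcAsyncSetJob",`, makes the table easier to audit against the interface definition and to search for a given opnum. The table starts and ends outside the hunk.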
From: Dale Lakes
Date: Mon, 15 Oct 2018 20:35:17 -0400
Subject: [PATCH 14/18] Missing commas...
---
scripts/base/protocols/dns/consts.bro | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.bro
index 00fa6b0969..b86a7c7e38 100644
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@@ -74,8 +74,8 @@ export {
 [252] = "AXFR",
 [253] = "MAILB",
 [254] = "MAILA",
- [255] = "ANY"
- [256] = "URI"
+ [255] = "ANY",
+ [256] = "URI",
 [257] = "CAA",
 [32768] = "TA",
 [32769] = "DLV",
From cf99ecf8b21564cb31d3b97da0baa13c42c02686 Mon Sep 17 00:00:00 2001
From: Dale Lakes
Date: Mon, 15 Oct 2018 21:15:31 -0400
Subject: [PATCH 15/18] Revert DNS query 255 from ANY to *
---
scripts/base/protocols/dns/consts.bro | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.bro
index b86a7c7e38..8a98a2b0cd 100644
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@@ -74,7 +74,7 @@ export {
 [252] = "AXFR",
 [253] = "MAILB",
 [254] = "MAILA",
- [255] = "ANY",
+ [255] = "*",
 [256] = "URI",
 [257] = "CAA",
 [32768] = "TA",
From 1d57cd37271c7b287d7062998e18663d2f68ed70 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu Date: Tue, 16 Oct 2018 10:29:29 -0500 Subject: [PATCH 16/18] Fix SSH analyzer bug where is_server in capabilities is wrong. The ssh_capabilities event includes the capabilities reported by either the server or the client. The record also includes a field, is_server, so that scripts can determine which endpoint is reporting its capabilities. That field was being set incorrectly (it was being set as is_client rather than is_server, so it needed to be negated). This simple bug had some larger repercussions. RFC 4253 provides a method for client and server to agree on algorithms used in the SSH connection. Bro was calculating these incorrectly. Some of these, such as the encryption algorithm, are also used to determine whether or not Bro should attempt to detect successful versus failed authentications. In some cases, Bro would get this wrong, and make a guess when it could not correctly determine the authentication outcome. --- src/analyzer/protocol/ssh/ssh-analyzer.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index 0ee0b92569..ff53f10f09 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac @@ -101,7 +101,7 @@ refine flow SSH_Flow += { } - result->Assign(6, new Val(${msg.is_orig}, TYPE_BOOL)); + result->Assign(6, new Val(!${msg.is_orig}, TYPE_BOOL)); BifEvent::generate_ssh_capabilities(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.cookie}), From 5e5a4612bd01ca809571e2e0490d8f82b92ccd09 Mon Sep 17 00:00:00 2001 
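Review bot: The negation on the `Assign(6, ...)` line is correct only under the assumption that the connection originator is always the SSH client, and the code does not say so. A short comment above it, for example `// Field 6 is is_server: a capabilities message sent by the originator comes from the client, hence the negation.`, would keep a later reader from reverting it. Since the commit message says this flag feeds the algorithm agreement and the authentication-outcome heuristic, I would also add a test that checks `is_server` for each direction rather than relying only on the ssh.log baselines. The enclosing function starts and ends outside the hunk.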
From: Vlad Grigorescu Date: Tue, 16 Oct 2018 10:33:52 -0500 Subject: [PATCH 17/18] Update baselines for SSH capabilities fix --- .../btest/Baseline/core.tunnels.gre/ssh.log | 6 +++--- .../scripts.base.protocols.ssh.basic/.stdout | 1 - .../scripts.base.protocols.ssh.basic/ssh.log | 18 +++++++++--------- .../ssh.log | 6 +++--- 4 files changed, 15 insertions(+), 16 deletions(-) diff --git a/testing/btest/Baseline/core.tunnels.gre/ssh.log b/testing/btest/Baseline/core.tunnels.gre/ssh.log index 7ffd15a845..a87018e2ca 100644 --- a/testing/btest/Baseline/core.tunnels.gre/ssh.log +++ b/testing/btest/Baseline/core.tunnels.gre/ssh.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ssh -#open 2017-08-01-16-46-22 +#open 2018-10-16-14-52-51 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #types time string addr port addr port count bool count enum string string string string string string string string -1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - 0 - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07 -#close 2017-08-01-16-46-22 +1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - 0 - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 blowfish-cbc hmac-md5 zlib diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07 +#close 2018-10-16-14-52-51 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/.stdout index 560031134f..9b9aca0d64 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/.stdout 
@@ -1,4 +1,3 @@ -auth_result, CHhAvVGS1DHFjwGM9, F, 2 auth_result, ClEkJM2Vm5giqnMf4h, T, 1 auth_result, C4J4Th3PJpwUYZZ6gc, T, 3 auth_result, Ck51lg1bScffFj34Ri, T, 2 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log index 37d33ec57c..473d109bb1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log 
@@ -3,14 +3,14 @@ #empty_field (empty) #unset_field - #path ssh -#open 2017-08-01-16-26-21 +#open 2018-10-16-15-00-07 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #types time string addr port addr port count bool count enum string string string string string string string string -1324071333.792887 CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 2 F 2 - SSH-2.0-OpenSSH_5.9 SSH-2.0-OpenSSH_5.8 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83 +1324071333.792887 CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 2 - 0 - SSH-2.0-OpenSSH_5.9 SSH-2.0-OpenSSH_5.8 aes128-ctr hmac-md5 zlib@openssh.com ecdh-sha2-nistp256 ecdsa-sha2-nistp256 a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83 1409516196.413240 ClEkJM2Vm5giqnMf4h 10.0.0.18 40184 128.2.6.88 41644 2 T 1 - SSH-2.0-OpenSSH_6.6 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa 8a:8d:55:28:1e:71:04:99:94:43:22:89:e5:ff:e9:03 1419870189.489202 C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 2 T 3 - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 aes128-ctr hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3 1419870206.111841 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 - 0 - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-sha1 none diffie-hellman-group14-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5 +1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 - 0 - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-md5 none 
diffie-hellman-group-exchange-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5 1420588548.729561 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_5.3 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420590124.885826 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420590308.781231 C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 
@@ -23,9 +23,9 @@ 1420860283.057451 C9mvWx3ezztgzcexV7 192.168.1.32 41164 128.2.10.238 22 2 T 5 - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee 1420860616.428738 CNnMIj2QSd84NKf7U3 192.168.1.32 33910 128.2.13.133 22 2 T 1 - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 93:d8:4c:0d:b2:c3:2e:da:b9:c0:67:db:e4:8f:95:04 1420868281.665872 C7fIlMZDuRiqjpYbb 192.168.1.32 41268 128.2.10.238 22 2 F 6 - SSH-2.0-OpenSSH_6.6 SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee -1420917487.227035 CpmdRlaUoJLN3uIRa 192.168.1.31 52294 192.168.1.32 22 2 T 2 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_6.7 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256@libssh.org ssh-ed25519 e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 -1421006072.224828 C1Xkzz2MaGtLrc1Tla 192.168.1.31 51489 192.168.1.32 22 2 T 3 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_6.7 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256@libssh.org ssh-ed25519 e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 -1421041177.031508 CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 2 F 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 -1421041299.777962 CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 -1421041526.353524 CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr 
hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 -#close 2017-08-01-16-26-21 +1420917487.227035 CpmdRlaUoJLN3uIRa 192.168.1.31 52294 192.168.1.32 22 2 T 2 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_6.7 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256@libssh.org ssh-ed25519-cert-v01@openssh.com e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 +1421006072.224828 C1Xkzz2MaGtLrc1Tla 192.168.1.31 51489 192.168.1.32 22 2 T 3 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_6.7 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256@libssh.org ssh-ed25519-cert-v01@openssh.com e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 +1421041177.031508 CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 2 F 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr umac-64@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 +1421041299.777962 CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr umac-64@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 +1421041526.353524 CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr umac-64@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 +#close 2018-10-16-15-00-07 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log b/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log index 4364419aff..51c1239ca2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ssh -#open 2017-10-05-19-34-53 +#open 2018-10-16-15-27-29 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #types time string addr port addr port count bool count enum string string string string string string string string -1505524964.630115 CHhAvVGS1DHFjwGM9 192.168.1.100 60906 192.168.1.32 22 2 T 2 - SSH-2.0-OpenSSH_7.4 SSH-2.0-OpenSSH_7.5 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256 ssh-ed25519 e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 -#close 2017-10-05-19-34-53 +1505524964.630115 CHhAvVGS1DHFjwGM9 192.168.1.100 60906 192.168.1.32 22 2 T 2 - SSH-2.0-OpenSSH_7.4 SSH-2.0-OpenSSH_7.5 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256 ssh-ed25519-cert-v01@openssh.com e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 +#close 2018-10-16-15-27-29 From b6827820243cf90992d6da6d08c0494f4314fb9a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 16 Oct 2018 09:22:54 -0700 Subject: [PATCH 18/18] Fix typo in Sessions.h Found by Eiji Yanagi (Cisco). --- CHANGES | 4 ++++ VERSION | 2 +- src/Sessions.h | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index d9c838ab92..d94378b555 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-beta2-32 | 2018-10-16 09:22:54 -0700 + + * Fix typo in Sessions.h (Eiji Yanagi (Cisco)) + 2.6-beta2-31 | 2018-10-15 16:42:36 -0500 * Add DCE_RPC exchange_mapi operations to relevant consts.bro file (Dale Lakes) diff --git a/VERSION b/VERSION index 56baa7562a..2a0d3d2e1c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-beta2-31 +2.6-beta2-32 diff --git a/src/Sessions.h b/src/Sessions.h index 915b2f5631..b237428d25 100644 --- a/src/Sessions.h +++ b/src/Sessions.h 
@@ -186,7 +186,7 @@ protected: friend class IPTunnelTimer; Connection* NewConn(HashKey* k, double t, const ConnID* id, - const u_char* data, int proto, uint32 flow_lable, + const u_char* data, int proto, uint32 flow_label, const Packet* pkt, const EncapsulationStack* encapsulation); // Check whether the tag of the current packet is consistent with