Adding tests for Flash version parsing and plugin detection.

(The plugin detection isn't testing the Chrome behaviour actually, don't have a trace for that.)
2025-10-02 06:38:20 +00:00 · 2015-07-29 09:01:00 -07:00 · 2015-07-29 09:01:00 -07:00 · 46e584daa2
commit 46e584daa2
parent 11aa119c5b
7 changed files with 34 additions and 1 deletions
--- a/7
+++ b/7
@ -1,4 +1,11 @@

+2.4-69 | 2015-07-29 09:01:00 -0700
+
+  * Updated detection of Flash and AdobeAIR. (Jan Grashoefer)
+
+  * Adding tests for Flash version parsing and browser plugin
+    detection. (Robin Sommer)
+
 2.4-63 | 2015-07-28 12:26:37 -0700

  * Updating submodule(s).
--- a/2
+++ b/2
@ -1 +1 @@
-2.4-63
+2.4-69
--- a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
@ -28,6 +28,7 @@ success on: Java1.2.2-JDeveloper
 success on: Total Commander
 success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4
 success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54
+success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0
 success on: wu-2.4.2-academ[BETA-18-VR14](1)
 success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown
 success on: Java1.3.1_04
@ -46,3 +47,4 @@ success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/2010
 success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2
 success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731
 success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
+success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0
--- a/testing/btest/Baseline/scripts.policy.protocols.http.flash-version/software.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.http.flash-version/software.log
@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	software
+#open	2015-07-29-15-59-23
+#fields	ts	host	host_p	software_type	name	version.major	version.minor	version.minor2	version.minor3	version.addl	unparsed_version
+#types	time	addr	port	enum	string	count	count	count	count	string	string
+1320279616.824058	192.168.2.76	-	HTTP::BROWSER	AdobeAIR	2	6	-	-	-	Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/531.9 (KHTML, like Gecko) AdobeAIR/2.6
+1320279616.824058	192.168.2.76	-	HTTP::BROWSER_PLUGIN	AdobeAIR-Flash	10	2	159	1	-	AdobeAIR-Flash/10,2,159,1
+1320279616.907315	208.85.41.42	80	HTTP::SERVER	Apache	-	-	-	-	-	Apache
+#close	2015-07-29-15-59-23
--- a/testing/btest/Traces/http/flash-version.trace
+++ b/testing/btest/Traces/http/flash-version.trace
--- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro
+++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
@ -106,6 +106,10 @@ global matched_software: table[string] of Software::Description = {
 		[$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $unparsed_version=""],
 	["Apple Mail (2.1084)"] = 
 		[$name="Apple Mail", $version=[$major=2,$minor=1084], $unparsed_version=""],
+	["Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0"] = 
+		[$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""],
+	["Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0"] = 
+		[$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""],
 };

 event bro_init()
--- a/testing/btest/scripts/policy/protocols/http/flash-version.bro
+++ b/testing/btest/scripts/policy/protocols/http/flash-version.bro
@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r ${TRACES}/http/flash-version.trace %INPUT 
+# @TEST-EXEC: btest-diff software.log
+
+@load protocols/http/software
+@load protocols/http/software-browser-plugins
+
+redef Software::asset_tracking = ALL_HOSTS;
+
 @ -1 +1 @@
 .4-63
 .4-69