Merge remote-tracking branch 'origin/master' into topic/seth/elasticsearch

Seth Hall 2012-07-17 13:57:59 -04:00
commit 485e473561
41 changed files with 237 additions and 281 deletions

26
CHANGES

@ -1,4 +1,30 @@
2.0-769 | 2012-07-13 16:17:33 -0700
* Fix some Info:Record field documentation. (Vlad Grigorescu)
* Fix overrides of TCP_ApplicationAnalyzer::EndpointEOF. (Jon Siwek)
* Fix segfault when incrementing whole vector values. Also removed
RefExpr::Eval(Val*) method since it was never called. (Jon Siwek)
* Remove baselines for some leak-detecting unit tests. (Jon Siwek)
* Unblock SIGFPE, SIGILL, SIGSEGV and SIGBUS for threads, so that
they now propagate to the main thread. Adresses #848. (Bernhard
Amann)
2.0-761 | 2012-07-12 08:14:38 -0700
* Some small fixes to further reduce SOCKS false positive logs. (Seth Hall)
* Calls to pthread_mutex_unlock now log the reason for failures.
(Bernhard Amann)
2.0-757 | 2012-07-11 08:30:19 -0700
* Fixing memory leak. (Seth Hall)
2.0-755 | 2012-07-10 16:25:16 -0700 2.0-755 | 2012-07-10 16:25:16 -0700
* Add sorting canonifier to rotate-custom unit test. Addresses #846. * Add sorting canonifier to rotate-custom unit test. Addresses #846.


@ -1 +1 @@
2.0-755 2.0-769


@ -10,14 +10,14 @@ export {
## The communication logging stream identifier. ## The communication logging stream identifier.
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
## Which interface to listen on. The addresses ``0.0.0.0`` and ``[::]`` ## Which interface to listen on. The addresses ``0.0.0.0`` and ``[::]``
## are wildcards. ## are wildcards.
const listen_interface = 0.0.0.0 &redef; const listen_interface = 0.0.0.0 &redef;
## Which port to listen on. ## Which port to listen on.
const listen_port = 47757/tcp &redef; const listen_port = 47757/tcp &redef;
## This defines if a listening socket should use SSL. ## This defines if a listening socket should use SSL.
const listen_ssl = F &redef; const listen_ssl = F &redef;
@ -34,7 +34,7 @@ export {
## :bro:id:`Communication::listen_port` if it's already in use. ## :bro:id:`Communication::listen_port` if it's already in use.
const listen_retry = 30 secs &redef; const listen_retry = 30 secs &redef;
## Default compression level. Compression level is 0-9, with 0 = no ## Default compression level. Compression level is 0-9, with 0 = no
## compression. ## compression.
global compression_level = 0 &redef; global compression_level = 0 &redef;
@ -42,7 +42,7 @@ export {
type Info: record { type Info: record {
## The network time at which a communication event occurred. ## The network time at which a communication event occurred.
ts: time &log; ts: time &log;
## The peer name (if any) for which a communication event is concerned. ## The peer name (if any) with which a communication event is concerned.
peer: string &log &optional; peer: string &log &optional;
## Where the communication event message originated from, that is, ## Where the communication event message originated from, that is,
## either from the scripting layer or inside the Bro process. ## either from the scripting layer or inside the Bro process.
@ -70,7 +70,7 @@ export {
## If the *host* field is a non-global IPv6 address, this field ## If the *host* field is a non-global IPv6 address, this field
## can specify a particular :rfc:`4007` ``zone_id``. ## can specify a particular :rfc:`4007` ``zone_id``.
zone_id: string &optional; zone_id: string &optional;
## Port of the remote Bro communication endpoint if we are initiating ## Port of the remote Bro communication endpoint if we are initiating
## the connection based on the :bro:id:`connect` field. ## the connection based on the :bro:id:`connect` field.
p: port &optional; p: port &optional;
@ -120,7 +120,7 @@ export {
## The remote peer. ## The remote peer.
peer: event_peer &optional; peer: event_peer &optional;
## Indicates the status of the node. ## Indicates the status of the node.
connected: bool &default = F; connected: bool &default = F;
}; };
@ -163,7 +163,7 @@ event bro_init() &priority=5
function do_script_log_common(level: count, src: count, msg: string) function do_script_log_common(level: count, src: count, msg: string)
{ {
Log::write(Communication::LOG, [$ts = network_time(), Log::write(Communication::LOG, [$ts = network_time(),
$level = (level == REMOTE_LOG_INFO ? "info" : "error"), $level = (level == REMOTE_LOG_INFO ? "info" : "error"),
$src_name = src_names[src], $src_name = src_names[src],
$peer = get_event_peer()$descr, $peer = get_event_peer()$descr,
@ -199,9 +199,9 @@ function connect_peer(peer: string)
local class = node?$class ? node$class : ""; local class = node?$class ? node$class : "";
local zone_id = node?$zone_id ? node$zone_id : ""; local zone_id = node?$zone_id ? node$zone_id : "";
local id = connect(node$host, zone_id, p, class, node$retry, node$ssl); local id = connect(node$host, zone_id, p, class, node$retry, node$ssl);
if ( id == PEER_ID_NONE ) if ( id == PEER_ID_NONE )
Log::write(Communication::LOG, [$ts = network_time(), Log::write(Communication::LOG, [$ts = network_time(),
$peer = get_event_peer()$descr, $peer = get_event_peer()$descr,
$message = "can't trigger connect"]); $message = "can't trigger connect"]);
pending_peers[id] = node; pending_peers[id] = node;
@ -340,7 +340,7 @@ event bro_init() &priority = -10 # let others modify nodes
{ {
if ( |nodes| > 0 ) if ( |nodes| > 0 )
enable_communication(); enable_communication();
for ( tag in nodes ) for ( tag in nodes )
{ {
if ( ! nodes[tag]$connect ) if ( ! nodes[tag]$connect )


@ -17,7 +17,7 @@ export {
type Info: record { type Info: record {
## This is the time of the first packet. ## This is the time of the first packet.
ts: time &log; ts: time &log;
## A unique identifier of a connection. ## A unique identifier of the connection.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports. ## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
@ -30,7 +30,7 @@ export {
## tear-downs, this will not include the final ACK. ## tear-downs, this will not include the final ACK.
duration: interval &log &optional; duration: interval &log &optional;
## The number of payload bytes the originator sent. For TCP ## The number of payload bytes the originator sent. For TCP
## this is taken from sequence numbers and might be inaccurate ## this is taken from sequence numbers and might be inaccurate
## (e.g., due to large connections) ## (e.g., due to large connections)
orig_bytes: count &log &optional; orig_bytes: count &log &optional;
## The number of payload bytes the responder sent. See ``orig_bytes``. ## The number of payload bytes the responder sent. See ``orig_bytes``.
@ -54,16 +54,16 @@ export {
## OTH No SYN seen, just midstream traffic (a "partial connection" that was not later closed). ## OTH No SYN seen, just midstream traffic (a "partial connection" that was not later closed).
## ========== =============================================== ## ========== ===============================================
conn_state: string &log &optional; conn_state: string &log &optional;
## If the connection is originated locally, this value will be T. If ## If the connection is originated locally, this value will be T. If
## it was originated remotely it will be F. In the case that the ## it was originated remotely it will be F. In the case that the
## :bro:id:`Site::local_nets` variable is undefined, this field will ## :bro:id:`Site::local_nets` variable is undefined, this field will
## be left empty at all times. ## be left empty at all times.
local_orig: bool &log &optional; local_orig: bool &log &optional;
## Indicates the number of bytes missed in content gaps which is ## Indicates the number of bytes missed in content gaps, which is
## representative of packet loss. A value other than zero will ## representative of packet loss. A value other than zero will
## normally cause protocol analysis to fail but some analysis may ## normally cause protocol analysis to fail but some analysis may
## have been completed prior to the packet loss. ## have been completed prior to the packet loss.
missed_bytes: count &log &default=0; missed_bytes: count &log &default=0;
@ -83,25 +83,26 @@ export {
## i inconsistent packet (e.g. SYN+RST bits both set) ## i inconsistent packet (e.g. SYN+RST bits both set)
## ====== ==================================================== ## ====== ====================================================
## ##
## If the letter is in upper case it means the event comes from the ## If the event comes from the originator, the letter is in upper-case; if it comes
## originator and lower case then means the responder. ## from the responder, it's in lower-case. Multiple packets of the same type will
## Also, there is compression. We only record one "d" in each direction, ## only be noted once (e.g. we only record one "d" in each direction, regardless of
## for instance. I.e., we just record that data went in that direction. ## how many data packets were seen.)
## This history is not meant to encode how much data that happened to
## be.
history: string &log &optional; history: string &log &optional;
## Number of packets the originator sent. ## Number of packets that the originator sent.
## Only set if :bro:id:`use_conn_size_analyzer` = T ## Only set if :bro:id:`use_conn_size_analyzer` = T
orig_pkts: count &log &optional; orig_pkts: count &log &optional;
## Number IP level bytes the originator sent (as seen on the wire, ## Number of IP level bytes that the originator sent (as seen on the wire,
## taken from IP total_length header field). ## taken from IP total_length header field).
## Only set if :bro:id:`use_conn_size_analyzer` = T ## Only set if :bro:id:`use_conn_size_analyzer` = T
orig_ip_bytes: count &log &optional; orig_ip_bytes: count &log &optional;
## Number of packets the responder sent. See ``orig_pkts``. ## Number of packets that the responder sent.
## Only set if :bro:id:`use_conn_size_analyzer` = T
resp_pkts: count &log &optional; resp_pkts: count &log &optional;
## Number IP level bytes the responder sent. See ``orig_pkts``. ## Number og IP level bytes that the responder sent (as seen on the wire,
## taken from IP total_length header field).
## Only set if :bro:id:`use_conn_size_analyzer` = T
resp_ip_bytes: count &log &optional; resp_ip_bytes: count &log &optional;
## If this connection was over a tunnel, indicate the ## If this connection was over a tunnel, indicate the
## *uid* values for any encapsulating parent connections ## *uid* values for any encapsulating parent connections
## used over the lifetime of this inner connection. ## used over the lifetime of this inner connection.
tunnel_parents: set[string] &log; tunnel_parents: set[string] &log;
@ -199,10 +200,10 @@ function set_conn(c: connection, eoc: bool)
c$conn$proto=get_port_transport_proto(c$id$resp_p); c$conn$proto=get_port_transport_proto(c$id$resp_p);
if( |Site::local_nets| > 0 ) if( |Site::local_nets| > 0 )
c$conn$local_orig=Site::is_local_addr(c$id$orig_h); c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
if ( eoc ) if ( eoc )
{ {
if ( c$duration > 0secs ) if ( c$duration > 0secs )
{ {
c$conn$duration=c$duration; c$conn$duration=c$duration;
c$conn$orig_bytes=c$orig$size; c$conn$orig_bytes=c$orig$size;
@ -218,7 +219,7 @@ function set_conn(c: connection, eoc: bool)
c$conn$resp_ip_bytes = c$resp$num_bytes_ip; c$conn$resp_ip_bytes = c$resp$num_bytes_ip;
} }
local service = determine_service(c); local service = determine_service(c);
if ( service != "" ) if ( service != "" )
c$conn$service=service; c$conn$service=service;
c$conn$conn_state=conn_state(c, get_port_transport_proto(c$id$resp_p)); c$conn$conn_state=conn_state(c, get_port_transport_proto(c$id$resp_p));
@ -230,7 +231,7 @@ function set_conn(c: connection, eoc: bool)
event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
{ {
set_conn(c, F); set_conn(c, F);
c$conn$missed_bytes = c$conn$missed_bytes + length; c$conn$missed_bytes = c$conn$missed_bytes + length;
} }
@ -241,7 +242,7 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
add c$conn$tunnel_parents[e[|e|-1]$uid]; add c$conn$tunnel_parents[e[|e|-1]$uid];
c$tunnel = e; c$tunnel = e;
} }
event connection_state_remove(c: connection) &priority=5 event connection_state_remove(c: connection) &priority=5
{ {
set_conn(c, T); set_conn(c, T);
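Review bot: The new comment on `resp_ip_bytes` (two fields after `orig_ip_bytes`) carries a typo that will be rendered into the public field documentation: `## Number og IP level bytes that the responder sent (as seen on the wire,` should read `## Number of IP level bytes that the responder sent (as seen on the wire,`. The rest of the rewritten `Conn::Info` doc strings read well; since `resp_pkts` now gets its own "Only set if" sentence instead of "See ``orig_pkts``", it would be consistent to give `resp_bytes` the same treatment rather than leaving it as the only field that refers back to its originator twin.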


@ -45,16 +45,16 @@ export {
AA: bool &log &default=F; AA: bool &log &default=F;
## The Truncation bit specifies that the message was truncated. ## The Truncation bit specifies that the message was truncated.
TC: bool &log &default=F; TC: bool &log &default=F;
## The Recursion Desired bit indicates to a name server to recursively ## The Recursion Desired bit in a request message indicates that
## purse the query. ## the client wants recursive service for this query.
RD: bool &log &default=F; RD: bool &log &default=F;
## The Recursion Available bit in a response message indicates if ## The Recursion Available bit in a response message indicates that
## the name server supports recursive queries. ## the name server supports recursive queries.
RA: bool &log &default=F; RA: bool &log &default=F;
## A reserved field that is currently supposed to be zero in all ## A reserved field that is currently supposed to be zero in all
## queries and responses. ## queries and responses.
Z: count &log &default=0; Z: count &log &default=0;
## The set of resource descriptions in answer of the query. ## The set of resource descriptions in the query answer.
answers: vector of string &log &optional; answers: vector of string &log &optional;
## The caching intervals of the associated RRs described by the ## The caching intervals of the associated RRs described by the
## ``answers`` field. ## ``answers`` field.


@ -28,7 +28,9 @@ export {
type Info: record { type Info: record {
## Time when the command was sent. ## Time when the command was sent.
ts: time &log; ts: time &log;
## Unique ID for the connection.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## User name for the current FTP session. ## User name for the current FTP session.
user: string &log &default="<unknown>"; user: string &log &default="<unknown>";


@ -22,7 +22,9 @@ export {
type Info: record { type Info: record {
## Timestamp for when the request happened. ## Timestamp for when the request happened.
ts: time &log; ts: time &log;
## Unique ID for the connection.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## Represents the pipelined depth into the connection of this ## Represents the pipelined depth into the connection of this
## request/response transaction. ## request/response transaction.


@ -11,7 +11,9 @@ export {
type Info: record { type Info: record {
## Timestamp when the command was seen. ## Timestamp when the command was seen.
ts: time &log; ts: time &log;
## Unique ID for the connection.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## Nick name given for the connection. ## Nick name given for the connection.
nick: string &log &optional; nick: string &log &optional;


@ -8,33 +8,51 @@ export {
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
type Info: record { type Info: record {
## Time when the message was first seen.
ts: time &log; ts: time &log;
## Unique ID for the connection.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## This is a number that indicates the number of messages deep into ## A count to represent the depth of this message transaction in a single
## this connection where this particular message was transferred. ## connection where multiple messages were transferred.
trans_depth: count &log; trans_depth: count &log;
## Contents of the Helo header.
helo: string &log &optional; helo: string &log &optional;
## Contents of the From header.
mailfrom: string &log &optional; mailfrom: string &log &optional;
## Contents of the Rcpt header.
rcptto: set[string] &log &optional; rcptto: set[string] &log &optional;
## Contents of the Date header.
date: string &log &optional; date: string &log &optional;
## Contents of the From header.
from: string &log &optional; from: string &log &optional;
## Contents of the To header.
to: set[string] &log &optional; to: set[string] &log &optional;
## Contents of the ReplyTo header.
reply_to: string &log &optional; reply_to: string &log &optional;
## Contents of the MsgID header.
msg_id: string &log &optional; msg_id: string &log &optional;
## Contents of the In-Reply-To header.
in_reply_to: string &log &optional; in_reply_to: string &log &optional;
## Contents of the Subject header.
subject: string &log &optional; subject: string &log &optional;
## Contents of the X-Origininating-IP header.
x_originating_ip: addr &log &optional; x_originating_ip: addr &log &optional;
## Contents of the first Received header.
first_received: string &log &optional; first_received: string &log &optional;
## Contents of the second Received header.
second_received: string &log &optional; second_received: string &log &optional;
## The last message the server sent to the client. ## The last message that the server sent to the client.
last_reply: string &log &optional; last_reply: string &log &optional;
## The message transmission path, as extracted from the headers.
path: vector of addr &log &optional; path: vector of addr &log &optional;
## Value of the User-Agent header from the client.
user_agent: string &log &optional; user_agent: string &log &optional;
## Indicate if the "Received: from" headers should still be processed. ## Indicates if the "Received: from" headers should still be processed.
process_received_from: bool &default=T; process_received_from: bool &default=T;
## Indicates if client activity has been seen, but not yet logged ## Indicates if client activity has been seen, but not yet logged.
has_client_activity: bool &default=F; has_client_activity: bool &default=F;
}; };
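Review bot: Several of the new field comments in `SMTP::Info` describe envelope values as message headers: `helo`, `mailfrom` and `rcptto` appear to hold the HELO/EHLO, MAIL FROM and RCPT TO command arguments (the SMTP envelope), yet `mailfrom` is documented as `## Contents of the From header.` — word for word the same as the real `from` header field below it. That distinction is exactly what analysts rely on, since a mismatch between envelope sender and header From is a common spoofing indicator, so suggest `## Argument of the MAIL FROM command (envelope sender).`, `## Arguments of the RCPT TO command(s) (envelope recipients).` and `## Argument of the HELO/EHLO command.` (hedged: confirm against where the script fills these fields). The `x_originating_ip` comment misspells the header (`X-Origininating-IP` should be `X-Originating-IP`), and `ReplyTo`/`MsgID` would be clearer as the actual header names `Reply-To`/`Message-ID`.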


@ -9,19 +9,21 @@ export {
type Info: record { type Info: record {
## Time when the proxy connection was first detected. ## Time when the proxy connection was first detected.
ts: time &log; ts: time &log;
## Unique ID for the tunnel - may correspond to connection uid or be non-existent.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## Protocol version of SOCKS. ## Protocol version of SOCKS.
version: count &log; version: count &log;
## Username for the proxy if extracted from the network. ## Username for the proxy if extracted from the network..
user: string &log &optional; user: string &log &optional;
## Server status for the attempt at using the proxy. ## Server status for the attempt at using the proxy.
status: string &log &optional; status: string &log &optional;
## Client requested SOCKS address. Could be an address, a name or both. ## Client requested SOCKS address. Could be an address, a name or both.
request: SOCKS::Address &log &optional; request: SOCKS::Address &log &optional;
## Client requested port. ## Client requested port.
request_p: port &log &optional; request_p: port &log &optional;
## Server bound address. Could be an address, a name or both. ## Server bound address. Could be an address, a name or both.
bound: SOCKS::Address &log &optional; bound: SOCKS::Address &log &optional;
## Server bound port. ## Server bound port.
bound_p: port &log &optional; bound_p: port &log &optional;
@ -83,5 +85,8 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres
event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5 event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5
{ {
Log::write(SOCKS::LOG, c$socks); # This will handle the case where the analyzer failed in some way and was removed. We probably
# don't want to log these connections.
if ( "SOCKS" in c$service )
Log::write(SOCKS::LOG, c$socks);
} }
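Review bot: The new guard in `socks_reply` silently drops the record whenever `"SOCKS"` is not in `c$service`, so a handshake malformed enough to get the analyzer removed (which, if I read the companion SOCKS.cc change correctly, now happens on binpac parse exceptions) leaves no trace in socks.log even though a reply event was raised. For a proxy log that is commonly used to find tunnelling and policy violations, that is the traffic an analyst may most want to see; consider still writing the record, or at minimum emitting a weird/notice so the suppression is visible rather than silent. The comment should also state what the check actually depends on, e.g. `# Only log if the SOCKS analyzer confirmed the protocol (i.e. it was not removed after a violation).` Separately, the new `user` field comment ends in a double period (`network..`).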


@ -26,21 +26,23 @@ export {
type Info: record { type Info: record {
## Time when the SSH connection began. ## Time when the SSH connection began.
ts: time &log; ts: time &log;
## Unique ID for the connection.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## Indicates if the login was heuristically guessed to be "success" ## Indicates if the login was heuristically guessed to be "success"
## or "failure". ## or "failure".
status: string &log &optional; status: string &log &optional;
## Direction of the connection. If the client was a local host ## Direction of the connection. If the client was a local host
## logging into an external host, this would be OUTBOUD. INBOUND ## logging into an external host, this would be OUTBOUND. INBOUND
## would be set for the opposite situation. ## would be set for the opposite situation.
# TODO: handle local-local and remote-remote better. # TODO: handle local-local and remote-remote better.
direction: Direction &log &optional; direction: Direction &log &optional;
## Software string given by the client. ## Software string from the client.
client: string &log &optional; client: string &log &optional;
## Software string given by the server. ## Software string from the server.
server: string &log &optional; server: string &log &optional;
## Amount of data returned from the server. This is currently ## Amount of data returned from the server. This is currently
## the only measure of the success heuristic and it is logged to ## the only measure of the success heuristic and it is logged to
## assist analysts looking at the logs to make their own determination ## assist analysts looking at the logs to make their own determination
## about the success on a case-by-case basis. ## about the success on a case-by-case basis.


@ -9,13 +9,15 @@ export {
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
type Info: record { type Info: record {
## Time when the SSL connection began. ## Time when the SSL connection was first detected.
ts: time &log; ts: time &log;
uid: string &log; ## Unique ID for the connection.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## SSL/TLS version the server offered. ## SSL/TLS version that the server offered.
version: string &log &optional; version: string &log &optional;
## SSL/TLS cipher suite the server chose. ## SSL/TLS cipher suite that the server chose.
cipher: string &log &optional; cipher: string &log &optional;
## Value of the Server Name Indicator SSL/TLS extension. It ## Value of the Server Name Indicator SSL/TLS extension. It
## indicates the server name that the client was requesting. ## indicates the server name that the client was requesting.


@ -9,9 +9,11 @@ export {
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
type Info: record { type Info: record {
## Timestamp of when the syslog message was seen. ## Timestamp when the syslog message was seen.
ts: time &log; ts: time &log;
## Unique ID for the connection.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## Protocol over which the message was seen. ## Protocol over which the message was seen.
proto: transport_proto &log; proto: transport_proto &log;


@ -106,10 +106,10 @@ void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
// } // }
} }
void BitTorrent_Analyzer::EndpointEOF(TCP_Reassembler* endp) void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(endp); TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(endp->IsOrig()); interp->FlowEOF(is_orig);
} }
void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)


@ -15,7 +15,7 @@ public:
virtual void Done(); virtual void Done();
virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(int seq, int len, bool orig); virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(TCP_Reassembler* endp); virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn) static Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new BitTorrent_Analyzer(conn); } { return new BitTorrent_Analyzer(conn); }


@ -215,9 +215,9 @@ void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
stop_resp = true; stop_resp = true;
} }
void BitTorrentTracker_Analyzer::EndpointEOF(TCP_Reassembler* endp) void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(endp); TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
} }
void BitTorrentTracker_Analyzer::InitBencParser(void) void BitTorrentTracker_Analyzer::InitBencParser(void)


@ -48,7 +48,7 @@ public:
virtual void Done(); virtual void Done();
virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(int seq, int len, bool orig); virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(TCP_Reassembler* endp); virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn) static Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new BitTorrentTracker_Analyzer(conn); } { return new BitTorrentTracker_Analyzer(conn); }


@ -63,10 +63,10 @@ void DNS_TCP_Analyzer_binpac::Done()
interp->FlowEOF(false); interp->FlowEOF(false);
} }
void DNS_TCP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp) void DNS_TCP_Analyzer_binpac::EndpointEOF(bool is_orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(endp); TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(endp->IsOrig()); interp->FlowEOF(is_orig);
} }
void DNS_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data, void DNS_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data,


@ -45,7 +45,7 @@ public:
virtual void Done(); virtual void Done();
virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(int seq, int len, bool orig); virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(TCP_Reassembler* endp); virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn) static Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new DNS_TCP_Analyzer_binpac(conn); } { return new DNS_TCP_Analyzer_binpac(conn); }


@ -1035,12 +1035,10 @@ Val* IncrExpr::Eval(Frame* f) const
{ {
Val* new_elt = DoSingleEval(f, elt); Val* new_elt = DoSingleEval(f, elt);
v_vec->Assign(i, new_elt, this, OP_INCR); v_vec->Assign(i, new_elt, this, OP_INCR);
Unref(new_elt); // was Ref()'d by Assign()
} }
else else
v_vec->Assign(i, 0, this, OP_INCR); v_vec->Assign(i, 0, this, OP_INCR);
} }
// FIXME: Is the next line needed?
op->Assign(f, v_vec, OP_INCR); op->Assign(f, v_vec, OP_INCR);
} }
@ -2402,11 +2400,6 @@ Expr* RefExpr::MakeLvalue()
return this; return this;
} }
Val* RefExpr::Eval(Val* v) const
{
return Fold(v);
}
void RefExpr::Assign(Frame* f, Val* v, Opcode opcode) void RefExpr::Assign(Frame* f, Val* v, Opcode opcode)
{ {
op->Assign(f, v, opcode); op->Assign(f, v, opcode);
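Review bot: Removing `Unref(new_elt)` in the first hunk of `IncrExpr::Eval` leaves the reference-count contract entirely implicit: the new code only avoids the segfault mentioned in CHANGES if `VectorVal::Assign()` takes ownership of `new_elt` (presumably the case, given the crash), and the old comment asserting the opposite is gone without a replacement. A one-line comment would stop the next reader from "fixing" it back, e.g. `// Assign() takes ownership of new_elt; do not Unref it here.` The `FIXME` on the trailing `op->Assign(f, v_vec, OP_INCR)` was also deleted without explanation; if the line was determined to be necessary, say so in a comment, otherwise the question simply disappears from view. The body of `IncrExpr::Eval` begins outside the hunk.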


@ -608,10 +608,6 @@ public:
void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN); void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
Expr* MakeLvalue(); Expr* MakeLvalue();
// Only overridden to avoid special vector handling which doesn't apply
// for this class.
Val* Eval(Val* v) const;
protected: protected:
friend class Expr; friend class Expr;
RefExpr() { } RefExpr() { }


@ -20,10 +20,10 @@ void HTTP_Analyzer_binpac::Done()
interp->FlowEOF(false); interp->FlowEOF(false);
} }
void HTTP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp) void HTTP_Analyzer_binpac::EndpointEOF(bool is_orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(endp); TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(endp->IsOrig()); interp->FlowEOF(is_orig);
} }
void HTTP_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig) void HTTP_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)


@ -13,7 +13,7 @@ public:
virtual void Done(); virtual void Done();
virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(int seq, int len, bool orig); virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(TCP_Reassembler* endp); virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn) static Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new HTTP_Analyzer_binpac(conn); } { return new HTTP_Analyzer_binpac(conn); }


@ -31,10 +31,10 @@ void SOCKS_Analyzer::Done()
interp->FlowEOF(false); interp->FlowEOF(false);
} }
void SOCKS_Analyzer::EndpointEOF(TCP_Reassembler* endp) void SOCKS_Analyzer::EndpointEOF(bool is_orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(endp); TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(endp->IsOrig()); interp->FlowEOF(is_orig);
} }
void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
@ -67,7 +67,14 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
else else
{ {
interp->NewData(orig, data, data + len); try
{
interp->NewData(orig, data, data + len);
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
} }
} }
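Review bot: After the new `catch` in `SOCKS_Analyzer::DeliverStream` reports the violation, nothing stops later segments from being fed into the same `interp`, whose internal state is presumably undefined once it has thrown; unless the framework reliably removes the analyzer on `ProtocolViolation`, the next `DeliverStream` call re-enters a half-parsed parser on attacker-controlled bytes. Consider recording the failure — a member flag checked at the top of `DeliverStream`, or whatever the analyzer base class offers to stop delivery — so no further data reaches `interp` after an exception. The `if` branch above the `else` is only partly visible here; if it also calls into `interp`, it needs the same try/catch. The enclosing function starts outside the hunk.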


@ -23,7 +23,7 @@ public:
virtual void Done(); virtual void Done();
virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(int seq, int len, bool orig); virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(TCP_Reassembler* endp); virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn) static Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new SOCKS_Analyzer(conn); } { return new SOCKS_Analyzer(conn); }


@ -23,10 +23,10 @@ void SSL_Analyzer::Done()
interp->FlowEOF(false); interp->FlowEOF(false);
} }
void SSL_Analyzer::EndpointEOF(TCP_Reassembler* endp) void SSL_Analyzer::EndpointEOF(bool is_orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(endp); TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(endp->IsOrig()); interp->FlowEOF(is_orig);
} }
void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)


@ -15,7 +15,7 @@ public:
virtual void Undelivered(int seq, int len, bool orig); virtual void Undelivered(int seq, int len, bool orig);
// Overriden from TCP_ApplicationAnalyzer. // Overriden from TCP_ApplicationAnalyzer.
virtual void EndpointEOF(TCP_Reassembler* endp); virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn) static Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new SSL_Analyzer(conn); } { return new SSL_Analyzer(conn); }


@ -305,12 +305,12 @@ refine connection SSL_Conn += {
//i2t_ASN1_OBJECT(&pBuffer, length, obj) //i2t_ASN1_OBJECT(&pBuffer, length, obj)
// printf("extension length: %d\n", length); // printf("extension length: %d\n", length);
// -1 indicates an error. // -1 indicates an error.
if ( length < 0 ) if ( length >= 0 )
continue; {
StringVal* value = new StringVal(length, (char*)pBuffer);
StringVal* value = new StringVal(length, (char*)pBuffer); BifEvent::generate_x509_extension(bro_analyzer(),
BifEvent::generate_x509_extension(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, value);
bro_analyzer()->Conn(), ${rec.is_orig}, value); }
OPENSSL_free(pBuffer); OPENSSL_free(pBuffer);
} }
} }
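Review bot: Nothing at the changed condition records why the early `continue` was dropped, so a later edit could restore it and reintroduce the leak this hunk fixes, namely that `OPENSSL_free(pBuffer)` on the last line was skipped whenever length reported an error. The `// -1 indicates an error.` comment now sits above a positive test and reads the wrong way round; replacing it with `// -1 indicates an error: skip the event but still fall through so pBuffer is freed below.` keeps the intent visible. Whether pBuffer is always allocated when length is negative depends on the call above the hunk, which is not visible here and should be confirmed. Since each extension comes from peer-supplied certificate data, the error-path leak was reachable per malformed extension, which is worth stating in the comment so the free is not treated as cosmetic. The enclosing loop starts outside the hunk.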


@ -86,12 +86,12 @@ void BasicThread::Start()
int err = pthread_mutex_init(&terminate, 0); int err = pthread_mutex_init(&terminate, 0);
if ( err != 0 ) if ( err != 0 )
reporter->FatalError("Cannot create terminate mutex for thread %s:%s", name.c_str(), strerror(err)); reporter->FatalError("Cannot create terminate mutex for thread %s: %s", name.c_str(), strerror(err));
// We use this like a binary semaphore and acquire it immediately. // We use this like a binary semaphore and acquire it immediately.
err = pthread_mutex_lock(&terminate); err = pthread_mutex_lock(&terminate);
if ( err != 0 ) if ( err != 0 )
reporter->FatalError("Cannot aquire terminate mutex for thread %s:%s", name.c_str(), strerror(err)); reporter->FatalError("Cannot aquire terminate mutex for thread %s: %s", name.c_str(), strerror(err));
err = pthread_create(&pthread, 0, BasicThread::launcher, this); err = pthread_create(&pthread, 0, BasicThread::launcher, this);
if ( err != 0 ) if ( err != 0 )
@ -116,8 +116,9 @@ void BasicThread::Stop()
// Signal that it's ok for the thread to exit now by unlocking the // Signal that it's ok for the thread to exit now by unlocking the
// mutex. // mutex.
if ( pthread_mutex_unlock(&terminate) != 0 ) int err = pthread_mutex_unlock(&terminate);
reporter->FatalError("Failure flagging terminate condition for thread %s", name.c_str()); if ( err != 0 )
reporter->FatalError("Failure flagging terminate condition for thread %s: %s", name.c_str(), strerror(err));
terminating = true; terminating = true;
@ -163,6 +164,14 @@ void* BasicThread::launcher(void *arg)
// process. // process.
sigset_t mask_set; sigset_t mask_set;
sigfillset(&mask_set); sigfillset(&mask_set);
// Unblock the signals where according to POSIX the result is undefined if they are blocked
// in a thread and received by that thread. If those are not unblocked, threads will just
// hang when they crash without the user being notified.
sigdelset(&mask_set, SIGFPE);
sigdelset(&mask_set, SIGILL);
sigdelset(&mask_set, SIGSEGV);
sigdelset(&mask_set, SIGBUS);
int res = pthread_sigmask(SIG_BLOCK, &mask_set, 0); int res = pthread_sigmask(SIG_BLOCK, &mask_set, 0);
assert(res == 0); // assert(res == 0); //
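Review bot: The result of pthread_sigmask() on the line after the new sigdelset() calls is still checked only with `assert(res == 0)`, which compiles to nothing under NDEBUG, so a release build that fails to install the mask would run the thread with SIGSEGV and SIGBUS still blocked and the silent hang this hunk is meant to remove would come back unnoticed. Start() and Stop() in the earlier hunks report such failures through `reporter->FatalError(...)` with `strerror(err)`; the same belongs here: `if ( res != 0 ) reporter->FatalError("Cannot set signal mask for thread: %s", strerror(res));`. The sigdelset() return values are ignored as well, though for these fixed, valid signal numbers they cannot fail. launcher() continues past the end of the hunk.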


@ -1,15 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1257655301.595604 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 tcp http 2.101052 2981 4665 S1 - 0 ShADad 10 3605 11 5329 k6kgXLOoSKl
1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - 0 Dd 21 5717 13 6473 (empty)
1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - 0 d 0 0 1 176 (empty)
1257655296.585333 FrJExwHcSal :: 135 ff02::1:ff00:2 136 icmp - - - - OTH - 0 - 1 64 0 0 k6kgXLOoSKl
1257655293.629048 arKYeMETxOg 2001:4978:f:4c::1 128 2001:4978:f:4c::2 129 icmp - 23.834987 168 56 OTH - 0 - 3 312 1 104 UWkUyAuUGXf,k6kgXLOoSKl
1257655296.585188 TEfuqmmG4bh fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff00:2 130 icmp - 0.919988 32 0 OTH - 0 - 2 144 0 0 k6kgXLOoSKl
1257655296.585151 j4u32Pc5bif fe80::216:cbff:fe9a:4cb9 131 ff02::2:f901:d225 130 icmp - 0.719947 32 0 OTH - 0 - 2 144 0 0 k6kgXLOoSKl
1257655296.585034 nQcgTWjvg4c fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff9a:4cb9 130 icmp - 4.922880 32 0 OTH - 0 - 2 144 0 0 k6kgXLOoSKl


@ -1,10 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1257655301.652206 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - - (empty) - - - text/html - -
1257655302.514424 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - -
1257655303.603569 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - -


@ -1,11 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
#types time string addr port addr port enum enum
1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA
1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA
1257655317.464035 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA
1257655317.464035 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA


@ -1,28 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1210953047.736921 arKYeMETxOg 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - 0 fA 1 40 1 40 (empty)
1210953050.867067 k6kgXLOoSKl 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - 0 fA 1 40 1 40 (empty)
1210953057.833364 5OKnoww6xl4 192.168.2.16 1577 75.126.203.78 80 tcp - 0.079208 0 0 SH - 0 Fa 1 40 1 40 (empty)
1210953058.007081 VW0XPVINV8a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTOS0 - 0 R 1 40 0 0 (empty)
1210953057.834454 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 tcp http 0.407908 790 171 RSTO - 0 ShADadR 6 1038 4 335 (empty)
1210953058.350065 fRFu0wcOle6 192.168.2.16 1920 192.168.2.1 53 udp dns 0.223055 66 438 SF - 0 Dd 2 122 2 494 (empty)
1210953058.577231 qSsw6ESzHV4 192.168.2.16 137 192.168.2.255 137 udp dns 1.499261 150 0 S0 - 0 D 3 234 0 0 (empty)
1210953074.264819 Tw8jXtpTGu6 192.168.2.16 1920 192.168.2.1 53 udp dns 0.297723 123 598 SF - 0 Dd 3 207 3 682 (empty)
1210953061.312379 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 12.810848 1675 10467 S1 - 0 ShADad 10 2279 12 11191 GSxOnSLghOa
1210953076.058333 EAr0uf4mhq 192.168.2.16 1578 75.126.203.78 80 tcp - - - - RSTRH - 0 r 0 0 1 40 (empty)
1210953074.055744 h5DsfNtYzi1 192.168.2.16 1577 75.126.203.78 80 tcp - - - - RSTRH - 0 r 0 0 1 40 (empty)
1210953074.057124 P654jzLoe3a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTRH - 0 r 0 0 1 40 (empty)
1210953074.570439 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - 0 ShADadFf 7 757 6 4164 (empty)
1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - 0 Dd 2 185 1 76 (empty)
1210953060.829233 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - 0 Dd 12 2695 13 11607 (empty)
1210953058.933954 iE6yhOq3SF 0.0.0.0 68 255.255.255.255 67 udp - - - - S0 - 0 D 1 328 0 0 (empty)
1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 udp teredo - - - SHR - 0 d 0 0 1 137 (empty)
1210953046.591933 UWkUyAuUGXf 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - 0 D 2 472 0 0 (empty)
1210953052.324629 FrJExwHcSal fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - 0 - 1 88 0 0 TEfuqmmG4bh
1210953060.829303 qCaWGmzFtM5 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.463615 4 4 OTH - 0 - 1 52 1 52 GSxOnSLghOa,nQcgTWjvg4c
1210953052.202579 j4u32Pc5bif fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - 0 - 1 64 0 0 nQcgTWjvg4c


@ -1,11 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1210953057.917183 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 1 POST download913.avast.com /cgi-bin/iavs4stats.cgi - Syncer/4.80 (av_pro-1169;f) 589 0 204 <empty> - - - (empty) - - - text/plain - -
1210953061.585996 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - -
1210953073.381474 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - -
1210953074.674817 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 1 GET www.wireshark.org / http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 11845 200 OK - - - (empty) - - - text/xml - -


@ -1,83 +0,0 @@
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]]
auth: [id=, value=, nonce=14796129349558001544, confirm=0]
auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]]
auth: [id=, value=, nonce=14796129349558001544, confirm=0]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp]
ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]]
auth: [id=, value=, nonce=14796129349558001544, confirm=0]
origin: [p=3797/udp, a=70.55.215.234]
auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp]
ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]]
auth: [id=, value=, nonce=14796129349558001544, confirm=0]
origin: [p=3797/udp, a=70.55.215.234]
origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp]
ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]]
auth: [id=, value=, nonce=14796129349558001544, confirm=0]
origin: [p=3797/udp, a=70.55.215.234]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
ip6: [class=0, flow=0, len=12, nxt=58, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
origin: [p=32900/udp, a=83.170.1.38]
origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
origin: [p=32900/udp, a=83.170.1.38]
bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp]
ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
origin: [p=32900/udp, a=83.170.1.38]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]]
bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=12, nxt=58, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=24, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=24, nxt=6, hlim=245, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=817, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=20, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=514, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=898, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=812, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=717, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]]
packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp]
ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]]


@ -1,13 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
#types time string addr port addr port enum enum
1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::DISCOVER Tunnel::TEREDO
1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::DISCOVER Tunnel::TEREDO
1210953061.292918 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::DISCOVER Tunnel::TEREDO
1210953076.058333 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::CLOSE Tunnel::TEREDO
1210953076.058333 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::CLOSE Tunnel::TEREDO
1210953076.058333 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::CLOSE Tunnel::TEREDO


@ -0,0 +1,5 @@
[0, 0, 0]
[a=0, b=test, c=[1, 2, 3]]
[1, 1, 1]
[a=1, b=test, c=[1, 2, 3]]
[a=1, b=test, c=[2, 3, 4]]


@ -5,6 +5,3 @@
# @TEST-GROUP: leaks # @TEST-GROUP: leaks
# #
# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/ayiya3.trace # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/ayiya3.trace
# @TEST-EXEC: btest-diff tunnel.log
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff http.log


@ -0,0 +1,35 @@
# Needs perftools support.
#
# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
#
# @TEST-GROUP: leaks
#
# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT
type rec: record {
a: count;
b: string;
c: vector of count;
};
global vec: vector of count = vector(0,0,0);
global v: rec = [$a=0, $b="test", $c=vector(1,2,3)];
event new_connection(c: connection)
{
print vec;
print v;
++vec;
print vec;
++v$a;
print v;
++v$c;
print v;
}
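Review bot: The new script carries no statement of what it exercises; a reader sees `++vec` and `++v$c` applied to whole vector values but not that these are the cases being guarded against. A one-line header after the @TEST-EXEC line, such as `# Regression: ++ on a whole vector value, and on a vector record field, must not crash and must increment element-wise.`, would make the purpose explicit. The same applies to the non-leak copy of this script added later in this commit, whose expected output (`[1, 1, 1]` and `c=[2, 3, 4]`) is what pins the element-wise behaviour.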


@ -5,10 +5,6 @@
# @TEST-GROUP: leaks # @TEST-GROUP: leaks
# #
# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/Teredo.pcap %INPUT >output # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/Teredo.pcap %INPUT >output
# @TEST-EXEC: btest-diff output
# @TEST-EXEC: btest-diff tunnel.log
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff http.log
function print_teredo(name: string, outer: connection, inner: teredo_hdr) function print_teredo(name: string, outer: connection, inner: teredo_hdr)
{ {


@ -0,0 +1,27 @@
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
type rec: record {
a: count;
b: string;
c: vector of count;
};
global vec: vector of count = vector(0,0,0);
global v: rec = [$a=0, $b="test", $c=vector(1,2,3)];
print vec;
print v;
++vec;
print vec;
++v$a;
print v;
++v$c;
print v;