From 4ccd6d76fd520554aa3ae9af8654b40b0b57c799 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 17 May 2013 18:09:59 -0700 Subject: [PATCH] Fixing tests. Part of this involves making the file-analysis tests independent of specific hash values. I've done that only partially though. --- doc/scripts/DocSourcesList.cmake | 67 +++++++++++++--- scripts/base/protocols/ftp/main.bro | 70 ++++++++--------- scripts/base/protocols/irc/dcc-send.bro | 2 +- scripts/test-all-policy.bro | 1 - src/AnalyzerTags.h | 57 -------------- src/analyzer/Tag.cc | 2 + src/analyzer/Tag.h | 2 + src/file_analysis/File.h | 3 +- src/file_analysis/Manager.h | 2 +- .../canonified_loaded_scripts.log | 72 +++++++++++++++--- .../canonified_loaded_scripts.log | 72 +++++++++++++++--- .../doc.autogen-reST-example/example.rst | 11 --- .../out | 4 +- .../{Cx92a0ym5R8-file => 1-file} | 0 .../{kg59rqyYxN-file => 2-file} | 0 .../a.size | 2 +- .../b.out | 8 +- .../b.size | 2 +- .../c.out | 4 +- .../c.size | 2 +- .../{aFQKI8SPOL2-file => 1-file} | 0 .../{CCU3vUEr06l-file => 2-file} | 0 .../{HCzA0dVwDPj-file => 3-file} | Bin .../{a1Zu1fteVEf-file => 4-file} | Bin .../{xXlF7wFdsR-file => 5-file} | Bin .../{v5HLI7MxPQh-file => 1-file} | 0 .../{PZS1XGHkIf1-file => 2-file} | 0 ...-item-Rqjkzoroau4-0.dat => ftp-item-0.dat} | 0 ...-item-BTsa70Ua9x7-1.dat => ftp-item-1.dat} | 0 ...-item-VLQvJybrm38-2.dat => ftp-item-2.dat} | 0 ...-item-zrfwSs9K1yk-3.dat => ftp-item-3.dat} | 0 .../ftp.log | 12 +-- ...p-item-BFymS6bFgT3-0.dat => http-item.dat} | 0 .../http.log | 6 +- ...tem-wqKMAamJVSb-0.dat => irc-dcc-item.dat} | Bin .../irc.log | 6 +- ...ty-cwR7l6Zctxb-0.dat => smtp-entity-0.dat} | 0 ...ty-Ltd7QO7jEv3-1.dat => smtp-entity-1.dat} | 0 .../smtp_entities.log | 8 +- .../core/tunnels/teredo-known-services.test | 4 +- .../frameworks/file-analysis/http/get.bro | 12 +-- .../file-analysis/http/partial-content.bro | 8 +- .../file-analysis/http/pipeline.bro | 14 ++-- .../frameworks/file-analysis/http/post.bro | 8 +- .../base/protocols/ftp/ftp-extract.bro | 12 ++- 
.../protocols/http/http-extract-files.bro | 3 +- .../base/protocols/irc/dcc-extract.test | 5 +- .../base/protocols/smtp/mime-extract.test | 10 ++- 48 files changed, 294 insertions(+), 197 deletions(-) delete mode 100644 src/AnalyzerTags.h rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/{Cx92a0ym5R8-file => 1-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/{kg59rqyYxN-file => 2-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{aFQKI8SPOL2-file => 1-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{CCU3vUEr06l-file => 2-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{HCzA0dVwDPj-file => 3-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{a1Zu1fteVEf-file => 4-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{xXlF7wFdsR-file => 5-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/{v5HLI7MxPQh-file => 1-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/{PZS1XGHkIf1-file => 2-file} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-Rqjkzoroau4-0.dat => ftp-item-0.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-BTsa70Ua9x7-1.dat => ftp-item-1.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-VLQvJybrm38-2.dat => ftp-item-2.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-zrfwSs9K1yk-3.dat => ftp-item-3.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/{http-item-BFymS6bFgT3-0.dat => http-item.dat} (100%) rename 
testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/{irc-dcc-item-wqKMAamJVSb-0.dat => irc-dcc-item.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/{smtp-entity-cwR7l6Zctxb-0.dat => smtp-entity-0.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/{smtp-entity-Ltd7QO7jEv3-1.dat => smtp-entity-1.dat} (100%) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index e4c92a0777..0b077c2c50 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -16,15 +16,63 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) -rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/file_analysis.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/analyzer.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/bro.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/const.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/event.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/file_analysis.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/input.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/logging.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ARP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_AYIYA.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BackDoor.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BitTorrent.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ConnSize.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DCE_RPC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DHCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DNS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts 
base/bif/plugins/Bro_FTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_File.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Finger.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_GTPv1.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Gnutella.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ICMP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_IRC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Ident.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_InterConn.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_MIME.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Modbus.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetFlow.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_PIA.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_POP3.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_RPC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMB.events.bif.bro) 
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SOCKS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSH.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SteppingStone.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Syslog.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Teredo.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_UDP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ZIP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/reporter.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/strings.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/types.bif.bro) +rest_target(${psd} base/frameworks/analyzer/main.bro) rest_target(${psd} base/frameworks/cluster/main.bro) rest_target(${psd} base/frameworks/cluster/nodes/manager.bro) rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro) @@ -146,7 +194,6 @@ rest_target(${psd} policy/frameworks/software/vulnerable.bro) rest_target(${psd} policy/integration/barnyard2/main.bro) rest_target(${psd} policy/integration/barnyard2/types.bro) rest_target(${psd} policy/integration/collective-intel/main.bro) -rest_target(${psd} policy/misc/analysis-groups.bro) rest_target(${psd} policy/misc/app-metrics.bro) rest_target(${psd} policy/misc/capture-loss.bro) rest_target(${psd} policy/misc/detect-traceroute/main.bro) 
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 48407e39ab..88e1fbeeb8 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -1,6 +1,6 @@ ##! The logging this script does is primarily focused on logging FTP commands ##! along with metadata. For example, if files are transferred, the argument -##! will take on the full path that the client is at along with the requested +##! will take on the full path that the client is at along with the requested ##! file name. @load ./utils-commands @@ -13,16 +13,16 @@ module FTP; export { ## The FTP protocol logging stream identifier. redef enum Log::ID += { LOG }; - + ## List of commands that should have their command/response pairs logged. const logged_commands = { "APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT", "EPSV" } &redef; - + ## This setting changes if passwords used in FTP sessions are captured or not. const default_capture_password = F &redef; - + ## User IDs that can be considered "anonymous". const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef; @@ -37,7 +37,7 @@ export { ## The port at which the acceptor is listening for the data connection. resp_p: port &log; }; - + type Info: record { ## Time when the command was sent. ts: time &log; @@ -53,12 +53,12 @@ export { command: string &log &optional; ## Argument for the command if one is given. arg: string &log &optional; - + ## Libmagic "sniffed" file type if the command indicates a file transfer. mime_type: string &log &optional; ## Size of the file if the command indicates a file transfer. file_size: count &log &optional; - + ## Reply code from the server in response to the command. reply_code: count &log &optional; ## Reply message from the server in response to the command. 
@@ -74,31 +74,31 @@ export { ## more concrete is discovered that the existing but unknown ## directory is ok to use. cwd: string &default="."; - + ## Command that is currently waiting for a response. cmdarg: CmdArg &optional; - ## Queue for commands that have been sent but not yet responded to + ## Queue for commands that have been sent but not yet responded to ## are tracked here. pending_commands: PendingCmds; - + ## Indicates if the session is in active or passive mode. passive: bool &default=F; - + ## Determines if the password will be captured for this request. capture_password: bool &default=default_capture_password; }; - ## This record is to hold a parsed FTP reply code. For example, for the + ## This record is to hold a parsed FTP reply code. For example, for the ## 201 status code, the digits would be parsed as: x->2, y->0, z=>1. type ReplyCode: record { x: count; y: count; z: count; }; - + ## Parse FTP reply codes into the three constituent single digit values. global parse_ftp_reply_code: function(code: count): ReplyCode; - + ## Event that can be handled to access the :bro:type:`FTP::Info` ## record as it is sent on to the logging framework. global log_ftp: event(rec: Info); @@ -166,7 +166,7 @@ function set_ftp_session(c: connection) s$uid=c$uid; s$id=c$id; c$ftp=s; - + # Add a shim command so the server can respond with some init response. add_pending_cmd(c$ftp$pending_commands, "", ""); } @@ -178,13 +178,13 @@ function ftp_message(s: Info) # or it's a deliberately logged command. if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) ) { - if ( s?$password && - ! s$capture_password && + if ( s?$password && + ! s$capture_password && to_lower(s$user) !in guest_ids ) { s$password = ""; } - + local arg = s$cmdarg$arg; if ( s$cmdarg$cmd in file_cmds ) { @@ -194,7 +194,7 @@ function ftp_message(s: Info) arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path); } - + s$ts=s$cmdarg$ts; s$command=s$cmdarg$cmd; if ( arg == "" ) 
@@ -204,9 +204,9 @@ function ftp_message(s: Info) Log::write(FTP::LOG, s); } - - # The MIME and file_size fields are specific to file transfer commands - # and may not be used in all commands so they need reset to "blank" + + # The MIME and file_size fields are specific to file transfer commands + # and may not be used in all commands so they need reset to "blank" # values after logging. delete s$mime_type; delete s$file_size; @@ -237,19 +237,19 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 remove_pending_cmd(c$ftp$pending_commands, c$ftp$cmdarg); ftp_message(c$ftp); } - + local id = c$id; set_ftp_session(c); - + # Queue up the new command and argument add_pending_cmd(c$ftp$pending_commands, command, arg); - + if ( command == "USER" ) c$ftp$user = arg; - + else if ( command == "PASS" ) c$ftp$password = arg; - + else if ( command == "PORT" || command == "EPRT" ) { local data = (command == "PORT") ? @@ -277,7 +277,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior # TODO: figure out what to do with continued FTP response (not used much) if ( cont_resp ) return; - + # TODO: do some sort of generic clear text login processing here. local response_xyz = parse_ftp_reply_code(code); #if ( response_xyz$x == 2 && # successful @@ -293,18 +293,20 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior # if that's given as well which would be more correct. c$ftp$file_size = extract_count(msg); } - + # PASV and EPSV processing else if ( (code == 227 || code == 229) && (c$ftp$cmdarg$cmd == "PASV" || c$ftp$cmdarg$cmd == "EPSV") ) { local data = (code == 227) ? parse_ftp_pasv(msg) : parse_ftp_epsv(msg); - + if ( data$valid ) { c$ftp$passive=T; - + if ( code == 229 && data$h == [::] ) + data$h = c$id$resp_h; + add_expected_data_channel(c$ftp, [$passive=T, $orig_h=c$id$orig_h, $resp_h=data$h, $resp_p=data$p]); } 
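Review bot: The new `if ( code == 229 && data$h == [::] )` check in the PASV/EPSV branch of ftp_reply depends on an undocumented sentinel: it only works if parse_ftp_epsv (defined outside this patch) reports the missing host as `[::]`, which is presumably the case since an EPSV reply carries only a port. A comment above the check would record that, e.g. `# EPSV replies carry no address; fall back to the control connection's responder.` Separately, the 227 path still registers whatever address the server put in the PASV reply; comparing `data$h` with `c$id$resp_h` there and flagging a mismatch would give analysts a signal for redirected data channels. The ftp_reply handler begins and ends outside the hunk.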
@@ -325,9 +327,9 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior else if ( c$ftp$cmdarg$cmd == "PWD" || c$ftp$cmdarg$cmd == "XPWD" ) c$ftp$cwd = extract_path(msg); } - + # In case there are multiple commands queued, go ahead and remove the - # command here and log because we can't do the normal processing pipeline + # command here and log because we can't do the normal processing pipeline # to wait for a new command before logging the command/response pair. if ( |c$ftp$pending_commands| > 1 ) { @@ -359,7 +361,7 @@ event connection_reused(c: connection) &priority=5 if ( "ftp-data" in c$service ) c$ftp_data_reuse = T; } - + event connection_state_remove(c: connection) &priority=-5 { if ( c$ftp_data_reuse ) return; diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 8ec7655202..f5dc72e9ce 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -179,7 +179,7 @@ event irc_dcc_message(c: connection, is_orig: bool, dcc_expected_transfers[address, p] = c$irc; } -event expected_connection_seen(c: connection, a: count) &priority=10 +event expected_connection_seen(c: connection, a: Analyzer::Tag) &priority=10 { local id = c$id; if ( [id$resp_h, id$resp_p] in dcc_expected_transfers ) diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 7b349b64a3..daad03d9b6 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -31,7 +31,6 @@ @load integration/barnyard2/types.bro @load integration/collective-intel/__load__.bro @load integration/collective-intel/main.bro -@load misc/analysis-groups.bro @load misc/app-metrics.bro @load misc/capture-loss.bro @load misc/detect-traceroute/__load__.bro diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h deleted file mode 100644 index 8429dec335..0000000000 --- a/src/AnalyzerTags.h +++ /dev/null 
@@ -1,57 +0,0 @@ -#ifndef ANALYZERTAGS_H -#define ANALYZERTAGS_H - -// Each kind of analyzer gets a tag. When adding an analyzer here, also adapt -// the table of analyzers in Analyzer.cc. -// -// Using a namespace here is kind of a hack: ideally this would be in "class -// Analyzer {...}". But then we'd have circular dependencies across the header -// files. - -#include "util.h" - -typedef uint32 AnalyzerID; - -namespace AnalyzerTag { - enum Tag { - Error = 0, // used as error code - - // Analyzer in charge of protocol detection. - PIA_TCP, PIA_UDP, - - // Transport-layer analyzers. - ICMP, TCP, UDP, - - // Application-layer analyzers (hand-written). - BitTorrent, BitTorrentTracker, - DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC, - Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin, - RPC, Rsh, SMB, SMTP, SSH, - Telnet, - - // Application-layer analyzers, binpac-generated. - DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC, - HTTP_BINPAC, SSL, SYSLOG_BINPAC, - Modbus, - - // Decapsulation analyzers. - AYIYA, - SOCKS, - Teredo, - GTPv1, - - // Other - File, IRC_Data, FTP_Data, Backdoor, InterConn, SteppingStone, TCPStats, - ConnSize, - - // Support-analyzers - Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP, - Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh, - Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS, - FTP_ADAT, - // End-marker. - LastAnalyzer - }; -}; - -#endif diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index 09c3c26caf..0459a91a32 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -6,6 +6,8 @@ using namespace analyzer; +Tag Tag::Error; + Tag::Tag(type_t arg_type, subtype_t arg_subtype) { assert(arg_type > 0); diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index ca3bc8b02f..4d91e19641 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h 
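Review bot: `Tag Tag::Error;` here, together with the matching `static Tag Error;` added in the src/analyzer/Tag.h hunk, defines the error sentinel as a mutable public static, so any code can assign to it and silently change what the `analyzer::Tag::Error` default arguments in File.h and Manager.h mean. Declaring it `static const Tag Error;` and defining it as `const Tag Tag::Error;` would prevent that, assuming Tag has a user-provided default constructor (not visible in this patch). The definition also depends on a default constructor that does not trip the `assert(arg_type > 0)` shown for the two-argument constructor, and a short doc comment on the declaration stating which type/subtype values the sentinel carries would make that explicit.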
@@ -115,6 +115,8 @@ public: return type != other.type ? type < other.type : (subtype < other.subtype); } + static Tag Error; + protected: friend class analyzer::Manager; friend class analyzer::Component; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 7542d31700..40446934e1 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -6,7 +6,6 @@ #include #include -#include "AnalyzerTags.h" #include "Conn.h" #include "Val.h" #include "AnalyzerSet.h" @@ -132,7 +131,7 @@ protected: * Constructor; only file_analysis::Manager should be creating these. */ File(const string& unique, Connection* conn = 0, - analyzer::Tag tag = AnalyzerTag::Error, bool is_orig = false); + analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false); /** * Updates the "conn_ids" and "conn_uids" fields in #val record with the diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index d8d434b779..99121b8575 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -134,7 +134,7 @@ protected: * fields. */ File* GetFile(const string& unique, Connection* conn = 0, - analyzer::Tag tag = AnalyzerTag::Error, + analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false, bool update_conn = true); /** diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 840f555711..06652e37e7 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-05-15-23-01-21 +#open 2013-05-17-03-57-47 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/postprocessors/__load__.bro scripts/base/frameworks/logging/postprocessors/scp.bro scripts/base/frameworks/logging/postprocessors/sftp.bro 
@@ -26,15 +26,65 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/readers/ascii.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro scripts/base/frameworks/input/readers/sqlite.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/main.bro + build/scripts/base/bif/analyzer.bif.bro scripts/base/frameworks/file-analysis/__load__.bro scripts/base/frameworks/file-analysis/main.bro - build/src/base/file_analysis.bif.bro + build/scripts/base/bif/file_analysis.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro + build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_File.events.bif.bro + build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro + build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro + build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro + build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro + 
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro + build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro + build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro + build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro + build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro + build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2013-05-15-23-01-21 +#close 2013-05-17-03-57-47 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 3cfd9b58a7..cb92b663f0 100644 
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-05-16-00-19-22 +#open 2013-05-17-03-58-48 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/postprocessors/__load__.bro scripts/base/frameworks/logging/postprocessors/scp.bro scripts/base/frameworks/logging/postprocessors/sftp.bro 
@@ -26,15 +26,65 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/readers/ascii.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro scripts/base/frameworks/input/readers/sqlite.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/main.bro + build/scripts/base/bif/analyzer.bif.bro scripts/base/frameworks/file-analysis/__load__.bro scripts/base/frameworks/file-analysis/main.bro - build/src/base/file_analysis.bif.bro + build/scripts/base/bif/file_analysis.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro + build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_File.events.bif.bro + build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro + build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro + build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro + build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro + 
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro + build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro + build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro + build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro + build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro + build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/patterns.bro @@ -141,4 +191,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-05-16-00-19-22 +#close 2013-05-17-03-58-48 
diff --git a/testing/btest/Baseline/doc.autogen-reST-example/example.rst b/testing/btest/Baseline/doc.autogen-reST-example/example.rst index 1f60efe70b..2cb75a6b9f 100644 --- a/testing/btest/Baseline/doc.autogen-reST-example/example.rst +++ b/testing/btest/Baseline/doc.autogen-reST-example/example.rst @@ -109,17 +109,6 @@ Notices Configuration Changes ##################### -Port Analysis -^^^^^^^^^^^^^ -Loading this script makes the following changes to :bro:see:`dpd_config`. - -SSL:: - - [ports={ - 443/tcp, - 562/tcp - }] - Packet Filter ^^^^^^^^^^^^^ Loading this script makes the following changes to :bro:see:`capture_filters`. diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out index 2e1907c91c..a24c711b36 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out @@ -1,11 +1,11 @@ FILE_NEW -sidhzrR4IT8, 0, 0 +5LcdtqrLA97, 0, 0 FILE_BOF_BUFFER The Nationa MIME_TYPE text/x-pascal FILE_STATE_REMOVE -sidhzrR4IT8, 16557, 0 +5LcdtqrLA97, 16557, 0 [orig_h=141.142.228.5, orig_p=50737/tcp, resp_h=141.142.192.162, resp_p=38141/tcp] source: FTP_DATA MD5: 7192a8075196267203adb3dfaa5c908d diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/Cx92a0ym5R8-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/Cx92a0ym5R8-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/1-file 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/kg59rqyYxN-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/kg59rqyYxN-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/2-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size index 13d0c3c958..49f10feff1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size @@ -1 +1 @@ -555523 7gZBKVUgy4l-file0 +555523 file-0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out index 8ea01332c8..5b892c7e9a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out @@ -1,19 +1,19 @@ FILE_NEW -oDwT1BbzjM1, 0, 0 +Cvu8OAp0WEd, 0, 0 MIME_TYPE application/x-dosexec FILE_STATE_REMOVE -oDwT1BbzjM1, 1022920, 0 +Cvu8OAp0WEd, 1022920, 0 [orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp] total bytes: 1022920 source: HTTP FILE_NEW -oDwT1BbzjM1, 0, 0 +Cvu8OAp0WEd, 0, 0 MIME_TYPE application/octet-stream FILE_TIMEOUT FILE_STATE_REMOVE -oDwT1BbzjM1, 206024, 0 +Cvu8OAp0WEd, 206024, 0 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp] total bytes: 1022920 source: HTTP 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size index c1c1d71db7..5066aeab6d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size @@ -1 +1 @@ -1022920 oDwT1BbzjM1-file0 +1022920 file-0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out index 1ad4f52f36..886abee0f2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out @@ -1,10 +1,10 @@ FILE_NEW -uHS14uhRKGe, 0, 0 +me4WAjZH0Ik, 0, 0 MIME_TYPE application/octet-stream FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE -uHS14uhRKGe, 498702, 0 +me4WAjZH0Ik, 498702, 0 [orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp] [orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp] total bytes: 498668 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size index da0f4d480c..e38aaa1e25 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size @@ -1 +1 @@ -498668 uHS14uhRKGe-file0 +498668 file-0 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/aFQKI8SPOL2-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/aFQKI8SPOL2-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/1-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/CCU3vUEr06l-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/CCU3vUEr06l-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/2-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/HCzA0dVwDPj-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/3-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/HCzA0dVwDPj-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/3-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/a1Zu1fteVEf-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/4-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/a1Zu1fteVEf-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/4-file 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/xXlF7wFdsR-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/5-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/xXlF7wFdsR-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/5-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/v5HLI7MxPQh-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/v5HLI7MxPQh-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/1-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/PZS1XGHkIf1-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/PZS1XGHkIf1-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/2-file diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-0.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-0.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-1.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-1.dat 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-2.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-2.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-3.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-3.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log index 27fda32d84..948d737979 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log 
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path ftp -#open 2013-04-12-16-32-25 +#open 2013-05-18-00-48-19 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg tags data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p extraction_file #types time string addr port addr port string string string string string count count string table[string] bool addr addr port string 1329843175.680248 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,90) (empty) T 141.142.220.235 199.233.217.249 56666 - 1329843175.791528 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - - 1329843179.815947 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,91) (empty) T 141.142.220.235 199.233.217.249 56667 - -1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 - - - - - - - (empty) - - - - ftp-item-Rqjkzoroau4-0.dat -1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 - - - - - - - (empty) - - - - ftp-item-BTsa70Ua9x7-1.dat +1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 - - - - - - - (empty) - - - - ftp-item-pVhQhhFsB2b-0.dat +1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 - - - - - - - (empty) - - - - ftp-item-fFCPkV1sEsc-1.dat 1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - - 1329843194.040188 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,131,46 - - 200 PORT command successful. 
(empty) F 199.233.217.249 141.142.220.235 33582 - 1329843194.095782 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - - 1329843197.672179 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,147,203 - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 37835 - -1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 - - - - - - - (empty) - - - - ftp-item-VLQvJybrm38-2.dat +1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 - - - - - - - (empty) - - - - ftp-item-g3zS3MuJFh-2.dat 1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - - -1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 - - - - - - - (empty) - - - - ftp-item-zrfwSs9K1yk-3.dat -#close 2013-04-12-16-32-25 +1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 - - - - - - - (empty) - - - - ftp-item-lMf4UWRkEO5-3.dat +#close 2013-05-18-00-48-19 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat rename to testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log index 789896072f..9c891f4c74 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-38-28 +#open 2013-05-17-23-19-09 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-BFymS6bFgT3-0.dat -#close 2013-03-22-14-38-28 +1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-54zlJFqn0x6-0.dat +#close 2013-05-17-23-19-09 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat rename to testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log index 4e70587ff0..2d37e2626f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path irc -#open 2013-03-27-18-49-16 +#open 2013-05-17-23-19-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user command value addl dcc_file_name dcc_file_size dcc_mime_type extraction_file #types time string addr port addr port string string string string string string count string string 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - NICK bloed - - - - - 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - 1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje JOIN #easymovies (empty) - - - - -1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item-wqKMAamJVSb-0.dat -#close 2013-03-27-18-49-16 +1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item-A3OSdqG9zvk-0.dat +#close 2013-05-17-23-19-21 diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-0.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-0.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-1.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-1.dat 
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log index 0051ddba61..039af42a2b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log @@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path smtp_entities -#open 2013-03-26-20-43-14 +#open 2013-05-17-23-19-41 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth filename content_len mime_type md5 extraction_file excerpt #types time string addr port addr port count string count string string string string -1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-cwR7l6Zctxb-0.dat (empty) +1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-mR3f2AAKo11-0.dat (empty) 1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 1918 text/html - - (empty) -1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-Ltd7QO7jEv3-1.dat (empty) -#close 2013-03-26-20-43-14 +1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-ZNp0KBSLByc-1.dat (empty) +#close 2013-05-17-23-19-41 diff --git a/testing/btest/core/tunnels/teredo-known-services.test b/testing/btest/core/tunnels/teredo-known-services.test index 862930758f..c207d9a2ab 100644 --- a/testing/btest/core/tunnels/teredo-known-services.test +++ b/testing/btest/core/tunnels/teredo-known-services.test 
@@ -1,6 +1,6 @@ -# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: test ! -e known_services.log -# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: btest-diff known_services.log # The first case using Tunnel::delay_teredo_confirmation=T doesn't produce diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro index 317a6276e6..f7f4a0395b 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro 
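Review bot: Both `bro` invocations in teredo-known-services.test lose `-b` with no comment saying why, yet they still name `base/frameworks/dpd` on the command line, which is presumably redundant once the default scripts load. Running non-bare also makes the presence or absence of `known_services.log` depend on the whole default script set instead of the two scripts named. I would add a line above the first invocation such as `# Not run with -b: <reason the default scripts are needed>`, or keep `-b` and load the specific scripts the test needs.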
@@ -1,13 +1,15 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out -# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT >get-gzip.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT c=1 >get.out +# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT c=2 >get-gzip.out # @TEST-EXEC: btest-diff get.out # @TEST-EXEC: btest-diff get-gzip.out -# @TEST-EXEC: btest-diff Cx92a0ym5R8-file -# @TEST-EXEC: btest-diff kg59rqyYxN-file +# @TEST-EXEC: btest-diff 1-file +# @TEST-EXEC: btest-diff 2-file redef test_file_analysis_source = "HTTP"; +global c = 0 &redef; + redef test_get_file_name = function(f: fa_file): string { - return fmt("%s-file", f$id); + return fmt("%d-file", c); }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro index 1f3d54daea..93443f0ca8 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro 
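Review bot: In get.bro, `test_get_file_name` now returns `fmt("%d-file", c)` with `c` fixed for the whole run from the command line (`c=1`, `c=2`), so every file seen in one trace gets the same name. That differs from pipeline.bro and post.bro in this same patch, which count with `++c`. If either trace ever yields a second file, it is written over `1-file` or `2-file` and the baseline compares the wrong content. Either state the assumption next to the global, `# One file per trace; c only tells the two runs apart.`, or take a per-run prefix from the command line and append a counter.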
@@ -1,16 +1,16 @@ # @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out # @TEST-EXEC: btest-diff a.out -# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 | sed 's/^[ \t]* //g' >a.size +# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >a.size # @TEST-EXEC: btest-diff a.size # @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out # @TEST-EXEC: btest-diff b.out -# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 | sed 's/^[ \t]* //g' >b.size +# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >b.size # @TEST-EXEC: btest-diff b.size # @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out # @TEST-EXEC: btest-diff c.out -# @TEST-EXEC: wc -c uHS14uhRKGe-file0 | sed 's/^[ \t]* //g' >c.size +# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >c.size # @TEST-EXEC: btest-diff c.size global cnt: count = 0; @@ -19,7 +19,7 @@ redef test_file_analysis_source = "HTTP"; redef test_get_file_name = function(f: fa_file): string { - local rval: string = fmt("%s-file%d", f$id, cnt); + local rval: string = fmt("file-%d", cnt); ++cnt; return rval; }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro index 5135b03786..36743a8bad 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro 
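Review bot: All three runs in partial-content.bro now extract to the same name, `file-0`, in one test directory, so the `wc -c file-0` lines for b and c can measure a file left behind by an earlier run. That happens if a later run stops producing the file, or if the extraction does not truncate an existing file, which is not visible here. The old names carried the file id and could not collide across runs. I would add `# @TEST-EXEC: rm -f file-*` before the second and third `bro` invocation, or give each run its own prefix. This also applies to the second hunk, where `fmt("file-%d", cnt)` builds the name; b.out's baseline shows two FILE_NEW events, so that run presumably also writes `file-1`, which nothing checks.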
@@ -1,14 +1,16 @@ # @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out -# @TEST-EXEC: btest-diff aFQKI8SPOL2-file -# @TEST-EXEC: btest-diff CCU3vUEr06l-file -# @TEST-EXEC: btest-diff HCzA0dVwDPj-file -# @TEST-EXEC: btest-diff a1Zu1fteVEf-file -# @TEST-EXEC: btest-diff xXlF7wFdsR-file +# @TEST-EXEC: btest-diff 1-file +# @TEST-EXEC: btest-diff 2-file +# @TEST-EXEC: btest-diff 3-file +# @TEST-EXEC: btest-diff 4-file +# @TEST-EXEC: btest-diff 5-file redef test_file_analysis_source = "HTTP"; +global c = 0; + redef test_get_file_name = function(f: fa_file): string { - return fmt("%s-file", f$id); + return fmt("%d-file", ++c); }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro index 5db64c9ff0..79ac1cb5c1 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro @@ -1,11 +1,13 @@ # @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out -# @TEST-EXEC: btest-diff v5HLI7MxPQh-file -# @TEST-EXEC: btest-diff PZS1XGHkIf1-file +# @TEST-EXEC: btest-diff 1-file +# @TEST-EXEC: btest-diff 2-file redef test_file_analysis_source = "HTTP"; +global c = 0; + redef test_get_file_name = function(f: fa_file): string { - return fmt("%s-file", f$id); + return fmt("%d-file", ++c); }; diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro index 9ae5280757..de1025ed82 100644 --- a/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro +++ b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro 
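Review bot: In pipeline.bro the name is now `fmt("%d-file", ++c)`, which differs on every call, whereas the old `f$id`-based name was the same for every call on one file; the post.bro hunk that follows has the same change. How often the helper script calls `test_get_file_name` per file is not visible here, so if it is ever more than once, one file's output is spread over several numbered files and the baselines shift. Remembering the number per `f$id` keeps the old one-name-per-file behaviour while staying independent of the id's value. The numbering still follows the order in which files first appear, which is worth stating in a comment.

```bro
global c = 0;
# Name handed out per file id, so repeated calls for one file agree.
# Numbers follow the order in which files first appear in the trace.
global names: table[string] of string;

redef test_get_file_name = function(f: fa_file): string
	{
	if ( f$id !in names )
		names[f$id] = fmt("%d-file", ++c);

	return names[f$id];
	};
```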
@@ -3,10 +3,14 @@ # @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT # @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff ftp.log -# @TEST-EXEC: btest-diff ftp-item-Rqjkzoroau4-0.dat -# @TEST-EXEC: btest-diff ftp-item-BTsa70Ua9x7-1.dat -# @TEST-EXEC: btest-diff ftp-item-VLQvJybrm38-2.dat -# @TEST-EXEC: btest-diff ftp-item-zrfwSs9K1yk-3.dat +# @TEST-EXEC: mv ftp-item-*-0.dat ftp-item-0.dat +# @TEST-EXEC: mv ftp-item-*-1.dat ftp-item-1.dat +# @TEST-EXEC: mv ftp-item-*-2.dat ftp-item-2.dat +# @TEST-EXEC: mv ftp-item-*-3.dat ftp-item-3.dat +# @TEST-EXEC: btest-diff ftp-item-0.dat +# @TEST-EXEC: btest-diff ftp-item-1.dat +# @TEST-EXEC: btest-diff ftp-item-2.dat +# @TEST-EXEC: btest-diff ftp-item-3.dat redef FTP::logged_commands += {"LIST"}; redef FTP::extract_file_types=/.*/; diff --git a/testing/btest/scripts/base/protocols/http/http-extract-files.bro b/testing/btest/scripts/base/protocols/http/http-extract-files.bro index ce9d3e7e04..6156009821 100644 --- a/testing/btest/scripts/base/protocols/http/http-extract-files.bro +++ b/testing/btest/scripts/base/protocols/http/http-extract-files.bro @@ -1,5 +1,6 @@ # @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT # @TEST-EXEC: btest-diff http.log -# @TEST-EXEC: btest-diff http-item-BFymS6bFgT3-0.dat +# @TEST-EXEC: mv http-item-*.dat http-item.dat +# @TEST-EXEC: btest-diff http-item.dat redef HTTP::extract_file_types += /text\/html/; diff --git a/testing/btest/scripts/base/protocols/irc/dcc-extract.test b/testing/btest/scripts/base/protocols/irc/dcc-extract.test index 8a6680f99b..71ab1b0900 100644 --- a/testing/btest/scripts/base/protocols/irc/dcc-extract.test +++ b/testing/btest/scripts/base/protocols/irc/dcc-extract.test 
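Review bot: In ftp-extract.bro, `btest-diff ftp.log` still compares a log whose `extraction_file` column carries the generated ids (the updated baseline lists `ftp-item-pVhQhhFsB2b-0.dat` and similar), so the test stays tied to specific id values even though the extracted files are renamed before comparison. Stripping the id before the diff would remove that, for example `# @TEST-EXEC: sed 's/ftp-item-[^-]*-/ftp-item-/' ftp.log >ftp.canon.log` followed by `# @TEST-EXEC: btest-diff ftp.canon.log`. The hunk starts at line 3 of the file, so the first test lines are not visible here.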
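Review bot: In http-extract-files.bro, `mv http-item-*.dat http-item.dat` uses a wider glob than the sibling tests in this patch (`ftp-item-*-0.dat`, `irc-dcc-item-*-0.dat`), so it does not pin the `-0` index. If the trace ever produces more than one extracted file, `mv` fails on the non-directory target instead of the test pointing at the unexpected file. `mv http-item-*-0.dat http-item.dat` would match the other tests. `btest-diff http.log` also still compares the id-bearing name (`http-item-54zlJFqn0x6-0.dat` in the new baseline).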
@@ -4,9 +4,10 @@ # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT # @TEST-EXEC: btest-diff irc.log -# @TEST-EXEC: btest-diff irc-dcc-item-wqKMAamJVSb-0.dat +# @TEST-EXEC: mv irc-dcc-item-*-0.dat irc-dcc-item.dat +# @TEST-EXEC: btest-diff irc-dcc-item.dat # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT IRC::extraction_prefix="test" -# @TEST-EXEC: test -e test-wqKMAamJVSb-0.dat +# @TEST-EXEC: test -e test-*-0.dat redef IRC::extract_file_types=/.*/; diff --git a/testing/btest/scripts/base/protocols/smtp/mime-extract.test b/testing/btest/scripts/base/protocols/smtp/mime-extract.test index 54e50d0459..149fcf67c3 100644 --- a/testing/btest/scripts/base/protocols/smtp/mime-extract.test +++ b/testing/btest/scripts/base/protocols/smtp/mime-extract.test @@ -1,10 +1,12 @@ # @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT # @TEST-EXEC: btest-diff smtp_entities.log -# @TEST-EXEC: btest-diff smtp-entity-cwR7l6Zctxb-0.dat -# @TEST-EXEC: btest-diff smtp-entity-Ltd7QO7jEv3-1.dat +# @TEST-EXEC: mv smtp-entity-*-0.dat smtp-entity-0.dat +# @TEST-EXEC: mv smtp-entity-*-1.dat smtp-entity-1.dat +# @TEST-EXEC: btest-diff smtp-entity-0.dat +# @TEST-EXEC: btest-diff smtp-entity-1.dat # @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT SMTP::extraction_prefix="test" -# @TEST-EXEC: test -e test-cwR7l6Zctxb-0.dat -# @TEST-EXEC: test -e test-Ltd7QO7jEv3-1.dat +# @TEST-EXEC: test -e test-*-0.dat +# @TEST-EXEC: test -e test-*-1.dat @load base/protocols/smtp