From 42d6440bb26e331ee3007a6ef189287644ed996a Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 9 Feb 2012 18:34:41 -0600 Subject: [PATCH 1/5] Fix parsing of FTP EPRT command and EPSV response --- src/bro.bif | 61 ++++++++++++++++++++++++++++++++++------------------- 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/src/bro.bif b/src/bro.bif index 00d77e510d..2a0cc914d1 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2532,7 +2532,7 @@ static Val* parse_eftp(const char* line) RecordVal* r = new RecordVal(ftp_port); int net_proto = 0; // currently not used - uint32 addr = 0; + IPAddr addr = IPAddr(); // unspecified IPv6 address (all 128 bits zero) int port = 0; int good = 0; 
@@ -2542,33 +2542,50 @@ static Val* parse_eftp(const char* line) ++line; char delimiter = *line; - good = 1; char* next_delim; - ++line; // cut off delimiter - net_proto = strtol(line, &next_delim, 10); // currently ignored - if ( *next_delim != delimiter ) - good = 0; - - line = next_delim + 1; - if ( *line != delimiter ) // default of 0 is ok + if ( *line ) { - string s(line); - IPAddr tmp(s); - uint32* bytes; - tmp.GetBytes(&bytes); - addr = *bytes; - if ( addr == 0 ) + good = 1; + ++line; // skip delimiter + + net_proto = strtol(line, &next_delim, 10); + if ( *next_delim != delimiter ) good = 0; + + line = next_delim; + if ( *line ) + ++line; + + if ( *line && *line != delimiter ) + { + const char* nptr = strchr(line, delimiter); + if ( nptr == NULL ) + { + nptr = line + strlen(line); + good = 0; + } + + string s(line, nptr-line); // extract IP address + IPAddr tmp(s); + // on error, "tmp" will have all 128 bits zero + if ( tmp == addr ) + good = 0; + + addr = tmp; + } + + line = strchr(line, delimiter); + if ( line != NULL ) + { + ++line; // now the port + port = strtol(line, &next_delim, 10); + if ( *next_delim != delimiter ) + good = 0; + } + } - // FIXME: check for garbage between IP and delimiter. - line = strchr(line, delimiter); - - ++line; // now the port - port = strtol(line, &next_delim, 10); - if ( *next_delim != delimiter ) - good = 0; } r->Assign(0, new AddrVal(addr)); From 74899e29febcb8f76561ed12b5b5dfaa44c047fc Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 10 Feb 2012 16:55:15 -0600 Subject: [PATCH 2/5] Update FTP EPSV response processing for IPv6 --- scripts/base/protocols/ftp/main.bro | 2 +- src/bro.bif | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 9e16804a32..e9783e4df7 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro 
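Review bot: In the rewritten body of parse_eftp, an argument that ends right after the protocol field (for example `|1|`) leaves `good` at 1, because `strchr(line, delimiter)` returns NULL and the `if ( line != NULL )` block has no else branch. The record is then filled with h=:: and port 0, and presumably reported as valid. Adding `else good = 0;` after that block closes the gap. The port also comes straight from `strtol` with no range check, so a guard such as `if ( port < 0 || port > 65535 ) good = 0;` would keep out-of-range values parsed from network traffic out of `ftp_port`. The function starts and ends outside this hunk, so the final use of `good` and `port` should be confirmed there.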
@@ -270,7 +270,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior { c$ftp$passive=T; - if ( code == 229 && data$h == 0.0.0.0 ) + if ( code == 229 && data$h == :: ) data$h = id$resp_h; ftp_data_expected[data$h, data$p] = c$ftp; diff --git a/src/bro.bif b/src/bro.bif index 2a0cc914d1..54038f330d 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2613,7 +2613,7 @@ function parse_ftp_port%(s: string%): ftp_port ## The format is ``EPRT``, ## where ```` is a delimiter in the ASCII range 33-126 (usually ``|``). ## -## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``. +## s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``. ## ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` ## @@ -2653,7 +2653,7 @@ function parse_ftp_pasv%(str: string%): ftp_port ## The format is `` ()``, where ```` is a ## delimiter in the ASCII range 33-126 (usually ``|``). ## -## str: The string containing the result of the FTP PASV command. +## str: The string containing the result of the FTP EPSV command. ## ## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` ## From 278704f7a366546f915d8638f9fdef5caa8c177f Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 16 Feb 2012 15:17:55 -0600 Subject: [PATCH 3/5] Add a test for FTP over IPv6 --- .../conn.log | 13 +++++++++++++ .../scripts.base.protocols.ftp.ftp-ipv6/ftp.log | 9 +++++++++ testing/btest/Traces/ipv6-ftp.trace | Bin 0 -> 18679 bytes .../scripts/base/protocols/ftp/ftp-ipv6.bro | 6 ++++++ 4 files changed, 28 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log create mode 100644 testing/btest/Traces/ipv6-ftp.trace create mode 100644 testing/btest/scripts/base/protocols/ftp/ftp-ipv6.bro 
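Review bot: The `::` comparison in the ftp_reply hunk of main.bro has no comment saying that `::` is what parse_eftp returns when the EPSV reply carries no address. A line such as `# EPSV replies normally carry no address; the parser then yields ::, so fall back to the responder` above the `if` would make the sentinel explicit. The same value presumably comes back with valid=T for an EPRT command whose address field is empty. The request path is outside this hunk, so it is worth confirming that it rejects `::` instead of adding it to `ftp_data_expected`.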
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log new file mode 100644 index 0000000000..6bab9332c8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes +#types time string addr port addr port enum string interval count count string bool count string count count count count +1329327783.316897 arKYeMETxOg 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21 57086 tcp ftp-data 0.219721 0 342 SF - 0 ShAdfFa 5 372 4 642 +1329327786.524332 k6kgXLOoSKl 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21 57087 tcp ftp-data 0.217501 0 43 SF - 0 ShAdfFa 5 372 4 343 +1329327787.289095 nQcgTWjvg4c 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21 57088 tcp ftp-data 0.217941 0 77 SF - 0 ShAdfFa 5 372 4 377 +1329327795.571921 j4u32Pc5bif 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49189 tcp ftp-data 0.109813 77 0 SF - 0 ShADFaf 5 449 4 300 +1329327800.017649 TEfuqmmG4bh 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49190 tcp ftp-data 0.109181 342 0 SF - 0 ShADFaf 5 714 4 300 +1329327777.822004 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 tcp ftp 26.658219 310 3448 SF - 0 ShAdDfFa 57 4426 34 5908 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log new file mode 100644 index 0000000000..670855414e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log 
@@ -0,0 +1,9 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ftp +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags extraction_file +#types time string addr port addr port string string string string string string count count string table[string] file +1329327787.396984 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://2001:470:4867:99::21/robots.txt - - 77 226 Transfer complete. - - +1329327795.463946 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://2001:470:4867:99::21/robots.txt - - 77 226 Transfer complete. - - 
diff --git a/testing/btest/Traces/ipv6-ftp.trace b/testing/btest/Traces/ipv6-ftp.trace new file mode 100644 index 0000000000000000000000000000000000000000..81313fac11b5270986b03b04c0aaeb8e7ef6fbd3 GIT binary patch literal 18679 zcmeHPdwdjCmagt}0we?wQ5bdC%Oj9Lclwc#M+2G=fRGqRCiaBmVVjQAqixM zs5?FY-y_QEsQB1*#C7oPPmzf-?u_n?KW7D%aX^^`M;@z-JGv|CWWQ6ltNM{ficS5w z{YxdO>hAm9^PO|g{qE^oy?4*E+s%SSP#*&Wf?&eQ_RnW6{>!G3f*1eO@u9=J;LR6) zWzCrteDcNvYj8!d=G8EhC3^8W!!LeoTj5Wi>@B^7&KI-`+vsULCiYJh&YQaF$E)dN zr+Hvt-YtS)w&Xr+%E>XAOvCftrejU?oW;x$ueFZS5IGjd)ex&P5i)xqoYy}wFZMrE zfVyVq*fB!+A2h@~LIjwJP%UPYiEKOt#AUchM;05IZX4GCwWx1QU!&y^Ah>NW6WSv{ zIsT#`+>H}DGVQwP3t?5BUb~9OuD%IEUH^?7g%DuR%PyCLwZ)^QO;UWWXI^O}*3Ra) zHZxg@t&?J`m|wQx6@KP&I312Mm!pKmB+=hfT9{8=T=xd>e6P~0a z3;j!U)9(fSQKEnM^BffoTHL0S_m-78*=3!Q9B08udmzjrYppEa6O~v`q%+3CVn|}5 z%%Y+!cST};P)^T!wcR#$6fOFgxP`P2rY z&>NMRFA@&p{eg9O1x`9+@JebXF>s4EtVYAs-U1uyNh2y~< z=IM+^(I>Fd92Dbikr?`kSJ-BxW7%yC?X0oc8JniI)XSLYi^Re!Tou+b*D5O$gYA(R z{fTyn_!IJ1l!FtzEag#bUukFP7cSXXrnH2Y2inCI)@am6EyaBJ6&GUxEAvX;NVmdm zdP{a#MXj%)*3+7Tmt`ySNpf2N&G;f-F&MWpKT>tbC(8IYvr~)NVq7ax8cZ?;IBA`C zg%}H2LxHGFU9-v^W$0cW6XQZ95veaZIZ4!k>1 zR#l+|PFhpNt4m85v5w!&o=O$Y1Kv=$3q}TdBH;ko33i6XiYjEx#3QXG#!3+e_BHfe zdP5=6w<1LE!+sbGNAwZ958SO9@S{IU1n?l@o1;TzQhECE0?aZck zmMUimN;^{`GtF^fsY~XKP*1>4Sn7@|W<}bF{gifk=isrpq@-ldoD#MYuA}oLNztH) zK_|uok+93kq9G9+MPpLb%49L@k46Gvgn`gwclO;P01^g!X5tg`#}sX6%62G%WwiA;KAMvgM(=?N_aDHZ8> zq^2UoF&@RN7~=wYL^)Hv?vW%$QlU%o%7Hl4LY#HP<59QW-qqEWqUtDZC=Ym=S(Oe@ z1gQPhB9bkaNQxkz1(jJO9uvcI8zLIo$d9xV3gNHJ16pYhA+$m1k@5?}ws?Lcf)n=g z*_K{Ze?{}+mR8oZxV53Kp7)&pZVpPKEU|C|J&$*w@06AizB0`@@s5DZ#V8qusVOdE z67$7+qVY(3OpJB}e7qGo(iZO$WBfI-NHB=R-bup{O-QW1n;K=c{!kzskYNu2U@mO$ zMDACxitB4zN}#Q%tNeFUBn(;;UC^2ji9JZn%pd6r2P2{%D3KV803+5FfEAJgq+I2# z#3Y+`4P!6Dit&2<5h3gdSqxGGF-Z>iF)snH1ap)Zvq%F-x3b27w?|A&tDa6jU21|Q z9c*C)S>1{mHWm=61u={{nz}(#b~qmEA&@T6)1eTswA53|Iz(t%GEfS6#aMd;-E4;z zkkibb+oKs52)9$yoihC+ivd4VX|R$u#bkw8YmZ41Jr6j*^Y$^DO6^EB2q6TF`ch;e 
z*a<7uC*Us_shlc~S6_%w;O!)Ji#5fW6b0}wxUwpipN>i5gtsGif(DfrSOnh_U&`em z;sFF8PzQ-{(TAy2Cg;Rs0VpDhNiiA?(z1uriuHPvQOQd-&FvfWW6ytFqb09DtI2Ek zPfVI5&Z5Dm>ek>J@(2YQyz;4Z6wj5OR&LR%X*otLc7TIKc^%2`2insT<)2;7nQUoO z!xgL*D;zg#tYXWMSU{~ip#C#W}_heH|!}X|Z$cGnImGTU4SiD#Gp@5sWCDj?L$FJ%xVN`=W~HO5qPK+iYSmtY#`s;}xg0!~ANd!Jfrnsj0r7lj zpG7OWW{F@uW!^~#|60&=crRL1%DlPbw4!UG%sW76N|~1s<=#9EF_Ue)%z9?F5B{}( z(g!ZvT|nKpb8Mfmu|h*kDf13IL}gw=topkl=K^lyKA=*mt?`$$6HJ-~rKn6OyMUrr zzOpc>f12n1Lc~_xmWEQ$*g(@fVZB^5T(}iv(UHj^O3KU6%%M^$M_eFc@1ux)Em1r~ zgCpIr$~n`)7DuHp1#GRSuAza2C`$b(ZIFsr3QSO85Q=P?-5UtogYq<}D(akPszC|j zJ_PPs(Cs+L8&UE*&mBg*qo485Ed*vBjiga!Q2J-4sTB6U@0+v~m<6n23US zBo1+3UE!>B73K$HUETC!>!vzeEE0(`sB=jQk{nkaWiD3R+0L953`KTFH7gB4dy4H6 zvt7cXonAYy?%6SO&0ADo%GVUOgcL5!_w&YW)P7mE_GdaX+Lz*3IoV=e$`2}I=vIZp zfv%u{;g$W2l~=o*<>i;T)|jMEMHQ5b zem=q&`NI8$h%M<&LmAtIMIMihyhR1V?Et1DlS9atE6<#n6Y}LbMC@Y}u@@v3XJ`-+ zJMyNpkuPn5Aj+kvB9VY0!W+=NArj6L(PIeR6Cm9F!4n!4C#j2svY@FzxDF?DWRQ^i z-=l?vXC~nw4yY|C3qlC~It zf?2tsQA7C>aiK8w@X3+J%*rR!(Q@-fjWHT6Cr>vk6O#vlKE$Zd215=l_iH{lPqnd- z>L$uyVBaQDh7=X65ET%+$R=cC&7ruja zhEg@dPMD$g8{)I4VCMw*Z0`F%Qtcd71(VJtlxr?D2`COLM;11ny4mC? 
zU~`XJJvVa{D(_)kl3Y9x?9zU-=EN+t7VD;U0%(1WXniV?rpPcipk2-~R$0lZ{1ea& zq4G6Q$w1|TeVFyQj2ZQ)N@ddX?D?@nR1D>0~bNN2Cs%RcPO6B>oz>uq5Q$7~1{q;xGRYfk|_qZnB z5^_;NQ{*DqHFnfct6d)p{Zp0{_>Kd0Imt!uRt+&lE{+~Wa*+_P2I3Hzws5l2A4I6_$j6v`uXWH6F@$95rfW=0YLc7g(oWaJx1HAXOVj$XeM`$%mlWQF5y zHa&k{K*qL$NEiMujkm8)JI^?cd()rxu6HTKY#TZ;T7>$mK}^vjsKWA`I+}=4B6J`H zB?~b+geE7(U#$=Wp~(`HJs}V=ij!X&vXhgxxD{Kl0L`@JfnA28Kxl6NL__&hW$eyn z#*}|@wyJ~c?|;EjfIx%m$mxV8G5I~vhnTmx(4^t=G?=V;Z@y~d7>IX1T%_eAjLBOZ z1$pbYccr7yN1B83R=1cmZb-rCMlfDM`j!=I)KV~hN)#SHm2ZsVd>RfsLfP@g%QX}@ za7+_PBdTsYs+<*0r^``R#dF>L-{u?Ryd!Yl8*tv-f75FIV`wM+xaVNssyB0taUMs3 z^B#Fqb)M}TLK&nu33l~0xyC5YH$dyxMC)dh@Df6PvfFI?Mpc}Ib^vIGjDxR1<=dcg z!SjDqjV$%S$jOAVb8W7$87FjP5${WNi+7F!Du4D-I!b*rc8m48dJ!&8cX_45?QC;8 z-Br#ux39Xo+U>6{cZ*`B&+U@Rq~7vsXH_-!98%Xl8aqsgqg!-jj1^ipU2^6bEwOHT zd+Mf*Gl=f%f2Pqr#ceM2(Yi_LUSca8Z6uLHgg?nxhAn50a;t)(Rels(6qLMnLs1|{_xz`33p^w!C_D0use4*V z)xqWagrks8$Tz2xqr_zOuw+FtgGszym%oxxF&|9UJlm<-=sm4JFVe=}mxs=$v?|h9-tJ{2OWo9|K7Gj8yr#O?*lEqFvsf!PV zrC>8mY(8?IX6JU;X(g1^u91c)(v2JiY;O98bdij?~BF8W|dNN<7@X#SY9U0W8^P=VA&DBBJuZ{N(~YTcXIHgXg=;j8hg z6F3Ur#P%|i*R|zq|ewp!Smty|Pq8Ovuoh4d{#_LkV%&@#H5lS!~oJL%EIpKz)@G?bc7U z$bk&4*+3|<6DC8p16sBqKJTFT?0H2)L44MXN|m8!u^o^)_Z2#4NZ{Uqz}j$HRzeqAR zWLw75cEI!BAB^(#9XW<jY~9YkybuEod72$ue;Njdxkbr-uMW4qvm1M z3`jk?&9zI^ydiE)q6{ha#v}H2QG&kbZ#W7NC~tha3%0nP%r)fm-GnWeRzJH+wPguO zY}=Bh4cJ^oSeLg9)37ouqVk#EZ(smt@Y+_I3?6z&v#7#tUUH4g<-|8I5Y`*O8f(J7 z2OL?j{;0Q9XTeP=!1|F;*VdPgMO&-q(WZ0U^Vx>G;*}le%1xy*3U;{djCJ9=HJmfc z`DbtR4GAtrJG#`HB3qSR+&}p4a!PEY2Uzt_Yy2o; Ii>ZD83rTW1%m4rY literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.bro b/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.bro new file mode 100644 index 0000000000..7ce31808c9 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.bro @@ -0,0 +1,6 @@ +# This tests both active and passive FTP over IPv6. +# +# @TEST-EXEC: bro -r $TRACES/ipv6-ftp.trace +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff ftp.log + 
From d61fad4f9ebb338129264586bb7330a4d69a2a6c Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 17 Feb 2012 10:55:17 -0600 Subject: [PATCH 4/5] Fix IPv6 URLs --- scripts/base/protocols/ftp/main.bro | 7 ++++++- .../Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index e9783e4df7..db9e030c33 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -165,7 +165,12 @@ function ftp_message(s: Info) local arg = s$cmdarg$arg; if ( s$cmdarg$cmd in file_cmds ) - arg = fmt("ftp://%s%s", s$id$resp_h, build_path_compressed(s$cwd, arg)); + { + if ( is_v4_addr(s$id$resp_h) ) + arg = fmt("ftp://%s%s", s$id$resp_h, build_path_compressed(s$cwd, arg)); + else + arg = fmt("ftp://[%s]%s", s$id$resp_h, build_path_compressed(s$cwd, arg)); + } s$ts=s$cmdarg$ts; s$command=s$cmdarg$cmd; diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log index 670855414e..8bc2ef2cb7 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log 
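Review bot: The two `fmt` calls added to ftp_message differ only in the brackets around the host, so `build_path_compressed(s$cwd, arg)` is written twice and the branches can drift apart. Formatting the host first, with `local host = is_v4_addr(s$id$resp_h) ? fmt("%s", s$id$resp_h) : fmt("[%s]", s$id$resp_h);`, and then a single `arg = fmt("ftp://%s%s", host, build_path_compressed(s$cwd, arg));` keeps one URL template. ftp_message continues outside the hunk.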
@@ -5,5 +5,5 @@ #path ftp #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags extraction_file #types time string addr port addr port string string string string string string count count string table[string] file -1329327787.396984 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://2001:470:4867:99::21/robots.txt - - 77 226 Transfer complete. - - -1329327795.463946 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://2001:470:4867:99::21/robots.txt - - 77 226 Transfer complete. - - +1329327787.396984 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. - - +1329327795.463946 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. - - From 96df1bac408d150a6269fafa1fbcaf25a60a2839 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 21 Feb 2012 11:18:43 -0600 Subject: [PATCH 5/5] Add test case for FTP over IPv4 --- .../conn.log | 12 ++++++++++++ .../scripts.base.protocols.ftp.ftp-ipv4/ftp.log | 9 +++++++++ testing/btest/Traces/ftp-ipv4.trace | Bin 0 -> 12078 bytes .../scripts/base/protocols/ftp/ftp-ipv4.bro | 6 ++++++ 4 files changed, 27 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/ftp.log create mode 100644 testing/btest/Traces/ftp-ipv4.trace create mode 100644 testing/btest/scripts/base/protocols/ftp/ftp-ipv4.bro diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log new file mode 100644 index 0000000000..bcb05ef415 
--- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes +#types time string addr port addr port enum string interval count count string bool count string count count count count +1329843175.736107 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 +1329843179.871641 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 +1329843194.151526 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 +1329843197.783443 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 +1329843161.968492 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/ftp.log new file mode 100644 index 0000000000..debc093771 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/ftp.log 
@@ -0,0 +1,9 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ftp +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags extraction_file +#types time string addr port addr port string string string string string string count count string table[string] file +1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text 77 226 Transfer complete. - - +1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text, with CRLF line terminators 77 226 Transfer complete. - - 
diff --git a/testing/btest/Traces/ftp-ipv4.trace b/testing/btest/Traces/ftp-ipv4.trace new file mode 100644 index 0000000000000000000000000000000000000000..02cac6f46457d75fec4ef38d4bfc577be97c8721 GIT binary patch literal 12078 zcmeHNdvp_5dLNlb9D}JL;goIJo=XbY4w5a)wlFRPY-5Up!Njsdh#l})8p{GnBW6a} z26p3wY#t<#Jxk7R357tjZAecxgavQOCT+7N4evY`0)$rrge1E?3#8dRP6+*dcQj+o z$Woza|E!L$r5TNW_xpa|^WK@??)l}`EMc%pebUbmaU$t)+{%WKGH5Fjf$< z1`pXaI4e8H(fZ@rblx#&(9jb=K7OAd%)>Da9aG2W$TI|ChTtB0M+>16x-fc=Z~SiQ zOQ5fNX;hvt0ly|>LUTB>bAaKX83t!L9EAQ2zOTkf8Yyy@dEel2Z?Va}4l{h!na6b-c*yPOoD|e9nFMg(bivW= zt8HXrRF3vU-w>! zr6ufdgr0JM<^zkvuDXxq<~Tx(Nu z^Z4Bz9You*bEcBFlNhIgxN!7M!dx8CNTF@I_W(zHU_eCBw(oTV@u?RGaekH0$22IF zn?vARFWn?i)bPmRfoBFuo=_U z^y4<6p9c+Lq9Hcj6#CZ?j!Sy=@=d~LLj*qTwjFZv!WSfI2bj3EAkS_ukjG^=^+x9{h}rX7!2Pi1-fK8z-mHTkCW9@Ia#x>DmRBP;34fXmHFjp z6u%EG#}zn;D`2>X$sKgbz%Qq9+NlH8MKwu@N*eR^sG1Z}S&bZ3Wkn0cBgU2H`-0l~ znufWx}6I18I`W)tf|XS# z^Gj++2rz!RT?}hZ7CO4Lkx)z}(VS{$Da7lH zwUoNu&dF{!4y;nOxfZ!x`E654C<|5mL}$$3kEeFx*P+r1ujx1zsDi~sg^XCoe^#7K z6^=vgk!Tl`4E4y-5ZDRFqoTJ0*(~w0ATd@1Hz;nS@2o%((ccoG-|4iInts{IA`z)a z(y?qnZ~=Pd+i)0*ERRUZQ1JV%P&6PZ5RzWNnM%Jb;zw}GV#YnwVz{W(rRpFg3D}8B z-5OU*?jZJ)a8^yjtD&&4aN4v&)(X?naX(41u!x`&wU8Y3I9V(rf}@xs#hgqPqk)(l zioy*Hnes^{D3;IKK$J7z;!SEhH$GE?p~QzyQ326v3{KkO^p>T#K$3TvQJ0`mjU!r| z-|KiKhc9f8R{<-4FCq5$k-?Ntk{Fe~E~#A& zX{df0>(sPZWpQy=S65P}L7~Q9V23%m0K{5Ct$xDT0*Oj1azL18UQH3BY6rXkbv=Mk zj6_7LQGb3VV=XzvYss3_S`xmsH_tI@$&%Dsa`8a6P%}v2!(K}Um4EyV)siM#YZ$)O zs3oJ&Q6^eKs(QbU22|Zqxz2Enm7F#H58+ras~%1Vo9NY%E~>p}enVpuo7d1(S5vFA ztN))LmPA!zQ5o!No#29JxI7LAa_N>vKYWDvchD{p>&0yg~TV~XLS@sa+&84Q!*>S^>`D}Owr6@m;e+> z4FyndFkc~RPdlnZ9UQ~S>O<{4VxnC7;sH7}51MqcIWn@f6O~g5iG(0VQF}=YD#cMv z>7hxwKu;$ppt;Cb#5zUvjHI9xX&05C3^9YK@v24b>K;?MP&7!;ag{!(Vkp228l2P* zq6i@#f{G;3_m~dT>-eaWQV=NwZVsn5E=6{Mp3u_x0``KE{E!>oxDc+OiP$0Tv0n7*^q zis)PDYtkj%^p7`ZSR{Nhm4d(dQ)?qB)2eejwY(cfTY`U|r=*-U&#SwKHDP5?$?7ZE z-AG`dr!vu7TGv>*2rH^`GLiKbSM3p-YTL)}mS+)J9cN6{&JtM{L4SpqlZmXiIb!dC zh#>11egkn6EfR9DNVq$fa@pT{85c*)Q^C 
zjwWwAa8$nSK*)=48GZxX4yW$@$$9m~#{EE__R^?cVLEC{>bAqCmucI9&>shS8YTpx z?4gIb+-GfaPs0ocXkB&9X)>`Fs&K?lfJm!98Y#=mO7FXzTl=b9=N6vx(jP5|W9#cE z%t+Ga-wzkCC&5RG=PcFEk>~86YV({G@SIo3bAI)hjthYA!*lkQl)G6&Op21@RQYP^ z>R5!_CV;k|Dj{EdA(J85vi#!qP_#I#<|8waAl(oo4P~^E@g7%jwLw{8hv^kK&kpW9 zZKi@pNEkx={PJ+&@34VI!={?xSfiaM)%H0J)eOoQ z+f$L76IQyq>Ce?oYfD9zHHOM1Nnt8g{8j2nqyg#@ecxb8CzAdh1G*iQJrk4(=lS(t+^HOKkX(hOWY;bn!o|1|gQ$?S?35+S}Ct zW99CW@(S;iayCn9XPy$~F0Cwav#{z4H&zt|SD15hohE0R6I)igPSC?X=Rj0Uo@}K; zk=tcWEz-JCGRaO?VJFk_*3AtBiy)Al?g(1#)Wo=*MrIBF_C>3m2(jc!5~8&xWh49^ z;oi6{21V9y zd1TouG)2~a9$A&9?AZ0vBkS1%Nr=~Lv2n229ld$5*k)69imao*gT?-^A#I}1!~XIS zE@O|uZ&LK{??rlh1Urd(>DaoBWNcbEzn0bI<`D8BWw>xRPSQx>dG-!J@%+RY8_)Z} z^BziYd)rJ|CpcQSZbK~d76Lo88ugEL;FxB~Q`34JaeS1^Z!he7!0{>Kc;QS_et3#7 zfe_~aF+;+Ce?UfbL@=`LDJ!DhDiH3Y^|={Zg&lpIkBE(rQ{V$k3o~DIS@`I?(N>`Z ztpZ7L98%l~RcYAD8SW=6`vYnBs%+T%;+0b^KdgTnWl=Beb9N;c_N{y9Jlz2xbHZi%6PJ>o`Mg_es~zRP;z-yyGyT7}?;1GNfU z_fV@q@{R|3n&?FKTXu;vvE0Ul3p2b%twR25ro8VE354heq7Mf&Y~1Dvwcg{Lfv|y? zh$Wo?c+T7z7Q_jSwM~tv2K_0Urnq`_gzzZPX`}?zik+v)iPm_mP81snCptk+^qVF6 z6!uLv`J}s>X#G+J=5n@>u~&OM4GCacLP$a*h6OgzzL_Y1rfvga>w>;c`_P za-Gsm^%|LqO8&lQOu3Mlw!YJh+b}NF?5I}BZqJz+Qn3Rfcj0r97F=ODwjFBi*00-F zc({1uAYK|NGPxc96wWK4L^3B=C=9zThO5cH9ZdM3M;QR^#QYttW-v>t)lc_H6i^l(JS z?;+#c>yz&4U9Z+7pmh<|pNUu?Bx)y_`3xa`4#f1;c-M#IIFH?DIF4S8V+#z2UK2GD z$)V4rtHv}_0WxzMAD~L{0q1w+0Q}0F-+ng!i}?K-h?@uhS-Mi$GLJyjVPZJ{F z1S}~lah8;Mu;6uL0bK4ZDJ^l9d36Oojyr@lTuH;0b@GJ9jejJX{-N6DJgY&|HKJ)9 z){+T#B$}Qkn)sA_XBC@K*z=)HosM`oLDgUKa-JGDs;D*1%`QQ@F|2ePIE zq}7Dni*0g02=qQm2hv}f{39J~?<2&Ow+~9Ubj)_F*))lmc;?iAh^QkPLetQm5dVMa zXe?L%luJjl(_^qxHC%y)Ezr?Cl`kis`s$L+r~2NVbm15Z>gR#C%}Cfo{zQoDk`b@d zmo6ORzJ!A6f8A<%Li{-p)9!&ZLMWkAGmJq)*dsn?zcy0(15$JbJuY1o# zq+Xk6?!Ou`xZj}HOaF1u|0@b*|1OiPEReN_v<|KxoT0LBuH~WpwT=E`2K_4&djXKI z8i-u(h3jRs1gB8(X@_#>yqIl1omxtJUOrwxf0D7<*->RWZ$SSLO}$ zb6kGa#z^k?-OC0OBeQ0h@=t*Lvk7r05ZiD-!xr!;wO+^#k82tb5sU;!n1~bc``H6m z_A+d3yGwNqHvGk~{`su_i22_80eR1oSFAiO8w{Q%5l?Fp^U+-3X=3KmPWm0kd_G)G 
zBSpVj?**=3n@zt-VC*(3?UmRtpu&T>N@>oNwHr<0`|n{lQsqytKiGEeUpq)1s`5j& zrLXdY-UamZ3wuEz1^TP}`h%BGKRNwu1TzGw%2)nJa+Tj%g-LmpC*=1J56`gXJQ62U zbZ)en;x?FKDw*QNWjZxLtRs4o^XUJ5%}H{dgIs3VTU}(J?nCD@2(6=(vbKyg<@6kXpqGVuqs zhL0vp9EFK@q3E95f;KVXqYY$ULcBK_@p>uT#VJJ5eP)kUVL}}9R$3Wh6yI%J#;F6y z*oRtoZp*1u8Cw=*+*kUT5WkEWh>2W06_MFVxvaL^L|jNNNHVV2mV|h{TK7R~tOTKT zf2||OX&}Uf6(cg#x}$H9;{>~HA<}7tNEe=!O*jsP$ij5Bj%HFZQyL$jT6dANVea20 zvC+%fKzd8~040{XYe2m9jS-m^HJ@u`fhI8@W{vlb*m zoT8DkII9!{;^Yq7qm#>e!AUixjrS5=4}Lq>(b^Zl{Z2eONw_D0n}LB(xxD6HPJ)4I z_`}1*Kuv`yFA|e5mk?`ERlmaljTA{Qed{1et2WrI_b`|Ad${Ah-LxK;l!r2B4o zbfg0h&GDOV{Mi&0i%H!1W?gtJwxqmF-$A1XC_Str6qbx@jQ^(McH!Ea?n(xcMWc!SR-JYj*AU!?~8)*x@qtkEp|D*prbJfZ0T literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.bro b/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.bro new file mode 100644 index 0000000000..5cb8b808d5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.bro @@ -0,0 +1,6 @@ +# This tests both active and passive FTP over IPv4. +# +# @TEST-EXEC: bro -r $TRACES/ftp-ipv4.trace +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff ftp.log +