diff --git a/NEWS b/NEWS index fa36d249f1..550657d6ef 100644 --- a/NEWS +++ b/NEWS @@ -86,6 +86,20 @@ New Functionality redef LogSQLite::journal_mode=LogSQLite::SQLITE_JOURNAL_MODE_WAL; +* A pseudo protocol analyzer StreamEvent has been added. Attaching this analyzer + to TCP connections allows processing the connection's stream data in the + scripting layer. One example use-case is interactive terminal sessions over + HTTP connections upgraded to TCP. + + redef HTTP::upgrade_analyzers += { + ["tcp"] = Analyzer::ANALYZER_STREAM_EVENT, + }; + + event stream_deliver(c: connection, is_orig: bool, data: string); + + This comes with performance caveats: For use-cases with high-data rates + a native protocol analyzer with dedicated events will be far more efficient. + Changed Functionality --------------------- diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index 654b1bab03..82cfb58b47 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -41,6 +41,7 @@ add_subdirectory(snmp) add_subdirectory(socks) add_subdirectory(ssh) add_subdirectory(ssl) +add_subdirectory(stream_event) add_subdirectory(syslog) add_subdirectory(tcp) add_subdirectory(websocket) diff --git a/src/analyzer/protocol/stream_event/CMakeLists.txt b/src/analyzer/protocol/stream_event/CMakeLists.txt new file mode 100644 index 0000000000..deae252f9d --- /dev/null +++ b/src/analyzer/protocol/stream_event/CMakeLists.txt @@ -0,0 +1,8 @@ +zeek_add_plugin( + Zeek + StreamEvent + SOURCES + StreamEvent.cc + Plugin.cc + BIFS + events.bif) diff --git a/src/analyzer/protocol/stream_event/Plugin.cc b/src/analyzer/protocol/stream_event/Plugin.cc new file mode 100644 index 0000000000..33d04a299a --- /dev/null +++ b/src/analyzer/protocol/stream_event/Plugin.cc 
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/analyzer/Component.h"
+#include "zeek/analyzer/protocol/stream_event/StreamEvent.h"
+
+namespace zeek::plugin::detail::Zeek_StreamEvent {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure() override {
+ AddComponent(new zeek::analyzer::Component("STREAM_EVENT",
+ zeek::analyzer::stream_event::StreamEvent_Analyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::StreamEvent";
+ config.description = "Delivers stream data as events";
+ return config;
+ }
+} plugin;
+
+} // namespace zeek::plugin::detail::Zeek_StreamEvent
diff --git a/src/analyzer/protocol/stream_event/README b/src/analyzer/protocol/stream_event/README
new file mode 100644
index 0000000000..2c4cae867e
--- /dev/null
+++ b/src/analyzer/protocol/stream_event/README
@@ -0,0 +1,9 @@
+TCP application analyzer for handing raw stream data to script-land.
+
+This analyzer can be added as an upgrade analyzer, registered via the
+well-known ports mechanism, or even DPD. It allows script-layer access
+to the stream data when no more specific analyzer is available.
+
+This is similar to the tcp_contents event, but more flexible in that it
+can be added to an existing connection, or disabled over the lifetime
+of a connection.
diff --git a/src/analyzer/protocol/stream_event/StreamEvent.cc b/src/analyzer/protocol/stream_event/StreamEvent.cc
new file mode 100644
index 0000000000..94c569efc6
--- /dev/null
+++ b/src/analyzer/protocol/stream_event/StreamEvent.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/analyzer/protocol/stream_event/StreamEvent.h"
+
+#include "zeek/analyzer/protocol/stream_event/events.bif.h"
+
+namespace zeek::analyzer::stream_event {
+
+StreamEvent_Analyzer::StreamEvent_Analyzer(Connection* conn)
+ : analyzer::tcp::TCP_ApplicationAnalyzer("STREAM_EVENT", conn) {}
+
+
+void StreamEvent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) {
+ analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+ auto s = len > 0 ? zeek::make_intrusive(len, reinterpret_cast(data)) :
+ zeek::val_mgr->EmptyString();
+
+ BifEvent::enqueue_stream_deliver(this, Conn(), orig, std::move(s));
+}
+void StreamEvent_Analyzer::Undelivered(uint64_t seq, int len, bool orig) {
+ analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+
+ BifEvent::enqueue_stream_undelivered(this, Conn(), orig, seq, len);
+}
+
+} // namespace zeek::analyzer::stream_event
diff --git a/src/analyzer/protocol/stream_event/StreamEvent.h b/src/analyzer/protocol/stream_event/StreamEvent.h
new file mode 100644
index 0000000000..8ce3ddb64a
--- /dev/null
+++ b/src/analyzer/protocol/stream_event/StreamEvent.h
@@ -0,0 +1,19 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/analyzer/protocol/tcp/TCP.h"
+
+namespace zeek::analyzer::stream_event {
+
+class StreamEvent_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
+public:
+ explicit StreamEvent_Analyzer(Connection* conn);
+
+ void DeliverStream(int len, const u_char* data, bool orig) override;
+ void Undelivered(uint64_t seq, int len, bool orig) override;
+
+ static analyzer::Analyzer* Instantiate(Connection* conn) { return new StreamEvent_Analyzer(conn); }
+};
+
+} // namespace zeek::analyzer::stream_event
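Review bot: DeliverStream builds a StringVal copy of every payload chunk before calling enqueue_stream_deliver, so the per-chunk allocation and copy are paid even when no script handles stream_deliver (if the generated enqueue helper bails out on a missing handler, it does so only after the copy was made). Because this analyzer can be attached by port registration or DPD to connections carrying a lot of data, guard with the handler pointer before building the value: `if ( ! stream_deliver ) return;` right after the base-class DeliverStream call, and likewise `if ( ! stream_undelivered ) return;` in Undelivered. The `len > 0 ? ... : EmptyString()` fallback means the event also fires with an empty string when len is 0, which the .bif documentation should state. A blank line between DeliverStream's closing brace and the Undelivered definition would match the spacing used elsewhere in the file.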
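Review bot: The header says nothing about what StreamEvent_Analyzer is for, so a reader has to open README or events.bif to learn that the two overrides turn reassembled chunks into stream_deliver events and gaps into stream_undelivered events; a short comment above the class would fix that, e.g. `// Pseudo-analyzer that forwards reassembled TCP stream chunks and gaps to script-land as stream_deliver / stream_undelivered events.` Instantiate returning a raw `new` appears to follow the convention of the other analyzer components, so nothing to change there.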
diff --git a/src/analyzer/protocol/stream_event/events.bif b/src/analyzer/protocol/stream_event/events.bif
new file mode 100644
index 0000000000..8f4d505f84
--- /dev/null
+++ b/src/analyzer/protocol/stream_event/events.bif
@@ -0,0 +1,33 @@
+## Generated for each chunk of reassembled TCP payload.
+##
+## This is a low-level event to inspect stream data from the originator
+## and responder endpoints. This can be useful for debugging purposes, or
+## for logging of plain-text interactive sessions when no more appropriate
+## analyzer is available.
+##
+## Note that this event is potentially expensive if connections that have
+## the stream event analyzer attached carry significant amounts of data.
+## Generally, a native protocol parser will have much less overhead than
+## passing the complete stream data to the scripting layer.
+##
+## c: The connection.
+##
+## is_orig: T if stream data is from the originator-side, else F.
+##
+## data: The raw payload.
+##
+## .. zeek:see:: stream_undelivered tcp_contents
+event stream_deliver%(c: connection, is_orig: bool, data: string%);
+
+## Generated when Zeek detects a gap in a reassembled TCP payload stream.
+##
+## c: The connection.
+##
+## is_orig: T if the gap is in the originator-side input, else F.
+##
+## seq: The sequence number of the first byte of the gap.
+##
+## len: The length of the gap.
+##
+## .. zeek:see:: stream_deliver content_gap
+event stream_undelivered%(c: connection, is_orig: bool, seq: count, len: count%);
diff --git a/testing/btest/Baseline/core.analyzer-stream-event-disable/out b/testing/btest/Baseline/core.analyzer-stream-event-disable/out
new file mode 100644
index 0000000000..c3e44c0244
--- /dev/null
+++ b/testing/btest/Baseline/core.analyzer-stream-event-disable/out
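Review bot: The stream_deliver documentation says the event is generated for each chunk of reassembled payload, but the analyzer implementation also raises it with an empty string when DeliverStream is called with len 0, so handlers should not rely on `|data| > 0`; suggest `## data: The raw payload. May be empty.` For stream_undelivered it would help to say whether `seq` is relative to the start of the stream or an absolute TCP sequence number, since handlers correlating it with content_gap will want to compare the two; I cannot tell from this hunk which it is.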
@@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, new_connection +CHhAvVGS1DHFjwGM9, T, 136, GET /download/CHANGES.bro-aux.tx +CHhAvVGS1DHFjwGM9, F, 1448, HTTP/1.1 200 OK\x0d\x0aDate: Thu, 07 M +CHhAvVGS1DHFjwGM9, connection_state_remove diff --git a/testing/btest/Baseline/core.analyzer-stream-event/out b/testing/btest/Baseline/core.analyzer-stream-event/out new file mode 100644 index 0000000000..7cd9f9d414 --- /dev/null +++ b/testing/btest/Baseline/core.analyzer-stream-event/out @@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, T, 136, GET /download/CHANGES.bro-aux.tx +CHhAvVGS1DHFjwGM9, F, 1448, HTTP/1.1 200 OK\x0d\x0aDate: Thu, 07 M +CHhAvVGS1DHFjwGM9, F, 1448, rather than all. (Robin Somme +CHhAvVGS1DHFjwGM9, F, 1448, s/check-release to run before ma +CHhAvVGS1DHFjwGM9, F, 663, thread library when necessary ( diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index b64871a39f..5e88f9d327 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -249,6 +249,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek + build/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek 
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 99cb5d53a3..a3f06f9db9 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -249,6 +249,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek + build/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 9c4ee0795b..48ce2af63b 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -441,6 +441,7 @@ 0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1 
@@ -744,6 +745,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, ) @@ -1379,6 +1381,7 @@ 0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) +0.000000 MetaHookPre LoadFile(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) 
@@ -1682,6 +1685,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) @@ -2316,6 +2320,7 @@ 0.000000 | HookLoadFile ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek +0.000000 | HookLoadFile ./Zeek_StreamEvent.events.bif.zeek <...>/Zeek_StreamEvent.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek 
@@ -2619,6 +2624,7 @@ 0.000000 | HookLoadFileExtended ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_StreamEvent.events.bif.zeek <...>/Zeek_StreamEvent.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek diff --git a/testing/btest/Baseline/scripts.base.files.x509.files/files.log b/testing/btest/Baseline/scripts.base.files.x509.files/files.log index e64dfc52c0..ce19924fa1 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.files/files.log +++ b/testing/btest/Baseline/scripts.base.files.x509.files/files.log 
@@ -7,10 +7,10 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string -XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 -XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d -XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 -XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 -XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 
a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d -XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 +XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 +XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d +XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 +XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 +XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d +XXXXXXXXXX.XXXXXX 
Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/core/analyzer-stream-event-disable.zeek b/testing/btest/core/analyzer-stream-event-disable.zeek
new file mode 100644
index 0000000000..a44b86ec8d
--- /dev/null
+++ b/testing/btest/core/analyzer-stream-event-disable.zeek
@@ -0,0 +1,30 @@
+# @TEST-DOC: Show-case disable_analyzer() for ANALYZER_STREAM_EVENT after receiving a few events.
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+ {
+ Analyzer::register_for_port(Analyzer::ANALYZER_STREAM_EVENT, 80/tcp);
+ }
+
+
+event new_connection(c: connection)
+ {
+ print c$uid, "new_connection";
+ }
+
+global deliveries = 0;
+
+event stream_deliver(c: connection, is_orig: bool, data: string)
+ {
+ ++deliveries;
+ print c$uid, is_orig, |data|, data[:32];
+
+ if ( deliveries == 2 )
+ disable_analyzer(c$id, current_analyzer());
+ }
+
+event connection_state_remove(c: connection)
+ {
+ print c$uid, "connection_state_remove";
+ }
diff --git a/testing/btest/core/analyzer-stream-event.zeek b/testing/btest/core/analyzer-stream-event.zeek
new file mode 100644
index 0000000000..4bf00bbc12
--- /dev/null
+++ b/testing/btest/core/analyzer-stream-event.zeek
@@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+ {
+ Analyzer::register_for_port(Analyzer::ANALYZER_STREAM_EVENT, 80/tcp);
+ }
+
+event stream_deliver(c: connection, is_orig: bool, data: string)
+ {
+ print c$uid, is_orig, |data|, data[:32];
+ }
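Review bot: Neither analyzer-stream-event-disable.zeek nor analyzer-stream-event.zeek exercises stream_undelivered, which this commit adds alongside stream_deliver, nor the HTTP upgrade path advertised in NEWS; a run against a trace containing a gap would pin the seq, len and is_orig arguments, which are otherwise untested. analyzer-stream-event.zeek also lacks the `# @TEST-DOC:` line its sibling has, e.g. `# @TEST-DOC: Register ANALYZER_STREAM_EVENT on 80/tcp and print the first 32 bytes of every stream_deliver chunk.`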