diff --git a/CHANGES b/CHANGES index cc42fa701b..4a3f7510ae 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,232 @@ +2.1-271 | 2013-01-08 10:18:57 -0800 + + * Change substring index notation to use a colon. String slice + notation is now written as `s[1:2]`. Addresses #422. (Jon Siwek) + +2.1-268 | 2013-01-07 09:43:44 -0800 + + * Fix memory leak in OpaqueType::DoUnserialize. (Jon Siwek) + +2.1-265 | 2012-12-20 17:38:42 -0800 + + * Add array-style index accessor for strings. Addresses #422. (Jon + Siwek) + + The index expression can take up to two indices for the start and + end index of the substring to return (e.g. "mystring[1,3]"). + Negative indices are allowed, with -1 representing the last + character in the string. The indexing is not cyclic -- if the + starting index is >= the length of the string an empty string is + returned, and if the ending index is >= the length of the string + then it's interpreted as the last index of the string. Assigning + to substrings accessed like this isn't allowed. + +2.1-263 | 2012-12-20 16:22:09 -0800 + + * Bro's language now has a new set of types "opaque of X". (Matthias + Vallentin) + + Opaque values can be passed around like other values but they can + only be manipulated with BiF functions, not with other operators. + Currently, the following opaque types are supported: + + - opaque of md5 + - opaque of sha1 + - opaque of sha256 + - opaquey of entropy. + + They go along with the corrsponding BiF functions md5_*, sha1_*, + sha256_*, and entropy_*, respectively. Note that these functions + have changed their signatures to work with opaques types rather + than global state as it was before. + +2.1-240 | 2012-12-20 15:21:07 -0800 + + * Improve error for invalid use of types as values. Addresses #923. + (Jon Siwek) + +2.1-238 | 2012-12-20 15:11:25 -0800 + + * Finish implementation of script-layer switch statement. Addresses + #754. (Jon Siwek) + + They behave like C-style switches except case labels can be + comprised of multiple literal constants delimited by commas. Only + atomic types are allowed for now. 
Case label bodies that don't + execute a "return" or "break" statement will fall through to + subsequent cases. A default case label is allowed. + + * Fix a case where c$resp$size is misrepresented. Addresses #730. + (Jon Siwek) + +2.1-234 | 2012-12-20 12:12:19 -0800 + + * Fix return value of hook calls that have no handlers. For this + case, the return value is always true. (Jon Siwek) + + * Fix to_port() BIF for port strings with a port number of zero. + (Jon Siwek) + +2.1-231 | 2012-12-14 14:51:35 -0800 + + * Make const variables actually constant. Both local and global + variables declared with "const" could be modified, but now + expressions that would modify them generate an error message at + parse-time. Addresses #922. (Jon Siwek) + +2.1-229 | 2012-12-14 14:46:12 -0800 + + * Fix memory leak in ASCII reader when encoutering errors in input. + (Bernhard Amann) + + * Improvements for the "bad checksums" detector to make it detect + bad TCP checksums. (Seth Hall) + +2.1-223 | 2012-12-12 14:25:15 -0800 + + * Trick for parallelizing input framework unit tests. Instead of + loading listen.bro to block until files are read, just read a pcap + file in pseudo-realtime. (Jon Siwek) + + * Fix reliability of a unit test that relies on when statements. + (Jon Siwek) + + * Remove unused attributes. (Daniel Thayer) + - Removed attributes &postprocessor and &match from documentation and source code. + - Removed undocumented attribute &attr from source code. + - Removed internal attribute "(&tracked)" from documentation. + +2.1-218 | 2012-12-10 14:45:04 -0800 + + * Add GPRS Tunnelling Protocol (GTPv1) decapsulation. This currently + supports automatic decapsulation of GTP-U packets on UDP port 2152. + The GTPv1 headers for such tunnels can be inspected by handling + the "gtpv1_g_pdu_packet" event, which has a parameter of type + "gtpv1_hdr". Addresses #690. 
(Jon Siwek; derived from patch by + Carsten Langer) + + * Change BinPAC exceptions in AYIYA/GTP analyzers to do + "protocol_violation". (Jon Siwek) + +2.1-212 | 2012-12-07 19:42:03 -0800 + + * Changing the HTTP parser to accept request methods in alignment + with the RFC. (Robin Sommer) + +2.1-209 | 2012-12-05 16:44:04 -0800 + + * Adapting the HTTP request line parsing to only accept methods + consisting of letters [A-Za-z]. (Robin Sommer) + +2.1-207 | 2012-12-05 15:47:32 -0800 + + * Reporting warnings if kill/waitpid fail in communication system. + (Bill Parker) + + * Replace() bzero with memset(). (Bill Parker) + + * Merge remote-tracking branch 'vlad/topic/vladg/http-verbs' + + * vlad/topic/vladg/http-verbs: + A test for HTTP methods, including some horribly illegal requests. + Remove hardcoded HTTP verbs from the analyzer (#741) + + I added a "bad_HTTP_request" weird for HTTP request lines that don't + have more than a single word. + + Closes #741. (Robin Sommer) + + * A test for HTTP methods, including some horribly illegal requests. (Vlad Grigorescu) + + * Remove hardcoded HTTP verbs from the analyzer (#741) (Vlad Grigorescu) + + +2.1-203 | 2012-12-05 14:36:56 -0800 + + * Fix segfault: Synchronization of state between connecting peers + now skips over identifiers that aren't initialized with a value + yet. Addresses #66. (Jon Siwek) + + * Fix segfault: Delete correct entry in error case in input + framework. (Bernhard Amann) + + * Bad record constructor initializers now give an error. Addresses + #34. (Jon Siwek) + + * Invalid vector indices now generate error message. Addresses #24. + (Jon Siwek) + + * Bump CPack RPM package requirement to Python >= 2.6.0. (Jon Siwek) + + * Interpreter exceptions occurring in "when" blocks are now handled. + Addresses #779 (Jon Siwek) + +2.1-195 | 2012-12-03 14:50:33 -0800 + + * Catching out-of-memory in patricia tree code. 
(Bill Parker) + +2.1-194 | 2012-12-03 14:36:26 -0800 + + * Renaming ASCII writer filter option 'only_single_header_row' to + 'tsv'. Also clarifying usage. Closes #912. (Robin Sommer) + +2.1-193 | 2012-12-03 14:11:14 -0800 + + * Fix a set of bugs with table/set attributes. (Jon Siwek) + + - Identifiers that are initialized with set()/table() constructor + expressions now inherit attributes from the expression. Before, + statements like + + const i: set[string] = set() &redef; + + associated the attribute with the set() constructor, but not the + "i" identifier, preventing redefinition. Addresses #866. + + - Allow &default attribute to apply to tables initialized as empty + (via either "{ }" or "table()") or if the expression supplied to it + can evaluate to a type that's promotable to the same yield type as + the table. + +2.1-191 | 2012-12-03 14:08:56 -0800 + + * Add test of record() constructor to table initializer unit test. + (Jon Siwek) + + * Fix table(), set(), vector() constructors in table initializer + lists. Also adds type checking of yield values to table() + constructor and fixes the type checking of yield values in + vector() constructor. Addresses #5. (Jon Siwek) + +2.1-188 | 2012-12-03 14:04:29 -0800 + + * Hook functions now callable with "hook" expression (i.e., hook is + no longer a statement). The return value of the call is an + implicit boolean value of T if all hook handlers ran, or F if one + hook handler exited as a result of a break statement and + potentially prevented other handlers from running. + + Scripts don't need to declare hooks with an explicit return type of bool + (internally, that's assumed), and any values given to (optional) return + statements in handler definitions are just ignored. + + Addresses #918. (Jon Siwek) + + * Clarification in hook documentation. (Jon Siwek) + +2.1-184 | 2012-12-03 13:59:50 -0800 + + * Slightly fix up file name extraction from Content-Disposition + headers. 
(Seth Hall) + + * Adding -b flag to bro in unit tests so they run faster. + + * Fixed a DNS attribute issue. Reported by Matt Thompson. (Seth + Hall) + + * Adding NEWS placeholder for hooks and CSV mode. (Robin Sommer) + 2.1-178 | 2012-11-23 19:35:32 -0800 * The ASCII writer now supports a new filter config option diff --git a/CMakeLists.txt b/CMakeLists.txt index 17ba34ab3b..e2a83e10f5 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -195,7 +195,7 @@ CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI) if (INSTALL_BROCTL) # CPack RPM Generator may not automatically detect this - set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.4.0") + set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0") endif () # If this CMake project is a sub-project of another, we will not diff --git a/NEWS b/NEWS index 63c4d5d6f7..e3f20d0455 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,8 @@ Bro 2.2 New Functionality ~~~~~~~~~~~~~~~~~ +- GPRS Tunnelling Protocol (GTPv1) decapsulation. + - GridFTP support. TODO: Extend. - ssl.log now also records the subject client and issuer certificates. 
@@ -22,6 +24,33 @@ New Functionality - The ASCII writer can now output CSV files on a per filter basis. +- Bro's language now has a working "switch" statement that generally + behaves like C-style switches except case labels can be comprised of + multiple literal constants delimited by commas. Only atomic types + are allowed for now. Case label bodies that don't execute a + "return" or "break" statement will fall through to subsequent cases. + A default case label is allowed. + +- Bro's language now has a new set of types "opaque of X". Opaque + values can be passed around like other values but they can only be + manipulated with BiF functions, not with other operators. Currently, + the following opaque types are supported: + + - opaque of md5 + - opaque of sha1 + - opaque of sha256 + - opaquey of entropy. + + They go along with the corrsponding BiF functions md5_*, sha1_*, + sha256_*, and entropy_*, respectively. Note that these functions + have changed their signatures to work with opaques types rather + than global state as it was before. + +- Strings now support the subscript operator to extract individual + characters and substrings (e.g., s[4], s[1,5]). The index expression + can take up to two indices for the start and end index of the + substring to return (e.g. "mystring[1,3]"). + Changed Functionality ~~~~~~~~~~~~~~~~~~~~~ @@ -35,6 +64,9 @@ Changed Functionality make_connection_persistent(), generate_idmef(), split_complete() + - md5_*, sha1_*, sha256_*, and entropy_* have all changed + their signatures to work with opaque types (see above). + - Removed a now unused argument from "do_split" helper function. - "this" is no longer a reserved keyword. diff --git a/VERSION b/VERSION index 6463a80a16..8bcf1f15dd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-179 +2.1-271 diff --git a/aux/broccoli b/aux/broccoli index a8846fc5b0..073404dd29 160000 --- a/aux/broccoli +++ b/aux/broccoli 
@@ -1 +1 @@ -Subproject commit a8846fc5b004ffe4e3d00e826d0077ba19518192 +Subproject commit 073404dd29dc6e90ff0e4eb8bc836f8adbf3931e diff --git a/aux/broctl b/aux/broctl index 834131cd0e..2bf6b37177 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 834131cd0ec0f63cce9de818726fe6167dedbf34 +Subproject commit 2bf6b37177b895329173acac2bb98f38a8783bc1 diff --git a/aux/btest b/aux/btest index d83e10c5f7..3585dc9a7a 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit d83e10c5f76cbfdf81c843575351fbc7b544fc93 +Subproject commit 3585dc9a7afe20d70cb77fc2472cc6bce3850b67 diff --git a/doc/scripts/builtins.rst b/doc/scripts/builtins.rst index ba786ba0d2..b9febb176c 100644 --- a/doc/scripts/builtins.rst +++ b/doc/scripts/builtins.rst 
@@ -505,15 +505,14 @@ The Bro scripting language supports the following built-in types. A hook is another flavor of function that shares characteristics of both a :bro:type:`function` and a :bro:type:`event`. They are like events in that many handler bodies can be defined for the same hook - identifier, they have no return vale, and the order of execution - can be enforced with :bro:attr:`&priority`. They are more like - functions in the way they are invoked/called, because, unlike - events, their execution is immediate and they do not get scheduled - through an event queue. Also, a unique feature of a hook is that - a given hook handler body can short-circuit the execution of - remaining hook handlers simply by exiting from the body as a result - of a ``break`` statement (as opposed to a ``return`` or just - reaching the end of the body). + identifier and the order of execution can be enforced with + :bro:attr:`&priority`. They are more like functions in the way they + are invoked/called, because, unlike events, their execution is + immediate and they do not get scheduled through an event queue. + Also, a unique feature of a hook is that a given hook handler body + can short-circuit the execution of remaining hook handlers simply by + exiting from the body as a result of a ``break`` statement (as + opposed to a ``return`` or just reaching the end of the body). A hook type is declared like:: 
@@ -549,18 +548,26 @@ The Bro scripting language supports the following built-in types. print "not going to happen", s; } - Note that, although the first (forward) declaration of ``myhook`` as - a hook type isn't strictly required, when it is provided, the - argument types must match. + Note that the first (forward) declaration of ``myhook`` as a hook + type isn't strictly required. Argument types must match for all + hook handlers and any forward declaration of a given hook. - To invoke immediate execution of all hook handler bodies, a ``hook`` - statement must be used: + To invoke immediate execution of all hook handler bodies, they + are called similarly to a function, except preceded by the ``hook`` + keyword: .. code:: bro hook myhook("hi"); - And the output would like like:: + or + + .. code:: bro + + if ( hook myhook("hi") ) + print "all handlers ran"; + + And the output would look like:: priority 10 myhook handler, hi break out of myhook handling, bye @@ -568,6 +575,12 @@ The Bro scripting language supports the following built-in types. Note how the modification to arguments can be seen by remaining hook handlers. + The return value of a hook call is an implicit :bro:type:`bool` + value with ``T`` meaning that all handlers for the hook were + executed and ``F`` meaning that only some of the handlers may have + executed due to one handler body exiting as a result of a ``break`` + statement. + Attributes ---------- @@ -650,20 +663,12 @@ scripting language supports the following built-in attributes. ``&synchronized`` variable is automatically propagated to all peers when it changes. -.. bro:attr:: &postprocessor - -.. TODO: needs to be documented. - .. bro:attr:: &encrypt Encrypts files right before writing them to disk. .. TODO: needs to be documented in more detail. -.. bro:attr:: &match - -.. TODO: needs to be documented. - .. bro:attr:: &raw_output Opens a file in raw mode, i.e., non-ASCII characters are not 
@@ -697,6 +702,3 @@ scripting language supports the following built-in attributes. .. TODO: needs documented -.. bro:attr:: (&tracked) - -.. TODO: needs documented or removed if it's not used anywhere. diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro index dc3910d767..da1cfbde87 100644 --- a/scripts/base/frameworks/logging/writers/ascii.bro +++ b/scripts/base/frameworks/logging/writers/ascii.bro @@ -2,11 +2,14 @@ ##! to tweak the output format of ASCII logs. ##! ##! The ASCII writer supports currently one writer-specific filter option via -##! ``config``: setting ``only_single_header_row`` to ``T`` turns the output into -##! into CSV mode where only a single header row with the column names is printed -##! out as meta information. Example filter using this:: +##! ``config``: setting ``tsv`` to the string ``T`` turns the output into into +##! "tab-separated-value" mode where only a single header row with the column names +##! is printed out as meta information, with no "# fields" prepended; no other meta +##! data gets included in that mode. ##! -##! local my_filter: Log::Filter = [$name = "my-filter", $writer = Log::WRITER_ASCII, $config = table(["only_single_header_row"] = "T")]; +##! Example filter using this:: +##! +##! local my_filter: Log::Filter = [$name = "my-filter", $writer = Log::WRITER_ASCII, $config = table(["tsv"] = "T")]; ##! module LogAscii; diff --git a/scripts/base/frameworks/notice/cluster.bro b/scripts/base/frameworks/notice/cluster.bro index 3ee113acf3..e812c3fdca 100644 --- a/scripts/base/frameworks/notice/cluster.bro +++ b/scripts/base/frameworks/notice/cluster.bro 
@@ -21,12 +21,10 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/; redef Cluster::worker2manager_events += /Notice::cluster_notice/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) + # The notice policy is completely handled by the manager and shouldn't be # done by workers or proxies to save time for packet processing. -event bro_init() &priority=11 - { - Notice::policy = table(); - } +redef Notice::policy = table(); event Notice::begin_suppression(n: Notice::Info) { diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index 0861559558..a3db7061d3 100644 --- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -88,7 +88,10 @@ redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] }; const teredo_ports = { 3544/udp }; redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] }; -redef likely_server_ports += { ayiya_ports, teredo_ports }; +const gtpv1u_ports = { 2152/udp }; +redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1u_ports] }; + +redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1u_ports }; event bro_init() &priority=5 { diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index df3596d31e..e5365a9428 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -1450,6 +1450,44 @@ type teredo_hdr: record { hdr: pkt_hdr; ##< IPv6 and transport protocol headers. }; +## A GTPv1 (GPRS Tunneling Protocol) header. +type gtpv1_hdr: record { + ## The 3-bit version field, which for GTPv1 should be 1. + version: count; + ## Protocol Type value differentiates GTP (value 1) from GTP' (value 0). + pt_flag: bool; + ## Reserved field, should be 0. + rsv: bool; + ## Extension Header flag. When 0, the *next_type* field may or may not + ## be present, but shouldn't be meaningful. When 1, *next_type* is + ## present and meaningful. + e_flag: bool; + ## Sequence Number flag. When 0, the *seq* field may or may not + ## be present, but shouldn't be meaningful. When 1, *seq* is + ## present and meaningful. + s_flag: bool; + ## N-PDU flag. When 0, the *n_pdu* field may or may not + ## be present, but shouldn't be meaningful. When 1, *n_pdu* is + ## present and meaningful. + pn_flag: bool; + ## Message Type. A value of 255 indicates user-plane data is encapsulated. + msg_type: count; + ## Length of the GTP packet payload (the rest of the packet following the + ## mandatory 8-byte GTP header). + length: count; + ## Tunnel Endpoint Identifier. Unambiguously identifies a tunnel endpoint + ## in receiving GTP-U or GTP-C protocol entity. + teid: count; + ## Sequence Number. Set if any *e_flag*, *s_flag*, or *pn_flag* field is + ## set. + seq: count &optional; + ## N-PDU Number. Set if any *e_flag*, *s_flag*, or *pn_flag* field is set. + n_pdu: count &optional; + ## Next Extension Header Type. Set if any *e_flag*, *s_flag*, or *pn_flag* + ## field is set. + next_type: count &optional; +}; + ## Definition of "secondary filters". A secondary filter is a BPF filter given as ## index in this table. For each such filter, the corresponding event is raised for ## all matching packets. 
@@ -2786,6 +2824,9 @@ export { ## Toggle whether to do IPv6-in-Teredo decapsulation. const enable_teredo = T &redef; + ## Toggle whether to do GTPv1 decapsulation. + const enable_gtpv1 = T &redef; + ## With this option set, the Teredo analysis will first check to see if ## other protocol analyzers have confirmed that they think they're ## parsing the right protocol and only continue with Teredo tunnel @@ -2802,6 +2843,15 @@ export { ## :bro:see:`Tunnel::yielding_teredo_decapsulation`. const delay_teredo_confirmation = T &redef; + ## With this set, the GTP analyzer waits until the most-recent upflow + ## and downflow packets are a valid GTPv1 encapsulation before + ## issuing :bro:see:`protocol_confirmation`. If it's false, the + ## first occurence of a packet with valid GTPv1 encapsulation causes + ## confirmation. Since the same inner connection can be carried + ## differing outer upflow/downflow connections, setting to false + ## may work better. + const delay_gtp_confirmation = F &redef; + ## How often to cleanup internal state for inactive IP tunnels. const ip_tunnel_timeout = 24hrs &redef; } # end export diff --git a/scripts/base/misc/find-checksum-offloading.bro b/scripts/base/misc/find-checksum-offloading.bro index a0a2c692b7..15c1d6661d 100644 --- a/scripts/base/misc/find-checksum-offloading.bro +++ b/scripts/base/misc/find-checksum-offloading.bro @@ -14,7 +14,8 @@ export { } # Keep track of how many bad checksums have been seen. -global bad_checksums = 0; +global bad_ip_checksums = 0; +global bad_tcp_checksums = 0; # Track to see if this script is done so that messages aren't created multiple times. global done = F; 
@@ -25,10 +26,19 @@ event ChecksumOffloading::check() return; local pkts_recvd = net_stats()$pkts_recvd; - if ( (bad_checksums*1.0 / net_stats()$pkts_recvd*1.0) > 0.05 ) + local bad_ip_checksum_pct = (pkts_recvd != 0) ? (bad_ip_checksums*1.0 / pkts_recvd*1.0) : 0; + local bad_tcp_checksum_pct = (pkts_recvd != 0) ? (bad_tcp_checksums*1.0 / pkts_recvd*1.0) : 0; + if ( bad_ip_checksum_pct > 0.05 || bad_tcp_checksum_pct > 0.05 ) { local packet_src = reading_traces() ? "trace file likely has" : "interface is likely receiving"; - local message = fmt("Your %s invalid IP checksums, most likely from NIC checksum offloading.", packet_src); + local bad_checksum_msg = (bad_ip_checksum_pct > 0.0) ? "IP" : ""; + if ( bad_tcp_checksum_pct > 0.0 ) + { + if ( |bad_checksum_msg| > 0 ) + bad_checksum_msg += " and "; + bad_checksum_msg += "TCP"; + } + local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading.", packet_src, bad_checksum_msg); Reporter::warning(message); done = T; } @@ -48,7 +58,13 @@ event bro_init() event net_weird(name: string) { if ( name == "bad_IP_checksum" ) - ++bad_checksums; + ++bad_ip_checksums; + } + +event conn_weird(name: string, c: connection, addl: string) + { + if ( name == "bad_TCP_checksum" ) + ++bad_tcp_checksums; } event bro_done() diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 8ae3806ab6..ee0e4166da 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -67,7 +67,7 @@ export { ready: bool &default=F; ## The total number of resource records in a reply message's answer ## section. - total_answers: count &default=0; + total_answers: count &optional; ## The total number of resource records in a reply message's answer, ## authority, and additional sections. total_replies: count &optional; 
@@ -231,6 +231,7 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) Log::write(DNS::LOG, c$dns); # This record is logged and no longer pending. delete c$dns_state$pending[c$dns$trans_id]; + delete c$dns; } } diff --git a/scripts/base/protocols/http/file-hash.bro b/scripts/base/protocols/http/file-hash.bro index 7e8e5cceaf..bc7547e51a 100644 --- a/scripts/base/protocols/http/file-hash.bro +++ b/scripts/base/protocols/http/file-hash.bro @@ -13,16 +13,16 @@ export { redef record Info += { ## MD5 sum for a file transferred over HTTP calculated from the ## response body. - md5: string &log &optional; + md5: string &log &optional; ## This value can be set per-transfer to determine per request ## if a file should have an MD5 sum generated. It must be ## set to T at the time of or before the first chunk of body data. - calc_md5: bool &default=F; + calc_md5: bool &default=F; ## Indicates if an MD5 sum is being calculated for the current ## request/response pair. - calculating_md5: bool &default=F; + md5_handle: opaque of md5 &optional; }; ## Generate MD5 sums for these filetypes. @@ -41,13 +41,12 @@ event http_entity_data(c: connection, is_orig: bool, length: count, data: string if ( c$http$calc_md5 || (c$http?$mime_type && generate_md5 in c$http$mime_type) ) { - c$http$calculating_md5 = T; - md5_hash_init(c$id); + c$http$md5_handle = md5_hash_init(); } } - if ( c$http$calculating_md5 ) - md5_hash_update(c$id, data); + if ( c$http?$md5_handle ) + md5_hash_update(c$http$md5_handle, data); } ## In the event of a content gap during a file transfer, detect the state for 
@@ -55,11 +54,11 @@ event http_entity_data(c: connection, is_orig: bool, length: count, data: string ## incorrect anyway. event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5 { - if ( is_orig || ! c?$http || ! c$http$calculating_md5 ) return; + if ( is_orig || ! c?$http || ! c$http?$md5_handle ) return; set_state(c, F, is_orig); - c$http$calculating_md5 = F; - md5_hash_finish(c$id); + md5_hash_finish(c$http$md5_handle); # Ignore return value. + delete c$http$md5_handle; } ## When the file finishes downloading, finish the hash and generate a notice. @@ -67,11 +66,11 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) & { if ( is_orig || ! c?$http ) return; - if ( c$http$calculating_md5 ) + if ( c$http?$md5_handle ) { local url = build_url_http(c$http); - c$http$calculating_md5 = F; - c$http$md5 = md5_hash_finish(c$id); + c$http$md5 = md5_hash_finish(c$http$md5_handle); + delete c$http$md5_handle; NOTICE([$note=MD5, $msg=fmt("%s %s %s", c$id$orig_h, c$http$md5, url), $sub=c$http$md5, $conn=c, $URL=url]); @@ -82,11 +81,12 @@ event connection_state_remove(c: connection) &priority=-5 { if ( c?$http_state && c$http_state$current_response in c$http_state$pending && - c$http_state$pending[c$http_state$current_response]$calculating_md5 ) + c$http_state$pending[c$http_state$current_response]?$md5_handle ) { # The MD5 sum isn't going to be saved anywhere since the entire # body wouldn't have been seen anyway and we'd just be giving an # incorrect MD5 sum. - md5_hash_finish(c$id); + md5_hash_finish(c$http$md5_handle); + delete c$http$md5_handle; } } diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 21b4fb6113..660386f901 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro 
@@ -94,6 +94,19 @@ export { "XROXY-CONNECTION", "PROXY-CONNECTION", } &redef; + + ## A list of HTTP methods. Other methods will generate a weird. Note + ## that the HTTP analyzer will only accept methods consisting solely + ## of letters ``[A-Za-z]``. + const http_methods: set[string] = { + "GET", "POST", "HEAD", "OPTIONS", + "PUT", "DELETE", "TRACE", "CONNECT", + # HTTP methods for distributed authoring: + "PROPFIND", "PROPPATCH", "MKCOL", + "COPY", "MOVE", "LOCK", "UNLOCK", + "POLL", "REPORT", "SUBSCRIBE", "BMOVE", + "SEARCH" + } &redef; ## Event that can be handled to access the HTTP record as it is sent on ## to the logging framework. @@ -180,6 +193,9 @@ event http_request(c: connection, method: string, original_URI: string, c$http$method = method; c$http$uri = unescaped_URI; + + if ( method !in http_methods ) + event conn_weird("unknown_HTTP_method", c, method); } event http_reply(c: connection, version: string, code: count, reason: string) &priority=5 diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.bro index e158d045e0..80d6089ce7 100644 --- a/scripts/base/protocols/smtp/entities.bro +++ b/scripts/base/protocols/smtp/entities.bro 
@@ -16,33 +16,33 @@ export { type EntityInfo: record { ## This is the timestamp of when the MIME content transfer began. - ts: time &log; - uid: string &log; - id: conn_id &log; + ts: time &log; + uid: string &log; + id: conn_id &log; ## A count to represent the depth of this message transaction in a ## single connection where multiple messages were transferred. - trans_depth: count &log; + trans_depth: count &log; ## The filename seen in the Content-Disposition header. - filename: string &log &optional; + filename: string &log &optional; ## Track how many bytes of the MIME encoded file have been seen. - content_len: count &log &default=0; + content_len: count &log &default=0; ## The mime type of the entity discovered through magic bytes identification. - mime_type: string &log &optional; + mime_type: string &log &optional; ## The calculated MD5 sum for the MIME entity. - md5: string &log &optional; + md5: string &log &optional; ## Optionally calculate the file's MD5 sum. Must be set prior to the ## first data chunk being see in an event. - calc_md5: bool &default=F; + calc_md5: bool &default=F; ## This boolean value indicates if an MD5 sum is being calculated ## for the current file transfer. - calculating_md5: bool &default=F; + md5_handle: opaque of md5 &optional; ## Optionally write the file to disk. Must be set prior to first ## data chunk being seen in an event. - extract_file: bool &default=F; + extract_file: bool &default=F; ## Store the file handle here for the file currently being extracted. - extraction_file: file &log &optional; + extraction_file: file &log &optional; }; redef record Info += { 
@@ -126,18 +126,16 @@ event mime_segment_data(c: connection, length: count, data: string) &priority=-5 if ( c$smtp$current_entity$content_len == 0 ) { - if ( generate_md5 in c$smtp$current_entity$mime_type && ! never_calc_md5 ) - c$smtp$current_entity$calc_md5 = T; + local entity = c$smtp$current_entity; + if ( generate_md5 in entity$mime_type && ! never_calc_md5 ) + entity$calc_md5 = T; - if ( c$smtp$current_entity$calc_md5 ) - { - c$smtp$current_entity$calculating_md5 = T; - md5_hash_init(c$id); - } + if ( entity$calc_md5 ) + entity$md5_handle = md5_hash_init(); } - if ( c$smtp$current_entity$calculating_md5 ) - md5_hash_update(c$id, data); + if ( c$smtp$current_entity?$md5_handle ) + md5_hash_update(entity$md5_handle, data); } ## In the event of a content gap during the MIME transfer, detect the state for @@ -147,10 +145,11 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) &prio { if ( is_orig || ! c?$smtp || ! c$smtp?$current_entity ) return; - if ( c$smtp$current_entity$calculating_md5 ) + local entity = c$smtp$current_entity; + if ( entity?$md5_handle ) { - c$smtp$current_entity$calculating_md5 = F; - md5_hash_finish(c$id); + md5_hash_finish(entity$md5_handle); + delete entity$md5_handle; } } @@ -161,12 +160,14 @@ event mime_end_entity(c: connection) &priority=-3 if ( ! c?$smtp || ! c$smtp?$current_entity ) return; - if ( c$smtp$current_entity$calculating_md5 ) + local entity = c$smtp$current_entity; + if ( entity?$md5_handle ) { - c$smtp$current_entity$md5 = md5_hash_finish(c$id); + entity$md5 = md5_hash_finish(entity$md5_handle); + delete entity$md5_handle; NOTICE([$note=MD5, $msg=fmt("Calculated a hash for a MIME entity from %s", c$id$orig_h), - $sub=c$smtp$current_entity$md5, $conn=c]); + $sub=entity$md5, $conn=c]); } } 
@@ -177,6 +178,10 @@ event mime_one_header(c: connection, h: mime_header_rec) if ( h$name == "CONTENT-DISPOSITION" && /[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value ) c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value); + + if ( h$name == "CONTENT-TYPE" && + /[nN][aA][mM][eE][:blank:]*=/ in h$value ) + c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value); } event mime_end_entity(c: connection) &priority=-5 diff --git a/scripts/base/utils/files.bro b/scripts/base/utils/files.bro index ccd03df0e6..76d2ecea4f 100644 --- a/scripts/base/utils/files.bro +++ b/scripts/base/utils/files.bro @@ -19,7 +19,7 @@ function generate_extraction_filename(prefix: string, c: connection, suffix: str ## the filename. function extract_filename_from_content_disposition(data: string): string { - local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE]=/, ""); + local filename = sub(data, /^.*[nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, ""); # Remove quotes around the filename if they are there. if ( /^\"/ in filename ) filename = split_n(filename, /\"/, F, 2)[2]; diff --git a/scripts/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.bro index fb805bfd33..53d7109468 100644 --- a/scripts/policy/protocols/http/detect-webapps.bro +++ b/scripts/policy/protocols/http/detect-webapps.bro @@ -28,7 +28,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori if ( /^webapp-/ !in state$sig_id ) return; local c = state$conn; - local si = Software::Info; + local si: Software::Info; si = [$name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION]; si$url = build_url_http(c$http); if ( c$id$resp_h in Software::tracked && diff --git a/src/AYIYA.cc b/src/AYIYA.cc index c525a73b6c..79fa44e743 100644 --- a/src/AYIYA.cc +++ b/src/AYIYA.cc 
@@ -20,5 +20,13 @@ void AYIYA_Analyzer::Done() void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); - interp->NewData(orig, data, data + len); + + try + { + interp->NewData(orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } } diff --git a/src/Analyzer.cc b/src/Analyzer.cc index 0a5188d76c..15926dfa2a 100644 --- a/src/Analyzer.cc +++ b/src/Analyzer.cc @@ -41,6 +41,7 @@ #include "Syslog-binpac.h" #include "Teredo.h" #include "ConnSizeAnalyzer.h" +#include "GTPv1.h" // Keep same order here as in AnalyzerTag definition! const Analyzer::Config Analyzer::analyzer_configs[] = { @@ -143,6 +144,9 @@ const Analyzer::Config Analyzer::analyzer_configs[] = { { AnalyzerTag::Teredo, "TEREDO", Teredo_Analyzer::InstantiateAnalyzer, Teredo_Analyzer::Available, 0, false }, + { AnalyzerTag::GTPv1, "GTPV1", + GTPv1_Analyzer::InstantiateAnalyzer, + GTPv1_Analyzer::Available, 0, false }, { AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer, File_Analyzer::Available, 0, false }, diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h index 4dbbcd7499..38e47cf8fc 100644 --- a/src/AnalyzerTags.h +++ b/src/AnalyzerTags.h @@ -38,6 +38,7 @@ namespace AnalyzerTag { AYIYA, SOCKS, Teredo, + GTPv1, // Other File, Backdoor, InterConn, SteppingStone, TCPStats, diff --git a/src/Attr.cc b/src/Attr.cc index 6e0769c7b0..244d1e1687 100644 --- a/src/Attr.cc +++ b/src/Attr.cc @@ -14,8 +14,8 @@ const char* attr_name(attr_tag t) "&rotate_interval", "&rotate_size", "&add_func", "&delete_func", "&expire_func", "&read_expire", "&write_expire", "&create_expire", - "&persistent", "&synchronized", "&postprocessor", - "&encrypt", "&match", + "&persistent", "&synchronized", + "&encrypt", "&raw_output", "&mergeable", "&priority", "&group", "&log", "&error_handler", "&type_column", "(&tracked)", 
@@ -260,6 +260,11 @@ void Attributes::CheckAttr(Attr* a) // Ok. break; + if ( type->Tag() == TYPE_TABLE && + type->AsTableType()->IsUnspecifiedTable() ) + // Ok. + break; + a->AttrExpr()->Error("&default value has inconsistent type", type); } @@ -290,6 +295,11 @@ void Attributes::CheckAttr(Attr* a) // Ok. break; + Expr* e = a->AttrExpr(); + if ( check_and_promote_expr(e, ytype) ) + // Ok. + break; + Error("&default value has inconsistent type 2"); } @@ -327,11 +337,6 @@ void Attributes::CheckAttr(Attr* a) Error("&rotate_size only applicable to files"); break; - case ATTR_POSTPROCESSOR: - if ( type->Tag() != TYPE_FILE ) - Error("&postprocessor only applicable to files"); - break; - case ATTR_ENCRYPT: if ( type->Tag() != TYPE_FILE ) Error("&encrypt only applicable to files"); diff --git a/src/Attr.h b/src/Attr.h index c9a0dedb33..c3e05d4762 100644 --- a/src/Attr.h +++ b/src/Attr.h @@ -25,9 +25,7 @@ typedef enum { ATTR_EXPIRE_CREATE, ATTR_PERSISTENT, ATTR_SYNCHRONIZED, - ATTR_POSTPROCESSOR, ATTR_ENCRYPT, - ATTR_MATCH, ATTR_RAW_OUTPUT, ATTR_MERGEABLE, ATTR_PRIORITY, diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index b759f146f7..1f095c64dc 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -203,6 +203,8 @@ binpac_target(dns.pac dns-protocol.pac dns-analyzer.pac) binpac_target(dns_tcp.pac dns.pac) +binpac_target(gtpv1.pac + gtpv1-protocol.pac gtpv1-analyzer.pac) binpac_target(http.pac http-protocol.pac http-analyzer.pac) binpac_target(ncp.pac) @@ -284,7 +286,6 @@ set(bro_SRCS Analyzer.cc Anon.cc ARP.cc - AsciiInputOutput.cc Attr.cc AYIYA.cc BackDoor.cc @@ -333,6 +334,7 @@ set(bro_SRCS Frame.cc Func.cc Gnutella.cc + GTPv1.cc HTTP.cc HTTP-binpac.cc Hash.cc @@ -359,6 +361,7 @@ set(bro_SRCS NetVar.cc NetbiosSSN.cc Obj.cc + OpaqueVal.cc OSFinger.cc PacketFilter.cc PacketSort.cc @@ -423,6 +426,7 @@ set(bro_SRCS strsep.c modp_numtoa.c + threading/AsciiInputOutput.cc threading/BasicThread.cc threading/Manager.cc threading/MsgThread.cc 
diff --git a/src/Expr.cc b/src/Expr.cc index 733e0fe9a5..9e71f27897 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -229,10 +229,15 @@ bool Expr::DoUnserialize(UnserialInfo* info) } -NameExpr::NameExpr(ID* arg_id) : Expr(EXPR_NAME) +NameExpr::NameExpr(ID* arg_id, bool const_init) : Expr(EXPR_NAME) { id = arg_id; - SetType(id->Type()->Ref()); + in_const_init = const_init; + + if ( id->AsType() ) + SetType(new TypeType(id->AsType())); + else + SetType(id->Type()->Ref()); EventHandler* h = event_registry->Lookup(id->Name()); if ( h ) @@ -287,6 +292,9 @@ Expr* NameExpr::MakeLvalue() if ( id->AsType() ) ExprError("Type name is not an lvalue"); + if ( id->IsConst() && ! in_const_init ) + ExprError("const is not a modifiable lvalue"); + return new RefExpr(this); } @@ -337,9 +345,11 @@ bool NameExpr::DoSerialize(SerialInfo* info) const // Write out just the name of the function if requested. if ( info->globals_as_names && id->IsGlobal() ) - return SERIALIZE('n') && SERIALIZE(id->Name()); + return SERIALIZE('n') && SERIALIZE(id->Name()) && + SERIALIZE(in_const_init); else - return SERIALIZE('f') && id->Serialize(info); + return SERIALIZE('f') && id->Serialize(info) && + SERIALIZE(in_const_init); } bool NameExpr::DoUnserialize(UnserialInfo* info) @@ -370,6 +380,9 @@ bool NameExpr::DoUnserialize(UnserialInfo* info) if ( ! id ) return false; + if ( ! UNSERIALIZE(&in_const_init) ) + return false; + return true; } @@ -2663,7 +2676,7 @@ void AssignExpr::EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f) const TableVal* tv = aggr->AsTableVal(); Val* index = op1->Eval(f); - Val* v = op2->Eval(f); + Val* v = check_and_promote(op2->Eval(f), t->YieldType(), 1); if ( ! index || ! v ) return; 
@@ -2788,22 +2801,43 @@ bool AssignExpr::DoUnserialize(UnserialInfo* info) return UNSERIALIZE(&is_init); } -IndexExpr::IndexExpr(Expr* arg_op1, ListExpr* arg_op2) +IndexExpr::IndexExpr(Expr* arg_op1, ListExpr* arg_op2, bool is_slice) : BinaryExpr(EXPR_INDEX, arg_op1, arg_op2) { if ( IsError() ) return; + if ( is_slice ) + { + if ( ! IsString(op1->Type()->Tag()) ) + ExprError("slice notation indexing only supported for strings currently"); + } + + else if ( IsString(op1->Type()->Tag()) ) + { + if ( arg_op2->Exprs().length() != 1 ) + ExprError("invalid string index expression"); + } + + if ( IsError() ) + return; + int match_type = op1->Type()->MatchesIndex(arg_op2); if ( match_type == DOES_NOT_MATCH_INDEX ) SetError("not an index type"); else if ( ! op1->Type()->YieldType() ) + { + if ( IsString(op1->Type()->Tag()) && + match_type == MATCHES_INDEX_SCALAR ) + SetType(base_type(TYPE_STRING)); + else // It's a set - so indexing it yields void. We don't // directly generate an error message, though, since this // expression might be part of an add/delete statement, // rather than yielding a value. - SetType(base_type(TYPE_VOID)); + SetType(base_type(TYPE_VOID)); + } else if ( match_type == MATCHES_INDEX_SCALAR ) SetType(op1->Type()->YieldType()->Ref()); @@ -2879,6 +2913,9 @@ void IndexExpr::Delete(Frame* f) Expr* IndexExpr::MakeLvalue() { + if ( IsString(op1->Type()->Tag()) ) + ExprError("cannot assign to string index expression"); + return new RefExpr(this); } 
@@ -2950,16 +2987,39 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const if ( IsError() ) return 0; - if ( v1->Type()->Tag() == TYPE_VECTOR ) + Val* v = 0; + + switch ( v1->Type()->Tag() ) { + case TYPE_VECTOR: + v = v1->AsVectorVal()->Lookup(v2); + break; + + case TYPE_TABLE: + v = v1->AsTableVal()->Lookup(v2); + break; + + case TYPE_STRING: { - Val* v = v1->AsVectorVal()->Lookup(v2); - // ### dangerous - this can silently fail larger operations - // due to a missing element - return v ? v->Ref() : 0; + const ListVal* lv = v2->AsListVal(); + const BroString* s = v1->AsString(); + int len = s->Len(); + bro_int_t first = lv->Index(0)->AsInt(); + bro_int_t last = lv->Length() > 1 ? lv->Index(1)->AsInt() : first; + + if ( first < 0 ) + first += len; + + if ( last < 0 ) + last += len; + + BroString* substring = s->GetSubstring(first, last - first + 1); + return new StringVal(substring ? substring : new BroString("")); } - TableVal* v_tbl = v1->AsTableVal(); - Val* v = v_tbl->Lookup(v2); + default: + Error("type cannot be indexed"); + break; + } if ( v ) return v->Ref(); @@ -2986,14 +3046,25 @@ void IndexExpr::Assign(Frame* f, Val* v, Opcode op) return; } - if ( v1->Type()->Tag() == TYPE_VECTOR ) - { + switch ( v1->Type()->Tag() ) { + case TYPE_VECTOR: if ( ! v1->AsVectorVal()->Assign(v2, v, this, op) ) Internal("assignment failed"); - } + break; - else if ( ! v1->AsTableVal()->Assign(v2, v, op) ) - Internal("assignment failed"); + case TYPE_TABLE: + if ( ! v1->AsTableVal()->Assign(v2, v, op) ) + Internal("assignment failed"); + break; + + case TYPE_STRING: + Internal("assignment via string index accessor not allowed"); + break; + + default: + Internal("bad index expression type in assignment"); + break; + } Unref(v1); Unref(v2); 
@@ -3290,20 +3361,22 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list) Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const { - RecordVal* rv = Eval(0)->AsRecordVal(); - RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr); + Val* v = Eval(0); - if ( ar ) + if ( v ) { - Unref(rv); - return ar; + RecordVal* rv = v->AsRecordVal(); + RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr); + + if ( ar ) + { + Unref(rv); + return ar; + } } - else - { - Error("bad record initializer"); - return 0; - } + Error("bad record initializer"); + return 0; } Val* RecordConstructorExpr::Fold(Val* v) const @@ -3386,7 +3459,14 @@ Val* TableConstructorExpr::InitVal(const BroType* t, Val* aggr) const if ( IsError() ) return 0; - return op->InitVal(t, aggr); + TableType* tt = Type()->AsTableType(); + TableVal* tval = aggr ? aggr->AsTableVal() : new TableVal(tt, attrs); + const expr_list& exprs = op->AsListExpr()->Exprs(); + + loop_over_list(exprs, i) + exprs[i]->EvalIntoAggregate(t, tval, 0); + + return tval; } void TableConstructorExpr::ExprDescribe(ODesc* d) const @@ -3438,7 +3518,7 @@ Val* SetConstructorExpr::Eval(Frame* f) const if ( IsError() ) return 0; - TableVal* aggr = new TableVal(type->AsTableType(), 0); + TableVal* aggr = new TableVal(type->AsTableType(), attrs); const expr_list& exprs = op->AsListExpr()->Exprs(); loop_over_list(exprs, i) 
@@ -3456,7 +3536,26 @@ Val* SetConstructorExpr::InitVal(const BroType* t, Val* aggr) const if ( IsError() ) return 0; - return op->InitVal(t, aggr); + const BroType* index_type = t->AsTableType()->Indices(); + TableType* tt = Type()->AsTableType(); + TableVal* tval = aggr ? aggr->AsTableVal() : new TableVal(tt, attrs); + const expr_list& exprs = op->AsListExpr()->Exprs(); + + loop_over_list(exprs, i) + { + Expr* e = exprs[i]; + Val* element = check_and_promote(e->Eval(0), index_type, 1); + + if ( ! element || ! tval->Assign(element, 0) ) + { + Error(fmt("initialization type mismatch in set"), e); + return 0; + } + + Unref(element); + } + + return tval; } void SetConstructorExpr::ExprDescribe(ODesc* d) const @@ -3536,14 +3635,14 @@ Val* VectorConstructorExpr::InitVal(const BroType* t, Val* aggr) const if ( IsError() ) return 0; - VectorVal* vec = aggr->AsVectorVal(); - const BroType* vt = vec->Type()->AsVectorType()->YieldType(); + VectorType* vt = Type()->AsVectorType(); + VectorVal* vec = aggr ? aggr->AsVectorVal() : new VectorVal(vt); const expr_list& exprs = op->AsListExpr()->Exprs(); loop_over_list(exprs, i) { Expr* e = exprs[i]; - Val* v = check_and_promote(e->Eval(0), vt, 1); + Val* v = check_and_promote(e->Eval(0), t->YieldType(), 1); if ( ! v || ! vec->Assign(i, v, e) ) { @@ -4394,6 +4493,13 @@ CallExpr::CallExpr(Expr* arg_func, ListExpr* arg_args, bool in_hook) return; } + if ( func_type->AsFuncType()->Flavor() == FUNC_FLAVOR_HOOK && ! in_hook ) + { + func->Error("hook cannot be called directly, use hook operator"); + SetError(); + return; + } + if ( ! func_type->MatchesIndex(args) ) SetError("argument type mismatch in function call"); else 
@@ -4415,13 +4521,8 @@ CallExpr::CallExpr(Expr* arg_func, ListExpr* arg_args, bool in_hook) break; case FUNC_FLAVOR_HOOK: - // It's fine to not have a yield if it's known that the call - // is being done from a hook statement. - if ( ! in_hook ) - { - Error("hook called in expression, use hook statement instead"); - SetError(); - } + Error("hook has no yield type"); + SetError(); break; default: diff --git a/src/Expr.h b/src/Expr.h index bd4824f8ee..1e07708d14 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -198,7 +198,7 @@ protected: class NameExpr : public Expr { public: - NameExpr(ID* id); + NameExpr(ID* id, bool const_init = false); ~NameExpr(); ID* Id() const { return id; } @@ -220,6 +220,7 @@ protected: DECLARE_SERIAL(NameExpr); ID* id; + bool in_const_init; }; class ConstExpr : public Expr { @@ -645,7 +646,7 @@ protected: class IndexExpr : public BinaryExpr { public: - IndexExpr(Expr* op1, ListExpr* op2); + IndexExpr(Expr* op1, ListExpr* op2, bool is_slice = false); int CanAdd() const; int CanDel() const; @@ -747,6 +748,8 @@ public: TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs); ~TableConstructorExpr() { Unref(attrs); } + Attributes* Attrs() { return attrs; } + Val* Eval(Frame* f) const; protected: @@ -767,6 +770,8 @@ public: SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs); ~SetConstructorExpr() { Unref(attrs); } + Attributes* Attrs() { return attrs; } + Val* Eval(Frame* f) const; protected: diff --git a/src/File.h b/src/File.h index 8e3d0ca6e7..a37b7fe0a6 100644 --- a/src/File.h +++ b/src/File.h @@ -56,7 +56,7 @@ public: // Rotates the logfile. Returns rotate_info. RecordVal* Rotate(); - // Set &rotate_interval, &rotate_size, &postprocessor, + // Set &rotate_interval, &rotate_size, // and &raw_output attributes. void SetAttrs(Attributes* attrs); diff --git a/src/Func.cc b/src/Func.cc index 27acce4f04..9b94b15d97 100644 --- a/src/Func.cc +++ b/src/Func.cc 
@@ -282,13 +282,14 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const #ifdef PROFILE_BRO_FUNCTIONS DEBUG_MSG("Function: %s\n", id->Name()); #endif - if ( ! bodies.size() ) + if ( ! bodies.size() ) { // Can only happen for events and hooks. assert(Flavor() == FUNC_FLAVOR_EVENT || Flavor() == FUNC_FLAVOR_HOOK); loop_over_list(*args, i) Unref((*args)[i]); - return 0 ; + + return Flavor() == FUNC_FLAVOR_HOOK ? new Val(true, TYPE_BOOL) : 0; } SegmentProfiler(segment_logger, location); @@ -349,16 +350,31 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const break; } - if ( flow == FLOW_BREAK && Flavor() == FUNC_FLAVOR_HOOK ) + if ( Flavor() == FUNC_FLAVOR_HOOK ) { - // short-circuit execution of remaining hook handler bodies - break; + // Ignore any return values of hook bodies, final return value + // depends on whether a body returns as a result of break statement. + Unref(result); + result = 0; + + if ( flow == FLOW_BREAK ) + { + // Short-circuit execution of remaining hook handler bodies. + result = new Val(false, TYPE_BOOL); + break; + } } } + if ( Flavor() == FUNC_FLAVOR_HOOK ) + { + if ( ! result ) + result = new Val(true, TYPE_BOOL); + } + // Warn if the function returns something, but we returned from // the function without an explicit return, or without a value. - if ( FType()->YieldType() && FType()->YieldType()->Tag() != TYPE_VOID && + else if ( FType()->YieldType() && FType()->YieldType()->Tag() != TYPE_VOID && (flow != FLOW_RETURN /* we fell off the end */ || ! result /* explicit return with no result */) && ! f->HasDelayed() ) diff --git a/src/GTPv1.cc b/src/GTPv1.cc new file mode 100644 index 0000000000..68b6f30a0c --- /dev/null +++ b/src/GTPv1.cc 
@@ -0,0 +1,31 @@ +#include "GTPv1.h" + +GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn) +: Analyzer(AnalyzerTag::GTPv1, conn) + { + interp = new binpac::GTPv1::GTPv1_Conn(this); + } + +GTPv1_Analyzer::~GTPv1_Analyzer() + { + delete interp; + } + +void GTPv1_Analyzer::Done() + { + Analyzer::Done(); + Event(udp_session_done); + } + +void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) + { + Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + try + { + interp->NewData(orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } + } diff --git a/src/GTPv1.h b/src/GTPv1.h new file mode 100644 index 0000000000..e111158833 --- /dev/null +++ b/src/GTPv1.h @@ -0,0 +1,29 @@ +#ifndef GTPv1_h +#define GTPv1_h + +#include "gtpv1_pac.h" + +class GTPv1_Analyzer : public Analyzer { +public: + GTPv1_Analyzer(Connection* conn); + virtual ~GTPv1_Analyzer(); + + virtual void Done(); + virtual void DeliverPacket(int len, const u_char* data, bool orig, + int seq, const IP_Hdr* ip, int caplen); + + static Analyzer* InstantiateAnalyzer(Connection* conn) + { return new GTPv1_Analyzer(conn); } + + static bool Available() + { return BifConst::Tunnel::enable_gtpv1 && + BifConst::Tunnel::max_depth > 0; } + +protected: + friend class AnalyzerTimer; + void ExpireTimer(double t); + + binpac::GTPv1::GTPv1_Conn* interp; +}; + +#endif diff --git a/src/HTTP.cc b/src/HTTP.cc index 9d9f01be64..7e4079b853 100644 --- a/src/HTTP.cc +++ b/src/HTTP.cc 
@@ -1116,38 +1116,39 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line, return line; } +static bool is_HTTP_token_char(char c) + { + return c > 31 && c != 127 && // CTL per RFC 2616. + c != ' ' && c != '\t' && // Separators. + c != '(' && c != ')' && c != '<' && c != '>' && c != '@' && + c != ',' && c != ';' && c != ':' && c != '\\' && c != '"' && + c != '/' && c != '[' && c != ']' && c != '?' && c != '=' && + c != '{' && c != '}'; + } + +static const char* get_HTTP_token(const char* s, const char* e) + { + while ( s < e && is_HTTP_token_char(*s) ) + ++s; + + return s; + } + + int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) { const char* rest = 0; - static const char* http_methods[] = { - "GET", "POST", "HEAD", + const char* end_of_method = get_HTTP_token(line, end_of_line); - "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT", + if ( end_of_method == line ) + goto error; - // HTTP methods for distributed authoring. - "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT", - "COPY", "MOVE", "LOCK", "UNLOCK", - "POLL", "REPORT", "SUBSCRIBE", "BMOVE", + rest = skip_whitespace(end_of_method, end_of_line); - "SEARCH", + if ( rest == end_of_method ) + goto error; - 0, - }; - - int i; - for ( i = 0; http_methods[i]; ++i ) - if ( (rest = PrefixWordMatch(line, end_of_line, http_methods[i])) != 0 ) - break; - - if ( ! http_methods[i] ) - { - // Weird("HTTP_unknown_method"); - if ( RequestExpected() ) - HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line)); - return 0; - } - - request_method = new StringVal(http_methods[i]); + request_method = new StringVal(end_of_method - line, line); if ( ! ParseRequest(rest, end_of_line) ) reporter->InternalError("HTTP ParseRequest failed"); 
@@ -1157,6 +1158,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) unescaped_URI->AsString()->Len(), true, true, true, true); return 1; + +error: + reporter->Weird(Conn(), "bad_HTTP_request"); + return 0; } int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) diff --git a/src/NetVar.cc b/src/NetVar.cc index 248ae15e1a..1783130f34 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -5,6 +5,7 @@ #include "Var.h" #include "NetVar.h" +RecordType* gtpv1_hdr_type; RecordType* conn_id; RecordType* endpoint; RecordType* endpoint_stats; @@ -308,6 +309,7 @@ void init_net_var() #include "input.bif.netvar_init" #include "reporter.bif.netvar_init" + gtpv1_hdr_type = internal_type("gtpv1_hdr")->AsRecordType(); conn_id = internal_type("conn_id")->AsRecordType(); endpoint = internal_type("endpoint")->AsRecordType(); endpoint_stats = internal_type("endpoint_stats")->AsRecordType(); diff --git a/src/NetVar.h b/src/NetVar.h index 2561fa0ad9..4bb2d2a7f9 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -8,6 +8,7 @@ #include "EventRegistry.h" #include "Stats.h" +extern RecordType* gtpv1_hdr_type; extern RecordType* conn_id; extern RecordType* endpoint; extern RecordType* endpoint_stats; diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc new file mode 100644 index 0000000000..51f975edf8 --- /dev/null +++ b/src/OpaqueVal.cc 
@@ -0,0 +1,501 @@ +#include "OpaqueVal.h" +#include "Reporter.h" +#include "Serializer.h" + +bool HashVal::IsValid() const + { + return valid; + } + +bool HashVal::Init() + { + if ( valid ) + return false; + + valid = DoInit(); + return valid; + } + +StringVal* HashVal::Get() + { + if ( ! valid ) + return new StringVal(""); + + StringVal* result = DoGet(); + valid = false; + return result; + } + +bool HashVal::Feed(const void* data, size_t size) + { + if ( valid ) + return DoFeed(data, size); + + reporter->InternalError("invalid opaque hash value"); + return false; + } + +bool HashVal::DoInit() + { + assert(! "missing implementation of DoInit()"); + return false; + } + +bool HashVal::DoFeed(const void*, size_t) + { + assert(! "missing implementation of DoFeed()"); + return false; + } + +StringVal* HashVal::DoGet() + { + assert(! "missing implementation of DoGet()"); + return new StringVal(""); + } + +HashVal::HashVal(OpaqueType* t) : OpaqueVal(t) + { + valid = false; + } + +IMPLEMENT_SERIAL(HashVal, SER_HASH_VAL); + +bool HashVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_HASH_VAL, OpaqueVal); + return SERIALIZE(valid); + } + +bool HashVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal); + return UNSERIALIZE(&valid); + } + +void MD5Val::digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH]) + { + MD5_CTX h; + md5_init(&h); + + loop_over_list(vlist, i) + { + Val* v = vlist[i]; + if ( v->Type()->Tag() == TYPE_STRING ) + { + const BroString* str = v->AsString(); + md5_update(&h, str->Bytes(), str->Len()); + } + else + { + ODesc d(DESC_BINARY); + v->Describe(&d); + md5_update(&h, (const u_char *) d.Bytes(), d.Len()); + } + } + + md5_final(&h, result); + } + +void MD5Val::hmac(val_list& vlist, + u_char key[MD5_DIGEST_LENGTH], + u_char result[MD5_DIGEST_LENGTH]) + { + digest(vlist, result); + for ( int i = 0; i < MD5_DIGEST_LENGTH; ++i ) + result[i] ^= key[i]; + + MD5(result, MD5_DIGEST_LENGTH, result); + } + +bool MD5Val::DoInit() 
+ { + assert(! IsValid()); + md5_init(&ctx); + return true; + } + +bool MD5Val::DoFeed(const void* data, size_t size) + { + if ( ! IsValid() ) + return false; + + md5_update(&ctx, data, size); + return true; + } + +StringVal* MD5Val::DoGet() + { + if ( ! IsValid() ) + return new StringVal(""); + + u_char digest[MD5_DIGEST_LENGTH]; + md5_final(&ctx, digest); + return new StringVal(md5_digest_print(digest)); + } + +IMPLEMENT_SERIAL(MD5Val, SER_MD5_VAL); + +bool MD5Val::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_MD5_VAL, HashVal); + + if ( ! IsValid() ) + return true; + + if ( ! (SERIALIZE(ctx.A) && + SERIALIZE(ctx.B) && + SERIALIZE(ctx.C) && + SERIALIZE(ctx.D) && + SERIALIZE(ctx.Nl) && + SERIALIZE(ctx.Nh)) ) + return false; + + for ( int i = 0; i < MD5_LBLOCK; ++i ) + { + if ( ! SERIALIZE(ctx.data[i]) ) + return false; + } + + if ( ! SERIALIZE(ctx.num) ) + return false; + + return true; + } + +bool MD5Val::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(HashVal); + + if ( ! IsValid() ) + return true; + + if ( ! (UNSERIALIZE(&ctx.A) && + UNSERIALIZE(&ctx.B) && + UNSERIALIZE(&ctx.C) && + UNSERIALIZE(&ctx.D) && + UNSERIALIZE(&ctx.Nl) && + UNSERIALIZE(&ctx.Nh)) ) + return false; + + for ( int i = 0; i < MD5_LBLOCK; ++i ) + { + if ( ! UNSERIALIZE(&ctx.data[i]) ) + return false; + } + + if ( ! UNSERIALIZE(&ctx.num) ) + return false; + + return true; + } + +void SHA1Val::digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH]) + { + SHA_CTX h; + sha1_init(&h); + + loop_over_list(vlist, i) + { + Val* v = vlist[i]; + if ( v->Type()->Tag() == TYPE_STRING ) + { + const BroString* str = v->AsString(); + sha1_update(&h, str->Bytes(), str->Len()); + } + else + { + ODesc d(DESC_BINARY); + v->Describe(&d); + sha1_update(&h, (const u_char *) d.Bytes(), d.Len()); + } + } + + sha1_final(&h, result); + } + +bool SHA1Val::DoInit() + { + assert(! IsValid()); + sha1_init(&ctx); + return true; + } + +bool SHA1Val::DoFeed(const void* data, size_t size) + { + if ( ! 
IsValid() ) + return false; + + sha1_update(&ctx, data, size); + return true; + } + +StringVal* SHA1Val::DoGet() + { + if ( ! IsValid() ) + return new StringVal(""); + + u_char digest[SHA_DIGEST_LENGTH]; + sha1_final(&ctx, digest); + return new StringVal(sha1_digest_print(digest)); + } + +IMPLEMENT_SERIAL(SHA1Val, SER_SHA1_VAL); + +bool SHA1Val::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_SHA1_VAL, HashVal); + + if ( ! IsValid() ) + return true; + + if ( ! (SERIALIZE(ctx.h0) && + SERIALIZE(ctx.h1) && + SERIALIZE(ctx.h2) && + SERIALIZE(ctx.h3) && + SERIALIZE(ctx.h4) && + SERIALIZE(ctx.Nl) && + SERIALIZE(ctx.Nh)) ) + return false; + + for ( int i = 0; i < SHA_LBLOCK; ++i ) + { + if ( ! SERIALIZE(ctx.data[i]) ) + return false; + } + + if ( ! SERIALIZE(ctx.num) ) + return false; + + return true; + } + +bool SHA1Val::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(HashVal); + + if ( ! IsValid() ) + return true; + + if ( ! (UNSERIALIZE(&ctx.h0) && + UNSERIALIZE(&ctx.h1) && + UNSERIALIZE(&ctx.h2) && + UNSERIALIZE(&ctx.h3) && + UNSERIALIZE(&ctx.h4) && + UNSERIALIZE(&ctx.Nl) && + UNSERIALIZE(&ctx.Nh)) ) + return false; + + for ( int i = 0; i < SHA_LBLOCK; ++i ) + { + if ( ! UNSERIALIZE(&ctx.data[i]) ) + return false; + } + + if ( ! UNSERIALIZE(&ctx.num) ) + return false; + + return true; + } + +void SHA256Val::digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH]) + { + SHA256_CTX h; + sha256_init(&h); + + loop_over_list(vlist, i) + { + Val* v = vlist[i]; + if ( v->Type()->Tag() == TYPE_STRING ) + { + const BroString* str = v->AsString(); + sha256_update(&h, str->Bytes(), str->Len()); + } + else + { + ODesc d(DESC_BINARY); + v->Describe(&d); + sha256_update(&h, (const u_char *) d.Bytes(), d.Len()); + } + } + + sha256_final(&h, result); + } + +bool SHA256Val::DoInit() + { + assert( ! IsValid() ); + sha256_init(&ctx); + return true; + } + +bool SHA256Val::DoFeed(const void* data, size_t size) + { + if ( ! 
IsValid() ) + return false; + + sha256_update(&ctx, data, size); + return true; + } + +StringVal* SHA256Val::DoGet() + { + if ( ! IsValid() ) + return new StringVal(""); + + u_char digest[SHA256_DIGEST_LENGTH]; + sha256_final(&ctx, digest); + return new StringVal(sha256_digest_print(digest)); + } + +IMPLEMENT_SERIAL(SHA256Val, SER_SHA256_VAL); + +bool SHA256Val::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_SHA256_VAL, HashVal); + + if ( ! IsValid() ) + return true; + + for ( int i = 0; i < 8; ++i ) + { + if ( ! SERIALIZE(ctx.h[i]) ) + return false; + } + + if ( ! (SERIALIZE(ctx.Nl) && + SERIALIZE(ctx.Nh)) ) + return false; + + for ( int i = 0; i < SHA_LBLOCK; ++i ) + { + if ( ! SERIALIZE(ctx.data[i]) ) + return false; + } + + if ( ! (SERIALIZE(ctx.num) && + SERIALIZE(ctx.md_len)) ) + return false; + + return true; + } + +bool SHA256Val::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(HashVal); + + if ( ! IsValid() ) + return true; + + for ( int i = 0; i < 8; ++i ) + { + if ( ! UNSERIALIZE(&ctx.h[i]) ) + return false; + } + + if ( ! (UNSERIALIZE(&ctx.Nl) && + UNSERIALIZE(&ctx.Nh)) ) + return false; + + for ( int i = 0; i < SHA_LBLOCK; ++i ) + { + if ( ! UNSERIALIZE(&ctx.data[i]) ) + return false; + } + + + if ( ! (UNSERIALIZE(&ctx.num) && + UNSERIALIZE(&ctx.md_len)) ) + return false; + + return true; + } + + +bool EntropyVal::Feed(const void* data, size_t size) + { + state.add(data, size); + return true; + } + +bool EntropyVal::Get(double *r_ent, double *r_chisq, double *r_mean, + double *r_montepicalc, double *r_scc) + { + state.end(r_ent, r_chisq, r_mean, r_montepicalc, r_scc); + return true; + } + +IMPLEMENT_SERIAL(EntropyVal, SER_ENTROPY_VAL); + +bool EntropyVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_ENTROPY_VAL, OpaqueVal); + + for ( int i = 0; i < 256; ++i ) + { + if ( ! SERIALIZE(state.ccount[i]) ) + return false; + } + + if ( ! 
(SERIALIZE(state.totalc) && + SERIALIZE(state.mp) && + SERIALIZE(state.sccfirst)) ) + return false; + + for ( int i = 0; i < RT_MONTEN; ++i ) + { + if ( ! SERIALIZE(state.monte[i]) ) + return false; + } + + if ( ! (SERIALIZE(state.inmont) && + SERIALIZE(state.mcount) && + SERIALIZE(state.cexp) && + SERIALIZE(state.montex) && + SERIALIZE(state.montey) && + SERIALIZE(state.montepi) && + SERIALIZE(state.sccu0) && + SERIALIZE(state.scclast) && + SERIALIZE(state.scct1) && + SERIALIZE(state.scct2) && + SERIALIZE(state.scct3)) ) + return false; + + return true; + } + +bool EntropyVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal); + + for ( int i = 0; i < 256; ++i ) + { + if ( ! UNSERIALIZE(&state.ccount[i]) ) + return false; + } + + if ( ! (UNSERIALIZE(&state.totalc) && + UNSERIALIZE(&state.mp) && + UNSERIALIZE(&state.sccfirst)) ) + return false; + + for ( int i = 0; i < RT_MONTEN; ++i ) + { + if ( ! UNSERIALIZE(&state.monte[i]) ) + return false; + } + + if ( ! (UNSERIALIZE(&state.inmont) && + UNSERIALIZE(&state.mcount) && + UNSERIALIZE(&state.cexp) && + UNSERIALIZE(&state.montex) && + UNSERIALIZE(&state.montey) && + UNSERIALIZE(&state.montepi) && + UNSERIALIZE(&state.sccu0) && + UNSERIALIZE(&state.scclast) && + UNSERIALIZE(&state.scct1) && + UNSERIALIZE(&state.scct2) && + UNSERIALIZE(&state.scct3)) ) + return false; + + return true; + } diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h new file mode 100644 index 0000000000..0428e50bdb --- /dev/null +++ b/src/OpaqueVal.h 
@@ -0,0 +1,110 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef OPAQUEVAL_H +#define OPAQUEVAL_H + +#include "RandTest.h" +#include "Val.h" +#include "digest.h" + +class HashVal : public OpaqueVal { +public: + virtual bool IsValid() const; + virtual bool Init(); + virtual bool Feed(const void* data, size_t size); + virtual StringVal* Get(); + +protected: + HashVal() { }; + HashVal(OpaqueType* t); + virtual bool DoInit(); + virtual bool DoFeed(const void* data, size_t size); + virtual StringVal* DoGet(); + + DECLARE_SERIAL(HashVal); + +private: + // This flag exists because Get() can only be called once. + bool valid; +}; + +class MD5Val : public HashVal { +public: + static void digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH]); + + static void hmac(val_list& vlist, + u_char key[MD5_DIGEST_LENGTH], + u_char result[MD5_DIGEST_LENGTH]); + + MD5Val() : HashVal(new OpaqueType("md5")) { } + +protected: + friend class Val; + + virtual bool DoInit() /* override */; + virtual bool DoFeed(const void* data, size_t size) /* override */; + virtual StringVal* DoGet() /* override */; + + DECLARE_SERIAL(MD5Val); + +private: + MD5_CTX ctx; +}; + +class SHA1Val : public HashVal { +public: + static void digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH]); + + SHA1Val() : HashVal(new OpaqueType("sha1")) { } + +protected: + friend class Val; + + virtual bool DoInit() /* override */; + virtual bool DoFeed(const void* data, size_t size) /* override */; + virtual StringVal* DoGet() /* override */; + + DECLARE_SERIAL(SHA1Val); + +private: + SHA_CTX ctx; +}; + +class SHA256Val : public HashVal { +public: + static void digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH]); + + SHA256Val() : HashVal(new OpaqueType("sha256")) { } + +protected: + friend class Val; + + virtual bool DoInit() /* override */; + virtual bool DoFeed(const void* data, size_t size) /* override */; + virtual StringVal* DoGet() /* override */; + + 
DECLARE_SERIAL(SHA256Val); + +private: + SHA256_CTX ctx; +}; + +class EntropyVal : public OpaqueVal { +public: + EntropyVal() : OpaqueVal(new OpaqueType("entropy")) { } + + bool Feed(const void* data, size_t size); + bool Get(double *r_ent, double *r_chisq, double *r_mean, + double *r_montepicalc, double *r_scc); + +protected: + friend class Val; + EntropyVal(OpaqueType* t); + + DECLARE_SERIAL(EntropyVal); + +private: + RandTest state; +}; + +#endif diff --git a/src/RandTest.cc b/src/RandTest.cc index 638cc6c765..94e76500b5 100644 --- a/src/RandTest.cc +++ b/src/RandTest.cc @@ -12,7 +12,18 @@ Modified for Bro by Seth Hall - July 2010 */ -#include +#include +#include "RandTest.h" + +#define log2of10 3.32192809488736234787 +/* RT_LOG2 -- Calculate log to the base 2 */ +static double rt_log2(double x) +{ + return log2of10 * log10(x); +} + +// RT_INCIRC = pow(pow(256.0, (double) (RT_MONTEN / 2)) - 1, 2.0); +#define RT_INCIRC 281474943156225.0 RandTest::RandTest() { @@ -28,9 +39,9 @@ RandTest::RandTest() } } -void RandTest::add(void *buf, int bufl) +void RandTest::add(const void *buf, int bufl) { - unsigned char *bp = (unsigned char*)buf; + const unsigned char *bp = static_cast(buf); int oc; while (bufl-- > 0) @@ -78,8 +89,8 @@ void RandTest::add(void *buf, int bufl) } } -void RandTest::end(double *r_ent, double *r_chisq, - double *r_mean, double *r_montepicalc, double *r_scc) +void RandTest::end(double* r_ent, double* r_chisq, + double* r_mean, double* r_montepicalc, double* r_scc) { int i; double ent, chisq, scc, datasum; diff --git a/src/RandTest.h b/src/RandTest.h index a4f551b602..bb1eb3c6b4 100644 --- a/src/RandTest.h +++ b/src/RandTest.h 
@@ -1,34 +1,33 @@ -#include +#ifndef RANDTEST_H +#define RANDTEST_H -#define log2of10 3.32192809488736234787 -/* RT_LOG2 -- Calculate log to the base 2 */ -static double rt_log2(double x) -{ - return log2of10 * log10(x); -} +#include "util.h" #define RT_MONTEN 6 /* Bytes used as Monte Carlo co-ordinates. This should be no more bits than the mantissa of your "double" floating point type. */ +class EntropyVal; -// RT_INCIRC = pow(pow(256.0, (double) (RT_MONTEN / 2)) - 1, 2.0); -#define RT_INCIRC 281474943156225.0 class RandTest { public: RandTest(); - void add(void *buf, int bufl); - void end(double *r_ent, double *r_chisq, double *r_mean, - double *r_montepicalc, double *r_scc); + void add(const void* buf, int bufl); + void end(double* r_ent, double* r_chisq, double* r_mean, + double* r_montepicalc, double* r_scc); private: - long ccount[256]; /* Bins to count occurrences of values */ - long totalc; /* Total bytes counted */ + friend class EntropyVal; + + int64 ccount[256]; /* Bins to count occurrences of values */ + int64 totalc; /* Total bytes counted */ int mp; int sccfirst; unsigned int monte[RT_MONTEN]; - long inmont, mcount; + int64 inmont, mcount; double cexp, montex, montey, montepi, sccu0, scclast, scct1, scct2, scct3; - }; +}; + +#endif diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 564ad2be68..66f8def489 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -545,8 +545,11 @@ RemoteSerializer::~RemoteSerializer() { if ( child_pid ) { - kill(child_pid, SIGKILL); - waitpid(child_pid, 0, 0); + if ( kill(child_pid, SIGKILL) < 0 ) + reporter->Warning("warning: cannot kill child (pid %d), %s", child_pid, strerror(errno)); + + else if ( waitpid(child_pid, 0, 0) < 0 ) + reporter->Warning("warning: error encountered during waitpid(%d), %s", child_pid, strerror(errno)); } delete io; 
@@ -1032,6 +1035,14 @@ bool RemoteSerializer::SendAllSynchronized(Peer* peer, SerialInfo* info) for ( ; index < sync_ids.length(); ++index ) { + if ( ! sync_ids[index]->ID_Val() ) + { +#ifdef DEBUG + DBG_LOG(DBG_COMM, "Skip sync of ID with null value: %s\n", + sync_ids[index]->Name()); +#endif + continue; + } cont->SaveContext(); StateAccess sa(OP_ASSIGN, sync_ids[index], @@ -3153,7 +3164,10 @@ void RemoteSerializer::FatalError(const char* msg) reporter->Error("%s", msg); closed = true; - kill(child_pid, SIGQUIT); + + if ( kill(child_pid, SIGQUIT) < 0 ) + reporter->Warning("warning: cannot kill child pid %d, %s", child_pid, strerror(errno)); + child_pid = 0; using_communication = false; io->Clear(); @@ -3963,7 +3977,7 @@ bool SocketComm::Connect(Peer* peer) { int status; addrinfo hints, *res, *res0; - bzero(&hints, sizeof(hints)); + memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_protocol = IPPROTO_TCP; @@ -4095,7 +4109,7 @@ bool SocketComm::Listen() { int status, on = 1; addrinfo hints, *res, *res0; - bzero(&hints, sizeof(hints)); + memset(&hints, 0, sizeof(hints)); IPAddr listen_ip(listen_if); @@ -4360,7 +4374,8 @@ void SocketComm::Kill() CloseListenFDs(); - kill(getpid(), SIGTERM); + if ( kill(getpid(), SIGTERM) < 0 ) + Log(fmt("warning: cannot kill SocketComm pid %d, %s", getpid(), strerror(errno))); while ( 1 ) ; // loop until killed diff --git a/src/SerialTypes.h b/src/SerialTypes.h index a18c9bcc65..e103c1c40e 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -98,6 +98,12 @@ SERIAL_VAL(RECORD_VAL, 10) SERIAL_VAL(ENUM_VAL, 11) SERIAL_VAL(VECTOR_VAL, 12) SERIAL_VAL(MUTABLE_VAL, 13) +SERIAL_VAL(OPAQUE_VAL, 14) +SERIAL_VAL(HASH_VAL, 15) +SERIAL_VAL(MD5_VAL, 16) +SERIAL_VAL(SHA1_VAL, 17) +SERIAL_VAL(SHA256_VAL, 18) +SERIAL_VAL(ENTROPY_VAL, 19) #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR) SERIAL_EXPR(EXPR, 1) 
@@ -165,7 +171,6 @@ SERIAL_STMT(EVENT_BODY_LIST, 16) SERIAL_STMT(INIT_STMT, 17) SERIAL_STMT(NULL_STMT, 18) SERIAL_STMT(WHEN_STMT, 19) -SERIAL_STMT(HOOK_STMT, 20) #define SERIAL_TYPE(name, val) SERIAL_CONST(name, val, BRO_TYPE) SERIAL_TYPE(BRO_TYPE, 1) @@ -179,6 +184,7 @@ SERIAL_TYPE(SUBNET_TYPE, 8) SERIAL_TYPE(FILE_TYPE, 9) SERIAL_TYPE(ENUM_TYPE, 10) SERIAL_TYPE(VECTOR_TYPE, 11) +SERIAL_TYPE(OPAQUE_TYPE, 12) SERIAL_CONST2(ATTRIBUTES) SERIAL_CONST2(EVENT_HANDLER) diff --git a/src/Stmt.cc b/src/Stmt.cc index 0a5ae16ef6..2cd7117ddb 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -23,7 +23,7 @@ const char* stmt_name(BroStmtTag t) "print", "event", "expr", "if", "when", "switch", "for", "next", "break", "return", "add", "delete", "list", "bodylist", - "", "hook", + "", "null", }; @@ -592,6 +592,21 @@ Case::~Case() void Case::Describe(ODesc* d) const { + if ( ! Cases() ) + { + if ( ! d->IsBinary() ) + d->Add("default:"); + + d->AddCount(0); + + d->PushIndent(); + Body()->AccessStats(d); + Body()->Describe(d); + d->PopIndent(); + + return; + } + const expr_list& e = Cases()->Exprs(); if ( ! d->IsBinary() ) 
@@ -658,13 +673,64 @@ bool Case::DoUnserialize(UnserialInfo* info) return this->s != 0; } -SwitchStmt::SwitchStmt(Expr* index, case_list* arg_cases) : - ExprStmt(STMT_SWITCH, index) +static void int_del_func(void* v) { - cases = arg_cases; + delete (int*) v; + } - //### need to loop over cases and make sure their type matches - //### the index, and they're constant and not redundant +void SwitchStmt::Init() + { + TypeList* t = new TypeList(); + t->Append(e->Type()->Ref()); + comp_hash = new CompositeHash(t); + Unref(t); + + case_label_map.SetDeleteFunc(int_del_func); + } + +SwitchStmt::SwitchStmt(Expr* index, case_list* arg_cases) : + ExprStmt(STMT_SWITCH, index), cases(arg_cases), default_case_idx(-1) + { + Init(); + + if ( ! is_atomic_type(e->Type()) ) + e->Error("switch expression must be of an atomic type"); + + loop_over_list(*cases, i) + { + const Case* c = (*cases)[i]; + const ListExpr* le = c->Cases(); + + if ( le ) + { + if ( ! le->Type()->AsTypeList()->AllMatch(e->Type(), false) ) + { + le->Error("case expression type differs from switch type", e); + continue; + } + + const expr_list& exprs = le->Exprs(); + + loop_over_list(exprs, j) + { + if ( ! exprs[j]->IsConst() ) + exprs[j]->Error("case label expression isn't constant"); + else + { + if ( ! AddCaseLabelMapping(exprs[j]->ExprVal(), i) ) + exprs[j]->Error("duplicate case label"); + } + } + } + + else + { + if ( default_case_idx != -1 ) + c->Error("multiple default labels", (*cases)[default_case_idx]); + else + default_case_idx = i; + } + } } SwitchStmt::~SwitchStmt() 
@@ -673,12 +739,80 @@ SwitchStmt::~SwitchStmt() Unref((*cases)[i]); delete cases; + delete comp_hash; } -Val* SwitchStmt::DoExec(Frame* /* f */, Val* /* v */, stmt_flow_type& /* flow */) const +bool SwitchStmt::AddCaseLabelMapping(const Val* v, int idx) { - printf("switch statement not implemented\n"); - return 0; + HashKey* hk = comp_hash->ComputeHash(v, 1); + + if ( ! hk ) + { + reporter->PushLocation(e->GetLocationInfo()); + reporter->InternalError("switch expression type mismatch (%s/%s)", + type_name(v->Type()->Tag()), type_name(e->Type()->Tag())); + } + + int* label_idx = case_label_map.Lookup(hk); + + if ( label_idx ) + { + delete hk; + return false; + } + + case_label_map.Insert(hk, new int(idx)); + return true; + } + +int SwitchStmt::FindCaseLabelMatch(const Val* v) const + { + HashKey* hk = comp_hash->ComputeHash(v, 1); + + if ( ! hk ) + { + reporter->PushLocation(e->GetLocationInfo()); + reporter->InternalError("switch expression type mismatch (%s/%s)", + type_name(v->Type()->Tag()), type_name(e->Type()->Tag())); + } + + int* label_idx = case_label_map.Lookup(hk); + + delete hk; + + if ( ! label_idx ) + return default_case_idx; + else + return *label_idx; + } + +Val* SwitchStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const + { + Val* rval = 0; + + int matching_label_idx = FindCaseLabelMatch(v); + + if ( matching_label_idx == -1 ) + return 0; + + for ( int i = matching_label_idx; i < cases->length(); ++i ) + { + const Case* c = (*cases)[i]; + + flow = FLOW_NEXT; + rval = c->Body()->Exec(f, flow); + + if ( flow == FLOW_BREAK ) + { + flow = FLOW_NEXT; + break; + } + + if ( flow == FLOW_RETURN ) + break; + } + + return rval; } Stmt* SwitchStmt::DoSimplify() 
@@ -697,7 +831,13 @@ Stmt* SwitchStmt::DoSimplify() } if ( e->IsConst() ) - { // ### go through cases and pull out the one it matches + { + // Could possibly remove all case labels before the one + // that will match, but may be tricky to tell if any + // subsequent ones can also be removed since it depends + // on the evaluation of the body executing a break/return + // statement. Then still need a way to bypass the lookup + // DoExec for it to be beneficial. if ( ! optimize ) Warn("constant in switch"); } @@ -770,6 +910,9 @@ bool SwitchStmt::DoSerialize(SerialInfo* info) const if ( ! (*cases)[i]->Serialize(info) ) return false; + if ( ! SERIALIZE(default_case_idx) ) + return false; + return true; } @@ -777,6 +920,8 @@ bool SwitchStmt::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(ExprStmt); + Init(); + int len; if ( ! UNSERIALIZE(&len) ) return false; @@ -790,6 +935,25 @@ bool SwitchStmt::DoUnserialize(UnserialInfo* info) cases->append(c); } + if ( ! UNSERIALIZE(&default_case_idx) ) + return false; + + loop_over_list(*cases, i) + { + const ListExpr* le = (*cases)[i]->Cases(); + + if ( ! le ) + continue; + + const expr_list& exprs = le->Exprs(); + + loop_over_list(exprs, j) + { + if ( ! AddCaseLabelMapping(exprs[j]->ExprVal(), i) ) + return false; + } + } + return true; } 
@@ -933,52 +1097,6 @@ bool EventStmt::DoUnserialize(UnserialInfo* info) return event_expr != 0; } -HookStmt::HookStmt(CallExpr* arg_e) : ExprStmt(STMT_HOOK, arg_e) - { - call_expr = arg_e; - } - -Val* HookStmt::Exec(Frame* f, stmt_flow_type& flow) const - { - RegisterAccess(); - - Val* ret = call_expr->Eval(f); - Unref(ret); - - flow = FLOW_NEXT; - - return 0; - } - -TraversalCode HookStmt::Traverse(TraversalCallback* cb) const - { - TraversalCode tc = cb->PreStmt(this); - HANDLE_TC_STMT_PRE(tc); - - // call expr is stored in base class's "e" field. - tc = e->Traverse(cb); - HANDLE_TC_STMT_PRE(tc); - - tc = cb->PostStmt(this); - HANDLE_TC_STMT_POST(tc); - } - -IMPLEMENT_SERIAL(HookStmt, SER_HOOK_STMT); - -bool HookStmt::DoSerialize(SerialInfo* info) const - { - DO_SERIALIZE(SER_HOOK_STMT, ExprStmt); - return call_expr->Serialize(info); - } - -bool HookStmt::DoUnserialize(UnserialInfo* info) - { - DO_UNSERIALIZE(ExprStmt); - - call_expr = (CallExpr*) Expr::Unserialize(info, EXPR_CALL); - return call_expr != 0; - } - ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr) : ExprStmt(STMT_FOR, loop_expr) { @@ -1378,7 +1496,10 @@ ReturnStmt::ReturnStmt(Expr* arg_e) : ExprStmt(STMT_RETURN, arg_e) } else if ( ! e ) - Error("return statement needs expression"); + { + if ( ft->Flavor() != FUNC_FLAVOR_HOOK ) + Error("return statement needs expression"); + } else (void) check_and_promote_expr(e, yt); @@ -1990,7 +2111,6 @@ int same_stmt(const Stmt* s1, const Stmt* s2) case STMT_RETURN: case STMT_EXPR: case STMT_EVENT: - case STMT_HOOK: { const ExprStmt* e1 = (const ExprStmt*) s1; const ExprStmt* e2 = (const ExprStmt*) s2; diff --git a/src/Stmt.h b/src/Stmt.h index 68bb8d6425..497d7c97b1 100644 --- a/src/Stmt.h +++ b/src/Stmt.h @@ -17,6 +17,8 @@ class StmtList; class ForStmt; +declare(PDict, int); + class Stmt : public BroObj { public: BroStmtTag Tag() const { return tag; } 
@@ -187,7 +189,8 @@ protected: class Case : public BroObj { public: - Case(ListExpr* c, Stmt* arg_s) { cases = c; s = arg_s; } + Case(ListExpr* c, Stmt* arg_s) : + cases(simplify_expr_list(c,SIMPLIFY_GENERAL)), s(arg_s) { } ~Case(); const ListExpr* Cases() const { return cases; } @@ -226,7 +229,7 @@ public: protected: friend class Stmt; - SwitchStmt() { cases = 0; } + SwitchStmt() { cases = 0; default_case_idx = -1; comp_hash = 0; } Val* DoExec(Frame* f, Val* v, stmt_flow_type& flow) const; Stmt* DoSimplify(); @@ -234,7 +237,23 @@ protected: DECLARE_SERIAL(SwitchStmt); + // Initialize composite hash and case label map. + void Init(); + + // Adds an entry in case_label_map for the given value to associate it + // with the given index in the cases list. If the entry already exists, + // returns false, else returns true. + bool AddCaseLabelMapping(const Val* v, int idx); + + // Returns index of a case label that's equal to the value, or + // default_case_idx if no case label matches (which may be -1 if there's + // no default label). + int FindCaseLabelMatch(const Val* v) const; + case_list* cases; + int default_case_idx; + CompositeHash* comp_hash; + PDict(int) case_label_map; }; class AddStmt : public ExprStmt { @@ -286,24 +305,6 @@ protected: EventExpr* event_expr; }; -class HookStmt : public ExprStmt { -public: - HookStmt(CallExpr* e); - - Val* Exec(Frame* f, stmt_flow_type& flow) const; - - TraversalCode Traverse(TraversalCallback* cb) const; - -protected: - friend class Stmt; - - HookStmt() { call_expr = 0; } - - DECLARE_SERIAL(HookStmt); - - CallExpr* call_expr; -}; - class ForStmt : public ExprStmt { public: ForStmt(id_list* loop_vars, Expr* loop_expr); diff --git a/src/StmtEnums.h b/src/StmtEnums.h index fa5b70389d..f431e3fea1 100644 --- a/src/StmtEnums.h +++ b/src/StmtEnums.h 
@@ -15,7 +15,7 @@ typedef enum { STMT_RETURN, STMT_ADD, STMT_DELETE, STMT_LIST, STMT_EVENT_BODY_LIST, - STMT_INIT, STMT_HOOK, + STMT_INIT, STMT_NULL #define NUM_STMTS (int(STMT_NULL) + 1) } BroStmtTag; diff --git a/src/TCP.cc b/src/TCP.cc index 555adf1b57..da977d8157 100644 --- a/src/TCP.cc +++ b/src/TCP.cc @@ -382,7 +382,7 @@ void TCP_Analyzer::ProcessFIN(double t, TCP_Endpoint* endpoint, endpoint->FIN_seq = base_seq - endpoint->StartSeq() + seq_len; } -bool TCP_Analyzer::ProcessRST(double t, TCP_Endpoint* endpoint, +void TCP_Analyzer::ProcessRST(double t, TCP_Endpoint* endpoint, const IP_Hdr* ip, uint32 base_seq, int len, int& seq_len) { @@ -406,11 +406,9 @@ bool TCP_Analyzer::ProcessRST(double t, TCP_Endpoint* endpoint, } PacketWithRST(); - - return true; } -int TCP_Analyzer::ProcessFlags(double t, +void TCP_Analyzer::ProcessFlags(double t, const IP_Hdr* ip, const struct tcphdr* tp, uint32 tcp_hdr_len, int len, int& seq_len, TCP_Endpoint* endpoint, TCP_Endpoint* peer, @@ -425,14 +423,11 @@ int TCP_Analyzer::ProcessFlags(double t, if ( flags.FIN() ) ProcessFIN(t, endpoint, seq_len, base_seq); - if ( flags.RST() && - ! ProcessRST(t, endpoint, ip, base_seq, len, seq_len) ) - return 0; + if ( flags.RST() ) + ProcessRST(t, endpoint, ip, base_seq, len, seq_len); if ( flags.ACK() ) ProcessACK(endpoint, peer, ack_seq, is_orig, flags); - - return 1; } void TCP_Analyzer::TransitionFromInactive(double t, TCP_Endpoint* endpoint, 
@@ -825,10 +820,27 @@ void TCP_Analyzer::UpdateClosedState(double t, TCP_Endpoint* endpoint, } } -void TCP_Analyzer::UpdateResetState(int len, TCP_Flags flags) +void TCP_Analyzer::UpdateResetState(int len, TCP_Flags flags, + TCP_Endpoint* endpoint, uint32 base_seq, + uint32 last_seq) { if ( flags.SYN() ) + { Weird("SYN_after_reset"); + + if ( endpoint->prev_state == TCP_ENDPOINT_INACTIVE ) + { + // Seq. numbers were initialized by a RST packet from this endpoint, + // but now that a SYN is seen from it, that could mean the earlier + // RST was spoofed/injected, so re-initialize. This mostly just + // helps prevent misrepresentations of payload sizes that are based + // on bad initial sequence values. + endpoint->InitStartSeq(base_seq); + endpoint->InitAckSeq(base_seq); + endpoint->InitLastSeq(last_seq); + } + } + if ( flags.FIN() ) Weird("FIN_after_reset"); @@ -871,7 +883,7 @@ void TCP_Analyzer::UpdateStateMachine(double t, break; case TCP_ENDPOINT_RESET: - UpdateResetState(len, flags); + UpdateResetState(len, flags, endpoint, base_seq, last_seq); break; } } @@ -996,10 +1008,8 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq_len = len; // length in terms of sequence space - if ( ! ProcessFlags(t, ip, tp, tcp_hdr_len, len, seq_len, - endpoint, peer, base_seq, ack_seq, - orig_addr, is_orig, flags) ) - return; + ProcessFlags(t, ip, tp, tcp_hdr_len, len, seq_len, endpoint, peer, base_seq, + ack_seq, orig_addr, is_orig, flags); uint32 last_seq = base_seq + seq_len; diff --git a/src/TCP.h b/src/TCP.h index c84202fcf6..635fda7960 100644 --- a/src/TCP.h +++ b/src/TCP.h 
@@ -135,13 +135,13 @@ protected: void ProcessFIN(double t, TCP_Endpoint* endpoint, int& seq_len, uint32 base_seq); - bool ProcessRST(double t, TCP_Endpoint* endpoint, const IP_Hdr* ip, + void ProcessRST(double t, TCP_Endpoint* endpoint, const IP_Hdr* ip, uint32 base_seq, int len, int& seq_len); void ProcessACK(TCP_Endpoint* endpoint, TCP_Endpoint* peer, uint32 ack_seq, int is_orig, TCP_Flags flags); - int ProcessFlags(double t, const IP_Hdr* ip, const struct tcphdr* tp, + void ProcessFlags(double t, const IP_Hdr* ip, const struct tcphdr* tp, uint32 tcp_hdr_len, int len, int& seq_len, TCP_Endpoint* endpoint, TCP_Endpoint* peer, uint32 base_seq, uint32 ack_seq, @@ -186,7 +186,8 @@ protected: int delta_last, TCP_Flags flags, int& do_close); - void UpdateResetState(int len, TCP_Flags flags); + void UpdateResetState(int len, TCP_Flags flags, TCP_Endpoint* endpoint, + uint32 base_seq, uint32 last_seq); void GeneratePacketEvent(TCP_Endpoint* endpoint, TCP_Endpoint* peer, uint32 base_seq, uint32 ack_seq, diff --git a/src/Trigger.cc b/src/Trigger.cc index 164f11b885..b7e08b557e 100644 --- a/src/Trigger.cc +++ b/src/Trigger.cc @@ -217,8 +217,15 @@ bool Trigger::Eval() Name()); Unref(v); + v = 0; stmt_flow_type flow; - v = body->Exec(f, flow); + + try + { + v = body->Exec(f, flow); + } + catch ( InterpreterException& e ) + { /* Already reported. */ } if ( is_return ) { @@ -300,7 +307,14 @@ void Trigger::Timeout() { stmt_flow_type flow; Frame* f = frame->Clone(); - Val* v = timeout_stmts->Exec(f, flow); + Val* v = 0; + + try + { + v = timeout_stmts->Exec(f, flow); + } + catch ( InterpreterException& e ) + { /* Already reported. */ } if ( is_return ) { @@ -382,7 +396,7 @@ void Trigger::Attach(Trigger *trigger) void Trigger::Cache(const CallExpr* expr, Val* v) { - if ( disabled ) + if ( disabled || ! v ) return; ValCache::iterator i = cache.find(expr); diff --git a/src/Type.cc b/src/Type.cc index e9b0949d13..1fb813efa1 100644 --- a/src/Type.cc +++ b/src/Type.cc 
@@ -30,6 +30,7 @@ const char* type_name(TypeTag t) "table", "union", "record", "types", "func", "file", + "opaque", "vector", "type", "error", @@ -96,6 +97,7 @@ BroType::BroType(TypeTag t, bool arg_base_type) case TYPE_LIST: case TYPE_FUNC: case TYPE_FILE: + case TYPE_OPAQUE: case TYPE_VECTOR: case TYPE_TYPE: internal_tag = TYPE_INTERNAL_OTHER; @@ -114,8 +116,17 @@ BroType::~BroType() delete [] type_id; } -int BroType::MatchesIndex(ListExpr*& /* index */) const +int BroType::MatchesIndex(ListExpr*& index) const { + if ( Tag() == TYPE_STRING ) + { + if ( index->Exprs().length() != 1 && index->Exprs().length() != 2 ) + return DOES_NOT_MATCH_INDEX; + + if ( check_and_promote_exprs_to_type(index, ::base_type(TYPE_INT)) ) + return MATCHES_INDEX_SCALAR; + } + return DOES_NOT_MATCH_INDEX; } @@ -1262,6 +1273,42 @@ bool FileType::DoUnserialize(UnserialInfo* info) return yield != 0; } +OpaqueType::OpaqueType(const string& arg_name) : BroType(TYPE_OPAQUE) + { + name = arg_name; + } + +void OpaqueType::Describe(ODesc* d) const + { + if ( d->IsReadable() ) + d->AddSP("opaque of"); + else + d->Add(int(Tag())); + + d->Add(name.c_str()); + } + +IMPLEMENT_SERIAL(OpaqueType, SER_OPAQUE_TYPE); + +bool OpaqueType::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_OPAQUE_TYPE, BroType); + return SERIALIZE(name); + } + +bool OpaqueType::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(BroType); + + char const* n; + if ( ! UNSERIALIZE_STR(&n, 0) ) + return false; + + name = n; + delete [] n; + return true; + } + EnumType::EnumType(const string& arg_name) : BroType(TYPE_ENUM) { @@ -1716,6 +1763,13 @@ int same_type(const BroType* t1, const BroType* t2, int is_init) case TYPE_FILE: return same_type(t1->YieldType(), t2->YieldType(), is_init); + case TYPE_OPAQUE: + { + const OpaqueType* ot1 = (const OpaqueType*) t1; + const OpaqueType* ot2 = (const OpaqueType*) t2; + return ot1->Name() == ot2->Name() ? 1 : 0; + } + case TYPE_TYPE: return same_type(t1, t2, is_init); 
@@ -1805,6 +1859,7 @@ int is_assignable(BroType* t) case TYPE_VECTOR: case TYPE_FILE: + case TYPE_OPAQUE: case TYPE_TABLE: case TYPE_TYPE: return 1; @@ -2190,3 +2245,18 @@ BroType* init_type(Expr* init) return new SetType(t->AsTypeList(), 0); } + +bool is_atomic_type(const BroType* t) + { + switch ( t->InternalType() ) { + case TYPE_INTERNAL_INT: + case TYPE_INTERNAL_UNSIGNED: + case TYPE_INTERNAL_DOUBLE: + case TYPE_INTERNAL_STRING: + case TYPE_INTERNAL_ADDR: + case TYPE_INTERNAL_SUBNET: + return true; + default: + return false; + } + } diff --git a/src/Type.h b/src/Type.h index 8e2bb099d8..249d8709c5 100644 --- a/src/Type.h +++ b/src/Type.h @@ -29,6 +29,7 @@ typedef enum { TYPE_LIST, TYPE_FUNC, TYPE_FILE, + TYPE_OPAQUE, TYPE_VECTOR, TYPE_TYPE, TYPE_ERROR @@ -499,6 +500,23 @@ protected: BroType* yield; }; +class OpaqueType : public BroType { +public: + OpaqueType(const string& name); + virtual ~OpaqueType() { }; + + const string& Name() const { return name; } + + void Describe(ODesc* d) const; + +protected: + OpaqueType() { } + + DECLARE_SERIAL(OpaqueType) + + string name; +}; + class EnumType : public BroType { public: EnumType(const string& arg_name); @@ -625,6 +643,9 @@ BroType* merge_type_list(ListExpr* elements); // Given an expression, infer its type when used for an initialization. extern BroType* init_type(Expr* init); +// Returns true if argument is an atomic type. +bool is_atomic_type(const BroType* t); + // True if the given type tag corresponds to an integral type. #define IsIntegral(t) (t == TYPE_INT || t == TYPE_COUNT || t == TYPE_COUNTER) diff --git a/src/Val.cc b/src/Val.cc index 79fa8a0c69..20051aff5f 100644 --- a/src/Val.cc +++ b/src/Val.cc 
@@ -3114,9 +3114,33 @@ void VectorVal::ValDescribe(ODesc* d) const d->Add("]"); } +OpaqueVal::OpaqueVal(OpaqueType* t) : Val(t) + { + } + +OpaqueVal::~OpaqueVal() + { + } + +IMPLEMENT_SERIAL(OpaqueVal, SER_OPAQUE_VAL); + +bool OpaqueVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_OPAQUE_VAL, Val); + return true; + } + +bool OpaqueVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(Val); + return true; + } Val* check_and_promote(Val* v, const BroType* t, int is_init) { + if ( ! v ) + return 0; + BroType* vt = v->Type(); vt = flatten_type(vt); @@ -3206,17 +3230,7 @@ int same_val(const Val* /* v1 */, const Val* /* v2 */) bool is_atomic_val(const Val* v) { - switch ( v->Type()->InternalType() ) { - case TYPE_INTERNAL_INT: - case TYPE_INTERNAL_UNSIGNED: - case TYPE_INTERNAL_DOUBLE: - case TYPE_INTERNAL_STRING: - case TYPE_INTERNAL_ADDR: - case TYPE_INTERNAL_SUBNET: - return true; - default: - return false; - } + return is_atomic_type(v->Type()); } int same_atomic_val(const Val* v1, const Val* v2) diff --git a/src/Val.h b/src/Val.h index c3ec5b04fb..8ebfb2de0e 100644 --- a/src/Val.h +++ b/src/Val.h @@ -1013,6 +1013,20 @@ protected: VectorType* vector_type; }; +// Base class for values with types that are managed completely internally, +// with no further script-level operators provided (other than bif +// functions). See OpaqueVal.h for derived classes. +class OpaqueVal : public Val { +public: + OpaqueVal(OpaqueType* t); + virtual ~OpaqueVal(); + +protected: + friend class Val; + OpaqueVal() { } + + DECLARE_SERIAL(OpaqueVal); +}; // Checks the given value for consistency with the given type. If an // exact match, returns it. If promotable, returns the promoted version, diff --git a/src/Var.cc b/src/Var.cc index 9c4fb5b978..b4d76097d3 100644 --- a/src/Var.cc +++ b/src/Var.cc 
@@ -109,6 +109,36 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init, if ( attr ) id->AddAttrs(new Attributes(attr, t, false)); + if ( init ) + { + switch ( init->Tag() ) { + case EXPR_TABLE_CONSTRUCTOR: + { + TableConstructorExpr* ctor = (TableConstructorExpr*) init; + if ( ctor->Attrs() ) + { + ::Ref(ctor->Attrs()); + id->AddAttrs(ctor->Attrs()); + } + } + break; + + case EXPR_SET_CONSTRUCTOR: + { + SetConstructorExpr* ctor = (SetConstructorExpr*) init; + if ( ctor->Attrs() ) + { + ::Ref(ctor->Attrs()); + id->AddAttrs(ctor->Attrs()); + } + } + break; + + default: + break; + } + } + if ( id->FindAttr(ATTR_PERSISTENT) || id->FindAttr(ATTR_SYNCHRONIZED) ) { if ( dt == VAR_CONST ) @@ -180,7 +210,6 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init, // defined. Func* f = new BroFunc(id, 0, 0, 0, 0); id->SetVal(new Val(f)); - id->SetConst(); } } @@ -203,8 +232,9 @@ Stmt* add_local(ID* id, BroType* t, init_class c, Expr* init, Ref(id); + Expr* name_expr = new NameExpr(id, dt == VAR_CONST); Stmt* stmt = - new ExprStmt(new AssignExpr(new NameExpr(id), init, 0, 0, + new ExprStmt(new AssignExpr(name_expr, init, 0, 0, id->Attrs() ? id->Attrs()->Attrs() : 0 )); stmt->SetLocationInfo(init->GetLocationInfo()); @@ -294,12 +324,12 @@ void add_type(ID* id, BroType* t, attr_list* attr, int /* is_event */) void begin_func(ID* id, const char* module_name, function_flavor flavor, int is_redef, FuncType* t) { - if ( flavor == FUNC_FLAVOR_EVENT || flavor == FUNC_FLAVOR_HOOK ) + if ( flavor == FUNC_FLAVOR_EVENT ) { const BroType* yt = t->YieldType(); if ( yt && yt->Tag() != TYPE_VOID ) - id->Error("event/hook cannot yield a value", t); + id->Error("event cannot yield a value", t); t->ClearYieldType(flavor); } diff --git a/src/bro.bif b/src/bro.bif index d945e54ef4..8cea9d9123 100644 --- a/src/bro.bif +++ b/src/bro.bif 
@@ -530,82 +530,7 @@ function piped_exec%(program: string, to_write: string%): bool %} %%{ -static void hash_md5_val(val_list& vlist, unsigned char digest[16]) - { - MD5_CTX h; - - md5_init(&h); - loop_over_list(vlist, i) - { - Val* v = vlist[i]; - if ( v->Type()->Tag() == TYPE_STRING ) - { - const BroString* str = v->AsString(); - md5_update(&h, str->Bytes(), str->Len()); - } - else - { - ODesc d(DESC_BINARY); - v->Describe(&d); - md5_update(&h, (const u_char *) d.Bytes(), d.Len()); - } - } - md5_final(&h, digest); - } - -static void hmac_md5_val(val_list& vlist, unsigned char digest[16]) - { - hash_md5_val(vlist, digest); - for ( int i = 0; i < 16; ++i ) - digest[i] = digest[i] ^ shared_hmac_md5_key[i]; - MD5(digest, 16, digest); - } - -static void hash_sha1_val(val_list& vlist, unsigned char digest[20]) - { - SHA_CTX h; - - sha1_init(&h); - loop_over_list(vlist, i) - { - Val* v = vlist[i]; - if ( v->Type()->Tag() == TYPE_STRING ) - { - const BroString* str = v->AsString(); - sha1_update(&h, str->Bytes(), str->Len()); - } - else - { - ODesc d(DESC_BINARY); - v->Describe(&d); - sha1_update(&h, (const u_char *) d.Bytes(), d.Len()); - } - } - sha1_final(&h, digest); - } - -static void hash_sha256_val(val_list& vlist, unsigned char digest[32]) - { - SHA256_CTX h; - - sha256_init(&h); - loop_over_list(vlist, i) - { - Val* v = vlist[i]; - if ( v->Type()->Tag() == TYPE_STRING ) - { - const BroString* str = v->AsString(); - sha256_update(&h, str->Bytes(), str->Len()); - } - else - { - ODesc d(DESC_BINARY); - v->Describe(&d); - sha256_update(&h, (const u_char *) d.Bytes(), d.Len()); - } - } - sha256_final(&h, digest); - } +#include "OpaqueVal.h" %%} ## Computes the MD5 hash value of the provided list of arguments. 
@@ -623,8 +548,8 @@ static void hash_sha256_val(val_list& vlist, unsigned char digest[32]) ## friends. function md5_hash%(...%): string %{ - unsigned char digest[16]; - hash_md5_val(@ARG@, digest); + unsigned char digest[MD5_DIGEST_LENGTH]; + MD5Val::digest(@ARG@, digest); return new StringVal(md5_digest_print(digest)); %} @@ -643,8 +568,8 @@ function md5_hash%(...%): string ## friends. function sha1_hash%(...%): string %{ - unsigned char digest[20]; - hash_sha1_val(@ARG@, digest); + unsigned char digest[SHA_DIGEST_LENGTH]; + SHA1Val::digest(@ARG@, digest); return new StringVal(sha1_digest_print(digest)); %} @@ -663,8 +588,8 @@ function sha1_hash%(...%): string ## friends. function sha256_hash%(...%): string %{ - unsigned char digest[32]; - hash_sha256_val(@ARG@, digest); + unsigned char digest[SHA256_DIGEST_LENGTH]; + SHA256Val::digest(@ARG@, digest); return new StringVal(sha256_digest_print(digest)); %} 
@@ -679,288 +604,183 @@ function sha256_hash%(...%): string ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish function md5_hmac%(...%): string %{ - unsigned char digest[16]; - hmac_md5_val(@ARG@, digest); - return new StringVal(md5_digest_print(digest)); + unsigned char hmac[MD5_DIGEST_LENGTH]; + MD5Val::hmac(@ARG@, shared_hmac_md5_key, hmac); + return new StringVal(md5_digest_print(hmac)); %} -%%{ -static map md5_states; -static map sha1_states; -static map sha256_states; - -BroString* convert_index_to_string(Val* index) - { - ODesc d; - index->Describe(&d); - BroString* s = new BroString(1, d.TakeBytes(), d.Len()); - s->SetUseFreeToDelete(1); - return s; - } -%%} - -## Initializes MD5 state to enable incremental hash computation. After -## initializing the MD5 state with this function, you can feed data to -## :bro:id:`md5_hash_update` and finally need to call :bro:id:`md5_hash_finish` -## to finish the computation and get the final hash value. +## Constructs an MD5 handle to enable incremental hash computation. You can +## feed data to the returned opaque value with :bro:id:`md5_hash_update` and +## eventually need to call :bro:id:`md5_hash_finish` to finish the computation +## and get the hash digest as result. ## ## For example, when computing incremental MD5 values of transferred files in -## multiple concurrent HTTP connections, one would call ``md5_hash_init(c$id)`` -## once before invoking ``md5_hash_update(c$id, some_more_data)`` in the +## multiple concurrent HTTP connections, one keeps an optional handle in the +## HTTP session record. Then, one would call +## ``c$http$md5_handle = md5_hash_init()`` once before invoking +## ``md5_hash_update(c$http$md5_handle, some_more_data)`` in the ## :bro:id:`http_entity_data` event handler. When all data has arrived, a call ## to :bro:id:`md5_hash_finish` returns the final hash value. -## -## index: The unique identifier to associate with this hash computation. 
+## +## Returns: The opaque handle associated with this hash computation. ## ## .. bro:see:: md5_hmac md5_hash md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish -function md5_hash_init%(index: any%): bool +function md5_hash_init%(%): opaque of md5 %{ - BroString* s = convert_index_to_string(index); - int status = 0; - - if ( md5_states.count(*s) < 1 ) - { - MD5_CTX h; - md5_init(&h); - md5_states[*s] = h; - status = 1; - } - - delete s; - return new Val(status, TYPE_BOOL); + HashVal* digest = new MD5Val(); + digest->Init(); + return digest; %} -## Initializes SHA1 state to enable incremental hash computation. After -## initializing the SHA1 state with this function, you can feed data to -## :bro:id:`sha1_hash_update` and finally need to call -## :bro:id:`sha1_hash_finish` to finish the computation and get the final hash -## value. +## Constructs an SHA1 handle to enable incremental hash computation. You can +## feed data to the returned opaque value with :bro:id:`sha1_hash_update` and +## finally need to call :bro:id:`sha1_hash_finish` to finish the computation +## and get the hash digest as result. ## ## For example, when computing incremental SHA1 values of transferred files in -## multiple concurrent HTTP connections, one would call ``sha1_hash_init(c$id)`` -## once before invoking ``sha1_hash_update(c$id, some_more_data)`` in the +## multiple concurrent HTTP connections, one keeps an optional handle in the +## HTTP session record. Then, one would call +## ``c$http$sha1_handle = sha1_hash_init()`` ## once before invoking +## ``sha1_hash_update(c$http$sha1_handle, some_more_data)`` in the ## :bro:id:`http_entity_data` event handler. When all data has arrived, a call ## to :bro:id:`sha1_hash_finish` returns the final hash value. ## -## index: The unique identifier to associate with this hash computation. 
+## Returns: The opaque handle associated with this hash computation. ## ## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish -function sha1_hash_init%(index: any%): bool +function sha1_hash_init%(%): opaque of sha1 %{ - BroString* s = convert_index_to_string(index); - int status = 0; - - if ( sha1_states.count(*s) < 1 ) - { - SHA_CTX h; - sha1_init(&h); - sha1_states[*s] = h; - status = 1; - } - - delete s; - return new Val(status, TYPE_BOOL); + HashVal* digest = new SHA1Val(); + digest->Init(); + return digest; %} -## Initializes SHA256 state to enable incremental hash computation. After -## initializing the SHA256 state with this function, you can feed data to -## :bro:id:`sha256_hash_update` and finally need to call -## :bro:id:`sha256_hash_finish` to finish the computation and get the final hash -## value. +## Constructs an SHA256 handle to enable incremental hash computation. You can +## feed data to the returned opaque value with :bro:id:`sha256_hash_update` and +## finally need to call :bro:id:`sha256_hash_finish` to finish the computation +## and get the hash digest as result. ## ## For example, when computing incremental SHA256 values of transferred files in -## multiple concurrent HTTP connections, one would call -## ``sha256_hash_init(c$id)`` once before invoking -## ``sha256_hash_update(c$id, some_more_data)`` in the +## multiple concurrent HTTP connections, one keeps an optional handle in the +## HTTP session record. Then, one would call +## ``c$http$sha256_handle = sha256_hash_init()`` ## once before invoking +## ``sha256_hash_update(c$http$sha256_handle, some_more_data)`` in the ## :bro:id:`http_entity_data` event handler. When all data has arrived, a call ## to :bro:id:`sha256_hash_finish` returns the final hash value. ## -## index: The unique identifier to associate with this hash computation. 
+## Returns: The opaque handle associated with this hash computation. ## ## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_update sha256_hash_finish -function sha256_hash_init%(index: any%): bool +function sha256_hash_init%(%): opaque of sha256 %{ - BroString* s = convert_index_to_string(index); - int status = 0; - - if ( sha256_states.count(*s) < 1 ) - { - SHA256_CTX h; - sha256_init(&h); - sha256_states[*s] = h; - status = 1; - } - - delete s; - return new Val(status, TYPE_BOOL); + HashVal* digest = new SHA256Val(); + digest->Init(); + return digest; %} -## Update the MD5 value associated with a given index. It is required to +## Updates the MD5 value associated with a given index. It is required to ## call :bro:id:`md5_hash_init` once before calling this ## function. ## -## index: The unique identifier to associate with this hash computation. +## handle: The opaque handle associated with this hash computation. ## ## data: The data to add to the hash computation. ## +## Returns: True on success. +## ## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish -function md5_hash_update%(index: any, data: string%): bool +function md5_hash_update%(handle: opaque of md5, data: string%): bool %{ - BroString* s = convert_index_to_string(index); - int status = 0; - - if ( md5_states.count(*s) > 0 ) - { - md5_update(&md5_states[*s], data->Bytes(), data->Len()); - status = 1; - } - - delete s; - return new Val(status, TYPE_BOOL); + bool rc = static_cast(handle)->Feed(data->Bytes(), data->Len()); + return new Val(rc, TYPE_BOOL); %} -## Update the SHA1 value associated with a given index. It is required to +## Updates the SHA1 value associated with a given index. 
It is required to ## call :bro:id:`sha1_hash_init` once before calling this ## function. ## -## index: The unique identifier to associate with this hash computation. +## handle: The opaque handle associated with this hash computation. ## ## data: The data to add to the hash computation. ## +## Returns: True on success. +## ## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish -function sha1_hash_update%(index: any, data: string%): bool +function sha1_hash_update%(handle: opaque of sha1, data: string%): bool %{ - BroString* s = convert_index_to_string(index); - int status = 0; - - if ( sha1_states.count(*s) > 0 ) - { - sha1_update(&sha1_states[*s], data->Bytes(), data->Len()); - status = 1; - } - - delete s; - return new Val(status, TYPE_BOOL); + bool rc = static_cast(handle)->Feed(data->Bytes(), data->Len()); + return new Val(rc, TYPE_BOOL); %} -## Update the SHA256 value associated with a given index. It is required to +## Updates the SHA256 value associated with a given index. It is required to ## call :bro:id:`sha256_hash_init` once before calling this ## function. ## -## index: The unique identifier to associate with this hash computation. +## handle: The opaque handle associated with this hash computation. ## ## data: The data to add to the hash computation. ## +## Returns: True on success. +## ## .. 
bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_finish -function sha256_hash_update%(index: any, data: string%): bool +function sha256_hash_update%(handle: opaque of sha256, data: string%): bool %{ - BroString* s = convert_index_to_string(index); - int status = 0; - - if ( sha256_states.count(*s) > 0 ) - { - sha256_update(&sha256_states[*s], data->Bytes(), data->Len()); - status = 1; - } - - delete s; - return new Val(status, TYPE_BOOL); + bool rc = static_cast(handle)->Feed(data->Bytes(), data->Len()); + return new Val(rc, TYPE_BOOL); %} ## Returns the final MD5 digest of an incremental hash computation. ## -## index: The unique identifier of this hash computation. +## handle: The opaque handle associated with this hash computation. ## -## Returns: The hash value associated with the computation at *index*. +## Returns: The hash value associated with the computation of *handle*. ## ## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish -function md5_hash_finish%(index: any%): string +function md5_hash_finish%(handle: opaque of md5%): string %{ - BroString* s = convert_index_to_string(index); - StringVal* printable_digest; - - if ( md5_states.count(*s) > 0 ) - { - unsigned char digest[16]; - md5_final(&md5_states[*s], digest); - md5_states.erase(*s); - printable_digest = new StringVal(md5_digest_print(digest)); - } - else - printable_digest = new StringVal(""); - - delete s; - return printable_digest; + return static_cast(handle)->Get(); %} ## Returns the final SHA1 digest of an incremental hash computation. ## -## index: The unique identifier of this hash computation. +## handle: The opaque handle associated with this hash computation. 
## -## Returns: The hash value associated with the computation at *index*. +## Returns: The hash value associated with the computation of *handle*. ## ## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update ## sha256_hash sha256_hash_init sha256_hash_update sha256_hash_finish -function sha1_hash_finish%(index: any%): string +function sha1_hash_finish%(handle: opaque of sha1%): string %{ - BroString* s = convert_index_to_string(index); - StringVal* printable_digest; - - if ( sha1_states.count(*s) > 0 ) - { - unsigned char digest[20]; - sha1_final(&sha1_states[*s], digest); - sha1_states.erase(*s); - printable_digest = new StringVal(sha1_digest_print(digest)); - } - else - printable_digest = new StringVal(""); - - delete s; - return printable_digest; + return static_cast(handle)->Get(); %} ## Returns the final SHA256 digest of an incremental hash computation. ## -## index: The unique identifier of this hash computation. +## handle: The opaque handle associated with this hash computation. ## -## Returns: The hash value associated with the computation at *index*. +## Returns: The hash value associated with the computation of *handle*. ## ## .. bro:see:: md5_hmac md5_hash md5_hash_init md5_hash_update md5_hash_finish ## sha1_hash sha1_hash_init sha1_hash_update sha1_hash_finish ## sha256_hash sha256_hash_init sha256_hash_update -function sha256_hash_finish%(index: any%): string +function sha256_hash_finish%(handle: opaque of sha256%): string %{ - BroString* s = convert_index_to_string(index); - StringVal* printable_digest; - - if ( sha256_states.count(*s) > 0 ) - { - unsigned char digest[32]; - sha256_final(&sha256_states[*s], digest); - sha256_states.erase(*s); - printable_digest = new StringVal(sha256_digest_print(digest)); - } - else - printable_digest = new StringVal(""); - - delete s; - return printable_digest; + return static_cast(handle)->Get(); %} ## Generates a random number. 
@@ -1058,11 +878,6 @@ function identify_data%(data: string, return_mime: bool%): string return new StringVal(descr); %} -%%{ -#include -static map entropy_states; -%%} - ## Performs an entropy test on the given data. ## See http://www.fourmilab.ch/random. ## @@ -1107,13 +922,11 @@ function find_entropy%(data: string%): entropy_test_result %{ double montepi, scc, ent, mean, chisq; montepi = scc = ent = mean = chisq = 0.0; + EntropyVal e; + e.Feed(data->Bytes(), data->Len()); + e.Get(&ent, &chisq, &mean, &montepi, &scc); + RecordVal* ent_result = new RecordVal(entropy_test_result); - RandTest *rt = new RandTest(); - - rt->add((char*) data->Bytes(), data->Len()); - rt->end(&ent, &chisq, &mean, &montepi, &scc); - delete rt; - ent_result->Assign(0, new Val(ent, TYPE_DOUBLE)); ent_result->Assign(1, new Val(chisq, TYPE_DOUBLE)); ent_result->Assign(2, new Val(mean, TYPE_DOUBLE)); 
@@ -1124,85 +937,52 @@ function find_entropy%(data: string%): entropy_test_result ## Initializes data structures for incremental entropy calculation. ## -## index: An arbitrary unique value per distinct computation. -## -## Returns: True on success. +## Returns: An opaque handle to be used in subsequent operations. ## ## .. bro:see:: find_entropy entropy_test_add entropy_test_finish -function entropy_test_init%(index: any%): bool +function entropy_test_init%(%): opaque of entropy %{ - BroString* s = convert_index_to_string(index); - int status = 0; - - if ( entropy_states.count(*s) < 1 ) - { - entropy_states[*s] = new RandTest(); - status = 1; - } - - delete s; - return new Val(status, TYPE_BOOL); + return new EntropyVal(); %} -## Adds data to an incremental entropy calculation. Before using this function, -## one needs to invoke :bro:id:`entropy_test_init`. +## Adds data to an incremental entropy calculation. +## +## handle: The opaque handle representing the entropy calculation state. ## ## data: The data to add to the entropy calculation. ## -## index: An arbitrary unique value that identifies a particular entropy -## computation. -## ## Returns: True on success. ## ## .. bro:see:: find_entropy entropy_test_add entropy_test_finish -function entropy_test_add%(index: any, data: string%): bool +function entropy_test_add%(handle: opaque of entropy, data: string%): bool %{ - BroString* s = convert_index_to_string(index); - int status = 0; - - if ( entropy_states.count(*s) > 0 ) - { - entropy_states[*s]->add((char*) data->Bytes(), data->Len()); - status = 1; - } - - delete s; + bool status = static_cast(handle)->Feed(data->Bytes(), + data->Len()); return new Val(status, TYPE_BOOL); %} ## Finishes an incremental entropy calculation. Before using this function, -## one needs to initialize the computation with :bro:id:`entropy_test_init` and +## one needs to obtain an opaque handle with :bro:id:`entropy_test_init` and ## add data to it via :bro:id:`entropy_test_add`. 
## -## index: An arbitrary unique value that identifies a particular entropy -## computation. +## handle: The opaque handle representing the entropy calculation state. ## ## Returns: The result of the entropy test. See :bro:id:`find_entropy` for a ## description of the individual components. ## ## .. bro:see:: find_entropy entropy_test_init entropy_test_add -function entropy_test_finish%(index: any%): entropy_test_result +function entropy_test_finish%(handle: opaque of entropy%): entropy_test_result %{ - BroString* s = convert_index_to_string(index); double montepi, scc, ent, mean, chisq; montepi = scc = ent = mean = chisq = 0.0; + static_cast(handle)->Get(&ent, &chisq, &mean, &montepi, &scc); + RecordVal* ent_result = new RecordVal(entropy_test_result); - - if ( entropy_states.count(*s) > 0 ) - { - RandTest *rt = entropy_states[*s]; - rt->end(&ent, &chisq, &mean, &montepi, &scc); - entropy_states.erase(*s); - delete rt; - } - ent_result->Assign(0, new Val(ent, TYPE_DOUBLE)); ent_result->Assign(1, new Val(chisq, TYPE_DOUBLE)); ent_result->Assign(2, new Val(mean, TYPE_DOUBLE)); ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE)); ent_result->Assign(4, new Val(scc, TYPE_DOUBLE)); - - delete s; return ent_result; %} @@ -2684,8 +2464,9 @@ function to_port%(s: string%): port if ( s->Len() < 10 ) { char* slash; + errno = 0; port = strtol(s->CheckString(), &slash, 10); - if ( port ) + if ( ! errno ) { ++slash; if ( streq(slash, "tcp") ) diff --git a/src/builtin-func.l b/src/builtin-func.l index 1d61f31734..9baeb1a9f9 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -74,7 +74,9 @@ HEX [0-9a-fA-F]+ "set" return check_c_mode(TOK_SET); "table" return check_c_mode(TOK_TABLE); "vector" return check_c_mode(TOK_VECTOR); -"module" return check_c_mode(TOK_MODULE); +"of" return check_c_mode(TOK_OF); +"opaque" return check_c_mode(TOK_OPAQUE); +"module" return check_c_mode(TOK_MODULE); "@ARG@" return TOK_ARG; "@ARGS@" return TOK_ARGS; 
diff --git a/src/builtin-func.y b/src/builtin-func.y index fd40613236..474f321ccd 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y @@ -269,15 +269,15 @@ void print_event_c_body(FILE *fp) %token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG %token TOK_BOOL -%token TOK_FUNCTION TOK_EVENT TOK_CONST TOK_ENUM -%token TOK_TYPE TOK_RECORD TOK_SET TOK_VECTOR TOK_TABLE TOK_MODULE +%token TOK_FUNCTION TOK_EVENT TOK_CONST TOK_ENUM TOK_OF +%token TOK_TYPE TOK_RECORD TOK_SET TOK_VECTOR TOK_OPAQUE TOK_TABLE TOK_MODULE %token TOK_ARGS TOK_ARG TOK_ARGC %token TOK_ID TOK_ATTR TOK_CSTR TOK_LF TOK_WS TOK_COMMENT %token TOK_ATOM TOK_INT TOK_C_TOKEN %left ',' ':' -%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws +%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type %type TOK_ATOM TOK_BOOL %union { @@ -584,7 +584,17 @@ args_1: args_1 ',' opt_ws arg opt_ws { /* empty */ } ; -arg: TOK_ID opt_ws ':' opt_ws TOK_ID +// TODO: Migrate all other compound types to this rule. Once the BiF language +// can parse all regular Bro types, we can throw out the unnecessary +// boilerplate typedefs for addr_set, string_set, etc. +type: + TOK_OPAQUE opt_ws TOK_OF opt_ws TOK_ID + { $$ = concat("opaque of ", $5); } + | TOK_ID + { $$ = $1; } + ; + +arg: TOK_ID opt_ws ':' opt_ws type { args.push_back(new BuiltinFuncArg($1, $5)); } | TOK_VAR_ARG { @@ -594,7 +604,7 @@ arg: TOK_ID opt_ws ':' opt_ws TOK_ID } ; -return_type: ':' opt_ws TOK_ID opt_ws +return_type: ':' opt_ws type opt_ws { BuiltinFuncArg* ret = new BuiltinFuncArg("", $3); ret->PrintBro(fp_bro_init); diff --git a/src/const.bif b/src/const.bif index 7373403c11..ea7dc03817 100644 --- a/src/const.bif +++ b/src/const.bif 
@@ -15,8 +15,10 @@ const Tunnel::max_depth: count; const Tunnel::enable_ip: bool; const Tunnel::enable_ayiya: bool; const Tunnel::enable_teredo: bool; +const Tunnel::enable_gtpv1: bool; const Tunnel::yielding_teredo_decapsulation: bool; const Tunnel::delay_teredo_confirmation: bool; +const Tunnel::delay_gtp_confirmation: bool; const Tunnel::ip_tunnel_timeout: interval; const Threading::heartbeat_interval: interval; diff --git a/src/event.bif b/src/event.bif index b965c26ae9..8dd940f38b 100644 --- a/src/event.bif +++ b/src/event.bif @@ -577,6 +577,19 @@ event teredo_origin_indication%(outer: connection, inner: teredo_hdr%); ## it may become particularly expensive for real-time analysis. event teredo_bubble%(outer: connection, inner: teredo_hdr%); +## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload +## that includes a GTP header followed by an IPv4 or IPv6 packet. +## +## outer: The GTP outer tunnel connection. +## +## inner_gtp: The GTP header. +## +## inner_ip: The inner IP and transport layer packet headers. +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%); + ## Generated for every packet that has a non-empty transport-layer payload. ## This is a very low-level and expensive event that should be avoided when ## at all possible. It's usually infeasible to handle when processing even @@ -858,7 +871,7 @@ event udp_contents%(u: connection, is_orig: bool, contents: string%); ## Generated when a UDP session for a supported protocol has finished. Some of ## Bro's application-layer UDP analyzers flag the end of a session by raising ## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA, -## and Teredo support this. +## Teredo, and GTPv1 support this. ## ## u: The connection record for the corresponding UDP flow. ## 
diff --git a/src/gtpv1-analyzer.pac b/src/gtpv1-analyzer.pac new file mode 100644 index 0000000000..08fbdef74a --- /dev/null +++ b/src/gtpv1-analyzer.pac 
@@ -0,0 +1,161 @@ + +connection GTPv1_Conn(bro_analyzer: BroAnalyzer) + { + upflow = GTPv1_Flow(true); + downflow = GTPv1_Flow(false); + + %member{ + bool valid_orig; + bool valid_resp; + %} + + %init{ + valid_orig = valid_resp = false; + %} + + function valid(orig: bool): bool + %{ + return orig ? valid_orig : valid_resp; + %} + + function set_valid(orig: bool, val: bool): void + %{ + if ( orig ) + valid_orig = val; + else + valid_resp = val; + %} + } + +%code{ +inline void violate(const char* r, const BroAnalyzer& a, const bytestring& p) + { + a->ProtocolViolation(r, (const char*) p.data(), p.length()); + } +%} + +flow GTPv1_Flow(is_orig: bool) + { + datagram = GTPv1_Header withcontext(connection, this); + + function process_gtpv1(pdu: GTPv1_Header): bool + %{ + BroAnalyzer a = connection()->bro_analyzer(); + Connection *c = a->Conn(); + const EncapsulationStack* e = c->GetEncapsulation(); + + connection()->set_valid(is_orig(), false); + + if ( e && e->Depth() >= BifConst::Tunnel::max_depth ) + { + reporter->Weird(c, "tunnel_depth"); + return false; + } + + if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 ) + { + // GTP is never tunneled in GTP so, this must be a regular packet + violate("GTP-in-GTP", a, ${pdu.packet}); + return false; + } + + if ( ${pdu.version} != 1 ) + { + // Only know of GTPv1 with Version == 1 + violate("GTPv1 bad Version", a, ${pdu.packet}); + return false; + } + + if ( ! ${pdu.pt_flag} ) + { + // Not interested in GTP' + return false; + } + + if ( ${pdu.e_flag} ) + { + // TODO: can't currently parse past extension headers + return false; + } + + if ( ${pdu.msg_type} != 0xff ) + { + // Only interested in decapsulating user plane data beyond here. 
+ return false; + } + + if ( ${pdu.packet}.length() < (int)sizeof(struct ip) ) + { + violate("Truncated GTPv1", a, ${pdu.packet}); + return false; + } + + const struct ip* ip = (const struct ip*) ${pdu.packet}.data(); + + if ( ip->ip_v != 4 && ip->ip_v != 6 ) + { + violate("non-IP packet in GTPv1", a, ${pdu.packet}); + return false; + } + + IP_Hdr* inner = 0; + int result = sessions->ParseIPPacket(${pdu.packet}.length(), + ${pdu.packet}.data(), ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4, + inner); + + if ( result == 0 ) + { + connection()->set_valid(is_orig(), true); + + if ( (! BifConst::Tunnel::delay_gtp_confirmation) || + (connection()->valid(true) && connection()->valid(false)) ) + a->ProtocolConfirmation(); + } + + else if ( result < 0 ) + violate("Truncated GTPv1", a, ${pdu.packet}); + + else + violate("GTPv1 payload length", a, ${pdu.packet}); + + if ( result != 0 ) + { + delete inner; + return false; + } + + if ( ::gtpv1_g_pdu_packet ) + { + RecordVal* rv = new RecordVal(gtpv1_hdr_type); + + rv->Assign(0, new Val(${pdu.version}, TYPE_COUNT)); + rv->Assign(1, new Val(${pdu.pt_flag}, TYPE_BOOL)); + rv->Assign(2, new Val(${pdu.rsv}, TYPE_BOOL)); + rv->Assign(3, new Val(${pdu.e_flag}, TYPE_BOOL)); + rv->Assign(4, new Val(${pdu.s_flag}, TYPE_BOOL)); + rv->Assign(5, new Val(${pdu.pn_flag}, TYPE_BOOL)); + rv->Assign(6, new Val(${pdu.msg_type}, TYPE_COUNT)); + rv->Assign(7, new Val(ntohs(${pdu.length}), TYPE_COUNT)); + rv->Assign(8, new Val(ntohl(${pdu.teid}), TYPE_COUNT)); + + if ( ${pdu.has_opt} ) + { + rv->Assign(9, new Val(ntohs(${pdu.opt_hdr.seq}), TYPE_COUNT)); + rv->Assign(10, new Val(${pdu.opt_hdr.n_pdu}, TYPE_COUNT)); + rv->Assign(11, new Val(${pdu.opt_hdr.next_type}, TYPE_COUNT)); + } + + BifEvent::generate_gtpv1_g_pdu_packet(a, c, rv, + inner->BuildPktHdrVal()); + } + + EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1); + + sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec); + + return (result == 0) ? 
true : false; + %} + + }; + +refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); }; diff --git a/src/gtpv1-protocol.pac b/src/gtpv1-protocol.pac new file mode 100644 index 0000000000..5bf31a48ee --- /dev/null +++ b/src/gtpv1-protocol.pac @@ -0,0 +1,27 @@ + +type GTPv1_Header = record { + flags: uint8; + msg_type: uint8; + length: uint16; + teid: uint32; + opt: case has_opt of { + true -> opt_hdr: GTPv1_Opt_Header; + false -> no_opt: empty; + } &requires(has_opt); + packet: bytestring &restofdata; + +} &let { + version: uint8 = (flags & 0xE0) >> 5; + pt_flag: bool = flags & 0x10; + rsv: bool = flags & 0x08; + e_flag: bool = flags & 0x04; + s_flag: bool = flags & 0x02; + pn_flag: bool = flags & 0x01; + has_opt: bool = flags & 0x07; +} &byteorder = littleendian; + +type GTPv1_Opt_Header = record { + seq: uint16; + n_pdu: uint8; + next_type: uint8; +} diff --git a/src/gtpv1.pac b/src/gtpv1.pac new file mode 100644 index 0000000000..d155ecfd67 --- /dev/null +++ b/src/gtpv1.pac @@ -0,0 +1,10 @@ +%include binpac.pac +%include bro.pac + +analyzer GTPv1 withcontext { + connection: GTPv1_Conn; + flow: GTPv1_Flow; +}; + +%include gtpv1-protocol.pac +%include gtpv1-analyzer.pac diff --git a/src/input/readers/Ascii.cc b/src/input/readers/Ascii.cc index e33844244a..ab2c2721a0 100644 --- a/src/input/readers/Ascii.cc +++ b/src/input/readers/Ascii.cc @@ -68,7 +68,7 @@ Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend) unset_field.assign( (const char*) BifConst::InputAscii::unset_field->Bytes(), BifConst::InputAscii::unset_field->Len()); - io = new AsciiInputOutput(this, set_separator, unset_field, empty_field); + io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field, empty_field)); } Ascii::~Ascii() @@ -213,8 +213,6 @@ bool Ascii::GetLine(string& str) return false; } - - // read the entire file and send appropriate thingies back to InputMgr bool Ascii::DoUpdate() { 
@@ -325,7 +323,7 @@ bool Ascii::DoUpdate() return false; } - Value* val = io->EntryToVal(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype); + Value* val = io->StringToVal(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype); if ( val == 0 ) { Error(Fmt("Could not convert line '%s' to Val. Ignoring line.", line.c_str())); @@ -354,7 +352,7 @@ bool Ascii::DoUpdate() // array structure. for ( int i = 0; i < fpos; i++ ) - delete fields[fpos]; + delete fields[i]; delete [] fields; continue; diff --git a/src/input/readers/Ascii.h b/src/input/readers/Ascii.h index ed641087c7..52078bf3d6 100644 --- a/src/input/readers/Ascii.h +++ b/src/input/readers/Ascii.h @@ -7,7 +7,7 @@ #include #include "../ReaderBackend.h" -#include "../../AsciiInputOutput.h" +#include "../../threading/AsciiInputOutput.h" namespace input { namespace reader { diff --git a/src/input/readers/Benchmark.cc b/src/input/readers/Benchmark.cc index 4738c6e867..9851f61b70 100644 --- a/src/input/readers/Benchmark.cc +++ b/src/input/readers/Benchmark.cc @@ -26,7 +26,7 @@ Benchmark::Benchmark(ReaderFrontend *frontend) : ReaderBackend(frontend) timedspread = double(BifConst::InputBenchmark::timedspread); heartbeat_interval = double(BifConst::Threading::heartbeat_interval); - io = new AsciiInputOutput(this); + io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo()); } Benchmark::~Benchmark() diff --git a/src/input/readers/Benchmark.h b/src/input/readers/Benchmark.h index d259db463c..e83f446caa 100644 --- a/src/input/readers/Benchmark.h +++ b/src/input/readers/Benchmark.h @@ -4,7 +4,7 @@ #define INPUT_READERS_BENCHMARK_H #include "../ReaderBackend.h" -#include "../../AsciiInputOutput.h" +#include "../../threading/AsciiInputOutput.h" namespace input { namespace reader { diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc index 1403effe49..8ed8797f09 100644 --- a/src/logging/writers/Ascii.cc +++ b/src/logging/writers/Ascii.cc 
@@ -19,7 +19,7 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend) { fd = 0; ascii_done = false; - only_single_header_row = false; + tsv = false; output_to_stdout = BifConst::LogAscii::output_to_stdout; include_meta = BifConst::LogAscii::include_meta; @@ -52,7 +52,7 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend) desc.EnableEscaping(); desc.AddEscapeSequence(separator); - io = new AsciiInputOutput(this, set_separator, unset_field, empty_field); + io = new AsciiInputOutput(this, AsciiInputOutput::SeparatorInfo(set_separator, unset_field, empty_field)); } Ascii::~Ascii() @@ -78,7 +78,7 @@ void Ascii::CloseFile(double t) if ( ! fd ) return; - if ( include_meta && ! only_single_header_row ) + if ( include_meta && ! tsv ) WriteHeaderField("close", Timestamp(0)); safe_close(fd); @@ -108,17 +108,17 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * for ( WriterInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ ) { - if ( strcmp(i->first, "only_single_header_row") == 0 ) + if ( strcmp(i->first, "tsv") == 0 ) { if ( strcmp(i->second, "T") == 0 ) - only_single_header_row = true; + tsv = true; else if ( strcmp(i->second, "F") == 0 ) - only_single_header_row = false; + tsv = false; else { - Error("invalid value for 'only_single_header_row', must be boolean (T/F)"); + Error("invalid value for 'tsv', must be a string and either \"T\" or \"F\""); return false; } } @@ -141,9 +141,9 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * types += fields[i]->TypeName().c_str(); } - if ( only_single_header_row ) + if ( tsv ) { - // A single CSV-style line is all we need. + // A single TSV-style line is all we need. string str = names + "\n"; if ( ! safe_write(fd, str.c_str(), str.length()) ) goto write_error; diff --git a/src/logging/writers/Ascii.h b/src/logging/writers/Ascii.h index 3bd4c5dcf1..f85d240c95 100644 --- a/src/logging/writers/Ascii.h 
+++ b/src/logging/writers/Ascii.h @@ -6,7 +6,7 @@ #define LOGGING_WRITER_ASCII_H #include "../WriterBackend.h" -#include "../../AsciiInputOutput.h" +#include "../../threading/AsciiInputOutput.h" namespace logging { namespace writer { @@ -45,7 +45,7 @@ private: // Options set from the script-level. bool output_to_stdout; bool include_meta; - bool only_single_header_row; + bool tsv; string separator; string set_separator; diff --git a/src/logging/writers/ElasticSearch.cc b/src/logging/writers/ElasticSearch.cc index a5897e7272..e9f5ab456b 100644 --- a/src/logging/writers/ElasticSearch.cc +++ b/src/logging/writers/ElasticSearch.cc @@ -16,7 +16,7 @@ #include "BroString.h" #include "NetVar.h" #include "threading/SerialTypes.h" -#include "../../AsciiInputOutput.h" +#include "../../threading/AsciiInputOutput.h" #include #include diff --git a/src/parse.y b/src/parse.y index b4eee1a56c..090786647e 100644 --- a/src/parse.y +++ b/src/parse.y @@ -11,13 +11,13 @@ %token TOK_DOUBLE TOK_ELSE TOK_ENUM TOK_EVENT TOK_EXPORT TOK_FILE TOK_FOR %token TOK_FUNCTION TOK_GLOBAL TOK_HOOK TOK_ID TOK_IF TOK_INT %token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE -%token TOK_NEXT TOK_OF TOK_PATTERN TOK_PATTERN_TEXT +%token TOK_NEXT TOK_OF TOK_OPAQUE TOK_PATTERN TOK_PATTERN_TEXT %token TOK_PORT TOK_PRINT TOK_RECORD TOK_REDEF %token TOK_REMOVE_FROM TOK_RETURN TOK_SCHEDULE TOK_SET %token TOK_STRING TOK_SUBNET TOK_SWITCH TOK_TABLE %token TOK_TIME TOK_TIMEOUT TOK_TIMER TOK_TYPE TOK_UNION TOK_VECTOR TOK_WHEN -%token TOK_ATTR_ADD_FUNC TOK_ATTR_ATTR TOK_ATTR_ENCRYPT TOK_ATTR_DEFAULT +%token TOK_ATTR_ADD_FUNC TOK_ATTR_ENCRYPT TOK_ATTR_DEFAULT %token TOK_ATTR_OPTIONAL TOK_ATTR_REDEF TOK_ATTR_ROTATE_INTERVAL %token TOK_ATTR_ROTATE_SIZE TOK_ATTR_DEL_FUNC TOK_ATTR_EXPIRE_FUNC %token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE @@ -32,6 +32,7 @@ %token TOK_NO_TEST +%nonassoc TOK_HOOK %left ',' '|' %right '=' TOK_ADD_TO TOK_REMOVE_FROM %right '?' ':' 
@@ -56,7 +57,6 @@ %type pattern %type expr init anonymous_function %type event -%type hook %type stmt stmt_list func_body for_head %type type opt_type enum_body %type func_hdr func_params @@ -119,6 +119,7 @@ extern const char* g_curr_debug_error; #define YYLTYPE yyltype +static int in_hook = 0; int in_init = 0; int in_record = 0; bool resolving_global_ID = false; @@ -212,7 +213,6 @@ static std::list* concat_opt_docs (std::list* pre, Val* val; RE_Matcher* re; Expr* expr; - CallExpr* call_expr; EventExpr* event_expr; Stmt* stmt; ListExpr* list; @@ -418,6 +418,14 @@ expr: $$ = new IndexExpr($1, $3); } + | expr '[' expr ':' expr ']' + { + set_location(@1, @6); + ListExpr* le = new ListExpr($3); + le->Append($5); + $$ = new IndexExpr($1, le, true); + } + | expr '$' TOK_ID { set_location(@1, @3); @@ -517,7 +525,16 @@ expr: | expr '(' opt_expr_list ')' { set_location(@1, @4); - $$ = new CallExpr($1, $3); + $$ = new CallExpr($1, $3, in_hook > 0); + } + + | TOK_HOOK { ++in_hook; } expr + { + --in_hook; + set_location(@1, @3); + if ( $3->Tag() != EXPR_CALL ) + $3->Error("not a valid hook call expression"); + $$ = $3; } | expr TOK_HAS_FIELD TOK_ID @@ -875,7 +892,7 @@ type: | TOK_HOOK '(' formal_args ')' { set_location(@1, @3); - $$ = new FuncType($3, 0, FUNC_FLAVOR_HOOK); + $$ = new FuncType($3, base_type(TYPE_BOOL), FUNC_FLAVOR_HOOK); } | TOK_FILE TOK_OF type @@ -890,6 +907,12 @@ type: $$ = new FileType(base_type(TYPE_STRING)); } + | TOK_OPAQUE TOK_OF TOK_ID + { + set_location(@1, @3); + $$ = new OpaqueType($3); + } + | resolve_id { if ( ! $1 || ! ($$ = $1->AsType()) ) @@ -1209,6 +1232,8 @@ func_hdr: } | TOK_HOOK def_global_id func_params { + $3->ClearYieldType(FUNC_FLAVOR_HOOK); + $3->SetYieldType(base_type(TYPE_BOOL)); begin_func($2, current_module.c_str(), FUNC_FLAVOR_HOOK, 0, $3); $$ = $3; 
@@ -1372,14 +1397,6 @@ stmt: brofiler.AddStmt($$); } - | TOK_HOOK hook ';' opt_no_test - { - set_location(@1, @4); - $$ = new HookStmt($2); - if ( ! $4 ) - brofiler.AddStmt($$); - } - | TOK_IF '(' expr ')' stmt { set_location(@1, @4); @@ -1533,14 +1550,6 @@ event: } ; -hook: - expr '(' opt_expr_list ')' - { - set_location(@1, @4); - $$ = new CallExpr($1, $3, true); - } - ; - case_list: case_list case { $1->append($2); } diff --git a/src/patricia.c b/src/patricia.c index 1dbc795ab7..6998576fdb 100644 --- a/src/patricia.c +++ b/src/patricia.c @@ -2,7 +2,7 @@ * Dave Plonka * * This product includes software developed by the University of Michigan, - * Merit Network, Inc., and their contributors. + * Merit Network, Inc., and their contributors. * * This file had been called "radix.c" in the MRT sources. * 
@@ -12,28 +12,28 @@ */ /* From copyright.txt: - * + * * Copyright (c) 1997, 1998, 1999 - * - * + * + * * The Regents of the University of Michigan ("The Regents") and Merit Network, * Inc. All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: - * 1. Redistributions of source code must retain the above - * copyright notice, this list of conditions and the + * 1. Redistributions of source code must retain the above + * copyright notice, this list of conditions and the * following disclaimer. - * 2. Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the - * following disclaimer in the documentation and/or other + * 2. Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the + * following disclaimer in the documentation and/or other * materials provided with the distribution. - * 3. All advertising materials mentioning features or use of - * this software must display the following acknowledgement: + * 3. All advertising materials mentioning features or use of + * this software must display the following acknowledgement: * This product includes software developed by the University of Michigan, Merit - * Network, Inc., and their contributors. + * Network, Inc., and their contributors. * 4. Neither the name of the University, Merit Network, nor the - * names of their contributors may be used to endorse or - * promote products derived from this software without + * names of their contributors may be used to endorse or + * promote products derived from this software without * specific prior written permission. * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
@@ -44,7 +44,7 @@ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ static char copyright[] = @@ -66,6 +66,9 @@ static char copyright[] = #define Delete free +// From Bro for reporting memory exhaustion. +extern void out_of_memory(const char* where); + /* { from prefix.c */ /* prefix_tochar @@ -80,7 +83,7 @@ prefix_tochar (prefix_t * prefix) return ((u_char *) & prefix->add.sin); } -int +int comp_with_mask (void *addr, void *dest, u_int mask) { @@ -95,15 +98,15 @@ comp_with_mask (void *addr, void *dest, u_int mask) } /* inet_pton substitute implementation - * Uses inet_addr to convert an IP address in dotted decimal notation into + * Uses inet_addr to convert an IP address in dotted decimal notation into * unsigned long and copies the result to dst. - * Only supports AF_INET. Follows standard error return conventions of + * Only supports AF_INET. Follows standard error return conventions of * inet_pton. */ int local_inet_pton (int af, const char *src, void *dst) { - u_long result; + u_long result; if (af == AF_INET) { result = inet_addr(src); @@ -166,7 +169,7 @@ my_inet_pton (int af, const char *src, void *dst) } } -/* +/* * convert prefix information to ascii string with length * thread safe and (almost) re-entrant implementation */ @@ -251,6 +254,9 @@ New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix) default_bitlen = 128; if (prefix == NULL) { prefix = calloc(1, sizeof (prefix_t)); + if (prefix == NULL) + out_of_memory("patrica/new_prefix2: unable to allocate memory"); + dynamic_allocated++; } memcpy (&prefix->add.sin6, dest, 16); 
@@ -260,12 +266,16 @@ New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix) if (prefix == NULL) { #ifndef NT prefix = calloc(1, sizeof (prefix4_t)); + if (prefix == NULL) + out_of_memory("patrica/new_prefix2: unable to allocate memory"); #else //for some reason, compiler is getting //prefix4_t size incorrect on NT - prefix = calloc(1, sizeof (prefix_t)); + prefix = calloc(1, sizeof (prefix_t)); + if (prefix == NULL) + out_of_memory("patrica/new_prefix2: unable to allocate memory"); #endif /* NT */ - + dynamic_allocated++; } memcpy (&prefix->add.sin, dest, 4); @@ -368,7 +378,7 @@ Ref_Prefix (prefix_t * prefix) return (prefix); } -void +void Deref_Prefix (prefix_t * prefix) { if (prefix == NULL) @@ -396,6 +406,8 @@ patricia_tree_t * New_Patricia (int maxbits) { patricia_tree_t *patricia = calloc(1, sizeof *patricia); + if (patricia == NULL) + out_of_memory("patrica/new_patricia: unable to allocate memory"); patricia->maxbits = maxbits; patricia->head = NULL; @@ -503,10 +515,10 @@ patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix) if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) { #ifdef PATRICIA_DEBUG if (node->prefix) - fprintf (stderr, "patricia_search_exact: take right %s/%d\n", + fprintf (stderr, "patricia_search_exact: take right %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); else - fprintf (stderr, "patricia_search_exact: take right at %d\n", + fprintf (stderr, "patricia_search_exact: take right at %d\n", node->bit); #endif /* PATRICIA_DEBUG */ node = node->r; 
@@ -514,10 +526,10 @@ patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix) else { #ifdef PATRICIA_DEBUG if (node->prefix) - fprintf (stderr, "patricia_search_exact: take left %s/%d\n", + fprintf (stderr, "patricia_search_exact: take left %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); else - fprintf (stderr, "patricia_search_exact: take left at %d\n", + fprintf (stderr, "patricia_search_exact: take left at %d\n", node->bit); #endif /* PATRICIA_DEBUG */ node = node->l; @@ -529,7 +541,7 @@ patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix) #ifdef PATRICIA_DEBUG if (node->prefix) - fprintf (stderr, "patricia_search_exact: stop at %s/%d\n", + fprintf (stderr, "patricia_search_exact: stop at %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); else fprintf (stderr, "patricia_search_exact: stop at %d\n", node->bit); @@ -541,7 +553,7 @@ patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix) if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix), bitlen)) { #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_search_exact: found %s/%d\n", + fprintf (stderr, "patricia_search_exact: found %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); #endif /* PATRICIA_DEBUG */ return (node); @@ -575,7 +587,7 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv if (node->prefix) { #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_search_best: push %s/%d\n", + fprintf (stderr, "patricia_search_best: push %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); #endif /* PATRICIA_DEBUG */ stack[cnt++] = node; 
@@ -584,10 +596,10 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) { #ifdef PATRICIA_DEBUG if (node->prefix) - fprintf (stderr, "patricia_search_best: take right %s/%d\n", + fprintf (stderr, "patricia_search_best: take right %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); else - fprintf (stderr, "patricia_search_best: take right at %d\n", + fprintf (stderr, "patricia_search_best: take right at %d\n", node->bit); #endif /* PATRICIA_DEBUG */ node = node->r; @@ -595,10 +607,10 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv else { #ifdef PATRICIA_DEBUG if (node->prefix) - fprintf (stderr, "patricia_search_best: take left %s/%d\n", + fprintf (stderr, "patricia_search_best: take left %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); else - fprintf (stderr, "patricia_search_best: take left at %d\n", + fprintf (stderr, "patricia_search_best: take left at %d\n", node->bit); #endif /* PATRICIA_DEBUG */ node = node->l; @@ -615,7 +627,7 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv if (node == NULL) fprintf (stderr, "patricia_search_best: stop at null\n"); else if (node->prefix) - fprintf (stderr, "patricia_search_best: stop at %s/%d\n", + fprintf (stderr, "patricia_search_best: stop at %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); else fprintf (stderr, "patricia_search_best: stop at %d\n", node->bit); 
@@ -627,14 +639,14 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv while (--cnt >= 0) { node = stack[cnt]; #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_search_best: pop %s/%d\n", + fprintf (stderr, "patricia_search_best: pop %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); #endif /* PATRICIA_DEBUG */ - if (comp_with_mask (prefix_tochar (node->prefix), + if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix), node->prefix->bitlen)) { #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_search_best: found %s/%d\n", + fprintf (stderr, "patricia_search_best: found %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); #endif /* PATRICIA_DEBUG */ return (node); @@ -665,6 +677,9 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) if (patricia->head == NULL) { node = calloc(1, sizeof *node); + if (node == NULL) + out_of_memory("patrica/patrica_lookup: unable to allocate memory"); + node->bit = prefix->bitlen; node->prefix = Ref_Prefix (prefix); node->parent = NULL; @@ -672,7 +687,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) node->data = NULL; patricia->head = node; #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_lookup: new_node #0 %s/%d (head)\n", + fprintf (stderr, "patricia_lookup: new_node #0 %s/%d (head)\n", prefix_toa (prefix), prefix->bitlen); #endif /* PATRICIA_DEBUG */ patricia->num_active_node++; @@ -691,7 +706,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) break; #ifdef PATRICIA_DEBUG if (node->prefix) - fprintf (stderr, "patricia_lookup: take right %s/%d\n", + fprintf (stderr, "patricia_lookup: take right %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); else fprintf (stderr, "patricia_lookup: take right at %d\n", node->bit); 
@@ -703,7 +718,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) break; #ifdef PATRICIA_DEBUG if (node->prefix) - fprintf (stderr, "patricia_lookup: take left %s/%d\n", + fprintf (stderr, "patricia_lookup: take left %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); else fprintf (stderr, "patricia_lookup: take left at %d\n", node->bit); @@ -716,7 +731,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) assert (node->prefix); #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_lookup: stop at %s/%d\n", + fprintf (stderr, "patricia_lookup: stop at %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); #endif /* PATRICIA_DEBUG */ @@ -751,7 +766,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) parent = node->parent; #ifdef PATRICIA_DEBUG if (node->prefix) - fprintf (stderr, "patricia_lookup: up to %s/%d\n", + fprintf (stderr, "patricia_lookup: up to %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); else fprintf (stderr, "patricia_lookup: up to %d\n", node->bit); @@ -760,8 +775,8 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) if (differ_bit == bitlen && node->bit == bitlen) { if (node->prefix) { -#ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_lookup: found %s/%d\n", +#ifdef PATRICIA_DEBUG + fprintf (stderr, "patricia_lookup: found %s/%d\n", prefix_toa (node->prefix), node->prefix->bitlen); #endif /* PATRICIA_DEBUG */ return (node); @@ -776,6 +791,9 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) } new_node = calloc(1, sizeof *new_node); + if (new_node == NULL) + out_of_memory("patrica/patrica_lookup: unable to allocate memory"); + new_node->bit = prefix->bitlen; new_node->prefix = Ref_Prefix (prefix); new_node->parent = NULL; 
@@ -795,7 +813,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) node->l = new_node; } #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_lookup: new_node #2 %s/%d (child)\n", + fprintf (stderr, "patricia_lookup: new_node #2 %s/%d (child)\n", prefix_toa (prefix), prefix->bitlen); #endif /* PATRICIA_DEBUG */ return (new_node); @@ -822,12 +840,15 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) } node->parent = new_node; #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_lookup: new_node #3 %s/%d (parent)\n", + fprintf (stderr, "patricia_lookup: new_node #3 %s/%d (parent)\n", prefix_toa (prefix), prefix->bitlen); #endif /* PATRICIA_DEBUG */ } else { glue = calloc(1, sizeof *glue); + if (glue == NULL) + out_of_memory("patrica/patrica_lookup: unable to allocate memory"); + glue->bit = differ_bit; glue->prefix = NULL; glue->parent = node->parent; @@ -856,7 +877,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix) } node->parent = glue; #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_lookup: new_node #4 %s/%d (glue+node)\n", + fprintf (stderr, "patricia_lookup: new_node #4 %s/%d (glue+node)\n", prefix_toa (prefix), prefix->bitlen); #endif /* PATRICIA_DEBUG */ } @@ -874,13 +895,13 @@ patricia_remove (patricia_tree_t *patricia, patricia_node_t *node) if (node->r && node->l) { #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_remove: #0 %s/%d (r & l)\n", + fprintf (stderr, "patricia_remove: #0 %s/%d (r & l)\n", prefix_toa (node->prefix), node->prefix->bitlen); #endif /* PATRICIA_DEBUG */ - + /* this might be a placeholder node -- have to check and make sure * there is a prefix aossciated with it ! */ - if (node->prefix != NULL) + if (node->prefix != NULL) Deref_Prefix (node->prefix); node->prefix = NULL; /* Also I needed to clear data pointer -- masaki */ 
@@ -890,7 +911,7 @@ patricia_remove (patricia_tree_t *patricia, patricia_node_t *node) if (node->r == NULL && node->l == NULL) { #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_remove: #1 %s/%d (!r & !l)\n", + fprintf (stderr, "patricia_remove: #1 %s/%d (!r & !l)\n", prefix_toa (node->prefix), node->prefix->bitlen); #endif /* PATRICIA_DEBUG */ parent = node->parent; @@ -937,7 +958,7 @@ patricia_remove (patricia_tree_t *patricia, patricia_node_t *node) } #ifdef PATRICIA_DEBUG - fprintf (stderr, "patricia_remove: #2 %s/%d (r ^ l)\n", + fprintf (stderr, "patricia_remove: #2 %s/%d (r ^ l)\n", prefix_toa (node->prefix), node->prefix->bitlen); #endif /* PATRICIA_DEBUG */ if (node->r) { @@ -996,7 +1017,7 @@ try_search_exact (patricia_tree_t *tree, char *string) printf ("try_search_exact: not found\n"); } else { - printf ("try_search_exact: %s/%d found\n", + printf ("try_search_exact: %s/%d found\n", prefix_toa (node->prefix), node->prefix->bitlen); } Deref_Prefix (prefix); @@ -1023,7 +1044,7 @@ try_search_best (patricia_tree_t *tree, char *string) if ((node = patricia_search_best (tree, prefix)) == NULL) printf ("try_search_best: not found\n"); else - printf ("try_search_best: %s/%d found\n", + printf ("try_search_best: %s/%d found\n", prefix_toa (node->prefix), node->prefix->bitlen); Deref_Prefix (prefix); return 0; // [RS] What is supposed to be returned here? diff --git a/src/scan.l b/src/scan.l index 4e1a66144e..efcd273e36 100644 --- a/src/scan.l +++ b/src/scan.l @@ -298,6 +298,7 @@ local return TOK_LOCAL; module return TOK_MODULE; next return TOK_NEXT; of return TOK_OF; +opaque return TOK_OPAQUE; pattern return TOK_PATTERN; port return TOK_PORT; print return TOK_PRINT; @@ -319,7 +320,6 @@ vector return TOK_VECTOR; when return TOK_WHEN; &add_func return TOK_ATTR_ADD_FUNC; -&attr return TOK_ATTR_ATTR; &create_expire return TOK_ATTR_EXPIRE_CREATE; &default return TOK_ATTR_DEFAULT; &delete_func return TOK_ATTR_DEL_FUNC; 
diff --git a/src/AsciiInputOutput.cc b/src/threading/AsciiInputOutput.cc similarity index 81% rename from src/AsciiInputOutput.cc rename to src/threading/AsciiInputOutput.cc index 74cabecb1d..3d8e1fd169 100644 --- a/src/AsciiInputOutput.cc +++ b/src/threading/AsciiInputOutput.cc @@ -5,26 +5,25 @@ #include #include #include "AsciiInputOutput.h" -#include "bro_inet_ntop.h" +#include "../bro_inet_ntop.h" -AsciiInputOutput::AsciiInputOutput(threading::MsgThread* t) +AsciiInputOutput::AsciiInputOutput(threading::MsgThread* t, const SeparatorInfo info) { thread = t; + this->separators = info; } -AsciiInputOutput::AsciiInputOutput(threading::MsgThread* t, const string & set_separator, +AsciiInputOutput::SeparatorInfo::SeparatorInfo(const string & set_separator, const string & unset_field, const string & empty_field) { - thread = t; this->set_separator = set_separator; this->unset_field = unset_field; this->empty_field = empty_field; } -AsciiInputOutput::AsciiInputOutput(threading::MsgThread* t, const string & set_separator, +AsciiInputOutput::SeparatorInfo::SeparatorInfo(const string & set_separator, const string & unset_field) { - thread = t; this->set_separator = set_separator; this->unset_field = unset_field; } @@ -38,7 +37,7 @@ bool AsciiInputOutput::ValToODesc(ODesc* desc, threading::Value* val, const thre { if ( ! val->present ) { - desc->Add(unset_field); + desc->Add(separators.unset_field); return true; } @@ -94,11 +93,11 @@ bool AsciiInputOutput::ValToODesc(ODesc* desc, threading::Value* val, const thre if ( ! size ) { - desc->Add(empty_field); + desc->Add(separators.empty_field); break; } - if ( size == unset_field.size() && memcmp(data, unset_field.data(), size) == 0 ) + if ( size == separators.unset_field.size() && memcmp(data, separators.unset_field.data(), size) == 0 ) { // The value we'd write out would match exactly the // place-holder we use for unset optional fields. We 
@@ -124,24 +123,24 @@ bool AsciiInputOutput::ValToODesc(ODesc* desc, threading::Value* val, const thre { if ( ! val->val.set_val.size ) { - desc->Add(empty_field); + desc->Add(separators.empty_field); break; } - desc->AddEscapeSequence(set_separator); + desc->AddEscapeSequence(separators.set_separator); for ( int j = 0; j < val->val.set_val.size; j++ ) { if ( j > 0 ) - desc->AddRaw(set_separator); + desc->AddRaw(separators.set_separator); assert(field != 0); if ( ! ValToODesc(desc, val->val.set_val.vals[j], field) ) { - desc->RemoveEscapeSequence(set_separator); + desc->RemoveEscapeSequence(separators.set_separator); return false; } } - desc->RemoveEscapeSequence(set_separator); + desc->RemoveEscapeSequence(separators.set_separator); break; } @@ -150,24 +149,24 @@ bool AsciiInputOutput::ValToODesc(ODesc* desc, threading::Value* val, const thre { if ( ! val->val.vector_val.size ) { - desc->Add(empty_field); + desc->Add(separators.empty_field); break; } - desc->AddEscapeSequence(set_separator); + desc->AddEscapeSequence(separators.set_separator); for ( int j = 0; j < val->val.vector_val.size; j++ ) { if ( j > 0 ) - desc->AddRaw(set_separator); + desc->AddRaw(separators.set_separator); assert(field != 0); if ( ! ValToODesc(desc, val->val.vector_val.vals[j], field) ) { - desc->RemoveEscapeSequence(set_separator); + desc->RemoveEscapeSequence(separators.set_separator); return false; } } - desc->RemoveEscapeSequence(set_separator); + desc->RemoveEscapeSequence(separators.set_separator); break; } 
@@ -181,9 +180,9 @@ bool AsciiInputOutput::ValToODesc(ODesc* desc, threading::Value* val, const thre } -threading::Value* AsciiInputOutput::EntryToVal(string s, string name, TypeTag type, TypeTag subtype) const +threading::Value* AsciiInputOutput::StringToVal(string s, string name, TypeTag type, TypeTag subtype) const { - if ( s.compare(unset_field) == 0 ) // field is not set... + if ( s.compare(separators.unset_field) == 0 ) // field is not set... return new threading::Value(type, false); threading::Value* val = new threading::Value(type, true); @@ -207,14 +206,14 @@ threading::Value* AsciiInputOutput::EntryToVal(string s, string name, TypeTag ty { thread->Error(thread->Fmt("Field: %s Invalid value for boolean: %s", name.c_str(), s.c_str())); - return 0; + goto parse_error; } break; case TYPE_INT: val->val.int_val = strtoll(s.c_str(), &end, 10); if ( CheckNumberError(s, end) ) - return 0; + goto parse_error; break; case TYPE_DOUBLE: @@ -222,20 +221,20 @@ threading::Value* AsciiInputOutput::EntryToVal(string s, string name, TypeTag ty case TYPE_INTERVAL: val->val.double_val = strtod(s.c_str(), &end); if ( CheckNumberError(s, end) ) - return 0; + goto parse_error; break; case TYPE_COUNT: case TYPE_COUNTER: val->val.uint_val = strtoull(s.c_str(), &end, 10); if ( CheckNumberError(s, end) ) - return 0; + goto parse_error; break; case TYPE_PORT: val->val.port_val.port = strtoull(s.c_str(), &end, 10); if ( CheckNumberError(s, end) ) - return 0; + goto parse_error; val->val.port_val.proto = TRANSPORT_UNKNOWN; break; @@ -247,13 +246,13 @@ threading::Value* AsciiInputOutput::EntryToVal(string s, string name, TypeTag ty if ( pos == s.npos ) { thread->Error(thread->Fmt("Invalid value for subnet: %s", s.c_str())); - return 0; + goto parse_error; } uint8_t width = (uint8_t) strtol(s.substr(pos+1).c_str(), &end, 10); if ( CheckNumberError(s, end) ) - return 0; + goto parse_error; string addr = s.substr(0, pos); 
@@ -278,13 +277,14 @@ threading::Value* AsciiInputOutput::EntryToVal(string s, string name, TypeTag ty unsigned int length = 1; for ( unsigned int i = 0; i < s.size(); i++ ) { - if ( s[i] == set_separator[0] ) + if ( s[i] == separators.set_separator[0] ) length++; } unsigned int pos = 0; + bool error = false; - if ( empty_field.size() > 0 && s.compare(empty_field) == 0 ) + if ( separators.empty_field.size() > 0 && s.compare(separators.empty_field) == 0 ) length = 0; threading::Value** lvals = new threading::Value* [length]; @@ -312,21 +312,23 @@ threading::Value* AsciiInputOutput::EntryToVal(string s, string name, TypeTag ty { string element; - if ( ! getline(splitstream, element, set_separator[0]) ) + if ( ! getline(splitstream, element, separators.set_separator[0]) ) break; if ( pos >= length ) { thread->Error(thread->Fmt("Internal error while parsing set. pos %d >= length %d." " Element: %s", pos, length, element.c_str())); + error = true; break; } - threading::Value* newval = EntryToVal(element, name, subtype); + threading::Value* newval = StringToVal(element, name, subtype); if ( newval == 0 ) { - thread->Error("Error while reading set"); - return 0; + thread->Error("Error while reading set or vector"); + error = true; + break; } lvals[pos] = newval; 
@@ -337,22 +339,32 @@ threading::Value* AsciiInputOutput::EntryToVal(string s, string name, TypeTag ty // Test if the string ends with a set_separator... or if the // complete string is empty. In either of these cases we have // to push an empty val on top of it. - if ( s.empty() || *s.rbegin() == set_separator[0] ) + if ( ! error && (s.empty() || *s.rbegin() == separators.set_separator[0]) ) { - lvals[pos] = EntryToVal("", name, subtype); + lvals[pos] = StringToVal("", name, subtype); if ( lvals[pos] == 0 ) { thread->Error("Error while trying to add empty set element"); - return 0; + goto parse_error; } pos++; } + if ( error ) { + // We had an error while reading a set or a vector. + // Hence we have to clean up the values that have + // been read so far + for ( unsigned int i = 0; i < pos; i++ ) + delete lvals[i]; + + goto parse_error; + } + if ( pos != length ) { thread->Error(thread->Fmt("Internal error while parsing set: did not find all elements: %s", s.c_str())); - return 0; + goto parse_error; } break; @@ -361,10 +373,14 @@ threading::Value* AsciiInputOutput::EntryToVal(string s, string name, TypeTag ty default: thread->Error(thread->Fmt("unsupported field format %d for %s", type, name.c_str())); - return 0; + goto parse_error; } return val; + +parse_error: + delete val; + return 0; } bool AsciiInputOutput::CheckNumberError(const string& s, const char * end) const diff --git a/src/AsciiInputOutput.h b/src/threading/AsciiInputOutput.h similarity index 58% rename from src/AsciiInputOutput.h rename to src/threading/AsciiInputOutput.h index 16198eae54..a8c4493914 100644 --- a/src/AsciiInputOutput.h +++ b/src/threading/AsciiInputOutput.h 
@@ -3,34 +3,60 @@ #ifndef AsciiInputOutput_h #define AsciiInputOutput_h -#include "Desc.h" -#include "threading/MsgThread.h" +#include "../Desc.h" +#include "MsgThread.h" class AsciiInputOutput { public: - // Constructor that leaves separators, etc empty. - // Use if you just need functionality like StringToAddr, etc. - AsciiInputOutput(threading::MsgThread*); - // Constructor that defines all separators, etc. - // Use if you need either ValToODesc or EntryToVal. - AsciiInputOutput(threading::MsgThread*, const string & set_separator, + /** + * A struct to pass the necessary initialization values to the AsciiInputOutput module + * on startup + */ + struct SeparatorInfo + { + //const string separator; + string set_separator; + string empty_field; + string unset_field; + string meta_prefix; + + // Constructor that leaves separators, etc empty. + // Use if you just need functionality like StringToAddr, etc. + SeparatorInfo() { }; + + // Constructor that defines all separators, etc. + // Use if you need either ValToODesc or EntryToVal. + SeparatorInfo(const string & set_separator, const string & unset_field, const string & empty_field); - - // Constructor that defines all separators, etc, besides empty_field, which is not needed for many - // non-ascii-based io sources. - // Use if you need either ValToODesc or EntryToVal. - AsciiInputOutput(threading::MsgThread*, const string & set_separator, - const string & unset_field); - ~AsciiInputOutput(); + // Constructor that defines all separators, etc, besides empty_field, which is not needed for many + // non-ascii-based io sources. + // Use if you need either ValToODesc or EntryToVal. + SeparatorInfo(const string & set_separator, + const string & unset_field); + }; + + /** + * Constructor + * + * @param t The thread that uses this class instance. 
Used to access thread + * message passing methods + * + * @param info + * SeparatorInfo structure defining the necessary separators + */ + AsciiInputOutput(threading::MsgThread* t, const SeparatorInfo info); + + // Destructor + ~AsciiInputOutput(); // converts a threading value to the corresponding ascii representation // returns false & logs an error with reporter in case an error occurs bool ValToODesc(ODesc* desc, threading::Value* val, const threading::Field* field) const; // convert the ascii representation of a field into a Value - threading::Value* EntryToVal(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const; + threading::Value* StringToVal(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const; /** Helper method to render an IP address as a string. * @@ -75,11 +101,7 @@ class AsciiInputOutput { private: bool CheckNumberError(const string& s, const char * end) const; - string separator; - string set_separator; - string empty_field; - string unset_field; - string meta_prefix; + SeparatorInfo separators; threading::MsgThread* thread; }; diff --git a/src/types.bif b/src/types.bif index 61a28ac0d4..9843a6f73b 100644 --- a/src/types.bif +++ b/src/types.bif @@ -185,6 +185,7 @@ enum Type %{ AYIYA, TEREDO, SOCKS, + GTPv1, %} type EncapsulatingConn: record; diff --git a/src/util.cc b/src/util.cc index 80cd3a0685..c36ff6a31c 100644 --- a/src/util.cc +++ b/src/util.cc @@ -1416,7 +1416,7 @@ void safe_close(int fd) } } -void out_of_memory(const char* where) +extern "C" void out_of_memory(const char* where) { fprintf(stderr, "out of memory in %s.\n", where); diff --git a/src/util.h b/src/util.h index 71b9c494e8..7d65f42fa8 100644 --- a/src/util.h +++ b/src/util.h 
@@ -303,7 +303,7 @@ extern bool safe_write(int fd, const char* data, int len); // Wraps close(2) to emit error messages and abort on unrecoverable errors. extern void safe_close(int fd); -extern void out_of_memory(const char* where); +extern "C" void out_of_memory(const char* where); inline void* safe_realloc(void* ptr, size_t size) { diff --git a/testing/btest/Baseline/bifs.strptime/.stdout b/testing/btest/Baseline/bifs.strptime/.stdout deleted file mode 100644 index 179612d4c4..0000000000 --- a/testing/btest/Baseline/bifs.strptime/.stdout +++ /dev/null @@ -1,2 +0,0 @@ -1350604800.0 -0.0 diff --git a/testing/btest/Baseline/bifs.strptime/out b/testing/btest/Baseline/bifs.strptime/out new file mode 100644 index 0000000000..5fad7cd8e6 --- /dev/null +++ b/testing/btest/Baseline/bifs.strptime/out @@ -0,0 +1,3 @@ +warning: strptime conversion failed: fmt:%m d:1980-10-24 +1350604800.0 +0.0 diff --git a/testing/btest/Baseline/bifs.strptime/reporter.log b/testing/btest/Baseline/bifs.strptime/reporter.log deleted file mode 100644 index 367dbd63c1..0000000000 --- a/testing/btest/Baseline/bifs.strptime/reporter.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path reporter -#open 2012-10-19-06-06-36 -#fields ts level message location -#types time enum string string -0.000000 Reporter::WARNING strptime conversion failed: fmt:%m d:1980-10-24 (empty) -#close 2012-10-19-06-06-36 diff --git a/testing/btest/Baseline/bifs.to_port/out b/testing/btest/Baseline/bifs.to_port/out index 79796d605e..7744914c30 100644 --- a/testing/btest/Baseline/bifs.to_port/out +++ b/testing/btest/Baseline/bifs.to_port/out @@ -1,6 +1,9 @@ 123/tcp 123/udp 123/icmp +0/tcp +0/udp +0/icmp 0/unknown 256/tcp 256/udp diff --git a/testing/btest/Baseline/core.tcp.rst-after-syn/.stdout b/testing/btest/Baseline/core.tcp.rst-after-syn/.stdout new file mode 100644 index 0000000000..25ed566cd0 --- /dev/null 
+++ b/testing/btest/Baseline/core.tcp.rst-after-syn/.stdout @@ -0,0 +1,3 @@ +[orig_h=1.2.0.2, orig_p=2527/tcp, resp_h=1.2.0.3, resp_p=6649/tcp] +orig:, [size=175, state=1, num_pkts=4, num_bytes_ip=395, flow_label=0] +resp:, [size=0, state=6, num_pkts=5, num_bytes_ip=236, flow_label=0] diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log new file mode 100644 index 0000000000..e2861b4ae1 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-03-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.321642 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 tcp http 0.257902 1138 63424 S3 - 0 ShADadf 29 2310 49 65396 UWkUyAuUGXf,k6kgXLOoSKl +1333458850.325787 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - 0 D 49 67160 0 0 (empty) +1333458850.321642 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - 0 D 29 3354 0 0 (empty) +#close 2012-10-19-17-03-55 diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log new file mode 100644 index 0000000000..66b17e1200 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2012-10-19-17-03-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1333458850.340368 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - +1333458850.399501 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - +#close 2012-10-19-17-03-55 diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log new file mode 100644 index 0000000000..233ad1c850 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log 
@@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-03-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458850.321642 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.325787 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.579544 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.579544 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-03-55 diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log new file mode 100644 index 0000000000..1234558195 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-07-44 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458871.219794 UWkUyAuUGXf 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - 0 D 1 64 0 0 (empty) +#close 2012-10-19-17-07-44 diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log new file mode 100644 index 0000000000..a293d6ff6a --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2012-10-19-17-07-44 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1333458871.219794 UWkUyAuUGXf 10.131.24.6 2152 195.178.38.3 53 udp 27595 abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F +#close 2012-10-19-17-07-44 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log new file mode 100644 index 0000000000..326205172a --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-21-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458851.770000 arKYeMETxOg fe80::224c:4fff:fe43:414c 1234 ff02::1:3 5355 udp dns - - - S0 - 0 D 1 80 0 0 UWkUyAuUGXf +1333458851.770000 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - 0 D 2 208 0 0 (empty) +1333458851.969236 k6kgXLOoSKl fe80::224c:4fff:fe43:414c 133 ff02::2 134 icmp - - - - OTH - 0 - 1 56 0 0 UWkUyAuUGXf +#close 2012-10-19-17-21-27 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log new file mode 100644 index 0000000000..dfae2ba269 --- /dev/null 
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-21-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458851.770000 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458851.969236 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-21-27 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log new file mode 100644 index 0000000000..9c3e1f6f66 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log 
@@ -0,0 +1,26 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-34-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.037956 qCaWGmzFtM5 10.131.112.102 51403 94.245.121.253 3544 udp teredo - - - SHR - 0 d 0 0 1 84 GSxOnSLghOa +1333458850.040098 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - 0 D 2 248 0 0 (empty) +1333458850.016620 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 udp teredo - - - S0 - 0 D 1 80 0 0 k6kgXLOoSKl +1333458850.029781 FrJExwHcSal 172.24.16.67 52298 94.245.121.253 3544 udp teredo - - - S0 - 0 D 1 88 0 0 TEfuqmmG4bh +1333458850.035456 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - 0 D 2 250 0 0 (empty) +1333458850.016620 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - 0 Dd 1 116 1 120 (empty) +1333458850.029781 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - 0 D 2 248 0 0 (empty) +1333458850.035460 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 udp teredo - - - S0 - 0 D 1 89 0 0 VW0XPVINV8a +1333458850.037956 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - 0 D 1 120 0 0 (empty) +1333458850.014199 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - 0 D 1 124 0 0 (empty) +1333458850.040098 h5DsfNtYzi1 172.24.203.81 54447 65.55.158.118 3544 udp teredo 0.003698 120 0 S0 - 0 D 2 176 0 0 70MGiRM1Qf4 +1333458850.029783 5OKnoww6xl4 172.24.16.67 52298 65.55.158.118 3544 udp teredo - - - S0 - 0 D 1 88 0 0 TEfuqmmG4bh +1333458850.032887 3PKsZ2Uye21 10.131.42.160 62069 94.245.121.253 3544 udp teredo - - 
- SHR - 0 d 0 0 1 84 k6kgXLOoSKl +1333458850.014199 arKYeMETxOg 172.24.204.200 56528 65.55.158.118 3544 udp teredo - - - S0 - 0 D 1 88 0 0 UWkUyAuUGXf +1333458850.035456 fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 udp teredo - - - S0 - 0 D 1 89 0 0 VW0XPVINV8a +1333458850.016620 j4u32Pc5bif 2001:0:5ef5:79fb:38b8:1695:2b37:be8e 128 2002:2571:c817::2571:c817 129 icmp - - - - OTH - 0 - 1 52 0 0 nQcgTWjvg4c +1333458850.035456 qSsw6ESzHV4 fe80::ffff:ffff:fffe 133 ff02::2 134 icmp - 0.000004 0 0 OTH - 0 - 2 96 0 0 fRFu0wcOle6,iE6yhOq3SF +#close 2012-10-19-17-34-25 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log new file mode 100644 index 0000000000..904fcc7db6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log 
@@ -0,0 +1,27 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-34-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458850.014199 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.016620 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.016620 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 Tunnel::TEREDO Tunnel::DISCOVER +1333458850.029781 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.035456 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.035456 fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 Tunnel::TEREDO Tunnel::DISCOVER +1333458850.035460 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 Tunnel::TEREDO Tunnel::DISCOVER +1333458850.037956 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.040098 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.043796 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 Tunnel::TEREDO Tunnel::CLOSE +1333458850.043796 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 Tunnel::TEREDO Tunnel::CLOSE +1333458850.043796 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 
fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 Tunnel::TEREDO Tunnel::CLOSE +#close 2012-10-19-17-34-25 diff --git a/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out new file mode 100644 index 0000000000..a299c4d592 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out @@ -0,0 +1 @@ +protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...] diff --git a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log new file mode 100644 index 0000000000..ad6e4fb2c4 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-46-48 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.532814 UWkUyAuUGXf 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - 0 D 1 52 0 0 (empty) +1333458850.867091 arKYeMETxOg 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - 0 Dd 1 40 1 42 (empty) +#close 2012-10-19-17-46-48 diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log new file mode 100644 index 0000000000..9f250903f2 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-19-16 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458852.011535 arKYeMETxOg 10.222.10.10 44960 173.194.69.188 5228 tcp ssl 0.573499 704 1026 S1 - 0 ShADad 17 1604 14 1762 UWkUyAuUGXf +1333458852.011535 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - 0 Dd 17 2216 14 2322 (empty) +#close 2012-10-19-17-19-16 diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/out b/testing/btest/Baseline/core.tunnels.gtp.opt_header/out new file mode 100644 index 0000000000..7feeb2a110 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/out 
@@ -0,0 +1,31 @@ +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=64, teid=159098, seq=0, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=170, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=1, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=194, teid=159098, seq=2, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=111, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=3, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=89, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=4, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=93, teid=159098, seq=5, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, 
teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=457, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=6, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=7, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=137, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=8, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=9, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=10, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=11, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=205, teid=159098, seq=12, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=13, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, 
msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log new file mode 100644 index 0000000000..a421f399ec --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-19-16 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458852.011535 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458852.585034 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-19-16 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log new file mode 100644 index 0000000000..b5f61564cf --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-16-44-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.364667 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - 0 ShADadfF 27 3204 41 52594 UWkUyAuUGXf +1333458850.364667 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - 0 Dd 27 4176 41 54070 (empty) +#close 2012-10-19-16-44-02 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log new file mode 100644 index 0000000000..8a994d56af --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2012-10-19-16-44-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1333458850.375568 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com /videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 0 56320 206 Partial Content - - - (empty) - - - application/octet-stream - - +#close 2012-10-19-16-44-02 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log new file mode 100644 index 0000000000..54c4acd0d6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-16-44-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458850.364667 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.434480 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-16-44-02 diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log new file mode 100644 index 0000000000..221fa16f4f --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dpd +#open 2012-10-19-17-38-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason +#types time string addr port addr port enum string string +1333458853.075889 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [E\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eVP\x10\x10\xe0u\xcf\x00\x00...] +#close 2012-10-19-17-38-54 diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log new file mode 100644 index 0000000000..659090a581 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-38-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458853.034734 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458853.108391 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-38-54 diff --git a/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stderr b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stderr new file mode 100644 index 0000000000..256600445d --- /dev/null +++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stderr @@ -0,0 +1,5 @@ +1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 32: field value missing [p$ip] +1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 53: field value missing [p$ip] +1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 43: field value missing [p$ip] +1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 16: field value missing [p$ip] +1355264617.053514 received termination signal diff --git a/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout new file mode 100644 index 0000000000..49eafc365f --- /dev/null +++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout 
@@ -0,0 +1,8 @@ +timeout g(), F +timeout g(), T +timeout +g() done, no exception, T +localhost resolved +localhost resolved from f(), T +localhost resolved from f(), F +f() done, no exception, T diff --git a/testing/btest/Baseline/istate.opaque/expected.log b/testing/btest/Baseline/istate.opaque/expected.log new file mode 100644 index 0000000000..1386a47db1 --- /dev/null +++ b/testing/btest/Baseline/istate.opaque/expected.log @@ -0,0 +1,4 @@ +acbd18db4cc2f85cedef654fccc4a4d8 +0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33 +2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae +[entropy=0.918296, chi_square=423.666667, mean=108.0, monte_carlo_pi=nan, serial_correlation=-0.5] diff --git a/testing/btest/Baseline/istate.opaque/output.log b/testing/btest/Baseline/istate.opaque/output.log new file mode 100644 index 0000000000..1386a47db1 --- /dev/null +++ b/testing/btest/Baseline/istate.opaque/output.log @@ -0,0 +1,4 @@ +acbd18db4cc2f85cedef654fccc4a4d8 +0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33 +2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae +[entropy=0.918296, chi_square=423.666667, mean=108.0, monte_carlo_pi=nan, serial_correlation=-0.5] diff --git a/testing/btest/Baseline/istate.sync/receiver.vars.log b/testing/btest/Baseline/istate.sync/receiver.vars.log index b28cfbd5c9..192876bd3e 100644 --- a/testing/btest/Baseline/istate.sync/receiver.vars.log +++ b/testing/btest/Baseline/istate.sync/receiver.vars.log @@ -31,3 +31,4 @@ file "test2" of string 6667/tcp [2, 20, 3, 4] [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=] +122112 diff --git a/testing/btest/Baseline/istate.sync/sender.vars.log b/testing/btest/Baseline/istate.sync/sender.vars.log index b28cfbd5c9..192876bd3e 100644 --- a/testing/btest/Baseline/istate.sync/sender.vars.log +++ b/testing/btest/Baseline/istate.sync/sender.vars.log 
@@ -31,3 +31,4 @@ file "test2" of string 6667/tcp [2, 20, 3, 4] [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=] +122112 diff --git a/testing/btest/Baseline/language.const/invalid.stderr b/testing/btest/Baseline/language.const/invalid.stderr new file mode 100644 index 0000000000..b08c472708 --- /dev/null +++ b/testing/btest/Baseline/language.const/invalid.stderr @@ -0,0 +1,13 @@ +error in ./invalid.bro, line 15: const is not a modifiable lvalue (foo) +error in ./invalid.bro, line 16: const is not a modifiable lvalue (foo) +error in ./invalid.bro, line 17: const is not a modifiable lvalue (bar) +error in ./invalid.bro, line 17: const is not a modifiable lvalue (foo) +error in ./invalid.bro, line 18: const is not a modifiable lvalue (foo) +error in ./invalid.bro, line 19: const is not a modifiable lvalue (foo) +error in ./invalid.bro, line 20: const is not a modifiable lvalue (foo) +error in ./invalid.bro, line 22: const is not a modifiable lvalue (foo) +error in ./invalid.bro, line 25: const is not a modifiable lvalue (bar) +error in ./invalid.bro, line 26: const is not a modifiable lvalue (baz) +error in ./invalid.bro, line 27: const is not a modifiable lvalue (bar) +error in ./invalid.bro, line 28: const is not a modifiable lvalue (baz) +error in ./invalid.bro, line 33: const is not a modifiable lvalue (foo) diff --git a/testing/btest/Baseline/language.const/invalid.stdout b/testing/btest/Baseline/language.const/invalid.stdout new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/Baseline/language.const/valid.stderr b/testing/btest/Baseline/language.const/valid.stderr new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/Baseline/language.const/valid.stdout b/testing/btest/Baseline/language.const/valid.stdout new file mode 100644 index 0000000000..5e3a76f060 --- /dev/null +++ b/testing/btest/Baseline/language.const/valid.stdout 
@@ -0,0 +1,10 @@ +40 +enter f, 10 +exit f, 110 +enter f, 9 +exit f, 109 +enter f, 7 +exit f, 107 +foo, 10 +bar, 9 +baz, 7 diff --git a/testing/btest/Baseline/language.hook/out b/testing/btest/Baseline/language.hook/out index 10688acc3b..d4f367f875 100644 --- a/testing/btest/Baseline/language.hook/out +++ b/testing/btest/Baseline/language.hook/out @@ -1,7 +1,19 @@ myhook, &priority=10, [a=1156, b=hello world] +myhook return F +myhook return T myhook, &priority=5, [a=37, b=goobye world] +F +T myhook3, 8 +T myhook4, 2 myhook4, 1 +T +myhook4, 2 +myhook4, 1 +myhook4 all handlers ran myhook, &priority=10, [a=2, b=it works] +myhook return F +myhook return T myhook, &priority=5, [a=37, b=goobye world] +F diff --git a/testing/btest/Baseline/language.hook_calls/invalid.out b/testing/btest/Baseline/language.hook_calls/invalid.out new file mode 100644 index 0000000000..3412c1900e --- /dev/null +++ b/testing/btest/Baseline/language.hook_calls/invalid.out @@ -0,0 +1,10 @@ +error in ./invalid.bro, line 9: hook cannot be called directly, use hook operator (myhook) +warning in ./invalid.bro, line 9: expression value ignored (myhook(3)) +error in ./invalid.bro, line 10: hook cannot be called directly, use hook operator (myhook) +error in ./invalid.bro, line 11: hook cannot be called directly, use hook operator (myhook) +error in ./invalid.bro, line 12: not a valid hook call expression (2 + 2) +warning in ./invalid.bro, line 12: expression value ignored (2 + 2) +error in ./invalid.bro, line 13: not a valid hook call expression (2 + 2) +error in ./invalid.bro, line 15: hook cannot be called directly, use hook operator (h) +warning in ./invalid.bro, line 15: expression value ignored (h(3)) +error in ./invalid.bro, line 16: hook cannot be called directly, use hook operator (h) diff --git a/testing/btest/Baseline/language.hook_calls/valid.out b/testing/btest/Baseline/language.hook_calls/valid.out new file mode 100644 index 0000000000..c711115315 --- /dev/null 
+++ b/testing/btest/Baseline/language.hook_calls/valid.out @@ -0,0 +1,42 @@ +myhook(), 3 +other myhook(), 3 +myhook(), 3 +other myhook(), 3 +T +myhook(), 0 +F +----------- +indirect() +myhook(), 3 +other myhook(), 3 +indirect() +myhook(), 3 +other myhook(), 3 +T +----------- +really_indirect() +indirect() +myhook(), 3 +other myhook(), 3 +really_indirect() +indirect() +myhook(), 3 +other myhook(), 3 +T +----------- +myhook(), 3 +other myhook(), 3 +myhook(), 3 +other myhook(), 3 +T +myhook(), 3 +other myhook(), 3 +yes +myhook(), 0 +double yes +----------- +myhook(), 3 +other myhook(), 3 +myhook(), 3 +other myhook(), 3 +T diff --git a/testing/btest/Baseline/language.invalid_hook/out b/testing/btest/Baseline/language.invalid_hook/out deleted file mode 100644 index 167d62ccc8..0000000000 --- a/testing/btest/Baseline/language.invalid_hook/out +++ /dev/null @@ -1 +0,0 @@ -error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_hook/invalid_hook.bro, line 15: hook called in expression, use hook statement instead (myhook(nope)) diff --git a/testing/btest/Baseline/language.invalid_index/out b/testing/btest/Baseline/language.invalid_index/out new file mode 100644 index 0000000000..9110a8979d --- /dev/null +++ b/testing/btest/Baseline/language.invalid_index/out @@ -0,0 +1,7 @@ +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 8: no such index (foo[1]) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 9: no such index (foo[2]) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 12: no such index (foo2[1]) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 13: no such index (foo2[2]) +foo[0], 42 +foo2[0], 13 +done 
diff --git a/testing/btest/Baseline/language.record-bad-ctor/out b/testing/btest/Baseline/language.record-bad-ctor/out new file mode 100644 index 0000000000..2b890419ae --- /dev/null +++ b/testing/btest/Baseline/language.record-bad-ctor/out @@ -0,0 +1,3 @@ +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 6: no type given (asdfasdf) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: uninitialized list value ($ports=asdfasdf) +error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: bad record initializer ([$ports=asdfasdf]) diff --git a/testing/btest/Baseline/language.string-indexing/out b/testing/btest/Baseline/language.string-indexing/out new file mode 100644 index 0000000000..3359187d4c --- /dev/null +++ b/testing/btest/Baseline/language.string-indexing/out @@ -0,0 +1,13 @@ +1 +12 +123456 +0123456789 +8 +789 +9 +9 +9 + + +2 +1 diff --git a/testing/btest/Baseline/language.switch-statement/out b/testing/btest/Baseline/language.switch-statement/out new file mode 100644 index 0000000000..19f86f493a --- /dev/null +++ b/testing/btest/Baseline/language.switch-statement/out @@ -0,0 +1 @@ +done diff --git a/testing/btest/Baseline/language.table-init-attrs/output b/testing/btest/Baseline/language.table-init-attrs/output new file mode 100644 index 0000000000..55df002ed0 --- /dev/null +++ b/testing/btest/Baseline/language.table-init-attrs/output 
@@ -0,0 +1,91 @@ +my_set_ctor_init +{ +test2, +test3, +test4, +test1 +} + +my_table_ctor_init +{ +[2] = test2, +[1] = test1, +[3] = test3 +} +nope + +my_set_init +{ +test2, +test3, +test4, +test1 +} + +my_table_init +{ +[2] = test2, +[4] = test4, +[1] = test1, +[3] = test3 +} +nope + +inception +{ +[0] = { +[13] = bar +} +} +{ +[13] = bar +} +bar +forty-two +{ + +} +we need to go deeper +{ +[0] = { +[13] = bar +} +} +{ +[13] = bar +} +bar +forty-two +{ + +} +we need to go deeper + +local table t1 +{ +[1] = foo +} +foo +nope + +local table t2 +{ +[1] = foo +} +foo +nope + +local table t3 +{ + +} +nope +nope + +local table t4 +{ + +} +nope +nope + diff --git a/testing/btest/Baseline/language.table-init-container-ctors/output b/testing/btest/Baseline/language.table-init-container-ctors/output new file mode 100644 index 0000000000..27774a660a --- /dev/null +++ b/testing/btest/Baseline/language.table-init-container-ctors/output @@ -0,0 +1,50 @@ +table of set +{ +[13] = { +[bar, 2] , +[foo, 1] +}, +[5] = { +[bah, 3] , +[baz, 4] +} +} + +table of vector +{ +[13] = [1, 2], +[5] = [3, 4] +} + +table of table +{ +[13] = { +[bar, 2] = 2, +[foo, 1] = 1 +}, +[5] = { +[bah, 3] = 3, +[baz, 4] = 4 +} +} + +table of record +{ +[13] = [a=1, b=foo], +[5] = [a=2, b=bar] +} + +T +T +T +T +T +T +T +T +T +T +T +T +T +T diff --git a/testing/btest/Baseline/language.type-type-error/.stderr b/testing/btest/Baseline/language.type-type-error/.stderr new file mode 100644 index 0000000000..95cb065ece --- /dev/null +++ b/testing/btest/Baseline/language.type-type-error/.stderr @@ -0,0 +1 @@ +error in /home/jsiwek/bro/testing/btest/.tmp/language.type-type-error/type-type-error.bro, line 13: not a record (r$a) diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline b/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline index 3ef51e40f2..54005fb4b8 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline @@ -1,8 +1,8 @@ -error: ../input.log/Input::READER_ASCII: Number '12129223372036854775800' out of supported range. -error: ../input.log/Input::READER_ASCII: Could not convert line '12129223372036854775800 121218446744073709551612' to Val. Ignoring line. -warning: ../input.log/Input::READER_ASCII: Number '9223372036854775801TEXTHERE' contained non-numeric trailing characters. Ignored trailing characters 'TEXTHERE' -warning: ../input.log/Input::READER_ASCII: Number '1Justtext' contained non-numeric trailing characters. Ignored trailing characters 'Justtext' -error: ../input.log/Input::READER_ASCII: String 'Justtext' contained no parseable number -error: ../input.log/Input::READER_ASCII: Could not convert line 'Justtext 1' to Val. Ignoring line. -received termination signal +1355266097.683599 error: ../input.log/Input::READER_ASCII: Number '12129223372036854775800' out of supported range. +1355266097.683599 error: ../input.log/Input::READER_ASCII: Could not convert line '12129223372036854775800 121218446744073709551612' to Val. Ignoring line. +1355266097.683599 warning: ../input.log/Input::READER_ASCII: Number '9223372036854775801TEXTHERE' contained non-numeric trailing characters. Ignored trailing characters 'TEXTHERE' +1355266097.683599 warning: ../input.log/Input::READER_ASCII: Number '1Justtext' contained non-numeric trailing characters. Ignored trailing characters 'Justtext' +1355266097.683599 error: ../input.log/Input::READER_ASCII: String 'Justtext' contained no parseable number +1355266097.683599 error: ../input.log/Input::READER_ASCII: Could not convert line 'Justtext 1' to Val. Ignoring line. +1355266097.683599 received termination signal 
>>> diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline new file mode 100644 index 0000000000..f0545daeae --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline @@ -0,0 +1,4 @@ +1355265853.593476 error: ../input.log/Input::READER_ASCII: String 'l' contained no parseable number +1355265853.593476 error: ../input.log/Input::READER_ASCII: Could not convert line ' l' to Val. Ignoring line. +1355265853.593476 received termination signal +>>> diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out new file mode 100644 index 0000000000..4950b6f590 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out @@ -0,0 +1,3 @@ +{ +[] = [c=5] +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr index 4380007b93..e61280cdfc 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr 
@@ -1,5 +1,5 @@ -error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat -error: does-not-exist.dat/Input::READER_ASCII: Init failed -warning: Stream input is already queued for removal. Ignoring remove. -error: does-not-exist.dat/Input::READER_ASCII: terminating thread -received termination signal +1355265996.626106 error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat +1355265996.626106 error: does-not-exist.dat/Input::READER_ASCII: Init failed +1355265996.626106 warning: Stream input is already queued for removal. Ignoring remove. +1355265996.626106 error: does-not-exist.dat/Input::READER_ASCII: terminating thread +1355265996.626106 received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-csv/ssh-filtered.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-tsv/ssh-filtered.log similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.logging.ascii-csv/ssh-filtered.log rename to testing/btest/Baseline/scripts.base.frameworks.logging.ascii-tsv/ssh-filtered.log diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt index c4ac546ab6..5d95fdc0c0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt 
@@ -56,20 +56,20 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes 1300475167096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 73 0 0 1300475167097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 0 0 S0 F 0 D 1 199 0 0 1300475167099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp 0 0 0 S0 F 0 D 1 179 0 0 -1300475168853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 435 0 89 SHR F 0 Cd 0 0 1 117 -1300475168854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 420 0 99 SHR F 0 Cd 0 0 1 127 -1300475168854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 0 183 SHR F 0 Cd 0 0 1 211 -1300475168857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 317 0 89 SHR F 0 Cd 0 0 1 117 -1300475168858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 343 0 99 SHR F 0 Cd 0 0 1 127 -1300475168858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 375 0 183 SHR F 0 Cd 0 0 1 211 -1300475168891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 339 0 89 SHR F 0 Cd 0 0 1 117 -1300475168892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 334 0 99 SHR F 0 Cd 0 0 1 127 -1300475168892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 420 0 183 SHR F 0 Cd 0 0 1 211 -1300475168893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 384 0 89 SHR F 0 Cd 0 0 1 117 -1300475168894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 316 0 99 SHR F 0 Cd 0 0 1 127 -1300475168894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 422 0 183 SHR F 0 Cd 0 0 1 211 -1300475168901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 402 0 131 SHR F 0 Cd 0 0 1 159 -1300475168902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 374 0 198 SHR F 0 Cd 0 0 1 226 +1300475168853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 435 38 89 SF F 0 Dd 1 66 1 117 +1300475168854378 
FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 420 52 99 SF F 0 Dd 1 80 1 127 +1300475168854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 38 183 SF F 0 Dd 1 66 1 211 +1300475168857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 317 38 89 SF F 0 Dd 1 66 1 117 +1300475168858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 343 52 99 SF F 0 Dd 1 80 1 127 +1300475168858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 375 38 183 SF F 0 Dd 1 66 1 211 +1300475168891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 339 38 89 SF F 0 Dd 1 66 1 117 +1300475168892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 334 52 99 SF F 0 Dd 1 80 1 127 +1300475168892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 420 38 183 SF F 0 Dd 1 66 1 211 +1300475168893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 384 38 89 SF F 0 Dd 1 66 1 117 +1300475168894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 316 52 99 SF F 0 Dd 1 80 1 127 +1300475168894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 422 38 183 SF F 0 Dd 1 66 1 211 +1300475168901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 402 36 131 SF F 0 Dd 1 64 1 159 +1300475168902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 374 36 198 SF F 0 Dd 1 64 1 226 1300475169899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 85 0 0 1300475170862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2613016 350 0 S0 F 0 D 7 546 0 0 1300475171675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 100096 66 0 S0 F 0 D 2 162 0 0 
@@ -77,13 +77,13 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes 1300475173116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 99801 66 0 S0 F 0 D 2 162 0 0 1300475173117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 99848 66 0 S0 F 0 D 2 122 0 0 1300475173153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0 0 0 S0 F 0 D 1 78 0 0 -1300475168859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp 215893 1130 734 S1 F 1130 ShACad 4 216 4 950 -1300475168652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 61328 0 350 OTH F 0 CdA 1 52 1 402 -1300475168895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp 227283 1178 734 S1 F 1178 ShACad 4 216 4 950 -1300475168902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp 120040 534 412 S1 F 534 ShACad 3 164 3 576 -1300475168892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp 229603 1148 734 S1 F 1148 ShACad 4 216 4 950 -1300475168855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp 218501 1171 733 S1 F 1171 ShACad 4 216 4 949 -1300475168892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp 220960 1137 733 S1 F 1137 ShACad 4 216 4 949 +1300475168859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 215893 1130 734 S1 F 0 ShADad 6 1450 4 950 +1300475168652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 61328 463 350 OTH F 0 DdA 2 567 1 402 +1300475168895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 227283 1178 734 S1 F 0 ShADad 6 1498 4 950 +1300475168902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 120040 534 412 S1 F 0 ShADad 4 750 3 576 +1300475168892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 229603 1148 734 S1 F 0 ShADad 6 1468 4 950 +1300475168855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 218501 1171 733 S1 F 0 ShADad 6 1491 4 949 +1300475168892913 P654jzLoe3a 141.142.220.118 49999 
208.80.152.3 80 tcp http 220960 1137 733 S1 F 0 ShADad 6 1457 4 949 1300475169780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp 0 0 0 OTH F 0 h 0 0 1 48 -1300475168724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp 119904 525 232 S1 F 525 ShACad 3 164 3 396 -1300475168855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp 219720 1125 734 S1 F 1125 ShACad 4 216 4 950 +1300475168724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 119904 525 232 S1 F 0 ShADad 4 741 3 396 +1300475168855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 219720 1125 734 S1 F 0 ShADad 6 1445 4 950 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt index b74b9fd7e3..5af6f702b8 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt 
@@ -56,20 +56,20 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes 1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 73 0 0 1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0.000000 0 0 S0 F 0 D 1 199 0 0 1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp 0.000000 0 0 S0 F 0 D 1 179 0 0 -1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 0 89 SHR F 0 Cd 0 0 1 117 -1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 0 99 SHR F 0 Cd 0 0 1 127 -1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 0 183 SHR F 0 Cd 0 0 1 211 -1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 0 89 SHR F 0 Cd 0 0 1 117 -1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 0 99 SHR F 0 Cd 0 0 1 127 -1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 0 183 SHR F 0 Cd 0 0 1 211 -1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 0 89 SHR F 0 Cd 0 0 1 117 -1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 0 99 SHR F 0 Cd 0 0 1 127 -1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 0 183 SHR F 0 Cd 0 0 1 211 -1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 0 89 SHR F 0 Cd 0 0 1 117 -1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 0 99 SHR F 0 Cd 0 0 1 127 -1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 0 183 SHR F 0 Cd 0 0 1 211 -1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 0 131 SHR F 0 Cd 0 0 1 159 -1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 0 198 SHR F 0 Cd 0 0 1 226 +1300475168.853899 
TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF F 0 Dd 1 66 1 117 +1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF F 0 Dd 1 80 1 127 +1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF F 0 Dd 1 66 1 211 +1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF F 0 Dd 1 66 1 117 +1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF F 0 Dd 1 80 1 127 +1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF F 0 Dd 1 66 1 211 +1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF F 0 Dd 1 66 1 117 +1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF F 0 Dd 1 80 1 127 +1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF F 0 Dd 1 66 1 211 +1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF F 0 Dd 1 66 1 117 +1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF F 0 Dd 1 80 1 127 +1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF F 0 Dd 1 66 1 211 +1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF F 0 Dd 1 64 1 159 +1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF F 0 Dd 1 64 1 226 1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 85 0 0 1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 F 0 D 7 546 0 0 1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 F 0 D 2 162 0 0 
@@ -77,13 +77,13 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes 1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 F 0 D 2 162 0 0 1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 F 0 D 2 122 0 0 1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0.000000 0 0 S0 F 0 D 1 78 0 0 -1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp 0.215893 1130 734 S1 F 1130 ShACad 4 216 4 950 -1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 0.061329 0 350 OTH F 0 CdA 1 52 1 402 -1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp 0.227284 1178 734 S1 F 1178 ShACad 4 216 4 950 -1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp 0.120041 534 412 S1 F 534 ShACad 3 164 3 576 -1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp 0.229603 1148 734 S1 F 1148 ShACad 4 216 4 950 -1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp 0.218501 1171 733 S1 F 1171 ShACad 4 216 4 949 -1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp 0.220961 1137 733 S1 F 1137 ShACad 4 216 4 949 +1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 F 0 ShADad 6 1450 4 950 +1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 0.061329 463 350 OTH F 0 DdA 2 567 1 402 +1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 F 0 ShADad 6 1498 4 950 +1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 F 0 ShADad 4 750 3 576 +1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 F 0 ShADad 6 1468 4 950 +1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 F 0 ShADad 6 1491 4 949 
+1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 F 0 ShADad 6 1457 4 949 1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp 0.000000 0 0 OTH F 0 h 0 0 1 48 -1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp 0.119905 525 232 S1 F 525 ShACad 3 164 3 396 -1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp 0.219720 1125 734 S1 F 1125 ShACad 4 216 4 950 +1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 F 0 ShADad 4 741 3 396 +1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 F 0 ShADad 6 1445 4 950 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt index ae62fbec3d..756a49a427 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt 
@@ -65,17 +65,17 @@ # Extent, type='http' ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -1300475168.843894 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 0 0 0 304 Not Modified 0 -1300475168.975800 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475168.976327 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475168.979160 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.012666 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.012730 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.014860 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.022665 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 0 0 0 304 Not Modified 0 -1300475169.036294 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.036798 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.039923 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.074793 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.074938 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.075065 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org 
/wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.918358 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.952307 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.952296 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.954820 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.962687 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) 
Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.975934 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.976436 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475168.979264 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 +1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) 
Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log new file mode 100644 index 0000000000..ac84e5ae7a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log 
@@ -0,0 +1,58 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2012-12-07-04-43-19 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html - - +1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html - - +1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html - - +1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - 
text/html - - +1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad 
Request - - - (empty) - - - text/html - - +1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - +1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - 
text/html - - +1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - +1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - +1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - +1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328924.559704 E490YZTUozc 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - +1354328928.625437 YIeWJmXWNWj 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - +1354328932.692706 ydiZblvsYri 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - - 0 0 400 Bad Request - - - (empty) - - - - - - +1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +#close 2012-12-07-04-43-19 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log new file mode 100644 index 0000000000..8b963f00cf --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log 
@@ -0,0 +1,58 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2012-12-07-04-43-19 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1354328874.278822 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F bro +1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328874.321792 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F bro +1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328882.908690 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F bro +1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328882.949510 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F bro +1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328887.094494 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F bro +1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.141058 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F bro +1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.183942 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request - F bro +1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.226199 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F bro +1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.267625 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request - F bro +1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.309065 70MGiRM1Qf4 
128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro +1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro +1354328895.396634 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F bro +1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328895.438812 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F bro +1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro +1354328903.614145 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F bro +1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328903.656369 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F bro +1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328911.832856 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F bro +1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328911.876341 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F bro +1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328920.052085 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F bro +1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328920.094072 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F bro +1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328924.266693 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F bro +1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328924.308714 rrZWoMUQpv8 
128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F bro +1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328924.476011 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F bro +1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328924.518204 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F bro +1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328932.734579 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F bro +1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328932.776609 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F bro +1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 unmatched_HTTP_reply - F bro +#close 2012-12-07-04-43-19 diff --git a/testing/btest/Traces/http-methods.trace b/testing/btest/Traces/http-methods.trace new file mode 100644 index 0000000000..323e6ee06a Binary files /dev/null and b/testing/btest/Traces/http-methods.trace differ diff --git a/testing/btest/Traces/tcp/rst-inject-rae.trace b/testing/btest/Traces/tcp/rst-inject-rae.trace new file mode 100644 index 0000000000..7225cc0d35 Binary files /dev/null and b/testing/btest/Traces/tcp/rst-inject-rae.trace differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap b/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap new file mode 100755 index 0000000000..575edf55f9 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap b/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap new file mode 100755 index 0000000000..7ca3b3b05d Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap differ 
diff --git a/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap b/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap new file mode 100755 index 0000000000..fda97cdaf5 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap b/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap new file mode 100755 index 0000000000..e623fd7912 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap b/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap new file mode 100755 index 0000000000..ca67a37046 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap b/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap new file mode 100755 index 0000000000..7dd3905c5d Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap b/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap new file mode 100755 index 0000000000..4f358bc374 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap b/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap new file mode 100755 index 0000000000..fff0b2ddfb Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap b/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap new file mode 100755 index 0000000000..a39026aeff Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap differ 
diff --git a/testing/btest/Traces/wikipedia.trace b/testing/btest/Traces/wikipedia.trace index 68d85e0190..9e21966243 100644 Binary files a/testing/btest/Traces/wikipedia.trace and b/testing/btest/Traces/wikipedia.trace differ diff --git a/testing/btest/bifs/addr_count_conversion.bro b/testing/btest/bifs/addr_count_conversion.bro index 360994a8e5..fb87a0c6a3 100644 --- a/testing/btest/bifs/addr_count_conversion.bro +++ b/testing/btest/bifs/addr_count_conversion.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output global v: index_vec; diff --git a/testing/btest/bifs/addr_to_ptr_name.bro b/testing/btest/bifs/addr_to_ptr_name.bro index b9c831d061..ac2391cf9b 100644 --- a/testing/btest/bifs/addr_to_ptr_name.bro +++ b/testing/btest/bifs/addr_to_ptr_name.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output print addr_to_ptr_name([2607:f8b0:4009:802::1012]); diff --git a/testing/btest/bifs/addr_version.bro b/testing/btest/bifs/addr_version.bro index 3e0123ef42..bf96c0d1f3 100644 --- a/testing/btest/bifs/addr_version.bro +++ b/testing/btest/bifs/addr_version.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out print is_v4_addr(1.2.3.4); diff --git a/testing/btest/bifs/all_set.bro b/testing/btest/bifs/all_set.bro index 31544eb31e..67ae36622b 100644 --- a/testing/btest/bifs/all_set.bro +++ b/testing/btest/bifs/all_set.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/analyzer_name.bro b/testing/btest/bifs/analyzer_name.bro index 034344f5c4..9297d2ca27 100644 --- a/testing/btest/bifs/analyzer_name.bro +++ b/testing/btest/bifs/analyzer_name.bro 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/any_set.bro b/testing/btest/bifs/any_set.bro index 5fe046cdf4..9f3f364556 100644 --- a/testing/btest/bifs/any_set.bro +++ b/testing/btest/bifs/any_set.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/bro_version.bro b/testing/btest/bifs/bro_version.bro index 7465cbc0f5..35975559a5 100644 --- a/testing/btest/bifs/bro_version.bro +++ b/testing/btest/bifs/bro_version.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT event bro_init() { diff --git a/testing/btest/bifs/byte_len.bro b/testing/btest/bifs/byte_len.bro index 25191fd173..bd15b0c390 100644 --- a/testing/btest/bifs/byte_len.bro +++ b/testing/btest/bifs/byte_len.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/bytestring_to_double.bro b/testing/btest/bifs/bytestring_to_double.bro index cc0a3a69f0..78820b207c 100644 --- a/testing/btest/bifs/bytestring_to_double.bro +++ b/testing/btest/bifs/bytestring_to_double.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/bytestring_to_hexstr.bro b/testing/btest/bifs/bytestring_to_hexstr.bro index 976a4ccf71..4087047f40 100644 --- a/testing/btest/bifs/bytestring_to_hexstr.bro +++ b/testing/btest/bifs/bytestring_to_hexstr.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/capture_state_updates.bro b/testing/btest/bifs/capture_state_updates.bro index 3abfdffdc1..6a44e0f86f 100644 --- a/testing/btest/bifs/capture_state_updates.bro 
+++ b/testing/btest/bifs/capture_state_updates.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: test -f testfile diff --git a/testing/btest/bifs/cat.bro b/testing/btest/bifs/cat.bro index b85b3af550..e923d5d066 100644 --- a/testing/btest/bifs/cat.bro +++ b/testing/btest/bifs/cat.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/cat_string_array.bro b/testing/btest/bifs/cat_string_array.bro index d2c2242411..e799f4b282 100644 --- a/testing/btest/bifs/cat_string_array.bro +++ b/testing/btest/bifs/cat_string_array.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/checkpoint_state.bro b/testing/btest/bifs/checkpoint_state.bro index 2a66bd1729..7a46516ba0 100644 --- a/testing/btest/bifs/checkpoint_state.bro +++ b/testing/btest/bifs/checkpoint_state.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: test -f .state/state.bst event bro_init() diff --git a/testing/btest/bifs/clear_table.bro b/testing/btest/bifs/clear_table.bro index 94779285af..9485eba1f5 100644 --- a/testing/btest/bifs/clear_table.bro +++ b/testing/btest/bifs/clear_table.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT > out +# @TEST-EXEC: bro -b %INPUT > out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/convert_for_pattern.bro b/testing/btest/bifs/convert_for_pattern.bro index 11533cd49b..b99b010f97 100644 --- a/testing/btest/bifs/convert_for_pattern.bro +++ b/testing/btest/bifs/convert_for_pattern.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() 
diff --git a/testing/btest/bifs/count_to_addr.bro b/testing/btest/bifs/count_to_addr.bro index ffb2d975bf..993a701bc8 100644 --- a/testing/btest/bifs/count_to_addr.bro +++ b/testing/btest/bifs/count_to_addr.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/create_file.bro b/testing/btest/bifs/create_file.bro index 8f3d6cfdcd..af2cfb4979 100644 --- a/testing/btest/bifs/create_file.bro +++ b/testing/btest/bifs/create_file.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff testfile # @TEST-EXEC: btest-diff testfile2 diff --git a/testing/btest/bifs/current_analyzer.bro b/testing/btest/bifs/current_analyzer.bro index 45b495c046..e221d7aed0 100644 --- a/testing/btest/bifs/current_analyzer.bro +++ b/testing/btest/bifs/current_analyzer.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT event bro_init() { diff --git a/testing/btest/bifs/current_time.bro b/testing/btest/bifs/current_time.bro index 5d16df396d..9d4899aa06 100644 --- a/testing/btest/bifs/current_time.bro +++ b/testing/btest/bifs/current_time.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT event bro_init() { diff --git a/testing/btest/bifs/edit.bro b/testing/btest/bifs/edit.bro index c9a73d17f1..346c0bdbf7 100644 --- a/testing/btest/bifs/edit.bro +++ b/testing/btest/bifs/edit.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/enable_raw_output.test b/testing/btest/bifs/enable_raw_output.test index 92e0037a04..ebaff36c8f 100644 --- a/testing/btest/bifs/enable_raw_output.test +++ b/testing/btest/bifs/enable_raw_output.test 
@@ -1,7 +1,7 @@ # Files which enable raw output via the BiF shouldn't interpret NUL characters # in strings that are `print`ed to it. -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: tr '\000' 'X' output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cmp myfile hookfile diff --git a/testing/btest/bifs/entropy_test.bro b/testing/btest/bifs/entropy_test.bro index ca01c79ed7..2a2dd422d1 100644 --- a/testing/btest/bifs/entropy_test.bro +++ b/testing/btest/bifs/entropy_test.bro @@ -1,24 +1,18 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() { local a = "dh3Hie02uh^s#Sdf9L3frd243h$d78r2G4cM6*Q05d(7rh46f!0|4-f"; - if ( entropy_test_init(1) != T ) + local handle = entropy_test_init(); + if ( ! entropy_test_add(handle, a) ) exit(1); - - if ( entropy_test_add(1, a) != T ) - exit(1); - - print entropy_test_finish(1); + print entropy_test_finish(handle); local b = "0011000aaabbbbcccc000011111000000000aaaabbbbcccc0000000"; - if ( entropy_test_init(2) != T ) + handle = entropy_test_init(); + if ( ! entropy_test_add(handle, b) ) exit(1); - - if ( entropy_test_add(2, b) != T ) - exit(1); - - print entropy_test_finish(2); + print entropy_test_finish(handle); } diff --git a/testing/btest/bifs/escape_string.bro b/testing/btest/bifs/escape_string.bro index 92b7b535d8..fd796497be 100644 --- a/testing/btest/bifs/escape_string.bro +++ b/testing/btest/bifs/escape_string.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/exit.bro b/testing/btest/bifs/exit.bro index e551144caa..b942a5e81c 100644 --- a/testing/btest/bifs/exit.bro +++ b/testing/btest/bifs/exit.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out || test $? -eq 7 +# @TEST-EXEC: bro -b %INPUT >out || test $? -eq 7 # @TEST-EXEC: btest-diff out event bro_init() 
diff --git a/testing/btest/bifs/file_mode.bro b/testing/btest/bifs/file_mode.bro index c63a2fa188..62bee05c6c 100644 --- a/testing/btest/bifs/file_mode.bro +++ b/testing/btest/bifs/file_mode.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/find_all.bro b/testing/btest/bifs/find_all.bro index edf3530c8a..4fe451a9d4 100644 --- a/testing/btest/bifs/find_all.bro +++ b/testing/btest/bifs/find_all.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/find_entropy.bro b/testing/btest/bifs/find_entropy.bro index 24f1c0ed84..2eb24fe118 100644 --- a/testing/btest/bifs/find_entropy.bro +++ b/testing/btest/bifs/find_entropy.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/find_last.bro b/testing/btest/bifs/find_last.bro index b1a567f73a..00ae2a874d 100644 --- a/testing/btest/bifs/find_last.bro +++ b/testing/btest/bifs/find_last.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/fmt.bro b/testing/btest/bifs/fmt.bro index 53b5f2235d..93607c2740 100644 --- a/testing/btest/bifs/fmt.bro +++ b/testing/btest/bifs/fmt.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out type color: enum { Red, Blue }; diff --git a/testing/btest/bifs/fmt_ftp_port.bro b/testing/btest/bifs/fmt_ftp_port.bro index 09ec5369e2..6a7b4d20c7 100644 --- a/testing/btest/bifs/fmt_ftp_port.bro +++ b/testing/btest/bifs/fmt_ftp_port.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() 
diff --git a/testing/btest/bifs/get_matcher_stats.bro b/testing/btest/bifs/get_matcher_stats.bro index baee49fe1e..eeaa8cb86a 100644 --- a/testing/btest/bifs/get_matcher_stats.bro +++ b/testing/btest/bifs/get_matcher_stats.bro @@ -1,5 +1,14 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b -s mysig %INPUT + +@TEST-START-FILE mysig.sig +signature my_ftp_client { + ip-proto == tcp + payload /(|.*[\n\r]) *[uU][sS][eE][rR] / + tcp-state originator + event "matched my_ftp_client" +} +@TEST-END-FILE event bro_init() { diff --git a/testing/btest/bifs/get_port_transport_proto.bro b/testing/btest/bifs/get_port_transport_proto.bro index c9b5e626ec..ae3c496d88 100644 --- a/testing/btest/bifs/get_port_transport_proto.bro +++ b/testing/btest/bifs/get_port_transport_proto.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/gethostname.bro b/testing/btest/bifs/gethostname.bro index 97af719745..1d760525cb 100644 --- a/testing/btest/bifs/gethostname.bro +++ b/testing/btest/bifs/gethostname.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT event bro_init() { diff --git a/testing/btest/bifs/getpid.bro b/testing/btest/bifs/getpid.bro index 98edc19a44..1852b1287e 100644 --- a/testing/btest/bifs/getpid.bro +++ b/testing/btest/bifs/getpid.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT event bro_init() { diff --git a/testing/btest/bifs/getsetenv.bro b/testing/btest/bifs/getsetenv.bro index b4ee9a0931..d217a14ea9 100644 --- a/testing/btest/bifs/getsetenv.bro +++ b/testing/btest/bifs/getsetenv.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: TESTBRO=testvalue bro %INPUT >out +# @TEST-EXEC: TESTBRO=testvalue bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/global_ids.bro b/testing/btest/bifs/global_ids.bro index 65f8944ed4..2dcb6e844d 100644 --- a/testing/btest/bifs/global_ids.bro 
+++ b/testing/btest/bifs/global_ids.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/global_sizes.bro b/testing/btest/bifs/global_sizes.bro index 4862db318b..4b0805172c 100644 --- a/testing/btest/bifs/global_sizes.bro +++ b/testing/btest/bifs/global_sizes.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/hexdump.bro b/testing/btest/bifs/hexdump.bro index 4c248efb77..1c86ce0db8 100644 --- a/testing/btest/bifs/hexdump.bro +++ b/testing/btest/bifs/hexdump.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/identify_data.bro b/testing/btest/bifs/identify_data.bro index 39f289d40b..68cac55c61 100644 --- a/testing/btest/bifs/identify_data.bro +++ b/testing/btest/bifs/identify_data.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT | sed 's/PNG image data/PNG image/g' >out +# @TEST-EXEC: bro -b %INPUT | sed 's/PNG image data/PNG image/g' >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/is_ascii.bro b/testing/btest/bifs/is_ascii.bro index 4d1daf96b4..fa2d39d2d8 100644 --- a/testing/btest/bifs/is_ascii.bro +++ b/testing/btest/bifs/is_ascii.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/is_local_interface.bro b/testing/btest/bifs/is_local_interface.bro index 8befdca385..ac21b04bd3 100644 --- a/testing/btest/bifs/is_local_interface.bro +++ b/testing/btest/bifs/is_local_interface.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() 
diff --git a/testing/btest/bifs/is_port.bro b/testing/btest/bifs/is_port.bro index fe2c3f7c35..2fe4964913 100644 --- a/testing/btest/bifs/is_port.bro +++ b/testing/btest/bifs/is_port.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/join_string.bro b/testing/btest/bifs/join_string.bro index 16222d6303..83917ef322 100644 --- a/testing/btest/bifs/join_string.bro +++ b/testing/btest/bifs/join_string.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/length.bro b/testing/btest/bifs/length.bro index 335223c124..ca82d7eab7 100644 --- a/testing/btest/bifs/length.bro +++ b/testing/btest/bifs/length.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT > out +# @TEST-EXEC: bro -b %INPUT > out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/lookup_ID.bro b/testing/btest/bifs/lookup_ID.bro index b8a29ef41f..e263c192da 100644 --- a/testing/btest/bifs/lookup_ID.bro +++ b/testing/btest/bifs/lookup_ID.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out global a = "bro test"; diff --git a/testing/btest/bifs/lowerupper.bro b/testing/btest/bifs/lowerupper.bro index fcfdcde319..77e6b1c9d1 100644 --- a/testing/btest/bifs/lowerupper.bro +++ b/testing/btest/bifs/lowerupper.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/mask_addr.bro b/testing/btest/bifs/mask_addr.bro index e1e3bccfb6..e69a55f590 100644 --- a/testing/btest/bifs/mask_addr.bro +++ b/testing/btest/bifs/mask_addr.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output const one_to_32: vector of count = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32}; diff --git a/testing/btest/bifs/math.bro b/testing/btest/bifs/math.bro index 90aed5b4e6..84ace8620c 100644 --- a/testing/btest/bifs/math.bro +++ b/testing/btest/bifs/math.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/md5.test b/testing/btest/bifs/md5.test index 5a9715edf1..b022302c59 100644 --- a/testing/btest/bifs/md5.test +++ b/testing/btest/bifs/md5.test @@ -4,16 +4,16 @@ print md5_hash("one"); print md5_hash("one", "two", "three"); -md5_hash_init("a"); -md5_hash_init("b"); +local a = md5_hash_init(); +local b = md5_hash_init(); -md5_hash_update("a", "one"); -md5_hash_update("b", "one"); -md5_hash_update("b", "two"); -md5_hash_update("b", "three"); +md5_hash_update(a, "one"); +md5_hash_update(b, "one"); +md5_hash_update(b, "two"); +md5_hash_update(b, "three"); -print md5_hash_finish("a"); -print md5_hash_finish("b"); +print md5_hash_finish(a); +print md5_hash_finish(b); print md5_hmac("one"); print md5_hmac("one", "two", "three"); diff --git a/testing/btest/bifs/merge_pattern.bro b/testing/btest/bifs/merge_pattern.bro index b447f9a15b..de4a3afd6a 100644 --- a/testing/btest/bifs/merge_pattern.bro +++ b/testing/btest/bifs/merge_pattern.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/netbios-functions.bro b/testing/btest/bifs/netbios-functions.bro index 1fd033dd59..9b075e8729 100644 --- a/testing/btest/bifs/netbios-functions.bro +++ b/testing/btest/bifs/netbios-functions.bro 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/order.bro b/testing/btest/bifs/order.bro index 333a8acac1..9e59caa827 100644 --- a/testing/btest/bifs/order.bro +++ b/testing/btest/bifs/order.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function myfunc1(a: addr, b: addr): int diff --git a/testing/btest/bifs/parse_ftp.bro b/testing/btest/bifs/parse_ftp.bro index ffdc941b4b..a8993fa6e0 100644 --- a/testing/btest/bifs/parse_ftp.bro +++ b/testing/btest/bifs/parse_ftp.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/piped_exec.bro b/testing/btest/bifs/piped_exec.bro index 3a76eba8f5..70f8d70523 100644 --- a/testing/btest/bifs/piped_exec.bro +++ b/testing/btest/bifs/piped_exec.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff test.txt diff --git a/testing/btest/bifs/ptr_name_to_addr.bro b/testing/btest/bifs/ptr_name_to_addr.bro index 89679ba57a..d1a7878e3d 100644 --- a/testing/btest/bifs/ptr_name_to_addr.bro +++ b/testing/btest/bifs/ptr_name_to_addr.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output global v6 = ptr_name_to_addr("2.1.0.1.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.9.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa"); diff --git a/testing/btest/bifs/raw_bytes_to_v4_addr.bro b/testing/btest/bifs/raw_bytes_to_v4_addr.bro index 754580a5b0..bd685216ef 100644 --- a/testing/btest/bifs/raw_bytes_to_v4_addr.bro +++ b/testing/btest/bifs/raw_bytes_to_v4_addr.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() 
diff --git a/testing/btest/bifs/reading_traces.bro b/testing/btest/bifs/reading_traces.bro index fc83c50ccb..46ad04c25f 100644 --- a/testing/btest/bifs/reading_traces.bro +++ b/testing/btest/bifs/reading_traces.bro @@ -1,5 +1,5 @@ -# @TEST-EXEC: bro %INPUT >out1 +# @TEST-EXEC: bro -b %INPUT >out1 # @TEST-EXEC: btest-diff out1 # @TEST-EXEC: bro -r $TRACES/web.trace %INPUT >out2 # @TEST-EXEC: btest-diff out2 diff --git a/testing/btest/bifs/record_type_to_vector.bro b/testing/btest/bifs/record_type_to_vector.bro index 18ddf35022..9795ce886b 100644 --- a/testing/btest/bifs/record_type_to_vector.bro +++ b/testing/btest/bifs/record_type_to_vector.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out type myrecord: record { diff --git a/testing/btest/bifs/records_fields.bro b/testing/btest/bifs/records_fields.bro index 4f8cc0538a..ccaf5a719d 100644 --- a/testing/btest/bifs/records_fields.bro +++ b/testing/btest/bifs/records_fields.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out type r: record { diff --git a/testing/btest/bifs/remask_addr.bro b/testing/btest/bifs/remask_addr.bro index d387667b6a..7b7e89c018 100644 --- a/testing/btest/bifs/remask_addr.bro +++ b/testing/btest/bifs/remask_addr.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output const one_to_32: vector of count = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32}; diff --git a/testing/btest/bifs/resize.bro b/testing/btest/bifs/resize.bro index 37e4ac38d9..f4067f31c7 100644 --- a/testing/btest/bifs/resize.bro +++ b/testing/btest/bifs/resize.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() 
diff --git a/testing/btest/bifs/resource_usage.bro b/testing/btest/bifs/resource_usage.bro index 35f5b020d6..5cf3f0f962 100644 --- a/testing/btest/bifs/resource_usage.bro +++ b/testing/btest/bifs/resource_usage.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT event bro_init() { diff --git a/testing/btest/bifs/rotate_file.bro b/testing/btest/bifs/rotate_file.bro index 7132b0aaa8..a6109ff677 100644 --- a/testing/btest/bifs/rotate_file.bro +++ b/testing/btest/bifs/rotate_file.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/rotate_file_by_name.bro b/testing/btest/bifs/rotate_file_by_name.bro index 952b09aff3..f647edefe2 100644 --- a/testing/btest/bifs/rotate_file_by_name.bro +++ b/testing/btest/bifs/rotate_file_by_name.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/same_object.bro b/testing/btest/bifs/same_object.bro index eee8b1621d..dddfd80d3d 100644 --- a/testing/btest/bifs/same_object.bro +++ b/testing/btest/bifs/same_object.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/sha1.test b/testing/btest/bifs/sha1.test index 85c8df99c5..7bbd8b002e 100644 --- a/testing/btest/bifs/sha1.test +++ b/testing/btest/bifs/sha1.test 
@@ -4,13 +4,13 @@ print sha1_hash("one"); print sha1_hash("one", "two", "three"); -sha1_hash_init("a"); -sha1_hash_init("b"); +local a = sha1_hash_init(); +local b = sha1_hash_init(); -sha1_hash_update("a", "one"); -sha1_hash_update("b", "one"); -sha1_hash_update("b", "two"); -sha1_hash_update("b", "three"); +sha1_hash_update(a, "one"); +sha1_hash_update(b, "one"); +sha1_hash_update(b, "two"); +sha1_hash_update(b, "three"); -print sha1_hash_finish("a"); -print sha1_hash_finish("b"); +print sha1_hash_finish(a); +print sha1_hash_finish(b); diff --git a/testing/btest/bifs/sha256.test b/testing/btest/bifs/sha256.test index 7451f2fad3..a1c17f7113 100644 --- a/testing/btest/bifs/sha256.test +++ b/testing/btest/bifs/sha256.test @@ -4,13 +4,13 @@ print sha256_hash("one"); print sha256_hash("one", "two", "three"); -sha256_hash_init("a"); -sha256_hash_init("b"); +local a = sha256_hash_init(); +local b = sha256_hash_init(); -sha256_hash_update("a", "one"); -sha256_hash_update("b", "one"); -sha256_hash_update("b", "two"); -sha256_hash_update("b", "three"); +sha256_hash_update(a, "one"); +sha256_hash_update(b, "one"); +sha256_hash_update(b, "two"); +sha256_hash_update(b, "three"); -print sha256_hash_finish("a"); -print sha256_hash_finish("b"); +print sha256_hash_finish(a); +print sha256_hash_finish(b); diff --git a/testing/btest/bifs/sort.bro b/testing/btest/bifs/sort.bro index 14aa286021..7b4ac9ba63 100644 --- a/testing/btest/bifs/sort.bro +++ b/testing/btest/bifs/sort.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function myfunc1(a: addr, b: addr): int diff --git a/testing/btest/bifs/sort_string_array.bro b/testing/btest/bifs/sort_string_array.bro index 23c4f55848..1916f93d0c 100644 --- a/testing/btest/bifs/sort_string_array.bro +++ b/testing/btest/bifs/sort_string_array.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() 
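Review bot: in testing/btest/bifs/sha1.test (and the identical change in sha256.test) the converted test only walks the happy path of init, update, finish, while the handles `a` and `b` stay in scope after `sha1_hash_finish(a)`. Now that the hash state lives in a value the script holds, add a case that calls sha1_hash_update or sha1_hash_finish on an already finished handle and pins the result in the baseline. The return value of sha1_hash_update is also dropped here, whereas istate/opaque.bro in this same patch branches on it.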
diff --git a/testing/btest/bifs/split.bro b/testing/btest/bifs/split.bro index fc1b5e96a0..4fd994ce41 100644 --- a/testing/btest/bifs/split.bro +++ b/testing/btest/bifs/split.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/str_shell_escape.bro b/testing/btest/bifs/str_shell_escape.bro index a71cb4dcf6..e631458bc1 100644 --- a/testing/btest/bifs/str_shell_escape.bro +++ b/testing/btest/bifs/str_shell_escape.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/strcmp.bro b/testing/btest/bifs/strcmp.bro index af46c7fa96..92d0430f1d 100644 --- a/testing/btest/bifs/strcmp.bro +++ b/testing/btest/bifs/strcmp.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/strftime.bro b/testing/btest/bifs/strftime.bro index 31f9538632..3d9e388c90 100644 --- a/testing/btest/bifs/strftime.bro +++ b/testing/btest/bifs/strftime.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/string_fill.bro b/testing/btest/bifs/string_fill.bro index c47f1916cc..0968215cc0 100644 --- a/testing/btest/bifs/string_fill.bro +++ b/testing/btest/bifs/string_fill.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/string_to_pattern.bro b/testing/btest/bifs/string_to_pattern.bro index 5164c4576f..4bd04bbcea 100644 --- a/testing/btest/bifs/string_to_pattern.bro +++ b/testing/btest/bifs/string_to_pattern.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() 
diff --git a/testing/btest/bifs/strip.bro b/testing/btest/bifs/strip.bro index de6601b83c..e508f20e3d 100644 --- a/testing/btest/bifs/strip.bro +++ b/testing/btest/bifs/strip.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/strptime.bro b/testing/btest/bifs/strptime.bro index 7a58989679..215299b300 100644 --- a/testing/btest/bifs/strptime.bro +++ b/testing/btest/bifs/strptime.bro @@ -1,10 +1,9 @@ # -# @TEST-EXEC: bro %INPUT -# @TEST-EXEC: btest-diff .stdout -# @TEST-EXEC: btest-diff reporter.log +# @TEST-EXEC: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: btest-diff out event bro_init() { print strptime("%Y-%m-%d", "2012-10-19"); print strptime("%m", "1980-10-24"); - } \ No newline at end of file + } diff --git a/testing/btest/bifs/strstr.bro b/testing/btest/bifs/strstr.bro index 58f79d593b..40cd8aa5fd 100644 --- a/testing/btest/bifs/strstr.bro +++ b/testing/btest/bifs/strstr.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/sub.bro b/testing/btest/bifs/sub.bro index f6a956f26a..773530ac74 100644 --- a/testing/btest/bifs/sub.bro +++ b/testing/btest/bifs/sub.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/subst_string.bro b/testing/btest/bifs/subst_string.bro index 81a3f89424..6ebed72321 100644 --- a/testing/btest/bifs/subst_string.bro +++ b/testing/btest/bifs/subst_string.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/system.bro b/testing/btest/bifs/system.bro index ab2642319c..bd27fc3db5 100644 --- a/testing/btest/bifs/system.bro +++ b/testing/btest/bifs/system.bro 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/system_env.bro b/testing/btest/bifs/system_env.bro index 23928e9b10..cfe4e7dd2a 100644 --- a/testing/btest/bifs/system_env.bro +++ b/testing/btest/bifs/system_env.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff testfile event bro_init() diff --git a/testing/btest/bifs/to_count.bro b/testing/btest/bifs/to_count.bro index c1fe72ce52..33754117d4 100644 --- a/testing/btest/bifs/to_count.bro +++ b/testing/btest/bifs/to_count.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/to_double.bro b/testing/btest/bifs/to_double.bro index f13d34f69a..b6fb9917a7 100644 --- a/testing/btest/bifs/to_double.bro +++ b/testing/btest/bifs/to_double.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/to_int.bro b/testing/btest/bifs/to_int.bro index 9d108a9da7..0562209cd0 100644 --- a/testing/btest/bifs/to_int.bro +++ b/testing/btest/bifs/to_int.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/to_interval.bro b/testing/btest/bifs/to_interval.bro index 8fded315d2..71d73fed62 100644 --- a/testing/btest/bifs/to_interval.bro +++ b/testing/btest/bifs/to_interval.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/to_port.bro b/testing/btest/bifs/to_port.bro index 382bf5d333..b2289b8a21 100644 --- a/testing/btest/bifs/to_port.bro +++ b/testing/btest/bifs/to_port.bro 
@@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() @@ -7,6 +7,9 @@ event bro_init() print to_port("123/tcp"); print to_port("123/udp"); print to_port("123/icmp"); + print to_port("0/tcp"); + print to_port("0/udp"); + print to_port("0/icmp"); print to_port("not a port"); local a: transport_proto = tcp; diff --git a/testing/btest/bifs/to_time.bro b/testing/btest/bifs/to_time.bro index 97b109e647..d5a81b0934 100644 --- a/testing/btest/bifs/to_time.bro +++ b/testing/btest/bifs/to_time.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/type_name.bro b/testing/btest/bifs/type_name.bro index 3ec13fb27d..f331fe6aa9 100644 --- a/testing/btest/bifs/type_name.bro +++ b/testing/btest/bifs/type_name.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out type color: enum { Red, Blue }; diff --git a/testing/btest/bifs/unique_id-rnd.bro b/testing/btest/bifs/unique_id-rnd.bro index 4188725373..02be9fcb92 100644 --- a/testing/btest/bifs/unique_id-rnd.bro +++ b/testing/btest/bifs/unique_id-rnd.bro @@ -1,6 +1,6 @@ # -# @TEST-EXEC: BRO_SEED_FILE= bro %INPUT >out -# @TEST-EXEC: BRO_SEED_FILE= bro %INPUT >>out +# @TEST-EXEC: BRO_SEED_FILE= bro -b %INPUT >out +# @TEST-EXEC: BRO_SEED_FILE= bro -b %INPUT >>out # @TEST-EXEC: cat out | sort | uniq | wc -l | sed 's/ //g' >count # @TEST-EXEC: btest-diff count diff --git a/testing/btest/bifs/unique_id.bro b/testing/btest/bifs/unique_id.bro index 097f5d490d..d87c757f3f 100644 --- a/testing/btest/bifs/unique_id.bro +++ b/testing/btest/bifs/unique_id.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out print unique_id("A-"); 
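Review bot: in testing/btest/bifs/strptime.bro the new `bro -b %INPUT >out 2>&1` folds stderr into the same baseline as the print output and drops the separate `btest-diff reporter.log` check. The baseline now depends on how the two streams interleave, and any path or timestamp in the error text for the mismatched `strptime("%m", "1980-10-24")` call lands in `out` uncanonified. Either keep stdout and stderr in separate files, or run the diff through a canonifier as core/when-interpreter-exceptions.bro does with diff-remove-abspath and diff-remove-timestamps.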
diff --git a/testing/btest/bifs/uuid_to_string.bro b/testing/btest/bifs/uuid_to_string.bro index a64e81d783..dc84f349fa 100644 --- a/testing/btest/bifs/uuid_to_string.bro +++ b/testing/btest/bifs/uuid_to_string.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out event bro_init() diff --git a/testing/btest/bifs/val_size.bro b/testing/btest/bifs/val_size.bro index 5b2e535c5c..57b512b776 100644 --- a/testing/btest/bifs/val_size.bro +++ b/testing/btest/bifs/val_size.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT event bro_init() { diff --git a/testing/btest/core/discarder.bro b/testing/btest/core/discarder.bro index 0c87eece18..9e8f5e7a2f 100644 --- a/testing/btest/core/discarder.bro +++ b/testing/btest/core/discarder.bro @@ -1,7 +1,7 @@ -# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-ip.bro >output -# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output -# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output -# @TEST-EXEC: bro -C -r $TRACES/icmp/icmp-destunreach-udp.pcap discarder-icmp.bro >>output +# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-ip.bro >output +# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output +# @TEST-EXEC: bro -b -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output +# @TEST-EXEC: bro -b -C -r $TRACES/icmp/icmp-destunreach-udp.pcap discarder-icmp.bro >>output # @TEST-EXEC: btest-diff output @TEST-START-FILE discarder-ip.bro diff --git a/testing/btest/core/ipv6_esp.test b/testing/btest/core/ipv6_esp.test index 8744df0036..508a4597f2 100644 --- a/testing/btest/core/ipv6_esp.test +++ b/testing/btest/core/ipv6_esp.test @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/ip6_esp.trace %INPUT >output +# @TEST-EXEC: bro -b -r $TRACES/ip6_esp.trace %INPUT >output # @TEST-EXEC: btest-diff output # Just check that the event is raised correctly for a packet containing 
diff --git a/testing/btest/core/ipv6_zero_len_ah.test b/testing/btest/core/ipv6_zero_len_ah.test index dc3acf8443..014ba7b3cc 100644 --- a/testing/btest/core/ipv6_zero_len_ah.test +++ b/testing/btest/core/ipv6_zero_len_ah.test @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/ipv6_zero_len_ah.trace %INPUT >output +# @TEST-EXEC: bro -b -r $TRACES/ipv6_zero_len_ah.trace %INPUT >output # @TEST-EXEC: btest-diff output # Shouldn't crash, but we also won't have seq and data fields set of the ip6_ah diff --git a/testing/btest/core/leaks/gtp_opt_header.test b/testing/btest/core/leaks/gtp_opt_header.test new file mode 100644 index 0000000000..76c65d5762 --- /dev/null +++ b/testing/btest/core/leaks/gtp_opt_header.test @@ -0,0 +1,15 @@ +# Needs perftools support. +# +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# +# @TEST-GROUP: leaks +# +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out + +# Some GTPv1 headers have some optional fields totaling to a 4-byte extension +# of the mandatory header. + +event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr) + { + print "gtpv1_packet", inner_gtp; + } diff --git a/testing/btest/core/leaks/hook.bro b/testing/btest/core/leaks/hook.bro index eadb406e71..9234184317 100644 --- a/testing/btest/core/leaks/hook.bro +++ b/testing/btest/core/leaks/hook.bro 
@@ -39,7 +39,25 @@ hook myhook(r: rec) &priority=10 r$b = "goobye world"; # returning from the handler early, is fine, remaining handlers still run. return; - print "ERROR: break statement should return from hook handler body"; + print "ERROR: return statement should return from hook handler body"; + } + +hook myhook(r: rec) &priority=9 + { + print "myhook return F"; + # return value is ignored, remaining handlers still run, final return + # value is whether any hook body returned via break statement + return F; + print "ERROR: return statement should return from hook handler body"; + } + +hook myhook(r: rec) &priority=8 + { + print "myhook return T"; + # return value is ignored, remaining handlers still run, final return + # value is whether any hook body returned via break statement + return T; + print "ERROR: return statement should return from hook handler body"; } # hook function doesn't need a declaration, we can go straight to defining @@ -63,16 +81,20 @@ event new_connection(c: connection) { print "new_connection", c$id; - hook myhook([$a=1156, $b="hello world"]); + print hook myhook([$a=1156, $b="hello world"]); # A hook with no handlers is fine, it's just a no-op. - hook myhook2("nope"); + print hook myhook2("nope"); - hook myhook3(8); - hook myhook4(); + print hook myhook3(8); + print hook myhook4(); + if ( hook myhook4() ) + { + print "myhook4 all handlers ran"; + } # A hook can be treated like other data types and doesn't have to be # invoked directly by name. local h = myhook; - hook h([$a=2, $b="it works"]); + print hook h([$a=2, $b="it works"]); } diff --git a/testing/btest/core/leaks/string-indexing.bro b/testing/btest/core/leaks/string-indexing.bro new file mode 100644 index 0000000000..f9ea000ef9 --- /dev/null +++ b/testing/btest/core/leaks/string-indexing.bro 
@@ -0,0 +1,26 @@ +# Needs perftools support. +# +# @TEST-GROUP: leaks +# +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/wikipedia.trace %INPUT + + +event new_connection(c: connection) + { + local s = "0123456789"; + print s[1]; + print s[1:2]; + print s[1:6]; + print s[0:20]; + print s[-2]; + print s[-3:1]; + print s[-1:10]; + print s[-1:0]; + print s[-1:5]; + print s[20:23]; + print s[-20:23]; + print s[0:5][2]; + print s[0:5][1:3][0]; + } diff --git a/testing/btest/core/leaks/switch-statement.bro b/testing/btest/core/leaks/switch-statement.bro new file mode 100644 index 0000000000..24829006b5 --- /dev/null +++ b/testing/btest/core/leaks/switch-statement.bro 
@@ -0,0 +1,289 @@ +# Needs perftools support. +# +# @TEST-GROUP: leaks +# +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/wikipedia.trace %INPUT + +type MyEnum: enum { + RED, + GREEN, + BLUE, + PINK, +}; + +function switch_bool(v: bool): string + { + switch (v) { + case T: + return "true"; + case F: + return "false"; + } + return "n/a"; + } + +function switch_int(v: int): string + { + switch (v) { + case +1: + return "one"; + case +2: + return "two"; + case -3: + return "minus three"; + } + return "n/a"; + } + +function switch_enum(v: MyEnum): string + { + switch (v) { + case RED: + return "red"; + case GREEN: + return "green"; + case BLUE: + return "blue"; + } + return "n/a"; + } + +function switch_count(v: count): string + { + switch (v) { + case 1: + return "1"; + case 2: + return "2"; + case 3: + return "3"; + } + return "n/a"; + } + +function switch_port(v: port): string + { + switch (v) { + case 22/tcp: + return "ssh"; + case 53/udp: + return "dns"; + case 0/icmp: + return "echo"; + } + return "n/a"; + } + +function switch_double(v: double): string + { + switch (v) { + case 1.1: + return "1.1"; + case 2.2: + return "2.2"; + case 3.3: + return "3.3"; + } + return "n/a"; + } + +function switch_interval(v: interval): string + { + switch (v) { + case 1sec: + return "1sec"; + case 2day: + return "2day"; + case 3min: + return "3min"; + } + return "n/a"; + } + +function switch_string(v: string): string + { + switch (v) { + case "one": + return "first"; + case "two": + return "second"; + case "three": + return "third"; + } + return "n/a"; + } + +function switch_addr(v: addr): string + { + switch (v) { + case 1.2.3.4: + return "ipv4"; + case [fe80::1]: + return "ipv6"; + case 0.0.0.0: + return "unspec"; + } + return "n/a"; + } + +function switch_subnet(v: subnet): string + { + switch (v) { + case 1.2.3.0/24: + return "1.2.3.0/24"; + case [fe80::0]/96: + return "[fe80::0]"; + case 
192.168.0.0/16: + return "192.168.0.0/16"; + } + return "n/a"; + } + +function switch_empty(v: count): string + { + switch ( v ) { + } + return "n/a"; + } + +function switch_break(v: count): string + { + local rval = ""; + switch ( v ) { + case 1: + rval += "test"; + case 2: + rval += "testing"; + break; + case 3: + rval += "tested"; + } + return rval + "return"; + } + +function switch_default(v: count): string + { + local rval = ""; + switch ( v ) { + case 1: + rval += "1"; + case 2: + rval += "2"; + case 3: + rval += "3"; + default: + rval += "d"; + } + return rval + "r"; + } + +function switch_default_placement(v: count): string + { + local rval = ""; + switch ( v ) { + case 1: + rval += "1"; + default: + rval += "d"; + case 2: + rval += "2"; + break; + case 3: + rval += "3"; + } + return rval + "r"; + } + +function switch_case_list(v: count): string + { + switch ( v ) { + case 1, 2: + return "1,2"; + case 3, 4, 5: + return "3,4,5"; + case 6, 7, 8, 9: + return "6,7,8,9"; + } + return "n/a"; + } + +function test_switch(actual: string, expect: string) + { + if ( actual != expect ) + print fmt("%s != %s", actual, expect); + } + +event new_connection(c: connection) + { + test_switch( switch_bool(T) , "true" ); + test_switch( switch_bool(F) , "false" ); + test_switch( switch_int(+1) , "one" ); + test_switch( switch_int(+2) , "two" ); + test_switch( switch_int(-3) , "minus three" ); + test_switch( switch_int(40) , "n/a" ); + test_switch( switch_enum(RED) , "red" ); + test_switch( switch_enum(BLUE) , "blue" ); + test_switch( switch_enum(GREEN) , "green" ); + test_switch( switch_enum(PINK) , "n/a" ); + test_switch( switch_count(1) , "1" ); + test_switch( switch_count(2) , "2" ); + test_switch( switch_count(3) , "3" ); + test_switch( switch_count(100) , "n/a" ); + test_switch( switch_port(22/tcp) , "ssh" ); + test_switch( switch_port(53/udp) , "dns" ); + test_switch( switch_port(0/icmp) , "echo" ); + test_switch( switch_port(1000/tcp) , "n/a" ); + test_switch( 
switch_double(1.1) , "1.1" ); + test_switch( switch_double(2.2) , "2.2" ); + test_switch( switch_double(3.3) , "3.3" ); + test_switch( switch_interval(1sec) , "1sec" ); + test_switch( switch_interval(2day) , "2day" ); + test_switch( switch_interval(3min) , "3min" ); + test_switch( switch_string("one") , "first" ); + test_switch( switch_string("two") , "second" ); + test_switch( switch_string("three") , "third" ); + test_switch( switch_addr(1.2.3.4) , "ipv4" ); + test_switch( switch_addr([fe80::1]) , "ipv6" ); + test_switch( switch_addr(0.0.0.0) , "unspec" ); + test_switch( switch_subnet(1.2.3.4/24) , "1.2.3.0/24" ); + test_switch( switch_subnet([fe80::1]/96) , "[fe80::0]" ); + test_switch( switch_subnet(192.168.1.100/16) , "192.168.0.0/16" ); + test_switch( switch_empty(2) , "n/a" ); + test_switch( switch_break(1) , "testtestingreturn" ); + test_switch( switch_break(2) , "testingreturn" ); + test_switch( switch_break(3) , "testedreturn" ); + test_switch( switch_default(1) , "123dr" ); + test_switch( switch_default(2) , "23dr" ); + test_switch( switch_default(3) , "3dr" ); + test_switch( switch_default(4) , "dr" ); + test_switch( switch_default_placement(1) , "1d2r" ); + test_switch( switch_default_placement(2) , "2r" ); + test_switch( switch_default_placement(3) , "3r" ); + test_switch( switch_default_placement(4) , "d2r" ); + + local v = vector(0,1,2,3,4,5,6,7,9,10); + local expect: string; + + for ( i in v ) + { + switch ( v[i] ) { + case 1, 2: + expect = "1,2"; + break; + case 3, 4, 5: + expect = "3,4,5"; + break; + case 6, 7, 8, 9: + expect = "6,7,8,9"; + break; + default: + expect = "n/a"; + break; + } + test_switch( switch_case_list(v[i]) , expect ); + } + + print "done"; + } diff --git a/testing/btest/core/load-duplicates.bro b/testing/btest/core/load-duplicates.bro index e5dd365838..8c86fbc272 100644 --- a/testing/btest/core/load-duplicates.bro +++ b/testing/btest/core/load-duplicates.bro 
@@ -3,11 +3,11 @@ # @TEST-EXEC: mkdir -p foo/bar # @TEST-EXEC: echo "@load bar/test" >loader.bro # @TEST-EXEC: cp %INPUT foo/bar/test.bro -# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader bar/test -# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader bar/test.bro -# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader foo/bar/test -# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader foo/bar/test.bro -# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro misc/loaded-scripts loader `pwd`/foo/bar/test.bro +# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader bar/test +# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader bar/test.bro +# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader foo/bar/test +# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader foo/bar/test.bro +# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -b misc/loaded-scripts loader `pwd`/foo/bar/test.bro type Test: enum { TEST, diff --git a/testing/btest/core/load-pkg.bro b/testing/btest/core/load-pkg.bro index 26e190a14c..e6671e038d 100644 --- a/testing/btest/core/load-pkg.bro +++ b/testing/btest/core/load-pkg.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro foo >output +# @TEST-EXEC: bro -b foo >output # @TEST-EXEC: btest-diff output @TEST-START-FILE foo/__load__.bro diff --git a/testing/btest/core/load-relative.bro b/testing/btest/core/load-relative.bro index 4050150d93..3bd082cf8a 100644 --- a/testing/btest/core/load-relative.bro +++ b/testing/btest/core/load-relative.bro @@ -1,6 +1,6 @@ # A test of relative-path-based @load'ing -# @TEST-EXEC: bro foo/foo >output +# @TEST-EXEC: bro -b foo/foo >output # @TEST-EXEC: btest-diff output @TEST-START-FILE foo/foo.bro diff --git a/testing/btest/core/load-unload.bro b/testing/btest/core/load-unload.bro index f76e9e337d..6525a8e8ea 100644 --- a/testing/btest/core/load-unload.bro +++ b/testing/btest/core/load-unload.bro 
@@ -1,6 +1,6 @@ # This tests the @unload directive # -# @TEST-EXEC: bro %INPUT misc/loaded-scripts dontloadmebro > output +# @TEST-EXEC: bro -b %INPUT misc/loaded-scripts dontloadmebro > output # @TEST-EXEC: btest-diff output # @TEST-EXEC: grep -q dontloadmebro loaded_scripts.log && exit 1 || exit 0 diff --git a/testing/btest/core/tcp/rst-after-syn.bro b/testing/btest/core/tcp/rst-after-syn.bro new file mode 100644 index 0000000000..38976909d7 --- /dev/null +++ b/testing/btest/core/tcp/rst-after-syn.bro @@ -0,0 +1,12 @@ +# @TEST-EXEC: bro -b -r $TRACES/tcp/rst-inject-rae.trace %INPUT +# @TEST-EXEC: btest-diff .stdout + +# Mostly just checking that c$resp$size isn't huge due to the injected +# RST packet being used to initialize sequence number in TCP analyzer. + +event connection_state_remove(c: connection) + { + print c$id; + print "orig:", c$orig; + print "resp:", c$resp; + } diff --git a/testing/btest/core/tunnels/gtp/different_dl_and_ul.test b/testing/btest/core/tunnels/gtp/different_dl_and_ul.test new file mode 100644 index 0000000000..136853c463 --- /dev/null +++ b/testing/btest/core/tunnels/gtp/different_dl_and_ul.test @@ -0,0 +1,10 @@ +# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp2_different_udp_port.pcap +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff http.log +# @TEST-EXEC: btest-diff tunnel.log + +# Uplink GTP tunnel uses src port 5906 and dst port 2152. +# One side on port 2152 qualifies for GTP user plane. +# The Downlink GTP tunnel uses port 2152 for both src and dst. +# (checksums are incorrect because packets were anonymized and tcprewrite +# seems to fail to correct the checksums when there's IP fragmentation). diff --git a/testing/btest/core/tunnels/gtp/false_gtp.test b/testing/btest/core/tunnels/gtp/false_gtp.test new file mode 100644 index 0000000000..6e84be7323 --- /dev/null +++ b/testing/btest/core/tunnels/gtp/false_gtp.test 
@@ -0,0 +1,8 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp3_false_gtp.pcap +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff dns.log +# @TEST-EXEC: test ! -e tunnel.log + +# The fact that udp port 2152 on only one side already qualifies for GTP +# increases the risk for false positives, see this trace. This is not a +# GTP packet, but a DNS packet which just happens to use port 2152 diff --git a/testing/btest/core/tunnels/gtp/inner_ipv6.test b/testing/btest/core/tunnels/gtp/inner_ipv6.test new file mode 100644 index 0000000000..97d8562ecc --- /dev/null +++ b/testing/btest/core/tunnels/gtp/inner_ipv6.test @@ -0,0 +1,6 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp7_ipv6.pcap +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +# While the majority of user plane traffic inside the GTP tunnel is still IPv4, +# there is sometimes already native IPv6. diff --git a/testing/btest/core/tunnels/gtp/inner_teredo.test b/testing/btest/core/tunnels/gtp/inner_teredo.test new file mode 100644 index 0000000000..9161d31229 --- /dev/null +++ b/testing/btest/core/tunnels/gtp/inner_teredo.test @@ -0,0 +1,7 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp8_teredo.pcap "Tunnel::delay_teredo_confirmation=F" +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +# GTP packets may carry Teredo packets. Toggled the delay teredo confirmation +# option so that it shows in the service field (in one case the inner +# connection of the teredo packet is carried over differing outer connections). diff --git a/testing/btest/core/tunnels/gtp/non_recursive.test b/testing/btest/core/tunnels/gtp/non_recursive.test new file mode 100644 index 0000000000..d44bfce79d --- /dev/null +++ b/testing/btest/core/tunnels/gtp/non_recursive.test 
@@ -0,0 +1,11 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp4_udp_2152_inside.pcap %INPUT >out +# @TEST-EXEC: btest-diff out + +# In telecoms there is never a GTP tunnel within another GTP tunnel. +# So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152, +# it is just a UDP packet, but not another GTP tunnel. + +event protocol_violation(c: connection, atype: count, aid: count, reason: string) + { + print "protocol_violation", c$id, reason; + } diff --git a/testing/btest/core/tunnels/gtp/not_user_plane_data.test b/testing/btest/core/tunnels/gtp/not_user_plane_data.test new file mode 100644 index 0000000000..a6a3333360 --- /dev/null +++ b/testing/btest/core/tunnels/gtp/not_user_plane_data.test @@ -0,0 +1,9 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp10_not_0xff.pcap +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: test ! -e tunnel.log + +# There are GTP tunnel packets, which do not contain user plane data. Only +# those with gtp.message==0xff contain user plane data. Other GTP packets +# without user plane data are echo request, echo reply, error indication +# and stop marker (not included in trace). Those non-user plane GTP +# packets are ignored for now. diff --git a/testing/btest/core/tunnels/gtp/opt_header.test b/testing/btest/core/tunnels/gtp/opt_header.test new file mode 100644 index 0000000000..32329c7ca8 --- /dev/null +++ b/testing/btest/core/tunnels/gtp/opt_header.test @@ -0,0 +1,12 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +# Some GTPv1 headers have some optional fields totaling to a 4-byte extension +# of the mandatory header. + +event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr) + { + print "gtpv1_packet", inner_gtp; + } 
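Review bot: in testing/btest/core/leaks/switch-statement.bro the driver vector near the end of new_connection, `local v = vector(0,1,2,3,4,5,6,7,9,10);`, skips 8, so the `case 6, 7, 8, 9:` label is never exercised with 8 in either switch_case_list or the loop's own switch. If the gap is not intentional, add 8 to the vector. switch_bool, switch_double, switch_interval, switch_string, switch_addr and switch_subnet also have no call that reaches the "n/a" return, unlike the int, enum, count and port helpers.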
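Review bot: testing/btest/core/tunnels/gtp/non_recursive.test only diffs `out`, the protocol_violation prints, so it never checks what its comment promises: that the inner UDP packet on port 2152 is not decapsulated a second time. Add `btest-diff tunnel.log` (and conn.log) so a nested tunnel would show up in the baseline. Typo in the comment: "anohter" should be "another".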
diff --git a/testing/btest/core/tunnels/gtp/outer_ip_frag.test b/testing/btest/core/tunnels/gtp/outer_ip_frag.test new file mode 100644 index 0000000000..b2badb9c1b --- /dev/null +++ b/testing/btest/core/tunnels/gtp/outer_ip_frag.test @@ -0,0 +1,11 @@ +# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff http.log +# @TEST-EXEC: btest-diff tunnel.log + +# Normal GTP file, incl. TCP handshake and HTTP message. +# The inner IP packet is put into a GTP tunnel and as the original user payload +# is already 1500 byte, the tunneled packet incl. GTP/UDP/IP payload is +# bigger than 1500 byte and thus the outer IP must be fragmented, as seen here. +# (checksums are incorrect because packets were anonymized and tcprewrite +# seems to fail to correct the checksums when there's IP fragmentation). diff --git a/testing/btest/core/tunnels/gtp/unknown_or_too_short.test b/testing/btest/core/tunnels/gtp/unknown_or_too_short.test new file mode 100644 index 0000000000..e1b3d4ba20 --- /dev/null +++ b/testing/btest/core/tunnels/gtp/unknown_or_too_short.test @@ -0,0 +1,13 @@ +# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap +# @TEST-EXEC: btest-diff dpd.log +# @TEST-EXEC: btest-diff tunnel.log + +# Packet 11, epoch time 1333458853.075889 is malformed. Only 222 byte are +# captured, although according to the IP header a full packet should be +# available. In Sessions.cc this throws a weird message at line 710. +# Packet 12, epoch time 1333458853.075904 is malformed. The user plane +# packet is no IPv4 nor IPv6 packet. Very probably this is a follow up +# issue on a problem of the user plane packet before it was put into the +# tunnel. The user plane packet may got corrupt and then put into 2 tunnel +# packets, here packet 11 and 12, and in packet 12 the user plane data is +# part of the remainder of the broken user plane packet of packet 11. 
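Review bot: the comment in testing/btest/core/tunnels/gtp/unknown_or_too_short.test says packet 11 makes Sessions.cc raise a weird "at line 710", but the test diffs only dpd.log and tunnel.log, so that weird is not part of any baseline. Add `btest-diff weird.log` if the weird is the expected handling of the truncated packet, and name the weird in the comment rather than a source line number, which will drift with the next edit to Sessions.cc.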
diff --git a/testing/btest/core/when-interpreter-exceptions.bro b/testing/btest/core/when-interpreter-exceptions.bro new file mode 100644 index 0000000000..b1880c5139 --- /dev/null +++ b/testing/btest/core/when-interpreter-exceptions.bro @@ -0,0 +1,67 @@ +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/rotation.trace %INPUT +# @TEST-EXEC: btest-bg-wait -k 3 +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff bro/.stderr +# @TEST-EXEC: btest-diff bro/.stdout + +# interpreter exceptions in "when" blocks shouldn't cause termination + +global p: pkt_hdr; + +function f(do_exception: bool): bool + { + return when ( local addrs = lookup_hostname("localhost") ) + { + print "localhost resolved from f()", do_exception; + if ( do_exception ) + print p$ip; + return T; + } + return F; + } + +function g(do_exception: bool): bool + { + return when ( local addrs = lookup_hostname("localhost") ) + { + print "shouldn't get here, g()", do_exception; + } + timeout 0 sec + { + print "timeout g()", do_exception; + if ( do_exception ) + print p$ip; + return T; + } + return F; + } + +event bro_init() + { + when ( local addrs = lookup_hostname("localhost") ) + { + print "localhost resolved"; + print p$ip; + } + + when ( local addrs2 = lookup_hostname("localhost") ) + { + print "shouldn't get here"; + } + timeout 0 sec + { + print "timeout"; + print p$ip; + } + + when ( local b = f(T) ) + print "f() exception done (shouldn't be printed)", b; + + when ( local b2 = g(T) ) + print "g() exception done (shouldn't be printed)", b2; + + when ( local b3 = f(F) ) + print "f() done, no exception", b3; + + when ( local b4 = g(F) ) + print "g() done, no exception", b4; + } diff --git a/testing/btest/istate/opaque.bro b/testing/btest/istate/opaque.bro new file mode 100644 index 0000000000..84818a5e70 --- /dev/null +++ b/testing/btest/istate/opaque.bro 
@@ -0,0 +1,77 @@ +# +# @TEST-EXEC: bro -r $TRACES/empty.trace write.bro +# @TEST-EXEC: bro read.bro +# @TEST-EXEC: btest-diff expected.log +# @TEST-EXEC: btest-diff output.log +# @TEST-EXEC: cmp output.log expected.log + +@TEST-START-FILE read.bro + +global md5_handle: opaque of md5 &persistent &synchronized; +global sha1_handle: opaque of sha1 &persistent &synchronized; +global sha256_handle: opaque of sha256 &persistent &synchronized; +global entropy_handle: opaque of entropy &persistent &synchronized; + +event bro_done() + { + local out = open("output.log"); + + # Finish incremental operations started by a previous Bro. + if ( md5_hash_update(md5_handle, "oo") ) + print out, md5_hash_finish(md5_handle); + else + print out, "md5_hash_update() failed"; + + if ( sha1_hash_update(sha1_handle, "oo") ) + print out, sha1_hash_finish(sha1_handle); + else + print out, "sha1_hash_update() failed"; + + if ( sha256_hash_update(sha256_handle, "oo") ) + print out, sha256_hash_finish(sha256_handle); + else + print out, "sha256_hash_update() failed"; + + if ( entropy_test_add(entropy_handle, "oo") ) + print out, entropy_test_finish(entropy_handle); + else + print out, "entropy_test_add() failed"; + } + +@TEST-END-FILE + +@TEST-START-FILE write.bro + +global md5_handle: opaque of md5 &persistent &synchronized; +global sha1_handle: opaque of sha1 &persistent &synchronized; +global sha256_handle: opaque of sha256 &persistent &synchronized; +global entropy_handle: opaque of entropy &persistent &synchronized; + +event bro_init() + { + local out = open("expected.log"); + print out, md5_hash("foo"); + print out, sha1_hash("foo"); + print out, sha256_hash("foo"); + print out, find_entropy("foo"); + + # Begin incremental operations. Our goal is to feed the data string "foo" to + # the computation, but split into "f" and "oo" in two instances.. + md5_handle = md5_hash_init(); + if ( ! 
md5_hash_update(md5_handle, "f") ) + print out, "md5_hash_update() failed"; + + sha1_handle = sha1_hash_init(); + if ( ! sha1_hash_update(sha1_handle, "f") ) + print out, "sha1_hash_update() failed"; + + sha256_handle = sha256_hash_init(); + if ( ! sha256_hash_update(sha256_handle, "f") ) + print out, "sha256_hash_update() failed"; + + entropy_handle = entropy_test_init(); + if ( ! entropy_test_add(entropy_handle, "f") ) + print out, "entropy_test_add() failed"; + } + +@TEST-END-FILE diff --git a/testing/btest/istate/sync.bro b/testing/btest/istate/sync.bro index e1364a9553..a297e8a50f 100644 --- a/testing/btest/istate/sync.bro +++ b/testing/btest/istate/sync.bro @@ -1,7 +1,7 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run sender bro %INPUT ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro %INPUT ../receiver.bro +# @TEST-EXEC: btest-bg-run sender bro -b %INPUT ../sender.bro +# @TEST-EXEC: btest-bg-run receiver bro -b %INPUT ../receiver.bro # @TEST-EXEC: btest-bg-wait 20 # # @TEST-EXEC: btest-diff sender/vars.log @@ -27,6 +27,7 @@ global foo13 = { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persiste global foo14 = { [12345] = foo11, [12346] = foo11 } &persistent &synchronized; global foo15 = 42/udp &persistent &synchronized; global foo16: vector of count = [1,2,3] &persistent &synchronized; +global foo18: count &persistent &synchronized; # not initialized type type1: record { a: string; @@ -70,6 +71,7 @@ event bro_done() print out, foo15; print out, foo16; print out, foo17; + print out, foo18; } @@ -128,7 +130,8 @@ function modify() delete foo17$e; foo2 = 1234567; -} + foo18 = 122112; + } @load frameworks/communication/listen @@ -148,6 +151,8 @@ redef Communication::nodes += { @TEST-START-FILE receiver.bro +@load base/frameworks/communication + event bro_init() { capture_events("events.bst"); diff --git a/testing/btest/language/any.bro b/testing/btest/language/any.bro index 7437ee9851..fca23f6db8 100644 --- a/testing/btest/language/any.bro 
+++ b/testing/btest/language/any.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/at-if.bro b/testing/btest/language/at-if.bro index 979ed0bb9a..0a3e87adfa 100644 --- a/testing/btest/language/at-if.bro +++ b/testing/btest/language/at-if.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/at-ifdef.bro b/testing/btest/language/at-ifdef.bro index c30236f204..e7bb961833 100644 --- a/testing/btest/language/at-ifdef.bro +++ b/testing/btest/language/at-ifdef.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/at-ifndef.bro b/testing/btest/language/at-ifndef.bro index c98287590f..8bff0c456b 100644 --- a/testing/btest/language/at-ifndef.bro +++ b/testing/btest/language/at-ifndef.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/at-load.bro b/testing/btest/language/at-load.bro index b51594be16..7427cd639a 100644 --- a/testing/btest/language/at-load.bro +++ b/testing/btest/language/at-load.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out # In this script, we try to access each object defined in a "@load"ed script diff --git a/testing/btest/language/bool.bro b/testing/btest/language/bool.bro index b75343025f..8a1404459c 100644 --- a/testing/btest/language/bool.bro +++ b/testing/btest/language/bool.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/conditional-expression.bro b/testing/btest/language/conditional-expression.bro index 74648b6ce8..ea0acf009f 100644 --- a/testing/btest/language/conditional-expression.bro +++ b/testing/btest/language/conditional-expression.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/const.bro b/testing/btest/language/const.bro new file mode 100644 index 0000000000..ee938e8d45 --- /dev/null +++ b/testing/btest/language/const.bro 
@@ -0,0 +1,79 @@ +# @TEST-EXEC: bro -b valid.bro 2>valid.stderr 1>valid.stdout +# @TEST-EXEC: btest-diff valid.stderr +# @TEST-EXEC: btest-diff valid.stdout + +# @TEST-EXEC-FAIL: bro -b invalid.bro 2>invalid.stderr 1>invalid.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff invalid.stderr +# @TEST-EXEC: btest-diff invalid.stdout + +@TEST-START-FILE valid.bro +# First some simple code that should be valid and error-free. + +function f(c: count) + { + print "enter f", c; + c = c + 100; + print "exit f", c; + } + +const foo = 0 &redef; +redef foo = 10; + +const bar = 9; + +event bro_init() + { + const baz = 7; + local i = foo; + i = i + bar + 2; + i = i + baz + 11; + ++i; + print i; + --i; + f(foo); + f(bar); + f(baz); + print "foo", foo; + print "bar", bar; + print "baz", baz; + } + +@TEST-END-FILE + +@TEST-START-FILE invalid.bro +# Now some const assignments that should generate errors at parse-time. + +const foo = 0 &redef; +redef foo = 10; + +const bar = 9; + +event bro_init() + { + const baz = 7; + local s = 0; + + print "nope"; + + foo = 100; + foo = bar; + foo = bar = baz; + foo = s; + ++foo; + s = foo = bar; + + if ( foo = 0 ) + print "nope"; + + bar = 1 + 1; + baz = s; + ++bar; + --baz; + + print "foo", foo; + print "bar", bar; + print "baz", baz; + print "foo=foo", foo = foo; + } + +@TEST-END-FILE diff --git a/testing/btest/language/copy.bro b/testing/btest/language/copy.bro index 6740a080c7..3ddbc15e23 100644 --- a/testing/btest/language/copy.bro +++ b/testing/btest/language/copy.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/count.bro b/testing/btest/language/count.bro index d6dcf5a97e..b0972e29fa 100644 --- a/testing/btest/language/count.bro +++ b/testing/btest/language/count.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/cross-product-init.bro b/testing/btest/language/cross-product-init.bro index c12f9eb0bd..8cb9c48367 100644 --- a/testing/btest/language/cross-product-init.bro +++ b/testing/btest/language/cross-product-init.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output global my_subs = { 1.2.3.4/19, 5.6.7.8/21 }; diff --git a/testing/btest/language/delete-field-set.bro b/testing/btest/language/delete-field-set.bro index ad7cf6e9fb..1f1c5b0c27 100644 --- a/testing/btest/language/delete-field-set.bro +++ b/testing/btest/language/delete-field-set.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output type FooBar: record { diff --git a/testing/btest/language/delete-field.bro b/testing/btest/language/delete-field.bro index 477466b76a..99136ff2b9 100644 --- a/testing/btest/language/delete-field.bro +++ b/testing/btest/language/delete-field.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output type X: record { diff --git a/testing/btest/language/double.bro b/testing/btest/language/double.bro index 62ca768e22..f85b216828 100644 --- a/testing/btest/language/double.bro +++ b/testing/btest/language/double.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/enum-scope.bro b/testing/btest/language/enum-scope.bro index c8667bfada..82e7c7fd7c 100644 --- a/testing/btest/language/enum-scope.bro +++ b/testing/btest/language/enum-scope.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output type foo: enum { a, b } &redef; diff --git a/testing/btest/language/enum.bro b/testing/btest/language/enum.bro index 5cafb323a6..6de7d345da 100644 --- a/testing/btest/language/enum.bro +++ b/testing/btest/language/enum.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/event.bro b/testing/btest/language/event.bro index 1ea5c7b6d8..e251a3e579 100644 --- a/testing/btest/language/event.bro +++ b/testing/btest/language/event.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out diff --git a/testing/btest/language/file.bro b/testing/btest/language/file.bro index 1f631eb4fe..47430b6813 100644 --- a/testing/btest/language/file.bro +++ b/testing/btest/language/file.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff out1 # @TEST-EXEC: btest-diff out2 diff --git a/testing/btest/language/for.bro b/testing/btest/language/for.bro index f10ef0eb1b..eb99a2705d 100644 --- a/testing/btest/language/for.bro +++ b/testing/btest/language/for.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/function.bro b/testing/btest/language/function.bro index 13efbb91f8..ab60c4fa62 100644 --- a/testing/btest/language/function.bro +++ b/testing/btest/language/function.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/hook.bro b/testing/btest/language/hook.bro index 8f7a85ce95..9c9ab30c18 100644 --- a/testing/btest/language/hook.bro 
+++ b/testing/btest/language/hook.bro @@ -34,7 +34,25 @@ hook myhook(r: rec) &priority=10 r$b = "goobye world"; # returning from the handler early, is fine, remaining handlers still run. return; - print "ERROR: break statement should return from hook handler body"; + print "ERROR: return statement should return from hook handler body"; + } + +hook myhook(r: rec) &priority=9 + { + print "myhook return F"; + # return value is ignored, remaining handlers still run, final return + # value is whether any hook body returned via break statement + return F; + print "ERROR: return statement should return from hook handler body"; + } + +hook myhook(r: rec) &priority=8 + { + print "myhook return T"; + # return value is ignored, remaining handlers still run, final return + # value is whether any hook body returned via break statement + return T; + print "ERROR: return statement should return from hook handler body"; } # hook function doesn't need a declaration, we can go straight to defining @@ -56,16 +74,20 @@ hook myhook4() &priority=2 event bro_init() { - hook myhook([$a=1156, $b="hello world"]); + print hook myhook([$a=1156, $b="hello world"]); # A hook with no handlers is fine, it's just a no-op. - hook myhook2("nope"); + print hook myhook2("nope"); - hook myhook3(8); - hook myhook4(); + print hook myhook3(8); + print hook myhook4(); + if ( hook myhook4() ) + { + print "myhook4 all handlers ran"; + } # A hook can be treated like other data types and doesn't have to be # invoked directly by name. local h = myhook; - hook h([$a=2, $b="it works"]); + print hook h([$a=2, $b="it works"]); } diff --git a/testing/btest/language/hook_calls.bro b/testing/btest/language/hook_calls.bro new file mode 100644 index 0000000000..41ef6f52ae --- /dev/null +++ b/testing/btest/language/hook_calls.bro 
@@ -0,0 +1,82 @@ +# @TEST-EXEC: bro -b valid.bro >valid.out +# @TEST-EXEC: btest-diff valid.out +# @TEST-EXEC-FAIL: bro -b invalid.bro > invalid.out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff invalid.out + +# hook functions must be called using the "hook" keyword as an operator... + +@TEST-START-FILE valid.bro +hook myhook(i: count) + { + print "myhook()", i; + if ( i == 0 ) break; + } + +hook myhook(i: count) &priority=-1 + { + print "other myhook()", i; + } + +function indirect(): hook(i: count) + { + print "indirect()"; + return myhook; + } + +function really_indirect(): function(): hook(i: count) + { + print "really_indirect()"; + return indirect; + } + +global t: table[count] of hook(i: count) = { + [0] = myhook, +}; + +event bro_init() + { + hook myhook(3); + print hook myhook(3); + print hook myhook(0); + print "-----------"; + hook indirect()(3); + print hook indirect()(3); + print "-----------"; + hook really_indirect()()(3); + print hook really_indirect()()(3); + print "-----------"; + local h = t[0]; + hook h(3); + print hook h(3); + if ( hook h(3) ) + print "yes"; + if ( ! hook h(0) ) + print "double yes"; + print "-----------"; + hook t[0](3); + print hook t[0](3); + } + +@TEST-END-FILE + +@TEST-START-FILE invalid.bro +hook myhook(i: count) + { + print "myhook()", i; + if ( i == 0 ) break; + } + +event bro_init() + { + myhook(3); + print myhook(3); + print myhook(0); + hook 2+2; + print hook 2+2; + local h = myhook; + h(3); + if ( h(3) ) + print "hmm"; + print "done"; + } +@TEST-END-FILE diff --git a/testing/btest/language/if.bro b/testing/btest/language/if.bro index e9acea865f..785030a012 100644 --- a/testing/btest/language/if.bro +++ b/testing/btest/language/if.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) 
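Review bot: in testing/btest/language/hook.bro, the comment added to the `&priority=9` and `&priority=8` handlers says the final value "is whether any hook body returned via break statement", which reads as T on break. The rest of the patch expects the opposite: bro_init prints "myhook4 all handlers ran" when `hook myhook4()` is true, and hook_calls.bro prints "double yes" for `! hook h(0)`, where the handler breaks on `i == 0`. Reword the comment to say the result is F if any handler body exits via break and T otherwise.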
diff --git a/testing/btest/language/int.bro b/testing/btest/language/int.bro index 5cfa1620bd..f511d82bbb 100644 --- a/testing/btest/language/int.bro +++ b/testing/btest/language/int.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/interval.bro b/testing/btest/language/interval.bro index 66d44206d3..660683f5ca 100644 --- a/testing/btest/language/interval.bro +++ b/testing/btest/language/interval.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/invalid_hook.bro b/testing/btest/language/invalid_hook.bro deleted file mode 100644 index 0dbbfd1b6f..0000000000 --- a/testing/btest/language/invalid_hook.bro +++ /dev/null @@ -1,16 +0,0 @@ -# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out - -global myhook: hook(s: string); - -hook myhook(s: string) - { - print "myhook", s; - } - -event bro_init() - { - # hooks must be invoked with a "hook", statement. They have no return - # value and don't make sense to evaluate as arbitrary expressions. - local r = myhook("nope"); - } diff --git a/testing/btest/language/invalid_index.bro b/testing/btest/language/invalid_index.bro new file mode 100644 index 0000000000..96b7fa78c5 --- /dev/null +++ b/testing/btest/language/invalid_index.bro @@ -0,0 +1,15 @@ +# @TEST-EXEC: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +global foo: vector of count = { 42 }; +global foo2: table[count] of count = { [0] = 13 }; + +print "foo[0]", foo[0]; +print "foo[1]", foo[1]; +print "foo[2]", foo[2]; + +print "foo2[0]", foo2[0]; +print "foo2[1]", foo2[1]; +print "foo2[2]", foo2[2]; + +print "done"; 
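Review bot: invalid_index.bro has no comment saying what should happen for the out-of-range reads `foo[1]`, `foo[2]`, `foo2[1]` and `foo2[2]`, and its run line is a plain `@TEST-EXEC` rather than `@TEST-EXEC-FAIL`, so the baseline is the only statement of intent. Add a header comment, as record-bad-ctor.bro does, stating whether each bad index must be reported as an error and whether "done" is expected to be printed, so that a later baseline change can be judged as a regression or an intended change.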
diff --git a/testing/btest/language/module.bro b/testing/btest/language/module.bro index 4c70546406..3278697a8d 100644 --- a/testing/btest/language/module.bro +++ b/testing/btest/language/module.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT secondtestfile >out +# @TEST-EXEC: bro -b %INPUT secondtestfile >out # @TEST-EXEC: btest-diff out # In this source file, we define a module and export some objects diff --git a/testing/btest/language/next-test.bro b/testing/btest/language/next-test.bro index 7e9626a62c..d46ad187c4 100644 --- a/testing/btest/language/next-test.bro +++ b/testing/btest/language/next-test.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output # This script tests "next" being called during the last iteration of a diff --git a/testing/btest/language/no-module.bro b/testing/btest/language/no-module.bro index eadce66c18..24795df0fb 100644 --- a/testing/btest/language/no-module.bro +++ b/testing/btest/language/no-module.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT secondtestfile >out +# @TEST-EXEC: bro -b %INPUT secondtestfile >out # @TEST-EXEC: btest-diff out # This is the same test as "module.bro", but here we omit the module definition diff --git a/testing/btest/language/null-statement.bro b/testing/btest/language/null-statement.bro index 420ebd8a6c..20c70f4876 100644 --- a/testing/btest/language/null-statement.bro +++ b/testing/btest/language/null-statement.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out diff --git a/testing/btest/language/pattern.bro b/testing/btest/language/pattern.bro index ec50dc66fe..b904fe8737 100644 --- a/testing/btest/language/pattern.bro +++ b/testing/btest/language/pattern.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) 
diff --git a/testing/btest/language/port.bro b/testing/btest/language/port.bro index 1874e1dca3..a9c7fd33e7 100644 --- a/testing/btest/language/port.bro +++ b/testing/btest/language/port.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/precedence.bro b/testing/btest/language/precedence.bro index da8fef311c..27fc1e024a 100644 --- a/testing/btest/language/precedence.bro +++ b/testing/btest/language/precedence.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/raw_output_attr.test b/testing/btest/language/raw_output_attr.test index 22e565e4b4..8bcd479fbf 100644 --- a/testing/btest/language/raw_output_attr.test +++ b/testing/btest/language/raw_output_attr.test @@ -1,7 +1,7 @@ # Files with the &raw_output attribute shouldn't interpret NUL characters # in strings that are `print`ed to it. -# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: tr '\000' 'X' output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cmp myfile hookfile diff --git a/testing/btest/language/rec-comp-init.bro b/testing/btest/language/rec-comp-init.bro index 598c0cf3bd..c65ef69097 100644 --- a/testing/btest/language/rec-comp-init.bro +++ b/testing/btest/language/rec-comp-init.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output # Make sure composit types in records are initialized. diff --git a/testing/btest/language/rec-nested-opt.bro b/testing/btest/language/rec-nested-opt.bro index ab1a64dffd..3b4a478f6b 100644 --- a/testing/btest/language/rec-nested-opt.bro +++ b/testing/btest/language/rec-nested-opt.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output type Version: record { diff --git a/testing/btest/language/rec-of-tbl.bro b/testing/btest/language/rec-of-tbl.bro index 59d770bb30..8d2c9ab0e0 100644 --- a/testing/btest/language/rec-of-tbl.bro +++ b/testing/btest/language/rec-of-tbl.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output type x: record { diff --git a/testing/btest/language/rec-table-default.bro b/testing/btest/language/rec-table-default.bro index ee4a0e25ee..27e0043dc3 100644 --- a/testing/btest/language/rec-table-default.bro +++ b/testing/btest/language/rec-table-default.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output type X: record { diff --git a/testing/btest/language/record-bad-ctor.bro b/testing/btest/language/record-bad-ctor.bro new file mode 100644 index 0000000000..6b7ae4ff19 --- /dev/null +++ b/testing/btest/language/record-bad-ctor.bro @@ -0,0 +1,8 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +# At least shouldn't crash Bro, just report the invalid record ctor. + +global asdfasdf; +const blah = [$ports=asdfasdf]; +print blah; diff --git a/testing/btest/language/record-extension.bro b/testing/btest/language/record-extension.bro index 21b704ca7a..78ef929a86 100644 --- a/testing/btest/language/record-extension.bro +++ b/testing/btest/language/record-extension.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output type Foo: record { diff --git a/testing/btest/language/record-recursive-coercion.bro b/testing/btest/language/record-recursive-coercion.bro index ad9e41bd3a..0eb24a70d9 100644 --- a/testing/btest/language/record-recursive-coercion.bro 
+++ b/testing/btest/language/record-recursive-coercion.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output type Version: record { diff --git a/testing/btest/language/record-ref-assign.bro b/testing/btest/language/record-ref-assign.bro index f71bc3890c..a9539ab716 100644 --- a/testing/btest/language/record-ref-assign.bro +++ b/testing/btest/language/record-ref-assign.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output type State: record { diff --git a/testing/btest/language/set-opt-record-index.bro b/testing/btest/language/set-opt-record-index.bro index 18ec963809..d42de8b041 100644 --- a/testing/btest/language/set-opt-record-index.bro +++ b/testing/btest/language/set-opt-record-index.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output # Make sure a set can be indexed with a record that has optional fields diff --git a/testing/btest/language/set.bro b/testing/btest/language/set.bro index 5e56e3b9b8..d1eef7e6f0 100644 --- a/testing/btest/language/set.bro +++ b/testing/btest/language/set.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/short-circuit.bro b/testing/btest/language/short-circuit.bro index f0ba585cea..598ac8da35 100644 --- a/testing/btest/language/short-circuit.bro +++ b/testing/btest/language/short-circuit.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/sizeof.bro b/testing/btest/language/sizeof.bro index 99d7b51ce8..8b29e119bd 100644 --- a/testing/btest/language/sizeof.bro +++ b/testing/btest/language/sizeof.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output # Demo policy for the sizeof operator "|x|". diff --git a/testing/btest/language/smith-waterman-test.bro b/testing/btest/language/smith-waterman-test.bro index 50f5c1dae1..2113d88e24 100644 --- a/testing/btest/language/smith-waterman-test.bro +++ b/testing/btest/language/smith-waterman-test.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output global params: sw_params = [ $min_strlen = 2, $sw_variant = 0 ]; diff --git a/testing/btest/language/string-indexing.bro b/testing/btest/language/string-indexing.bro new file mode 100644 index 0000000000..f991b3c5fa --- /dev/null +++ b/testing/btest/language/string-indexing.bro @@ -0,0 +1,17 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +local s = "0123456789"; +print s[1]; +print s[1:2]; +print s[1:6]; +print s[0:20]; +print s[-2]; +print s[-3:-1]; +print s[-1:-10]; +print s[-1:0]; +print s[-1:5]; +print s[20:23]; +print s[-20:23]; +print s[0:5][2]; +print s[0:5][1:3][0]; diff --git a/testing/btest/language/string.bro b/testing/btest/language/string.bro index 3b9137cda5..abaa556b26 100644 --- a/testing/btest/language/string.bro +++ b/testing/btest/language/string.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/strings.bro b/testing/btest/language/strings.bro index 8e9eef43bf..f601797978 100644 --- a/testing/btest/language/strings.bro +++ b/testing/btest/language/strings.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output # Demo policy for string functions 
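Review bot: string-indexing.bro (the new file just before the strings.bro hunk) exercises out-of-range bounds only in the two-index form (`s[0:20]`, `s[20:23]`, `s[-20:23]`); both single-index cases, `s[1]` and `s[-2]`, are in range. Add `s[20]` and `s[-20]`, plus an index into an empty string, so that the boundary handling of the single-index path is pinned by the baseline as well.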
diff --git a/testing/btest/language/switch-statement.bro b/testing/btest/language/switch-statement.bro new file mode 100644 index 0000000000..b8c34f77dc --- /dev/null +++ b/testing/btest/language/switch-statement.bro 
@@ -0,0 +1,284 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type MyEnum: enum { + RED, + GREEN, + BLUE, + PINK, +}; + +function switch_bool(v: bool): string + { + switch (v) { + case T: + return "true"; + case F: + return "false"; + } + return "n/a"; + } + +function switch_int(v: int): string + { + switch (v) { + case +1: + return "one"; + case +2: + return "two"; + case -3: + return "minus three"; + } + return "n/a"; + } + +function switch_enum(v: MyEnum): string + { + switch (v) { + case RED: + return "red"; + case GREEN: + return "green"; + case BLUE: + return "blue"; + } + return "n/a"; + } + +function switch_count(v: count): string + { + switch (v) { + case 1: + return "1"; + case 2: + return "2"; + case 3: + return "3"; + } + return "n/a"; + } + +function switch_port(v: port): string + { + switch (v) { + case 22/tcp: + return "ssh"; + case 53/udp: + return "dns"; + case 0/icmp: + return "echo"; + } + return "n/a"; + } + +function switch_double(v: double): string + { + switch (v) { + case 1.1: + return "1.1"; + case 2.2: + return "2.2"; + case 3.3: + return "3.3"; + } + return "n/a"; + } + +function switch_interval(v: interval): string + { + switch (v) { + case 1sec: + return "1sec"; + case 2day: + return "2day"; + case 3min: + return "3min"; + } + return "n/a"; + } + +function switch_string(v: string): string + { + switch (v) { + case "one": + return "first"; + case "two": + return "second"; + case "three": + return "third"; + } + return "n/a"; + } + +function switch_addr(v: addr): string + { + switch (v) { + case 1.2.3.4: + return "ipv4"; + case [fe80::1]: + return "ipv6"; + case 0.0.0.0: + return "unspec"; + } + return "n/a"; + } + +function switch_subnet(v: subnet): string + { + switch (v) { + case 1.2.3.0/24: + return "1.2.3.0/24"; + case [fe80::0]/96: + return "[fe80::0]"; + case 192.168.0.0/16: + return "192.168.0.0/16"; + } + return "n/a"; + } + +function switch_empty(v: count): string + { + switch ( v ) { + } + return "n/a"; + 
} + +function switch_break(v: count): string + { + local rval = ""; + switch ( v ) { + case 1: + rval += "test"; + case 2: + rval += "testing"; + break; + case 3: + rval += "tested"; + } + return rval + "return"; + } + +function switch_default(v: count): string + { + local rval = ""; + switch ( v ) { + case 1: + rval += "1"; + case 2: + rval += "2"; + case 3: + rval += "3"; + default: + rval += "d"; + } + return rval + "r"; + } + +function switch_default_placement(v: count): string + { + local rval = ""; + switch ( v ) { + case 1: + rval += "1"; + default: + rval += "d"; + case 2: + rval += "2"; + break; + case 3: + rval += "3"; + } + return rval + "r"; + } + +function switch_case_list(v: count): string + { + switch ( v ) { + case 1, 2: + return "1,2"; + case 3, 4, 5: + return "3,4,5"; + case 6, 7, 8, 9: + return "6,7,8,9"; + } + return "n/a"; + } + +function test_switch(actual: string, expect: string) + { + if ( actual != expect ) + print fmt("%s != %s", actual, expect); + } + +event bro_init() + { + test_switch( switch_bool(T) , "true" ); + test_switch( switch_bool(F) , "false" ); + test_switch( switch_int(+1) , "one" ); + test_switch( switch_int(+2) , "two" ); + test_switch( switch_int(-3) , "minus three" ); + test_switch( switch_int(40) , "n/a" ); + test_switch( switch_enum(RED) , "red" ); + test_switch( switch_enum(BLUE) , "blue" ); + test_switch( switch_enum(GREEN) , "green" ); + test_switch( switch_enum(PINK) , "n/a" ); + test_switch( switch_count(1) , "1" ); + test_switch( switch_count(2) , "2" ); + test_switch( switch_count(3) , "3" ); + test_switch( switch_count(100) , "n/a" ); + test_switch( switch_port(22/tcp) , "ssh" ); + test_switch( switch_port(53/udp) , "dns" ); + test_switch( switch_port(0/icmp) , "echo" ); + test_switch( switch_port(1000/tcp) , "n/a" ); + test_switch( switch_double(1.1) , "1.1" ); + test_switch( switch_double(2.2) , "2.2" ); + test_switch( switch_double(3.3) , "3.3" ); + test_switch( switch_interval(1sec) , "1sec" ); + 
test_switch( switch_interval(2day) , "2day" ); + test_switch( switch_interval(3min) , "3min" ); + test_switch( switch_string("one") , "first" ); + test_switch( switch_string("two") , "second" ); + test_switch( switch_string("three") , "third" ); + test_switch( switch_addr(1.2.3.4) , "ipv4" ); + test_switch( switch_addr([fe80::1]) , "ipv6" ); + test_switch( switch_addr(0.0.0.0) , "unspec" ); + test_switch( switch_subnet(1.2.3.4/24) , "1.2.3.0/24" ); + test_switch( switch_subnet([fe80::1]/96) , "[fe80::0]" ); + test_switch( switch_subnet(192.168.1.100/16) , "192.168.0.0/16" ); + test_switch( switch_empty(2) , "n/a" ); + test_switch( switch_break(1) , "testtestingreturn" ); + test_switch( switch_break(2) , "testingreturn" ); + test_switch( switch_break(3) , "testedreturn" ); + test_switch( switch_default(1) , "123dr" ); + test_switch( switch_default(2) , "23dr" ); + test_switch( switch_default(3) , "3dr" ); + test_switch( switch_default(4) , "dr" ); + test_switch( switch_default_placement(1) , "1d2r" ); + test_switch( switch_default_placement(2) , "2r" ); + test_switch( switch_default_placement(3) , "3r" ); + test_switch( switch_default_placement(4) , "d2r" ); + + local v = vector(0,1,2,3,4,5,6,7,9,10); + local expect: string; + + for ( i in v ) + { + switch ( v[i] ) { + case 1, 2: + expect = "1,2"; + break; + case 3, 4, 5: + expect = "3,4,5"; + break; + case 6, 7, 8, 9: + expect = "6,7,8,9"; + break; + default: + expect = "n/a"; + break; + } + test_switch( switch_case_list(v[i]) , expect ); + } + + print "done"; + } diff --git a/testing/btest/language/table-init-attrs.bro b/testing/btest/language/table-init-attrs.bro new file mode 100644 index 0000000000..76d98b9fed --- /dev/null +++ b/testing/btest/language/table-init-attrs.bro 
@@ -0,0 +1,115 @@ +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +# set()/table() constructors are allowed to have attributes. When initializing +# an identifier, those attributes should also apply to it. + +const my_set_ctor_init: set[string] = set("test1") &redef; + +redef my_set_ctor_init += { + "test2", + "test3", +}; + +redef my_set_ctor_init += set("test4"); + +const my_table_ctor_init: table[count] of string = table([1] = "test1") &redef &default="nope"; + +redef my_table_ctor_init += { + [2] = "test2", + [3] = "test3", +}; + +# initializer list versions work the same way. + +const my_set_init: set[string] = { "test1" } &redef; + +redef my_set_init += { + "test2", + "test3", +}; + +redef my_set_init += set("test4"); + +const my_table_init: table[count] of string = { [1] = "test1" } &redef &default="nope"; + +redef my_table_init += { + [2] = "test2", + [3] = "test3", +}; + +redef my_table_init += table([4] = "test4"); + +# For tables that yield tables, we can apply attributes to the both other and +# inner tables... 
+ +global inception_table: table[count] of table[count] of string = table( + [0] = table([13] = "bar") &default="forty-two" +) &default=table() &default="we need to go deeper"; + +global inception_table2: table[count] of table[count] of string = { + [0] = table([13] = "bar") &default="forty-two", +} &default=table() &default="we need to go deeper"; + +event bro_init() + { + print "my_set_ctor_init"; + print my_set_ctor_init; + print ""; + print "my_table_ctor_init"; + print my_table_ctor_init; + print my_table_ctor_init[5]; + print ""; + print "my_set_init"; + print my_set_init; + print ""; + print "my_table_init"; + print my_table_init; + print my_table_init[5]; + print ""; + print "inception"; + print inception_table; + print inception_table[0]; + print inception_table[0][13]; + print inception_table[0][42]; + print inception_table[1]; + print inception_table[1][2]; + print inception_table2; + print inception_table2[0]; + print inception_table2[0][13]; + print inception_table2[0][42]; + print inception_table2[1]; + print inception_table2[1][2]; + print ""; + + # just checking attributes on locals works, too + print "local table t1"; + local t1: table[count] of string = table([1] = "foo") &default="nope"; + print t1; + print t1[1]; + print t1[2]; + print ""; + + print "local table t2"; + local t2: table[count] of string = {[1] = "foo"} &default="nope"; + print t2; + print t2[1]; + print t2[2]; + print ""; + + # and for empty initializers... + print "local table t3"; + local t3: table[count] of string = table() &default="nope"; + print t3; + print t3[1]; + print t3[2]; + print ""; + + print "local table t4"; + local t4: table[count] of string = {} &default="nope"; + print t4; + print t4[1]; + print t4[2]; + print ""; + + } diff --git a/testing/btest/language/table-init-container-ctors.bro b/testing/btest/language/table-init-container-ctors.bro new file mode 100644 index 0000000000..4829f41688 --- /dev/null +++ b/testing/btest/language/table-init-container-ctors.bro 
@@ -0,0 +1,95 @@ +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +# The various container constructor expressions should work in table +# initialization lists. + +type set_yield: set[string, count]; +type vector_yield: vector of count; +type table_yield: table[string, count] of count; +type record_yield: record { + a: count; + b: string; +}; + +global lone_set_ctor: set_yield = set(["foo", 1], ["bar", 2]); +global lone_vector_ctor: vector_yield = vector(1, 2); +global lone_table_ctor: table_yield = table(["foo", 1] = 1, ["bar", 2] = 2); +global lone_record_ctor: record_yield = record($a=1, $b="foo"); + +global table_of_set: table[count] of set_yield = { + [13] = lone_set_ctor, + [5] = set(["bah", 3], ["baz", 4]), +}; + +global table_of_vector: table[count] of vector_yield = { + [13] = lone_vector_ctor, + [5] = vector(3, 4), +}; + +global table_of_table: table[count] of table_yield = { + [13] = lone_table_ctor, + [5] = table(["bah", 3] = 3, ["baz", 4] = 4), +}; + +global table_of_record: table[count] of record_yield = { + [13] = lone_record_ctor, + [5] = record($a=2, $b="bar"), +}; + +# Just copying the inline ctors used in the table initializer lists here +# for later comparisons. 
+global inline_set_ctor: set_yield = set(["bah", 3], ["baz", 4]); +global inline_vector_ctor: vector_yield = vector(3, 4); +global inline_table_ctor: table_yield = table(["bah", 3] = 3, ["baz", 4] = 4); +global inline_record_ctor: record_yield = record($a=2, $b="bar"); + +function compare_set_yield(a: set_yield, b: set_yield) + { + local s: string; + local c: count; + for ( [s, c] in a ) + print [s, c] in b; + } + +function compare_vector_yield(a: vector_yield, b: vector_yield) + { + local c: count; + for ( c in a ) + print a[c] == b[c]; + } + +function compare_table_yield(a: table_yield, b: table_yield) + { + local s: string; + local c: count; + for ( [s, c] in a ) + print [s, c] in b && a[s, c] == b[s, c]; + } + +function compare_record_yield(a: record_yield, b: record_yield) + { + print a$a == b$a && a$b == b$b; + } + +print "table of set"; +print table_of_set; +print ""; +print "table of vector"; +print table_of_vector; +print ""; +print "table of table"; +print table_of_table; +print ""; +print "table of record"; +print table_of_record; +print ""; + +compare_set_yield(table_of_set[13], lone_set_ctor); +compare_set_yield(table_of_set[5], inline_set_ctor); +compare_vector_yield(table_of_vector[13], lone_vector_ctor); +compare_vector_yield(table_of_vector[5], inline_vector_ctor); +compare_table_yield(table_of_table[13], lone_table_ctor); +compare_table_yield(table_of_table[5], inline_table_ctor); +compare_record_yield(table_of_record[13], lone_record_ctor); +compare_record_yield(table_of_record[5], inline_record_ctor); diff --git a/testing/btest/language/table-init.bro b/testing/btest/language/table-init.bro index 5df682c5d2..7419a50879 100644 --- a/testing/btest/language/table-init.bro +++ b/testing/btest/language/table-init.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output global global_table: table[count] of string = { 
diff --git a/testing/btest/language/time.bro b/testing/btest/language/time.bro index 43b6694101..dd4b6336fe 100644 --- a/testing/btest/language/time.bro +++ b/testing/btest/language/time.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/timeout.bro b/testing/btest/language/timeout.bro index 6bc0419b2f..b16ddd6e7c 100644 --- a/testing/btest/language/timeout.bro +++ b/testing/btest/language/timeout.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out diff --git a/testing/btest/language/type-type-error.bro b/testing/btest/language/type-type-error.bro new file mode 100644 index 0000000000..047e4b34ef --- /dev/null +++ b/testing/btest/language/type-type-error.bro @@ -0,0 +1,14 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr + +type r: record { + a: string; +}; + +event bro_init() + { + # This should generate a parse error indicating that the type identifier + # is incorrectly used in an expression expecting a real value and not + # a value of type TypeType. + print r$a; + } diff --git a/testing/btest/language/vector-coerce-expr.bro b/testing/btest/language/vector-coerce-expr.bro index d58417f226..97f9617665 100644 --- a/testing/btest/language/vector-coerce-expr.bro +++ b/testing/btest/language/vector-coerce-expr.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >output 2>&1 +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output type X: record { diff --git a/testing/btest/language/vector-list-init-records.bro b/testing/btest/language/vector-list-init-records.bro index ee2b78c4a5..b1eee0ac92 100644 --- a/testing/btest/language/vector-list-init-records.bro +++ b/testing/btest/language/vector-list-init-records.bro 
@@ -1,7 +1,7 @@ # Initializing a vector with a list of records should promote elements as # necessary to match the vector's yield type. -# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output type Foo: record { diff --git a/testing/btest/language/vector.bro b/testing/btest/language/vector.bro index 928ddcb645..76fc8b69e3 100644 --- a/testing/btest/language/vector.bro +++ b/testing/btest/language/vector.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out function test_case(msg: string, expect: bool) diff --git a/testing/btest/language/wrong-delete-field.bro b/testing/btest/language/wrong-delete-field.bro index e0d0093258..63573faf8a 100644 --- a/testing/btest/language/wrong-delete-field.bro +++ b/testing/btest/language/wrong-delete-field.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC-FAIL: bro %INPUT >output 2>&1 +# @TEST-EXEC-FAIL: bro -b %INPUT >output 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output type X: record { diff --git a/testing/btest/language/wrong-record-extension.bro b/testing/btest/language/wrong-record-extension.bro index 4e0210546a..a8ef6a64e9 100644 --- a/testing/btest/language/wrong-record-extension.bro +++ b/testing/btest/language/wrong-record-extension.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC-FAIL: bro %INPUT >output.tmp 2>&1 +# @TEST-EXEC-FAIL: bro -b %INPUT >output.tmp 2>&1 # @TEST-EXEC: sed 's#^.*:##g' output # @TEST-EXEC: btest-diff output diff --git a/testing/btest/scripts/base/frameworks/input/basic.bro b/testing/btest/scripts/base/frameworks/input/basic.bro index dfac84d062..fbb320e03f 100644 --- a/testing/btest/scripts/base/frameworks/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/basic.bro 
@@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,7 +11,6 @@ T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen global outfile: file; diff --git a/testing/btest/scripts/base/frameworks/input/bignumber.bro b/testing/btest/scripts/base/frameworks/input/bignumber.bro index 5b93472551..098481a518 100644 --- a/testing/btest/scripts/base/frameworks/input/bignumber.bro +++ b/testing/btest/scripts/base/frameworks/input/bignumber.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -13,8 +10,6 @@ -9223372036854775800 18446744073709551612 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/binary.bro b/testing/btest/scripts/base/frameworks/input/binary.bro index 8d75abc5a9..7caa734d34 100644 --- a/testing/btest/scripts/base/frameworks/input/binary.bro +++ b/testing/btest/scripts/base/frameworks/input/binary.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out 
@@ -25,8 +22,6 @@ abc\xff\x7cdef|DATA2 #end|2012-07-20-01-49-19 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro index c8760b467e..78f3d3a72e 100644 --- a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro +++ b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: btest-bg-wait -k 5 @@ -23,9 +20,6 @@ 2 TEST TEST @TEST-END-FILE -@load frameworks/communication/listen - - module A; type Idx: record { diff --git a/testing/btest/scripts/base/frameworks/input/emptyvals.bro b/testing/btest/scripts/base/frameworks/input/emptyvals.bro index 94b0f1b620..e5e9bc22e3 100644 --- a/testing/btest/scripts/base/frameworks/input/emptyvals.bro +++ b/testing/btest/scripts/base/frameworks/input/emptyvals.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,8 +11,6 @@ T 1 - 2 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/event.bro b/testing/btest/scripts/base/frameworks/input/event.bro index ba47d5e3f2..7d553a53e3 100644 --- a/testing/btest/scripts/base/frameworks/input/event.bro 
+++ b/testing/btest/scripts/base/frameworks/input/event.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -19,8 +16,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/executeraw.bro b/testing/btest/scripts/base/frameworks/input/executeraw.bro index 626b9cdfd2..09cd920bee 100644 --- a/testing/btest/scripts/base/frameworks/input/executeraw.bro +++ b/testing/btest/scripts/base/frameworks/input/executeraw.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: cat out.tmp | sed 's/^ *//g' >out # @TEST-EXEC: btest-diff out @@ -17,8 +14,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; type Val: record { diff --git a/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro b/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro index 1deec605ae..3c467598ad 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro 
@@ -1,11 +1,8 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out # @TEST-EXEC: sed 1d .stderr > .stderrwithoutfirstline -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderrwithoutfirstline +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff .stderrwithoutfirstline @TEST-START-FILE input.log #separator \x09 @@ -17,8 +14,6 @@ Justtext 1 9223372036854775800 -18446744073709551612 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/invalidtext.bro b/testing/btest/scripts/base/frameworks/input/invalidtext.bro new file mode 100644 index 0000000000..668716d045 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/invalidtext.bro 
@@ -0,0 +1,41 @@ +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: sed 1d .stderr > .stderrwithoutfirstline +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff .stderrwithoutfirstline + +@TEST-START-FILE input.log +#separator \x09 +#fields i c +#types int count + l + 5 +@TEST-END-FILE + +global outfile: file; + +module A; + +type Idx: record { + i: string; +}; + +type Val: record { + c: count; +}; + +global servers: table[string] of Val = table(); + +event bro_init() + { + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]); + Input::remove("ssh"); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, servers; + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/missing-file.bro b/testing/btest/scripts/base/frameworks/input/missing-file.bro index aa5acf619e..7048698221 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file.bro @@ -1,12 +1,7 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff bro/.stderr -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro index c08b1420fb..505aa2245d 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro 
+++ b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -13,8 +10,6 @@ T -42 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro index 9e420e75fe..e85267b4c3 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro +++ b/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -13,8 +10,6 @@ T -42 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/optional.bro b/testing/btest/scripts/base/frameworks/input/optional.bro index 2fe0e5c86f..670f0f48ba 100644 --- a/testing/btest/scripts/base/frameworks/input/optional.bro +++ b/testing/btest/scripts/base/frameworks/input/optional.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out 
@@ -19,8 +16,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/port.bro b/testing/btest/scripts/base/frameworks/input/port.bro index 081c59559b..2225132395 100644 --- a/testing/btest/scripts/base/frameworks/input/port.bro +++ b/testing/btest/scripts/base/frameworks/input/port.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -12,8 +9,6 @@ 1.2.3.6 30 unknown @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro b/testing/btest/scripts/base/frameworks/input/predicate-stream.bro index 8cf927e346..b931bbc41e 100644 --- a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate-stream.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out # @@ -23,8 +20,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/predicate.bro b/testing/btest/scripts/base/frameworks/input/predicate.bro index 8fb33242e8..9f2c4362de 100644 --- a/testing/btest/scripts/base/frameworks/input/predicate.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate.bro 
@@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -19,8 +16,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro b/testing/btest/scripts/base/frameworks/input/predicatemodify.bro index 17467bbc27..4129a47873 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodify.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,8 +11,6 @@ 2 T test2 idx2 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro index 5a9e993651..17e7fa4bf2 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: sleep 2 
@@ -58,8 +55,6 @@ 1 T test1 idx1 @TEST-END-FILE -@load frameworks/communication/listen - redef InputAscii::empty_field = "EMPTY"; module A; diff --git a/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro b/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro index ba0b468cdc..0df8b14dd6 100644 --- a/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro +++ b/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -17,8 +14,6 @@ need-to-know 8c864306-d21a-37b1-8705-746a786719bf medium 95 1342569600 1.228.83. need-to-know 8c864306-d21a-37b1-8705-746a786719bf medium 65 1342656000 1.228.83.33 - - 9318 HANARO-AS Hanaro Telecom Inc. 1.224.0.0/13 apnic KR spam infrastructure spamming;malware domain public http://reputation.alienvault.com/reputation.generic @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/raw.bro b/testing/btest/scripts/base/frameworks/input/raw.bro index d15aec22bb..7201e9ad3a 100644 --- a/testing/btest/scripts/base/frameworks/input/raw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out 
@@ -16,8 +13,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/repeat.bro b/testing/btest/scripts/base/frameworks/input/repeat.bro index a966ac064e..f29061fa8b 100644 --- a/testing/btest/scripts/base/frameworks/input/repeat.bro +++ b/testing/btest/scripts/base/frameworks/input/repeat.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @@ -13,8 +10,6 @@ 1 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.bro index 11aa873f9d..bfb7b6fd84 100644 --- a/testing/btest/scripts/base/frameworks/input/reread.bro +++ b/testing/btest/scripts/base/frameworks/input/reread.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: sleep 2 @@ -59,7 +56,6 @@ F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/rereadraw.bro b/testing/btest/scripts/base/frameworks/input/rereadraw.bro index 2fdcdc8f9e..d1db2bb049 100644 
--- a/testing/btest/scripts/base/frameworks/input/rereadraw.bro +++ b/testing/btest/scripts/base/frameworks/input/rereadraw.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -16,8 +13,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/set.bro b/testing/btest/scripts/base/frameworks/input/set.bro index b2b5cea323..a460f6788a 100644 --- a/testing/btest/scripts/base/frameworks/input/set.bro +++ b/testing/btest/scripts/base/frameworks/input/set.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @@ -16,8 +13,6 @@ 192.168.17.42 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/setseparator.bro b/testing/btest/scripts/base/frameworks/input/setseparator.bro index b7148d80bd..156f566d28 100644 --- a/testing/btest/scripts/base/frameworks/input/setseparator.bro +++ b/testing/btest/scripts/base/frameworks/input/setseparator.bro 
@@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @@ -13,8 +10,6 @@ redef InputAscii::set_separator = "|"; -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/setspecialcases.bro b/testing/btest/scripts/base/frameworks/input/setspecialcases.bro index 022eac9731..86e53feb0a 100644 --- a/testing/btest/scripts/base/frameworks/input/setspecialcases.bro +++ b/testing/btest/scripts/base/frameworks/input/setspecialcases.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @@ -16,9 +13,6 @@ 6 @TEST-END-FILE - -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/stream.bro b/testing/btest/scripts/base/frameworks/input/stream.bro index 1ecd8a2eb0..684f4ea395 100644 --- a/testing/btest/scripts/base/frameworks/input/stream.bro +++ b/testing/btest/scripts/base/frameworks/input/stream.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 3 # @TEST-EXEC: cat input2.log >> input.log # @TEST-EXEC: sleep 3 
@@ -25,7 +22,6 @@ F -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/streamraw.bro b/testing/btest/scripts/base/frameworks/input/streamraw.bro index 3bc06f7dea..d8e43d6386 100644 --- a/testing/btest/scripts/base/frameworks/input/streamraw.bro +++ b/testing/btest/scripts/base/frameworks/input/streamraw.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 3 # @TEST-EXEC: cat input2.log >> input.log # @TEST-EXEC: sleep 3 @@ -27,8 +24,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load frameworks/communication/listen - module A; type Val: record { diff --git a/testing/btest/scripts/base/frameworks/input/subrecord-event.bro b/testing/btest/scripts/base/frameworks/input/subrecord-event.bro index 4e7dc1690a..92ee6dd500 100644 --- a/testing/btest/scripts/base/frameworks/input/subrecord-event.bro +++ b/testing/btest/scripts/base/frameworks/input/subrecord-event.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,7 +11,6 @@ T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen global outfile: file; global try: count; 
diff --git a/testing/btest/scripts/base/frameworks/input/subrecord.bro b/testing/btest/scripts/base/frameworks/input/subrecord.bro index 512b8ec58f..11f247f764 100644 --- a/testing/btest/scripts/base/frameworks/input/subrecord.bro +++ b/testing/btest/scripts/base/frameworks/input/subrecord.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,7 +11,6 @@ T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen global outfile: file; diff --git a/testing/btest/scripts/base/frameworks/input/tableevent.bro b/testing/btest/scripts/base/frameworks/input/tableevent.bro index 723e519237..db39fdf72b 100644 --- a/testing/btest/scripts/base/frameworks/input/tableevent.bro +++ b/testing/btest/scripts/base/frameworks/input/tableevent.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -19,8 +16,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/twotables.bro b/testing/btest/scripts/base/frameworks/input/twotables.bro index 83ae86cd46..5540019971 100644 --- a/testing/btest/scripts/base/frameworks/input/twotables.bro +++ b/testing/btest/scripts/base/frameworks/input/twotables.bro 
@@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 5 # @TEST-EXEC: cp input3.log input.log # @TEST-EXEC: btest-bg-wait -k 10 @@ -34,7 +31,6 @@ F -44 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/unsupported_types.bro b/testing/btest/scripts/base/frameworks/input/unsupported_types.bro index e1350f61a9..0651e0693e 100644 --- a/testing/btest/scripts/base/frameworks/input/unsupported_types.bro +++ b/testing/btest/scripts/base/frameworks/input/unsupported_types.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,7 +11,6 @@ whatever T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.00 @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen global outfile: file; diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-csv.bro b/testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro similarity index 94% rename from testing/btest/scripts/base/frameworks/logging/ascii-csv.bro rename to testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro index 1c10f5fc6b..09276a08fd 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-csv.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-tsv.bro 
@@ -22,7 +22,7 @@ event bro_init() Log::create_stream(SSH::LOG, [$columns=Log]); local filter = Log::get_filter(SSH::LOG, "default"); - filter$config = table(["only_single_header_row"] = "T"); + filter$config = table(["tsv"] = "T"); Log::add_filter(SSH::LOG, filter); local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; diff --git a/testing/btest/scripts/base/protocols/http/http-methods.bro b/testing/btest/scripts/base/protocols/http/http-methods.bro new file mode 100644 index 0000000000..59045c1cc5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/http-methods.bro @@ -0,0 +1,9 @@ +# This tests that the HTTP analyzer handles strange HTTP methods properly. +# +# @TEST-EXEC: bro -r $TRACES/http-methods.trace %INPUT +# @TEST-EXEC: btest-diff weird.log +# @TEST-EXEC: btest-diff http.log + +# The base analysis scripts are loaded by default. +#@load base/protocols/http +
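Review bot: the new `@TEST-EXEC` line in the `@@ -1,7 +1,4 @@` header hunks of the input-framework tests (rereadraw.bro, set.bro, setseparator.bro, setspecialcases.bro, subrecord.bro, subrecord-event.bro, tableevent.bro, unsupported_types.bro) carries no comment saying why an unrelated trace is replayed. The removed header documented the old workaround ("uses listen.bro just to ensure input sources are more reliably fully-read"), while `--pseudo-realtime -r $TRACES/socks.trace` reads as if these tests depended on SOCKS traffic. Please add a one-line comment above the command stating that the trace is only there to keep the process running while the input sources are read, so nobody later swaps or trims the trace without knowing what relies on it.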
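Review bot: in the `@@ -1,8 +1,5 @@` hunks of stream.bro, streamraw.bro and twotables.bro the tests still modify input.log after fixed delays (`sleep 3`, `cat input2.log >> input.log`, `sleep 5`, `cp input3.log input.log`), but Bro is now driven by a finite trace rather than a listening socket. Please confirm that the process is still alive when the later data is written, either because the pseudo-realtime replay of socks.trace outlasts the sleeps or because the scripts keep it running until they terminate explicitly. If neither holds, the second batch is never read and the result depends on machine speed, which is the kind of flakiness the removed `@TEST-SERIALIZE: comm` header was working around.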
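Review bot: the `@@ -22,7 +22,7 @@` hunk of ascii-tsv.bro renames the filter config key from "only_single_header_row" to "tsv", and nothing visible here tests what happens to a script that still sets the old key. If the ASCII writer silently ignores unknown keys, such a script would fall back to the full multi-line header without any warning, which breaks downstream parsers that expect a single header row. Consider adding a case that sets `only_single_header_row` and checks for a defined outcome (an error, or the same output as `tsv`), and call out the rename in the user-facing change notes.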
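Review bot: the new file http-methods.bro ends with a commented-out `#@load base/protocols/http` under the remark that the base scripts are loaded by default, which leaves dead text and ties the weird.log and http.log baselines to whatever the default script set happens to load. Either delete the commented line or make the dependency explicit by loading only what the two baselines need, so unrelated changes to default scripts do not churn this test. It would also help to state in the header comment which "strange" methods http-methods.trace contains and whether each is expected to show up in http.log, weird.log or both, since the baselines alone do not say what counts as handled "properly".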