FileAnalysis: add unit tests covering current protocol integration.

And had to make various fixes/refinements after scrutinizing results.
Jon Siwek 2013-03-19 15:50:05 -05:00
parent b30211c178
commit 59ed5c75f1
72 changed files with 2605 additions and 53 deletions


@ -22,9 +22,7 @@ export {
## The default amount of time file analysis will wait for new file data
## before giving up.
## TODO: what's a reasonable default?
#const default_timeout_interval: interval = 2 mins &redef;
const default_timeout_interval: interval = 10 sec &redef;
const default_timeout_interval: interval = 2 mins &redef;
# Needed a forward declaration for event parameters...
type Info: record {};
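Review bot: The doc comment on `default_timeout_interval` no longer says what the timeout bounds, and with the HTTP change elsewhere on this page leaving file state for 206 replies open until it fires, it has become the only thing that completes such files and releases their per-file state. Suggested wording: `## The default amount of time file analysis will wait for new file data before giving up and finalizing the file. For transfers whose end cannot be detected (e.g. HTTP 206 byte ranges spanning connections) this timeout is what completes the file, so it also bounds how long per-file state is retained.` The TODO about a reasonable default stays open; the `10 sec` variant visible in the hunk suggests it was tried and reverted, which is worth a word so the next reader does not retry it.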


@ -5,6 +5,7 @@
redef FileAnalysis::service_handle_callbacks += {
["ftp-data"] = function(c: connection, is_orig: bool): string
{
if ( is_orig ) return "";
return fmt("%s ftp-data: %s", c$start_time, id_string(c$id));
},
};


@ -10,8 +10,8 @@ function get_file_handle(c: connection, is_orig: bool): string
if ( ! c?$http ) return "";
if ( c$http$range_request )
return fmt("%s http(%s): %s: %s", c$start_time, is_orig,
c$id$orig_h, build_url(c$http));
return fmt("http(%s): %s: %s", is_orig, c$id$orig_h,
build_url(c$http));
return fmt("%s http(%s, %s): %s", c$start_time, is_orig,
c$http$trans_depth, id_string(c$id));
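Review bot: The new non-range handle is keyed on the connection tuple plus `trans_depth`, while the range-request branch is keyed on the client address plus URL; that asymmetry is what lets byte ranges of one resource spanning several connections land in one file, but nothing in the function says so, and a reader could "fix" it into the connection-based form. Suggested comment above the `range_request` check: `# Range requests are keyed on client + URL (not connection) so that byte ranges of one resource fetched over several connections are assembled into a single file; every other request is keyed on the connection and its pipelining depth.` It also follows that two unrelated clients behind the same address fetching the same URL with ranges will share a file, which the comment should state as a known limitation. `get_file_handle` ends outside this hunk.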


@ -5,6 +5,7 @@
redef FileAnalysis::service_handle_callbacks += {
["irc-dcc-data"] = function(c: connection, is_orig: bool): string
{
if ( is_orig ) return "";
return fmt("%s irc-dcc-data: %s", c$start_time, id_string(c$id));
},
};


@ -47,7 +47,8 @@ HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity,
zip = 0;
is_partial_content = false;
offset = 0;
content_size = -1; // unspecified
instance_length = -1; // unspecified
send_size = true;
}
void HTTP_Entity::EndOfData()
@ -282,27 +283,33 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
if ( deliver_body )
MIME_Entity::SubmitData(len, buf);
if ( send_size && ( encoding == GZIP || encoding == DEFLATE ) )
// Auto-decompress in DeliverBody invalidates sizes derived from headers
send_size = false;
if ( is_partial_content )
{
if ( send_size && instance_length > 0 )
file_mgr->SetSize(instance_length,
http_message->MyHTTP_Analyzer()->Conn(),
http_message->IsOrig());
file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, offset,
http_message->MyHTTP_Analyzer()->Conn(),
http_message->IsOrig());
offset += len;
if ( content_size >= 0 )
file_mgr->SetSize(content_size,
http_message->MyHTTP_Analyzer()->Conn(),
http_message->IsOrig());
}
else
{
file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
http_message->MyHTTP_Analyzer()->Conn(),
http_message->IsOrig());
if ( content_length >= 0 )
if ( send_size && content_length > 0 )
file_mgr->SetSize(content_length,
http_message->MyHTTP_Analyzer()->Conn(),
http_message->IsOrig());
file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
http_message->MyHTTP_Analyzer()->Conn(),
http_message->IsOrig());
}
send_size = false;
}
void HTTP_Entity::SetPlainDelivery(int64_t length)
@ -333,9 +340,7 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
}
// Figure out content-length for HTTP 206 Partial Content response
// that uses multipart/byteranges content-type.
else if ( strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() &&
Parent()->MIMEContentType() == CONTENT_TYPE_MULTIPART &&
else if ( strcasecmp_n(h->get_name(), "content-range") == 0 &&
http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 )
{
data_chunk_t vt = h->get_value_token();
@ -359,7 +364,7 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
}
string byte_range_resp_spec = byte_range.substr(0, p);
string instance_length = byte_range.substr(p + 1);
string instance_length_str = byte_range.substr(p + 1);
p = byte_range_resp_spec.find("-");
if ( p == string::npos )
@ -374,7 +379,7 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
if ( DEBUG_http )
DEBUG_MSG("Parsed Content-Range: %s %s-%s/%s\n", byte_unit.c_str(),
first_byte_pos.c_str(), last_byte_pos.c_str(),
instance_length.c_str());
instance_length_str.c_str());
int64_t f, l;
atoi_n(first_byte_pos.size(), first_byte_pos.c_str(), 0, 10, f);
@ -386,9 +391,13 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
if ( len > 0 )
{
if ( instance_length != "*" )
atoi_n(instance_length.size(), instance_length.c_str(), 0, 10,
content_size);
if ( instance_length_str != "*" )
{
if ( ! atoi_n(instance_length_str.size(),
instance_length_str.c_str(), 0, 10,
instance_length) )
instance_length = 0;
}
is_partial_content = true;
offset = f;
content_length = len;
@ -554,9 +563,12 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
GetAnalyzer()->ConnectionEvent(http_message_done, vl);
}
MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
// multipart/byteranges may span multiple connections
file_mgr->EndOfFile(MyHTTP_Analyzer()->Conn(), is_orig);
MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
delete_strings(buffers);
if ( data_buffer )
@ -620,8 +632,7 @@ void HTTP_Message::EndEntity(MIME_Entity* entity)
// SubmitAllHeaders (through EndOfData).
if ( entity == top_level )
Done();
else if ( ! ( current_entity->MIMEContentType() == CONTENT_TYPE_MULTIPART &&
MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 ) )
else if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
file_mgr->EndOfFile(MyHTTP_Analyzer()->Conn(), is_orig);
}
@ -884,7 +895,12 @@ void HTTP_Analyzer::Done()
unanswered_requests.pop();
}
file_mgr->EndOfFile(Conn());
file_mgr->EndOfFile(Conn(), true);
/* TODO: this might be nice to have, but reply code is cleared by now.
if ( HTTP_ReplyCode() != 206 )
// multipart/byteranges may span multiple connections
file_mgr->EndOfFile(Conn(), false);
*/
}
void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
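Review bot: The instance-length parsed in the SubmitHeader hunk (the `instance_length_str != "*"` branch) is never checked against the byte positions parsed just above it, so a reply advertising e.g. `bytes 500-999/100` passes through and a later SubmitData call announces that length via SetSize while delivering data at offset 500, past the declared end. RFC 2616 §14.16 requires last-byte-pos to be less than instance-length; treating a violation as unknown length keeps the existing `> 0` guard working, assuming `l` holds last-byte-pos as the debug line suggests: `if ( instance_length > 0 && l >= instance_length ) instance_length = 0;` placed after the `atoi_n` block and before `is_partial_content = true;`. The `atoi_n` call for first_byte_pos at the preceding hunk ignores its return value, so `f` (and hence `offset`) may be stale on a malformed header and deserves the same treatment. How file_mgr reacts to DataIn beyond the declared size is not visible here, so the downstream effect is presumed rather than shown. SubmitHeader starts and ends outside this hunk.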


@ -57,7 +57,8 @@ protected:
ZIP_Analyzer* zip;
bool is_partial_content;
uint64_t offset;
int64_t content_size; // total size of content specified by content-range
int64_t instance_length; // total length indicated by content-range
bool send_size; // whether to send size indication to FAF
MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); }


@ -1068,6 +1068,8 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
vl->append(analyzer->BuildConnVal());
analyzer->ConnectionEvent(mime_end_entity, vl);
}
file_mgr->EndOfFile(analyzer->Conn());
}
void MIME_Mail::SubmitHeader(MIME_Header* h)


@ -6,7 +6,7 @@
using namespace file_analysis;
Hash::Hash(RecordVal* args, Info* info, HashVal* hv, const char* field)
: Action(args, info), hash(hv)
: Action(args, info), hash(hv), fed(false)
{
using BifType::Record::FileAnalysis::ActionResults;
if ( (result_field_idx = ActionResults->FieldOffset(field)) < 0 )
@ -23,6 +23,9 @@ bool Hash::DeliverStream(const u_char* data, uint64 len)
{
if ( ! hash->IsValid() ) return false;
if ( ! fed )
fed = len > 0;
hash->Feed(data, len);
return true;
}
@ -40,7 +43,7 @@ bool Hash::Undelivered(uint64 offset, uint64 len)
void Hash::Finalize()
{
if ( ! hash->IsValid() ) return;
if ( ! hash->IsValid() || ! fed ) return;
StringVal* sv = hash->Get();
info->GetResults(args)->Assign(result_field_idx, sv);
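Review bot: The new `fed` guard in Finalize means a file that delivered zero bytes gets no hash result at all, a deliberate choice that should be stated in a comment since the digest of empty input is itself a well-defined value consumers may expect; suggested comment above the check: `// No digest for a file that never delivered data: an absent result is distinguishable from the hash of empty input.` Also, `fed` is only set from DeliverStream, so if Undelivered (its body lies outside this hunk) leaves the hash valid, a file with a reported gap still publishes a digest over the bytes that did arrive; if that is intended, the same comment should say the result covers delivered bytes only. On style, `if ( ! fed ) fed = len > 0;` reads more directly as `fed = fed || len > 0;`.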


@ -31,6 +31,7 @@ protected:
void Finalize();
HashVal* hash;
bool fed;
int result_field_idx;
};


@ -97,7 +97,8 @@ Info::Info(const string& unique, Connection* conn)
reinterpret_cast<u_char*>(hash));
uitoa_n(hash[0], id, sizeof(id), 62);
DBG_LOG(DBG_FILE_ANALYSIS, "Creating new Info object %s", id);
DBG_LOG(DBG_FILE_ANALYSIS, "Creating new Info object %s (%s)", id,
unique.c_str());
val = new RecordVal(BifType::Record::FileAnalysis::Info);
val->Assign(file_id_idx, new StringVal(id));


@ -0,0 +1,20 @@
FileAnalysis::TRIGGER_NEW
XRXY932iwza, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
The Nationa
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_EOF
XRXY932iwza, 16557, 0
{
arKYeMETxOg
}
{
[orig_h=141.142.228.5, orig_p=50737/tcp, resp_h=141.142.192.162, resp_p=38141/tcp]
}
source: ftp-data
SHA1: 44586aed07cfe19cad25076af98f535585cd5797
MD5: 7192a8075196267203adb3dfaa5c908d
SHA256: 202674eba48e832690a4475113acf8b16a3f6c82c04c94b36bb2c7ce457ac8d2


@ -0,0 +1,425 @@
The National Center for Supercomputing Applications 1/28/92
Anonymous FTP Server General Information
This file contains information about the general structure, as well as
information on how to obtain files and documentation from the FTP server.
NCSA software and documentation can also be obtained through the the U.S.
Mail. Instructions are included for using this method as well.
Information about the Software Development Group and NCSA software can be
found in the /ncsapubs directory in a file called TechResCatalog.
THE UNIVERSITY OF ILLINOIS GIVES NO WARRANTY, EXPRESSED OR IMPLIED, FOR THE
SOFTWARE AND/OR DOCUMENTATION PROVIDED, INCLUDING, WITHOUT LIMITATION,
WARRANTY OF MERCHANTABILITY AND WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE.
_____________________________________________________________
FTP INSTRUCTIONS
Most NCSA Software is released into the public domain. That is, for these
programs, the public domain has all rights for future licensing, resale,
and publication of available packages. If you are connected to Internet
(NSFNET, ARPANET, MILNET, etc) you may download NCSA software and documentation and source code if it is available, at no charge from the anonymous file
transfer protocol (FTP) server at NCSA where you got this file. The procedure
you should follow to do so is presented below. If you have any questions
regarding this procedure or whether you are connected to Internet, consult your local system administration or network expert.
1. Log on to a host at your site that is connected to the Internet and is
running software supporting the FTP command.
2. Invoke FTP on most systems by entering the Internet address of the server.
Type the following at the shell (usually "%") prompt:
% ftp ftp.ncsa.uiuc.edu
3. Log in by entering anonymous for the name.
4. Enter your local email address (login@host) for the password.
5. Enter the following at the "ftp>" prompt to copy a text file from our
server to your local host:
ftp> get filename
where "filename" is the name of the file you want a copy of. For example,
to get a copy of this file from the server enter:
ftp> get README.FIRST
To get a copy of our software brochure, enter:
ftp> cd ncsapubs
get TechResCatalog
NOTE: Some of the filenames on the server are rather long to aid in
identification. Some operating systems may have problems with names
this long. To change the name the file will have on your local
machine type the following at the "ftp>" prompt ("remoteName" is the
name of the file on the server and "localName" is the name you want
the file to have on your local machine):
ftp> get remoteName localName
Example:
ftp> get TechResCatalog catalog.txt
6. For files that are not text files (almost everything else) you will need to
specify that you want to transfer binary files. Do this by typing the
following at the "ftp>" prompt:
ftp> type binary
You can now use the "get" command to download binary files. To switch back
to ASCII text transfers type:
ftp> type ascii
7. The "ls" and "cd" commands can be used at the "ftp>" prompt to list and
change directories as in the shell.
8. Enter "quit" or "bye" to exit FTP and return to your local host.
_____________________________________________________________
FTP SOFTWARE BY MAIL
To obtain an order form, send your request to the following address:
FTP Archive Tapes
c/o Debbie Shirley
152 Computing Applications Building
605 East Springfield Avenue
Champaign, IL 61820
or call:
Debbie at (217) 244-4130
_____________________________________________________________
VIRUS INFORMATION
The Software Development Group at NCSA is very virus-conscious. We routinely
check our machines for viruses and recommend that you do so also. For the
Macintoshes we use Disinfectant. You can obtain a copy of Disinfectant from
the /Mac/Utilities directory.
If you use Microsoft DOS or Windows you can find the latest virus scan from
the anonymous site oak.oakland.edu in the /SimTel/msdos/virus directory.
_____________________________________________________________
GENERAL INFORMATION
DIRECTORY STRUCTURE
The FTP server is organized as specified below:
/Mac Macintosh software
/PC IBM PC software
/Unix Software for machines running UNIX or equivalent OS
/Unix/SGI Software that primarily runs on Silicon Graphics
machines only
/Visualization Software tools for data visualization.
/Web World Wide Web tools, including Mosaic, httpd,
and html editors.
/HDF Hierarchical Data Format applications and tools
/Samples Samples that can be used with most of NCSA software
tools
/Documentation Currently being constructed, check each application's
directory for documentation
/ncsapubs Information produced by the Publications group,
including Metacenter announcements, data link & access,
a software listing, start-up guides, and other
reference documents.
/misc Miscellaneous documentation and software
/incoming directory for contributions
/outgoing swap directory
Information for a particular application can be found in the README file,
located in the same directory as the application. The README files contain
information on new features, known bugs, compile information, and other
important notes.
All directories on the FTP server contain an INDEX file. These files outline
the hierarchical structure of the directory and (recursively) all files and
directories contained within it. The INDEX at the root level contains the
structure of the enire server listing all files and directories on it. The
INDEX file in each software directory contains additional information about
each file. The letter in parenthesis after the file name indicates how the
file should be downloaded: ascii (a), binary (b), or mac binary (m).
The "misc" directories found in some software tool directories contain
supplementary code or other information. Refer to the README file in that
directory for a description of what is contained within the "misc" directory.
The "contrib" directories contain contributed software. This directory usually
contains NCSA source that has been modified by people outside of NCSA as well
as binaries compiled on different platforms not available to the Software
Development Group. If you have modified NCSA software or would like to share
some code please contact the developer of the source so arrangemnts can be
made to upload it to the "incoming" directory. If you are downloading
software from the "contrib" directory please note that this software is not
supported by NCSA and has not been checked for viruses (see statement on
viruses above). NCSA may not be held responsible for anything resulting from
use of the contributed software. *** RUN AT YOUR OWN RISK ***
FILE NAMES
All file names consist of the name of the tool, the version number, and one or
more extensions. The extensions identify what type of information is contained
in the file, and what format it is in. For example, here is a list of files in
the /Mac/DataScope directory:
DataScope2.0.1.asc.tar.Z
DataScope2.0.1.src.sit.hqx
DataScope2.0.1.smp.sit.hqx
DataScope2.0.1.mac.sit.hqx
DataScope2.0.1.msw.sit.hqx
The first three character extension indicates what type of data can be found in
that file (ASCII documentation, source, samples, etc.). The other extensions
indicate what format the files are in. The extensions ".tar" and ".sit"
indicate types of archives, and the ".Z" and ".hqx" indicate compression and
encoding schemes. (See below for instructions on extracting files that have
been archived and/or compressed.) Following are a list of extensions and their
meanings:
.sn3 Sun 3 executables
.sn4 Sun 4 executables
.386 Sun 386i executables
.sgi Silicon Graphics Iris executables
.dgl Silicon Graphics Iris using DGL executables
.rs6 IBM RS6000 executables
.cv2 Convex 2 executables
.cv3 Convex 3 executables
.cr2 Cray 2 executables
.crY CrayYMP executables
.d31 DEC 3100 executables
.m88 Motorola 88k executables
.m68 Motorola 68k executables
.exe IBM PC executables
.mac Macintosh executables
.src source code
.smp sample files
.asc ASCII text documentation
.msw Microsoft Word documentation
.ps postscript documentation
.man formatted man page
.shar Bourne shell archive
.sit archive created by Macintosh application, StuffIt
.hqx encoded with Macintosh application, BinHex
.sea Self extracting Macintosh archive
.tar archive created with UNIX tar command
.Z compressed with UNIX compress command
The files in the PC directory are the only exception to this naming convention.
In order to conform with the DOS convention of eight character file names and
one, three character extension, the names for PC files are slightly different.
Whenever possible the scheme outlined above is used, but the names are usually
abbreviated and all but one of the dots "." have been omitted.
_______________________________________________________________________________
EXTRACTING ARCHIVED FILES
INSTRUCTIONS FOR MACINTOSH FILES
If a file ends with the extension ".sit" it must be unstuffed with either the
shareware program StuffIt or the Public Domain program UnStuffIt. Files ending
with the ".hqx" must be decoded with BinHex. These programs can be found on
the FTP server in the /Mac/Utilities directory. Note that the BinHex program
must be downloaded with MacBinary enabled, and the StuffIt program must be
decoded before it can be used. Files downloaded from the server may be both
Stuffed (".sit" extension) and BinHexed (".hqx" extension). These files must
be first decoded and then unstuffed.
To decode a file with the ".hqx" extension (a BinHexed file):
1. Download the file to your Macintosh.
2. Start the application BinHex by double-clicking on it.
3. From the "File" menu in BinHex, choose "UpLoad -> Application".
4. Choose the ".hqx" file to be decoded and select "Open".
5. The suggested file name will appear in a dialog box.
6. Select "Save" to decode the file.
To uncompress a file with the ".sit" extension (a Stuffed file):
1. Download the file to your Macintosh.
2. Start the application Stuffit by double-clicking on it.
3. From the "File" menu in Stuffit, choose "Open Archive...".
4. Choose the ".sit" file to be unstuffed and select "Open". A window with
all the files contained in the stuffed file will appear.
5. Choose "Select All" in the "Edit" menu to select all of the files.
6. Click on the "Extract" box at the bottom of the window.
7. Select "Save All" in the dialog box to save all the selected files in
the current directory.
INSTRUCTIONS FOR PC FILES
Most IBM PC files are archived and compressed using the pkzip utility.
(If you do not have the pkzip utility on your PC, you may obtain it from the
FTP server by anonymous ftp. The file you need is called pkz110.exe and it
is located in /PC/Telnet/contributions. Set the ftp mode to binary and "get"
the file pkz110.exe. Then, on your PC, run PKZ110.EXE with no arguments and
several files will be self-extracted, including one called PKUNZIP.EXE. It
may then be convenient to copy PKUNZIP.EXE to the directory where you have
placed, or are going to place, your Telnet files.)
To extract these files, first download the file with the ".zip" extension to
your PC and then type the following at the DOS prompt:
> pkunzip -d filename.zip
where "filename" is the name of the file you want to unarchive.
INSTRUCTIONS FOR UNIX FILES
Most files on the FTP server will be both tarred and compressed. For more
information on the "tar" and "compress" commands you can type "man tar" and
"man compress" at your shell prompt to see the online manual page for these
commands, or ask your system administrator for help. You should first
uncompress and then unarchive files ending in ".tar.Z" with the following
procedure.
Files with the ".Z" extension have been compressed with the UNIX "compress"
command. To uncompress these files type the following at the shell prompt:
% uncompress filename.Z
where "filename.Z" is the name of the file ending with the ".Z" extension that
you wish to uncompress.
Files with the ".tar" extension have been archived with the UNIX "tar" command.
To extract the files type the following at the shell prompt:
% tar xf filename.tar
Some files are archived using a shell archive utility and are indicated as such
with the ".shar" extension. To extract the files type the following at the
shell prompt:
% sh filename.shar
_______________________________________________________________________________
DOCUMENTATION
NCSA offers users several documentation formats for its programs including
ASCII text, Microsoft Word, and postscript. If one of these formats does not
fit your needs, documentaion can be obtained through the mail at the following
address:
Documentation Orders
c/o Debbie Shirley
152 Computing Applications Building
605 East Springfield Avenue
Champaign, IL 61820
or call:
(217) 244-4130
Members of the Software Development Group within NCSA are currently working
on videotapes that demonstrate and also offer tutorials for NCSA programs. A
note will be posted here when these tapes are available for distribution.
ASCII FORMAT
ASCII text files are provided for all software and are indicated with the
".asc" extension. Helpful figures and diagrams obviously cannot be included
in this form of documentation. We suggest you use the other forms of
documentation if possible.
MICROSOFT WORD FORMAT
If you are a Macintosh user, please download documents with the ".msw"
extension. These files should also be stuffed and BinHexed (information on
extracting these files from the archive is contained earlier in this file).
The documents can be previewed and printed using the Microsoft Word
application. Word documents contain text, images, and formatting.
POSTSCRIPT FORMAT
If you are a UNIX user and/or have access to a postscript printer, please
download files with the ".pos" extension. The documents can be previewed using
a poscript previewer or can be printed directly to a poscript printer using a
command like "lpr".
_______________________________________________________________________________
BUG REPORTS AND SUPPORT
The Software Development Group at NCSA is very interested in how the software
tools developed here are being used. Please send any comments or suggestions
you may have to the appropriate address.
NOTE: This is a new kind of shareware. You share your science and
successes with us, and we can get more resources to share more
NCSA software with you.
If you want to see more NCSA software, please send us a letter,
email or US Mail, telling us what you are doing with our software.
We need to know:
(1) What science you are working on - an abstract of your
work would be fine.
(2) How NCSA software has helped you, for example, by increasing
your productivity or allowing you to do things you could
not do before.
We encourage you to cite the use of any NCSA software you have used in
your publications. A bibliography of your work would be extremely
helpful.
NCSA Telnet for the Macintosh: Please allow ***time*** for a response.
Bug reports, questions, suggestions may be sent to the addresses below.
mactelnet@ncsa.uiuc.edu (Internet)
NCSA Telnet for PCs: Please allow ***time*** for a response.
Bug reports, questions, suggestions may be sent to:
pctelnet@ncsa.uiuc.edu (Internet)
All other NCSA software:
Bug reports should be emailed to the adresses below. Be sure to check the
BUGS NOTES section of the README file before sending email.
Please allow ***time*** for a response.
bugs@ncsa.uiuc.edu (Internet)
Questions regarding NCSA developed software tools may be sent to the address
below. Please allow ***time*** for a response.
softdev@ncsa.uiuc.edu (Internet)
_______________________________________________________________________________
COPYRIGHTS AND TRADEMARKS
Apple
Motorola
Digital Equipment Corp.
Silicon Graphics Inc.
International Business Machines
Sun Microsystems
UNIX
StuffIt
Microsoft


@ -0,0 +1,159 @@
0.26 | 2012-08-24 15:10:04 -0700
* Fixing update-changes, which could pick the wrong control file. (Robin Sommer)
* Fixing GPG signing script. (Robin Sommer)
0.25 | 2012-08-01 13:55:46 -0500
* Fix configure script to exit with non-zero status on error (Jon Siwek)
0.24 | 2012-07-05 12:50:43 -0700
* Raise minimum required CMake version to 2.6.3 (Jon Siwek)
* Adding script to delete old fully-merged branches. (Robin Sommer)
0.23-2 | 2012-01-25 13:24:01 -0800
* Fix a bro-cut error message. (Daniel Thayer)
0.23 | 2012-01-11 12:16:11 -0800
* Tweaks to release scripts, plus a new one for signing files.
(Robin Sommer)
0.22 | 2012-01-10 16:45:19 -0800
* Tweaks for OpenBSD support. (Jon Siwek)
* bro-cut extensions and fixes. (Robin Sommer)
- If no field names are given on the command line, we now pass through
all fields. Adresses #657.
- Removing some GNUism from awk script. Addresses #653.
- Added option for time output in UTC. Addresses #668.
- Added output field separator option -F. Addresses #649.
- Fixing option -c: only some header lines were passed through
rather than all. (Robin Sommer)
* Fix parallel make portability. (Jon Siwek)
0.21-9 | 2011-11-07 05:44:14 -0800
* Fixing compiler warnings. Addresses #388. (Jon Siwek)
0.21-2 | 2011-11-02 18:12:13 -0700
* Fix for misnaming temp file in update-changes script. (Robin Sommer)
0.21-1 | 2011-11-02 18:10:39 -0700
* Little fix for make-release script, which could pick out the wrong
tag. (Robin Sommer)
0.21 | 2011-10-27 17:40:45 -0700
* Fixing bro-cut's usage message and argument error handling. (Robin Sommer)
* Bugfix in update-changes script. (Robin Sommer)
* update-changes now ignores commits it did itself. (Robin Sommer)
* Fix a bug in the update-changes script. (Robin Sommer)
* bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)
* Options to adjust time format for bro-cut. (Robin Sommer)
The default with -d is now ISO format. The new option "-D <fmt>"
specifies a custom strftime()-style format string. Alternatively,
the environment variable BRO_CUT_TIMEFMT can set the format as
well.
* bro-cut now understands the field separator header. (Robin Sommer)
* Renaming options -h/-H -> -c/-C, and doing some general cleanup.
0.2 | 2011-10-25 19:53:57 -0700
* Adding support for replacing version string in a setup.py. (Robin
Sommer)
* Change generated root cert DN indices format for RFC2253
compliance. (Jon Siwek)
* New tool devel-tools/check-release to run before making releases.
(Robin Sommer)
* devel-tools/update-changes gets a new option -a to amend to
previous commit if possible. Default is now not to (used to be the
opposite). (Robin Sommer)
* Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)
* Change distclean to only remove build dir. (Jon Siwek)
* Make dist now cleans the copied source (Jon Siwek)
* Small tweak to make-release for forced git-clean. (Jon Siwek)
* Fix to not let updates scripts loose their executable permissions.
(Robin Sommer)
* devel-tools/update-changes now looks for a 'release' tag to
idenfify the stable version, and 'beta' for the beta versions.
(Robin Sommer).
* Distribution cleanup. (Robin Sommer)
* New script devel-tools/make-release to create source tar balls.
(Robin Sommer)
* Removing bdcat. With the new log format, this isn't very useful
anymore. (Robin Sommer)
* Adding script that shows all pending git fastpath commits. (Robin
Sommer)
* Script to measure CPU time by loading an increasing set of
scripts. (Robin Sommer)
* extract-conn script now deals wit *.gz files. (Robin Sommer)
* Tiny update to output a valid CA list file for SSL cert
validation. (Seth Hall)
* Adding "install-aux" target. Addresses #622. (Jon Siwek)
* Distribution cleanup. (Jon Siwek and Robin Sommer)
* FindPCAP now links against thread library when necessary (e.g.
PF_RING's libpcap) (Jon Siwek)
* Install binaries with an RPATH (Jon Siwek)
* Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)
* Rewrite of the update-changes script. (Robin Sommer)
0.1-1 | 2011-06-14 21:12:41 -0700
* Add a script for generating Mozilla's CA list for the SSL analyzer.
(Seth Hall)
0.1 | 2011-04-01 16:28:22 -0700
* Converting build process to CMake. (Jon Siwek)
* Removing cf/hf/ca-* from distribution. The README has a note where
to find them now. (Robin Sommer)
* General cleanup. (Robin Sommer)
* Initial import of bro/aux from SVN r7088. (Jon Siwek)


@ -0,0 +1,11 @@
{
"origin": "10.224.189.238",
"headers": {
"Host": "httpbin.org",
"Connection": "close",
"Accept": "*/*",
"User-Agent": "curl/7.29.0"
},
"gzipped": true,
"method": "GET"
}


@ -0,0 +1,20 @@
FileAnalysis::TRIGGER_NEW
LMA6EHLacYc, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
{^J "origin
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_EOF
LMA6EHLacYc, 197, 0
{
UWkUyAuUGXf
}
{
[orig_h=141.142.228.5, orig_p=50153/tcp, resp_h=54.243.118.187, resp_p=80/tcp]
}
source: HTTP
SHA1: e351b8c693c3353716787c02e2923f4d12ebbb31
MD5: 5baba7eea57bc8a42a92c817ed566d72
SHA256: 202b775be087f5af98e95120e42769a9b3488f84c5aa79c4f4c1093d348f849c


@ -0,0 +1,21 @@
FileAnalysis::TRIGGER_NEW
KPVibShQgUc, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
^J0.26 | 201
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_DONE
KPVibShQgUc, 4705, 0
{
UWkUyAuUGXf
}
{
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
}
total bytes: 4705
source: HTTP
SHA1: 1dd7ac0398df6cbc0696445a91ec681facf4dc47
MD5: 397168fd09991a0e712254df7bc639ac
SHA256: 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18


@ -0,0 +1,14 @@
FileAnalysis::TRIGGER_NEW
uj9AtyGOiZ8, 0, 0
FileAnalysis::TRIGGER_DONE
uj9AtyGOiZ8, 555523, 0
{
UWkUyAuUGXf,
arKYeMETxOg
}
{
[orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp],
[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp]
}
total bytes: 555523
source: HTTP


@ -0,0 +1 @@
555523 uj9AtyGOiZ8-file0


@ -0,0 +1,25 @@
FileAnalysis::TRIGGER_NEW
ns7As4DOZcj, 0, 0
FileAnalysis::TRIGGER_DONE
ns7As4DOZcj, 1022920, 0
{
UWkUyAuUGXf
}
{
[orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
}
total bytes: 1022920
source: HTTP
FileAnalysis::TRIGGER_NEW
ns7As4DOZcj, 0, 0
FileAnalysis::TRIGGER_TIMEOUT
FileAnalysis::TRIGGER_EOF
ns7As4DOZcj, 206024, 0
{
arKYeMETxOg
}
{
[orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
}
total bytes: 1022920
source: HTTP


@ -0,0 +1 @@
1022920 ns7As4DOZcj-file0


@ -0,0 +1,14 @@
FileAnalysis::TRIGGER_NEW
MHMkq2nFxej, 0, 0
FileAnalysis::TRIGGER_DONE
MHMkq2nFxej, 498702, 0
{
UWkUyAuUGXf,
arKYeMETxOg
}
{
[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp],
[orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
}
total bytes: 498668
source: HTTP


@ -0,0 +1 @@
498668 MHMkq2nFxej-file0



@ -0,0 +1,636 @@
//-- Google Analytics Urchin Module
//-- Copyright 2007 Google, All Rights Reserved.
//-- Urchin On Demand Settings ONLY
var _uacct=""; // set up the Urchin Account
var _userv=0; // service mode (0=local,1=remote,2=both)
//-- UTM User Settings
var _ufsc=1; // set client info flag (1=on|0=off)
var _udn="auto"; // (auto|none|domain) set the domain name for cookies
var _uhash="on"; // (on|off) unique domain hash for cookies
var _utimeout="1800"; // set the inactive session timeout in seconds
var _ugifpath="/images/__utm.gif"; // set the web path to the __utm.gif file
var _utsp="|"; // transaction field separator
var _uflash=1; // set flash version detect option (1=on|0=off)
var _utitle=1; // set the document title detect option (1=on|0=off)
var _ulink=0; // enable linker functionality (1=on|0=off)
var _uanchor=0; // enable use of anchors for campaign (1=on|0=off)
var _utcp="/"; // the cookie path for tracking
var _usample=100; // The sampling % of visitors to track (1-100).
//-- UTM Campaign Tracking Settings
var _uctm=1; // set campaign tracking module (1=on|0=off)
var _ucto="15768000"; // set timeout in seconds (6 month default)
var _uccn="utm_campaign"; // name
var _ucmd="utm_medium"; // medium (cpc|cpm|link|email|organic)
var _ucsr="utm_source"; // source
var _uctr="utm_term"; // term/keyword
var _ucct="utm_content"; // content
var _ucid="utm_id"; // id number
var _ucno="utm_nooverride"; // don't override
//-- Auto/Organic Sources and Keywords
var _uOsr=new Array();
var _uOkw=new Array();
_uOsr[0]="google"; _uOkw[0]="q";
_uOsr[1]="yahoo"; _uOkw[1]="p";
_uOsr[2]="msn"; _uOkw[2]="q";
_uOsr[3]="aol"; _uOkw[3]="query";
_uOsr[4]="aol"; _uOkw[4]="encquery";
_uOsr[5]="lycos"; _uOkw[5]="query";
_uOsr[6]="ask"; _uOkw[6]="q";
_uOsr[7]="altavista"; _uOkw[7]="q";
_uOsr[8]="netscape"; _uOkw[8]="query";
_uOsr[9]="cnn"; _uOkw[9]="query";
_uOsr[10]="looksmart"; _uOkw[10]="qt";
_uOsr[11]="about"; _uOkw[11]="terms";
_uOsr[12]="mamma"; _uOkw[12]="query";
_uOsr[13]="alltheweb"; _uOkw[13]="q";
_uOsr[14]="gigablast"; _uOkw[14]="q";
_uOsr[15]="voila"; _uOkw[15]="rdata";
_uOsr[16]="virgilio"; _uOkw[16]="qs";
_uOsr[17]="live"; _uOkw[17]="q";
_uOsr[18]="baidu"; _uOkw[18]="wd";
_uOsr[19]="alice"; _uOkw[19]="qs";
_uOsr[20]="yandex"; _uOkw[20]="text";
_uOsr[21]="najdi"; _uOkw[21]="q";
_uOsr[22]="aol"; _uOkw[22]="q";
_uOsr[23]="club-internet"; _uOkw[23]="q";
_uOsr[24]="mama"; _uOkw[24]="query";
_uOsr[25]="seznam"; _uOkw[25]="q";
_uOsr[26]="search"; _uOkw[26]="q";
_uOsr[27]="szukaj"; _uOkw[27]="szukaj";
_uOsr[28]="szukaj"; _uOkw[28]="qt";
_uOsr[29]="netsprint"; _uOkw[29]="q";
_uOsr[30]="google.interia"; _uOkw[30]="q";
_uOsr[31]="szukacz"; _uOkw[31]="q";
_uOsr[32]="yam"; _uOkw[32]="k";
_uOsr[33]="pchome"; _uOkw[33]="q";
//-- Auto/Organic Keywords to Ignore
var _uOno=new Array();
//_uOno[0]="urchin";
//_uOno[1]="urchin.com";
//_uOno[2]="www.urchin.com";
//-- Referral domains to Ignore
var _uRno=new Array();
//_uRno[0]=".urchin.com";
//-- **** Don't modify below this point ***
var _uff,_udh,_udt,_ubl=0,_udo="",_uu,_ufns=0,_uns=0,_ur="-",_ufno=0,_ust=0,_ubd=document,_udl=_ubd.location,_udlh="",_uwv="1";
var _ugifpath2="http://www.google-analytics.com/__utm.gif";
if (_udl.hash) _udlh=_udl.href.substring(_udl.href.indexOf('#'));
if (_udl.protocol=="https:") _ugifpath2="https://ssl.google-analytics.com/__utm.gif";
if (!_utcp || _utcp=="") _utcp="/";
function urchinTracker(page) {
if (_udl.protocol=="file:") return;
if (_uff && (!page || page=="")) return;
var a,b,c,xx,v,z,k,x="",s="",f=0;
var nx=" expires="+_uNx()+";";
var dc=_ubd.cookie;
_udh=_uDomain();
if (!_uVG()) return;
_uu=Math.round(Math.random()*2147483647);
_udt=new Date();
_ust=Math.round(_udt.getTime()/1000);
a=dc.indexOf("__utma="+_udh);
b=dc.indexOf("__utmb="+_udh);
c=dc.indexOf("__utmc="+_udh);
if (_udn && _udn!="") { _udo=" domain="+_udn+";"; }
if (_utimeout && _utimeout!="") {
x=new Date(_udt.getTime()+(_utimeout*1000));
x=" expires="+x.toGMTString()+";";
}
if (_ulink) {
if (_uanchor && _udlh && _udlh!="") s=_udlh+"&";
s+=_udl.search;
if(s && s!="" && s.indexOf("__utma=")>=0) {
if (!(_uIN(a=_uGC(s,"__utma=","&")))) a="-";
if (!(_uIN(b=_uGC(s,"__utmb=","&")))) b="-";
if (!(_uIN(c=_uGC(s,"__utmc=","&")))) c="-";
v=_uGC(s,"__utmv=","&");
z=_uGC(s,"__utmz=","&");
k=_uGC(s,"__utmk=","&");
xx=_uGC(s,"__utmx=","&");
if ((k*1) != ((_uHash(a+b+c+xx+z+v)*1)+(_udh*1))) {_ubl=1;a="-";b="-";c="-";xx="-";z="-";v="-";}
if (a!="-" && b!="-" && c!="-") f=1;
else if(a!="-") f=2;
}
}
if(f==1) {
_ubd.cookie="__utma="+a+"; path="+_utcp+";"+nx+_udo;
_ubd.cookie="__utmb="+b+"; path="+_utcp+";"+x+_udo;
_ubd.cookie="__utmc="+c+"; path="+_utcp+";"+_udo;
} else if (f==2) {
a=_uFixA(s,"&",_ust);
_ubd.cookie="__utma="+a+"; path="+_utcp+";"+nx+_udo;
_ubd.cookie="__utmb="+_udh+"; path="+_utcp+";"+x+_udo;
_ubd.cookie="__utmc="+_udh+"; path="+_utcp+";"+_udo;
_ufns=1;
} else if (a>=0 && b>=0 && c>=0) {
_ubd.cookie="__utmb="+_udh+"; path="+_utcp+";"+x+_udo;
} else {
if (a>=0) a=_uFixA(_ubd.cookie,";",_ust);
else a=_udh+"."+_uu+"."+_ust+"."+_ust+"."+_ust+".1";
_ubd.cookie="__utma="+a+"; path="+_utcp+";"+nx+_udo;
_ubd.cookie="__utmb="+_udh+"; path="+_utcp+";"+x+_udo;
_ubd.cookie="__utmc="+_udh+"; path="+_utcp+";"+_udo;
_ufns=1;
}
if (_ulink && xx && xx!="" && xx!="-") {
xx=_uUES(xx);
if (xx.indexOf(";")==-1) _ubd.cookie="__utmx="+xx+"; path="+_utcp+";"+nx+_udo;
}
if (_ulink && v && v!="" && v!="-") {
v=_uUES(v);
if (v.indexOf(";")==-1) _ubd.cookie="__utmv="+v+"; path="+_utcp+";"+nx+_udo;
}
_uInfo(page);
_ufns=0;
_ufno=0;
if (!page || page=="") _uff=1;
}
function _uInfo(page) {
var p,s="",dm="",pg=_udl.pathname+_udl.search;
if (page && page!="") pg=_uES(page,1);
_ur=_ubd.referrer;
if (!_ur || _ur=="") { _ur="-"; }
else {
dm=_ubd.domain;
if(_utcp && _utcp!="/") dm+=_utcp;
p=_ur.indexOf(dm);
if ((p>=0) && (p<=8)) { _ur="0"; }
if (_ur.indexOf("[")==0 && _ur.lastIndexOf("]")==(_ur.length-1)) { _ur="-"; }
}
s+="&utmn="+_uu;
if (_ufsc) s+=_uBInfo();
if (_uctm) s+=_uCInfo();
if (_utitle && _ubd.title && _ubd.title!="") s+="&utmdt="+_uES(_ubd.title);
if (_udl.hostname && _udl.hostname!="") s+="&utmhn="+_uES(_udl.hostname);
s+="&utmr="+_ur;
s+="&utmp="+pg;
if ((_userv==0 || _userv==2) && _uSP()) {
var i=new Image(1,1);
i.src=_ugifpath+"?"+"utmwv="+_uwv+s;
i.onload=function() {_uVoid();}
}
if ((_userv==1 || _userv==2) && _uSP()) {
var i2=new Image(1,1);
i2.src=_ugifpath2+"?"+"utmwv="+_uwv+s+"&utmac="+_uacct+"&utmcc="+_uGCS();
i2.onload=function() { _uVoid(); }
}
return;
}
function _uVoid() { return; }
function _uCInfo() {
if (!_ucto || _ucto=="") { _ucto="15768000"; }
if (!_uVG()) return;
var c="",t="-",t2="-",t3="-",o=0,cs=0,cn=0,i=0,z="-",s="";
if (_uanchor && _udlh && _udlh!="") s=_udlh+"&";
s+=_udl.search;
var x=new Date(_udt.getTime()+(_ucto*1000));
var dc=_ubd.cookie;
x=" expires="+x.toGMTString()+";";
if (_ulink && !_ubl) {
z=_uUES(_uGC(s,"__utmz=","&"));
if (z!="-" && z.indexOf(";")==-1) { _ubd.cookie="__utmz="+z+"; path="+_utcp+";"+x+_udo; return ""; }
}
z=dc.indexOf("__utmz="+_udh);
if (z>-1) { z=_uGC(dc,"__utmz="+_udh,";"); }
else { z="-"; }
t=_uGC(s,_ucid+"=","&");
t2=_uGC(s,_ucsr+"=","&");
t3=_uGC(s,"gclid=","&");
if ((t!="-" && t!="") || (t2!="-" && t2!="") || (t3!="-" && t3!="")) {
if (t!="-" && t!="") c+="utmcid="+_uEC(t);
if (t2!="-" && t2!="") { if (c != "") c+="|"; c+="utmcsr="+_uEC(t2); }
if (t3!="-" && t3!="") { if (c != "") c+="|"; c+="utmgclid="+_uEC(t3); }
t=_uGC(s,_uccn+"=","&");
if (t!="-" && t!="") c+="|utmccn="+_uEC(t);
else c+="|utmccn=(not+set)";
t=_uGC(s,_ucmd+"=","&");
if (t!="-" && t!="") c+="|utmcmd="+_uEC(t);
else c+="|utmcmd=(not+set)";
t=_uGC(s,_uctr+"=","&");
if (t!="-" && t!="") c+="|utmctr="+_uEC(t);
else { t=_uOrg(1); if (t!="-" && t!="") c+="|utmctr="+_uEC(t); }
t=_uGC(s,_ucct+"=","&");
if (t!="-" && t!="") c+="|utmcct="+_uEC(t);
t=_uGC(s,_ucno+"=","&");
if (t=="1") o=1;
if (z!="-" && o==1) return "";
}
if (c=="-" || c=="") { c=_uOrg(); if (z!="-" && _ufno==1) return ""; }
if (c=="-" || c=="") { if (_ufns==1) c=_uRef(); if (z!="-" && _ufno==1) return ""; }
if (c=="-" || c=="") {
if (z=="-" && _ufns==1) { c="utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)"; }
if (c=="-" || c=="") return "";
}
if (z!="-") {
i=z.indexOf(".");
if (i>-1) i=z.indexOf(".",i+1);
if (i>-1) i=z.indexOf(".",i+1);
if (i>-1) i=z.indexOf(".",i+1);
t=z.substring(i+1,z.length);
if (t.toLowerCase()==c.toLowerCase()) cs=1;
t=z.substring(0,i);
if ((i=t.lastIndexOf(".")) > -1) {
t=t.substring(i+1,t.length);
cn=(t*1);
}
}
if (cs==0 || _ufns==1) {
t=_uGC(dc,"__utma="+_udh,";");
if ((i=t.lastIndexOf(".")) > 9) {
_uns=t.substring(i+1,t.length);
_uns=(_uns*1);
}
cn++;
if (_uns==0) _uns=1;
_ubd.cookie="__utmz="+_udh+"."+_ust+"."+_uns+"."+cn+"."+c+"; path="+_utcp+"; "+x+_udo;
}
if (cs==0 || _ufns==1) return "&utmcn=1";
else return "&utmcr=1";
}
function _uRef() {
if (_ur=="0" || _ur=="" || _ur=="-") return "";
var i=0,h,k,n;
if ((i=_ur.indexOf("://"))<0) return "";
h=_ur.substring(i+3,_ur.length);
if (h.indexOf("/") > -1) {
k=h.substring(h.indexOf("/"),h.length);
if (k.indexOf("?") > -1) k=k.substring(0,k.indexOf("?"));
h=h.substring(0,h.indexOf("/"));
}
h=h.toLowerCase();
n=h;
if ((i=n.indexOf(":")) > -1) n=n.substring(0,i);
for (var ii=0;ii<_uRno.length;ii++) {
if ((i=n.indexOf(_uRno[ii].toLowerCase())) > -1 && n.length==(i+_uRno[ii].length)) { _ufno=1; break; }
}
if (h.indexOf("www.")==0) h=h.substring(4,h.length);
return "utmccn=(referral)|utmcsr="+_uEC(h)+"|"+"utmcct="+_uEC(k)+"|utmcmd=referral";
}
function _uOrg(t) {
if (_ur=="0" || _ur=="" || _ur=="-") return "";
var i=0,h,k;
if ((i=_ur.indexOf("://")) < 0) return "";
h=_ur.substring(i+3,_ur.length);
if (h.indexOf("/") > -1) {
h=h.substring(0,h.indexOf("/"));
}
for (var ii=0;ii<_uOsr.length;ii++) {
if (h.toLowerCase().indexOf(_uOsr[ii].toLowerCase()) > -1) {
if ((i=_ur.indexOf("?"+_uOkw[ii]+"=")) > -1 || (i=_ur.indexOf("&"+_uOkw[ii]+"=")) > -1) {
k=_ur.substring(i+_uOkw[ii].length+2,_ur.length);
if ((i=k.indexOf("&")) > -1) k=k.substring(0,i);
for (var yy=0;yy<_uOno.length;yy++) {
if (_uOno[yy].toLowerCase()==k.toLowerCase()) { _ufno=1; break; }
}
if (t) return _uEC(k);
else return "utmccn=(organic)|utmcsr="+_uEC(_uOsr[ii])+"|"+"utmctr="+_uEC(k)+"|utmcmd=organic";
}
}
}
return "";
}
function _uBInfo() {
var sr="-",sc="-",ul="-",fl="-",cs="-",je=1;
var n=navigator;
if (self.screen) {
sr=screen.width+"x"+screen.height;
sc=screen.colorDepth+"-bit";
} else if (self.java) {
var j=java.awt.Toolkit.getDefaultToolkit();
var s=j.getScreenSize();
sr=s.width+"x"+s.height;
}
if (n.language) { ul=n.language.toLowerCase(); }
else if (n.browserLanguage) { ul=n.browserLanguage.toLowerCase(); }
je=n.javaEnabled()?1:0;
if (_uflash) fl=_uFlash();
if (_ubd.characterSet) cs=_uES(_ubd.characterSet);
else if (_ubd.charset) cs=_uES(_ubd.charset);
return "&utmcs="+cs+"&utmsr="+sr+"&utmsc="+sc+"&utmul="+ul+"&utmje="+je+"&utmfl="+fl;
}
function __utmSetTrans() {
var e;
if (_ubd.getElementById) e=_ubd.getElementById("utmtrans");
else if (_ubd.utmform && _ubd.utmform.utmtrans) e=_ubd.utmform.utmtrans;
if (!e) return;
var l=e.value.split("UTM:");
var i,i2,c;
if (_userv==0 || _userv==2) i=new Array();
if (_userv==1 || _userv==2) { i2=new Array(); c=_uGCS(); }
for (var ii=0;ii<l.length;ii++) {
l[ii]=_uTrim(l[ii]);
if (l[ii].charAt(0)!='T' && l[ii].charAt(0)!='I') continue;
var r=Math.round(Math.random()*2147483647);
if (!_utsp || _utsp=="") _utsp="|";
var f=l[ii].split(_utsp),s="";
if (f[0].charAt(0)=='T') {
s="&utmt=tran"+"&utmn="+r;
f[1]=_uTrim(f[1]); if(f[1]&&f[1]!="") s+="&utmtid="+_uES(f[1]);
f[2]=_uTrim(f[2]); if(f[2]&&f[2]!="") s+="&utmtst="+_uES(f[2]);
f[3]=_uTrim(f[3]); if(f[3]&&f[3]!="") s+="&utmtto="+_uES(f[3]);
f[4]=_uTrim(f[4]); if(f[4]&&f[4]!="") s+="&utmttx="+_uES(f[4]);
f[5]=_uTrim(f[5]); if(f[5]&&f[5]!="") s+="&utmtsp="+_uES(f[5]);
f[6]=_uTrim(f[6]); if(f[6]&&f[6]!="") s+="&utmtci="+_uES(f[6]);
f[7]=_uTrim(f[7]); if(f[7]&&f[7]!="") s+="&utmtrg="+_uES(f[7]);
f[8]=_uTrim(f[8]); if(f[8]&&f[8]!="") s+="&utmtco="+_uES(f[8]);
} else {
s="&utmt=item"+"&utmn="+r;
f[1]=_uTrim(f[1]); if(f[1]&&f[1]!="") s+="&utmtid="+_uES(f[1]);
f[2]=_uTrim(f[2]); if(f[2]&&f[2]!="") s+="&utmipc="+_uES(f[2]);
f[3]=_uTrim(f[3]); if(f[3]&&f[3]!="") s+="&utmipn="+_uES(f[3]);
f[4]=_uTrim(f[4]); if(f[4]&&f[4]!="") s+="&utmiva="+_uES(f[4]);
f[5]=_uTrim(f[5]); if(f[5]&&f[5]!="") s+="&utmipr="+_uES(f[5]);
f[6]=_uTrim(f[6]); if(f[6]&&f[6]!="") s+="&utmiqt="+_uES(f[6]);
}
if ((_userv==0 || _userv==2) && _uSP()) {
i[ii]=new Image(1,1);
i[ii].src=_ugifpath+"?"+"utmwv="+_uwv+s;
i[ii].onload=function() { _uVoid(); }
}
if ((_userv==1 || _userv==2) && _uSP()) {
i2[ii]=new Image(1,1);
i2[ii].src=_ugifpath2+"?"+"utmwv="+_uwv+s+"&utmac="+_uacct+"&utmcc="+c;
i2[ii].onload=function() { _uVoid(); }
}
}
return;
}
function _uFlash() {
var f="-",n=navigator;
if (n.plugins && n.plugins.length) {
for (var ii=0;ii<n.plugins.length;ii++) {
if (n.plugins[ii].name.indexOf('Shockwave Flash')!=-1) {
f=n.plugins[ii].description.split('Shockwave Flash ')[1];
break;
}
}
} else if (window.ActiveXObject) {
for (var ii=10;ii>=2;ii--) {
try {
var fl=eval("new ActiveXObject('ShockwaveFlash.ShockwaveFlash."+ii+"');");
if (fl) { f=ii + '.0'; break; }
}
catch(e) {}
}
}
return f;
}
function __utmLinker(l,h) {
if (!_ulink) return;
var p,k,a="-",b="-",c="-",x="-",z="-",v="-";
var dc=_ubd.cookie;
if (!l || l=="") return;
var iq = l.indexOf("?");
var ih = l.indexOf("#");
if (dc) {
a=_uES(_uGC(dc,"__utma="+_udh,";"));
b=_uES(_uGC(dc,"__utmb="+_udh,";"));
c=_uES(_uGC(dc,"__utmc="+_udh,";"));
x=_uES(_uGC(dc,"__utmx="+_udh,";"));
z=_uES(_uGC(dc,"__utmz="+_udh,";"));
v=_uES(_uGC(dc,"__utmv="+_udh,";"));
k=(_uHash(a+b+c+x+z+v)*1)+(_udh*1);
p="__utma="+a+"&__utmb="+b+"&__utmc="+c+"&__utmx="+x+"&__utmz="+z+"&__utmv="+v+"&__utmk="+k;
}
if (p) {
if (h && ih>-1) return;
if (h) { _udl.href=l+"#"+p; }
else {
if (iq==-1 && ih==-1) _udl.href=l+"?"+p;
else if (ih==-1) _udl.href=l+"&"+p;
else if (iq==-1) _udl.href=l.substring(0,ih-1)+"?"+p+l.substring(ih);
else _udl.href=l.substring(0,ih-1)+"&"+p+l.substring(ih);
}
} else { _udl.href=l; }
}
function __utmLinkPost(f,h) {
if (!_ulink) return;
var p,k,a="-",b="-",c="-",x="-",z="-",v="-";
var dc=_ubd.cookie;
if (!f || !f.action) return;
var iq = f.action.indexOf("?");
var ih = f.action.indexOf("#");
if (dc) {
a=_uES(_uGC(dc,"__utma="+_udh,";"));
b=_uES(_uGC(dc,"__utmb="+_udh,";"));
c=_uES(_uGC(dc,"__utmc="+_udh,";"));
x=_uES(_uGC(dc,"__utmx="+_udh,";"));
z=_uES(_uGC(dc,"__utmz="+_udh,";"));
v=_uES(_uGC(dc,"__utmv="+_udh,";"));
k=(_uHash(a+b+c+x+z+v)*1)+(_udh*1);
p="__utma="+a+"&__utmb="+b+"&__utmc="+c+"&__utmx="+x+"&__utmz="+z+"&__utmv="+v+"&__utmk="+k;
}
if (p) {
if (h && ih>-1) return;
if (h) { f.action+="#"+p; }
else {
if (iq==-1 && ih==-1) f.action+="?"+p;
else if (ih==-1) f.action+="&"+p;
else if (iq==-1) f.action=f.action.substring(0,ih-1)+"?"+p+f.action.substring(ih);
else f.action=f.action.substring(0,ih-1)+"&"+p+f.action.substring(ih);
}
}
return;
}
function __utmSetVar(v) {
if (!v || v=="") return;
if (!_udo || _udo == "") {
_udh=_uDomain();
if (_udn && _udn!="") { _udo=" domain="+_udn+";"; }
}
if (!_uVG()) return;
var r=Math.round(Math.random() * 2147483647);
_ubd.cookie="__utmv="+_udh+"."+_uES(v)+"; path="+_utcp+"; expires="+_uNx()+";"+_udo;
var s="&utmt=var&utmn="+r;
if ((_userv==0 || _userv==2) && _uSP()) {
var i=new Image(1,1);
i.src=_ugifpath+"?"+"utmwv="+_uwv+s;
i.onload=function() { _uVoid(); }
}
if ((_userv==1 || _userv==2) && _uSP()) {
var i2=new Image(1,1);
i2.src=_ugifpath2+"?"+"utmwv="+_uwv+s+"&utmac="+_uacct+"&utmcc="+_uGCS();
i2.onload=function() { _uVoid(); }
}
}
function _uGCS() {
var t,c="",dc=_ubd.cookie;
if ((t=_uGC(dc,"__utma="+_udh,";"))!="-") c+=_uES("__utma="+t+";+");
if ((t=_uGC(dc,"__utmb="+_udh,";"))!="-") c+=_uES("__utmb="+t+";+");
if ((t=_uGC(dc,"__utmc="+_udh,";"))!="-") c+=_uES("__utmc="+t+";+");
if ((t=_uGC(dc,"__utmx="+_udh,";"))!="-") c+=_uES("__utmx="+t+";+");
if ((t=_uGC(dc,"__utmz="+_udh,";"))!="-") c+=_uES("__utmz="+t+";+");
if ((t=_uGC(dc,"__utmv="+_udh,";"))!="-") c+=_uES("__utmv="+t+";");
if (c.charAt(c.length-1)=="+") c=c.substring(0,c.length-1);
return c;
}
function _uGC(l,n,s) {
if (!l || l=="" || !n || n=="" || !s || s=="") return "-";
var i,i2,i3,c="-";
i=l.indexOf(n);
i3=n.indexOf("=")+1;
if (i > -1) {
i2=l.indexOf(s,i); if (i2 < 0) { i2=l.length; }
c=l.substring((i+i3),i2);
}
return c;
}
function _uDomain() {
if (!_udn || _udn=="" || _udn=="none") { _udn=""; return 1; }
if (_udn=="auto") {
var d=_ubd.domain;
if (d.substring(0,4)=="www.") {
d=d.substring(4,d.length);
}
_udn=d;
}
_udn = _udn.toLowerCase();
if (_uhash=="off") return 1;
return _uHash(_udn);
}
function _uHash(d) {
if (!d || d=="") return 1;
var h=0,g=0;
for (var i=d.length-1;i>=0;i--) {
var c=parseInt(d.charCodeAt(i));
h=((h << 6) & 0xfffffff) + c + (c << 14);
if ((g=h & 0xfe00000)!=0) h=(h ^ (g >> 21));
}
return h;
}
function _uFixA(c,s,t) {
if (!c || c=="" || !s || s=="" || !t || t=="") return "-";
var a=_uGC(c,"__utma="+_udh,s);
var lt=0,i=0;
if ((i=a.lastIndexOf(".")) > 9) {
_uns=a.substring(i+1,a.length);
_uns=(_uns*1)+1;
a=a.substring(0,i);
if ((i=a.lastIndexOf(".")) > 7) {
lt=a.substring(i+1,a.length);
a=a.substring(0,i);
}
if ((i=a.lastIndexOf(".")) > 5) {
a=a.substring(0,i);
}
a+="."+lt+"."+t+"."+_uns;
}
return a;
}
function _uTrim(s) {
if (!s || s=="") return "";
while ((s.charAt(0)==' ') || (s.charAt(0)=='\n') || (s.charAt(0,1)=='\r')) s=s.substring(1,s.length);
while ((s.charAt(s.length-1)==' ') || (s.charAt(s.length-1)=='\n') || (s.charAt(s.length-1)=='\r')) s=s.substring(0,s.length-1);
return s;
}
function _uEC(s) {
var n="";
if (!s || s=="") return "";
for (var i=0;i<s.length;i++) {if (s.charAt(i)==" ") n+="+"; else n+=s.charAt(i);}
return n;
}
function __utmVisitorCode(f) {
var r=0,t=0,i=0,i2=0,m=31;
var a=_uGC(_ubd.cookie,"__utma="+_udh,";");
if ((i=a.indexOf(".",0))<0) return;
if ((i2=a.indexOf(".",i+1))>0) r=a.substring(i+1,i2); else return "";
if ((i=a.indexOf(".",i2+1))>0) t=a.substring(i2+1,i); else return "";
if (f) {
return r;
} else {
var c=new Array('A','B','C','D','E','F','G','H','J','K','L','M','N','P','R','S','T','U','V','W','X','Y','Z','1','2','3','4','5','6','7','8','9');
return c[r>>28&m]+c[r>>23&m]+c[r>>18&m]+c[r>>13&m]+"-"+c[r>>8&m]+c[r>>3&m]+c[((r&7)<<2)+(t>>30&3)]+c[t>>25&m]+c[t>>20&m]+"-"+c[t>>15&m]+c[t>>10&m]+c[t>>5&m]+c[t&m];
}
}
function _uIN(n) {
if (!n) return false;
for (var i=0;i<n.length;i++) {
var c=n.charAt(i);
if ((c<"0" || c>"9") && (c!=".")) return false;
}
return true;
}
function _uES(s,u) {
if (typeof(encodeURIComponent) == 'function') {
if (u) return encodeURI(s);
else return encodeURIComponent(s);
} else {
return escape(s);
}
}
function _uUES(s) {
if (typeof(decodeURIComponent) == 'function') {
return decodeURIComponent(s);
} else {
return unescape(s);
}
}
function _uVG() {
if((_udn.indexOf("www.google.") == 0 || _udn.indexOf(".google.") == 0 || _udn.indexOf("google.") == 0) && _utcp=='/' && _udn.indexOf("google.org")==-1) {
return false;
}
return true;
}
function _uSP() {
var s=100;
if (_usample) s=_usample;
if(s>=100 || s<=0) return true;
return ((__utmVisitorCode(1)%10000)<(s*100));
}
function urchinPathCopy(p){
var d=document,nx,tx,sx,i,c,cs,t,h,o;
cs=new Array("a","b","c","v","x","z");
h=_uDomain(); if (_udn && _udn!="") o=" domain="+_udn+";";
nx=_uNx()+";";
tx=new Date(); tx.setTime(tx.getTime()+(_utimeout*1000));
tx=tx.toGMTString()+";";
sx=new Date(); sx.setTime(sx.getTime()+(_ucto*1000));
sx=sx.toGMTString()+";";
for (i=0;i<6;i++){
t=" expires=";
if (i==1) t+=tx; else if (i==2) t=""; else if (i==5) t+=sx; else t+=nx;
c=_uGC(d.cookie,"__utm"+cs[i]+"="+h,";");
if (c!="-") d.cookie="__utm"+cs[i]+"="+c+"; path="+p+";"+t+o;
}
}
function _uCO() {
if (!_utk || _utk=="" || _utk.length<10) return;
var d='www.google.com';
if (_utk.charAt(0)=='!') d='analytics.corp.google.com';
_ubd.cookie="GASO="+_utk+"; path="+_utcp+";"+_udo;
var sc=document.createElement('script');
sc.type='text/javascript';
sc.id="_gasojs";
sc.src='https://'+d+'/analytics/reporting/overlay_js?gaso='+_utk+'&'+Math.random();
document.getElementsByTagName('head')[0].appendChild(sc);
}
function _uGT() {
var h=location.hash, a;
if (h && h!="" && h.indexOf("#gaso=")==0) {
a=_uGC(h,"gaso=","&");
} else {
a=_uGC(_ubd.cookie,"GASO=",";");
}
return a;
}
var _utk=_uGT();
if (_utk && _utk!="" && _utk.length>10) {
if (window.addEventListener) {
window.addEventListener('load', _uCO, false);
} else if (window.attachEvent) {
window.attachEvent('onload', _uCO);
}
}
function _uNx() {
return (new Date((new Date()).getTime()+63072000000)).toGMTString();
}



@ -0,0 +1,63 @@
/*
*************************************************
MOZILLA.ORG
Enhanced Screen Styles
(Only applicable if JavaScript is enabled)
Created by the friendly folks at Happy Cog
http://www.happycog.com/
*************************************************
*/
#quick-search label { position:absolute; left: 48px; top:14px; text-transform:uppercase; font-weight:bold; color:#dddfe0; font-size: 85%; /* 14px x 0.85 = 12px */}
/* community feed */
#community-sub .rows li.over { background-color: #f5f6f6; }
#community-sub { position:relative; z-index:200; }
/* project carousel */
.project-carousel { background:#CBCCCC url(/images/template/screen/bg_project_carousel.png) repeat-y right top; margin-right:-461px; padding:6px 0 6px 6px; position:relative; }
.project-carousel .pagination { position:absolute; right:471px; top:1em; padding-right:47px; }
.project-carousel .prev, .project-carousel .next { width:18px; height:21px; float:left; overflow:hidden; background:transparent url(/images/template/widgets/carousel-arrows.png) no-repeat 0 -21px; text-indent:-999px; position:absolute; top:0; right:0; }
.project-carousel .prev:hover, .project-carousel .next:hover { border-bottom:none; }
.project-carousel .prev { width:19px; right:18px; }
.project-carousel .next { background-position:-18px -21px; width:19px; }
.project-carousel .next.disabled { background-position:-18px top; }
.project-carousel .prev.disabled { background-position:left top; }
.projects-wrap { background: #dee0e1 url(/images/template/screen/bg_projects.png) repeat-y right center; height:14em; }
.projects-wrap .projects-fade-left { background:transparent url(/images/template/widgets/carousel-fade.png) repeat-y 0 0; position:absolute; padding:0 0 0 20px; height:10em; z-index:100; }
.projects-wrap .projects-fade-right { background:transparent url(/images/template/widgets/carousel-fade.png) repeat-y 0 100%; position:absolute; padding:0 0 0 20px; height:10em; z-index:100; }
.projects { background:none; height:10em; margin:0 451px 0 0; overflow:hidden; padding:2em 0; position:relative; }
.project { overflow:visible; height:auto; margin:0; }
.project-first { padding-left:20px; }
/* project carousel */
#home #sub { position:relative; }
/* browser specific css */
.projects {
border-radius:0;
-moz-border-radius:0;
-webkit-border-radius:0;
}
.projects-wrap {
border-radius:10px;
-moz-border-radius:10px;
-webkit-border-radius:10px;
border-top-right-radius:0;
-moz-border-top-right-radius:0;
-webkit-border-top-right-radius:0;
border-bottom-right-radius:0;
-moz-border-bottom-right-radius:0;
-webkit-border-bottom-right-radius:0;
}
/* debug */
/*#sub { display:none; }*/


@ -0,0 +1,103 @@
FileAnalysis::TRIGGER_NEW
Z3kT1FyLnfk, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
/*^J********
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_EOF
Z3kT1FyLnfk, 2675, 0
{
UWkUyAuUGXf
}
{
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
}
source: HTTP
SHA1: 0e42ae17eea9b074981bd3a34535ad3a22d02706
MD5: b932c3310ce47e158d1a5a42e0b01279
SHA256: 5b037a2c5e36f56e63a3012c73e46a04b27741d8ff8f8b62c832fb681fc60f42
FileAnalysis::TRIGGER_NEW
WLJWC1FMBq9, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
//-- Google
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_EOF
WLJWC1FMBq9, 21421, 0
{
UWkUyAuUGXf
}
{
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
}
source: HTTP
SHA1: 8f241117afaa8ca5f41dc059e66d75c283dcc983
MD5: e732f7bf1d7cb4eedcb1661697d7bc8c
SHA256: 6a509fd05aa7c8fa05080198894bb19e638554ffcee0e0b3d7bc8ff54afee1da
FileAnalysis::TRIGGER_NEW
Ac8PLL9KL49, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
GIF89a^D\0^D\0\xb3
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_DONE
Ac8PLL9KL49, 94, 0
{
UWkUyAuUGXf
}
{
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
}
total bytes: 94
source: HTTP
SHA1: 81f5f056ce5e97d940854bb0c48017b45dd9f15e
MD5: d903de7e30db1691d3130ba5eae6b9a7
SHA256: 6fb22aa9d780ea63bd7a2e12b92b16fcbf1c4874f1d3e11309a5ba984433c315
FileAnalysis::TRIGGER_NEW
NV2MvAX0Is4, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
\x89PNG^M^J^Z^J\0\0\0
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_DONE
NV2MvAX0Is4, 2349, 0
{
UWkUyAuUGXf
}
{
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
}
total bytes: 2349
source: HTTP
SHA1: 560eab5a0177246827a94042dd103916d8765ac7
MD5: e0029eea80812e9a8e57b8d05d52938a
SHA256: e0b4500c1fd1d675da4137461cbe64d3c8489f4180d194e47683b20e7fb876f4
FileAnalysis::TRIGGER_NEW
YLndcRpw5Ge, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
\x89PNG^M^J^Z^J\0\0\0
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_DONE
YLndcRpw5Ge, 27579, 0
{
UWkUyAuUGXf
}
{
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
}
total bytes: 27579
source: HTTP
SHA1: ee2b41bdef85de14ef332da14fc392f110b84249
MD5: 30aa926344f58019d047e85ba049ca1e
SHA256: eb482bda230a215b90aedbfe1eee72b8193608df76a319aaf11fb85511579a1e


@ -0,0 +1,17 @@
{
"origin": "10.142.133.148",
"files": {},
"form": null,
"url": "http://httpbin.org/post",
"args": {},
"headers": {
"Content-Length": "11",
"Connection": "close",
"Accept": "*/*",
"User-Agent": "curl/7.29.0",
"Host": "httpbin.org",
"Content-Type": "application/x-www-form-urlencoded"
},
"json": null,
"data": "hello world"
}


@ -0,0 +1,42 @@
FileAnalysis::TRIGGER_NEW
WDJLxTGN0m8, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
hello world
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_DONE
WDJLxTGN0m8, 11, 0
{
UWkUyAuUGXf
}
{
[orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp]
}
total bytes: 11
source: HTTP
SHA1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
MD5: 5eb63bbbe01eeed093cb22bb8f5acdc3
SHA256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
FileAnalysis::TRIGGER_NEW
LkolCF6OeHh, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
{^J "origin
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_DONE
LkolCF6OeHh, 366, 0
{
UWkUyAuUGXf
}
{
[orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp]
}
total bytes: 366
source: HTTP
SHA1: 6a1582672c203210c6d18d700322060b676365e7
MD5: c9337794df612aeaa901dcf9fa446bca
SHA256: 8eb24c16df7cb45cb6a1790b0d26ad2571f754228d0ac111b3ac59adbfecbeb8


@ -0,0 +1,20 @@
FileAnalysis::TRIGGER_NEW
6w2n1vAlfzk, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
PK^C^D^T\0\0\0^H\0\xae
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_EOF
6w2n1vAlfzk, 42208, 0
{
arKYeMETxOg
}
{
[orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
}
source: irc-dcc-data
SHA1: 8abe0239263fd7326eb803d4465cf494f8bea218
MD5: 8c0803242f549c2780cb88b9a9215c65
SHA256: e4f0b0b9d7580e7a22dc1093c8db4df7d0115a4f3b03cc2875cc69705f0d0204


@ -0,0 +1,60 @@
FileAnalysis::TRIGGER_NEW
wBZuaIADU0b, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
Hello^M^J^M^J ^M
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_EOF
wBZuaIADU0b, 79, 0
{
arKYeMETxOg
}
{
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
}
source: SMTP
SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13
MD5: 92bca2e6cdcde73647125da7dccbdd07
SHA256: 785a8a044d1454ec88837108f443bbb30cc4f529393ffd57118261036bfe59f5
FileAnalysis::TRIGGER_NEW
i3lOtWMsCWb, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
<html xmlns
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_EOF
i3lOtWMsCWb, 1918, 0
{
arKYeMETxOg
}
{
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
}
source: SMTP
SHA1: e54af6c6616525611364b80bd6557a7ea21dae94
MD5: d194c6359c85bb88b54caee18b1e9b44
SHA256: b9556e92ddbe52379b64804136f830d111cafe7fcd78e54817fe40f3bc24268d
FileAnalysis::TRIGGER_NEW
LgCRm1TGd09, 0, 0
FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER
Version 4.9
FileAnalysis::TRIGGER_TYPE
file type is set
mime type is set
FileAnalysis::TRIGGER_EOF
LgCRm1TGd09, 10823, 0
{
arKYeMETxOg
}
{
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
}
source: SMTP
SHA1: 43bf1cea1cd4b7d15243e15611859aa49d515665
MD5: a968bb0f9f9d95835b2e74c845877e87
SHA256: d5c4e7248840932b9d74ea2f3b3ae142c723a863abf5fd0599f9dd1171697e12


@ -0,0 +1,13 @@
Hello
I send u smtp pcap file
Find the attachment
GPS


@ -0,0 +1,71 @@
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal>Hello<o:p></o:p></p>
<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>
<p class=3DMsoNormal>I send u smtp pcap file <o:p></o:p></p>
<p class=3DMsoNormal>Find the attachment<o:p></o:p></p>
<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>
<p class=3DMsoNormal>GPS<o:p></o:p></p>
</div>
</body>
</html>


@ -0,0 +1,264 @@
Version 4.9.9.1
* Many bug fixes
* Improved editor
Version 4.9.9.0
* Support for latest Mingw compiler system builds
* Bug fixes
Version 4.9.8.9
* New code tooltip display
* Improved Indent/Unindent and Remove Comment
* Improved automatic indent
* Added support for the "interface" keyword
* WebUpdate should now report installation problems from PackMan
* New splash screen and association icons
* Improved installer
* Many bug fixes
Version 4.9.8.7
* Added support for GCC > 3.2
* Debug variables are now resent during next debug session
* Watched Variables not in correct context are now kept and updated when it is needed
* Added new compiler/linker options: 20
- Strip executable
- Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20
k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)
- Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)
* "Default" button in Compiler Options is back
* Error messages parsing improved
* Bug fixes
Version 4.9.8.5
* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")
* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.
* Many bug fixes
Version 4.9.8.4
* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup
* Improved code completion cache
* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP
* Big speed up in function parameters listing while editing
* Bug fixes
Version 4.9.8.3
* On Dev-C++ first time configuration dialog, a code completion cache of all the standard 20
include files can now be generated.
* Improved WebUpdate module
* Many bug fixes
Version 4.9.8.2
* New debug feature for DLLs: attach to a running process
* New project option: Use custom Makefile. 20
* New WebUpdater module.
* Allow user to specify an alternate configuration file in Environment Options 20
(still can be overriden by using "-c" command line parameter).
* Lots of bug fixes.
Version 4.9.8.1
* When creating a DLL, the created static lib respects now the project-defined output directory
Version 4.9.8.0
* Changed position of compiler/linker parameters in Project Options.
* Improved help file
* Bug fixes
Version 4.9.7.9
* Resource errors are now reported in the Resource sheet
* Many bug fixes
Version 4.9.7.8
* Made whole bottom report control floating instead of only debug output.
* Many bug fixes
Version 4.9.7.7
* Printing settings are now saved
* New environment options : "watch variable under mouse" and "Report watch errors"
* Bug fixes
Version 4.9.7.6
* Debug variable browser
* Added possibility to include in a Template the Project's directories (include, libs and ressources)
* Changed tint of Class browser pictures colors to match the New Look style
* Bug fixes
Version 4.9.7.5
* Bug fixes
Version 4.9.7.4
* When compiling with debugging symbols, an extra definition is passed to the
compiler: -D__DEBUG__
* Each project creates a <project_name>_private.h file containing version
information definitions
* When compiling the current file only, no dependency checks are performed
* ~300% Speed-up in class parser
* Added "External programs" in Tools/Environment Options (for units "Open with")
* Added "Open with" in project units context menu
* Added "Classes" toolbar
* Fixed pre-compilation dependency checks to work correctly
* Added new file menu entry: Save Project As
* Bug-fix for double quotes in devcpp.cfg file read by vUpdate
* Other bug fixes
Version 4.9.7.3
* When adding debugging symbols on request, remove "-s" option from linker
* Compiling progress window
* Environment options : "Show progress window" and "Auto-close progress window"
* Bug fixes
Version 4.9.7.2
* Bug fixes
Version 4.9.7.1
* "Build priority" per-unit
* "Include file in linking process" per-unit
* New feature: compile current file only
* Separated C++ compiler options from C compiler options in Makefile (see bug report #654744)
* Separated C++ include dirs from C include dirs in Makefile (see bug report #654744)
* Necessary UI changes in Project Options
* Added display of project filename, project output and a summary of the project files in Project Options General tab.
* Fixed the "compiler-dirs-with-spaces" bug that crept-in in 4.9.7.0
* Multi-select files in project-view (when "double-click to open" is configured in Environment Settings)
* Resource files are treated as ordinary files now
* Updates in "Project Options/Files" code
* MSVC import now creates the folders structure of the original VC project
* Bug fixes
Version 4.9.7.0
* Allow customizing of per-unit compile command in projects
* Added two new macros: <DATE> and <DATETIME>
* Added support for macros in the "default source code" (Tools/Editor Options/Code)
* Separated layout info from project file. It is now kept in a different file
(the same filename as the project's but with extension ".layout"). If you
have your project under CVS control, you ''ll know why this had to happen...
* Compiler settings per-project
* Compiler set per-project
* Implemented new compiler settings framework
* "Compile as C++" per-unit
* "Include file in compilation process" per-unit
* Project version info (creates the relevant VERSIONINFO struct in the private
resource)
* Support XP Themes (creates the CommonControls 6.0 manifest file and includes
it in the private resource)
* Added CVS "login" and "logout" commands
* Project manager and debugging window (in Debug tab) can now be trasnformed into floating windows.
* Added "Add Library" button in Project Options
* Bug fixes
Version 4.9.6.9
* Implemented search in help files for the word at cursor (context sensitive help)
* Implemented "compiler sets" infrastructure to switch between different compilers easily (e.g. gcc-2.95 and gcc-3.2)
* Added "Files" tab in CVS form to allow selection of more than one file for
the requested CVS action
20
Version 4.9.6.8
* support for DLL application hosting, for debugging and executing DLLs under Dev-C++.
* New class browser option: "Show inherited members"
* Added support for the '::' member access operator in code-completion
* Added *working* function arguments hint
* Added bracket highlighting. When the caret is on a bracket, that bracket and
its counterpart are highlighted
* Nested folders in project view
Version 4.9.6.7
* XP Theme support
* Added CVS commands "Add" and "Remove"
* Added configuration option for "Templates Directory" in "Environment Options"
* Code-completion updates
* Bug fixes
Version 4.9.6.6
* Editor colors are initialized properly on Dev-C++ first-run
* Added doxygen-style comments in NewClass, NewMemberFunction and NewMemberVariable wizards
* Added file's date/time stamp in File/Properties window
* Current windows listing in Window menu
* Bug fixes
Version 4.9.6.5
* CVS support
* Window list (in Window menu)
* bug fixes
version 4.9.6.4
* added ENTER key for opening file in project browser, DEL to delete from the project.
* bug fixes
version 4.9.6.3
* Bug fixes
version 4.9.6.2
* Bug fixes
version 4.9.6.1
* New "Abort compilation" button
* Bug fixes
* Now checks for vRoach existance when sending a crash report
Version 4.9.5.5
* New option in Editor Options: Show editor hints. User can disable the hints
displayed in the editor when the mouse moves over a word. Since this was the
cause of many errors (although it should be fixed by now), we are giving the
user the option to disable this feature.
* New option in Editor Options (code-completion): Use code-completion cache.
Well, it adds caching to code-completion. Depending on the cache size,
the program may take a bit longer to start-up, but provides very fast
code-completion and the user has all the commands (belonging to the files
he added in the cache) at his fingertips. If, for example, the user adds
"windows.h", he gets all the WinAPI! If he adds "wx/wx.h", he gets all of
wxWindows! You get the picture...
* Removed "Only show classes from current file" option in class browser settings.
It used to be a checkbox, allowing only two states (on or off), but there is
a third relevant option now: "Project classes" so it didn't fit the purpose...
The user can define this in the class browser's context menu under "View mode".
* Fixed the dreaded "Clock skew detected" compiler warning!
* Fixed many class browser bugs, including some that had to do with class folders.
Version 4.9.5.4
* Under NT, 2000 and XP, user application data directory will be used to store config files (i.e : C:\Documents and Settings\Username\Local Settings\Application Data)
Version 4.9.5.3
* Added ExceptionsAnalyzer. If the devcpp.map file is in the devcpp.exe directory
then we even get a stack trace in the bug report!
* Added new WebUpdate module (inactive temporarily).
* Added new code for code-completion caching of files (disabled - work in progress).
Version 4.9.5.2
* Added new option in class-browser: Use colors
(available when right-clicking the class-browser
and selecting "View mode").
* Dev-C++ now traps access violation of your programs (and of itself too ;)
Version 4.9.5.1
* Implemented the "File/Export/Project to HTML" function.
* Added "Tip of the day" system.
* When running a source file in explorer, don't spawn new instance.
Instead open the file in an already launched Dev-C++.
* Class-parser speed-up (50% to 85% improvement timed!!!)
* Many code-completion updates. Now takes into account context,
class inheritance and visibility (shows items only from files
#included directly or indirectly)!
* Caching of result set of code-completion for speed-up.
* New option "Execution/Parameters" (and "Debug/Parameters").
Version 4.9.5.0 (5.0 beta 5):
* CPU Window (still in development)
* ToDo list
* Backtrace in debugging
* Run to cursor
* Folders in Project and Class Browser
* Send custom commands to GDB
* Makefile can now be customized.
* Modified the behaviour of the -c param : 20
-c <config file directory>
* Saving of custom syntax parameter group
* Possibility of changing compilers and tools filename.
* Many bug fixes
Version 4.9.4.1 (5.0 beta 4.1):
* back to gcc 2.95.3
* Profiling support
* new update/packages checker (vUpdate)
* Lots of bugfixes



@ -1,4 +1,4 @@
# @TEST-EXEC: bro -b -r $TRACES/ipv6-ftp.trace %INPUT >output
# @TEST-EXEC: bro -b -r $TRACES/ftp/ipv6.trace %INPUT >output
# @TEST-EXEC: btest-diff output
function print_connection(c: connection, event_name: string)


@ -8,7 +8,7 @@
# assuming that it didn't automatically Ref the VectorType argument and thus
# leaked that memeory.
#
# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/ftp-ipv4.trace %INPUT >output
# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/ftp/ipv4.trace %INPUT >output
# @TEST-EXEC: btest-diff output
function myfunc(aa: interval, bb: interval): int


@ -0,0 +1,68 @@
# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff thefile
global actions: set[FileAnalysis::ActionArgs];
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "ftp-data" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
print info$file_id, info$seen_bytes, info$missing_bytes;
print info$conn_uids;
print info$conn_ids;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename="thefile"]];
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
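Review bot: The `TRIGGER_EOF` branch reads `info$actions[act]$md5`, `$sha1` and `$sha256` without first checking that the field is set, while the 206 test in this same commit guards each access with `if ( info$actions[act]?$md5 )`. Reading an unset optional record field is reported as a runtime error in Bro and ends the hook body, so if a digest is ever absent at EOF (for example when an action was attached after data had already been seen, or the file is incomplete) the test would fail on the field access rather than on the baseline. I would use the guarded form here, `if ( info$actions[act]?$md5 ) print fmt("MD5: %s", info$actions[act]$md5);`, and likewise for the other two digests. The same unguarded pattern appears in the HTTP get, pipelined-requests, post, IRC DCC and SMTP tests added by this commit.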


@ -0,0 +1,76 @@
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace %INPUT >get-gzip.out
# @TEST-EXEC: btest-diff get.out
# @TEST-EXEC: btest-diff get-gzip.out
# @TEST-EXEC: btest-diff KPVibShQgUc-file
# @TEST-EXEC: btest-diff LMA6EHLacYc-file
global actions: set[FileAnalysis::ActionArgs];
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
print info$conn_uids;
print info$conn_ids;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}


@ -0,0 +1,89 @@
# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap %INPUT >a.out
# @TEST-EXEC: btest-diff a.out
# @TEST-EXEC: wc -c uj9AtyGOiZ8-file0 >a.size
# @TEST-EXEC: btest-diff a.size
# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap %INPUT >b.out
# @TEST-EXEC: btest-diff b.out
# @TEST-EXEC: wc -c ns7As4DOZcj-file0 >b.size
# @TEST-EXEC: btest-diff b.size
# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap %INPUT >c.out
# @TEST-EXEC: btest-diff c.out
# @TEST-EXEC: wc -c MHMkq2nFxej-file0 >c.size
# @TEST-EXEC: btest-diff c.size
global actions: set[FileAnalysis::ActionArgs];
global cnt: count = 0;
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file%d", info$file_id, cnt);
++cnt;
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
print info$conn_uids;
print info$conn_ids;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
if ( info$actions[act]?$md5 )
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
if ( info$actions[act]?$sha1 )
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
if ( info$actions[act]?$sha256 )
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
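Review bot: `print info$conn_uids;` and `print info$conn_ids;` in the `TRIGGER_EOF`/`TRIGGER_DONE` branch print whole sets, and for the 206 partial-content traces these sets presumably hold more than one connection once ranges from several connections are merged into a single file. Set iteration order is not something a baseline should depend on, so `btest-diff a.out` (and b/c) may become order-sensitive. If the number of connections is what the test wants to pin, `print |info$conn_uids|, |info$conn_ids|;` gives a stable line; otherwise the output should be normalized before diffing.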


@ -0,0 +1,77 @@
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff Z3kT1FyLnfk-file
# @TEST-EXEC: btest-diff WLJWC1FMBq9-file
# @TEST-EXEC: btest-diff Ac8PLL9KL49-file
# @TEST-EXEC: btest-diff NV2MvAX0Is4-file
# @TEST-EXEC: btest-diff YLndcRpw5Ge-file
global actions: set[FileAnalysis::ActionArgs];
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
print info$conn_uids;
print info$conn_ids;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}


@ -0,0 +1,74 @@
# @TEST-EXEC: bro -r $TRACES/http/post.trace %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff WDJLxTGN0m8-file
# @TEST-EXEC: btest-diff LkolCF6OeHh-file
global actions: set[FileAnalysis::ActionArgs];
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
print info$conn_uids;
print info$conn_ids;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}


@ -0,0 +1,68 @@
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff thefile
global actions: set[FileAnalysis::ActionArgs];
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "irc-dcc-data" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
print info$file_id, info$seen_bytes, info$missing_bytes;
print info$conn_uids;
print info$conn_ids;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename="thefile"]];
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
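Review bot: The trace is referenced as `$TRACES/irc-dcc-send.trace` at the top of this test, whereas this commit moves the FTP and HTTP traces into `ftp/` and `http/` subdirectories (`$TRACES/ftp/ipv6.trace`, `$TRACES/http/get.trace`); the SMTP test likewise still uses `$TRACES/smtp.trace`. Keeping the per-protocol layout for these two would make the new file_analysis tests consistent. Separately, the extraction target here is the fixed name `"thefile"`, so if the trace ever yields more than one `irc-dcc-data` file the later extraction would silently overwrite the earlier one; the SMTP test's counter-suffixed `fmt("thefile%d", cnt)` avoids that, and the FTP test has the same fixed-name pattern.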


@ -0,0 +1,74 @@
# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff thefile0
# @TEST-EXEC: btest-diff thefile1
# @TEST-EXEC: btest-diff thefile2
global actions: set[FileAnalysis::ActionArgs];
global cnt: count = 0;
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "SMTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("thefile%d", cnt);
++cnt;
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
print info$file_id, info$seen_bytes, info$missing_bytes;
print info$conn_uids;
print info$conn_ids;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}


@ -1,3 +1,3 @@
# @TEST-EXEC: bro -f "tcp port 21" -r $TRACES/ipv6-ftp.trace "Conn::default_extract=T"
# @TEST-EXEC: bro -f "tcp port 21" -r $TRACES/ftp/ipv6.trace "Conn::default_extract=T"
# @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_orig.dat
# @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_resp.dat


@ -1,6 +1,6 @@
# @TEST-EXEC: bro -b -r $TRACES/http-100-continue.trace %INPUT >out1
# @TEST-EXEC: bro -b -r $TRACES/http/100-continue.trace %INPUT >out1
# @TEST-EXEC: btest-diff out1
# @TEST-EXEC: bro -b -r $TRACES/http-100-continue.trace %INPUT stop_cnt=2 >out2
# @TEST-EXEC: bro -b -r $TRACES/http/100-continue.trace %INPUT stop_cnt=2 >out2
# @TEST-EXEC: btest-diff out2
@load base/protocols/conn


@ -1,6 +1,6 @@
# This tests both active and passive FTP over IPv4.
#
# @TEST-EXEC: bro -r $TRACES/ftp-ipv4.trace
# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ftp.log


@ -1,6 +1,6 @@
# This tests both active and passive FTP over IPv6.
#
# @TEST-EXEC: bro -r $TRACES/ipv6-ftp.trace
# @TEST-EXEC: bro -r $TRACES/ftp/ipv6.trace
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ftp.log


@ -3,7 +3,7 @@
# a given request. The http scripts should also be able log such replies
# in a way that correlates the final response with the request.
#
# @TEST-EXEC: bro -r $TRACES/http-100-continue.trace %INPUT
# @TEST-EXEC: bro -r $TRACES/http/100-continue.trace %INPUT
# @TEST-EXEC: test ! -f weird.log
# @TEST-EXEC: btest-diff http.log


@ -2,7 +2,7 @@
# it gets confused whether it's in a header or not; it shouldn't report
# the http_no_crlf_in_header_list wierd.
#
# @TEST-EXEC: bro -r $TRACES/http-byteranges.trace %INPUT
# @TEST-EXEC: bro -r $TRACES/http/byteranges.trace %INPUT
# @TEST-EXEC: test ! -f weird.log
# The base analysis scripts are loaded by default.


@ -1,6 +1,6 @@
# This tests that the HTTP analyzer handles strange HTTP methods properly.
#
# @TEST-EXEC: bro -r $TRACES/http-methods.trace %INPUT
# @TEST-EXEC: bro -r $TRACES/http/methods.trace %INPUT
# @TEST-EXEC: btest-diff weird.log
# @TEST-EXEC: btest-diff http.log


@ -2,7 +2,7 @@
# will normalize mime types other than the target type to prevent sensitivity
# to varying versions of libmagic.
# @TEST-EXEC: bro -r $TRACES/http-pipelined-requests.trace %INPUT > output
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT > output
# @TEST-EXEC: btest-diff http.log
redef HTTP::generate_md5 += /image\/png/;


@ -1,4 +1,4 @@
# @TEST-EXEC: bro -r $TRACES/http-pipelined-requests.trace %INPUT > output
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT > output
# @TEST-EXEC: btest-diff http.log
# mime type is irrelevant to this test, so filter it out


@ -1,4 +1,4 @@
# @TEST-EXEC-FAIL: bro -r $TRACES/ftp-ipv4.trace %INPUT
# @TEST-EXEC-FAIL: bro -r $TRACES/ftp/ipv4.trace %INPUT
# @TEST-EXEC: btest-diff .stderr
@load-sigs blah.sig


@ -1,7 +1,7 @@
# @TEST-EXEC: bro -b -s myftp -r $TRACES/ftp-ipv4.trace %INPUT >dpd-ipv4.out
# @TEST-EXEC: bro -b -s myftp -r $TRACES/ipv6-ftp.trace %INPUT >dpd-ipv6.out
# @TEST-EXEC: bro -b -r $TRACES/ftp-ipv4.trace %INPUT >nosig-ipv4.out
# @TEST-EXEC: bro -b -r $TRACES/ipv6-ftp.trace %INPUT >nosig-ipv6.out
# @TEST-EXEC: bro -b -s myftp -r $TRACES/ftp/ipv4.trace %INPUT >dpd-ipv4.out
# @TEST-EXEC: bro -b -s myftp -r $TRACES/ftp/ipv6.trace %INPUT >dpd-ipv6.out
# @TEST-EXEC: bro -b -r $TRACES/ftp/ipv4.trace %INPUT >nosig-ipv4.out
# @TEST-EXEC: bro -b -r $TRACES/ftp/ipv6.trace %INPUT >nosig-ipv6.out
# @TEST-EXEC: btest-diff dpd-ipv4.out
# @TEST-EXEC: btest-diff dpd-ipv6.out
# @TEST-EXEC: btest-diff nosig-ipv4.out


@ -1,4 +1,4 @@
# @TEST-EXEC: bro -r $TRACES/ftp-ipv4.trace %INPUT
# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT
# @TEST-EXEC: btest-diff conn.log
@load-sigs blah.sig