Merge branch 'master' of ssh://git.bro-ids.org/bro

Robin Sommer 2011-07-14 11:08:38 -07:00
commit 5c2ffab892
34 changed files with 423 additions and 225 deletions


@ -1,12 +1,16 @@
@if ( Cluster::node != "" )
# Load the core cluster support.
@load frameworks/cluster/base/main
@if ( Cluster::node != "" )
# Only load the communication framework if it really looks like someone is
# trying to start up a cluster node.
@load frameworks/communication
# Make this a controllable node since all cluster nodes are inherently
# controllable.
@load frameworks/control/controllee
## If this script isn't found anywhere, the cluster bombs out.
## Loading the cluster framework requires that a script by this name exists
## somewhere in the BROPATH. The only thing in the file should be the
@ -21,6 +25,9 @@
# cluster framework is actually being enabled.
@load frameworks/communication/listen-clear
## Set the port that this node is supposed to listen on.
redef Communication::listen_port_clear = Cluster::nodes[Cluster::node]$p;
@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::MANAGER )
@load frameworks/cluster/base/node/manager
@endif
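Review bot: The `redef Communication::listen_port_clear = Cluster::nodes[Cluster::node]$p;` line and the `@if ( Cluster::nodes[Cluster::node]$node_type == Cluster::MANAGER )` test both index `Cluster::nodes`, and the only guard visible in front of them is `Cluster::node != ""`. A node name that is missing from the layout would then appear to fail on the index itself; the `node !in nodes` check shown in `bro_init` elsewhere in this commit runs later than these load-time statements, as far as the page shows. Consider wrapping both in `@if ( Cluster::node in Cluster::nodes )`, or add a comment stating that the layout script must define the node. The enclosing `@if` block starts outside this hunk.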


@ -1,5 +1,8 @@
@load utils/numbers
@load frameworks/notice
@load frameworks/control
module Cluster;
export {
@ -26,14 +29,14 @@ export {
## Events raised by workers and handled by the manager.
const worker_events = /(Notice::notice|TimeMachine::command|Drop::.*)/ &redef;
## Events sent by the manager host (i.e. BroControl) when dynamically
## Events sent by the control host (i.e. BroControl) when dynamically
## connecting to a running instance to update settings or request data.
const control_events = /Remote::(configuration_update|id_request|net_stats_request|peer_status_request)/ &redef;
const control_events = Control::controller_events &redef;
## Directory where the cluster is archiving logs.
## TODO: we need a sane default here.
const log_dir = "/not/set" &redef;
## Record type to indicate a node in a cluster.
type Node: record {
node_type: NodeType;
@ -62,9 +65,6 @@ export {
# Give the node being started up it's peer name.
redef peer_description = Cluster::node;
## Set the port that this node is supposed to listen on.
redef Communication::listen_port_clear = Cluster::nodes[Cluster::node]$p;
event bro_init()
{
if ( node != "" && node !in nodes )


@ -4,8 +4,6 @@
##! the manager registers for the events on the workers that are needed
##! to get the desired data from the workers.
@load frameworks/notice
##! This is where the cluster manager sets it's specific settings for other
##! frameworks and in the core.


@ -16,11 +16,14 @@ export {
global default_compression = 0 &redef;
type Info: record {
ts: time &log;
peer: string &log &optional;
level: string &log &optional;
src_name: string &log &optional;
msg: string &log;
ts: time &log;
peer: string &log &optional;
src_name: string &log &optional;
connected_peer_desc: string &log &optional;
connected_peer_addr: addr &log &optional;
connected_peer_port: port &log &optional;
level: string &log &optional;
message: string &log;
};
## A remote peer to which we would like to talk.
@ -115,7 +118,7 @@ function do_script_log_common(level: count, src: count, msg: string)
$level = (level == REMOTE_LOG_INFO ? "info" : "error"),
$src_name = src_names[src],
$peer = get_event_peer()$descr,
$msg = msg]);
$message = msg]);
}
# This is a core generated event.
@ -126,8 +129,7 @@ event remote_log(level: count, src: count, msg: string)
function do_script_log(p: event_peer, msg: string)
{
do_script_log_common(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT,
fmt("[#%d/%s:%d] %s", p$id, p$host, p$p, msg));
do_script_log_common(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT, msg);
}
function connect_peer(peer: string)
@ -144,7 +146,7 @@ function connect_peer(peer: string)
if ( id == PEER_ID_NONE )
Log::write(COMMUNICATION, [$ts = network_time(),
$peer = get_event_peer()$descr,
$msg = "can't trigger connect"]);
$message = "can't trigger connect"]);
pending_peers[id] = node;
}
@ -272,7 +274,7 @@ event remote_state_inconsistency(operation: string, id: string,
id, expected_old, real_old, operation);
Log::write(COMMUNICATION, [$ts = network_time(),
$peer = get_event_peer()$descr,
$msg = msg]);
$message = msg]);
}
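Review bot: `do_script_log` still takes `p: event_peer` but no longer uses it now that the `fmt("[#%d/%s:%d] %s", p$id, p$host, p$p, msg)` prefix is gone, and none of the `Log::write` calls visible in these hunks fill the new `connected_peer_desc`, `connected_peer_addr` or `connected_peer_port` fields. Unless they are set in code outside the hunks, communication log entries lose the identity of the peer a message is about, which is the detail needed when reviewing connection problems or unexpected peers. Populating them where the peer is known, e.g. `$connected_peer_desc = p$descr, $connected_peer_addr = p$host, $connected_peer_port = p$p`, would keep that information in structured form. `do_script_log_common` begins outside the hunk, so the record it builds is only partly visible.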


@ -0,0 +1 @@
@load frameworks/control/base


@ -0,0 +1,2 @@
@load frameworks/control/base/main


@ -0,0 +1,83 @@
##! This is a utility script that sends the current values of all &redef'able
##! consts to a remote Bro then sends the :bro:id:`configuration_update` event
##! and terminates processing.
##!
##! Intended to be used from the command line like this when starting a controller:
##! bro <scripts> frameworks/control/controller Control::host=<host_addr> Control::port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
##!
##! To use the framework as a controllee, it only needs to be loaded and
##! the controlled node need to accept all events in the "Control::" namespace
##! from the host where the control actions will be performed from along with
##! using the "control" class.
module Control;
export {
## This is the address of the host that will be controlled.
const host = 0.0.0.0 &redef;
## This is the port of the host that will be controlled.
const host_port = 0/tcp &redef;
## This is the command that is being done. It's typically set on the
## command line and influences whether this instance starts up as a
## controller or controllee. If left blank this node will start as a
## controllee and a controller if there is a given command.
const cmd = "" &redef;
## This can be used by commands that take an argument.
const arg = "" &redef;
const controller_events = /Control::.*_request/ &redef;
const controllee_events = /Control::.*_response/ &redef;
## These are the commands that can be given on the command line for
## remote control.
const commands: set[string] = {
"id_value",
"peer_status",
"net_stats",
"configuration_update",
"shutdown",
};
## Variable IDs that are to be ignored by the update process.
const ignore_ids: set[string] = {
# FIXME: Bro crashes if it tries to send this ID.
"Log::rotation_control",
};
## Event for requesting the value of an ID (a variable).
global id_value_request: event(id: string);
## Event for returning the value of an ID after an :bro:id:`id_request` event.
global id_value_response: event(id: string, val: string);
## Requests the current communication status.
global peer_status_request: event();
## Returns the current communication status.
global peer_status_response: event(s: string);
## Requests the current net_stats.
global net_stats_request: event();
## Returns the current net_stats.
global net_stats_response: event(s: string);
## Inform the remote Bro instance that it's configuration may have been updated.
global configuration_update_request: event();
## This event is a wrapper and alias for the :bro:id:`configuration_update_request` event.
## This event is also a primary hooking point for the control framework.
global configuration_update: event();
## Message in response to a configuration update request.
global configuration_update_response: event();
## Requests that the Bro instance begins shutting down.
global shutdown_request: event();
## Message in response to a shutdown request.
global shutdown_response: event();
}
event terminate_event()
{
terminate_communication();
}
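Review bot: The usage line in the header comment gives `Control::port=<host_port>`, but the option declared below is `const host_port` and the tests added in this commit pass `Control::host_port=...`, so the comment should read `Control::host_port=<host_port>`. The doc comment on `id_value_response` likewise refers to `id_request`, while the event declared here is `id_value_request`. It would also help to document on `controller_events` that a peer granted this pattern can ask for the value of any ID and request a shutdown, so the pattern should only be given to the control host.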


@ -0,0 +1,58 @@
@load frameworks/control
# If an instance is a controllee, it implicitly needs to listen for remote
# connections.
@load frameworks/communication/listen-clear
module Control;
event Control::id_value_request(id: string)
{
local val = lookup_ID(id);
event Control::id_value_response(id, fmt("%s", val));
}
event Control::peer_status_request()
{
local status = "";
for ( p in Communication::nodes )
{
local peer = Communication::nodes[p];
if ( ! peer$connected )
next;
status += fmt("peer=%s host=%s events_in=? events_out=? ops_in=? ops_out=? bytes_in=? bytes_out=?\n",
peer$peer$descr, peer$host);
}
event Control::peer_status_response(status);
}
event Control::net_stats_request()
{
local ns = net_stats();
local reply = fmt("%.6f recvd=%d dropped=%d link=%d\n", network_time(),
ns$pkts_recvd, ns$pkts_dropped, ns$pkts_link);
event Control::net_stats_response(reply);
}
event Control::configuration_update_request()
{
# Generate the alias event.
event Control::configuration_update();
# Don't need to do anything in particular here, it's just indicating that
# the configuration is going to be updated. This event could be handled
# by other scripts if they need to do some ancilliary processing if
# redef-able consts are modified at runtime.
event Control::configuration_update_response();
}
event Control::shutdown_request()
{
# Send the acknowledgement event.
event Control::shutdown_response();
# Schedule the shutdown to let the current event queue flush itself first.
event terminate_event();
}
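Review bot: The `Control::id_value_request` and `Control::shutdown_request` handlers act on every delivered event without looking at where it came from: the first returns `lookup_ID(id)` for whatever name the sender supplies, the second schedules termination. Which peers can deliver these events is decided entirely by the `$events` and `$class` settings in `Communication::nodes`, which are outside this file, and the script loads `frameworks/communication/listen-clear`, so the listener it opens is the cleartext one. I would add a header comment stating that trust assumption, e.g. `# Handlers trust the communication framework's peer filtering; only accept Control:: events from the control host.` Logging `get_event_peer()$descr` in the shutdown handler would also make a remote shutdown leave a record.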


@ -0,0 +1,105 @@
@load frameworks/control
@load frameworks/communication
module Control;
# Do some sanity checking and rework the communication nodes.
event bro_init() &priority=5
{
# We know that some command was given because this script wouldn't be
# loaded if there wasn't so we can feel free to throw an error here and
# shutdown.
if ( cmd !in commands )
{
# TODO: do an actual error here. Maybe through the reporter events?
print fmt("The '%s' control command is unknown.", cmd);
terminate();
}
# Establish the communication configuration and only request response
# messages.
Communication::nodes["control"] = [$host=host, $p=host_port,
$sync=F, $connect=T,
$class="control", $events=Control::controllee_events];
}
event Control::id_value_response(id: string, val: string) &priority=-10
{
event terminate_event();
}
event Control::peer_status_response(s: string) &priority=-10
{
event terminate_event();
}
event Control::net_stats_response(s: string) &priority=-10
{
event terminate_event();
}
event Control::configuration_update_response() &priority=-10
{
event terminate_event();
}
event Control::shutdown_response() &priority=-10
{
event terminate_event();
}
function configuration_update_func(p: event_peer)
{
# Send all &redef'able consts to the peer.
local globals = global_ids();
local cnt = 0;
for ( id in globals )
{
if ( id in ignore_ids )
next;
local t = globals[id];
# Skip it if the variable isn't redefinable or not const.
# We don't want to update non-const globals because that's usually
# where state is stored and those values will frequently be declared
# with &redef so that attributes can be redefined.
if ( t$constant && t$redefinable )
{
send_id(p, id);
++cnt;
}
}
print fmt("sent %d IDs", cnt);
event terminate_event();
}
event remote_connection_handshake_done(p: event_peer) &priority=-10
{
if ( cmd == "id_value" )
{
if ( arg != "" )
event Control::id_value_request(arg);
else
{
# TODO: do an actual error here. Maybe through the reporter events?
print "The id_value command requires that Control::arg have some value.";
terminate();
}
}
else if ( cmd == "peer_status" )
event Control::peer_status_request();
else if ( cmd == "net_stats" )
event Control::net_stats_request();
else if ( cmd == "shutdown" )
event Control::shutdown_request();
else if ( cmd == "configuration_update" )
{
configuration_update_func(p);
# Signal configuration update to peer.
event Control::configuration_update_request();
}
}
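Review bot: In `bro_init`, the unknown-command branch calls `terminate()` but does not return, so the handler continues into the `Communication::nodes["control"] = ...` assignment; the send-config script removed by this commit had `terminate(); return;` in its equivalent error branch. Adding `return;` after `terminate();` keeps an invalid `cmd` from registering a peer to connect to. The same handler does not check that `host` and `host_port` were changed from their `0.0.0.0` and `0/tcp` defaults, which could be rejected the same way. `configuration_update_func` sends every redefinable const except those in `ignore_ids` to the peer; a comment noting that this may include sensitive settings would help operators decide what to exclude.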


@ -2,29 +2,29 @@
##! groups at runtime. No events will be raised for all memmbers of a disabled
##! event group.
@load support/remote
@load frameworks/control
module Remote;
module AnalysisGroups;
export {
# By default, all event groups are enabled. We disable all groups in this table.
const disabled_analysis_groups: set[string] &redef; # = { "ftp" }
const disabled: set[string] &redef; # = { "ftp" }
}
# Set to remember all groups which were disabled by the last update().
global currently_disabled: set[string];
event configuration_update()
event Control::configuration_update()
{
# Reenable those which are not to be disabled anymore.
for ( g in currently_disabled )
if ( g !in disabled_analysis_groups )
if ( g !in disabled )
enable_event_group(g);
# Disable those which are not already.
for ( g in disabled_analysis_groups )
for ( g in disable_event_group )
if ( g !in currently_disabled )
disable_event_group(g);
currently_disabled = copy(disabled_analysis_groups);
currently_disabled = copy(disabled);
}


@ -1 +0,0 @@
@load frameworks/communication/events


@ -1,92 +0,0 @@
##! This is a utility script that sends the current values of all &redef'able
##! consts to a remote Bro then sends the :bro:id:`configuration_update` event
##! and terminates processing.
##!
##! Intended to be used from the command line like this:
##! bro Remote::config_node=<node> <scripts> support/remote/send-config
##!
##! The :bro:id:`Remote::config_node` value should contain the node name of one of the
##! nodes of the configured communications.
@load frameworks/communication
@load support/remote
module Remote;
export {
## This is the name of the node configured in the communication framework
## that you want to send new variables to.
const config_node = "" &redef;
## Variable IDs that are to be ignored by the update process.
const ignore_ids: set[string] = {
# TODO: Bro crashes if it tries to send this ID.
"Log::rotation_control",
};
##
}
event terminate_event()
{
terminate_communication();
}
event remote_connection_handshake_done(p: event_peer)
{
local peer = Communication::nodes[config_node];
if ( peer$host != p$host )
return;
# Send all &redef'able consts to the peer.
local globals = global_ids();
local cnt = 0;
for ( id in globals )
{
if ( id in ignore_ids )
next;
local t = globals[id];
# Skip it if the variable isn't redefinable or not const.
# We don't want to update non-const globals because that's usually
# where state is stored and those values will frequently be declared
# with &redef so that attributes can be redefined.
if ( t$constant && t$redefinable )
{
send_id(p, id);
++cnt;
}
}
print fmt("sent %d IDs", cnt);
# Signal configuration update to peer.
event configuration_update();
# We can't terminate the communication right away here since the
# event configuration_update is only queued but not send at this
# point. Therefore we raise another events which will trigger
# termination only after the previous has been raised.
event terminate_event();
}
event bro_init() &priority=-3
{
if ( config_node == "" )
return;
if ( config_node !in Communication::nodes )
{
print fmt("Unknown peer '%s'", config_node);
terminate();
return;
}
local n = Communication::nodes[config_node];
n$connect=T;
n$sync=F;
n$class="control";
Communication::nodes = table(["control"] = n);
}


@ -1,79 +0,0 @@
##! Events which can be sent dynamically to Bro instances to retrieve
##! information about the running process.
module Remote;
export {
# This event is generated when Bro's configuration may have been updated.
global configuration_update: event();
## Event for requesting the value of an ID (a variable).
global id_request: event(id: string);
## Event for returning the value of an ID after an :bro:id:`id_request` event.
global id_response: event(id: string, val: string);
## Requests the current communication status.
global peer_status_request: event();
## Returns the current communication status.
global peer_status_response: event(s: string);
## Requests the current net_stats.
global net_stats_request: event();
## Returns the current net_stats.
global net_stats_response: event(s: string);
}
event id_request(id: string)
{
#local msg = fmt("%.6f got event id_request(%s)", network_time(), id);
#Log::write(CLUSTER, [$ts=network_time(), $msg=msg]);
local val = lookup_ID(id);
event id_response(id, fmt("%s", val));
}
event id_response(id: string, val: string)
{
#local msg = fmt("%.6f raised event id_response(%s, %s)", network_time(), id, val);
#Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
}
event peer_status_request()
{
#local msg = fmt("%.6f got event peer_status_request()", network_time());
#Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
local status = "";
for ( p in Communication::nodes )
{
local peer = Communication::nodes[p];
if ( ! peer$connected )
next;
status += fmt("peer=%s host=%s events_in=? events_out=? ops_in=? ops_out=? bytes_in=? bytes_out=?\n",
peer$peer$descr, peer$host);
}
event peer_status_response(status);
}
event peer_status_response(s: string)
{
#local msg = fmt("%.6f raised event peer_status_response(%s)", network_time(), s);
#Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
}
event net_stats_request()
{
local ns = net_stats();
local reply = fmt("%.6f recvd=%d dropped=%d link=%d\n", network_time(),
ns$pkts_recvd, ns$pkts_dropped, ns$pkts_link);
event net_stats_response(reply);
}
event net_stats_response(s: string)
{
#local msg = fmt("%.6f raised event net_stats_response(%s)", network_time(), s);
#Log::write(CLUSTER, [$ts=network_time(), $peer=peer_description, $msg=msg]);
}


@ -1,2 +1,2 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history notice_tags
1128727435.4509 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp - 1.73330307006836 98 9417 SF - 0 ShADdFaf -
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history
1128727435.4509 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp - 1.73330307006836 98 9417 SF - 0 ShADdFaf


@ -1,8 +1,8 @@
# ts node filter init success
1308602779.63662 - not ip6 F T
1310591294.19008 - not ip6 F T
# ts node filter init success
1308602779.68967 - (tcp port 22) and (not ip6) F T
1310591294.28313 - (tcp port 22) and (not ip6) F T
# ts node filter init success
1308602779.73049 - port 42 F T
1310591294.36249 - port 42 F T
# ts node filter init success
1308602779.77495 - port 56730 T T
1310591294.47815 - port 56730 T T


@ -1,4 +1,4 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history notice_tags
952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 - -
1128727435.4509 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp - 1.73330307006836 98 9417 SF - 0 ShADdFaf -
1278600802.06942 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF -
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history
952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 -
1128727435.4509 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp - 1.73330307006836 98 9417 SF - 0 ShADdFaf
1278600802.06942 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF


@ -1,2 +1,2 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied
1309569685.50375 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - -
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
1310590727.30137 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - - - -


@ -1,2 +1,2 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied
1309569685.50375 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - -
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
1310590727.30137 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -


@ -1,2 +1,2 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied
1309568070.32496 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - -
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
1310590707.11117 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - - - -


@ -1,2 +1,2 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied
1309568070.32496 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - -
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
1310590707.11117 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -


@ -0,0 +1,2 @@
Successfully connected to all of my peers
Successfully connected to all of my peers


@ -0,0 +1 @@
Successfully connected to all of my peers


@ -0,0 +1 @@
Successfully connected to all of my peers


@ -0,0 +1 @@
Successfully connected to all of my peers


@ -0,0 +1 @@
Successfully connected to all of my peers


@ -0,0 +1,2 @@
ORIGINAL VALUE (this should be printed out first)
NEW VALUE (this should be printed out second)


@ -0,0 +1 @@
Got an id_value_response(test_var, This is the value from the controllee) event


@ -1,6 +1,6 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file headers
1258577884.84496 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - text/x-c - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER
1258577884.96013 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - text/x-c++ - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER
1258577885.31716 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - image/gif - - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,COOKIE
1258577885.34964 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 2349 200 OK - - - - - image/png e0029eea80812e9a8e57b8d05d52938a - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,COOKIE
1258577885.39461 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 27579 200 OK - - - - - image/png 30aa926344f58019d047e85ba049ca1e - HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,COOKIE
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
1258577884.84496 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - text/x-c - -
1258577884.96013 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - text/x-c++ - -
1258577885.31716 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - image/gif - -
1258577885.34964 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 2349 200 OK - - - - - image/png e0029eea80812e9a8e57b8d05d52938a -
1258577885.39461 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 27579 200 OK - - - - - image/png 30aa926344f58019d047e85ba049ca1e -


@ -11,8 +11,8 @@ BRO_SEED_FILE=%(testbase)s/random.seed
TZ=UTC
LC_ALL=C
PATH=%(testbase)s/../../build/src:%(testbase)s/../../aux/btest:%(default_path)s
TEST_DIFF_CANONIFIER=%(testbase)s/Scripts/diff-canonifier
TRACES=%(testbase)s/Traces
SCRIPTS=%(testbase)s/../scripts
DIST=%(testbase)s/../..
BUILD=%(testbase)s/../../build
TEST_DIFF_CANONIFIER=$SCRIPTS/diff-canonifier


@ -0,0 +1,39 @@
# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT
# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
# @TEST-EXEC: btest-bg-wait -k 2
# @TEST-EXEC: btest-diff manager-1/.stdout
# @TEST-EXEC: btest-diff proxy-1/.stdout
# @TEST-EXEC: btest-diff proxy-2/.stdout
# @TEST-EXEC: btest-diff worker-1/.stdout
# @TEST-EXEC: btest-diff worker-2/.stdout
@TEST-START-FILE cluster-layout.bro
redef Cluster::nodes = {
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")],
["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1")],
["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1", $workers=set("worker-2")],
["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-2", $interface="eth1"],
["control"] = [$node_type=Cluster::CONTROL, $ip=127.0.0.1, $p=37762/tcp],
["time-machine"] = [$node_type=Cluster::TIME_MACHINE, $ip=127.0.0.1, $p=37763/tcp],
};
@TEST-END-FILE
@load frameworks/cluster
# Enable local logging on every node so that we can get the loaded_scripts log.
redef Log::enable_local_logging = T;
event remote_connection_handshake_done(p: event_peer)
{
local me = Cluster::nodes[Cluster::node];
if ( ( me$node_type == Cluster::MANAGER &&
|Communication::connected_peers| == 4 ) ||
( |Communication::connected_peers| == 2 ) )
{
print "Successfully connected to all of my peers";
}
}


@ -0,0 +1,29 @@
# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port_clear=65531/tcp
# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update
# @TEST-EXEC: btest-bg-run controller2 BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=shutdown
# @TEST-EXEC: btest-bg-wait 1
# @TEST-EXEC: btest-diff controllee/.stdout
@load frameworks/control
@load frameworks/communication
redef Communication::nodes = {
# We're waiting for connections from this host for control.
["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events],
};
const test_var = "ORIGINAL VALUE (this should be printed out first)" &redef;
@TEST-START-FILE test-redef.bro
redef test_var = "NEW VALUE (this should be printed out second)";
@TEST-END-FILE
event bro_init()
{
print test_var;
}
event bro_done()
{
print test_var;
}


@ -0,0 +1,26 @@
# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT only-for-controllee frameworks/control/controllee Communication::listen_port_clear=65532/tcp
# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65532/tcp Control::cmd=id_value Control::arg=test_var
# @TEST-EXEC: btest-bg-wait -k 1
# @TEST-EXEC: btest-diff controller/.stdout
@load frameworks/control
@load frameworks/communication
redef Communication::nodes = {
# We're waiting for connections from this host for control.
["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events],
};
# This value shouldn't ever be printed to the controllers stdout.
const test_var = "Original value" &redef;
@TEST-START-FILE only-for-controllee.bro
# This is only loaded on the controllee, but it's sent to the controller
# and should be printed there.
redef test_var = "This is the value from the controllee";
@TEST-END-FILE
event Control::id_value_response(id: string, val: string)
{
print fmt("Got an id_value_response(%s, %s) event", id, val);
}


@ -0,0 +1,11 @@
# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port_clear=65530/tcp
# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65530/tcp Control::cmd=shutdown
# @TEST-EXEC: btest-bg-wait 1
@load frameworks/control
@load frameworks/communication
redef Communication::nodes = {
# We're waiting for connections from this host for control.
["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events],
};


@ -1,7 +1,7 @@
# @TEST-EXEC: bro %INPUT > output
# @TEST-EXEC: btest-diff output
@load software
@load frameworks/software
global ts = network_time();
global host = 0.0.0.0;