diff --git a/CHANGES b/CHANGES index 429184c9fd..3b039e9835 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,173 @@ +2.1-beta | 2012-07-06 07:36:29 -0700 + + * Remove a non-portable test case. (Daniel Thayer) + + * Fix typos in input framework doc. (Daniel Thayer) + + * Fix typos in DataSeries documentation. (Daniel Thayer) + + * Bugfix making custom rotate functions work again. (Robin Sommer) + + * Tiny bugfix for returning writer name. (Robin Sommer) + + * Moving make target update-doc-sources from top-level Makefile to + btest Makefile. (Robin Sommer) + +2.0-733 | 2012-07-02 15:31:24 -0700 + + * Extending the input reader DoInit() API. (Bernhard Amann). It now + provides a Info struct similar to what we introduced for log + writers, including a corresponding "config" key/value table. + + * Fix to make writer-info work when debugging is enabled. (Bernhard + Amann) + +2.0-726 | 2012-07-02 15:19:15 -0700 + + * Extending the log writer DoInit() API. (Robin Sommer) + + We now pass in a Info struct that contains: + + - the path name (as before) + - the rotation interval + - the log_rotate_base_time in seconds + - a table of key/value pairs with further configuration options. + + To fill the table, log filters have a new field "config: table[string] + of strings". This gives a way to pass arbitrary values from + script-land to writers. Interpretation is left up to the writer. + + * Split calc_next_rotate() into two functions, one of which is + thread-safe and can be used with the log_rotate_base_time value + from DoInit(). + + * Updates to the None writer. (Robin Sommer) + + - It gets its own script writers/none.bro. + + - New bool option LogNone::debug to enable debug output. It then + prints out all the values passed to DoInit(). + + - Fixed a bug that prevented Bro from terminating. + +2.0-723 | 2012-07-02 15:02:56 -0700 + + * Extract ICMPv6 NDP options and include in ICMP events. This adds + a new parameter of type "icmp6_nd_options" to the ICMPv6 neighbor + discovery events. Addresses #833. (Jon Siwek) + + * Set input frontend type before starting the thread. This means + that the thread type will be output correctly in the error + message. (Bernhard Amann) + +2.0-719 | 2012-07-02 14:49:03 -0700 + + * Fix inconsistencies in random number generation. The + srand()/rand() interface was being intermixed with the + srandom()/random() one. The later is now used throughout. (Jon + Siwek) + + * Changed the srand() and rand() BIFs to work deterministically if + Bro was given a seed file. Addresses #825. (Jon Siwek) + + * Updating input framework unit tests to make them more reliable and + execute quicker. (Jon Siwek) + + * Fixed race condition in writer and reader initializations. (Jon + Siwek) + + * Small tweak to make test complete quicker. (Jon Siwek) + + * Drain events before terminating log/thread managers. (Jon Siwek) + + * Fix strict-aliasing warning in RemoteSerializer.cc. Addresses + #834. (Jon Siwek) + + * Fix typos in event documentation. (Daniel Thayer) + + * Fix typos in NEWS for Bro 2.1 beta. (Daniel Thayer) + +2.0-709 | 2012-06-21 10:14:24 -0700 + + * Fix exceptions thrown in event handlers preventing others from running. (Jon Siwek) + + * Add another SOCKS command. (Seth Hall) + + * Fixed some problems with the SOCKS analyzer and tests. (Seth Hall) + + * Updating NEWS in preparation for beta. (Robin Sommer) + + * Accepting different AF_INET6 values for loopback link headers. + (Robin Sommer) + +2.0-698 | 2012-06-20 14:30:40 -0700 + + * Updates for the SOCKS analyzer (Seth Hall). + + - A SOCKS log! + + - Now supports SOCKSv5 in the analyzer and the DPD sigs. + + - Added protocol violations. + + * Updates to the tunnels framework. (Seth Hall) + + - Make the uid field optional since it's conceptually incorrect + for proxies being treated as tunnels to have it. + + - Reordered two fields in the log. + + - Reduced the default tunnel expiration interface to something + more reasonable (1 hour). + + * Make Teredo bubble packet parsing more lenient. (Jon Siwek) + + * Fix a crash in NetSessions::ParseIPPacket(). (Jon Siwek) + +2.0-690 | 2012-06-18 16:01:33 -0700 + + * Support for decapsulating tunnels via the new tunnel framework in + base/frameworks/tunnels. + + Bro currently supports Teredo, AYIYA, IP-in-IP (both IPv4 and + IPv6), and SOCKS. For all these, it logs the outher tunnel + connections in both conn.log and tunnel.log, and proceeds to + analyze the inner payload as if it were not tunneled, including + also logging it in conn.log (with a new tunnel_parents column + pointing back to the outer connection(s)). (Jon Siwek, Seth Hall, + Gregor Maier) + + * The options "tunnel_port" and "parse_udp_tunnels" have been + removed. (Jon Siwek) + +2.0-623 | 2012-06-15 16:24:52 -0700 + + * Changing an error in the input framework to a warning. (Robin + Sommer) + +2.0-622 | 2012-06-15 15:38:43 -0700 + + * Input framework updates. (Bernhard Amann) + + - Disable streaming reads from executed commands. This lead to + hanging Bros because pclose apparently can wait for eternity if + things go wrong. + + - Automatically delete disabled input streams. + + - Documentation. + +2.0-614 | 2012-06-15 15:19:49 -0700 + + * Remove an old, unused diff canonifier. (Jon Siwek) + + * Improve an error message in ICMP analyzer. (Jon Siwek) + + * Fix a warning message when building docs. (Daniel Thayer) + + * Fix many errors in the event documentation. (Daniel Thayer) + 2.0-608 | 2012-06-11 15:59:00 -0700 * Add more error handling code to logging of enum vals. Addresses diff --git a/Makefile b/Makefile index 8633c736a4..455fa6ed88 100644 --- a/Makefile +++ b/Makefile @@ -41,9 +41,6 @@ broxygen: configured broxygenclean: configured $(MAKE) -C $(BUILD) $@ -update-doc-sources: - ./doc/scripts/genDocSourcesList.sh ./doc/scripts/DocSourcesList.cmake - dist: @rm -rf $(VERSION_FULL) $(VERSION_FULL).tgz @rm -rf $(VERSION_MIN) $(VERSION_MIN).tgz diff --git a/NEWS b/NEWS index 83f7c5bc8b..d9410e1c7c 100644 --- a/NEWS +++ b/NEWS @@ -3,13 +3,90 @@ Release Notes ============= This document summarizes the most important changes in the current Bro -release. For a complete list of changes, see the ``CHANGES`` file. +release. For a complete list of changes, see the ``CHANGES`` file +(note that submodules, such as BroControl and Broccoli, come with +their own CHANGES.) + +Bro 2.1 Beta +------------ + +New Functionality +~~~~~~~~~~~~~~~~~ + +- Bro now comes with extensive IPv6 support. Past versions offered + only basic IPv6 functionality that was rarely used in practice as it + had to be enabled explicitly. IPv6 support is now fully integrated + into all parts of Bro including protocol analysis and the scripting + language. It's on by default and no longer requires any special + configuration. + + Some of the most significant enhancements include support for IPv6 + fragment reassembly, support for following IPv6 extension header + chains, and support for tunnel decapsulation (6to4 and Teredo). The + DNS analyzer now handles AAAA records properly, and DNS lookups that + Bro itself performs now include AAAA queries, so that, for example, + the result returned by script-level lookups is a set that can + contain both IPv4 and IPv6 addresses. Support for the most common + ICMPv6 message types has been added. Also, the FTP EPSV and EPRT + commands are now handled properly. Internally, the way IP addresses + are stored has been improved, so Bro can handle both IPv4 + and IPv6 by default without any special configuration. + + In addition to Bro itself, the other Bro components have also been + made IPv6-aware by default. In particular, significant changes were + made to trace-summary, PySubnetTree, and Broccoli to support IPv6. + +- Bro now decapsulates tunnels via its new tunnel framework located in + scripts/base/frameworks/tunnels. It currently supports Teredo, + AYIYA, IP-in-IP (both IPv4 and IPv6), and SOCKS. For all these, it + logs the outer tunnel connections in both conn.log and tunnel.log, + and then proceeds to analyze the inner payload as if it were not + tunneled, including also logging that session in conn.log. For + SOCKS, it generates a new socks.log in addition with more + information. + +- Bro now features a flexible input framework that allows users to + integrate external information in real-time into Bro while it's + processing network traffic. The most direct use-case at the moment + is reading data from ASCII files into Bro tables, with updates + picked up automatically when the file changes during runtime. See + doc/input.rst for more information. + + Internally, the input framework is structured around the notion of + "reader plugins" that make it easy to interface to different data + sources. We will add more in the future. + +- Bro's default ASCII log format is not exactly the most efficient way + for storing and searching large volumes of data. An an alternative, + Bro now comes with experimental support for DataSeries output, an + efficient binary format for recording structured bulk data. + DataSeries is developed and maintained at HP Labs. See + doc/logging-dataseries for more information. + +- BroControl now has built-in support for host-based load-balancing + when using either PF_RING, Myricom cards, or individual interfaces. + Instead of adding a separate worker entry in node.cfg for each Bro + worker process on each worker host, it is now possible to just + specify the number of worker processes on each host and BroControl + configures everything correctly (including any neccessary enviroment + variables for the balancers). + + This change adds three new keywords to the node.cfg file (to be used + with worker entries): lb_procs (specifies number of workers on a + host), lb_method (specifies what type of load balancing to use: + pf_ring, myricom, or interfaces), and lb_interfaces (used only with + "lb_method=interfaces" to specify which interfaces to load-balance + on). -Bro 2.1 -------- +Changed Functionality +~~~~~~~~~~~~~~~~~~~~~ -- Dependencies: +The following summarizes the most important differences in existing +functionality. Note that this list is not complete, see CHANGES for +the full set. + +- Changes in dependencies: * Bro now requires CMake >= 2.6.3. @@ -17,8 +94,7 @@ Bro 2.1 configure time. Doing so can significantly improve memory and CPU use. -- Bro now supports IPv6 out of the box; the configure switch - --enable-brov6 is gone. +- The configure switch --enable-brov6 is gone. - DNS name lookups performed by Bro now also query AAAA records. The results of the A and AAAA queries for a given hostname are combined @@ -35,12 +111,12 @@ Bro 2.1 - The syntax for IPv6 literals changed from "2607:f8b0:4009:802::1012" to "[2607:f8b0:4009:802::1012]". -- Bro now spawn threads for doing its logging. From a user's +- Bro now spawns threads for doing its logging. From a user's perspective not much should change, except that the OS may now show a bunch of Bro threads. - We renamed the configure option --enable-perftools to - --enable-perftool-debug to indicate that the switch is only relevant + --enable-perftools-debug to indicate that the switch is only relevant for debugging the heap. - Bro's ICMP analyzer now handles both IPv4 and IPv6 messages with a @@ -50,8 +126,8 @@ Bro 2.1 - Log postprocessor scripts get an additional argument indicating the type of the log writer in use (e.g., "ascii"). -- BroControl's make-archive-name scripts also receives the writer - type, but as it's 2nd(!) argument. If you're using a custom version +- BroControl's make-archive-name script also receives the writer + type, but as its 2nd(!) argument. If you're using a custom version of that script, you need to adapt it. See the shipped version for details. @@ -60,7 +136,10 @@ Bro 2.1 signature_files constant, this can be used to load signatures relative to the current script (e.g., "@load-sigs ./foo.sig"). -TODO: Extend. +- The options "tunnel_port" and "parse_udp_tunnels" have been removed. + Bro now supports decapsulating tunnels directly for protocols it + understands. + Bro 2.0 ------- @@ -93,7 +172,7 @@ final release are: ASCII logger now respects to add a suffix to the log files it creates. - * The ASCII logs now include further header information, and + * The ASCII logs now include further header information, and fields set to an empty value are now logged as ``(empty)`` by default (instead of ``-``, which is already used for fields that are not set at all). diff --git a/VERSION b/VERSION index c6723b4d6c..0fb956a360 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0-608 +2.1-beta diff --git a/aux/binpac b/aux/binpac index b4094cb75e..4ad8d15b63 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit b4094cb75e0a7769123f7db1f5d73f3f9f1c3977 +Subproject commit 4ad8d15b6395925c9875c9d2912a6cc3b4918e0a diff --git a/aux/bro-aux b/aux/bro-aux index 2038e3de04..c691c01e9c 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 2038e3de042115c3caa706426e16c830c1fd1e9e +Subproject commit c691c01e9cefae5a79bcd4b0f84ca387c8c587a7 diff --git a/aux/broccoli b/aux/broccoli index 4e17842743..bd9d698f70 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 4e17842743fef8df6abf0588c7ca86c6937a2b6d +Subproject commit bd9d698f708908f7258211b534c91467d486983b diff --git a/aux/broctl b/aux/broctl index 892b60edb9..6bfc0bfae0 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 892b60edb967bb456872638f22ba994e84530137 +Subproject commit 6bfc0bfae0406deddf207475582bf7a17f1787af diff --git a/aux/btest b/aux/btest index 4697bf4c80..44441a6c91 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 4697bf4c8046a3ab7d5e00e926c5db883cb44664 +Subproject commit 44441a6c912c7c9f8d4771e042306ec5f44e461d diff --git a/config.h.in b/config.h.in index aa286736fd..2d065f755e 100644 --- a/config.h.in +++ b/config.h.in @@ -171,6 +171,10 @@ #ifndef HAVE_IPPROTO_IPV6 #define IPPROTO_IPV6 41 #endif +#cmakedefine HAVE_IPPROTO_IPV4 +#ifndef HAVE_IPPROTO_IPV4 +#define IPPROTO_IPV4 4 +#endif #cmakedefine HAVE_IPPROTO_ROUTING #ifndef HAVE_IPPROTO_ROUTING #define IPPROTO_ROUTING 43 diff --git a/doc/input.rst b/doc/input.rst index d9fe8aa6b8..6a089c0635 100644 --- a/doc/input.rst +++ b/doc/input.rst @@ -1,183 +1,407 @@ -===================== -Loading Data into Bro -===================== +============================================== +Loading Data into Bro with the Input Framework +============================================== .. rst-class:: opening - Bro comes with a flexible input interface that allows to read - previously stored data. Data is either read into bro tables or - sent to scripts using events. - This document describes how the input framework can be used. + Bro now features a flexible input framework that allows users + to import data into Bro. Data is either read into Bro tables or + converted to events which can then be handled by scripts. + This document gives an overview of how to use the input framework + with some examples. For more complex scenarios it is + worthwhile to take a look at the unit tests in + ``testing/btest/scripts/base/frameworks/input/``. .. contents:: -Terminology -=========== +Reading Data into Tables +======================== -Bro's input framework is built around three main abstracts, that are -very similar to the abstracts used in the logging framework: +Probably the most interesting use-case of the input framework is to +read data into a Bro table. - Input Streams - An input stream corresponds to a single input source - (usually a textfile). It defined the information necessary - to find the source (e.g. the filename), the reader that it used - to get data from it (see below). - It also defines exactly what data is read from the input source. - There are two different kind of streams, event streams and table - streams. - By default, event streams generate an event for each line read - from the input source. - Table streams on the other hand read the input source in a bro - table for easy later access. +By default, the input framework reads the data in the same format +as it is written by the logging framework in Bro - a tab-separated +ASCII file. - Readers - A reader defines the input format for the specific input stream. - At the moment, Bro comes with two types of reader. The default reader is READER_ASCII, - which can read the tab seperated ASCII logfiles that were generated by the - logging framework. - READER_RAW can files containing records separated by a character(like e.g. newline) and send - one event per line. +We will show the ways to read files into Bro with a simple example. +For this example we assume that we want to import data from a blacklist +that contains server IP addresses as well as the timestamp and the reason +for the block. +An example input file could look like this: -Event Streams -============= +:: -For examples, please look at the unit tests in -``testing/btest/scripts/base/frameworks/input/``. + #fields ip timestamp reason + 192.168.17.1 1333252748 Malware host + 192.168.27.2 1330235733 Botnet server + 192.168.250.3 1333145108 Virus detected -Event Streams are streams that generate an event for each line in of the input source. +To read a file into a Bro table, two record types have to be defined. +One contains the types and names of the columns that should constitute the +table keys and the second contains the types and names of the columns that +should constitute the table values. -For example, a simple stream retrieving the fields ``i`` and ``b`` from an inputSource -could be defined as follows: +In our case, we want to be able to lookup IPs. Hence, our key record +only contains the server IP. All other elements should be stored as +the table content. + +The two records are defined as: .. code:: bro - type Val: record { - i: int; - b: bool; + type Idx: record { + ip: addr; }; - event line(description: Input::EventDescription, tpe: Input::Event, i: int, b: bool) { - # work with event data - } - - event bro_init { - Input::add_event([$source="input.log", $name="input", $fields=Val, $ev=line]); + type Val: record { + timestamp: time; + reason: string; + }; + +Note that the names of the fields in the record definitions have to correspond +to the column names listed in the '#fields' line of the log file, in this +case 'ip', 'timestamp', and 'reason'. + +The log file is read into the table with a simple call of the ``add_table`` +function: + +.. code:: bro + + global blacklist: table[addr] of Val = table(); + + Input::add_table([$source="blacklist.file", $name="blacklist", $idx=Idx, $val=Val, $destination=blacklist]); + Input::remove("blacklist"); + +With these three lines we first create an empty table that should contain the +blacklist data and then instruct the input framework to open an input stream +named ``blacklist`` to read the data into the table. The third line removes the +input stream again, because we do not need it any more after the data has been +read. + +Because some data files can - potentially - be rather big, the input framework +works asynchronously. A new thread is created for each new input stream. +This thread opens the input data file, converts the data into a Bro format and +sends it back to the main Bro thread. + +Because of this, the data is not immediately accessible. Depending on the +size of the data source it might take from a few milliseconds up to a few +seconds until all data is present in the table. Please note that this means +that when Bro is running without an input source or on very short captured +files, it might terminate before the data is present in the system (because +Bro already handled all packets before the import thread finished). + +Subsequent calls to an input source are queued until the previous action has +been completed. Because of this, it is, for example, possible to call +``add_table`` and ``remove`` in two subsequent lines: the ``remove`` action +will remain queued until the first read has been completed. + +Once the input framework finishes reading from a data source, it fires +the ``update_finished`` event. Once this event has been received all data +from the input file is available in the table. + +.. code:: bro + + event Input::update_finished(name: string, source: string) { + # now all data is in the table + print blacklist; } -The fields that can be set for an event stream are: +The table can also already be used while the data is still being read - it +just might not contain all lines in the input file when the event has not +yet fired. After it has been populated it can be used like any other Bro +table and blacklist entries can easily be tested: - ``want_record`` - Boolean value, that defines if the event wants to receive the fields inside of - a single record value, or individually (default). +.. code:: bro + + if ( 192.168.18.12 in blacklist ) + # take action + + +Re-reading and streaming data +----------------------------- + +For many data sources, like for many blacklists, the source data is continually +changing. For these cases, the Bro input framework supports several ways to +deal with changing data files. + +The first, very basic method is an explicit refresh of an input stream. When +an input stream is open, the function ``force_update`` can be called. This +will trigger a complete refresh of the table; any changed elements from the +file will be updated. After the update is finished the ``update_finished`` +event will be raised. + +In our example the call would look like: + +.. code:: bro + + Input::force_update("blacklist"); + +The input framework also supports two automatic refresh modes. The first mode +continually checks if a file has been changed. If the file has been changed, it +is re-read and the data in the Bro table is updated to reflect the current +state. Each time a change has been detected and all the new data has been +read into the table, the ``update_finished`` event is raised. + +The second mode is a streaming mode. This mode assumes that the source data +file is an append-only file to which new data is continually appended. Bro +continually checks for new data at the end of the file and will add the new +data to the table. If newer lines in the file have the same index as previous +lines, they will overwrite the values in the output table. Because of the +nature of streaming reads (data is continually added to the table), +the ``update_finished`` event is never raised when using streaming reads. + +The reading mode can be selected by setting the ``mode`` option of the +add_table call. Valid values are ``MANUAL`` (the default), ``REREAD`` +and ``STREAM``. + +Hence, when adding ``$mode=Input::REREAD`` to the previous example, the +blacklist table will always reflect the state of the blacklist input file. + +.. code:: bro + + Input::add_table([$source="blacklist.file", $name="blacklist", $idx=Idx, $val=Val, $destination=blacklist, $mode=Input::REREAD]); + +Receiving change events +----------------------- + +When re-reading files, it might be interesting to know exactly which lines in +the source files have changed. + +For this reason, the input framework can raise an event each time when a data +item is added to, removed from or changed in a table. + +The event definition looks like this: + +.. code:: bro + + event entry(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val) { + # act on values + } + +The event has to be specified in ``$ev`` in the ``add_table`` call: + +.. code:: bro + + Input::add_table([$source="blacklist.file", $name="blacklist", $idx=Idx, $val=Val, $destination=blacklist, $mode=Input::REREAD, $ev=entry]); + +The ``description`` field of the event contains the arguments that were +originally supplied to the add_table call. Hence, the name of the stream can, +for example, be accessed with ``description$name``. ``tpe`` is an enum +containing the type of the change that occurred. + +If a line that was not previously present in the table has been added, +then ``tpe`` will contain ``Input::EVENT_NEW``. In this case ``left`` contains +the index of the added table entry and ``right`` contains the values of the +added entry. + +If a table entry that already was present is altered during the re-reading or +streaming read of a file, ``tpe`` will contain ``Input::EVENT_CHANGED``. In +this case ``left`` contains the index of the changed table entry and ``right`` +contains the values of the entry before the change. The reason for this is +that the table already has been updated when the event is raised. The current +value in the table can be ascertained by looking up the current table value. +Hence it is possible to compare the new and the old values of the table. + +If a table element is removed because it was no longer present during a +re-read, then ``tpe`` will contain ``Input::REMOVED``. In this case ``left`` +contains the index and ``right`` the values of the removed element. + + +Filtering data during import +---------------------------- + +The input framework also allows a user to filter the data during the import. +To this end, predicate functions are used. A predicate function is called +before a new element is added/changed/removed from a table. The predicate +can either accept or veto the change by returning true for an accepted +change and false for a rejected change. Furthermore, it can alter the data +before it is written to the table. + +The following example filter will reject to add entries to the table when +they were generated over a month ago. It will accept all changes and all +removals of values that are already present in the table. + +.. code:: bro + + Input::add_table([$source="blacklist.file", $name="blacklist", $idx=Idx, $val=Val, $destination=blacklist, $mode=Input::REREAD, + $pred(typ: Input::Event, left: Idx, right: Val) = { + if ( typ != Input::EVENT_NEW ) { + return T; + } + return ( ( current_time() - right$timestamp ) < (30 day) ); + }]); + +To change elements while they are being imported, the predicate function can +manipulate ``left`` and ``right``. Note that predicate functions are called +before the change is committed to the table. Hence, when a table element is +changed (``tpe`` is ``INPUT::EVENT_CHANGED``), ``left`` and ``right`` +contain the new values, but the destination (``blacklist`` in our example) +still contains the old values. This allows predicate functions to examine +the changes between the old and the new version before deciding if they +should be allowed. + +Different readers +----------------- + +The input framework supports different kinds of readers for different kinds +of source data files. At the moment, the default reader reads ASCII files +formatted in the Bro log file format (tab-separated values). At the moment, +Bro comes with two other readers. The ``RAW`` reader reads a file that is +split by a specified record separator (usually newline). The contents are +returned line-by-line as strings; it can, for example, be used to read +configuration files and the like and is probably +only useful in the event mode and not for reading data to tables. + +Another included reader is the ``BENCHMARK`` reader, which is being used +to optimize the speed of the input framework. It can generate arbitrary +amounts of semi-random data in all Bro data types supported by the input +framework. + +In the future, the input framework will get support for new data sources +like, for example, different databases. + +Add_table options +----------------- + +This section lists all possible options that can be used for the add_table +function and gives a short explanation of their use. Most of the options +already have been discussed in the previous sections. + +The possible fields that can be set for a table stream are: ``source`` A mandatory string identifying the source of the data. For the ASCII reader this is the filename. + ``name`` + A mandatory name for the filter that can later be used + to manipulate it further. + + ``idx`` + Record type that defines the index of the table. + + ``val`` + Record type that defines the values of the table. + ``reader`` The reader used for this stream. Default is ``READER_ASCII``. ``mode`` - The mode in which the stream is opened. Possible values are ``MANUAL``, ``REREAD`` and ``STREAM``. - Default is ``MANUAL``. - ``MANUAL`` means, that the files is not updated after it has been read. Changes to the file will not - be reflected in the data bro knows. - ``REREAD`` means that the whole file is read again each time a change is found. This should be used for - files that are mapped to a table where individual lines can change. - ``STREAM`` means that the data from the file is streamed. Events / table entries will be generated as new - data is added to the file. + The mode in which the stream is opened. Possible values are + ``MANUAL``, ``REREAD`` and ``STREAM``. Default is ``MANUAL``. + ``MANUAL`` means that the file is not updated after it has + been read. Changes to the file will not be reflected in the + data Bro knows. ``REREAD`` means that the whole file is read + again each time a change is found. This should be used for + files that are mapped to a table where individual lines can + change. ``STREAM`` means that the data from the file is + streamed. Events / table entries will be generated as new + data is appended to the file. + + ``destination`` + The destination table. + + ``ev`` + Optional event that is raised, when values are added to, + changed in, or deleted from the table. Events are passed an + Input::Event description as the first argument, the index + record as the second argument and the values as the third + argument. + + ``pred`` + Optional predicate, that can prevent entries from being added + to the table and events from being sent. + + ``want_record`` + Boolean value, that defines if the event wants to receive the + fields inside of a single record value, or individually + (default). This can be used if ``val`` is a record + containing only one type. In this case, if ``want_record`` is + set to false, the table will contain elements of the type + contained in ``val``. + +Reading Data to Events +====================== + +The second supported mode of the input framework is reading data to Bro +events instead of reading them to a table using event streams. + +Event streams work very similarly to table streams that were already +discussed in much detail. To read the blacklist of the previous example +into an event stream, the following Bro code could be used: + +.. code:: bro + + type Val: record { + ip: addr; + timestamp: time; + reason: string; + }; + + event blacklistentry(description: Input::EventDescription, tpe: Input::Event, ip: addr, timestamp: time, reason: string) { + # work with event data + } + + event bro_init() { + Input::add_event([$source="blacklist.file", $name="blacklist", $fields=Val, $ev=blacklistentry]); + } + + +The main difference in the declaration of the event stream is, that an event +stream needs no separate index and value declarations -- instead, all source +data types are provided in a single record definition. + +Apart from this, event streams work exactly the same as table streams and +support most of the options that are also supported for table streams. + +The options that can be set when creating an event stream with +``add_event`` are: + + ``source`` + A mandatory string identifying the source of the data. + For the ASCII reader this is the filename. ``name`` A mandatory name for the stream that can later be used to remove it. ``fields`` - Name of a record type containing the fields, which should be retrieved from - the input stream. + Name of a record type containing the fields, which should be + retrieved from the input stream. ``ev`` - The event which is fired, after a line has been read from the input source. - The first argument that is passed to the event is an Input::Event structure, - followed by the data, either inside of a record (if ``want_record is set``) or as - individual fields. - The Input::Event structure can contain information, if the received line is ``NEW``, has - been ``CHANGED`` or ``DELETED``. Singe the ascii reader cannot track this information - for event filters, the value is always ``NEW`` at the moment. + The event which is fired, after a line has been read from the + input source. The first argument that is passed to the event + is an Input::Event structure, followed by the data, either + inside of a record (if ``want_record is set``) or as + individual fields. The Input::Event structure can contain + information, if the received line is ``NEW``, has been + ``CHANGED`` or ``DELETED``. Since the ASCII reader cannot + track this information for event filters, the value is + always ``NEW`` at the moment. - - -Table Streams -============= - -Table streams are the second, more complex type of input streams. - -Table streams store the information they read from an input source in a bro table. For example, -when reading a file that contains ip addresses and connection attemt information one could use -an approach similar to this: - -.. code:: bro - - type Idx: record { - a: addr; - }; - - type Val: record { - tries: count; - }; - - global conn_attempts: table[addr] of count = table(); - - event bro_init { - Input::add_table([$source="input.txt", $name="input", $idx=Idx, $val=Val, $destination=conn_attempts]); - } - -The table conn_attempts will then contain the information about connection attemps. - -The possible fields that can be set for an table stream are: - - ``want_record`` - Boolean value, that defines if the event wants to receive the fields inside of - a single record value, or individually (default). - - ``source`` - A mandatory string identifying the source of the data. - For the ASCII reader this is the filename. + ``mode`` + The mode in which the stream is opened. Possible values are + ``MANUAL``, ``REREAD`` and ``STREAM``. Default is ``MANUAL``. + ``MANUAL`` means that the file is not updated after it has + been read. Changes to the file will not be reflected in the + data Bro knows. ``REREAD`` means that the whole file is read + again each time a change is found. This should be used for + files that are mapped to a table where individual lines can + change. ``STREAM`` means that the data from the file is + streamed. Events / table entries will be generated as new + data is appended to the file. ``reader`` The reader used for this stream. Default is ``READER_ASCII``. - ``mode`` - The mode in which the stream is opened. Possible values are ``MANUAL``, ``REREAD`` and ``STREAM``. - Default is ``MANUAL``. - ``MANUAL`` means, that the files is not updated after it has been read. Changes to the file will not - be reflected in the data bro knows. - ``REREAD`` means that the whole file is read again each time a change is found. This should be used for - files that are mapped to a table where individual lines can change. - ``STREAM`` means that the data from the file is streamed. Events / table entries will be generated as new - data is added to the file. - - ``name`` - A mandatory name for the filter that can later be used - to manipulate it further. - - ``idx`` - Record type that defines the index of the table - - ``val`` - Record type that defines the values of the table - ``want_record`` - Defines if the values of the table should be stored as a record (default), - or as a simple value. Has to be set if Val contains more than one element. + Boolean value, that defines if the event wants to receive the + fields inside of a single record value, or individually + (default). If this is set to true, the event will receive a + single record of the type provided in ``fields``. - ``destination`` - The destination table - ``ev`` - Optional event that is raised, when values are added to, changed in or deleted from the table. - Events are passed an Input::Event description as the first argument, the index record as the second argument - and the values as the third argument. - ``pred`` - Optional predicate, that can prevent entries from being added to the table and events from being sent. diff --git a/doc/logging-dataseries.rst b/doc/logging-dataseries.rst index 554600f055..139a13f813 100644 --- a/doc/logging-dataseries.rst +++ b/doc/logging-dataseries.rst @@ -21,7 +21,7 @@ To use DataSeries, its libraries must be available at compile-time, along with the supporting *Lintel* package. Generally, both are distributed on `HP Labs' web site `_. Currently, however, you need -to use recent developments versions for both packages, which you can +to use recent development versions for both packages, which you can download from github like this:: git clone http://github.com/dataseries/Lintel @@ -76,7 +76,7 @@ tools, which its installation process installs into ``/bin``. For example, to convert a file back into an ASCII representation:: $ ds2txt conn.log - [... We skip a bunch of meta data here ...] + [... We skip a bunch of metadata here ...] ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes 1300475167.096535 CRCC5OdDlXe 141.142.220.202 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 73 0 0 1300475167.097012 o7XBsfvo3U1 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0.000000 0 0 S0 F 0 D 1 199 0 0 @@ -86,13 +86,13 @@ For example, to convert a file back into an ASCII representation:: 1300475168.854837 k6T92WxgNAh 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF F 0 Dd 1 66 1 211 [...] -(``--skip-all`` suppresses the meta data.) +(``--skip-all`` suppresses the metadata.) Note that the ASCII conversion is *not* equivalent to Bro's default output format. You can also switch only individual files over to DataSeries by adding -code like this to your ``local.bro``:: +code like this to your ``local.bro``: .. code:: bro @@ -109,7 +109,7 @@ Bro's DataSeries writer comes with a few tuning options, see Working with DataSeries ======================= -Here are few examples of using DataSeries command line tools to work +Here are a few examples of using DataSeries command line tools to work with the output files. * Printing CSV:: @@ -147,7 +147,7 @@ with the output files. * Calculate some statistics: - Mean/stdev/min/max over a column:: + Mean/stddev/min/max over a column:: $ dsstatgroupby '*' basic duration from conn.ds # Begin DSStatGroupByModule @@ -158,7 +158,7 @@ with the output files. Quantiles of total connection volume:: - > dsstatgroupby '*' quantile 'orig_bytes + resp_bytes' from conn.ds + $ dsstatgroupby '*' quantile 'orig_bytes + resp_bytes' from conn.ds [...] 2159 data points, mean 24616 +- 343295 [0,1.26615e+07] quantiles about every 216 data points: @@ -166,7 +166,7 @@ with the output files. tails: 90%: 1469, 95%: 7302, 99%: 242629, 99.5%: 1226262 [...] -The ``man`` pages for these tool show further options, and their +The ``man`` pages for these tools show further options, and their ``-h`` option gives some more information (either can be a bit cryptic unfortunately though). @@ -175,7 +175,7 @@ Deficiencies Due to limitations of the DataSeries format, one cannot inspect its files before they have been fully written. In other words, when using -DataSeries, it's currently it's not possible to inspect the live log +DataSeries, it's currently not possible to inspect the live log files inside the spool directory before they are rotated to their final location. It seems that this could be fixed with some effort, and we will work with DataSeries development team on that if the diff --git a/doc/logging.rst b/doc/logging.rst index 384996c28a..cc6cb1e54d 100644 --- a/doc/logging.rst +++ b/doc/logging.rst @@ -377,7 +377,7 @@ uncommon to need to delete that data before the end of the connection. Other Writers ------------- -Bro support the following output formats other than ASCII: +Bro supports the following output formats other than ASCII: .. toctree:: :maxdepth: 1 diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 4c01dc73e5..c5eb3d724b 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -42,6 +42,7 @@ rest_target(${psd} base/frameworks/logging/postprocessors/scp.bro) rest_target(${psd} base/frameworks/logging/postprocessors/sftp.bro) rest_target(${psd} base/frameworks/logging/writers/ascii.bro) rest_target(${psd} base/frameworks/logging/writers/dataseries.bro) +rest_target(${psd} base/frameworks/logging/writers/none.bro) rest_target(${psd} base/frameworks/metrics/cluster.bro) rest_target(${psd} base/frameworks/metrics/main.bro) rest_target(${psd} base/frameworks/metrics/non-cluster.bro) @@ -59,6 +60,7 @@ rest_target(${psd} base/frameworks/packet-filter/netstats.bro) rest_target(${psd} base/frameworks/reporter/main.bro) rest_target(${psd} base/frameworks/signatures/main.bro) rest_target(${psd} base/frameworks/software/main.bro) +rest_target(${psd} base/frameworks/tunnels/main.bro) rest_target(${psd} base/protocols/conn/contents.bro) rest_target(${psd} base/protocols/conn/inactivity.bro) rest_target(${psd} base/protocols/conn/main.bro) @@ -77,6 +79,8 @@ rest_target(${psd} base/protocols/irc/main.bro) rest_target(${psd} base/protocols/smtp/entities-excerpt.bro) rest_target(${psd} base/protocols/smtp/entities.bro) rest_target(${psd} base/protocols/smtp/main.bro) +rest_target(${psd} base/protocols/socks/consts.bro) +rest_target(${psd} base/protocols/socks/main.bro) rest_target(${psd} base/protocols/ssh/main.bro) rest_target(${psd} base/protocols/ssl/consts.bro) rest_target(${psd} base/protocols/ssl/main.bro) diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro index b9b15bfd22..ceae357f78 100644 --- a/scripts/base/frameworks/communication/main.bro +++ b/scripts/base/frameworks/communication/main.bro @@ -11,7 +11,8 @@ export { ## The communication logging stream identifier. redef enum Log::ID += { LOG }; - ## Which interface to listen on (``0.0.0.0`` or ``[::]`` are wildcards). + ## Which interface to listen on. The addresses ``0.0.0.0`` and ``[::]`` + ## are wildcards. const listen_interface = 0.0.0.0 &redef; ## Which port to listen on. diff --git a/scripts/base/frameworks/dpd/dpd.sig b/scripts/base/frameworks/dpd/dpd.sig index adda0ce54e..49e24cefc6 100644 --- a/scripts/base/frameworks/dpd/dpd.sig +++ b/scripts/base/frameworks/dpd/dpd.sig @@ -149,3 +149,64 @@ signature dpd_ssl_client { payload /^(\x16\x03[\x00\x01\x02]..\x01...\x03[\x00\x01\x02]|...?\x01[\x00\x01\x02][\x02\x03]).*/ tcp-state originator } + +signature dpd_ayiya { + ip-proto = udp + payload /^..\x11\x29/ + enable "ayiya" +} + +signature dpd_teredo { + ip-proto = udp + payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f])/ + enable "teredo" +} + +signature dpd_socks4_client { + ip-proto == tcp + # '32' is a rather arbitrary max length for the user name. + payload /^\x04[\x01\x02].{0,32}\x00/ + tcp-state originator +} + +signature dpd_socks4_server { + ip-proto == tcp + requires-reverse-signature dpd_socks4_client + payload /^\x00[\x5a\x5b\x5c\x5d]/ + tcp-state responder + enable "socks" +} + +signature dpd_socks4_reverse_client { + ip-proto == tcp + # '32' is a rather arbitrary max length for the user name. + payload /^\x04[\x01\x02].{0,32}\x00/ + tcp-state responder +} + +signature dpd_socks4_reverse_server { + ip-proto == tcp + requires-reverse-signature dpd_socks4_reverse_client + payload /^\x00[\x5a\x5b\x5c\x5d]/ + tcp-state originator + enable "socks" +} + +signature dpd_socks5_client { + ip-proto == tcp + # Watch for a few authentication methods to reduce false positives. + payload /^\x05.[\x00\x01\x02]/ + tcp-state originator +} + +signature dpd_socks5_server { + ip-proto == tcp + requires-reverse-signature dpd_socks5_client + # Watch for a single authentication method to be chosen by the server or + # the server to indicate the no authentication is required. + payload /^\x05(\x00|\x01[\x00\x01\x02])/ + tcp-state responder + enable "socks" +} + + diff --git a/scripts/base/frameworks/input/main.bro b/scripts/base/frameworks/input/main.bro index f5df72473f..c31f92dba5 100644 --- a/scripts/base/frameworks/input/main.bro +++ b/scripts/base/frameworks/input/main.bro @@ -53,6 +53,11 @@ export { ## really be executed. Parameters are the same as for the event. If true is ## returned, the update is performed. If false is returned, it is skipped. pred: function(typ: Input::Event, left: any, right: any): bool &optional; + + ## A key/value table that will be passed on the reader. + ## Interpretation of the values is left to the writer, but + ## usually they will be used for configuration purposes. + config: table[string] of string &default=table(); }; ## EventFilter description type used for the `event` method. @@ -85,6 +90,10 @@ export { ## The event will receive an Input::Event enum as the first element, and the fields as the following arguments. ev: any; + ## A key/value table that will be passed on the reader. + ## Interpretation of the values is left to the writer, but + ## usually they will be used for configuration purposes. + config: table[string] of string &default=table(); }; ## Create a new table input from a given source. Returns true on success. diff --git a/scripts/base/frameworks/logging/__load__.bro b/scripts/base/frameworks/logging/__load__.bro index 7dafc45397..2c2a6d2f59 100644 --- a/scripts/base/frameworks/logging/__load__.bro +++ b/scripts/base/frameworks/logging/__load__.bro @@ -2,4 +2,4 @@ @load ./postprocessors @load ./writers/ascii @load ./writers/dataseries -@load ./writers/elasticsearch \ No newline at end of file +@load ./writers/elasticsearch@load ./writers/none diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index bec5f31dc6..cc0d341605 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -138,6 +138,11 @@ export { ## Callback function to trigger for rotated files. If not set, the ## default comes out of :bro:id:`Log::default_rotation_postprocessors`. postprocessor: function(info: RotationInfo) : bool &optional; + + ## A key/value table that will be passed on to the writer. + ## Interpretation of the values is left to the writer, but + ## usually they will be used for configuration purposes. + config: table[string] of string &default=table(); }; ## Sentinel value for indicating that a filter was not found when looked up. @@ -327,6 +332,8 @@ function __default_rotation_postprocessor(info: RotationInfo) : bool { if ( info$writer in default_rotation_postprocessors ) return default_rotation_postprocessors[info$writer](info); + + return F; } function default_path_func(id: ID, path: string, rec: any) : string diff --git a/scripts/base/frameworks/logging/writers/none.bro b/scripts/base/frameworks/logging/writers/none.bro new file mode 100644 index 0000000000..869d7246c7 --- /dev/null +++ b/scripts/base/frameworks/logging/writers/none.bro @@ -0,0 +1,17 @@ +##! Interface for the None log writer. Thiis writer is mainly for debugging. + +module LogNone; + +export { + ## If true, output debugging output that can be useful for unit + ## testing the logging framework. + const debug = F &redef; +} + +function default_rotation_postprocessor_func(info: Log::RotationInfo) : bool + { + return T; + } + +redef Log::default_rotation_postprocessors += { [Log::WRITER_NONE] = default_rotation_postprocessor_func }; + diff --git a/scripts/base/frameworks/tunnels/__load__.bro b/scripts/base/frameworks/tunnels/__load__.bro new file mode 100644 index 0000000000..a10fe855df --- /dev/null +++ b/scripts/base/frameworks/tunnels/__load__.bro @@ -0,0 +1 @@ +@load ./main diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro new file mode 100644 index 0000000000..0861559558 --- /dev/null +++ b/scripts/base/frameworks/tunnels/main.bro @@ -0,0 +1,149 @@ +##! This script handles the tracking/logging of tunnels (e.g. Teredo, +##! AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6). +##! +##! For any connection that occurs over a tunnel, information about its +##! encapsulating tunnels is also found in the *tunnel* field of +##! :bro:type:`connection`. + +module Tunnel; + +export { + ## The tunnel logging stream identifier. + redef enum Log::ID += { LOG }; + + ## Types of interesting activity that can occur with a tunnel. + type Action: enum { + ## A new tunnel (encapsulating "connection") has been seen. + DISCOVER, + ## A tunnel connection has closed. + CLOSE, + ## No new connections over a tunnel happened in the amount of + ## time indicated by :bro:see:`Tunnel::expiration_interval`. + EXPIRE, + }; + + ## The record type which contains column fields of the tunnel log. + type Info: record { + ## Time at which some tunnel activity occurred. + ts: time &log; + ## The unique identifier for the tunnel, which may correspond + ## to a :bro:type:`connection`'s *uid* field for non-IP-in-IP tunnels. + ## This is optional because there could be numerous connections + ## for payload proxies like SOCKS but we should treat it as a single + ## tunnel. + uid: string &log &optional; + ## The tunnel "connection" 4-tuple of endpoint addresses/ports. + ## For an IP tunnel, the ports will be 0. + id: conn_id &log; + ## The type of tunnel. + tunnel_type: Tunnel::Type &log; + ## The type of activity that occurred. + action: Action &log; + }; + + ## Logs all tunnels in an encapsulation chain with action + ## :bro:see:`Tunnel::DISCOVER` that aren't already in the + ## :bro:id:`Tunnel::active` table and adds them if not. + global register_all: function(ecv: EncapsulatingConnVector); + + ## Logs a single tunnel "connection" with action + ## :bro:see:`Tunnel::DISCOVER` if it's not already in the + ## :bro:id:`Tunnel::active` table and adds it if not. + global register: function(ec: EncapsulatingConn); + + ## Logs a single tunnel "connection" with action + ## :bro:see:`Tunnel::EXPIRE` and removes it from the + ## :bro:id:`Tunnel::active` table. + ## + ## t: A table of tunnels. + ## + ## idx: The index of the tunnel table corresponding to the tunnel to expire. + ## + ## Returns: 0secs, which when this function is used as an + ## :bro:attr:`&expire_func`, indicates to remove the element at + ## *idx* immediately. + global expire: function(t: table[conn_id] of Info, idx: conn_id): interval; + + ## Removes a single tunnel from the :bro:id:`Tunnel::active` table + ## and logs the closing/expiration of the tunnel. + ## + ## tunnel: The tunnel which has closed or expired. + ## + ## action: The specific reason for the tunnel ending. + global close: function(tunnel: Info, action: Action); + + ## The amount of time a tunnel is not used in establishment of new + ## connections before it is considered inactive/expired. + const expiration_interval = 1hrs &redef; + + ## Currently active tunnels. That is, tunnels for which new, encapsulated + ## connections have been seen in the interval indicated by + ## :bro:see:`Tunnel::expiration_interval`. + global active: table[conn_id] of Info = table() &read_expire=expiration_interval &expire_func=expire; +} + +const ayiya_ports = { 5072/udp }; +redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] }; + +const teredo_ports = { 3544/udp }; +redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] }; + +redef likely_server_ports += { ayiya_ports, teredo_ports }; + +event bro_init() &priority=5 + { + Log::create_stream(Tunnel::LOG, [$columns=Info]); + } + +function register_all(ecv: EncapsulatingConnVector) + { + for ( i in ecv ) + register(ecv[i]); + } + +function register(ec: EncapsulatingConn) + { + if ( ec$cid !in active ) + { + local tunnel: Info; + tunnel$ts = network_time(); + if ( ec?$uid ) + tunnel$uid = ec$uid; + tunnel$id = ec$cid; + tunnel$action = DISCOVER; + tunnel$tunnel_type = ec$tunnel_type; + active[ec$cid] = tunnel; + Log::write(LOG, tunnel); + } + } + +function close(tunnel: Info, action: Action) + { + tunnel$action = action; + tunnel$ts = network_time(); + Log::write(LOG, tunnel); + delete active[tunnel$id]; + } + +function expire(t: table[conn_id] of Info, idx: conn_id): interval + { + close(t[idx], EXPIRE); + return 0secs; + } + +event new_connection(c: connection) &priority=5 + { + if ( c?$tunnel ) + register_all(c$tunnel); + } + +event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5 + { + register_all(e); + } + +event connection_state_remove(c: connection) &priority=-5 + { + if ( c$id in active ) + close(active[c$id], CLOSE); + } diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 701c2f8fce..ec75c76beb 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -115,6 +115,61 @@ type icmp_context: record { DF: bool; ##< True if the packets *don't fragment* flag is set. }; +## Values extracted from a Prefix Information option in an ICMPv6 neighbor +## discovery message as specified by :rfc:`4861`. +## +## .. bro:see:: icmp6_nd_option +type icmp6_nd_prefix_info: record { + ## Number of leading bits of the *prefix* that are valid. + prefix_len: count; + ## Flag indicating the prefix can be used for on-link determination. + L_flag: bool; + ## Autonomous address-configuration flag. + A_flag: bool; + ## Length of time in seconds that the prefix is valid for purpose of + ## on-link determination (0xffffffff represents infinity). + valid_lifetime: interval; + ## Length of time in seconds that the addresses generated from the prefix + ## via stateless address autoconfiguration remain preferred + ## (0xffffffff represents infinity). + preferred_lifetime: interval; + ## An IP address or prefix of an IP address. Use the *prefix_len* field + ## to convert this into a :bro:type:`subnet`. + prefix: addr; +}; + +## Options extracted from ICMPv6 neighbor discovery messages as specified +## by :rfc:`4861`. +## +## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## icmp_neighbor_advertisement icmp_neighbor_solicitation icmp_redirect +## icmp6_nd_options +type icmp6_nd_option: record { + ## 8-bit identifier of the type of option. + otype: count; + ## 8-bit integer representing the length of the option (including the type + ## and length fields) in units of 8 octets. + len: count; + ## Source Link-Layer Address (Type 1) or Target Link-Layer Address (Type 2). + ## Byte ordering of this is dependent on the actual link-layer. + link_address: string &optional; + ## Prefix Information (Type 3). + prefix: icmp6_nd_prefix_info &optional; + ## Redirected header (Type 4). This field contains the context of the + ## original, redirected packet. + redirect: icmp_context &optional; + ## Recommended MTU for the link (Type 5). + mtu: count &optional; + ## The raw data of the option (everything after type & length fields), + ## useful for unknown option types or when the full option payload is + ## truncated in the captured packet. In those cases, option fields + ## won't be pre-extracted into the fields above. + payload: string &optional; +}; + +## A type alias for a vector of ICMPv6 neighbor discovery message options. +type icmp6_nd_options: vector of icmp6_nd_option; + # A DNS mapping between IP address and hostname resolved by Bro's internal # resolver. # @@ -178,6 +233,32 @@ type endpoint_stats: record { ## use ``count``. That should be changed. type AnalyzerID: count; +module Tunnel; +export { + ## Records the identity of an encapsulating parent of a tunneled connection. + type EncapsulatingConn: record { + ## The 4-tuple of the encapsulating "connection". In case of an IP-in-IP + ## tunnel the ports will be set to 0. The direction (i.e., orig and + ## resp) are set according to the first tunneled packet seen + ## and not according to the side that established the tunnel. + cid: conn_id; + ## The type of tunnel. + tunnel_type: Tunnel::Type; + ## A globally unique identifier that, for non-IP-in-IP tunnels, + ## cross-references the *uid* field of :bro:type:`connection`. + uid: string &optional; + } &log; +} # end export +module GLOBAL; + +## A type alias for a vector of encapsulating "connections", i.e for when +## there are tunnels within tunnels. +## +## .. todo:: We need this type definition only for declaring builtin functions +## via ``bifcl``. We should extend ``bifcl`` to understand composite types +## directly and then remove this alias. +type EncapsulatingConnVector: vector of Tunnel::EncapsulatingConn; + ## Statistics about a :bro:type:`connection` endpoint. ## ## .. bro:see:: connection @@ -199,10 +280,10 @@ type endpoint: record { flow_label: count; }; -# A connection. This is Bro's basic connection type describing IP- and -# transport-layer information about the conversation. Note that Bro uses a -# liberal interpreation of "connection" and associates instances of this type -# also with UDP and ICMP flows. +## A connection. This is Bro's basic connection type describing IP- and +## transport-layer information about the conversation. Note that Bro uses a +## liberal interpreation of "connection" and associates instances of this type +## also with UDP and ICMP flows. type connection: record { id: conn_id; ##< The connection's identifying 4-tuple. orig: endpoint; ##< Statistics about originator side. @@ -227,6 +308,12 @@ type connection: record { ## that is very likely unique across independent Bro runs. These IDs can thus be ## used to tag and locate information associated with that connection. uid: string; + ## If the connection is tunneled, this field contains information about + ## the encapsulating "connection(s)" with the outermost one starting + ## at index zero. It's also always the first such enapsulation seen + ## for the connection unless the :bro:id:`tunnel_changed` event is handled + ## and re-assigns this field to the new encapsulation. + tunnel: EncapsulatingConnVector &optional; }; ## Fields of a SYN packet. @@ -884,18 +971,9 @@ const frag_timeout = 0.0 sec &redef; const packet_sort_window = 0 usecs &redef; ## If positive, indicates the encapsulation header size that should -## be skipped. This either applies to all packets, or if -## :bro:see:`tunnel_port` is set, only to packets on that port. -## -## .. :bro:see:: tunnel_port +## be skipped. This applies to all packets. const encap_hdr_size = 0 &redef; -## A UDP port that specifies which connections to apply :bro:see:`encap_hdr_size` -## to. -## -## .. :bro:see:: encap_hdr_size -const tunnel_port = 0/udp &redef; - ## Whether to use the ``ConnSize`` analyzer to count the number of packets and ## IP-level bytes transfered by each endpoint. If true, these values are returned ## in the connection's :bro:see:`endpoint` record value. @@ -1250,7 +1328,7 @@ type ip6_ext_hdr: record { mobility: ip6_mobility_hdr &optional; }; -## A type alias for a vector of IPv6 extension headers +## A type alias for a vector of IPv6 extension headers. type ip6_ext_hdr_chain: vector of ip6_ext_hdr; ## Values extracted from an IPv6 header. @@ -1336,6 +1414,42 @@ type pkt_hdr: record { icmp: icmp_hdr &optional; ##< The ICMP header if an ICMP packet. }; +## A Teredo origin indication header. See :rfc:`4380` for more information +## about the Teredo protocol. +## +## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication +## teredo_hdr +type teredo_auth: record { + id: string; ##< Teredo client identifier. + value: string; ##< HMAC-SHA1 over shared secret key between client and + ##< server, nonce, confirmation byte, origin indication + ##< (if present), and the IPv6 packet. + nonce: count; ##< Nonce chosen by Teredo client to be repeated by + ##< Teredo server. + confirm: count; ##< Confirmation byte to be set to 0 by Teredo client + ##< and non-zero by server if client needs new key. +}; + +## A Teredo authentication header. See :rfc:`4380` for more information +## about the Teredo protocol. +## +## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication +## teredo_hdr +type teredo_origin: record { + p: port; ##< Unobfuscated UDP port of Teredo client. + a: addr; ##< Unobfuscated IPv4 address of Teredo client. +}; + +## A Teredo packet header. See :rfc:`4380` for more information about the +## Teredo protocol. +## +## .. bro:see:: teredo_bubble teredo_origin_indication teredo_authentication +type teredo_hdr: record { + auth: teredo_auth &optional; ##< Teredo authentication header. + origin: teredo_origin &optional; ##< Teredo origin indication header. + hdr: pkt_hdr; ##< IPv6 and transport protocol headers. +}; + ## Definition of "secondary filters". A secondary filter is a BPF filter given as ## index in this table. For each such filter, the corresponding event is raised for ## all matching packets. @@ -2343,6 +2457,17 @@ type bittorrent_benc_dir: table[string] of bittorrent_benc_value; ## bt_tracker_response_not_ok type bt_tracker_headers: table[string] of string; +module SOCKS; +export { + ## This record is for a SOCKS client or server to provide either a + ## name or an address to represent a desired or established connection. + type Address: record { + host: addr &optional; + name: string &optional; + } &log; +} +module GLOBAL; + @load base/event.bif ## BPF filter the user has set via the -f command line options. Empty if none. @@ -2636,11 +2761,33 @@ const record_all_packets = F &redef; ## .. bro:see:: conn_stats const ignore_keep_alive_rexmit = F &redef; -## Whether the analysis engine parses IP packets encapsulated in -## UDP tunnels. -## -## .. bro:see:: tunnel_port -const parse_udp_tunnels = F &redef; +module Tunnel; +export { + ## The maximum depth of a tunnel to decapsulate until giving up. + ## Setting this to zero will disable all types of tunnel decapsulation. + const max_depth: count = 2 &redef; + + ## Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation. + const enable_ip = T &redef; + + ## Toggle whether to do IPv{4,6}-in-AYIYA decapsulation. + const enable_ayiya = T &redef; + + ## Toggle whether to do IPv6-in-Teredo decapsulation. + const enable_teredo = T &redef; + + ## With this option set, the Teredo analysis will first check to see if + ## other protocol analyzers have confirmed that they think they're + ## parsing the right protocol and only continue with Teredo tunnel + ## decapsulation if nothing else has yet confirmed. This can help + ## reduce false positives of UDP traffic (e.g. DNS) that also happens + ## to have a valid Teredo encapsulation. + const yielding_teredo_decapsulation = T &redef; + + ## How often to cleanup internal state for inactive IP tunnels. + const ip_tunnel_timeout = 24hrs &redef; +} # end export +module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 1cf125c3ab..91011738d1 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -29,6 +29,7 @@ @load base/frameworks/metrics @load base/frameworks/intel @load base/frameworks/reporter +@load base/frameworks/tunnels @load base/protocols/conn @load base/protocols/dns @@ -36,6 +37,7 @@ @load base/protocols/http @load base/protocols/irc @load base/protocols/smtp +@load base/protocols/socks @load base/protocols/ssh @load base/protocols/ssl @load base/protocols/syslog diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index c526681f2a..5796c3c6b1 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -101,6 +101,10 @@ export { resp_pkts: count &log &optional; ## Number IP level bytes the responder sent. See ``orig_pkts``. resp_ip_bytes: count &log &optional; + ## If this connection was over a tunnel, indicate the + ## *uid* values for any encapsulating parent connections + ## used over the lifetime of this inner connection. + tunnel_parents: set[string] &log; }; ## Event that can be handled to access the :bro:type:`Conn::Info` @@ -190,6 +194,8 @@ function set_conn(c: connection, eoc: bool) c$conn$ts=c$start_time; c$conn$uid=c$uid; c$conn$id=c$id; + if ( c?$tunnel && |c$tunnel| > 0 ) + add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid]; c$conn$proto=get_port_transport_proto(c$id$resp_p); if( |Site::local_nets| > 0 ) c$conn$local_orig=Site::is_local_addr(c$id$orig_h); @@ -227,6 +233,14 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) &prio c$conn$missed_bytes = c$conn$missed_bytes + length; } + +event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5 + { + set_conn(c, F); + if ( |e| > 0 ) + add c$conn$tunnel_parents[e[|e|-1]$uid]; + c$tunnel = e; + } event connection_state_remove(c: connection) &priority=5 { diff --git a/scripts/base/protocols/socks/__load__.bro b/scripts/base/protocols/socks/__load__.bro new file mode 100644 index 0000000000..0098b81a7a --- /dev/null +++ b/scripts/base/protocols/socks/__load__.bro @@ -0,0 +1,2 @@ +@load ./consts +@load ./main \ No newline at end of file diff --git a/scripts/base/protocols/socks/consts.bro b/scripts/base/protocols/socks/consts.bro new file mode 100644 index 0000000000..7b7cd58df5 --- /dev/null +++ b/scripts/base/protocols/socks/consts.bro @@ -0,0 +1,40 @@ +module SOCKS; + +export { + type RequestType: enum { + CONNECTION = 1, + PORT = 2, + UDP_ASSOCIATE = 3, + }; + + const v5_authentication_methods: table[count] of string = { + [0] = "No Authentication Required", + [1] = "GSSAPI", + [2] = "Username/Password", + [3] = "Challenge-Handshake Authentication Protocol", + [5] = "Challenge-Response Authentication Method", + [6] = "Secure Sockets Layer", + [7] = "NDS Authentication", + [8] = "Multi-Authentication Framework", + [255] = "No Acceptable Methods", + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const v4_status: table[count] of string = { + [0x5a] = "succeeded", + [0x5b] = "general SOCKS server failure", + [0x5c] = "request failed because client is not running identd", + [0x5d] = "request failed because client's identd could not confirm the user ID string in the request", + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const v5_status: table[count] of string = { + [0] = "succeeded", + [1] = "general SOCKS server failure", + [2] = "connection not allowed by ruleset", + [3] = "Network unreachable", + [4] = "Host unreachable", + [5] = "Connection refused", + [6] = "TTL expired", + [7] = "Command not supported", + [8] = "Address type not supported", + } &default=function(i: count):string { return fmt("unknown-%d", i); }; +} diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro new file mode 100644 index 0000000000..ca35a3f5e4 --- /dev/null +++ b/scripts/base/protocols/socks/main.bro @@ -0,0 +1,87 @@ +@load base/frameworks/tunnels +@load ./consts + +module SOCKS; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + ## Time when the proxy connection was first detected. + ts: time &log; + uid: string &log; + id: conn_id &log; + ## Protocol version of SOCKS. + version: count &log; + ## Username for the proxy if extracted from the network. + user: string &log &optional; + ## Server status for the attempt at using the proxy. + status: string &log &optional; + ## Client requested SOCKS address. Could be an address, a name or both. + request: SOCKS::Address &log &optional; + ## Client requested port. + request_p: port &log &optional; + ## Server bound address. Could be an address, a name or both. + bound: SOCKS::Address &log &optional; + ## Server bound port. + bound_p: port &log &optional; + }; + + ## Event that can be handled to access the SOCKS + ## record as it is sent on to the logging framework. + global log_socks: event(rec: Info); +} + +event bro_init() &priority=5 + { + Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]); + } + +redef record connection += { + socks: SOCKS::Info &optional; +}; + +# Configure DPD +redef capture_filters += { ["socks"] = "tcp port 1080" }; +redef dpd_config += { [ANALYZER_SOCKS] = [$ports = set(1080/tcp)] }; +redef likely_server_ports += { 1080/tcp }; + +function set_session(c: connection, version: count) + { + if ( ! c?$socks ) + c$socks = [$ts=network_time(), $id=c$id, $uid=c$uid, $version=version]; + } + +event socks_request(c: connection, version: count, request_type: count, + sa: SOCKS::Address, p: port, user: string) &priority=5 + { + set_session(c, version); + + c$socks$request = sa; + c$socks$request_p = p; + + # Copy this conn_id and set the orig_p to zero because in the case of SOCKS proxies there will + # be potentially many source ports since a new proxy connection is established for each + # proxied connection. We treat this as a singular "tunnel". + local cid = copy(c$id); + cid$orig_p = 0/tcp; + Tunnel::register([$cid=cid, $tunnel_type=Tunnel::SOCKS, $payload_proxy=T]); + } + +event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=5 + { + set_session(c, version); + + if ( version == 5 ) + c$socks$status = v5_status[reply]; + else if ( version == 4 ) + c$socks$status = v4_status[reply]; + + c$socks$bound = sa; + c$socks$bound_p = p; + } + +event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5 + { + Log::write(SOCKS::LOG, c$socks); + } diff --git a/src/AYIYA.cc b/src/AYIYA.cc new file mode 100644 index 0000000000..c525a73b6c --- /dev/null +++ b/src/AYIYA.cc @@ -0,0 +1,24 @@ +#include "AYIYA.h" + +AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) +: Analyzer(AnalyzerTag::AYIYA, conn) + { + interp = new binpac::AYIYA::AYIYA_Conn(this); + } + +AYIYA_Analyzer::~AYIYA_Analyzer() + { + delete interp; + } + +void AYIYA_Analyzer::Done() + { + Analyzer::Done(); + Event(udp_session_done); + } + +void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) + { + Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + interp->NewData(orig, data, data + len); + } diff --git a/src/AYIYA.h b/src/AYIYA.h new file mode 100644 index 0000000000..79b41553c7 --- /dev/null +++ b/src/AYIYA.h @@ -0,0 +1,29 @@ +#ifndef AYIYA_h +#define AYIYA_h + +#include "ayiya_pac.h" + +class AYIYA_Analyzer : public Analyzer { +public: + AYIYA_Analyzer(Connection* conn); + virtual ~AYIYA_Analyzer(); + + virtual void Done(); + virtual void DeliverPacket(int len, const u_char* data, bool orig, + int seq, const IP_Hdr* ip, int caplen); + + static Analyzer* InstantiateAnalyzer(Connection* conn) + { return new AYIYA_Analyzer(conn); } + + static bool Available() + { return BifConst::Tunnel::enable_ayiya && + BifConst::Tunnel::max_depth > 0; } + +protected: + friend class AnalyzerTimer; + void ExpireTimer(double t); + + binpac::AYIYA::AYIYA_Conn* interp; +}; + +#endif diff --git a/src/Analyzer.cc b/src/Analyzer.cc index a2a35490e8..9e30da0066 100644 --- a/src/Analyzer.cc +++ b/src/Analyzer.cc @@ -4,6 +4,7 @@ #include "PIA.h" #include "Event.h" +#include "AYIYA.h" #include "BackDoor.h" #include "BitTorrent.h" #include "BitTorrentTracker.h" @@ -33,9 +34,11 @@ #include "NFS.h" #include "Portmap.h" #include "POP3.h" +#include "SOCKS.h" #include "SSH.h" #include "SSL.h" #include "Syslog-binpac.h" +#include "Teredo.h" #include "ConnSizeAnalyzer.h" // Keep same order here as in AnalyzerTag definition! @@ -127,6 +130,16 @@ const Analyzer::Config Analyzer::analyzer_configs[] = { Syslog_Analyzer_binpac::InstantiateAnalyzer, Syslog_Analyzer_binpac::Available, 0, false }, + { AnalyzerTag::AYIYA, "AYIYA", + AYIYA_Analyzer::InstantiateAnalyzer, + AYIYA_Analyzer::Available, 0, false }, + { AnalyzerTag::SOCKS, "SOCKS", + SOCKS_Analyzer::InstantiateAnalyzer, + SOCKS_Analyzer::Available, 0, false }, + { AnalyzerTag::Teredo, "TEREDO", + Teredo_Analyzer::InstantiateAnalyzer, + Teredo_Analyzer::Available, 0, false }, + { AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer, File_Analyzer::Available, 0, false }, { AnalyzerTag::Backdoor, "BACKDOOR", diff --git a/src/Analyzer.h b/src/Analyzer.h index 7797e215fe..6ccd7648d3 100644 --- a/src/Analyzer.h +++ b/src/Analyzer.h @@ -215,6 +215,11 @@ public: // analyzer, even if the method is called multiple times. virtual void ProtocolConfirmation(); + // Return whether the analyzer previously called ProtocolConfirmation() + // at least once before. + bool ProtocolConfirmed() const + { return protocol_confirmed; } + // Report that we found a significant protocol violation which might // indicate that the analyzed data is in fact not the expected // protocol. The protocol_violation event is raised once per call to @@ -338,6 +343,10 @@ private: for ( analyzer_list::iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) +#define LOOP_OVER_GIVEN_CONST_CHILDREN(var, the_kids) \ + for ( analyzer_list::const_iterator var = the_kids.begin(); \ + var != the_kids.end(); var++ ) + class SupportAnalyzer : public Analyzer { public: SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig) diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h index dc10a55f22..7fad4d35bb 100644 --- a/src/AnalyzerTags.h +++ b/src/AnalyzerTags.h @@ -33,11 +33,15 @@ namespace AnalyzerTag { DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC, HTTP_BINPAC, SSL, SYSLOG_BINPAC, + // Decapsulation analyzers. + AYIYA, + SOCKS, + Teredo, + // Other File, Backdoor, InterConn, SteppingStone, TCPStats, ConnSize, - // Support-analyzers Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP, Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh, diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index fbbb01fd22..ce440852d7 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -187,6 +187,9 @@ endmacro(BINPAC_TARGET) binpac_target(binpac-lib.pac) binpac_target(binpac_bro-lib.pac) + +binpac_target(ayiya.pac + ayiya-protocol.pac ayiya-analyzer.pac) binpac_target(bittorrent.pac bittorrent-protocol.pac bittorrent-analyzer.pac) binpac_target(dce_rpc.pac @@ -206,6 +209,8 @@ binpac_target(netflow.pac netflow-protocol.pac netflow-analyzer.pac) binpac_target(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) +binpac_target(socks.pac + socks-protocol.pac socks-analyzer.pac) binpac_target(ssl.pac ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac) binpac_target(syslog.pac @@ -277,6 +282,7 @@ set(bro_SRCS Anon.cc ARP.cc Attr.cc + AYIYA.cc BackDoor.cc Base64.cc BitTorrent.cc @@ -375,6 +381,7 @@ set(bro_SRCS SmithWaterman.cc SMB.cc SMTP.cc + SOCKS.cc SSH.cc SSL.cc Scope.cc @@ -391,9 +398,11 @@ set(bro_SRCS TCP_Endpoint.cc TCP_Reassembler.cc Telnet.cc + Teredo.cc Timer.cc Traverse.cc Trigger.cc + TunnelEncapsulation.cc Type.cc UDP.cc Val.cc diff --git a/src/Conn.cc b/src/Conn.cc index 3835097b6a..bc2e7fb5cf 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -13,6 +13,7 @@ #include "Timer.h" #include "PIA.h" #include "binpac.h" +#include "TunnelEncapsulation.h" void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer, int arg_do_expire) @@ -112,7 +113,7 @@ unsigned int Connection::external_connections = 0; IMPLEMENT_SERIAL(Connection, SER_CONNECTION); Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id, - uint32 flow) + uint32 flow, const EncapsulationStack* arg_encap) { sessions = s; key = k; @@ -160,6 +161,11 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id, uid = 0; // Will set later. + if ( arg_encap ) + encapsulation = new EncapsulationStack(*arg_encap); + else + encapsulation = 0; + if ( conn_timer_mgr ) { ++external_connections; @@ -187,12 +193,40 @@ Connection::~Connection() delete key; delete root_analyzer; delete conn_timer_mgr; + delete encapsulation; --current_connections; if ( conn_timer_mgr ) --external_connections; } +void Connection::CheckEncapsulation(const EncapsulationStack* arg_encap) + { + if ( encapsulation && arg_encap ) + { + if ( *encapsulation != *arg_encap ) + { + Event(tunnel_changed, 0, arg_encap->GetVectorVal()); + delete encapsulation; + encapsulation = new EncapsulationStack(*arg_encap); + } + } + + else if ( encapsulation ) + { + EncapsulationStack empty; + Event(tunnel_changed, 0, empty.GetVectorVal()); + delete encapsulation; + encapsulation = 0; + } + + else if ( arg_encap ) + { + Event(tunnel_changed, 0, arg_encap->GetVectorVal()); + encapsulation = new EncapsulationStack(*arg_encap); + } + } + void Connection::Done() { finished = 1; @@ -349,6 +383,9 @@ RecordVal* Connection::BuildConnVal() char tmp[20]; conn_val->Assign(9, new StringVal(uitoa_n(uid, tmp, sizeof(tmp), 62))); + + if ( encapsulation && encapsulation->Depth() > 0 ) + conn_val->Assign(10, encapsulation->GetVectorVal()); } if ( root_analyzer ) diff --git a/src/Conn.h b/src/Conn.h index 7404721968..782d41a801 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -13,6 +13,7 @@ #include "RuleMatcher.h" #include "AnalyzerTags.h" #include "IPAddr.h" +#include "TunnelEncapsulation.h" class Connection; class ConnectionTimer; @@ -51,9 +52,16 @@ class Analyzer; class Connection : public BroObj { public: Connection(NetSessions* s, HashKey* k, double t, const ConnID* id, - uint32 flow); + uint32 flow, const EncapsulationStack* arg_encap); virtual ~Connection(); + // Invoked when an encapsulation is discovered. It records the + // encapsulation with the connection and raises a "tunnel_changed" + // event if it's different from the previous encapsulation (or the + // first encountered). encap can be null to indicate no + // encapsulation. + void CheckEncapsulation(const EncapsulationStack* encap); + // Invoked when connection is about to be removed. Use Ref(this) // inside Done to keep the connection object around (though it'll // no longer be accessible from the dictionary of active @@ -242,6 +250,11 @@ public: void SetUID(uint64 arg_uid) { uid = arg_uid; } + uint64 GetUID() const { return uid; } + + const EncapsulationStack* GetEncapsulation() const + { return encapsulation; } + void CheckFlowLabel(bool is_orig, uint32 flow_label); protected: @@ -279,6 +292,7 @@ protected: double inactivity_timeout; RecordVal* conn_val; LoginConn* login_conn; // either nil, or this + const EncapsulationStack* encapsulation; // tunnels int suppress_event; // suppress certain events to once per conn. unsigned int installed_status_timer:1; diff --git a/src/File.cc b/src/File.cc index 8b432f4428..20e845c09f 100644 --- a/src/File.cc +++ b/src/File.cc @@ -572,8 +572,9 @@ void BroFile::InstallRotateTimer() const char* base_time = log_rotate_base_time ? log_rotate_base_time->AsString()->CheckString() : 0; + double base = parse_rotate_base_time(base_time); double delta_t = - calc_next_rotate(rotate_interval, base_time); + calc_next_rotate(network_time, rotate_interval, base); rotate_timer = new RotateTimer(network_time + delta_t, this, true); } diff --git a/src/Func.cc b/src/Func.cc index b6fc7f0785..30689d4c26 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -329,7 +329,17 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const bodies[i].stmts->GetLocationInfo()); Unref(result); - result = bodies[i].stmts->Exec(f, flow); + + try + { + result = bodies[i].stmts->Exec(f, flow); + } + + catch ( InterpreterException& e ) + { + // Already reported, but we continue exec'ing remaining bodies. + continue; + } if ( f->HasDelayed() ) { diff --git a/src/ICMP.cc b/src/ICMP.cc index b06c6440e1..b9b4e89404 100644 --- a/src/ICMP.cc +++ b/src/ICMP.cc @@ -64,7 +64,8 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data, break; default: - reporter->InternalError("unexpected IP proto in ICMP analyzer"); + reporter->InternalError("unexpected IP proto in ICMP analyzer: %d", + ip->NextProto()); break; } @@ -168,8 +169,10 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c NeighborSolicit(t, icmpp, len, caplen, data, ip_hdr); break; case ND_ROUTER_SOLICIT: + RouterSolicit(t, icmpp, len, caplen, data, ip_hdr); + break; case ICMP6_ROUTER_RENUMBERING: - Router(t, icmpp, len, caplen, data, ip_hdr); + ICMPEvent(icmp_sent, icmpp, len, 1, ip_hdr); break; #if 0 @@ -514,10 +517,13 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_router_advertisement; - uint32 reachable, retrans; + uint32 reachable = 0, retrans = 0; - memcpy(&reachable, data, sizeof(reachable)); - memcpy(&retrans, data + sizeof(reachable), sizeof(retrans)); + if ( caplen >= (int)sizeof(reachable) ) + memcpy(&reachable, data, sizeof(reachable)); + + if ( caplen >= (int)sizeof(reachable) + (int)sizeof(retrans) ) + memcpy(&retrans, data + sizeof(reachable), sizeof(retrans)); val_list* vl = new val_list; vl->append(BuildConnVal()); @@ -533,6 +539,9 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, vl->append(new IntervalVal((double)ntohl(reachable), Milliseconds)); vl->append(new IntervalVal((double)ntohl(retrans), Milliseconds)); + int opt_offset = sizeof(reachable) + sizeof(retrans); + vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)); + ConnectionEvent(f, vl); } @@ -541,9 +550,10 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_neighbor_advertisement; - in6_addr tgtaddr; + IPAddr tgtaddr; - memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr)); + if ( caplen >= (int)sizeof(in6_addr) ) + tgtaddr = IPAddr(*((const in6_addr*)data)); val_list* vl = new val_list; vl->append(BuildConnVal()); @@ -551,7 +561,10 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, vl->append(new Val(icmpp->icmp_num_addrs & 0x80, TYPE_BOOL)); // Router vl->append(new Val(icmpp->icmp_num_addrs & 0x40, TYPE_BOOL)); // Solicited vl->append(new Val(icmpp->icmp_num_addrs & 0x20, TYPE_BOOL)); // Override - vl->append(new AddrVal(IPAddr(tgtaddr))); + vl->append(new AddrVal(tgtaddr)); + + int opt_offset = sizeof(in6_addr); + vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)); ConnectionEvent(f, vl); } @@ -561,14 +574,18 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_neighbor_solicitation; - in6_addr tgtaddr; + IPAddr tgtaddr; - memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr)); + if ( caplen >= (int)sizeof(in6_addr) ) + tgtaddr = IPAddr(*((const in6_addr*)data)); val_list* vl = new val_list; vl->append(BuildConnVal()); vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr)); - vl->append(new AddrVal(IPAddr(tgtaddr))); + vl->append(new AddrVal(tgtaddr)); + + int opt_offset = sizeof(in6_addr); + vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)); ConnectionEvent(f, vl); } @@ -578,40 +595,36 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_redirect; - in6_addr tgtaddr, dstaddr; + IPAddr tgtaddr, dstaddr; - memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr)); - memcpy(&dstaddr.s6_addr, data + sizeof(tgtaddr.s6_addr), sizeof(dstaddr.s6_addr)); + if ( caplen >= (int)sizeof(in6_addr) ) + tgtaddr = IPAddr(*((const in6_addr*)data)); + + if ( caplen >= 2 * (int)sizeof(in6_addr) ) + dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr)))); val_list* vl = new val_list; vl->append(BuildConnVal()); vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr)); - vl->append(new AddrVal(IPAddr(tgtaddr))); - vl->append(new AddrVal(IPAddr(dstaddr))); + vl->append(new AddrVal(tgtaddr)); + vl->append(new AddrVal(dstaddr)); + + int opt_offset = 2 * sizeof(in6_addr); + vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)); ConnectionEvent(f, vl); } -void ICMP_Analyzer::Router(double t, const struct icmp* icmpp, int len, +void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { - EventHandlerPtr f = 0; - - switch ( icmpp->icmp_type ) - { - case ND_ROUTER_SOLICIT: - f = icmp_router_solicitation; - break; - case ICMP6_ROUTER_RENUMBERING: - default: - ICMPEvent(icmp_sent, icmpp, len, 1, ip_hdr); - return; - } + EventHandlerPtr f = icmp_router_solicitation; val_list* vl = new val_list; vl->append(BuildConnVal()); vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr)); + vl->append(BuildNDOptionsVal(caplen, data)); ConnectionEvent(f, vl); } @@ -684,6 +697,144 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp, } } +VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) + { + static RecordType* icmp6_nd_option_type = 0; + static RecordType* icmp6_nd_prefix_info_type = 0; + + if ( ! icmp6_nd_option_type ) + { + icmp6_nd_option_type = internal_type("icmp6_nd_option")->AsRecordType(); + icmp6_nd_prefix_info_type = + internal_type("icmp6_nd_prefix_info")->AsRecordType(); + } + + VectorVal* vv = new VectorVal( + internal_type("icmp6_nd_options")->AsVectorType()); + + while ( caplen > 0 ) + { + // Must have at least type & length to continue parsing options. + if ( caplen < 2 ) + { + Weird("truncated_ICMPv6_ND_options"); + break; + } + + uint8 type = *((const uint8*)data); + uint8 length = *((const uint8*)(data + 1)); + + if ( length == 0 ) + { + Weird("zero_length_ICMPv6_ND_option"); + break; + } + + RecordVal* rv = new RecordVal(icmp6_nd_option_type); + rv->Assign(0, new Val(type, TYPE_COUNT)); + rv->Assign(1, new Val(length, TYPE_COUNT)); + + // Adjust length to be in units of bytes, exclude type/length fields. + length = length * 8 - 2; + + data += 2; + caplen -= 2; + + bool set_payload_field = false; + + // Only parse out known options that are there in full. + switch ( type ) { + case 1: + case 2: + // Source/Target Link-layer Address option + { + if ( caplen >= length ) + { + BroString* link_addr = new BroString(data, length, 0); + rv->Assign(2, new StringVal(link_addr)); + } + else + set_payload_field = true; + + break; + } + + case 3: + // Prefix Information option + { + if ( caplen >= 30 ) + { + RecordVal* info = new RecordVal(icmp6_nd_prefix_info_type); + uint8 prefix_len = *((const uint8*)(data)); + bool L_flag = (*((const uint8*)(data + 1)) & 0x80) != 0; + bool A_flag = (*((const uint8*)(data + 1)) & 0x40) != 0; + uint32 valid_life = *((const uint32*)(data + 2)); + uint32 prefer_life = *((const uint32*)(data + 6)); + in6_addr prefix = *((const in6_addr*)(data + 14)); + info->Assign(0, new Val(prefix_len, TYPE_COUNT)); + info->Assign(1, new Val(L_flag, TYPE_BOOL)); + info->Assign(2, new Val(A_flag, TYPE_BOOL)); + info->Assign(3, new IntervalVal((double)ntohl(valid_life), Seconds)); + info->Assign(4, new IntervalVal((double)ntohl(prefer_life), Seconds)); + info->Assign(5, new AddrVal(IPAddr(prefix))); + rv->Assign(3, info); + } + + else + set_payload_field = true; + break; + } + + case 4: + // Redirected Header option + { + if ( caplen >= length ) + { + const u_char* hdr = data + 6; + rv->Assign(4, ExtractICMP6Context(length - 6, hdr)); + } + + else + set_payload_field = true; + + break; + } + + case 5: + // MTU option + { + if ( caplen >= 6 ) + rv->Assign(5, new Val(ntohl(*((const uint32*)(data + 2))), + TYPE_COUNT)); + else + set_payload_field = true; + + break; + } + + default: + { + set_payload_field = true; + break; + } + } + + if ( set_payload_field ) + { + BroString* payload = + new BroString(data, min((int)length, caplen), 0); + rv->Assign(6, new StringVal(payload)); + } + + data += length; + caplen -= length; + + vv->Assign(vv->Size(), rv, 0); + } + + return vv; + } + int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) { is_one_way = false; diff --git a/src/ICMP.h b/src/ICMP.h index 33773b9762..1e30b7ff54 100644 --- a/src/ICMP.h +++ b/src/ICMP.h @@ -48,7 +48,7 @@ protected: int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void NeighborSolicit(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr); - void Router(double t, const struct icmp* icmpp, int len, + void RouterSolicit(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void Describe(ODesc* d) const; @@ -75,6 +75,9 @@ protected: void Context6(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr); + // RFC 4861 Neighbor Discover message options + VectorVal* BuildNDOptionsVal(int caplen, const u_char* data); + RecordVal* icmp_conn_val; int type; int code; diff --git a/src/NetVar.cc b/src/NetVar.cc index ab13ec7001..248ae15e1a 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -31,7 +31,6 @@ int tcp_SYN_ack_ok; int tcp_match_undelivered; int encap_hdr_size; -int udp_tunnel_port; double frag_timeout; @@ -49,6 +48,8 @@ int tcp_excessive_data_without_further_acks; RecordType* x509_type; +RecordType* socks_address; + double non_analyzed_lifetime; double tcp_inactivity_timeout; double udp_inactivity_timeout; @@ -328,8 +329,6 @@ void init_net_var() encap_hdr_size = opt_internal_int("encap_hdr_size"); - udp_tunnel_port = opt_internal_int("udp_tunnel_port") & ~UDP_PORT_MASK; - frag_timeout = opt_internal_double("frag_timeout"); tcp_SYN_timeout = opt_internal_double("tcp_SYN_timeout"); @@ -347,6 +346,8 @@ void init_net_var() opt_internal_int("tcp_excessive_data_without_further_acks"); x509_type = internal_type("X509")->AsRecordType(); + + socks_address = internal_type("SOCKS::Address")->AsRecordType(); non_analyzed_lifetime = opt_internal_double("non_analyzed_lifetime"); tcp_inactivity_timeout = opt_internal_double("tcp_inactivity_timeout"); diff --git a/src/NetVar.h b/src/NetVar.h index 1e6c758740..2561fa0ad9 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -34,7 +34,6 @@ extern int tcp_SYN_ack_ok; extern int tcp_match_undelivered; extern int encap_hdr_size; -extern int udp_tunnel_port; extern double frag_timeout; @@ -52,6 +51,8 @@ extern int tcp_excessive_data_without_further_acks; extern RecordType* x509_type; +extern RecordType* socks_address; + extern double non_analyzed_lifetime; extern double tcp_inactivity_timeout; extern double udp_inactivity_timeout; diff --git a/src/PktSrc.cc b/src/PktSrc.cc index 615815b41b..9b974f7e53 100644 --- a/src/PktSrc.cc +++ b/src/PktSrc.cc @@ -193,7 +193,18 @@ void PktSrc::Process() { protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0]; - if ( protocol != AF_INET && protocol != AF_INET6 ) + // From the Wireshark Wiki: "AF_INET6, unfortunately, has + // different values in {NetBSD,OpenBSD,BSD/OS}, + // {FreeBSD,DragonFlyBSD}, and {Darwin/Mac OS X}, so an IPv6 + // packet might have a link-layer header with 24, 28, or 30 + // as the AF_ value." As we may be reading traces captured on + // platforms other than what we're running on, we accept them + // all here. + if ( protocol != AF_INET + && protocol != AF_INET6 + && protocol != 24 + && protocol != 28 + && protocol != 30 ) { sessions->Weird("non_ip_packet_in_null_transport", &hdr, data); data = 0; diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 838bafb0d6..9409a34634 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -2503,17 +2503,17 @@ bool RemoteSerializer::ProcessRemotePrint() return true; } -bool RemoteSerializer::SendLogCreateWriter(EnumVal* id, EnumVal* writer, string path, int num_fields, const threading::Field* const * fields) +bool RemoteSerializer::SendLogCreateWriter(EnumVal* id, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const * fields) { loop_over_list(peers, i) { - SendLogCreateWriter(peers[i]->id, id, writer, path, num_fields, fields); + SendLogCreateWriter(peers[i]->id, id, writer, info, num_fields, fields); } return true; } -bool RemoteSerializer::SendLogCreateWriter(PeerID peer_id, EnumVal* id, EnumVal* writer, string path, int num_fields, const threading::Field* const * fields) +bool RemoteSerializer::SendLogCreateWriter(PeerID peer_id, EnumVal* id, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const * fields) { SetErrorDescr("logging"); @@ -2535,8 +2535,8 @@ bool RemoteSerializer::SendLogCreateWriter(PeerID peer_id, EnumVal* id, EnumVal* bool success = fmt.Write(id->AsEnum(), "id") && fmt.Write(writer->AsEnum(), "writer") && - fmt.Write(path, "path") && - fmt.Write(num_fields, "num_fields"); + fmt.Write(num_fields, "num_fields") && + info.Write(&fmt); if ( ! success ) goto error; @@ -2691,13 +2691,13 @@ bool RemoteSerializer::ProcessLogCreateWriter() fmt.StartRead(current_args->data, current_args->len); int id, writer; - string path; int num_fields; + logging::WriterBackend::WriterInfo info; bool success = fmt.Read(&id, "id") && fmt.Read(&writer, "writer") && - fmt.Read(&path, "path") && - fmt.Read(&num_fields, "num_fields"); + fmt.Read(&num_fields, "num_fields") && + info.Read(&fmt); if ( ! success ) goto error; @@ -2716,7 +2716,7 @@ bool RemoteSerializer::ProcessLogCreateWriter() id_val = new EnumVal(id, BifType::Enum::Log::ID); writer_val = new EnumVal(writer, BifType::Enum::Log::Writer); - if ( ! log_mgr->CreateWriter(id_val, writer_val, path, num_fields, fields, true, false) ) + if ( ! log_mgr->CreateWriter(id_val, writer_val, info, num_fields, fields, true, false) ) goto error; Unref(id_val); @@ -4208,32 +4208,38 @@ bool SocketComm::Listen() bool SocketComm::AcceptConnection(int fd) { - sockaddr_storage client; - socklen_t len = sizeof(client); + union { + sockaddr_storage ss; + sockaddr_in s4; + sockaddr_in6 s6; + } client; - int clientfd = accept(fd, (sockaddr*) &client, &len); + socklen_t len = sizeof(client.ss); + + int clientfd = accept(fd, (sockaddr*) &client.ss, &len); if ( clientfd < 0 ) { Error(fmt("accept failed, %s %d", strerror(errno), errno)); return false; } - if ( client.ss_family != AF_INET && client.ss_family != AF_INET6 ) + if ( client.ss.ss_family != AF_INET && client.ss.ss_family != AF_INET6 ) { - Error(fmt("accept fail, unknown address family %d", client.ss_family)); + Error(fmt("accept fail, unknown address family %d", + client.ss.ss_family)); close(clientfd); return false; } Peer* peer = new Peer; peer->id = id_counter++; - peer->ip = client.ss_family == AF_INET ? - IPAddr(((sockaddr_in*)&client)->sin_addr) : - IPAddr(((sockaddr_in6*)&client)->sin6_addr); + peer->ip = client.ss.ss_family == AF_INET ? + IPAddr(client.s4.sin_addr) : + IPAddr(client.s6.sin6_addr); - peer->port = client.ss_family == AF_INET ? - ntohs(((sockaddr_in*)&client)->sin_port) : - ntohs(((sockaddr_in6*)&client)->sin6_port); + peer->port = client.ss.ss_family == AF_INET ? + ntohs(client.s4.sin_port) : + ntohs(client.s6.sin6_port); peer->connected = true; peer->ssl = listen_ssl; diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h index 4ebf15e68d..1d7feef585 100644 --- a/src/RemoteSerializer.h +++ b/src/RemoteSerializer.h @@ -9,6 +9,7 @@ #include "IOSource.h" #include "Stats.h" #include "File.h" +#include "logging/WriterBackend.h" #include #include @@ -104,10 +105,10 @@ public: bool SendPrintHookEvent(BroFile* f, const char* txt, size_t len); // Send a request to create a writer on a remote side. - bool SendLogCreateWriter(PeerID peer, EnumVal* id, EnumVal* writer, string path, int num_fields, const threading::Field* const * fields); + bool SendLogCreateWriter(PeerID peer, EnumVal* id, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const * fields); // Broadcasts a request to create a writer. - bool SendLogCreateWriter(EnumVal* id, EnumVal* writer, string path, int num_fields, const threading::Field* const * fields); + bool SendLogCreateWriter(EnumVal* id, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const * fields); // Broadcast a log entry to everybody interested. bool SendLogWrite(EnumVal* id, EnumVal* writer, string path, int num_fields, const threading::Value* const * vals); diff --git a/src/SOCKS.cc b/src/SOCKS.cc new file mode 100644 index 0000000000..0064f6e700 --- /dev/null +++ b/src/SOCKS.cc @@ -0,0 +1,79 @@ +#include "SOCKS.h" +#include "socks_pac.h" +#include "TCP_Reassembler.h" + +SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) +: TCP_ApplicationAnalyzer(AnalyzerTag::SOCKS, conn) + { + interp = new binpac::SOCKS::SOCKS_Conn(this); + orig_done = resp_done = false; + pia = 0; + } + +SOCKS_Analyzer::~SOCKS_Analyzer() + { + delete interp; + } + +void SOCKS_Analyzer::EndpointDone(bool orig) + { + if ( orig ) + orig_done = true; + else + resp_done = true; + } + +void SOCKS_Analyzer::Done() + { + TCP_ApplicationAnalyzer::Done(); + + interp->FlowEOF(true); + interp->FlowEOF(false); + } + +void SOCKS_Analyzer::EndpointEOF(TCP_Reassembler* endp) + { + TCP_ApplicationAnalyzer::EndpointEOF(endp); + interp->FlowEOF(endp->IsOrig()); + } + +void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) + { + TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + + assert(TCP()); + + if ( TCP()->IsPartial() ) + // punt on partial. + return; + + if ( orig_done && resp_done ) + { + // Finished decapsulating tunnel layer. Now do standard processing + // with the rest of the conneciton. + // + // Note that we assume that no payload data arrives before both endpoints + // are done with there part of the SOCKS protocol. + + if ( ! pia ) + { + pia = new PIA_TCP(Conn()); + AddChildAnalyzer(pia); + pia->FirstPacket(true, 0); + pia->FirstPacket(false, 0); + } + + ForwardStream(len, data, orig); + } + else + { + interp->NewData(orig, data, data + len); + } + } + +void SOCKS_Analyzer::Undelivered(int seq, int len, bool orig) + { + TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + interp->NewGap(orig, len); + } + diff --git a/src/SOCKS.h b/src/SOCKS.h new file mode 100644 index 0000000000..c9a7338496 --- /dev/null +++ b/src/SOCKS.h @@ -0,0 +1,45 @@ +#ifndef socks_h +#define socks_h + +// SOCKS v4 analyzer. + +#include "TCP.h" +#include "PIA.h" + +namespace binpac { + namespace SOCKS { + class SOCKS_Conn; + } +} + + +class SOCKS_Analyzer : public TCP_ApplicationAnalyzer { +public: + SOCKS_Analyzer(Connection* conn); + ~SOCKS_Analyzer(); + + void EndpointDone(bool orig); + + virtual void Done(); + virtual void DeliverStream(int len, const u_char* data, bool orig); + virtual void Undelivered(int seq, int len, bool orig); + virtual void EndpointEOF(TCP_Reassembler* endp); + + static Analyzer* InstantiateAnalyzer(Connection* conn) + { return new SOCKS_Analyzer(conn); } + + static bool Available() + { + return socks_request || socks_reply; + } + +protected: + + bool orig_done; + bool resp_done; + + PIA_TCP *pia; + binpac::SOCKS::SOCKS_Conn* interp; +}; + +#endif diff --git a/src/Sessions.cc b/src/Sessions.cc index 4419936fbd..6f42e5726b 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -30,6 +30,7 @@ #include "DPM.h" #include "PacketSort.h" +#include "TunnelEncapsulation.h" // These represent NetBIOS services on ephemeral ports. They're numbered // so that we can use a single int to hold either an actual TCP/UDP server @@ -67,6 +68,26 @@ void TimerMgrExpireTimer::Dispatch(double t, int is_expire) } } +void IPTunnelTimer::Dispatch(double t, int is_expire) + { + NetSessions::IPTunnelMap::const_iterator it = + sessions->ip_tunnels.find(tunnel_idx); + + if ( it == sessions->ip_tunnels.end() ) + return; + + double last_active = it->second.second; + double inactive_time = t > last_active ? t - last_active : 0; + + if ( inactive_time >= BifConst::Tunnel::ip_tunnel_timeout ) + // tunnel activity timed out, delete it from map + sessions->ip_tunnels.erase(tunnel_idx); + + else if ( ! is_expire ) + // tunnel activity didn't timeout, schedule another timer + timer_mgr->Add(new IPTunnelTimer(t, tunnel_idx)); + } + NetSessions::NetSessions() { TypeList* t = new TypeList(); @@ -142,16 +163,6 @@ void NetSessions::Done() { } -namespace // private namespace - { - bool looks_like_IPv4_packet(int len, const struct ip* ip_hdr) - { - if ( len < int(sizeof(struct ip)) ) - return false; - return ip_hdr->ip_v == 4 && ntohs(ip_hdr->ip_len) == len; - } - } - void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr, const u_char* pkt, int hdr_size, PktSrc* src_ps, PacketSortElement* pkt_elem) @@ -168,60 +179,8 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr, } if ( encap_hdr_size > 0 && ip_data ) - { - // We're doing tunnel encapsulation. Check whether there's - // a particular associated port. - // - // Should we discourage the use of encap_hdr_size for UDP - // tunnneling? It is probably better handled by enabling - // BifConst::parse_udp_tunnels instead of specifying a fixed - // encap_hdr_size. - if ( udp_tunnel_port > 0 ) - { - ASSERT(ip_hdr); - if ( ip_hdr->ip_p == IPPROTO_UDP ) - { - const struct udphdr* udp_hdr = - reinterpret_cast - (ip_data); - - if ( ntohs(udp_hdr->uh_dport) == udp_tunnel_port ) - { - // A match. - hdr_size += encap_hdr_size; - } - } - } - - else - // Blanket encapsulation - hdr_size += encap_hdr_size; - } - - // Check IP packets encapsulated through UDP tunnels. - // Specifying a udp_tunnel_port is optional but recommended (to avoid - // the cost of checking every UDP packet). - else if ( BifConst::parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP ) - { - const struct udphdr* udp_hdr = - reinterpret_cast(ip_data); - - if ( udp_tunnel_port == 0 || // 0 matches any port - udp_tunnel_port == ntohs(udp_hdr->uh_dport) ) - { - const u_char* udp_data = - ip_data + sizeof(struct udphdr); - const struct ip* ip_encap = - reinterpret_cast(udp_data); - const int ip_encap_len = - ntohs(udp_hdr->uh_ulen) - sizeof(struct udphdr); - const int ip_encap_caplen = - hdr->caplen - (udp_data - pkt); - - if ( looks_like_IPv4_packet(ip_encap_len, ip_encap) ) - hdr_size = udp_data - pkt; - } - } + // Blanket encapsulation + hdr_size += encap_hdr_size; if ( src_ps->FilterType() == TYPE_FILTER_NORMAL ) NextPacket(t, hdr, pkt, hdr_size, pkt_elem); @@ -251,7 +210,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr, // difference here is that header extraction in // PacketSort does not generate Weird events. - DoNextPacket(t, hdr, pkt_elem->IPHdr(), pkt, hdr_size); + DoNextPacket(t, hdr, pkt_elem->IPHdr(), pkt, hdr_size, 0); else { @@ -276,7 +235,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr, if ( ip->ip_v == 4 ) { IP_Hdr ip_hdr(ip, false); - DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size); + DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0); } else if ( ip->ip_v == 6 ) @@ -288,7 +247,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr, } IP_Hdr ip_hdr((const struct ip6_hdr*) (pkt + hdr_size), false, caplen); - DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size); + DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0); } else if ( ARP_Analyzer::IsARP(pkt, hdr_size) ) @@ -410,7 +369,7 @@ int NetSessions::CheckConnectionTag(Connection* conn) void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, const IP_Hdr* ip_hdr, const u_char* const pkt, - int hdr_size) + int hdr_size, const EncapsulationStack* encapsulation) { uint32 caplen = hdr->caplen - hdr_size; const struct ip* ip4 = ip_hdr->IP4_Hdr(); @@ -418,7 +377,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, uint32 len = ip_hdr->TotalLen(); if ( hdr->len < len + hdr_size ) { - Weird("truncated_IP", hdr, pkt); + Weird("truncated_IP", hdr, pkt, encapsulation); return; } @@ -430,7 +389,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, if ( ! ignore_checksums && ip4 && ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff ) { - Weird("bad_IP_checksum", hdr, pkt); + Weird("bad_IP_checksum", hdr, pkt, encapsulation); return; } @@ -445,7 +404,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, if ( caplen < len ) { - Weird("incompletely_captured_fragment", ip_hdr); + Weird("incompletely_captured_fragment", ip_hdr, encapsulation); // Don't try to reassemble, that's doomed. // Discard all except the first fragment (which @@ -472,7 +431,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, len -= ip_hdr_len; // remove IP header caplen -= ip_hdr_len; - // We stop building the chain when seeing IPPROTO_ESP so if it's + // We stop building the chain when seeing IPPROTO_ESP so if it's // there, it's always the last. if ( ip_hdr->LastHeader() == IPPROTO_ESP ) { @@ -497,7 +456,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, if ( ! ignore_checksums && mobility_header_checksum(ip_hdr) != 0xffff ) { - Weird("bad_MH_checksum", hdr, pkt); + Weird("bad_MH_checksum", hdr, pkt, encapsulation); Remove(f); return; } @@ -510,7 +469,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, } if ( ip_hdr->NextProto() != IPPROTO_NONE ) - Weird("mobility_piggyback", hdr, pkt); + Weird("mobility_piggyback", hdr, pkt, encapsulation); Remove(f); return; @@ -519,7 +478,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, int proto = ip_hdr->NextProto(); - if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt) ) + if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt, encapsulation) ) { Remove(f); return; @@ -585,8 +544,83 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, break; } + case IPPROTO_IPV4: + case IPPROTO_IPV6: + { + if ( ! BifConst::Tunnel::enable_ip ) + { + Weird("IP_tunnel", ip_hdr, encapsulation); + Remove(f); + return; + } + + if ( encapsulation && + encapsulation->Depth() >= BifConst::Tunnel::max_depth ) + { + Weird("exceeded_tunnel_max_depth", ip_hdr, encapsulation); + Remove(f); + return; + } + + // Check for a valid inner packet first. + IP_Hdr* inner = 0; + int result = ParseIPPacket(caplen, data, proto, inner); + + if ( result < 0 ) + Weird("truncated_inner_IP", ip_hdr, encapsulation); + + else if ( result > 0 ) + Weird("inner_IP_payload_length_mismatch", ip_hdr, encapsulation); + + if ( result != 0 ) + { + delete inner; + Remove(f); + return; + } + + // Look up to see if we've already seen this IP tunnel, identified + // by the pair of IP addresses, so that we can always associate the + // same UID with it. + IPPair tunnel_idx; + if ( ip_hdr->SrcAddr() < ip_hdr->DstAddr() ) + tunnel_idx = IPPair(ip_hdr->SrcAddr(), ip_hdr->DstAddr()); + else + tunnel_idx = IPPair(ip_hdr->DstAddr(), ip_hdr->SrcAddr()); + + IPTunnelMap::iterator it = ip_tunnels.find(tunnel_idx); + + if ( it == ip_tunnels.end() ) + { + EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr()); + ip_tunnels[tunnel_idx] = TunnelActivity(ec, network_time); + timer_mgr->Add(new IPTunnelTimer(network_time, tunnel_idx)); + } + else + it->second.second = network_time; + + DoNextInnerPacket(t, hdr, inner, encapsulation, + ip_tunnels[tunnel_idx].first); + + Remove(f); + return; + } + + case IPPROTO_NONE: + { + // If the packet is encapsulated in Teredo, then it was a bubble and + // the Teredo analyzer may have raised an event for that, else we're + // not sure the reason for the No Next header in the packet. + if ( ! ( encapsulation && + encapsulation->LastType() == BifEnum::Tunnel::TEREDO ) ) + Weird("ipv6_no_next", hdr, pkt); + + Remove(f); + return; + } + default: - Weird(fmt("unknown_protocol_%d", proto), hdr, pkt); + Weird(fmt("unknown_protocol_%d", proto), hdr, pkt, encapsulation); Remove(f); return; } @@ -602,7 +636,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, conn = (Connection*) d->Lookup(h); if ( ! conn ) { - conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel()); + conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), encapsulation); if ( conn ) d->Insert(h, conn); } @@ -623,12 +657,15 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, conn->Event(connection_reused, 0); Remove(conn); - conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel()); + conn = NewConn(h, t, &id, data, proto, ip_hdr->FlowLabel(), encapsulation); if ( conn ) d->Insert(h, conn); } else + { delete h; + conn->CheckEncapsulation(encapsulation); + } } if ( ! conn ) @@ -682,8 +719,70 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, } } +void NetSessions::DoNextInnerPacket(double t, const struct pcap_pkthdr* hdr, + const IP_Hdr* inner, const EncapsulationStack* prev, + const EncapsulatingConn& ec) + { + struct pcap_pkthdr fake_hdr; + fake_hdr.caplen = fake_hdr.len = inner->TotalLen(); + + if ( hdr ) + fake_hdr.ts = hdr->ts; + else + { + fake_hdr.ts.tv_sec = (time_t) network_time; + fake_hdr.ts.tv_usec = (suseconds_t) + ((network_time - (double)fake_hdr.ts.tv_sec) * 1000000); + } + + const u_char* pkt = 0; + + if ( inner->IP4_Hdr() ) + pkt = (const u_char*) inner->IP4_Hdr(); + else + pkt = (const u_char*) inner->IP6_Hdr(); + + EncapsulationStack* outer = prev ? + new EncapsulationStack(*prev) : new EncapsulationStack(); + outer->Add(ec); + + DoNextPacket(t, &fake_hdr, inner, pkt, 0, outer); + + delete inner; + delete outer; + } + +int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto, + IP_Hdr*& inner) + { + if ( proto == IPPROTO_IPV6 ) + { + if ( caplen < (int)sizeof(struct ip6_hdr) ) + return -1; + + inner = new IP_Hdr((const struct ip6_hdr*) pkt, false, caplen); + } + + else if ( proto == IPPROTO_IPV4 ) + { + if ( caplen < (int)sizeof(struct ip) ) + return -1; + + inner = new IP_Hdr((const struct ip*) pkt, false); + } + + else + reporter->InternalError("Bad IP protocol version in DoNextInnerPacket"); + + if ( (uint32)caplen != inner->TotalLen() ) + return (uint32)caplen < inner->TotalLen() ? -1 : 1; + + return 0; + } + bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen, - const struct pcap_pkthdr* h, const u_char* p) + const struct pcap_pkthdr* h, + const u_char* p, const EncapsulationStack* encap) { uint32 min_hdr_len = 0; switch ( proto ) { @@ -693,22 +792,32 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen, case IPPROTO_UDP: min_hdr_len = sizeof(struct udphdr); break; + case IPPROTO_IPV4: + min_hdr_len = sizeof(struct ip); + break; + case IPPROTO_IPV6: + min_hdr_len = sizeof(struct ip6_hdr); + break; + case IPPROTO_NONE: + min_hdr_len = 0; + break; case IPPROTO_ICMP: case IPPROTO_ICMPV6: default: // Use for all other packets. min_hdr_len = ICMP_MINLEN; + break; } if ( len < min_hdr_len ) { - Weird("truncated_header", h, p); + Weird("truncated_header", h, p, encap); return true; } if ( caplen < min_hdr_len ) { - Weird("internally_truncated_header", h, p); + Weird("internally_truncated_header", h, p, encap); return true; } @@ -1004,7 +1113,8 @@ void NetSessions::GetStats(SessionStats& s) const } Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, - const u_char* data, int proto, uint32 flow_label) + const u_char* data, int proto, uint32 flow_label, + const EncapsulationStack* encapsulation) { // FIXME: This should be cleaned up a bit, it's too protocol-specific. // But I'm not yet sure what the right abstraction for these things is. @@ -1060,7 +1170,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, id = &flip_id; } - Connection* conn = new Connection(this, k, t, id, flow_label); + Connection* conn = new Connection(this, k, t, id, flow_label, encapsulation); conn->SetTransport(tproto); dpm->BuildInitialAnalyzerTree(tproto, conn, data); @@ -1224,18 +1334,26 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr, reporter->InternalError("%s", msg); } -void NetSessions::Weird(const char* name, - const struct pcap_pkthdr* hdr, const u_char* pkt) +void NetSessions::Weird(const char* name, const struct pcap_pkthdr* hdr, + const u_char* pkt, const EncapsulationStack* encap) { if ( hdr ) dump_this_packet = 1; - reporter->Weird(name); + if ( encap && encap->LastType() != BifEnum::Tunnel::NONE ) + reporter->Weird(fmt("%s_in_tunnel", name)); + else + reporter->Weird(name); } -void NetSessions::Weird(const char* name, const IP_Hdr* ip) +void NetSessions::Weird(const char* name, const IP_Hdr* ip, + const EncapsulationStack* encap) { - reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name); + if ( encap && encap->LastType() != BifEnum::Tunnel::NONE ) + reporter->Weird(ip->SrcAddr(), ip->DstAddr(), + fmt("%s_in_tunnel", name)); + else + reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name); } unsigned int NetSessions::ConnectionMemoryUsage() diff --git a/src/Sessions.h b/src/Sessions.h index d29ab0eeab..a7d7b1272f 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -11,9 +11,12 @@ #include "PacketFilter.h" #include "Stats.h" #include "NetVar.h" +#include "TunnelEncapsulation.h" +#include struct pcap_pkthdr; +class EncapsulationStack; class Connection; class ConnID; class OSFingerprint; @@ -105,9 +108,10 @@ public: void GetStats(SessionStats& s) const; - void Weird(const char* name, - const struct pcap_pkthdr* hdr, const u_char* pkt); - void Weird(const char* name, const IP_Hdr* ip); + void Weird(const char* name, const struct pcap_pkthdr* hdr, + const u_char* pkt, const EncapsulationStack* encap = 0); + void Weird(const char* name, const IP_Hdr* ip, + const EncapsulationStack* encap = 0); PacketFilter* GetPacketFilter() { @@ -131,6 +135,51 @@ public: icmp_conns.Length(); } + void DoNextPacket(double t, const struct pcap_pkthdr* hdr, + const IP_Hdr* ip_hdr, const u_char* const pkt, + int hdr_size, const EncapsulationStack* encapsulation); + + /** + * Wrapper that recurses on DoNextPacket for encapsulated IP packets. + * + * @param t Network time. + * @param hdr If the outer pcap header is available, this pointer can be set + * so that the fake pcap header passed to DoNextPacket will use + * the same timeval. The caplen and len fields of the fake pcap + * header are always set to the TotalLength() of \a inner. + * @param inner Pointer to IP header wrapper of the inner packet, ownership + * of the pointer's memory is assumed by this function. + * @param prev Any previous encapsulation stack of the caller, not including + * the most-recently found depth of encapsulation. + * @param ec The most-recently found depth of encapsulation. + */ + void DoNextInnerPacket(double t, const struct pcap_pkthdr* hdr, + const IP_Hdr* inner, const EncapsulationStack* prev, + const EncapsulatingConn& ec); + + /** + * Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4 + * or IPv6 header based on whether it's long enough to contain such a header + * and also that the payload length field of that header matches the actual + * length of \a pkt given by \a caplen. + * + * @param caplen The length of \a pkt in bytes. + * @param pkt The inner IP packet data. + * @param proto Either IPPROTO_IPV6 or IPPROTO_IPV4 to indicate which IP + * protocol \a pkt corresponds to. + * @param inner The inner IP packet wrapper pointer to be allocated/assigned + * if \a pkt looks like a valid IP packet or at least long enough + * to hold an IP header. + * @return 0 If the inner IP packet appeared valid, else -1 if \a caplen + * is greater than the supposed IP packet's payload length field or + * 1 if \a caplen is less than the supposed packet's payload length. + * In the -1 case, \a inner may still be non-null if \a caplen was + * long enough to be an IP header, and \a inner is always non-null + * for other return values. + */ + int ParseIPPacket(int caplen, const u_char* const pkt, int proto, + IP_Hdr*& inner); + unsigned int ConnectionMemoryUsage(); unsigned int ConnectionMemoryUsageConnVals(); unsigned int MemoryAllocation(); @@ -140,9 +189,11 @@ protected: friend class RemoteSerializer; friend class ConnCompressor; friend class TimerMgrExpireTimer; + friend class IPTunnelTimer; Connection* NewConn(HashKey* k, double t, const ConnID* id, - const u_char* data, int proto, uint32 flow_label); + const u_char* data, int proto, uint32 flow_lable, + const EncapsulationStack* encapsulation); // Check whether the tag of the current packet is consistent with // the given connection. Returns: @@ -173,10 +224,6 @@ protected: const u_char* const pkt, int hdr_size, PacketSortElement* pkt_elem); - void DoNextPacket(double t, const struct pcap_pkthdr* hdr, - const IP_Hdr* ip_hdr, const u_char* const pkt, - int hdr_size); - void NextPacketSecondary(double t, const struct pcap_pkthdr* hdr, const u_char* const pkt, int hdr_size, const PktSrc* src_ps); @@ -194,7 +241,8 @@ protected: // from lower-level headers or the length actually captured is less // than that protocol's minimum header size. bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen, - const struct pcap_pkthdr* hdr, const u_char* pkt); + const struct pcap_pkthdr* hdr, const u_char* pkt, + const EncapsulationStack* encap); CompositeHash* ch; PDict(Connection) tcp_conns; @@ -202,6 +250,11 @@ protected: PDict(Connection) icmp_conns; PDict(FragReassembler) fragments; + typedef pair IPPair; + typedef pair TunnelActivity; + typedef std::map IPTunnelMap; + IPTunnelMap ip_tunnels; + ARP_Analyzer* arp_analyzer; SteppingStoneManager* stp_manager; @@ -219,6 +272,21 @@ protected: TimerMgrMap timer_mgrs; }; + +class IPTunnelTimer : public Timer { +public: + IPTunnelTimer(double t, NetSessions::IPPair p) + : Timer(t + BifConst::Tunnel::ip_tunnel_timeout, + TIMER_IP_TUNNEL_INACTIVITY), tunnel_idx(p) {} + + ~IPTunnelTimer() {} + + void Dispatch(double t, int is_expire); + +protected: + NetSessions::IPPair tunnel_idx; +}; + // Manager for the currently active sessions. extern NetSessions* sessions; diff --git a/src/Teredo.cc b/src/Teredo.cc new file mode 100644 index 0000000000..54676c3255 --- /dev/null +++ b/src/Teredo.cc @@ -0,0 +1,246 @@ + +#include "Teredo.h" +#include "IP.h" +#include "Reporter.h" + +void Teredo_Analyzer::Done() + { + Analyzer::Done(); + Event(udp_session_done); + } + +bool TeredoEncapsulation::DoParse(const u_char* data, int& len, + bool found_origin, bool found_auth) + { + if ( len < 2 ) + { + Weird("truncated_Teredo"); + return false; + } + + uint16 tag = ntohs((*((const uint16*)data))); + + if ( tag == 0 ) + { + // Origin Indication + if ( found_origin ) + // can't have multiple origin indications + return false; + + if ( len < 8 ) + { + Weird("truncated_Teredo_origin_indication"); + return false; + } + + origin_indication = data; + len -= 8; + data += 8; + return DoParse(data, len, true, found_auth); + } + + else if ( tag == 1 ) + { + // Authentication + if ( found_origin || found_auth ) + // can't have multiple authentication headers and can't come after + // an origin indication + return false; + + if ( len < 4 ) + { + Weird("truncated_Teredo_authentication"); + return false; + } + + uint8 id_len = data[2]; + uint8 au_len = data[3]; + uint16 tot_len = 4 + id_len + au_len + 8 + 1; + + if ( len < tot_len ) + { + Weird("truncated_Teredo_authentication"); + return false; + } + + auth = data; + len -= tot_len; + data += tot_len; + return DoParse(data, len, found_origin, true); + } + + else if ( ((tag & 0xf000)>>12) == 6 ) + { + // IPv6 + if ( len < 40 ) + { + Weird("truncated_IPv6_in_Teredo"); + return false; + } + + // There's at least a possible IPv6 header, we'll decide what to do + // later if the payload length field doesn't match the actual length + // of the packet. + inner_ip = data; + return true; + } + + return false; + } + +RecordVal* TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const + { + static RecordType* teredo_hdr_type = 0; + static RecordType* teredo_auth_type = 0; + static RecordType* teredo_origin_type = 0; + + if ( ! teredo_hdr_type ) + { + teredo_hdr_type = internal_type("teredo_hdr")->AsRecordType(); + teredo_auth_type = internal_type("teredo_auth")->AsRecordType(); + teredo_origin_type = internal_type("teredo_origin")->AsRecordType(); + } + + RecordVal* teredo_hdr = new RecordVal(teredo_hdr_type); + + if ( auth ) + { + RecordVal* teredo_auth = new RecordVal(teredo_auth_type); + uint8 id_len = *((uint8*)(auth + 2)); + uint8 au_len = *((uint8*)(auth + 3)); + uint64 nonce = ntohll(*((uint64*)(auth + 4 + id_len + au_len))); + uint8 conf = *((uint8*)(auth + 4 + id_len + au_len + 8)); + teredo_auth->Assign(0, new StringVal( + new BroString(auth + 4, id_len, 1))); + teredo_auth->Assign(1, new StringVal( + new BroString(auth + 4 + id_len, au_len, 1))); + teredo_auth->Assign(2, new Val(nonce, TYPE_COUNT)); + teredo_auth->Assign(3, new Val(conf, TYPE_COUNT)); + teredo_hdr->Assign(0, teredo_auth); + } + + if ( origin_indication ) + { + RecordVal* teredo_origin = new RecordVal(teredo_origin_type); + uint16 port = ntohs(*((uint16*)(origin_indication + 2))) ^ 0xFFFF; + uint32 addr = ntohl(*((uint32*)(origin_indication + 4))) ^ 0xFFFFFFFF; + teredo_origin->Assign(0, new PortVal(port, TRANSPORT_UDP)); + teredo_origin->Assign(1, new AddrVal(htonl(addr))); + teredo_hdr->Assign(1, teredo_origin); + } + + teredo_hdr->Assign(2, inner->BuildPktHdrVal()); + return teredo_hdr; + } + +void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, + int seq, const IP_Hdr* ip, int caplen) + { + Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + + TeredoEncapsulation te(this); + + if ( ! te.Parse(data, len) ) + { + ProtocolViolation("Bad Teredo encapsulation", (const char*) data, len); + return; + } + + const EncapsulationStack* e = Conn()->GetEncapsulation(); + + if ( e && e->Depth() >= BifConst::Tunnel::max_depth ) + { + Weird("tunnel_depth"); + return; + } + + IP_Hdr* inner = 0; + int rslt = sessions->ParseIPPacket(len, te.InnerIP(), IPPROTO_IPV6, inner); + + if ( rslt > 0 ) + { + if ( inner->NextProto() == IPPROTO_NONE && inner->PayloadLen() == 0 ) + // Teredo bubbles having data after IPv6 header isn't strictly a + // violation, but a little weird. + Weird("Teredo_bubble_with_payload"); + else + { + delete inner; + ProtocolViolation("Teredo payload length", (const char*) data, len); + return; + } + } + + if ( rslt == 0 || rslt > 0 ) + { + if ( BifConst::Tunnel::yielding_teredo_decapsulation && + ! ProtocolConfirmed() ) + { + // Only confirm the Teredo tunnel and start decapsulating packets + // when no other sibling analyzer thinks it's already parsing the + // right protocol. + bool sibling_has_confirmed = false; + if ( Parent() ) + { + LOOP_OVER_GIVEN_CONST_CHILDREN(i, Parent()->GetChildren()) + { + if ( (*i)->ProtocolConfirmed() ) + { + sibling_has_confirmed = true; + break; + } + } + } + + if ( ! sibling_has_confirmed ) + ProtocolConfirmation(); + else + { + delete inner; + return; + } + } + else + { + // Aggressively decapsulate anything with valid Teredo encapsulation + ProtocolConfirmation(); + } + } + + else + { + delete inner; + ProtocolViolation("Truncated Teredo", (const char*) data, len); + return; + } + + Val* teredo_hdr = 0; + + if ( teredo_packet ) + { + teredo_hdr = te.BuildVal(inner); + Conn()->Event(teredo_packet, 0, teredo_hdr); + } + + if ( te.Authentication() && teredo_authentication ) + { + teredo_hdr = teredo_hdr ? teredo_hdr->Ref() : te.BuildVal(inner); + Conn()->Event(teredo_authentication, 0, teredo_hdr); + } + + if ( te.OriginIndication() && teredo_origin_indication ) + { + teredo_hdr = teredo_hdr ? teredo_hdr->Ref() : te.BuildVal(inner); + Conn()->Event(teredo_origin_indication, 0, teredo_hdr); + } + + if ( inner->NextProto() == IPPROTO_NONE && teredo_bubble ) + { + teredo_hdr = teredo_hdr ? teredo_hdr->Ref() : te.BuildVal(inner); + Conn()->Event(teredo_bubble, 0, teredo_hdr); + } + + EncapsulatingConn ec(Conn(), BifEnum::Tunnel::TEREDO); + + sessions->DoNextInnerPacket(network_time, 0, inner, e, ec); + } diff --git a/src/Teredo.h b/src/Teredo.h new file mode 100644 index 0000000000..84ff8ddf38 --- /dev/null +++ b/src/Teredo.h @@ -0,0 +1,79 @@ +#ifndef Teredo_h +#define Teredo_h + +#include "Analyzer.h" +#include "NetVar.h" + +class Teredo_Analyzer : public Analyzer { +public: + Teredo_Analyzer(Connection* conn) : Analyzer(AnalyzerTag::Teredo, conn) + {} + + virtual ~Teredo_Analyzer() + {} + + virtual void Done(); + + virtual void DeliverPacket(int len, const u_char* data, bool orig, + int seq, const IP_Hdr* ip, int caplen); + + static Analyzer* InstantiateAnalyzer(Connection* conn) + { return new Teredo_Analyzer(conn); } + + static bool Available() + { return BifConst::Tunnel::enable_teredo && + BifConst::Tunnel::max_depth > 0; } + + /** + * Emits a weird only if the analyzer has previously been able to + * decapsulate a Teredo packet since otherwise the weirds could happen + * frequently enough to be less than helpful. + */ + void Weird(const char* name) const + { + if ( ProtocolConfirmed() ) + reporter->Weird(Conn(), name); + } + +protected: + friend class AnalyzerTimer; + void ExpireTimer(double t); +}; + +class TeredoEncapsulation { +public: + TeredoEncapsulation(const Teredo_Analyzer* ta) + : inner_ip(0), origin_indication(0), auth(0), analyzer(ta) + {} + + /** + * Returns whether input data parsed as a valid Teredo encapsulation type. + * If it was valid, the len argument is decremented appropriately. + */ + bool Parse(const u_char* data, int& len) + { return DoParse(data, len, false, false); } + + const u_char* InnerIP() const + { return inner_ip; } + + const u_char* OriginIndication() const + { return origin_indication; } + + const u_char* Authentication() const + { return auth; } + + RecordVal* BuildVal(const IP_Hdr* inner) const; + +protected: + bool DoParse(const u_char* data, int& len, bool found_orig, bool found_au); + + void Weird(const char* name) const + { analyzer->Weird(name); } + + const u_char* inner_ip; + const u_char* origin_indication; + const u_char* auth; + const Teredo_Analyzer* analyzer; +}; + +#endif diff --git a/src/Timer.cc b/src/Timer.cc index 2e2fb09c6b..c2a8bb3421 100644 --- a/src/Timer.cc +++ b/src/Timer.cc @@ -20,6 +20,7 @@ const char* TimerNames[] = { "IncrementalSendTimer", "IncrementalWriteTimer", "InterconnTimer", + "IPTunnelInactivityTimer", "NetbiosExpireTimer", "NetworkTimer", "NTPExpireTimer", diff --git a/src/Timer.h b/src/Timer.h index bb6b8d56ae..310e72bdc9 100644 --- a/src/Timer.h +++ b/src/Timer.h @@ -26,6 +26,7 @@ enum TimerType { TIMER_INCREMENTAL_SEND, TIMER_INCREMENTAL_WRITE, TIMER_INTERCONN, + TIMER_IP_TUNNEL_INACTIVITY, TIMER_NB_EXPIRE, TIMER_NETWORK, TIMER_NTP_EXPIRE, diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc new file mode 100644 index 0000000000..edbabef81f --- /dev/null +++ b/src/TunnelEncapsulation.cc @@ -0,0 +1,55 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "TunnelEncapsulation.h" +#include "util.h" +#include "Conn.h" + +EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t) + : src_addr(c->OrigAddr()), dst_addr(c->RespAddr()), + src_port(c->OrigPort()), dst_port(c->RespPort()), + proto(c->ConnTransport()), type(t), uid(c->GetUID()) + { + if ( ! uid ) + { + uid = calculate_unique_id(); + c->SetUID(uid); + } + } + +RecordVal* EncapsulatingConn::GetRecordVal() const + { + RecordVal *rv = new RecordVal(BifType::Record::Tunnel::EncapsulatingConn); + + RecordVal* id_val = new RecordVal(conn_id); + id_val->Assign(0, new AddrVal(src_addr)); + id_val->Assign(1, new PortVal(ntohs(src_port), proto)); + id_val->Assign(2, new AddrVal(dst_addr)); + id_val->Assign(3, new PortVal(ntohs(dst_port), proto)); + rv->Assign(0, id_val); + rv->Assign(1, new EnumVal(type, BifType::Enum::Tunnel::Type)); + + char tmp[20]; + rv->Assign(2, new StringVal(uitoa_n(uid, tmp, sizeof(tmp), 62))); + + return rv; + } + +bool operator==(const EncapsulationStack& e1, const EncapsulationStack& e2) + { + if ( ! e1.conns ) + return e2.conns; + + if ( ! e2.conns ) + return false; + + if ( e1.conns->size() != e2.conns->size() ) + return false; + + for ( size_t i = 0; i < e1.conns->size(); ++i ) + { + if ( (*e1.conns)[i] != (*e2.conns)[i] ) + return false; + } + + return true; + } diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h new file mode 100644 index 0000000000..e8ca7a48b6 --- /dev/null +++ b/src/TunnelEncapsulation.h @@ -0,0 +1,208 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef TUNNELS_H +#define TUNNELS_H + +#include "config.h" +#include "NetVar.h" +#include "IPAddr.h" +#include "Val.h" +#include + +class Connection; + +/** + * Represents various types of tunnel "connections", that is, a pair of + * endpoints whose communication encapsulates inner IP packets. This could + * mean IP packets nested inside IP packets or IP packets nested inside a + * transport layer protocol. EncapsulatingConn's are assigned a UID, which can + * be shared with Connection's in the case the tunnel uses a transport-layer. + */ +class EncapsulatingConn { +public: + /** + * Default tunnel connection constructor. + */ + EncapsulatingConn() + : src_port(0), dst_port(0), proto(TRANSPORT_UNKNOWN), + type(BifEnum::Tunnel::NONE), uid(0) + {} + + /** + * Construct an IP tunnel "connection" with its own UID. + * The assignment of "source" and "destination" addresses here can be + * arbitrary, comparison between EncapsulatingConn objects will treat IP + * tunnels as equivalent as long as the same two endpoints are involved. + * + * @param s The tunnel source address, likely taken from an IP header. + * @param d The tunnel destination address, likely taken from an IP header. + */ + EncapsulatingConn(const IPAddr& s, const IPAddr& d) + : src_addr(s), dst_addr(d), src_port(0), dst_port(0), + proto(TRANSPORT_UNKNOWN), type(BifEnum::Tunnel::IP) + { + uid = calculate_unique_id(); + } + + /** + * Construct a tunnel connection using information from an already existing + * transport-layer-aware connection object. + * + * @param c The connection from which endpoint information can be extracted. + * If it already has a UID associated with it, that gets inherited, + * otherwise a new UID is created for this tunnel and \a c. + * @param t The type of tunneling that is occurring over the connection. + */ + EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t); + + /** + * Copy constructor. + */ + EncapsulatingConn(const EncapsulatingConn& other) + : src_addr(other.src_addr), dst_addr(other.dst_addr), + src_port(other.src_port), dst_port(other.dst_port), + proto(other.proto), type(other.type), uid(other.uid) + {} + + /** + * Destructor. + */ + ~EncapsulatingConn() + {} + + BifEnum::Tunnel::Type Type() const + { return type; } + + /** + * Returns record value of type "EncapsulatingConn" representing the tunnel. + */ + RecordVal* GetRecordVal() const; + + friend bool operator==(const EncapsulatingConn& ec1, + const EncapsulatingConn& ec2) + { + if ( ec1.type != ec2.type ) + return false; + + if ( ec1.type == BifEnum::Tunnel::IP ) + // Reversing endpoints is still same tunnel. + return ec1.uid == ec2.uid && ec1.proto == ec2.proto && + ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) || + (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr)); + + return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr && + ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port && + ec1.uid == ec2.uid && ec1.proto == ec2.proto; + } + + friend bool operator!=(const EncapsulatingConn& ec1, + const EncapsulatingConn& ec2) + { + return ! ( ec1 == ec2 ); + } + +protected: + IPAddr src_addr; + IPAddr dst_addr; + uint16 src_port; + uint16 dst_port; + TransportProto proto; + BifEnum::Tunnel::Type type; + uint64 uid; +}; + +/** + * Abstracts an arbitrary amount of nested tunneling. + */ +class EncapsulationStack { +public: + EncapsulationStack() : conns(0) + {} + + EncapsulationStack(const EncapsulationStack& other) + { + if ( other.conns ) + conns = new vector(*(other.conns)); + else + conns = 0; + } + + EncapsulationStack& operator=(const EncapsulationStack& other) + { + if ( this == &other ) + return *this; + + delete conns; + + if ( other.conns ) + conns = new vector(*(other.conns)); + else + conns = 0; + + return *this; + } + + ~EncapsulationStack() { delete conns; } + + /** + * Add a new inner-most tunnel to the EncapsulationStack. + * + * @param c The new inner-most tunnel to append to the tunnel chain. + */ + void Add(const EncapsulatingConn& c) + { + if ( ! conns ) + conns = new vector(); + + conns->push_back(c); + } + + /** + * Return how many nested tunnels are involved in a encapsulation, zero + * meaning no tunnels are present. + */ + size_t Depth() const + { + return conns ? conns->size() : 0; + } + + /** + * Return the tunnel type of the inner-most tunnel. + */ + BifEnum::Tunnel::Type LastType() const + { + return conns ? (*conns)[conns->size()-1].Type() : BifEnum::Tunnel::NONE; + } + + /** + * Get the value of type "EncapsulatingConnVector" represented by the + * entire encapsulation chain. + */ + VectorVal* GetVectorVal() const + { + VectorVal* vv = new VectorVal( + internal_type("EncapsulatingConnVector")->AsVectorType()); + + if ( conns ) + { + for ( size_t i = 0; i < conns->size(); ++i ) + vv->Assign(i, (*conns)[i].GetRecordVal(), 0); + } + + return vv; + } + + friend bool operator==(const EncapsulationStack& e1, + const EncapsulationStack& e2); + + friend bool operator!=(const EncapsulationStack& e1, + const EncapsulationStack& e2) + { + return ! ( e1 == e2 ); + } + +protected: + vector* conns; +}; + +#endif diff --git a/src/Val.cc b/src/Val.cc index 32a3c367bb..8a8c2b18c0 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -1651,6 +1651,7 @@ int TableVal::RemoveFrom(Val* val) const while ( (v = tbl->NextEntry(k, c)) ) { Val* index = RecoverIndex(k); + Unref(index); Unref(t->Delete(k)); delete k; diff --git a/src/ayiya-analyzer.pac b/src/ayiya-analyzer.pac new file mode 100644 index 0000000000..7a151453c1 --- /dev/null +++ b/src/ayiya-analyzer.pac @@ -0,0 +1,89 @@ + +connection AYIYA_Conn(bro_analyzer: BroAnalyzer) + { + upflow = AYIYA_Flow; + downflow = AYIYA_Flow; + }; + +flow AYIYA_Flow + { + datagram = PDU withcontext(connection, this); + + function process_ayiya(pdu: PDU): bool + %{ + Connection *c = connection()->bro_analyzer()->Conn(); + const EncapsulationStack* e = c->GetEncapsulation(); + + if ( e && e->Depth() >= BifConst::Tunnel::max_depth ) + { + reporter->Weird(c, "tunnel_depth"); + return false; + } + + if ( ${pdu.op} != 1 ) + { + // 1 is the "forward" command. + return false; + } + + if ( ${pdu.next_header} != IPPROTO_IPV6 && + ${pdu.next_header} != IPPROTO_IPV4 ) + { + reporter->Weird(c, "ayiya_tunnel_non_ip"); + return false; + } + + if ( ${pdu.packet}.length() < (int)sizeof(struct ip) ) + { + connection()->bro_analyzer()->ProtocolViolation( + "Truncated AYIYA", (const char*) ${pdu.packet}.data(), + ${pdu.packet}.length()); + return false; + } + + const struct ip* ip = (const struct ip*) ${pdu.packet}.data(); + + if ( ( ${pdu.next_header} == IPPROTO_IPV6 && ip->ip_v != 6 ) || + ( ${pdu.next_header} == IPPROTO_IPV4 && ip->ip_v != 4) ) + { + connection()->bro_analyzer()->ProtocolViolation( + "AYIYA next header mismatch", (const char*)${pdu.packet}.data(), + ${pdu.packet}.length()); + return false; + } + + IP_Hdr* inner = 0; + int result = sessions->ParseIPPacket(${pdu.packet}.length(), + ${pdu.packet}.data(), ${pdu.next_header}, inner); + + if ( result == 0 ) + connection()->bro_analyzer()->ProtocolConfirmation(); + + else if ( result < 0 ) + connection()->bro_analyzer()->ProtocolViolation( + "Truncated AYIYA", (const char*) ${pdu.packet}.data(), + ${pdu.packet}.length()); + + else + connection()->bro_analyzer()->ProtocolViolation( + "AYIYA payload length", (const char*) ${pdu.packet}.data(), + ${pdu.packet}.length()); + + if ( result != 0 ) + { + delete inner; + return false; + } + + EncapsulatingConn ec(c, BifEnum::Tunnel::AYIYA); + + sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec); + + return (result == 0) ? true : false; + %} + + }; + +refine typeattr PDU += &let { + proc_ayiya = $context.flow.process_ayiya(this); +}; diff --git a/src/ayiya-protocol.pac b/src/ayiya-protocol.pac new file mode 100644 index 0000000000..328d44ece7 --- /dev/null +++ b/src/ayiya-protocol.pac @@ -0,0 +1,16 @@ + +type PDU = record { + identity_byte: uint8; + signature_byte: uint8; + auth_and_op: uint8; + next_header: uint8; + epoch: uint32; + identity: bytestring &length=identity_len; + signature: bytestring &length=signature_len; + packet: bytestring &restofdata; +} &let { + identity_len = (1 << (identity_byte >> 4)); + signature_len = (signature_byte >> 4) * 4; + auth = auth_and_op >> 4; + op = auth_and_op & 0xF; +} &byteorder = littleendian; diff --git a/src/ayiya.pac b/src/ayiya.pac new file mode 100644 index 0000000000..58fa196c15 --- /dev/null +++ b/src/ayiya.pac @@ -0,0 +1,10 @@ +%include binpac.pac +%include bro.pac + +analyzer AYIYA withcontext { + connection: AYIYA_Conn; + flow: AYIYA_Flow; +}; + +%include ayiya-protocol.pac +%include ayiya-analyzer.pac diff --git a/src/bro.bif b/src/bro.bif index 1feccb8639..f18d3ba1b5 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -972,12 +972,12 @@ function sha256_hash_finish%(index: any%): string ## ## .. note:: ## -## This function is a wrapper about the function ``rand`` provided by -## the OS. +## This function is a wrapper about the function ``random`` +## provided by the OS. function rand%(max: count%): count %{ int result; - result = bro_uint_t(double(max) * double(rand()) / (RAND_MAX + 1.0)); + result = bro_uint_t(double(max) * double(bro_random()) / (RAND_MAX + 1.0)); return new Val(result, TYPE_COUNT); %} @@ -989,11 +989,11 @@ function rand%(max: count%): count ## ## .. note:: ## -## This function is a wrapper about the function ``srand`` provided -## by the OS. +## This function is a wrapper about the function ``srandom`` +## provided by the OS. function srand%(seed: count%): any %{ - srand(seed); + bro_srandom(seed); return 0; %} @@ -1700,7 +1700,7 @@ function fmt%(...%): string return new StringVal(""); } - else if ( n >= @ARGC@ ) + else if ( n >= @ARGC@ ) { builtin_error("too few arguments for format", fmt_v); return new StringVal(""); @@ -4814,7 +4814,9 @@ function calc_next_rotate%(i: interval%) : interval %{ const char* base_time = log_rotate_base_time ? log_rotate_base_time->AsString()->CheckString() : 0; - return new Val(calc_next_rotate(i, base_time), TYPE_INTERVAL); + + double base = parse_rotate_base_time(base_time); + return new Val(calc_next_rotate(network_time, i, base), TYPE_INTERVAL); %} ## Returns the size of a given file. diff --git a/src/const.bif b/src/const.bif index f815b40480..499dc63314 100644 --- a/src/const.bif +++ b/src/const.bif @@ -4,7 +4,6 @@ const ignore_keep_alive_rexmit: bool; const skip_http_data: bool; -const parse_udp_tunnels: bool; const use_conn_size_analyzer: bool; const report_gaps_for_partial: bool; @@ -12,4 +11,11 @@ const NFS3::return_data: bool; const NFS3::return_data_max: count; const NFS3::return_data_first_only: bool; +const Tunnel::max_depth: count; +const Tunnel::enable_ip: bool; +const Tunnel::enable_ayiya: bool; +const Tunnel::enable_teredo: bool; +const Tunnel::yielding_teredo_decapsulation: bool; +const Tunnel::ip_tunnel_timeout: interval; + const Threading::heartbeat_interval: interval; diff --git a/src/event.bif b/src/event.bif index af2381ecf6..0c79c6159d 100644 --- a/src/event.bif +++ b/src/event.bif @@ -10,7 +10,7 @@ # # - List parameters with an empty line in between. # -# - Within the description, reference other parameters of the same events +# - Within the description, reference other parameters of the same event # as *arg*. # # - Order: @@ -31,17 +31,18 @@ ## Generated at Bro initialization time. The event engine generates this ## event just before normal input processing begins. It can be used to execute ## one-time initialization code at startup. At the time a handler runs, Bro will -## have executed any global initializations and statements. +## have executed any global initializations and statements. ## ## .. bro:see:: bro_done ## ## .. note:: ## -## When a ``bro_init`` handler executes, Bro has not yet seen any input packets -## and therefore :bro:id:`network_time` is not initialized yet. An artifact -## of that is that any timer installed in a ``bro_init`` handler will fire -## immediately with the first packet. The standard way to work around that is to -## ignore the first time the timer fires and immediately reschedule. +## When a ``bro_init`` handler executes, Bro has not yet seen any input +## packets and therefore :bro:id:`network_time` is not initialized yet. An +## artifact of that is that any timer installed in a ``bro_init`` handler +## will fire immediately with the first packet. The standard way to work +## around that is to ignore the first time the timer fires and immediately +## reschedule. ## event bro_init%(%); @@ -54,13 +55,13 @@ event bro_init%(%); ## ## .. note:: ## -## If Bro terminates due to an invocation of :bro:id:`exit`, then this event is -## not generated. +## If Bro terminates due to an invocation of :bro:id:`exit`, then this event +## is not generated. event bro_done%(%); -## Generated when an internal DNS lookup reduces the same result as last time. +## Generated when an internal DNS lookup produces the same result as last time. ## Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when subsequent lookup returns +## already resolved. This event is generated when a subsequent lookup returns ## the same result as stored in the cache. ## ## dm: A record describing the new resolver result (which matches the old one). @@ -69,10 +70,11 @@ event bro_done%(%); ## dns_mapping_unverified event dns_mapping_valid%(dm: dns_mapping%); -## Generated when an internal DNS lookup got no answer even though it had succeeded he -## past. Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when a subsequent lookup does not -## produce an answer even though we have already stored a result in the cache. +## Generated when an internal DNS lookup got no answer even though it had +## succeeded in the past. Bro keeps an internal DNS cache for host names and IP +## addresses it has already resolved. This event is generated when a +## subsequent lookup does not produce an answer even though we have +## already stored a result in the cache. ## ## dm: A record describing the old resolver result. ## @@ -80,8 +82,8 @@ event dns_mapping_valid%(dm: dns_mapping%); ## dns_mapping_valid event dns_mapping_unverified%(dm: dns_mapping%); -## Generated when an internal DNS lookup succeeed but an earlier attempt not. had -## had succeeded he past. Bro keeps an internal DNS cache for host names and IP +## Generated when an internal DNS lookup succeeded but an earlier attempt +## did not. Bro keeps an internal DNS cache for host names and IP ## addresses it has already resolved. This event is generated when a subsequent ## lookup produces an answer for a query that was marked as failed in the cache. ## @@ -92,10 +94,10 @@ event dns_mapping_unverified%(dm: dns_mapping%); event dns_mapping_new_name%(dm: dns_mapping%); ## Generated when an internal DNS lookup returned zero answers even though it -## had succeeded he past. Bro keeps an internal DNS cache for host names and IP -## addresses it has already resolved. This event is generated when for a subsequent -## lookup we received answer that however was empty even though we have -## already stored a result in the cache. +## had succeeded in the past. Bro keeps an internal DNS cache for host names +## and IP addresses it has already resolved. This event is generated when +## on a subsequent lookup we receive an answer that is empty even +## though we have already stored a result in the cache. ## ## dm: A record describing the old resolver result. ## @@ -104,26 +106,26 @@ event dns_mapping_new_name%(dm: dns_mapping%); event dns_mapping_lost_name%(dm: dns_mapping%); ## Generated when an internal DNS lookup produced a different result than in -## past. Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when a subsequent lookup returns -## a different answer than we have stored in the cache. +## the past. Bro keeps an internal DNS cache for host names and IP addresses +## it has already resolved. This event is generated when a subsequent lookup +## returns a different answer than we have stored in the cache. ## ## dm: A record describing the new resolver result. ## ## old_addrs: Addresses that used to be part of the returned set for the query ## described by *dm*, but are not anymore. ## -## new_addrs: Addresses that did not use to be part of the returned set for the -## query described by *dm*, but now are. +## new_addrs: Addresses that were not part of the returned set for the query +## described by *dm*, but now are. ## ## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified ## dns_mapping_valid event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%); -## Generated for every new connection. The event is raised with the first packet -## of a previously unknown connection. Bro uses a flow-based definition of -## "connection" here that includes not only TCP sessions but also UDP and ICMP -## flows. +## Generated for every new connection. This event is raised with the first +## packet of a previously unknown connection. Bro uses a flow-based definition +## of "connection" here that includes not only TCP sessions but also UDP and +## ICMP flows. ## ## c: The connection. ## @@ -141,7 +143,21 @@ event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr ## event. event new_connection%(c: connection%); -## Generated when reassembly starts for a TCP connection. The event is raised +## Generated for a connection whose tunneling has changed. This could +## be from a previously seen connection now being encapsulated in a tunnel, +## or from the outer encapsulation changing. Note that connection *c*'s +## *tunnel* field is NOT automatically/internally assigned to the new +## encapsulation value of *e* after this event is raised. If the desired +## behavior is to track the latest tunnel encapsulation per-connection, +## then a handler of this event should assign *e* to ``c$tunnel`` (which Bro's +## default scripts are doing). +## +## c: The connection whose tunnel/encapsulation changed. +## +## e: The new encapsulation. +event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); + +## Generated when reassembly starts for a TCP connection. This event is raised ## at the moment when Bro's TCP analyzer enables stream reassembly for a ## connection. ## @@ -155,11 +171,11 @@ event new_connection%(c: connection%); ## expected_connection_seen new_connection partial_connection event new_connection_contents%(c: connection%); -## Generated for an unsuccessful connection attempt. The event is raised when an -## originator unsuccessfully attempted to establish a connection. "Unsuccessful" -## is defined as at least :bro:id:`tcp_attempt_delay` seconds having elapsed since -## the originator first sent a connection establishment packet to the destination -## without seeing a reply. +## Generated for an unsuccessful connection attempt. This event is raised when +## an originator unsuccessfully attempted to establish a connection. +## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds +## having elapsed since the originator first sent a connection establishment +## packet to the destination without seeing a reply. ## ## c: The connection. ## @@ -171,7 +187,7 @@ event new_connection_contents%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_attempt%(c: connection%); -## Generated when a SYN-ACK packet is seen in response to SYN a packet during +## Generated when a SYN-ACK packet is seen in response to a SYN packet during ## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may ## or may not occur later, one way to tell is to check the *history* field of ## :bro:type:`connection` to see if the originator sent an ACK, indicated by @@ -188,8 +204,9 @@ event connection_attempt%(c: connection%); event connection_established%(c: connection%); ## Generated for a new active TCP connection if Bro did not see the initial -## handshake. The event is raised when Bro has observed traffic from each endpoint, -## but the activity did not begin with the usual connection establishment. +## handshake. This event is raised when Bro has observed traffic from each +## endpoint, but the activity did not begin with the usual connection +## establishment. ## ## c: The connection. ## @@ -202,11 +219,11 @@ event connection_established%(c: connection%); ## event partial_connection%(c: connection%); -## Generated when a previously inactive endpoint attempts to close a TCP connection -## via a normal FIN handshake or an abort RST sequence. When the endpoint sent -## one of these packets, Bro waits :bro:id:`tcp_partial_close_delay` prior -## to generating the event, to give the other endpoint a chance to close the -## connection normally. +## Generated when a previously inactive endpoint attempts to close a TCP +## connection via a normal FIN handshake or an abort RST sequence. When the +## endpoint sent one of these packets, Bro waits +## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give +## the other endpoint a chance to close the connection normally. ## ## c: The connection. ## @@ -245,9 +262,9 @@ event connection_finished%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_half_finished%(c: connection%); -## Generated for a rejected TCP connection. The event is raised when an originator -## attempted to setup a TCP connection but the responder replied with a RST packet -## denying it. +## Generated for a rejected TCP connection. This event is raised when an +## originator attempted to setup a TCP connection but the responder replied +## with a RST packet denying it. ## ## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt ## connection_established connection_external connection_finished @@ -261,9 +278,9 @@ event connection_half_finished%(c: connection%); ## .. note:: ## ## If the responder does not respond at all, :bro:id:`connection_attempt` is -## raised instead. If the responder initially accepts the connection but aborts -## it later, Bro first generates :bro:id:`connection_established` and then -## :bro:id:`connection_reset`. +## raised instead. If the responder initially accepts the connection but +## aborts it later, Bro first generates :bro:id:`connection_established` +## and then :bro:id:`connection_reset`. event connection_rejected%(c: connection%); ## Generated when an endpoint aborted a TCP connection. The event is raised @@ -296,9 +313,9 @@ event connection_pending%(c: connection%); ## Generated when a connection's internal state is about to be removed from ## memory. Bro generates this event reliably once for every connection when it ## is about to delete the internal state. As such, the event is well-suited for -## scrip-level cleanup that needs to be performed for every connection. The -## ``connection_state_remove`` event is generated not only for TCP sessions but -## also for UDP and ICMP flows. +## script-level cleanup that needs to be performed for every connection. This +## event is generated not only for TCP sessions but also for UDP and ICMP +## flows. ## ## c: The connection. ## @@ -311,8 +328,8 @@ event connection_pending%(c: connection%); ## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats event connection_state_remove%(c: connection%); -## Generated for a SYN packet. Bro raises this event for every SYN packet seen by -## its TCP analyzer. +## Generated for a SYN packet. Bro raises this event for every SYN packet seen +## by its TCP analyzer. ## ## c: The connection. ## @@ -327,14 +344,15 @@ event connection_state_remove%(c: connection%); ## ## .. note:: ## -## This event has quite low-level semantics and can potentially be expensive to -## generate. It should only be used if one really needs the specific information -## passed into the handler via the ``pkt`` argument. If not, handling one of the -## other ``connection_*`` events is typically the better approach. +## This event has quite low-level semantics and can potentially be expensive +## to generate. It should only be used if one really needs the specific +## information passed into the handler via the ``pkt`` argument. If not, +## handling one of the other ``connection_*`` events is typically the +## better approach. event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## Generated for the first ACK packet seen for a TCP connection from -## its *orginator*. +## its *originator*. ## ## c: The connection. ## @@ -350,10 +368,10 @@ event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## This event has quite low-level semantics and should be used only rarely. event connection_first_ACK%(c: connection%); -## Generated when a TCP connection timed out. This event is raised when no activity -## was seen for an interval of at least :bro:id:`tcp_connection_linger`, and -## either one endpoint has already closed the connection or one side never -## never became active. +## Generated when a TCP connection timed out. This event is raised when +## no activity was seen for an interval of at least +## :bro:id:`tcp_connection_linger`, and either one endpoint has already +## closed the connection or one side never became active. ## ## c: The connection. ## @@ -366,17 +384,17 @@ event connection_first_ACK%(c: connection%); ## ## .. note:: ## -## The precise semantics of this event can be unintuitive as it only +## The precise semantics of this event can be unintuitive as it only ## covers a subset of cases where a connection times out. Often, handling ## :bro:id:`connection_state_remove` is the better option. That one will be -## generated reliably when an interval of ``tcp_inactivity_timeout`` has passed -## with out any activity seen (but also for all other ways a connection may -## terminate). +## generated reliably when an interval of ``tcp_inactivity_timeout`` has +## passed without any activity seen (but also for all other ways a +## connection may terminate). event connection_timeout%(c: connection%); -## Generated when a connection 4-tuple is reused. The event is raised when Bro -## sees a new TCP session or UDP flow using a 4-tuple matching that of an earlier -## connection it still consideres active. +## Generated when a connection 4-tuple is reused. This event is raised when Bro +## sees a new TCP session or UDP flow using a 4-tuple matching that of an +## earlier connection it still considers active. ## ## c: The connection. ## @@ -388,8 +406,8 @@ event connection_timeout%(c: connection%); ## new_connection new_connection_contents partial_connection event connection_reused%(c: connection%); -## Generated in regular intervals during the life time of a connection. The -## events is raised each ``connection_status_update_interval`` seconds +## Generated in regular intervals during the lifetime of a connection. The +## event is raised each ``connection_status_update_interval`` seconds ## and can be used to check conditions on a regular basis. ## ## c: The connection. @@ -432,13 +450,17 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co ## new_connection new_connection_contents partial_connection event connection_EOF%(c: connection, is_orig: bool%); -## Generated for a new connection received from the communication subsystem. Remote -## peers can inject packets into Bro's packet loop, for example via :doc:`Broccoli -## `. The communication systems raises this event -## with the first packet of a connection coming in this way. +## Generated for a new connection received from the communication subsystem. +## Remote peers can inject packets into Bro's packet loop, for example via +## :doc:`Broccoli `. The communication system +## raises this event with the first packet of a connection coming in this way. +## +## c: The connection. +## +## tag: TODO. event connection_external%(c: connection, tag: string%); -## Generated when a connected is seen that has previously marked as being expected. +## Generated when a connection is seen that is marked as being expected. ## The function :bro:id:`expect_connection` tells Bro to expect a particular ## connection to come up, and which analyzer to associate with it. Once the ## first packet of such a connection is indeed seen, this event is raised. @@ -457,12 +479,12 @@ event connection_external%(c: connection, tag: string%); ## connection_state_remove connection_status_update connection_timeout ## new_connection new_connection_contents partial_connection ## -## .. todo: We don't have a good way to document the automatically generated +## .. todo:: We don't have a good way to document the automatically generated ## ``ANALYZER_*`` constants right now. event expected_connection_seen%(c: connection, a: count%); ## Generated for every packet Bro sees. This is a very low-level and expensive -## event that should be avoided when at all possible. Is's usually infeasible to +## event that should be avoided when at all possible. It's usually infeasible to ## handle when processing even medium volumes of traffic in real-time. That ## said, if you work from a trace and want to do some packet-level analysis, ## it may come in handy. @@ -475,7 +497,7 @@ event expected_connection_seen%(c: connection, a: count%); event new_packet%(c: connection, p: pkt_hdr%); ## Generated for every IPv6 packet that contains extension headers. -## This is potentially an expensive event to handle if analysiing IPv6 traffic +## This is potentially an expensive event to handle if analysing IPv6 traffic ## that happens to utilize extension headers frequently. ## ## c: The connection the packet is part of. @@ -500,26 +522,81 @@ event esp_packet%(p: pkt_hdr%); ## .. bro:see:: new_packet tcp_packet ipv6_ext_headers event mobile_ipv6_message%(p: pkt_hdr%); -## Generated for every packet that has non-empty transport-layer payload. This is a -## very low-level and expensive event that should be avoided when at all possible. -## It's usually infeasible to handle when processing even medium volumes of -## traffic in real-time. It's even worse than :bro:id:`new_packet`. That said, if -## you work from a trace and want to do some packet-level analysis, it may come in -## handy. +## Generated for any IPv6 packet encapsulated in a Teredo tunnel. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_packet%(outer: connection, inner: teredo_hdr%); + +## Generated for IPv6 packets encapsulated in a Teredo tunnel that +## use the Teredo authentication encapsulation method. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_authentication%(outer: connection, inner: teredo_hdr%); + +## Generated for IPv6 packets encapsulated in a Teredo tunnel that +## use the Teredo origin indication encapsulation method. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. bro:see:: teredo_packet teredo_authentication teredo_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_origin_indication%(outer: connection, inner: teredo_hdr%); + +## Generated for Teredo bubble packets. That is, IPv6 packets encapsulated +## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_bubble%(outer: connection, inner: teredo_hdr%); + +## Generated for every packet that has a non-empty transport-layer payload. +## This is a very low-level and expensive event that should be avoided when +## at all possible. It's usually infeasible to handle when processing even +## medium volumes of traffic in real-time. It's even worse than +## :bro:id:`new_packet`. That said, if you work from a trace and want to +## do some packet-level analysis, it may come in handy. ## ## c: The connection the packet is part of. ## -## contants: The raw transport-layer payload. +## contents: The raw transport-layer payload. ## ## .. bro:see:: new_packet tcp_packet event packet_contents%(c: connection, contents: string%); ## Generated for every TCP packet. This is a very low-level and expensive event -## that should be avoided when at all possible. It's usually infeasible to handle -## when processing even medium volumes of traffic in real-time. It's slightly -## better than :bro:id:`new_packet` because it affects only TCP, but not much. That -## said, if you work from a trace and want to do some packet-level analysis, it may -## come in handy. +## that should be avoided when at all possible. It's usually infeasible to +## handle when processing even medium volumes of traffic in real-time. It's +## slightly better than :bro:id:`new_packet` because it affects only TCP, but +## not much. That said, if you work from a trace and want to do some +## packet-level analysis, it may come in handy. ## ## c: The connection the packet is part of. ## @@ -535,8 +612,8 @@ event packet_contents%(c: connection, contents: string%); ## ## len: The length of the TCP payload, as specified in the packet header. ## -## payload: The raw TCP payload. Note that this may less than *len* if the packet -## was not fully captured. +## payload: The raw TCP payload. Note that this may be shorter than *len* if +## the packet was not fully captured. ## ## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); @@ -563,9 +640,9 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## :bro:id:`tcp_content_delivery_ports_resp`, ## :bro:id:`tcp_content_deliver_all_orig`, ## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk -## of in-order payload reconstructed from the packet stream. Note that this event -## is potentially expensive if many connections carry signficant amounts of data as -## then all that needs to be passed on to the scripting layer. +## of in-order payload reconstructed from the packet stream. Note that this +## event is potentially expensive if many connections carry significant amounts +## of data as then all that data needs to be passed on to the scripting layer. ## ## c: The connection the payload is part of. ## @@ -574,7 +651,7 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## seq: The sequence number corresponding to the first byte of the payload ## chunk. ## -## payload: The raw payload, which will be non-empty. +## contents: The raw payload, which will be non-empty. ## ## .. bro:see:: tcp_packet tcp_option tcp_rexmit ## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp @@ -590,13 +667,14 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); ## network-level effects such as latency, acknowledgements, reordering, etc. event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); -## Generated +## TODO. event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); ## Generated when Bro detects a TCP retransmission inconsistency. When -## reassemling TCP stream, Bro buffers all payload until it seens the responder -## acking it. If during time, the sender resends a chunk of payload but with -## content than originally, this event will be raised. +## reassembling a TCP stream, Bro buffers all payload until it sees the +## responder acking it. If during that time, the sender resends a chunk of +## payload but with different content than originally, this event will be +## raised. ## ## c: The connection showing the inconsistency. ## @@ -607,7 +685,7 @@ event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_ ## .. bro:see:: tcp_rexmit tcp_contents event rexmit_inconsistency%(c: connection, t1: string, t2: string%); -## Generated when a TCP endpoint acknowledges payload that Bro did never see. +## Generated when a TCP endpoint acknowledges payload that Bro never saw. ## ## c: The connection. ## @@ -621,19 +699,19 @@ event rexmit_inconsistency%(c: connection, t1: string, t2: string%); ## (which isn't unheard of). In practice, one will always see a few of these ## events in any larger volume of network traffic. If there are lots of them, ## however, that typically means that there is a problem with the monitoring -## infrastructure such as a tap dropping packets, split routing on the path, or -## reordering at the tap. +## infrastructure such as a tap dropping packets, split routing on the path, +## or reordering at the tap. ## -## This event reports similar situations as :bro:id:`content_gap`, though their -## specifics differ slightly. Often, however, both will be raised for the same -## connection if some of its data is missing. We should eventually merge -## the two. +## This event reports similar situations as :bro:id:`content_gap`, though +## their specifics differ slightly. Often, however, both will be raised for +## the same connection if some of its data is missing. We should eventually +## merge the two. event ack_above_hole%(c: connection%); -## Generated when Bro detects a gap in a reassembled TCP payload stream. This event -## is raised when Bro, while reassemling a payload stream, determines that a chunk -## of payload is missing (e.g., because the responder has already acknowledged it, -## even though Bro didn't see it). +## Generated when Bro detects a gap in a reassembled TCP payload stream. This +## event is raised when Bro, while reassembling a payload stream, determines +## that a chunk of payload is missing (e.g., because the responder has already +## acknowledged it, even though Bro didn't see it). ## ## c: The connection. ## @@ -647,25 +725,26 @@ event ack_above_hole%(c: connection%); ## ## .. note:: ## -## Content gaps tend to occur occasionally for various reasons, including broken -## TCP stacks. If, however, one finds lots of them, that typically means that -## there is a problem with the monitoring infrastructure such as a tap dropping -## packets, split routing on the path, or reordering at the tap. +## Content gaps tend to occur occasionally for various reasons, including +## broken TCP stacks. If, however, one finds lots of them, that typically +## means that there is a problem with the monitoring infrastructure such as +## a tap dropping packets, split routing on the path, or reordering at the +## tap. ## ## This event reports similar situations as :bro:id:`ack_above_hole`, though ## their specifics differ slightly. Often, however, both will be raised for -## connection if some of its data is missing. We should eventually merge the -## two. +## a connection if some of its data is missing. We should eventually merge +## the two. event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); -## Summarizes the amount of missing TCP payload at regular intervals. Internally, -## Bro tracks (1) the number of :bro:id:`ack_above_hole` events, including the -## numer of bytes missing; and (2) the total number of TCP acks seen, with the -## total volume of bytes that have been acked. This event reports these statistics -## in :bro:id:`gap_report_freq` intervals for the purpose of determining packet -## loss. +## Summarizes the amount of missing TCP payload at regular intervals. +## Internally, Bro tracks (1) the number of :bro:id:`ack_above_hole` events, +## including the number of bytes missing; and (2) the total number of TCP +## acks seen, with the total volume of bytes that have been acked. This event +## reports these statistics in :bro:id:`gap_report_freq` intervals for the +## purpose of determining packet loss. ## -## dt: The time that has past since the last ``gap_report`` interval. +## dt: The time that has passed since the last ``gap_report`` interval. ## ## info: The gap statistics. ## @@ -673,17 +752,17 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); ## ## .. note:: ## -## Bro comes with a script :doc:`/scripts/policy/misc/capture-loss` that uses -## this event to estimate packet loss and report when a predefined threshold is -## exceeded. +## Bro comes with a script :doc:`/scripts/policy/misc/capture-loss` that uses +## this event to estimate packet loss and report when a predefined threshold +## is exceeded. event gap_report%(dt: interval, info: gap_info%); ## Generated when a protocol analyzer confirms that a connection is indeed ## using that protocol. Bro's dynamic protocol detection heuristically activates -## analyzers as soon as it believe a connection *could* be using a particular -## protocol. It is then left to the corresponding analyzer to verify whether that -## is indeed the case; if so, this event will be generated. +## analyzers as soon as it believes a connection *could* be using a particular +## protocol. It is then left to the corresponding analyzer to verify whether +## that is indeed the case; if so, this event will be generated. ## ## c: The connection. ## @@ -694,24 +773,24 @@ event gap_report%(dt: interval, info: gap_info%); ## ## aid: A unique integer ID identifying the specific *instance* of the ## analyzer *atype* that is analyzing the connection ``c``. The ID can -## be used to reference the analyzer when using builtin functions like +## be used to reference the analyzer when using builtin functions like ## :bro:id:`disable_analyzer`. ## ## .. bro:see:: protocol_violation ## ## .. note:: ## -## Bro's default scripts use this event to determine the ``service`` column of -## :bro:type:`Conn::Info`: once confirmed, the protocol will be listed there -## (and thus in ``conn.log``). +## Bro's default scripts use this event to determine the ``service`` column +## of :bro:type:`Conn::Info`: once confirmed, the protocol will be listed +## there (and thus in ``conn.log``). event protocol_confirmation%(c: connection, atype: count, aid: count%); ## Generated when a protocol analyzer determines that a connection it is parsing -## is not conforming to the protocol it expects. Bro's dynamic protocol detection -## heuristically activates analyzers as soon as it believe a connection *could* be -## using a particular protocol. It is then left to the corresponding analyzer to -## verify whether that is indeed the case; if not, the analyzer will trigger this -## event. +## is not conforming to the protocol it expects. Bro's dynamic protocol +## detection heuristically activates analyzers as soon as it believes a +## connection *could* be using a particular protocol. It is then left to the +## corresponding analyzer to verify whether that is indeed the case; if not, +## the analyzer will trigger this event. ## ## c: The connection. ## @@ -722,20 +801,24 @@ event protocol_confirmation%(c: connection, atype: count, aid: count%); ## ## aid: A unique integer ID identifying the specific *instance* of the ## analyzer *atype* that is analyzing the connection ``c``. The ID can -## be used to reference the analyzer when using builtin functions like +## be used to reference the analyzer when using builtin functions like ## :bro:id:`disable_analyzer`. ## +## reason: TODO. +## ## .. bro:see:: protocol_confirmation ## ## .. note:: ## ## Bro's default scripts use this event to disable an analyzer via -## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's however -## a script-level decision and not done automatically by the event eninge. +## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's +## however a script-level decision and not done automatically by the event +## engine. event protocol_violation%(c: connection, atype: count, aid: count, reason: string%); ## Generated for each packet sent by a UDP flow's originator. This a potentially -## expsensive event due to the volume of UDP traffic and should be used with care. +## expensive event due to the volume of UDP traffic and should be used with +## care. ## ## u: The connection record for the corresponding UDP flow. ## @@ -743,7 +826,8 @@ event protocol_violation%(c: connection, atype: count, aid: count, reason: strin event udp_request%(u: connection%); ## Generated for each packet sent by a UDP flow's responder. This a potentially -## expsensive event due to the volume of UDP traffic and should be used with care. +## expensive event due to the volume of UDP traffic and should be used with +## care. ## ## u: The connection record for the corresponding UDP flow. ## @@ -751,35 +835,40 @@ event udp_request%(u: connection%); event udp_reply%(u: connection%); ## Generated for UDP packets to pass on their payload. As the number of UDP -## packets can be very large, this event is normally raised only for those on -## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets sent -## by the flow's orgininator) or :bro:id:`udp_content_delivery_ports_resp` (for -## packets sent by the flow's responder). However, delivery can be enabled for all -## UDP request and reply packets by setting :bro:id:`udp_content_deliver_all_orig` -## or :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this event is -## also raised for all matching UDP packets, including empty ones. +## packets can be very large, this event is normally raised only for those on +## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets +## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp` +## (for packets sent by the flow's responder). However, delivery can be enabled +## for all UDP request and reply packets by setting +## :bro:id:`udp_content_deliver_all_orig` or +## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this +## event is also raised for all matching UDP packets, including empty ones. ## ## u: The connection record for the corresponding UDP flow. ## ## is_orig: True if the event is raised for the originator side. ## +## contents: TODO. +## ## .. bro:see:: udp_reply udp_request udp_session_done ## udp_content_deliver_all_orig udp_content_deliver_all_resp ## udp_content_delivery_ports_orig udp_content_delivery_ports_resp event udp_contents%(u: connection, is_orig: bool, contents: string%); ## Generated when a UDP session for a supported protocol has finished. Some of -## Bro's application-layer UDP analyzers flag the end of a session by raising this -## event. Currently, the analyzers for DNS, NTP, Netbios, and Syslog support this. +## Bro's application-layer UDP analyzers flag the end of a session by raising +## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA, +## and Teredo support this. ## ## u: The connection record for the corresponding UDP flow. ## ## .. bro:see:: udp_contents udp_reply udp_request event udp_session_done%(u: connection%); -## Generated for all ICMP messages that are not handled separately with dedicated -## ICMP events. Bro's ICMP analyzer handles a number of ICMP messages directly -## with dedicated events. This event acts as a fallback for those it doesn't. +## Generated for all ICMP messages that are not handled separately with +## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages +## directly with dedicated events. This event acts as a fallback for those it +## doesn't. ## ## See `Wikipedia ## `__ for more @@ -808,8 +897,8 @@ event icmp_sent%(c: connection, icmp: icmp_conn%); ## ## seq: The *echo request* sequence number. ## -## payload: The message-specific data of the packet payload, i.e., everything after -## the first 8 bytes of the ICMP header. +## payload: The message-specific data of the packet payload, i.e., everything +## after the first 8 bytes of the ICMP header. ## ## .. bro:see:: icmp_echo_reply event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); @@ -829,8 +918,8 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, ## ## seq: The *echo reply* sequence number. ## -## payload: The message-specific data of the packet payload, i.e., everything after -## the first 8 bytes of the ICMP header. +## payload: The message-specific data of the packet payload, i.e., everything +## after the first 8 bytes of the ICMP header. ## ## .. bro:see:: icmp_echo_request event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); @@ -851,8 +940,8 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa ## ## code: The ICMP code of the error message. ## -## context: A record with specifics of the original packet that the message refers -## to. +## context: A record with specifics of the original packet that the message +## refers to. ## ## .. bro:see:: icmp_unreachable icmp_packet_too_big ## icmp_time_exceeded icmp_parameter_problem @@ -871,10 +960,11 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: ## ## code: The ICMP code of the *unreachable* message. ## -## context: A record with specifics of the original packet that the message refers -## to. *Unreachable* messages should include the original IP header from the packet -## that triggered them, and Bro parses that into the *context* structure. Note -## that if the *unreachable* includes only a partial IP header for some reason, no +## context: A record with specifics of the original packet that the message +## refers to. *Unreachable* messages should include the original IP +## header from the packet that triggered them, and Bro parses that +## into the *context* structure. Note that if the *unreachable* +## includes only a partial IP header for some reason, no ## fields of *context* will be filled out. ## ## .. bro:see:: icmp_error_message icmp_packet_too_big @@ -894,11 +984,12 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic ## ## code: The ICMP code of the *too big* message. ## -## context: A record with specifics of the original packet that the message refers -## to. *Too big* messages should include the original IP header from the packet -## that triggered them, and Bro parses that into the *context* structure. Note -## that if the *too big* includes only a partial IP header for some reason, no -## fields of *context* will be filled out. +## context: A record with specifics of the original packet that the message +## refers to. *Too big* messages should include the original IP header +## from the packet that triggered them, and Bro parses that into +## the *context* structure. Note that if the *too big* includes only +## a partial IP header for some reason, no fields of *context* will +## be filled out. ## ## .. bro:see:: icmp_error_message icmp_unreachable ## icmp_time_exceeded icmp_parameter_problem @@ -917,11 +1008,12 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: ## ## code: The ICMP code of the *exceeded* message. ## -## context: A record with specifics of the original packet that the message refers -## to. *Unreachable* messages should include the original IP header from the packet -## that triggered them, and Bro parses that into the *context* structure. Note that -## if the *exceeded* includes only a partial IP header for some reason, no fields -## of *context* will be filled out. +## context: A record with specifics of the original packet that the message +## refers to. *Unreachable* messages should include the original IP +## header from the packet that triggered them, and Bro parses that +## into the *context* structure. Note that if the *exceeded* includes +## only a partial IP header for some reason, no fields of *context* +## will be filled out. ## ## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big ## icmp_parameter_problem @@ -940,10 +1032,11 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: ## ## code: The ICMP code of the *parameter problem* message. ## -## context: A record with specifics of the original packet that the message refers -## to. *Parameter problem* messages should include the original IP header from the packet -## that triggered them, and Bro parses that into the *context* structure. Note that -## if the *parameter problem* includes only a partial IP header for some reason, no fields +## context: A record with specifics of the original packet that the message +## refers to. *Parameter problem* messages should include the original +## IP header from the packet that triggered them, and Bro parses that +## into the *context* structure. Note that if the *parameter problem* +## includes only a partial IP header for some reason, no fields ## of *context* will be filled out. ## ## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big @@ -961,9 +1054,11 @@ event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, conte ## icmp: Additional ICMP-specific information augmenting the standard connection ## record *c*. ## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## ## .. bro:see:: icmp_router_advertisement ## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect -event icmp_router_solicitation%(c: connection, icmp: icmp_conn%); +event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%); ## Generated for ICMP *router advertisement* messages. ## @@ -997,9 +1092,11 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn%); ## ## retrans_timer: How long a host should wait before retransmitting. ## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## ## .. bro:see:: icmp_router_solicitation ## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect -event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval%); +event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%); ## Generated for ICMP *neighbor solicitation* messages. ## @@ -1014,9 +1111,11 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: ## ## tgt: The IP address of the target of the solicitation. ## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## ## .. bro:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_advertisement icmp_redirect -event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt:addr%); +event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%); ## Generated for ICMP *neighbor advertisement* messages. ## @@ -1038,9 +1137,11 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt:addr%); ## tgt: the Target Address in the soliciting message or the address whose ## link-layer address has changed for unsolicited adverts. ## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## ## .. bro:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_solicitation icmp_redirect -event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt:addr%); +event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%); ## Generated for ICMP *redirect* messages. ## @@ -1058,9 +1159,11 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, ## ## dest: The address of the destination which is redirected to the target. ## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## ## .. bro:see:: icmp_router_solicitation icmp_router_advertisement ## icmp_neighbor_solicitation icmp_neighbor_advertisement -event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr%); +event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%); ## Generated when a TCP connection terminated, passing on statistics about the ## two endpoints. This event is always generated when Bro flushes the internal @@ -1076,13 +1179,14 @@ event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr%); event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%); ## Generated for unexpected activity related to a specific connection. When -## Bro's packet analysis encounters activity that does not conform to a protocol's -## specification, it raises one of the ``*_weird`` events to report that. This -## event is raised if the activity is tied directly to a specific connection. +## Bro's packet analysis encounters activity that does not conform to a +## protocol's specification, it raises one of the ``*_weird`` events to report +## that. This event is raised if the activity is tied directly to a specific +## connection. ## ## name: A unique name for the specific type of "weird" situation. Bro's default -## scripts use this name in filtering policies that specify which "weirds" are -## worth reporting. +## scripts use this name in filtering policies that specify which +## "weirds" are worth reporting. ## ## c: The corresponding connection. ## @@ -1091,20 +1195,21 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%); ## .. bro:see:: flow_weird net_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic -## than one would intuitively expect. While in principle, any protocol violation -## could be an attack attempt, it's much more likely that an endpoint's -## implementation interprets an RFC quite liberally. +## than one would intuitively expect. While in principle, any protocol +## violation could be an attack attempt, it's much more likely that an +## endpoint's implementation interprets an RFC quite liberally. event conn_weird%(name: string, c: connection, addl: string%); ## Generated for unexpected activity related to a pair of hosts, but independent -## of a specific connection. When Bro's packet analysis encounters activity that -## does not conform to a protocol's specification, it raises one of the ``*_weird`` -## event to report that. This event is raised if the activity is related to a -## pair of hosts, yet not to a specific connection between them. +## of a specific connection. When Bro's packet analysis encounters activity +## that does not conform to a protocol's specification, it raises one of +## the ``*_weird`` events to report that. This event is raised if the activity +## is related to a pair of hosts, yet not to a specific connection between +## them. ## ## name: A unique name for the specific type of "weird" situation. Bro's default -## scripts use this name in filtering policies that specify which "weirds" are -## worth reporting. +## scripts use this name in filtering policies that specify which +## "weirds" are worth reporting. ## ## src: The source address corresponding to the activity. ## @@ -1113,47 +1218,47 @@ event conn_weird%(name: string, c: connection, addl: string%); ## .. bro:see:: conn_weird net_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic -## than one would intuitively expect. While in principle, any protocol violation -## could be an attack attempt, it's much more likely that an endpoint's -## implementation interprets an RFC quite liberally. +## than one would intuitively expect. While in principle, any protocol +## violation could be an attack attempt, it's much more likely that an +## endpoint's implementation interprets an RFC quite liberally. event flow_weird%(name: string, src: addr, dst: addr%); ## Generated for unexpected activity that is not tied to a specific connection ## or pair of hosts. When Bro's packet analysis encounters activity that ## does not conform to a protocol's specification, it raises one of the -## ``*_weird`` event to report that. This event is raised if the activity is +## ``*_weird`` events to report that. This event is raised if the activity is ## not tied directly to a specific connection or pair of hosts. ## ## name: A unique name for the specific type of "weird" situation. Bro's default -## scripts use this name in filtering policies that specify which "weirds" are -## worth reporting. +## scripts use this name in filtering policies that specify which +## "weirds" are worth reporting. ## ## .. bro:see:: flow_weird ## ## .. note:: "Weird" activity is much more common in real-world network traffic -## than one would intuitively expect. While in principle, any protocol violation -## could be an attack attempt, it's much more likely that an endpoint's -## implementation interprets an RFC quite liberally. +## than one would intuitively expect. While in principle, any protocol +## violation could be an attack attempt, it's much more likely that an +## endpoint's implementation interprets an RFC quite liberally. event net_weird%(name: string%); ## Generated regularly for the purpose of profiling Bro's processing. This event ## is raised for every :bro:id:`load_sample_freq` packet. For these packets, -## Bro records script-level functions executed during their processing as well as -## further internal locations. By sampling the processing in this form, one can -## understand where Bro spends its time. +## Bro records script-level functions executed during their processing as well +## as further internal locations. By sampling the processing in this form, one +## can understand where Bro spends its time. ## -## samples: A set with functions and locations seens during the processing of +## samples: A set with functions and locations seen during the processing of ## the sampled packet. ## -## CPU: The CPU time spent on processing the sampled. +## CPU: The CPU time spent on processing the sampled packet. ## ## dmem: The difference in memory usage caused by processing the sampled packet. event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%); ## Generated for ARP requests. ## -## See `Wikipedia `__ for -## more information about the ARP protocol. +## See `Wikipedia `__ +## for more information about the ARP protocol. ## ## mac_src: The request's source MAC address. ## @@ -1173,12 +1278,12 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, ## Generated for ARP replies. ## -## See `Wikipedia `__ for -## more information about the ARP protocol. +## See `Wikipedia `__ +## for more information about the ARP protocol. ## -## mac_src: The replies's source MAC address. +## mac_src: The reply's source MAC address. ## -## mac_dst: The replies's destination MAC address. +## mac_dst: The reply's destination MAC address. ## ## SPA: The sender protocol address. ## @@ -1192,9 +1297,9 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string%); -## Generated for ARP packets that Bro cannot interpret. Examples are packets with -## non-standard hardware address formats or hardware addresses that not match the -## originator of the packet. +## Generated for ARP packets that Bro cannot interpret. Examples are packets +## with non-standard hardware address formats or hardware addresses that do not +## match the originator of the packet. ## ## SPA: The sender protocol address. ## @@ -1216,8 +1321,8 @@ event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: stri ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive @@ -1229,8 +1334,8 @@ event bittorrent_peer_handshake%(c: connection, is_orig: bool, ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1241,8 +1346,8 @@ event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%); ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1253,8 +1358,8 @@ event bittorrent_peer_choke%(c: connection, is_orig: bool%); ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1265,8 +1370,8 @@ event bittorrent_peer_unchoke%(c: connection, is_orig: bool%); ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive @@ -1277,8 +1382,8 @@ event bittorrent_peer_interested%(c: connection, is_orig: bool%); ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1289,8 +1394,8 @@ event bittorrent_peer_not_interested%(c: connection, is_orig: bool%); ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive @@ -1301,8 +1406,8 @@ event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%); ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake ## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive @@ -1313,8 +1418,8 @@ event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%) ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1326,8 +1431,8 @@ event bittorrent_peer_request%(c: connection, is_orig: bool, index: count, ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1339,8 +1444,8 @@ event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count, ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1352,8 +1457,8 @@ event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count, ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1364,8 +1469,8 @@ event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%); ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1377,8 +1482,8 @@ event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count, ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1389,8 +1494,8 @@ event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%); ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1402,8 +1507,8 @@ event bt_tracker_request%(c: connection, uri: string, ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1417,8 +1522,8 @@ event bt_tracker_response%(c: connection, status: count, ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1430,8 +1535,8 @@ event bt_tracker_response_not_ok%(c: connection, status: count, ## TODO. ## -## See `Wikipedia `__ for more -## information about the BitTorrent protocol. +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. ## ## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke ## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested @@ -1570,7 +1675,7 @@ event gnutella_http_notify%(c: connection%); ## Generated for Ident requests. ## -## See `Wikipedia `__ for more +## See `Wikipedia `__ for more ## information about the Ident protocol. ## ## c: The connection. @@ -1589,7 +1694,7 @@ event ident_request%(c: connection, lport: port, rport: port%); ## Generated for Ident replies. ## -## See `Wikipedia `__ for more +## See `Wikipedia `__ for more ## information about the Ident protocol. ## ## c: The connection. @@ -1612,7 +1717,7 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys ## Generated for Ident error replies. ## -## See `Wikipedia `__ for more +## See `Wikipedia `__ for more ## information about the Ident protocol. ## ## c: The connection. @@ -1646,7 +1751,7 @@ event ident_error%(c: connection, lport: port, rport: port, line: string%); ## ## password: The password tried. ## -## line: line is the line of text that led the analyzer to conclude that the +## line: The line of text that led the analyzer to conclude that the ## authentication had failed. ## ## .. bro:see:: login_confused login_confused_text login_display login_input_line @@ -1655,14 +1760,9 @@ event ident_error%(c: connection, lport: port, rport: port, line: string%); ## login_timeouts set_login_state ## ## .. note:: The login analyzer depends on a set of script-level variables that -## need to configured with patterns identifying login attempts. This configuration -## has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is -## therefore not directly usable at the moment. -## -## .. todo: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## need to be configured with patterns identifying login attempts. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -1685,7 +1785,7 @@ event login_failure%(c: connection, user: string, client_user: string, password: ## ## password: The password used. ## -## line: line is the line of text that led the analyzer to conclude that the +## line: The line of text that led the analyzer to conclude that the ## authentication had succeeded. ## ## .. bro:see:: login_confused login_confused_text login_display login_failure @@ -1694,9 +1794,9 @@ event login_failure%(c: connection, user: string, client_user: string, password: ## login_prompts login_success_msgs login_timeouts set_login_state ## ## .. note:: The login analyzer depends on a set of script-level variables that -## need to configured with patterns identifying login attempts. This configuration -## has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is -## therefore not directly usable at the moment. +## need to be configured with patterns identifying login attempts. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -1736,17 +1836,17 @@ event login_input_line%(c: connection, line: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_output_line%(c: connection, line: string%); -## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's *login* -## analyzer uses a number of heuristics to extract authentication information, it -## may become confused. If it can no longer correctly track the authentication -## dialog, it raised this event. +## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's +## *login* analyzer uses a number of heuristics to extract authentication +## information, it may become confused. If it can no longer correctly track +## the authentication dialog, it raises this event. ## ## c: The connection. ## ## msg: Gives the particular problem the heuristics detected (for example, -## ``multiple_login_prompts`` means that the engine saw several login prompts in -## a row, without the type-ahead from the client side presumed necessary to cause -## them) +## ``multiple_login_prompts`` means that the engine saw several login +## prompts in a row, without the type-ahead from the client side presumed +## necessary to cause them) ## ## line: The line of text that caused the heuristics to conclude they were ## confused. @@ -1762,9 +1862,10 @@ event login_output_line%(c: connection, line: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_confused%(c: connection, msg: string, line: string%); -## Generated after getting confused while tracking a Telnet/Rlogin authentication -## dialog. The *login* analyzer generates this even for every line of user input -## after it has reported :bro:id:`login_confused` for a connection. +## Generated after getting confused while tracking a Telnet/Rlogin +## authentication dialog. The *login* analyzer generates this even for every +## line of user input after it has reported :bro:id:`login_confused` for a +## connection. ## ## c: The connection. ## @@ -1781,7 +1882,7 @@ event login_confused%(c: connection, msg: string, line: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_confused_text%(c: connection, line: string%); -## Generated for clients transmitting a terminal type in an Telnet session. This +## Generated for clients transmitting a terminal type in a Telnet session. This ## information is extracted out of environment variables sent as Telnet options. ## ## c: The connection. @@ -1797,12 +1898,12 @@ event login_confused_text%(c: connection, line: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_terminal%(c: connection, terminal: string%); -## Generated for clients transmitting a X11 DISPLAY in a Telnet session. This +## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This ## information is extracted out of environment variables sent as Telnet options. ## ## c: The connection. ## -## terminal: The DISPLAY transmitted. +## display: The DISPLAY transmitted. ## ## .. bro:see:: login_confused login_confused_text login_failure login_input_line ## login_output_line login_prompt login_success login_terminal @@ -1813,10 +1914,10 @@ event login_terminal%(c: connection, terminal: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_display%(c: connection, display: string%); -## Generated when a Telnet authentication has been successful. The Telnet protocol -## includes options for negotiating authentication. When such an option is sent -## from client to server and the server replies that it accepts the authentication, -## then the event engine generates this event. +## Generated when a Telnet authentication has been successful. The Telnet +## protocol includes options for negotiating authentication. When such an +## option is sent from client to server and the server replies that it accepts +## the authentication, then the event engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. @@ -1827,8 +1928,9 @@ event login_display%(c: connection, display: string%); ## ## .. bro:see:: authentication_rejected authentication_skipped login_success ## -## .. note:: This event inspects the corresponding Telnet option while :bro:id:`login_success` -## heuristically determines success by watching session data. +## .. note:: This event inspects the corresponding Telnet option +## while :bro:id:`login_success` heuristically determines success by watching +## session data. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -1838,8 +1940,8 @@ event authentication_accepted%(name: string, c: connection%); ## Generated when a Telnet authentication has been unsuccessful. The Telnet ## protocol includes options for negotiating authentication. When such an option -## is sent from client to server and the server replies that it did not accept the -## authentication, then the event engine generates this event. +## is sent from client to server and the server replies that it did not accept +## the authentication, then the event engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. @@ -1850,9 +1952,9 @@ event authentication_accepted%(name: string, c: connection%); ## ## .. bro:see:: authentication_accepted authentication_skipped login_failure ## -## .. note:: This event inspects the corresponding Telnet option while :bro:id:`login_success` -## heuristically determines failure by watching session -## data. +## .. note:: This event inspects the corresponding Telnet option +## while :bro:id:`login_success` heuristically determines failure by watching +## session data. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -1860,7 +1962,7 @@ event authentication_accepted%(name: string, c: connection%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event authentication_rejected%(name: string, c: connection%); -## Generated when for Telnet/Rlogin sessions when a pattern match indicates +## Generated for Telnet/Rlogin sessions when a pattern match indicates ## that no authentication is performed. ## ## See `Wikipedia `__ for more information @@ -1873,9 +1975,9 @@ event authentication_rejected%(name: string, c: connection%); ## login_success_msgs login_timeouts set_login_state ## ## .. note:: The login analyzer depends on a set of script-level variables that -## need to be configured with patterns identifying actvity. This configuration has -## not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore -## not directly usable at the moment. +## need to be configured with patterns identifying activity. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -1883,15 +1985,16 @@ event authentication_rejected%(name: string, c: connection%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event authentication_skipped%(c: connection%); -## Generated for clients transmitting a terminal prompt in a Telnet session. This -## information is extracted out of environment variables sent as Telnet options. +## Generated for clients transmitting a terminal prompt in a Telnet session. +## This information is extracted out of environment variables sent as Telnet +## options. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## ## c: The connection. ## -## terminal: The TTYPROMPT transmitted. +## prompt: The TTYPROMPT transmitted. ## ## .. bro:see:: login_confused login_confused_text login_display login_failure ## login_input_line login_output_line login_success login_terminal @@ -1902,9 +2005,9 @@ event authentication_skipped%(c: connection%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event login_prompt%(c: connection, prompt: string%); -## Generated for Telnet sessions when encryption is activated. The Telnet protoco; -## includes options for negotiating encryption. When such a series of options is -## successfully negotiated, the event engine generates this event. +## Generated for Telnet sessions when encryption is activated. The Telnet +## protocol includes options for negotiating encryption. When such a series of +## options is successfully negotiated, the event engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. @@ -1916,13 +2019,13 @@ event login_prompt%(c: connection, prompt: string%); ## login_output_line login_prompt login_success login_terminal event activating_encryption%(c: connection%); -## Generated for inconsistent Telnet options observed. Telnet options are specified -## by the client and server stating which options they are willing to support -## vs. which they are not, and then instructing one another which in fact they -## should or should not use for the current connection. If the event engine sees -## a peer violate either what the other peer has instructed it to do, or what it -## itself offered in terms of options in the past, then the engine generates an -## inconsistent_option event. +## Generated for an inconsistent Telnet option. Telnet options are specified +## by the client and server stating which options they are willing to +## support vs. which they are not, and then instructing one another which in +## fact they should or should not use for the current connection. If the event +## engine sees a peer violate either what the other peer has instructed it to +## do, or what it itself offered in terms of options in the past, then the +## engine generates this event. ## ## See `Wikipedia `__ for more information ## about the Telnet protocol. @@ -1958,6 +2061,8 @@ event bad_option%(c: connection%); ## See `Wikipedia `__ for more information ## about the Telnet protocol. ## +## c: The connection. +## ## .. bro:see:: inconsistent_option bad_option authentication_accepted ## authentication_rejected authentication_skipped login_confused ## login_confused_text login_display login_failure login_input_line @@ -1971,15 +2076,15 @@ event bad_option_termination%(c: connection%); ## Generated for client side commands on an RSH connection. ## -## See `RFC 1258 `__ for more information about -## the Rlogin/Rsh protocol. +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. ## ## c: The connection. ## ## client_user: The client-side user name as sent in the initial protocol ## handshake. ## -## client_user: The server-side user name as sent in the initial protocol +## server_user: The server-side user name as sent in the initial protocol ## handshake. ## ## line: The command line sent in the request. @@ -1990,8 +2095,8 @@ event bad_option_termination%(c: connection%); ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## -## .. note: For historical reasons, these events are separate from the ``login_`` -## events. Ideally, they would all be handled uniquely. +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -2001,27 +2106,25 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line ## Generated for client side commands on an RSH connection. ## -## See `RFC 1258 `__ for more information about -## the Rlogin/Rsh protocol. +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. ## ## c: The connection. ## ## client_user: The client-side user name as sent in the initial protocol ## handshake. ## -## client_user: The server-side user name as sent in the initial protocol +## server_user: The server-side user name as sent in the initial protocol ## handshake. ## ## line: The command line sent in the request. ## -## new_session: True if this is the first command of the Rsh session. -## ## .. bro:see:: rsh_request login_confused login_confused_text login_display ## login_failure login_input_line login_output_line login_prompt login_success ## login_terminal ## -## .. note: For historical reasons, these events are separate from the ``login_`` -## events. Ideally, they would all be handled uniquely. +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -2031,8 +2134,8 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line: ## Generated for client-side FTP commands. ## -## See `Wikipedia `__ for more -## information about the FTP protocol. +## See `Wikipedia `__ for +## more information about the FTP protocol. ## ## c: The connection. ## @@ -2046,8 +2149,8 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; ## Generated for server-side FTP replies. ## -## See `Wikipedia `__ for more -## information about the FTP protocol. +## See `Wikipedia `__ for +## more information about the FTP protocol. ## ## c: The connection. ## @@ -2055,9 +2158,10 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; ## ## msg: The textual message of the response. ## -## cont_resp: True if the reply line is tagged as being continued to the next line. -## If so, further events will be raised and a handler may want to reassemle the -## pieces before processing the response any further. +## cont_resp: True if the reply line is tagged as being continued to the next +## line. If so, further events will be raised and a handler may want +## to reassemble the pieces before processing the response any +## further. ## ## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port @@ -2071,10 +2175,11 @@ event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &gro ## c: The connection. ## ## is_orig: True if the sender of the command is the originator of the TCP -## connection. Note that this is not redundant: the SMTP ``TURN`` command allows -## client and server to flip roles on established SMTP sessions, and hence a -## "request" might still come from the TCP-level responder. In practice, however, -## that will rarely happen as TURN is considered insecure and rarely used. +## connection. Note that this is not redundant: the SMTP ``TURN`` command +## allows client and server to flip roles on established SMTP sessions, +## and hence a "request" might still come from the TCP-level responder. +## In practice, however, that will rarely happen as TURN is considered +## insecure and rarely used. ## ## command: The request's command, without any arguments. ## @@ -2098,16 +2203,18 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) ## connection. Note that this is not redundant: the SMTP ``TURN`` command ## allows client and server to flip roles on established SMTP sessions, ## and hence a "reply" might still come from the TCP-level originator. In -## practice, however, that will rarely happen as TURN is considered insecure -## and rarely used. +## practice, however, that will rarely happen as TURN is considered +## insecure and rarely used. ## ## code: The reply's numerical code. ## +## cmd: TODO. +## ## msg: The reply's textual description. ## -## cont_resp: True if the reply line is tagged as being continued to the next line. -## If so, further events will be raised and a handler may want to reassemle the -## pieces before processing the response any further. +## cont_resp: True if the reply line is tagged as being continued to the next +## line. If so, further events will be raised and a handler may want to +## reassemble the pieces before processing the response any further. ## ## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data @@ -2118,7 +2225,7 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## Generated for DATA transmitted on SMTP sessions. This event is raised for ## subsequent chunks of raw data following the ``DATA`` SMTP command until the -## corresponding end marker ``.`` is seen. A handler may want to reassembly +## corresponding end marker ``.`` is seen. A handler may want to reassemble ## the pieces as they come in if stream-analysis is required. ## ## See `Wikipedia `__ @@ -2136,23 +2243,23 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data ## smtp_reply smtp_request skip_smtp_data ## -## .. note:: This event received the unprocessed raw data. There is a separate -## set ``mime_*`` events that strip out the outer MIME-layer of emails and provide -## structured access to their content. +## .. note:: This event receives the unprocessed raw data. There is a separate +## set of ``mime_*`` events that strip out the outer MIME-layer of emails and +## provide structured access to their content. event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; -## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks the -## state of SMTP sessions and reports commands and other activity with this event -## that it sees even though it would not expect so at the current point of the -## communication. +## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks +## the state of SMTP sessions and reports commands and other activity with this +## event that it sees even though it would not expect so at the current point +## of the communication. ## ## See `Wikipedia `__ ## for more information about the SMTP protocol. ## ## c: The connection. ## -## is_orig: True if the sender of the unexpected activity is the originator of the -## TCP connection. +## is_orig: True if the sender of the unexpected activity is the originator of +## the TCP connection. ## ## msg: A descriptive message of what was unexpected. ## @@ -2161,14 +2268,14 @@ event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; ## .. bro:see:: smtp_data smtp_request smtp_reply event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp"; -## Generated when starting to parse a email MIME entity. MIME is a +## Generated when starting to parse an email MIME entity. MIME is a ## protocol-independent data format for encoding text and files, along with -## corresponding meta-data, for transmission. Bro raises this event when it begin -## parsing a MIME entity extracted from an email protocol. +## corresponding metadata, for transmission. Bro raises this event when it +## begins parsing a MIME entity extracted from an email protocol. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## @@ -2176,18 +2283,18 @@ event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data ## http_begin_entity ## -## .. note:: Bro also extracts MIME entities from HTTP session. For those, however, -## it raises :bro:id:`http_begin_entity` instead. +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_begin_entity` instead. event mime_begin_entity%(c: connection%); -## Generated when finishing parsing an email MIME entity. MIME is a +## Generated when finishing parsing an email MIME entity. MIME is a ## protocol-independent data format for encoding text and files, along with -## corresponding meta-data, for transmission. Bro raises this event when it +## corresponding metadata, for transmission. Bro raises this event when it ## finished parsing a MIME entity extracted from an email protocol. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## @@ -2195,17 +2302,17 @@ event mime_begin_entity%(c: connection%); ## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data ## http_end_entity ## -## .. note:: Bro also extracts MIME entities from HTTP session. For those, however, -## it raises :bro:id:`http_end_entity` instead. +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_end_entity` instead. event mime_end_entity%(c: connection%); ## Generated for individual MIME headers extracted from email MIME ## entities. MIME is a protocol-independent data format for encoding text and -## files, along with corresponding meta-data, for transmission. +## files, along with corresponding metadata, for transmission. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## @@ -2215,44 +2322,45 @@ event mime_end_entity%(c: connection%); ## mime_end_entity mime_entity_data mime_event mime_segment_data ## http_header http_all_headers ## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however, -## it raises :bro:id:`http_header` instead. +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. event mime_one_header%(c: connection, h: mime_header_rec%); ## Generated for MIME headers extracted from email MIME entities, passing all -## headers at once. MIME is a protocol-independent data format for encoding text -## and files, along with corresponding meta-data, for transmission. +## headers at once. MIME is a protocol-independent data format for encoding +## text and files, along with corresponding metadata, for transmission. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## ## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, 2 for the -## second, etc.). +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). ## ## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity ## mime_entity_data mime_event mime_one_header mime_segment_data ## http_header http_all_headers ## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however, -## it raises :bro:id:`http_header` instead. +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. event mime_all_headers%(c: connection, hlist: mime_header_list%); -## Generated for chunks of decoded MIME data from email MIME entities. MIME +## Generated for chunks of decoded MIME data from email MIME entities. MIME ## is a protocol-independent data format for encoding text and files, along with -## corresponding meta-data, for transmission. As Bro parses the data of an entity, -## it raises a sequence of these events, each coming as soon as a new chunk of -## data is available. In contrast, there is also :bro:id:`mime_entity_data`, which -## passes all of an entities data at once in a single block. While the latter is -## more convinient to handle, ``mime_segment_data`` is more efficient as Bro does -## not need to buffer the data. Thus, if possible, this event should be prefered. +## corresponding metadata, for transmission. As Bro parses the data of an +## entity, it raises a sequence of these events, each coming as soon as a new +## chunk of data is available. In contrast, there is also +## :bro:id:`mime_entity_data`, which passes all of an entities data at once +## in a single block. While the latter is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer +## the data. Thus, if possible, this event should be preferred. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## @@ -2264,20 +2372,20 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%); ## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data ## mime_segment_length mime_segment_overlap_length ## -## .. note:: Bro also extracts MIME data from HTTP sessions. For those, however, it -## raises :bro:id:`http_entity_data` (sic!) instead. +## .. note:: Bro also extracts MIME data from HTTP sessions. For those, +## however, it raises :bro:id:`http_entity_data` (sic!) instead. event mime_segment_data%(c: connection, length: count, data: string%); ## Generated for data decoded from an email MIME entity. This event delivers ## the complete content of a single MIME entity. In contrast, there is also ## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as -## they. come in. While ``mime_entity_data`` is more convinient to handle, -## ``mime_segment_data`` is more efficient as Bro does not need to buffer the data. -## Thus, if possible, the latter should be prefered. +## they come in. While ``mime_entity_data`` is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer the +## data. Thus, if possible, the latter should be preferred. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## @@ -2292,15 +2400,15 @@ event mime_segment_data%(c: connection, length: count, data: string%); ## sessions, there's no corresponding event for that currently. event mime_entity_data%(c: connection, length: count, data: string%); -## Generated for passing on all data decoded from an single email MIME +## Generated for passing on all data decoded from a single email MIME ## message. If an email message has more than one MIME entity, this event ## combines all their data into a single value for analysis. Note that because ## of the potentially significant buffering necessary, using this event can be ## expensive. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## @@ -2315,35 +2423,37 @@ event mime_entity_data%(c: connection, length: count, data: string%); ## sessions, there's no corresponding event for that currently. event mime_all_data%(c: connection, length: count, data: string%); -## Generated for errors found when decoding email MIME entities. +## Generated for errors found when decoding email MIME entities. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## -## event_type: A string describing the general category of the problem found (e.g., -## ``illegal format``). +## c: The connection. +## +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). ## ## detail: Further more detailed description of the error. ## ## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash ## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event ## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, however, -## it raises :bro:id:`http_event` instead. +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_event` instead. event mime_event%(c: connection, event_type: string, detail: string%); -## Generated for decoded MIME entities extracted from email meessage, passing on +## Generated for decoded MIME entities extracted from email messages, passing on ## their MD5 checksums. Bro computes the MD5 over the complete decoded data of ## each MIME entity. ## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See `Wikipedia -## `__ for more information about the ARP -## protocol. +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. ## ## c: The connection. ## -## content_len: The length of entity being hashed. +## content_len: The length of the entity being hashed. ## ## hash_value: The MD5 hash. ## @@ -2355,15 +2465,15 @@ event mime_event%(c: connection, event_type: string, detail: string%); event mime_content_hash%(c: connection, content_len: count, hash_value: string%); ## Generated for RPC request/reply *pairs*. The RPC analyzer associates request -## and reply by their transactions identifiers and raise this event once both -## have been seen. If there's not reply, the will still be generated eventually -## on timeout. In that case, *status* will be set to :bro:enum:`RPC_TIMEOUT`. +## and reply by their transaction identifiers and raises this event once both +## have been seen. If there's not a reply, this event will still be generated +## eventually on timeout. In that case, *status* will be set to +## :bro:enum:`RPC_TIMEOUT`. ## ## See `Wikipedia `__ for more information ## about the ONC RPC protocol. -## c: The connection. ## -## xid: The transaction identifier allowing to match requests with replies. +## c: The connection. ## ## prog: The remote program to call. ## @@ -2374,7 +2484,7 @@ event mime_content_hash%(c: connection, content_len: count, hash_value: string%) ## status: The status of the reply, which should be one of the index values of ## :bro:id:`RPC_status`. ## -## start_time: Then time when the *call* was seen. +## start_time: The time when the *call* was seen. ## ## call_len: The size of the *call_body* PDU. ## @@ -2441,7 +2551,8 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count ## Generated for Portmapper requests of type *null*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## @@ -2459,14 +2570,16 @@ event pm_request_null%(r: connection%); ## Generated for Portmapper request/reply dialogues of type *set*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## ## m: The argument to the request. ## ## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request times out. +## reply. If no reply was seen, this will be false once the request +## times out. ## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit @@ -2482,14 +2595,16 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *unset*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## ## m: The argument to the request. ## ## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request times out. +## reply. If no reply was seen, this will be false once the request +## times out. ## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit @@ -2505,7 +2620,8 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *getport*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## @@ -2513,9 +2629,6 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## ## p: The port returned by the server. ## -## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request times out. -## ## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport ## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit ## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call @@ -2530,7 +2643,8 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## Generated for Portmapper request/reply dialogues of type *dump*. ## ## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the service. +## `__ for more information about the +## service. ## ## r: The RPC connection. ## @@ -2555,7 +2669,7 @@ event pm_request_dump%(r: connection, m: pm_mappings%); ## ## r: The RPC connection. ## -## m: The argument to the request. +## call: The argument to the request. ## ## p: The port value returned by the call. ## @@ -2711,9 +2825,9 @@ event pm_attempt_dump%(r: connection, status: rpc_status%); event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); ## Generated for Portmapper requests or replies that include an invalid port -## number. Since ports are represented by unsigned 4-byte integers, they can stray -## outside the allowed range of 0--65535 by being >= 65536. If so, this event is -## generated. +## number. Since ports are represented by unsigned 4-byte integers, they can +## stray outside the allowed range of 0--65535 by being >= 65536. If so, this +## event is generated. ## ## Portmapper is a service running on top of RPC. See `Wikipedia ## `__ for more information about the @@ -2735,8 +2849,8 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ event pm_bad_port%(r: connection, bad_p: count%); ## Generated for NFSv3 request/reply dialogues of type *null*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2758,8 +2872,8 @@ event pm_bad_port%(r: connection, bad_p: count%); event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2769,8 +2883,10 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## ## info: Reports the status of the dialogue, along with some meta information. ## -## attr: The attributes returned in the reply. The values may not be valid if the -## request was unsuccessful. +## fh: TODO. +## +## attrs: The attributes returned in the reply. The values may not be valid if +## the request was unsuccessful. ## ## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir @@ -2784,8 +2900,8 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); ## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2812,8 +2928,8 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *read*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2840,8 +2956,8 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2868,8 +2984,8 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *write*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2879,7 +2995,7 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. @@ -2897,8 +3013,8 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *create*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2908,7 +3024,7 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. @@ -2925,8 +3041,8 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2936,7 +3052,7 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. @@ -2953,8 +3069,8 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *remove*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2964,7 +3080,7 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. @@ -2981,8 +3097,8 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -2992,7 +3108,7 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. @@ -3009,8 +3125,8 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is -## generated once we have either seen both the request and its corresponding reply, -## or an unanswered request has timed out. +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -3020,7 +3136,7 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## ## info: Reports the status of the dialogue, along with some meta information. ## -## fh: The file handle passed in the request. +## req: TODO. ## ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. @@ -3036,8 +3152,8 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%); -## Generated for NFS3 request/reply dialogues of a type that Bro's NFS3 analyzer -## does not implement. +## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3 +## analyzer does not implement. ## ## NFS is a service running on top of RPC. See `Wikipedia ## `__ for more @@ -3059,9 +3175,11 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%); -## Generated for each NFS3 reply message received, reporting just the +## Generated for each NFSv3 reply message received, reporting just the ## status included. ## +## n: The connection. +## ## info: Reports the status included in the reply. ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir @@ -3075,11 +3193,11 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event nfs_reply_status%(n: connection, info: NFS3::info_t%); -## Generated for all NTP messages. Different from many other of Bro's events, this -## one is generated for both client-side and server-side messages. +## Generated for all NTP messages. Different from many other of Bro's events, +## this one is generated for both client-side and server-side messages. ## -## See `Wikipedia `__ for more -## information about the NTP protocol. +## See `Wikipedia `__ for +## more information about the NTP protocol. ## ## u: The connection record describing the corresponding UDP flow. ## @@ -3096,21 +3214,21 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event ntp_message%(u: connection, msg: ntp_msg, excess: string%); -## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer processes -## the NetBIOS session service running on TCP port 139, and (despite its name!) the -## NetBIOS datagram service on UDP port 138. +## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer +## processes the NetBIOS session service running on TCP port 139, and (despite +## its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## is_orig: True if the message was sent by the originator of the connection. ## -## msg_type: The general type of message, as defined in Section 4.3.1 of `RFC 1002 -## `__. +## msg_type: The general type of message, as defined in Section 4.3.1 of +## `RFC 1002 `__. ## ## data_len: The length of the message's payload. ## @@ -3119,8 +3237,8 @@ event ntp_message%(u: connection, msg: ntp_msg, excess: string%); ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -3128,15 +3246,15 @@ event ntp_message%(u: connection, msg: ntp_msg, excess: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%); -## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS analyzer -## processes the NetBIOS session service running on TCP port 139, and (despite its -## name!) the NetBIOS datagram service on UDP port 138. +## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS +## analyzer processes the NetBIOS session service running on TCP port 139, and +## (despite its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## msg: The raw payload of the message sent, excluding the common NetBIOS @@ -3147,8 +3265,8 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -3157,14 +3275,14 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da event netbios_session_request%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *positive session response*. Bro's -## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, -## and (despite its name!) the NetBIOS datagram service on UDP port 138. +## NetBIOS analyzer processes the NetBIOS session service running on TCP port +## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## msg: The raw payload of the message sent, excluding the common NetBIOS @@ -3175,8 +3293,8 @@ event netbios_session_request%(c: connection, msg: string%); ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -3185,14 +3303,14 @@ event netbios_session_request%(c: connection, msg: string%); event netbios_session_accepted%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *negative session response*. Bro's -## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, -## and (despite its name!) the NetBIOS datagram service on UDP port 138. +## NetBIOS analyzer processes the NetBIOS session service running on TCP port +## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## msg: The raw payload of the message sent, excluding the common NetBIOS @@ -3203,8 +3321,8 @@ event netbios_session_accepted%(c: connection, msg: string%); ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -3212,17 +3330,17 @@ event netbios_session_accepted%(c: connection, msg: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event netbios_session_rejected%(c: connection, msg: string%); -## Generated for NetBIOS message of type *session message* that are not carrying -## SMB payload. +## Generated for NetBIOS messages of type *session message* that are not +## carrying an SMB payload. ## -## NetBIOS analyzer processes the NetBIOS session service running on TCP port 139, -## and (despite its name!) the NetBIOS datagram service on UDP port 138. +## NetBIOS analyzer processes the NetBIOS session service running on TCP port +## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## ## is_orig: True if the message was sent by the originator of the connection. @@ -3235,11 +3353,11 @@ event netbios_session_rejected%(c: connection, msg: string%); ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## -## .. todo:: This is an oddly named event. In fact, it's probably an odd event to -## have to begin with. +## .. todo:: This is an oddly named event. In fact, it's probably an odd event +## to have to begin with. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -3255,20 +3373,21 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## -## msg: The raw payload of the message sent, excluding the common NetBIOS header. +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header. ## ## .. bro:see:: netbios_session_accepted netbios_session_keepalive ## netbios_session_message netbios_session_raw_message netbios_session_rejected ## netbios_session_request decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## -## .. todo: This is an oddly named event. +## .. todo:: This is an oddly named event. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -3277,25 +3396,26 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); event netbios_session_ret_arg_resp%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer -## processes the NetBIOS session service running on TCP port 139, and (despite its -## name!) the NetBIOS datagram service on UDP port 138. +## processes the NetBIOS session service running on TCP port 139, and (despite +## its name!) the NetBIOS datagram service on UDP port 138. ## ## See `Wikipedia `__ for more information ## about NetBIOS. `RFC 1002 `__ describes ## the packet format for NetBIOS over TCP/IP, which Bro parses. ## -## c: The connection, which may be a TCP or UDP, depending on the type of the +## c: The connection, which may be TCP or UDP, depending on the type of the ## NetBIOS session. ## -## msg: The raw payload of the message sent, excluding the common NetBIOS header. +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header. ## ## .. bro:see:: netbios_session_accepted netbios_session_message ## netbios_session_raw_message netbios_session_rejected netbios_session_request ## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type ## ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's SMB -## anlyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -3305,9 +3425,9 @@ event netbios_session_keepalive%(c: connection, msg: string%); ## Generated for all SMB/CIFS messages. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3316,7 +3436,7 @@ event netbios_session_keepalive%(c: connection, msg: string%); ## is_orig: True if the message was sent by the originator of the underlying ## transport-level connection. ## -## cmd: A string mmenonic of the SMB command code. +## cmd: A string mnemonic of the SMB command code. ## ## body_length: The length of the SMB message body, i.e. the data starting after ## the SMB header. @@ -3338,15 +3458,15 @@ event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body ## Generated for SMB/CIFS messages of type *tree connect andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## ## hdr: The parsed header of the SMB message. ## -## path: The ``path`` attribute specified in the message. +## path: The ``path`` attribute specified in the message. ## ## service: The ``service`` attribute specified in the message. ## @@ -3365,16 +3485,14 @@ event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, serv ## Generated for SMB/CIFS messages of type *tree disconnect*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## ## hdr: The parsed header of the SMB message. ## -## path: The ``path`` attribute specified in the message. -## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx ## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot @@ -3390,15 +3508,15 @@ event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *nt create andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## ## hdr: The parsed header of the SMB message. ## -## name: The ``name`` attribute specified in the message. +## name: The ``name`` attribute specified in the message. ## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx @@ -3415,9 +3533,9 @@ event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%); ## Generated for SMB/CIFS messages of type *nt transaction*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3444,9 +3562,9 @@ event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: ## Generated for SMB/CIFS messages of type *nt transaction 2*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3473,9 +3591,9 @@ event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: ## Generated for SMB/CIFS messages of type *transaction mailslot*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3502,9 +3620,9 @@ event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, dat ## Generated for SMB/CIFS messages of type *transaction rap*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3531,9 +3649,9 @@ event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: sm ## Generated for SMB/CIFS messages of type *transaction pipe*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3560,9 +3678,9 @@ event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: s ## Generated for SMB/CIFS messages of type *read andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3570,8 +3688,6 @@ event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: s ## ## data: Always empty. ## -## is_orig: True if the message was sent by the originator of the connection. -## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx ## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap @@ -3587,9 +3703,9 @@ event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%); ## Generated for SMB/CIFS messages of type *read andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3597,8 +3713,6 @@ event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%); ## ## data: Always empty. ## -## is_orig: True if the message was sent by the originator of the connection. -## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx ## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot @@ -3614,9 +3728,9 @@ event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%); ## Generated for SMB/CIFS messages of type *get dfs referral*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3642,9 +3756,9 @@ event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: cou ## Generated for SMB/CIFS messages of type *negotiate*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3664,9 +3778,9 @@ event smb_com_negotiate%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *negotiate response*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3688,9 +3802,9 @@ event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: co ## Generated for SMB/CIFS messages of type *setup andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3711,9 +3825,9 @@ event smb_com_setup_andx%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *generic andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3734,9 +3848,9 @@ event smb_com_generic_andx%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *close*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3757,9 +3871,9 @@ event smb_com_close%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *logoff andx*. ## -## See `Wikipedia `__ for more -## information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses both -## SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. ## ## c: The connection. ## @@ -3778,8 +3892,8 @@ event smb_com_close%(c: connection, hdr: smb_hdr%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); -## Generated for SMB/CIFS messages that indicate an error. This event is triggered -## by an SMB header including a status that signals an error. +## Generated for SMB/CIFS messages that indicate an error. This event is +## triggered by an SMB header including a status that signals an error. ## ## c: The connection. ## @@ -3787,9 +3901,9 @@ event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); ## ## cmd: The SMB command code. ## -## cmd_str: A string mmenonic of the SMB command code. +## cmd_str: A string mnemonic of the SMB command code. ## -## body: The raw SMB message body, i.e., the data starting after the SMB header. +## data: The raw SMB message body, i.e., the data starting after the SMB header. ## ## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx ## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx @@ -3807,7 +3921,8 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: ## Generated for all DNS messages. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3816,7 +3931,7 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: ## ## msg: The parsed DNS message header. ## -## len: The length of the message's raw representation (i.e, the DNS payload). +## len: The length of the message's raw representation (i.e., the DNS payload). ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply @@ -3831,7 +3946,8 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &gro ## is raised once for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3855,11 +3971,12 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl ## Generated for DNS replies that reject a query. This event is raised if a DNS ## reply either indicates failure via its status code or does not pass on any -## answers to a query. Note that all of the event's paramaters are parsed out of +## answers to a query. Note that all of the event's parameters are parsed out of ## the reply; there's no stateful correlation with the query. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3884,7 +4001,8 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc ## Generated for DNS replies with an *ok* status code but no question section. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3907,7 +4025,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc event dns_query_reply%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; -## Generated when the DNS analyzer processes what seems to be a non-DNS packets. +## Generated when the DNS analyzer processes what seems to be a non-DNS packet. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3922,7 +4040,8 @@ event non_dns_request%(c: connection, msg: string%) &group="dns"; ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3942,11 +4061,12 @@ event non_dns_request%(c: connection, msg: string%) &group="dns"; ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; -## Generated for DNS replies of type *AAAA*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *AAAA*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3970,7 +4090,8 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &g ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -3994,7 +4115,8 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &gro ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4018,7 +4140,8 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) ## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4042,7 +4165,8 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin ## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4066,7 +4190,8 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4075,7 +4200,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## ## ans: The type-independent part of the parsed answer record. ## -## soa: The parsed SOA value +## soa: The parsed SOA value. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply @@ -4086,11 +4211,12 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns"; -## Generated for DNS replies of type *WKS*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *WKS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4108,11 +4234,12 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa% ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; -## Generated for DNS replies of type *HINFO*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *HINFO*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4121,8 +4248,6 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## ## ans: The type-independent part of the parsed answer record. ## -## name: The name returned by the reply. -## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply ## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl ## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered @@ -4136,7 +4261,8 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4147,7 +4273,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## ## name: The name returned by the reply. ## -## preference: The preference for *name* specificed by the reply. +## preference: The preference for *name* specified by the reply. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply @@ -4158,11 +4284,12 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns"; -## Generated for DNS replies of type *TXT*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *TXT*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4182,11 +4309,12 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns"; -## Generated for DNS replies of type *SRV*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *SRV*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4204,11 +4332,12 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; -## Generated for DNS replies of type *EDNS*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *EDNS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4226,11 +4355,12 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns"; -## Generated for DNS replies of type *TSIG*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. +## Generated for DNS replies of type *TSIG*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4253,7 +4383,8 @@ event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &gr ## all resource records have been passed on. ## ## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions. +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. ## ## c: The connection, which may be UDP or TCP depending on the type of the ## transport-layer session being analyzed. @@ -4272,12 +4403,12 @@ event dns_end%(c: connection, msg: dns_msg%) &group="dns"; ## Generated for DHCP messages of type *discover*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## req_addr: The specific address requested by the client. ## @@ -4289,9 +4420,9 @@ event dns_end%(c: connection, msg: dns_msg%) &group="dns"; ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4302,16 +4433,18 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); ## Generated for DHCP messages of type *offer*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## mask: The subnet mask specified by the mesage. +## msg: TODO. +## +## mask: The subnet mask specified by the message. ## ## router: The list of routers specified by the message. ## -## lease: The least interval specificed by the message. +## lease: The least interval specified by the message. ## ## serv_addr: The server address specified by the message. ## @@ -4322,9 +4455,9 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4335,12 +4468,12 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_ ## Generated for DHCP messages of type *request*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## req_addr: The client address specified by the message. ## @@ -4353,9 +4486,9 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_ ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4366,12 +4499,12 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add ## Generated for DHCP messages of type *decline*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply @@ -4380,9 +4513,9 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4393,18 +4526,18 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *acknowledgment*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## -## mask: The subnet mask specified by the mesage. +## mask: The subnet mask specified by the message. ## ## router: The list of routers specified by the message. ## -## lease: The least interval specificed by the message. +## lease: The least interval specified by the message. ## ## serv_addr: The server address specified by the message. ## @@ -4415,9 +4548,9 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4428,12 +4561,12 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li ## Generated for DHCP messages of type *negative acknowledgment*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply @@ -4442,9 +4575,9 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4455,12 +4588,12 @@ event dhcp_nak%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *release*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply @@ -4469,9 +4602,9 @@ event dhcp_nak%(c: connection, msg: dhcp_msg%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4482,12 +4615,12 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *inform*. ## ## See `Wikipedia -## `__ for more -## information about the DHCP protocol. +## `__ for +## more information about the DHCP protocol. ## -## c: The connection record describing the underlying UDP flow.. +## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-indepedent part of the DHCP message. +## msg: The parsed type-independent part of the DHCP message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply @@ -4496,9 +4629,9 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request ## -## .. note: Bro does not support broadcast packets (as used by the DHCP protocol). -## It treats broadcast addresses just like any other and associates packets into -## transport-level flows in the same way as usual. +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -4506,13 +4639,13 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event dhcp_inform%(c: connection, msg: dhcp_msg%); -## Generated for HTTP requests. Bro supports persistent and pipelined HTTP sessions -## and raises corresponding events as it parses client/server dialogues. This event -## is generated as soon as a request's initial line has been parsed, and before any -## :bro:id:`http_header` events are raised. +## Generated for HTTP requests. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a request's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## @@ -4529,13 +4662,13 @@ event dhcp_inform%(c: connection, msg: dhcp_msg%); ## truncate_http_URI event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; -## Generated for HTTP replies. Bro supports persistent and pipelined HTTP sessions -## and raises corresponding events as it parses client/server dialogues. This event -## is generated as soon as a reply's initial line has been parsed, and before any -## :bro:id:`http_header` events are raised. +## Generated for HTTP replies. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a reply's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## @@ -4550,11 +4683,12 @@ event http_request%(c: connection, method: string, original_URI: string, unescap ## http_stats event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; -## Generated for HTTP headers. Bro supports persistent and pipelined HTTP sessions -## and raises corresponding events as it parses client/server dialogues. +## Generated for HTTP headers. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## @@ -4568,41 +4702,44 @@ event http_reply%(c: connection, version: string, code: count, reason: string%) ## http_entity_data http_event http_message_done http_reply http_request ## http_stats ## -## .. note:: This event is also raised for headers found in nested body entities. +## .. note:: This event is also raised for headers found in nested body +## entities. event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; -## Generated for HTTP headers, passing on all headers of an HTTP message at once. -## Bro supports persistent and pipelined HTTP sessions and raises corresponding -## events as it parses client/server dialogues. +## Generated for HTTP headers, passing on all headers of an HTTP message at +## once. Bro supports persistent and pipelined HTTP sessions and raises +## corresponding events as it parses client/server dialogues. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## ## is_orig: True if the header was sent by the originator of the TCP connection. ## ## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, 2 for the -## second, etc.). +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). ## ## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats ## -## .. note:: This event is also raised for headers found in nested body entities. +## .. note:: This event is also raised for headers found in nested body +## entities. event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; -## Generated when starting to parse an HTTP body entity. This event is generated -## at least once for each non-empty (client or server) HTTP body; and potentially -## more than once if the body contains further nested MIME entities. Bro raises -## this event just before it starts parsing each entity's content. +## Generated when starting to parse an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. Bro raises this event just before it starts parsing each entity's +## content. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data @@ -4610,17 +4747,18 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) ## mime_begin_entity event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; -## Generated when finishing parsing an HTTP body entity. This event is generated -## at least once for each non-empty (client or server) HTTP body; and potentially -## more than once if the body contains further nested MIME entities. Bro raises -## this event at the point when it has finished parsing an entity's content. +## Generated when finishing parsing an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. Bro raises this event at the point when it has finished parsing an +## entity's content. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data @@ -4633,18 +4771,18 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; ## chunk of the data of not further defined size. ## ## A common idiom for using this event is to first *reassemble* the data -## at the scripting layer by concatening it to a successvily growing +## at the scripting layer by concatenating it to a successively growing ## string; and only perform further content analysis once the corresponding -## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so +## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so ## can be quite expensive for HTTP tranders. At the very least, one should ## impose an upper size limit on how much data is being buffered. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## length: The length of *data*. @@ -4656,17 +4794,17 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; ## mime_entity_data http_entity_data_delivery_size skip_http_data event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; -## Generated for reporting an HTTP bodie's content type. This event is +## Generated for reporting an HTTP body's content type. This event is ## generated at the end of parsing an HTTP header, passing on the MIME ## type as specified by the ``Content-Type`` header. If that header is ## missing, this event is still raised with a default value of ``text/plain``. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## ty: The main type. @@ -4688,12 +4826,12 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string ## message have been processed (and their corresponding ``http_entity_*`` events ## generated). ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## is_orig: True if the entity was was sent by the originator of the TCP +## is_orig: True if the entity was sent by the originator of the TCP ## connection. ## ## stat: Further meta information about the message. @@ -4704,13 +4842,13 @@ event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) ## Generated for errors found when decoding HTTP requests or replies. ## -## See `Wikipedia `__ for -## more information about the HTTP protocol. +## See `Wikipedia `__ +## for more information about the HTTP protocol. ## ## c: The connection. ## -## event_type: A string describing the general category of the problem found (e.g., -## ``illegal format``). +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). ## ## detail: Further more detailed description of the error. ## @@ -4725,17 +4863,18 @@ event http_event%(c: connection, event_type: string, detail: string%); ## ## c: The connection. ## -## stats: Statistics summarizing HTTP-level properties of the finished connection. +## stats: Statistics summarizing HTTP-level properties of the finished +## connection. ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_reply ## http_request event http_stats%(c: connection, stats: http_stats_rec%); -## Generated when seeing an SSH client's version identification. The SSH protocol -## starts with a clear-test handshake message that reports client and server -## protocol/software versions. This event provides access to what the client -## sent. +## Generated when seeing an SSH client's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## client sent. ## ## ## See `Wikipedia `__ for more @@ -4747,14 +4886,14 @@ event http_stats%(c: connection, stats: http_stats_rec%); ## ## .. bro:see:: ssh_server_version ## -## .. note:: As everything after the initial version handshake proceeds encrypted, -## Bro cannot further analyze SSH sessions. +## .. note:: As everything after the initial version handshake proceeds +## encrypted, Bro cannot further analyze SSH sessions. event ssh_client_version%(c: connection, version: string%); -## Generated when seeing an SSH server's version identification. The SSH protocol -## starts with a clear-test handshake message that reports client and server -## protocol/software versions. This event provides access to what the server -## sent. +## Generated when seeing an SSH server's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## server sent. ## ## See `Wikipedia `__ for more ## information about the SSH protocol. @@ -4772,53 +4911,53 @@ event ssh_server_version%(c: connection, version: string%); ## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions ## start with an unencrypted handshake, and Bro extracts as much information out -## that it as it can. This event provides access to the initial information sent by -## the client. +## of that as it can. This event provides access to the initial information +## sent by the client. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. ## ## c: The connection. ## -## version: The protocol version as extracted from the client's -## message. The values are standardized as part of the SSL/TLS protocol. The +## version: The protocol version as extracted from the client's message. The +## values are standardized as part of the SSL/TLS protocol. The ## :bro:id:`SSL::version_strings` table maps them to descriptive names. ## -## possible_ts: The current time as sent by the client. Note that SSL/TLS does not -## require clocks to be set correctly, so treat with care. +## possible_ts: The current time as sent by the client. Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. ## ## session_id: The session ID sent by the client (if any). ## ## ciphers: The list of ciphers the client offered to use. The values are -## standardized as part of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table -## maps them to descriptive names. +## standardized as part of the SSL/TLS protocol. The +## :bro:id:`SSL::cipher_desc` table maps them to descriptive names. ## ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); -## Generated for an SSL/TLS servers's initial *hello* message. SSL/TLS sessions +## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions ## start with an unencrypted handshake, and Bro extracts as much information out -## of that as it can. This event provides access to the initial information sent by -## the client. +## of that as it can. This event provides access to the initial information +## sent by the client. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. ## ## c: The connection. ## -## version: The protocol version as extracted from the servers's message. +## version: The protocol version as extracted from the server's message. ## The values are standardized as part of the SSL/TLS protocol. The ## :bro:id:`SSL::version_strings` table maps them to descriptive names. ## -## possible_ts: The current time as sent by the server. Note that SSL/TLS does not -## require clocks to be set correctly, so treat with care. +## possible_ts: The current time as sent by the server. Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. ## ## session_id: The session ID as sent back by the server (if any). ## ## cipher: The cipher chosen by the server. The values are standardized as part -## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps them to -## descriptive names. +## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps +## them to descriptive names. ## ## comp_method: The compression method chosen by the client. The values are ## standardized as part of the SSL/TLS protocol. @@ -4827,18 +4966,18 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%); -## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions -## start with an unencrypted handshake, and Bro extracts as much information out of -## that as it can. This event provides access to any extensions either side sents -## as part of extended *hello* message. +## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS +## sessions start with an unencrypted handshake, and Bro extracts as much +## information out of that as it can. This event provides access to any +## extensions either side sends as part of an extended *hello* message. ## ## c: The connection. ## ## is_orig: True if event is raised for originator side of the connection. ## ## code: The numerical code of the extension. The values are standardized as -## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps them to -## descriptive names. +## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps +## them to descriptive names. ## ## val: The raw extension value that was sent in the message. ## @@ -4847,10 +4986,10 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, sessio event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with -## an unencrypted handshake, and Bro extracts as much information out of that as -## it can. This event signals the time when an SSL/TLS has finished the handshake -## and its endpoints consider it as fully established. Typically, everything from -## now on will be encrypted. +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event signals the time when an SSL/TLS has finished the +## handshake and its endpoints consider it as fully established. Typically, +## everything from now on will be encrypted. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. @@ -4861,11 +5000,11 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_established%(c: connection%); -## Generated for SSL/TLS alert records. SSL/TLS sessions start with an unencrypted -## handshake, and Bro extracts as much information out of that as it can. If during -## that handshake, an endpoint encounteres a fatal error, it sends an *alert* -## record, that it turns triggers this event. After an *alert*, any endpoint -## may close the connection immediately. +## Generated for SSL/TLS alert records. SSL/TLS sessions start with an +## unencrypted handshake, and Bro extracts as much information out of that as +## it can. If during that handshake, an endpoint encounters a fatal error, it +## sends an *alert* record, that in turn triggers this event. After an *alert*, +## any endpoint may close the connection immediately. ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. @@ -4884,12 +5023,12 @@ event ssl_established%(c: connection%); ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); -## Generated for SSL/TLS handshake messages that are a part of the stateless-server -## session resumption mechanism. SSL/TLS sessions start with an unencrypted -## handshake, and Bro extracts as much information out of that as it can. This -## event is raised when an SSL/TLS server passes session ticket to the client that -## can later be used for resuming the session. The mechanism is described in -## :rfc:`4507` +## Generated for SSL/TLS handshake messages that are a part of the +## stateless-server session resumption mechanism. SSL/TLS sessions start with +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event is raised when an SSL/TLS server passes a session +## ticket to the client that can later be used for resuming the session. The +## mechanism is described in :rfc:`4507` ## ## See `Wikipedia `__ for ## more information about the SSL/TLS protocol. @@ -4905,13 +5044,13 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); ## x509_certificate x509_error x509_extension ssl_alert event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%); -## Generated for x509 certificates seen in SSL/TLS connections. During the initial -## SSL/TLS handshake, certificates are exchanged in the clear. Bro raises this -## event for each certificate seen (including both a site's primary cert, and -## further certs sent as part of the validation chain). +## Generated for X509 certificates seen in SSL/TLS connections. During the +## initial SSL/TLS handshake, certificates are exchanged in the clear. Bro +## raises this event for each certificate seen (including both a site's primary +## cert, and further certs sent as part of the validation chain). ## -## See `Wikipedia `__ for more information about -## the X.509 format. +## See `Wikipedia `__ for more information +## about the X.509 format. ## ## c: The connection. ## @@ -4920,7 +5059,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## cert: The parsed certificate. ## ## chain_idx: The index in the validation chain that this cert has. Index zero -## indicates an endpoints primary cert, while higher indices +## indicates an endpoint's primary cert, while higher indices ## indicate the place in the validation chain (which has length ## *chain_len*). ## @@ -4928,16 +5067,17 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ## of. ## ## der_cert: The complete cert encoded in `DER -## `__ format. +## `__ +## format. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_server_hello x509_error x509_extension x509_verify event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%); -## Generated for X.509 extensions seen in a certificate. +## Generated for X509 extensions seen in a certificate. ## -## See `Wikipedia `__ for more information about -## the X.509 format. +## See `Wikipedia `__ for more information +## about the X.509 format. ## ## c: The connection. ## @@ -4949,17 +5089,17 @@ event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: cou ## ssl_server_hello x509_certificate x509_error x509_verify event x509_extension%(c: connection, is_orig: bool, data: string%); -## Generated when errors occur during parsing an X.509 certificate. +## Generated when errors occur during parsing an X509 certificate. ## -## See `Wikipedia `__ for more information about -## the X.509 format. +## See `Wikipedia `__ for more information +## about the X.509 format. ## ## c: The connection. ## ## is_orig: True if event is raised for originator side of the connection. ## -## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` maps -## error codes to a textual description. +## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` +## maps error codes to a textual description. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify @@ -5022,16 +5162,16 @@ event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); ## Generated for NCP requests (Netware Core Protocol). ## -## See `Wikipedia `__ for more -## information about the NCP protocol. +## See `Wikipedia `__ for +## more information about the NCP protocol. ## ## c: The connection. ## ## frame_type: The frame type, as specified by the protocol. ## -## length: The length of the request body, excluding the frame header, +## length: The length of the request body, excluding the frame header. ## -## func: The requested function, as specified by the protocol. +## func: The requested function, as specified by the protocol. ## ## .. bro:see:: ncp_reply ## @@ -5043,20 +5183,20 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count% ## Generated for NCP replies (Netware Core Protocol). ## -## See `Wikipedia `__ for more -## information about the NCP protocol. +## See `Wikipedia `__ for +## more information about the NCP protocol. ## ## c: The connection. ## ## frame_type: The frame type, as specified by the protocol. ## -## length: The length of the request body, excluding the frame header, +## length: The length of the request body, excluding the frame header. ## ## req_frame: The frame type from the corresponding request. ## -## req_frame: The function code from the corresponding request. +## req_func: The function code from the corresponding request. ## -## completion_code: The replie's completion code, as specified by the protocol. +## completion_code: The reply's completion code, as specified by the protocol. ## ## .. bro:see:: ncp_request ## @@ -5068,12 +5208,13 @@ event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: cou ## Generated for client-side commands on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## -## is_orig: True if the command was sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## command: The command sent. ## @@ -5091,24 +5232,23 @@ event pop3_request%(c: connection, is_orig: bool, ## Generated for server-side replies to commands on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## -## is_orig: True if the command was sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## cmd: The success indicator sent by the server. This corresponds to the ## first token on the line sent, and should be either ``OK`` or ``ERR``. ## ## msg: The textual description the server sent along with *cmd*. ## -## arg: The argument to the command. -## ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request ## pop3_terminate pop3_unexpected ## -## .. todo: This event is receiving odd parameters, should unify. +## .. todo:: This event is receiving odd parameters, should unify. ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -5116,13 +5256,13 @@ event pop3_request%(c: connection, is_orig: bool, ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); -## Generated for server-side multi-lines responses on POP3 connections. POP3 -## connection use multi-line responses to send buld data, such as the actual +## Generated for server-side multi-line responses on POP3 connections. POP3 +## connections use multi-line responses to send bulk data, such as the actual ## mails. This event is generated once for each line that's part of such a ## response. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5139,12 +5279,12 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. event pop3_data%(c: connection, is_orig: bool, data: string%); -## Generated for errors encountered on POP3 sessions. If the POP3 analyzers finds -## state transition that do not confirm to the protocol specification, or other -## situations it can't handle, it raises this event. +## Generated for errors encountered on POP3 sessions. If the POP3 analyzer +## finds state transitions that do not conform to the protocol specification, +## or other situations it can't handle, it raises this event. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5164,13 +5304,13 @@ event pop3_data%(c: connection, is_orig: bool, data: string%); event pop3_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); -## Generated when POP3 connection go encrypted. While POP3 is by default a +## Generated when a POP3 connection goes encrypted. While POP3 is by default a ## clear-text protocol, extensions exist to switch to encryption. This event is -## generated if that happens and the analyzers then stops processing the +## generated if that happens and the analyzer then stops processing the ## connection. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5192,8 +5332,8 @@ event pop3_terminate%(c: connection, is_orig: bool, msg: string%); ## Generated for successful authentications on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## @@ -5216,15 +5356,15 @@ event pop3_login_success%(c: connection, is_orig: bool, ## Generated for unsuccessful authentications on POP3 connections. ## -## See `Wikipedia `__ for more information about -## the POP3 protocol. +## See `Wikipedia `__ for more information +## about the POP3 protocol. ## ## c: The connection. ## ## is_orig: Always false. ## -## user: The user name attempted for authentication. The event is only generated if -## a non-empty user name was used. +## user: The user name attempted for authentication. The event is only +## generated if a non-empty user name was used. ## ## password: The password attempted for authentication. ## @@ -5261,9 +5401,9 @@ event pop3_login_failure%(c: connection, is_orig: bool, ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response ## irc_part_message irc_password_message ## -## .. note:: This event is generated only for message that originate at the -## clients-side. Commands coming in from remote trigger the ge:bro:id:`irc_message` -## event instead. +## .. note:: This event is generated only for messages that originate +## at the client-side. Commands coming in from remote trigger +## the :bro:id:`irc_message` event instead. event irc_request%(c: connection, is_orig: bool, prefix: string, command: string, arguments: string%); @@ -5275,9 +5415,10 @@ event irc_request%(c: connection, is_orig: bool, prefix: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## prefix: The optional prefix comming with the reply. IRC uses the prefix to +## prefix: The optional prefix coming with the reply. IRC uses the prefix to ## indicate the true origin of a message. ## ## code: The reply code, as specified by the protocol. @@ -5306,7 +5447,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string, ## ## command: The command. ## -## arguments: The arguments for the command. +## message: TODO. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message @@ -5317,22 +5458,23 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string, ## .. note:: ## ## This event is generated only for messages that are forwarded by the server -## to the client. Commands coming from client trigger the :bro:id:`irc_request` -## event instead. +## to the client. Commands coming from client trigger the +## :bro:id:`irc_request` event instead. event irc_message%(c: connection, is_orig: bool, prefix: string, command: string, message: string%); -## Generated for IRC messages of type *quit*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *quit*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name coming with the message. +## nick: The nickname coming with the message. ## ## message: The text included with the message. ## @@ -5343,15 +5485,16 @@ event irc_message%(c: connection, is_orig: bool, prefix: string, ## irc_part_message irc_password_message event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%); -## Generated for IRC messages of type *privmsg*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *privmsg*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## source: The source of the private communication. ## @@ -5375,7 +5518,8 @@ event irc_privmsg_message%(c: connection, is_orig: bool, source: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## source: The source of the private communication. ## @@ -5399,7 +5543,8 @@ event irc_notice_message%(c: connection, is_orig: bool, source: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## source: The source of the private communication. ## @@ -5423,12 +5568,11 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## info_list: The user information coming with the command. ## -## message: The text of communication. -## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message ## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message @@ -5436,15 +5580,16 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string, ## irc_password_message event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%); -## Generated for IRC messages of type *part*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *part*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## nick: The nickname coming with the message. ## @@ -5460,15 +5605,16 @@ event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%) event irc_part_message%(c: connection, is_orig: bool, nick: string, chans: string_set, message: string%); -## Generated for IRC messages of type *nick*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *nick*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## who: The user changing its nickname. ## @@ -5488,7 +5634,8 @@ event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: stri ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invite_message irc_join_message irc_kick_message @@ -5504,7 +5651,8 @@ event irc_invalid_nick%(c: connection, is_orig: bool%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## users: The number of users as returned in the reply. ## @@ -5527,7 +5675,8 @@ event irc_network_info%(c: connection, is_orig: bool, users: count, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## users: The number of users as returned in the reply. ## @@ -5550,7 +5699,8 @@ event irc_server_info%(c: connection, is_orig: bool, users: count, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## chans: The number of channels as returned in the reply. ## @@ -5568,9 +5718,10 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## target_nick: The target nick name. +## target_nick: The target nickname. ## ## channel: The channel. ## @@ -5580,7 +5731,7 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%); ## ## server: The server. ## -## nick: The nick name. +## nick: The nickname. ## ## params: The parameters. ## @@ -5606,7 +5757,8 @@ event irc_who_line%(c: connection, is_orig: bool, target_nick: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## c_type: The channel type. ## @@ -5629,9 +5781,10 @@ event irc_names_info%(c: connection, is_orig: bool, c_type: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name specified in the reply. +## nick: The nickname specified in the reply. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message @@ -5647,9 +5800,10 @@ event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name specified in the reply. +## nick: The nickname specified in the reply. ## ## chans: The set of channels returned. ## @@ -5668,16 +5822,15 @@ event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## -## nick: The nick name specified in the reply. +## nick: The nickname specified in the reply. ## ## user: The user name specified in the reply. ## ## host: The host name specified in the reply. ## -## user: The user name specified in the reply. -## ## real_name: The real name specified in the reply. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message @@ -5695,7 +5848,8 @@ event irc_whois_user_line%(c: connection, is_orig: bool, nick: string, ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## got_oper: True if the *oper* command was executed successfully ## (*youreport*) and false otherwise (*nooperhost*). @@ -5714,7 +5868,8 @@ event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%); ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. @@ -5735,6 +5890,9 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## channel: The channel name specified in the reply. ## ## topic: The topic specified in the reply. @@ -5746,15 +5904,16 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin ## irc_password_message event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%); -## Generated for IRC messages of type *who*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *who*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## -## is_orig: True if the command what sent by the originator of the TCP connection. +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## ## mask: The mask specified in the message. ## @@ -5767,15 +5926,20 @@ event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: s ## irc_part_message irc_password_message event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); -## Generated for IRC messages of type *whois*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *whois*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. ## +## server: TODO. +## +## users: TODO. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message @@ -5784,14 +5948,17 @@ event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); ## irc_part_message irc_password_message event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%); -## Generated for IRC messages of type *oper*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *oper*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## user: The user specified in the message. ## ## password: The password specified in the message. @@ -5803,14 +5970,17 @@ event irc_whois_message%(c: connection, is_orig: bool, server: string, users: st ## irc_password_message event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%); -## Generated for IRC messages of type *kick*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *kick*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## @@ -5828,14 +5998,17 @@ event irc_oper_message%(c: connection, is_orig: bool, user: string, password: st event irc_kick_message%(c: connection, is_orig: bool, prefix: string, chans: string, users: string, comment: string%); -## Generated for IRC messages of type *error*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *error*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## @@ -5856,10 +6029,13 @@ event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## -## nickname: The nick name specified in the message. +## nickname: The nickname specified in the message. ## ## channel: The channel specified in the message. ## @@ -5871,14 +6047,17 @@ event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: event irc_invite_message%(c: connection, is_orig: bool, prefix: string, nickname: string, channel: string%); -## Generated for IRC messages of type *mode*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *mode*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## @@ -5891,20 +6070,23 @@ event irc_invite_message%(c: connection, is_orig: bool, prefix: string, ## irc_password_message event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%); -## Generated for IRC messages of type *squit*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *squit*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## ## server: The server specified in the message. ## -## messate: The textual description specified in the message. +## message: The textual description specified in the message. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message ## irc_global_users irc_invalid_nick irc_invite_message irc_join_message @@ -5914,14 +6096,17 @@ event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: st event irc_squit_message%(c: connection, is_orig: bool, prefix: string, server: string, message: string%); -## Generated for IRC messages of type *dcc*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *dcc*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## prefix: The optional prefix coming with the command. IRC uses the prefix to ## indicate the true origin of a message. ## @@ -5947,14 +6132,17 @@ event irc_dcc_message%(c: connection, is_orig: bool, dcc_type: string, argument: string, address: addr, dest_port: count, size: count%); -## Generated for IRC messages of type *user*. This event is generated for messages -## coming from both the client and the server. +## Generated for IRC messages of type *user*. This event is generated for +## messages coming from both the client and the server. ## ## See `Wikipedia `__ for more ## information about the IRC protocol. ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## user: The user specified in the message. ## ## host: The host name specified in the message. @@ -5978,6 +6166,9 @@ event irc_user_message%(c: connection, is_orig: bool, user: string, host: string ## ## c: The connection. ## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## ## password: The password specified in the message. ## ## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message @@ -5989,7 +6180,6 @@ event irc_password_message%(c: connection, is_orig: bool, password: string%); ## TODO. ## -## .. bro:see:: event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); ## Generated for monitored Syslog messages. @@ -6005,13 +6195,14 @@ event file_transferred%(c: connection, prefix: string, descr: string, mime_type: ## ## msg: The message logged. ## -## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP syslog -## will be added soon. +## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP +## syslog will be added soon. event syslog_message%(c: connection, facility: count, severity: count, msg: string%); -## Generated when a signature matches. Bro's signature engine provide -## high-performance pattern matching separately from the normal script processing. -## If a signature with an ``event`` action matches, this event is raised. +## Generated when a signature matches. Bro's signature engine provides +## high-performance pattern matching separately from the normal script +## processing. If a signature with an ``event`` action matches, this event is +## raised. ## ## See the :doc:`user manual ` for more information about Bro's ## signature engine. @@ -6021,12 +6212,41 @@ event syslog_message%(c: connection, facility: count, severity: count, msg: stri ## ## msg: The message passed to the ``event`` signature action. ## -## data; The last chunk of input that triggered the match. Note that the specifics -## here are no well-defined as Bro does not buffer any input. If a match is split -## across packet boundaries, only the last chunk triggering the will be passed on -## to the event. +## data: The last chunk of input that triggered the match. Note that the +## specifics here are not well-defined as Bro does not buffer any input. +## If a match is split across packet boundaries, only the last chunk +## triggering the match will be passed on to the event. event signature_match%(state: signature_state, msg: string, data: string%); +## Generated when a SOCKS request is analyzed. +## +## c: The parent connection of the proxy. +## +## version: The version of SOCKS this message used. +## +## request_type: The type of the request. +## +## sa: Address that the tunneled traffic should be sent to. +## +## p: The destination port for the proxied traffic. +## +## user: Username given for the SOCKS connection. This is not yet implemented +## for SOCKSv5. +event socks_request%(c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string%); + +## Generated when a SOCKS reply is analyzed. +## +## c: The parent connection of the proxy. +## +## version: The version of SOCKS this message used. +## +## reply: The status reply from the server. +## +## sa: The address that the server sent the traffic to. +## +## p: The destination port for the proxied traffic. +event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%); + ## Generated when a protocol analyzer finds an identification of a software ## used on a system. This is a protocol-independent event that is fed by ## different analyzers. For example, the HTTP analyzer reports user-agent and @@ -6039,25 +6259,26 @@ event signature_match%(state: signature_state, msg: string, data: string%); ## ## s: A description of the software found. ## -## descr: The raw (unparsed) software identification string as extracted from the -## protocol. +## descr: The raw (unparsed) software identification string as extracted from +## the protocol. ## ## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found event software_version_found%(c: connection, host: addr, s: software, descr: string%); -## Generated when a protocol analyzer finds an identification of a software used on -## a system but cannot parse it. This is a protocol-independent event that is fed -## by different analyzers. For example, the HTTP analyzer reports user-agent and -## server software by raising this event if it cannot parse them directly (if canit -## :bro:id:`software_version_found` will be generated instead). +## Generated when a protocol analyzer finds an identification of a software +## used on a system but cannot parse it. This is a protocol-independent event +## that is fed by different analyzers. For example, the HTTP analyzer reports +## user-agent and server software by raising this event if it cannot parse them +## directly (if it can :bro:id:`software_version_found` will be generated +## instead). ## ## c: The connection. ## ## host: The host running the reported software. ## -## descr: The raw (unparsed) software identification string as extracted from the -## protocol. +## descr: The raw (unparsed) software identification string as extracted from +## the protocol. ## ## .. bro:see:: software_version_found software_unparsed_version_found ## OS_version_found @@ -6075,7 +6296,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%); ## ## host: The host running the reported software. ## -## descr: The software identification string as extracted from the protocol. +## str: The software identification string as extracted from the protocol. ## ## .. bro:see:: software_parse_error software_version_found OS_version_found event software_unparsed_version_found%(c: connection, host: addr, str: string%); @@ -6085,14 +6306,16 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%); ## and it raises this event for each system identified. The p0f fingerprints are ## defined by :bro:id:`passive_fingerprint_file`. ## +## TODO. +## ## .. bro:see:: passive_fingerprint_file software_parse_error ## software_version_found software_unparsed_version_found ## generate_OS_version_event event OS_version_found%(c: connection, host: addr, OS: OS_version%); ## Generated when a connection to a remote Bro has been established. This event -## is intended primarily for use by Bro's communication framework, but it can also -## trigger additional code if helpful. +## is intended primarily for use by Bro's communication framework, but it can +## also trigger additional code if helpful. ## ## p: A record describing the peer. ## @@ -6113,9 +6336,9 @@ event remote_connection_established%(p: event_peer%); ## remote_state_inconsistency print_hook event remote_connection_closed%(p: event_peer%); -## Generated when a remote connection's initial handshake has been completed. This -## event is intended primarily for use by Bro's communication framework, but it can -## also trigger additional code if helpful. +## Generated when a remote connection's initial handshake has been completed. +## This event is intended primarily for use by Bro's communication framework, +## but it can also trigger additional code if helpful. ## ## p: A record describing the peer. ## @@ -6130,6 +6353,8 @@ event remote_connection_handshake_done%(p: event_peer%); ## ## p: A record describing the peer. ## +## name: TODO. +## ## .. bro:see:: remote_capture_filter remote_connection_closed ## remote_connection_error remote_connection_established ## remote_connection_handshake_done remote_log remote_pong @@ -6137,8 +6362,8 @@ event remote_connection_handshake_done%(p: event_peer%); event remote_event_registered%(p: event_peer, name: string%); ## Generated when a connection to a remote Bro encountered an error. This event -## is intended primarily for use by Bro's communication framework, but it can also -## trigger additional code if helpful. +## is intended primarily for use by Bro's communication framework, but it can +## also trigger additional code if helpful. ## ## p: A record describing the peer. ## @@ -6153,8 +6378,8 @@ event remote_connection_error%(p: event_peer, reason: string%); ## Generated when a remote peer sent us a capture filter. While this event is -## intended primarily for use by Bro's communication framework, it can also trigger -## additional code if helpful. +## intended primarily for use by Bro's communication framework, it can also +## trigger additional code if helpful. ## ## p: A record describing the peer. ## @@ -6168,8 +6393,8 @@ event remote_capture_filter%(p: event_peer, filter: string%); ## Generated after a call to :bro:id:`send_state` when all data has been ## successfully sent to the remote side. While this event is -## intended primarily for use by Bro's communication framework, it can also trigger -## additional code if helpful. +## intended primarily for use by Bro's communication framework, it can also +## trigger additional code if helpful. ## ## p: A record describing the remote peer. ## @@ -6179,20 +6404,20 @@ event remote_capture_filter%(p: event_peer, filter: string%); ## remote_state_access_performed remote_state_inconsistency print_hook event finished_send_state%(p: event_peer%); -## Generated if state synchronization detects an inconsistency. While this event -## is intended primarily for use by Bro's communication framework, it can also -## trigger additional code if helpful. This event is only raised if +## Generated if state synchronization detects an inconsistency. While this +## event is intended primarily for use by Bro's communication framework, it can +## also trigger additional code if helpful. This event is only raised if ## :bro:id:`remote_check_sync_consistency` is false. ## ## operation: The textual description of the state operation performed. ## ## id: The name of the Bro script identifier that was operated on. ## -## expected_old: A textual representation of the value of *id* that was expected to -## be found before the operation was carried out. +## expected_old: A textual representation of the value of *id* that was +## expected to be found before the operation was carried out. ## -## real_old: A textual representation of the value of *id* that was actually found -## before the operation was carried out. The difference between +## real_old: A textual representation of the value of *id* that was actually +## found before the operation was carried out. The difference between ## *real_old* and *expected_old* is the inconsistency being reported. ## ## .. bro:see:: remote_capture_filter remote_connection_closed @@ -6203,13 +6428,13 @@ event remote_state_inconsistency%(operation: string, id: string, expected_old: string, real_old: string%); ## Generated for communication log messages. While this event is -## intended primarily for use by Bro's communication framework, it can also trigger -## additional code if helpful. +## intended primarily for use by Bro's communication framework, it can also +## trigger additional code if helpful. ## ## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or ## :bro:id:`REMOTE_LOG_ERROR`. ## -## src: The component of the comminication system that logged the message. +## src: The component of the communication system that logged the message. ## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's ## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or ## :bro:id:`REMOTE_SRC_SCRIPT` (the script level). @@ -6223,8 +6448,8 @@ event remote_state_inconsistency%(operation: string, id: string, event remote_log%(level: count, src: count, msg: string%); ## Generated for communication log messages. While this event is -## intended primarily for use by Bro's communication framework, it can also trigger -## additional code if helpful. This event is equivalent to +## intended primarily for use by Bro's communication framework, it can also +## trigger additional code if helpful. This event is equivalent to ## :bro:see:`remote_log` except the message is with respect to a certain peer. ## ## p: A record describing the remote peer. @@ -6232,7 +6457,7 @@ event remote_log%(level: count, src: count, msg: string%); ## level: The log level, which is either :bro:id:`REMOTE_LOG_INFO` or ## :bro:id:`REMOTE_LOG_ERROR`. ## -## src: The component of the comminication system that logged the message. +## src: The component of the communication system that logged the message. ## Currently, this will be one of :bro:id:`REMOTE_SRC_CHILD` (Bro's ## child process), :bro:id:`REMOTE_SRC_PARENT` (Bro's main process), or ## :bro:id:`REMOTE_SRC_SCRIPT` (the script level). @@ -6247,12 +6472,12 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); ## Generated when a remote peer has answered to our ping. This event is part of ## Bro's infrastructure for measuring communication latency. One can send a ping -## by calling :bro:id:`send_ping` and when a corresponding reply is received, this -## event will be raised. +## by calling :bro:id:`send_ping` and when a corresponding reply is received, +## this event will be raised. ## ## p: The peer sending us the pong. ## -## seq: The sequence number passed to the original :bro:id:`send_ping` call. +## seq: The sequence number passed to the original :bro:id:`send_ping` call. ## The number is sent back by the peer in its response. ## ## d1: The time interval between sending the ping and receiving the pong. This @@ -6263,7 +6488,7 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); ## ## d3: The time interval between when the peer's child process received the ## ping and when its parent process sent the pong. This is the -## processing latency at the the peer. +## processing latency at the peer. ## ## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error ## remote_connection_established remote_connection_handshake_done @@ -6272,8 +6497,8 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); event remote_pong%(p: event_peer, seq: count, d1: interval, d2: interval, d3: interval%); -## Generated each time a remote state access has been replayed locally. This event -## is primarily intended for debugging. measurments. +## Generated each time a remote state access has been replayed locally. This +## event is primarily intended for debugging. ## ## id: The name of the Bro script variable that's being operated on. ## @@ -6287,7 +6512,7 @@ event remote_state_access_performed%(id: string, v: any%); ## Generated each time Bro's internal profiling log is updated. The file is ## defined by :bro:id:`profiling_file`, and its update frequency by -## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`. +## :bro:id:`profiling_interval` and :bro:id:`expensive_profiling_multiple`. ## ## f: The profiling file. ## @@ -6299,25 +6524,25 @@ event profiling_update%(f: file, expensive: bool%); ## Generated each time Bro's script interpreter opens a file. This event is ## triggered only for files opened via :bro:id:`open`, and in particular not for -## normal log files as created by a log writers. +## normal log files as created by log writers. ## ## f: The opened file. event file_opened%(f: file%); -## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises this -## event whenever it either receives a NetFlow header on the port it's listening -## on, or reads one from a trace file. +## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow header on the port it's +## listening on, or reads one from a trace file. ## ## h: The parsed NetFlow header. ## ## .. bro:see:: netflow_v5_record event netflow_v5_header%(h: nf_v5_header%); -## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises this -## event whenever it either receives a NetFlow record on the port it's listening -## on, or reads one from a trace file. +## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow record on the port it's +## listening on, or reads one from a trace file. ## -## h: The parsed NetFlow header. +## r: The parsed NetFlow record. ## ## .. bro:see:: netflow_v5_record event netflow_v5_record%(r: nf_v5_record%); @@ -6330,15 +6555,15 @@ event netflow_v5_record%(r: nf_v5_record%); ## ## msg: The message itself. ## -## location: A (potentially empty) string describing a location associated with the -## message. +## location: A (potentially empty) string describing a location associated with +## the message. ## ## .. bro:see:: reporter_warning reporter_error Reporter::info Reporter::warning ## Reporter::error ## -## .. note:: Bro will not call reporter events recursively. If the handler of any -## reporter event triggers a new reporter message itself, the output will go to -## ``stderr`` instead. +## .. note:: Bro will not call reporter events recursively. If the handler of +## any reporter event triggers a new reporter message itself, the output +## will go to ``stderr`` instead. event reporter_info%(t: time, msg: string, location: string%) &error_handler; ## Raised for warnings reported via Bro's reporter framework. Such messages may @@ -6349,15 +6574,15 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler; ## ## msg: The warning message. ## -## location: A (potentially empty) string describing a location associated with the -## warning. +## location: A (potentially empty) string describing a location associated with +## the warning. ## ## .. bro:see:: reporter_info reporter_error Reporter::info Reporter::warning ## Reporter::error ## -## .. note:: Bro will not call reporter events recursively. If the handler of any -## reporter event triggers a new reporter message itself, the output will go to -## ``stderr`` instead. +## .. note:: Bro will not call reporter events recursively. If the handler of +## any reporter event triggers a new reporter message itself, the output +## will go to ``stderr`` instead. event reporter_warning%(t: time, msg: string, location: string%) &error_handler; ## Raised for errors reported via Bro's reporter framework. Such messages may @@ -6368,15 +6593,15 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler; ## ## msg: The error message. ## -## location: A (potentially empty) string describing a location associated with the -## error. +## location: A (potentially empty) string describing a location associated with +## the error. ## ## .. bro:see:: reporter_info reporter_warning Reporter::info Reporter::warning ## Reporter::error ## -## .. note:: Bro will not call reporter events recursively. If the handler of any -## reporter event triggers a new reporter message itself, the output will go to -## ``stderr`` instead. +## .. note:: Bro will not call reporter events recursively. If the handler of +## any reporter event triggers a new reporter message itself, the output +## will go to ``stderr`` instead. event reporter_error%(t: time, msg: string, location: string%) &error_handler; ## Raised for each policy script loaded by the script interpreter. diff --git a/src/input/Manager.cc b/src/input/Manager.cc index f35071081b..fc68343813 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -71,15 +71,14 @@ declare(PDict, InputHash); class Manager::Stream { public: string name; - string source; + ReaderBackend::ReaderInfo info; bool removed; - ReaderMode mode; - StreamType stream_type; // to distinguish between event and table streams EnumVal* type; ReaderFrontend* reader; + TableVal* config; RecordVal* description; @@ -103,6 +102,9 @@ Manager::Stream::~Stream() if ( description ) Unref(description); + if ( config ) + Unref(config); + if ( reader ) delete(reader); } @@ -255,10 +257,10 @@ ReaderBackend* Manager::CreateBackend(ReaderFrontend* frontend, bro_int_t type) assert(ir->factory); + frontend->SetTypeName(ir->name); ReaderBackend* backend = (*ir->factory)(frontend); assert(backend); - frontend->ty_name = ir->name; return backend; } @@ -300,19 +302,20 @@ bool Manager::CreateStream(Stream* info, RecordVal* description) Unref(sourceval); EnumVal* mode = description->LookupWithDefault(rtype->FieldOffset("mode"))->AsEnumVal(); + Val* config = description->LookupWithDefault(rtype->FieldOffset("config")); - switch ( mode->InternalInt() ) + switch ( mode->InternalInt() ) { case 0: - info->mode = MODE_MANUAL; + info->info.mode = MODE_MANUAL; break; case 1: - info->mode = MODE_REREAD; + info->info.mode = MODE_REREAD; break; case 2: - info->mode = MODE_STREAM; + info->info.mode = MODE_STREAM; break; default: @@ -324,10 +327,30 @@ bool Manager::CreateStream(Stream* info, RecordVal* description) info->reader = reader_obj; info->type = reader->AsEnumVal(); // ref'd by lookupwithdefault info->name = name; - info->source = source; + info->config = config->AsTableVal(); // ref'd by LookupWithDefault + + info->info.source = source; + Ref(description); info->description = description; + { + HashKey* k; + IterCookie* c = info->config->AsTable()->InitForIteration(); + + TableEntryVal* v; + while ( (v = info->config->AsTable()->NextEntry(k, c)) ) + { + ListVal* index = info->config->RecoverIndex(k); + string key = index->Index(0)->AsString()->CheckString(); + string value = v->Value()->AsString()->CheckString(); + info->info.config.insert(std::make_pair(key, value)); + Unref(index); + delete k; + } + + } + DBG_LOG(DBG_INPUT, "Successfully created new input stream %s", name.c_str()); @@ -451,7 +474,8 @@ bool Manager::CreateEventStream(RecordVal* fval) Unref(want_record); // ref'd by lookupwithdefault assert(stream->reader); - stream->reader->Init(stream->source, stream->mode, stream->num_fields, logf ); + + stream->reader->Init(stream->info, stream->num_fields, logf ); readers[stream->reader] = stream; @@ -628,7 +652,7 @@ bool Manager::CreateTableStream(RecordVal* fval) assert(stream->reader); - stream->reader->Init(stream->source, stream->mode, fieldsV.size(), fields ); + stream->reader->Init(stream->info, fieldsV.size(), fields ); readers[stream->reader] = stream; @@ -689,31 +713,39 @@ bool Manager::IsCompatibleType(BroType* t, bool atomic_only) } -bool Manager::RemoveStream(const string &name) +bool Manager::RemoveStream(Stream *i) { - Stream *i = FindStream(name); - if ( i == 0 ) return false; // not found if ( i->removed ) { - reporter->Error("Stream %s is already queued for removal. Ignoring remove.", name.c_str()); - return false; + reporter->Warning("Stream %s is already queued for removal. Ignoring remove.", i->name.c_str()); + return true; } i->removed = true; i->reader->Close(); -#ifdef DEBUG - DBG_LOG(DBG_INPUT, "Successfully queued removal of stream %s", - name.c_str()); -#endif + DBG_LOG(DBG_INPUT, "Successfully queued removal of stream %s", + i->name.c_str()); return true; } +bool Manager::RemoveStream(ReaderFrontend* frontend) + { + return RemoveStream(FindStream(frontend)); + } + + +bool Manager::RemoveStream(const string &name) + { + return RemoveStream(FindStream(name)); + } + + bool Manager::RemoveStreamContinuation(ReaderFrontend* reader) { Stream *i = FindStream(reader); @@ -1200,7 +1232,7 @@ void Manager::EndCurrentSend(ReaderFrontend* reader) #endif // Send event that the current update is indeed finished. - SendEvent(update_finished, 2, new StringVal(i->name.c_str()), new StringVal(i->source.c_str())); + SendEvent(update_finished, 2, new StringVal(i->name.c_str()), new StringVal(i->info.source.c_str())); } void Manager::Put(ReaderFrontend* reader, Value* *vals) diff --git a/src/input/Manager.h b/src/input/Manager.h index 400918366e..1590042183 100644 --- a/src/input/Manager.h +++ b/src/input/Manager.h @@ -72,7 +72,7 @@ public: /** * Deletes an existing input stream. * - * @param id The enum value corresponding the input stream. + * @param id The name of the input stream to be removed. * * This method corresponds directly to the internal BiF defined in * input.bif, which just forwards here. @@ -88,6 +88,7 @@ protected: friend class SendEntryMessage; friend class EndCurrentSendMessage; friend class ReaderClosedMessage; + friend class DisableMessage; // For readers to write to input stream in direct mode (reporting // new/deleted values directly). Functions take ownership of @@ -118,12 +119,26 @@ protected: // main thread. This makes sure all data that has ben queued for a // stream is still received. bool RemoveStreamContinuation(ReaderFrontend* reader); + + /** + * Deletes an existing input stream. + * + * @param frontend pointer to the frontend of the input stream to be removed. + * + * This method is used by the reader backends to remove a reader when it fails + * for some reason. + */ + bool RemoveStream(ReaderFrontend* frontend); private: class Stream; class TableStream; class EventStream; + // Actual RemoveStream implementation -- the function's public and + // protected definitions are wrappers around this function. + bool RemoveStream(Stream* i); + bool CreateStream(Stream*, RecordVal* description); // SendEntry implementation for Table stream. diff --git a/src/input/ReaderBackend.cc b/src/input/ReaderBackend.cc index b5d898fedd..dea554251e 100644 --- a/src/input/ReaderBackend.cc +++ b/src/input/ReaderBackend.cc @@ -113,6 +113,7 @@ public: virtual bool Process() { + Object()->SetDisable(); return input_mgr->RemoveStreamContinuation(Object()); } @@ -129,10 +130,17 @@ public: virtual bool Process() { Object()->SetDisable(); + // And - because we do not need disabled objects any more - + // there is no way to re-enable them, so simply delete them. + // This avoids the problem of having to periodically check if + // there are any disabled readers out there. As soon as a + // reader disables itself, it deletes itself. + input_mgr->RemoveStream(Object()); return true; } }; +using namespace logging; ReaderBackend::ReaderBackend(ReaderFrontend* arg_frontend) : MsgThread() { @@ -176,18 +184,17 @@ void ReaderBackend::SendEntry(Value* *vals) SendOut(new SendEntryMessage(frontend, vals)); } -bool ReaderBackend::Init(string arg_source, ReaderMode arg_mode, const int arg_num_fields, +bool ReaderBackend::Init(const ReaderInfo& arg_info, const int arg_num_fields, const threading::Field* const* arg_fields) { - source = arg_source; - mode = arg_mode; + info = arg_info; num_fields = arg_num_fields; fields = arg_fields; - SetName("InputReader/"+source); + SetName("InputReader/"+info.source); // disable if DoInit returns error. - int success = DoInit(arg_source, mode, arg_num_fields, arg_fields); + int success = DoInit(arg_info, arg_num_fields, arg_fields); if ( ! success ) { @@ -203,8 +210,7 @@ bool ReaderBackend::Init(string arg_source, ReaderMode arg_mode, const int arg_n void ReaderBackend::Close() { DoClose(); - disabled = true; - DisableFrontend(); + disabled = true; // frontend disables itself when it gets the Close-message. SendOut(new ReaderClosedMessage(frontend)); if ( fields != 0 ) diff --git a/src/input/ReaderBackend.h b/src/input/ReaderBackend.h index 8b5e7d674b..820633254a 100644 --- a/src/input/ReaderBackend.h +++ b/src/input/ReaderBackend.h @@ -11,21 +11,28 @@ namespace input { /** - * The modes a reader can be in. + * The modes a reader can be in. */ enum ReaderMode { /** - * TODO Bernhard. + * Manual refresh reader mode. The reader will read the file once, + * and send all read data back to the manager. After that, no automatic + * refresh should happen. Manual refreshes can be triggered from the + * scripting layer using force_update. */ MODE_MANUAL, /** - * TODO Bernhard. + * Automatic rereading mode. The reader should monitor the + * data source for changes continually. When the data source changes, + * either the whole file has to be resent using the SendEntry/EndCurrentSend functions. */ MODE_REREAD, /** - * TODO Bernhard. + * Streaming reading mode. The reader should monitor the data source + * for new appended data. When new data is appended is has to be sent + * using the Put api functions. */ MODE_STREAM }; @@ -58,23 +65,48 @@ public: */ virtual ~ReaderBackend(); + /** + * A struct passing information to the reader at initialization time. + */ + struct ReaderInfo + { + typedef std::map config_map; + + /** + * A string left to the interpretation of the reader + * implementation; it corresponds to the value configured on + * the script-level for the logging filter. + */ + string source; + + /** + * A map of key/value pairs corresponding to the relevant + * filter's "config" table. + */ + config_map config; + + /** + * The opening mode for the input source. + */ + ReaderMode mode; + }; + /** * One-time initialization of the reader to define the input source. * - * @param source A string left to the interpretation of the - * reader implementation; it corresponds to the value configured on - * the script-level for the input stream. - * - * @param mode The opening mode for the input source. + * @param @param info Meta information for the writer. * * @param num_fields Number of fields contained in \a fields. * * @param fields The types and names of the fields to be retrieved * from the input source. * + * @param config A string map containing additional configuration options + * for the reader. + * * @return False if an error occured. */ - bool Init(string source, ReaderMode mode, int num_fields, const threading::Field* const* fields); + bool Init(const ReaderInfo& info, int num_fields, const threading::Field* const* fields); /** * Finishes reading from this input stream in a regular fashion. Must @@ -102,6 +134,22 @@ public: */ void DisableFrontend(); + /** + * Returns the log fields as passed into the constructor. + */ + const threading::Field* const * Fields() const { return fields; } + + /** + * Returns the additional reader information into the constructor. + */ + const ReaderInfo& Info() const { return info; } + + /** + * Returns the number of log fields as passed into the constructor. + */ + int NumFields() const { return num_fields; } + + protected: // Methods that have to be overwritten by the individual readers @@ -123,7 +171,7 @@ protected: * provides accessor methods to get them later, and they are passed * in here only for convinience. */ - virtual bool DoInit(string path, ReaderMode mode, int arg_num_fields, const threading::Field* const* fields) = 0; + virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) = 0; /** * Reader-specific method implementing input finalization at @@ -152,26 +200,6 @@ protected: */ virtual bool DoUpdate() = 0; - /** - * Returns the input source as passed into Init()/. - */ - const string Source() const { return source; } - - /** - * Returns the reader mode as passed into Init(). - */ - const ReaderMode Mode() const { return mode; } - - /** - * Returns the number of log fields as passed into Init(). - */ - unsigned int NumFields() const { return num_fields; } - - /** - * Returns the log fields as passed into Init(). - */ - const threading::Field* const * Fields() const { return fields; } - /** * Method allowing a reader to send a specified Bro event. Vals must * match the values expected by the bro event. @@ -272,8 +300,7 @@ private: // from this class, it's running in a different thread! ReaderFrontend* frontend; - string source; - ReaderMode mode; + ReaderInfo info; unsigned int num_fields; const threading::Field* const * fields; // raw mapping diff --git a/src/input/ReaderFrontend.cc b/src/input/ReaderFrontend.cc index 0236ac83be..e489147d36 100644 --- a/src/input/ReaderFrontend.cc +++ b/src/input/ReaderFrontend.cc @@ -6,27 +6,23 @@ #include "threading/MsgThread.h" -// FIXME: cleanup of disabled inputreaders is missing. we need this, because -// stuff can e.g. fail in init and might never be removed afterwards. - namespace input { class InitMessage : public threading::InputMessage { public: - InitMessage(ReaderBackend* backend, const string source, ReaderMode mode, + InitMessage(ReaderBackend* backend, const ReaderBackend::ReaderInfo& info, const int num_fields, const threading::Field* const* fields) : threading::InputMessage("Init", backend), - source(source), mode(mode), num_fields(num_fields), fields(fields) { } + info(info), num_fields(num_fields), fields(fields) { } virtual bool Process() { - return Object()->Init(source, mode, num_fields, fields); + return Object()->Init(info, num_fields, fields); } private: - const string source; - const ReaderMode mode; + const ReaderBackend::ReaderInfo info; const int num_fields; const threading::Field* const* fields; }; @@ -66,8 +62,8 @@ ReaderFrontend::~ReaderFrontend() { } -void ReaderFrontend::Init(string arg_source, ReaderMode mode, const int num_fields, - const threading::Field* const* fields) +void ReaderFrontend::Init(const ReaderBackend::ReaderInfo& arg_info, const int arg_num_fields, + const threading::Field* const* arg_fields) { if ( disabled ) return; @@ -75,10 +71,12 @@ void ReaderFrontend::Init(string arg_source, ReaderMode mode, const int num_fiel if ( initialized ) reporter->InternalError("reader initialize twice"); - source = arg_source; + info = arg_info; + num_fields = arg_num_fields; + fields = arg_fields; initialized = true; - backend->SendIn(new InitMessage(backend, arg_source, mode, num_fields, fields)); + backend->SendIn(new InitMessage(backend, info, num_fields, fields)); } void ReaderFrontend::Update() @@ -106,15 +104,16 @@ void ReaderFrontend::Close() return; } + disabled = true; backend->SendIn(new CloseMessage(backend)); } string ReaderFrontend::Name() const { - if ( source.size() ) + if ( ! info.source.size() ) return ty_name; - return ty_name + "/" + source; + return ty_name + "/" + info.source; } } diff --git a/src/input/ReaderFrontend.h b/src/input/ReaderFrontend.h index c61b194e24..93e416e65b 100644 --- a/src/input/ReaderFrontend.h +++ b/src/input/ReaderFrontend.h @@ -52,7 +52,7 @@ public: * * This method must only be called from the main thread. */ - void Init(string arg_source, ReaderMode mode, const int arg_num_fields, const threading::Field* const* fields); + void Init(const ReaderBackend::ReaderInfo& info, const int arg_num_fields, const threading::Field* const* fields); /** * Force an update of the current input source. Actual action depends @@ -102,22 +102,39 @@ public: */ string Name() const; -protected: - friend class Manager; + /** + * Returns the additional reader information passed into the constructor. + */ + const ReaderBackend::ReaderInfo& Info() const { return info; } /** - * Returns the source as passed into the constructor. + * Returns the number of log fields as passed into the constructor. */ - const string& Source() const { return source; }; + int NumFields() const { return num_fields; } + + /** + * Returns the log fields as passed into the constructor. + */ + const threading::Field* const * Fields() const { return fields; } + +protected: + friend class Manager; /** * Returns the name of the backend's type. */ const string& TypeName() const { return ty_name; } + /** + * Sets the name of the backend's type. + */ + void SetTypeName(const string& name) { ty_name = name; } + private: ReaderBackend* backend; // The backend we have instanatiated. - string source; + ReaderBackend::ReaderInfo info; // Meta information as passed to Init(). + const threading::Field* const* fields; // The input fields. + int num_fields; // Information as passed to Init(). string ty_name; // Backend type, set by manager. bool disabled; // True if disabled. bool initialized; // True if initialized. diff --git a/src/input/readers/Ascii.cc b/src/input/readers/Ascii.cc index 186d765d21..1731bba872 100644 --- a/src/input/readers/Ascii.cc +++ b/src/input/readers/Ascii.cc @@ -83,14 +83,14 @@ void Ascii::DoClose() } } -bool Ascii::DoInit(string path, ReaderMode mode, int num_fields, const Field* const* fields) +bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { mtime = 0; - file = new ifstream(path.c_str()); + file = new ifstream(info.source.c_str()); if ( ! file->is_open() ) { - Error(Fmt("Init: cannot open %s", path.c_str())); + Error(Fmt("Init: cannot open %s", info.source.c_str())); delete(file); file = 0; return false; @@ -98,7 +98,7 @@ bool Ascii::DoInit(string path, ReaderMode mode, int num_fields, const Field* co if ( ReadHeader(false) == false ) { - Error(Fmt("Init: cannot open %s; headers are incorrect", path.c_str())); + Error(Fmt("Init: cannot open %s; headers are incorrect", info.source.c_str())); file->close(); delete(file); file = 0; @@ -147,7 +147,7 @@ bool Ascii::ReadHeader(bool useCached) //printf("Updating fields from description %s\n", line.c_str()); columnMap.clear(); - for ( unsigned int i = 0; i < NumFields(); i++ ) + for ( int i = 0; i < NumFields(); i++ ) { const Field* field = Fields()[i]; @@ -164,7 +164,7 @@ bool Ascii::ReadHeader(bool useCached) } Error(Fmt("Did not find requested field %s in input data file %s.", - field->name.c_str(), Source().c_str())); + field->name.c_str(), Info().source.c_str())); return false; } @@ -362,14 +362,14 @@ Value* Ascii::EntryToVal(string s, FieldMapping field) // read the entire file and send appropriate thingies back to InputMgr bool Ascii::DoUpdate() { - switch ( Mode() ) { + switch ( Info().mode ) { case MODE_REREAD: { // check if the file has changed struct stat sb; - if ( stat(Source().c_str(), &sb) == -1 ) + if ( stat(Info().source.c_str(), &sb) == -1 ) { - Error(Fmt("Could not get stat for %s", Source().c_str())); + Error(Fmt("Could not get stat for %s", Info().source.c_str())); return false; } @@ -389,7 +389,7 @@ bool Ascii::DoUpdate() // - this is not that bad) if ( file && file->is_open() ) { - if ( Mode() == MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) { file->clear(); // remove end of file evil bits if ( !ReadHeader(true) ) @@ -403,10 +403,10 @@ bool Ascii::DoUpdate() file = 0; } - file = new ifstream(Source().c_str()); + file = new ifstream(Info().source.c_str()); if ( ! file->is_open() ) { - Error(Fmt("cannot open %s", Source().c_str())); + Error(Fmt("cannot open %s", Info().source.c_str())); return false; } @@ -490,15 +490,15 @@ bool Ascii::DoUpdate() } //printf("fpos: %d, second.num_fields: %d\n", fpos, (*it).second.num_fields); - assert ( (unsigned int) fpos == NumFields() ); + assert ( fpos == NumFields() ); - if ( Mode() == MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) Put(fields); else SendEntry(fields); } - if ( Mode () != MODE_STREAM ) + if ( Info().mode != MODE_STREAM ) EndCurrentSend(); return true; @@ -508,7 +508,7 @@ bool Ascii::DoHeartbeat(double network_time, double current_time) { ReaderBackend::DoHeartbeat(network_time, current_time); - switch ( Mode() ) { + switch ( Info().mode ) { case MODE_MANUAL: // yay, we do nothing :) break; diff --git a/src/input/readers/Ascii.h b/src/input/readers/Ascii.h index 335616abfb..e1506cbe82 100644 --- a/src/input/readers/Ascii.h +++ b/src/input/readers/Ascii.h @@ -38,7 +38,7 @@ public: static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Ascii(frontend); } protected: - virtual bool DoInit(string path, ReaderMode mode, int arg_num_fields, const threading::Field* const* fields); + virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields); virtual void DoClose(); virtual bool DoUpdate(); virtual bool DoHeartbeat(double network_time, double current_time); diff --git a/src/input/readers/Benchmark.cc b/src/input/readers/Benchmark.cc index 5e4ef090f7..d71901fa66 100644 --- a/src/input/readers/Benchmark.cc +++ b/src/input/readers/Benchmark.cc @@ -36,9 +36,9 @@ void Benchmark::DoClose() { } -bool Benchmark::DoInit(string path, ReaderMode mode, int num_fields, const Field* const* fields) +bool Benchmark::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { - num_lines = atoi(path.c_str()); + num_lines = atoi(info.source.c_str()); if ( autospread != 0.0 ) autospread_time = (int) ( (double) 1000000 / (autospread * (double) num_lines) ); @@ -59,7 +59,7 @@ string Benchmark::RandomString(const int len) "abcdefghijklmnopqrstuvwxyz"; for (int i = 0; i < len; ++i) - s[i] = values[rand() / (RAND_MAX / sizeof(values))]; + s[i] = values[random() / (RAND_MAX / sizeof(values))]; return s; } @@ -80,10 +80,10 @@ bool Benchmark::DoUpdate() for ( int i = 0; i < linestosend; i++ ) { Value** field = new Value*[NumFields()]; - for (unsigned int j = 0; j < NumFields(); j++ ) + for (int j = 0; j < NumFields(); j++ ) field[j] = EntryToVal(Fields()[j]->type, Fields()[j]->subtype); - if ( Mode() == MODE_STREAM ) + if ( Info().mode == MODE_STREAM ) // do not do tracking, spread out elements over the second that we have... Put(field); else @@ -109,7 +109,7 @@ bool Benchmark::DoUpdate() } - if ( Mode() != MODE_STREAM ) + if ( Info().mode != MODE_STREAM ) EndCurrentSend(); return true; @@ -134,7 +134,7 @@ threading::Value* Benchmark::EntryToVal(TypeTag type, TypeTag subtype) break; case TYPE_INT: - val->val.int_val = rand(); + val->val.int_val = random(); break; case TYPE_TIME: @@ -148,11 +148,11 @@ threading::Value* Benchmark::EntryToVal(TypeTag type, TypeTag subtype) case TYPE_COUNT: case TYPE_COUNTER: - val->val.uint_val = rand(); + val->val.uint_val = random(); break; case TYPE_PORT: - val->val.port_val.port = rand() / (RAND_MAX / 60000); + val->val.port_val.port = random() / (RAND_MAX / 60000); val->val.port_val.proto = TRANSPORT_UNKNOWN; break; @@ -175,7 +175,7 @@ threading::Value* Benchmark::EntryToVal(TypeTag type, TypeTag subtype) // Then - common stuff { // how many entries do we have... - unsigned int length = rand() / (RAND_MAX / 15); + unsigned int length = random() / (RAND_MAX / 15); Value** lvals = new Value* [length]; @@ -227,7 +227,7 @@ bool Benchmark::DoHeartbeat(double network_time, double current_time) num_lines += add; heartbeatstarttime = CurrTime(); - switch ( Mode() ) { + switch ( Info().mode ) { case MODE_MANUAL: // yay, we do nothing :) break; diff --git a/src/input/readers/Benchmark.h b/src/input/readers/Benchmark.h index 6bb70781fd..bab564b12a 100644 --- a/src/input/readers/Benchmark.h +++ b/src/input/readers/Benchmark.h @@ -18,7 +18,7 @@ public: static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Benchmark(frontend); } protected: - virtual bool DoInit(string path, ReaderMode mode, int arg_num_fields, const threading::Field* const* fields); + virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields); virtual void DoClose(); virtual bool DoUpdate(); virtual bool DoHeartbeat(double network_time, double current_time); diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index fa1b09da7c..1bae6cfa0c 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -66,7 +66,7 @@ bool Raw::OpenInput() // This is defined in input/fdstream.h in = new boost::fdistream(fileno(file)); - if ( execute && Mode() == MODE_STREAM ) + if ( execute && Info().mode == MODE_STREAM ) fcntl(fileno(file), F_SETFL, O_NONBLOCK); return true; @@ -79,6 +79,9 @@ bool Raw::CloseInput() InternalError(Fmt("Trying to close closed file for stream %s", fname.c_str())); return false; } +#ifdef DEBUG + Debug(DBG_INPUT, "Raw reader starting close"); +#endif delete in; @@ -90,18 +93,22 @@ bool Raw::CloseInput() in = NULL; file = NULL; +#ifdef DEBUG + Debug(DBG_INPUT, "Raw reader finished close"); +#endif + return true; } -bool Raw::DoInit(string path, ReaderMode mode, int num_fields, const Field* const* fields) +bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { - fname = path; + fname = info.source; mtime = 0; execute = false; firstrun = true; bool result; - if ( path.length() == 0 ) + if ( info.source.length() == 0 ) { Error("No source path provided"); return false; @@ -122,16 +129,16 @@ bool Raw::DoInit(string path, ReaderMode mode, int num_fields, const Field* cons } // do Initialization - char last = path[path.length()-1]; + char last = info.source[info.source.length()-1]; if ( last == '|' ) { execute = true; - fname = path.substr(0, fname.length() - 1); + fname = info.source.substr(0, fname.length() - 1); - if ( (mode != MODE_MANUAL) && (mode != MODE_STREAM) ) + if ( (info.mode != MODE_MANUAL) ) { Error(Fmt("Unsupported read mode %d for source %s in execution mode", - mode, fname.c_str())); + info.mode, fname.c_str())); return false; } @@ -180,7 +187,7 @@ bool Raw::DoUpdate() else { - switch ( Mode() ) { + switch ( Info().mode ) { case MODE_REREAD: { // check if the file has changed @@ -203,7 +210,7 @@ bool Raw::DoUpdate() case MODE_MANUAL: case MODE_STREAM: - if ( Mode() == MODE_STREAM && file != NULL && in != NULL ) + if ( Info().mode == MODE_STREAM && file != NULL && in != NULL ) { //fpurge(file); in->clear(); // remove end of file evil bits @@ -247,15 +254,21 @@ bool Raw::DoHeartbeat(double network_time, double current_time) { ReaderBackend::DoHeartbeat(network_time, current_time); - switch ( Mode() ) { + switch ( Info().mode ) { case MODE_MANUAL: // yay, we do nothing :) break; case MODE_REREAD: case MODE_STREAM: +#ifdef DEBUG + Debug(DBG_INPUT, "Starting Heartbeat update"); +#endif Update(); // call update and not DoUpdate, because update // checks disabled. +#ifdef DEBUG + Debug(DBG_INPUT, "Finished with heartbeat update"); +#endif break; default: assert(false); diff --git a/src/input/readers/Raw.h b/src/input/readers/Raw.h index b9b45f0b20..48912b70a7 100644 --- a/src/input/readers/Raw.h +++ b/src/input/readers/Raw.h @@ -22,7 +22,7 @@ public: static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Raw(frontend); } protected: - virtual bool DoInit(string path, ReaderMode mode, int arg_num_fields, const threading::Field* const* fields); + virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields); virtual void DoClose(); virtual bool DoUpdate(); virtual bool DoHeartbeat(double network_time, double current_time); diff --git a/src/logging.bif b/src/logging.bif index cbae66efdb..23b9378b26 100644 --- a/src/logging.bif +++ b/src/logging.bif @@ -94,3 +94,9 @@ const type_prefix: string; const max_batch_size: count; const max_batch_interval: interval; const max_byte_size: count; + +# Options for the None writer. + +module LogNone; + +const debug: bool; diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 5562b3b867..f10f707156 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -60,6 +60,7 @@ struct Manager::Filter { string path; Val* path_val; EnumVal* writer; + TableVal* config; bool local; bool remote; double interval; @@ -83,6 +84,7 @@ struct Manager::WriterInfo { double interval; Func* postprocessor; WriterFrontend* writer; + WriterBackend::WriterInfo info; }; struct Manager::Stream { @@ -200,10 +202,10 @@ WriterBackend* Manager::CreateBackend(WriterFrontend* frontend, bro_int_t type) assert(ld->factory); + frontend->ty_name = ld->name; WriterBackend* backend = (*ld->factory)(frontend); assert(backend); - frontend->ty_name = ld->name; return backend; } @@ -527,6 +529,7 @@ bool Manager::AddFilter(EnumVal* id, RecordVal* fval) Val* log_remote = fval->LookupWithDefault(rtype->FieldOffset("log_remote")); Val* interv = fval->LookupWithDefault(rtype->FieldOffset("interv")); Val* postprocessor = fval->LookupWithDefault(rtype->FieldOffset("postprocessor")); + Val* config = fval->LookupWithDefault(rtype->FieldOffset("config")); Filter* filter = new Filter; filter->name = name->AsString()->CheckString(); @@ -538,6 +541,7 @@ bool Manager::AddFilter(EnumVal* id, RecordVal* fval) filter->remote = log_remote->AsBool(); filter->interval = interv->AsInterval(); filter->postprocessor = postprocessor ? postprocessor->AsFunc() : 0; + filter->config = config->Ref()->AsTableVal(); Unref(name); Unref(pred); @@ -546,6 +550,7 @@ bool Manager::AddFilter(EnumVal* id, RecordVal* fval) Unref(log_remote); Unref(interv); Unref(postprocessor); + Unref(config); // Build the list of fields that the filter wants included, including // potentially rolling out fields. @@ -773,8 +778,27 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) for ( int j = 0; j < filter->num_fields; ++j ) arg_fields[j] = new threading::Field(*filter->fields[j]); + WriterBackend::WriterInfo info; + info.path = path; + + HashKey* k; + IterCookie* c = filter->config->AsTable()->InitForIteration(); + + TableEntryVal* v; + while ( (v = filter->config->AsTable()->NextEntry(k, c)) ) + { + ListVal* index = filter->config->RecoverIndex(k); + string key = index->Index(0)->AsString()->CheckString(); + string value = v->Value()->AsString()->CheckString(); + info.config.insert(std::make_pair(key, value)); + Unref(index); + delete k; + } + + // CreateWriter() will set the other fields in info. + writer = CreateWriter(stream->id, filter->writer, - path, filter->num_fields, + info, filter->num_fields, arg_fields, filter->local, filter->remote); if ( ! writer ) @@ -782,7 +806,6 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) Unref(columns); return false; } - } // Alright, can do the write now. @@ -962,7 +985,7 @@ threading::Value** Manager::RecordToFilterVals(Stream* stream, Filter* filter, return vals; } -WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, string path, +WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, const WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, bool local, bool remote) { Stream* stream = FindStream(id); @@ -972,25 +995,21 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, string path, return false; Stream::WriterMap::iterator w = - stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), path)); + stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), info.path)); if ( w != stream->writers.end() ) // If we already have a writer for this. That's fine, we just // return it. return w->second->writer; - WriterFrontend* writer_obj = new WriterFrontend(id, writer, local, remote); - assert(writer_obj); - - writer_obj->Init(path, num_fields, fields); - WriterInfo* winfo = new WriterInfo; winfo->type = writer->Ref()->AsEnumVal(); - winfo->writer = writer_obj; + winfo->writer = 0; winfo->open_time = network_time; winfo->rotation_timer = 0; winfo->interval = 0; winfo->postprocessor = 0; + winfo->info = info; // Search for a corresponding filter for the writer/path pair and use its // rotation settings. If no matching filter is found, fall back on @@ -1002,7 +1021,7 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, string path, { Filter* f = *it; if ( f->writer->AsEnum() == writer->AsEnum() && - f->path == winfo->writer->Path() ) + f->path == info.path ) { found_filter_match = true; winfo->interval = f->interval; @@ -1018,13 +1037,24 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, string path, winfo->interval = id->ID_Val()->AsInterval(); } - InstallRotationTimer(winfo); - stream->writers.insert( - Stream::WriterMap::value_type(Stream::WriterPathPair(writer->AsEnum(), path), + Stream::WriterMap::value_type(Stream::WriterPathPair(writer->AsEnum(), info.path), winfo)); - return writer_obj; + // Still need to set the WriterInfo's rotation parameters, which we + // computed above. + const char* base_time = log_rotate_base_time ? + log_rotate_base_time->AsString()->CheckString() : 0; + + winfo->info.rotation_interval = winfo->interval; + winfo->info.rotation_base = parse_rotate_base_time(base_time); + + winfo->writer = new WriterFrontend(id, writer, local, remote); + winfo->writer->Init(winfo->info, num_fields, fields); + + InstallRotationTimer(winfo); + + return winfo->writer; } void Manager::DeleteVals(int num_fields, threading::Value** vals) @@ -1102,7 +1132,7 @@ void Manager::SendAllWritersTo(RemoteSerializer::PeerID peer) EnumVal writer_val(i->first.first, BifType::Enum::Log::Writer); remote_serializer->SendLogCreateWriter(peer, (*s)->id, &writer_val, - i->first.second, + i->second->info, writer->NumFields(), writer->Fields()); } @@ -1227,8 +1257,9 @@ void Manager::InstallRotationTimer(WriterInfo* winfo) const char* base_time = log_rotate_base_time ? log_rotate_base_time->AsString()->CheckString() : 0; + double base = parse_rotate_base_time(base_time); double delta_t = - calc_next_rotate(rotation_interval, base_time); + calc_next_rotate(network_time, rotation_interval, base); winfo->rotation_timer = new RotationTimer(network_time + delta_t, winfo, true); @@ -1237,14 +1268,14 @@ void Manager::InstallRotationTimer(WriterInfo* winfo) timer_mgr->Add(winfo->rotation_timer); DBG_LOG(DBG_LOGGING, "Scheduled rotation timer for %s to %.6f", - winfo->writer->Path().c_str(), winfo->rotation_timer->Time()); + winfo->writer->Name().c_str(), winfo->rotation_timer->Time()); } } void Manager::Rotate(WriterInfo* winfo) { DBG_LOG(DBG_LOGGING, "Rotating %s at %.6f", - winfo->writer->Path().c_str(), network_time); + winfo->writer->Name().c_str(), network_time); // Build a temporary path for the writer to move the file to. struct tm tm; @@ -1255,7 +1286,7 @@ void Manager::Rotate(WriterInfo* winfo) localtime_r(&teatime, &tm); strftime(buf, sizeof(buf), date_fmt, &tm); - string tmp = string(fmt("%s-%s", winfo->writer->Path().c_str(), buf)); + string tmp = string(fmt("%s-%s", winfo->writer->Info().path.c_str(), buf)); // Trigger the rotation. winfo->writer->Rotate(tmp, winfo->open_time, network_time, terminating); @@ -1273,7 +1304,7 @@ bool Manager::FinishedRotation(WriterFrontend* writer, string new_name, string o return true; DBG_LOG(DBG_LOGGING, "Finished rotating %s at %.6f, new name %s", - writer->Path().c_str(), network_time, new_name.c_str()); + writer->Name().c_str(), network_time, new_name.c_str()); WriterInfo* winfo = FindWriter(writer); if ( ! winfo ) @@ -1283,7 +1314,7 @@ bool Manager::FinishedRotation(WriterFrontend* writer, string new_name, string o RecordVal* info = new RecordVal(BifType::Record::Log::RotationInfo); info->Assign(0, winfo->type->Ref()); info->Assign(1, new StringVal(new_name.c_str())); - info->Assign(2, new StringVal(winfo->writer->Path().c_str())); + info->Assign(2, new StringVal(winfo->writer->Info().path.c_str())); info->Assign(3, new Val(open, TYPE_TIME)); info->Assign(4, new Val(close, TYPE_TIME)); info->Assign(5, new Val(terminating, TYPE_BOOL)); diff --git a/src/logging/Manager.h b/src/logging/Manager.h index f5e62b0683..38dd9258b3 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h @@ -9,13 +9,14 @@ #include "../EventHandler.h" #include "../RemoteSerializer.h" +#include "WriterBackend.h" + class SerializationFormat; class RemoteSerializer; class RotationTimer; namespace logging { -class WriterBackend; class WriterFrontend; class RotationFinishedMessage; @@ -162,7 +163,7 @@ protected: //// Function also used by the RemoteSerializer. // Takes ownership of fields. - WriterFrontend* CreateWriter(EnumVal* id, EnumVal* writer, string path, + WriterFrontend* CreateWriter(EnumVal* id, EnumVal* writer, const WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, bool local, bool remote); diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index 23a95279d7..00590208d5 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc @@ -4,6 +4,7 @@ #include "bro_inet_ntop.h" #include "threading/SerialTypes.h" +#include "Manager.h" #include "WriterBackend.h" #include "WriterFrontend.h" @@ -60,14 +61,61 @@ public: using namespace logging; +bool WriterBackend::WriterInfo::Read(SerializationFormat* fmt) + { + int size; + + if ( ! (fmt->Read(&path, "path") && + fmt->Read(&rotation_base, "rotation_base") && + fmt->Read(&rotation_interval, "rotation_interval") && + fmt->Read(&size, "config_size")) ) + return false; + + config.clear(); + + while ( size ) + { + string value; + string key; + + if ( ! (fmt->Read(&value, "config-value") && fmt->Read(&value, "config-key")) ) + return false; + + config.insert(std::make_pair(value, key)); + } + + return true; + } + + +bool WriterBackend::WriterInfo::Write(SerializationFormat* fmt) const + { + int size = config.size(); + + if ( ! (fmt->Write(path, "path") && + fmt->Write(rotation_base, "rotation_base") && + fmt->Write(rotation_interval, "rotation_interval") && + fmt->Write(size, "config_size")) ) + return false; + + for ( config_map::const_iterator i = config.begin(); i != config.end(); ++i ) + { + if ( ! (fmt->Write(i->first, "config-value") && fmt->Write(i->second, "config-key")) ) + return false; + } + + return true; + } + WriterBackend::WriterBackend(WriterFrontend* arg_frontend) : MsgThread() { - path = ""; num_fields = 0; fields = 0; buffering = true; frontend = arg_frontend; + info.path = ""; + SetName(frontend->Name()); } @@ -108,17 +156,17 @@ void WriterBackend::DisableFrontend() SendOut(new DisableMessage(frontend)); } -bool WriterBackend::Init(string arg_path, int arg_num_fields, const Field* const* arg_fields) +bool WriterBackend::Init(const WriterInfo& arg_info, int arg_num_fields, const Field* const* arg_fields, const string& frontend_name) { - path = arg_path; + info = arg_info; num_fields = arg_num_fields; fields = arg_fields; - string name = Fmt("%s/%s", path.c_str(), frontend->Name().c_str()); + string name = Fmt("%s/%s", info.path.c_str(), frontend_name.c_str()); SetName(name); - if ( ! DoInit(arg_path, arg_num_fields, arg_fields) ) + if ( ! DoInit(arg_info, arg_num_fields, arg_fields) ) { DisableFrontend(); return false; diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h index 1269976aee..6e65a8151a 100644 --- a/src/logging/WriterBackend.h +++ b/src/logging/WriterBackend.h @@ -5,12 +5,14 @@ #ifndef LOGGING_WRITERBACKEND_H #define LOGGING_WRITERBACKEND_H -#include "Manager.h" - #include "threading/MsgThread.h" +class RemoteSerializer; + namespace logging { +class WriterFrontend; + /** * Base class for writer implementation. When the logging::Manager creates a * new logging filter, it instantiates a WriterFrontend. That then in turn @@ -41,21 +43,59 @@ public: */ virtual ~WriterBackend(); + /** + * A struct passing information to the writer at initialization time. + */ + struct WriterInfo + { + typedef std::map config_map; + + /** + * A string left to the interpretation of the writer + * implementation; it corresponds to the 'path' value configured + * on the script-level for the logging filter. + */ + string path; + + /** + * The rotation interval as configured for this writer. + */ + double rotation_interval; + + /** + * The parsed value of log_rotate_base_time in seconds. + */ + double rotation_base; + + /** + * A map of key/value pairs corresponding to the relevant + * filter's "config" table. + */ + std::map config; + + private: + friend class ::RemoteSerializer; + + // Note, these need to be adapted when changing the struct's + // fields. They serialize/deserialize the struct. + bool Read(SerializationFormat* fmt); + bool Write(SerializationFormat* fmt) const; + }; + /** * One-time initialization of the writer to define the logged fields. * - * @param path A string left to the interpretation of the writer - * implementation; it corresponds to the value configured on the - * script-level for the logging filter. - * - * @param num_fields The number of log fields for the stream. + * @param info Meta information for the writer. + * @param num_fields * * @param fields An array of size \a num_fields with the log fields. * The methods takes ownership of the array. * + * @param frontend_name The name of the front-end writer implementation. + * * @return False if an error occured. */ - bool Init(string path, int num_fields, const threading::Field* const* fields); + bool Init(const WriterInfo& info, int num_fields, const threading::Field* const* fields, const string& frontend_name); /** * Writes one log entry. @@ -108,9 +148,9 @@ public: void DisableFrontend(); /** - * Returns the log path as passed into the constructor. + * Returns the additional writer information passed into the constructor. */ - const string Path() const { return path; } + const WriterInfo& Info() const { return info; } /** * Returns the number of log fields as passed into the constructor. @@ -185,7 +225,7 @@ protected: * disabled and eventually deleted. When returning false, an * implementation should also call Error() to indicate what happened. */ - virtual bool DoInit(string path, int num_fields, + virtual bool DoInit(const WriterInfo& info, int num_fields, const threading::Field* const* fields) = 0; /** @@ -299,7 +339,7 @@ private: // this class, it's running in a different thread! WriterFrontend* frontend; - string path; // Log path. + WriterInfo info; // Meta information as passed to Init(). int num_fields; // Number of log fields. const threading::Field* const* fields; // Log fields. bool buffering; // True if buffering is enabled. diff --git a/src/logging/WriterFrontend.cc b/src/logging/WriterFrontend.cc index 33c9c04c63..21bde0d43c 100644 --- a/src/logging/WriterFrontend.cc +++ b/src/logging/WriterFrontend.cc @@ -2,6 +2,7 @@ #include "Net.h" #include "threading/SerialTypes.h" +#include "Manager.h" #include "WriterFrontend.h" #include "WriterBackend.h" @@ -15,16 +16,18 @@ namespace logging { class InitMessage : public threading::InputMessage { public: - InitMessage(WriterBackend* backend, const string path, const int num_fields, const Field* const* fields) + InitMessage(WriterBackend* backend, const WriterBackend::WriterInfo& info, const int num_fields, const Field* const* fields, const string& frontend_name) : threading::InputMessage("Init", backend), - path(path), num_fields(num_fields), fields(fields) { } + info(info), num_fields(num_fields), fields(fields), + frontend_name(frontend_name) { } - virtual bool Process() { return Object()->Init(path, num_fields, fields); } + virtual bool Process() { return Object()->Init(info, num_fields, fields, frontend_name); } private: - const string path; + WriterBackend::WriterInfo info; const int num_fields; const Field * const* fields; + const string frontend_name; }; class RotateMessage : public threading::InputMessage @@ -134,10 +137,10 @@ WriterFrontend::~WriterFrontend() string WriterFrontend::Name() const { - if ( path.size() ) + if ( ! info.path.size() ) return ty_name; - return ty_name + "/" + path; + return ty_name + "/" + info.path; } void WriterFrontend::Stop() @@ -149,7 +152,7 @@ void WriterFrontend::Stop() backend->Stop(); } -void WriterFrontend::Init(string arg_path, int arg_num_fields, const Field* const * arg_fields) +void WriterFrontend::Init(const WriterBackend::WriterInfo& arg_info, int arg_num_fields, const Field* const * arg_fields) { if ( disabled ) return; @@ -157,19 +160,19 @@ void WriterFrontend::Init(string arg_path, int arg_num_fields, const Field* cons if ( initialized ) reporter->InternalError("writer initialize twice"); - path = arg_path; + info = arg_info; num_fields = arg_num_fields; fields = arg_fields; initialized = true; if ( backend ) - backend->SendIn(new InitMessage(backend, arg_path, arg_num_fields, arg_fields)); + backend->SendIn(new InitMessage(backend, arg_info, arg_num_fields, arg_fields, Name())); if ( remote ) remote_serializer->SendLogCreateWriter(stream, writer, - arg_path, + arg_info, arg_num_fields, arg_fields); @@ -183,7 +186,7 @@ void WriterFrontend::Write(int num_fields, Value** vals) if ( remote ) remote_serializer->SendLogWrite(stream, writer, - path, + info.path, num_fields, vals); diff --git a/src/logging/WriterFrontend.h b/src/logging/WriterFrontend.h index b83250a5b8..8a0dce4645 100644 --- a/src/logging/WriterFrontend.h +++ b/src/logging/WriterFrontend.h @@ -3,13 +3,13 @@ #ifndef LOGGING_WRITERFRONTEND_H #define LOGGING_WRITERFRONTEND_H -#include "Manager.h" +#include "WriterBackend.h" #include "threading/MsgThread.h" namespace logging { -class WriterBackend; +class Manager; /** * Bridge class between the logging::Manager and backend writer threads. The @@ -68,7 +68,7 @@ public: * * This method must only be called from the main thread. */ - void Init(string path, int num_fields, const threading::Field* const* fields); + void Init(const WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields); /** * Write out a record. @@ -169,9 +169,9 @@ public: bool Disabled() { return disabled; } /** - * Returns the log path as passed into the constructor. + * Returns the additional writer information as passed into the constructor. */ - const string Path() const { return path; } + const WriterBackend::WriterInfo& Info() const { return info; } /** * Returns the number of log fields as passed into the constructor. @@ -207,7 +207,7 @@ protected: bool remote; // True if loggin remotely. string ty_name; // Name of the backend type. Set by the manager. - string path; // The log path. + WriterBackend::WriterInfo info; // The writer information. int num_fields; // The number of log fields. const threading::Field* const* fields; // The log fields. diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc index 1e7a55c34c..6e5ceef678 100644 --- a/src/logging/writers/Ascii.cc +++ b/src/logging/writers/Ascii.cc @@ -69,8 +69,10 @@ bool Ascii::WriteHeaderField(const string& key, const string& val) return (fwrite(str.c_str(), str.length(), 1, file) == 1); } -bool Ascii::DoInit(string path, int num_fields, const Field* const * fields) +bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields) { + string path = info.path; + if ( output_to_stdout ) path = "/dev/stdout"; @@ -290,7 +292,7 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields, Value** vals) { if ( ! file ) - DoInit(Path(), NumFields(), Fields()); + DoInit(Info(), NumFields(), Fields()); desc.Clear(); @@ -320,7 +322,7 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields, bool Ascii::DoRotate(string rotated_path, double open, double close, bool terminating) { // Don't rotate special files or if there's not one currently open. - if ( ! file || IsSpecial(Path()) ) + if ( ! file || IsSpecial(Info().path) ) return true; fclose(file); diff --git a/src/logging/writers/Ascii.h b/src/logging/writers/Ascii.h index 6f507aff01..a95e644d49 100644 --- a/src/logging/writers/Ascii.h +++ b/src/logging/writers/Ascii.h @@ -19,7 +19,7 @@ public: static string LogExt(); protected: - virtual bool DoInit(string path, int num_fields, + virtual bool DoInit(const WriterInfo& info, int num_fields, const threading::Field* const* fields); virtual bool DoWrite(int num_fields, const threading::Field* const* fields, threading::Value** vals); diff --git a/src/logging/writers/DataSeries.cc b/src/logging/writers/DataSeries.cc index 1d5a6ea4da..b34ea3412a 100644 --- a/src/logging/writers/DataSeries.cc +++ b/src/logging/writers/DataSeries.cc @@ -263,7 +263,7 @@ bool DataSeries::OpenLog(string path) return true; } -bool DataSeries::DoInit(string path, int num_fields, const threading::Field* const * fields) +bool DataSeries::DoInit(const WriterInfo& info, int num_fields, const threading::Field* const * fields) { // We first construct an XML schema thing (and, if ds_dump_schema is // set, dump it to path + ".ds.xml"). Assuming that goes well, we @@ -298,11 +298,11 @@ bool DataSeries::DoInit(string path, int num_fields, const threading::Field* con schema_list.push_back(val); } - string schema = BuildDSSchemaFromFieldTypes(schema_list, path); + string schema = BuildDSSchemaFromFieldTypes(schema_list, info.path); if( ds_dump_schema ) { - FILE* pFile = fopen ( string(path + ".ds.xml").c_str() , "wb" ); + FILE* pFile = fopen ( string(info.path + ".ds.xml").c_str() , "wb" ); if( pFile ) { @@ -340,7 +340,7 @@ bool DataSeries::DoInit(string path, int num_fields, const threading::Field* con log_type = log_types.registerTypePtr(schema); log_series.setType(log_type); - return OpenLog(path); + return OpenLog(info.path); } bool DataSeries::DoFlush() @@ -401,7 +401,7 @@ bool DataSeries::DoRotate(string rotated_path, double open, double close, bool t // size will be (much) larger. CloseLog(); - string dsname = Path() + ".ds"; + string dsname = Info().path + ".ds"; string nname = rotated_path + ".ds"; rename(dsname.c_str(), nname.c_str()); @@ -411,7 +411,7 @@ bool DataSeries::DoRotate(string rotated_path, double open, double close, bool t return false; } - return OpenLog(Path()); + return OpenLog(Info().path); } bool DataSeries::DoSetBuf(bool enabled) diff --git a/src/logging/writers/DataSeries.h b/src/logging/writers/DataSeries.h index 0d9ab67e95..0ae3572b76 100644 --- a/src/logging/writers/DataSeries.h +++ b/src/logging/writers/DataSeries.h @@ -26,7 +26,7 @@ public: protected: // Overidden from WriterBackend. - virtual bool DoInit(string path, int num_fields, + virtual bool DoInit(const WriterInfo& info, int num_fields, const threading::Field* const * fields); virtual bool DoWrite(int num_fields, const threading::Field* const* fields, diff --git a/src/logging/writers/None.cc b/src/logging/writers/None.cc index a9a7872f85..acf9355cf7 100644 --- a/src/logging/writers/None.cc +++ b/src/logging/writers/None.cc @@ -1,14 +1,41 @@ #include "None.h" +#include "NetVar.h" using namespace logging; using namespace writer; +bool None::DoInit(const WriterInfo& info, int num_fields, + const threading::Field* const * fields) + { + if ( BifConst::LogNone::debug ) + { + std::cout << "[logging::writer::None]" << std::endl; + std::cout << " path=" << info.path << std::endl; + std::cout << " rotation_interval=" << info.rotation_interval << std::endl; + std::cout << " rotation_base=" << info.rotation_base << std::endl; + + for ( std::map::const_iterator i = info.config.begin(); i != info.config.end(); i++ ) + std::cout << " config[" << i->first << "] = " << i->second << std::endl; + + for ( int i = 0; i < num_fields; i++ ) + { + const threading::Field* field = fields[i]; + std::cout << " field " << field->name << ": " + << type_name(field->type) << std::endl; + } + + std::cout << std::endl; + } + + return true; + } + bool None::DoRotate(string rotated_path, double open, double close, bool terminating) { - if ( ! FinishedRotation(string("/dev/null"), Path(), open, close, terminating)) + if ( ! FinishedRotation(string("/dev/null"), Info().path, open, close, terminating)) { - Error(Fmt("error rotating %s", Path().c_str())); + Error(Fmt("error rotating %s", Info().path.c_str())); return false; } diff --git a/src/logging/writers/None.h b/src/logging/writers/None.h index cce48953d1..7e2e4ef4eb 100644 --- a/src/logging/writers/None.h +++ b/src/logging/writers/None.h @@ -18,8 +18,8 @@ public: { return new None(frontend); } protected: - virtual bool DoInit(string path, int num_fields, - const threading::Field* const * fields) { return true; } + virtual bool DoInit(const WriterInfo& info, int num_fields, + const threading::Field* const * fields); virtual bool DoWrite(int num_fields, const threading::Field* const* fields, threading::Value** vals) { return true; } @@ -27,7 +27,7 @@ protected: virtual bool DoRotate(string rotated_path, double open, double close, bool terminating); virtual bool DoFlush() { return true; } - virtual bool DoFinish() { return true; } + virtual bool DoFinish() { WriterBackend::DoFinish(); return true; } }; } diff --git a/src/main.cc b/src/main.cc index 04aa83b832..9936004361 100644 --- a/src/main.cc +++ b/src/main.cc @@ -317,6 +317,8 @@ void terminate_bro() if ( remote_serializer ) remote_serializer->LogStats(); + mgr.Drain(); + log_mgr->Terminate(); thread_mgr->Terminate(); diff --git a/src/socks-analyzer.pac b/src/socks-analyzer.pac new file mode 100644 index 0000000000..7ce364670b --- /dev/null +++ b/src/socks-analyzer.pac @@ -0,0 +1,170 @@ + +%header{ +StringVal* array_to_string(vector *a); +%} + +%code{ +StringVal* array_to_string(vector *a) + { + int len = a->size(); + char tmp[len]; + char *s = tmp; + for ( vector::iterator i = a->begin(); i != a->end(); *s++ = *i++ ); + + while ( len > 0 && tmp[len-1] == '\0' ) + --len; + + return new StringVal(len, tmp); + } +%} + +refine connection SOCKS_Conn += { + + function socks4_request(request: SOCKS4_Request): bool + %{ + RecordVal* sa = new RecordVal(socks_address); + sa->Assign(0, new AddrVal(htonl(${request.addr}))); + if ( ${request.v4a} ) + sa->Assign(1, array_to_string(${request.name})); + + BifEvent::generate_socks_request(bro_analyzer(), + bro_analyzer()->Conn(), + 4, + ${request.command}, + sa, + new PortVal(${request.port} | TCP_PORT_MASK), + array_to_string(${request.user})); + + static_cast(bro_analyzer())->EndpointDone(true); + + return true; + %} + + function socks4_reply(reply: SOCKS4_Reply): bool + %{ + RecordVal* sa = new RecordVal(socks_address); + sa->Assign(0, new AddrVal(htonl(${reply.addr}))); + + BifEvent::generate_socks_reply(bro_analyzer(), + bro_analyzer()->Conn(), + 4, + ${reply.status}, + sa, + new PortVal(${reply.port} | TCP_PORT_MASK)); + + bro_analyzer()->ProtocolConfirmation(); + static_cast(bro_analyzer())->EndpointDone(false); + return true; + %} + + function socks5_request(request: SOCKS5_Request): bool + %{ + if ( ${request.reserved} != 0 ) + { + bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved})); + return false; + } + + RecordVal* sa = new RecordVal(socks_address); + + // This is dumb and there must be a better way (checking for presence of a field)... + switch ( ${request.remote_name.addr_type} ) + { + case 1: + sa->Assign(0, new AddrVal(htonl(${request.remote_name.ipv4}))); + break; + + case 3: + sa->Assign(1, new StringVal(${request.remote_name.domain_name.name}.length(), + (const char*) ${request.remote_name.domain_name.name}.data())); + break; + + case 4: + sa->Assign(0, new AddrVal(IPAddr(IPv6, (const uint32_t*) ${request.remote_name.ipv6}, IPAddr::Network))); + break; + + default: + bro_analyzer()->ProtocolViolation(fmt("invalid SOCKSv5 addr type: %d", ${request.remote_name.addr_type})); + return false; + break; + } + + BifEvent::generate_socks_request(bro_analyzer(), + bro_analyzer()->Conn(), + 5, + ${request.command}, + sa, + new PortVal(${request.port} | TCP_PORT_MASK), + new StringVal("")); + + static_cast(bro_analyzer())->EndpointDone(true); + + return true; + %} + + function socks5_reply(reply: SOCKS5_Reply): bool + %{ + RecordVal* sa = new RecordVal(socks_address); + + // This is dumb and there must be a better way (checking for presence of a field)... + switch ( ${reply.bound.addr_type} ) + { + case 1: + sa->Assign(0, new AddrVal(htonl(${reply.bound.ipv4}))); + break; + + case 3: + sa->Assign(1, new StringVal(${reply.bound.domain_name.name}.length(), + (const char*) ${reply.bound.domain_name.name}.data())); + break; + + case 4: + sa->Assign(0, new AddrVal(IPAddr(IPv6, (const uint32_t*) ${reply.bound.ipv6}, IPAddr::Network))); + break; + + default: + bro_analyzer()->ProtocolViolation(fmt("invalid SOCKSv5 addr type: %d", ${reply.bound.addr_type})); + return false; + break; + } + + BifEvent::generate_socks_reply(bro_analyzer(), + bro_analyzer()->Conn(), + 5, + ${reply.reply}, + sa, + new PortVal(${reply.port} | TCP_PORT_MASK)); + + bro_analyzer()->ProtocolConfirmation(); + static_cast(bro_analyzer())->EndpointDone(false); + return true; + %} + + function version_error(version: uint8): bool + %{ + bro_analyzer()->ProtocolViolation(fmt("unsupported/unknown SOCKS version %d", version)); + return true; + %} + + +}; + +refine typeattr SOCKS_Version_Error += &let { + proc: bool = $context.connection.version_error(version); +}; + +refine typeattr SOCKS4_Request += &let { + proc: bool = $context.connection.socks4_request(this); +}; + +refine typeattr SOCKS4_Reply += &let { + proc: bool = $context.connection.socks4_reply(this); +}; + +refine typeattr SOCKS5_Request += &let { + proc: bool = $context.connection.socks5_request(this); +}; + +refine typeattr SOCKS5_Reply += &let { + proc: bool = $context.connection.socks5_reply(this); +}; diff --git a/src/socks-protocol.pac b/src/socks-protocol.pac new file mode 100644 index 0000000000..05ca4bc861 --- /dev/null +++ b/src/socks-protocol.pac @@ -0,0 +1,119 @@ + +type SOCKS_Version(is_orig: bool) = record { + version: uint8; + msg: case version of { + 4 -> socks4_msg: SOCKS4_Message(is_orig); + 5 -> socks5_msg: SOCKS5_Message(is_orig); + default -> socks_msg_fail: SOCKS_Version_Error(version); + }; +}; + +type SOCKS_Version_Error(version: uint8) = record { + nothing: empty; +}; + +# SOCKS5 Implementation +type SOCKS5_Message(is_orig: bool) = case $context.connection.v5_past_authentication() of { + true -> msg: SOCKS5_Real_Message(is_orig); + false -> auth: SOCKS5_Auth_Negotiation(is_orig); +}; + +type SOCKS5_Auth_Negotiation(is_orig: bool) = case is_orig of { + true -> req: SOCKS5_Auth_Negotiation_Request; + false -> rep: SOCKS5_Auth_Negotiation_Reply; +}; + +type SOCKS5_Auth_Negotiation_Request = record { + method_count: uint8; + methods: uint8[method_count]; +}; + +type SOCKS5_Auth_Negotiation_Reply = record { + selected_auth_method: uint8; +} &let { + past_auth = $context.connection.set_v5_past_authentication(); +}; + +type SOCKS5_Real_Message(is_orig: bool) = case is_orig of { + true -> request: SOCKS5_Request; + false -> reply: SOCKS5_Reply; +}; + +type Domain_Name = record { + len: uint8; + name: bytestring &length=len; +} &byteorder = bigendian; + +type SOCKS5_Address = record { + addr_type: uint8; + addr: case addr_type of { + 1 -> ipv4: uint32; + 3 -> domain_name: Domain_Name; + 4 -> ipv6: uint32[4]; + default -> err: bytestring &restofdata &transient; + }; +} &byteorder = bigendian; + +type SOCKS5_Request = record { + command: uint8; + reserved: uint8; + remote_name: SOCKS5_Address; + port: uint16; +} &byteorder = bigendian; + +type SOCKS5_Reply = record { + reply: uint8; + reserved: uint8; + bound: SOCKS5_Address; + port: uint16; +} &byteorder = bigendian; + + +# SOCKS4 Implementation +type SOCKS4_Message(is_orig: bool) = case is_orig of { + true -> request: SOCKS4_Request; + false -> reply: SOCKS4_Reply; +}; + +type SOCKS4_Request = record { + command: uint8; + port: uint16; + addr: uint32; + user: uint8[] &until($element == 0); + host: case v4a of { + true -> name: uint8[] &until($element == 0); # v4a + false -> empty: uint8[] &length=0; + } &requires(v4a); +} &byteorder = bigendian &let { + v4a: bool = (addr <= 0x000000ff); +}; + +type SOCKS4_Reply = record { + zero: uint8; + status: uint8; + port: uint16; + addr: uint32; +} &byteorder = bigendian; + + +refine connection SOCKS_Conn += { + %member{ + bool v5_authenticated_; + %} + + %init{ + v5_authenticated_ = false; + %} + + function v5_past_authentication(): bool + %{ + return v5_authenticated_; + %} + + function set_v5_past_authentication(): bool + %{ + v5_authenticated_ = true; + return true; + %} +}; + diff --git a/src/socks.pac b/src/socks.pac new file mode 100644 index 0000000000..15d3580674 --- /dev/null +++ b/src/socks.pac @@ -0,0 +1,24 @@ +%include binpac.pac +%include bro.pac + +%extern{ +#include "SOCKS.h" +%} + +analyzer SOCKS withcontext { + connection: SOCKS_Conn; + flow: SOCKS_Flow; +}; + +connection SOCKS_Conn(bro_analyzer: BroAnalyzer) { + upflow = SOCKS_Flow(true); + downflow = SOCKS_Flow(false); +}; + +%include socks-protocol.pac + +flow SOCKS_Flow(is_orig: bool) { + datagram = SOCKS_Version(is_orig) withcontext(connection, this); +}; + +%include socks-analyzer.pac \ No newline at end of file diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc index e590b13434..e5a4dc5dbe 100644 --- a/src/threading/BasicThread.cc +++ b/src/threading/BasicThread.cc @@ -80,18 +80,22 @@ const char* BasicThread::Fmt(const char* format, ...) void BasicThread::Start() { + if ( started ) return; - if ( pthread_mutex_init(&terminate, 0) != 0 ) - reporter->FatalError("Cannot create terminate mutex for thread %s", name.c_str()); + int err = pthread_mutex_init(&terminate, 0); + if ( err != 0 ) + reporter->FatalError("Cannot create terminate mutex for thread %s:%s", name.c_str(), strerror(err)); // We use this like a binary semaphore and acquire it immediately. - if ( pthread_mutex_lock(&terminate) != 0 ) - reporter->FatalError("Cannot aquire terminate mutex for thread %s", name.c_str()); + err = pthread_mutex_lock(&terminate); + if ( err != 0 ) + reporter->FatalError("Cannot aquire terminate mutex for thread %s:%s", name.c_str(), strerror(err)); - if ( pthread_create(&pthread, 0, BasicThread::launcher, this) != 0 ) - reporter->FatalError("Cannot create thread %s", name.c_str()); + err = pthread_create(&pthread, 0, BasicThread::launcher, this); + if ( err != 0 ) + reporter->FatalError("Cannot create thread %s:%s", name.c_str(), strerror(err)); DBG_LOG(DBG_THREADING, "Started thread %s", name.c_str()); diff --git a/src/types.bif b/src/types.bif index 9b387b2c52..92cc8db551 100644 --- a/src/types.bif +++ b/src/types.bif @@ -170,6 +170,17 @@ enum ID %{ Unknown, %} +module Tunnel; +enum Type %{ + NONE, + IP, + AYIYA, + TEREDO, + SOCKS, +%} + +type EncapsulatingConn: record; + module Input; enum Reader %{ diff --git a/src/util.cc b/src/util.cc index 798be400d1..3cfa5fca1c 100644 --- a/src/util.cc +++ b/src/util.cc @@ -633,12 +633,20 @@ static bool write_random_seeds(const char* write_file, uint32 seed, static bool bro_rand_determistic = false; static unsigned int bro_rand_state = 0; -static void bro_srand(unsigned int seed, bool deterministic) +static void bro_srandom(unsigned int seed, bool deterministic) { bro_rand_state = seed; bro_rand_determistic = deterministic; - srand(seed); + srandom(seed); + } + +void bro_srandom(unsigned int seed) + { + if ( bro_rand_determistic ) + bro_rand_state = seed; + else + srandom(seed); } void init_random_seed(uint32 seed, const char* read_file, const char* write_file) @@ -705,7 +713,7 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file seeds_done = true; } - bro_srand(seed, seeds_done); + bro_srandom(seed, seeds_done); if ( ! hmac_key_set ) { @@ -1082,18 +1090,8 @@ const char* log_file_name(const char* tag) return fmt("%s.%s", tag, (env ? env : "log")); } -double calc_next_rotate(double interval, const char* rotate_base_time) +double parse_rotate_base_time(const char* rotate_base_time) { - double current = network_time; - - // Calculate start of day. - time_t teatime = time_t(current); - - struct tm t; - t = *localtime(&teatime); - t.tm_hour = t.tm_min = t.tm_sec = 0; - double startofday = mktime(&t); - double base = -1; if ( rotate_base_time && rotate_base_time[0] != '\0' ) @@ -1105,6 +1103,19 @@ double calc_next_rotate(double interval, const char* rotate_base_time) base = t.tm_min * 60 + t.tm_hour * 60 * 60; } + return base; + } + +double calc_next_rotate(double current, double interval, double base) + { + // Calculate start of day. + time_t teatime = time_t(current); + + struct tm t; + t = *localtime_r(&teatime, &t); + t.tm_hour = t.tm_min = t.tm_sec = 0; + double startofday = mktime(&t); + if ( base < 0 ) // No base time given. To get nice timestamps, we round // the time up to the next multiple of the rotation interval. diff --git a/src/util.h b/src/util.h index 559a155626..c97518d427 100644 --- a/src/util.h +++ b/src/util.h @@ -160,6 +160,10 @@ extern bool have_random_seed(); // predictable PRNG. long int bro_random(); +// Calls the system srandom() function with the given seed if not running +// in deterministic mode, else it updates the state of the deterministic PRNG. +void bro_srandom(unsigned int seed); + extern uint64 rand64bit(); // Each event source that may generate events gets an internally unique ID. @@ -194,9 +198,22 @@ extern FILE* rotate_file(const char* name, RecordVal* rotate_info); // This mimics the script-level function with the same name. const char* log_file_name(const char* tag); +// Parse a time string of the form "HH:MM" (as used for the rotation base +// time) into a double representing the number of seconds. Returns -1 if the +// string cannot be parsed. The function's result is intended to be used with +// calc_next_rotate(). +// +// This function is not thread-safe. +double parse_rotate_base_time(const char* rotate_base_time); + // Calculate the duration until the next time a file is to be rotated, based -// on the given rotate_interval and rotate_base_time. -double calc_next_rotate(double rotate_interval, const char* rotate_base_time); +// on the given rotate_interval and rotate_base_time. 'current' the the +// current time to be used as base, 'rotate_interval' the rotation interval, +// and 'base' the value returned by parse_rotate_base_time(). For the latter, +// if the function returned -1, that's fine, calc_next_rotate() handles that. +// +// This function is thread-safe. +double calc_next_rotate(double current, double rotate_interval, double base); // Terminates processing gracefully, similar to pressing CTRL-C. void terminate_processing(); diff --git a/testing/btest/Baseline/bifs.rand/out b/testing/btest/Baseline/bifs.rand/out index 367833f80a..a016eb6f15 100644 --- a/testing/btest/Baseline/bifs.rand/out +++ b/testing/btest/Baseline/bifs.rand/out @@ -1,6 +1,6 @@ -185 -236 -805 -47 -996 -498 +985 +474 +738 +4 +634 +473 diff --git a/testing/btest/Baseline/bifs.rand/out.2 b/testing/btest/Baseline/bifs.rand/out.2 new file mode 100644 index 0000000000..2cd43d985c --- /dev/null +++ b/testing/btest/Baseline/bifs.rand/out.2 @@ -0,0 +1,6 @@ +985 +474 +738 +974 +371 +638 diff --git a/testing/btest/Baseline/core.expr-exception/output b/testing/btest/Baseline/core.expr-exception/output new file mode 100644 index 0000000000..45abb333c6 --- /dev/null +++ b/testing/btest/Baseline/core.expr-exception/output @@ -0,0 +1,18 @@ +ftp field missing +[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp] +ftp field missing +[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp] +ftp field missing +[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp] +ftp field missing +[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp] +ftp field missing +[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp] +ftp field missing +[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp] +ftp field missing +[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp] +ftp field missing +[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp] +ftp field missing +[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp] diff --git a/testing/btest/Baseline/core.expr-exception/reporter.log b/testing/btest/Baseline/core.expr-exception/reporter.log index 3767de37d8..2d0441f48a 100644 --- a/testing/btest/Baseline/core.expr-exception/reporter.log +++ b/testing/btest/Baseline/core.expr-exception/reporter.log @@ -5,12 +5,12 @@ #path reporter #fields ts level message location #types time enum string string -1300475168.783842 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 -1300475168.915940 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 -1300475168.916118 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 -1300475168.918295 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 -1300475168.952193 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 -1300475168.952228 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 -1300475168.954761 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 -1300475168.962628 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 -1300475169.780331 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 +1300475168.783842 Reporter::ERROR field value missing [c$ftp] /home/jsiwek/bro/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 +1300475168.915940 Reporter::ERROR field value missing [c$ftp] /home/jsiwek/bro/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 +1300475168.916118 Reporter::ERROR field value missing [c$ftp] /home/jsiwek/bro/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 +1300475168.918295 Reporter::ERROR field value missing [c$ftp] /home/jsiwek/bro/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 +1300475168.952193 Reporter::ERROR field value missing [c$ftp] /home/jsiwek/bro/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 +1300475168.952228 Reporter::ERROR field value missing [c$ftp] /home/jsiwek/bro/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 +1300475168.954761 Reporter::ERROR field value missing [c$ftp] /home/jsiwek/bro/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 +1300475168.962628 Reporter::ERROR field value missing [c$ftp] /home/jsiwek/bro/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 +1300475169.780331 Reporter::ERROR field value missing [c$ftp] /home/jsiwek/bro/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 10 diff --git a/testing/btest/Baseline/core.icmp.icmp6-events/output b/testing/btest/Baseline/core.icmp.icmp6-events/output index 81075b716a..fdb58e5be1 100644 --- a/testing/btest/Baseline/core.icmp.icmp6-events/output +++ b/testing/btest/Baseline/core.icmp.icmp6-events/output @@ -41,6 +41,7 @@ icmp_echo_reply (id=1, seq=6, payload=abcdefghijklmnopqrstuvwabcdefghi) icmp_redirect (tgt=fe80::cafe, dest=fe80::babe) conn_id: [orig_h=fe80::dead, orig_p=137/icmp, resp_h=fe80::beef, resp_p=0/icmp] icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=137, icode=0, len=32, hlim=255, v6=T] + options: [] icmp_router_advertisement cur_hop_limit=13 managed=T @@ -54,15 +55,19 @@ icmp_router_advertisement retrans_timer=1.0 sec 300.0 msecs conn_id: [orig_h=fe80::dead, orig_p=134/icmp, resp_h=fe80::beef, resp_p=133/icmp] icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=134, icode=0, len=8, hlim=255, v6=T] + options: [] icmp_neighbor_advertisement (tgt=fe80::babe) router=T solicited=F override=T conn_id: [orig_h=fe80::dead, orig_p=136/icmp, resp_h=fe80::beef, resp_p=135/icmp] icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=136, icode=0, len=16, hlim=255, v6=T] + options: [] icmp_router_solicitation conn_id: [orig_h=fe80::dead, orig_p=133/icmp, resp_h=fe80::beef, resp_p=134/icmp] icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=133, icode=0, len=0, hlim=255, v6=T] + options: [] icmp_neighbor_solicitation (tgt=fe80::babe) conn_id: [orig_h=fe80::dead, orig_p=135/icmp, resp_h=fe80::beef, resp_p=136/icmp] icmp_conn: [orig_h=fe80::dead, resp_h=fe80::beef, itype=135, icode=0, len=16, hlim=255, v6=T] + options: [] diff --git a/testing/btest/Baseline/core.icmp.icmp6-nd-options/output b/testing/btest/Baseline/core.icmp.icmp6-nd-options/output new file mode 100644 index 0000000000..1a3958f32d --- /dev/null +++ b/testing/btest/Baseline/core.icmp.icmp6-nd-options/output @@ -0,0 +1,28 @@ +icmp_redirect options + [otype=4, len=8, link_address=, prefix=, redirect=[id=[orig_h=fe80::aaaa, orig_p=30000/udp, resp_h=fe80::bbbb, resp_p=13000/udp], len=56, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F], mtu=, payload=] +icmp_neighbor_advertisement options + [otype=2, len=1, link_address=\xc2\0T\xf5\0\0, prefix=, redirect=, mtu=, payload=] + MAC: c20054f50000 +icmp_router_advertisement options + [otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=, redirect=, mtu=, payload=] + MAC: c20054f50000 + [otype=5, len=1, link_address=, prefix=, redirect=, mtu=1500, payload=] + [otype=3, len=4, link_address=, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=, mtu=, payload=] +icmp_neighbor_advertisement options + [otype=2, len=1, link_address=\xc2\0T\xf5\0\0, prefix=, redirect=, mtu=, payload=] + MAC: c20054f50000 +icmp_router_advertisement options + [otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=, redirect=, mtu=, payload=] + MAC: c20054f50000 + [otype=5, len=1, link_address=, prefix=, redirect=, mtu=1500, payload=] + [otype=3, len=4, link_address=, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=, mtu=, payload=] +icmp_router_advertisement options + [otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=, redirect=, mtu=, payload=] + MAC: c20054f50000 + [otype=5, len=1, link_address=, prefix=, redirect=, mtu=1500, payload=] + [otype=3, len=4, link_address=, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=, mtu=, payload=] +icmp_router_advertisement options + [otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=, redirect=, mtu=, payload=] + MAC: c20054f50000 + [otype=5, len=1, link_address=, prefix=, redirect=, mtu=1500, payload=] + [otype=3, len=4, link_address=, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=, mtu=, payload=] diff --git a/testing/btest/Baseline/core.leaks.ayiya/conn.log b/testing/btest/Baseline/core.leaks.ayiya/conn.log new file mode 100644 index 0000000000..5c23b4c404 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.ayiya/conn.log @@ -0,0 +1,15 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1257655301.595604 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 tcp http 2.101052 2981 4665 S1 - 0 ShADad 10 3605 11 5329 k6kgXLOoSKl +1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - 0 Dd 21 5717 13 6473 (empty) +1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - 0 d 0 0 1 176 (empty) +1257655296.585333 FrJExwHcSal :: 135 ff02::1:ff00:2 136 icmp - - - - OTH - 0 - 1 64 0 0 k6kgXLOoSKl +1257655293.629048 arKYeMETxOg 2001:4978:f:4c::1 128 2001:4978:f:4c::2 129 icmp - 23.834987 168 56 OTH - 0 - 3 312 1 104 UWkUyAuUGXf,k6kgXLOoSKl +1257655296.585188 TEfuqmmG4bh fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff00:2 130 icmp - 0.919988 32 0 OTH - 0 - 2 144 0 0 k6kgXLOoSKl +1257655296.585151 j4u32Pc5bif fe80::216:cbff:fe9a:4cb9 131 ff02::2:f901:d225 130 icmp - 0.719947 32 0 OTH - 0 - 2 144 0 0 k6kgXLOoSKl +1257655296.585034 nQcgTWjvg4c fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff9a:4cb9 130 icmp - 4.922880 32 0 OTH - 0 - 2 144 0 0 k6kgXLOoSKl diff --git a/testing/btest/Baseline/core.leaks.ayiya/http.log b/testing/btest/Baseline/core.leaks.ayiya/http.log new file mode 100644 index 0000000000..7cef1a1b8e --- /dev/null +++ b/testing/btest/Baseline/core.leaks.ayiya/http.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1257655301.652206 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - - (empty) - - - text/html - - +1257655302.514424 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - +1257655303.603569 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - diff --git a/testing/btest/Baseline/core.leaks.ayiya/tunnel.log b/testing/btest/Baseline/core.leaks.ayiya/tunnel.log new file mode 100644 index 0000000000..512f49b6ee --- /dev/null +++ b/testing/btest/Baseline/core.leaks.ayiya/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type +#types time string addr port addr port enum enum +1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA +1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA +1257655317.464035 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA +1257655317.464035 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA diff --git a/testing/btest/Baseline/core.leaks.ip-in-ip/output b/testing/btest/Baseline/core.leaks.ip-in-ip/output new file mode 100644 index 0000000000..d8c6bee223 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.ip-in-ip/output @@ -0,0 +1,13 @@ +new_connection: tunnel + conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp] + encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +new_connection: tunnel + conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp] + encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=arKYeMETxOg]] +new_connection: tunnel + conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp] + encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +tunnel_changed: + conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp] + old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] + new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=k6kgXLOoSKl]] diff --git a/testing/btest/Baseline/core.leaks.teredo/conn.log b/testing/btest/Baseline/core.leaks.teredo/conn.log new file mode 100644 index 0000000000..151230886b --- /dev/null +++ b/testing/btest/Baseline/core.leaks.teredo/conn.log @@ -0,0 +1,28 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1210953047.736921 arKYeMETxOg 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - 0 fA 1 40 1 40 (empty) +1210953050.867067 k6kgXLOoSKl 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - 0 fA 1 40 1 40 (empty) +1210953057.833364 5OKnoww6xl4 192.168.2.16 1577 75.126.203.78 80 tcp - 0.079208 0 0 SH - 0 Fa 1 40 1 40 (empty) +1210953058.007081 VW0XPVINV8a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTOS0 - 0 R 1 40 0 0 (empty) +1210953057.834454 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 tcp http 0.407908 790 171 RSTO - 0 ShADadR 6 1038 4 335 (empty) +1210953058.350065 fRFu0wcOle6 192.168.2.16 1920 192.168.2.1 53 udp dns 0.223055 66 438 SF - 0 Dd 2 122 2 494 (empty) +1210953058.577231 qSsw6ESzHV4 192.168.2.16 137 192.168.2.255 137 udp dns 1.499261 150 0 S0 - 0 D 3 234 0 0 (empty) +1210953074.264819 Tw8jXtpTGu6 192.168.2.16 1920 192.168.2.1 53 udp dns 0.297723 123 598 SF - 0 Dd 3 207 3 682 (empty) +1210953061.312379 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 12.810848 1675 10467 S1 - 0 ShADad 10 2279 12 11191 GSxOnSLghOa +1210953076.058333 EAr0uf4mhq 192.168.2.16 1578 75.126.203.78 80 tcp - - - - RSTRH - 0 r 0 0 1 40 (empty) +1210953074.055744 h5DsfNtYzi1 192.168.2.16 1577 75.126.203.78 80 tcp - - - - RSTRH - 0 r 0 0 1 40 (empty) +1210953074.057124 P654jzLoe3a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTRH - 0 r 0 0 1 40 (empty) +1210953074.570439 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - 0 ShADadFf 7 757 6 4164 (empty) +1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - 0 Dd 2 185 1 76 (empty) +1210953060.829233 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - 0 Dd 12 2695 13 11607 (empty) +1210953058.933954 iE6yhOq3SF 0.0.0.0 68 255.255.255.255 67 udp - - - - S0 - 0 D 1 328 0 0 (empty) +1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 udp teredo - - - SHR - 0 d 0 0 1 137 (empty) +1210953046.591933 UWkUyAuUGXf 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - 0 D 2 472 0 0 (empty) +1210953052.324629 FrJExwHcSal fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - 0 - 1 88 0 0 TEfuqmmG4bh +1210953060.829303 qCaWGmzFtM5 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.463615 4 4 OTH - 0 - 1 52 1 52 GSxOnSLghOa,nQcgTWjvg4c +1210953052.202579 j4u32Pc5bif fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - 0 - 1 64 0 0 nQcgTWjvg4c diff --git a/testing/btest/Baseline/core.leaks.teredo/http.log b/testing/btest/Baseline/core.leaks.teredo/http.log new file mode 100644 index 0000000000..b3cf832083 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.teredo/http.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1210953057.917183 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 1 POST download913.avast.com /cgi-bin/iavs4stats.cgi - Syncer/4.80 (av_pro-1169;f) 589 0 204 - - - (empty) - - - text/plain - - +1210953061.585996 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - - +1210953073.381474 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - - +1210953074.674817 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 1 GET www.wireshark.org / http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 11845 200 OK - - - (empty) - - - text/xml - - diff --git a/testing/btest/Baseline/core.leaks.teredo/output b/testing/btest/Baseline/core.leaks.teredo/output new file mode 100644 index 0000000000..02d5a41e74 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.teredo/output @@ -0,0 +1,83 @@ +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] +auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=12, nxt=58, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=12, nxt=58, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=24, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=24, nxt=6, hlim=245, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=817, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=514, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=898, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=812, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=717, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] diff --git a/testing/btest/Baseline/core.leaks.teredo/tunnel.log b/testing/btest/Baseline/core.leaks.teredo/tunnel.log new file mode 100644 index 0000000000..5a2114dd1c --- /dev/null +++ b/testing/btest/Baseline/core.leaks.teredo/tunnel.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type +#types time string addr port addr port enum enum +1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::DISCOVER Tunnel::TEREDO +1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::DISCOVER Tunnel::TEREDO +1210953061.292918 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::DISCOVER Tunnel::TEREDO +1210953076.058333 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::CLOSE Tunnel::TEREDO +1210953076.058333 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::CLOSE Tunnel::TEREDO +1210953076.058333 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::CLOSE Tunnel::TEREDO diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index 5ce968d5e6..b563c4a3ed 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log @@ -3,6 +3,6 @@ #empty_field (empty) #unset_field - #path conn -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes -#types time string addr port addr port enum string interval count count string bool count string count count count count -1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 730 10 9945 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 730 10 9945 (empty) diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output index a2bf430fb4..d1c2d47893 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output +++ b/testing/btest/Baseline/core.print-bpf-filters/output @@ -5,7 +5,7 @@ #path packet_filter #fields ts node filter init success #types time string string bool bool -1328294052.330721 - ip or not ip T T +1340229717.179155 - ip or not ip T T #separator \x09 #set_separator , #empty_field (empty) @@ -13,7 +13,7 @@ #path packet_filter #fields ts node filter init success #types time string string bool bool -1328294052.542418 - ((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666) T T +1340229717.462355 - (((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (tcp port 1080)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666) T T #separator \x09 #set_separator , #empty_field (empty) @@ -21,7 +21,7 @@ #path packet_filter #fields ts node filter init success #types time string string bool bool -1328294052.748480 - port 42 T T +1340229717.733007 - port 42 T T #separator \x09 #set_separator , #empty_field (empty) @@ -29,4 +29,4 @@ #path packet_filter #fields ts node filter init success #types time string string bool bool -1328294052.952845 - port 56730 T T +1340229718.001009 - port 56730 T T diff --git a/testing/btest/Baseline/core.tunnels.ayiya/conn.log b/testing/btest/Baseline/core.tunnels.ayiya/conn.log new file mode 100644 index 0000000000..db54a8a475 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.ayiya/conn.log @@ -0,0 +1,15 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1257655301.595604 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 tcp http 2.101052 2981 4665 S1 - 0 ShADad 10 3605 11 5329 k6kgXLOoSKl +1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - 0 Dd 21 5717 13 6473 (empty) +1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - 0 d 0 0 1 176 (empty) +1257655296.585333 FrJExwHcSal :: 135 ff02::1:ff00:2 136 icmp - - - - OTH - 0 - 1 64 0 0 k6kgXLOoSKl +1257655293.629048 arKYeMETxOg 2001:4978:f:4c::1 128 2001:4978:f:4c::2 129 icmp - 23.834987 168 56 OTH - 0 - 3 312 1 104 UWkUyAuUGXf,k6kgXLOoSKl +1257655296.585188 TEfuqmmG4bh fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff00:2 130 icmp - 0.919988 32 0 OTH - 0 - 2 144 0 0 k6kgXLOoSKl +1257655296.585151 j4u32Pc5bif fe80::216:cbff:fe9a:4cb9 131 ff02::2:f901:d225 130 icmp - 0.719947 32 0 OTH - 0 - 2 144 0 0 k6kgXLOoSKl +1257655296.585034 nQcgTWjvg4c fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff9a:4cb9 130 icmp - 4.922880 32 0 OTH - 0 - 2 144 0 0 k6kgXLOoSKl diff --git a/testing/btest/Baseline/core.tunnels.ayiya/http.log b/testing/btest/Baseline/core.tunnels.ayiya/http.log new file mode 100644 index 0000000000..7cef1a1b8e --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.ayiya/http.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1257655301.652206 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - - (empty) - - - text/html - - +1257655302.514424 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - +1257655303.603569 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - diff --git a/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log b/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log new file mode 100644 index 0000000000..b4ef2781c6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::AYIYA Tunnel::DISCOVER +1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::AYIYA Tunnel::DISCOVER +1257655317.464035 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::AYIYA Tunnel::CLOSE +1257655317.464035 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::AYIYA Tunnel::CLOSE diff --git a/testing/btest/Baseline/core.tunnels.false-teredo/dpd.log b/testing/btest/Baseline/core.tunnels.false-teredo/dpd.log new file mode 100644 index 0000000000..4949f16e62 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.false-teredo/dpd.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dpd +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason +#types time string addr port addr port enum string string +1258567191.486869 UWkUyAuUGXf 192.168.1.105 57696 192.168.1.1 53 udp TEREDO Teredo payload length [c\x1d\x81\x80\x00\x01\x00\x02\x00\x02\x00\x00\x04amch\x0equestionmarket\x03com\x00\x00\x01\x00...] +1258578181.516140 nQcgTWjvg4c 192.168.1.104 64838 192.168.1.1 53 udp TEREDO Teredo payload length [h\xfd\x81\x80\x00\x01\x00\x02\x00\x03\x00\x02\x08football\x02uk\x07reuters\x03com\x00\x00\x01\x00...] +1258579063.784919 j4u32Pc5bif 192.168.1.104 55778 192.168.1.1 53 udp TEREDO Teredo payload length [j\x12\x81\x80\x00\x01\x00\x02\x00\x04\x00\x00\x08fastflip\x0agooglelabs\x03com\x00\x00\x01\x00...] +1258581768.898165 TEfuqmmG4bh 192.168.1.104 50798 192.168.1.1 53 udp TEREDO Teredo payload length [o\xe3\x81\x80\x00\x01\x00\x02\x00\x04\x00\x04\x03www\x0fnashuatelegraph\x03com\x00\x00\x01\x00...] +1258584478.989528 FrJExwHcSal 192.168.1.104 64963 192.168.1.1 53 udp TEREDO Teredo payload length [e\xbd\x81\x80\x00\x01\x00\x08\x00\x06\x00\x06\x08wellness\x05blogs\x04time\x03com\x00\x00\x01\x00...] +1258600683.934672 5OKnoww6xl4 192.168.1.103 59838 192.168.1.1 53 udp TEREDO Teredo payload length [h\xf0\x81\x80\x00\x01\x00\x01\x00\x02\x00\x00\x06update\x0csanasecurity\x03com\x00\x00\x01\x00...] diff --git a/testing/btest/Baseline/core.tunnels.false-teredo/weird.log b/testing/btest/Baseline/core.tunnels.false-teredo/weird.log new file mode 100644 index 0000000000..0ec1d0a7cf --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.false-teredo/weird.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1258567191.405770 - - - - - truncated_header_in_tunnel - F bro +1258578181.260420 - - - - - truncated_header_in_tunnel - F bro +1258579063.557927 - - - - - truncated_header_in_tunnel - F bro +1258581768.568451 - - - - - truncated_header_in_tunnel - F bro +1258584478.859853 - - - - - truncated_header_in_tunnel - F bro +1258600683.934458 - - - - - truncated_header_in_tunnel - F bro diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip/output b/testing/btest/Baseline/core.tunnels.ip-in-ip/output new file mode 100644 index 0000000000..4c8738290f --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.ip-in-ip/output @@ -0,0 +1,22 @@ +new_connection: tunnel + conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp] + encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +new_connection: tunnel + conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp] + encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=arKYeMETxOg]] +new_connection: tunnel + conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp] + encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +new_connection: tunnel + conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp] + encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +new_connection: tunnel + conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp] + encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +new_connection: tunnel + conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp] + encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +tunnel_changed: + conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp] + old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] + new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=k6kgXLOoSKl]] diff --git a/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output b/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output new file mode 100644 index 0000000000..afb5837b23 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.ip-tunnel-uid/output @@ -0,0 +1,33 @@ +new_connection: tunnel + conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] +NEW_PACKET: + [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp] + [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown], tunnel_type=Tunnel::IP, uid=UWkUyAuUGXf]] diff --git a/testing/btest/Baseline/core.tunnels.teredo/conn.log b/testing/btest/Baseline/core.tunnels.teredo/conn.log new file mode 100644 index 0000000000..cefc8f3e84 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo/conn.log @@ -0,0 +1,28 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1210953047.736921 arKYeMETxOg 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - 0 fA 1 40 1 40 (empty) +1210953050.867067 k6kgXLOoSKl 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - 0 fA 1 40 1 40 (empty) +1210953057.833364 5OKnoww6xl4 192.168.2.16 1577 75.126.203.78 80 tcp - 0.079208 0 0 SH - 0 Fa 1 40 1 40 (empty) +1210953058.007081 VW0XPVINV8a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTOS0 - 0 R 1 40 0 0 (empty) +1210953057.834454 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 tcp http 0.407908 790 171 RSTO - 0 ShADadR 6 1038 4 335 (empty) +1210953058.350065 fRFu0wcOle6 192.168.2.16 1920 192.168.2.1 53 udp dns 0.223055 66 438 SF - 0 Dd 2 122 2 494 (empty) +1210953058.577231 qSsw6ESzHV4 192.168.2.16 137 192.168.2.255 137 udp dns 1.499261 150 0 S0 - 0 D 3 234 0 0 (empty) +1210953074.264819 Tw8jXtpTGu6 192.168.2.16 1920 192.168.2.1 53 udp dns 0.297723 123 598 SF - 0 Dd 3 207 3 682 (empty) +1210953061.312379 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 12.810848 1675 10467 S1 - 0 ShADad 10 2279 12 11191 GSxOnSLghOa +1210953076.058333 EAr0uf4mhq 192.168.2.16 1578 75.126.203.78 80 tcp - - - - RSTRH - 0 r 0 0 1 40 (empty) +1210953074.055744 h5DsfNtYzi1 192.168.2.16 1577 75.126.203.78 80 tcp - - - - RSTRH - 0 r 0 0 1 40 (empty) +1210953074.057124 P654jzLoe3a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTRH - 0 r 0 0 1 40 (empty) +1210953074.570439 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - 0 ShADadFf 7 757 6 4164 (empty) +1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - 0 Dd 2 185 1 76 (empty) +1210953060.829233 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - 0 Dd 12 2695 13 11607 (empty) +1210953058.933954 iE6yhOq3SF 0.0.0.0 68 255.255.255.255 67 udp - - - - S0 - 0 D 1 328 0 0 (empty) +1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 udp teredo - - - SHR - 0 d 0 0 1 137 (empty) +1210953046.591933 UWkUyAuUGXf 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - 0 D 2 472 0 0 (empty) +1210953052.324629 FrJExwHcSal fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - 0 - 1 88 0 0 TEfuqmmG4bh +1210953060.829303 qCaWGmzFtM5 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.463615 4 4 OTH - 0 - 1 52 1 52 GSxOnSLghOa,nQcgTWjvg4c +1210953052.202579 j4u32Pc5bif fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - 0 - 1 64 0 0 nQcgTWjvg4c diff --git a/testing/btest/Baseline/core.tunnels.teredo/http.log b/testing/btest/Baseline/core.tunnels.teredo/http.log new file mode 100644 index 0000000000..b3cf832083 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo/http.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1210953057.917183 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 1 POST download913.avast.com /cgi-bin/iavs4stats.cgi - Syncer/4.80 (av_pro-1169;f) 589 0 204 - - - (empty) - - - text/plain - - +1210953061.585996 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - - +1210953073.381474 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - - +1210953074.674817 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 1 GET www.wireshark.org / http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 11845 200 OK - - - (empty) - - - text/xml - - diff --git a/testing/btest/Baseline/core.tunnels.teredo/output b/testing/btest/Baseline/core.tunnels.teredo/output new file mode 100644 index 0000000000..02d5a41e74 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo/output @@ -0,0 +1,83 @@ +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] +auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=12, nxt=58, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=12, nxt=58, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=24, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=24, nxt=6, hlim=245, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=817, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=514, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=898, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=812, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=717, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] diff --git a/testing/btest/Baseline/core.tunnels.teredo/tunnel.log b/testing/btest/Baseline/core.tunnels.teredo/tunnel.log new file mode 100644 index 0000000000..9cead25be1 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo/tunnel.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::TEREDO Tunnel::DISCOVER +1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::TEREDO Tunnel::DISCOVER +1210953061.292918 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::TEREDO Tunnel::DISCOVER +1210953076.058333 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::TEREDO Tunnel::CLOSE +1210953076.058333 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::TEREDO Tunnel::CLOSE +1210953076.058333 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::TEREDO Tunnel::CLOSE diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log new file mode 100644 index 0000000000..6ceb4efcb3 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log @@ -0,0 +1,14 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1340127577.354166 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 0.052829 1675 10467 S1 - 0 ShADad 10 2279 12 11191 j4u32Pc5bif +1340127577.336558 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 udp teredo 0.010291 129 52 SF - 0 Dd 2 185 1 80 (empty) +1340127577.341510 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 udp teredo 0.065485 2367 11243 SF - 0 Dd 12 2703 13 11607 (empty) +1340127577.339015 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 udp teredo - - - SHR - 0 d 0 0 1 137 (empty) +1340127577.339015 nQcgTWjvg4c fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - 0 - 1 88 0 0 k6kgXLOoSKl +1340127577.343969 TEfuqmmG4bh 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.007778 4 4 OTH - 0 - 1 52 1 52 UWkUyAuUGXf,j4u32Pc5bif +1340127577.336558 arKYeMETxOg fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - 0 - 1 64 0 0 UWkUyAuUGXf diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log new file mode 100644 index 0000000000..869476d7db --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log @@ -0,0 +1,9 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1340127577.361683 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - - +1340127577.379360 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - - diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/output b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/output new file mode 100644 index 0000000000..02d5a41e74 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/output @@ -0,0 +1,83 @@ +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] +auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::8000:ffff:ffff:fffd, dst=ff02::2, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +auth: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.81, resp_p=3544/udp] + ip6: [class=0, flow=0, len=48, nxt=58, hlim=255, src=fe80::8000:f227:bec8:61af, dst=fe80::8000:ffff:ffff:fffd, exts=[]] + auth: [id=, value=, nonce=14796129349558001544, confirm=0] + origin: [p=3797/udp, a=70.55.215.234] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=12, nxt=58, hlim=21, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +origin: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=65.55.158.80, resp_p=3544/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=fe80::708d:fe83:4114:a512, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] + origin: [p=32900/udp, a=83.170.1.38] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]] +bubble: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=0, nxt=59, hlim=0, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=fe80::708d:fe83:4114:a512, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=12, nxt=58, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=24, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=24, nxt=6, hlim=245, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=817, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=514, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=898, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=812, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=1232, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=717, nxt=6, hlim=58, src=2001:4860:0:2001::68, dst=2001:0:4137:9e50:8000:f12a:b9c8:2815, exts=[]] +packet: [orig_h=192.168.2.16, orig_p=3797/udp, resp_h=83.170.1.38, resp_p=32900/udp] + ip6: [class=0, flow=0, len=20, nxt=6, hlim=128, src=2001:0:4137:9e50:8000:f12a:b9c8:2815, dst=2001:4860:0:2001::68, exts=[]] diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log new file mode 100644 index 0000000000..30f88ed251 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1340127577.336558 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Tunnel::TEREDO Tunnel::DISCOVER +1340127577.339015 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 Tunnel::TEREDO Tunnel::DISCOVER +1340127577.351747 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Tunnel::TEREDO Tunnel::DISCOVER +1340127577.406995 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Tunnel::TEREDO Tunnel::CLOSE +1340127577.406995 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Tunnel::TEREDO Tunnel::CLOSE +1340127577.406995 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 Tunnel::TEREDO Tunnel::CLOSE diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log new file mode 100644 index 0000000000..e01fa49d45 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log @@ -0,0 +1,9 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1340127577.346849 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F bro +1340127577.349292 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F bro diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log index f3c958ea99..e165df621a 100644 --- a/testing/btest/Baseline/core.vlan-mpls/conn.log +++ b/testing/btest/Baseline/core.vlan-mpls/conn.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes -#types time string addr port addr port enum string interval count count string bool count string count count count count -952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - 0 SADF 11 470 0 0 -1128727435.450898 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 730 10 9945 -1278600802.069419 k6kgXLOoSKl 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - 0 ShADadfF 7 381 7 3801 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - 0 SADF 11 470 0 0 (empty) +1128727435.450898 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 730 10 9945 (empty) +1278600802.069419 k6kgXLOoSKl 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - 0 ShADadfF 7 381 7 3801 (empty) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index a7b369e337..0f12ce4ead 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -20,6 +20,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/./postprocessors/./sftp.bro scripts/base/frameworks/logging/./writers/ascii.bro scripts/base/frameworks/logging/./writers/dataseries.bro + scripts/base/frameworks/logging/./writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/./main.bro build/src/base/input.bif.bro diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 552c40e177..f1f9791fc3 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -20,6 +20,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/./postprocessors/./sftp.bro scripts/base/frameworks/logging/./writers/ascii.bro scripts/base/frameworks/logging/./writers/dataseries.bro + scripts/base/frameworks/logging/./writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/./main.bro build/src/base/input.bif.bro @@ -68,6 +69,8 @@ scripts/base/init-default.bro scripts/base/frameworks/intel/./main.bro scripts/base/frameworks/reporter/__load__.bro scripts/base/frameworks/reporter/./main.bro + scripts/base/frameworks/tunnels/__load__.bro + scripts/base/frameworks/tunnels/./main.bro scripts/base/protocols/conn/__load__.bro scripts/base/protocols/conn/./main.bro scripts/base/protocols/conn/./contents.bro @@ -92,6 +95,9 @@ scripts/base/init-default.bro scripts/base/protocols/smtp/./main.bro scripts/base/protocols/smtp/./entities.bro scripts/base/protocols/smtp/./entities-excerpt.bro + scripts/base/protocols/socks/__load__.bro + scripts/base/protocols/socks/./consts.bro + scripts/base/protocols/socks/./main.bro scripts/base/protocols/ssh/__load__.bro scripts/base/protocols/ssh/./main.bro scripts/base/protocols/ssl/__load__.bro diff --git a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log index d3c14c8603..94e0403238 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log +++ b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log @@ -5,17 +5,18 @@ #path communication #fields ts peer src_name connected_peer_desc connected_peer_addr connected_peer_port level message #types time string string string addr port string string -1326492291.485390 bro parent - - - info [#1/127.0.0.1:47757] added peer -1326492291.491731 bro child - - - info [#1/127.0.0.1:47757] connected -1326492291.492024 bro parent - - - info [#1/127.0.0.1:47757] peer connected -1326492291.492024 bro parent - - - info [#1/127.0.0.1:47757] phase: version -1326492291.492740 bro script - - - info connection established -1326492291.492740 bro script - - - info requesting events matching /^?(NOTHING)$?/ -1326492291.492740 bro script - - - info accepting state -1326492291.493800 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake -1326492291.493800 bro parent - - - info warning: no events to request -1326492291.494161 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro -1326492291.494404 bro parent - - - info [#1/127.0.0.1:47757] peer supports keep-in-cache; using that -1326492291.494404 bro parent - - - info [#1/127.0.0.1:47757] phase: running -1326492291.494404 bro parent - - - info terminating... -1326492291.494404 bro parent - - - info [#1/127.0.0.1:47757] closing connection +1340904724.781527 bro parent - - - info [#1/127.0.0.1:47757] added peer +1340904724.784954 bro child - - - info [#1/127.0.0.1:47757] connected +1340904724.786168 bro parent - - - info [#1/127.0.0.1:47757] peer connected +1340904724.786168 bro parent - - - info [#1/127.0.0.1:47757] phase: version +1340904724.786168 bro script - - - info connection established +1340904724.786168 bro script - - - info requesting events matching /^?(NOTHING)$?/ +1340904724.786168 bro script - - - info accepting state +1340904724.787645 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake +1340904724.787645 bro parent - - - info warning: no events to request +1340904724.788857 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro +1340904724.829480 bro parent - - - info [#1/127.0.0.1:47757] peer supports keep-in-cache; using that +1340904724.829480 bro parent - - - info [#1/127.0.0.1:47757] phase: running +1340904724.829480 bro parent - - - info terminating... +1340904724.832952 bro child - - - info terminating +1340904724.834082 bro parent - - - info [#1/127.0.0.1:47757] closing connection diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.event/out b/testing/btest/Baseline/scripts.base.frameworks.input.event/out index bb3b6d0a9e..49c1015198 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.event/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.event/out @@ -1,69 +1,132 @@ -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::i; -print A::b; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::i; +print outfile, A::b; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 1 T -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::i; -print A::b; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::i; +print outfile, A::b; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 2 T -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::i; -print A::b; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::i; +print outfile, A::b; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 3 F -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::i; -print A::b; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::i; +print outfile, A::b; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 4 F -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::i; -print A::b; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::i; +print outfile, A::b; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 5 F -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::i; -print A::b; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::i; +print outfile, A::b; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 6 F -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::i; -print A::b; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::i; +print outfile, A::b; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 7 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.executeraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.executeraw/out index a38f3fce84..e08ca8ba08 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.executeraw/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.executeraw/out @@ -4,6 +4,9 @@ print outfile, description; print outfile, tpe; print outfile, s; close(outfile); +terminate(); +}, config={ + }] Input::EVENT_NEW 8 ../input.log diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.executestreamraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.executestreamraw/out deleted file mode 100644 index bb69da3267..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.input.executestreamraw/out +++ /dev/null @@ -1,145 +0,0 @@ -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (9 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -} - -}] -Input::EVENT_NEW -sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (9 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -} - -}] -Input::EVENT_NEW -DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (9 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -} - -}] -Input::EVENT_NEW -q3r3057fdf -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (9 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -} - -}] -Input::EVENT_NEW -sdfs\d -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (9 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -} - -}] -Input::EVENT_NEW - -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (9 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -} - -}] -Input::EVENT_NEW -dfsdf -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (9 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -} - -}] -Input::EVENT_NEW -sdf -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (9 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -} - -}] -Input::EVENT_NEW -3rw43wRRERLlL#RWERERERE. -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (9 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -} - -}] -Input::EVENT_NEW - -done diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw/out index 55e7610e1e..fa3625ca74 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw/out @@ -1,64 +1,136 @@ -[source=input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (8 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (8 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (8 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW q3r3057fdf -[source=input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (8 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW sdfs\d -[source=input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (8 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW -[source=input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (8 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW dfsdf -[source=input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (8 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW sdf -[source=input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (8 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 3rw43wRRERLlL#RWERERERE. diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.repeat/out b/testing/btest/Baseline/scripts.base.frameworks.input.repeat/out index 71de0d2570..12a8c5f581 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.repeat/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.repeat/out @@ -1,160 +1,160 @@ input0 -input.log +../input.log { [1] = T } input1 -input.log +../input.log { [1] = T } input2 -input.log +../input.log { [1] = T } input3 -input.log +../input.log { [1] = T } input4 -input.log +../input.log { [1] = T } input5 -input.log +../input.log { [1] = T } input6 -input.log +../input.log { [1] = T } input7 -input.log +../input.log { [1] = T } input8 -input.log +../input.log { [1] = T } input9 -input.log +../input.log { [1] = T } input10 -input.log +../input.log { [1] = T } input11 -input.log +../input.log { [1] = T } input12 -input.log +../input.log { [1] = T } input13 -input.log +../input.log { [1] = T } input14 -input.log +../input.log { [1] = T } input15 -input.log +../input.log { [1] = T } input16 -input.log +../input.log { [1] = T } input17 -input.log +../input.log { [1] = T } input18 -input.log +../input.log { [1] = T } input19 -input.log +../input.log { [1] = T } input20 -input.log +../input.log { [1] = T } input21 -input.log +../input.log { [1] = T } input22 -input.log +../input.log { [1] = T } input23 -input.log +../input.log { [1] = T } input24 -input.log +../input.log { [1] = T } input25 -input.log +../input.log { [1] = T } input26 -input.log +../input.log { [1] = T } input27 -input.log +../input.log { [1] = T } input28 -input.log +../input.log { [1] = T } input29 -input.log +../input.log { [1] = T } input30 -input.log +../input.log { [1] = T } input31 -input.log +../input.log { [1] = T } diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.reread/out b/testing/btest/Baseline/scripts.base.frameworks.input.reread/out index 5cce15f6c7..8b55ced2ac 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.reread/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.reread/out @@ -46,6 +46,8 @@ print A::outfile, A::typ; print A::outfile, A::left; print A::outfile, A::right; return (T); +}, config={ + }] Type Input::EVENT_NEW @@ -139,6 +141,8 @@ print A::outfile, A::typ; print A::outfile, A::left; print A::outfile, A::right; return (T); +}, config={ + }] Type Input::EVENT_NEW @@ -244,6 +248,8 @@ print A::outfile, A::typ; print A::outfile, A::left; print A::outfile, A::right; return (T); +}, config={ + }] Type Input::EVENT_CHANGED @@ -469,6 +475,8 @@ print A::outfile, A::typ; print A::outfile, A::left; print A::outfile, A::right; return (T); +}, config={ + }] Type Input::EVENT_NEW @@ -592,6 +600,8 @@ print A::outfile, A::typ; print A::outfile, A::left; print A::outfile, A::right; return (T); +}, config={ + }] Type Input::EVENT_NEW @@ -715,6 +725,8 @@ print A::outfile, A::typ; print A::outfile, A::left; print A::outfile, A::right; return (T); +}, config={ + }] Type Input::EVENT_NEW @@ -838,6 +850,8 @@ print A::outfile, A::typ; print A::outfile, A::left; print A::outfile, A::right; return (T); +}, config={ + }] Type Input::EVENT_NEW @@ -961,6 +975,8 @@ print A::outfile, A::typ; print A::outfile, A::left; print A::outfile, A::right; return (T); +}, config={ + }] Type Input::EVENT_NEW diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.rereadraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.rereadraw/out index 9d62fdbef4..b7f79e5754 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.rereadraw/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.rereadraw/out @@ -1,128 +1,272 @@ -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW q3r3057fdf -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW sdfs\d -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW dfsdf -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW sdf -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 3rw43wRRERLlL#RWERERERE. -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW q3r3057fdf -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW sdfs\d -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW dfsdf -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW sdf -[source=input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line +[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=, want_record=F, ev=line { -print A::description; -print A::tpe; -print A::s; +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (16 == try) +{ +close(outfile); +terminate(); +} + +}, config={ + }] Input::EVENT_NEW 3rw43wRRERLlL#RWERERERE. diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.streamraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.streamraw/out index 07a3ffdba5..d97e09adfa 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.streamraw/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.streamraw/out @@ -3,13 +3,17 @@ print A::outfile, A::description; print A::outfile, A::tpe; print A::outfile, A::s; -if (3 == A::try) +A::try = A::try + 1; +if (8 == A::try) { print A::outfile, done; close(A::outfile); Input::remove(input); +terminate(); } +}, config={ + }] Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF @@ -18,13 +22,17 @@ sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF print A::outfile, A::description; print A::outfile, A::tpe; print A::outfile, A::s; -if (3 == A::try) +A::try = A::try + 1; +if (8 == A::try) { print A::outfile, done; close(A::outfile); Input::remove(input); +terminate(); } +}, config={ + }] Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF @@ -33,13 +41,17 @@ DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF print A::outfile, A::description; print A::outfile, A::tpe; print A::outfile, A::s; -if (3 == A::try) +A::try = A::try + 1; +if (8 == A::try) { print A::outfile, done; close(A::outfile); Input::remove(input); +terminate(); } +}, config={ + }] Input::EVENT_NEW q3r3057fdf @@ -48,13 +60,17 @@ q3r3057fdf print A::outfile, A::description; print A::outfile, A::tpe; print A::outfile, A::s; -if (3 == A::try) +A::try = A::try + 1; +if (8 == A::try) { print A::outfile, done; close(A::outfile); Input::remove(input); +terminate(); } +}, config={ + }] Input::EVENT_NEW sdfs\d @@ -63,13 +79,17 @@ sdfs\d print A::outfile, A::description; print A::outfile, A::tpe; print A::outfile, A::s; -if (3 == A::try) +A::try = A::try + 1; +if (8 == A::try) { print A::outfile, done; close(A::outfile); Input::remove(input); +terminate(); } +}, config={ + }] Input::EVENT_NEW @@ -78,13 +98,17 @@ Input::EVENT_NEW print A::outfile, A::description; print A::outfile, A::tpe; print A::outfile, A::s; -if (3 == A::try) +A::try = A::try + 1; +if (8 == A::try) { print A::outfile, done; close(A::outfile); Input::remove(input); +terminate(); } +}, config={ + }] Input::EVENT_NEW dfsdf @@ -93,13 +117,17 @@ dfsdf print A::outfile, A::description; print A::outfile, A::tpe; print A::outfile, A::s; -if (3 == A::try) +A::try = A::try + 1; +if (8 == A::try) { print A::outfile, done; close(A::outfile); Input::remove(input); +terminate(); } +}, config={ + }] Input::EVENT_NEW sdf @@ -108,13 +136,18 @@ sdf print A::outfile, A::description; print A::outfile, A::tpe; print A::outfile, A::s; -if (3 == A::try) +A::try = A::try + 1; +if (8 == A::try) { print A::outfile, done; close(A::outfile); Input::remove(input); +terminate(); } +}, config={ + }] Input::EVENT_NEW 3rw43wRRERLlL#RWERERERE. +done diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.tableevent/out b/testing/btest/Baseline/scripts.base.frameworks.input.tableevent/out index a1bbb9bbe4..d76c63ef31 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.tableevent/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.tableevent/out @@ -1,4 +1,4 @@ -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ [2] = T, [4] = F, [6] = F, @@ -8,15 +8,24 @@ [3] = F }, idx=, val=, want_record=F, ev=line { -print description; -print tpe; -print left; -print right; -}, pred=] +print outfile, description; +print outfile, tpe; +print outfile, left; +print outfile, right; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, pred=, config={ + +}] Input::EVENT_NEW [i=1] T -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ [2] = T, [4] = F, [6] = F, @@ -26,15 +35,24 @@ T [3] = F }, idx=, val=, want_record=F, ev=line { -print description; -print tpe; -print left; -print right; -}, pred=] +print outfile, description; +print outfile, tpe; +print outfile, left; +print outfile, right; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, pred=, config={ + +}] Input::EVENT_NEW [i=2] T -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ [2] = T, [4] = F, [6] = F, @@ -44,15 +62,24 @@ T [3] = F }, idx=, val=, want_record=F, ev=line { -print description; -print tpe; -print left; -print right; -}, pred=] +print outfile, description; +print outfile, tpe; +print outfile, left; +print outfile, right; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, pred=, config={ + +}] Input::EVENT_NEW [i=3] F -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ [2] = T, [4] = F, [6] = F, @@ -62,15 +89,24 @@ F [3] = F }, idx=, val=, want_record=F, ev=line { -print description; -print tpe; -print left; -print right; -}, pred=] +print outfile, description; +print outfile, tpe; +print outfile, left; +print outfile, right; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, pred=, config={ + +}] Input::EVENT_NEW [i=4] F -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ [2] = T, [4] = F, [6] = F, @@ -80,15 +116,24 @@ F [3] = F }, idx=, val=, want_record=F, ev=line { -print description; -print tpe; -print left; -print right; -}, pred=] +print outfile, description; +print outfile, tpe; +print outfile, left; +print outfile, right; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, pred=, config={ + +}] Input::EVENT_NEW [i=5] F -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ [2] = T, [4] = F, [6] = F, @@ -98,15 +143,24 @@ F [3] = F }, idx=, val=, want_record=F, ev=line { -print description; -print tpe; -print left; -print right; -}, pred=] +print outfile, description; +print outfile, tpe; +print outfile, left; +print outfile, right; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, pred=, config={ + +}] Input::EVENT_NEW [i=6] F -[source=input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ +[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={ [2] = T, [4] = F, [6] = F, @@ -116,11 +170,20 @@ F [3] = F }, idx=, val=, want_record=F, ev=line { -print description; -print tpe; -print left; -print right; -}, pred=] +print outfile, description; +print outfile, tpe; +print outfile, left; +print outfile, right; +try = try + 1; +if (7 == try) +{ +close(outfile); +terminate(); +} + +}, pred=, config={ + +}] Input::EVENT_NEW [i=7] T diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.twotables/event.out b/testing/btest/Baseline/scripts.base.frameworks.input.twotables/event.out new file mode 100644 index 0000000000..ebf210031f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.twotables/event.out @@ -0,0 +1,4 @@ +============EVENT============ +============EVENT============ +============EVENT============ +============EVENT============ diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.twotables/fin.out b/testing/btest/Baseline/scripts.base.frameworks.input.twotables/fin.out new file mode 100644 index 0000000000..b7e1031867 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.twotables/fin.out @@ -0,0 +1,30 @@ +==========SERVERS============ +==========SERVERS============ +==========SERVERS============ +done +{ +[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ +2, +4, +1, +3 +}, ss={ +CC, +AA, +BB +}, se={ + +}, vc=[10, 20, 30], ve=[]], +[-44] = [b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ +2, +4, +1, +3 +}, ss={ +CC, +AA, +BB +}, se={ + +}, vc=[10, 20, 30], ve=[]] +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.twotables/out b/testing/btest/Baseline/scripts.base.frameworks.input.twotables/out deleted file mode 100644 index e9e03add3a..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.input.twotables/out +++ /dev/null @@ -1,172 +0,0 @@ -============PREDICATE============ -Input::EVENT_NEW -[i=-42] -[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]] -============PREDICATE 2============ -Input::EVENT_NEW -[i=-43] -[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]] -============EVENT============ -==========SERVERS============ -{ -[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]], -[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]] -} -============EVENT============ -==========SERVERS============ -{ -[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]], -[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]] -} -============PREDICATE============ -Input::EVENT_NEW -[i=-44] -[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]] -============PREDICATE============ -Input::EVENT_REMOVED -[i=-42] -[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]] -============EVENT============ -============EVENT============ -==========SERVERS============ -{ -[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]], -[-44] = [b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]] -} -done -{ -[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]], -[-44] = [b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ -2, -4, -1, -3 -}, ss={ -CC, -AA, -BB -}, se={ - -}, vc=[10, 20, 30], ve=[]] -} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.twotables/pred1.out b/testing/btest/Baseline/scripts.base.frameworks.input.twotables/pred1.out new file mode 100644 index 0000000000..84d1465428 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.twotables/pred1.out @@ -0,0 +1,45 @@ +============PREDICATE============ +Input::EVENT_NEW +[i=-42] +[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ +2, +4, +1, +3 +}, ss={ +CC, +AA, +BB +}, se={ + +}, vc=[10, 20, 30], ve=[]] +============PREDICATE============ +Input::EVENT_NEW +[i=-44] +[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ +2, +4, +1, +3 +}, ss={ +CC, +AA, +BB +}, se={ + +}, vc=[10, 20, 30], ve=[]] +============PREDICATE============ +Input::EVENT_REMOVED +[i=-42] +[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ +2, +4, +1, +3 +}, ss={ +CC, +AA, +BB +}, se={ + +}, vc=[10, 20, 30], ve=[]] diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.twotables/pred2.out b/testing/btest/Baseline/scripts.base.frameworks.input.twotables/pred2.out new file mode 100644 index 0000000000..ef38fa3210 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.twotables/pred2.out @@ -0,0 +1,15 @@ +============PREDICATE 2============ +Input::EVENT_NEW +[i=-43] +[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ +2, +4, +1, +3 +}, ss={ +CC, +AA, +BB +}, se={ + +}, vc=[10, 20, 30], ve=[]] diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt index 1d7cba3b3c..c4ac546ab6 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt @@ -28,6 +28,7 @@ + @@ -48,40 +49,41 @@ + # Extent, type='conn' -ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes -1300475167096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 73 0 0 -1300475167097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 0 0 S0 F 0 D 1 199 0 0 -1300475167099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp 0 0 0 S0 F 0 D 1 179 0 0 -1300475168853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 435 0 89 SHR F 0 Cd 0 0 1 117 -1300475168854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 420 0 99 SHR F 0 Cd 0 0 1 127 -1300475168854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 0 183 SHR F 0 Cd 0 0 1 211 -1300475168857956 3PKsZ2Uye21 141.142.220.118 32902 141.142.2.2 53 udp dns 317 0 89 SHR F 0 Cd 0 0 1 117 -1300475168858306 VW0XPVINV8a 141.142.220.118 59816 141.142.2.2 53 udp dns 343 0 99 SHR F 0 Cd 0 0 1 127 -1300475168858713 fRFu0wcOle6 141.142.220.118 59714 141.142.2.2 53 udp dns 375 0 183 SHR F 0 Cd 0 0 1 211 -1300475168891644 qSsw6ESzHV4 141.142.220.118 58206 141.142.2.2 53 udp dns 339 0 89 SHR F 0 Cd 0 0 1 117 -1300475168892037 iE6yhOq3SF 141.142.220.118 38911 141.142.2.2 53 udp dns 334 0 99 SHR F 0 Cd 0 0 1 127 -1300475168892414 GSxOnSLghOa 141.142.220.118 59746 141.142.2.2 53 udp dns 420 0 183 SHR F 0 Cd 0 0 1 211 -1300475168893988 qCaWGmzFtM5 141.142.220.118 45000 141.142.2.2 53 udp dns 384 0 89 SHR F 0 Cd 0 0 1 117 -1300475168894422 70MGiRM1Qf4 141.142.220.118 48479 141.142.2.2 53 udp dns 316 0 99 SHR F 0 Cd 0 0 1 127 -1300475168894787 h5DsfNtYzi1 141.142.220.118 48128 141.142.2.2 53 udp dns 422 0 183 SHR F 0 Cd 0 0 1 211 -1300475168901749 P654jzLoe3a 141.142.220.118 56056 141.142.2.2 53 udp dns 402 0 131 SHR F 0 Cd 0 0 1 159 -1300475168902195 Tw8jXtpTGu6 141.142.220.118 55092 141.142.2.2 53 udp dns 374 0 198 SHR F 0 Cd 0 0 1 226 -1300475169899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 85 0 0 -1300475170862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2613016 350 0 S0 F 0 D 7 546 0 0 -1300475171675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 100096 66 0 S0 F 0 D 2 162 0 0 -1300475171677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 100020 66 0 S0 F 0 D 2 122 0 0 -1300475173116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 99801 66 0 S0 F 0 D 2 162 0 0 -1300475173117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 99848 66 0 S0 F 0 D 2 122 0 0 -1300475173153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0 0 0 S0 F 0 D 1 78 0 0 -1300475168859163 GvmoxJFXdTa 141.142.220.118 49998 208.80.152.3 80 tcp 215893 1130 734 S1 F 1130 ShACad 4 216 4 950 -1300475168652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 61328 0 350 OTH F 0 CdA 1 52 1 402 -1300475168895267 UfGkYA2HI2g 141.142.220.118 50001 208.80.152.3 80 tcp 227283 1178 734 S1 F 1178 ShACad 4 216 4 950 -1300475168902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp 120040 534 412 S1 F 534 ShACad 3 164 3 576 -1300475168892936 0Q4FH8sESw5 141.142.220.118 50000 208.80.152.3 80 tcp 229603 1148 734 S1 F 1148 ShACad 4 216 4 950 -1300475168855305 EAr0uf4mhq 141.142.220.118 49996 208.80.152.3 80 tcp 218501 1171 733 S1 F 1171 ShACad 4 216 4 949 -1300475168892913 slFea8xwSmb 141.142.220.118 49999 208.80.152.3 80 tcp 220960 1137 733 S1 F 1137 ShACad 4 216 4 949 -1300475169780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp 0 0 0 OTH F 0 h 0 0 1 48 -1300475168724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp 119904 525 232 S1 F 525 ShACad 3 164 3 396 -1300475168855330 c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 tcp 219720 1125 734 S1 F 1125 ShACad 4 216 4 950 +ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +1300475167096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 73 0 0 +1300475167097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 0 0 S0 F 0 D 1 199 0 0 +1300475167099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp 0 0 0 S0 F 0 D 1 179 0 0 +1300475168853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 435 0 89 SHR F 0 Cd 0 0 1 117 +1300475168854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 420 0 99 SHR F 0 Cd 0 0 1 127 +1300475168854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 0 183 SHR F 0 Cd 0 0 1 211 +1300475168857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 317 0 89 SHR F 0 Cd 0 0 1 117 +1300475168858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 343 0 99 SHR F 0 Cd 0 0 1 127 +1300475168858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 375 0 183 SHR F 0 Cd 0 0 1 211 +1300475168891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 339 0 89 SHR F 0 Cd 0 0 1 117 +1300475168892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 334 0 99 SHR F 0 Cd 0 0 1 127 +1300475168892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 420 0 183 SHR F 0 Cd 0 0 1 211 +1300475168893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 384 0 89 SHR F 0 Cd 0 0 1 117 +1300475168894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 316 0 99 SHR F 0 Cd 0 0 1 127 +1300475168894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 422 0 183 SHR F 0 Cd 0 0 1 211 +1300475168901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 402 0 131 SHR F 0 Cd 0 0 1 159 +1300475168902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 374 0 198 SHR F 0 Cd 0 0 1 226 +1300475169899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 85 0 0 +1300475170862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2613016 350 0 S0 F 0 D 7 546 0 0 +1300475171675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 100096 66 0 S0 F 0 D 2 162 0 0 +1300475171677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 100020 66 0 S0 F 0 D 2 122 0 0 +1300475173116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 99801 66 0 S0 F 0 D 2 162 0 0 +1300475173117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 99848 66 0 S0 F 0 D 2 122 0 0 +1300475173153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0 0 0 S0 F 0 D 1 78 0 0 +1300475168859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp 215893 1130 734 S1 F 1130 ShACad 4 216 4 950 +1300475168652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 61328 0 350 OTH F 0 CdA 1 52 1 402 +1300475168895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp 227283 1178 734 S1 F 1178 ShACad 4 216 4 950 +1300475168902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp 120040 534 412 S1 F 534 ShACad 3 164 3 576 +1300475168892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp 229603 1148 734 S1 F 1148 ShACad 4 216 4 950 +1300475168855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp 218501 1171 733 S1 F 1171 ShACad 4 216 4 949 +1300475168892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp 220960 1137 733 S1 F 1137 ShACad 4 216 4 949 +1300475169780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp 0 0 0 OTH F 0 h 0 0 1 48 +1300475168724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp 119904 525 232 S1 F 525 ShACad 3 164 3 396 +1300475168855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp 219720 1125 734 S1 F 1125 ShACad 4 216 4 950 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt index 3cafa078de..b74b9fd7e3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt @@ -28,6 +28,7 @@ + @@ -48,40 +49,41 @@ + # Extent, type='conn' -ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes -1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 73 0 0 -1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0.000000 0 0 S0 F 0 D 1 199 0 0 -1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp 0.000000 0 0 S0 F 0 D 1 179 0 0 -1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 0 89 SHR F 0 Cd 0 0 1 117 -1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 0 99 SHR F 0 Cd 0 0 1 127 -1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 0 183 SHR F 0 Cd 0 0 1 211 -1300475168.857956 3PKsZ2Uye21 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 0 89 SHR F 0 Cd 0 0 1 117 -1300475168.858306 VW0XPVINV8a 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 0 99 SHR F 0 Cd 0 0 1 127 -1300475168.858713 fRFu0wcOle6 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 0 183 SHR F 0 Cd 0 0 1 211 -1300475168.891644 qSsw6ESzHV4 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 0 89 SHR F 0 Cd 0 0 1 117 -1300475168.892037 iE6yhOq3SF 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 0 99 SHR F 0 Cd 0 0 1 127 -1300475168.892414 GSxOnSLghOa 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 0 183 SHR F 0 Cd 0 0 1 211 -1300475168.893988 qCaWGmzFtM5 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 0 89 SHR F 0 Cd 0 0 1 117 -1300475168.894422 70MGiRM1Qf4 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 0 99 SHR F 0 Cd 0 0 1 127 -1300475168.894787 h5DsfNtYzi1 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 0 183 SHR F 0 Cd 0 0 1 211 -1300475168.901749 P654jzLoe3a 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 0 131 SHR F 0 Cd 0 0 1 159 -1300475168.902195 Tw8jXtpTGu6 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 0 198 SHR F 0 Cd 0 0 1 226 -1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 85 0 0 -1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 F 0 D 7 546 0 0 -1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 F 0 D 2 162 0 0 -1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 F 0 D 2 122 0 0 -1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 F 0 D 2 162 0 0 -1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 F 0 D 2 122 0 0 -1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0.000000 0 0 S0 F 0 D 1 78 0 0 -1300475168.859163 GvmoxJFXdTa 141.142.220.118 49998 208.80.152.3 80 tcp 0.215893 1130 734 S1 F 1130 ShACad 4 216 4 950 -1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 0.061329 0 350 OTH F 0 CdA 1 52 1 402 -1300475168.895267 UfGkYA2HI2g 141.142.220.118 50001 208.80.152.3 80 tcp 0.227284 1178 734 S1 F 1178 ShACad 4 216 4 950 -1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp 0.120041 534 412 S1 F 534 ShACad 3 164 3 576 -1300475168.892936 0Q4FH8sESw5 141.142.220.118 50000 208.80.152.3 80 tcp 0.229603 1148 734 S1 F 1148 ShACad 4 216 4 950 -1300475168.855305 EAr0uf4mhq 141.142.220.118 49996 208.80.152.3 80 tcp 0.218501 1171 733 S1 F 1171 ShACad 4 216 4 949 -1300475168.892913 slFea8xwSmb 141.142.220.118 49999 208.80.152.3 80 tcp 0.220961 1137 733 S1 F 1137 ShACad 4 216 4 949 -1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp 0.000000 0 0 OTH F 0 h 0 0 1 48 -1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp 0.119905 525 232 S1 F 525 ShACad 3 164 3 396 -1300475168.855330 c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 tcp 0.219720 1125 734 S1 F 1125 ShACad 4 216 4 950 +ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 73 0 0 +1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0.000000 0 0 S0 F 0 D 1 199 0 0 +1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp 0.000000 0 0 S0 F 0 D 1 179 0 0 +1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 0 89 SHR F 0 Cd 0 0 1 117 +1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 0 99 SHR F 0 Cd 0 0 1 127 +1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 0 183 SHR F 0 Cd 0 0 1 211 +1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 0 89 SHR F 0 Cd 0 0 1 117 +1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 0 99 SHR F 0 Cd 0 0 1 127 +1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 0 183 SHR F 0 Cd 0 0 1 211 +1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 0 89 SHR F 0 Cd 0 0 1 117 +1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 0 99 SHR F 0 Cd 0 0 1 127 +1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 0 183 SHR F 0 Cd 0 0 1 211 +1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 0 89 SHR F 0 Cd 0 0 1 117 +1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 0 99 SHR F 0 Cd 0 0 1 127 +1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 0 183 SHR F 0 Cd 0 0 1 211 +1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 0 131 SHR F 0 Cd 0 0 1 159 +1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 0 198 SHR F 0 Cd 0 0 1 226 +1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 85 0 0 +1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 F 0 D 7 546 0 0 +1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 F 0 D 2 162 0 0 +1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 F 0 D 2 122 0 0 +1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 F 0 D 2 162 0 0 +1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 F 0 D 2 122 0 0 +1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0.000000 0 0 S0 F 0 D 1 78 0 0 +1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp 0.215893 1130 734 S1 F 1130 ShACad 4 216 4 950 +1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 0.061329 0 350 OTH F 0 CdA 1 52 1 402 +1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp 0.227284 1178 734 S1 F 1178 ShACad 4 216 4 950 +1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp 0.120041 534 412 S1 F 534 ShACad 3 164 3 576 +1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp 0.229603 1148 734 S1 F 1148 ShACad 4 216 4 950 +1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp 0.218501 1171 733 S1 F 1171 ShACad 4 216 4 949 +1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp 0.220961 1137 733 S1 F 1137 ShACad 4 216 4 949 +1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp 0.000000 0 0 OTH F 0 h 0 0 1 48 +1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp 0.119905 525 232 S1 F 525 ShACad 3 164 3 396 +1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp 0.219720 1125 734 S1 F 1125 ShACad 4 216 4 950 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt index adb7bb3f7b..ae62fbec3d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt @@ -66,16 +66,16 @@ # Extent, type='http' ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file 1300475168.843894 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 0 0 0 304 Not Modified 0 -1300475168.975800 c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475168.976327 EAr0uf4mhq 141.142.220.118 49996 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475168.979160 GvmoxJFXdTa 141.142.220.118 49998 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.012666 0Q4FH8sESw5 141.142.220.118 50000 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.012730 slFea8xwSmb 141.142.220.118 49999 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.014860 UfGkYA2HI2g 141.142.220.118 50001 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475168.975800 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475168.976327 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475168.979160 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475169.012666 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475169.012730 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475169.014860 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 0 0 0 304 Not Modified 0 1300475169.022665 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 0 0 0 304 Not Modified 0 -1300475169.036294 c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.036798 EAr0uf4mhq 141.142.220.118 49996 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.039923 GvmoxJFXdTa 141.142.220.118 49998 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.074793 0Q4FH8sESw5 141.142.220.118 50000 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.074938 slFea8xwSmb 141.142.220.118 49999 208.80.152.3 80 0 0 0 304 Not Modified 0 -1300475169.075065 UfGkYA2HI2g 141.142.220.118 50001 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475169.036294 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475169.036798 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475169.039923 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475169.074793 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475169.074938 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 0 0 0 304 Not Modified 0 +1300475169.075065 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 0 0 0 304 Not Modified 0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.none-debug/output b/testing/btest/Baseline/scripts.base.frameworks.logging.none-debug/output new file mode 100644 index 0000000000..b2a8921c38 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.none-debug/output @@ -0,0 +1,12 @@ +[logging::writer::None] + path=ssh + rotation_interval=3600 + rotation_base=300 + config[foo] = bar + config[foo2] = bar2 + field id.orig_p: port + field id.resp_h: addr + field id.resp_p: port + field status: string + field country: string + diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log index bcb05ef415..4a20ec39b4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log @@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path conn -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes -#types time string addr port addr port enum string interval count count string bool count string count count count count -1329843175.736107 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 -1329843179.871641 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 -1329843194.151526 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 -1329843197.783443 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 -1329843161.968492 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1329843175.736107 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty) +1329843179.871641 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty) +1329843194.151526 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty) +1329843197.783443 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty) +1329843161.968492 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty) diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log index c4a515710d..9d19ffaf85 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log @@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path conn -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes -#types time string addr port addr port enum string interval count count string bool count string count count count count -1329327783.316897 arKYeMETxOg 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21 57086 tcp ftp-data 0.219721 0 342 SF - 0 ShAdfFa 5 372 4 642 -1329327786.524332 k6kgXLOoSKl 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21 57087 tcp ftp-data 0.217501 0 43 SF - 0 ShAdfFa 5 372 4 343 -1329327787.289095 nQcgTWjvg4c 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21 57088 tcp ftp-data 0.217941 0 77 SF - 0 ShAdfFa 5 372 4 377 -1329327795.571921 j4u32Pc5bif 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49189 tcp ftp-data 0.109813 77 0 SF - 0 ShADFaf 5 449 4 300 -1329327777.822004 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 tcp ftp 26.658219 310 3448 SF - 0 ShAdDfFa 57 4426 34 5908 -1329327800.017649 TEfuqmmG4bh 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49190 tcp ftp-data 0.109181 342 0 SF - 0 ShADFaf 5 714 4 300 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1329327783.316897 arKYeMETxOg 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21 57086 tcp ftp-data 0.219721 0 342 SF - 0 ShAdfFa 5 372 4 642 (empty) +1329327786.524332 k6kgXLOoSKl 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21 57087 tcp ftp-data 0.217501 0 43 SF - 0 ShAdfFa 5 372 4 343 (empty) +1329327787.289095 nQcgTWjvg4c 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21 57088 tcp ftp-data 0.217941 0 77 SF - 0 ShAdfFa 5 372 4 377 (empty) +1329327795.571921 j4u32Pc5bif 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49189 tcp ftp-data 0.109813 77 0 SF - 0 ShADFaf 5 449 4 300 (empty) +1329327777.822004 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 tcp ftp 26.658219 310 3448 SF - 0 ShAdDfFa 57 4426 34 5908 (empty) +1329327800.017649 TEfuqmmG4bh 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49190 tcp ftp-data 0.109181 342 0 SF - 0 ShADFaf 5 714 4 300 (empty) diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log new file mode 100644 index 0000000000..08d31fdb69 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log @@ -0,0 +1,8 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path socks +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status request.host request.name request_p bound.host bound.name bound_p +#types time string addr port addr port count string string addr string port addr string port +1340213015.276495 UWkUyAuUGXf 10.0.0.55 53994 60.190.189.214 8124 5 - succeeded - www.osnews.com 80 192.168.0.31 - 2688 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace1/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/tunnel.log new file mode 100644 index 0000000000..a7068cd0da --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace1/tunnel.log @@ -0,0 +1,8 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1340213015.276495 - 10.0.0.55 0 60.190.189.214 8124 Tunnel::SOCKS Tunnel::DISCOVER diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log new file mode 100644 index 0000000000..8fd109f3a4 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log @@ -0,0 +1,8 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path socks +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status request.host request.name request_p bound.host bound.name bound_p +#types time string addr port addr port count string string addr string port addr string port +1340113261.914619 UWkUyAuUGXf 10.0.0.50 59580 85.194.84.197 1080 5 - succeeded - www.google.com 443 0.0.0.0 - 443 diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace2/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace2/tunnel.log new file mode 100644 index 0000000000..5eac3ae7ad --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace2/tunnel.log @@ -0,0 +1,8 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1340113261.914619 - 10.0.0.50 0 85.194.84.197 1080 Tunnel::SOCKS Tunnel::DISCOVER diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace3/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace3/tunnel.log new file mode 100644 index 0000000000..4723cb99c4 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace3/tunnel.log @@ -0,0 +1,8 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1208299429.265774 - 127.0.0.1 0 127.0.0.1 1080 Tunnel::SOCKS Tunnel::DISCOVER diff --git a/testing/btest/Makefile b/testing/btest/Makefile index 257146daa0..93ccc8d5ec 100644 --- a/testing/btest/Makefile +++ b/testing/btest/Makefile @@ -21,4 +21,7 @@ cleanup: @rm -f $(DIAG) @rm -f .tmp/script-coverage* +update-doc-sources: + ../../doc/scripts/genDocSourcesList.sh ../../doc/scripts/DocSourcesList.cmake + .PHONY: all btest-verbose brief btest-brief coverage cleanup diff --git a/testing/btest/Traces/icmp/icmp6-nd-options.pcap b/testing/btest/Traces/icmp/icmp6-nd-options.pcap new file mode 100644 index 0000000000..1103d9bf9c Binary files /dev/null and b/testing/btest/Traces/icmp/icmp6-nd-options.pcap differ diff --git a/testing/btest/Traces/icmp/icmp6-redirect-hdr-opt.pcap b/testing/btest/Traces/icmp/icmp6-redirect-hdr-opt.pcap new file mode 100644 index 0000000000..d053519108 Binary files /dev/null and b/testing/btest/Traces/icmp/icmp6-redirect-hdr-opt.pcap differ diff --git a/testing/btest/Traces/socks-with-ssl.trace b/testing/btest/Traces/socks-with-ssl.trace new file mode 100644 index 0000000000..da27cc8873 Binary files /dev/null and b/testing/btest/Traces/socks-with-ssl.trace differ diff --git a/testing/btest/Traces/socks.trace b/testing/btest/Traces/socks.trace new file mode 100644 index 0000000000..00bf07e458 Binary files /dev/null and b/testing/btest/Traces/socks.trace differ diff --git a/testing/btest/Traces/tunnels/4in4.pcap b/testing/btest/Traces/tunnels/4in4.pcap new file mode 100644 index 0000000000..b0d89eedda Binary files /dev/null and b/testing/btest/Traces/tunnels/4in4.pcap differ diff --git a/testing/btest/Traces/tunnels/4in6.pcap b/testing/btest/Traces/tunnels/4in6.pcap new file mode 100644 index 0000000000..5c813b9b75 Binary files /dev/null and b/testing/btest/Traces/tunnels/4in6.pcap differ diff --git a/testing/btest/Traces/tunnels/6in4.pcap b/testing/btest/Traces/tunnels/6in4.pcap new file mode 100644 index 0000000000..2d0cd5c8c7 Binary files /dev/null and b/testing/btest/Traces/tunnels/6in4.pcap differ diff --git a/testing/btest/Traces/tunnels/6in6-tunnel-change.pcap b/testing/btest/Traces/tunnels/6in6-tunnel-change.pcap new file mode 100644 index 0000000000..c5838fd136 Binary files /dev/null and b/testing/btest/Traces/tunnels/6in6-tunnel-change.pcap differ diff --git a/testing/btest/Traces/tunnels/6in6.pcap b/testing/btest/Traces/tunnels/6in6.pcap new file mode 100644 index 0000000000..ff8aa607bb Binary files /dev/null and b/testing/btest/Traces/tunnels/6in6.pcap differ diff --git a/testing/btest/Traces/tunnels/6in6in6.pcap b/testing/btest/Traces/tunnels/6in6in6.pcap new file mode 100644 index 0000000000..192524aa78 Binary files /dev/null and b/testing/btest/Traces/tunnels/6in6in6.pcap differ diff --git a/testing/btest/Traces/tunnels/Teredo.pcap b/testing/btest/Traces/tunnels/Teredo.pcap new file mode 100644 index 0000000000..2eff14469d Binary files /dev/null and b/testing/btest/Traces/tunnels/Teredo.pcap differ diff --git a/testing/btest/Traces/tunnels/ayiya3.trace b/testing/btest/Traces/tunnels/ayiya3.trace new file mode 100644 index 0000000000..83193050dc Binary files /dev/null and b/testing/btest/Traces/tunnels/ayiya3.trace differ diff --git a/testing/btest/Traces/tunnels/false-teredo.pcap b/testing/btest/Traces/tunnels/false-teredo.pcap new file mode 100644 index 0000000000..e82a6f4169 Binary files /dev/null and b/testing/btest/Traces/tunnels/false-teredo.pcap differ diff --git a/testing/btest/Traces/tunnels/ping6-in-ipv4.pcap b/testing/btest/Traces/tunnels/ping6-in-ipv4.pcap new file mode 100644 index 0000000000..5e0995f80e Binary files /dev/null and b/testing/btest/Traces/tunnels/ping6-in-ipv4.pcap differ diff --git a/testing/btest/Traces/tunnels/socks.pcap b/testing/btest/Traces/tunnels/socks.pcap new file mode 100644 index 0000000000..d70e2cb7dc Binary files /dev/null and b/testing/btest/Traces/tunnels/socks.pcap differ diff --git a/testing/btest/Traces/tunnels/teredo_bubble_with_payload.pcap b/testing/btest/Traces/tunnels/teredo_bubble_with_payload.pcap new file mode 100644 index 0000000000..5036a52b56 Binary files /dev/null and b/testing/btest/Traces/tunnels/teredo_bubble_with_payload.pcap differ diff --git a/testing/btest/bifs/rand.bro b/testing/btest/bifs/rand.bro index 229645944e..caf3f16031 100644 --- a/testing/btest/bifs/rand.bro +++ b/testing/btest/bifs/rand.bro @@ -1,6 +1,10 @@ # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: bro -b %INPUT do_seed=F >out.2 # @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-diff out.2 + +const do_seed = T &redef; event bro_init() { @@ -12,7 +16,8 @@ event bro_init() print b; print c; - srand(575); + if ( do_seed ) + srand(575); local d = rand(1000); local e = rand(1000); diff --git a/testing/btest/bifs/system.bro b/testing/btest/bifs/system.bro index b73aed4d79..ab2642319c 100644 --- a/testing/btest/bifs/system.bro +++ b/testing/btest/bifs/system.bro @@ -7,9 +7,4 @@ event bro_init() local a = system("echo thistest > out"); if ( a != 0 ) exit(1); - - local b = system(""); - if ( b == 0 ) - exit(1); - } diff --git a/testing/btest/core/expr-exception.bro b/testing/btest/core/expr-exception.bro index 5225f092ba..66f9b78c4b 100644 --- a/testing/btest/core/expr-exception.bro +++ b/testing/btest/core/expr-exception.bro @@ -1,9 +1,25 @@ -# Bro shouldn't crash when doing nothing, nor outputting anything. +# Expressions in an event handler that raise interpreter exceptions +# shouldn't abort Bro entirely, but just return from the function body. # -# @TEST-EXEC: cat /dev/null | bro -r $TRACES/wikipedia.trace %INPUT +# @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT >output # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff reporter.log +# @TEST-EXEC: btest-diff output event connection_established(c: connection) { print c$ftp; + print "not reached"; + } + +event connection_established(c: connection) + { + if ( c?$ftp ) + print c$ftp; + else + print "ftp field missing"; + } + +event connection_established(c: connection) + { + print c$id; } diff --git a/testing/btest/core/icmp/icmp6-events.test b/testing/btest/core/icmp/icmp6-events.test index 052ba91ee6..5263dd6e7f 100644 --- a/testing/btest/core/icmp/icmp6-events.test +++ b/testing/btest/core/icmp/icmp6-events.test @@ -66,11 +66,12 @@ event icmp_parameter_problem(c: connection, icmp: icmp_conn, code: count, contex print " icmp_context: " + fmt("%s", context); } -event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr) +event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options) { print "icmp_redirect (tgt=" + fmt("%s", tgt) + ", dest=" + fmt("%s", dest) + ")"; print " conn_id: " + fmt("%s", c$id); print " icmp_conn: " + fmt("%s", icmp); + print " options: " + fmt("%s", options); } event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context) @@ -81,14 +82,15 @@ event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: i print " icmp_context: " + fmt("%s", context); } -event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr) +event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options) { print "icmp_neighbor_solicitation (tgt=" + fmt("%s", tgt) + ")"; print " conn_id: " + fmt("%s", c$id); print " icmp_conn: " + fmt("%s", icmp); + print " options: " + fmt("%s", options); } -event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr) +event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options) { print "icmp_neighbor_advertisement (tgt=" + fmt("%s", tgt) + ")"; print " router=" + fmt("%s", router); @@ -96,16 +98,18 @@ event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, print " override=" + fmt("%s", override); print " conn_id: " + fmt("%s", c$id); print " icmp_conn: " + fmt("%s", icmp); + print " options: " + fmt("%s", options); } -event icmp_router_solicitation(c: connection, icmp: icmp_conn) +event icmp_router_solicitation(c: connection, icmp: icmp_conn, options: icmp6_nd_options) { print "icmp_router_solicitation"; print " conn_id: " + fmt("%s", c$id); print " icmp_conn: " + fmt("%s", icmp); + print " options: " + fmt("%s", options); } -event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval) +event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options) { print "icmp_router_advertisement"; print " cur_hop_limit=" + fmt("%s", cur_hop_limit); @@ -120,4 +124,5 @@ event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: c print " retrans_timer=" + fmt("%s", retrans_timer); print " conn_id: " + fmt("%s", c$id); print " icmp_conn: " + fmt("%s", icmp); + print " options: " + fmt("%s", options); } diff --git a/testing/btest/core/icmp/icmp6-nd-options.test b/testing/btest/core/icmp/icmp6-nd-options.test new file mode 100644 index 0000000000..64543852a3 --- /dev/null +++ b/testing/btest/core/icmp/icmp6-nd-options.test @@ -0,0 +1,35 @@ +# These tests all check that ICMP6 events get raised with correct arguments. + +# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-redirect-hdr-opt.pcap %INPUT >>output 2>&1 +# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-nd-options.pcap %INPUT >>output 2>&1 + +# @TEST-EXEC: btest-diff output + +event icmp_router_advertisement(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options) + { + print "icmp_router_advertisement options"; + for ( o in options ) + { + print fmt(" %s", options[o]); + if ( options[o]$otype == 1 && options[o]?$link_address ) + print fmt(" MAC: %s", + string_to_ascii_hex(options[o]$link_address)); + } + } + +event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options) + { + print "icmp_neighbor_advertisement options"; + for ( o in options ) + { + print fmt(" %s", options[o]); + if ( options[o]$otype == 2 && options[o]?$link_address ) print fmt(" MAC: %s", string_to_ascii_hex(options[o]$link_address)); + } + } + +event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options) + { + print "icmp_redirect options"; + for ( o in options ) + print fmt(" %s", options[o]); + } diff --git a/testing/btest/core/leaks/ayiya.test b/testing/btest/core/leaks/ayiya.test new file mode 100644 index 0000000000..adad42a822 --- /dev/null +++ b/testing/btest/core/leaks/ayiya.test @@ -0,0 +1,10 @@ +# Needs perftools support. +# +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# +# @TEST-GROUP: leaks +# +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/ayiya3.trace +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff http.log diff --git a/testing/btest/core/leaks/ip-in-ip.test b/testing/btest/core/leaks/ip-in-ip.test new file mode 100644 index 0000000000..64fdf739f6 --- /dev/null +++ b/testing/btest/core/leaks/ip-in-ip.test @@ -0,0 +1,33 @@ +# Needs perftools support. +# +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# +# @TEST-GROUP: leaks +# +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/tunnels/6in6.pcap %INPUT >>output +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/tunnels/6in6in6.pcap %INPUT >>output +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -b -r $TRACES/tunnels/6in6-tunnel-change.pcap %INPUT >>output +# @TEST-EXEC: btest-diff output + +event new_connection(c: connection) + { + if ( c?$tunnel ) + { + print "new_connection: tunnel"; + print fmt(" conn_id: %s", c$id); + print fmt(" encap: %s", c$tunnel); + } + else + { + print "new_connection: no tunnel"; + } + } + +event tunnel_changed(c: connection, e: EncapsulatingConnVector) + { + print "tunnel_changed:"; + print fmt(" conn_id: %s", c$id); + if ( c?$tunnel ) + print fmt(" old: %s", c$tunnel); + print fmt(" new: %s", e); + } diff --git a/testing/btest/core/leaks/teredo.bro b/testing/btest/core/leaks/teredo.bro new file mode 100644 index 0000000000..9902f1258b --- /dev/null +++ b/testing/btest/core/leaks/teredo.bro @@ -0,0 +1,41 @@ +# Needs perftools support. +# +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks +# +# @TEST-GROUP: leaks +# +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/Teredo.pcap %INPUT >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff http.log + +function print_teredo(name: string, outer: connection, inner: teredo_hdr) + { + print fmt("%s: %s", name, outer$id); + print fmt(" ip6: %s", inner$hdr$ip6); + if ( inner?$auth ) + print fmt(" auth: %s", inner$auth); + if ( inner?$origin ) + print fmt(" origin: %s", inner$origin); + } + +event teredo_packet(outer: connection, inner: teredo_hdr) + { + print_teredo("packet", outer, inner); + } + +event teredo_authentication(outer: connection, inner: teredo_hdr) + { + print_teredo("auth", outer, inner); + } + +event teredo_origin_indication(outer: connection, inner: teredo_hdr) + { + print_teredo("origin", outer, inner); + } + +event teredo_bubble(outer: connection, inner: teredo_hdr) + { + print_teredo("bubble", outer, inner); + } diff --git a/testing/btest/core/tunnels/ayiya.test b/testing/btest/core/tunnels/ayiya.test new file mode 100644 index 0000000000..043e06c621 --- /dev/null +++ b/testing/btest/core/tunnels/ayiya.test @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/ayiya3.trace +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff http.log diff --git a/testing/btest/core/tunnels/false-teredo.bro b/testing/btest/core/tunnels/false-teredo.bro new file mode 100644 index 0000000000..37088e9535 --- /dev/null +++ b/testing/btest/core/tunnels/false-teredo.bro @@ -0,0 +1,35 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap %INPUT >output +# @TEST-EXEC: test ! -e weird.log +# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap %INPUT Tunnel::yielding_teredo_decapsulation=F >output +# @TEST-EXEC: btest-diff weird.log +# @TEST-EXEC: btest-diff dpd.log + +function print_teredo(name: string, outer: connection, inner: teredo_hdr) + { + print fmt("%s: %s", name, outer$id); + print fmt(" ip6: %s", inner$hdr$ip6); + if ( inner?$auth ) + print fmt(" auth: %s", inner$auth); + if ( inner?$origin ) + print fmt(" origin: %s", inner$origin); + } + +event teredo_packet(outer: connection, inner: teredo_hdr) + { + print_teredo("packet", outer, inner); + } + +event teredo_authentication(outer: connection, inner: teredo_hdr) + { + print_teredo("auth", outer, inner); + } + +event teredo_origin_indication(outer: connection, inner: teredo_hdr) + { + print_teredo("origin", outer, inner); + } + +event teredo_bubble(outer: connection, inner: teredo_hdr) + { + print_teredo("bubble", outer, inner); + } diff --git a/testing/btest/core/tunnels/ip-in-ip.test b/testing/btest/core/tunnels/ip-in-ip.test new file mode 100644 index 0000000000..38f4610445 --- /dev/null +++ b/testing/btest/core/tunnels/ip-in-ip.test @@ -0,0 +1,30 @@ +# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in6.pcap %INPUT >>output 2>&1 +# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in6in6.pcap %INPUT >>output 2>&1 +# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in4.pcap %INPUT >>output 2>&1 +# @TEST-EXEC: bro -b -r $TRACES/tunnels/4in6.pcap %INPUT >>output 2>&1 +# @TEST-EXEC: bro -b -r $TRACES/tunnels/4in4.pcap %INPUT >>output 2>&1 +# @TEST-EXEC: bro -b -r $TRACES/tunnels/6in6-tunnel-change.pcap %INPUT >>output 2>&1 +# @TEST-EXEC: btest-diff output + +event new_connection(c: connection) + { + if ( c?$tunnel ) + { + print "new_connection: tunnel"; + print fmt(" conn_id: %s", c$id); + print fmt(" encap: %s", c$tunnel); + } + else + { + print "new_connection: no tunnel"; + } + } + +event tunnel_changed(c: connection, e: EncapsulatingConnVector) + { + print "tunnel_changed:"; + print fmt(" conn_id: %s", c$id); + if ( c?$tunnel ) + print fmt(" old: %s", c$tunnel); + print fmt(" new: %s", e); + } diff --git a/testing/btest/core/tunnels/ip-tunnel-uid.test b/testing/btest/core/tunnels/ip-tunnel-uid.test new file mode 100644 index 0000000000..f86fd126c9 --- /dev/null +++ b/testing/btest/core/tunnels/ip-tunnel-uid.test @@ -0,0 +1,33 @@ +# @TEST-EXEC: bro -b -r $TRACES/tunnels/ping6-in-ipv4.pcap %INPUT >>output 2>&1 +# @TEST-EXEC: btest-diff output + +event new_connection(c: connection) + { + if ( c?$tunnel ) + { + print "new_connection: tunnel"; + print fmt(" conn_id: %s", c$id); + print fmt(" encap: %s", c$tunnel); + } + else + { + print "new_connection: no tunnel"; + } + } + +event tunnel_changed(c: connection, e: EncapsulatingConnVector) + { + print "tunnel_changed:"; + print fmt(" conn_id: %s", c$id); + if ( c?$tunnel ) + print fmt(" old: %s", c$tunnel); + print fmt(" new: %s", e); + } + +event new_packet(c: connection, p: pkt_hdr) + { + print "NEW_PACKET:"; + print fmt(" %s", c$id); + if ( c?$tunnel ) + print fmt(" %s", c$tunnel); + } diff --git a/testing/btest/core/tunnels/teredo.bro b/testing/btest/core/tunnels/teredo.bro new file mode 100644 index 0000000000..c457decd98 --- /dev/null +++ b/testing/btest/core/tunnels/teredo.bro @@ -0,0 +1,35 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/Teredo.pcap %INPUT >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff http.log + +function print_teredo(name: string, outer: connection, inner: teredo_hdr) + { + print fmt("%s: %s", name, outer$id); + print fmt(" ip6: %s", inner$hdr$ip6); + if ( inner?$auth ) + print fmt(" auth: %s", inner$auth); + if ( inner?$origin ) + print fmt(" origin: %s", inner$origin); + } + +event teredo_packet(outer: connection, inner: teredo_hdr) + { + print_teredo("packet", outer, inner); + } + +event teredo_authentication(outer: connection, inner: teredo_hdr) + { + print_teredo("auth", outer, inner); + } + +event teredo_origin_indication(outer: connection, inner: teredo_hdr) + { + print_teredo("origin", outer, inner); + } + +event teredo_bubble(outer: connection, inner: teredo_hdr) + { + print_teredo("bubble", outer, inner); + } diff --git a/testing/btest/core/tunnels/teredo_bubble_with_payload.test b/testing/btest/core/tunnels/teredo_bubble_with_payload.test new file mode 100644 index 0000000000..f45d8ca585 --- /dev/null +++ b/testing/btest/core/tunnels/teredo_bubble_with_payload.test @@ -0,0 +1,36 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/teredo_bubble_with_payload.pcap %INPUT >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff http.log +# @TEST-EXEC: btest-diff weird.log + +function print_teredo(name: string, outer: connection, inner: teredo_hdr) + { + print fmt("%s: %s", name, outer$id); + print fmt(" ip6: %s", inner$hdr$ip6); + if ( inner?$auth ) + print fmt(" auth: %s", inner$auth); + if ( inner?$origin ) + print fmt(" origin: %s", inner$origin); + } + +event teredo_packet(outer: connection, inner: teredo_hdr) + { + print_teredo("packet", outer, inner); + } + +event teredo_authentication(outer: connection, inner: teredo_hdr) + { + print_teredo("auth", outer, inner); + } + +event teredo_origin_indication(outer: connection, inner: teredo_hdr) + { + print_teredo("origin", outer, inner); + } + +event teredo_bubble(outer: connection, inner: teredo_hdr) + { + print_teredo("bubble", outer, inner); + } diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test index 9fd18308ce..21e7d4f4a9 100644 --- a/testing/btest/coverage/bare-mode-errors.test +++ b/testing/btest/coverage/bare-mode-errors.test @@ -5,6 +5,8 @@ # Commonly, this test may fail if one forgets to @load some base/ scripts # when writing a new bro scripts. # +# @TEST-SERIALIZE: comm +# # @TEST-EXEC: test -d $DIST/scripts # @TEST-EXEC: for script in `find $DIST/scripts -name \*\.bro -not -path '*/site/*'`; do echo $script; if echo "$script" | egrep -q 'communication/listen|controllee'; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0 # @TEST-EXEC: cat allerrors | grep -v "received termination signal" | sort | uniq > unique_errors diff --git a/testing/btest/coverage/doc.test b/testing/btest/coverage/doc.test index d99122575d..074e397d88 100644 --- a/testing/btest/coverage/doc.test +++ b/testing/btest/coverage/doc.test @@ -1,10 +1,8 @@ # This tests that we're generating bro script documentation for all the # available bro scripts. If this fails, then the genDocSources.sh needs # to be run to produce a new DocSourcesList.cmake or genDocSources.sh needs -# to be updated to blacklist undesired scripts. To update, run the -# top-level Makefile: -# -# make update-doc-sources +# to be updated to blacklist undesired scripts. To update, run +# "make update-doc-sources" # # @TEST-EXEC: $DIST/doc/scripts/genDocSourcesList.sh # @TEST-EXEC: cmp $DIST/doc/scripts/DocSourcesList.cmake ./DocSourcesList.cmake diff --git a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro index 3d80ef7777..4a2ed735ef 100644 --- a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro +++ b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro @@ -5,7 +5,7 @@ # @TEST-EXEC: btest-bg-wait -k 10 # # Don't diff the receiver log just because port is always going to change -# @TEST-EXEC: egrep -v 'pid|socket buffer size' sender/communication.log >send.log +# @TEST-EXEC: egrep -v 'CPU|bytes|pid|socket buffer size' sender/communication.log >send.log # @TEST-EXEC: btest-diff send.log @TEST-START-FILE sender.bro @@ -19,6 +19,10 @@ redef Communication::nodes += { event remote_connection_handshake_done(p: event_peer) { terminate_communication(); + } + +event remote_connection_closed(p: event_peer) + { terminate(); } @@ -30,9 +34,8 @@ event remote_connection_handshake_done(p: event_peer) @load frameworks/communication/listen -event remote_connection_handshake_done(p: event_peer) +event remote_connection_closed(p: event_peer) { - terminate_communication(); terminate(); } diff --git a/testing/btest/scripts/base/frameworks/control/id_value.bro b/testing/btest/scripts/base/frameworks/control/id_value.bro index c5d1d063f5..ffbb9a10cf 100644 --- a/testing/btest/scripts/base/frameworks/control/id_value.bro +++ b/testing/btest/scripts/base/frameworks/control/id_value.bro @@ -22,4 +22,5 @@ redef test_var = "This is the value from the controllee"; event Control::id_value_response(id: string, val: string) { print fmt("Got an id_value_response(%s, %s) event", id, val); + terminate(); } diff --git a/testing/btest/scripts/base/frameworks/input/basic.bro b/testing/btest/scripts/base/frameworks/input/basic.bro index 8d4028a12e..df2ab676b8 100644 --- a/testing/btest/scripts/base/frameworks/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/basic.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -10,6 +13,11 @@ T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE +@load base/protocols/ssh +@load frameworks/communication/listen + +global outfile: file; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -39,12 +47,16 @@ type Val: record { global servers: table[int] of Val = table(); event bro_init() -{ + { + outfile = open("../out"); # first read in the old stuff into the table... - Input::add_table([$source="input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]); + Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]); Input::remove("ssh"); -} + } -event Input::update_finished(name: string, source:string) { - print servers; -} +event Input::update_finished(name: string, source:string) + { + print outfile, servers; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/emptyvals.bro b/testing/btest/scripts/base/frameworks/input/emptyvals.bro index 77659d13ec..a2a9ba3070 100644 --- a/testing/btest/scripts/base/frameworks/input/emptyvals.bro +++ b/testing/btest/scripts/base/frameworks/input/emptyvals.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -11,6 +14,10 @@ T 1 - 2 @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -26,12 +33,16 @@ type Val: record { global servers: table[int] of Val = table(); event bro_init() -{ + { + outfile = open("../out"); # first read in the old stuff into the table... - Input::add_table([$source="input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]); + Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]); Input::remove("ssh"); -} + } -event Input::update_finished(name: string, source:string) { - print servers; -} +event Input::update_finished(name: string, source:string) + { + print outfile, servers; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/event.bro b/testing/btest/scripts/base/frameworks/input/event.bro index dca75334d0..d275cee59c 100644 --- a/testing/btest/scripts/base/frameworks/input/event.bro +++ b/testing/btest/scripts/base/frameworks/input/event.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -16,6 +19,10 @@ 7 T @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; +global try: count; module A; @@ -24,15 +31,24 @@ type Val: record { b: bool; }; -event line(description: Input::EventDescription, tpe: Input::Event, i: int, b: bool) { - print description; - print tpe; - print i; - print b; -} +event line(description: Input::EventDescription, tpe: Input::Event, i: int, b: bool) + { + print outfile, description; + print outfile, tpe; + print outfile, i; + print outfile, b; + try = try + 1; + if ( try == 7 ) + { + close(outfile); + terminate(); + } + } event bro_init() -{ - Input::add_event([$source="input.log", $name="input", $fields=Val, $ev=line]); + { + try = 0; + outfile = open("../out"); + Input::add_event([$source="../input.log", $name="input", $fields=Val, $ev=line]); Input::remove("input"); -} + } diff --git a/testing/btest/scripts/base/frameworks/input/executeraw.bro b/testing/btest/scripts/base/frameworks/input/executeraw.bro index 6df28d08ea..222b4256d1 100644 --- a/testing/btest/scripts/base/frameworks/input/executeraw.bro +++ b/testing/btest/scripts/base/frameworks/input/executeraw.bro @@ -1,6 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: btest-bg-wait -k 1 +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: cat out.tmp | sed 's/^ *//g' >out # @TEST-EXEC: btest-diff out @@ -23,16 +25,18 @@ type Val: record { s: string; }; -event line(description: Input::EventDescription, tpe: Input::Event, s: string) { +event line(description: Input::EventDescription, tpe: Input::Event, s: string) + { print outfile, description; print outfile, tpe; print outfile, s; close(outfile); -} + terminate(); + } event bro_init() -{ - outfile = open ("../out.tmp"); + { + outfile = open("../out.tmp"); Input::add_event([$source="wc -l ../input.log |", $reader=Input::READER_RAW, $name="input", $fields=Val, $ev=line]); Input::remove("input"); -} + } diff --git a/testing/btest/scripts/base/frameworks/input/executestreamraw.bro b/testing/btest/scripts/base/frameworks/input/executestreamraw.bro deleted file mode 100644 index d97a7b26a0..0000000000 --- a/testing/btest/scripts/base/frameworks/input/executestreamraw.bro +++ /dev/null @@ -1,58 +0,0 @@ -# -# @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 3 -# @TEST-EXEC: cat input2.log >> input.log -# @TEST-EXEC: sleep 3 -# @TEST-EXEC: cat input3.log >> input.log -# @TEST-EXEC: btest-bg-wait -k 3 -# @TEST-EXEC: btest-diff out - -@TEST-START-FILE input1.log -sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -@TEST-END-FILE - -@TEST-START-FILE input2.log -DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -q3r3057fdf -@TEST-END-FILE - -@TEST-START-FILE input3.log -sdfs\d - -dfsdf -sdf -3rw43wRRERLlL#RWERERERE. - -@TEST-END-FILE - -@load frameworks/communication/listen - -module A; - -type Val: record { - s: string; -}; - -global try: count; -global outfile: file; - -event line(description: Input::EventDescription, tpe: Input::Event, s: string) { - print outfile, description; - print outfile, tpe; - print outfile, s; - try = try + 1; - - if ( try == 9 ) { - print outfile, "done"; - close(outfile); - Input::remove("input"); - } -} - -event bro_init() -{ - outfile = open ("../out"); - try = 0; - Input::add_event([$source="tail -f ../input.log |", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line]); -} diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro index d6c81cb2db..9707af7f94 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro +++ b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -10,6 +13,10 @@ T -42 @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -25,12 +32,16 @@ type Val: record { global servers: table[int] of Val = table(); event bro_init() -{ - Input::add_table([$source="input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, $want_record=F]); + { + outfile = open("../out"); + Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, $want_record=F]); Input::remove("input"); -} + } -event Input::update_finished(name: string, source: string) { - print servers; -} +event Input::update_finished(name: string, source: string) + { + print outfile, servers; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro index ca1e956f35..18349f1515 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro +++ b/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -10,6 +13,10 @@ T -42 @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -25,12 +32,16 @@ type Val: record { global servers: table[int] of Val = table(); event bro_init() -{ - Input::add_table([$name="input", $source="input.log", $idx=Idx, $val=Val, $destination=servers]); + { + outfile = open("../out"); + Input::add_table([$name="input", $source="../input.log", $idx=Idx, $val=Val, $destination=servers]); Input::remove("input"); -} + } -event Input::update_finished(name: string, source: string) { - print servers; -} +event Input::update_finished(name: string, source: string) + { + print outfile, servers; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/optional.bro b/testing/btest/scripts/base/frameworks/input/optional.bro index c354f7c3ab..23e0b1e4d1 100644 --- a/testing/btest/scripts/base/frameworks/input/optional.bro +++ b/testing/btest/scripts/base/frameworks/input/optional.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -16,6 +19,10 @@ 7 T @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -32,14 +39,18 @@ type Val: record { global servers: table[int] of Val = table(); event bro_init() -{ + { + outfile = open("../out"); # first read in the old stuff into the table... - Input::add_table([$source="input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, + Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, $pred(typ: Input::Event, left: Idx, right: Val) = { right$notb = !right$b; return T; } ]); Input::remove("input"); -} + } -event Input::update_finished(name: string, source: string) { - print servers; -} +event Input::update_finished(name: string, source: string) + { + print outfile, servers; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/port.bro b/testing/btest/scripts/base/frameworks/input/port.bro index 88e86eb5dc..2f061e9507 100644 --- a/testing/btest/scripts/base/frameworks/input/port.bro +++ b/testing/btest/scripts/base/frameworks/input/port.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -9,6 +12,10 @@ 1.2.3.6 30 unknown @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -24,17 +31,23 @@ type Val: record { global servers: table[addr] of Val = table(); event bro_init() -{ - Input::add_table([$source="input.log", $name="input", $idx=Idx, $val=Val, $destination=servers]); - print servers[1.2.3.4]; - print servers[1.2.3.5]; - print servers[1.2.3.6]; + { + outfile = open("../out"); + Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers]); + if ( 1.2.3.4 in servers ) + print outfile, servers[1.2.3.4]; + if ( 1.2.3.5 in servers ) + print outfile, servers[1.2.3.5]; + if ( 1.2.3.6 in servers ) + print outfile, servers[1.2.3.6]; Input::remove("input"); -} - -event Input::update_finished(name: string, source: string) { - print servers[1.2.3.4]; - print servers[1.2.3.5]; - print servers[1.2.3.6]; -} + } +event Input::update_finished(name: string, source: string) + { + print outfile, servers[1.2.3.4]; + print outfile, servers[1.2.3.5]; + print outfile, servers[1.2.3.6]; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro b/testing/btest/scripts/base/frameworks/input/predicate-stream.bro index 20c69131cb..8cf927e346 100644 --- a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate-stream.bro @@ -1,9 +1,13 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out # # only difference from predicate.bro is, that this one uses a stream source. -# the reason is, that the code-paths are quite different, because then the ascii reader uses the put and not the sendevent interface +# the reason is, that the code-paths are quite different, because then the +# ascii reader uses the put and not the sendevent interface @TEST-START-FILE input.log #separator \x09 @@ -19,6 +23,10 @@ 7 T @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -34,47 +42,38 @@ type Val: record { global servers: table[int] of Val = table(); global ct: int; -event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: bool) { +event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: bool) + { ct = ct + 1; - if ( ct < 3 ) { + if ( ct < 3 ) return; - } - if ( ct > 3 ) { - print "Too many events"; - return; - } - if ( 1 in servers ) { - print "VALID"; + if ( 1 in servers ) + print outfile, "VALID"; + if ( 2 in servers ) + print outfile, "VALID"; + if ( !(3 in servers) ) + print outfile, "VALID"; + if ( !(4 in servers) ) + print outfile, "VALID"; + if ( !(5 in servers) ) + print outfile, "VALID"; + if ( !(6 in servers) ) + print outfile, "VALID"; + if ( 7 in servers ) + print outfile, "VALID"; + close(outfile); + terminate(); } - if ( 2 in servers ) { - print "VALID"; - } - if ( !(3 in servers) ) { - print "VALID"; - } - if ( !(4 in servers) ) { - print "VALID"; - } - if ( !(5 in servers) ) { - print "VALID"; - } - if ( !(6 in servers) ) { - print "VALID"; - } - if ( 7 in servers ) { - print "VALID"; - } -} event bro_init() -{ + { + outfile = open("../out"); ct = 0; # first read in the old stuff into the table... - Input::add_table([$source="input.log", $mode=Input::STREAM, $name="input", $idx=Idx, $val=Val, $destination=servers, $want_record=F, $ev=line, + Input::add_table([$source="../input.log", $mode=Input::STREAM, $name="input", $idx=Idx, $val=Val, $destination=servers, $want_record=F, $ev=line, $pred(typ: Input::Event, left: Idx, right: bool) = { return right; } ]); Input::remove("input"); - -} + } diff --git a/testing/btest/scripts/base/frameworks/input/predicate.bro b/testing/btest/scripts/base/frameworks/input/predicate.bro index 278ac7418e..2cda6f5fb9 100644 --- a/testing/btest/scripts/base/frameworks/input/predicate.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -16,6 +19,10 @@ 7 T @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -31,34 +38,31 @@ type Val: record { global servers: table[int] of Val = table(); event bro_init() -{ + { + outfile = open("../out"); # first read in the old stuff into the table... - Input::add_table([$source="input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, $want_record=F, + Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, $want_record=F, $pred(typ: Input::Event, left: Idx, right: bool) = { return right; } ]); Input::remove("input"); -} + } -event Input::update_finished(name: string, source: string) { - if ( 1 in servers ) { - print "VALID"; +event Input::update_finished(name: string, source: string) + { + if ( 1 in servers ) + print outfile, "VALID"; + if ( 2 in servers ) + print outfile, "VALID"; + if ( !(3 in servers) ) + print outfile, "VALID"; + if ( !(4 in servers) ) + print outfile, "VALID"; + if ( !(5 in servers) ) + print outfile, "VALID"; + if ( !(6 in servers) ) + print outfile, "VALID"; + if ( 7 in servers ) + print outfile, "VALID"; + close(outfile); + terminate(); } - if ( 2 in servers ) { - print "VALID"; - } - if ( !(3 in servers) ) { - print "VALID"; - } - if ( !(4 in servers) ) { - print "VALID"; - } - if ( !(5 in servers) ) { - print "VALID"; - } - if ( !(6 in servers) ) { - print "VALID"; - } - if ( 7 in servers ) { - print "VALID"; - } -} diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro b/testing/btest/scripts/base/frameworks/input/predicatemodify.bro index c3198d8483..1d6a54fe38 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodify.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -11,6 +14,10 @@ 2 T test2 idx2 @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -28,23 +35,25 @@ type Val: record { global servers: table[int, string] of Val = table(); event bro_init() -{ - # first read in the old stuff into the table... - Input::add_table([$source="input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, - $pred(typ: Input::Event, left: Idx, right: Val) = { - if ( left$i == 1 ) { - right$s = "testmodified"; - } + { + outfile = open("../out"); - if ( left$i == 2 ) { + # first read in the old stuff into the table... + Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, + $pred(typ: Input::Event, left: Idx, right: Val) = { + if ( left$i == 1 ) + right$s = "testmodified"; + if ( left$i == 2 ) left$ss = "idxmodified"; - } return T; } ]); Input::remove("input"); -} + } -event Input::update_finished(name: string, source: string) { - print servers; -} +event Input::update_finished(name: string, source: string) + { + print outfile, servers; + close(outfile); + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro index 1606ff6a27..9b8758bf3f 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro @@ -1,6 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: sleep 2 @@ -9,7 +11,7 @@ # @TEST-EXEC: cp input4.log input.log # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input5.log input.log -# @TEST-EXEC: btest-bg-wait -k 3 +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out # @@ -77,31 +79,31 @@ global outfile: file; global try: count; event bro_init() -{ + { try = 0; - outfile = open ("../out"); + outfile = open("../out"); # first read in the old stuff into the table... Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=servers, $mode=Input::REREAD, $pred(typ: Input::Event, left: Idx, right: Val) = { - if ( left$i == 1 ) { + if ( left$i == 1 ) right$s = "testmodified"; - } - - if ( left$i == 2 ) { + if ( left$i == 2 ) left$ss = "idxmodified"; - } return T; } ]); -} + } -event Input::update_finished(name: string, source: string) { +event Input::update_finished(name: string, source: string) + { try = try + 1; print outfile, fmt("Update_finished for %s, try %d", name, try); print outfile, servers; - if ( try == 5 ) { - close (outfile); + if ( try == 5 ) + { + close(outfile); Input::remove("input"); + terminate(); + } } -} diff --git a/testing/btest/scripts/base/frameworks/input/raw.bro b/testing/btest/scripts/base/frameworks/input/raw.bro index 8ec6c12a78..cb19213173 100644 --- a/testing/btest/scripts/base/frameworks/input/raw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -13,6 +16,10 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; +global try: count; module A; @@ -20,14 +27,23 @@ type Val: record { s: string; }; -event line(description: Input::EventDescription, tpe: Input::Event, s: string) { - print description; - print tpe; - print s; -} +event line(description: Input::EventDescription, tpe: Input::Event, s: string) + { + print outfile, description; + print outfile, tpe; + print outfile, s; + try = try + 1; + if ( try == 8 ) + { + close(outfile); + terminate(); + } + } event bro_init() -{ - Input::add_event([$source="input.log", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line]); + { + try = 0; + outfile = open("../out"); + Input::add_event([$source="../input.log", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line]); Input::remove("input"); -} + } diff --git a/testing/btest/scripts/base/frameworks/input/repeat.bro b/testing/btest/scripts/base/frameworks/input/repeat.bro index 58ce9a1675..a5a914932c 100644 --- a/testing/btest/scripts/base/frameworks/input/repeat.bro +++ b/testing/btest/scripts/base/frameworks/input/repeat.bro @@ -1,6 +1,9 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out -# @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @TEST-START-FILE input.log #separator \x09 @@ -10,6 +13,11 @@ 1 T @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; +global try: count; + redef InputAscii::empty_field = "EMPTY"; module A; @@ -27,15 +35,25 @@ global destination: table[int] of Val = table(); const one_to_32: vector of count = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32}; event bro_init() -{ - for ( i in one_to_32 ) { - Input::add_table([$source="input.log", $name=fmt("input%d", i), $idx=Idx, $val=Val, $destination=destination, $want_record=F]); + { + try = 0; + outfile = open("../out"); + for ( i in one_to_32 ) + { + Input::add_table([$source="../input.log", $name=fmt("input%d", i), $idx=Idx, $val=Val, $destination=destination, $want_record=F]); Input::remove(fmt("input%d", i)); + } } -} -event Input::update_finished(name: string, source: string) { - print name; - print source; - print destination; -} +event Input::update_finished(name: string, source: string) + { + print outfile, name; + print outfile, source; + print outfile, destination; + try = try + 1; + if ( try == 32 ) + { + close(outfile); + terminate(); + } + } diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.bro index f33b060fe0..2db58fc6b0 100644 --- a/testing/btest/scripts/base/frameworks/input/reread.bro +++ b/testing/btest/scripts/base/frameworks/input/reread.bro @@ -1,6 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: sleep 2 @@ -9,7 +11,7 @@ # @TEST-EXEC: cp input4.log input.log # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input5.log input.log -# @TEST-EXEC: btest-bg-wait -k 2 +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input1.log @@ -56,6 +58,7 @@ F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE +@load base/protocols/ssh @load frameworks/communication/listen redef InputAscii::empty_field = "EMPTY"; @@ -90,7 +93,8 @@ global outfile: file; global try: count; -event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val) { +event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val) + { print outfile, "============EVENT============"; print outfile, "Description"; print outfile, description; @@ -100,11 +104,11 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print outfile, left; print outfile, "Right"; print outfile, right; -} + } event bro_init() -{ - outfile = open ("../out"); + { + outfile = open("../out"); try = 0; # first read in the old stuff into the table... Input::add_table([$source="../input.log", $mode=Input::REREAD, $name="ssh", $idx=Idx, $val=Val, $destination=servers, $ev=line, @@ -116,17 +120,20 @@ event bro_init() return T; } ]); -} + } -event Input::update_finished(name: string, source: string) { +event Input::update_finished(name: string, source: string) + { print outfile, "==========SERVERS============"; print outfile, servers; try = try + 1; - if ( try == 5 ) { + if ( try == 5 ) + { print outfile, "done"; close(outfile); Input::remove("input"); + terminate(); + } } -} diff --git a/testing/btest/scripts/base/frameworks/input/rereadraw.bro b/testing/btest/scripts/base/frameworks/input/rereadraw.bro index 33361ad27e..1051351c2b 100644 --- a/testing/btest/scripts/base/frameworks/input/rereadraw.bro +++ b/testing/btest/scripts/base/frameworks/input/rereadraw.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -13,6 +16,10 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; +global try: count; module A; @@ -20,15 +27,24 @@ type Val: record { s: string; }; -event line(description: Input::EventDescription, tpe: Input::Event, s: string) { - print description; - print tpe; - print s; -} +event line(description: Input::EventDescription, tpe: Input::Event, s: string) + { + print outfile, description; + print outfile, tpe; + print outfile, s; + try = try + 1; + if ( try == 16 ) + { + close(outfile); + terminate(); + } + } event bro_init() -{ - Input::add_event([$source="input.log", $reader=Input::READER_RAW, $mode=Input::REREAD, $name="input", $fields=Val, $ev=line]); + { + try = 0; + outfile = open("../out"); + Input::add_event([$source="../input.log", $reader=Input::READER_RAW, $mode=Input::REREAD, $name="input", $fields=Val, $ev=line]); Input::force_update("input"); Input::remove("input"); -} + } diff --git a/testing/btest/scripts/base/frameworks/input/stream.bro b/testing/btest/scripts/base/frameworks/input/stream.bro index 571a2273c1..1ecd8a2eb0 100644 --- a/testing/btest/scripts/base/frameworks/input/stream.bro +++ b/testing/btest/scripts/base/frameworks/input/stream.bro @@ -1,11 +1,13 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT # @TEST-EXEC: sleep 3 # @TEST-EXEC: cat input2.log >> input.log # @TEST-EXEC: sleep 3 # @TEST-EXEC: cat input3.log >> input.log -# @TEST-EXEC: btest-bg-wait -k 3 +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input1.log @@ -22,6 +24,7 @@ T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz F -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE +@load base/protocols/ssh @load frameworks/communication/listen redef InputAscii::empty_field = "EMPTY"; @@ -56,7 +59,8 @@ global outfile: file; global try: count; -event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val) { +event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val) + { print outfile, "============EVENT============"; print outfile, tpe; print outfile, left; @@ -66,18 +70,19 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r try = try + 1; - if ( try == 3 ) { + if ( try == 3 ) + { print outfile, "done"; close(outfile); Input::remove("input"); + terminate(); + } } -} event bro_init() -{ - outfile = open ("../out"); + { + outfile = open("../out"); try = 0; # first read in the old stuff into the table... Input::add_table([$source="../input.log", $mode=Input::STREAM, $name="ssh", $idx=Idx, $val=Val, $destination=servers, $ev=line]); -} - + } diff --git a/testing/btest/scripts/base/frameworks/input/streamraw.bro b/testing/btest/scripts/base/frameworks/input/streamraw.bro index cc0afd5ae8..a6aba88c5f 100644 --- a/testing/btest/scripts/base/frameworks/input/streamraw.bro +++ b/testing/btest/scripts/base/frameworks/input/streamraw.bro @@ -1,3 +1,5 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT @@ -5,7 +7,7 @@ # @TEST-EXEC: cat input2.log >> input.log # @TEST-EXEC: sleep 3 # @TEST-EXEC: cat input3.log >> input.log -# @TEST-EXEC: btest-bg-wait -k 3 +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input1.log @@ -36,21 +38,25 @@ type Val: record { global try: count; global outfile: file; -event line(description: Input::EventDescription, tpe: Input::Event, s: string) { +event line(description: Input::EventDescription, tpe: Input::Event, s: string) + { print outfile, description; print outfile, tpe; print outfile, s; - - if ( try == 3 ) { + + try = try + 1; + if ( try == 8 ) + { print outfile, "done"; close(outfile); Input::remove("input"); + terminate(); + } } -} event bro_init() -{ - outfile = open ("../out"); + { + outfile = open("../out"); try = 0; Input::add_event([$source="../input.log", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line]); -} + } diff --git a/testing/btest/scripts/base/frameworks/input/tableevent.bro b/testing/btest/scripts/base/frameworks/input/tableevent.bro index e40485dd12..723e519237 100644 --- a/testing/btest/scripts/base/frameworks/input/tableevent.bro +++ b/testing/btest/scripts/base/frameworks/input/tableevent.bro @@ -1,5 +1,8 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @TEST-START-FILE input.log @@ -16,6 +19,11 @@ 7 T @TEST-END-FILE +@load frameworks/communication/listen + +global outfile: file; +global try: count; + redef InputAscii::empty_field = "EMPTY"; type Idx: record { @@ -28,15 +36,24 @@ type Val: record { global destination: table[int] of Val = table(); -event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: bool) { - print description; - print tpe; - print left; - print right; -} +event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: bool) + { + print outfile, description; + print outfile, tpe; + print outfile, left; + print outfile, right; + try = try + 1; + if ( try == 7 ) + { + close(outfile); + terminate(); + } + } event bro_init() -{ - Input::add_table([$source="input.log", $name="input", $idx=Idx, $val=Val, $destination=destination, $want_record=F,$ev=line]); + { + try = 0; + outfile = open("../out"); + Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $destination=destination, $want_record=F,$ev=line]); Input::remove("input"); -} + } diff --git a/testing/btest/scripts/base/frameworks/input/twotables.bro b/testing/btest/scripts/base/frameworks/input/twotables.bro index 1413275e63..f404416049 100644 --- a/testing/btest/scripts/base/frameworks/input/twotables.bro +++ b/testing/btest/scripts/base/frameworks/input/twotables.bro @@ -1,10 +1,15 @@ +# (uses listen.bro just to ensure input sources are more reliably fully-read). +# @TEST-SERIALIZE: comm # # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: sleep 5 # @TEST-EXEC: cp input3.log input.log -# @TEST-EXEC: btest-bg-wait -k 2 -# @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-bg-wait -k 10 +# @TEST-EXEC: btest-diff event.out +# @TEST-EXEC: btest-diff pred1.out +# @TEST-EXEC: btest-diff pred2.out +# @TEST-EXEC: btest-diff fin.out @TEST-START-FILE input1.log #separator \x09 @@ -28,6 +33,7 @@ T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz F -44 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE +@load base/protocols/ssh @load frameworks/communication/listen redef InputAscii::empty_field = "EMPTY"; @@ -58,59 +64,71 @@ type Val: record { global servers: table[int] of Val = table(); -global outfile: file; +global event_out: file; +global pred1_out: file; +global pred2_out: file; +global fin_out: file; global try: count; -event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val) { - print outfile, "============EVENT============"; -# print outfile, "Description"; -# print outfile, description; -# print outfile, "Type"; -# print outfile, tpe; -# print outfile, "Left"; -# print outfile, left; -# print outfile, "Right"; -# print outfile, right; -} +event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val) + { + print event_out, "============EVENT============"; +# print event_out, "Description"; +# print event_out, description; +# print event_out, "Type"; +# print event_out, tpe; +# print event_out, "Left"; +# print event_out, left; +# print event_out, "Right"; +# print event_out, right; + } event bro_init() -{ - outfile = open ("../out"); + { + event_out = open ("../event.out"); + pred1_out = open ("../pred1.out"); + pred2_out = open ("../pred2.out"); + fin_out = open ("../fin.out"); try = 0; # first read in the old stuff into the table... Input::add_table([$source="../input.log", $mode=Input::REREAD, $name="ssh", $idx=Idx, $val=Val, $destination=servers, $ev=line, $pred(typ: Input::Event, left: Idx, right: Val) = { - print outfile, "============PREDICATE============"; - print outfile, typ; - print outfile, left; - print outfile, right; + print pred1_out, "============PREDICATE============"; + print pred1_out, typ; + print pred1_out, left; + print pred1_out, right; return T; } ]); Input::add_table([$source="../input2.log", $mode=Input::REREAD, $name="ssh2", $idx=Idx, $val=Val, $destination=servers, $ev=line, $pred(typ: Input::Event, left: Idx, right: Val) = { - print outfile, "============PREDICATE 2============"; - print outfile, typ; - print outfile, left; - print outfile, right; + print pred2_out, "============PREDICATE 2============"; + print pred2_out, typ; + print pred2_out, left; + print pred2_out, right; return T; } ]); -} + } -event Input::update_finished(name: string, source: string) { - print outfile, "==========SERVERS============"; - print outfile, servers; +event Input::update_finished(name: string, source: string) + { + print fin_out, "==========SERVERS============"; + #print fin_out, servers; try = try + 1; - if ( try == 3 ) { - print outfile, "done"; - print outfile, servers; - close(outfile); + if ( try == 3 ) + { + print fin_out, "done"; + print fin_out, servers; + close(event_out); + close(pred1_out); + close(pred2_out); + close(fin_out); Input::remove("input"); Input::remove("input2"); terminate(); + } } -} diff --git a/testing/btest/scripts/base/frameworks/logging/none-debug.bro b/testing/btest/scripts/base/frameworks/logging/none-debug.bro new file mode 100644 index 0000000000..5d2e98323a --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/none-debug.bro @@ -0,0 +1,37 @@ +# +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +redef Log::default_writer = Log::WRITER_NONE; +redef LogNone::debug = T; +redef Log::default_rotation_interval= 1hr; +redef log_rotate_base_time = "00:05"; + +module SSH; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + t: time; + id: conn_id; # Will be rolled out into individual columns. + status: string &optional; + country: string &default="unknown"; + } &log; +} + +event bro_init() +{ + local config: table[string] of string; + config["foo"]="bar"; + config["foo2"]="bar2"; + + local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; + + Log::create_stream(SSH::LOG, [$columns=Log]); + + Log::remove_default_filter(SSH::LOG); + Log::add_filter(SSH::LOG, [$name="f1", $exclude=set("t", "id.orig_h"), $config=config]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); +} + diff --git a/testing/btest/scripts/base/protocols/socks/trace1.test b/testing/btest/scripts/base/protocols/socks/trace1.test new file mode 100644 index 0000000000..fb1d9ebaf2 --- /dev/null +++ b/testing/btest/scripts/base/protocols/socks/trace1.test @@ -0,0 +1,5 @@ +# @TEST-EXEC: bro -r $TRACES/socks.trace %INPUT +# @TEST-EXEC: btest-diff socks.log +# @TEST-EXEC: btest-diff tunnel.log + +@load base/protocols/socks diff --git a/testing/btest/scripts/base/protocols/socks/trace2.test b/testing/btest/scripts/base/protocols/socks/trace2.test new file mode 100644 index 0000000000..5e3a449120 --- /dev/null +++ b/testing/btest/scripts/base/protocols/socks/trace2.test @@ -0,0 +1,5 @@ +# @TEST-EXEC: bro -r $TRACES/socks-with-ssl.trace %INPUT +# @TEST-EXEC: btest-diff socks.log +# @TEST-EXEC: btest-diff tunnel.log + +@load base/protocols/socks diff --git a/testing/btest/scripts/base/protocols/socks/trace3.test b/testing/btest/scripts/base/protocols/socks/trace3.test new file mode 100644 index 0000000000..c3b3b091eb --- /dev/null +++ b/testing/btest/scripts/base/protocols/socks/trace3.test @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -C -r $TRACES/tunnels/socks.pcap %INPUT +# @TEST-EXEC: btest-diff tunnel.log + +@load base/protocols/socks diff --git a/testing/scripts/doc/example-diff-canonifier.py b/testing/scripts/doc/example-diff-canonifier.py deleted file mode 100755 index e0b8c110cc..0000000000 --- a/testing/scripts/doc/example-diff-canonifier.py +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/python - -import sys -import re - -# MutableVal derivatives (e.g. sets/tables) don't always generate the same -# ordering in the reST documentation, so just don't bother diffing -# the places where example.bro uses them. - -RE1 = "\d*/tcp" -RE2 = "tcp port \d*" - -for line in sys.stdin.readlines(): - if re.search(RE1, line) is None and re.search(RE2, line) is None: - print line