From b723ecd0e0a70bf139c4e2642c3e633bc2d2ab06 Mon Sep 17 00:00:00 2001 
From: "Gilbert Clark gc355804@ohio.edu"
Date: Sat, 13 Aug 2011 21:10:51 -0700
Subject: [PATCH 1/3] Header modification to LogWriterAscii to make it easier for scripts to understand bro log files.
---
 src/LogWriterAscii.cc | 65 ++++++++++++++++++
 .../core.print-bpf-filters-ipv4/conn.log | 3 +
 .../core.print-bpf-filters-ipv4/output | 20 ++++--
 .../btest/Baseline/core.vlan-mpls/conn.log | 3 +
 .../istate.events-ssl/receiver.http.log | 5 +-
 .../istate.events-ssl/sender.http.log | 5 +-
 .../Baseline/istate.events/receiver.http.log | 5 +-
 .../Baseline/istate.events/sender.http.log | 5 +-
 .../ssh-new-default.log | 7 +-
 .../ssh.log | Bin 86 -> 142 bytes
 .../ssh.log | 13 ++--
 .../ssh.log | Bin 376 -> 515 bytes
 .../test.log | 3 +
 .../ssh.log | 3 +
 .../policy.frameworks.logging.attr/ssh.log | 3 +
 .../ssh.log | 13 ++--
 .../policy.frameworks.logging.exclude/ssh.log | 3 +
 .../policy.frameworks.logging.file/ssh.log | 5 +-
 .../policy.frameworks.logging.include/ssh.log | 13 ++--
 .../output | 35 ++++++++--
 .../ssh.failure.log | 5 +-
 .../ssh.success.log | 5 +-
 .../receiver.test.log | 5 +-
 .../sender.test.failure.log | 9 ++-
 .../sender.test.log | 13 ++--
 .../sender.test.success.log | 7 +-
 .../ssh.failure.log | 7 +-
 .../policy.frameworks.logging.remove/ssh.log | 9 ++-
 .../out | 4 ++
 .../policy.frameworks.logging.rotate/out | 30 ++++++++
 .../policy.frameworks.logging.stdout/output | 13 ++--
 .../ssh.log | 13 ++--
 .../policy.frameworks.logging.types/ssh.log | Bin 278 -> 457 bytes
 .../testing.log | 3 +
 .../policy.frameworks.logging.vec/ssh.log | 3 +
 .../knownhosts-all.log | 11 +-
 .../knownhosts-local.log | 5 +-
 .../knownhosts-remote.log | 9 ++-
 .../knownservices-all.log | 13 ++--
 .../knownservices-local.log | 9 ++-
 .../knownservices-remote.log | 7 +-
 .../dns.log | 3 +
 .../http.log | 3 +
 .../http.log | 3 +
 .../policy.protocols.irc.basic/irc.log | 3 +
 .../policy.protocols.irc.dcc-extract/irc.log | 3 +
 .../policy.protocols.smtp.basic/smtp.log | 3 +
 .../smtp_entities.log | 3 +
 .../smtp_entities.log | 3 +
 49 files changed, 334 insertions(+), 79 deletions(-)
diff --git a/src/LogWriterAscii.cc b/src/LogWriterAscii.cc
index 446d6c8d65..fc589d8cb9 100644
--- a/src/LogWriterAscii.cc
+++ b/src/LogWriterAscii.cc
@@ -6,6 +6,54 @@
 #include "LogWriterAscii.h"
 #include "NetVar.h"
+/**
+ * Takes a LogField and returns a human-readable version of its type. Used to output the type to the log file's
+ * header.
+ *
+ * @param field Switches on field->type and returns an appropriate human-readable representation of that type.
+ * @return A std::string containing the human-readable representation of a given field's type.
+ */
+static string _GetBroTypeString(const LogField *field)
+{
+ switch(field->type)
+ {
+ case TYPE_BOOL:
+ return "bool";
+ case TYPE_COUNT:
+ return "count";
+ case TYPE_COUNTER:
+ return "counter";
+ case TYPE_PORT:
+ return "port";
+ case TYPE_INT:
+ return "int";
+ case TYPE_TIME:
+ return "time";
+ case TYPE_INTERVAL:
+ return "interval";
+ case TYPE_DOUBLE:
+ return "double";
+ case TYPE_SUBNET:
+ return "subnet";
+ case TYPE_NET:
+ return "net";
+ case TYPE_ADDR:
+ return "addr";
+ case TYPE_ENUM:
+ return "enum";
+ case TYPE_STRING:
+ return "string";
+ case TYPE_FILE:
+ return "file";
+ case TYPE_TABLE:
+ return "table";
+ case TYPE_VECTOR:
+ return "vector";
+ default:
+ return "???";
+ }
+}
+
 LogWriterAscii::LogWriterAscii()
 {
 file = 0;
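Review bot: `_GetBroTypeString` is a reserved identifier in C++ — any name beginning with an underscore followed by an uppercase letter belongs to the implementation — so the new helper should be renamed, e.g. `static string GetBroTypeString(const LogField* field)` (the `static` already keeps it file-local). The `default: return "???";` branch also undercuts the purpose stated in the subject: a `field->type` value the switch does not list (it visibly covers sixteen TYPE_* values; whether the enum has others is not shown here) would print a token no script can interpret, with no diagnostic. I would have the default report the unhandled type through the writer's error path, or at least emit a distinct, documented token such as `unknown`, and add a comment stating that these type names are the header contract consumers parse. `field` is dereferenced unchecked; if the logging framework guarantees it is non-null, a one-line comment saying so would help.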
@@ -87,6 +135,23 @@ bool LogWriterAscii::DoInit(string path, int num_fields,
 if ( fputc('\n', file) == EOF )
 goto write_error;
+
+ string wString = string(header_prefix, header_prefix_len) + string("path:'") + path + string("'\n");
+ wString += string(header_prefix, header_prefix_len) + "separator:'" + string(separator, separator_len) + "'\n";
+ if(fwrite(wString.c_str(), wString.length(), 1, file) != 1)
+ goto write_error;
+
+ wString = string(header_prefix, header_prefix_len);
+ for ( int i = 0; i < num_fields; ++i )
+ {
+ const LogField* field = fields[i];
+ wString += ((i > 0) ? string(separator, separator_len) : string("")) + field->name + string("=") + _GetBroTypeString(field);
+ }
+ if(fwrite(wString.c_str(), wString.length(), 1, file) != 1)
+ goto write_error;
+ if ( fputc('\n', file) == EOF )
+ goto write_error;
+
 }
 return true;
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
index a744346519..830556743a 100644
--- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
@@ -1,2 +1,5 @@
 # ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history
+# path:'conn'
+# separator:' '
+# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port proto=enum service=string duration=interval orig_bytes=count resp_bytes=count conn_state=string local_orig=bool missed_bytes=count history=string
 1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
index 494e1946e7..6ffc30b379 100644
--- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output
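Review bot: The new `path:'…'` and `separator:'…'` header lines embed `path` and the separator verbatim between single quotes with no escaping, so a path containing `'`, the separator, or a newline yields a header a script cannot parse unambiguously — and because a leading `header_prefix` is all that marks a header line, a `\n` inside `path` would let script- or traffic-influenced text start a line that does not look like a header at all. Stream paths in Bro can be computed by script code (per-host or per-service paths are a common pattern), so I would not treat them as trusted identifiers: escape `\\`, `'`, `\r` and `\n` (and the separator) in `path` before building `wString`, reusing the writer's existing escaping routine if it fits (it is not visible in this hunk), or reject such paths in DoInit. A smaller point: `fwrite(wString.c_str(), wString.length(), 1, file) != 1` treats a zero-length write as failure, since `fwrite` returns 0 when `size` is 0; the second `fwrite` is zero-length when `header_prefix_len == 0` and `num_fields == 0`, so guard it with `if ( ! wString.empty() && fwrite(wString.c_str(), wString.length(), 1, file) != 1 )`. The `name=type` join is ambiguous in the same way if a field name ever contains `=` or the separator; record field names are presumably identifiers, and a comment stating that assumption would make the header contract explicit. DoInit's body starts and ends outside this hunk.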
@@ -1,8 +1,20 @@
 # ts node filter init success
-1312570784.336354 - not ip6 F T
+# path:'packet_filter'
+# separator:' '
+# ts=time node=string filter=string init=bool success=bool
+1313294321.706635 - not ip6 F T
 # ts node filter init success
-1312570784.550594 - (((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) F T
+# path:'packet_filter'
+# separator:' '
+# ts=time node=string filter=string init=bool success=bool
+1313294321.886625 - (((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) F T
 # ts node filter init success
-1312570784.765990 - port 42 F T
+# path:'packet_filter'
+# separator:' '
+# ts=time node=string filter=string init=bool success=bool
+1313294322.054107 - port 42 F T
 # ts node filter init success
-1312570784.992999 - port 56730 T T
+# path:'packet_filter'
+# separator:' '
+# ts=time node=string filter=string init=bool success=bool
+1313294322.221475 - port 56730 T T
diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log
index 1d46bd7ab1..4202037144 100644
--- a/testing/btest/Baseline/core.vlan-mpls/conn.log
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log
@@ -1,4 +1,7 @@
 # ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history
+# path:'conn'
+# separator:' '
+# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port proto=enum service=string duration=interval orig_bytes=count resp_bytes=count conn_state=string local_orig=bool missed_bytes=count history=string
 952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 -
 1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf
 1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF
diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
index 2e56522dae..8eeff70133 100644
--- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
@@ -1,2 +1,5 @@
 # ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
-1310750785.32134 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
+# path:'http'
+# separator:' '
+# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file
+1313294803.616197 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log
index 2e56522dae..8eeff70133 100644
--- a/testing/btest/Baseline/istate.events-ssl/sender.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log
@@ -1,2 +1,5 @@
 # ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
-1310750785.32134 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
+# path:'http'
+# separator:' '
+# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file
+1313294803.616197 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log
index 38ba563dc7..9aa3b8b299 100644
--- a/testing/btest/Baseline/istate.events/receiver.http.log
+++ b/testing/btest/Baseline/istate.events/receiver.http.log
@@ -1,2 +1,5 @@
 # ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
-1310750770.8185 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
+# path:'http'
+# separator:' '
+# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file
+1313294821.853639 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log
index 38ba563dc7..9aa3b8b299 100644
--- a/testing/btest/Baseline/istate.events/sender.http.log
+++ b/testing/btest/Baseline/istate.events/sender.http.log
@@ -1,2 +1,5 @@
 # ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
-1310750770.8185 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
+# path:'http'
+# separator:' '
+# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file
+1313294821.853639 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - -
diff --git a/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log b/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log
index ee274bb0fa..a6801462ef 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log
@@ -1,3 +1,6 @@
 # t id.orig_h id.orig_p id.resp_h id.resp_p status country
-1313212563.234939 1.2.3.4 1234 2.3.4.5 80 success unknown
-1313212563.234939 1.2.3.4 1234 2.3.4.5 80 failure US
+# path:'ssh-new-default'
+# separator:' '
+# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
+1313294629.401535 1.2.3.4 1234 2.3.4.5 80 success unknown
+1313294629.401535 1.2.3.4 1234 2.3.4.5 80 failure US
diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-binary/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.ascii-binary/ssh.log index 84a2cc609efabb58fde7117111bb3142d49e967e..12433a10eb52e6ded1c1444ea957994d187ae3de 100644 GIT binary patch delta 75 zcmWIRV{}ngNJ%V7tN{^5T*?Xsi6t3U>czzw>Of9$YC&RAVo83Hm3j?`4^m`XTvC*o Nmk!YYt|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET -1299718506.56593|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T +PREFIX<>path:'ssh' +PREFIX<>separator:'|' +PREFIX<>t=time|id.orig_h=addr|id.orig_p=port|id.resp_h=addr|id.resp_p=port|status=string|country=string|b=bool +1313294759.195743|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET +1313294759.195743|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET +1313294759.195743|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET +1313294759.195743|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET +1313294759.195743|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T 
diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-escape/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.ascii-escape/ssh.log index aa08625281cf22112c46686d758ebaf329c49060..bd3dd8d1911ffae8b53562baa26e54c604b2a35c 100644 GIT binary patch literal 515 zcmb79v1-FG5Y6nb2xRakVk?Q$fS0Z%OG=jn%hy!kfv$IQLID1Gw~TAknLpML%}-6D=;@ix~2eYS`#UQcr^o&}B{ F#RCx9rzZda delta 118 zcmZo>`N1^7QNYmHz|7Lp$jrh>&)D4D&}8yWM!AXKg!wQ;)hF9CvSJD=OfF^=!4#I8 LyoFH=Q& test.2011-03-07-03-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299466805.000000 10.0.0.1 20 10.0.0.2 1024 1299470395.000000 10.0.0.2 20 10.0.0.3 0 > test.2011-03-07-04-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299470405.000000 10.0.0.1 20 10.0.0.2 1025 1299473995.000000 10.0.0.2 20 10.0.0.3 1 > test.2011-03-07-05-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299474005.000000 10.0.0.1 20 10.0.0.2 1026 1299477595.000000 10.0.0.2 20 10.0.0.3 2 > test.2011-03-07-06-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299477605.000000 10.0.0.1 20 10.0.0.2 1027 1299481195.000000 10.0.0.2 20 10.0.0.3 3 > test.2011-03-07-07-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299481205.000000 10.0.0.1 20 10.0.0.2 1028 1299484795.000000 10.0.0.2 20 10.0.0.3 4 > test.2011-03-07-08-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299484805.000000 10.0.0.1 20 10.0.0.2 1029 
1299488395.000000 10.0.0.2 20 10.0.0.3 5 > test.2011-03-07-09-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299488405.000000 10.0.0.1 20 10.0.0.2 1030 1299491995.000000 10.0.0.2 20 10.0.0.3 6 > test.2011-03-07-10-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299492005.000000 10.0.0.1 20 10.0.0.2 1031 1299495595.000000 10.0.0.2 20 10.0.0.3 7 > test.2011-03-07-11-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299495605.000000 10.0.0.1 20 10.0.0.2 1032 1299499195.000000 10.0.0.2 20 10.0.0.3 8 > test.2011-03-07-12-00-05.log # t id.orig_h id.orig_p id.resp_h id.resp_p +# path:'test' +# separator:' ' +# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port 1299499205.000000 10.0.0.1 20 10.0.0.2 1033 1299502795.000000 10.0.0.2 20 10.0.0.3 9 diff --git a/testing/btest/Baseline/policy.frameworks.logging.stdout/output b/testing/btest/Baseline/policy.frameworks.logging.stdout/output index 4c73aed8e4..8d9b9fde51 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.stdout/output +++ b/testing/btest/Baseline/policy.frameworks.logging.stdout/output 
@@ -1,6 +1,9 @@
 # t id.orig_h id.orig_p id.resp_h id.resp_p status country
-1299718506.28824 1.2.3.4 1234 2.3.4.5 80 success unknown
-1299718506.28824 1.2.3.4 1234 2.3.4.5 80 failure US
-1299718506.28824 1.2.3.4 1234 2.3.4.5 80 failure UK
-1299718506.28824 1.2.3.4 1234 2.3.4.5 80 success BR
-1299718506.28824 1.2.3.4 1234 2.3.4.5 80 failure MX
+# path:'/dev/stdout'
+# separator:' '
+# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
+1313294620.928942 1.2.3.4 1234 2.3.4.5 80 success unknown
+1313294620.928942 1.2.3.4 1234 2.3.4.5 80 failure US
+1313294620.928942 1.2.3.4 1234 2.3.4.5 80 failure UK
+1313294620.928942 1.2.3.4 1234 2.3.4.5 80 success BR
+1313294620.928942 1.2.3.4 1234 2.3.4.5 80 failure MX
diff --git a/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log
index 82523b7c13..746685f27e 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log
@@ -1,6 +1,9 @@
 # t id.orig_h id.orig_p id.resp_h id.resp_p status country
-1299718506.1313 1.2.3.4 1234 2.3.4.5 80 success unknown
-1299718506.1313 1.2.3.4 1234 2.3.4.5 80 failure US
-1299718506.1313 1.2.3.4 1234 2.3.4.5 80 failure UK
-1299718506.1313 1.2.3.4 1234 2.3.4.5 80 success BR
-1299718506.1313 1.2.3.4 1234 2.3.4.5 80 failure MX
+# path:'ssh'
+# separator:' '
+# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
+1313294707.543971 1.2.3.4 1234 2.3.4.5 80 success unknown
+1313294707.543971 1.2.3.4 1234 2.3.4.5 80 failure US
+1313294707.543971 1.2.3.4 1234 2.3.4.5 80 failure UK
+1313294707.543971 1.2.3.4 1234 2.3.4.5 80 success BR
+1313294707.543971 1.2.3.4 1234 2.3.4.5 80 failure MX
diff --git a/testing/btest/Baseline/policy.frameworks.logging.types/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.types/ssh.log index 5666db73c61ea038aee21a2da9238340327da95f..38327e2d997cb76f0d7698d1c532926a59c3b1a6 100644 GIT binary patch delta 205 zcmXwzF%E)25JeNM#&`%43L3RRjF60+Wm!hq1a>z&!?s>Q8f&lPt%O9HpZAiVpa0%` zx3A+fO}vt>%9y)smnKYJ1tl(287$sl<6I90jTImyI}V^xyKz>J-UR`+$YWzkz~Yh$ zRoez=v2|n969|eK2uxfyC`8o*BTF#$0i0_TwX~R5pg%;7k@S28BCT}Cx~`|gZC{>? OvN)Cb^->g5{QLlWaztVP delta 26 icmX@fJdJ6B?!*VSJcdT5CYE|8=EkOGhLbfJ7XSco`Uj=} diff --git a/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log b/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log index 34f20a588b..3d62164bd4 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log +++ b/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log @@ -1,3 +1,6 @@ # a.val1 a.val2 b +# path:'testing' +# separator:' ' +# a.val1=count a.val2=count b=count - - 6 1 2 3 diff --git a/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log index 1602f7d1c0..ffa1f9e94c 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log +++ b/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log @@ -1,2 +1,5 @@ # vec +# path:'ssh' +# separator:' ' +# vec=vector -,2,-,-,5 diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log index 8eae4b3163..4e1a9d3802 100644 --- a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log +++ b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log 
@@ -1,5 +1,8 @@
 # ts host
-1300475168.78384 141.142.220.118
-1300475168.78384 208.80.152.118
-1300475168.91594 208.80.152.3
-1300475168.96263 208.80.152.2
+# path:'known_hosts'
+# separator:' '
+# ts=time host=addr
+1300475168.783842 141.142.220.118
+1300475168.783842 208.80.152.118
+1300475168.915940 208.80.152.3
+1300475168.962628 208.80.152.2
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log
index 91e952dc96..50251059d8 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log
@@ -1,2 +1,5 @@
 # ts host
-1300475168.78384 141.142.220.118
+# path:'known_hosts'
+# separator:' '
+# ts=time host=addr
+1300475168.783842 141.142.220.118
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log
index 7224058b56..de3d9e0856 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log
@@ -1,4 +1,7 @@
 # ts host
-1300475168.78384 208.80.152.118
-1300475168.91594 208.80.152.3
-1300475168.96263 208.80.152.2
+# path:'known_hosts'
+# separator:' '
+# ts=time host=addr
+1300475168.783842 208.80.152.118
+1300475168.915940 208.80.152.3
+1300475168.962628 208.80.152.2
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log
index 9e427cbffe..d7be5f3994 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log
@@ -1,6 +1,9 @@
 # ts host port_num port_proto service
-1308930691.03504 172.16.238.131 22 tcp SSH
-1308930694.54896 172.16.238.131 80 tcp HTTP
-1308930716.45795 74.125.225.81 80 tcp HTTP
-1308930703.06815 172.16.238.131 21 tcp FTP
-1308930726.86415 141.142.192.39 22 tcp SSH
+# path:'known_services'
+# separator:' '
+# ts=time host=addr port_num=port port_proto=enum service=table
+1308930691.035044 172.16.238.131 22 tcp SSH
+1308930694.548964 172.16.238.131 80 tcp HTTP
+1308930716.457950 74.125.225.81 80 tcp HTTP
+1308930703.068148 172.16.238.131 21 tcp FTP
+1308930726.864150 141.142.192.39 22 tcp SSH
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log
index 9ff7eb3198..ebe040c18c 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log
@@ -1,4 +1,7 @@
 # ts host port_num port_proto service
-1308930691.03504 172.16.238.131 22 tcp SSH
-1308930694.54896 172.16.238.131 80 tcp HTTP
-1308930703.06815 172.16.238.131 21 tcp FTP
+# path:'known_services'
+# separator:' '
+# ts=time host=addr port_num=port port_proto=enum service=table
+1308930691.035044 172.16.238.131 22 tcp SSH
+1308930694.548964 172.16.238.131 80 tcp HTTP
+1308930703.068148 172.16.238.131 21 tcp FTP
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log
index 1adb50ed94..cdb00e1cea 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log
@@ -1,3 +1,6 @@
 # ts host port_num port_proto service
-1308930716.45795 74.125.225.81 80 tcp HTTP
-1308930726.86415 141.142.192.39 22 tcp SSH
+# path:'known_services'
+# separator:' '
+# ts=time host=addr port_num=port port_proto=enum service=table
+1308930716.457950 74.125.225.81 80 tcp HTTP
+1308930726.864150 141.142.192.39 22 tcp SSH
diff --git a/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log b/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log
index 6a5b6c6044..b2d843b24d 100644
--- a/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log
+++ b/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log
@@ -1,2 +1,5 @@
 # ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z TTL answers auth addl
+# path:'dns'
+# separator:' '
+# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port proto=enum trans_id=count query=string qclass=count qclass_name=string qtype=count qtype_name=string rcode=count rcode_name=string QR=bool AA=bool TC=bool RD=bool RA=bool Z=count TTL=interval answers=table auth=table addl=table
 930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F F T 0 31337.0 4.3.2.1 - -
diff --git a/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log b/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log
index ee07722d92..07649e6100 100644
--- a/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log
+++ b/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log
@@ -1,4 +1,7 @@
 # ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
+# path:'http'
+# separator:' '
+# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file
 1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - FAKE_MIME - -
 1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - FAKE_MIME - -
 1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - FAKE_MIME - -
diff --git a/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log
index 1c9e7eb7d6..29eeb6eed5 100644
--- a/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log
+++ b/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log
@@ -1,4 +1,7 @@
 # ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied md5 extraction_file
+# path:'http'
+# separator:' '
+# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table md5=string extraction_file=file
 1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - - -
 1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - - -
 1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - - -
diff --git a/testing/btest/Baseline/policy.protocols.irc.basic/irc.log b/testing/btest/Baseline/policy.protocols.irc.basic/irc.log
index bea67dcf5b..2d77551a78 100644
--- a/testing/btest/Baseline/policy.protocols.irc.basic/irc.log
+++ b/testing/btest/Baseline/policy.protocols.irc.basic/irc.log
@@ -1,4 +1,7 @@ # ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size extraction_file +# path:'irc' +# separator:' ' +# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port nick=string user=string channels=table command=string value=string addl=string tags=table dcc_file_name=string dcc_file_size=count extraction_file=file 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - - NICK bloed - - - - - 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - 1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - JOIN #easymovies - - - - - diff --git a/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log b/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log index fcb002698e..863016e969 100644 --- a/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log +++ b/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log @@ -1,4 +1,7 @@ # ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size dcc_mime_type extraction_file +# path:'irc' +# separator:' ' +# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port nick=string user=string channels=table command=string value=string addl=string tags=table dcc_file_name=string dcc_file_size=count dcc_mime_type=string extraction_file=file 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - - NICK bloed - - - - - - 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - - 1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - JOIN #easymovies - - - - - - 
diff --git a/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log b/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log index ea638d1892..bdb5a1fe1c 100644 --- a/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log +++ b/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log @@ -1,2 +1,5 @@ # ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid helo mailfrom rcptto date from to reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent +# path:'smtp' +# separator:' ' +# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port mid=string helo=string mailfrom=string rcptto=table date=string from=string to=table reply_to=string msg_id=string in_reply_to=string subject=string x_originating_ip=addr first_received=string second_received=string last_reply=string path=vector user_agent=string 1254722768.219663 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh GP Mon, 5 Oct 2009 11:36:07 +0530 "Gurpartap Singh" - <000301ca4581$ef9e57f0$cedb07d0$@in> - SMTP - - - 250 OK id=1Mugho-0003Dg-Un 74.53.140.153,10.10.1.4 Microsoft Office Outlook 12.0 diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log b/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log index 9496887d65..4fd0d42f6f 100644 --- a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log +++ b/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log 
@@ -1,4 +1,7 @@ # ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid filename content_len mime_type md5 extraction_file excerpt +# path:'smtp_entities' +# separator:' ' +# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port mid=string filename=string content_len=count mime_type=string md5=string extraction_file=file excerpt=string 1254722770.692743 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh - 79 FAKE_MIME - smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat - 1254722770.692743 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh - 1918 FAKE_MIME - - - 1254722770.692804 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh NEWS.txt 10823 FAKE_MIME - smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat - diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log b/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log index 2b143eacda..a89e3248e8 100644 --- a/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log +++ b/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log @@ -1,4 +1,7 @@ # ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid filename content_len mime_type md5 extraction_file excerpt +# path:'smtp_entities' +# separator:' ' +# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port mid=string filename=string content_len=count mime_type=string md5=string extraction_file=file excerpt=string 1254722770.692743 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh - 79 FAKE_MIME 92bca2e6cdcde73647125da7dccbdd07 - - 1254722770.692743 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh - 1918 FAKE_MIME - - - 1254722770.692804 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh NEWS.txt 10823 FAKE_MIME a968bb0f9f9d95835b2e74c845877e87 - - From 3b411b69f3536bccaf22c3aba84a4c27c02226bd Mon Sep 17 00:00:00 2001 
From: "Gilbert Clark gc355804@ohio.edu" Date: Tue, 30 Aug 2011 11:20:28 -0700 Subject: [PATCH 2/3] Updated header format (see #558) --- src/LogWriterAscii.cc | 58 ++++++++----- .../core.print-bpf-filters-ipv4/conn.log | 8 +- .../core.print-bpf-filters-ipv4/output | 40 ++++----- .../btest/Baseline/core.vlan-mpls/conn.log | 8 +- .../istate.events-ssl/receiver.http.log | 10 +-- .../istate.events-ssl/sender.http.log | 10 +-- .../Baseline/istate.events/receiver.http.log | 10 +-- .../Baseline/istate.events/sender.http.log | 10 +-- .../ssh-new-default.log | 12 +-- .../ssh.log | Bin 142 -> 143 bytes .../ssh.log | 18 ++-- .../ssh.log | Bin 515 -> 476 bytes .../test.log | 8 +- .../ssh.log | 8 +- .../policy.frameworks.logging.attr/ssh.log | 8 +- .../ssh.log | 18 ++-- .../policy.frameworks.logging.exclude/ssh.log | 8 +- .../policy.frameworks.logging.file/ssh.log | 10 +-- .../policy.frameworks.logging.include/ssh.log | 18 ++-- .../output | 70 +++++++-------- .../ssh.failure.log | 10 +-- .../ssh.success.log | 10 +-- .../receiver.test.log | 10 +-- .../sender.test.failure.log | 14 +-- .../sender.test.log | 18 ++-- .../sender.test.success.log | 12 +-- .../ssh.failure.log | 12 +-- .../policy.frameworks.logging.remove/ssh.log | 14 +-- .../out | 10 +-- .../policy.frameworks.logging.rotate/out | 80 +++++++++--------- .../policy.frameworks.logging.stdout/output | 18 ++-- .../ssh.log | 18 ++-- .../policy.frameworks.logging.types/ssh.log | Bin 457 -> 426 bytes .../testing.log | 8 +- .../policy.frameworks.logging.vec/ssh.log | 8 +- .../knownhosts-all.log | 8 +- .../knownhosts-local.log | 8 +- .../knownhosts-remote.log | 8 +- .../knownservices-all.log | 8 +- .../knownservices-local.log | 8 +- .../knownservices-remote.log | 8 +- .../dns.log | 8 +- .../http.log | 8 +- .../http.log | 8 +- .../policy.protocols.irc.basic/irc.log | 8 +- .../policy.protocols.irc.dcc-extract/irc.log | 8 +- .../policy.protocols.smtp.basic/smtp.log | 8 +- .../smtp_entities.log | 8 +- .../smtp_entities.log | 8 +- 
testing/btest/btest.cfg | 1 + testing/btest/profiles/default/finish | 2 + testing/btest/profiles/default/setup | 2 + testing/btest/profiles/default/supported | 2 + testing/btest/profiles/default/transform | 2 + 54 files changed, 358 insertions(+), 337 deletions(-) create mode 100755 testing/btest/profiles/default/finish create mode 100755 testing/btest/profiles/default/setup create mode 100755 testing/btest/profiles/default/supported create mode 100755 testing/btest/profiles/default/transform diff --git a/src/LogWriterAscii.cc b/src/LogWriterAscii.cc index fc589d8cb9..9353cea6dd 100644 --- a/src/LogWriterAscii.cc +++ b/src/LogWriterAscii.cc @@ -6,6 +6,25 @@ #include "LogWriterAscii.h" #include "NetVar.h" +/** + * Takes a string, escapes each character into its equivalent hex code (\x##), and + * returns a string containing all escaped values. + * + * @param str string to escape + * @return A std::string containing a list of escaped hex values of the form \x## + */ +static string _GetEscapedString(const std::string str) +{ + char tbuf[128]; + string esc = ""; + for (size_t i = 0; i < str.length(); ++i) + { + snprintf(tbuf, 128, "\\x%02x", str[i]); + esc += tbuf; + } + return esc; +} + /** * Takes a LogField and returns a human-readable version of its type. Used to output the type to the log file's * header. 
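Review bot: `_GetEscapedString` hands `str[i]`, a plain `char`, to `%02x`; on targets where `char` is signed any byte ≥ 0x80 is sign-extended and prints as `\xffffff80` instead of the `\x##` form the doc comment promises, which would corrupt the `# separator` line for a non-ASCII separator. Cast explicitly: `snprintf(tbuf, sizeof(tbuf), "\\x%02x", (unsigned char) str[i]);`. The parameter should also be `const std::string&` rather than by value, which only copies the string on every call, and using `sizeof(tbuf)` avoids repeating the literal 128. The doc comment could state the deliberate choice that every byte is escaped, printable or not, e.g. `* Every byte is escaped (even printable ones) so the header never contains the raw separator.`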
@@ -118,40 +137,33 @@ bool LogWriterAscii::DoInit(string path, int num_fields, if ( include_header ) { - if ( fwrite(header_prefix, header_prefix_len, 1, file) != 1 ) - goto write_error; - - for ( int i = 0; i < num_fields; i++ ) - { - if ( i > 0 && - fwrite(separator, separator_len, 1, file) != 1 ) - goto write_error; - - const LogField* field = fields[i]; - - if ( fputs(field->name.c_str(), file) == EOF ) - goto write_error; - } - - if ( fputc('\n', file) == EOF ) - goto write_error; - - string wString = string(header_prefix, header_prefix_len) + string("path:'") + path + string("'\n"); - wString += string(header_prefix, header_prefix_len) + "separator:'" + string(separator, separator_len) + "'\n"; + string wString = string(header_prefix, header_prefix_len) + "separator " + _GetEscapedString(string(separator, separator_len)) + "\n"; if(fwrite(wString.c_str(), wString.length(), 1, file) != 1) goto write_error; - - wString = string(header_prefix, header_prefix_len); + wString = string(header_prefix, header_prefix_len) + "fields" + string(separator, separator_len); for ( int i = 0; i < num_fields; ++i ) { const LogField* field = fields[i]; - wString += ((i > 0) ? string(separator, separator_len) : string("")) + field->name + string("=") + _GetBroTypeString(field); + wString += ((i > 0) ? string(separator, separator_len) : string("")) + field->name.c_str(); } if(fwrite(wString.c_str(), wString.length(), 1, file) != 1) goto write_error; if ( fputc('\n', file) == EOF ) goto write_error; + wString = string(header_prefix, header_prefix_len) + "types" + string(separator, separator_len); + for ( int i = 0; i < num_fields; ++i ) + { + const LogField* field = fields[i]; + wString += ((i > 0) ? 
string(separator, separator_len) : string("")) + _GetBroTypeString(field); + } + if(fwrite(wString.c_str(), wString.length(), 1, file) != 1) + goto write_error; + if ( fputc('\n', file) == EOF ) + goto write_error; + wString = string(header_prefix, header_prefix_len) + string("path") + string(separator, separator_len) + path + string("\n"); + if(fwrite(wString.c_str(), wString.length(), 1, file) != 1) + goto write_error; } return true; diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log index 830556743a..0d965a39be 100644 --- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log @@ -1,5 +1,5 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history -# path:'conn' -# separator:' ' -# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port proto=enum service=string duration=interval orig_bytes=count resp_bytes=count conn_state=string local_orig=bool missed_bytes=count history=string +# separator \x09 +# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history +# types time string addr port addr port enum string interval count count string bool count string +# path conn 1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output index 6ffc30b379..1fdd9b1cf1 100644 --- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/output +++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/output 
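Review bot: The separator line is hex-escaped via `_GetEscapedString`, but the `fields`, `types` and `path` lines are written raw with the live separator between tokens, so a path or field name that contains the separator byte, `#` or a newline produces a header that a consumer cannot split apart using the announced separator. Path values are not fixed literals — the path-func baseline in this same patch appears to derive them from a record field — so it is worth rejecting or escaping such bytes in `path` before the `wString = ... + path + "\n"` line, or at minimum stating the assumption with `// NOTE: path and field names are emitted unescaped; they must not contain the separator, '#' or '\n'`. In the fields loop, `field->name.c_str()` converts a `std::string` back to a C string for nothing and would truncate at an embedded NUL; `wString += ((i > 0) ? string(separator, separator_len) : string("")) + field->name;` is sufficient. DoInit's signature and the start of its body lie outside this hunk.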
@@ -1,20 +1,20 @@ -# ts node filter init success -# path:'packet_filter' -# separator:' ' -# ts=time node=string filter=string init=bool success=bool -1313294321.706635 - not ip6 F T -# ts node filter init success -# path:'packet_filter' -# separator:' ' -# ts=time node=string filter=string init=bool success=bool -1313294321.886625 - (((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) F T -# ts node filter init success -# path:'packet_filter' -# separator:' ' -# ts=time node=string filter=string init=bool success=bool -1313294322.054107 - port 42 F T -# ts node filter init success -# path:'packet_filter' -# separator:' ' -# ts=time node=string filter=string init=bool success=bool -1313294322.221475 - port 56730 T T +# separator \x09 +# fields ts node filter init success +# types time string string bool bool +# path packet_filter +1314727730.005834 - not ip6 F T +# separator \x09 +# fields ts node filter init success +# types time string string bool bool +# path packet_filter +1314727730.210660 - (((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (udp and port 5353)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port smtp or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or 
(port 6666)) and (not ip6) F T +# separator \x09 +# fields ts node filter init success +# types time string string bool bool +# path packet_filter +1314727730.391189 - port 42 F T +# separator \x09 +# fields ts node filter init success +# types time string string bool bool +# path packet_filter +1314727730.576036 - port 56730 T T diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log index 4202037144..e11386661e 100644 --- a/testing/btest/Baseline/core.vlan-mpls/conn.log +++ b/testing/btest/Baseline/core.vlan-mpls/conn.log @@ -1,7 +1,7 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history -# path:'conn' -# separator:' ' -# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port proto=enum service=string duration=interval orig_bytes=count resp_bytes=count conn_state=string local_orig=bool missed_bytes=count history=string +# separator \x09 +# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history +# types time string addr port addr port enum string interval count count string bool count string +# path conn 952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 - 1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log index 8eeff70133..473aa7526c 100644 --- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log +++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log 
@@ -1,5 +1,5 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -# path:'http' -# separator:' ' -# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file -1313294803.616197 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - +# separator \x09 +# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file +# types time string addr port addr port string string string string string count count count string string table string string table string string file +# path http +1314727981.131631 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log index 8eeff70133..473aa7526c 100644 --- a/testing/btest/Baseline/istate.events-ssl/sender.http.log +++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log 
@@ -1,5 +1,5 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -# path:'http' -# separator:' ' -# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file -1313294803.616197 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - +# separator \x09 +# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file +# types time string addr port addr port string string string string string count count count string string table string string table string string file +# path http +1314727981.131631 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log index 9aa3b8b299..d463a260d3 100644 --- a/testing/btest/Baseline/istate.events/receiver.http.log +++ b/testing/btest/Baseline/istate.events/receiver.http.log 
@@ -1,5 +1,5 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -# path:'http' -# separator:' ' -# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file -1313294821.853639 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - +# separator \x09 +# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file +# types time string addr port addr port string string string string string count count count string string table string string table string string file +# path http +1314727996.111318 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log index 9aa3b8b299..d463a260d3 100644 --- a/testing/btest/Baseline/istate.events/sender.http.log +++ b/testing/btest/Baseline/istate.events/sender.http.log 
@@ -1,5 +1,5 @@ -# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file -# path:'http' -# separator:' ' -# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file -1313294821.853639 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - +# separator \x09 +# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file +# types time string addr port addr port string string string string string count count count string string table string string table string string file +# path http +1314727996.111318 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 GET www.icir.org / - Wget/1.10 - 9130 200 OK - - - - - text/html - - diff --git a/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log b/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log index a6801462ef..5392850f5d 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log +++ b/testing/btest/Baseline/policy.frameworks.logging.adapt-filter/ssh-new-default.log 
@@ -1,6 +1,6 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -# path:'ssh-new-default' -# separator:' ' -# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string -1313294629.401535 1.2.3.4 1234 2.3.4.5 80 success unknown -1313294629.401535 1.2.3.4 1234 2.3.4.5 80 failure US +# separator \x09 +# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +# types time addr port addr port string string +# path ssh-new-default +1314727872.290926 1.2.3.4 1234 2.3.4.5 80 success unknown +1314727872.290926 1.2.3.4 1234 2.3.4.5 80 failure US diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-binary/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.ascii-binary/ssh.log index 12433a10eb52e6ded1c1444ea957994d187ae3de..79a1c375d6164d00dcf61015768be2c8b7383dca 100644 GIT binary patch delta 77 zcmeBU>}PaURwzy_NGwV$$uClfsW4CGQdUUIOwCCtu1QHONdyx{K(Ug_g4E)g;*z4w VymTl96fH8?*ob literal 142 zcmY#ZNJ%V7tN{^5T*?Xsi6t3U>czzw>Of9$YC&RAVo83Hm3j?`4^m`XTvC*omk!YY sRHUUbFr=iW)wno@I2u7D%#*Q;gOtWp0A&&C0l$tcj{pDw diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-empty/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.ascii-empty/ssh.log index 510093520c..c5c542eef5 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.ascii-empty/ssh.log +++ b/testing/btest/Baseline/policy.frameworks.logging.ascii-empty/ssh.log 
@@ -1,9 +1,9 @@ -PREFIX<>t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b -PREFIX<>path:'ssh' -PREFIX<>separator:'|' -PREFIX<>t=time|id.orig_h=addr|id.orig_p=port|id.resp_h=addr|id.resp_p=port|status=string|country=string|b=bool -1313294759.195743|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET -1313294759.195743|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET -1313294759.195743|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET -1313294759.195743|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET -1313294759.195743|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T +PREFIX<>separator \x7c +PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b +PREFIX<>types|time|addr|port|addr|port|string|string|bool +PREFIX<>path|ssh +1314727948.493595|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET +1314727948.493595|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET +1314727948.493595|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET +1314727948.493595|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET +1314727948.493595|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-escape/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.ascii-escape/ssh.log index bd3dd8d1911ffae8b53562baa26e54c604b2a35c..ccb1542f316e4c4962698f63c69f772cce60bf74 100644 GIT binary patch literal 476 zcmb7=O$)*>42C`LR}8$DeaZCdRlF#I2SLhKwWw`LT6B;fZ(2pYj?(mP!uzD@G)Ltm zNN*uOJlihrY?`06y7frpiF7Y4==1UNlP*b6=swvbIg4KUz_!i?<6&TsADoIDeOE-X z?}5l!VC=s}589lgJ)Z1x(sMh+OIFrp(^l=GD8#&&@ggckC2G;IsA`VsB4$K$u3_jp uh1@WhtFaF=)_;=v7J#3++m5%!zni4+My$pnF#Hf{isfc3;yb{4pS=Kn!I{DU literal 515 zcmb79v1-FG5Y6nb2xRakVk?Q$fS0Z%OG=jn%hy!kfv$IQLID1Gw~TAknLpML%}-6D=;@ix~2eYS`#UQcr^o&}B{ F#RCx9rzZda diff --git a/testing/btest/Baseline/policy.frameworks.logging.ascii-timestamps/test.log b/testing/btest/Baseline/policy.frameworks.logging.ascii-timestamps/test.log index 861e1588e6..ae6b4796ed 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.ascii-timestamps/test.log 
+++ b/testing/btest/Baseline/policy.frameworks.logging.ascii-timestamps/test.log @@ -1,7 +1,7 @@ -# data -# path:'test' -# separator:' ' -# data=time +# separator \x09 +# fields data +# types time +# path test 1234567890.000000 1234567890.000000 1234567890.010000 diff --git a/testing/btest/Baseline/policy.frameworks.logging.attr-extend/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.attr-extend/ssh.log index 66d3ecd7e5..07477fef25 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.attr-extend/ssh.log +++ b/testing/btest/Baseline/policy.frameworks.logging.attr-extend/ssh.log @@ -1,5 +1,5 @@ -# status country a1 b1 b2 -# path:'ssh' -# separator:' ' -# status=string country=string a1=count b1=count b2=count +# separator \x09 +# fields status country a1 b1 b2 +# types string string count count count +# path ssh success unknown 1 3 4 diff --git a/testing/btest/Baseline/policy.frameworks.logging.attr/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.attr/ssh.log index d8204b80ae..4d1829a3da 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.attr/ssh.log +++ b/testing/btest/Baseline/policy.frameworks.logging.attr/ssh.log @@ -1,7 +1,7 @@ -# status country -# path:'ssh' -# separator:' ' -# status=string country=string +# separator \x09 +# fields status country +# types string string +# path ssh success unknown failure US failure UK diff --git a/testing/btest/Baseline/policy.frameworks.logging.empty-event/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.empty-event/ssh.log index 2bbdfc5598..c61c320438 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.empty-event/ssh.log +++ b/testing/btest/Baseline/policy.frameworks.logging.empty-event/ssh.log 
@@ -1,9 +1,9 @@ -# t id.orig_h id.orig_p id.resp_h id.resp_p status country -# path:'ssh' -# separator:' ' -# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string -1313294569.495672 1.2.3.4 1234 2.3.4.5 80 success unknown -1313294569.495672 1.2.3.4 1234 2.3.4.5 80 failure US -1313294569.495672 1.2.3.4 1234 2.3.4.5 80 failure UK -1313294569.495672 1.2.3.4 1234 2.3.4.5 80 success BR -1313294569.495672 1.2.3.4 1234 2.3.4.5 80 failure MX +# separator \x09 +# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +# types time addr port addr port string string +# path ssh +1314727852.730851 1.2.3.4 1234 2.3.4.5 80 success unknown +1314727852.730851 1.2.3.4 1234 2.3.4.5 80 failure US +1314727852.730851 1.2.3.4 1234 2.3.4.5 80 failure UK +1314727852.730851 1.2.3.4 1234 2.3.4.5 80 success BR +1314727852.730851 1.2.3.4 1234 2.3.4.5 80 failure MX diff --git a/testing/btest/Baseline/policy.frameworks.logging.exclude/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.exclude/ssh.log index b19e940b32..fa8e93a2c2 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.exclude/ssh.log +++ b/testing/btest/Baseline/policy.frameworks.logging.exclude/ssh.log @@ -1,7 +1,7 @@ -# id.orig_p id.resp_h id.resp_p status country -# path:'ssh' -# separator:' ' -# id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string +# separator \x09 +# fields id.orig_p id.resp_h id.resp_p status country +# types port addr port string string +# path ssh 1234 2.3.4.5 80 success unknown 1234 2.3.4.5 80 failure US 1234 2.3.4.5 80 failure UK diff --git a/testing/btest/Baseline/policy.frameworks.logging.file/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.file/ssh.log index d161b04fee..00ebea6dca 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.file/ssh.log +++ b/testing/btest/Baseline/policy.frameworks.logging.file/ssh.log 
@@ -1,5 +1,5 @@ -# t f -# path:'ssh' -# separator:' ' -# t=time f=file -1313294659.301877 Foo.log +# separator \x09 +# fields t f +# types time file +# path ssh +1314727892.880049 Foo.log diff --git a/testing/btest/Baseline/policy.frameworks.logging.include/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.include/ssh.log index 63329d38fd..3a767d9992 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.include/ssh.log +++ b/testing/btest/Baseline/policy.frameworks.logging.include/ssh.log @@ -1,9 +1,9 @@ -# t id.orig_h -# path:'ssh' -# separator:' ' -# t=time id.orig_h=addr -1313294779.446569 1.2.3.4 -1313294779.446569 1.2.3.4 -1313294779.446569 1.2.3.4 -1313294779.446569 1.2.3.4 -1313294779.446569 1.2.3.4 +# separator \x09 +# fields t id.orig_h +# types time addr +# path ssh +1314727963.092660 1.2.3.4 +1314727963.092660 1.2.3.4 +1314727963.092660 1.2.3.4 +1314727963.092660 1.2.3.4 +1314727963.092660 1.2.3.4 diff --git a/testing/btest/Baseline/policy.frameworks.logging.path-func/output b/testing/btest/Baseline/policy.frameworks.logging.path-func/output index 93560dad22..4b634aa98f 100644 --- a/testing/btest/Baseline/policy.frameworks.logging.path-func/output +++ b/testing/btest/Baseline/policy.frameworks.logging.path-func/output 
@@ -5,38 +5,38 @@ static-prefix-1-MX.log
 static-prefix-1-US.log
 static-prefix-2-MX2.log
 static-prefix-2-UK.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'static-prefix-0-BR'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294713.688145 1.2.3.4 1234 2.3.4.5 80 success BR
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'static-prefix-0-MX3'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294713.688145 1.2.3.4 1234 2.3.4.5 80 failure MX3
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'static-prefix-0-unknown'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294713.688145 1.2.3.4 1234 2.3.4.5 80 success unknown
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'static-prefix-1-MX'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294713.688145 1.2.3.4 1234 2.3.4.5 80 failure MX
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'static-prefix-1-US'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294713.688145 1.2.3.4 1234 2.3.4.5 80 failure US
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'static-prefix-2-MX2'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294713.688145 1.2.3.4 1234 2.3.4.5 80 failure MX2
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'static-prefix-2-UK'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294713.688145 1.2.3.4 1234 2.3.4.5 80 failure UK
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path static-prefix-0-BR
+1314727918.882660 1.2.3.4 1234 2.3.4.5 80 success BR
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path static-prefix-0-MX3
+1314727918.882660 1.2.3.4 1234 2.3.4.5 80 failure MX3
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path static-prefix-0-unknown
+1314727918.882660 1.2.3.4 1234 2.3.4.5 80 success unknown
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path static-prefix-1-MX
+1314727918.882660 1.2.3.4 1234 2.3.4.5 80 failure MX
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path static-prefix-1-US
+1314727918.882660 1.2.3.4 1234 2.3.4.5 80 failure US
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path static-prefix-2-MX2
+1314727918.882660 1.2.3.4 1234 2.3.4.5 80 failure MX2
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path static-prefix-2-UK
+1314727918.882660 1.2.3.4 1234 2.3.4.5 80 failure UK
diff --git a/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.failure.log b/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.failure.log
index bfe4b166ba..7d59255100 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.failure.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.failure.log
@@ -1,5 +1,5 @@
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'ssh.failure'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294637.607505 1.2.3.4 1234 2.3.4.5 80 failure US
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path ssh.failure
+1314727874.590133 1.2.3.4 1234 2.3.4.5 80 failure US
diff --git a/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.success.log b/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.success.log
index 4288669eb2..eb9102edad 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.success.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.pred/ssh.success.log
@@ -1,5 +1,5 @@
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'ssh.success'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294637.607505 1.2.3.4 1234 2.3.4.5 80 success -
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path ssh.success
+1314727874.590133 1.2.3.4 1234 2.3.4.5 80 success -
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log
index 9fd99886fd..2c2d8328e9 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.remote-types/receiver.test.log
@@ -1,5 +1,5 @@
-# b i e c p sn n a d t iv s sc ss se vc ve
-# path:'test'
-# separator:' '
-# b=bool i=int e=enum c=count p=port sn=subnet n=net a=addr d=double t=time iv=interval s=string sc=table ss=table se=table vc=vector ve=vector
-T -42 Test::TEST 21 123 10.0.0.0/24 10.0.0.0 1.2.3.4 3.14 1313294605.568014 100.0 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY
+# separator \x09
+# fields b i e c p sn n a d t iv s sc ss se vc ve
+# types bool int enum count port subnet net addr double time interval string table table table vector vector
+# path test
+T -42 Test::TEST 21 123 10.0.0.0/24 10.0.0.0 1.2.3.4 3.14 1314727862.540918 100.0 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log
index 029ea30dc2..81b7ea359f 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.failure.log
@@ -1,7 +1,7 @@
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'test.failure'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 failure US
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 failure UK
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 failure MX
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path test.failure
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 failure US
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 failure UK
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 failure MX
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log
index 70d339700e..6d006897aa 100644
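Review bot: The new `# types` line in the receiver.test.log hunk still flattens every container to a bare `table` or `vector`, so a script that reads this header cannot tell `sc` (a set of counts) from `ss` (a set of strings), and the data line uses `EMPTY` for an empty set and `-` for an unset value while nothing in the header declares those sentinels, so a string field whose literal value is `-` or `EMPTY` is indistinguishable from an absent one. Since the stated goal is headers that scripts can understand, consider also emitting `# unset_field -` and `# empty_field EMPTY`, and writing the element type in `# types` (e.g. `set[count]` rather than `table`). The writer itself (src/LogWriterAscii.cc) is not in this chunk, so this is inferred from the baseline output only; I would also confirm there that a string value containing a tab or newline is escaped, since the `\x09` separator now carries the whole framing.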
--- a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.log
@@ -1,9 +1,9 @@
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 success -
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 failure US
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 failure UK
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 success BR
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 failure MX
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path test
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 success -
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 failure US
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 failure UK
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 success BR
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 failure MX
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log
index be29379d2c..aa59dc2a44 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.remote/sender.test.success.log
@@ -1,6 +1,6 @@
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'test.success'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 success -
-1313294726.669862 1.2.3.4 1234 2.3.4.5 80 success BR
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path test.success
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 success -
+1314727932.130262 1.2.3.4 1234 2.3.4.5 80 success BR
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.failure.log b/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.failure.log
index 9b6a4a7d07..79c110714a 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.failure.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.failure.log
@@ -1,6 +1,6 @@
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'ssh.failure'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294785.141559 1.2.3.4 1234 2.3.4.5 80 failure US
-1313294785.141559 1.2.3.4 1234 2.3.4.5 80 failure UK
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path ssh.failure
+1314727967.932172 1.2.3.4 1234 2.3.4.5 80 failure US
+1314727967.932172 1.2.3.4 1234 2.3.4.5 80 failure UK
diff --git a/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.log
index 75306f5159..78cbeca160 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.remove/ssh.log
@@ -1,7 +1,7 @@
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'ssh'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294785.141559 1.2.3.4 1234 2.3.4.5 80 failure US
-1313294785.141559 1.2.3.4 1234 2.3.4.5 80 failure UK
-1313294785.141559 1.2.3.4 1234 2.3.4.5 80 failure BR
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path ssh
+1314727967.932172 1.2.3.4 1234 2.3.4.5 80 failure US
+1314727967.932172 1.2.3.4 1234 2.3.4.5 80 failure UK
+1314727967.932172 1.2.3.4 1234 2.3.4.5 80 failure BR
diff --git a/testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out b/testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out
index 6c16b06f92..95661849d3 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out
+++ b/testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out
@@ -28,11 +28,11 @@ custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, path=tes
 custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F]
 custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F]
 custom rotate, [writer=WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T]
-# path:'test'
-# path:'test2'
-# separator:' '
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# path test
+# path test2
+# separator \x09
+# types time addr port addr port
 1299466805.000000 10.0.0.1 20 10.0.0.2 1024
 1299470395.000000 10.0.0.2 20 10.0.0.3 0
 1299470405.000000 10.0.0.1 20 10.0.0.2 1025
diff --git a/testing/btest/Baseline/policy.frameworks.logging.rotate/out b/testing/btest/Baseline/policy.frameworks.logging.rotate/out
index 40a9887c13..22624ea09d 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.rotate/out
+++ b/testing/btest/Baseline/policy.frameworks.logging.rotate/out
@@ -9,72 +9,72 @@ test.2011-03-07-10-00-05.log test 11-03-07_10.00.05 11-03-07_11.00.05 0
 test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0
 test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
 > test.2011-03-07-03-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299466805.000000 10.0.0.1 20 10.0.0.2 1024
 1299470395.000000 10.0.0.2 20 10.0.0.3 0
 > test.2011-03-07-04-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299470405.000000 10.0.0.1 20 10.0.0.2 1025
 1299473995.000000 10.0.0.2 20 10.0.0.3 1
 > test.2011-03-07-05-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299474005.000000 10.0.0.1 20 10.0.0.2 1026
 1299477595.000000 10.0.0.2 20 10.0.0.3 2
 > test.2011-03-07-06-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299477605.000000 10.0.0.1 20 10.0.0.2 1027
 1299481195.000000 10.0.0.2 20 10.0.0.3 3
 > test.2011-03-07-07-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299481205.000000 10.0.0.1 20 10.0.0.2 1028
 1299484795.000000 10.0.0.2 20 10.0.0.3 4
 > test.2011-03-07-08-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299484805.000000 10.0.0.1 20 10.0.0.2 1029
 1299488395.000000 10.0.0.2 20 10.0.0.3 5
 > test.2011-03-07-09-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299488405.000000 10.0.0.1 20 10.0.0.2 1030
 1299491995.000000 10.0.0.2 20 10.0.0.3 6
 > test.2011-03-07-10-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299492005.000000 10.0.0.1 20 10.0.0.2 1031
 1299495595.000000 10.0.0.2 20 10.0.0.3 7
 > test.2011-03-07-11-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299495605.000000 10.0.0.1 20 10.0.0.2 1032
 1299499195.000000 10.0.0.2 20 10.0.0.3 8
 > test.2011-03-07-12-00-05.log
-# t id.orig_h id.orig_p id.resp_h id.resp_p
-# path:'test'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p
+# types time addr port addr port
+# path test
 1299499205.000000 10.0.0.1 20 10.0.0.2 1033
 1299502795.000000 10.0.0.2 20 10.0.0.3 9
diff --git a/testing/btest/Baseline/policy.frameworks.logging.stdout/output b/testing/btest/Baseline/policy.frameworks.logging.stdout/output
index 8d9b9fde51..54c323572d 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.stdout/output
+++ b/testing/btest/Baseline/policy.frameworks.logging.stdout/output
@@ -1,9 +1,9 @@
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'/dev/stdout'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294620.928942 1.2.3.4 1234 2.3.4.5 80 success unknown
-1313294620.928942 1.2.3.4 1234 2.3.4.5 80 failure US
-1313294620.928942 1.2.3.4 1234 2.3.4.5 80 failure UK
-1313294620.928942 1.2.3.4 1234 2.3.4.5 80 success BR
-1313294620.928942 1.2.3.4 1234 2.3.4.5 80 failure MX
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path /dev/stdout
+1314727869.880042 1.2.3.4 1234 2.3.4.5 80 success unknown
+1314727869.880042 1.2.3.4 1234 2.3.4.5 80 failure US
+1314727869.880042 1.2.3.4 1234 2.3.4.5 80 failure UK
+1314727869.880042 1.2.3.4 1234 2.3.4.5 80 success BR
+1314727869.880042 1.2.3.4 1234 2.3.4.5 80 failure MX
diff --git a/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log
index 746685f27e..220955530c 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.test-logging/ssh.log
@@ -1,9 +1,9 @@
-# t id.orig_h id.orig_p id.resp_h id.resp_p status country
-# path:'ssh'
-# separator:' '
-# t=time id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port status=string country=string
-1313294707.543971 1.2.3.4 1234 2.3.4.5 80 success unknown
-1313294707.543971 1.2.3.4 1234 2.3.4.5 80 failure US
-1313294707.543971 1.2.3.4 1234 2.3.4.5 80 failure UK
-1313294707.543971 1.2.3.4 1234 2.3.4.5 80 success BR
-1313294707.543971 1.2.3.4 1234 2.3.4.5 80 failure MX
+# separator \x09
+# fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
+# types time addr port addr port string string
+# path ssh
+1314727916.553137 1.2.3.4 1234 2.3.4.5 80 success unknown
+1314727916.553137 1.2.3.4 1234 2.3.4.5 80 failure US
+1314727916.553137 1.2.3.4 1234 2.3.4.5 80 failure UK
+1314727916.553137 1.2.3.4 1234 2.3.4.5 80 success BR
+1314727916.553137 1.2.3.4 1234 2.3.4.5 80 failure MX
diff --git a/testing/btest/Baseline/policy.frameworks.logging.types/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.types/ssh.log
index 38327e2d997cb76f0d7698d1c532926a59c3b1a6..b68376c5f6e18e7a46d9745e878ca21fed309e8c 100644
GIT binary patch delta 184 zcmX@fyoy;$S)n+!Ah9U1B)>=@rozCIOIaZ;Gc_lrm~$eNZhc8*L25B)Qht68XJ%dr zXKG$)E@yInDUex^UsS?bT$+@ZTEYp!i76>XoGJOGNja&UC7HRYAoZz5Wr;bQ#U(|V zdFh-biC`%tvMeK6?nI3(W}JW~2pR+F-xUb-rz;jk XF}yF!be|uxJlp2!>6m4YX!iU9dqG7a
diff --git a/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log b/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log
index 3d62164bd4..8d69793df4 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.unset-record/testing.log
@@ -1,6 +1,6 @@
-# a.val1 a.val2 b
-# path:'testing'
-# separator:' '
-# a.val1=count a.val2=count b=count
+# separator \x09
+# fields a.val1 a.val2 b
+# types count count count
+# path testing
 - - 6
 1 2 3
diff --git a/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log b/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log
index ffa1f9e94c..9134ac32db 100644
--- a/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log
+++ b/testing/btest/Baseline/policy.frameworks.logging.vec/ssh.log
@@ -1,5 +1,5 @@
-# vec
-# path:'ssh'
-# separator:' '
-# vec=vector
+# separator \x09
+# fields vec
+# types vector
+# path ssh
 -,2,-,-,5
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log
index 4e1a9d3802..7752ad99b3 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-all.log
@@ -1,7 +1,7 @@
-# ts host
-# path:'known_hosts'
-# separator:' '
-# ts=time host=addr
+# separator \x09
+# fields ts host
+# types time addr
+# path known_hosts
 1300475168.783842 141.142.220.118
 1300475168.783842 208.80.152.118
 1300475168.915940 208.80.152.3
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log
index 50251059d8..246c45fbc2 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-local.log
@@ -1,5 +1,5 @@
-# ts host
-# path:'known_hosts'
-# separator:' '
-# ts=time host=addr
+# separator \x09
+# fields ts host
+# types time addr
+# path known_hosts
 1300475168.783842 141.142.220.118
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log
index de3d9e0856..be10c277c9 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-hosts/knownhosts-remote.log
@@ -1,7 +1,7 @@
-# ts host
-# path:'known_hosts'
-# separator:' '
-# ts=time host=addr
+# separator \x09
+# fields ts host
+# types time addr
+# path known_hosts
 1300475168.783842 208.80.152.118
 1300475168.915940 208.80.152.3
 1300475168.962628 208.80.152.2
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log
index d7be5f3994..99048de8cd 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-all.log
@@ -1,7 +1,7 @@
-# ts host port_num port_proto service
-# path:'known_services'
-# separator:' '
-# ts=time host=addr port_num=port port_proto=enum service=table
+# separator \x09
+# fields ts host port_num port_proto service
+# types time addr port enum table
+# path known_services
 1308930691.035044 172.16.238.131 22 tcp SSH
 1308930694.548964 172.16.238.131 80 tcp HTTP
 1308930716.457950 74.125.225.81 80 tcp HTTP
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log
index ebe040c18c..bc94a1b815 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-local.log
@@ -1,7 +1,7 @@
-# ts host port_num port_proto service
-# path:'known_services'
-# separator:' '
-# ts=time host=addr port_num=port port_proto=enum service=table
+# separator \x09
+# fields ts host port_num port_proto service
+# types time addr port enum table
+# path known_services
 1308930691.035044 172.16.238.131 22 tcp SSH
 1308930694.548964 172.16.238.131 80 tcp HTTP
 1308930703.068148 172.16.238.131 21 tcp FTP
diff --git a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log
index cdb00e1cea..407bb18b3f 100644
--- a/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log
+++ b/testing/btest/Baseline/policy.protocols.conn.known-services/knownservices-remote.log
@@ -1,6 +1,6 @@
-# ts host port_num port_proto service
-# path:'known_services'
-# separator:' '
-# ts=time host=addr port_num=port port_proto=enum service=table
+# separator \x09
+# fields ts host port_num port_proto service
+# types time addr port enum table
+# path known_services
 1308930716.457950 74.125.225.81 80 tcp HTTP
 1308930726.864150 141.142.192.39 22 tcp SSH
diff --git a/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log b/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log
index b2d843b24d..e558d4498f 100644
--- a/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log
+++ b/testing/btest/Baseline/policy.protocols.dns.event-priority/dns.log
@@ -1,5 +1,5 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z TTL answers auth addl
-# path:'dns'
-# separator:' '
-# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port proto=enum trans_id=count query=string qclass=count qclass_name=string qtype=count qtype_name=string rcode=count rcode_name=string QR=bool AA=bool TC=bool RD=bool RA=bool Z=count TTL=interval answers=table auth=table addl=table
+# separator \x09
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name QR AA TC RD RA Z TTL answers auth addl
+# types time string addr port addr port enum count string count string count string count string bool bool bool bool bool count interval table table table
+# path dns
 930613226.529070 UWkUyAuUGXf 212.180.42.100 25000 131.243.64.3 53 tcp 34798 - - - - - 0 NOERROR F F F F T 0 31337.0 4.3.2.1 - -
diff --git a/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log b/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log
index 07649e6100..39eebd2d17 100644
--- a/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log
+++ b/testing/btest/Baseline/policy.protocols.http.http-mime-and-md5/http.log
@@ -1,7 +1,7 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
-# path:'http'
-# separator:' '
-# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table mime_type=string md5=string extraction_file=file
+# separator \x09
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied mime_type md5 extraction_file
+# types time string addr port addr port string string string string string count count count string string table string string table string string file
+# path http
 1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - FAKE_MIME - -
 1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - FAKE_MIME - -
 1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - FAKE_MIME - -
diff --git a/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log
index 29eeb6eed5..f3dbf1c0e0 100644
--- a/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log
+++ b/testing/btest/Baseline/policy.protocols.http.http-pipelining/http.log
@@ -1,7 +1,7 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied md5 extraction_file
-# path:'http'
-# separator:' '
-# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port method=string host=string uri=string referrer=string user_agent=string request_content_length=count response_content_length=count status_code=count status_msg=string filename=string tags=table username=string password=string proxied=table md5=string extraction_file=file
+# separator \x09
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri referrer user_agent request_content_length response_content_length status_code status_msg filename tags username password proxied md5 extraction_file
+# types time string addr port addr port string string string string string count count count string string table string string table string file
+# path http
 1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 946 200 OK - - - - - - -
 1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 6716 200 OK - - - - - - -
 1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 - 94 200 OK - - - - - - -
diff --git a/testing/btest/Baseline/policy.protocols.irc.basic/irc.log b/testing/btest/Baseline/policy.protocols.irc.basic/irc.log
index 2d77551a78..45b3e63971 100644
--- a/testing/btest/Baseline/policy.protocols.irc.basic/irc.log
+++ b/testing/btest/Baseline/policy.protocols.irc.basic/irc.log
@@ -1,7 +1,7 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size extraction_file
-# path:'irc'
-# separator:' '
-# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port nick=string user=string channels=table command=string value=string addl=string tags=table dcc_file_name=string dcc_file_size=count extraction_file=file
+# separator \x09
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size extraction_file
+# types time string addr port addr port string string table string string string table string count file
+# path irc
 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - - NICK bloed - - - - -
 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - -
 1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - JOIN #easymovies - - - - -
diff --git a/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log b/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log
index 863016e969..eadec9c089 100644
--- a/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log
+++ b/testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log
@@ -1,7 +1,7 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size dcc_mime_type extraction_file
-# path:'irc'
-# separator:' '
-# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port nick=string user=string channels=table command=string value=string addl=string tags=table dcc_file_name=string dcc_file_size=count dcc_mime_type=string extraction_file=file
+# separator \x09
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size dcc_mime_type extraction_file
+# types time string addr port addr port string string table string string string table string count string file
+# path irc
 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - - NICK bloed - - - - - -
 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - -
 1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - JOIN #easymovies - - - - - -
diff --git a/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log b/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log
index bdb5a1fe1c..e726b26c41 100644
--- a/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log
+++ b/testing/btest/Baseline/policy.protocols.smtp.basic/smtp.log
@@ -1,5 +1,5 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid helo mailfrom rcptto date from to reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent
-# path:'smtp'
-# separator:' '
-# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port mid=string helo=string mailfrom=string rcptto=table date=string from=string to=table reply_to=string msg_id=string in_reply_to=string subject=string x_originating_ip=addr first_received=string second_received=string last_reply=string path=vector user_agent=string
+# separator \x09
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid helo mailfrom rcptto date from to reply_to msg_id in_reply_to subject x_originating_ip first_received second_received last_reply path user_agent
+# types time string addr port addr port string string string table string string table string string string string addr string string string vector string
+# path smtp
 1254722768.219663 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh GP Mon, 5 Oct 2009 11:36:07 +0530 "Gurpartap Singh" - <000301ca4581$ef9e57f0$cedb07d0$@in> - SMTP - - - 250 OK id=1Mugho-0003Dg-Un 74.53.140.153,10.10.1.4 Microsoft Office Outlook 12.0
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log b/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log
index 4fd0d42f6f..5fcd20ea5e 100644
--- a/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log
+++ b/testing/btest/Baseline/policy.protocols.smtp.mime-extract/smtp_entities.log
@@ -1,7 +1,7 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid filename content_len mime_type md5 extraction_file excerpt
-# path:'smtp_entities'
-# separator:' '
-# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port mid=string filename=string content_len=count mime_type=string md5=string extraction_file=file excerpt=string
+# separator \x09
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid filename content_len mime_type md5 extraction_file excerpt
+# types time string addr port addr port string string count string string file string
+# path smtp_entities
 1254722770.692743 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh - 79 FAKE_MIME - smtp-entity_10.10.1.4:1470-74.53.140.153:25_1.dat -
 1254722770.692743 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh - 1918 FAKE_MIME - - -
 1254722770.692804 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh NEWS.txt 10823 FAKE_MIME - smtp-entity_10.10.1.4:1470-74.53.140.153:25_2.dat -
diff --git a/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log b/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log
index a89e3248e8..e8d94c968f 100644
--- a/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log
+++ b/testing/btest/Baseline/policy.protocols.smtp.mime/smtp_entities.log
@@ -1,7 +1,7 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid filename content_len mime_type md5 extraction_file excerpt
-# path:'smtp_entities'
-# separator:' '
-# ts=time uid=string id.orig_h=addr id.orig_p=port id.resp_h=addr id.resp_p=port mid=string filename=string content_len=count mime_type=string md5=string extraction_file=file excerpt=string
+# separator \x09
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mid filename content_len mime_type md5 extraction_file excerpt
+# types time string addr port addr port string string count string string file string
+# path smtp_entities
 1254722770.692743 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh - 79 FAKE_MIME 92bca2e6cdcde73647125da7dccbdd07 - -
 1254722770.692743 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh - 1918 FAKE_MIME - - -
 1254722770.692804 56gKBmhBBB6 10.10.1.4 1470 74.53.140.153 25 @50da4BEzauh NEWS.txt 10823 FAKE_MIME a968bb0f9f9d95835b2e74c845877e87 - -
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 1aa7b28f25..b8e471a5f5 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -1,4 +1,5 @@
 [btest]
+ProfileDir = profiles
 TestDirs = doc bifs language core policy istate
 TmpDir = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline
diff --git a/testing/btest/profiles/default/finish b/testing/btest/profiles/default/finish
new file mode 100755
index 0000000000..20d602bdd3
--- /dev/null
+++ b/testing/btest/profiles/default/finish
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+
diff --git a/testing/btest/profiles/default/setup b/testing/btest/profiles/default/setup
new file mode 100755
index 0000000000..20d602bdd3
--- /dev/null
+++ b/testing/btest/profiles/default/setup
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+
diff --git a/testing/btest/profiles/default/supported b/testing/btest/profiles/default/supported
new file mode 100755
index 0000000000..20d602bdd3
--- /dev/null
+++ b/testing/btest/profiles/default/supported
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+
diff --git a/testing/btest/profiles/default/transform b/testing/btest/profiles/default/transform
new file mode 100755
index 0000000000..20d602bdd3
--- /dev/null
+++ b/testing/btest/profiles/default/transform
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+
From 728c0b5b3532a47f64f513cc69b0df19efb6df76 Mon Sep 17 00:00:00 2001
From: "Gilbert Clark gc355804@ohio.edu"
Date: Tue, 30 Aug 2011 11:40:50 -0700
Subject: [PATCH 3/3] Updated tests; removed net type from type conversion code.
---
 src/LogWriterAscii.cc | 2 --
 .../core.print-bpf-filters-ipv4/conn.log | 6 +++---
 testing/btest/Baseline/core.vlan-mpls/conn.log | 10 +++++-----
 .../receiver.test.log | 7 +++++--
 .../ssh.log | Bin 267 -> 411 bytes
 .../metrics.log | 11 +++++++----
 .../notice.log | 9 ++++++---
 7 files changed, 26 insertions(+), 19 deletions(-)
diff --git a/src/LogWriterAscii.cc b/src/LogWriterAscii.cc
index 1dcfeba7d9..cf90249226 100644
--- a/src/LogWriterAscii.cc
+++ b/src/LogWriterAscii.cc
@@ -54,8 +54,6 @@ static string _GetBroTypeString(const LogField *field)
 return "double";
 case TYPE_SUBNET:
 return "subnet";
- case TYPE_NET:
- return "net";
 case TYPE_ADDR:
 return "addr";
 case TYPE_ENUM:
diff --git a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
index 0d965a39be..db33b4c312 100644
--- a/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
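Review bot: The new `supported` hook (and its siblings `setup`, `finish` and `transform`) is an executable containing nothing but a shebang, so nothing tells a reader what btest invokes it with or what its exit status is taken to mean; for `supported` in particular an empty script presumably exits 0, which would mark every test as supported under this profile, and that contract should be written down rather than left implicit. I would add a one-line comment under each shebang, e.g. `# Default btest profile hook, wired up via ProfileDir in btest.cfg: intentionally a no-op (exit status 0).`, and in `supported` state explicitly that exit 0 means "test supported" if that is what the harness expects. Since these files are the whole profile mechanism visible here, that comment is also the only place a future profile author will find the hook names.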
@@ -1,5 +1,5 @@
 # separator \x09
-# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history
-# types time string addr port addr port enum string interval count count string bool count string
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
+# types time string addr port addr port enum string interval count count string bool count string count count count count
 # path conn
-1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf
+1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 12 710 10 9945
diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log
index e11386661e..1c1f5695ed 100644
--- a/testing/btest/Baseline/core.vlan-mpls/conn.log
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log
@@ -1,7 +1,7 @@
 # separator \x09
-# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history
-# types time string addr port addr port enum string interval count count string bool count string
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
+# types time string addr port addr port enum string interval count count string bool count string count count count count
 # path conn
-952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 -
-1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf
-1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF
+952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.10255992412567 25 0 SH - 0 - 11 280 0 0
+1128727435.450898 56gKBmhBBB6 141.42.64.125 56730 125.190.109.199 80 tcp http 1.73330307006836 98 9417 SF - 0 ShADdFaf 12 710 10 9945
+1278600802.069419 50da4BEzauh 10.20.80.1 50343 10.0.0.15 80 tcp - 0.00415205955505371 9 3429 SF - 0 ShADadfF 7 361 7 3801
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
index eee707f89f..c1b71dd52e 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
@@ -1,2 +1,5 @@
-# b i e c p sn a d t iv s sc ss se vc ve
-T -42 Test::TEST 21 123 10.0.0.0/24 1.2.3.4 3.14 1313623666.027768 100.0 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY
+# separator \x09
+# fields b i e c p sn a d t iv s sc ss se vc ve
+# types bool int enum count port subnet addr double time interval string table table table vector vector
+# path test
+T -42 Test::TEST 21 123 10.0.0.0/24 1.2.3.4 3.14 1314729588.035807 100.0 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
index e5633026b23d6c58469a26747b1a6126020cb1ca..b02fec712ac850d7019a9f83ab201d5d68072a81 100644
GIT binary patch
delta 182
zcmYj~u?oU46h)yeeuR!LY4fy^G%3kT(a8^R>g?p7TE)TT-V5i# zc|_02EMXoy;RIR7j@NY&C+wt9OAkXdzbA}t9eSv&)u0Rkn$SXR!#F$Z2z;mv5(p_B zNE<4RK&r*h7hNwjcyh{|fy5X6WsmjfgkP0qIhs2`4S3(g2Uw;Y_5)u`(~K9}EMMij J4KIev>kW+5I;j8v
delta 30
mcmbQu+|9(KtT0hZbK-6zUSl&OV{=mrJxeolOXG>Z76Jfw@d&N}
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
index fb4a2c4528..4833007c2d 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
@@ -1,4 +1,7 @@
-# ts metric_id filter_name index.host index.str index.network value
-1313430544.678529 TEST_METRIC foo-bar 6.5.4.3 - - 2
-1313430544.678529 TEST_METRIC foo-bar 1.2.3.4 - - 3
-1313430544.678529 TEST_METRIC foo-bar 7.2.1.5 - - 1
+# separator \x09
+# fields ts metric_id filter_name index.host index.str index.network value
+# types time enum string addr string subnet count
+# path metrics
+1314729506.922865 TEST_METRIC foo-bar 6.5.4.3 - - 2
+1314729506.922865 TEST_METRIC foo-bar 1.2.3.4 - - 3
+1314729506.922865 TEST_METRIC foo-bar 7.2.1.5 - - 1
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
index 1e0e6a572b..368722ae7d 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.notice/notice.log
@@ -1,3 +1,6 @@
-# ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
-1313685819.326521 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - -
-1313685819.326521 - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 4 - - - - - - 6.5.4.3 - -
+# separator \x09
+# fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p note msg sub src dst p n peer_descr actions policy_items dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network
+# types time string addr port addr port enum string string addr addr port count string table table bool string string string double double addr string subnet
+# path notice
+1314729528.972185 - - - - - Test_Notice Threshold crossed by metric_index(host=1.2.3.4) 3/2 - 1.2.3.4 - - 3 bro Notice::ACTION_LOG 4 - - - - - - 1.2.3.4 - -
+1314729528.972185 - - - - - Test_Notice Threshold crossed by metric_index(host=6.5.4.3) 2/2 - 6.5.4.3 - - 2 bro Notice::ACTION_LOG 4 - - - - - - 6.5.4.3 - -