diff --git a/CHANGES b/CHANGES index 597a8faddd..08b513b83f 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,180 @@ +7.2.0-dev.156 | 2025-02-05 09:05:00 +0000 + + * IPv6 support for detect-external-names and testcase (Johanna Amann, Corelight) + + * Add `skip_resp_host_port_pairs` option to policy/protocols/dns/detect-external-names.zeek. + This option allows to skip the detection of external names for certain addresses. + By default this is set so that mDNS broadcasts no longer are logged as extenal. (jbaggs) + +7.2.0-dev.152 | 2025-02-04 14:50:36 -0800 + + * Bump cluster testsuite to pull in resilience to agent connection timing [skip ci] (Christian Kreibich, Corelight) + +7.2.0-dev.150 | 2025-02-04 16:50:44 +0100 + + * GH-4209: util/init_random_seed: write_file implies deterministic (Johanna Amann, Corelight) + + This makes Zeek run in deterministic mode with --save-seeds usage + and reworks all the extra indirections used in init_random_seed() + to make it easier to follow the control flow. + +7.2.0-dev.148 | 2025-02-04 09:52:29 +0100 + + * external/subdir-btest.cfg: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 (Arne Welzel, Corelight) + + We already do something similar for OPENSSL_ENABLE_MD5_VERIFY=1 + + * btest/x509_verify: Drop OpenSSL 1.0 hack (Arne Welzel, Corelight) + + We do not have a distro in CI anymore that ships OpenSSL 1.0, + drop the hack. + + * GH-4035: testing/btest: Use OPENSSL_ENABLE_SHA1_SIGNATURES (Arne Welzel, Corelight) + + This reverts the call to update-crypto-policies in the Fedora 41 image + and instead sets OPENSSL_ENABLE_SHA1_SIGNATURES in the individual tests. + This allows RHEL 10 or Fedora 41 users to run the tests in question + without needing to fiddle with system settings. 
+ + Fixes #4035 + +7.2.0-dev.144 | 2025-02-04 09:18:25 +0100 + + * Add ZAM baseline for new scripts.base.protocols.quic.analyzer-confirmations btest (Tim Wojtulewicz, Corelight) + +7.2.0-dev.142 | 2025-02-03 18:41:40 -0700 + + * Make enc_part value from kerberos response available to scripts (Philipp Tekeser-Glasz) + +7.2.0-dev.140 | 2025-02-03 18:34:00 -0700 + + * Add note to Traces/README about possible malware in pe/pe.trace (Tim Wojtulewicz, Corelight) + + * Fix formatting of Traces/README entry for modbus-eit.trace (Tim Wojtulewicz, Corelight) + +7.2.0-dev.137 | 2025-02-03 16:53:04 -0800 + + * Remove unused SupervisedNode::InitCluster declaration (Christian Kreibich, Corelight) + +7.2.0-dev.135 | 2025-02-03 17:50:31 +0100 + + * QUIC/decrypt_crypto: Rename all_data to data (Arne Welzel, Corelight) + + ...for consistency. + + * GH-4201: QUIC: Confirm before forwarding data to SSL (Arne Welzel, Corelight) + + Fixes #4201 + + * GH-4198: QUIC: Parse all QUIC packets in a UDP datagram (Arne Welzel, Corelight) + + A UDP datagram may contain multiple QUIC packets, but the parser so far + handled only the very first packet, ignoring any subsequent packets. + + Fixes #4198 + + * QUIC: Only slurp till packet end, not till &eod (Arne Welzel, Corelight) + + This doesn't change behavior, but avoids slurping in more data than + needed. A UDP packet an contain multiple QUIC packets and we'd read + all following ones instead just the one we're interested in. + +7.2.0-dev.129 | 2025-01-31 15:58:37 -0800 + + * Management framework: + + - Bump cluster testsuite to pull in updated Prometheus tests (Christian Kreibich, Corelight) + - move up addition of agent IPs into deployable cluster configs (Christian Kreibich, Corelight) + - Support multiple instances per host addr in auto metrics generation (Michael Dopheide) + - When auto-generating metrics ports for worker nodes, get them more uniform across instances. 
(Michael Dopheide) + +7.2.0-dev.124 | 2025-01-30 10:51:14 -0700 + + * Pack some classes for better memory usages (Tim Wojtulewicz, Corelight) + + - Analyzer: Reduce from 208 bytes to 192 bytes, remove one cache line + - EventGroup: Reduce from 104 bytes to 96 bytes + - Packet: Reduce from 200 bytes to 184 bytes, remove one cache line + - threading::Value: Reduce from 48 bytes to 40 bytes + - ConnTuple: push hole to the end of struct + - TCP_Reassembler: Reduce from 240 bytes to 232 bytes + +7.2.0-dev.122 | 2025-01-24 15:47:15 -0700 + + * Make types into constants (Evan Typanski, Corelight) + + This allows types to be used in expressions, but they can't be + reassigned. Note that this was meant to be a special "type expression" - + but that is unnecessary complexity. + + Type expressions would allow access to the type without going through + its constant value, but the constant value is never changed, so it's + simply a few more checks if necessary when functionality gets expanded. + This way, ZAM and other code will not need updates, so the potential for + increased work in the future is probably not worth caring about. + +7.2.0-dev.116 | 2025-01-24 11:42:14 -0700 + + * Fix errors from rst linting on the generated docs (Tim Wojtulewicz, Corelight) + +7.2.0-dev.113 | 2025-01-23 11:49:23 -0700 + + * Fix options parsing segfault (Evan Typanski, Corelight) + + A command like this would segfault: + + zeek -b test.zeek --debug + + The issue was that `getopt_long` was using a null element to determine + what the end of the options array is. If it saw a non-null element after + `--debug` it would say it's the argument for optarg, even if it's beyond + `zeek_args.size()`. Instead, just make sure the array is + null-terminated. 
+ +7.2.0-dev.111 | 2025-01-23 11:21:21 -0700 + + * Minor whitespace cleanup in init-bare.zeek (Tim Wojtulewicz, Corelight) + + * Add missing export blocks to init-bare.zeek (Tim Wojtulewicz, Corelight) + + * Merge some GLOBAL module sections in init-bare (Tim Wojtulewicz, Corelight) + + * Merge Tunnel module sections in init-bare (Tim Wojtulewicz, Corelight) + +7.2.0-dev.106 | 2025-01-23 16:46:33 +0100 + + * script_opt: Use emit_builtin_error() for Lookup-Conn (Arne Welzel, Corelight) + + Still create a separate baseline file because ZAM doesn't provide + detailed location information. + + Patch for ZBI.op provided by @vpax + +7.2.0-dev.104 | 2025-01-21 16:48:56 -0700 + + * session/Manager: Emit explicit errors for FindConnection() with proto=65535 (Arne Welzel, Corelight) + + We silently broke users constructing conn_id records manually and + subsequently using them with lookup_connection() or connection_exists(). + + This is an attempt to at least report a runtime error about the situation + so it doesn't go completely unnoticed. + + * IPAddr/ConnKey: Protect from uninitialized conn_id (Arne Welzel, Corelight) + + Check if the non-default fields exist using HasField() + and use GetField() for proto such that it'll initialize + the default value which GetFieldAs<> doesn't do. + default + + * IPAddr/ConnKey: Promote transport to uint16_t (Arne Welzel, Corelight) + + Instead of a separate bool field which is also stored in the session + table, promote the transport field to uint16_t and encode an invalid + ConnKey as transport 2**16-2 + + * session/Manager: Header cleanup (Arne Welzel, Corelight) + 7.2.0-dev.99 | 2025-01-20 10:27:32 +0100 * fixes for -O gen-standalone-C++ generation of lambdas (Vern Paxson, Corelight) diff --git a/NEWS b/NEWS index b0e99cb9c3..74a5faf1b7 100644 --- a/NEWS +++ b/NEWS 
@@ -16,6 +16,9 @@ New Functionality Zeek now raises a warning when a script declares these events while this option is set to true. +- Types can now be used as constants in Zeek script. This allows types to be + directly passed into BIFs without aliasing. + Changed Functionality --------------------- @@ -24,6 +27,16 @@ Changed Functionality then prompt to use --help. The --help usage will now print to standard output rather than standard error. +- Saving seeds with ``--save-seeds`` will now put Zeek into deterministic mode. + A subsequent ``--load-seeds`` run with the same scripts and traces will produce + identical UID values as the original ``--save-seeds` run. + +- The `policy/protocols/dns/detect-external-names.zeek` script now no longer logs + names that were found in mDNS broadcasts by default. This is configurable with + the new `DNS::skip_resp_host_port_pairs` option. + + Furthermore, the script now supports and logs IPv6 results. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index b72def6ac0..dfeac73a4f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.2.0-dev.99 +7.2.0-dev.156 diff --git a/ci/fedora-41/Dockerfile b/ci/fedora-41/Dockerfile index e98cd500bd..e3d737a562 100644 --- a/ci/fedora-41/Dockerfile +++ b/ci/fedora-41/Dockerfile @@ -2,7 +2,7 @@ FROM fedora:41 # A version field to invalidate Cirrus's build cache when needed, as suggested in # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822 -ENV DOCKERFILE_VERSION 20241115 +ENV DOCKERFILE_VERSION 20250203 RUN dnf -y install \ bison \ @@ -33,7 +33,3 @@ RUN dnf -y install \ && dnf clean all && rm -rf /var/cache/dnf RUN pip3 install websockets junit2html - -# Required to allow validation of certificates with SHA1 signatures -# See: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer -RUN update-crypto-policies --set FEDORA40 diff --git a/doc b/doc index c3ce915021..565cb03005 160000 --- a/doc +++ b/doc 
@@ -1 +1 @@ -Subproject commit c3ce915021ec818c786410d4500fa6de428d590a +Subproject commit 565cb03005d09370e1e4864fb00fad64aa71aa95 diff --git a/scripts/base/frameworks/broker/main.zeek b/scripts/base/frameworks/broker/main.zeek index 2990f3f297..21d3cdaf74 100644 --- a/scripts/base/frameworks/broker/main.zeek +++ b/scripts/base/frameworks/broker/main.zeek @@ -83,12 +83,12 @@ export { const log_batch_interval = 1sec &redef; ## Max number of threads to use for Broker/CAF functionality. The - ## ZEEK_BROKER_MAX_THREADS environment variable overrides this setting. + ## ``ZEEK_BROKER_MAX_THREADS`` environment variable overrides this setting. const max_threads = 1 &redef; ## Max number of items we buffer at most per peer. What action to take when ## the buffer reaches its maximum size is determined by - ## `peer_overflow_policy`. + ## :zeek:see:`Broker::peer_overflow_policy`. const peer_buffer_size = 2048 &redef; ## Configures how Broker responds to peers that cannot keep up with the @@ -98,10 +98,10 @@ export { ## - drop_oldest: removed the olsted message from the buffer, then append const peer_overflow_policy = "disconnect" &redef; - ## Same as `peer_buffer_size` but for WebSocket clients. + ## Same as :zeek:see:`Broker::peer_buffer_size` but for WebSocket clients. const web_socket_buffer_size = 512 &redef; - ## Same as `peer_overflow_policy` but for WebSocket clients. + ## Same as :zeek:see:`Broker::peer_overflow_policy` but for WebSocket clients. const web_socket_overflow_policy = "disconnect" &redef; ## The CAF scheduling policy to use. Available options are "sharing" and diff --git a/scripts/base/frameworks/input/main.zeek b/scripts/base/frameworks/input/main.zeek index 973661f871..b1fa455a18 100644 --- a/scripts/base/frameworks/input/main.zeek +++ b/scripts/base/frameworks/input/main.zeek 
@@ -24,10 +24,10 @@ export { STREAM = 2 }; - ## The default input reader used. Defaults to `READER_ASCII`. + ## The default input reader used. Defaults to :zeek:see:`Input::READER_ASCII`. option default_reader = READER_ASCII; - ## The default reader mode used. Defaults to `MANUAL`. + ## The default reader mode used. Defaults to :zeek:see:`Input::MANUAL`. option default_mode = MANUAL; ## Separator between fields. @@ -60,7 +60,7 @@ export { # Common definitions for tables and events ## String that allows the reader to find the source of the data. - ## For `READER_ASCII`, this is the filename. + ## For :zeek:see:`Input::READER_ASCII`, this is the filename. source: string; ## Reader to use for this stream. @@ -112,7 +112,7 @@ export { ## ## The event is raised like if it had been declared as follows: ## error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional; - ## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system. + ## The actual declaration uses the :zeek:type:`any` type because of deficiencies of the Zeek type system. error_ev: any &optional; ## A key/value table that will be passed to the reader. @@ -126,7 +126,7 @@ export { # Common definitions for tables and events ## String that allows the reader to find the source. - ## For `READER_ASCII`, this is the filename. + ## For :zeek:see:`Input::READER_ASCII`, this is the filename. source: string; ## Reader to use for this stream. 
@@ -151,8 +151,8 @@ export { want_record: bool &default=T; ## The event that is raised each time a new line is received from the - ## reader. The event will receive an Input::EventDescription record - ## as the first argument, an Input::Event enum as the second + ## reader. The event will receive an :zeek:see:`Input::EventDescription` record + ## as the first argument, an :zeek:see:`Input::Event` enum as the second ## argument, and the fields (as specified in *fields*) as the following ## arguments (this will either be a single record value containing ## all fields, or each field value as a separate argument). @@ -161,12 +161,12 @@ export { ## Error event that is raised when an information, warning or error ## is raised by the input stream. If the level is error, the stream will automatically ## be closed. - ## The event receives the Input::EventDescription as the first argument, the - ## message as the second argument and the Reporter::Level as the third argument. + ## The event receives the :zeek:see:`Input::EventDescription` as the first argument, the + ## message as the second argument and the :zeek:see:`Reporter::Level` as the third argument. ## ## The event is raised like it had been declared as follows: ## error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional; - ## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system. + ## The actual declaration uses the :zeek:type:`any` type because of deficiencies of the Zeek type system. error_ev: any &optional; ## A key/value table that will be passed to the reader. @@ -179,7 +179,7 @@ export { ## file analysis framework. type AnalysisDescription: record { ## String that allows the reader to find the source. - ## For `READER_ASCII`, this is the filename. + ## For :zeek:see:`Input::READER_ASCII`, this is the filename. source: string; ## Reader to use for this stream. Compatible readers must be 
@@ -205,14 +205,14 @@ export { ## Create a new table input stream from a given source. ## - ## description: `TableDescription` record describing the source. + ## description: :zeek:see:`Input::TableDescription` record describing the source. ## ## Returns: true on success. global add_table: function(description: Input::TableDescription) : bool; ## Create a new event input stream from a given source. ## - ## description: `EventDescription` record describing the source. + ## description: :zeek:see:`Input::EventDescription` record describing the source. ## ## Returns: true on success. global add_event: function(description: Input::EventDescription) : bool; @@ -278,4 +278,3 @@ function force_update(id: string) : bool { return __force_update(id); } - diff --git a/scripts/base/frameworks/logging/main.zeek b/scripts/base/frameworks/logging/main.zeek index 953b6a51de..b9f46f4aae 100644 --- a/scripts/base/frameworks/logging/main.zeek +++ b/scripts/base/frameworks/logging/main.zeek @@ -198,12 +198,12 @@ export { ## Default separator for log field scopes when logs are unrolled and ## flattened. This will be the string between field name components. - ## For example, setting this to "_" will cause the typical field - ## "id.orig_h" to turn into "id_orig_h". + ## For example, setting this to ``_`` will cause the typical field + ## ``id.orig_h`` to turn into ``id_orig_h``. const default_scope_sep = "." &redef; ## A prefix for extension fields which can be optionally prefixed - ## on all log lines by setting the `ext_func` field in the + ## on all log lines by setting the ``ext_func`` field in the ## log filter. const Log::default_ext_prefix: string = "_" &redef; diff --git a/scripts/base/frameworks/notice/main.zeek b/scripts/base/frameworks/notice/main.zeek index d6e43b7357..26b3c1b9d0 100644 --- a/scripts/base/frameworks/notice/main.zeek +++ b/scripts/base/frameworks/notice/main.zeek 
@@ -203,7 +203,7 @@ export { ## on rotation with :zeek:enum:`Notice::ACTION_ALARM`. ## ## Note that this is overridden by the ZeekControl MailTo option or by - ## the `email_dest` field in the :zeek:see:`Notice::Info` record. + ## the ``email_dest`` field in the :zeek:see:`Notice::Info` record. const mail_dest = "" &redef; ## Address that emails will be from. diff --git a/scripts/base/frameworks/spicy/init-bare.zeek b/scripts/base/frameworks/spicy/init-bare.zeek index a9f9d2dbd7..e01f4adafd 100644 --- a/scripts/base/frameworks/spicy/init-bare.zeek +++ b/scripts/base/frameworks/spicy/init-bare.zeek @@ -23,7 +23,7 @@ export { # doc-options-end # doc-types-start - ## Result type for `Spicy::resource_usage()`. The values reflect resource + ## Result type for :zeek:see:`Spicy::resource_usage`. The values reflect resource ## usage as reported by the Spicy runtime system. type ResourceUsage: record { user_time : interval; ##< user CPU time of the Zeek process diff --git a/scripts/base/frameworks/supervisor/api.zeek b/scripts/base/frameworks/supervisor/api.zeek index e3a6d06c9b..c53988967a 100644 --- a/scripts/base/frameworks/supervisor/api.zeek +++ b/scripts/base/frameworks/supervisor/api.zeek @@ -135,7 +135,7 @@ export { global node: function(): NodeConfig; ## Hooks into the stdout stream for all supervisor's child processes. - ## If a hook terminates with `break`, that will suppress output to the + ## If a hook terminates with ``break``, that will suppress output to the ## associated stream. ## ## node: the name of a previously created node via @@ -149,7 +149,7 @@ export { global stdout_hook: hook(node: string, msg: string); ## Hooks into the stderr stream for all supervisor's child processes. - ## If a hook terminates with `break`, that will suppress output to the + ## If a hook terminates with ``break``, that will suppress output to the ## associated stream. ## ## node: the name of a previously created node via 
diff --git a/scripts/base/frameworks/telemetry/main.zeek b/scripts/base/frameworks/telemetry/main.zeek index 9c255cb40c..2480cd4b88 100644 --- a/scripts/base/frameworks/telemetry/main.zeek +++ b/scripts/base/frameworks/telemetry/main.zeek @@ -42,8 +42,8 @@ export { global counter_with: function(cf: CounterFamily, label_values: labels_vector &default=vector()): Counter; - ## Increment a :zeek:see:`Telemetry::Counter` by `amount`. - ## Using a negative `amount` is an error. + ## Increment a :zeek:see:`Telemetry::Counter` by ``amount``. + ## Using a negative ``amount`` is an error. ## ## c: The counter instance. ## @@ -52,7 +52,7 @@ export { ## Returns: True if the counter was incremented successfully. global counter_inc: function(c: Counter, amount: double &default=1.0): bool; - ## Helper to set a :zeek:see:`Telemetry::Counter` to the given `value`. + ## Helper to set a :zeek:see:`Telemetry::Counter` to the given ``value``. ## This can be useful for mirroring counter metrics in an ## :zeek:see:`Telemetry::sync` hook implementation. ## Setting a value that is less than the current value of the @@ -126,7 +126,7 @@ export { global gauge_with: function(gf: GaugeFamily, label_values: labels_vector &default=vector()): Gauge; - ## Increment a :zeek:see:`Telemetry::Gauge` by `amount`. + ## Increment a :zeek:see:`Telemetry::Gauge` by ``amount``. ## ## g: The gauge instance. ## @@ -135,7 +135,7 @@ export { ## Returns: True if the gauge was incremented successfully. global gauge_inc: function(g: Gauge, amount: double &default=1.0): bool; - ## Decrement a :zeek:see:`Telemetry::Gauge` by `amount`. + ## Decrement a :zeek:see:`Telemetry::Gauge` by ``amount``. ## ## g: The gauge instance. ## 
@@ -144,7 +144,7 @@ export { ## Returns: True if the gauge was incremented successfully. global gauge_dec: function(g: Gauge, amount: double &default=1.0): bool; - ## Helper to set a :zeek:see:`Telemetry::Gauge` to the given `value`. + ## Helper to set a :zeek:see:`Telemetry::Gauge` to the given ``value``. ## ## g: The gauge instance. ## @@ -153,7 +153,7 @@ export { ## Returns: True if the gauge value was set successfully. global gauge_set: function(g: Gauge, value: double): bool; - ## Increment a :zeek:see:`Telemetry::Gauge` by the given `amount` through + ## Increment a :zeek:see:`Telemetry::Gauge` by the given ``amount`` through ## the :zeek:see:`Telemetry::GaugeFamily`. ## This is a short-cut for :zeek:see:`Telemetry::gauge_inc`. ## Using a negative amount is an error. @@ -169,7 +169,7 @@ export { label_values: labels_vector &default=vector(), amount: double &default=1.0): bool; - ## Decrement a :zeek:see:`Telemetry::Gauge` by the given `amount` through + ## Decrement a :zeek:see:`Telemetry::Gauge` by the given ``amount`` through ## the :zeek:see:`Telemetry::GaugeFamily`. ## This is a short-cut for :zeek:see:`Telemetry::gauge_dec`. ## @@ -184,7 +184,7 @@ export { label_values: labels_vector &default=vector(), amount: double &default=1.0): bool; - ## Set a :zeek:see:`Telemetry::Gauge` to the given `value` through + ## Set a :zeek:see:`Telemetry::Gauge` to the given ``value`` through ## the :zeek:see:`Telemetry::GaugeFamily`. ## This is a short-cut for :zeek:see:`Telemetry::gauge_set`. ## diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 3f6a311e85..06fc0283d3 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -144,8 +144,8 @@ type string_mapper: function(s: string): string; ## :zeek:see:`file_magic` type mime_match: record { strength: int; ##< How strongly the signature matched. Used for - ##< prioritization when multiple file magic signatures - ##< match. + ##< prioritization when multiple file magic signatures + ##< match. mime: string; ##< The MIME type of the file magic signature match. }; @@ -197,10 +197,10 @@ const allow_network_time_forward = T &redef; ## A connection's transport-layer protocol. Note that Zeek uses the term ## "connection" broadly, using flow semantics for ICMP and UDP. type transport_proto: enum { - unknown_transport, ##< An unknown transport-layer protocol. - tcp, ##< TCP. - udp, ##< UDP. - icmp ##< ICMP. + unknown_transport, ##< An unknown transport-layer protocol. + tcp, ##< TCP. + udp, ##< UDP. + icmp ##< ICMP. }; ## A connection's identifying 4-tuple of endpoints and ports. @@ -356,22 +356,6 @@ type ftp_port: record { valid: bool; ##< True if format was right. Only then are *h* and *p* valid. }; - -module FTP; - -## Limits the size of commands accepted by the FTP analyzer. Longer commands -## raise a FTP_max_command_length_exceeded weird and are discarded. -const max_command_length = 100 &redef; - -module SMTP; - -## The maximum line length within a BDAT chunk before a forceful linebreak -## is introduced and a weird is raised. Conventionally, MIME messages -## have a maximum line length of 1000 octets when properly encoded. -const bdat_max_line_length = 4096 &redef; - -module GLOBAL; - ## Statistics about what a TCP endpoint sent. ## ## .. zeek:see:: conn_stats 
@@ -389,7 +373,231 @@ type endpoint_stats: record { endian_type: count; }; +## Arguments given to Zeek from the command line. In order to use this, Zeek +## must use a ``--`` command line argument immediately followed by a script +## file and additional arguments after that. For example:: +## +## zeek --bare-mode -- myscript.zeek -a -b -c +## +## To use Zeek as an executable interpreter, include a line at the top of a script +## like the following and make the script executable:: +## +## #!/usr/local/zeek/bin/zeek -- +const zeek_script_args: vector of string = vector(); + +## BPF filter the user has set via the -f command line options. Empty if none. +const cmd_line_bpf_filter = "" &redef; + +## Base time of log rotations in 24-hour time format (``%H:%M``), e.g. "12:00". +const log_rotate_base_time = "0:00" &redef; + +## Whether to attempt to automatically detect SYN/FIN/RST-filtered trace +## and not report missing segments for such connections. +## If this is enabled, then missing data at the end of connections may not +## be reported via :zeek:see:`content_gap`. +const detect_filtered_trace = F &redef; + +## Whether we want :zeek:see:`content_gap` for partial +## connections. A connection is partial if it is missing a full handshake. Note +## that gap reports for partial connections might not be reliable. +## +## .. zeek:see:: content_gap partial_connection +const report_gaps_for_partial = F &redef; + +## Flag to prevent Zeek from exiting automatically when input is exhausted. +## Normally Zeek terminates when all packet sources have gone dry +## and communication isn't enabled. If this flag is set, Zeek's main loop will +## instead keep idling until :zeek:see:`terminate` is explicitly called. +## +## This is mainly for testing purposes when termination behaviour needs to be +## controlled for reproducing results. +const exit_only_after_terminate = F &redef; + +## Default mode for Zeek's user-space dynamic packet filter. 
If true, packets +## that aren't explicitly allowed through, are dropped from any further +## processing. +## +## .. note:: This is not the BPF packet filter but an additional dynamic filter +## that Zeek optionally applies just before normal processing starts. +## +## .. zeek:see:: install_dst_addr_filter install_dst_net_filter +## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter +## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter +const packet_filter_default = F &redef; + +## Maximum size of regular expression groups for signature matching. +const sig_max_group_size = 50 &redef; + +## Description transmitted to remote communication peers for identification. +const peer_description = "zeek" &redef; + +## Reassemble the beginning of all TCP connections before doing +## signature matching. Enabling this provides more accurate matching at the +## expense of CPU cycles. +## +## .. zeek:see:: dpd_buffer_size +## dpd_match_only_beginning dpd_ignore_ports +## +## .. note:: Despite the name, this option affects *all* signature matching, not +## only signatures used for dynamic protocol detection. +const dpd_reassemble_first_packets = T &redef; + +## Size of per-connection buffer used for dynamic protocol detection. For each +## connection, Zeek buffers this initial amount of payload in memory so that +## complete protocol analysis can start even after the initial packets have +## already passed through (i.e., when a DPD signature matches only later). +## However, once the buffer is full, data is deleted and lost to analyzers that +## are activated afterwards. Then only analyzers that can deal with partial +## connections will be able to analyze the session. +## +## .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning +## dpd_ignore_ports dpd_max_packets +const dpd_buffer_size = 1024 &redef; + +## Maximum number of per-connection packets that will be buffered for dynamic +## protocol detection. 
For each connection, Zeek buffers up to this amount +## of packets in memory so that complete protocol analysis can start even after +## the initial packets have already passed through (i.e., when a DPD signature +## matches only later). However, once the buffer is full, data is deleted and lost +## to analyzers that are activated afterwards. Then only analyzers that can deal +## with partial connections will be able to analyze the session. +## +## .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning +## dpd_ignore_ports dpd_buffer_size +const dpd_max_packets = 100 &redef; + +## If true, stops signature matching if :zeek:see:`dpd_buffer_size` has been +## reached. +## +## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size +## dpd_ignore_ports +## +## .. note:: Despite the name, this option affects *all* signature matching, not +## only signatures used for dynamic protocol detection. +const dpd_match_only_beginning = T &redef; + +## If true, stops signature matching after a late match. A late match may occur +## in case the DPD buffer is exhausted but a protocol signature matched. To +## allow late matching, :zeek:see:`dpd_match_only_beginning` must be disabled. +## +## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size +## dpd_match_only_beginning +## +## .. note:: Despite the name, this option stops *all* signature matching, not +## only signatures used for dynamic protocol detection but is triggered by +## DPD signatures only. +const dpd_late_match_stop = F &redef; + +## If true, don't consider any ports for deciding which protocol analyzer to +## use. +## +## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size +## dpd_match_only_beginning +const dpd_ignore_ports = F &redef; + +## Ports which the core considers being likely used by servers. For ports in +## this set, it may heuristically decide to flip the direction of the +## connection if it misses the initial handshake. 
+const likely_server_ports: set[port] &redef; + +## Holds the filename of the trace file given with ``-w`` (empty if none). +## +## .. zeek:see:: record_all_packets +const trace_output_file = ""; + +## If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it. +## By default, Zeek applies (very few) heuristics to reduce the volume. A side +## effect of setting this to true is that we can write the packets out before we +## actually process them, which can be helpful for debugging in case the +## analysis triggers a crash. +## +## .. zeek:see:: trace_output_file +const record_all_packets = F &redef; + +## Ignore certain TCP retransmissions for :zeek:see:`conn_stats`. Some +## connections (e.g., SSH) retransmit the acknowledged last byte to keep the +## connection alive. If *ignore_keep_alive_rexmit* is set to true, such +## retransmissions will be excluded in the rexmit counter in +## :zeek:see:`conn_stats`. +## +## .. zeek:see:: conn_stats +const ignore_keep_alive_rexmit = F &redef; + + + +## Seed for hashes computed internally for probabilistic data structures. Using +## the same value here will make the hashes compatible between independent Zeek +## instances. If left unset, Zeek will use a temporary local seed. +const global_hash_seed: string = "" &redef; + +## Number of bits in UIDs that are generated to identify connections and +## files. The larger the value, the more confidence in UID uniqueness. +## The maximum is currently 128 bits. +const bits_per_uid: count = 96 &redef; + +## This salt value is used for several message digests in Zeek. We +## use a salt to help mitigate the possibility of an attacker +## manipulating source data to, e.g., mount complexity attacks or +## cause ID collisions. +## This salt is, for example, used by :zeek:see:`get_file_handle` +## to generate installation-unique file IDs (the *id* field of :zeek:see:`fa_file`). +const digest_salt = "Please change this value." 
&redef; + +## Maximum string length allowed for calls to the :zeek:see:`find_all` and +## :zeek:see:`find_all_ordered` BIFs. +const max_find_all_string_length: int = 10000 &redef; + +## How many rounds to go without checking IO sources with file descriptors +## for readiness by default. This is used when reading from traces. +## +## Very roughly, when reading from a pcap, setting this to 100 results in +## 100 packets being processed without checking FD based IO sources. +## +## .. note:: This should not be changed outside of development or when +## debugging problems with the main-loop, or developing features with +## tight main-loop interaction. +## +## .. zeek:see:: io_poll_interval_live +const io_poll_interval_default = 100 &redef; + +## How often to check IO sources with file descriptors for readiness when +## monitoring with a live packet source. +## +## The poll interval gets defaulted to 100 which is good for cases like reading +## from pcap files and when there isn't a packet source, but is a little too +## infrequent for live sources (especially fast live sources). Set it down a +## little bit for those sources. +## +## .. note:: This should not be changed outside of development or when +## debugging problems with the main-loop, or developing features with +## tight main-loop interaction. +## +## .. zeek:see:: io_poll_interval_default +const io_poll_interval_live = 10 &redef; + +## Whether Zeek is being run under test. This can be used to alter functionality +## while testing, but should be used sparingly. +const running_under_test: bool = F &redef; + +module FTP; + +export { + ## Limits the size of commands accepted by the FTP analyzer. Longer commands + ## raise a FTP_max_command_length_exceeded weird and are discarded. + const max_command_length = 100 &redef; +} + +module SMTP; + +export { + ## The maximum line length within a BDAT chunk before a forceful linebreak + ## is introduced and a weird is raised. 
Conventionally, MIME messages + ## have a maximum line length of 1000 octets when properly encoded. + const bdat_max_line_length = 4096 &redef; +} + module TCP; + export { ## A TCP Option field parsed from a TCP header. type Option: record { @@ -426,6 +634,7 @@ export { } module Tunnel; + export { ## Records the identity of an encapsulating parent of a tunneled connection. type EncapsulatingConn: record { 
@@ -448,9 +657,40 @@ export { ## this limiting. const max_changes_per_connection: count = 5 &redef; -} # end export + ## The maximum depth of a tunnel to decapsulate until giving up. + ## Setting this to zero will disable all types of tunnel decapsulation. + const max_depth: count = 4 &redef; + + ## With this set, the Teredo analyzer waits until it sees both sides + ## of a connection using a valid Teredo encapsulation before issuing + ## a :zeek:see:`analyzer_confirmation_info`. If it's false, the first + ## occurrence of a packet with valid Teredo encapsulation causes a + ## confirmation. + const delay_teredo_confirmation = T &redef; + + ## With this set, the GTP analyzer waits until the most-recent upflow + ## and downflow packets are a valid GTPv1 encapsulation before + ## issuing :zeek:see:`analyzer_confirmation_info`. If it's false, the + ## first occurrence of a packet with valid GTPv1 encapsulation causes + ## confirmation. Since the same inner connection can be carried + ## differing outer upflow/downflow connections, setting to false + ## may work better. + const delay_gtp_confirmation = F &redef; + + ## How often to cleanup internal state for inactive IP tunnels + ## (includes GRE tunnels). + const ip_tunnel_timeout = 24hrs &redef; + + ## Whether to validate the checksum supplied in the outer UDP header + ## of a VXLAN encapsulation. The spec says the checksum should be + ## transmitted as zero, but if not, then the decapsulating destination + ## may choose whether to perform the validation. + const validate_vxlan_checksums = T &redef; + +} module HTTP; + export { ## Lookup table for Upgrade analyzers. First, a case sensitive lookup ## is done using the client's Upgrade header. If no match is found, @@ -460,6 +700,7 @@ export { } module WebSocket; + export { ## The WebSocket analyzer consumes and forwards ## frame payload in chunks to keep memory usage 
@@ -575,18 +816,6 @@ type connection: record { inner_vlan: int &optional; }; -## Arguments given to Zeek from the command line. In order to use this, Zeek -## must use a ``--`` command line argument immediately followed by a script -## file and additional arguments after that. For example:: -## -## zeek --bare-mode -- myscript.zeek -a -b -c -## -## To use Zeek as an executable interpreter, include a line at the top of a script -## like the following and make the script executable:: -## -## #!/usr/local/zeek/bin/zeek -- -const zeek_script_args: vector of string = vector(); - ## Default amount of time a file can be inactive before the file analysis ## gives up and discards any internal state related to the file. option default_file_timeout_interval: interval = 2 mins; 
@@ -673,28 +902,60 @@ type fa_metadata: record { inferred: bool &default=T; }; -module Analyzer; -export { - ## A hook taking a connection, analyzer tag and analyzer id that can be - ## used to veto disabling protocol analyzers. Specifically, an analyzer - ## can be prevented from being disabled by using a :zeek:see:`break` - ## statement within the hook. - ## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call. - ## - ## Scripts implementing this hook should have other logic that will eventually - ## disable the analyzer for the given connection. That is, if a script vetoes - ## disabling an analyzer, it takes responsibility for a later call to - ## :zeek:see:`disable_analyzer`, which may be never. - ## - ## c: The connection - ## - ## atype: The type / tag of the analyzer being disabled. - ## - ## aid: The analyzer ID. - type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count) &redef; -} -module GLOBAL; +## Generic analyzer confirmation info record. +## +## .. zeek:see:: analyzer_confirmation_info +type AnalyzerConfirmationInfo: record { + ## The connection related to this confirmation, if any. + ## This field may be set if there's any connection related information + ## available for this confirmation. For protocol analyzers it is guaranteed + ## to be set, but may also be added by file analyzers as additional + ## contextual information. + c: connection &optional; + + ## The file object related to this confirmation, if any. + f: fa_file &optional; + + ## Specific analyzer instance that can be used to reference the analyzer + ## when using builtin functions like :zeek:id:`disable_analyzer`. + aid: count &optional; +}; + +## Generic analyzer violation info record. +## +## .. zeek:see:: analyzer_violation_info +type AnalyzerViolationInfo: record { + ## The reason for the violation - should be user readable. + reason: string; + + ## The connection related to this violation, if any. 
+ ## This field may be set if there's any connection related information + ## available for this violation. For protocol analyzers it is guaranteed + ## to be set, but may also be added by file analyzers as additional + ## contextual information. + c: connection &optional; + + ## The file object related to this violation, if any. + f: fa_file &optional; + + ## Specific analyzer instance that can be used to reference the analyzer + ## when using builtin functions like :zeek:id:`disable_analyzer`. + aid: count &optional; + + ## Piece of binary data that was parsed and caused the violation. + data: string &optional; +}; + +## The maximum number of analyzer violations the core generates before +## suppressing them for a given analyzer instance. A weird providing +## information about the analyzer and connection is generated once the +## limit is reached. +## +## An analyzer generating this many violations is unlikely parsing +## the right protocol or potentially buggy. +const max_analyzer_violations = 1000 &redef; + ## Fields of a SYN packet. ## ## .. zeek:see:: connection_SYN_packet @@ -894,6 +1155,7 @@ type EventNameCounter: record { ## Times it was called, as counted by the event handlers. times_called: count &log; } &log; + type EventNameStats: vector of EventNameCounter; ## Table type used to map variable names to their memory allocation. 
@@ -1960,12 +2222,12 @@ type raw_pkt_hdr: record { type teredo_auth: record { id: string; ##< Teredo client identifier. value: string; ##< HMAC-SHA1 over shared secret key between client and - ##< server, nonce, confirmation byte, origin indication - ##< (if present), and the IPv6 packet. + ##< server, nonce, confirmation byte, origin indication + ##< (if present), and the IPv6 packet. nonce: count; ##< Nonce chosen by Teredo client to be repeated by - ##< Teredo server. + ##< Teredo server. confirm: count; ##< Confirmation byte to be set to 0 by Teredo client - ##< and non-zero by server if client needs new key. + ##< and non-zero by server if client needs new key. }; ## A Teredo authentication header. See :rfc:`4380` for more information 
@@ -2462,59 +2724,501 @@ const RPC_status = { [RPC_UNKNOWN_ERROR] = "unknown" }; -## Generic analyzer confirmation info record. +## Write profiling info into this file in regular intervals. The easiest way to +## activate profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. ## -## .. zeek:see:: analyzer_confirmation_info -type AnalyzerConfirmationInfo: record { - ## The connection related to this confirmation, if any. - ## This field may be set if there's any connection related information - ## available for this confirmation. For protocol analyzers it is guaranteed - ## to be set, but may also be added by file analyzers as additional - ## contextual information. - c: connection &optional; +## .. zeek:see:: profiling_interval expensive_profiling_multiple +global profiling_file: file &redef; - ## The file object related to this confirmation, if any. - f: fa_file &optional; +## Update interval for profiling (0 disables). The easiest way to activate +## profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. +## +## .. zeek:see:: profiling_file expensive_profiling_multiple +const profiling_interval = 0 secs &redef; - ## Specific analyzer instance that can be used to reference the analyzer - ## when using builtin functions like :zeek:id:`disable_analyzer`. - aid: count &optional; +## Multiples of :zeek:see:`profiling_interval` at which (more expensive) memory +## profiling is done (0 disables). +## +## .. zeek:see:: profiling_interval profiling_file +const expensive_profiling_multiple = 0 &redef; + +## Output modes for packet profiling information. +## +## .. zeek:see:: pkt_profile_mode pkt_profile_freq pkt_profile_file +type pkt_profile_modes: enum { + PKT_PROFILE_MODE_NONE, ##< No output. + PKT_PROFILE_MODE_SECS, ##< Output every :zeek:see:`pkt_profile_freq` seconds. + PKT_PROFILE_MODE_PKTS, ##< Output every :zeek:see:`pkt_profile_freq` packets. + PKT_PROFILE_MODE_BYTES, ##< Output every :zeek:see:`pkt_profile_freq` bytes. 
}; -## Generic analyzer violation info record. +## Output mode for packet profiling information. ## -## .. zeek:see:: analyzer_violation_info -type AnalyzerViolationInfo: record { - ## The reason for the violation - should be user readable. - reason: string; +## .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_file +const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef; - ## The connection related to this violation, if any. - ## This field may be set if there's any connection related information - ## available for this violation. For protocol analyzers it is guaranteed - ## to be set, but may also be added by file analyzers as additional - ## contextual information. - c: connection &optional; +## Frequency associated with packet profiling. +## +## .. zeek:see:: pkt_profile_modes pkt_profile_mode pkt_profile_file +const pkt_profile_freq = 0.0 &redef; - ## The file object related to this violation, if any. - f: fa_file &optional; +## File where packet profiles are logged. +## +## .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode +global pkt_profile_file: file &redef; - ## Specific analyzer instance that can be used to reference the analyzer - ## when using builtin functions like :zeek:id:`disable_analyzer`. - aid: count &optional; - ## Piece of binary data that was parsed and caused the violation. - data: string &optional; +## A DNS message. +## +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_message dns_query_reply dns_rejected dns_request +type dns_msg: record { + id: count; ##< Transaction ID. + + opcode: count; ##< Operation code. + rcode: count; ##< Return code. + + QR: bool; ##< Query response flag. + AA: bool; ##< Authoritative answer flag. + TC: bool; ##< Truncated packet flag. + RD: bool; ##< Recursion desired flag. + RA: bool; ##< Recursion available flag. 
+ Z: count; ##< 3 bit field (includes AD and CD) + AD: bool; ##< authentic data + CD: bool; ##< checking disabled + + num_queries: count; ##< Number of query records. + num_answers: count; ##< Number of answer records. + num_auth: count; ##< Number of authoritative records. + num_addl: count; ##< Number of additional records. }; -## The maximum number of analyzer violations the core generates before -## suppressing them for a given analyzer instance. A weird providing -## information about the analyzer and connection is generated once the -## limit is reached. +## A DNS SOA record. ## -## An analyzer generating this many violations is unlikely parsing -## the right protocol or potentially buggy. -const max_analyzer_violations = 1000 &redef; +## .. zeek:see:: dns_SOA_reply +type dns_soa: record { + mname: string; ##< Primary source of data for zone. + rname: string; ##< Mailbox for responsible person. + serial: count; ##< Version number of zone. + refresh: interval; ##< Seconds before refreshing. + retry: interval; ##< How long before retrying failed refresh. + expire: interval; ##< When zone no longer authoritative. + minimum: interval; ##< Minimum TTL to use when exporting. +}; +## An additional DNS EDNS record. +## +## .. zeek:see:: dns_EDNS_addl +type dns_edns_additional: record { + query: string; ##< Query. + qtype: count; ##< Query type. + t: count; ##< TODO. + payload_size: count; ##< TODO. + extended_rcode: count; ##< Extended return code. + version: count; ##< Version. + z_field: count; ##< TODO. + TTL: interval; ##< Time-to-live. + is_query: count; ##< TODO. +}; + +## An DNS EDNS Client Subnet (ECS) record. +## +## .. zeek:see:: dns_EDNS_ecs +type dns_edns_ecs: record { + family: string; ##< IP Family + source_prefix_len: count; ##< Source Prefix Length. + scope_prefix_len: count; ##< Scope Prefix Length. + address: addr; ##< Client Subnet Address. +}; + +## An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record. +## +## .. 
zeek:see:: dns_EDNS_tcp_keepalive +type dns_edns_tcp_keepalive: record { + keepalive_timeout_omitted: bool; ##< Whether timeout value is omitted. + keepalive_timeout: count; ##< Timeout value, in 100ms. +}; + +## An DNS EDNS COOKIE (COOKIE) record. +## +## .. zeek:see:: dns_EDNS_cookie +type dns_edns_cookie: record { + client_cookie: string; ##< Cookie from the client (fixed 8 bytes). + server_cookie: string &default=""; ##< Cookie from the server (0 bytes if missing, or 8 to 32 bytes). +}; + +## A DNS TKEY record. +## +## .. zeek:see:: dns_TKEY +type dns_tkey: record { + query: string; ##< Query. + qtype: count; ##< Query type. + alg_name: string; ##< Algorithm name. + inception: time; ##< Requested or provided start of validity interval for keying material. + expiration: time; ##< Requested or provided end of validity interval for keying material. + mode: count; ##< Key agreement or purpose of the message. + rr_error: count; ##< Error code. + key_data: string; ##< Key exchange data field. + is_query: count; ##< The RR is a query/Response. +}; + +## An additional DNS TSIG record. +## +## .. zeek:see:: dns_TSIG_addl +type dns_tsig_additional: record { + query: string; ##< Query. + qtype: count; ##< Query type. + alg_name: string; ##< Algorithm name. + sig: string; ##< Signature. + time_signed: time; ##< Time when signed. + fudge: time; ##< TODO. + orig_id: count; ##< TODO. + rr_error: count; ##< TODO. + is_query: count; ##< TODO. +}; + +## A DNSSEC RRSIG record. +## +## .. zeek:see:: dns_RRSIG +type dns_rrsig_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + type_covered: count; ##< qtype covered by RRSIG RR. + algorithm: count; ##< Algorithm. + labels: count; ##< Labels in the owner's name. + orig_ttl: interval; ##< Original TTL. + sig_exp: time; ##< Time when signed RR expires. + sig_incep: time; ##< Time when signed. + key_tag: count; ##< Key tag value. + signer_name: string; ##< Signature. 
+ signature: string; ##< Hash of the RRDATA. + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC DNSKEY record. +## +## .. zeek:see:: dns_DNSKEY +type dns_dnskey_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + flags: count; ##< flags filed. + protocol: count; ##< Protocol, should be always 3 for DNSSEC. + algorithm: count; ##< Algorithm for Public Key. + public_key: string; ##< Public Key + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC NSEC3 record. +## +## .. zeek:see:: dns_NSEC3 +type dns_nsec3_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + nsec_flags: count; ##< flags field. + nsec_hash_algo: count; ##< Hash algorithm. + nsec_iter: count; ##< Iterations. + nsec_salt_len: count; ##< Salt length. + nsec_salt: string; ##< Salt value + nsec_hlen: count; ##< Hash length. + nsec_hash: string; ##< Hash value. + bitmaps: string_vec; ##< Type Bit Maps. + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC NSEC3PARAM record. +## +## .. zeek:see:: dns_NSEC3PARAM +type dns_nsec3param_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + nsec_flags: count; ##< flags field. + nsec_hash_algo: count; ##< Hash algorithm. + nsec_iter: count; ##< Iterations. + nsec_salt_len: count; ##< Salt length. + nsec_salt: string; ##< Salt value + is_query: count; ##< The RR is a query/Response. +}; + +## A DNSSEC DS record. +## +## .. zeek:see:: dns_DS +type dns_ds_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + key_tag: count; ##< flags filed. + algorithm: count; ##< Algorithm for Public Key. + digest_type: count; ##< Digest Type. + digest_val: string; ##< Digest Value. + is_query: count; ##< The RR is a query/Response. +}; + +## A Private RR type BINDS record. +## +## .. zeek:see:: dns_BINDS +type dns_binds_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. 
+ algorithm: count; ##< Algorithm for Public Key. + key_id: count; ##< key tag. + removal_flag: count; ##< rm flag. + complte_flag: string &deprecated="Remove in v8.1: Use complete_flag instead."; ##< complete flag. + is_query: count; ##< The RR is a query/Response. + complete_flag: count; ##< complete flag. +}; + +## A Private RR type LOC record. +## +## .. zeek:see:: dns_LOC +type dns_loc_rr: record { + query: string; ##< Query. + answer_type: count; ##< Ans type. + version: count; ##< version number of the representation. + size: count; ##< Diameter of a sphere enclosing the entity. + horiz_pre: count; ##< The horizontal precision of the data, in centimeters. + vert_pre: count; ##< The vertical precision of the data, in centimeters. + latitude: count; ##< The latitude of the center of the sphere. + longitude: count; ##< The longitude of the center of the sphere. + altitude: count; ##< The altitude of the center of the sphere. + is_query: count; ##< The RR is a query/Response. +}; + +## DNS SVCB and HTTPS RRs +## +## .. zeek:see:: dns_SVCB dns_HTTPS +type dns_svcb_rr: record { + svc_priority: count; ##< Service priority for the current record, 0 indicates that this record is in AliasMode and cannot carry svc_params; otherwise this is in ServiceMode, and may include svc_params + target_name: string; ##< Target name, the hostname of the service endpoint. +}; + +# DNS answer types. +# +# .. zeek:see:: dns_answer +# +# todo:: use enum to make them autodoc'able +const DNS_QUERY = 0; ##< A query. This shouldn't occur, just for completeness. +const DNS_ANS = 1; ##< An answer record. +const DNS_AUTH = 2; ##< An authoritative record. +const DNS_ADDL = 3; ##< An additional record. + +## The general part of a DNS reply. +## +## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply +## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply +## dns_TXT_reply dns_WKS_reply +type dns_answer: record { + ## Answer type. 
One of :zeek:see:`DNS_QUERY`, :zeek:see:`DNS_ANS`, + ## :zeek:see:`DNS_AUTH` and :zeek:see:`DNS_ADDL`. + answer_type: count; + query: string; ##< Query. + qtype: count; ##< Query type. + qclass: count; ##< Query class. + TTL: interval; ##< Time-to-live. +}; + +## For DNS servers in these sets, omit processing the AUTH records they include +## in their replies. +## +## .. zeek:see:: dns_skip_all_auth dns_skip_addl +global dns_skip_auth: set[addr] &redef; + +## For DNS servers in these sets, omit processing the ADDL records they include +## in their replies. +## +## .. zeek:see:: dns_skip_all_addl dns_skip_auth +global dns_skip_addl: set[addr] &redef; + +## If true, all DNS AUTH records are skipped. +## +## .. zeek:see:: dns_skip_all_addl dns_skip_auth +global dns_skip_all_auth = T &redef; + +## If true, all DNS ADDL records are skipped. +## +## .. zeek:see:: dns_skip_all_auth dns_skip_addl +global dns_skip_all_addl = T &redef; + +## If a DNS request includes more than this many queries, assume it's non-DNS +## traffic and do not process it. Set to 0 to turn off this functionality. +global dns_max_queries = 25 &redef; + +## HTTP session statistics. +## +## .. zeek:see:: http_stats +type http_stats_rec: record { + num_requests: count; ##< Number of requests. + num_replies: count; ##< Number of replies. + request_version: double; ##< HTTP version of the requests. + reply_version: double; ##< HTTP Version of the replies. +}; + +## HTTP message statistics. +## +## .. zeek:see:: http_message_done +type http_message_stat: record { + ## When the request/reply line was complete. + start: time; + ## Whether the message was interrupted. + interrupted: bool; + ## Reason phrase if interrupted. + finish_msg: string; + ## Length of body processed (before finished/interrupted). + body_length: count; + ## Total length of gaps within *body_length*. + content_gap_length: count; + ## Length of headers (including the req/reply line, but not CR/LF's). 
+ header_length: count; +}; + +## Maximum number of HTTP entity data delivered to events. +## +## .. zeek:see:: http_entity_data skip_http_entity_data skip_http_data +global http_entity_data_delivery_size = 1500 &redef; + +## Skip HTTP data for performance considerations. The skipped +## portion will not go through TCP reassembly. +## +## .. zeek:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size +const skip_http_data = F &redef; + +## Maximum length of HTTP URIs passed to events. Longer ones will be truncated +## to prevent over-long URIs (usually sent by worms) from slowing down event +## processing. A value of -1 means "do not truncate". +## +## .. zeek:see:: http_request +const truncate_http_URI = -1 &redef; + +## IRC join information. +## +## .. zeek:see:: irc_join_list +type irc_join_info: record { + nick: string; + channel: string; + password: string; + usermode: string; +}; + +## Set of IRC join information. +## +## .. zeek:see:: irc_join_message +type irc_join_list: set[irc_join_info]; + +## Description of a signature match. +## +## .. zeek:see:: signature_match +type signature_state: record { + sig_id: string; ##< ID of the matching signature. + conn: connection; ##< Matching connection. + is_orig: bool; ##< True if matching endpoint is originator. + payload_size: count; ##< Payload size of the first matching packet of current endpoint. +}; + +## A BitTorrent peer. +## +## .. zeek:see:: bittorrent_peer_set +type bittorrent_peer: record { + h: addr; ##< The peer's address. + p: port; ##< The peer's port. +}; + +## A set of BitTorrent peers. +## +## .. zeek:see:: bt_tracker_response +type bittorrent_peer_set: set[bittorrent_peer]; + +## BitTorrent "benc" value. Note that "benc" = Bencode ("Bee-Encode"), per +## http://en.wikipedia.org/wiki/Bencode. +## +## .. zeek:see:: bittorrent_benc_dir +type bittorrent_benc_value: record { + i: int &optional; ##< TODO. + s: string &optional; ##< TODO. + d: string &optional; ##< TODO. 
+ l: string &optional; ##< TODO. +}; + +## A table of BitTorrent "benc" values. +## +## .. zeek:see:: bt_tracker_response +type bittorrent_benc_dir: table[string] of bittorrent_benc_value; + +## Header table type used by BitTorrent analyzer. +## +## .. zeek:see:: bt_tracker_request bt_tracker_response +## bt_tracker_response_not_ok +type bt_tracker_headers: table[string] of string; + +## A vector of boolean values that indicate the setting +## for a range of modbus coils. +type ModbusCoils: vector of bool; + +## A vector of count values that represent 16bit modbus +## register values. +type ModbusRegisters: vector of count; + +type ModbusHeaders: record { + ## Transaction identifier + tid: count; + ## Protocol identifier + pid: count; + ## Unit identifier (previously 'slave address') + uid: count; + ## MODBUS function code + function_code: count; + ## Length of the application PDU following the header plus + ## one byte for the uid field. + len: count; +}; + +type ModbusFileRecordRequest: record { + ref_type: count; + file_num: count; + record_num: count; + record_len: count; +}; + +type ModbusFileRecordRequests: vector of ModbusFileRecordRequest; + +type ModbusFileRecordResponse: record { + file_len: count; + ref_type: count; + record_data: string; +}; + +type ModbusFileRecordResponses: vector of ModbusFileRecordResponse; + +type ModbusFileReference: record { + ref_type: count; + file_num: count; + record_num: count; + record_len: count; + record_data: string; +}; + +type ModbusFileReferences: vector of ModbusFileReference; + +module Analyzer; + +export { + ## A hook taking a connection, analyzer tag and analyzer id that can be + ## used to veto disabling protocol analyzers. Specifically, an analyzer + ## can be prevented from being disabled by using a :zeek:see:`break` + ## statement within the hook. + ## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call. 
+ ## + ## Scripts implementing this hook should have other logic that will eventually + ## disable the analyzer for the given connection. That is, if a script vetoes + ## disabling an analyzer, it takes responsibility for a later call to + ## :zeek:see:`disable_analyzer`, which may be never. + ## + ## c: The connection + ## + ## atype: The type / tag of the analyzer being disabled. + ## + ## aid: The analyzer ID. + type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count) &redef; +} module NFS3; @@ -2830,20 +3534,19 @@ export { afiles: double; ##< TODO. invarsec: interval; ##< TODO. }; -} # end export - +} module MIME; + export { ## Stop analysis of nested multipart MIME entities if this depth is ## reached. Setting this value to 0 removes the limit. const max_depth = 100 &redef; -} # end export - - +} module MOUNT3; + export { ## Record summarizing the general results and status of MOUNT3 @@ -2904,7 +3607,7 @@ export { auth_flavors: vector of auth_flavor_t &optional; ##< Returned authentication flavors }; -} # end export +} module Log; @@ -2931,7 +3634,7 @@ export { ## .. :zeek:see:`Log::flush_interval` const write_buffer_size = 1000 &redef; -} # end export +} module POP3; @@ -2948,7 +3651,7 @@ export { ## Setting this value to 0 removes the limit. const max_unknown_client_commands = 10 &redef; -} # end export +} module Threading; @@ -3887,8 +4590,6 @@ export { }; } -module GLOBAL; - module DHCP; export { 
@@ -4050,578 +4751,147 @@ export { }; } -module GLOBAL; -## A DNS message. -## -## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_message dns_query_reply dns_rejected dns_request -type dns_msg: record { - id: count; ##< Transaction ID. - - opcode: count; ##< Operation code. - rcode: count; ##< Return code. - - QR: bool; ##< Query response flag. - AA: bool; ##< Authoritative answer flag. - TC: bool; ##< Truncated packet flag. - RD: bool; ##< Recursion desired flag. - RA: bool; ##< Recursion available flag. - Z: count; ##< 3 bit field (includes AD and CD) - AD: bool; ##< authentic data - CD: bool; ##< checking disabled - - num_queries: count; ##< Number of query records. - num_answers: count; ##< Number of answer records. - num_auth: count; ##< Number of authoritative records. - num_addl: count; ##< Number of additional records. -}; - -## A DNS SOA record. -## -## .. zeek:see:: dns_SOA_reply -type dns_soa: record { - mname: string; ##< Primary source of data for zone. - rname: string; ##< Mailbox for responsible person. - serial: count; ##< Version number of zone. - refresh: interval; ##< Seconds before refreshing. - retry: interval; ##< How long before retrying failed refresh. - expire: interval; ##< When zone no longer authoritative. - minimum: interval; ##< Minimum TTL to use when exporting. -}; - -## An additional DNS EDNS record. -## -## .. zeek:see:: dns_EDNS_addl -type dns_edns_additional: record { - query: string; ##< Query. - qtype: count; ##< Query type. - t: count; ##< TODO. - payload_size: count; ##< TODO. - extended_rcode: count; ##< Extended return code. - version: count; ##< Version. - z_field: count; ##< TODO. - TTL: interval; ##< Time-to-live. - is_query: count; ##< TODO. -}; - -## An DNS EDNS Client Subnet (ECS) record. -## -## .. 
zeek:see:: dns_EDNS_ecs -type dns_edns_ecs: record { - family: string; ##< IP Family - source_prefix_len: count; ##< Source Prefix Length. - scope_prefix_len: count; ##< Scope Prefix Length. - address: addr; ##< Client Subnet Address. -}; - -## An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record. -## -## .. zeek:see:: dns_EDNS_tcp_keepalive -type dns_edns_tcp_keepalive: record { - keepalive_timeout_omitted: bool; ##< Whether timeout value is omitted. - keepalive_timeout: count; ##< Timeout value, in 100ms. -}; - -## An DNS EDNS COOKIE (COOKIE) record. -## -## .. zeek:see:: dns_EDNS_cookie -type dns_edns_cookie: record { - client_cookie: string; ##< Cookie from the client (fixed 8 bytes). - server_cookie: string &default=""; ##< Cookie from the server (0 bytes if missing, or 8 to 32 bytes). -}; - -## A DNS TKEY record. -## -## .. zeek:see:: dns_TKEY -type dns_tkey: record { - query: string; ##< Query. - qtype: count; ##< Query type. - alg_name: string; ##< Algorithm name. - inception: time; ##< Requested or provided start of validity interval for keying material. - expiration: time; ##< Requested or provided end of validity interval for keying material. - mode: count; ##< Key agreement or purpose of the message. - rr_error: count; ##< Error code. - key_data: string; ##< Key exchange data field. - is_query: count; ##< The RR is a query/Response. -}; - -## An additional DNS TSIG record. -## -## .. zeek:see:: dns_TSIG_addl -type dns_tsig_additional: record { - query: string; ##< Query. - qtype: count; ##< Query type. - alg_name: string; ##< Algorithm name. - sig: string; ##< Signature. - time_signed: time; ##< Time when signed. - fudge: time; ##< TODO. - orig_id: count; ##< TODO. - rr_error: count; ##< TODO. - is_query: count; ##< TODO. -}; - -## A DNSSEC RRSIG record. -## -## .. zeek:see:: dns_RRSIG -type dns_rrsig_rr: record { - query: string; ##< Query. - answer_type: count; ##< Ans type. - type_covered: count; ##< qtype covered by RRSIG RR. 
- algorithm: count; ##< Algorithm. - labels: count; ##< Labels in the owner's name. - orig_ttl: interval; ##< Original TTL. - sig_exp: time; ##< Time when signed RR expires. - sig_incep: time; ##< Time when signed. - key_tag: count; ##< Key tag value. - signer_name: string; ##< Signature. - signature: string; ##< Hash of the RRDATA. - is_query: count; ##< The RR is a query/Response. -}; - -## A DNSSEC DNSKEY record. -## -## .. zeek:see:: dns_DNSKEY -type dns_dnskey_rr: record { - query: string; ##< Query. - answer_type: count; ##< Ans type. - flags: count; ##< flags filed. - protocol: count; ##< Protocol, should be always 3 for DNSSEC. - algorithm: count; ##< Algorithm for Public Key. - public_key: string; ##< Public Key - is_query: count; ##< The RR is a query/Response. -}; - -## A DNSSEC NSEC3 record. -## -## .. zeek:see:: dns_NSEC3 -type dns_nsec3_rr: record { - query: string; ##< Query. - answer_type: count; ##< Ans type. - nsec_flags: count; ##< flags field. - nsec_hash_algo: count; ##< Hash algorithm. - nsec_iter: count; ##< Iterations. - nsec_salt_len: count; ##< Salt length. - nsec_salt: string; ##< Salt value - nsec_hlen: count; ##< Hash length. - nsec_hash: string; ##< Hash value. - bitmaps: string_vec; ##< Type Bit Maps. - is_query: count; ##< The RR is a query/Response. -}; - -## A DNSSEC NSEC3PARAM record. -## -## .. zeek:see:: dns_NSEC3PARAM -type dns_nsec3param_rr: record { - query: string; ##< Query. - answer_type: count; ##< Ans type. - nsec_flags: count; ##< flags field. - nsec_hash_algo: count; ##< Hash algorithm. - nsec_iter: count; ##< Iterations. - nsec_salt_len: count; ##< Salt length. - nsec_salt: string; ##< Salt value - is_query: count; ##< The RR is a query/Response. -}; - -## A DNSSEC DS record. -## -## .. zeek:see:: dns_DS -type dns_ds_rr: record { - query: string; ##< Query. - answer_type: count; ##< Ans type. - key_tag: count; ##< flags filed. - algorithm: count; ##< Algorithm for Public Key. - digest_type: count; ##< Digest Type. 
- digest_val: string; ##< Digest Value. - is_query: count; ##< The RR is a query/Response. -}; - -## A Private RR type BINDS record. -## -## .. zeek:see:: dns_BINDS -type dns_binds_rr: record { - query: string; ##< Query. - answer_type: count; ##< Ans type. - algorithm: count; ##< Algorithm for Public Key. - key_id: count; ##< key tag. - removal_flag: count; ##< rm flag. - complte_flag: string &deprecated="Remove in v8.1: Use complete_flag instead."; ##< complete flag. - is_query: count; ##< The RR is a query/Response. - complete_flag: count; ##< complete flag. -}; - -## A Private RR type LOC record. -## -## .. zeek:see:: dns_LOC -type dns_loc_rr: record { - query: string; ##< Query. - answer_type: count; ##< Ans type. - version: count; ##< version number of the representation. - size: count; ##< Diameter of a sphere enclosing the entity. - horiz_pre: count; ##< The horizontal precision of the data, in centimeters. - vert_pre: count; ##< The vertical precision of the data, in centimeters. - latitude: count; ##< The latitude of the center of the sphere. - longitude: count; ##< The longitude of the center of the sphere. - altitude: count; ##< The altitude of the center of the sphere. - is_query: count; ##< The RR is a query/Response. -}; - -## DNS SVCB and HTTPS RRs -## -## .. zeek:see:: dns_SVCB dns_HTTPS -type dns_svcb_rr: record { - svc_priority: count; ##< Service priority for the current record, 0 indicates that this record is in AliasMode and cannot carry svc_params; otherwise this is in ServiceMode, and may include svc_params - target_name: string; ##< Target name, the hostname of the service endpoint. -}; - -# DNS answer types. -# -# .. zeek:see:: dns_answer -# -# todo:: use enum to make them autodoc'able -const DNS_QUERY = 0; ##< A query. This shouldn't occur, just for completeness. -const DNS_ANS = 1; ##< An answer record. -const DNS_AUTH = 2; ##< An authoritative record. -const DNS_ADDL = 3; ##< An additional record. - -## The general part of a DNS reply. 
-## -## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply -## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply -## dns_TXT_reply dns_WKS_reply -type dns_answer: record { - ## Answer type. One of :zeek:see:`DNS_QUERY`, :zeek:see:`DNS_ANS`, - ## :zeek:see:`DNS_AUTH` and :zeek:see:`DNS_ADDL`. - answer_type: count; - query: string; ##< Query. - qtype: count; ##< Query type. - qclass: count; ##< Query class. - TTL: interval; ##< Time-to-live. -}; - -## For DNS servers in these sets, omit processing the AUTH records they include -## in their replies. -## -## .. zeek:see:: dns_skip_all_auth dns_skip_addl -global dns_skip_auth: set[addr] &redef; - -## For DNS servers in these sets, omit processing the ADDL records they include -## in their replies. -## -## .. zeek:see:: dns_skip_all_addl dns_skip_auth -global dns_skip_addl: set[addr] &redef; - -## If true, all DNS AUTH records are skipped. -## -## .. zeek:see:: dns_skip_all_addl dns_skip_auth -global dns_skip_all_auth = T &redef; - -## If true, all DNS ADDL records are skipped. -## -## .. zeek:see:: dns_skip_all_auth dns_skip_addl -global dns_skip_all_addl = T &redef; - -## If a DNS request includes more than this many queries, assume it's non-DNS -## traffic and do not process it. Set to 0 to turn off this functionality. -global dns_max_queries = 25 &redef; - -## HTTP session statistics. -## -## .. zeek:see:: http_stats -type http_stats_rec: record { - num_requests: count; ##< Number of requests. - num_replies: count; ##< Number of replies. - request_version: double; ##< HTTP version of the requests. - reply_version: double; ##< HTTP Version of the replies. -}; - -## HTTP message statistics. -## -## .. zeek:see:: http_message_done -type http_message_stat: record { - ## When the request/reply line was complete. - start: time; - ## Whether the message was interrupted. - interrupted: bool; - ## Reason phrase if interrupted. 
- finish_msg: string; - ## Length of body processed (before finished/interrupted). - body_length: count; - ## Total length of gaps within *body_length*. - content_gap_length: count; - ## Length of headers (including the req/reply line, but not CR/LF's). - header_length: count; -}; - -## Maximum number of HTTP entity data delivered to events. -## -## .. zeek:see:: http_entity_data skip_http_entity_data skip_http_data -global http_entity_data_delivery_size = 1500 &redef; - -## Skip HTTP data for performance considerations. The skipped -## portion will not go through TCP reassembly. -## -## .. zeek:see:: http_entity_data skip_http_entity_data http_entity_data_delivery_size -const skip_http_data = F &redef; - -## Maximum length of HTTP URIs passed to events. Longer ones will be truncated -## to prevent over-long URIs (usually sent by worms) from slowing down event -## processing. A value of -1 means "do not truncate". -## -## .. zeek:see:: http_request -const truncate_http_URI = -1 &redef; - -## IRC join information. -## -## .. zeek:see:: irc_join_list -type irc_join_info: record { - nick: string; - channel: string; - password: string; - usermode: string; -}; - -## Set of IRC join information. -## -## .. zeek:see:: irc_join_message -type irc_join_list: set[irc_join_info]; - module PE; + export { -type PE::DOSHeader: record { - ## The magic number of a portable executable file ("MZ"). - signature : string; - ## The number of bytes in the last page that are used. - used_bytes_in_last_page : count; - ## The number of pages in the file that are part of the PE file itself. - file_in_pages : count; - ## Number of relocation entries stored after the header. - num_reloc_items : count; - ## Number of paragraphs in the header. - header_in_paragraphs : count; - ## Number of paragraphs of additional memory that the program will need. - min_extra_paragraphs : count; - ## Maximum number of paragraphs of additional memory. 
- max_extra_paragraphs : count; - ## Relative value of the stack segment. - init_relative_ss : count; - ## Initial value of the SP register. - init_sp : count; - ## Checksum. The 16-bit sum of all words in the file should be 0. Normally not set. - checksum : count; - ## Initial value of the IP register. - init_ip : count; - ## Initial value of the CS register (relative to the initial segment). - init_relative_cs : count; - ## Offset of the first relocation table. - addr_of_reloc_table : count; - ## Overlays allow you to append data to the end of the file. If this is the main program, - ## this will be 0. - overlay_num : count; - ## OEM identifier. - oem_id : count; - ## Additional OEM info, specific to oem_id. - oem_info : count; - ## Address of the new EXE header. - addr_of_new_exe_header : count; -}; + type PE::DOSHeader: record { + ## The magic number of a portable executable file ("MZ"). + signature : string; + ## The number of bytes in the last page that are used. + used_bytes_in_last_page : count; + ## The number of pages in the file that are part of the PE file itself. + file_in_pages : count; + ## Number of relocation entries stored after the header. + num_reloc_items : count; + ## Number of paragraphs in the header. + header_in_paragraphs : count; + ## Number of paragraphs of additional memory that the program will need. + min_extra_paragraphs : count; + ## Maximum number of paragraphs of additional memory. + max_extra_paragraphs : count; + ## Relative value of the stack segment. + init_relative_ss : count; + ## Initial value of the SP register. + init_sp : count; + ## Checksum. The 16-bit sum of all words in the file should be 0. Normally not set. + checksum : count; + ## Initial value of the IP register. + init_ip : count; + ## Initial value of the CS register (relative to the initial segment). + init_relative_cs : count; + ## Offset of the first relocation table. 
+ addr_of_reloc_table : count; + ## Overlays allow you to append data to the end of the file. If this is the main program, + ## this will be 0. + overlay_num : count; + ## OEM identifier. + oem_id : count; + ## Additional OEM info, specific to oem_id. + oem_info : count; + ## Address of the new EXE header. + addr_of_new_exe_header : count; + }; -type PE::FileHeader: record { - ## The target machine that the file was compiled for. - machine : count; - ## The time that the file was created at. - ts : time; - ## Pointer to the symbol table. - sym_table_ptr : count; - ## Number of symbols. - num_syms : count; - ## The size of the optional header. - optional_header_size : count; - ## Bit flags that determine if this file is executable, non-relocatable, and/or a DLL. - characteristics : set[count]; -}; + type PE::FileHeader: record { + ## The target machine that the file was compiled for. + machine : count; + ## The time that the file was created at. + ts : time; + ## Pointer to the symbol table. + sym_table_ptr : count; + ## Number of symbols. + num_syms : count; + ## The size of the optional header. + optional_header_size : count; + ## Bit flags that determine if this file is executable, non-relocatable, and/or a DLL. + characteristics : set[count]; + }; -type PE::OptionalHeader: record { - ## PE32 or PE32+ indicator. - magic : count; - ## The major version of the linker used to create the PE. - major_linker_version : count; - ## The minor version of the linker used to create the PE. - minor_linker_version : count; - ## Size of the .text section. - size_of_code : count; - ## Size of the .data section. - size_of_init_data : count; - ## Size of the .bss section. - size_of_uninit_data : count; - ## The relative virtual address (RVA) of the entry point. - addr_of_entry_point : count; - ## The relative virtual address (RVA) of the .text section. - base_of_code : count; - ## The relative virtual address (RVA) of the .data section. 
- base_of_data : count &optional; - ## Preferred memory location for the image to be based at. - image_base : count; - ## The alignment (in bytes) of sections when they're loaded in memory. - section_alignment : count; - ## The alignment (in bytes) of the raw data of sections. - file_alignment : count; - ## The major version of the required OS. - os_version_major : count; - ## The minor version of the required OS. - os_version_minor : count; - ## The major version of this image. - major_image_version : count; - ## The minor version of this image. - minor_image_version : count; - ## The major version of the subsystem required to run this file. - major_subsys_version : count; - ## The minor version of the subsystem required to run this file. - minor_subsys_version : count; - ## The size (in bytes) of the image as the image is loaded in memory. - size_of_image : count; - ## The size (in bytes) of the headers, rounded up to file_alignment. - size_of_headers : count; - ## The image file checksum. - checksum : count; - ## The subsystem that's required to run this image. - subsystem : count; - ## Bit flags that determine how to execute or load this file. - dll_characteristics : set[count]; - ## A vector with the sizes of various tables and strings that are - ## defined in the optional header data directories. Examples include - ## the import table, the resource table, and debug information. - table_sizes : vector of count; + type PE::OptionalHeader: record { + ## PE32 or PE32+ indicator. + magic : count; + ## The major version of the linker used to create the PE. + major_linker_version : count; + ## The minor version of the linker used to create the PE. + minor_linker_version : count; + ## Size of the .text section. + size_of_code : count; + ## Size of the .data section. + size_of_init_data : count; + ## Size of the .bss section. + size_of_uninit_data : count; + ## The relative virtual address (RVA) of the entry point. 
+ addr_of_entry_point : count; + ## The relative virtual address (RVA) of the .text section. + base_of_code : count; + ## The relative virtual address (RVA) of the .data section. + base_of_data : count &optional; + ## Preferred memory location for the image to be based at. + image_base : count; + ## The alignment (in bytes) of sections when they're loaded in memory. + section_alignment : count; + ## The alignment (in bytes) of the raw data of sections. + file_alignment : count; + ## The major version of the required OS. + os_version_major : count; + ## The minor version of the required OS. + os_version_minor : count; + ## The major version of this image. + major_image_version : count; + ## The minor version of this image. + minor_image_version : count; + ## The major version of the subsystem required to run this file. + major_subsys_version : count; + ## The minor version of the subsystem required to run this file. + minor_subsys_version : count; + ## The size (in bytes) of the image as the image is loaded in memory. + size_of_image : count; + ## The size (in bytes) of the headers, rounded up to file_alignment. + size_of_headers : count; + ## The image file checksum. + checksum : count; + ## The subsystem that's required to run this image. + subsystem : count; + ## Bit flags that determine how to execute or load this file. + dll_characteristics : set[count]; + ## A vector with the sizes of various tables and strings that are + ## defined in the optional header data directories. Examples include + ## the import table, the resource table, and debug information. + table_sizes : vector of count; -}; + }; -## Record for Portable Executable (PE) section headers. -type PE::SectionHeader: record { - ## The name of the section - name : string; - ## The total size of the section when loaded into memory. - virtual_size : count; - ## The relative virtual address (RVA) of the section. 
- virtual_addr : count; - ## The size of the initialized data for the section, as it is - ## in the file on disk. - size_of_raw_data : count; - ## The virtual address of the initialized dat for the section, - ## as it is in the file on disk. - ptr_to_raw_data : count; - ## The file pointer to the beginning of relocation entries for - ## the section. - ptr_to_relocs : count; - ## The file pointer to the beginning of line-number entries for - ## the section. - ptr_to_line_nums : count; - ## The number of relocation entries for the section. - num_of_relocs : count; - ## The number of line-number entries for the section. - num_of_line_nums : count; - ## Bit-flags that describe the characteristics of the section. - characteristics : set[count]; -}; + ## Record for Portable Executable (PE) section headers. + type PE::SectionHeader: record { + ## The name of the section + name : string; + ## The total size of the section when loaded into memory. + virtual_size : count; + ## The relative virtual address (RVA) of the section. + virtual_addr : count; + ## The size of the initialized data for the section, as it is + ## in the file on disk. + size_of_raw_data : count; + ## The virtual address of the initialized dat for the section, + ## as it is in the file on disk. + ptr_to_raw_data : count; + ## The file pointer to the beginning of relocation entries for + ## the section. + ptr_to_relocs : count; + ## The file pointer to the beginning of line-number entries for + ## the section. + ptr_to_line_nums : count; + ## The number of relocation entries for the section. + num_of_relocs : count; + ## The number of line-number entries for the section. + num_of_line_nums : count; + ## Bit-flags that describe the characteristics of the section. + characteristics : set[count]; + }; } -module GLOBAL; - -## Description of a signature match. -## -## .. zeek:see:: signature_match -type signature_state: record { - sig_id: string; ##< ID of the matching signature. 
- conn: connection; ##< Matching connection. - is_orig: bool; ##< True if matching endpoint is originator. - payload_size: count; ##< Payload size of the first matching packet of current endpoint. -}; - -## A BitTorrent peer. -## -## .. zeek:see:: bittorrent_peer_set -type bittorrent_peer: record { - h: addr; ##< The peer's address. - p: port; ##< The peer's port. -}; - -## A set of BitTorrent peers. -## -## .. zeek:see:: bt_tracker_response -type bittorrent_peer_set: set[bittorrent_peer]; - -## BitTorrent "benc" value. Note that "benc" = Bencode ("Bee-Encode"), per -## http://en.wikipedia.org/wiki/Bencode. -## -## .. zeek:see:: bittorrent_benc_dir -type bittorrent_benc_value: record { - i: int &optional; ##< TODO. - s: string &optional; ##< TODO. - d: string &optional; ##< TODO. - l: string &optional; ##< TODO. -}; - -## A table of BitTorrent "benc" values. -## -## .. zeek:see:: bt_tracker_response -type bittorrent_benc_dir: table[string] of bittorrent_benc_value; - -## Header table type used by BitTorrent analyzer. -## -## .. zeek:see:: bt_tracker_request bt_tracker_response -## bt_tracker_response_not_ok -type bt_tracker_headers: table[string] of string; - -## A vector of boolean values that indicate the setting -## for a range of modbus coils. -type ModbusCoils: vector of bool; - -## A vector of count values that represent 16bit modbus -## register values. -type ModbusRegisters: vector of count; - -type ModbusHeaders: record { - ## Transaction identifier - tid: count; - ## Protocol identifier - pid: count; - ## Unit identifier (previously 'slave address') - uid: count; - ## MODBUS function code - function_code: count; - ## Length of the application PDU following the header plus - ## one byte for the uid field. 
- len: count; -}; - -type ModbusFileRecordRequest: record { - ref_type: count; - file_num: count; - record_num: count; - record_len: count; -}; - -type ModbusFileRecordRequests: vector of ModbusFileRecordRequest; - -type ModbusFileRecordResponse: record { - file_len: count; - ref_type: count; - record_data: string; -}; - -type ModbusFileRecordResponses: vector of ModbusFileRecordResponse; - -type ModbusFileReference: record { - ref_type: count; - file_num: count; - record_num: count; - record_len: count; - record_data: string; -}; - -type ModbusFileReferences: vector of ModbusFileReference; - module SSL; + export { type SignatureAndHashAlgorithm: record { HashAlgorithm: count; ##< Hash algorithm number 
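Review bot: the block this hunk deletes from `module GLOBAL` (the `dns_edns_*`, `dns_tkey`, `dns_tsig_additional` and DNSSEC `dns_*_rr` records, `dns_answer`, the `dns_skip_*` sets, the `http_*` and `irc_*` types and tunables, `signature_state`, the `bittorrent_*` types and the `Modbus*` types) has no matching `+` lines anywhere in this diff, so please confirm in the review that it is relocated verbatim rather than dropped; `dns_max_queries = 25`, `dns_skip_all_auth = T`, `truncate_http_URI = -1` and the `&deprecated="Remove in v8.1: ..."` attribute on `complte_flag` are user-redefinable defaults whose values and attributes should survive the move unchanged. While the `PE::SectionHeader` lines are being re-indented, fix the `ptr_to_raw_data` comment: it currently reads "The virtual address of the initialized dat for the section", but the field is an offset into the on-disk file (its own second line says "as it is in the file on disk"), not a virtual address, and "dat" is a typo; something like `## The file offset of the section's initialized data, as it is in the file on disk.` keeps it clearly distinct from `virtual_addr` two fields above.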
@@ -4633,20 +4903,19 @@ export { obfuscated_ticket_age: count; }; -## Number of non-DTLS frames that can occur in a DTLS connection before -## parsing of the connection is suspended. -## DTLS does not immediately stop parsing a connection because other protocols -## might be interleaved in the same UDP "connection". -const SSL::dtls_max_version_errors = 10 &redef; + ## Number of non-DTLS frames that can occur in a DTLS connection before + ## parsing of the connection is suspended. + ## DTLS does not immediately stop parsing a connection because other protocols + ## might be interleaved in the same UDP "connection". + const SSL::dtls_max_version_errors = 10 &redef; -## Maximum number of invalid version errors to report in one DTLS connection. -const SSL::dtls_max_reported_version_errors = 1 &redef; - -## Maximum number of Alert messages parsed from an SSL record with -## content_type alert (21). The remaining alerts are discarded. For -## TLS 1.3 connections, this is implicitly 1 as defined by RFC 8446. -const SSL::max_alerts_per_record = 10 &redef; + ## Maximum number of invalid version errors to report in one DTLS connection. + const SSL::dtls_max_reported_version_errors = 1 &redef; + ## Maximum number of Alert messages parsed from an SSL record with + ## content_type alert (21). The remaining alerts are discarded. For + ## TLS 1.3 connections, this is implicitly 1 as defined by RFC 8446. + const SSL::max_alerts_per_record = 10 &redef; } module GLOBAL; 
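Review bot: style only, but the re-indentation in this hunk drops the blank line that separated `dtls_max_reported_version_errors` from `max_alerts_per_record`, so two unrelated tunables (a DTLS reporting limit and a TLS alert-record limit) now read as one group; keep the blank line so the block matches the spacing used around `dtls_max_version_errors` and the other export blocks in this file.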
@@ -4661,13 +4930,14 @@ type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm; type psk_identity_vec: vector of SSL::PSKIdentity; module X509; + export { type Certificate: record { version: count &log; ##< Version number. serial: string &log; ##< Serial number. subject: string &log; ##< Subject. issuer: string &log; ##< Issuer. - cn: string &optional; ##< Last (most specific) common name. + cn: string &optional; ##< Last (most specific) common name. not_valid_before: time &log; ##< Timestamp before when certificate is not valid. not_valid_after: time &log; ##< Timestamp after when certificate is not valid. key_alg: string &log; ##< Name of the key algorithm @@ -4712,6 +4982,7 @@ export { } module SOCKS; + export { ## This record is for a SOCKS client or server to provide either a ## name or an address to represent a desired or established connection. @@ -4740,6 +5011,7 @@ export { } module RDP; + export { type RDP::EarlyCapabilityFlags: record { support_err_info_pdu: bool; @@ -4854,6 +5126,7 @@ export { @load base/bif/plugins/Zeek_SNMP.types.bif module SNMP; + export { ## The top-level message data structure of an SNMPv1 datagram, not ## including the PDU data. See :rfc:`1157`. @@ -4976,6 +5249,7 @@ export { @load base/bif/plugins/Zeek_KRB.types.bif module KRB; + export { ## Kerberos keytab file name. Used to decrypt tickets encountered on the wire. const keytab = "" &redef; @@ -5032,6 +5306,15 @@ export { type KRB::Type_Value_Vector: vector of KRB::Type_Value; + type KRB::Encrypted_Data: record { + ## The key version number + kvno : count &optional; + ## The cipher the data was encrypted with + cipher : count; + ## The encrypted data + ciphertext : string; + }; + ## A Kerberos host address See :rfc:`4120`. type KRB::Host_Address: record { ## IPv4 or IPv6 address 
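Review bot: in the new `KRB::Encrypted_Data` record, the `cipher : count` field carries the numeric encryption-type (`etype`) identifier of the RFC 4120 `EncryptedData` type rather than a cipher name, so the comment "The cipher the data was encrypted with" should say that it is the etype number (scripts will otherwise expect a string). `kvno : count &optional` is right, since `kvno` is OPTIONAL on the wire, but `ciphertext : string` holds raw bytes and its comment "The encrypted data" should say so, so nobody writes it to a log or concatenates it as text without escaping. The other hunks in this region only add a blank line after each `module X;` line and are fine.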
@@ -5156,195 +5439,13 @@ export { ## The ticket that was issued ticket : KRB::Ticket; + ## The encrypted session key for the client + enc_part : KRB::Encrypted_Data; }; } -module GLOBAL; - -@load base/bif/event.bif - -## BPF filter the user has set via the -f command line options. Empty if none. -const cmd_line_bpf_filter = "" &redef; - -## Base time of log rotations in 24-hour time format (``%H:%M``), e.g. "12:00". -const log_rotate_base_time = "0:00" &redef; - -## Write profiling info into this file in regular intervals. The easiest way to -## activate profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. -## -## .. zeek:see:: profiling_interval expensive_profiling_multiple -global profiling_file: file &redef; - -## Update interval for profiling (0 disables). The easiest way to activate -## profiling is loading :doc:`/scripts/policy/misc/profiling.zeek`. -## -## .. zeek:see:: profiling_file expensive_profiling_multiple -const profiling_interval = 0 secs &redef; - -## Multiples of :zeek:see:`profiling_interval` at which (more expensive) memory -## profiling is done (0 disables). -## -## .. zeek:see:: profiling_interval profiling_file -const expensive_profiling_multiple = 0 &redef; - -## Output modes for packet profiling information. -## -## .. zeek:see:: pkt_profile_mode pkt_profile_freq pkt_profile_file -type pkt_profile_modes: enum { - PKT_PROFILE_MODE_NONE, ##< No output. - PKT_PROFILE_MODE_SECS, ##< Output every :zeek:see:`pkt_profile_freq` seconds. - PKT_PROFILE_MODE_PKTS, ##< Output every :zeek:see:`pkt_profile_freq` packets. - PKT_PROFILE_MODE_BYTES, ##< Output every :zeek:see:`pkt_profile_freq` bytes. -}; - -## Output mode for packet profiling information. -## -## .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_file -const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef; - -## Frequency associated with packet profiling. -## -## .. 
zeek:see:: pkt_profile_modes pkt_profile_mode pkt_profile_file -const pkt_profile_freq = 0.0 &redef; - -## File where packet profiles are logged. -## -## .. zeek:see:: pkt_profile_modes pkt_profile_freq pkt_profile_mode -global pkt_profile_file: file &redef; - -## Whether to attempt to automatically detect SYN/FIN/RST-filtered trace -## and not report missing segments for such connections. -## If this is enabled, then missing data at the end of connections may not -## be reported via :zeek:see:`content_gap`. -const detect_filtered_trace = F &redef; - -## Whether we want :zeek:see:`content_gap` for partial -## connections. A connection is partial if it is missing a full handshake. Note -## that gap reports for partial connections might not be reliable. -## -## .. zeek:see:: content_gap partial_connection -const report_gaps_for_partial = F &redef; - -## Flag to prevent Zeek from exiting automatically when input is exhausted. -## Normally Zeek terminates when all packet sources have gone dry -## and communication isn't enabled. If this flag is set, Zeek's main loop will -## instead keep idling until :zeek:see:`terminate` is explicitly called. -## -## This is mainly for testing purposes when termination behaviour needs to be -## controlled for reproducing results. -const exit_only_after_terminate = F &redef; - -## Default mode for Zeek's user-space dynamic packet filter. If true, packets -## that aren't explicitly allowed through, are dropped from any further -## processing. -## -## .. note:: This is not the BPF packet filter but an additional dynamic filter -## that Zeek optionally applies just before normal processing starts. -## -## .. zeek:see:: install_dst_addr_filter install_dst_net_filter -## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter -## uninstall_dst_net_filter uninstall_src_addr_filter uninstall_src_net_filter -const packet_filter_default = F &redef; - -## Maximum size of regular expression groups for signature matching. 
-const sig_max_group_size = 50 &redef; - -## Description transmitted to remote communication peers for identification. -const peer_description = "zeek" &redef; - -## Reassemble the beginning of all TCP connections before doing -## signature matching. Enabling this provides more accurate matching at the -## expense of CPU cycles. -## -## .. zeek:see:: dpd_buffer_size -## dpd_match_only_beginning dpd_ignore_ports -## -## .. note:: Despite the name, this option affects *all* signature matching, not -## only signatures used for dynamic protocol detection. -const dpd_reassemble_first_packets = T &redef; - -## Size of per-connection buffer used for dynamic protocol detection. For each -## connection, Zeek buffers this initial amount of payload in memory so that -## complete protocol analysis can start even after the initial packets have -## already passed through (i.e., when a DPD signature matches only later). -## However, once the buffer is full, data is deleted and lost to analyzers that -## are activated afterwards. Then only analyzers that can deal with partial -## connections will be able to analyze the session. -## -## .. zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning -## dpd_ignore_ports dpd_max_packets -const dpd_buffer_size = 1024 &redef; - -## Maximum number of per-connection packets that will be buffered for dynamic -## protocol detection. For each connection, Zeek buffers up to this amount -## of packets in memory so that complete protocol analysis can start even after -## the initial packets have already passed through (i.e., when a DPD signature -## matches only later). However, once the buffer is full, data is deleted and lost -## to analyzers that are activated afterwards. Then only analyzers that can deal -## with partial connections will be able to analyze the session. -## -## .. 
zeek:see:: dpd_reassemble_first_packets dpd_match_only_beginning -## dpd_ignore_ports dpd_buffer_size -const dpd_max_packets = 100 &redef; - -## If true, stops signature matching if :zeek:see:`dpd_buffer_size` has been -## reached. -## -## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_ignore_ports -## -## .. note:: Despite the name, this option affects *all* signature matching, not -## only signatures used for dynamic protocol detection. -const dpd_match_only_beginning = T &redef; - -## If true, stops signature matching after a late match. A late match may occur -## in case the DPD buffer is exhausted but a protocol signature matched. To -## allow late matching, :zeek:see:`dpd_match_only_beginning` must be disabled. -## -## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_match_only_beginning -## -## .. note:: Despite the name, this option stops *all* signature matching, not -## only signatures used for dynamic protocol detection but is triggered by -## DPD signatures only. -const dpd_late_match_stop = F &redef; - -## If true, don't consider any ports for deciding which protocol analyzer to -## use. -## -## .. zeek:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_match_only_beginning -const dpd_ignore_ports = F &redef; - -## Ports which the core considers being likely used by servers. For ports in -## this set, it may heuristically decide to flip the direction of the -## connection if it misses the initial handshake. -const likely_server_ports: set[port] &redef; - -## Holds the filename of the trace file given with ``-w`` (empty if none). -## -## .. zeek:see:: record_all_packets -const trace_output_file = ""; - -## If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it. -## By default, Zeek applies (very few) heuristics to reduce the volume. 
A side -## effect of setting this to true is that we can write the packets out before we -## actually process them, which can be helpful for debugging in case the -## analysis triggers a crash. -## -## .. zeek:see:: trace_output_file -const record_all_packets = F &redef; - -## Ignore certain TCP retransmissions for :zeek:see:`conn_stats`. Some -## connections (e.g., SSH) retransmit the acknowledged last byte to keep the -## connection alive. If *ignore_keep_alive_rexmit* is set to true, such -## retransmissions will be excluded in the rexmit counter in -## :zeek:see:`conn_stats`. -## -## .. zeek:see:: conn_stats -const ignore_keep_alive_rexmit = F &redef; - module JSON; + export { type TimestampFormat: enum { ## Timestamps will be formatted as UNIX epoch doubles. This is 
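Review bot: the doc comment on the new `enc_part` field, "The encrypted session key for the client", undersells what the field holds: it is the reply's whole `EncryptedData` blob (the new `KRB::Encrypted_Data`, i.e. etype, optional kvno and ciphertext), and the plaintext it protects carries the session key together with the ticket lifetimes, flags and nonce, encrypted under a key the client holds; Zeek does not decrypt it for you, so a script gets the ciphertext, not the session key. Suggest `## The reply's EncryptedData (session key and ticket metadata, encrypted for the client); see KRB::Encrypted_Data.` Separately, this same hunk deletes the `module GLOBAL` tunables from `cmd_line_bpf_filter` through `ignore_keep_alive_rexmit` (including all `dpd_*` options, `packet_filter_default`, `sig_max_group_size`, `likely_server_ports`, `record_all_packets`) together with the `@load base/bif/event.bif` that preceded them, with no matching `+` lines in this diff; confirm they are relocated verbatim, because `dpd_buffer_size`, `dpd_match_only_beginning` and `likely_server_ports` are `&redef` knobs users set in local.zeek, and several carry `.. note::` text ("Despite the name, this option affects *all* signature matching") that should move with them.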
@@ -5362,41 +5463,8 @@ export { }; } -module Tunnel; -export { - ## The maximum depth of a tunnel to decapsulate until giving up. - ## Setting this to zero will disable all types of tunnel decapsulation. - const max_depth: count = 4 &redef; - - ## With this set, the Teredo analyzer waits until it sees both sides - ## of a connection using a valid Teredo encapsulation before issuing - ## a :zeek:see:`analyzer_confirmation_info`. If it's false, the first - ## occurrence of a packet with valid Teredo encapsulation causes a - ## confirmation. - const delay_teredo_confirmation = T &redef; - - ## With this set, the GTP analyzer waits until the most-recent upflow - ## and downflow packets are a valid GTPv1 encapsulation before - ## issuing :zeek:see:`analyzer_confirmation_info`. If it's false, the - ## first occurrence of a packet with valid GTPv1 encapsulation causes - ## confirmation. Since the same inner connection can be carried - ## differing outer upflow/downflow connections, setting to false - ## may work better. - const delay_gtp_confirmation = F &redef; - - ## How often to cleanup internal state for inactive IP tunnels - ## (includes GRE tunnels). - const ip_tunnel_timeout = 24hrs &redef; - - ## Whether to validate the checksum supplied in the outer UDP header - ## of a VXLAN encapsulation. The spec says the checksum should be - ## transmitted as zero, but if not, then the decapsulating destination - ## may choose whether to perform the validation. - const validate_vxlan_checksums = T &redef; - -} # end export - module Reporter; + export { ## Tunable for sending reporter info messages to STDERR. The option to ## turn it off is presented here in case Zeek is being run by some @@ -5415,6 +5483,7 @@ export { } module Pcap; + export { ## Number of bytes per packet to capture from live interfaces. const snaplen = 9216 &redef; 
@@ -5480,9 +5549,10 @@ export { fatal, # fatal issue, something that would prevent zeek from continuing warning # non-fatal issue that should just be logged }; -} # end export +} module DCE_RPC; + export { ## The maximum number of simultaneous fragmented commands that ## the DCE_RPC analyzer will tolerate before the it will generate @@ -5496,12 +5566,14 @@ export { } module NCP; + export { ## The maximum number of bytes to allocate when parsing NCP frames. const max_frame_size = 65536 &redef; } module NTP; + export { ## NTP standard message as defined in :rfc:`5905` for modes 1-5 ## This record contains the standard fields used by the NTP protocol @@ -5676,6 +5748,7 @@ export { } module MQTT; + export { type MQTT::ConnectMsg: record { ## Protocol name @@ -5751,6 +5824,7 @@ export { } module Cluster; + export { type Cluster::Pool: record {}; @@ -5769,6 +5843,7 @@ export { } module Weird; + export { ## Prevents rate-limiting sampling of any weirds named in the table. option sampling_whitelist: set[string] = {}; @@ -5802,6 +5877,7 @@ export { } module UnknownProtocol; + export { ## How many reports for an analyzer/protocol pair will be allowed to ## raise events before becoming rate-limited. @@ -5824,6 +5900,7 @@ export { } module BinPAC; + export { ## Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to ## grow to for use with incremental parsing of a given connection/analyzer. @@ -5847,6 +5924,7 @@ export { @load base/bif/telemetry_types.bif module Telemetry; + export { ## Type that captures options used to create metrics. type MetricOpts: record { 
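Review bot: the `@@ -5362,41 +5463,8 @@` hunk above deletes the entire `module Tunnel` export block (`max_depth`, `delay_teredo_confirmation`, `delay_gtp_confirmation`, `ip_tunnel_timeout`, `validate_vxlan_checksums`) with no matching `+` lines anywhere in this diff; confirm these are moved rather than dropped, since `Tunnel::max_depth` is the only bound on decapsulation depth (its comment notes that 0 disables decapsulation entirely) and `validate_vxlan_checksums` decides what the VXLAN decapsulator accepts, so losing either default would change packet handling silently. The remaining hunks in this region only add a blank line after each `module X;` and replace `} # end export` with `}`, which is fine as a consistency pass.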
@@ -6134,63 +6212,13 @@ export { module GLOBAL; -## Seed for hashes computed internally for probabilistic data structures. Using -## the same value here will make the hashes compatible between independent Zeek -## instances. If left unset, Zeek will use a temporary local seed. -const global_hash_seed: string = "" &redef; - -## Number of bits in UIDs that are generated to identify connections and -## files. The larger the value, the more confidence in UID uniqueness. -## The maximum is currently 128 bits. -const bits_per_uid: count = 96 &redef; - -## This salt value is used for several message digests in Zeek. We -## use a salt to help mitigate the possibility of an attacker -## manipulating source data to, e.g., mount complexity attacks or -## cause ID collisions. -## This salt is, for example, used by :zeek:see:`get_file_handle` -## to generate installation-unique file IDs (the *id* field of :zeek:see:`fa_file`). -const digest_salt = "Please change this value." &redef; - -## Maximum string length allowed for calls to the :zeek:see:`find_all` and -## :zeek:see:`find_all_ordered` BIFs. -const max_find_all_string_length: int = 10000 &redef; - -## How many rounds to go without checking IO sources with file descriptors -## for readiness by default. This is used when reading from traces. -## -## Very roughly, when reading from a pcap, setting this to 100 results in -## 100 packets being processed without checking FD based IO sources. -## -## .. note:: This should not be changed outside of development or when -## debugging problems with the main-loop, or developing features with -## tight main-loop interaction. -## -## .. zeek:see:: io_poll_interval_live -const io_poll_interval_default = 100 &redef; - -## How often to check IO sources with file descriptors for readiness when -## monitoring with a live packet source. 
-## -## The poll interval gets defaulted to 100 which is good for cases like reading -## from pcap files and when there isn't a packet source, but is a little too -## infrequent for live sources (especially fast live sources). Set it down a -## little bit for those sources. -## -## .. note:: This should not be changed outside of development or when -## debugging problems with the main-loop, or developing features with -## tight main-loop interaction. -## -## .. zeek:see:: io_poll_interval_default -const io_poll_interval_live = 10 &redef; - -## Whether Zeek is being run under test. This can be used to alter functionality -## while testing, but should be used sparingly. -const running_under_test: bool = F &redef; +@load base/bif/event.bif global done_with_network = F; event net_done(t: time) - { done_with_network = T; } + { + done_with_network = T; + } # This sets up primary BIFs such that they can be used by any # further scripts within their global initializations and is intended to be diff --git a/scripts/base/misc/version.zeek b/scripts/base/misc/version.zeek index 36d8ab1fc3..475593760f 100644 --- a/scripts/base/misc/version.zeek +++ b/scripts/base/misc/version.zeek @@ -1,6 +1,6 @@ -##! Provide information about the currently running Zeek version. -##! The most convenient way to access this are the Version::number -##! and Version::info constants. +##! Provide information about the currently running Zeek version. The most +##! convenient way to access this are the :zeek:see:`Version::number` and +##! :zeek:see:`Version::info` constants. module Version; 
@@ -41,11 +41,11 @@ export { ## ## version_string: Zeek version string. ## - ## Returns: `VersionDescription` record. + ## Returns: :zeek:see:`Version::VersionDescription` record. global parse: function(version_string: string): VersionDescription; - ## Test if the current running version of Zeek is greater or equal to the given version - ## string. + ## Test if the current running version of Zeek is greater or equal to + ## the given version string. ## ## version_string: Version to check against the current running version. ## @@ -118,13 +118,15 @@ function parse(version_string: string): VersionDescription } export { - ## `VersionDescription` record pertaining to the currently running version of Zeek. + ## :zeek:see:`Version::VersionDescription` record pertaining to the currently + ## running version of Zeek. const info = Version::parse(zeek_version()); - ## version number of the currently running version of Zeek as a numeric representation. - ## The format of the number is ABBCC with A being the major version, - ## bb being the minor version (2 digits) and CC being the patchlevel (2 digits). - ## As an example, Zeek 2.4.1 results in the number 20401 + ## version number of the currently running version of Zeek as a numeric + ## representation. The format of the number is ABBCC with A being the + ## major version, bb being the minor version (2 digits) and CC being the + ## patchlevel (2 digits). As an example, Zeek 2.4.1 results in the + ## number 20401 const number = info$version_number; } diff --git a/scripts/base/utils/exec.zeek b/scripts/base/utils/exec.zeek index 7f87bb7bb4..1fa7743325 100644 --- a/scripts/base/utils/exec.zeek +++ b/scripts/base/utils/exec.zeek 
@@ -6,7 +6,7 @@ module Exec; export { type Command: record { - ## The command line to execute. Use care to avoid injection + ## The command line to execute. Use care to avoid injection ## attacks (i.e., if the command uses untrusted/variable data, ## sanitize it with :zeek:see:`safe_shell_quote`). cmd: string; @@ -34,10 +34,10 @@ export { }; ## Function for running command line programs and getting - ## output. This is an asynchronous function which is meant - ## to be run with the `when` statement. + ## output. This is an asynchronous function which is meant + ## to be run with the ``when`` statement. ## - ## cmd: The command to run. Use care to avoid injection attacks! + ## cmd: The command to run. Use care to avoid injection attacks! ## ## Returns: A record representing the full results from the ## external program execution. diff --git a/scripts/base/utils/numbers.zeek b/scripts/base/utils/numbers.zeek index 41b8e601bb..114757f888 100644 --- a/scripts/base/utils/numbers.zeek +++ b/scripts/base/utils/numbers.zeek @@ -2,9 +2,9 @@ ## ## s: The string to search for a number. ## -## get_first: Provide `F` if you would like the last number found. +## get_first: Provide ``F`` if you would like the last number found. ## -## Returns: The request integer from the given string or 0 if +## Returns: The request integer from the given string or ``0`` if ## no integer was found. function extract_count(s: string, get_first: bool &default=T): count { diff --git a/scripts/policy/frameworks/management/controller/main.zeek b/scripts/policy/frameworks/management/controller/main.zeek index efc603e227..b2407d532f 100644 --- a/scripts/policy/frameworks/management/controller/main.zeek +++ b/scripts/policy/frameworks/management/controller/main.zeek 
@@ -186,24 +186,6 @@ global g_configs: table[ConfigState] of Management::Configuration function config_deploy_to_agents(config: Management::Configuration, req: Management::Request::Request) { - # Make any final changes to the configuration we send off. - - # If needed, fill in agent IP address info as learned from their peerings. - # XXX this will need revisiting when we support host names. - local instances: set[Management::Instance]; - - for ( inst in config$instances ) - { - if ( inst$name in g_instances_known - && inst$host == 0.0.0.0 - && g_instances_known[inst$name]$host != 0.0.0.0 ) - inst$host = g_instances_known[inst$name]$host; - - add instances[inst]; - } - - config$instances = instances; - for ( name in g_instances ) { if ( name !in g_instances_ready ) 
@@ -414,27 +396,34 @@ function config_assign_metrics_ports(config: Management::Configuration) [Supervisor::WORKER] = 3, }; - local p = port_to_count(Management::Controller::auto_assign_metrics_start_port); - local ports_set: set[count]; + local instance_metrics_start_port: table[addr] of count; + local instance_ports_set: table[addr] of set[count]; + local instance_addr_lookup: table[string] of addr; local node: Management::Node; + local node_addr: addr; # Pre-populate agents ports, if we have them: for ( inst in config$instances ) { + # build instance name -> addr lookup table + instance_addr_lookup[inst$name] = inst$host; + + instance_metrics_start_port[inst$host] = port_to_count(Management::Controller::auto_assign_metrics_start_port); + instance_ports_set[inst$host] = {}; if ( inst?$listen_port ) - add ports_set[port_to_count(inst$listen_port)]; + add instance_ports_set[inst$host][port_to_count(inst$listen_port)]; } # Pre-populate nodes with pre-defined metrics ports, as well # as their Broker ports: for ( node in config$nodes ) + node_addr = instance_addr_lookup[node$instance]; { if ( node?$p ) - add ports_set[port_to_count(node$p)]; - + add instance_ports_set[node_addr][port_to_count(node$p)]; if ( node?$metrics_port ) { - add ports_set[port_to_count(node$metrics_port)]; + add instance_ports_set[node_addr][port_to_count(node$metrics_port)]; add new_nodes[node]; } } 
@@ -466,17 +455,18 @@ function config_assign_metrics_ports(config: Management::Configuration) for ( i in nodes ) { node = nodes[i]; + node_addr = instance_addr_lookup[node$instance]; # Find next available port ... - while ( p in ports_set ) - ++p; + while ( instance_metrics_start_port[node_addr] in instance_ports_set[node_addr] ) + ++instance_metrics_start_port[node_addr]; - node$metrics_port = count_to_port(p, tcp); + node$metrics_port = count_to_port(instance_metrics_start_port[node_addr], tcp); add new_nodes[node]; - add ports_set[p]; + add instance_ports_set[node_addr][instance_metrics_start_port[node_addr]]; # ... and consume it. - ++p; + ++instance_metrics_start_port[node_addr]; } config$nodes = new_nodes; @@ -1029,6 +1019,27 @@ event Management::Controller::API::stage_configuration_request(reqid: string, co g_configs[STAGED] = config; config_copy = copy(config); + # The staged config is preserved as the client sent it to us. For the + # ready-to-deploy version we fill in additional details here. + # + # One such bit of information is that we know the IP addresses of + # instances that connected to the controller from their Broker peering. + # + # XXX this will need revisiting when we support host names. + local instances: set[Management::Instance]; + + for ( inst in config_copy$instances ) + { + if ( inst$name in g_instances_known + && inst$host == 0.0.0.0 + && g_instances_known[inst$name]$host != 0.0.0.0 ) + inst$host = g_instances_known[inst$name]$host; + + add instances[inst]; + } + + config_copy$instances = instances; + if ( Management::Controller::auto_assign_broker_ports ) config_assign_broker_ports(config_copy); if ( Management::Controller::auto_assign_metrics_ports ) diff --git a/scripts/policy/frameworks/packet-filter/shunt.zeek b/scripts/policy/frameworks/packet-filter/shunt.zeek index 8fd2596fdc..86c162da3f 100644 --- a/scripts/policy/frameworks/packet-filter/shunt.zeek +++ b/scripts/policy/frameworks/packet-filter/shunt.zeek 
@@ -8,19 +8,19 @@ export { const max_bpf_shunts = 100 &redef; ## Call this function to use BPF to shunt a connection (to prevent the - ## data packets from reaching Zeek). For TCP connections, control + ## data packets from reaching Zeek). For TCP connections, control ## packets are still allowed through so that Zeek can continue logging ## the connection and it can stop shunting once the connection ends. global shunt_conn: function(id: conn_id): bool; ## This function will use a BPF expression to shunt traffic between - ## the two hosts given in the `conn_id` so that the traffic is never + ## the two hosts given in the ``conn_id`` so that the traffic is never ## exposed to Zeek's traffic processing. global shunt_host_pair: function(id: conn_id): bool; - ## Remove shunting for a host pair given as a `conn_id`. The filter + ## Remove shunting for a host pair given as a ``conn_id``. The filter ## is not immediately removed. It waits for the occasional filter - ## update done by the `PacketFilter` framework. + ## update done by the ``PacketFilter`` framework. global unshunt_host_pair: function(id: conn_id): bool; ## Performs the same function as the :zeek:id:`PacketFilter::unshunt_host_pair` @@ -40,7 +40,7 @@ export { No_More_Conn_Shunts_Available, ## Limitations in BPF make shunting some connections with BPF - ## impossible. This notice encompasses those various cases. + ## impossible. This notice encompasses those various cases. Cannot_BPF_Shunt_Conn, }; } diff --git a/scripts/policy/frameworks/telemetry/log.zeek b/scripts/policy/frameworks/telemetry/log.zeek index 8ee376eee4..a360a7ed4f 100644 --- a/scripts/policy/frameworks/telemetry/log.zeek +++ b/scripts/policy/frameworks/telemetry/log.zeek 
@@ -1,5 +1,5 @@ -##! Implementation of a telemetry.log and telemetry_histogram.log file -##! using metrics accessible via the Telemetry module. +##! Implementation of a :file:`telemetry.log` and :file:`telemetry_histogram.log` +##! file using metrics accessible via the Telemetry module. @load base/frameworks/telemetry @@ -12,8 +12,9 @@ export { option log_interval = 60sec; ## Only metrics with prefixes in this set will be included in the - ## `telemetry.log` and `telemetry_histogram.log` files by default. - ## Setting this option to an empty set includes all prefixes. + ## :file:`telemetry.log` and :file:`telemetry_histogram.log` files + ## by default. Setting this option to an empty set includes all + ## prefixes. ## ## For more fine-grained customization, setting this option to an ## empty set and implementing the :zeek:see:`Telemetry::log_policy` diff --git a/scripts/policy/protocols/dns/detect-external-names.zeek b/scripts/policy/protocols/dns/detect-external-names.zeek index 8798df6361..78ec8829ab 100644 --- a/scripts/policy/protocols/dns/detect-external-names.zeek +++ b/scripts/policy/protocols/dns/detect-external-names.zeek @@ -15,13 +15,19 @@ export { ## **must** be set appropriately for this detection. External_Name, }; + + ## Default is to ignore mDNS broadcasts. + option skip_resp_host_port_pairs: set[addr, port] = { [[224.0.0.251, [ff02::fb]], 5353/udp] }; } -event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=-3 +function detect_external_names(c: connection, msg: dns_msg, ans: dns_answer, a: addr) { if ( |Site::local_zones| == 0 ) return; + if ( [c$id$resp_h, c$id$resp_p] in skip_resp_host_port_pairs ) + return; + # Check for responses from remote hosts that point at local hosts # but the name is not considered to be within a "local" zone. if ( Site::is_local_addr(a) && # referring to a local host 
@@ -33,3 +39,13 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori $identifier=cat(a,ans$query)]); } } + +event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) + { + detect_external_names(c, msg, ans, a); + } + +event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) + { + detect_external_names(c, msg, ans, a); + } diff --git a/src/Conn.h b/src/Conn.h index 528d76f49b..fb0289a470 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -59,8 +59,8 @@ struct ConnTuple { IPAddr dst_addr; uint32_t src_port = 0; uint32_t dst_port = 0; - bool is_one_way = false; // if true, don't canonicalize order uint16_t proto = UNKNOWN_IP_PROTO; + bool is_one_way = false; // if true, don't canonicalize order }; static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) { diff --git a/src/EventRegistry.h b/src/EventRegistry.h index 727ba9eb0c..b125cfda3a 100644 --- a/src/EventRegistry.h +++ b/src/EventRegistry.h @@ -164,8 +164,8 @@ private: void UpdateFuncBodies(); EventGroupKind kind; - std::string name; bool enabled = true; + std::string name; std::unordered_set funcs; }; diff --git a/src/IPAddr.cc b/src/IPAddr.cc index ea32a2f755..1df6e26a4e 100644 --- a/src/IPAddr.cc +++ b/src/IPAddr.cc @@ -4,14 +4,12 @@ #include #include -#include #include "zeek/3rdparty/zeek_inet_ntop.h" #include "zeek/Conn.h" #include "zeek/Hash.h" #include "zeek/Reporter.h" #include "zeek/ZeekString.h" -#include "zeek/analyzer/Manager.h" namespace zeek { @@ -20,7 +18,7 @@ const IPAddr IPAddr::v6_unspecified = IPAddr(); namespace detail { -ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint8_t proto, +ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint16_t proto, bool one_way) { Init(src, dst, src_port, dst_port, proto, one_way); } 
@@ -43,7 +41,6 @@ ConnKey& ConnKey::operator=(const ConnKey& rhs) { port1 = rhs.port1; port2 = rhs.port2; transport = rhs.transport; - valid = rhs.valid; return *this; } @@ -51,7 +48,7 @@ ConnKey& ConnKey::operator=(const ConnKey& rhs) { ConnKey::ConnKey(Val* v) { const auto& vt = v->GetType(); if ( ! IsRecord(vt->Tag()) ) { - valid = false; + transport = INVALID_CONN_KEY_IP_PROTO; return; } @@ -78,7 +75,7 @@ ConnKey::ConnKey(Val* v) { proto = vr->FieldOffset("proto"); if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 || proto < 0 ) { - valid = false; + transport = INVALID_CONN_KEY_IP_PROTO; return; } @@ -86,19 +83,24 @@ ConnKey::ConnKey(Val* v) { // types, too. } + if ( ! vl->HasField(orig_h) || ! vl->HasField(resp_h) || ! vl->HasField(orig_p) || ! vl->HasField(resp_p) ) { + transport = INVALID_CONN_KEY_IP_PROTO; + return; + } + const IPAddr& orig_addr = vl->GetFieldAs(orig_h); const IPAddr& resp_addr = vl->GetFieldAs(resp_h); - auto orig_portv = vl->GetFieldAs(orig_p); - auto resp_portv = vl->GetFieldAs(resp_p); + const auto& orig_portv = vl->GetFieldAs(orig_p); + const auto& resp_portv = vl->GetFieldAs(resp_p); - auto protov = vl->GetFieldAs(proto); + const auto& protov = vl->GetField(proto); Init(orig_addr, resp_addr, htons((unsigned short)orig_portv->Port()), htons((unsigned short)resp_portv->Port()), - protov, false); + protov->AsCount(), false); } -void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint8_t proto, +void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint16_t proto, bool one_way) { // Because of padding in the object, this needs to memset to clear out // the extra memory used by padding. Otherwise, the session key stuff @@ -122,7 +124,6 @@ void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint } transport = proto; - valid = true; } } // namespace detail 
diff --git a/src/IPAddr.h b/src/IPAddr.h index b8323fb7a3..64e489ac62 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -20,6 +20,9 @@ class Val; namespace detail { +// UNKNOWN_IP_PROTO is 65535 +constexpr uint16_t INVALID_CONN_KEY_IP_PROTO = 65534; + class HashKey; class ConnKey { @@ -28,10 +31,9 @@ public: in6_addr ip2; uint16_t port1 = 0; uint16_t port2 = 0; - uint8_t transport; - bool valid = true; + uint16_t transport = INVALID_CONN_KEY_IP_PROTO; - ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint8_t proto, bool one_way); + ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint16_t proto, bool one_way); ConnKey(const ConnTuple& conn); ConnKey(const ConnKey& rhs) { *this = rhs; } ConnKey(Val* v); @@ -45,8 +47,10 @@ public: ConnKey& operator=(const ConnKey& rhs); + bool Valid() const { return transport <= 0xFF; }; + private: - void Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint8_t proto, bool one_way); + void Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint16_t proto, bool one_way); }; } // namespace detail diff --git a/src/Options.cc b/src/Options.cc index 9a21eae1d1..de49298435 100644 --- a/src/Options.cc +++ b/src/Options.cc 
@@ -424,11 +424,17 @@ Options parse_cmdline(int argc, char** argv) { opterr = 0; // getopt may permute the array, so need yet another array - auto zargs = std::make_unique(zeek_args.size()); + // + // Make sure this array is one greater than zeek_args and ends in nullptr, otherwise + // getopt may go beyond the end of the array + auto zargs = std::make_unique(zeek_args.size() + 1); for ( size_t i = 0; i < zeek_args.size(); ++i ) zargs[i] = zeek_args[i].data(); + // Make sure getopt doesn't go past the end + zargs[zeek_args.size()] = nullptr; + while ( (op = getopt_long(zeek_args.size(), zargs.get(), opts, long_opts, &long_optsind)) != EOF ) switch ( op ) { case 'a': rval.parse_only = true; break; diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 9631a8a1be..78b7bfadfa 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -747,6 +747,12 @@ private: zeek::Tag tag; ID id; + bool skip; + bool finished; + bool removing; + bool timers_canceled; + TimerPList timers; + Connection* conn; Analyzer* parent; const zeek::detail::Rule* signature; @@ -762,12 +768,6 @@ private: bool protocol_confirmed; bool analyzer_confirmed; - TimerPList timers; - bool timers_canceled; - bool skip; - bool finished; - bool removing; - uint64_t analyzer_violations = 0; static ID id_counter; diff --git a/src/analyzer/protocol/krb/krb-analyzer.pac b/src/analyzer/protocol/krb/krb-analyzer.pac index 91b55c255c..3df0367a9b 100644 --- a/src/analyzer/protocol/krb/krb-analyzer.pac +++ b/src/analyzer/protocol/krb/krb-analyzer.pac @@ -215,6 +215,7 @@ refine connection KRB_Conn += { rv->Assign(4, GetStringFromPrincipalName(${msg.client_name})); rv->Assign(5, proc_ticket(${msg.ticket})); + rv->Assign(6, proc_encrypted_data(${msg.enc_part.data})); return rv; }; diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index 397924c4bb..64fabec380 100644 --- a/src/analyzer/protocol/krb/krb-types.pac 
+++ b/src/analyzer/protocol/krb/krb-types.pac @@ -10,6 +10,8 @@ zeek::RecordValPtr proc_host_address(const ZeekAnalyzer a, const KRB_Host_Addres zeek::VectorValPtr proc_tickets(const KRB_Ticket_Sequence* list); zeek::RecordValPtr proc_ticket(const KRB_Ticket* ticket); + +zeek::RecordValPtr proc_encrypted_data(const KRB_Encrypted_Data* encrypted_data); %} %code{ @@ -115,6 +117,19 @@ zeek::RecordValPtr proc_ticket(const KRB_Ticket* ticket) rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), zeek::TYPE_COUNT)); rv->Assign(4, to_stringval(ticket->enc_part()->data()->ciphertext()->encoding()->content())); + return rv; + } + +zeek::RecordValPtr proc_encrypted_data(const KRB_Encrypted_Data* encrypted_data) + { + auto rv = zeek::make_intrusive(zeek::BifType::Record::KRB::Encrypted_Data); + if ( encrypted_data->have_kvno() ) + { + rv->Assign(0, asn1_integer_to_val(encrypted_data->kvno(), zeek::TYPE_COUNT)); + } + rv->Assign(1, asn1_integer_to_val(encrypted_data->etype()->data(), zeek::TYPE_COUNT)); + rv->Assign(2, to_stringval(encrypted_data->ciphertext()->encoding()->content())); + return rv; } %} diff --git a/src/analyzer/protocol/krb/types.bif b/src/analyzer/protocol/krb/types.bif index 11a80781f8..0c1d595267 100644 --- a/src/analyzer/protocol/krb/types.bif +++ b/src/analyzer/protocol/krb/types.bif @@ -8,6 +8,7 @@ type SAFE_Msg: record; type KDC_Options: record; type AP_Options: record; type Type_Value: record; +type Encrypted_Data: record; type Ticket: record; type Ticket_Vector: vector; type Host_Address: record; diff --git a/src/analyzer/protocol/quic/QUIC.spicy b/src/analyzer/protocol/quic/QUIC.spicy index 03ab0c1c7f..0d6064d4c6 100644 --- a/src/analyzer/protocol/quic/QUIC.spicy +++ b/src/analyzer/protocol/quic/QUIC.spicy 
@@ -9,7 +9,7 @@ import zeek; # The interface to the C++ code that handles the decryption of the INITIAL packet payload using well-known keys public function decrypt_crypto_payload( version: uint32, - all_data: bytes, + data: bytes, connection_id: bytes, encrypted_offset: uint64, payload_offset: uint64, @@ -417,7 +417,7 @@ type CryptoBuffer = unit() { ############## type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { var decrypted_data: bytes; - var full_packet: bytes; + var packet_size: uint64 = 0; var start: iterator; sink crypto_sink; @@ -464,8 +464,15 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { } }; - # Slurp in the whole packet if we determined we have a chance to decrypt. - all_data: bytes &parse-at=self.start &eod if ( self?.long_header && can_decrypt(self.long_header, context, from_client) ) { + : void { + if (self?.long_header && can_decrypt(self.long_header, context, from_client)) + # If we have parsed an initial packet that we can decrypt the payload, + # determine the size to store into a buffer. + self.packet_size = self.offset(); + } + + # Buffer the whole packet if we determined we have a chance to decrypt. + packet_data: bytes &parse-at=self.start &size=self.packet_size if ( self.packet_size > 0 ) { self.crypto_buffer = new CryptoBuffer(); self.crypto_sink.connect(self.crypto_buffer); @@ -477,7 +484,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { # All data is accessible via the `long_header` unit self.decrypted_data = decrypt_crypto_payload( self.long_header.version, - self.all_data, + self.packet_data, self.long_header.dest_conn_id, self.long_header.encrypted_offset, self.long_header.payload_length, 
@@ -496,7 +503,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { self.decrypted_data = decrypt_crypto_payload( self.long_header.version, - self.all_data, + self.packet_data, context.initial_destination_conn_id, self.long_header.encrypted_offset, self.long_header.payload_length, @@ -509,6 +516,9 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { # connection. if ( |self.decrypted_data| == 0 ) throw "decryption failed"; + + # We were able to decrypt the INITIAL packet. Confirm QUIC! + spicy::accept_input(); } # Depending on the type of header and whether we were able to decrypt @@ -543,9 +553,6 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { context.client_initial_processed = True; else context.server_initial_processed = True; - - # Take buffered crypto data as confirmation signal. - spicy::accept_input(); } } }; @@ -555,10 +562,10 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) { ############## public type RequestFrame = unit { %context = ConnectionIDInfo; - : Packet(True, self.context()); + : Packet(True, self.context())[]; }; public type ResponseFrame = unit { %context = ConnectionIDInfo; - : Packet(False, self.context()); + : Packet(False, self.context())[]; }; diff --git a/src/analyzer/protocol/quic/decrypt_crypto.cc b/src/analyzer/protocol/quic/decrypt_crypto.cc index 0eb8ad2277..477ae6c140 100644 --- a/src/analyzer/protocol/quic/decrypt_crypto.cc +++ b/src/analyzer/protocol/quic/decrypt_crypto.cc @@ -86,7 +86,7 @@ Removes the header protection from the INITIAL packet and returns a DecryptionIn that is partially filled */ DecryptionInformation remove_header_protection(const std::vector& client_hp, uint64_t encrypted_offset, - const hilti::rt::Bytes& all_data) { + const hilti::rt::Bytes& data) { DecryptionInformation decryptInfo; int outlen; auto* ctx = get_aes_128_ecb(); 
@@ -95,16 +95,16 @@ DecryptionInformation remove_header_protection(const std::vector& clien EVP_CipherInit_ex(ctx, NULL, NULL, client_hp.data(), NULL, 1); static_assert(AEAD_SAMPLE_LENGTH > 0); - assert(all_data.size() >= encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH); + assert(data.size() >= encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH); - const uint8_t* sample = data_as_uint8(all_data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH; + const uint8_t* sample = data_as_uint8(data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH; std::array mask; EVP_CipherUpdate(ctx, mask.data(), &outlen, sample, AEAD_SAMPLE_LENGTH); // To determine the actual packet number length, // we have to remove the mask from the first byte - uint8_t first_byte = data_as_uint8(all_data)[0]; + uint8_t first_byte = data_as_uint8(data)[0]; if ( first_byte & 0x80 ) { first_byte ^= mask[0] & 0x0F; @@ -117,8 +117,8 @@ DecryptionInformation remove_header_protection(const std::vector& clien int recovered_packet_number_length = (first_byte & 0x03) + 1; // .. and use this to reconstruct the (partially) unprotected header - std::vector unprotected_header(data_as_uint8(all_data), data_as_uint8(all_data) + encrypted_offset + - recovered_packet_number_length); + std::vector unprotected_header(data_as_uint8(data), + data_as_uint8(data) + encrypted_offset + recovered_packet_number_length); uint32_t decoded_packet_number = 0; 
@@ -149,8 +149,8 @@ std::vector calculate_nonce(std::vector client_iv, uint64_t pa /* Function that calls the AEAD decryption routine, and returns the decrypted data. */ -hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt::Bytes& all_data, - uint64_t payload_length, const DecryptionInformation& decryptInfo) { +hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt::Bytes& data, uint64_t payload_length, + const DecryptionInformation& decryptInfo) { int out, out2; if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH ) @@ -162,18 +162,18 @@ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt if ( payload_length > 10000 ) throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length too large %ld", payload_length)); - const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size(); + const uint8_t* encrypted_payload = data_as_uint8(data) + decryptInfo.unprotected_header.size(); int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH; if ( encrypted_payload_size < 0 ) throw hilti::rt::RuntimeError(hilti::rt::fmt("encrypted_payload_size underflow %ld", encrypted_payload_size)); - if ( all_data.size() < decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH ) - throw hilti::rt::RuntimeError(hilti::rt::fmt("all_data too short %ld < %ld", all_data.size(), + if ( data.size() < decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH ) + throw hilti::rt::RuntimeError(hilti::rt::fmt("data too short %ld < %ld", data.size(), decryptInfo.unprotected_header.size() + encrypted_payload_size)); - const void* tag_to_check = all_data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size; + const void* tag_to_check = data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size; int tag_to_check_length = AEAD_TAG_LENGTH; // Allocate memory for decryption. 
@@ -443,7 +443,7 @@ Function that is called from Spicy, decrypting an INITIAL packet and returning the decrypted payload back to the analyzer. */ hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe& version, - const hilti::rt::Bytes& all_data, const hilti::rt::Bytes& connection_id, + const hilti::rt::Bytes& data, const hilti::rt::Bytes& connection_id, const hilti::rt::integer::safe& encrypted_offset, const hilti::rt::integer::safe& payload_length, const hilti::rt::Bool& from_client) { @@ -457,9 +457,9 @@ hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe iv = qpp->GetIv(secret); std::vector hp = qpp->GetHp(secret); - DecryptionInformation decryptInfo = remove_header_protection(hp, encrypted_offset, all_data); + DecryptionInformation decryptInfo = remove_header_protection(hp, encrypted_offset, data); // Calculate the correct nonce for the decryption decryptInfo.nonce = calculate_nonce(std::move(iv), decryptInfo.packet_number); - return decrypt(key, all_data, payload_length, decryptInfo); + return decrypt(key, data, payload_length, decryptInfo); } diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h index 3a8f626862..75292e8941 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h @@ -105,10 +105,10 @@ private: bool did_EOF; bool skip_deliveries; - uint64_t seq_to_skip; - - bool in_delivery; analyzer::tcp::TCP_Flags flags; + bool in_delivery; + + uint64_t seq_to_skip; FilePtr record_contents_file; // file on which to reassemble contents diff --git a/src/event.bif b/src/event.bif index e45c9c76a9..f89b099fa1 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -724,8 +724,8 @@ event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%); ## of the file. The analysis can be augmented at this time via ## :zeek:see:`Files::add_analyzer`. The amount of data fed into the file ## sniffing can be increased or decreased by changing either -## :zeek:see:`default_file_bof_buffer_size` or the `bof_buffer_size` field -## in an `fa_file` record. The event will be raised even if content inspection +## :zeek:see:`default_file_bof_buffer_size` or the ``bof_buffer_size`` field +## in an :zeek:type:`fa_file` record. The event will be raised even if content inspection ## has been unable to infer any metadata, in which case the fields in *meta* ## will be left all unset. ## diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index a3796d19df..3a7f57b2cd 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -160,16 +160,6 @@ public: */ uint32_t eth_type; - /** - * Layer 2 source address. - */ - const u_char* l2_src = nullptr; - - /** - * Layer 2 destination address. - */ - const u_char* l2_dst = nullptr; - /** * (Outermost) VLAN tag if any, else 0. */ @@ -208,6 +198,24 @@ public: */ bool l4_checksummed = false; + /** + * Layer 2 source address. + */ + const u_char* l2_src = nullptr; + + /** + * Layer 2 destination address. + */ + const u_char* l2_dst = nullptr; + + /** + * This flag indicates whether a packet has been processed. This can + * mean different things depending on the traffic, but generally it + * means that a packet has been logged in some way. We default to + * false, and this can be set to true for any number of reasons. + */ + bool processed = false; + /** * Indicates whether this packet should be recorded. */ 
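Review bot: the Packet.h hunk relocates `l2_src`, `l2_dst` and `processed` without explaining why; since Packet is a public header that plugins compile against, moving fields changes the object layout and should be called out in the commit message as an ABI change. Separately, the doc comment on `processed` ("can mean different things depending on the traffic ... can be set to true for any number of reasons") tells a reader nothing about when to set or test the flag; naming the code paths that set it (logging, as the comment hints) would make it usable. The event.bif hunk is fine: switching to double backticks and `:zeek:type:` matches the reST conventions Zeekygen expects.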
@@ -264,14 +272,6 @@ public: */ int gre_link_type = DLT_RAW; - /** - * This flag indicates whether a packet has been processed. This can - * mean different things depending on the traffic, but generally it - * means that a packet has been logged in some way. We default to - * false, and this can be set to true for any number of reasons. - */ - bool processed = false; - /** * The session related to this packet, if one exists. */ @@ -283,7 +283,7 @@ private: // True if we need to delete associated packet memory upon // destruction. - bool copy; + bool copy = false; }; } // namespace zeek diff --git a/src/packet_analysis/packet_analysis.bif b/src/packet_analysis/packet_analysis.bif index c90e2665c9..77766d1185 100644 --- a/src/packet_analysis/packet_analysis.bif +++ b/src/packet_analysis/packet_analysis.bif @@ -28,7 +28,7 @@ function register_packet_analyzer%(parent: PacketAnalyzer::Tag, identifier: coun return zeek::val_mgr->True(); %} -## Attempts to add an entry to `parent`'s dispatcher that maps a protocol/index to a next-stage `child` +## Attempts to add an entry to ``parent``'s dispatcher that maps a protocol/index to a next-stage ``child`` ## analyzer. This may fail if either of the two names does not respond to a known analyzer. ## ## parent: The parent analyzer being modified @@ -49,7 +49,7 @@ function try_register_packet_analyzer_by_name%(parent: string, identifier: count return zeek::val_mgr->True(); %} -## Internal function that is used to update the core-mirror of the script-level `ignore_checksums_nets` variable. +## Internal function that is used to update the core-mirror of the script-level ``ignore_checksums_nets`` variable. function PacketAnalyzer::__set_ignore_checksums_nets%(v: subnet_set%) : bool %{ if ( v->GetType()->Tag() != zeek::TYPE_TABLE ) diff --git a/src/parse.y b/src/parse.y index eac4d95c4e..e02f2316e3 100644 --- a/src/parse.y +++ b/src/parse.y 
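Review bot: `bool copy = false;` in Packet.h is a good fix for a member that was otherwise only set by constructors. In the packet_analysis.bif hunk the unchanged context line "This may fail if either of the two names does not respond to a known analyzer" should read "does not correspond to a known analyzer"; the doc line directly above it is being edited, so fix the typo in the same change rather than leaving it for another pass.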
@@ -64,7 +64,7 @@ %type expr opt_expr rhs opt_init anonymous_function lambda_body index_slice opt_deprecated when_condition %type event %type stmt stmt_list func_body for_head -%type type opt_type enum_body +%type simple_type type opt_type enum_body %type func_hdr func_params %type type_list %type type_decl formal_args_decl @@ -1026,6 +1026,13 @@ expr: $$ = new ConstExpr({AdoptRef{}, $1}); } + | simple_type + { + set_location(@1); + TypePtr ty{AdoptRef(), $1}; + $$ = new ConstExpr(make_intrusive(ty, true)); + } + | '/' { begin_RE(); } TOK_PATTERN_TEXT TOK_PATTERN_END { set_location(@3); @@ -1153,63 +1160,75 @@ enum_body_elem: } ; -type: - TOK_BOOL { +simple_type: + TOK_BOOL + { set_location(@1); $$ = base_type(TYPE_BOOL)->Ref(); } - | TOK_INT { + | TOK_INT + { set_location(@1); $$ = base_type(TYPE_INT)->Ref(); } - | TOK_COUNT { + | TOK_COUNT + { set_location(@1); $$ = base_type(TYPE_COUNT)->Ref(); } - | TOK_DOUBLE { + | TOK_DOUBLE + { set_location(@1); $$ = base_type(TYPE_DOUBLE)->Ref(); } - | TOK_TIME { + | TOK_TIME + { set_location(@1); $$ = base_type(TYPE_TIME)->Ref(); } - | TOK_INTERVAL { + | TOK_INTERVAL + { set_location(@1); $$ = base_type(TYPE_INTERVAL)->Ref(); } - | TOK_STRING { + | TOK_STRING + { set_location(@1); $$ = base_type(TYPE_STRING)->Ref(); } - | TOK_PATTERN { + | TOK_PATTERN + { set_location(@1); $$ = base_type(TYPE_PATTERN)->Ref(); } - | TOK_PORT { + | TOK_PORT + { set_location(@1); $$ = base_type(TYPE_PORT)->Ref(); } - | TOK_ADDR { + | TOK_ADDR + { set_location(@1); $$ = base_type(TYPE_ADDR)->Ref(); } - | TOK_SUBNET { + | TOK_SUBNET + { set_location(@1); $$ = base_type(TYPE_SUBNET)->Ref(); } - | TOK_ANY { + | TOK_ANY + { set_location(@1); $$ = base_type(TYPE_ANY)->Ref(); } 
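Review bot: adding `simple_type` as an alternative of `expr` means bare type keywords (`count`, `string`, `addr`, ...) now reduce in expression context; wherever the grammar accepts both an `expr` and a `type` at the same position this can surface as new shift/reduce or reduce/reduce conflicts, so confirm that bison's reported conflict count is unchanged after this hunk. The `expr: | simple_type` action also lacks a comment explaining that the resulting `ConstExpr` wraps the type itself as a value; one line saying so would help, since the new language.type-expr baseline is otherwise the only hint at what this construct is for. The reindentation of the `TOK_BOOL ... TOK_ANY` alternatives (brace on its own line) is style-only and consistent with the rest of the file.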
@@ -1265,24 +1284,6 @@ type: $$ = new VectorType({AdoptRef{}, $3}); } - | TOK_FUNCTION func_params - { - set_location(@1, @2); - $$ = $2; - } - - | TOK_EVENT '(' formal_args ')' - { - set_location(@1, @3); - $$ = new FuncType({AdoptRef{}, $3}, nullptr, FUNC_FLAVOR_EVENT); - } - - | TOK_HOOK '(' formal_args ')' - { - set_location(@1, @3); - $$ = new FuncType({AdoptRef{}, $3}, base_type(TYPE_BOOL), FUNC_FLAVOR_HOOK); - } - | TOK_FILE TOK_OF type { set_location(@1, @3); @@ -1301,6 +1302,26 @@ type: $$ = new OpaqueType($3); } +type: + simple_type + | TOK_FUNCTION func_params + { + set_location(@1, @2); + $$ = $2; + } + + | TOK_HOOK '(' formal_args ')' + { + set_location(@1, @3); + $$ = new FuncType({AdoptRef{}, $3}, base_type(TYPE_BOOL), FUNC_FLAVOR_HOOK); + } + + | TOK_EVENT '(' formal_args ')' + { + set_location(@1, @3); + $$ = new FuncType({AdoptRef{}, $3}, nullptr, FUNC_FLAVOR_EVENT); + } + | resolve_id { if ( ! $1 || ! ($$ = $1->IsType() ? $1->GetType().get() : nullptr) ) diff --git a/src/script_opt/ZAM/OPs/ZBI.op b/src/script_opt/ZAM/OPs/ZBI.op index ed0e0c58a1..be13f0f082 100644 --- a/src/script_opt/ZAM/OPs/ZBI.op +++ b/src/script_opt/ZAM/OPs/ZBI.op @@ -130,7 +130,7 @@ eval auto cid = $1; res = conn->GetVal(); else { - ERROR2("connection ID not a known connection", cid); + emit_builtin_error("connection ID not a known connection", cid); res = build_dummy_conn_record(); } AssignTarget($$, ZVal(res, res->GetType())); diff --git a/src/session/Manager.cc b/src/session/Manager.cc index ef5ce4a76d..131805ef85 100644 --- a/src/session/Manager.cc +++ b/src/session/Manager.cc 
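Review bot: `type: simple_type` carries no action and relies on bison's implicit `$$ = $1`; every surrounding alternative spells its action out, so write this one explicitly for consistency. The hunk also swaps the relative order of the `TOK_HOOK` and `TOK_EVENT` alternatives compared with the removed block (event came first before); harmless, but an unrelated reorder makes a pure move harder to verify by eye. In ZBI.op, replacing `ERROR2(...)` with `emit_builtin_error(...)` aligns the ZAM path with the interpreter's error reporting, which is what the new Baseline.zam/bifs.lookup_connection baseline exercises.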
@@ -2,27 +2,25 @@ #include "zeek/session/Manager.h" -#include "zeek/zeek-config.h" - #include #include #include #include #include -#include "zeek/Desc.h" -#include "zeek/Event.h" +#include "zeek/Conn.h" +#include "zeek/Func.h" +#include "zeek/IP.h" #include "zeek/NetVar.h" #include "zeek/Reporter.h" #include "zeek/RuleMatcher.h" #include "zeek/RunState.h" #include "zeek/Timer.h" #include "zeek/TunnelEncapsulation.h" -#include "zeek/analyzer/Manager.h" -#include "zeek/iosource/IOSource.h" #include "zeek/packet_analysis/Manager.h" #include "zeek/session/Session.h" #include "zeek/telemetry/Manager.h" +#include "zeek/util.h" zeek::session::Manager* zeek::session_mgr = nullptr; @@ -94,8 +92,15 @@ void Manager::Done() {} Connection* Manager::FindConnection(Val* v) { zeek::detail::ConnKey conn_key(v); - if ( ! conn_key.valid ) + if ( ! conn_key.Valid() ) { + // Produce a loud error for invalid script-layer conn_id records. + const char* extra = ""; + if ( conn_key.transport == UNKNOWN_IP_PROTO ) + extra = ": the proto field has the \"unknown\" 65535 value. Did you forget to set it?"; + + zeek::emit_builtin_error(zeek::util::fmt("invalid connection ID record encountered%s", extra)); return nullptr; + } return FindConnection(conn_key); } diff --git a/src/supervisor/Supervisor.h b/src/supervisor/Supervisor.h index 641618dfde..0224fb3d7b 100644 --- a/src/supervisor/Supervisor.h +++ b/src/supervisor/Supervisor.h 
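Review bot: in `Manager::FindConnection`, the hint about the proto field is emitted only when `conn_key.transport == UNKNOWN_IP_PROTO`, yet the new baseline (testing/btest/Baseline/bifs.lookup_connection/.stderr, the line 51 entries) shows a record with `proto=65535` but unset address fields receiving only the generic "invalid connection ID record encountered", so on that path `conn_key.transport` apparently does not hold `UNKNOWN_IP_PROTO` when an earlier field is missing. Reporting which field failed validation (unset `orig_h`, unset `orig_p`, and so on) would give script authors actionable output in every invalid case, not just the proto one. Also, the include churn (dropping `zeek-config.h`, `Desc.h`, `Event.h`, `analyzer/Manager.h`, `iosource/IOSource.h` and adding `Conn.h`, `Func.h`, `IP.h`, `util.h`) is unrelated to the error reporting and would be easier to review as its own commit or at least its own commit-message line.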
@@ -367,17 +367,6 @@ struct SupervisorStemHandle { * State which defines a Supervised Zeek node's understanding of itself. */ struct SupervisedNode { - /** - * Initialize the Supervised node within the Zeek Cluster Framework. - * This function populates the "Cluster::nodes" script-layer variable - * that otherwise is expected to be populated by a - * "cluster-layout.zeek" script in other context (e.g. ZeekCtl - * generates that cluster layout). - * @return true if the supervised node is using the Cluster Framework - * else false. - */ - bool InitCluster() const; - /** * Initialize the Supervised node. * @param options the Zeek options to extend/modify as appropriate diff --git a/src/threading/SerialTypes.h b/src/threading/SerialTypes.h index 2e7fbb0e37..2346d266b5 100644 --- a/src/threading/SerialTypes.h +++ b/src/threading/SerialTypes.h @@ -126,9 +126,8 @@ struct Field { * those Vals supported). */ struct Value { - TypeTag type; //! The type of the value. - TypeTag subtype; //! Inner type for sets and vectors. - bool present = false; //! False for optional record fields that are not set. + TypeTag type; //! The type of the value. + TypeTag subtype; //! Inner type for sets and vectors. struct set_t { zeek_int_t size; @@ -183,6 +182,8 @@ struct Value { _val() { memset(this, 0, sizeof(_val)); } } val; + bool present = false; //! False for optional record fields that are not set. + /** * Constructor. * diff --git a/src/util.cc b/src/util.cc index edc424fb4a..34691a9f38 100644 --- a/src/util.cc +++ b/src/util.cc @@ -363,9 +363,8 @@ static long int zeek_rand_state = 0; static bool first_seed_saved = false; static unsigned int first_seed = 0; -static void zeek_srandom(unsigned int seed, bool deterministic) { +static void zeek_srandom(unsigned int seed) { zeek_rand_state = seed == 0 ? 1 : seed; - zeek_rand_deterministic = deterministic; srandom(seed); } 
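Review bot: in SerialTypes.h the trailing comments use `//!`, which Doxygen attaches to the next declaration, so `//! The type of the value.` now documents `subtype` and `//! Inner type for sets and vectors.` documents the following struct; use `//!<` (or `///<`) for trailing member docs while these lines are being touched. Moving `present` behind the `val` union also changes the layout of `threading::Value`; since this type crosses the thread boundary into logging and input plugins, mention the ABI implication in the commit message. In util.cc, dropping the `deterministic` parameter from `zeek_srandom` is fine now that `init_random_seed` sets `zeek_rand_deterministic` itself, but note that `zeek_srandom` still calls `srandom(seed)` with the raw value while storing `seed == 0 ? 1 : seed` in `zeek_rand_state`; a comment on why the two differ would help.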
@@ -380,26 +379,28 @@ void seed_random(unsigned int seed) { void init_random_seed(const char* read_file, const char* write_file, bool use_empty_seeds, const std::string& seed_string) { std::array buf = {}; - size_t pos = 0; // accumulates entropy - bool seeds_done = false; uint32_t seed = 0; - if ( read_file ) { - if ( ! read_random_seeds(read_file, &seed, buf) ) - reporter->FatalError("Could not load seeds from file '%s'.", read_file); - else - seeds_done = true; - } - else if ( ! seed_string.empty() ) { - if ( ! fill_random_seeds(seed_string, &seed, buf) ) - reporter->FatalError("Could not load seeds from string"); - else - seeds_done = true; - } - else if ( use_empty_seeds ) - seeds_done = true; + if ( write_file ) + // run in deterministic mode when we write a file + zeek_rand_deterministic = true; + + if ( read_file || use_empty_seeds || ! seed_string.empty() ) { + // if a seed is provided - run Zeek in deterministic mode + zeek_rand_deterministic = true; + + if ( read_file ) { + if ( ! read_random_seeds(read_file, &seed, buf) ) + reporter->FatalError("Could not load seeds from file '%s'.", read_file); + } + else if ( ! seed_string.empty() ) { + if ( ! fill_random_seeds(seed_string, &seed, buf) ) + reporter->FatalError("Could not load seeds from string"); + } + } + else { // no seed provided + size_t pos = 0; // accumulates entropy - if ( ! seeds_done ) { #ifdef HAVE_GETRANDOM // getrandom() guarantees reads up to 256 bytes are always successful, assert(sizeof(buf) < 256); 
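Review bot: `zeek_rand_deterministic` is now set in two places (under `if ( write_file )` and inside the `read_file || use_empty_seeds || ! seed_string.empty()` branch) with two near-identical comments; a single assignment such as `zeek_rand_deterministic = write_file || read_file || use_empty_seeds || ! seed_string.empty();` before the branches states the rule ("any seed source or seed output implies deterministic mode") in one line. The nested `if ( read_file ) ... else if ( ! seed_string.empty() )` also silently ignores a seed string when a read file is given; since both are explicit user requests, a `reporter->Warning` or `FatalError` on the conflict would be better than quietly preferring the file. Finally, the `use_empty_seeds` case leaves `seed` at 0 and `buf` zeroed, which `zeek_srandom` maps to state 1; a comment saying this is intended would save the next reader a trip through the code.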
@@ -437,17 +438,13 @@ void init_random_seed(const char* read_file, const char* write_file, bool use_em reporter->FatalError("Could not read enough random data. Wanted %d, got %zu", zeek::detail::KeyedHash::SEED_INIT_SIZE, pos); - if ( ! seed ) { - for ( size_t i = 0; i < pos; ++i ) { - seed ^= buf[i]; - seed = (seed << 1) | (seed >> 31); - } + for ( size_t i = 0; i < pos; ++i ) { + seed ^= buf[i]; + seed = (seed << 1) | (seed >> 31); } - else - seeds_done = true; } - zeek_srandom(seed, seeds_done); + zeek_srandom(seed); if ( ! first_seed_saved ) { first_seed = seed; diff --git a/testing/btest/Baseline.zam/bifs.lookup_connection/.stderr b/testing/btest/Baseline.zam/bifs.lookup_connection/.stderr new file mode 100644 index 0000000000..a3d89ea788 --- /dev/null +++ b/testing/btest/Baseline.zam/bifs.lookup_connection/.stderr @@ -0,0 +1,7 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +1362692526.869344 error: invalid connection ID record encountered: the proto field has the "unknown" 65535 value. Did you forget to set it? +1362692526.869344 error in : connection ID not a known connection ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=65535]) +1362692526.869344 error: invalid connection ID record encountered: the proto field has the "unknown" 65535 value. Did you forget to set it? +1362692526.869344 error: invalid connection ID record encountered +1362692526.869344 error in : connection ID not a known connection ([orig_h=, orig_p=, resp_h=, resp_p=, proto=65535]) +1362692526.869344 error: invalid connection ID record encountered diff --git a/testing/btest/Baseline.zam/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut b/testing/btest/Baseline.zam/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut new file mode 100644 index 0000000000..f95a354194 --- /dev/null 
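Review bot: removing the `if ( ! seed )` guard around the fold loop is correct, since `seed` is always 0 on the entropy path and the old `else seeds_done = true` could never run; the rotate `(seed << 1) | (seed >> 31)` assumes a 32-bit `seed`, which holds for the `uint32_t` declared above. In the new ZAM baseline (Baseline.zam/bifs.lookup_connection/.stderr) the location is empty (`error in : connection ID not a known connection`) while the interpreter baseline carries `lookup_connection.zeek, line 19`; if ZAM cannot supply a location for `emit_builtin_error`, that gap deserves a note in the commit message rather than being accepted silently via `btest -U`.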
+++ b/testing/btest/Baseline.zam/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid history service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline.zam/scripts.base.protocols.quic.analyzer-confirmations/out b/testing/btest/Baseline.zam/scripts.base.protocols.quic.analyzer-confirmations/out new file mode 100644 index 0000000000..594e75d111 --- /dev/null +++ b/testing/btest/Baseline.zam/scripts.base.protocols.quic.analyzer-confirmations/out @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, AllAnalyzers::ANALYZER_ANALYZER_QUIC +analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, AllAnalyzers::ANALYZER_ANALYZER_SSL diff --git a/testing/btest/Baseline/bifs.lookup_connection/.stderr b/testing/btest/Baseline/bifs.lookup_connection/.stderr new file mode 100644 index 0000000000..0b20847532 --- /dev/null +++ b/testing/btest/Baseline/bifs.lookup_connection/.stderr 
@@ -0,0 +1,7 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +1362692526.869344 error in <...>/lookup_connection.zeek, line 19: invalid connection ID record encountered: the proto field has the "unknown" 65535 value. Did you forget to set it? (lookup_connection(cid)) +1362692526.869344 error in <...>/lookup_connection.zeek, line 19: connection ID not a known connection (lookup_connection(cid) and [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=65535]) +1362692526.869344 error in <...>/lookup_connection.zeek, line 41: invalid connection ID record encountered: the proto field has the "unknown" 65535 value. Did you forget to set it? (connection_exists(my_id)) +1362692526.869344 error in <...>/lookup_connection.zeek, line 51: invalid connection ID record encountered (lookup_connection(my_id)) +1362692526.869344 error in <...>/lookup_connection.zeek, line 51: connection ID not a known connection (lookup_connection(my_id) and [orig_h=, orig_p=, resp_h=, resp_p=, proto=65535]) +1362692526.869344 error in <...>/lookup_connection.zeek, line 57: invalid connection ID record encountered (connection_exists(my_id)) diff --git a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0 b/testing/btest/Baseline/bifs.x509_verify/out similarity index 100% rename from testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0 rename to testing/btest/Baseline/bifs.x509_verify/out diff --git a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 deleted file mode 100644 index 35d46a3393..0000000000 --- a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 +++ /dev/null 
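Review bot: the x509_verify baseline change looks inverted relative to the stated goal of dropping the OpenSSL 1.0 hack: the hunk renames `stdout-openssl-1.0` to `out` (100% similarity) and deletes `stdout-openssl-1.1`. If the two files were byte-identical this is harmless, but if they differed the surviving `out` now carries the 1.0 expectations; the deleted 1.1 content is visible further down in the diff, so compare it against the kept file and confirm the right baseline survived.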
@@ -1,8 +0,0 @@ -### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -Validation result: certificate has expired -Validation result: ok -Resulting chain: -Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP -Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US -Fingerprint: 32f30882622b87cf8856c63db873df0853b4dd27, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US -Fingerprint: 742c3192e607e424eb4549542be1bbc53e6174e2, Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US diff --git a/testing/btest/Baseline/core.save-load-seeds/load.conn.log.cut b/testing/btest/Baseline/core.save-load-seeds/load.conn.log.cut new file mode 100644 index 0000000000..4d75476d4e --- /dev/null +++ b/testing/btest/Baseline/core.save-load-seeds/load.conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid history service +CHhAvVGS1DHFjwGM9 ShADadFf http diff --git a/testing/btest/Baseline/core.save-load-seeds/save.conn.log.cut b/testing/btest/Baseline/core.save-load-seeds/save.conn.log.cut new file mode 100644 index 0000000000..4d75476d4e --- /dev/null +++ b/testing/btest/Baseline/core.save-load-seeds/save.conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid history service +CHhAvVGS1DHFjwGM9 ShADadFf http 
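Review bot: `save.conn.log.cut` and `load.conn.log.cut` are byte-identical (both blob 4d75476d4e); that equality is the actual property the core.save-load-seeds test should establish, so consider having the test diff the load run's output against the save run's output directly, with one baseline plus an explicit equality check, so that a future divergence fails loudly instead of requiring both baselines to be updated in lockstep.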
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index ad6adb5cb9..e850f78e20 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -23,9 +23,9 @@ scripts/base/init-bare.zeek build/scripts/base/bif/mmdb.bif.zeek build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek - build/scripts/base/bif/event.bif.zeek build/scripts/base/bif/telemetry_functions.bif.zeek build/scripts/base/bif/telemetry_types.bif.zeek + build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek scripts/base/packet-protocols/main.zeek scripts/base/frameworks/analyzer/main.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index a7ed97effa..8c5022c70d 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -23,9 +23,9 @@ scripts/base/init-bare.zeek build/scripts/base/bif/mmdb.bif.zeek build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek - build/scripts/base/bif/event.bif.zeek build/scripts/base/bif/telemetry_functions.bif.zeek build/scripts/base/bif/telemetry_types.bif.zeek + build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek scripts/base/packet-protocols/main.zeek scripts/base/frameworks/analyzer/main.zeek diff --git a/testing/btest/Baseline/language.type-expr/.stdout b/testing/btest/Baseline/language.type-expr/.stdout new file mode 100644 index 0000000000..893a7b5d8f --- /dev/null 
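Review bot: both canonified_loaded_scripts.log baselines move `build/scripts/base/bif/event.bif.zeek` below the telemetry bifs, but nothing in this diff changes a `@load` or the bif generation order, so the cause of the reordering is not visible here; the commit message should name the change that altered the load order so this baseline churn is explainable.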
+++ b/testing/btest/Baseline/language.type-expr/.stdout @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +[v=aoeu, valid=T] +type diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.enc_part/output b/testing/btest/Baseline/scripts.base.protocols.krb.enc_part/output new file mode 100644 index 0000000000..1bbf55f113 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.krb.enc_part/output 
@@ -0,0 +1,102 @@ +as_response, CHhAvVGS1DHFjwGM9 +[kvno=, cipher=18, ciphertext=\xc0\xe9\xbc\x01\x95\x9d\x9e\x9f\x9f\xeeY\x93O\xb4\xf1-W\xfb\x18\x90\xbb\x0d\x86\xa8\xd3\xc3\xc8\x8f\xfa\x8a\x95:\xbd\x0a\x0a\x0c\x1e<\xf3gb\xe8\xaf\x14\xc6O\xca\x04%L\x93+\xa0C&\xcb\xc9\xe7\xe0\x13c\xb6\xee\xa0\xbf\xc1\x14]\x03+\x04\xdc\x13"\x99O\xbb\xce\xf4`\x18oS\x96\x08\x19\xa0\xd3\x7f\x05\x07\xe4\x9a6\xa4K\x8ae]\xc7\x02,k\xabv\x07A$v\x81\xba\x83?\x07\xaa\x0a\x85\x89a[\x89+\xbe\xf7\xe5d&Z\x9c\x87\xee=a\xef\xe4\x18\x1fp\x95\x0f=K\xa2&\xb3s5\xc1\xefTx\x9b\xc8\xf3\x82G\x92\xa6\xa9\x8a\xb6\xc2E\xaf\xe8\xad\xec\x16\x10,\xd5\xb6\xf5\xc4\x84\xfc\xf5\xb21\x13\xb3\x06\xf8/\xf7sY\xf5T.Ou\xcf\xf2*2\xb6<\x1d`Y\xe3\xd8\x88iLA\x07!(@.}}\xe9 ;\x90\xd3\xe0\xd2\xeb&\x02\xaa\xc9\xd3\xcd\xe6ba\x0d|-\xdf\x88\xf3\xd3\xb9\xe4S\xd4\xd7\x04\xbc\x96p\x17YS\x15-\xf9\xc8\x9b\xfd\x00<\xc1C] +as_response, ClEkJM2Vm5giqnMf4h +[kvno=, cipher=18, ciphertext=~\xcd4\xbf\xed\xa8\xff\xc4X\x04\x8b\x0e\x7f\xe4I0O\x93\xc3\x95\xc3rN`\xb2\xfb(\xaa\xbda\xc7\xef!\xcf]y\x8a\xcd\xa9k[#\xe8\xec=W&\xe6V+\xea\xbb\xa5=\xaa\xd6\xc6\xe5\x9e\xeb;\x04_\x81\xbeE=P\x1fs\xee4\xe8,\xa0\xda<\xc9\x84K\x0c\xb0sl\xbdw@\x83\x0cL^]%\xc71\xc6\xf8\xe3\x043i\xf1W9\xcb\xd8\x03\x8a\xc9\xd8 \xb0\x1b\xb4\xac\xe9RB\x83\\xc7\xe7r]\xd4\x90\xe3\xf0\xcf}\xae*\xa1\xaa1\xc9i\xf5L\xe7\xc9\xdbR\x00\xa3Y\xc0\x84\x83\x93r\xa6>\x09\xd88\xbc\x98\xbb\xe6\x07\xfb\xcb\xf0\xc7\x9f\xf5\x89\x04\x8c5(\x0ej\xd9\xbf\xdb\xee\x07:yi\xfcm\x1a\x19\xba$\xf3\xd4\x99\x9d\xcb\x95`|\xb8\xf2l\xa0ma\xab\x83\xd9W\xbf\xe1\xa9u\xdd\xd0#\xf4\xb9\x94w, cipher=18, 
ciphertext=\x96\x8b\x97q\x0a\xb4\x0ct\xe7t\xad~\xcc\x86/\xd2g\x83\xbc[\x1ft\xf2|\xd1[=\x1f\\xaf\xe2\xea\xb0\x07\x82\xe7&\xd8%X\x9a\x9a\xa7\x86\xe9\xc1GF\xe1\x9a\x09e\x0b\xfeg\x8eR*\x8e\xf2\x8d\xfcr\x17\xf0\x9bq\xf4\xd9\xd1\xd4\xaf\x93}\xbbM\x8bA&+'\xab%C\x96UJS\xc3d\xc6{r\xcf\xa6\x9a\xee?J\xcc'\xacm]\xa0\xc4^R\x0a\xff\xea"1FV\xfd\xd4\x06\xf5\xd0v\xd4b\xd5M\xa7A\x88\x06;\xc5\xd5g\x8c\xe1WL\xfb\xa3\x8c\x0a\xef\xd0i\xea@\xb2R\xb2,\x1d\xee\xa3\xfb\x89\x8dR\x8f\xa5\xbd*\x07N\x93K \H\xfe\xbb\xf6\x09\xb0\xe5\x9b\xb8\x17\x88\xda\x8d\xa7\xce=\xc4\xa0\xc6t5\xe4W5\x07D\xdf\x92-\xefmD\xcc_L7\xbe Wh\x92\x09\x8f\xfb;\xeb\x98\x17\xcf>e\x16\x8er\xf5[\x88\xee;Z)\x03\xbcP\xbe\x96&:"E\xd0^\x16\x00dqA\xc6\xaf\xbd\xbb5\x14\x85QXf\xc3\x16~\xa7\xae\xf3] +as_response, CtPZjS20MLrsMUOJi2 +[kvno=, cipher=18, ciphertext=\xf5\xd6\xd2\x9f\x82\xdd\x17\xceve) 5@k\x8eE\x91\xad\xf2m\xc7\xea\xc2\xf3\x0f]\xcf\x9c\xbc\\x1flwp=\xe8\xa4\xc5\xb8\xad\xb9\xf8\x9b\x04\xa3\x15\x82\xd1\x9b\xc1\xa8!\x1c5\xb2\x06zX\x05\xfa\xfe,\x0a\x07\xa5vx\x15\x0f\x10\x80\x01\xee\xb8$\xd5\xc9/~\xae\xbd\xc5\x89\xc2\x86\x9e\x056\xc4\x13+W\xb0i\x14\xde\xba\x07\x1c\xea\xc9\xa7\xc6[}>\xdcSt\xbf\xc0s\x81a\x1d\xa1\x1b'\x18)\xdeb\x11A<\x90\x15\x00fX\x0c(J\x00W\xc8\xc3?\x86\xc7\x99\x98\xb8j\xbe\xe9K\xc6k_G\xc7\x1e\xe8Y\xceX"] +as_response, CUM0KZ3MLUfNB0cl11 +[kvno=, cipher=18, ciphertext=C\x9fo\x95\xcb\x86`v\xc2\x83RVF4{\x9fb\xc1O\xe4\xdc%\xac\xef(Q9%\xa6\x01\x1e9I\x90U\x02\xc2\x90!6\xeb(c\xef\x02b\xe2\xb1\xac\x97\xb8n#R\xdd~\xbe\x1d\xb7\x95\xf3\xe6)\x9d\xc0]m\xc4]\xc3\xa3\x8f\xd2\x16/;\xaf\x16\x80\xf3\x16\x0c^\xb1\xa4\xf8\x1a\xc2\xc3\x0f\xad\xc7\x08><5SL\xf1+q\xa2\x1f, cipher=18, 
ciphertext=\xdekoJ\x96\xfb\x83\xac\x11\xbd\x0bn\xdb'\xc6\x11N,\xbcp\xac\x00=\xc1\xa0\xfb\xa4`\xf7uY>w\xac\xa3\xfa\x0f\x1f\x99\x937z\xd5\x08\xa8\x0c\x8d\x08\x06\x88Gv\x97W66\x1e\x82Y\xea\x1a\x07\xa3\xae/i\x97L\xb37H\x9b\xcc\x88\xeag\xd5\x8cm+\x9b\xe0=R#\xc2\x955\x99\xbc\x01\xfd\x89\x09\x13\x110"]\x7f\x0dO\xe0\x7f\\x00\xb7\xb1\x0e\x0b\xb4\xb1\xfe\x08\xe0\xacQ\x8ch\xee\xbb\xba\xe6\xc2\x0c\xe4\x87F\x00\x88{\x1a}\x1cp#m\xfa\x07(\xa7\xd7\x9b\xeb\xb4M\x01\xb8K\?\xfe\x81\x10%\xdc%\x0b\xc8.~\x86xT\x9d\x14\xa5p\xa6m?\x1c\x85\xbfj;\x96\xddaN\x99\x13\xc1\xb2;\xb6\xb6\x87h\x89\x10\x0b\xfa8\xcf\x92\x88\x9e\x15_y\xc0\x82g\xe5e\xaa\xec|-a\x07l\xa7G\xe2k2\x80\xbc\xees\x10u\xe2\xc9\xa4\xc4\xc1D,\xa2\xa4\x9cD\x1d6\xf4] +as_response, CP5puj4I8PtEU4qzYg +[kvno=, cipher=18, ciphertext=p\xb5\x91?~!\x80@\xe5\x8e\x00D$}\x90M\x17\xf0#A\xbfG\xad\xe0\xe9&xK5\xdf\xe1\xee\x08\xf7\xbb\x82\xa2\x0aw{\x15\xdd\x9d\x8dC\x7f\x8fvp %\xb2\x17"\x87\x1a\x89\x91j\xe9\x8a\x12\x1b\xf0\x8eM\xc8\x1a\xc1\x8c\xcb\xc5aC\x1d.\xae\x99\x8f\x9e\xe1\x8fN\\xac\x0f\x1atzU\x1f\x9a\x0f.\xd9\x18\x1f\x8d\x83PBJ}\xd6u\xe1\x13a\x89\x7f\xab\xa9\xdb\x0c\xd6%\x9e\x06\x90"\xd2R\xecLS\xda\x99g\x1c\x95t\xc7\xc8W\xa0\xd4\x8d;\x16X\x93\x1a;\xd3\x93\xbaGe\x99\x80\xca\xd6\x0d\x0d\xbd\xdc"\x0c\xf9[\x15\xf8\Q\xec*m\xf8]\xbdl\xc0\x9fQ\xa8\xf5z\x00\xe0l+\xe5\xa5\xb5xy\xf8+\xe0\xc3t\xda\xdc\xf1{\xd8\xd1T\xee\xbe\xe3\x07`\x84\xf8\xfcoxU=]\x1dXl<\xd0iAz\xb3iY\xbe\x97u\xef\xeb\x8d\x00\xd4\x9a\xf8<'\xec\x05P\xbd\x92P\xd3\xa4\xb4\x91\xdc\x0e\xc3\x82h\xe3(\xac\xa8\xddC2 @\xe2<\xaf\x05\xc5\x13\xfd>X\x99#\x00m\x9c% B<\x09(\xfd] +as_response, C37jN32gN3y3AZzyf6 +[kvno=, cipher=18, ciphertext=n\xa4\xfc\x84\x1aG=C\xd2\xef\xd6j\xc2\x05v., cipher=18, 
ciphertext=i0\xcb\xf6\xaf4\xc0\x95\xe7y\xf6Ry/\xff\xf1GLu%\xea\x17?\x06\xa8\xadU\xb0\xc5\x16\xee\x9b\xd7\xfd\xabRy=\xaf\xb2\x85\xcdLx\x8d\x0a\x01#T'\x1bF\xc0\x04\xae\xba\xcf[:lN\x0eII\xd3N\x18C\x1a\xd6\xb3[\xcc\xdeU\x8c\xae#\xa3J}\xe8\x0b>\x82O\xa9\x17\x8bE\xcb\x95\xbd\xe2\x8d\x91~\xf5\x06\xe8\xd6\xf2\x00v\xfb%P\xbb4\x0ao\x1a\x87\x86F\x9f\xb5\x8c\x9f=M\x04\x81>\xa7\x97\xe2\xe9\x85\x89\x13\xaeA\xf1Od\x9cT\xca\xe8'\xdd\xe0P\x8c\xcbaG\x00W%i\xa9\xb3\x06\xd9\xca4Bz#tN&\xf5\xb0\xa7\xdb3H\x0f\xa0\x9d\x15;\xc1\xe6\xe0\xaa\xeb1\xfdv?\x8c$\x97\xd0kC\x15\x83\xfc\xe9d\xcb\x1eK\xa1x\x17\xdb\x96\xccb\x93\x94T0\x09Y\x83p\xbe\xd9C\xa2\xe0\xc9\x94\xb7\xcbA\x87\xeb\x14\x04\xf9\xd8\x8cn=\xfd\x14E\x9b\x8d\xa7hy\xb4\xd5\x94\x89\x04\xcdaG\xa6\xe2\x9e\xa7MBSC\x88Ay\xd7>[L\x99~\xdc\x06\xbf\xbe@\x84\xd0WM\x19 \xfa\x9a)] +as_response, CwjjYJ2WqgTbAqiHl6 +[kvno=, cipher=18, ciphertext=\x9d\x8d\xa1\xbf\xda\xa6\xd7%\x9d\xfaVM=\x9b\x0c\xce\x14z\x90e\xdc\xfe\x8e\x1f\xab\xb0\x95<\x0a'\xac\xfd\xfa\x13\xcc7U&\xc3L\xdb\x1ez}\xec<\xc2_\xc9\xc5"\xda\xc8w<\xdf\xa2f1\xf7\x8a\xd4\x19\xd7\xee\x922\xfe\x89\x93\xc4\x80\x11\xe93\xb2\x1b\xf2 \xb8\xa5\x9db\xe9]\xc1X\xde>\x838\xfb,\x05T\xe4o\xa3\x9a\x85K\xf7\x93\x93\xaf\xd2\x7fc,\xe6\xa4x\x86X\xd8\x02\n\xc5\x81\x13i\x81{\x04\x84\x84\xbdR\x80\xea\x13.uw\xd2Ac\xbaL\xce*\x90\xfb\x7f\xae2\x8b\x0e\xfbU\xc6n]a\x9c\xea\x1f\xf8\xfb\x124f, cipher=18, 
ciphertext=\x90\x89\x96\xb7\xd2\x92N\xc5\xa5y\x8a\x0bq\x0e\x80\xbe\xed\xdbv\xefG\x8bt5uCP\xa4\x1a\xa5\xc6\xe1R\xae\xd4\x94\xfcg0\x01K\xc6\xd5\xcbI\xe1\xda\xc3\xdcX,\xe7\xb7\x8e\xe16N\x9d\xbf\x89\x8258,\xd0\x94h4\xd6\xa6\x8c\xcc\xd5\x00F\x1a\xc1\x14e:\xd4c\x09-_\x92\x86\x01x\xc6y1\x81\xd3\xac\x14\xdc^\x7f\xe6,_a\xe0\xb9\xeaS\xd8\xa1\xe9\xf0>\x8b\xab\xbc\xbf\x9e\xc6\xfd\xc3\x80\xde\x82\xc5\x085nY\x15\xac"\x04\x8f\xf6\xc9\xe5\xceY\x15F[\xa6\x17m\xf9\xb2Ox\xb8\xd5%\x83.\x8c/(\xcb\xb92\x04Ek~\x0dq,\xb8+3X\x0a\x184\x16(r\xc6\xa2H\xc5K\xf4q\xb7\x9e2\xe6\xd9\xad\xcbFL\xab\xb2g\xd4*\xda\x86mz\xfc\xed\xa9\xde\xf5\x80\x91\x9a.\x17\x87\xab\xd2\x7fQ\xd2FJU7HN\xd27\xe9\xe7\x9d. \xc2\xda\xba\x82)\xdb\xbdGJ\xb8\xd8\xe8r\x01\x0d,5\xfb\xb8\x17\x996K\x95lU*\xab"J] +as_response, CFLRIC3zaTU1loLGxh +[kvno=, cipher=18, ciphertext=4Q\xe2\x17\xae\x16\x94\xdd\xa4\xa6\xc226\xd1\x12\xe5\xe3\xca\xd3n\x9e\x0a\xb1B\xd6\x1e\x0b\x05\x95\xf4\x0a\x02(*L\xe2\x93\x09\xaa\xd8\x9e$\xa8\x14\x80\xdc\xaf\xe0,Um\x87\x97r\x92Iz\xfe\xc1\x84\x8b\x8bK\xb7\x0d\x9aRf\x89\xd6]V\x97\x04\xd8o\xcd\xd3\xb62\x08\x02\x15\xe7\xed\xc4\xdaZMRlS*m%\x1a\xbe\x1e\xc8\xdf\x0e\xa2\xdbX- \xcaW(\xe4\xcb\xe0\xaa\x8e\xa5c\xed\x92\xfa\xa6\x91s\x16\xbd\xec\xcfz\x8b\xbeJ|\xd7A\xcc\x84\xf1\x98J\xd20\xd2\x1f\xa3\x8d\xc1\xe8\x08\xaf\xde#\xaamH\xa2{\xd4\xd5\x92 J\x1b\xa5\x92\xd8w\x81y\x1b\xc2\xfc\xec*\x18\xfa\x15\xd1\xa9\xf8S\x19^\xf45#\xb1\x05\xb2\xb0\xd5\x86\xc2\xcbM\x8er{\xb4\x9a\xce\x04n\xf8\x8f\x8e\x17\xb1\x895\x81\xd1\x84\xf0j"\xff\x11\xadO{2G\x16G\x01m-\xf8\xdc\xd3x\xa9\xda\xaa92\xa8\xa2\xb3\xaf\x96\x80J\x82\xcc#a\x96\x17\x8emX\xa4X\x0aA\xadR\xd3S\xc3] +as_response, C9rXSW3KSpTYvPrlI1 +[kvno=, cipher=18, 
ciphertext=JC\x11\x04\x15\xdf\x1cKH\xb4\xf1B\x098G\x8c-\x0f\xc2\xca\x99\xfc\x916c\xc8\xd3\xf0\x0c\xe5\xc7\x8aV?\xcf\xdb\xf66^\x16>p\x81U\x84$)\x0f\xfc#\xcdP\x06\xe7\x16\xa1w;\x8bi\xd6\x09]\x99!\x01d\x81\xf3\xe5n\xf2\x02wAB\x1d\xfe~\xeeW]\x96F"\xbao+\x97U\xa2X\xca\xf5b\xc5\x92R\xd38\xceO\xe2S\xe9\xbc\x17\xa4H\xa4\xdc\xb1\xad%PM9\x8eH\x9c\xb8\xa7,\xfb\xf6JD\xa2`\x1acO\x0b\xb6\x8e\xd1\xb9%\xbf\x0d\xb1Vf\xb7@*p\x15\xa6\xecYO\xbdq\xd4\xc2\x0d3U*\xe40\x0c\xbd\x0d@|B\x0b\xa9\xe39\x8a`\x80\x14"x\xeaA-I\xa3=O\xb2\xa2\xe7\xd8m>\xff\x97\xf4\xbe\x06\xfb\xf1\xeb\\xc1]\xd0\xfe\x9a\x11\xd3V\xb3N\x00\xcfKZM'\xb1\x95\x88t5rb\xd5\x0a5W\xd7\x0b;\x0c\xe8Z\xaf\x93p\x8a\x8c\xa3\x0b9d\xda\xe1\xec\xcc\xa1\x12\xa1>\x0a?\xbc\xce\x94\xa7\x9d.Q\xd0] +as_response, Ck51lg1bScffFj34Ri +[kvno=, cipher=18, ciphertext=\x1a\xcf\xc6\xcfD\xba\x88m,;\xef\x8f\xc7\xb5\xfb[\xc5S\x9c7\xf3.X\xc9nf\xbb\xdbF\xe2\x02p\xfeQ1\x0d\xa6\x9f\xc9,\x87\x1f\x9f\xb1\x04\xb6v\x00\xb9j\xdc\x8d\xf0c_\\x00\xd0\xd5\xd15\x9c\xd3\xe4\xe5\xcc\xcdJ\xdc\xa5\x07]j\x80\xf25T\xdf\x0f\x93\x95\xa5://\x9f\x0b\x0b\xe9Np4\xe9\xeb\xb6\x87\xf4\xa4bl\xb1\xee\xc2\xee\xcd\x09\xe3\xdaCSt\xe3[ VP\x07\xf4\x9b}\x890c\xd5o\x12\xa6 \xba\x84\xbd\xed\x13\x0f\xe0x\xdc5v*\x18\x06@Y\x09gs~\x0d\xc0\x80\x806a\xb7\xce\x96\xce`\x92\xb1\x0c/\xaa\x01\x91\xbc!h\xc2\x81\x8e\x89'DsMD\!\x08Z*\xb8\x023\x9a<\xf9\xfa\x94\x0e\xe6} \xc6\xae\xd6\x95\xe6II\x1c\xbf\xeb\x9fD-\x80A\xfd\xfb\xba\xd0N+\xccJ\xe5Q[\x0a\x9d\xa1g\x1cn\\x01\\xf7\x92\xd9\xcaB\xcdQ\xc9\xcd\x84|\x14\xd686g\xd6\x1fYm\x95\x09\xb0\xa8\x14\xc8\xf2;\xf5\xd3] +as_response, C9mvWx3ezztgzcexV7 +[kvno=, cipher=18, 
ciphertext=\xf0s{[\xee\xeb\xde\xa2i\xdf\xc1\xbc\x7f\xe8\xb6\x8c\x8c|\xf2\xad\xf2Z\xdfE\xb1\xb4\xdc\xf9gT\xb8\x02\x11\xd6\xcb\xedH\x91?=A\xc4\xc4\xfc[\xed<\xd6\x0a\xabrf\x19\x9e\x0c\x83\x91\xeb\xb4\xc78\x8e(\xdd\xdb*\xbb0\x00S\xdfS\xab\x0aJ\xfa\xf2\xd0\xa2\xa7\x8c\xb9\xbb\xf4\xe1\x1f\xe6\xedH\x1d\xc1\x0d\x0c!F\x97\xa5\xedWi\xfc\xb9eC\x84)V\x1a\xb3\xf9@&\x89\xe3\x95R{\xf3\xb7\x83\xba\xf4\xc8\xff[%\xb1\x8e\x03_\xb9d\xefxh5\x02tm`Z\xb2\xc6\x02^wptO\xebb\xfbV\x88\x98\x11o'\xce2\x8d\xa8\xdfK\xf2@w\xcb\xe4\xd3j|zf\xb6.\x92\xe3[\xed\xe5\xb8\xf79\xf2\x0a#P\xb9\xfd\xd098\x84_\xeaGA^\x87d\x0fL!\xf4\x12\x17:'\xce\xc6\xd5\xaciM\xe8\xd7\xf0\x1c\x18_\x8e\xa0t5\x98\x1f3\x83^1E\xda\x91\x0b\xb6\xfd]\x91aEP\xc4\xb2F\x18\x89O"_\xc7\xb0r\x16WY\x82<"lD\x83.\x01\xc9\xc3$c\x00\xbd\x11\x02r\xed;i\x11\x9b\xdb] +as_response, CNnMIj2QSd84NKf7U3 +[kvno=, cipher=18, ciphertext=\xad\xcdst\xea0\xf9\x97\x8c!\xcc\xd5R'q\xe7\xfb\xe3\x9b(\xb4Z\x1b'\xaf\xcc\xf6\xebf\x10\xc0\x1a\x1f\x17\x1b\xf0\x9ebp+\xb3\x16\x95e\x9c\xc6JM\xd5\x1d\xcc-ah\x92s\x9ea(9r\x91;\xe8\xa0\x7fQ\x16\xc4}=\xd1BA<\x8c/\xf6\xd5\x09nb\x8b\xd4.\x96:\x09\x10\x03\x83T\xe9E\x15\x82\xe9"\x9a\x9b\x10)\xd6 \x10\x92>>y\xcf@-\xf3\xce\xaa\xc9e\x89x\x9fTOc\x10\xcd\xd46\x12\xf2\xdf\xd2a\xd1\xd8\xfd\x09n\x8f\xe8\xbd\x18\\xad\x8b\xfe\x9a\xcb\xc5\xc0\x0e\x7f\xbb\xe8\x9a\x02\xdb\x0e\x0eB\x7ff\xa3\xa3w\xba\xe1\xf0\x87B\x9dq\x15\xc6\xbd\xd7\x8d\xa7\xab\xe6\x93\xdb?\xbb\xc6\x1d\x9dk\xdbZ\x18\x83e\xdf\xd3\xdb\xa6\x00\xfc\x81\xb8\x16*"[\xea\xb6x7\xb1\xe1T0]\xc7\xfd\x09\xf1c\x7f\x96Cd\x05\x8f\x833(',\xd6\x12\x0f\x00R\xea\xb5\xd1_\xd8\xb5\x9e\x1f\x14\x05\xdfv\xe7\xca\x07\xb8T\xbe\xcc3\xe1K\x92\x93p\xf3\xc2'qV2\xfc\xed1\xd8s[\xe7q6\x87b\x15\xea ] +as_response, C7fIlMZDuRiqjpYbb +[kvno=, cipher=18, 
ciphertext=\x04\xcf\xe0\x0br_\x00\x14\xe7\x88\x9e\xa5\xc9\x0a\x96\xacA\xf3\xc1\xa9\x8eI\xc4\xb1I\xc2\x88\x1e\x06sF\xdd\xee\xe7\x04r\x97\x1dv\xb9\xac\xf254\xd2{s\x94No\x17m\x0db\xcd>\xc984`\xf0GG\x1d:\xb2Y\xda\xb7Q\xef,\x9f;g7\xbc\x8a\x13\x83\x98$\x02\xda\xe1t5\xb6\xc0u\xfd\x9a1\x15J\x1fL\xf5\xbe\xeci\xf2z\x17\xa9\xcd\x1c*V1\x1c\xbbF\x10\xdes\xc5j\x98\xd0\xe5v\x90W\xdd\x00\xba:m\xedM2]\xa1v\xa4\x95\xae0\xf2\xabG\xbbB\x90Kk\x02><\x09^l9Ppc\xe6+,\xaf0\x85\xee6Yk\xe4j\x88\x06\x16\xb2d\xe1-\xcb\x1d=\x93v\xa7\xa1\xfds\xe7\xce\xa9~P\xb5!I\x91\x0e\xf4A\xc0\x8el"v\x10\x1b\x9c\x00\x12\x0f\x8c\x04\x95\xe5\x0c\xf2\xe64\xd4\xa6\xcb] +as_response, CykQaM33ztNt0csB9a +[kvno=, cipher=18, ciphertext=t\xcd\x0e)p@n%,\xc8\xf6\x9e\xa9\x1f\x83\xd6\xbc\xf6\xc73DM\xb3\xc0\xf7e\xe0\xea\x12\x87\xe7#\xc8\x8e\xd5T+=\x82\x12\x8b^\xb3\x83\x9e\x96\xf8u\x8d[\xf0\xe6\xc7\x80\xf8\x15\x96\x00q\xe4/\xeb\x9d\x84\xe7\xe8\x8b\x17\xd4\x8a\xf7g\xee\xbdz/\x0c2\xbe\xda&KF\x81-B|\xd0f\xce&\xecv\x16c\x9b3\xed\x84#\x01JrS\xf5\x1fD[g5\xee\xbd\x98\xc89\xdb\xd0\xf9\x98\xe2\xd9\xa2\x1d\xed\x10\x0dUX\xffk&\xbf\xb8{\x01\xac\x97\xd5\xab\x813oB\xedt?9|\x9d}%u\xb8y*\xaa2RF\x8c\xdc\x886\xb5\x9b'\x12;+\\x93\x92\xf1\xef\x1eT;\xf0\xee\x03\x04\xf9\xbc\xf8\xc7\x96#34+\xa4L\x16N\xab\x85H\x18\xd4\x01\xac\xc8i\x98\xc9\x1bB\x94\A\xcf\xb0\xcc\xb6\xb3\x10\xc8j?g\x19\xa3\xf0 \x9c\xab\xd0\xb1\xe7\xe6b\x0dh\x8d9\xa8U\xa3n\xfa\xef\x96\xa1\x87dm1\xf2a\xfcL(T\x0a\xba\xfd\xb3\xbfW\xce\x93k\x8a-:\x19)\x84\x06i\x10\x82\x8b8^%\x1c\xd2N] +as_response, CtxTCR2Yer0FR1tIBg +[kvno=, cipher=18, 
ciphertext=\x1b\xe2\xe0/\xb2W\x96\xbeM\xec\xed*\x03\x04(H\xc2k\x95j\xa9\x98\xdf\xaa\xfe\xa3n\xf9\`2A\x12x\xf4\xaez\xb4K\xe7c;\xb7l\xc4\xe5\x1c\xafdo'\xd9\x16\x98\xdb*\x07M\xccw\xa3V*9\xfe\xf0\xfc\x8f\x91\xd7\x94l\xc6\xea\xc2\xfcX\xd4\xa5\xb9\xa5pY\xeb\x83\x9dk8\x02O\xb9ey\x9c0'.n\xb9\xb9c\x96\xf1\xe9&\xbdT`;@-]\x0e2\x80\xces\x09\xf9r1\x81\x0c\x93\x8bz\xb6\x96\x97\xd6\x01\xb3\xd2\xe1\xa08\x0d\xe2qH\xe6!\x11cCp\xc5\xac\x1bB\x1e\xa37\xc7\x08)0\xfa{\x80\xf0\xc5\x8fq\x94\x81\x8c\xd5\x87\x16\x14\x15\x96Z\xab\xe8R\x94T\xcc\xec\x86_\x88X[\x94\xb3\x1d\x1eS\xcaR\x06BI\xb4U\xcb\xef\xd7w\xb9\xcb0\xb8\xf1\t>\xae\xf1\x7f:\x9c\x08\x9e\xb1K\xa4\xb1,_k\x8e\x19\x9f\xb8\x90\x04\x07\x1eN\xb8\xa4\xb4\xe8\xd5\xf8Te\x94\xec\xfa\x9a\xd0\x17:{\x08\xc1\xfb\xd92\xffNX\xca\xb6l] +as_response, CpmdRlaUoJLN3uIRa +[kvno=, cipher=18, ciphertext=\xa8V\x9c\xa8\xd7\xe2\x12W\xbf\x909\xa5\xc8\xa6\x93\x05\x19\xbe\x93\xc0\x90\x0cM\x81%\xaa-\x12\xd2y\xf7\xa77\x99\x05"\x84.\x95\xb8&i+uf\xad.*7b\xa7\xe3\xd5\xdf\xceV\x87w\x00I\xddH\x03\x86)\xb3\x9do\xd4\x05\xda%h\xddL\xac\x99\xa4\xea&\xc52\x15NxnT\xf2\xa5\xe6\xdf3:\x9c1\xba\xcf\x00\x0c\x89\x7f\xa1\xe4\xb7\x9e2I\xbc>\xf2b\xfc.\x9c\xa3\x98\xe5mX\x11S\xc8Na\x9e\xe2S|\x12eb\xd7D\x132\xee\x91W\xc6_\x88\xd4\x92\xe5\xab\xbb\xa2\xa4q!\x86!\x98\xb6\x16\xb7\xa1\x84;\x03n:\,\x93Z\xb9/\x02d^}\x99\x14\xe5\x92)\x89\xe4%\xbdn\x88\x1a\xffRi\xb7\xc3XB\xf8\x89/<\xa8\x9dz/V\xfdC>Y\x8dq\x19n] +as_response, C1Xkzz2MaGtLrc1Tla +[kvno=, cipher=18, 
ciphertext=^y\x8a\x8e\xa2\xc4\x01\x7f\xeer\xe6T\xcc\x98\xf1\x11\xe7\xe9[\xccR\x93\xebB\xe7T\xfc~\xab\x194y\xae\xde\x0c\xf5\x18L^\xe4\xba"'K\x1a07y\xaf\x05\xd5\x96\xed\x10\xe6\xafs[\xeb\xe5Z\x18\xa7\x9e\xd8\x91\x8b\xd2\\xfe_\xee\xc6}#\x87\\x99\x84p\xe4.g\x99}\xc6PZ\xc0\xc3\xcfrZS\xa5\x97'Z\xff\xb8\x1f\xc0`\x0dzJ\x9b%\x09\x88\xca\xf3\xf0\x9967th:z\x82b\xb7Q\xa1\xc5d\x0b\x97|\xe3\xf05\xb8n1\x03\x9f"E\xab_\x94\xd1\x92\xc3\x98Bd]+I3\x051\x18G\xcbV\xbfS/D:\x87\xb1\xd1K\x15\xa67\xe3&O\xff\xc5\xe7\xad\xd5U\xd6A!\xe2<\xb0'\x09\x07\xb0\x1a&\x01\xea\xf6\xb7\xc5H\xbaU\x96Q\xdc\x92\xef\xc7\xa3\x99\xb7\x1a\x9a|\xa2&\xc0K3\xbd\xeca\x13\xe9\x98N\xa5\x18\xc9\xcc\xf0\xd1G\xdc$\x03\xa6\xec\xd7u"\xf4,\xeb\xb5\x03\xcaEj\xb9E\x88\xa4\xc4F\xb0\x04\x13,>\x82*] +as_response, CqlVyW1YwZ15RhTBc4 +[kvno=, cipher=18, ciphertext=\xban\xe1U?s\xdbb\xbb\xc4\xe0`\x18\x7fQ>\xd5.U\x85\x1cq\x16\x92\x8f-#J\x9b\xf4'\x01U7\x9f\x1d\x84\\xeb\xb7\x85\x0b\xb0m\x14\xbeje\xc5\xc7\xd3\xe8\xe8\xae\xa6\x04\x08\x87\x97A\x91\xc7\x85\x1d-\xaah4\x09Z%WW\S\xb8\xcd\x1c\xd2t`&\xd9j;SH\xcd\xe9\xd3\xa5\x81\xb2&\xfc\xda,\xa1\x0f%f\xfc\xc4h\x85\x94h\x86\xbc\xa0\x0dAu\x06I\xa8^\xc8\xdc.})\xb3Pf0\x9e\x8b\x86\x18/Um\x91\x06E\xe2\xe3\x98uTYvE\xb6Gf\xfb\xf3\xf5\xfb\xe4\x11A\xaf\x83e\x0f\xc0Y\xf1e\xe78\x1f\xefuM7~f*\xf83\xbeG\x9b2\xc5\xc72\xd3~\x9f\x96~\xc6H\x19M|m"\x0c\xad\x8b$)K9\xb4@\x9e\xa0\xb7\xabD\x0d\x7fs\xb8\xe5NJC\x07\xc7\xcd\xd8\xef\xa4\xb7\xedb\x99\xab@o|\x06\xa9oN57\xf71-\x1c"y\x8cC\xa7\xf6\x83\xbe\xbf\xb3\xea\x91\xce\xed\x16\xfc\xec6t\x18\xec] +as_response, CLNN1k2QMum1aexUK7 +[kvno=, cipher=18, 
ciphertext=\xd2\xaaJ\xbb\xb2\xce&1h0\xa4\xc3@\xb53\xb3\xba\x0b\xe4\xf4\xb3\xf3\x9a\x0a00\x81\x1b\xff\xcfs`\xb9\x0a\xe8\x1c\xa3\xfb=G\\x18\x07\x88T\xefL\C*\xf2\F\xf9\xef1\xa8@\x0chJ&{q\x92\xa8\xd5\xf7V\xf4=n\xea\x92\x9b\x80\xb9bt\x0d\xdf\xe4Af\xbf\xda\x08\x0b\xdb\x0d\xcdY\xe6\x9e\x09\x13C\xdd_$\xb2&\xcd\x11\xa722fi\xfe\x924\xe0\xe4LK\xab\xff]o\x917\x90H\xed\xca\xf7.r0\xcd\x17\x08\x1e\x1dxB|\x85\xc9\x81\x17\xb7\x05\xcf\xca7\xbd\xb5\xb9r\x95L\xfb\xc73E\x1a:"\x18\xca\xdf\xd3l\xba_\xc9\xeb\xfb\xbc\x7f\x18\xedh-%\xd1Z9\xfbcr\x89\xde\x99\xc8\xcb\xf0\x17\xb6\p\xb8FO\x18\xe7\x97\x19\xea]7\xf1\xd0\xa6Z\x0bk\x85:\xf0\x99m\xef$\xe3\xdb\x8c\xb4\xf3l\x99\xbf\xbb\x92\xaf\x0a7\xd9\x19X\x03+t\x9cD\xcc\x1c\xa5\xa1\x90$\xbaV\x15\x09\xa0\xbd\xe4\x13hZ\xb9&\xb4qh\x8e\xa7^\xdaP!\xfe\xc2\x87\xba\xef\xd9\xcf\xef\x18a\xdcH\xcb\xbd\x09] +as_response, CBA8792iHmnhPLksKa +[kvno=, cipher=18, ciphertext=\xba\xcf\xb1\x14\x9e^#M\x09\xb5\xda\x8a\xd8\x07\xcd\xc4\xe5Kp\xd2!\x19\xc40\xfb\xcf\xbd6^\xc6]\x98\xa1}\xf6D\xa7\x0a\xcb\x07\xbe\xbf\xfe\xa6\xf3\xa3\xe1G\x99\xb9\xaf\xce\xda6)/\xff\xcd=\x99\x86\xb0v\xe0\x9c\xe8\x80\xc9\x1f\xa4\xe0?\xa9\xe3\xb7\xe98\xb8\xd0\x88~1\xe7i1)F}a^uMt\x86m\xa4\x95Ye\xdd\xc0r\x08r\x93\xb3\x0a\xc0\xc6\xd7,\xfct\x90\x8cU\x88W\xd8o\xbe\xe6F\xf0\x16\xff\x81B\x1a|\x8dj\xd1\x0e\x8d\xde,d\x86\xc6\xa7\x86\x9a\x0d-O\xa7H5\xc0\x96\xf5\xebX\x18B\x04\xd5'\xa2\x9b\xd8\xc9q\x1f\x11\xd3\x9dw\x08\xc8\xde\xc57\x0eJg\xac\xe6\xd0\xa0\xaf4s"\xf4\xfc\xc2\x18\x06i\xe3\xea\x91cF\xfe\xc3\xaa\x12\xe7\xf1$V\x1c\xf8\x91\x02\x0c\xbe\x12\x8c\x12\xe8\xd6\x096K\x86\xee\x8b5\xc2>EY\x9b\xec\xb6\xee\x91\xb8)VZ3N#K\xa7\x15\xb3Z.X\x87\xb1\xe4\xb3\x87\xed\x0c\xc8\x82g\xbc\x15\xc6\x94\x12\xa9A\xd4\xd4\xfd\xc6kB\x0f\xe1\xeaR\x9bN7\x07\x14\xbfR] +as_response, CGLPPc35OzDQij1XX8 +[kvno=, cipher=18, 
ciphertext=\xaf\xcd\xcb\xe7L\x0d\x02\xcf\xfc\x0f\xbeCz\xb5\xf1\xb4\x14\xb0m\x87\x82].\x04+\x03\xa1n\x0ap\xd4*\x01\x8bn!B\x98\x7f\xa2\xe8i\xcd\x15S\xa8\xa2\x80\xf8%j\xfeMs\x9agcG\xd4\xaf\x06h\x8d\xf5\x02\xff\xe0\x8aS\xd3\xbe\x9c5\xb5\x90\xc9\xbc=@\xce\xe3p\x13\xca:b\x0a+\x98\x0c<\xb1\x09O\x9cr\x8e\xb3\xff\x0c\x1d\xed\x86w$\xe7"\x9e\xb2\xd5N\x80i\xd8\x0b\xe0\xbb\\x92\x07\xf8\x84\xfb\xaf\xf1\xc3\xc1\x95\x18\x0f\x9d\xe7(\xae\x98$\xca\x03\xfao\x9b\xc133\x07\xb7\x8e#\xd7d\xc2\xfb\x86\x0d\x02\x1c\xe8\x0f\xd8/\xd6\xd6\x00P\x1c\x0c\xea\x82\xa0\xc8\xee\x0f\xca<\x18\xe9\xc5\x19\x80zGb\xc07\xe9\x86\xe6f\xde\x18\x94\xc5\xe4R\x16\xce\x10#\x87\x0c\xd3\xad\x8e\xfc^\x9d\xc1\xb72\xffKx\xbd\x1a\x15\xa0\xa7\xd7u\x85\xbc\x7f\xd9\xf8\xe3\xe7%\xc0)\xf53\x9eN\x1d\x06~\x18\x91\xf9\xb9\xd7\xd4\x85\x8b\x08\x03\x89j1\xc8\x82\x86\xbb\xda,\xd1\xd1\x86\xec\xec\xca\x80\x91\x14\x0a\x83\xe6\xf2\x9c\xba\x8f\x17\x1f;+\xf49\x01\xdf] +as_response, CiyBAq1bBLNaTiTAc +[kvno=, cipher=18, ciphertext=\xe7\xba`\xfa\x0b\x1e\xc9\xfa\xf3~\xe4\xdf\xf9\x1fq\xdb\xd4\x06\xa1\xe7\xae\x15\x86\x05\x95\xef\x97\\xa9\xed`\xb4}\x0a\x05\xdf \x9c\xe2\x7f^\x09\xe4\x08J\x82\xa6\xfd\xc7\xdeS\xa9\x87\x02\xda\xd4GW5 0\x02\xc1\xe5\xf2-+2A\xa9\xb9\xb0\x08\xfc_ \x1e\xe7\xa2\x98\x18D\x05@i\xd3\x19\xa9\x83q^\xe8\xa4\xa5wq@38\x02\xa8\xcd\x8f\xfak\x0bs\xa4\x9e_\x08\xd0\xdf\x8c\xd1\x080\xa1\xe9\xcdIXQ\xf1\xa8=\x18<)\xe5\xc9\xb1hh\x905\xd0\x86\xbf\xd3o\xbe\xc1\xc9'F\xb7\x14\x90V\xf6\x15\xd4T\x07\x19\x97\x85v\xae|\x1b#\xfa\x09L-k\xcc\xd6\xda\xd0[\xd9x\xb0Ai\xa0\x90\xce\xafWB\x0f\xafO\x9b\xa3\x9d\xf7\xad\x02] +as_response, CFSwNi4CNGxcuffo49 +[kvno=, cipher=18, ciphertext=\xf1\xe7\xf5\x9c>\xdeQ%\xfb\x8b\xee +9\x81\xc0\x9d%:KUf\x02\x94\x04\xa9\xa3\x19\x89\x8f\xa0\xbb\x95\xaa\xd5\xef3\x19f\x9e\x1c8GI\xf6\xe6w\xe6\xcb\xf7\xcb\xc9\x97\xa1\xd7\{\x19\x1em\x91\2\xfcF\x85\x13\xbdB\xd3\xec\xff\xddf\xd8\xa7\xe1\xda\x98W\xe6Q\x9d\xdfU\xba\xad\xb4\xfan\xb50\xceYK\xd2q\xc2\xc8 \x15\xa6 
\x8a\xfe\xc0~\xa40\xceM|\xf3\x1d9sVoj`\xfdXTrI\xf8G\x0a\xc5\x14\x0e\x04\x92\x07I.J\x1a\xaa\xbfx\xa1\xfb2\xc0\x9ftT\xaes\xc9q\xa2\x08y\xe3\x158\xc4\x07D\xd6\x986\x1b\xdaE\x88_\x95\x8b\x91\x0a\x15Y]\x803\xeaQ\xdcP\xde\xf5\x0c\xe2\xd5 \xf5\x83\x04\xebd\xd5\x94\xc2\xb4E\xa9Czf\xfa\xd1\xac\xfb\xdd\xf9\xfe\xad\xb0\x04g\x96R\xc7\xc8\xf0\x03N\xf6\xe7\x97Z\xcf\x8f\xf6\x11\xff-{\xf1N] +as_response, Cipfzj1BEnhejw8cGf +[kvno=, cipher=18, ciphertext=\xa7\x18\xe0\xa5\x96\xce\xf7\xa2m!\x9cN5\xcf\xff\xd3\xbd'DT\x19\xa8\x91#}\xc1\x15\x09\x98\xe7\x92\i?\x85/\x05\xa7\x80\xa1|\x94w\xc2\xb36*\x04\xac\xd9#[\xdd\xb1\x1cqC=\xd5>Z\xb5\x93\xb8]z`\xd6\xd4 \x1bBz\x07o2,\x86\xfb\xd6\xa9\xc6whB\xed\"\xcf\xcd\x87\xc0\x15\x13\x81-L\xe3\xd4N\#\xa1\xee\xd58)\x1fN\xc6\x0b\x93\x07o\x8f\xd8\xb3\xe2\x08\xc6U}\xec\xc2\x1bG\xf7Z\xb9\x05\xf6\x07\\xd6\x0b[\xcf\xe9,I4\x95>4&`N%a\x97\x8b\xfc4\x906C?\xd69\xa4\xc7\xf7\xa6/\xd21t\xaek\xe5z\xa1c\xa8\x126\xc2\x09 \x0e\xebf\xb4$\x98Q\x13U\xeb1\x02e\x8e\x830\xc9s\xd3\x97\x9c\xde b\x06\x95v{\xe6{\xe6x\xbeL\xb6\x04Nk\x1cG\x85\xe3m\xb5\xcdh[#\x05\xf4\xd8\xdf\x0a\xb1\x06D\xf1\xfe\xd6\x9a\xcd\xab\xb1\xbbw\x9a\xf3$\xc9_\xc2\xee{\xc5,\xd7\xc3\x00\xd6\xcfU] +as_response, CV5WJ42jPYbNW9JNWf +[kvno=, cipher=18, ciphertext=\xa2B\x840\xcc\x83\xc93RM|\xa4\x9f\xbe\xe2\xf1\x0a\x99\xd4k0\xbe\xcb\x09\x86lW\xf4\xfd\xf00"\xf5\xbf\x8bE\xf7\x9a6H\x10\x08\x93\xd5\x9f\xd3\xbf\x0b\xe1w\x047\xe0\xb2G<\x84\x0a\xca\xd0\xd9f\xfc\x8d:)\x8b\xd2R\xda\xbe\xbd\xd1\x95H\xa9\xfd\x96C\xbb\xa6\xe5I?\x8a\xc0\xbb\xcc=>\x1b\x16R\x85\x87R\xa3\xfbV\xb66\xda\x18\xc4\x85B\x06:hLA\xcdE\xb2\xbd\xa6\x99\xa8Dy\xfb\x0c&\x84\xca\xc4\\xa1\x03\xae\xce\xa20u\x95\xd10\xb8\x16\xcd\xa2c\xb3\xb8\xfb\xec\xa5\xfc\x938\xc4\x93\x9b\xe9\x86\xa1\xd5\xc0\x19`\x85\xe7\xb2v(\xffr\xea\xf4\xa1\x98\x08\xea\x95@\xbb\xf7\xe5\x94~\x0c\xc2t\x8a\x83\xbe\x80\xbe\xf9\x9a\xf7\xf8\xad\x13h\x8bhxs\xee\xaf\xb8S\xe0\xd4\xbcF!\x9co\x0eF32\x90\x91a.0d\xa8\x9dF\xe4\xdbTQ\xc6W\xad\xad\x98\x16\x87 
B\xa4\x1ay\xfb\xb7o\xbfJ\x854\x12W\x03\x16\xad=`\x14\xe9\x92\x08U\xf88] +as_response, CPhDKt12KQPUVbQz06 +[kvno=, cipher=18, ciphertext=\xd3(RO-0@wH\xe8c\xd63\xc3\x92\xb5\xf6!\x04\xd3d\xca@\xc5e\xd8\xe4\xfb\xb2\xddo\x18\xb7\x89\x88+\x01\xb9\x8d>%q+2\x80\xd6O\xe8_\x9b\xf9X\xbb\xab\x16|\xbe\xbb\xd1\xa0\xeb\xc5\xdb\xcd\x97\xcb\xd9\x9d\xa6b\xa4\xeb\xe5\x04\xef\xa9\x1b\x9dIL\xa3\x04\xe5m\x1d\x00\xcd}i\x07\xf1\x9eI\x8ea\x1d\xad\xa2\xa7a\xfcA\xb8\xe9\xff\x95\xa1\xcdj\xc9\xcf\xff~\xf01Q\xdcFqJ\xdb\x05\x93"7\x99#\xe6\xaa\x81\xce\x0d\x1c7G{\xebq\xe5\x88\xf0\xeaU\xe65\x8d*\xf8h\xda\xc0\xc4\xf2\x0d2\xd0\xdbe\xae\xc3\xbd+\x9d\x08^Z\xba\x1f\xa2\xeao\xd0\xbbU\x85Bd\xf9v\x93^HGD[\x050?\xd2\xaa\xf0\x0a#}\xb0y\xb4\xcf\xe3l\xc9\x7f&\xe5\x8bS\xe1\xae\x1f><\xaa\xc0\xebV(V1\x1b\xf0\xac\xa3\xa1\xc9{\xd5\xeaqPBi_^\xaf\x96\xeefJ\xd7\x06Bx\xba\x01\xff@AGG\x9dA\x84o\xf0\x1f\x0d\x07\x0f\x93q] +as_response, CAnFrb2Cvxr5T7quOc +[kvno=, cipher=18, ciphertext=\xd0\xb1\xde\xed\xdc-\xbf\x91\xa7E\xd9\x15S\xdd\x1e\x9d\xad#@q\xed\xf1\x93\xd6\xb8S1\xdc\xbb\xeb,\x93Y,P\xed\x93Z\xa8\x8e\xc9\x84mqu\xb5\xce\xcc1~\xc7\xd5\xc2u\x1co\x03b\xa5-\xac\xa4\xf8\x94M\xc3\xe2Hw\x91\xd1\x0e.\xf0\x94\xfc^N\xba/\xf1k\x16\x1e4\xd5\x1f@\xdd\x18\xceg\xcev\xa0o\x10\xbc\x1e82\xbf\xd1[\xcd\xaa\x14^z\xbd\xbbz\xa41\xf4\xfb\xb4m6\xbb\x17\xb1\xe1\xcf\xa2\xfe\x19Q?\x8e\xe0\xcb\x8b\x91Ks(\xba\x0e\x83\xf5\xaa\x9c\xa4\x8dv{\xc3G\x06f\xa40E\x1d\x0f\xac\x8a8\x17\xa5s\xddA\x9f\x03#\xdf\x92W\x1af\x91\xe6\xda\x1c\xb9\xbe\xb3\x12za\xbe\xcaf\x8ej\xb0\x97|\x8c~\x8b\xf6\xa70D\x9eU\xae\xf6\xf9$?\xfd\x89Wv\xfe!\xf1\x18\x97J\xa4\x84<\xb8\xf84\xdd=\xa4\xdd\x0a.\xab\xf6\xba\x1bF\xfb2\xfcN\xcf\xceu0&\xc7\xc9\xa7\x08\xa5\xf4E\xe4\x92\xc0&D=-\xc2-\xf1:\xa8\x0ae\x07\xae\xa4\xc3JF\xec\xb1>\x12\xcb\xde\xcd\x09\x15\xad\xffr] +as_response, C8rquZ3DjgNW06JGLl +[kvno=, cipher=18, ciphertext=Zu\xc8\x949\xeb7, cipher=18, 
ciphertext=,\x18:\x8cqA*\xfak\xdf\xf6\xa3\x09\xe2\x14hMU(]\xcc\xae\x13\xa5\xb7\xa1e,\x05c\xc9\xc1\x8d\xdeys\xae\xb0_\xa3\x1b9."\xb2f\xca>\x138\xe3\xe7RI\x86\xd8\xa6\xad\x8a\x12\xf7\xfa\xd4%^N\xa0\x1bB\xec[\x0fg\xdbP\xdd\xc4\x88\xf6zE -\xd4\xd9\xdeA\xack\xc0L\xa5+\xe7@f\xdfg\xa7\xa9o\x0a~&<\x94-V\xf5v\xf6W\x0dU\xf3\xfd\xd8R!\xcb\xad \\x00\xdc\xa8wI\x0c\x0aw\xa6\xf1\x11G.A\x16)\x80\xda~7\x09v,\xdb\xed\\x9c\xcb\x8fv\x0a\xf3Bi\x85\xb8\x80\xd9G\xb0"\x11\xd2\x97\x8eB\xbe\xa5"*c\xbe[6\xa2\xbc\xd0xL\x04'?\xf8\x83\xcd\xe7\xad\xff\x0d\x04\xe8"\xb9\xcfT\x0f\xd8\x15Kw\xddw\xc7h\xea\x14\x99\xdd\xa4\x9b\x7f\x1fM\xad\x92\xa2\x06\xe3\xcb\x98\xfe\x16~nb\xc1{\x1a\x852!\xb4^4\xc0\xd5\xa5(\x9b{\xfc\xdaa\xf0A\xb1\xde\xba\x08\xb8\xcb0\xa2\xb0\xec\x8f\xc0\xd4\xda\xdb\x0e\x04\xbfR\xccA\xf8\xf48\x1b\x04\x1f\xa8\x0a\xc1]] +as_response, CaGCc13FffXe6RkQl9 +[kvno=, cipher=18, ciphertext=\xbap\xd1\xa3P\xdc(\x9f6\xca_}\xd9\xf5\x02\x82O>F\xd2\xab\xf6\xa3S\x12\xe1}\x7f\xb6\xba\xd23grL/\xa5XQ\xbe\xe8eWb\xc0\xa4\xa4%X\xdb\xc1\x92\xa4\x07\xd9B\xc5V\xcdQ]N\xdb\x9b\xc1J\x9f\x14\xb1a\x1dKZ\xf3\xb0s\x9f\x0b\x0b\xf0\xcd\xe3.;GFBhX\xf4M\xd3\xe0>\xf5%\x876\x00E\xcaR\x96|\x9f<\xc9\x1b#\xa61\x7f\x8e\xb4\xdd\x17\xd4\xad\x061%\xa2\xb2\xd1\x85\xb7\xb5\xa5\xaf\xd4\xae\x1d\xcd-\xd8!i\x07\x8a`\xfe\x03\xdc3\xce\x07\x17\x0b\xa3fU\xb5\x84\x0c\xed\xf5,\x03\xa0\xac\xef\x97\xb1\x83r\xd1\x99\x07wb\x8aAo:\xc3\x08\xb3\xf9\x88\xe6\i\xd7t\xdc \x08\xfd\x01\xe8\xe3\xf16\xe2\xe4\xab\x1c4\x04\x0e'\x0a\x9b]\x04|h\x03/\xa2S\xb5\x0f\xac\x0d\x0b\xeb\x9f~A6n\xc4W\xae\xdeC\x1e\xd7\xe6\xce\\x0eTMH\x9e\x8f\x8e\x0f\x8bL~e\x99>\xbc\xdeJ\x06\xb6v\x09x\xf3\x11\xeeT\x17\xb6\x8f+\xf4\xd9\x01\x8c\xafP\xbb\xach\x10H}\xb3\xd3y\xe7\xac] +as_response, CNdne23ox8SQTgPoy3 +[kvno=, cipher=18, 
ciphertext=c\x03E\xa9c$\x0b\xd7\x93g\xcf"\xcaPP\x0fL}\x02k\xc7\x1c\xfblp\xe9D\xe7{ag\xbc\xee\xa8x@\xac;\x00\xa1"\x03\xb2\xa3nM\x18\xfc\xc3\xfe\xbd\x8e\xd5Ea\x85\x1c\x07P\xafV\xb8h\x06\x99\xd0\xd7\xd1\x0e\x1dY\x12x\xd7\xce\xc3I\x9f\x8f\xa8<\xdf\xf4\x14\xac\xecK@\xa7\xbb\xcf\xad\x0e\x02\xf7\x7f\xc0\xae\x90()8)\xd9\x00\xae\xa3:\x8f\x84q\x12O\xbdP\xc4v\x8d\xd0\xec\xe6\x0fx)\x86\xf9\xdb)4\xae\xe3\x02Nub\x8f\xa0\xd1\x98\xda\xf3\x90W\xe2\x03\xdb\xba5\x94V\xddY\xe1\xb3\xe8;\xe9\xe1\xe7#T\x8f\x09Od\x92\x97\x91\x1f\x00\xd7\xc32c\x92!1-\xb1 N\xa3"U\x99X\xe9\xe1\xdd.\xd4\xb2t\x93\xa8\xd2\x91\xab\xdc\xd5\xd0\xf6\xea\x91\xe7.\xe4K\xd0\x95\x97|\x82*\x86B;\xc9+M\x9e\x1dL-\x8d\xb8\x85\x97\xb2\xf3r\x10\x8c|b\xd4\x03\xd0\xaf\xbd4\xc0\xde\xc1\xd8+.\xf8\xf3[V~3j\x09\x08\xe0\xa1M\xc4] +as_response, CTrywc2ra7tcWn2af +[kvno=, cipher=18, ciphertext=&Q\xcd\x9d\x90%h\x83\xac]\x1c\x82\x19\x88\xea\x08\xef\xd9I\xe4^&\x88J\x8c\x1e\xb7\x09\xaf\xde\x16\x0ak\xd59\x82\xd4w\x95/\xc3\xbe\xdb\x1f\xa5<\xdf\x1e\xe4x:P\xee\xe4\xb5\xab\x1dS[D\x9aI\x7f\xf8\xe3\\xf9\xde\xf3\x97\x15IE\x03,\xa2\xfa\x9c\x80Y|\x08\xa2\x15\xb3\xba\xfc\xeeo\x8d\xb9\xa6\x1c4_\xddI\x1f\xed\xe2OW\x96\xf4\xa0C\xeb\xf9;\x19B\xdaP+l?\xae\xf7\xe5'\x96$g\xf7\xd6\x02P@t\xf6u\x87\x82\xe2(\x1cK\xc1\xc8\xfc\xc8\xf9or{\x9c\xb9\xeb\xe7F+YZ\x9ba\xe5$\xc4\xb2\xeb\x07\x0aC\x1e\x7f\x9a\xd7U\xcew\x13\xb4\xd5\x01\xad\xd1\x98\xbdlyA#\xe5\x03;\x13\x16\x8b\xe4\xe8n\xe5\x87\xd2\x8f\xda\x80\xd8p \xf8\x07W1P\x90\xe8[5\xa6\xc9\xd8\xdb@\x13\xfdt/u\xd0"\xb5:\x15\x09M\xc1\xcb\x9fK\xbb-&\xa9\x0f\xf9\x9b0Bm\xd2\xa4?]\x0f\xde\x9f\x17\xe9"\x09\xbd\xf6\x0d\x07D?]+\xc9{\x87C\xa2m/\xa0-y\xd89\xea3\xbe\x9e\x06\xfd\xb4\x04] +as_response, CM4z3Z2rdNfyHYQ0Df +[kvno=, cipher=18, ciphertext=O|'\xf1\x05\xc1\x86\xb2w\x03\x04\xfei\xe1\x14\xe9;V\xb8\xe4\x8cUSU\xf2\xfb\x9fR\xccC\xe8\xb9(\xc9 
\x98\xe5qxtM\xee\xe9\xb3LF\xc3^\xea\x04\xe3\x85\xf1Up\x8c5\xde{\x06\xf4y\x16#\xd8\xf5\x18\xd6\xae\xd8\x8d:i=\xdcg,\xd1\x9c7\x0d\xc5\xb5)\x8el\x18\x9a\x08\xc5\xc6"\xae\xaa#\xb17B\x838\xaf\xd0R\x81K\xb7I.\x1d\xf0 \xc7\xd3\xee~\x0f\xe7\xb5g\xbc\x9b\xe6\x1f:(\x00\xb2\x95<\xdb\x8f\xd2\x15\\x1b\xcaw\xd3\xe2*X\xac\x9a\\xda\xbd\xb5\xf7"\xeb\xe7\xd4\xb6\x068\x88\x13\xa9n\x1fC.\x94\\x1c\x83\xdb\xaa\xba!!V\xef\x88\x1c\x85p\xe6\xc9\x859\x9f\xec\xc8(\xb1\xc3\x84\x15\x80Gk\x85\xe5, cipher=18, ciphertext=\x98\xfa[\x06\x0cc\xf1\xc4\xa9\xa9B\xb4\xd67\x89+\xa4\x06\x99\xfb\x9c\x08\x87r\xf41g\x13\xe6\xee\xe14\xe2sQ\xc4\x14\x07\xb4?\xb0\x84\xbdM\xdb\xe9\x8eA\xe6\xa2\x911\xe8\xd0\x18\xdf\xca\xbf,\xc736\xc2E\xd9\xd4\xca\xe0E}\xbcB\xd7\xe2\xb3\x891)\x06Op\xe0\xf2\xb9\xa6l\x0f\xabu\x80\xa8j\x00\x81_\xebz\xb6\xde\xe56\x1bGr\xe7\xc6\x9c\x9f\xf9\x9c\xb67>\x0c5\x1cj\xa5\xe0\xcf.-V\x17>\xc1Q\xc4\xffr\xe92\xe2\x039\xccQ\xfcA9\xd0{t\xb9\x14\xd9[\x9ft\xc8v\x96\xf4\xe1\xe2\x10g0v\x07'8^\xcf[\xd6$\xe2\xbd\xbf3\x94e\xfe4\xc4&\x1c\xfdV=#K6\xdd\xc7G\xff:T]\xe3\xe3]\x81\xaeYRl9\xeeA\xd6\xfbx5\xa6J#;\xfe\xb8\xcdF\x82\xf6lh2\x03E\x87\x1ag\x1a`v\x13wt\xdc\xf3X\xde\x14\xb8\xa1F\x95\x1bl\x98\xc0\xac\xd9\xe7\xcd\x88\xde\x82\xad3\xad_)I\x17\xcc\x16^x\xda\xef\x83\x19\x06\xd4\xea\x97\x08\x8b\x94T\xdd\xe3\xa2\xf6\xa9] +as_response, CjGaD11BLkmCG5cEVf +[kvno=, cipher=18, ciphertext=\x1cM\x16}c~\xd0\xfc\xc3\x84\xbf\xc7{\xabM?\xab\xdd\xfa\x97\x99\xd48\xa6\xb4&\x1d)\xde\xb7\x8f\xad\xd9\xa5)\x86(\xb42-\x8dm\xb1Rw2\xb1\xb1\x92\xdf!\xc5q\x17\xaa\xabE\x04\x0aQ\x9d\x92\x0b\x8c*\xe2\x086"%U\x1dW\x14R\xe9\x1bz\x7f\xc8\xb1\x041;l\xb8@\xa2p?yv\x8eh\x8bR\xd1\x08\xb3\x9e\xe6\x88\xc3+l\xe5\xb1w\xe5A\xe0*l\xb7\xbb\x1ar.\x83@\xa3\xbbWxPG\xac\xec\x03n\xd6/\x90j\x09\x911n5Cy\xc3\xc3\xc8#\x8a\xdd\xfb\x9f\x12\xea\x83\xb9\x8e_\xc5\xce\x16, cipher=18, 
ciphertext=\x0dW/\x18s\x19\xcf|\x89\xf9\xbb\xc4:'\xef\xf9z\xe4A\x8dC\x9c\xabj3\xf9J\xc6^k\xfc\xa0\xc7\xc0B\xd21S\x96_\x1c(h\xde\xc9\xfd*D\xa8/Z\xcc^\xe74\xef\xecA,\xa1\x90n]\xdb\xa5K\xa0hy\xf5}\xeak<\xd1+~\xc7\xe2\x0a\xd4Z\xed\xa2]ik\x8a\x1b\xc6\x0ev0- V\x9e\x8df\x14\xf15\xdb\xec\x81\x7f\x0a\xe7\x96\xe6\x01NB\xa8\x09;\x83\x9b\xe24\xff\x15m\x91\xdbl\x9d\xec}&p\x1c\x94\xcc\x9d5\xa9\x97\xee\x88d\x96V\x06\xf1\x99\x0a\x8c\x0aT\xed\xd3\x14\xbd\xa98$S\xdaiKx\xe4\xb0\xbc\xb8\x88\x14\xc2\xa9SV]\xd4\x19\xd2\xab\xa3X,\xb2\xb2\xa9xz\xc0o\x99\xd0\xb5\x9a\x82\x18\x82\xa8w\x93\x15\x95#D0\x8d\xab/\x8dZ\x0ca\x95A\xd7\x84\xf4)\x9c\x15\xcdc\x8ayvC\xa0\xda\x0a,D\x85S4Cw\x89>\xc3\x9dy\xc8\xb5)A^Y\xa8P\x9dA\x80B\xac\x18\xf7\xc8\xff_\xb5\xa3\xff\xed] +as_response, CKvlqe4bTVu5HNGrb1 +[kvno=, cipher=18, ciphertext=\x06\x1dA.\x8d\xba\xe1\xc54\xa4\x05\x96\x93\x93q\xe9\x16Wvf\xa8\x88\xc7\x97\x84\x0c%@\xd70\x1fAq\x8cZrX\x1bM\xe3\xf1'S\xe7\xceY\xf5\xdb\x88\xd6\xc8\xf9\x10n\x9e\x06\x1dD\xd4\x9ah\x03\x1e\xd7V8\xef\x13\xee+\xa8L\xf7q\xb1\xe9/\xac2U\xa1\x1fZs\x8432A\xfd],\xa1\xe9b.\xaf\xe1F\xd4\xc4\xdb\xce\xc0\x1eZ\xb1\xdfi\x06Q\xcaS\x98PQ\xa3\xf4]<\xe5\x8a\xf0\xc7\xa0^\xe9\x1dMN\xe9C\xfd\x7f\xb6?n\xfc= \x8e\xd5r*\xa7\x09\xc7\x0b\xf9\xe9\xbca\x1b\xe0M\xea\xff\x0a\xca\x94N\x0d\xd48\\x1aE\xc7\xfa\xc8\xccY\x04N\xf1\x16\xc3\xc7\xa7\xac\x83\x16l\xb0l\x9f\xf8?\x9c\x16\xbd\xe1\x82\x9c\xd5\xd58\xd3\x14\xb8\x93v|\x1e5\xe7f\xda\x81\x0e\xabO\x02\x15\xaa\xf78E\x192o\xf0\xd7\x9b\x80} \xeb\x0dk\xeeu(\xd22\xf0.\xae\x9b\x88\x14\xe91\xf5\x1f\xbb31\x0d\\xff6\xb3\x8d\xcbE\x09\xa9\xf5\xf2<] +as_response, C04EG53Yaw6dgjGT3k +[kvno=, cipher=18, 
ciphertext=N\xfd\xa3\x0b\xa0#H\xaa\xf3K\xaaJ\xc6\x11]\x0f\xeb\xc9`\x92~\xd9\x0b~\x0b\xa0x\xaeV"\xd8ww\x04\x1b\x96\xbf\xee^\xbd4\xf6\xad\xfb\xc9V~4~\x80\xf3\xa8\xef\x8bB\xa9\xeb\xdd\x86\xb7\x0dO\x0c\xce\xfcq\x9d%\xce\x84\x9aJ\xc2\xc5\xa2\x85\x05\x1b\xc4\x1d\xaf\xe1e=\xb0y\xfby2\xb0$W\xe7\xb0\xd6x\xe2\x14\xd3\xfa\x9b\x03wV_0\xca8\xa5\x03\x98p\xe5\xe3\xcc\x09\xa3yQ\xbbS\x0cp\xc9\x7f\x1b\x0am(\x0a\x89\xbbA\x7f\x08\x9b\xbeS\x89\xca\xa0\xd1!\xca] +as_response, CdzNo91LLZlfe0pmT8 +[kvno=, cipher=18, ciphertext=/jq\xf7\xad\x92L\xe5:T\x7f\x9b\xe5\x17h=\x82 \x86\xb9\xeda\x17\xc6x\xd8F\x8f\x10\xc4\x11\x9e\x04\xc4o<\xebNR\xb3\xd4\xc1;9\xd3go\xe6\\xf9\xab\xe6HZ\xc5[\xa2$\x8ar\xdf\x9a\xb5\x19\xfa\xe6\x10\x97\x1d\xbe\x0f\xfe\xfc\xf8g\xae\xe7\xa1\xf5^\xa6[^Bed\xe4?\xaa\xf4\x9b\x95\xed\xe4\xec\xaf\x18\x05\x14O\xd1\xd4i[\xb3\xab\xf6)K\x8fx\xc2\xf8\x94\xb0\x856\xe7\x04\x87\x98a\xde\x97`"i\xb28\xe6\xf7m\xf9&E+\x17m$\xecA\xdc,,\xefC\x11\x84\x86\xf7\x06\xc7\x9f'\xd8\xd5Xc\x9f[\x92n\xb7\xb3)\xd8g\xee\xb8\xbe\xa26G\x0a\xf1e\xc7W\x0f\x1a\x83 >\x0cE\x8dy\x95u\xa6d\xe7\x7f\x9c\x05oS\x99\xb4[\xe4\x07\xb3=\xa3\xc4\xc6\xe2 \xd3\xb2\x90\xef\xc46\xadUx\x14\x98&JJZ\xfc\xf9\xff\x14\xee\xc7\x841o\xb0\xb6\xf7\xe2\xceZ\x14\xbe\xfcU\x11x\x18\x83\xe1\x15-\xe8\xe7|\x1a.\xc6\xa1\xb44\xae] +as_response, Cb2Rv3Wek35VDwxDk +[kvno=, cipher=18, ciphertext==x\xdd\x86+G\xda,au()+zNX\xac*_3 \x02\x17r\x1e@R\x9bJ\x8e 
\x05\x14\xde\xfd\x18\x17\xeb\xa0\xf8\x13S\xf5b\x1e\xb3\xcda^\x94_\xb1'=Ryi\x06Jy)\x8a\xd3\x11ti\xfdv\x86\xed\xb5\xd8}?\xb7\x05\xec\K\xbal\x9e\xea\xaf\xc0\x16^\xedJ\xb4\x95\xfa\xf3\xb3G\x9f\x16\x03\x97B\xf6[y\xb9\xfd\xc4;\xbe\xa2\xc4E\x8b\x1eM\xaaHa\xae\x9f\x9d\xd0\xbe\xe1.}\xf5\x09\xccT\xefi\xe5\x1d?/\x8d\x05\xe8'\xf6\x8el\x04\x9a\xc6\x94\xb1k-q\xd7\xaa\xa9\xb4\xea\xc4\x82c\x09k\xd5\xc4\xb2xZ\xc7&\x1e\xc4\xaej\x83\xed\x14\xfd\x86\x05\xcf4\xe5r\x0b\xc1WS\x88\x1el\xca\x9e\x86^/\x9b\xaeO\x9f\xfd\x81Q\xa1\x8b\xc9Q\xb4\x98\xc1a\x97\x8c\x95\xfd\x87D~4w\xe75\xb5@\xd0\x10a\x972\xf8V\xca\xd3\xc1\xd1@\\x7f>\x99\xe4\xbc\x14f\x14\x8f"[P,|\x96\x9b\x82AVc\xfb\x89,P*\x05\xe8\xd1\xfa$P\xe6>,\xfdW\x7f}.\xad\x06\xc3\x02\xa5b\xd2A\xae] +as_response, CsLUyBLEs5x3GKtgk +[kvno=, cipher=18, ciphertext=\xad#\x8a-h\xab\xc1\xd9\x105\xb1\x88\x11\xe4\xa3]c4Sa&\xe8t\xb6!\xe8h\xd8\xfa.\xd9\xea\x9e\xf9\\xbb\xf2\xbb\xb1\xfe\x91\x1340\x8e\x89\x0e\x1d\xd8\x1d\xd2\xf4a+C\xb7b\xaf\x91\x93\xdb\xf6\xae\xfc\x99\xd9\xbd4\xd7\xd4>\x8e:p\x80\xd4\x03\xdai\xa9\x08z\xc95\xe0\x0f,\xf6\xfe\x11TM\x80\x0aE"D\x81\x14\xc7\xbb\xed?\xb1\x9eR+\xdcj\xbep\x12\x147\xc7\x9e\x94\xd0\xb4\x05\x8d,\xd2]\x1d\xaf\x8e\x8a8\xa2\xfa\xf6\xd1\x0e\xb8,\xa2\xd9\xfd\x18!\xc7\xda\x11{\xadV[q1\xa2)\x1b\x00I\x8c\xbex\xd2\xd6\xd6\xda\x1953\xfb\x14\xf6\xa7L\xa9uLZ\xd8\xb6sEK\xa4\xdd\xdf\xbd\x82\x8ak\x1emx%&\x9e\xa8\x9ea\xb4\xed\x92*\xa8\x0cO\xb9\x05\x96\x8e\xf7\x92\xca\x89\xd4s\x97&0?\xff<=Re\\x1cD`\x06|\x17\x08\xad\xecL^&{B\x96N\xe1"y\xb3\x83\x8b\xddj\x15\xca\xe1\xb8\xadF\xd3\x82\x00\x93\x02Z\xf8=] +as_response, CkVqlMyWLZSpdNcPa +[kvno=, cipher=18, ciphertext=mjK4\xa4+\x03XCf?\xdakS\xfccy\x97=\xba\x81*SG\x912\xe5 \x10\x9dV\x13\x8a\x18bF#TCe"D\xd5\xb5\xdf\x92\x9e\x88\xab\xf3\xc3\x97N\xb5?\xd5<\xa9\xdf\xe9,F 
\xb5\xfa\xa5\xa1#\x15\xec\xee\x918[\x1f\xe4\xc4\x8f\xb3\x0a\x1cd\xc3\x92\x1e\xea\xfc\x13\xdd2\xaf\xfe\xeaKA\x07\xd4I|R)\xac\xe5c8'S\xabn\x06\xb1\x06\x0a\xc0\xc7\xa0\x8dU\x99\xb4\xf0\x14\xb4gs\n0\xb4\xdf4\xec\x90\x01\xcd\xaa\xb0\x0d\x0b\xac\xf3t&\xb5\xacG9z\x96E\xfcK\xca\xd3]\x95\xb9\xfc`\x94|hazI\xa6\x04\x0cJa+&+{\xadB\xb6#\xc97K\xadD\x92l\x0e\xa1\xeb\x06\xbbab\x8eb\xcd\xeb\x14\xd8\xd0#\xb7\xa3\xd1\xfe\xbe/\x9a\x12\xd7\xd9\x8c\xac\xfb\x8c;'\xb8\x039a\xe5\xdc\x94\xa8\xe5\x1d\x08\xcf\xda\xcc\xf4E5\xf9r7\x04\xf5\x93cc\xc1\xc4\x83s\x1b*\x01Y\x9f9\xbdK\x00\x9c\xf4\xaa\xf0\x90\x11] +as_response, CQCAYJ2zCov16vZwf +[kvno=, cipher=18, ciphertext=\xc5\xc2\xbfkP\xd3\xach\x03\x1e\x0b7\xef\xaf\x95L_-0Q\xf5\xbf\x0c\x86d5\xd3\x9fd\xf7\xda\xe1\x9f\x8e\xe0\x04\x85\xd0\xdbU\x84\xbc~\x8c\xa5\xe4\xee\xff\xdf\xe6lv\xb4\xea/\xa8\xf0\x96\x9fT\xa3\x9dL\x18\x17\x0d\xb9g\xda\xb7\xc5\xab\x0a7\x09\xe4\xb1\xe2\xb1#06\x90\xb7\x9c\xf5\xfc\xe2s3\xb7\x95\xf3\xcb\xc1\xa6;G\xbe\xce\xba\x02\xe8\xe09\x94\x0d\x88\x83\xf0\xc0.\x03z\x1e\x97\xc1X\x8a\xc3\x8f L\x82\xab\xec\xd21\xcb5\x99\xc8e\x8b\x06xB\x97\xf8\xcd\x17zwI\x14\xfc\xa3@t\x99\xee\xa4?\x81\xa3\x85l\x06\xb1r\xe4\xda\xbb\xaaf\x82G\x05\xb0\xc0\xbf\x19\x04\xb8;\x87\x1d\xd7e$\xd1\x85\xc4v\x9e.t\xc7\x19\x16\xe7dOiU\x1d\xc1\xe8\x0cKK\xc0?A\x85\xd6Besz\x03\x13\x89t7\xfbj\x8b\xb5\xf1\xfe\xe7"\xc4\x82\xa0\xce\x0e\xa3\xa4-,e\xf8\xab\xc7\xc0\xc2I\xd9\xf4a\xd5%\xa7t\x9a\xe7\x1a \xca\xb0\x0bZ\xfb\x17\x9e\xb8\xfb\x04] +as_response, Cil9Tc1rwfQS9uqdsb +[kvno=, cipher=18, 
ciphertext=_g\xc5q\xef\x977>\xef\x97dl\xb0\xaeP\xc3N\xde\x00!\x84\xa4MG\xfc9\xe0\xc0\xee9K\xcb\x89\x0aZ2N1,\xd4\x8d\xcf\x0cW\xb7\xfa(~x\xb6\x08\xc9\xa8\xee\xc4G/\xea\xd3\x94\xca\xd0\xf7\xc0\x1c\x97\x90\xfe\xb3\xa6,\x14\x11\xef\x98=v\x8dO\xcd'>\x90\x85\xa9\xe5\x9e\xa5\x97[[G\x8e\x973\x1a(\xb7\x8a\xa9Nm\xbd\xcd0\xe8\x04\xa9\x85\x14\x91\x8b\x82\x8c\xc0\x10{\x1d\x98\xcb\x1aL\xf2\xbe\xc8;\xa1\xda\x05\xa3)\xda\x048\x88>\xdf\x12[\x07\x89\xea+[IjG\xe3\x10\xa3\x06\xa6\xbf\xf9"Ty\xe8\xdd$\x13\xf2w\xd5\xe5#\xf4:\xb0f\xd3\x0dQu\xb5\x1bl\x91\xc7A\xec,{\xfan\xff\xbb@\xdb0nJ>\xc20c\xd61D\xe7\xcb~\x88YbO\x99\xba|L\x81\xd7\x06!d\xea51\xaf\xd5-)\xab\x14\xa4 \xf31\x0b\x1a\x16\xb0\xb2\x07\x97&@\x82\x9e@\xd1\xd9H1W\xaa!\xc5\xedg\xb9B.\x7f\x1e\xa1\xf4W\xd9\xe7K\xd6k*\xd6\x00\xfa5\x19\xe4T\x7f\xe7\xe3D\xfd\xe5\x93\x9bi\x98\xd3] +as_response, CoVJDI3K3qTiTnPoV9 +[kvno=, cipher=18, ciphertext=\x9e\x7f\x11\x7f\x88RO\xc7\x01N8\x91\x0f\xf4\x1d\x91\xde\x06\\xd7JQ\xda\xe9\xfa\xab\x9a7T@z\xe0\x0c\x16\x81\xbe\xe5;A;\xa6\xb8T`\xeb\xd8R:\x16\x03\xc0A\xc6 :\xe7]\xd9>J\xc2\xb9\x89gv\xa5|\x94\x8bgo\x8c\x94d\xabu\xe0C\xa1\x16\xc3\x12\x02\x0el\x8a\xc8\xc3\x88I\xb9\x01\x96\xc1t\xc8p\xda\xa7\x0cK\xf6\x89=\xaa\xc57%\xf5\xc3U`(\xcc\xfb\x9c?N\x8b\x12\xf3\x01\x12\x1eI\x92\xd7\xb9*\xae\xbc\x14\xad\xf1\xae\xd7q\xf78\xe6\x91$aF\xe9\x8fb\xda\xeb\x06\xe8\x1f\x9a\x8e_\xc4\xaf=\x03\xe0\x80\x0b\xf2\x0f\x91\xd7n\xa6\xdb\x1b\xeb?gZ:\xc7\x82\x80\xa4\xba\xa7\xa0\xf8\xc3\xc7\x05, cipher=18, ciphertext=\x9e\x7f\x11\x7f\x88RO\xc7\x01N8\x91\x0f\xf4\x1d\x91\xde\x06\\xd7JQ\xda\xe9\xfa\xab\x9a7T@z\xe0\x0c\x16\x81\xbe\xe5;A;\xa6\xb8T`\xeb\xd8R:\x16\x03\xc0A\xc6 
:\xe7]\xd9>J\xc2\xb9\x89gv\xa5|\x94\x8bgo\x8c\x94d\xabu\xe0C\xa1\x16\xc3\x12\x02\x0el\x8a\xc8\xc3\x88I\xb9\x01\x96\xc1t\xc8p\xda\xa7\x0cK\xf6\x89=\xaa\xc57%\xf5\xc3U`(\xcc\xfb\x9c?N\x8b\x12\xf3\x01\x12\x1eI\x92\xd7\xb9*\xae\xbc\x14\xad\xf1\xae\xd7q\xf78\xe6\x91$aF\xe9\x8fb\xda\xeb\x06\xe8\x1f\x9a\x8e_\xc4\xaf=\x03\xe0\x80\x0b\xf2\x0f\x91\xd7n\xa6\xdb\x1b\xeb?gZ:\xc7\x82\x80\xa4\xba\xa7\xa0\xf8\xc3\xc7\x05, cipher=18, ciphertext=\x9d\x9f\x87\xb7\xa4_\xbesaey\xa3\xc3\x01\xe3\xec{\xa5b`k\x88m\xfc\x0b\xc8\xc8\x0b\x7f\xe6\xfc\xe9\x1a\xe2\xb2>Jo\xc6\xd02D,\x13\xe0\xe1E\xa7kX/\xdb\xd7\xa46w\xf3\x8e\xa14@\xb9|x~\x93\xf4\xdf(\xef\xed\xff<\xd2\x97%(9\x0dT\x08})\xd3\xb4\xea\x97^\xd0\xb2G\xb9&V\xf2\xfa{UQ\x10\xb6u\xbdZK\xce\xb7\xc2\xa3\xfep\xd0\xe0\xa4x-\x15d\xd0\x8a\x97\x7fw\xf0\xbaS\xdb'\xe0L\xa6tx%\xf3z\xb9T \x99\xbd\xc7\xdb\xb4\xe8F[#s,\xa0\xce\x0f\xb0"f\xb9sX3xM\x8f9]\xcfj'\x9e\xb6\x08SD\x1e6A\x03\x9f,\x9d\xd7\x8dD0I\xd62\xa4\xf4h&\x18\x88\xa3\xf1g|\x13xu\xb2Q\x84L2\x1d\x07Lk\xd4\xfc\xd7\xc8\x0fF\xcel\xfa\xb7\xf4\xefV\xa8\xf9\x00a*\xdd\x19h\xbf{\x98\xc0Q\xbd\xb1\x8c1\xc9Y\x97\xdcg\xe3\xd4!\xb5\x95\x96\xfb"\x18\xa4\xba\xa1\x813\x129] diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut new file mode 100644 index 0000000000..46d72b1541 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid history service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/out b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/out new file mode 100644 index 0000000000..9985d45318 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/out @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_QUIC +analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_SSL diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut index f95a354194..46d72b1541 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log index ecaaed9815..ad6abaf8cc 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISisH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.54.117 53727 110.213.53.115 443 1 95412c47018cdfe8 (empty) d5412c47018cdfe8 api.cirrus-ci.com h3 ISishH #close XXXX-XX-XX-XX-XX-XX 
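Review bot: every record in the kerberos `enc_part` baseline above (the long run of `+as_response, <uid> +[kvno=, cipher=18, ciphertext=...]` lines) prints `kvno=` with an empty value, so the new baseline never exercises the kvno field; if the trace genuinely carries no kvno, either add a record that has one or drop the field from the printed output, otherwise the analyzer is not populating it. The same records also emit hundreds of bytes of raw ciphertext each, and only enctype 18 ever appears; printing the ciphertext length plus a digest (or a short fixed-length prefix) would keep the baseline readable and stable while still proving the value reaches script-land.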
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut index f95a354194..46d72b1541 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.events/out b/testing/btest/Baseline/scripts.base.protocols.quic.events/out index 7b074d32a9..e377ed39d4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.events/out +++ b/testing/btest/Baseline/scripts.base.protocols.quic.events/out 
@@ -4,17 +4,20 @@ 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 1b036a11, 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , fc674735 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735 +1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, fc674735, 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, ef3a4e06, zerortt.pcap 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, b7c7841c64883e3261d840, 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , 8d2041ac 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac +1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 8d2041ac, 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, 5b7bc400, 1.0, initial_packet, CtPZjS20MLrsMUOJi2, T, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, initial_packet, CtPZjS20MLrsMUOJi2, F, 1, , e483a751 +1.0, handshake_packet, F, CtPZjS20MLrsMUOJi2, 1, , e483a751 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut index f95a354194..46d72b1541 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl 
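Review bot: in the `scripts.base.protocols.quic.events/out` hunk (`@@ -4,17 +4,20 @@`), two of the three added `handshake_packet, F, ...` lines are byte-for-byte identical to the line immediately before them (same uid, same dcid `fc674735` and `8d2041ac`), and the third (`e483a751`) carries no field that ties it to a particular packet either; the baseline therefore cannot distinguish "a second QUIC packet in the same UDP datagram was parsed" from "the same packet was reported twice". Suggest extending the event output with a per-datagram packet index or the packet's byte offset so the baseline demonstrates the intended behaviour rather than just a higher line count.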
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut index f95a354194..46d72b1541 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut index 91c6575829..6eadcd2f9d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut @@ -2,4 +2,4 @@ ts uid history service 0.015059 ClEkJM2Vm5giqnMf4h - - 0.001000 CHhAvVGS1DHFjwGM9 - - -0.648580 C4J4Th3PJpwUYZZ6gc Dd ssl,quic +0.648580 C4J4Th3PJpwUYZZ6gc Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log index 23623d6a05..6d37e079ea 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 40084 193.167.100.100 443 1 a771f6161a4072c0bf10 (empty) 5911deff server4:443 hq-interop ISishhIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut index 82447e238b..f60a9d33e6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut @@ -2,4 +2,4 @@ ts uid history service 0.000000 CHhAvVGS1DHFjwGM9 - - 0.016059 ClEkJM2Vm5giqnMf4h - - -0.669020 C4J4Th3PJpwUYZZ6gc Dd ssl,quic +0.669020 C4J4Th3PJpwUYZZ6gc Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log index 74e8b2a29a..0caca791d3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log 
@@ -8,5 +8,5 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string 1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 4a8294bf9201d6cf (empty) - server4:443 hq-interop ISr -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 42834 193.167.100.100 443 1 1b036a11 (empty) fc674735 server4:443 hq-interop ISishhIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut index 8fa1c1ad8f..01d1a432a4 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut @@ -2,5 +2,5 @@ ts uid history service 0.015059 ClEkJM2Vm5giqnMf4h - - 0.001000 CHhAvVGS1DHFjwGM9 - - -0.790739 CtPZjS20MLrsMUOJi2 Dd ssl,quic -0.718160 C4J4Th3PJpwUYZZ6gc Dd ssl,quic +0.790739 CtPZjS20MLrsMUOJi2 Dd quic,ssl +0.718160 C4J4Th3PJpwUYZZ6gc Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log index 6884c599e4..f2f8098294 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log 
@@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH -1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishIH +1.000000 CtPZjS20MLrsMUOJi2 193.167.0.100 49394 193.167.100.100 443 1 15ae5e5e4962163f410b5529fc125bbc (empty) e483a751 server4:443 hq-interop ISZishZZZZZZZZZZZZZZZZZZZZZZZZZZZIH +1.000000 C4J4Th3PJpwUYZZ6gc 193.167.0.100 60492 193.167.100.100 443 1 b7c7841c64883e3261d840 (empty) 8d2041ac server4:443 hq-interop ISishhIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut new file mode 100644 index 0000000000..46d72b1541 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid history service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log new file mode 100644 index 0000000000..5d580eb317 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path quic +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history +#types time string addr port addr port string string string string string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 1 f21fdf87f736f235846c7f460ca017 1b3ff910 eab5f6f4 - h3 ISishhIH +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log new file mode 100644 index 0000000000..fb2a422f10 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert +#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.4 53241 24.199.110.233 443 TLSv13 TLS_AES_128_GCM_SHA256 x25519 - F - - F Cs - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut index f95a354194..46d72b1541 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut 
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log index ff45b6d535..3dfdfee132 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 46907 127.0.0.1 853 1 fda05288ab9ff546 0fb934775f247b8e a31f4933d8727231 - doq ISishhH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut index f95a354194..46d72b1541 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl 
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log index d5dfb05bc4..a460e7fec8 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIisIH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 49320 127.0.0.1 443 quicv2 fa603212c8688817af3d3238735bc7 (empty) b168b5cc localhost quic-echo-example ISIIishIH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut index f95a354194..46d72b1541 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log index f7b06b5570..45411b3839 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version client_initial_dcid client_scid server_scid server_name client_protocol history #types time string addr port addr port string string string string string string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishIHH +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 50841 127.0.0.1 443 quicv2 bdf0c5b27927cc667e58d95b 71b8f3f4 cdc8b6e6 - h3 ISishhIHH #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut index f95a354194..46d72b1541 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast-2/notice.log b/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast-2/notice.log new file mode 100644 index 0000000000..89adca5668 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast-2/notice.log 
@@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path notice +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4 5353 ff02::fb 5353 - - - udp DNS::External_Name johanna-qemu-virtual-machine.local is pointing to a local host - fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4. - fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4 ff02::fb 5353 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4 5353 ff02::fb 5353 - - - udp DNS::External_Name johanna-qemu-virtual-machine.local is pointing to a local host - fd52:429e:c03c:8235:5968:5bc6:1563:f82f. - fd52:429e:c03c:8235:883c:d6ff:fee1:4dc4 ff02::fb 5353 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.0.2.7 5353 224.0.0.251 5353 - - - udp DNS::External_Name johanna-qemu-virtual-machine.local is pointing to a local host - 10.0.2.7. - 10.0.2.7 224.0.0.251 5353 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast/notice.log b/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast/notice.log new file mode 100644 index 0000000000..49d861c74c --- /dev/null 
+++ b/testing/btest/Baseline/scripts.policy.protocols.dns.detect-external-names-mdns-broadcast/notice.log @@ -0,0 +1 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README index 53b0ea4c12..ca555b15aa 100644 --- a/testing/btest/Traces/README +++ b/testing/btest/Traces/README @@ -6,8 +6,9 @@ depend on them for tests. Trace Index/Sources: -- modbus/modbus-eit.trace: Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file. - +- modbus/modbus-eit.trace: + Sourced from https://www.netresec.com/?page=PCAP4SICS, credit to https://cs3sthlm.se/. + The packets in this trace were pulled from the 4SICS-GeekLounge-151021.pcap file. - [ldap/simpleauth.pcap](https://github.com/arkime/arkime/blob/main/tests/pcap/ldap-simpleauth.pcap) - ldap/simpleauth-diff-port.pcap: made with `tcprewrite -r 3268:32681 -i simpleauth.pcap -o simpleauth-diff-port.pcap` @@ -38,3 +39,10 @@ Trace Index/Sources: - http/docker-http-upgrade.pcap Provided by blightzero on #4068 https://github.com/zeek/zeek/issues/4068 +- quic/merlinc2_Zeek_example.pcapng + Provided by Faan Rossouw on #4198 + https://github.com/zeek/zeek/issues/4198 +- pe/pe.trace + VirusTotal reports that this file contains malware. The PE analyzer was originally added + to decode info for malware, so this is expected. See + https://zeekorg.slack.com/archives/CSZBXF6TH/p1738261449655049 diff --git a/testing/btest/Traces/dns/mdns.pcap b/testing/btest/Traces/dns/mdns.pcap new file mode 100644 index 0000000000..02eb4e84f8 Binary files /dev/null and b/testing/btest/Traces/dns/mdns.pcap differ 
diff --git a/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng b/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng new file mode 100644 index 0000000000..2aba2f1afb Binary files /dev/null and b/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng differ diff --git a/testing/btest/bifs/lookup_connection.zeek b/testing/btest/bifs/lookup_connection.zeek new file mode 100644 index 0000000000..c8c8b72a9f --- /dev/null +++ b/testing/btest/bifs/lookup_connection.zeek @@ -0,0 +1,58 @@ +# @TEST-DOC: Test lookup_connection() and connection_exists() +# +# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr + +event new_connection(c: connection) + { + local c2 = lookup_connection(c$id); + assert c$uid == c2$uid; + + local cid: conn_id; + cid$orig_h = c$id$orig_h; + cid$orig_p = c$id$orig_p; + cid$resp_h = c$id$resp_h; + cid$resp_p = c$id$resp_p; + + # Produces an error on .stderr because cid$proto wasn't + # initialized and then returns a dummy record. + local c3 = lookup_connection(cid); + assert c3$history == ""; + assert c3$id$orig_h == 0.0.0.0; + assert c3$id$orig_p == 0/udp; + + cid$proto = c$id$proto; + local c4 = lookup_connection(cid); + assert c$uid == c4$uid; + } + +event new_connection(c: connection) + { + # This needs to hold. + assert connection_exists(c$id); + + local my_id: conn_id; + my_id$orig_h = c$id$orig_h; + my_id$orig_p = c$id$orig_p; + my_id$resp_h = c$id$resp_h; + my_id$resp_p = c$id$resp_p; + + # Produces an error because cid$proto wasn't initialized. + assert ! connection_exists(my_id); + + my_id$proto = c$id$proto; + assert connection_exists(my_id); + } + +event new_connection(c: connection) + { + # This crashed previously! + local my_id: conn_id; + local c2 = lookup_connection(my_id); + assert c2$history == ""; + assert c2$id$orig_h == 0.0.0.0; + assert c2$id$orig_p == 0/udp; + + # This also crashed! + assert ! connection_exists(my_id); + } 
diff --git a/testing/btest/bifs/x509_verify.zeek b/testing/btest/bifs/x509_verify.zeek index cb59d3f4aa..aabb3496a6 100644 --- a/testing/btest/bifs/x509_verify.zeek +++ b/testing/btest/bifs/x509_verify.zeek @@ -1,14 +1,7 @@ -# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT - -# This is a hack: the results of OpenSSL 1.1's vs 1.0's -# X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls -# differ. Word seems to be that OpenSSL 1.1's cert-chain-building -# code is significantly different/rewritten so may be the reason... - -# @TEST-EXEC: cp .stdout stdout-openssl-1.0 -# @TEST-EXEC: cp .stdout stdout-openssl-1.1 - -# @TEST-EXEC: grep -q "ZEEK_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0 +# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1 +# +# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT >out +# @TEST-EXEC: btest-diff out @load base/protocols/ssl diff --git a/testing/btest/core/save-load-seeds.zeek b/testing/btest/core/save-load-seeds.zeek new file mode 100644 index 0000000000..f51f16bb2e --- /dev/null +++ b/testing/btest/core/save-load-seeds.zeek @@ -0,0 +1,16 @@ +# @TEST-DOC: Save seeds and read and assure the UIDs are the same. Regression test for #4209 +# +# @TEST-EXEC: zeek --save-seeds myseeds -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: mkdir save && mv *log save +# @TEST-EXEC: zeek-cut -m uid history service < save/conn.log >save/conn.log.cut +# +# @TEST-EXEC: zeek --load-seeds myseeds -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: mkdir load && mv *log load +# @TEST-EXEC: zeek-cut -m uid history service < load/conn.log >load/conn.log.cut +# +# @TEST-EXEC: btest-diff load/conn.log.cut +# @TEST-EXEC: btest-diff save/conn.log.cut +# @TEST-EXEC: diff load/conn.log.cut save/conn.log.cut + +@load base/protocols/conn +@load base/protocols/http 
diff --git a/testing/btest/language/type-expr.zeek b/testing/btest/language/type-expr.zeek new file mode 100644 index 0000000000..bf95e4b2df --- /dev/null +++ b/testing/btest/language/type-expr.zeek @@ -0,0 +1,10 @@ +# @TEST-DOC: Test valid use of type expressions in scripts +# @TEST-EXEC: zeek -b %INPUT +# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff .stdout + +event zeek_init() + { + # Try a couple of functions that take types + print from_json("\"aoeu\"", string); + print type_name(string); + } diff --git a/testing/btest/scripts/base/protocols/krb/enc_part.test b/testing/btest/scripts/base/protocols/krb/enc_part.test new file mode 100644 index 0000000000..6510f432a8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/krb/enc_part.test @@ -0,0 +1,12 @@ +# This test prints the enc_part value from the KRB::KDC_Response + +# @TEST-EXEC: zeek -b -r $TRACES/krb/kinit.trace %INPUT > output +# @TEST-EXEC: btest-diff output + +@load base/protocols/krb + +event krb_as_response(c: connection, rep: KRB::KDC_Response) + { + print "as_response", c$uid; + print rep$enc_part; + } diff --git a/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek b/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek new file mode 100644 index 0000000000..790bea7ff2 --- /dev/null +++ b/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek 
@@ -0,0 +1,15 @@ +# @TEST-DOC: Test the order of analyzer confirmations for QUIC and SSL, QUIC should come first. + +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap %INPUT >out +# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut +# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out +# @TEST-EXEC: btest-diff conn.log.cut + +@load base/protocols/quic + + +event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) + { + print "analyzer_confirmation", network_time(), info$c$uid, atype; + } diff --git a/testing/btest/scripts/base/protocols/quic/merlinc2.zeek b/testing/btest/scripts/base/protocols/quic/merlinc2.zeek new file mode 100644 index 0000000000..733cf8cd25 --- /dev/null +++ b/testing/btest/scripts/base/protocols/quic/merlinc2.zeek @@ -0,0 +1,8 @@ +# @TEST-DOC: Test PCAP for Merlin C2 from issue #4198 + +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -Cr $TRACES/quic/merlinc2_Zeek_example.pcapng base/protocols/quic +# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut +# @TEST-EXEC: btest-diff conn.log.cut +# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: btest-diff quic.log diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test index 4e5a20a2ce..6b5992f640 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test @@ -1,4 +1,6 @@ -# @TEST-EXEC: zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT +# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1 +# +# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT # @TEST-EXEC: btest-diff .stdout @load base/protocols/ssl 
diff --git a/testing/btest/scripts/policy/protocols/dns/detect-external-names-mdns-broadcast.zeek b/testing/btest/scripts/policy/protocols/dns/detect-external-names-mdns-broadcast.zeek new file mode 100644 index 0000000000..4b1f35cd56 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/dns/detect-external-names-mdns-broadcast.zeek @@ -0,0 +1,27 @@ +# Test verifies that mDNS broadcasts are not logged by default. +# @TEST-EXEC: zeek -b -C -r $TRACES/dns/mdns.pcap %INPUT +# @TEST-EXEC: touch notice.log +# @TEST-EXEC: btest-diff notice.log + +##! First test - no log + +@load base/protocols/dns +@load policy/protocols/dns/detect-external-names + +redef Site::local_zones += {"example.inalid"}; + +@TEST-START-NEXT + +##! second test - should output log due to changed config + +@load base/protocols/dns +@load policy/protocols/dns/detect-external-names +@load base/frameworks/config + +redef Site::local_zones += {"example.inalid"}; + +event zeek_init() + { + print Site::local_nets; + Config::set_value("DNS::skip_resp_host_port_pairs", set()); + } diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek index f878ead3db..763c2fa24f 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek +++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek @@ -1,4 +1,6 @@ -# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT +# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1 +# +# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT # @TEST-EXEC: cat ssl.log > ssl-all.log # @TEST-EXEC: zeek -b -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT # @TEST-EXEC: cat ssl.log >> ssl-all.log 
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek index c3a32da70d..835261172d 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek +++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek @@ -1,6 +1,8 @@ -# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT +# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1 +# +# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log -# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT +# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT # @TEST-EXEC: mv ssl.log ssl-twimg.log # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log # @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index b26d66fbd3..71bb23074a 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -6a1cb339d394fe8d73c0f46e79bd13fbee507313 +fe1c3a18274c2deaf060fa7c90e679d5244a99b1 diff --git a/testing/external/commit-hash.zeek-testing-cluster b/testing/external/commit-hash.zeek-testing-cluster index c12bacc038..929da9460c 100644 --- a/testing/external/commit-hash.zeek-testing-cluster +++ b/testing/external/commit-hash.zeek-testing-cluster 
@@ -1 +1 @@ -43966c3a8c1a1a9d2cc3c77aebdbded602bf2cb3 +2d1f0ae518b26938e24bd26f701dab17e174a626 diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg index 20c8500948..9c7a1e2f5e 100644 --- a/testing/external/subdir-btest.cfg +++ b/testing/external/subdir-btest.cfg @@ -25,4 +25,6 @@ BUILD=%(testbase)s/../../../%(build_dir)s ZEEK_DNS_FAKE=1 # Fedora/CentOS/RedHat have MD5 disabled for certificate verification and need setting an environment variable to permit it: OPENSSL_ENABLE_MD5_VERIFY=1 +# Fedora/RedHat have SHA1 disabled for certificate verification and need setting an environment variable to permit it: +OPENSSL_ENABLE_SHA1_SIGNATURES=1 UBSAN_OPTIONS=print_stacktrace=1
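Review bot: the comment in the second `new_connection` handler of testing/btest/bifs/lookup_connection.zeek says `# Produces an error because cid$proto wasn't initialized.`, but that handler's record is named `my_id`, not `cid`; change it to `# Produces an error because my_id$proto wasn't initialized.` so the comment matches the code (the first handler's `cid$proto` comment is correct). Since all three handlers deliberately trigger .stderr errors by passing a `conn_id` with no `proto`, a sentence in the `@TEST-DOC` saying so would explain the baseline to the next reader.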
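Review bot: testing/btest/core/save-load-seeds.zeek runs both zeek invocations without `-b`, so the full default script set is loaded and the trailing `@load base/protocols/conn` and `@load base/protocols/http` lines are redundant; either add `-b` to both `@TEST-EXEC` lines (keeping the two loads) or drop the loads. With `-b` the `mv *log save` / `mv *log load` steps also move only the logs the test actually compares instead of every default log.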
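Review bot: in testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek the `OPENSSL_ENABLE_SHA1_SIGNATURES=1` prefix is added to the ocsp-stapling.trace and ocsp-stapling-twimg.trace runs but not to the ocsp-stapling-digicert.trace run visible in the trailing context line. If that chain verifies without SHA1 the omission is fine; otherwise it needs the same prefix. A short comment stating which case applies would save the next reader from re-checking.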
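Review bot: `redef Site::local_zones += {"example.inalid"};` appears in both parts of testing/btest/scripts/policy/protocols/dns/detect-external-names-mdns-broadcast.zeek and looks like a typo for `example.invalid`, the reserved TLD; it likely does not change the mDNS outcome, but fix it so it does not read as intentional. In the second part, `print Site::local_nets;` writes to stdout while only `notice.log` is diffed, so that `print` is either leftover debugging to drop or should get its own `btest-diff .stdout`.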
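Review bot: `print rep$enc_part;` in testing/btest/scripts/base/protocols/krb/enc_part.test accesses the new field unconditionally; if `enc_part` is declared `&optional` in `KRB::KDC_Response`, a response without it would fail with a runtime error rather than a baseline diff, so either guard it with `if ( rep?$enc_part )` or note in the header that the kinit.trace response always carries it. The header also uses a plain `# This test prints ...` comment where the other new tests in this patch use `@TEST-DOC`.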