From 661677d452198e3826e8552d9df44b97ad3eafb9 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 20 Mar 2013 11:12:06 -0500 Subject: [PATCH] FileAnalysis: separating IRC/FTP data analyzers. It simplifies the file handle string callbacks. --- .../base/frameworks/file-analysis/main.bro | 21 ------- scripts/base/protocols/ftp/file-analysis.bro | 7 ++- scripts/base/protocols/ftp/main.bro | 6 +- scripts/base/protocols/http/file-analysis.bro | 4 +- scripts/base/protocols/irc/dcc-send.bro | 2 +- scripts/base/protocols/irc/file-analysis.bro | 7 ++- scripts/base/protocols/smtp/file-analysis.bro | 2 +- src/Analyzer.cc | 4 ++ src/AnalyzerTags.h | 2 +- src/FileAnalyzer.cc | 56 +++++++++++++++--- src/FileAnalyzer.h | 38 +++++++++++- .../out | 4 +- .../{KPVibShQgUc-file => Cx92a0ym5R8-file} | 0 .../get-gzip.out | 4 +- .../get.out | 4 +- .../{LMA6EHLacYc-file => kg59rqyYxN-file} | 0 .../a.out | 4 +- .../a.size | 2 +- .../b.out | 8 +-- .../b.size | 2 +- .../c.out | 4 +- .../c.size | 2 +- .../{WLJWC1FMBq9-file => CCU3vUEr06l-file} | 0 .../{Ac8PLL9KL49-file => HCzA0dVwDPj-file} | Bin .../{NV2MvAX0Is4-file => a1Zu1fteVEf-file} | Bin .../{Z3kT1FyLnfk-file => aFQKI8SPOL2-file} | 0 .../out | 20 +++---- .../{YLndcRpw5Ge-file => xXlF7wFdsR-file} | Bin .../{LkolCF6OeHh-file => PZS1XGHkIf1-file} | 0 .../out | 8 +-- .../{WDJLxTGN0m8-file => v5HLI7MxPQh-file} | 0 .../out | 4 +- .../out | 12 ++-- .../frameworks/file-analysis/http/get.bro | 4 +- .../file-analysis/http/partial-content.bro | 6 +- .../file-analysis/http/pipeline.bro | 10 ++-- .../frameworks/file-analysis/http/post.bro | 4 +- 37 files changed, 156 insertions(+), 95 deletions(-) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/{KPVibShQgUc-file => Cx92a0ym5R8-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/{LMA6EHLacYc-file => kg59rqyYxN-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{WLJWC1FMBq9-file => CCU3vUEr06l-file} (100%) rename 
testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{Ac8PLL9KL49-file => HCzA0dVwDPj-file} (100%)
rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{NV2MvAX0Is4-file => a1Zu1fteVEf-file} (100%)
rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{Z3kT1FyLnfk-file => aFQKI8SPOL2-file} (100%)
rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{YLndcRpw5Ge-file => xXlF7wFdsR-file} (100%)
rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/{LkolCF6OeHh-file => PZS1XGHkIf1-file} (100%)
rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/{WDJLxTGN0m8-file => v5HLI7MxPQh-file} (100%)
diff --git a/scripts/base/frameworks/file-analysis/main.bro b/scripts/base/frameworks/file-analysis/main.bro
index 08597aa157..c89f87416a 100644
--- a/scripts/base/frameworks/file-analysis/main.bro
+++ b/scripts/base/frameworks/file-analysis/main.bro
@@ -107,28 +107,7 @@ export {
 const handle_callbacks: table[AnalyzerTag] of HandleCallback = {} &redef;
- const service_handle_callbacks: table[string] of HandleCallback = {} &redef; - global get_handle: function(c: connection, is_orig: bool): string &redef;
 # TODO: wrapper functions for BiFs ? }
-
-function get_file_handle_by_service(c: connection, is_orig: bool): string
- {
- local handle: string = "";
-
- for ( serv in c$service )
- {
- if ( serv in service_handle_callbacks )
- {
- handle = service_handle_callbacks[serv](c, is_orig);
- if ( handle != "" ) return handle;
- }
- }
- return handle;
- }
-
-redef FileAnalysis::handle_callbacks += {
- [ANALYZER_FILE] = get_file_handle_by_service,
-};
diff --git a/scripts/base/protocols/ftp/file-analysis.bro b/scripts/base/protocols/ftp/file-analysis.bro
index 68bde54e1d..016c09838c 100644
--- a/scripts/base/protocols/ftp/file-analysis.bro
+++ b/scripts/base/protocols/ftp/file-analysis.bro
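Review bot: With `service_handle_callbacks` and `get_file_handle_by_service` removed, `handle_callbacks` is the only remaining hook, yet the surviving `const handle_callbacks: table[AnalyzerTag] of HandleCallback` line carries no doc comment stating what a callback must return. Judging from the callbacks in this commit (`if ( is_orig ) return "";`, `if ( ! c?$http ) return "";`), an empty string means "no file here" and the non-empty string is the key the framework uses to tie data to a file, so I would add above it: `## Per-analyzer callbacks that name the file a connection carries. Return "" when the connection (or direction) carries no file; non-empty handles are compared across all analyzers, so include the analyzer tag to keep them unique.` The export block continues outside the hunk, and the C++ side that consults the table is not visible here, so the by-tag lookup is inferred from the key type only.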
@@ -2,10 +2,11 @@
 @load base/utils/conn-ids
 @load base/frameworks/file-analysis/main
-redef FileAnalysis::service_handle_callbacks += {
- ["ftp-data"] = function(c: connection, is_orig: bool): string
+redef FileAnalysis::handle_callbacks += {
+ [ANALYZER_FTP_DATA] = function(c: connection, is_orig: bool): string
 {
 if ( is_orig ) return "";
- return fmt("%s ftp-data: %s", c$start_time, id_string(c$id));
+ return fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time,
+ id_string(c$id));
 },
 };
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index 3d7b1fe61a..893ab7ce50 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -228,7 +228,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 {
 c$ftp$passive=F;
 ftp_data_expected[data$h, data$p] = c$ftp;
- expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins);
+ expect_connection(id$resp_h, data$h, data$p, ANALYZER_FTP_DATA,
+ 5mins);
 }
 else
 {
@@ -281,7 +282,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 data$h = id$resp_h;
 ftp_data_expected[data$h, data$p] = c$ftp;
- expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
+ expect_connection(id$orig_h, data$h, data$p, ANALYZER_FTP_DATA,
+ 5mins);
 }
 else
 {
diff --git a/scripts/base/protocols/http/file-analysis.bro b/scripts/base/protocols/http/file-analysis.bro
index b1241b4107..5b0ac79444 100644
--- a/scripts/base/protocols/http/file-analysis.bro
+++ b/scripts/base/protocols/http/file-analysis.bro
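Review bot: The callback registered under `[ANALYZER_FTP_DATA]` here and the one under `[ANALYZER_IRC_DATA]` in scripts/base/protocols/irc/file-analysis.bro are the same function apart from the tag, so a shared helper taking the tag as a parameter would keep the two handle formats from drifting apart. The unchanged `if ( is_orig ) return "";` guard is also worth a comment now that the handle is tag-prefixed: in the active-mode path of ftp/main.bro (`expect_connection(id$resp_h, data$h, data$p, ANALYZER_FTP_DATA, …)` in ftp_request) the server is the one opening the data connection, so which side carries the file depends on the mode and the command, and from this hunk alone I cannot tell whether dropping the originator side is intentional for both. Something like `# Only the responder side of the data connection is tracked as a file; confirm this covers active-mode transfers.` would record the assumption until the test traces show it either way.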
@@ -10,10 +10,10 @@ function get_file_handle(c: connection, is_orig: bool): string
 if ( ! c?$http ) return "";
 if ( c$http$range_request )
- return fmt("http(%s): %s: %s", is_orig, c$id$orig_h,
+ return fmt("%s %s %s %s", ANALYZER_HTTP, is_orig, c$id$orig_h,
 build_url(c$http));
- return fmt("%s http(%s, %s): %s", c$start_time, is_orig,
+ return fmt("%s %s %s %s %s", ANALYZER_HTTP, c$start_time, is_orig,
 c$http$trans_depth, id_string(c$id));
 }
diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro
index d07a0edf5a..1f3e20cdaf 100644
--- a/scripts/base/protocols/irc/dcc-send.bro
+++ b/scripts/base/protocols/irc/dcc-send.bro
@@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
 c$irc$dcc_file_name = argument;
 c$irc$dcc_file_size = size;
 local p = count_to_port(dest_port, tcp);
- expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min);
+ expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_IRC_DATA, 5 min);
 dcc_expected_transfers[address, p] = c$irc;
 }
diff --git a/scripts/base/protocols/irc/file-analysis.bro b/scripts/base/protocols/irc/file-analysis.bro
index dc6b5e588a..471477bbb1 100644
--- a/scripts/base/protocols/irc/file-analysis.bro
+++ b/scripts/base/protocols/irc/file-analysis.bro
@@ -2,10 +2,11 @@
 @load base/utils/conn-ids
 @load base/frameworks/file-analysis/main
-redef FileAnalysis::service_handle_callbacks += {
- ["irc-dcc-data"] = function(c: connection, is_orig: bool): string
+redef FileAnalysis::handle_callbacks += {
+ [ANALYZER_IRC_DATA] = function(c: connection, is_orig: bool): string
 {
 if ( is_orig ) return "";
- return fmt("%s irc-dcc-data: %s", c$start_time, id_string(c$id));
+ return fmt("%s %s %s", ANALYZER_IRC_DATA, c$start_time,
+ id_string(c$id));
 },
 };
diff --git a/scripts/base/protocols/smtp/file-analysis.bro b/scripts/base/protocols/smtp/file-analysis.bro
index 6ba6981639..1586b3086f 100644
--- a/scripts/base/protocols/smtp/file-analysis.bro
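Review bot: The two handle formats in get_file_handle differ in more than the tag prefix, and the difference is not explained: the range-request handle `fmt("%s %s %s %s", ANALYZER_HTTP, is_orig, c$id$orig_h, build_url(c$http))` leaves out `c$start_time` and the full connection id, while the normal handle includes both plus `c$http$trans_depth`. That appears deliberate, so that partial-content pieces fetched over several connections key to one file, and a comment above the `if ( c$http$range_request )` branch should say so, e.g. `# Range requests for one URL may be spread over several connections; key on client and URL, not on the connection, so the pieces reassemble into one file.` It also means a later, unrelated fetch of the same URL by the same client keys to the same handle; whether that matters depends on the framework's idle-timeout (the updated b.out baseline shows a `TRIGGER_TIMEOUT`), which is not visible from this hunk.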
+++ b/scripts/base/protocols/smtp/file-analysis.bro
@@ -9,7 +9,7 @@ function get_file_handle(c: connection, is_orig: bool): string
 {
 if ( ! c?$smtp ) return "";
- return fmt("%s smtp(%s, %s)", c$start_time, c$smtp$trans_depth,
+ return fmt("%s %s %s %s", ANALYZER_SMTP, c$start_time, c$smtp$trans_depth,
 c$smtp_state$mime_level);
 }
diff --git a/src/Analyzer.cc b/src/Analyzer.cc
index 15926dfa2a..6864a9b34a 100644
--- a/src/Analyzer.cc
+++ b/src/Analyzer.cc
@@ -150,6 +150,10 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 { AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
 File_Analyzer::Available, 0, false },
+ { AnalyzerTag::FTP_Data, "FTP_DATA", FTP_Data::InstantiateAnalyzer,
+ FTP_Data::Available, 0, false },
+ { AnalyzerTag::IRC_Data, "IRC_DATA", IRC_Data::InstantiateAnalyzer,
+ IRC_Data::Available, 0, false },
 { AnalyzerTag::Backdoor, "BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer,
 BackDoor_Analyzer::Available, 0, false },
diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h
index 38e47cf8fc..8429dec335 100644
--- a/src/AnalyzerTags.h
+++ b/src/AnalyzerTags.h
@@ -41,7 +41,7 @@ namespace AnalyzerTag {
 GTPv1,
 // Other
- File, Backdoor, InterConn, SteppingStone, TCPStats,
+ File, IRC_Data, FTP_Data, Backdoor, InterConn, SteppingStone, TCPStats,
 ConnSize,
 // Support-analyzers
diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc
index c736ebf5c4..8de66d3cb4 100644
--- a/src/FileAnalyzer.cc
+++ b/src/FileAnalyzer.cc
@@ -8,8 +8,8 @@ magic_t File_Analyzer::magic = 0;
 magic_t File_Analyzer::magic_mime = 0;
-File_Analyzer::File_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::File, conn)
+File_Analyzer::File_Analyzer(AnalyzerTag::Tag tag, Connection* conn)
+: TCP_ApplicationAnalyzer(tag, conn)
 {
 buffer_len = 0;
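Review bot: The new tags are declared in the order `File, IRC_Data, FTP_Data, Backdoor, …` in src/AnalyzerTags.h, but the matching `analyzer_configs[]` entries in src/Analyzer.cc are added in the order File, FTP_Data, IRC_Data. If that table is ever indexed by tag value rather than searched for the matching `tag` field, the two would disagree; the lookup is outside the hunk, so I cannot confirm either way, but keeping the enum and the table in the same order costs nothing and removes the question, e.g. `File, FTP_Data, IRC_Data, Backdoor, InterConn, SteppingStone, TCPStats,`. A short comment on the new entries saying that these analyzers are only ever attached through expect_connection() from the FTP and IRC scripts would also explain why they sit under the `// Other` group rather than with the protocol analyzers.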
@@ -21,8 +21,6 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 {
 TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
- file_mgr->DataIn(data, len, Conn(), orig);
-
 int n = min(len, BUFFER_SIZE - buffer_len);
 if ( n )
@@ -39,16 +37,12 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void File_Analyzer::Undelivered(int seq, int len, bool orig)
 {
 TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
-
- file_mgr->Gap(seq, len, Conn(), orig);
 }
 void File_Analyzer::Done()
 {
 TCP_ApplicationAnalyzer::Done();
- file_mgr->EndOfFile(Conn());
-
 if ( buffer_len && buffer_len != BUFFER_SIZE )
 Identify();
 }
@@ -71,3 +65,49 @@ void File_Analyzer::Identify()
 vl->append(new StringVal(mime ? mime : ""));
 ConnectionEvent(file_transferred, vl);
 }
+
+IRC_Data::IRC_Data(Connection* conn)
+ : File_Analyzer(AnalyzerTag::IRC_Data, conn)
+ {
+ }
+
+void IRC_Data::Done()
+ {
+ File_Analyzer::Done();
+ file_mgr->EndOfFile(Conn());
+ }
+
+void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
+ {
+ File_Analyzer::DeliverStream(len, data, orig);
+ file_mgr->DataIn(data, len, Conn(), orig);
+ }
+
+void IRC_Data::Undelivered(int seq, int len, bool orig)
+ {
+ File_Analyzer::Undelivered(seq, len, orig);
+ file_mgr->Gap(seq, len, Conn(), orig);
+ }
+
+FTP_Data::FTP_Data(Connection* conn)
+ : File_Analyzer(AnalyzerTag::FTP_Data, conn)
+ {
+ }
+
+void FTP_Data::Done()
+ {
+ File_Analyzer::Done();
+ file_mgr->EndOfFile(Conn());
+ }
+
+void FTP_Data::DeliverStream(int len, const u_char* data, bool orig)
+ {
+ File_Analyzer::DeliverStream(len, data, orig);
+ file_mgr->DataIn(data, len, Conn(), orig);
+ }
+
+void FTP_Data::Undelivered(int seq, int len, bool orig)
+ {
+ File_Analyzer::Undelivered(seq, len, orig);
+ file_mgr->Gap(seq, len, Conn(), orig);
+ }
diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h
index c7ba3fb5a9..c4bd084cdc 100644
--- a/src/FileAnalyzer.h
+++ b/src/FileAnalyzer.h
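Review bot: Moving the `file_mgr` calls into the subclasses also reverses their order relative to the base-class work, and the commit message does not mention that: the removed lines ran `file_mgr->DataIn(...)` before the buffering in DeliverStream and `file_mgr->EndOfFile(Conn())` before the `Identify()` call in Done, whereas `IRC_Data::Done` and `FTP_Data::Done` now call `File_Analyzer::Done()` (which may run `Identify()` and raise `file_transferred`) first and only then tell the file manager about end-of-file. If nothing on the script side depends on the framework seeing EOF before the legacy event, this is harmless, but a comment on the overrides saying that the base class runs first by design, or simply calling `file_mgr` before the base, would make the choice deliberate. Separately, the `IRC_Data` and `FTP_Data` bodies are byte-for-byte identical apart from the tag passed to the `File_Analyzer` constructor, so one subclass taking the tag in its constructor, with two `InstantiateAnalyzer` functions, would carry the same behaviour without the duplicated overrides.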
@@ -10,7 +10,7 @@ class File_Analyzer : public TCP_ApplicationAnalyzer {
 public:
- File_Analyzer(Connection* conn);
+ File_Analyzer(AnalyzerTag::Tag tag, Connection* conn);
 virtual void Done();
@@ -19,7 +19,7 @@ public:
 void Undelivered(int seq, int len, bool orig);
 static Analyzer* InstantiateAnalyzer(Connection* conn)
- { return new File_Analyzer(conn); }
+ { return new File_Analyzer(AnalyzerTag::File, conn); }
 static bool Available() { return file_transferred; }
@@ -36,4 +36,38 @@ protected:
 static magic_t magic_mime;
 };
+
+class IRC_Data : public File_Analyzer {
+public:
+
+ IRC_Data(Connection* conn);
+
+ virtual void Done();
+
+ virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+ void Undelivered(int seq, int len, bool orig);
+
+ static Analyzer* InstantiateAnalyzer(Connection* conn)
+ { return new IRC_Data(conn); }
+
+ static bool Available() { return true; }
+};
+
+class FTP_Data : public File_Analyzer {
+public:
+
+ FTP_Data(Connection* conn);
+
+ virtual void Done();
+
+ virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+ void Undelivered(int seq, int len, bool orig);
+
+ static Analyzer* InstantiateAnalyzer(Connection* conn)
+ { return new FTP_Data(conn); }
+
+ static bool Available() { return true; }
+};
+
 #endif
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out
index 4492b5a867..3a71ea1241 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out
@@ -1,5 +1,5 @@
 FileAnalysis::TRIGGER_NEW
-XRXY932iwza, 0, 0
+sidhzrR4IT8, 0, 0
 FileAnalysis::TRIGGER_BOF
 FileAnalysis::TRIGGER_BOF_BUFFER
 The Nationa
@@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE
 file type is set
 mime type is set
 FileAnalysis::TRIGGER_EOF
-XRXY932iwza, 16557, 0
+sidhzrR4IT8, 16557, 0
 {
 arKYeMETxOg
 }
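Review bot: Neither `IRC_Data` nor `FTP_Data` carries a comment saying why it exists as a separate class, and both copy the base class's inconsistency of marking `Done` and `DeliverStream` `virtual` but not `Undelivered`. A header comment on each, along the lines of `// File_Analyzer that also feeds the file-analysis framework (file_mgr); attached to data connections registered via expect_connection() from the FTP and IRC DCC scripts.`, would save the next reader a trip to FileAnalyzer.cc, and marking `Undelivered` `virtual` in all three classes would make the override relationship explicit. `static bool Available() { return true; }` differs from `File_Analyzer::Available()`, which gates on `file_transferred`; that looks intentional, since these analyzers are useful to the file manager whether or not the legacy event is handled, but a one-line comment stating that would confirm it.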
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/KPVibShQgUc-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/Cx92a0ym5R8-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/KPVibShQgUc-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/Cx92a0ym5R8-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out index e7df070a03..8aa5329cfe 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out @@ -1,5 +1,5 @@ FileAnalysis::TRIGGER_NEW -LMA6EHLacYc, 0, 0 +kg59rqyYxN, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER {^J "origin @@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_EOF -LMA6EHLacYc, 197, 0 +kg59rqyYxN, 197, 0 { UWkUyAuUGXf } diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get.out index 301d6dd6a7..d8d895385d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get.out @@ -1,5 +1,5 @@ FileAnalysis::TRIGGER_NEW -KPVibShQgUc, 0, 0 +Cx92a0ym5R8, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER ^J0.26 | 201 @@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_DONE -KPVibShQgUc, 4705, 0 +Cx92a0ym5R8, 4705, 0 { UWkUyAuUGXf } 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/LMA6EHLacYc-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/kg59rqyYxN-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/LMA6EHLacYc-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/kg59rqyYxN-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out index 6ce550d39a..0ce1272201 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out @@ -1,7 +1,7 @@ FileAnalysis::TRIGGER_NEW -uj9AtyGOiZ8, 0, 0 +7gZBKVUgy4l, 0, 0 FileAnalysis::TRIGGER_DONE -uj9AtyGOiZ8, 555523, 0 +7gZBKVUgy4l, 555523, 0 { UWkUyAuUGXf, arKYeMETxOg diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size index 7abf924cb4..10b907508c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size @@ -1 +1 @@ - 555523 uj9AtyGOiZ8-file0 + 555523 7gZBKVUgy4l-file0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out index 0d4d863157..f88ccd0d50 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out 
@@ -1,7 +1,7 @@ FileAnalysis::TRIGGER_NEW -ns7As4DOZcj, 0, 0 +oDwT1BbzjM1, 0, 0 FileAnalysis::TRIGGER_DONE -ns7As4DOZcj, 1022920, 0 +oDwT1BbzjM1, 1022920, 0 { UWkUyAuUGXf } @@ -11,10 +11,10 @@ UWkUyAuUGXf total bytes: 1022920 source: HTTP FileAnalysis::TRIGGER_NEW -ns7As4DOZcj, 0, 0 +oDwT1BbzjM1, 0, 0 FileAnalysis::TRIGGER_TIMEOUT FileAnalysis::TRIGGER_EOF -ns7As4DOZcj, 206024, 0 +oDwT1BbzjM1, 206024, 0 { arKYeMETxOg } diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size index 9be08e4aab..d4ade48a31 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size @@ -1 +1 @@ - 1022920 ns7As4DOZcj-file0 + 1022920 oDwT1BbzjM1-file0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out index 730a6feae8..5f4e6db178 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out @@ -1,7 +1,7 @@ FileAnalysis::TRIGGER_NEW -MHMkq2nFxej, 0, 0 +uHS14uhRKGe, 0, 0 FileAnalysis::TRIGGER_DONE -MHMkq2nFxej, 498702, 0 +uHS14uhRKGe, 498702, 0 { UWkUyAuUGXf, arKYeMETxOg diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size index fbb418c3d3..88415185cd 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size @@ -1 +1 @@ - 498668 MHMkq2nFxej-file0 + 498668 uHS14uhRKGe-file0 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/WLJWC1FMBq9-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/CCU3vUEr06l-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/WLJWC1FMBq9-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/CCU3vUEr06l-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/Ac8PLL9KL49-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/HCzA0dVwDPj-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/Ac8PLL9KL49-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/HCzA0dVwDPj-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/NV2MvAX0Is4-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/a1Zu1fteVEf-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/NV2MvAX0Is4-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/a1Zu1fteVEf-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/Z3kT1FyLnfk-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/aFQKI8SPOL2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/Z3kT1FyLnfk-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/aFQKI8SPOL2-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out index d400550396..9755b08cc1 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out @@ -1,5 +1,5 @@ FileAnalysis::TRIGGER_NEW -Z3kT1FyLnfk, 0, 0 +aFQKI8SPOL2, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER /*^J******** @@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_EOF -Z3kT1FyLnfk, 2675, 0 +aFQKI8SPOL2, 2675, 0 { UWkUyAuUGXf } @@ -19,7 +19,7 @@ SHA1: 0e42ae17eea9b074981bd3a34535ad3a22d02706 MD5: b932c3310ce47e158d1a5a42e0b01279 SHA256: 5b037a2c5e36f56e63a3012c73e46a04b27741d8ff8f8b62c832fb681fc60f42 FileAnalysis::TRIGGER_NEW -WLJWC1FMBq9, 0, 0 +CCU3vUEr06l, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER //-- Google @@ -27,7 +27,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_EOF -WLJWC1FMBq9, 21421, 0 +CCU3vUEr06l, 21421, 0 { UWkUyAuUGXf } @@ -39,7 +39,7 @@ SHA1: 8f241117afaa8ca5f41dc059e66d75c283dcc983 MD5: e732f7bf1d7cb4eedcb1661697d7bc8c SHA256: 6a509fd05aa7c8fa05080198894bb19e638554ffcee0e0b3d7bc8ff54afee1da FileAnalysis::TRIGGER_NEW -Ac8PLL9KL49, 0, 0 +HCzA0dVwDPj, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER GIF89a^D\0^D\0\xb3 @@ -47,7 +47,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_DONE -Ac8PLL9KL49, 94, 0 +HCzA0dVwDPj, 94, 0 { UWkUyAuUGXf } @@ -60,7 +60,7 @@ SHA1: 81f5f056ce5e97d940854bb0c48017b45dd9f15e MD5: d903de7e30db1691d3130ba5eae6b9a7 SHA256: 6fb22aa9d780ea63bd7a2e12b92b16fcbf1c4874f1d3e11309a5ba984433c315 FileAnalysis::TRIGGER_NEW -NV2MvAX0Is4, 0, 0 +a1Zu1fteVEf, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER \x89PNG^M^J^Z^J\0\0\0 @@ -68,7 +68,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_DONE -NV2MvAX0Is4, 2349, 0 +a1Zu1fteVEf, 2349, 0 { UWkUyAuUGXf } 
@@ -81,7 +81,7 @@ SHA1: 560eab5a0177246827a94042dd103916d8765ac7 MD5: e0029eea80812e9a8e57b8d05d52938a SHA256: e0b4500c1fd1d675da4137461cbe64d3c8489f4180d194e47683b20e7fb876f4 FileAnalysis::TRIGGER_NEW -YLndcRpw5Ge, 0, 0 +xXlF7wFdsR, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER \x89PNG^M^J^Z^J\0\0\0 @@ -89,7 +89,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_DONE -YLndcRpw5Ge, 27579, 0 +xXlF7wFdsR, 27579, 0 { UWkUyAuUGXf } diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/YLndcRpw5Ge-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/xXlF7wFdsR-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/YLndcRpw5Ge-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/xXlF7wFdsR-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/LkolCF6OeHh-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/PZS1XGHkIf1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/LkolCF6OeHh-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/PZS1XGHkIf1-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out index 5dc60d1930..bc15e528a8 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out @@ -1,5 +1,5 @@ FileAnalysis::TRIGGER_NEW -WDJLxTGN0m8, 0, 0 +v5HLI7MxPQh, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER hello world @@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_DONE -WDJLxTGN0m8, 11, 0 +v5HLI7MxPQh, 11, 0 { UWkUyAuUGXf } 
@@ -20,7 +20,7 @@ SHA1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed MD5: 5eb63bbbe01eeed093cb22bb8f5acdc3 SHA256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9 FileAnalysis::TRIGGER_NEW -LkolCF6OeHh, 0, 0 +PZS1XGHkIf1, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER {^J "origin @@ -28,7 +28,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_DONE -LkolCF6OeHh, 366, 0 +PZS1XGHkIf1, 366, 0 { UWkUyAuUGXf } diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/WDJLxTGN0m8-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/v5HLI7MxPQh-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/WDJLxTGN0m8-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/v5HLI7MxPQh-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out index 0934a9c980..fd515304b1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out @@ -1,5 +1,5 @@ FileAnalysis::TRIGGER_NEW -6w2n1vAlfzk, 0, 0 +wqKMAamJVSb, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER PK^C^D^T\0\0\0^H\0\xae @@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_EOF -6w2n1vAlfzk, 42208, 0 +wqKMAamJVSb, 42208, 0 { arKYeMETxOg } diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out index 2234bba1d7..91093aa577 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out 
@@ -1,5 +1,5 @@ FileAnalysis::TRIGGER_NEW -wBZuaIADU0b, 0, 0 +9VCisPgrqVj, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER Hello^M^J^M^J ^M @@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_EOF -wBZuaIADU0b, 79, 0 +9VCisPgrqVj, 79, 0 { arKYeMETxOg } @@ -19,7 +19,7 @@ SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13 MD5: 92bca2e6cdcde73647125da7dccbdd07 SHA256: 785a8a044d1454ec88837108f443bbb30cc4f529393ffd57118261036bfe59f5 FileAnalysis::TRIGGER_NEW -i3lOtWMsCWb, 0, 0 +ZAOEQmRyxv1, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER get-gzip.out # @TEST-EXEC: btest-diff get.out # @TEST-EXEC: btest-diff get-gzip.out -# @TEST-EXEC: btest-diff KPVibShQgUc-file -# @TEST-EXEC: btest-diff LMA6EHLacYc-file +# @TEST-EXEC: btest-diff Cx92a0ym5R8-file +# @TEST-EXEC: btest-diff kg59rqyYxN-file global actions: set[FileAnalysis::ActionArgs]; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro index aed7bd1778..7df9db5c0d 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro 
@@ -1,16 +1,16 @@ # @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap %INPUT >a.out # @TEST-EXEC: btest-diff a.out -# @TEST-EXEC: wc -c uj9AtyGOiZ8-file0 >a.size +# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 >a.size # @TEST-EXEC: btest-diff a.size # @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap %INPUT >b.out # @TEST-EXEC: btest-diff b.out -# @TEST-EXEC: wc -c ns7As4DOZcj-file0 >b.size +# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 >b.size # @TEST-EXEC: btest-diff b.size # @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap %INPUT >c.out # @TEST-EXEC: btest-diff c.out -# @TEST-EXEC: wc -c MHMkq2nFxej-file0 >c.size +# @TEST-EXEC: wc -c uHS14uhRKGe-file0 >c.size # @TEST-EXEC: btest-diff c.size global actions: set[FileAnalysis::ActionArgs]; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro index 6ca05188b8..f1932426bd 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro @@ -1,10 +1,10 @@ # @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT >out # @TEST-EXEC: btest-diff out -# @TEST-EXEC: btest-diff Z3kT1FyLnfk-file -# @TEST-EXEC: btest-diff WLJWC1FMBq9-file -# @TEST-EXEC: btest-diff Ac8PLL9KL49-file -# @TEST-EXEC: btest-diff NV2MvAX0Is4-file -# @TEST-EXEC: btest-diff YLndcRpw5Ge-file +# @TEST-EXEC: btest-diff aFQKI8SPOL2-file +# @TEST-EXEC: btest-diff CCU3vUEr06l-file +# @TEST-EXEC: btest-diff HCzA0dVwDPj-file +# @TEST-EXEC: btest-diff a1Zu1fteVEf-file +# @TEST-EXEC: btest-diff xXlF7wFdsR-file global actions: set[FileAnalysis::ActionArgs]; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro index 4807edcd3f..35a31a06b2 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro 
+++ b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/http/post.trace %INPUT >out # @TEST-EXEC: btest-diff out -# @TEST-EXEC: btest-diff WDJLxTGN0m8-file -# @TEST-EXEC: btest-diff LkolCF6OeHh-file +# @TEST-EXEC: btest-diff v5HLI7MxPQh-file +# @TEST-EXEC: btest-diff PZS1XGHkIf1-file global actions: set[FileAnalysis::ActionArgs];