Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/master' into topic/johanna/tls13-details

Browse source
This commit is contained in:
Johanna Amann 2019-06-07 16:52:38 +10:00
commit 6707328c55
182 changed files with 2281 additions and 1613 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.gitignore vendored
View file

@ -1,3 +1,7 @@
build
tmp
*.gcov
# Configuration and build directories for CLion
.idea
cmake-build-debug

76
CHANGES
View file

@ -1,4 +1,80 @@
2.6-389 | 2019-06-06 20:02:19 -0700
* Update plugin unit tests to use --zeek-dist (Jon Siwek, Corelight)
2.6-388 | 2019-06-06 19:48:55 -0700
* Change default value of peer_description "zeek" (Jon Siwek, Corelight)
2.6-387 | 2019-06-06 18:51:09 -0700
* Rename Bro to Zeek in Zeekygen-generated documentation (Jon Siwek, Corelight)
2.6-386 | 2019-06-06 17:17:55 -0700
* Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight)
2.6-384 | 2019-06-06 16:49:14 -0700
* Add new RDP event: rdp_client_security_data (Jeff Atkinson)
2.6-379 | 2019-06-06 11:56:58 -0700
* Improve sqlite logging unit tests (Jon Siwek, Corelight)
2.6-378 | 2019-06-05 16:23:04 -0700
* Rename BRO_DEPRECATED macro to ZEEK_DEPRECATED (Jon Siwek, Corelight)
2.6-377 | 2019-06-05 16:15:58 -0700
* Deprecate functions with "bro" in them. (Jon Siwek, Corelight)
* "bro_is_terminating" is now "zeek_is_terminating"
* "bro_version" is now "zeek_version"
The old functions still exist for now, but are deprecated.
2.6-376 | 2019-06-05 13:29:57 -0700
* GH-379: move catch-and-release and unified2 scripts to policy/ (Jon Siwek, Corelight)
These are no longer loaded by default due to the performance impact they
cause simply by being loaded (they have event handlers for commonly
generated events) and they aren't generally useful enough to justify it.
2.6-375 | 2019-06-04 19:28:06 -0700
* Simplify threading::Value destructor (Jon Siwek, Corelight)
* Add pattern support to input framework. (Zeke Medley, Corelight)
2.6-369 | 2019-06-04 17:53:10 -0700
* GH-155: Improve coercion of expression lists to vector types (Tim Wojtulewicz, Corelight)
* GH-159: Allow coercion of numeric record field values to other types (Tim Wojtulewicz, Corelight)
* Allow passing a location to BroObj::Warning and BroObj::Error. (Tim Wojtulewicz, Corelight)
This allows callers (such as check_and_promote) to pass an expression
location to be logged if the location doesn't exist in the value being
promoted.
* Add CLion directories to gitignore (Tim Wojtulewicz, Corelight)
* Move #define outside of max_type for clarity (Tim Wojtulewicz, Corelight)
2.6-361 | 2019-06-04 10:30:21 -0700
* GH-293: Protect copy() against reference cycles. (Robin Sommer, Corelight)
Reference cycles shouldn't occur but there's nothing really preventing
people from creating them, so may just as well be safe and deal with
them when cloning values.
2.6-359 | 2019-05-31 13:37:17 -0700
* Remove old documentation reference to rotate_interval (Jon Siwek, Corelight)

43
NEWS
View file

@ -79,9 +79,16 @@ New Functionality
- The ``/<re>/i`` convenience syntax for case-insensitive patterns is now
also allowed when specifying patterns used in signature files.
- Add a new "client_channels" field to rdp.log based on data parsed from
the Client Network Data (TS_UD_CS_NET) packet. The channel list is also
available in a new event, "rdp_client_network_data".
- New RDP functionality.
- New events:
- rdp_client_network_data
- rdp_client_security_data
- rdp_native_encrypted_data
- Add a new "client_channels" field to rdp.log based on data parsed from
the Client Network Data (TS_UD_CS_NET) packet. The channel list is also
available in the new ``rdp_client_network_data`` event.
Changed Functionality
---------------------
@ -216,6 +223,33 @@ Changed Functionality
in scripts has also been updated to replace Sphinx cross-referencing roles
and directives like ":bro:see:" with ":zeek:zee:".
- The catch-and-release and unified2 scripts are no longer loaded by
default. Because there was a performance impact simply from loading
them and it's unlikely a majority of user make use of their features,
they've been moved from the scripts/base/ directory into
scripts/policy/ and must be manually loaded to use their
functionality. The "drop" action for the notice framework is likewise
moved since it was implemented via catch-and-release. As a result,
the default notice.log no longer contains a "dropped" field.
If you previously used the catch-and-release functionality add this:
@load policy/frameworks/netcontrol/catch-and-release
If you previously used Notice::ACTION_DROP add:
@load policy/frameworks/notice/actions/drop
If you previously used the Unified2 file analysis support add:
@load policy/files/unified2
- The default value of ``peer_description`` has changed from "bro"
to "zeek". This won't effect most users, except for the fact that
this value may appear in several log files, so any external plugins
that have written unit tests that compare baselines of such log
files may need to be updated.
Removed Functionality
---------------------
@ -340,6 +374,9 @@ Deprecated Functionality
such that existing code will not break, but will emit a deprecation
warning.
- The ``bro_is_terminating`` and ``bro_version`` function are deprecated and
replaced by functions named ``zeek_is_terminating`` and ``zeek_version``.
- The ``rotate_file``, ``rotate_file_by_name`` and ``calc_next_rotate`` functions
were marked as deprecated. These functions were used with the old pre-2.0 logging
framework and are no longer used. They also were marked as deprecated in their

2
VERSION
View file

@ -1 +1 @@
2.6-359
2.6-389

2
aux/zeek-aux

@ -1 +1 @@
Subproject commit e5b766fa0cc4e07a8a8275cab271170558f6bd2b
Subproject commit bac443d6cebca567d3d0da52a25ff4e0bcdd1edd

2
doc

@ -1 +1 @@
Subproject commit 7f64a90d86fc53506f93fb4c327fdb8c4e3aab0a
Subproject commit 7b81005333a5416e1da6a4c83df678e75dccd6be

1
scripts/base/frameworks/netcontrol/__load__.zeek
View file

@ -3,7 +3,6 @@
@load ./plugins
@load ./drop
@load ./shunt
@load ./catch-and-release
# The cluster framework must be loaded first.
@load base/frameworks/cluster

4
scripts/base/frameworks/netcontrol/drop.zeek
View file

@ -1,9 +1,9 @@
##! Implementation of the drop functionality for NetControl.
module NetControl;
@load ./main
module NetControl;
export {
redef enum Log::ID += { DROP };

6
scripts/base/frameworks/netcontrol/main.zeek
View file

@ -10,11 +10,11 @@
##! provides convenience functions for a set of common operations. The
##! low-level API provides full flexibility.
module NetControl;
@load ./plugin
@load ./types
module NetControl;
export {
## The framework's logging stream identifier.
redef enum Log::ID += { LOG };
@ -889,7 +889,7 @@ function remove_rule_impl(id: string, reason: string) : bool
function rule_expire_impl(r: Rule, p: PluginState) &priority=-5
{
# do not emit timeout events on shutdown
if ( bro_is_terminating() )
if ( zeek_is_terminating() )
return;
if ( r$id !in rules )

3
scripts/base/frameworks/netcontrol/non-cluster.zeek
View file

@ -1,7 +1,8 @@
module NetControl;
@load ./main
module NetControl;
function activate(p: PluginState, priority: int)
{
activate_impl(p, priority);

4
scripts/base/frameworks/netcontrol/plugin.zeek
View file

@ -1,9 +1,9 @@
##! This file defines the plugin interface for NetControl.
module NetControl;
@load ./types
module NetControl;
export {
## This record keeps the per instance state of a plugin.
##

4
scripts/base/frameworks/netcontrol/plugins/acld.zeek
View file

@ -1,11 +1,11 @@
##! Acld plugin for the netcontrol framework.
module NetControl;
@load ../main
@load ../plugin
@load base/frameworks/broker
module NetControl;
export {
type AclRule : record {
command: string;

4
scripts/base/frameworks/netcontrol/plugins/broker.zeek
View file

@ -2,12 +2,12 @@
##! used in NetControl on to Broker to allow for easy handling, e.g., of
##! command-line scripts.
module NetControl;
@load ../main
@load ../plugin
@load base/frameworks/broker
module NetControl;
export {
## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
type BrokerConfig: record {

4
scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
View file

@ -3,10 +3,10 @@
##! and can only add/remove filters for addresses, this is quite
##! limited in scope at the moment.
module NetControl;
@load ../plugin
module NetControl;
export {
## Instantiates the packetfilter plugin.
global create_packetfilter: function() : PluginState;

1
scripts/base/frameworks/notice/__load__.zeek
View file

@ -3,7 +3,6 @@
# There should be no overhead imposed by loading notice actions so we
# load them all.
@load ./actions/drop
@load ./actions/email_admin
@load ./actions/page
@load ./actions/add-geodata

2
scripts/base/frameworks/notice/main.zeek
View file

@ -405,7 +405,7 @@ function email_headers(subject_desc: string, dest: string): string
"From: ", mail_from, "\n",
"Subject: ", mail_subject_prefix, " ", subject_desc, "\n",
"To: ", dest, "\n",
"User-Agent: Bro-IDS/", bro_version(), "\n");
"User-Agent: Bro-IDS/", zeek_version(), "\n");
if ( reply_to != "" )
header_text = string_cat(header_text, "Reply-To: ", reply_to, "\n");
return header_text;

2
scripts/base/frameworks/openflow/consts.zeek
View file

@ -11,7 +11,7 @@ const COOKIE_BID_SIZE = 16777216;
# start at bit 40 (1 << 40)
const COOKIE_BID_START = 1099511627776;
# Zeek specific cookie ID shall have the 42 bit set (1 << 42)
const BRO_COOKIE_ID = 4;
const ZEEK_COOKIE_ID = 4;
# 8 bits group identifier
const COOKIE_GID_SIZE = 256;
# start at bit 32 (1 << 32)

6
scripts/base/frameworks/openflow/main.zeek
View file

@ -198,7 +198,7 @@ function match_conn(id: conn_id, reverse: bool &default=F): ofp_match
# 42 bit of the cookie set.
function generate_cookie(cookie: count &default=0): count
{
local c = BRO_COOKIE_ID * COOKIE_BID_START;
local c = ZEEK_COOKIE_ID * COOKIE_BID_START;
if ( cookie >= COOKIE_UID_SIZE )
Reporter::warning(fmt("The given cookie uid '%d' is > 32bit and will be discarded", cookie));
@ -211,7 +211,7 @@ function generate_cookie(cookie: count &default=0): count
# local function to check if a given flow_mod cookie is forged from this framework.
function is_valid_cookie(cookie: count): bool
{
if ( cookie / COOKIE_BID_START == BRO_COOKIE_ID )
if ( cookie / COOKIE_BID_START == ZEEK_COOKIE_ID )
return T;
Reporter::warning(fmt("The given Openflow cookie '%d' is not valid", cookie));
@ -231,7 +231,7 @@ function get_cookie_gid(cookie: count): count
{
if( is_valid_cookie(cookie) )
return (
(cookie - (COOKIE_BID_START * BRO_COOKIE_ID) -
(cookie - (COOKIE_BID_START * ZEEK_COOKIE_ID) -
(cookie - ((cookie / COOKIE_GID_START) * COOKIE_GID_START))) /
COOKIE_GID_START
);

2
scripts/base/frameworks/openflow/types.zeek
View file

@ -89,7 +89,7 @@ export {
## Opaque controller-issued identifier.
# This is optional in the specification - but let's force
# it so we always can identify our flows...
cookie: count; # &default=BRO_COOKIE_ID * COOKIE_BID_START;
cookie: count; # &default=ZEEK_COOKIE_ID * COOKIE_BID_START;
# Flow actions
## Table to put the flow in. OFPTT_ALL can be used for delete,
## to delete flows from all matching tables.

2
scripts/base/frameworks/sumstats/non-cluster.zeek
View file

@ -35,7 +35,7 @@ event SumStats::finish_epoch(ss: SumStat)
{
local data = result_store[ss$name];
local now = network_time();
if ( bro_is_terminating() )
if ( zeek_is_terminating() )
{
for ( key, val in data )
ss$epoch_result(now, key, val);

18
scripts/base/init-bare.zeek
View file

@ -4282,6 +4282,22 @@ export {
dig_product_id: string &optional;
};
## The TS_UD_CS_SEC data block contains security-related information used
## to advertise client cryptographic support.
type RDP::ClientSecurityData: record {
## Cryptographic encryption methods supported by the client and used in
## conjunction with Standard RDP Security. Known flags:
##
## - 0x00000001: support for 40-bit session encryption keys
## - 0x00000002: support for 128-bit session encryption keys
## - 0x00000008: support for 56-bit session encryption keys
## - 0x00000010: support for FIPS compliant encryption and MAC methods
encryption_methods: count;
## Only used in French locale and designates the encryption method. If
## non-zero, then encryption_methods should be set to 0.
ext_encryption_methods: count;
};
## Name and flags for a single channel requested by the client.
type RDP::ClientChannelDef: record {
## A unique name for the channel
@ -4749,7 +4765,7 @@ const packet_filter_default = F &redef;
const sig_max_group_size = 50 &redef;
## Description transmitted to remote communication peers for identification.
const peer_description = "bro" &redef;
const peer_description = "zeek" &redef;
## The number of IO chunks allowed to be buffered between the child
## and parent process of remote communication before Zeek starts dropping

1
scripts/base/init-default.zeek
View file

@ -74,7 +74,6 @@
@load base/files/pe
@load base/files/hash
@load base/files/extract
@load base/files/unified2
@load base/files/x509
@load base/misc/find-checksum-offloading

4
scripts/base/misc/version.zeek
View file

@ -78,10 +78,10 @@ export {
## The format of the number is ABBCC with A being the major version,
## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
## As an example, Zeek 2.4.1 results in the number 20401
const number = Version::parse(bro_version())$version_number;
const number = Version::parse(zeek_version())$version_number;
## `VersionDescription` record pertaining to the currently running version of Zeek.
const info = Version::parse(bro_version());
const info = Version::parse(zeek_version());
}
function at_least(version_string: string): bool

2
scripts/base/protocols/dhcp/main.zeek
View file

@ -141,7 +141,7 @@ function join_data_expiration(t: table[count] of Info, idx: count): interval
# Also, if Zeek is shutting down.
if ( (now - info$last_message_ts) > 5sec ||
(now - info$ts) > max_txid_watch_time ||
bro_is_terminating() )
zeek_is_terminating() )
{
Log::write(LOG, info);

0
scripts/base/files/unified2/README → scripts/policy/files/unified2/README
View file

0
scripts/base/files/unified2/__load__.zeek → scripts/policy/files/unified2/__load__.zeek
View file

0
scripts/base/files/unified2/main.zeek → scripts/policy/files/unified2/main.zeek
View file

7
scripts/base/frameworks/netcontrol/catch-and-release.zeek → scripts/policy/frameworks/netcontrol/catch-and-release.zeek
View file

@ -1,10 +1,9 @@
##! Implementation of catch-and-release functionality for NetControl.
module NetControl;
@load base/frameworks/netcontrol
@load base/frameworks/cluster
@load ./main
@load ./drop
module NetControl;
export {

3
scripts/base/frameworks/notice/actions/drop.zeek → scripts/policy/frameworks/notice/actions/drop.zeek
View file

@ -1,8 +1,9 @@
##! This script extends the built in notice code to implement the IP address
##! dropping functionality.
@load ../main
@load base/frameworks/notice/main
@load base/frameworks/netcontrol
@load policy/frameworks/netcontrol/catch-and-release
module Notice;

2
scripts/policy/misc/stats.zeek
View file

@ -99,7 +99,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
local fs = get_file_analysis_stats();
local ds = get_dns_stats();
if ( bro_is_terminating() )
if ( zeek_is_terminating() )
# No more stats will be written or scheduled when Zeek is
# shutting down.
return;

2
scripts/policy/misc/trim-trace-file.zeek
View file

@ -17,7 +17,7 @@ export {
event TrimTraceFile::go(first_trim: bool)
{
if ( bro_is_terminating() || trace_output_file == "" )
if ( zeek_is_terminating() || trace_output_file == "" )
return;
if ( ! first_trim )

4
scripts/test-all-policy.zeek
View file

@ -31,12 +31,16 @@
@load frameworks/intel/seen/ssl.zeek
@load frameworks/intel/seen/where-locations.zeek
@load frameworks/intel/seen/x509.zeek
@load frameworks/netcontrol/catch-and-release.zeek
@load frameworks/files/detect-MHR.zeek
@load frameworks/files/entropy-test-all-files.zeek
#@load frameworks/files/extract-all-files.zeek
@load frameworks/files/hash-all-files.zeek
@load frameworks/notice/__load__.zeek
@load frameworks/notice/actions/drop.zeek
@load frameworks/notice/extend-email/hostnames.zeek
@load files/unified2/__load__.zeek
@load files/unified2/main.zeek
@load files/x509/log-ocsp.zeek
@load frameworks/packet-filter/shunt.zeek
@load frameworks/software/version-changes.zeek

64
src/Expr.cc
View file

@ -2591,7 +2591,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
if ( op2->Tag() == EXPR_LIST )
{
op2 = new VectorConstructorExpr(op2->AsListExpr());
op2 = new VectorConstructorExpr(op2->AsListExpr(), op1->Type());
return true;
}
}
@ -4136,15 +4136,41 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
if ( ! same_type(sup_t_i, sub_t_i) )
{
if ( sup_t_i->Tag() != TYPE_RECORD ||
sub_t_i->Tag() != TYPE_RECORD ||
! record_promotion_compatible(sup_t_i->AsRecordType(),
sub_t_i->AsRecordType()) )
auto is_arithmetic_promotable = [](BroType* sup, BroType* sub) -> bool
{
char buf[512];
safe_snprintf(buf, sizeof(buf),
auto sup_tag = sup->Tag();
auto sub_tag = sub->Tag();
if ( ! BothArithmetic(sup_tag, sub_tag) )
return false;
if ( sub_tag == TYPE_DOUBLE && IsIntegral(sup_tag) )
return false;
if ( sub_tag == TYPE_INT && sup_tag == TYPE_COUNT )
return false;
return true;
};
auto is_record_promotable = [](BroType* sup, BroType* sub) -> bool
{
if ( sup->Tag() != TYPE_RECORD )
return false;
if ( sub->Tag() != TYPE_RECORD )
return false;
return record_promotion_compatible(sup->AsRecordType(),
sub->AsRecordType());
};
if ( ! is_arithmetic_promotable(sup_t_i, sub_t_i) &&
! is_record_promotable(sup_t_i, sub_t_i) )
{
string error_msg = fmt(
"type clash for field \"%s\"", sub_r->FieldName(i));
Error(buf, sub_t_i);
Error(error_msg.c_str(), sub_t_i);
SetError();
break;
}
@ -4162,11 +4188,9 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
{
if ( ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
{
char buf[512];
safe_snprintf(buf, sizeof(buf),
"non-optional field \"%s\" missing",
t_r->FieldName(i));
Error(buf);
string error_msg = fmt(
"non-optional field \"%s\" missing", t_r->FieldName(i));
Error(error_msg.c_str());
SetError();
break;
}
@ -4254,6 +4278,20 @@ Val* RecordCoerceExpr::Fold(Val* v) const
rhs = new_val;
}
}
else if ( BothArithmetic(rhs_type->Tag(), field_type->Tag()) &&
! same_type(rhs_type, field_type) )
{
if ( Val* new_val = check_and_promote(rhs, field_type, false, op->GetLocationInfo()) )
{
// Don't call unref here on rhs because check_and_promote already called it.
rhs = new_val;
}
else
{
Unref(val);
RuntimeError("Failed type conversion");
}
}
val->Assign(i, rhs);
}

12
src/Obj.cc
View file

@ -100,21 +100,21 @@ BroObj::~BroObj()
delete location;
}
void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only) const
void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only, const Location* expr_location) const
{
ODesc d;
DoMsg(&d, msg, obj2, pinpoint_only);
DoMsg(&d, msg, obj2, pinpoint_only, expr_location);
reporter->Warning("%s", d.Description());
reporter->PopLocation();
}
void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only) const
void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only, const Location* expr_location) const
{
if ( suppress_errors )
return;
ODesc d;
DoMsg(&d, msg, obj2, pinpoint_only);
DoMsg(&d, msg, obj2, pinpoint_only, expr_location);
reporter->Error("%s", d.Description());
reporter->PopLocation();
}
@ -200,7 +200,7 @@ void BroObj::UpdateLocationEndInfo(const Location& end)
}
void BroObj::DoMsg(ODesc* d, const char s1[], const BroObj* obj2,
int pinpoint_only) const
int pinpoint_only, const Location* expr_location) const
{
d->SetShort();
@ -211,6 +211,8 @@ void BroObj::DoMsg(ODesc* d, const char s1[], const BroObj* obj2,
if ( obj2 && obj2->GetLocationInfo() != &no_location &&
*obj2->GetLocationInfo() != *GetLocationInfo() )
loc2 = obj2->GetLocationInfo();
else if ( expr_location )
loc2 = expr_location;
reporter->PushLocation(GetLocationInfo(), loc2);
}

6
src/Obj.h
View file

@ -118,9 +118,9 @@ public:
// included in the message, though if pinpoint_only is non-zero,
// then obj2 is only used to pinpoint the location.
void Warn(const char* msg, const BroObj* obj2 = 0,
int pinpoint_only = 0) const;
int pinpoint_only = 0, const Location* expr_location = 0) const;
void Error(const char* msg, const BroObj* obj2 = 0,
int pinpoint_only = 0) const;
int pinpoint_only = 0, const Location* expr_location = 0) const;
// Report internal errors.
void BadTag(const char* msg, const char* t1 = 0,
@ -178,7 +178,7 @@ private:
friend class SuppressErrors;
void DoMsg(ODesc* d, const char s1[], const BroObj* obj2 = 0,
int pinpoint_only = 0) const;
int pinpoint_only = 0, const Location* expr_location = 0) const;
void PinPoint(ODesc* d, const BroObj* obj2 = 0,
int pinpoint_only = 0) const;

15
src/OpaqueVal.cc
View file

@ -97,7 +97,7 @@ Val* MD5Val::DoClone(CloneState* state)
EVP_MD_CTX_copy_ex(out->ctx, ctx);
}
return out;
return state->NewClone(this, out);
}
void MD5Val::digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH])
@ -241,7 +241,7 @@ Val* SHA1Val::DoClone(CloneState* state)
EVP_MD_CTX_copy_ex(out->ctx, ctx);
}
return out;
return state->NewClone(this, out);
}
void SHA1Val::digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH])
@ -376,7 +376,7 @@ Val* SHA256Val::DoClone(CloneState* state)
EVP_MD_CTX_copy_ex(out->ctx, ctx);
}
return out;
return state->NewClone(this, out);
}
void SHA256Val::digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH])
@ -517,7 +517,7 @@ Val* EntropyVal::DoClone(CloneState* state)
uinfo.cache = false;
Val* clone = Unserialize(&uinfo, type);
free(data);
return clone;
return state->NewClone(this, clone);
}
bool EntropyVal::Feed(const void* data, size_t size)
@ -639,10 +639,10 @@ Val* BloomFilterVal::DoClone(CloneState* state)
{
auto bf = new BloomFilterVal(bloom_filter->Clone());
bf->Typify(type);
return bf;
return state->NewClone(this, bf);
}
return new BloomFilterVal();
return state->NewClone(this, new BloomFilterVal());
}
bool BloomFilterVal::Typify(BroType* arg_type)
@ -801,7 +801,8 @@ CardinalityVal::~CardinalityVal()
Val* CardinalityVal::DoClone(CloneState* state)
{
return new CardinalityVal(new probabilistic::CardinalityCounter(*c));
return state->NewClone(this,
new CardinalityVal(new probabilistic::CardinalityCounter(*c)));
}
IMPLEMENT_SERIAL(CardinalityVal, SER_CARDINALITY_VAL);

8
src/Type.cc
View file

@ -2123,6 +2123,10 @@ int is_assignable(BroType* t)
return 0;
}
#define CHECK_TYPE(t) \
if ( t1 == t || t2 == t ) \
return t;
TypeTag max_type(TypeTag t1, TypeTag t2)
{
if ( t1 == TYPE_INTERVAL || t1 == TYPE_TIME )
@ -2132,10 +2136,6 @@ TypeTag max_type(TypeTag t1, TypeTag t2)
if ( BothArithmetic(t1, t2) )
{
#define CHECK_TYPE(t) \
if ( t1 == t || t2 == t ) \
return t;
CHECK_TYPE(TYPE_DOUBLE);
CHECK_TYPE(TYPE_INT);
CHECK_TYPE(TYPE_COUNT);

76
src/Val.cc
View file

@ -86,8 +86,6 @@ Val* Val::Clone(CloneState* state)
auto c = DoClone(state);
assert(c);
state->clones.insert(std::make_pair(this, c));
return c;
}
@ -566,6 +564,35 @@ void Val::ValDescribeReST(ODesc* d) const
}
}
bool Val::WouldOverflow(const BroType* from_type, const BroType* to_type, const Val* val)
{
if ( !to_type || !from_type )
return true;
else if ( same_type(to_type, from_type) )
return false;
if ( to_type->InternalType() == TYPE_INTERNAL_DOUBLE )
return false;
else if ( to_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
{
if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
return (val->InternalDouble() < 0.0 || val->InternalDouble() > static_cast<double>(UINT64_MAX));
else if ( from_type->InternalType() == TYPE_INTERNAL_INT )
return (val->InternalInt() < 0);
}
else if ( to_type->InternalType() == TYPE_INTERNAL_INT )
{
if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
return (val->InternalDouble() < static_cast<double>(INT64_MIN) ||
val->InternalDouble() > static_cast<double>(INT64_MAX));
else if ( from_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
return (val->InternalUnsigned() > INT64_MAX);
}
return false;
}
MutableVal::~MutableVal()
{
for ( list<ID*>::iterator i = aliases.begin(); i != aliases.end(); ++i )
@ -1155,8 +1182,12 @@ unsigned int StringVal::MemoryAllocation() const
Val* StringVal::DoClone(CloneState* state)
{
return new StringVal(new BroString((u_char*) val.string_val->Bytes(),
val.string_val->Len(), 1));
// We could likely treat this type as immutable and return a reference
// instead of creating a new copy, but we first need to be careful and
// audit whether anything internal actually does mutate it.
return state->NewClone(this, new StringVal(
new BroString((u_char*) val.string_val->Bytes(),
val.string_val->Len(), 1)));
}
IMPLEMENT_SERIAL(StringVal, SER_STRING_VAL);
@ -1223,10 +1254,13 @@ unsigned int PatternVal::MemoryAllocation() const
Val* PatternVal::DoClone(CloneState* state)
{
// We could likely treat this type as immutable and return a reference
// instead of creating a new copy, but we first need to be careful and
// audit whether anything internal actually does mutate it.
auto re = new RE_Matcher(val.re_val->PatternText(),
val.re_val->AnywherePatternText());
re->Compile();
return new PatternVal(re);
return state->NewClone(this, new PatternVal(re));
}
IMPLEMENT_SERIAL(PatternVal, SER_PATTERN_VAL);
@ -1331,6 +1365,7 @@ Val* ListVal::DoClone(CloneState* state)
{
auto lv = new ListVal(tag);
lv->vals.resize(vals.length());
state->NewClone(this, lv);
loop_over_list(vals, i)
lv->Append(vals[i]->Clone(state));
@ -2541,6 +2576,7 @@ void TableVal::ReadOperation(Val* index, TableEntryVal* v)
Val* TableVal::DoClone(CloneState* state)
{
auto tv = new TableVal(table_type);
state->NewClone(this, tv);
const PDict(TableEntryVal)* tbl = AsTable();
IterCookie* cookie = tbl->InitForIteration();
@ -3158,6 +3194,7 @@ Val* RecordVal::DoClone(CloneState* state)
// we don't touch it.
auto rv = new RecordVal(Type()->AsRecordType(), false);
rv->origin = nullptr;
state->NewClone(this, rv);
loop_over_list(*val.val_list_val, i)
{
@ -3454,6 +3491,7 @@ Val* VectorVal::DoClone(CloneState* state)
{
auto vv = new VectorVal(vector_type);
vv->val.vector_val->reserve(val.vector_val->size());
state->NewClone(this, vv);
for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
{
@ -3556,7 +3594,7 @@ bool OpaqueVal::DoUnserialize(UnserialInfo* info)
return true;
}
Val* check_and_promote(Val* v, const BroType* t, int is_init)
Val* check_and_promote(Val* v, const BroType* t, int is_init, const Location* expr_location)
{
if ( ! v )
return 0;
@ -3580,7 +3618,7 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
if ( same_type(t, vt, is_init) )
return v;
t->Error("type clash", v);
t->Error("type clash", v, 0, expr_location);
Unref(v);
return 0;
}
@ -3589,9 +3627,9 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
(! IsArithmetic(v_tag) || t_tag != TYPE_TIME || ! v->IsZero()) )
{
if ( t_tag == TYPE_LIST || v_tag == TYPE_LIST )
t->Error("list mixed with scalar", v);
t->Error("list mixed with scalar", v, 0, expr_location);
else
t->Error("arithmetic mixed with non-arithmetic", v);
t->Error("arithmetic mixed with non-arithmetic", v, 0, expr_location);
Unref(v);
return 0;
}
@ -3599,12 +3637,12 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
if ( v_tag == t_tag )
return v;
if ( t_tag != TYPE_TIME )
if ( t_tag != TYPE_TIME && ! BothArithmetic(t_tag, v_tag) )
{
TypeTag mt = max_type(t_tag, v_tag);
if ( mt != t_tag )
{
t->Error("over-promotion of arithmetic value", v);
t->Error("over-promotion of arithmetic value", v, 0, expr_location);
Unref(v);
return 0;
}
@ -3621,7 +3659,13 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
Val* promoted_v;
switch ( it ) {
case TYPE_INTERNAL_INT:
if ( t_tag == TYPE_INT )
if ( ( vit == TYPE_INTERNAL_UNSIGNED || vit == TYPE_INTERNAL_DOUBLE ) && Val::WouldOverflow(vt, t, v) )
{
t->Error("overflow promoting from unsigned/double to signed arithmetic value", v, 0, expr_location);
Unref(v);
return 0;
}
else if ( t_tag == TYPE_INT )
promoted_v = val_mgr->GetInt(v->CoerceToInt());
else if ( t_tag == TYPE_BOOL )
promoted_v = val_mgr->GetBool(v->CoerceToInt());
@ -3635,7 +3679,13 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
break;
case TYPE_INTERNAL_UNSIGNED:
if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
if ( ( vit == TYPE_INTERNAL_DOUBLE || vit == TYPE_INTERNAL_INT) && Val::WouldOverflow(vt, t, v) )
{
t->Error("overflow promoting from signed/double to unsigned arithmetic value", v, 0, expr_location);
Unref(v);
return 0;
}
else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
promoted_v = val_mgr->GetCount(v->CoerceToUnsigned());
else // port
{

37
src/Val.h
View file

@ -87,7 +87,7 @@ typedef union {
class Val : public BroObj {
public:
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(bool b, TypeTag t)
{
val.int_val = b;
@ -97,7 +97,7 @@ public:
#endif
}
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(int32 i, TypeTag t)
{
val.int_val = bro_int_t(i);
@ -107,7 +107,7 @@ public:
#endif
}
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(uint32 u, TypeTag t)
{
val.uint_val = bro_uint_t(u);
@ -117,7 +117,7 @@ public:
#endif
}
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(int64 i, TypeTag t)
{
val.int_val = i;
@ -127,7 +127,7 @@ public:
#endif
}
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(uint64 u, TypeTag t)
{
val.uint_val = u;
@ -367,6 +367,8 @@ public:
}
#endif
static bool WouldOverflow(const BroType* from_type, const BroType* to_type, const Val* val);
protected:
friend class EnumType;
@ -424,7 +426,16 @@ protected:
// For internal use by the Val::Clone() methods.
struct CloneState {
std::unordered_map<const Val*, Val*> clones;
// Caches a cloned value for later reuse during the same
// cloning operation. For recursive types, call this *before*
// descending down.
Val* NewClone(Val *src, Val* dst)
{
clones.insert(std::make_pair(src, dst));
return dst;
}
std::unordered_map<Val*, Val*> clones;
};
Val* Clone(CloneState* state);
@ -443,15 +454,15 @@ protected:
class PortManager {
public:
// Port number given in host order.
BRO_DEPRECATED("use val_mgr->GetPort() instead")
ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
PortVal* Get(uint32 port_num, TransportProto port_type) const;
// Host-order port number already masked with port space protocol mask.
BRO_DEPRECATED("use val_mgr->GetPort() instead")
ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
PortVal* Get(uint32 port_num) const;
// Returns a masked port number
BRO_DEPRECATED("use PortVal::Mask() instead")
ZEEK_DEPRECATED("use PortVal::Mask() instead")
uint32 Mask(uint32 port_num, TransportProto port_type) const;
};
@ -608,11 +619,11 @@ protected:
class PortVal : public Val {
public:
// Port number given in host order.
BRO_DEPRECATED("use val_mgr->GetPort() instead")
ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
PortVal(uint32 p, TransportProto port_type);
// Host-order port number already masked with port space protocol mask.
BRO_DEPRECATED("use val_mgr->GetPort() instead")
ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
explicit PortVal(uint32 p);
Val* SizeVal() const override { return val_mgr->GetInt(val.uint_val); }
@ -1109,7 +1120,7 @@ protected:
class EnumVal : public Val {
public:
BRO_DEPRECATED("use t->GetVal(i) instead")
ZEEK_DEPRECATED("use t->GetVal(i) instead")
EnumVal(int i, EnumType* t) : Val(t)
{
val.int_val = i;
@ -1219,7 +1230,7 @@ protected:
// Unref()'ing the original. If not a match, generates an error message
// and returns nil, also Unref()'ing v. If is_init is true, then
// the checking is done in the context of an initialization.
extern Val* check_and_promote(Val* v, const BroType* t, int is_init);
extern Val* check_and_promote(Val* v, const BroType* t, int is_init, const Location* expr_location = nullptr);
// Given a pointer to where a Val's core (i.e., its BRO value) resides,
// returns a corresponding newly-created or Ref()'d Val. ptr must already

6
src/analyzer/protocol/arp/events.bif
View file

@ -40,7 +40,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
## Generated for ARP packets that Bro cannot interpret. Examples are packets
## Generated for ARP packets that Zeek cannot interpret. Examples are packets
## with non-standard hardware address formats or hardware addresses that do not
## match the originator of the packet.
##
@ -56,8 +56,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
##
## .. zeek:see:: arp_reply arp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);

42
src/analyzer/protocol/dns/events.bif
View file

@ -1,7 +1,7 @@
## Generated for all DNS messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -26,7 +26,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
## is raised once for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -55,7 +55,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
## the reply; there's no stateful correlation with the query.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -81,7 +81,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
## Generated for each entry in the Question section of a DNS reply.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -109,7 +109,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -134,7 +134,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -159,7 +159,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -184,7 +184,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -209,7 +209,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -234,7 +234,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -259,7 +259,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -284,7 +284,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -307,7 +307,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -330,7 +330,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -357,7 +357,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -401,7 +401,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -433,7 +433,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count%);
## Generated on DNS reply resource records when the type of record is not one
## that Bro knows how to parse and generate another more specific event.
## that Zeek knows how to parse and generate another more specific event.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
@ -451,7 +451,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -474,7 +474,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -565,7 +565,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
## all resource records have been passed on.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -590,6 +590,6 @@ event dns_full_request%(%);
## msg: The raw DNS payload.
##
## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
## .. note:: This event is deprecated and superseded by Zeek's dynamic protocol
## detection framework.
event non_dns_request%(c: connection, msg: string%);

8
src/analyzer/protocol/finger/events.bif
View file

@ -13,9 +13,9 @@
##
## .. zeek:see:: finger_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event finger_request%(c: connection, full: bool, username: string, hostname: string%);
@ -30,9 +30,9 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str
##
## .. zeek:see:: finger_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event finger_reply%(c: connection, reply_line: string%);

24
src/analyzer/protocol/gnutella/events.bif
View file

@ -7,9 +7,9 @@
## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
##
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
@ -21,9 +21,9 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
ttl: count, hops: count, msg_len: count,
@ -38,9 +38,9 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_not_establish gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_partial_binary_msg%(c: connection, orig: bool,
msg: string, len: count%);
@ -53,9 +53,9 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
## .. zeek:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_establish%(c: connection%);
@ -67,9 +67,9 @@ event gnutella_establish%(c: connection%);
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_not_establish%(c: connection%);
@ -81,8 +81,8 @@ event gnutella_not_establish%(c: connection%);
## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_http_notify%(c: connection%);

14
src/analyzer/protocol/http/events.bif
View file

@ -1,5 +1,5 @@
## Generated for HTTP requests. Bro supports persistent and pipelined HTTP
## Generated for HTTP requests. Zeek supports persistent and pipelined HTTP
## sessions and raises corresponding events as it parses client/server
## dialogues. This event is generated as soon as a request's initial line has
## been parsed, and before any :zeek:id:`http_header` events are raised.
@ -22,7 +22,7 @@
## truncate_http_URI http_connection_upgrade
event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
## Generated for HTTP replies. Zeek supports persistent and pipelined HTTP
## sessions and raises corresponding events as it parses client/server
## dialogues. This event is generated as soon as a reply's initial line has
## been parsed, and before any :zeek:id:`http_header` events are raised.
@ -43,7 +43,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
## http_stats http_connection_upgrade
event http_reply%(c: connection, version: string, code: count, reason: string%);
## Generated for HTTP headers. Bro supports persistent and pipelined HTTP
## Generated for HTTP headers. Zeek supports persistent and pipelined HTTP
## sessions and raises corresponding events as it parses client/server
## dialogues.
##
@ -67,7 +67,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
event http_header%(c: connection, is_orig: bool, name: string, value: string%);
## Generated for HTTP headers, passing on all headers of an HTTP message at
## once. Bro supports persistent and pipelined HTTP sessions and raises
## once. Zeek supports persistent and pipelined HTTP sessions and raises
## corresponding events as it parses client/server dialogues.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@ -92,7 +92,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
## Generated when starting to parse an HTTP body entity. This event is generated
## at least once for each non-empty (client or server) HTTP body; and
## potentially more than once if the body contains further nested MIME
## entities. Bro raises this event just before it starts parsing each entity's
## entities. Zeek raises this event just before it starts parsing each entity's
## content.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@ -111,7 +111,7 @@ event http_begin_entity%(c: connection, is_orig: bool%);
## Generated when finishing parsing an HTTP body entity. This event is generated
## at least once for each non-empty (client or server) HTTP body; and
## potentially more than once if the body contains further nested MIME
## entities. Bro raises this event at the point when it has finished parsing an
## entities. Zeek raises this event at the point when it has finished parsing an
## entity's content.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@ -181,7 +181,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
## entities.
event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%);
## Generated once at the end of parsing an HTTP message. Bro supports persistent
## Generated once at the end of parsing an HTTP message. Zeek supports persistent
## and pipelined HTTP sessions and raises corresponding events as it parses
## client/server dialogues. A "message" is one top-level HTTP entity, such as a
## complete request or reply. Each message can have further nested sub-entities

12
src/analyzer/protocol/icmp/events.bif
View file

@ -1,5 +1,5 @@
## Generated for all ICMP messages that are not handled separately with
## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
## dedicated ICMP events. Zeek's ICMP analyzer handles a number of ICMP messages
## directly with dedicated events. This event acts as a fallback for those it
## doesn't.
##
@ -70,7 +70,7 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
## Generated for all ICMPv6 error messages that are not handled
## separately with dedicated events. Bro's ICMP analyzer handles a number
## separately with dedicated events. Zeek's ICMP analyzer handles a number
## of ICMP error messages directly with dedicated events. This event acts
## as a fallback for those it doesn't.
##
@ -107,7 +107,7 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
##
## context: A record with specifics of the original packet that the message
## refers to. *Unreachable* messages should include the original IP
## header from the packet that triggered them, and Bro parses that
## header from the packet that triggered them, and Zeek parses that
## into the *context* structure. Note that if the *unreachable*
## includes only a partial IP header for some reason, no
## fields of *context* will be filled out.
@ -131,7 +131,7 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
##
## context: A record with specifics of the original packet that the message
## refers to. *Too big* messages should include the original IP header
## from the packet that triggered them, and Bro parses that into
## from the packet that triggered them, and Zeek parses that into
## the *context* structure. Note that if the *too big* includes only
## a partial IP header for some reason, no fields of *context* will
## be filled out.
@ -155,7 +155,7 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
##
## context: A record with specifics of the original packet that the message
## refers to. *Unreachable* messages should include the original IP
## header from the packet that triggered them, and Bro parses that
## header from the packet that triggered them, and Zeek parses that
## into the *context* structure. Note that if the *exceeded* includes
## only a partial IP header for some reason, no fields of *context*
## will be filled out.
@ -179,7 +179,7 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
##
## context: A record with specifics of the original packet that the message
## refers to. *Parameter problem* messages should include the original
## IP header from the packet that triggered them, and Bro parses that
## IP header from the packet that triggered them, and Zeek parses that
## into the *context* structure. Note that if the *parameter problem*
## includes only a partial IP header for some reason, no fields
## of *context* will be filled out.

12
src/analyzer/protocol/ident/events.bif
View file

@ -11,9 +11,9 @@
##
## .. zeek:see:: ident_error ident_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ident_request%(c: connection, lport: port, rport: port%);
@ -34,9 +34,9 @@ event ident_request%(c: connection, lport: port, rport: port%);
##
## .. zeek:see:: ident_error ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
@ -55,9 +55,9 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
##
## .. zeek:see:: ident_reply ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ident_error%(c: connection, lport: port, rport: port, line: string%);

72
src/analyzer/protocol/login/events.bif
View file

@ -21,9 +21,9 @@
## .. note:: For historical reasons, these events are separate from the
## ``login_`` events. Ideally, they would all be handled uniquely.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
@ -48,9 +48,9 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line
## .. note:: For historical reasons, these events are separate from the
## ``login_`` events. Ideally, they would all be handled uniquely.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
@ -79,12 +79,12 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
##
## .. note:: The login analyzer depends on a set of script-level variables that
## need to be configured with patterns identifying login attempts. This
## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
## configuration has not yet been ported, and
## the analyzer is therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeeks's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
@ -114,12 +114,12 @@ event login_failure%(c: connection, user: string, client_user: string, password:
##
## .. note:: The login analyzer depends on a set of script-level variables that
## need to be configured with patterns identifying login attempts. This
## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
## configuration has not yet been ported, and
## the analyzer is therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
@ -134,9 +134,9 @@ event login_success%(c: connection, user: string, client_user: string, password:
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_output_line login_prompt login_success login_terminal rsh_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_input_line%(c: connection, line: string%);
@ -151,14 +151,14 @@ event login_input_line%(c: connection, line: string%);
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_prompt login_success login_terminal rsh_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_output_line%(c: connection, line: string%);
## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's
## Generated when tracking of Telnet/Rlogin authentication failed. As Zeek's
## *login* analyzer uses a number of heuristics to extract authentication
## information, it may become confused. If it can no longer correctly track
## the authentication dialog, it raises this event.
@ -178,9 +178,9 @@ event login_output_line%(c: connection, line: string%);
## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
## login_timeouts set_login_state
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_confused%(c: connection, msg: string, line: string%);
@ -199,9 +199,9 @@ event login_confused%(c: connection, msg: string, line: string%);
## get_login_state login_failure_msgs login_non_failure_msgs login_prompts
## login_success_msgs login_timeouts set_login_state
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_confused_text%(c: connection, line: string%);
@ -216,9 +216,9 @@ event login_confused_text%(c: connection, line: string%);
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_prompt login_success
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_terminal%(c: connection, terminal: string%);
@ -233,9 +233,9 @@ event login_terminal%(c: connection, terminal: string%);
## .. zeek:see:: login_confused login_confused_text login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_display%(c: connection, display: string%);
@ -258,9 +258,9 @@ event login_display%(c: connection, display: string%);
## while :zeek:id:`login_success` heuristically determines success by watching
## session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event authentication_accepted%(name: string, c: connection%);
@ -283,9 +283,9 @@ event authentication_accepted%(name: string, c: connection%);
## while :zeek:id:`login_success` heuristically determines failure by watching
## session data.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event authentication_rejected%(name: string, c: connection%);
@ -304,12 +304,12 @@ event authentication_rejected%(name: string, c: connection%);
##
## .. note:: The login analyzer depends on a set of script-level variables that
## need to be configured with patterns identifying activity. This
## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
## configuration has not yet been ported, and
## the analyzer is therefore not directly usable at the moment.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event authentication_skipped%(c: connection%);
@ -328,9 +328,9 @@ event authentication_skipped%(c: connection%);
## .. zeek:see:: login_confused login_confused_text login_display login_failure
## login_input_line login_output_line login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event login_prompt%(c: connection, prompt: string%);
@ -380,9 +380,9 @@ event inconsistent_option%(c: connection%);
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event bad_option%(c: connection%);
@ -399,9 +399,9 @@ event bad_option%(c: connection%);
## login_confused_text login_display login_failure login_input_line
## login_output_line login_prompt login_success login_terminal
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event bad_option_termination%(c: connection%);

48
src/analyzer/protocol/mime/events.bif
View file

@ -1,9 +1,9 @@
## Generated when starting to parse an email MIME entity. MIME is a
## protocol-independent data format for encoding text and files, along with
## corresponding metadata, for transmission. Bro raises this event when it
## corresponding metadata, for transmission. Zeek raises this event when it
## begins parsing a MIME entity extracted from an email protocol.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -13,16 +13,16 @@
## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
## http_begin_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
## however, it raises :zeek:id:`http_begin_entity` instead.
event mime_begin_entity%(c: connection%);
## Generated when finishing parsing an email MIME entity. MIME is a
## protocol-independent data format for encoding text and files, along with
## corresponding metadata, for transmission. Bro raises this event when it
## corresponding metadata, for transmission. Zeek raises this event when it
## finished parsing a MIME entity extracted from an email protocol.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -32,7 +32,7 @@ event mime_begin_entity%(c: connection%);
## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
## http_end_entity
##
## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
## however, it raises :zeek:id:`http_end_entity` instead.
event mime_end_entity%(c: connection%);
@ -40,7 +40,7 @@ event mime_end_entity%(c: connection%);
## entities. MIME is a protocol-independent data format for encoding text and
## files, along with corresponding metadata, for transmission.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -52,7 +52,7 @@ event mime_end_entity%(c: connection%);
## mime_end_entity mime_entity_data mime_event mime_segment_data
## http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
## however, it raises :zeek:id:`http_header` instead.
event mime_one_header%(c: connection, h: mime_header_rec%);
@ -60,7 +60,7 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
## headers at once. MIME is a protocol-independent data format for encoding
## text and files, along with corresponding metadata, for transmission.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -74,21 +74,21 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
## mime_entity_data mime_event mime_one_header mime_segment_data
## http_header http_all_headers
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
## however, it raises :zeek:id:`http_header` instead.
event mime_all_headers%(c: connection, hlist: mime_header_list%);
## Generated for chunks of decoded MIME data from email MIME entities. MIME
## is a protocol-independent data format for encoding text and files, along with
## corresponding metadata, for transmission. As Bro parses the data of an
## corresponding metadata, for transmission. As Zeek parses the data of an
## entity, it raises a sequence of these events, each coming as soon as a new
## chunk of data is available. In contrast, there is also
## :zeek:id:`mime_entity_data`, which passes all of an entities data at once
## in a single block. While the latter is more convenient to handle,
## ``mime_segment_data`` is more efficient as Bro does not need to buffer
## ``mime_segment_data`` is more efficient as Zeek does not need to buffer
## the data. Thus, if possible, this event should be preferred.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -102,7 +102,7 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%);
## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
## mime_segment_length mime_segment_overlap_length
##
## .. note:: Bro also extracts MIME data from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME data from HTTP sessions. For those,
## however, it raises :zeek:id:`http_entity_data` (sic!) instead.
event mime_segment_data%(c: connection, length: count, data: string%);
@ -111,10 +111,10 @@ event mime_segment_data%(c: connection, length: count, data: string%);
## and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
## which passes on a sequence of data chunks as they come in. While
## ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
## more efficient as Bro does not need to buffer the data. Thus, if possible,
## more efficient as Zeek does not need to buffer the data. Thus, if possible,
## the latter should be preferred.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -127,7 +127,7 @@ event mime_segment_data%(c: connection, length: count, data: string%);
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
## .. note:: While Zeek also decodes MIME entities extracted from HTTP
## sessions, there's no corresponding event for that currently.
event mime_entity_data%(c: connection, length: count, data: string%);
@ -137,7 +137,7 @@ event mime_entity_data%(c: connection, length: count, data: string%);
## of the potentially significant buffering necessary, using this event can be
## expensive.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -150,13 +150,13 @@ event mime_entity_data%(c: connection, length: count, data: string%);
## .. zeek:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
## .. note:: While Zeek also decodes MIME entities extracted from HTTP
## sessions, there's no corresponding event for that currently.
event mime_all_data%(c: connection, length: count, data: string%);
## Generated for errors found when decoding email MIME entities.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -170,15 +170,15 @@ event mime_all_data%(c: connection, length: count, data: string%);
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event
##
## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
## however, it raises :zeek:id:`http_event` instead.
event mime_event%(c: connection, event_type: string, detail: string%);
## Generated for decoded MIME entities extracted from email messages, passing on
## their MD5 checksums. Bro computes the MD5 over the complete decoded data of
## their MD5 checksums. Zeek computes the MD5 over the complete decoded data of
## each MIME entity.
##
## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
## about MIME.
##
@ -191,7 +191,7 @@ event mime_event%(c: connection, event_type: string, detail: string%);
## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
## mime_entity_data mime_event mime_one_header mime_segment_data
##
## .. note:: While Bro also decodes MIME entities extracted from HTTP
## .. note:: While Zeek also decodes MIME entities extracted from HTTP
## sessions, there's no corresponding event for that currently.
event mime_content_hash%(c: connection, content_len: count, hash_value: string%);

8
src/analyzer/protocol/ncp/events.bif
View file

@ -13,9 +13,9 @@
##
## .. zeek:see:: ncp_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
@ -38,9 +38,9 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count%
##
## .. zeek:see:: ncp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);

68
src/analyzer/protocol/netbios/events.bif
View file

@ -1,10 +1,10 @@
## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
## Generated for all NetBIOS SSN and DGM messages. Zeek's NetBIOS analyzer
## processes the NetBIOS session service running on TCP port 139, and (despite
## its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -21,22 +21,22 @@
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
## Generated for NetBIOS messages of type *session request*. Zeek's NetBIOS
## analyzer processes the NetBIOS session service running on TCP port 139, and
## (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -49,22 +49,22 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_request%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *positive session response*. Bro's
## Generated for NetBIOS messages of type *positive session response*. Zeek's
## NetBIOS analyzer processes the NetBIOS session service running on TCP port
## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -77,22 +77,22 @@ event netbios_session_request%(c: connection, msg: string%);
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_accepted%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *negative session response*. Bro's
## Generated for NetBIOS messages of type *negative session response*. Zeek's
## NetBIOS analyzer processes the NetBIOS session service running on TCP port
## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -105,12 +105,12 @@ event netbios_session_accepted%(c: connection, msg: string%);
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_rejected%(c: connection, msg: string%);
@ -122,7 +122,7 @@ event netbios_session_rejected%(c: connection, msg: string%);
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -137,25 +137,25 @@ event netbios_session_rejected%(c: connection, msg: string%);
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: This is an oddly named event. In fact, it's probably an odd event
## to have to begin with.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
## Generated for NetBIOS messages of type *retarget response*. Zeek's NetBIOS
## analyzer processes the NetBIOS session service running on TCP port 139, and
## (despite its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -168,24 +168,24 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
## netbios_session_request decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: This is an oddly named event.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_ret_arg_resp%(c: connection, msg: string%);
## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
## Generated for NetBIOS messages of type *keep-alive*. Zeek's NetBIOS analyzer
## processes the NetBIOS session service running on TCP port 139, and (despite
## its name!) the NetBIOS datagram service on UDP port 138.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
## about NetBIOS. :rfc:`1002` describes
## the packet format for NetBIOS over TCP/IP, which Bro parses.
## the packet format for NetBIOS over TCP/IP, which Zeek parses.
##
## c: The connection, which may be TCP or UDP, depending on the type of the
## NetBIOS session.
@ -198,12 +198,12 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%);
## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
##
## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
## `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event netbios_session_keepalive%(c: connection, msg: string%);

8
src/analyzer/protocol/ntp/events.bif
View file

@ -1,4 +1,4 @@
## Generated for all NTP messages. Different from many other of Bro's events,
## Generated for all NTP messages. Different from many other of Zeek's events,
## this one is generated for both client-side and server-side messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
@ -8,14 +8,14 @@
##
## msg: The parsed NTP message.
##
## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
## excess: The raw bytes of any optional parts of the NTP packet. Zeek does not
## further parse any optional fields.
##
## .. zeek:see:: ntp_session_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ntp_message%(u: connection, msg: ntp_msg, excess: string%);

28
src/analyzer/protocol/pop3/events.bif
View file

@ -15,9 +15,9 @@
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_request%(c: connection, is_orig: bool,
command: string, arg: string%);
@ -42,9 +42,9 @@ event pop3_request%(c: connection, is_orig: bool,
##
## .. todo:: This event is receiving odd parameters, should unify.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
@ -65,9 +65,9 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
## .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_data%(c: connection, is_orig: bool, data: string%);
@ -88,9 +88,9 @@ event pop3_data%(c: connection, is_orig: bool, data: string%);
##
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_unexpected%(c: connection, is_orig: bool,
msg: string, detail: string%);
@ -108,9 +108,9 @@ event pop3_unexpected%(c: connection, is_orig: bool,
## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
## pop3_request pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_starttls%(c: connection%);
@ -131,9 +131,9 @@ event pop3_starttls%(c: connection%);
## .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_login_success%(c: connection, is_orig: bool,
user: string, password: string%);
@ -155,9 +155,9 @@ event pop3_login_success%(c: connection, is_orig: bool,
## .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
## pop3_unexpected
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pop3_login_failure%(c: connection, is_orig: bool,
user: string, password: string%);

7
src/analyzer/protocol/rdp/RDP.cc
View file

@ -72,6 +72,13 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
ForwardStream(len, data, orig);
}
else
{
if ( rdp_native_encrypted_data )
BifEvent::generate_rdp_native_encrypted_data(
interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
orig, len);
}
}
else // if not encrypted
{

16
src/analyzer/protocol/rdp/events.bif
View file

@ -1,3 +1,12 @@
## Generated for each packet after RDP native encryption begins
##
## c: The connection record for the underlying transport-layer session/flow.
##
## orig: True if the packet was sent by the originator of the connection.
##
## len: The length of the encrypted data.
event rdp_native_encrypted_data%(c: connection, orig: bool, len: count%);
## Generated for X.224 client requests.
##
## c: The connection record for the underlying transport-layer session/flow.
@ -26,6 +35,13 @@ event rdp_negotiation_failure%(c: connection, failure_code: count%);
## data: The data contained in the client core data structure.
event rdp_client_core_data%(c: connection, data: RDP::ClientCoreData%);
## Generated for client security data packets.
##
## c: The connection record for the underlying transport-layer session/flow.
##
## data: The data contained in the client security data structure.
event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
## Generated for Client Network Data (TS_UD_CS_NET) packets
##
## c: The connection record for the underlying transport-layer session/flow.

19
src/analyzer/protocol/rdp/rdp-analyzer.pac
View file

@ -101,6 +101,21 @@ refine flow RDP_Flow += {
return true;
%}
function proc_rdp_client_security_data(csec: Client_Security_Data): bool
%{
if ( ! rdp_client_security_data )
return false;
RecordVal* csd = new RecordVal(BifType::Record::RDP::ClientSecurityData);
csd->Assign(0, val_mgr->GetCount(${csec.encryption_methods}));
csd->Assign(1, val_mgr->GetCount(${csec.ext_encryption_methods}));
BifEvent::generate_rdp_client_security_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
csd);
return true;
%}
function proc_rdp_client_network_data(cnetwork: Client_Network_Data): bool
%{
if ( ! rdp_client_network_data )
@ -203,6 +218,10 @@ refine typeattr Client_Core_Data += &let {
proc: bool = $context.flow.proc_rdp_client_core_data(this);
};
refine typeattr Client_Security_Data += &let {
proc: bool = $context.flow.proc_rdp_client_security_data(this);
};
refine typeattr Client_Network_Data += &let {
proc: bool = $context.flow.proc_rdp_client_network_data(this);
};

7
src/analyzer/protocol/rdp/rdp-protocol.pac
View file

@ -52,7 +52,7 @@ type Data_Block = record {
header: Data_Header;
block: case header.type of {
0xc001 -> client_core: Client_Core_Data;
#0xc002 -> client_security: Client_Security_Data;
0xc002 -> client_security: Client_Security_Data;
0xc003 -> client_network: Client_Network_Data;
#0xc004 -> client_cluster: Client_Cluster_Data;
#0xc005 -> client_monitor: Client_Monitor_Data;
@ -220,6 +220,11 @@ type Client_Core_Data = record {
SUPPORT_HEARTBEAT_PDU: bool = early_capability_flags & 0x0400;
} &byteorder=littleendian;
type Client_Security_Data = record {
encryption_methods: uint32;
ext_encryption_methods: uint32;
} &byteorder=littleendian;
type Client_Network_Data = record {
channel_count: uint32;
channel_def_array: Client_Channel_Def[channel_count];

2
src/analyzer/protocol/rdp/types.bif
View file

@ -4,5 +4,7 @@ module RDP;
type EarlyCapabilityFlags: record;
type ClientCoreData: record;
type ClientSecurityData: record;
type ClientChannelList: vector;
type ClientChannelDef: record;

164
src/analyzer/protocol/rpc/events.bif
View file

@ -15,9 +15,9 @@
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_null%(c: connection, info: NFS3::info_t%);
@ -43,9 +43,9 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%);
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply file_mode
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%);
@ -71,9 +71,9 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply file_mode
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t%);
@ -99,9 +99,9 @@ event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t,
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%);
@ -127,9 +127,9 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%);
@ -155,9 +155,9 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## nfs_proc_symlink rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
@ -183,9 +183,9 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t%);
@ -211,9 +211,9 @@ event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkarg
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## nfs_proc_symlink rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t%);
@ -240,9 +240,9 @@ event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, r
## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
## NFS3::return_data_max
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
@ -268,9 +268,9 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
@ -296,9 +296,9 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
## rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
@ -324,9 +324,9 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
@ -352,9 +352,9 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
@ -380,9 +380,9 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
## nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
## nfs_reply_status rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%);
@ -408,13 +408,13 @@ event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameoparg
## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
## Generated for NFSv3 request/reply dialogues of a type that Zeek's NFSv3
## analyzer does not implement.
##
## NFS is a service running on top of RPC. See `Wikipedia
@ -425,15 +425,15 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
##
## info: Reports the status of the dialogue, along with some meta information.
##
## proc: The procedure called that Bro does not implement.
## proc: The procedure called that Zeek does not implement.
##
## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
@ -449,9 +449,9 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event nfs_reply_status%(n: connection, info: NFS3::info_t%);
@ -468,9 +468,9 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_null%(r: connection%);
@ -493,9 +493,9 @@ event pm_request_null%(r: connection%);
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
@ -518,9 +518,9 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
@ -541,9 +541,9 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
## pm_attempt_unset pm_attempt_getport pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
@ -563,9 +563,9 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_dump%(r: connection, m: pm_mappings%);
@ -587,9 +587,9 @@ event pm_request_dump%(r: connection, m: pm_mappings%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
@ -610,9 +610,9 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_null%(r: connection, status: rpc_status%);
@ -635,9 +635,9 @@ event pm_attempt_null%(r: connection, status: rpc_status%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
@ -660,9 +660,9 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
## pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
@ -684,9 +684,9 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
## pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
## pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
@ -707,9 +707,9 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request
## pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_dump%(r: connection, status: rpc_status%);
@ -732,9 +732,9 @@ event pm_attempt_dump%(r: connection, status: rpc_status%);
## pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
@ -757,9 +757,9 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ
## pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
## rpc_dialogue rpc_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event pm_bad_port%(r: connection, bad_p: count%);
@ -792,9 +792,9 @@ event pm_bad_port%(r: connection, bad_p: count%);
## .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
@ -819,9 +819,9 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status:
## .. zeek:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
@ -843,9 +843,9 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count,
## .. zeek:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to add a
## been ported. To still enable this event, one needs to add a
## call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
## signature.
event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%);
@ -862,9 +862,9 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
@ -885,9 +885,9 @@ event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t%);
@ -905,9 +905,9 @@ event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntar
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
@ -925,27 +925,27 @@ event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmnta
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
## Generated for MOUNT3 request/reply dialogues of a type that Bro's MOUNTv3
## Generated for MOUNT3 request/reply dialogues of a type that Zeek's MOUNTv3
## analyzer does not implement.
##
## c: The RPC connection.
##
## info: Reports the status of the dialogue, along with some meta information.
##
## proc: The procedure called that Bro does not implement.
## proc: The procedure called that Zeek does not implement.
##
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t%);
@ -959,8 +959,8 @@ event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOU
## .. zeek:see:: mount_proc_mnt mount_proc_umnt
## mount_proc_umnt_all mount_proc_not_implemented
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event mount_reply_status%(n: connection, info: MOUNT3::info_t%);

2
src/analyzer/protocol/smb/smb1_events.bif
View file

@ -2,7 +2,7 @@
## messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.

2
src/analyzer/protocol/smb/smb2_events.bif
View file

@ -2,7 +2,7 @@
## version 2 messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.

4
src/analyzer/protocol/smtp/events.bif
View file

@ -20,7 +20,7 @@
## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
## smtp_data smtp_reply
##
## .. note:: Bro does not support the newer ETRN extension yet.
## .. note:: Zeek does not support the newer ETRN extension yet.
event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%);
## Generated for server-side SMTP commands.
@ -51,7 +51,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%)
## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
## smtp_data smtp_request
##
## .. note:: Bro doesn't support the newer ETRN extension yet.
## .. note:: Zeek doesn't support the newer ETRN extension yet.
event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%);
## Generated for DATA transmitted on SMTP sessions. This event is raised for

16
src/analyzer/protocol/ssl/events.bif
View file

@ -1,5 +1,5 @@
## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out
## start with an unencrypted handshake, and Zeek extracts as much information out
## of that as it can. This event provides access to the initial information
## sent by the client.
##
@ -38,7 +38,7 @@
event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
## start with an unencrypted handshake, and Bro extracts as much information out
## start with an unencrypted handshake, and Zeek extracts as much information out
## of that as it can. This event provides access to the initial information
## sent by the client.
##
@ -82,11 +82,11 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS
## sessions start with an unencrypted handshake, and Bro extracts as much
## sessions start with an unencrypted handshake, and Zeek extracts as much
## information out of that as it can. This event provides access to any
## extensions either side sends as part of an extended *hello* message.
##
## Note that Bro offers more specialized events for a few extensions.
## Note that Zeek offers more specialized events for a few extensions.
##
## c: The connection.
##
@ -437,7 +437,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
## an unencrypted handshake, and Bro extracts as much information out of that
## an unencrypted handshake, and Zeek extracts as much information out of that
## as it can. This event signals the time when an SSL/TLS has finished the
## handshake and its endpoints consider it as fully established. Typically,
## everything from now on will be encrypted.
@ -452,7 +452,7 @@ event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes:
event ssl_established%(c: connection%);
## Generated for SSL/TLS alert records. SSL/TLS sessions start with an
## unencrypted handshake, and Bro extracts as much information out of that as
## unencrypted handshake, and Zeek extracts as much information out of that as
## it can. If during that handshake, an endpoint encounters a fatal error, it
## sends an *alert* record, that in turn triggers this event. After an *alert*,
## any endpoint may close the connection immediately.
@ -476,7 +476,7 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
## Generated for SSL/TLS handshake messages that are a part of the
## stateless-server session resumption mechanism. SSL/TLS sessions start with
## an unencrypted handshake, and Bro extracts as much information out of that
## an unencrypted handshake, and Zeek extracts as much information out of that
## as it can. This event is raised when an SSL/TLS server passes a session
## ticket to the client that can later be used for resuming the session. The
## mechanism is described in :rfc:`4507`.
@ -520,7 +520,7 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
## Generated for SSL/TLS messages that are sent before full session encryption
## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
## here this event will be raised for early packets that are already using
## pre-encryption. # This event is also used by Bro internally to determine if
## pre-encryption. # This event is also used by Zeek internally to determine if
## the connection has been completely setup. This is necessary as TLS 1.3 does
## not have CCS anymore.
##

2
src/analyzer/protocol/syslog/events.bif
View file

@ -12,6 +12,6 @@
##
## msg: The message logged.
##
## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP
## .. note:: Zeek currently parses only UDP syslog traffic. Support for TCP
## syslog will be added soon.
event syslog_message%(c: connection, facility: count, severity: count, msg: string%);

34
src/analyzer/protocol/tcp/events.bif
View file

@ -1,6 +1,6 @@
## Generated when reassembly starts for a TCP connection. This event is raised
## at the moment when Bro's TCP analyzer enables stream reassembly for a
## at the moment when Zeek's TCP analyzer enables stream reassembly for a
## connection.
##
## c: The connection.
@ -47,8 +47,8 @@ event connection_attempt%(c: connection%);
## new_connection new_connection_contents partial_connection
event connection_established%(c: connection%);
## Generated for a new active TCP connection if Bro did not see the initial
## handshake. This event is raised when Bro has observed traffic from each
## Generated for a new active TCP connection if Zeek did not see the initial
## handshake. This event is raised when Zeek has observed traffic from each
## endpoint, but the activity did not begin with the usual connection
## establishment.
##
@ -65,7 +65,7 @@ event partial_connection%(c: connection%);
## Generated when a previously inactive endpoint attempts to close a TCP
## connection via a normal FIN handshake or an abort RST sequence. When the
## endpoint sent one of these packets, Bro waits
## endpoint sent one of these packets, Zeek waits
## :zeek:id:`tcp_partial_close_delay` prior to generating the event, to give
## the other endpoint a chance to close the connection normally.
##
@ -94,7 +94,7 @@ event connection_finished%(c: connection%);
## Generated when one endpoint of a TCP connection attempted to gracefully close
## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
## happen due to split routing, in which Bro only sees one side of a connection.
## happen due to split routing, in which Zeek only sees one side of a connection.
##
## c: The connection.
##
@ -123,7 +123,7 @@ event connection_half_finished%(c: connection%);
##
## If the responder does not respond at all, :zeek:id:`connection_attempt` is
## raised instead. If the responder initially accepts the connection but
## aborts it later, Bro first generates :zeek:id:`connection_established`
## aborts it later, Zeek first generates :zeek:id:`connection_established`
## and then :zeek:id:`connection_reset`.
event connection_rejected%(c: connection%);
@ -142,7 +142,7 @@ event connection_rejected%(c: connection%);
## partial_connection
event connection_reset%(c: connection%);
## Generated for each still-open TCP connection when Bro terminates.
## Generated for each still-open TCP connection when Zeek terminates.
##
## c: The connection.
##
@ -154,7 +154,7 @@ event connection_reset%(c: connection%);
## new_connection new_connection_contents partial_connection zeek_done
event connection_pending%(c: connection%);
## Generated for a SYN packet. Bro raises this event for every SYN packet seen
## Generated for a SYN packet. Zeek raises this event for every SYN packet seen
## by its TCP analyzer.
##
## c: The connection.
@ -283,11 +283,25 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
## application-layer protocol analyzers internally. Subsequent invocations of
## this event for the same connection receive non-overlapping in-order chunks
## of its TCP payload stream. It is however undefined what size each chunk
## has; while Bro passes the data on as soon as possible, specifics depend on
## has; while Zeek passes the data on as soon as possible, specifics depend on
## network-level effects such as latency, acknowledgements, reordering, etc.
event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
## TODO.
## Generated for each detected TCP segment retransmission.
##
## c: The connection the packet is part of.
##
## is_orig: True if the packet was sent by the connection's originator.
##
## seq: The segment's relative TCP sequence number.
##
## len: The length of the TCP segment, as specified in the packet header.
##
## data_in_flight: The number of bytes corresponding to the difference between
## the last sequence number and last acknowledgement number
## we've seen for a given endpoint.
##
## window: the TCP window size.
event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
## Generated if a TCP flow crosses a checksum-error threshold, per

2
src/analyzer/protocol/tcp/functions.bif
View file

@ -77,7 +77,7 @@ function get_resp_seq%(cid: conn_id%): count
## responder (often the server).
## - ``CONTENTS_BOTH``: Record the data sent in both directions.
## Results in the two directions being intermixed in the file,
## in the order the data was seen by Bro.
## in the order the data was seen by Zeek.
##
## f: The file handle of the file to write the contents to.
##

94
src/bro.bif
View file

@ -4,7 +4,7 @@
##! filtering, interprocess communication and controlling protocol analyzer
##! behavior.
##!
##! You'll find most of Bro's built-in functions that aren't protocol-specific
##! You'll find most of Zeek's built-in functions that aren't protocol-specific
##! in this file.
%%{ // C segment
@ -304,7 +304,7 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
## Returns the current wall-clock time.
##
## In general, you should use :zeek:id:`network_time` instead
## unless you are using Bro for non-networking uses (such as general
## unless you are using Zeek for non-networking uses (such as general
## scripting; not particularly recommended), because otherwise your script
## may behave very differently on live traffic versus played-back traffic
## from a save file.
@ -364,7 +364,7 @@ function setenv%(var: string, val: string%): bool
return val_mgr->GetBool(1);
%}
## Shuts down the Bro process immediately.
## Shuts down the Zeek process immediately.
##
## code: The exit code to return with.
##
@ -375,12 +375,12 @@ function exit%(code: int%): any
return 0;
%}
## Gracefully shut down Bro by terminating outstanding processing.
## Gracefully shut down Zeek by terminating outstanding processing.
##
## Returns: True after successful termination and false when Bro is still in
## Returns: True after successful termination and false when Zeek is still in
## the process of shutting down.
##
## .. zeek:see:: exit bro_is_terminating
## .. zeek:see:: exit zeek_is_terminating
function terminate%(%): bool
%{
if ( terminating )
@ -600,7 +600,7 @@ function sha256_hash%(...%): string
%}
## Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC
## secret key is generated from available entropy when Bro starts up, or it can
## secret key is generated from available entropy when Zeek starts up, or it can
## be specified for repeatability using the ``-K`` command line flag.
##
## Returns: The HMAC-MD5 hash value of the concatenated arguments.
@ -893,7 +893,7 @@ function syslog%(s: string%): any
return 0;
%}
## Determines the MIME type of a piece of data using Bro's file magic
## Determines the MIME type of a piece of data using Zeek's file magic
## signatures.
##
## data: The data to find the MIME type for.
@ -918,7 +918,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
return new StringVal(strongest_match);
%}
## Determines the MIME type of a piece of data using Bro's file magic
## Determines the MIME type of a piece of data using Zeek's file magic
## signatures.
##
## data: The data for which to find matching MIME types.
@ -1705,7 +1705,7 @@ function log10%(d: double%): double
# ===========================================================================
## Determines whether a connection has been received externally. For example,
## Broccoli or the Time Machine can send packets to Bro via a mechanism that is
## Broccoli or the Time Machine can send packets to Zeek via a mechanism that is
## one step lower than sending events. This function checks whether the packets
## of a connection stem from one of these external *packet sources*.
##
@ -1726,24 +1726,33 @@ function current_analyzer%(%) : count
return val_mgr->GetCount(mgr.CurrentAnalyzer());
%}
## Returns Bro's process ID.
## Returns Zeek's process ID.
##
## Returns: Bro's process ID.
## Returns: Zeek's process ID.
function getpid%(%) : count
%{
return val_mgr->GetCount(getpid());
%}
%%{
extern const char* bro_version();
extern const char* zeek_version();
%%}
## Returns the Bro version string.
## Returns the Zeek version string. This function is deprecated, use
## :zeek:see:`zeek_version` instead.
##
## Returns: Bro's version, e.g., 2.0-beta-47-debug.
function bro_version%(%): string
## Returns: Zeek's version, e.g., 2.0-beta-47-debug.
function bro_version%(%): string &deprecated
%{
return new StringVal(bro_version());
return new StringVal(zeek_version());
%}
## Returns the Zeek version string.
##
## Returns: Zeek's version, e.g., 2.0-beta-47-debug.
function zeek_version%(%): string
%{
return new StringVal(zeek_version());
%}
## Converts a record type name to a vector of strings, where each element is
@ -1771,7 +1780,7 @@ function record_type_to_vector%(rt: string%): string_vec
return result;
%}
## Returns the type name of an arbitrary Bro variable.
## Returns the type name of an arbitrary Zeek variable.
##
## t: An arbitrary object.
##
@ -1787,9 +1796,9 @@ function type_name%(t: any%): string
return new StringVal(s);
%}
## Checks whether Bro reads traffic from one or more network interfaces (as
## Checks whether Zeek reads traffic from one or more network interfaces (as
## opposed to from a network trace in a file). Note that this function returns
## true even after Bro has stopped reading network traffic, for example due to
## true even after Zeek has stopped reading network traffic, for example due to
## receiving a termination signal.
##
## Returns: True if reading traffic from a network interface.
@ -1800,7 +1809,7 @@ function reading_live_traffic%(%): bool
return val_mgr->GetBool(reading_live);
%}
## Checks whether Bro reads traffic from a trace file (as opposed to from a
## Checks whether Zeek reads traffic from a trace file (as opposed to from a
## network interface).
##
## Returns: True if reading traffic from a network trace.
@ -2068,19 +2077,30 @@ function dump_rule_stats%(f: file%): bool
return val_mgr->GetBool(1);
%}
## Checks if Bro is terminating.
## Checks if Zeek is terminating. This function is deprecated, use
## :zeek:see:`zeek_is_terminating` instead.
##
## Returns: True if Bro is in the process of shutting down.
## Returns: True if Zeek is in the process of shutting down.
##
## .. zeek:see:: terminate
function bro_is_terminating%(%): bool
function bro_is_terminating%(%): bool &deprecated
%{
return val_mgr->GetBool(terminating);
%}
## Returns the hostname of the machine Bro runs on.
## Checks if Zeek is terminating.
##
## Returns: The hostname of the machine Bro runs on.
## Returns: True if Zeek is in the process of shutting down.
##
## .. zeek:see:: terminate
function zeek_is_terminating%(%): bool
%{
return val_mgr->GetBool(terminating);
%}
## Returns the hostname of the machine Zeek runs on.
##
## Returns: The hostname of the machine Zeek runs on.
function gethostname%(%) : string
%{
char buffer[MAXHOSTNAMELEN];
@ -3891,7 +3911,7 @@ static bool mmdb_try_open_asn ()
%%}
## Initializes MMDB for later use of lookup_location.
## Requires Bro to be built with ``libmaxminddb``.
## Requires Zeek to be built with ``libmaxminddb``.
##
## f: The filename of the MaxMind City or Country DB.
##
@ -3908,7 +3928,7 @@ function mmdb_open_location_db%(f: string%) : bool
%}
## Initializes MMDB for later use of lookup_asn.
## Requires Bro to be built with ``libmaxminddb``.
## Requires Zeek to be built with ``libmaxminddb``.
##
## f: The filename of the MaxMind ASN DB.
##
@ -3925,7 +3945,7 @@ function mmdb_open_asn_db%(f: string%) : bool
%}
## Performs a geo-lookup of an IP address.
## Requires Bro to be built with ``libmaxminddb``.
## Requires Zeek to be built with ``libmaxminddb``.
##
## a: The IP address to lookup.
##
@ -4010,7 +4030,7 @@ function lookup_location%(a: addr%) : geo_location
%}
## Performs an ASN lookup of an IP address.
## Requires Bro to be built with ``libmaxminddb``.
## Requires Zeek to be built with ``libmaxminddb``.
##
## a: The IP address to lookup.
##
@ -4228,8 +4248,8 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
return val_mgr->GetBool(1);
%}
## Informs Bro that it should skip any further processing of the contents of
## a given connection. In particular, Bro will refrain from reassembling the
## Informs Zeek that it should skip any further processing of the contents of
## a given connection. In particular, Zeek will refrain from reassembling the
## TCP byte stream and from generating events relating to any analyzers that
## have been processing the connection.
##
@ -4240,7 +4260,7 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
##
## .. note::
##
## Bro will still generate connection-oriented events such as
## Zeek will still generate connection-oriented events such as
## :zeek:id:`connection_finished`.
function skip_further_processing%(cid: conn_id%): bool
%{
@ -4267,7 +4287,7 @@ function skip_further_processing%(cid: conn_id%): bool
##
## .. note::
##
## This is independent of whether Bro processes the packets of this
## This is independent of whether Zeek processes the packets of this
## connection, which is controlled separately by
## :zeek:id:`skip_further_processing`.
##
@ -4651,7 +4671,7 @@ function file_size%(f: string%) : double
## Disables sending :zeek:id:`print_hook` events to remote peers for a given
## file. In a
## distributed setup, communicating Bro instances generate the event
## distributed setup, communicating Zeek instances generate the event
## :zeek:id:`print_hook` for each print statement and send it to the remote
## side. When disabled for a particular file, these events will not be
## propagated to other peers.
@ -4938,7 +4958,7 @@ function is_remote_event%(%) : bool
return val_mgr->GetBool(mgr.CurrentSource() != SOURCE_LOCAL);
%}
## Stops Bro's packet processing. This function is used to synchronize
## Stops Zeek's packet processing. This function is used to synchronize
## distributed trace processing with communication enabled
## (*pseudo-realtime* mode).
##
@ -4949,7 +4969,7 @@ function suspend_processing%(%) : any
return 0;
%}
## Resumes Bro's packet processing.
## Resumes Zeek's packet processing.
##
## .. zeek:see:: suspend_processing
function continue_processing%(%) : any

2
src/broker/data.bif
View file

@ -8,7 +8,7 @@
module Broker;
## Enumerates the possible types that :zeek:see:`Broker::Data` may be in
## terms of Bro data types.
## terms of Zeek data types.
enum DataType %{
NONE,
BOOL,

2
src/const.bif
View file

@ -1,4 +1,4 @@
##! Declaration of various scripting-layer constants that the Bro core uses
##! Declaration of various scripting-layer constants that the Zeek core uses
##! internally. Documentation and default values for the scripting-layer
##! variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.

100
src/event.bif
View file

@ -1,4 +1,4 @@
##! The protocol-independent events that the C/C++ core of Bro can generate.
##! The protocol-independent events that the C/C++ core of Zeek can generate.
##!
##! This is mostly events not related to a specific transport- or
##! application-layer protocol, but also includes a few that may be generated
@ -68,7 +68,7 @@ event zeek_done%(%);
event bro_done%(%) &deprecated;
## Generated for every new connection. This event is raised with the first
## packet of a previously unknown connection. Bro uses a flow-based definition
## packet of a previously unknown connection. Zeek uses a flow-based definition
## of "connection" here that includes not only TCP sessions but also UDP and
## ICMP flows.
##
@ -94,7 +94,7 @@ event new_connection%(c: connection%);
## *tunnel* field is NOT automatically/internally assigned to the new
## encapsulation value of *e* after this event is raised. If the desired
## behavior is to track the latest tunnel encapsulation per-connection,
## then a handler of this event should assign *e* to ``c$tunnel`` (which Bro's
## then a handler of this event should assign *e* to ``c$tunnel`` (which Zeek's
## default scripts are doing).
##
## c: The connection whose tunnel/encapsulation changed.
@ -128,7 +128,7 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
event connection_timeout%(c: connection%);
## Generated when a connection's internal state is about to be removed from
## memory. Bro generates this event reliably once for every connection when it
## memory. Zeek generates this event reliably once for every connection when it
## is about to delete the internal state. As such, the event is well-suited for
## script-level cleanup that needs to be performed for every connection. This
## event is generated not only for TCP sessions but also for UDP and ICMP
@ -145,7 +145,7 @@ event connection_timeout%(c: connection%);
## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
event connection_state_remove%(c: connection%);
## Generated when a connection 4-tuple is reused. This event is raised when Bro
## Generated when a connection 4-tuple is reused. This event is raised when Zeek
## sees a new TCP session or UDP flow using a 4-tuple matching that of an
## earlier connection it still considers active.
##
@ -188,7 +188,7 @@ event connection_status_update%(c: connection%);
event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%);
## Generated for a new connection received from the communication subsystem.
## Remote peers can inject packets into Bro's packet loop, for example via
## Remote peers can inject packets into Zeek's packet loop, for example via
## Broccoli. The communication system
## raises this event with the first packet of a connection coming in this way.
##
@ -198,7 +198,7 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co
event connection_external%(c: connection, tag: string%);
## Generated when a UDP session for a supported protocol has finished. Some of
## Bro's application-layer UDP analyzers flag the end of a session by raising
## Zeek's application-layer UDP analyzers flag the end of a session by raising
## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
## Teredo, and GTPv1 support this.
##
@ -208,7 +208,7 @@ event connection_external%(c: connection, tag: string%);
event udp_session_done%(u: connection%);
## Generated when a connection is seen that is marked as being expected.
## The function :zeek:id:`Analyzer::schedule_analyzer` tells Bro to expect a
## The function :zeek:id:`Analyzer::schedule_analyzer` tells Zeek to expect a
## particular connection to come up, and which analyzer to associate with it.
## Once the first packet of such a connection is indeed seen, this event is
## raised.
@ -231,7 +231,7 @@ event udp_session_done%(u: connection%);
## ``ANALYZER_*`` constants right now.
event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
## Generated for every packet Bro sees that have a valid link-layer header. This
## Generated for every packet Zeek sees that have a valid link-layer header. This
## is a very very low-level and expensive event that should be avoided when at all
## possible. It's usually infeasible to handle when processing even medium volumes
## of traffic in real-time. That said, if you work from a trace and want to do some
@ -242,7 +242,7 @@ event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
## .. zeek:see:: new_packet packet_contents
event raw_packet%(p: raw_pkt_hdr%);
## Generated for all packets that make it into Bro's connection processing. In
## Generated for all packets that make it into Zeek's connection processing. In
## contrast to :zeek:id:`raw_packet` this filters out some more packets that don't
## pass certain sanity checks.
##
@ -298,8 +298,8 @@ event mobile_ipv6_message%(p: pkt_hdr%);
## .. zeek:see:: new_packet tcp_packet
event packet_contents%(c: connection, contents: string%);
## Generated when Bro detects a TCP retransmission inconsistency. When
## reassembling a TCP stream, Bro buffers all payload until it sees the
## Generated when Zeek detects a TCP retransmission inconsistency. When
## reassembling a TCP stream, Zeek buffers all payload until it sees the
## responder acking it. If during that time, the sender resends a chunk of
## payload but with different content than originally, this event will be
## raised. In addition, if :zeek:id:`tcp_max_old_segments` is larger than zero,
@ -320,10 +320,10 @@ event packet_contents%(c: connection, contents: string%);
## .. zeek:see:: tcp_rexmit tcp_contents
event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%);
## Generated when Bro detects a gap in a reassembled TCP payload stream. This
## event is raised when Bro, while reassembling a payload stream, determines
## Generated when Zeek detects a gap in a reassembled TCP payload stream. This
## event is raised when Zeek, while reassembling a payload stream, determines
## that a chunk of payload is missing (e.g., because the responder has already
## acknowledged it, even though Bro didn't see it).
## acknowledged it, even though Zeek didn't see it).
##
## c: The connection.
##
@ -343,7 +343,7 @@ event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: st
event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
## Generated when a protocol analyzer confirms that a connection is indeed
## using that protocol. Bro's dynamic protocol detection heuristically activates
## using that protocol. Zeek's dynamic protocol detection heuristically activates
## analyzers as soon as it believes a connection *could* be using a particular
## protocol. It is then left to the corresponding analyzer to verify whether
## that is indeed the case; if so, this event will be generated.
@ -364,13 +364,13 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
##
## .. note::
##
## Bro's default scripts use this event to determine the ``service`` column
## Zeek's default scripts use this event to determine the ``service`` column
## of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
## there (and thus in ``conn.log``).
event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
## Generated when a protocol analyzer determines that a connection it is parsing
## is not conforming to the protocol it expects. Bro's dynamic protocol
## is not conforming to the protocol it expects. Zeek's dynamic protocol
## detection heuristically activates analyzers as soon as it believes a
## connection *could* be using a particular protocol. It is then left to the
## corresponding analyzer to verify whether that is indeed the case; if not,
@ -394,14 +394,14 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
##
## .. note::
##
## Bro's default scripts use this event to disable an analyzer via
## Zeek's default scripts use this event to disable an analyzer via
## :zeek:id:`disable_analyzer` if it's parsing the wrong protocol. That's
## however a script-level decision and not done automatically by the event
## engine.
event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
## Generated when a TCP connection terminated, passing on statistics about the
## two endpoints. This event is always generated when Bro flushes the internal
## two endpoints. This event is always generated when Zeek flushes the internal
## connection state, independent of how a connection terminates.
##
## c: The connection.
@ -414,12 +414,12 @@ event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reaso
event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
## Generated for unexpected activity related to a specific connection. When
## Bro's packet analysis encounters activity that does not conform to a
## Zeek's packet analysis encounters activity that does not conform to a
## protocol's specification, it raises one of the ``*_weird`` events to report
## that. This event is raised if the activity is tied directly to a specific
## connection.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## name: A unique name for the specific type of "weird" situation. Zeek's default
## scripts use this name in filtering policies that specify which
## "weirds" are worth reporting.
##
@ -436,13 +436,13 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
event conn_weird%(name: string, c: connection, addl: string%);
## Generated for unexpected activity related to a pair of hosts, but independent
## of a specific connection. When Bro's packet analysis encounters activity
## of a specific connection. When Zeek's packet analysis encounters activity
## that does not conform to a protocol's specification, it raises one of
## the ``*_weird`` events to report that. This event is raised if the activity
## is related to a pair of hosts, yet not to a specific connection between
## them.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## name: A unique name for the specific type of "weird" situation. Zeek's default
## scripts use this name in filtering policies that specify which
## "weirds" are worth reporting.
##
@ -459,12 +459,12 @@ event conn_weird%(name: string, c: connection, addl: string%);
event flow_weird%(name: string, src: addr, dst: addr%);
## Generated for unexpected activity that is not tied to a specific connection
## or pair of hosts. When Bro's packet analysis encounters activity that
## or pair of hosts. When Zeek's packet analysis encounters activity that
## does not conform to a protocol's specification, it raises one of the
## ``*_weird`` events to report that. This event is raised if the activity is
## not tied directly to a specific connection or pair of hosts.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## name: A unique name for the specific type of "weird" situation. Zeek's default
## scripts use this name in filtering policies that specify which
## "weirds" are worth reporting.
##
@ -477,11 +477,11 @@ event flow_weird%(name: string, src: addr, dst: addr%);
event net_weird%(name: string%);
## Generated for unexpected activity that is tied to a file.
## When Bro's packet analysis encounters activity that
## When Zeek's packet analysis encounters activity that
## does not conform to a protocol's specification, it raises one of the
## ``*_weird`` events to report that.
##
## name: A unique name for the specific type of "weird" situation. Bro's default
## name: A unique name for the specific type of "weird" situation. Zeek's default
## scripts use this name in filtering policies that specify which
## "weirds" are worth reporting.
##
@ -497,11 +497,11 @@ event net_weird%(name: string%);
## endpoint's implementation interprets an RFC quite liberally.
event file_weird%(name: string, f: fa_file, addl: string%);
## Generated regularly for the purpose of profiling Bro's processing. This event
## Generated regularly for the purpose of profiling Zeek's processing. This event
## is raised for every :zeek:id:`load_sample_freq` packet. For these packets,
## Bro records script-level functions executed during their processing as well
## Zeek records script-level functions executed during their processing as well
## as further internal locations. By sampling the processing in this form, one
## can understand where Bro spends its time.
## can understand where Zeek spends its time.
##
## samples: A set with functions and locations seen during the processing of
## the sampled packet.
@ -511,13 +511,13 @@ event file_weird%(name: string, f: fa_file, addl: string%);
## dmem: The difference in memory usage caused by processing the sampled packet.
event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
## Generated when a signature matches. Bro's signature engine provides
## Generated when a signature matches. Zeek's signature engine provides
## high-performance pattern matching separately from the normal script
## processing. If a signature with an ``event`` action matches, this event is
## raised.
##
## See the :doc:`user manual </frameworks/signatures>` for more information
## about Bro's signature engine.
## about Zeek's signature engine.
##
## state: Context about the match, including which signatures triggered the
## event and the connection for which the match was found.
@ -525,7 +525,7 @@ event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
## msg: The message passed to the ``event`` signature action.
##
## data: The last chunk of input that triggered the match. Note that the
## specifics here are not well-defined as Bro does not buffer any input.
## specifics here are not well-defined as Zeek does not buffer any input.
## If a match is split across packet boundaries, only the last chunk
## triggering the match will be passed on to the event.
event signature_match%(state: signature_state, msg: string, data: string%);
@ -572,7 +572,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
## different analyzers. For example, the HTTP analyzer reports user-agent and
## server software by raising this event. Different from
## :zeek:id:`software_version_found` and :zeek:id:`software_parse_error`, this
## event is always raised, independent of whether Bro can parse the version
## event is always raised, independent of whether Zeek can parse the version
## string.
##
## c: The connection.
@ -584,7 +584,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
## .. zeek:see:: software_parse_error software_version_found OS_version_found
event software_unparsed_version_found%(c: connection, host: addr, str: string%);
## Generated when an operating system has been fingerprinted. Bro uses `p0f
## Generated when an operating system has been fingerprinted. Zeek uses `p0f
## <http://lcamtuf.coredump.cx/p0f.shtml>`__ to fingerprint endpoints passively,
## and it raises this event for each system identified. The p0f fingerprints are
## defined by :zeek:id:`passive_fingerprint_file`.
@ -600,7 +600,7 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%);
## generate_OS_version_event
event OS_version_found%(c: connection, host: addr, OS: OS_version%);
## Generated each time Bro's internal profiling log is updated. The file is
## Generated each time Zeek's internal profiling log is updated. The file is
## defined by :zeek:id:`profiling_file`, and its update frequency by
## :zeek:id:`profiling_interval` and :zeek:id:`expensive_profiling_multiple`.
##
@ -612,7 +612,7 @@ event OS_version_found%(c: connection, host: addr, OS: OS_version%);
## .. zeek:see:: profiling_interval expensive_profiling_multiple
event profiling_update%(f: file, expensive: bool%);
## Raised for informational messages reported via Bro's reporter framework. Such
## Raised for informational messages reported via Zeek's reporter framework. Such
## messages may be generated internally by the event engine and also by other
## scripts calling :zeek:id:`Reporter::info`.
##
@ -626,12 +626,12 @@ event profiling_update%(f: file, expensive: bool%);
## .. zeek:see:: reporter_warning reporter_error Reporter::info Reporter::warning
## Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of
## .. note:: Zeek will not call reporter events recursively. If the handler of
## any reporter event triggers a new reporter message itself, the output
## will go to ``stderr`` instead.
event reporter_info%(t: time, msg: string, location: string%) &error_handler;
## Raised for warnings reported via Bro's reporter framework. Such messages may
## Raised for warnings reported via Zeek's reporter framework. Such messages may
## be generated internally by the event engine and also by other scripts calling
## :zeek:id:`Reporter::warning`.
##
@ -645,12 +645,12 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler;
## .. zeek:see:: reporter_info reporter_error Reporter::info Reporter::warning
## Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of
## .. note:: Zeek will not call reporter events recursively. If the handler of
## any reporter event triggers a new reporter message itself, the output
## will go to ``stderr`` instead.
event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
## Raised for errors reported via Bro's reporter framework. Such messages may
## Raised for errors reported via Zeek's reporter framework. Such messages may
## be generated internally by the event engine and also by other scripts calling
## :zeek:id:`Reporter::error`.
##
@ -664,7 +664,7 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
## .. zeek:see:: reporter_info reporter_warning Reporter::info Reporter::warning
## Reporter::error
##
## .. note:: Bro will not call reporter events recursively. If the handler of
## .. note:: Zeek will not call reporter events recursively. If the handler of
## any reporter event triggers a new reporter message itself, the output
## will go to ``stderr`` instead.
event reporter_error%(t: time, msg: string, location: string%) &error_handler;
@ -680,7 +680,7 @@ event zeek_script_loaded%(path: string, level: count%);
## Deprecated synonym for :zeek:see:`zeek_script_loaded`.
event bro_script_loaded%(path: string, level: count%) &deprecated;
## Generated each time Bro's script interpreter opens a file. This event is
## Generated each time Zeek's script interpreter opens a file. This event is
## triggered only for files opened via :zeek:id:`open`, and in particular not for
## normal log files as created by log writers.
##
@ -796,7 +796,7 @@ event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%);
event file_state_remove%(f: fa_file%);
## Generated when an internal DNS lookup produces the same result as last time.
## Bro keeps an internal DNS cache for host names and IP addresses it has
## Zeek keeps an internal DNS cache for host names and IP addresses it has
## already resolved. This event is generated when a subsequent lookup returns
## the same result as stored in the cache.
##
@ -807,7 +807,7 @@ event file_state_remove%(f: fa_file%);
event dns_mapping_valid%(dm: dns_mapping%);
## Generated when an internal DNS lookup got no answer even though it had
## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
## succeeded in the past. Zeek keeps an internal DNS cache for host names and IP
## addresses it has already resolved. This event is generated when a
## subsequent lookup does not produce an answer even though we have
## already stored a result in the cache.
@ -819,7 +819,7 @@ event dns_mapping_valid%(dm: dns_mapping%);
event dns_mapping_unverified%(dm: dns_mapping%);
## Generated when an internal DNS lookup succeeded but an earlier attempt
## did not. Bro keeps an internal DNS cache for host names and IP
## did not. Zeek keeps an internal DNS cache for host names and IP
## addresses it has already resolved. This event is generated when a subsequent
## lookup produces an answer for a query that was marked as failed in the cache.
##
@ -830,7 +830,7 @@ event dns_mapping_unverified%(dm: dns_mapping%);
event dns_mapping_new_name%(dm: dns_mapping%);
## Generated when an internal DNS lookup returned zero answers even though it
## had succeeded in the past. Bro keeps an internal DNS cache for host names
## had succeeded in the past. Zeek keeps an internal DNS cache for host names
## and IP addresses it has already resolved. This event is generated when
## on a subsequent lookup we receive an answer that is empty even
## though we have already stored a result in the cache.
@ -842,7 +842,7 @@ event dns_mapping_new_name%(dm: dns_mapping%);
event dns_mapping_lost_name%(dm: dns_mapping%);
## Generated when an internal DNS lookup produced a different result than in
## the past. Bro keeps an internal DNS cache for host names and IP addresses
## the past. Zeek keeps an internal DNS cache for host names and IP addresses
## it has already resolved. This event is generated when a subsequent lookup
## returns a different answer than we have stored in the cache.
##
@ -858,7 +858,7 @@ event dns_mapping_lost_name%(dm: dns_mapping%);
## dns_mapping_valid
event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
## A meta event generated for events that Bro raises. This will report all
## A meta event generated for events that Zeek raises. This will report all
## events for which at least one handler is defined.
##
## Note that handling this meta event is expensive and should be limited to

2
src/file_analysis/analyzer/x509/X509.cc
View file

@ -483,7 +483,7 @@ Val* X509Val::DoClone(CloneState* state)
if ( certificate )
copy->certificate = X509_dup(certificate);
return copy;
return state->NewClone(this, copy);
}
::X509* X509Val::GetCertificate() const

33
src/input/Manager.cc
View file

@ -224,7 +224,7 @@ ReaderBackend* Manager::CreateBackend(ReaderFrontend* frontend, EnumVal* tag)
return backend;
}
// Create a new input reader object to be used at whomevers leisure lateron.
// Create a new input reader object to be used at whomevers leisure later on.
bool Manager::CreateStream(Stream* info, RecordVal* description)
{
RecordType* rtype = description->Type()->AsRecordType();
@ -232,7 +232,7 @@ bool Manager::CreateStream(Stream* info, RecordVal* description)
|| same_type(rtype, BifType::Record::Input::EventDescription, 0)
|| same_type(rtype, BifType::Record::Input::AnalysisDescription, 0) ) )
{
reporter->Error("Streamdescription argument not of right type for new input stream");
reporter->Error("Stream description argument not of right type for new input stream");
return false;
}
@ -824,6 +824,7 @@ bool Manager::IsCompatibleType(BroType* t, bool atomic_only)
case TYPE_INTERVAL:
case TYPE_ENUM:
case TYPE_STRING:
case TYPE_PATTERN:
return true;
case TYPE_RECORD:
@ -2074,6 +2075,12 @@ int Manager::GetValueLength(const Value* val) const
}
break;
case TYPE_PATTERN:
{
length += strlen(val->val.pattern_text_val) + 1;
break;
}
case TYPE_TABLE:
{
for ( int i = 0; i < val->val.set_val.size; i++ )
@ -2193,6 +2200,14 @@ int Manager::CopyValue(char *data, const int startpos, const Value* val) const
return length;
}
case TYPE_PATTERN:
{
// include null-terminator
int length = strlen(val->val.pattern_text_val) + 1;
memcpy(data + startpos, val->val.pattern_text_val, length);
return length;
}
case TYPE_TABLE:
{
int length = 0;
@ -2350,6 +2365,13 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ
return subnetval;
}
case TYPE_PATTERN:
{
RE_Matcher* re = new RE_Matcher(val->val.pattern_text_val);
re->Compile();
return new PatternVal(re);
}
case TYPE_TABLE:
{
// all entries have to have the same type...
@ -2492,6 +2514,13 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, bool& have_error) co
return subnetval;
}
case TYPE_PATTERN:
{
RE_Matcher* re = new RE_Matcher(val->val.pattern_text_val);
re->Compile();
return new PatternVal(re);
}
case TYPE_TABLE:
{
TypeList* set_index;

6
src/main.cc
View file

@ -127,7 +127,7 @@ OpaqueType* ocsp_resp_opaque_type = 0;
int bro_argc;
char** bro_argv;
const char* bro_version()
const char* zeek_version()
{
#ifdef DEBUG
static char* debug_version = 0;
@ -152,7 +152,7 @@ bool bro_dns_fake()
void usage(int code = 1)
{
fprintf(stderr, "bro version %s\n", bro_version());
fprintf(stderr, "zeek version %s\n", zeek_version());
fprintf(stderr, "usage: %s [options] [file ...]\n", prog);
fprintf(stderr, " <file> | policy file, or read stdin\n");
fprintf(stderr, " -a|--parse-only | exit immediately after parsing scripts\n");
@ -569,7 +569,7 @@ int main(int argc, char** argv)
break;
case 'v':
fprintf(stdout, "%s version %s\n", prog, bro_version());
fprintf(stdout, "%s version %s\n", prog, zeek_version());
exit(0);
break;

2
src/plugin/Plugin.h
View file

@ -69,7 +69,7 @@ extern const char* hook_name(HookType h);
struct VersionNumber {
int major; //< Major version number.
int minor; //< Minor version number.
int patch; //< Patch version number (available since Bro 2.7).
int patch; //< Patch version number (available since Zeek 3.0).
/**
* Constructor.

2
src/probabilistic/Topk.cc
View file

@ -187,7 +187,7 @@ Val* TopkVal::DoClone(CloneState* state)
{
auto clone = new TopkVal(size);
clone->Merge(this);
return clone;
return state->NewClone(this, clone);
}
bool TopkVal::DoSerialize(SerialInfo* info) const

8
src/probabilistic/bloom-filter.bif
View file

@ -23,7 +23,7 @@ module GLOBAL;
##
## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
## the filter will use :zeek:id:`global_hash_seed` if that's set, and
## otherwise use a local seed tied to the current Bro process. Only
## otherwise use a local seed tied to the current Zeek process. Only
## filters with the same seed can be merged with
## :zeek:id:`bloomfilter_merge`.
##
@ -60,7 +60,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count,
##
## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
## the filter will use :zeek:id:`global_hash_seed` if that's set, and
## otherwise use a local seed tied to the current Bro process. Only
## otherwise use a local seed tied to the current Zeek process. Only
## filters with the same seed can be merged with
## :zeek:id:`bloomfilter_merge`.
##
@ -104,7 +104,7 @@ function bloomfilter_basic_init2%(k: count, cells: count,
##
## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
## the filter will use :zeek:id:`global_hash_seed` if that's set, and
## otherwise use a local seed tied to the current Bro process. Only
## otherwise use a local seed tied to the current Zeek process. Only
## filters with the same seed can be merged with
## :zeek:id:`bloomfilter_merge`.
##
@ -206,7 +206,7 @@ function bloomfilter_clear%(bf: opaque of bloomfilter%): any
## Merges two Bloom filters.
##
## .. note:: Currently Bloom filters created by different Bro instances cannot
## .. note:: Currently Bloom filters created by different Zeek instances cannot
## be merged. In the future, this will be supported as long as both filters
## are created with the same name.
##

6
src/stats.bif
View file

@ -20,7 +20,7 @@ RecordType* ReporterStats;
%%}
## Returns packet capture statistics. Statistics include the number of
## packets *(i)* received by Bro, *(ii)* dropped, and *(iii)* seen on the
## packets *(i)* received by Zeek, *(ii)* dropped, and *(iii)* seen on the
## link (not always available).
##
## Returns: A record of packet statistics.
@ -70,7 +70,7 @@ function get_net_stats%(%): NetStats
return r;
%}
## Returns Bro traffic statistics.
## Returns Zeek traffic statistics.
##
## Returns: A record with connection and packet statistics.
##
@ -121,7 +121,7 @@ function get_conn_stats%(%): ConnStats
return r;
%}
## Returns Bro process statistics.
## Returns Zeek process statistics.
##
## Returns: A record with process statistics.
##

2
src/strings.bif
View file

@ -160,7 +160,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string
## arg_s: The string to edit.
##
## arg_edit_char: A string of exactly one character that represents the
## "backspace character". If it is longer than one character Bro
## "backspace character". If it is longer than one character Zeek
## generates a run-time error and uses the first character in
## the string.
##

14
src/threading/SerialTypes.cc
View file

@ -87,11 +87,16 @@ string Field::TypeName() const
Value::~Value()
{
if ( (type == TYPE_ENUM || type == TYPE_STRING || type == TYPE_FILE || type == TYPE_FUNC)
&& present )
if ( ! present )
return;
if ( type == TYPE_ENUM || type == TYPE_STRING || type == TYPE_FILE || type == TYPE_FUNC )
delete [] val.string_val.data;
if ( type == TYPE_TABLE && present )
else if ( type == TYPE_PATTERN )
delete [] val.pattern_text_val;
else if ( type == TYPE_TABLE )
{
for ( int i = 0; i < val.set_val.size; i++ )
delete val.set_val.vals[i];
@ -99,7 +104,7 @@ Value::~Value()
delete [] val.set_val.vals;
}
if ( type == TYPE_VECTOR && present )
else if ( type == TYPE_VECTOR )
{
for ( int i = 0; i < val.vector_val.size; i++ )
delete val.vector_val.vals[i];
@ -414,4 +419,3 @@ bool Value::Write(SerializationFormat* fmt) const
return false;
}

1
src/threading/SerialTypes.h
View file

@ -126,6 +126,7 @@ struct Value {
vec_t vector_val;
addr_t addr_val;
subnet_t subnet_val;
const char* pattern_text_val;
struct {
char* data;

23
src/threading/formatters/Ascii.cc
View file

@ -325,6 +325,29 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
break;
}
case TYPE_PATTERN:
{
string candidate = get_unescaped_string(s);
// A string is a candidate pattern iff it begins and ends with
// a '/'. Rather or not the rest of the string is legal will
// be determined later when it is given to the RE engine.
if ( candidate.size() >= 2 )
{
if ( candidate.front() == candidate.back() &&
candidate.back() == '/' )
{
// Remove the '/'s
candidate.erase(0, 1);
candidate.erase(candidate.size() - 1);
val->val.pattern_text_val = copy_string(candidate.c_str());
break;
}
}
GetThread()->Error(GetThread()->Fmt("String '%s' contained no parseable pattern.", candidate.c_str()));
goto parse_error;
}
case TYPE_TABLE:
case TYPE_VECTOR:
// First - common initialization

2
src/types.bif
View file

@ -1,4 +1,4 @@
##! Declaration of various types that the Bro core uses internally.
##! Declaration of various types that the Zeek core uses internally.
enum rpc_status %{
RPC_SUCCESS,

8
src/util.h
View file

@ -4,12 +4,12 @@
#define util_h
#ifdef __GNUC__
#define BRO_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
#define ZEEK_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
#elif defined(_MSC_VER)
#define BRO_DEPRECATED(msg) __declspec(deprecated(msg)) func
#define ZEEK_DEPRECATED(msg) __declspec(deprecated(msg)) func
#else
#pragma message("Warning: BRO_DEPRECATED macro not implemented")
#define BRO_DEPRECATED(msg)
#pragma message("Warning: ZEEK_DEPRECATED macro not implemented")
#define ZEEK_DEPRECATED(msg)
#endif
// Expose C99 functionality from inttypes.h, which would otherwise not be

4
src/zeekygen/zeekygen.bif
View file

@ -31,7 +31,7 @@ function get_identifier_comments%(name: string%): string
%}
## Retrieve the Zeekygen-style summary comments (``##!``) associated with
## a Bro script.
## a Zeek script.
##
## name: the name of a Zeek script. It must be a relative path to where
## it is located within a particular component of ZEEKPATH and use
@ -50,7 +50,7 @@ function get_script_comments%(name: string%): string
return comments_to_val(d->GetComments());
%}
## Retrieve the contents of a Bro script package's README file.
## Retrieve the contents of a Zeek script package's README file.
##
## name: the name of a Zeek script package. It must be a relative path
## to where it is located within a particular component of ZEEKPATH.

10
testing/btest/Baseline/bifs.decode_base64_conn/weird.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-36
#open 2019-06-07-01-59-08
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1254722767.875996 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F bro
1437831787.861602 CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F bro
1437831799.610433 C3eiCBGOLw3VtHfOj 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F bro
#close 2016-07-13-16-12-36
1254722767.875996 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek
1437831787.861602 CmES5u32sYpV7JYN 192.168.133.100 49648 192.168.133.102 25 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek
1437831799.610433 C3eiCBGOLw3VtHfOj 192.168.133.100 49655 17.167.150.73 443 base64_illegal_encoding incomplete base64 group, padding with 12 bits of 0 F zeek
#close 2019-06-07-01-59-08

66
testing/btest/Baseline/core.checksums/bad.out
View file

@ -3,101 +3,101 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-42
#open 2019-06-07-02-20-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332784981.078396 - - - - - bad_IP_checksum - F bro
#close 2016-07-13-16-12-42
1332784981.078396 - - - - - bad_IP_checksum - F zeek
#close 2019-06-07-02-20-03
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-42
#open 2019-06-07-02-20-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332784885.686428 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F bro
#close 2016-07-13-16-12-42
1332784885.686428 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F zeek
#close 2019-06-07-02-20-03
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-43
#open 2019-06-07-02-20-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332784933.501023 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F bro
#close 2016-07-13-16-12-43
1332784933.501023 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F zeek
#close 2019-06-07-02-20-04
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-43
#open 2019-06-07-02-20-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075363.536871 CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F bro
#close 2016-07-13-16-12-43
1334075363.536871 CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F zeek
#close 2019-06-07-02-20-04
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-44
#open 2019-06-07-02-20-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332785210.013051 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F bro
1332785210.013051 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F bro
#close 2016-07-13-16-12-44
1332785210.013051 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek
1332785210.013051 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F zeek
#close 2019-06-07-02-20-05
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-44
#open 2019-06-07-02-20-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332782580.798420 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F bro
1332782580.798420 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F bro
#close 2016-07-13-16-12-44
1332782580.798420 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek
1332782580.798420 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F zeek
#close 2019-06-07-02-20-05
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-45
#open 2019-06-07-02-20-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075111.800086 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
1334075111.800086 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F bro
#close 2016-07-13-16-12-45
1334075111.800086 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
1334075111.800086 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F zeek
#close 2019-06-07-02-20-06
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-45
#open 2019-06-07-02-20-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332785250.469132 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 bad_TCP_checksum - F bro
#close 2016-07-13-16-12-45
1332785250.469132 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 bad_TCP_checksum - F zeek
#close 2019-06-07-02-20-06
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-46
#open 2019-06-07-02-20-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332781342.923813 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F bro
#close 2016-07-13-16-12-46
1332781342.923813 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F zeek
#close 2019-06-07-02-20-07
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-46
#open 2019-06-07-02-20-07
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F bro
#close 2016-07-13-16-12-47
1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek
#close 2019-06-07-02-20-07

42
testing/btest/Baseline/core.checksums/good.out
View file

@ -3,68 +3,68 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-46
#open 2019-06-07-02-20-07
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F bro
#close 2016-07-13-16-12-47
1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek
#close 2019-06-07-02-20-07
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-49
#open 2019-06-07-02-20-08
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332785125.596793 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F bro
#close 2016-07-13-16-12-49
1332785125.596793 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek
#close 2019-06-07-02-20-08
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-49
#open 2019-06-07-02-20-09
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1332782508.592037 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F bro
#close 2016-07-13-16-12-49
1332782508.592037 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek
#close 2019-06-07-02-20-09
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-50
#open 2019-06-07-02-20-09
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
#close 2016-07-13-16-12-50
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
#close 2019-06-07-02-20-09
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-50
#open 2019-06-07-02-20-09
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
#close 2016-07-13-16-12-50
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
#close 2019-06-07-02-20-09
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-50
#open 2019-06-07-02-20-09
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
#close 2016-07-13-16-12-50
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
#close 2019-06-07-02-20-09
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-12-50
#open 2019-06-07-02-20-09
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F bro
#close 2016-07-13-16-12-50
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
#close 2019-06-07-02-20-09

6
testing/btest/Baseline/core.disable-mobile-ipv6/weird.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2012-04-05-21-56-51
#open 2019-06-07-01-59-20
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1333663011.602839 - - - - - unknown_protocol - F bro
#close 2012-04-05-21-56-51
1333663011.602839 - - - - - unknown_protocol - F zeek
#close 2019-06-07-01-59-20

916
testing/btest/Baseline/core.ip-broken-header/weird.log
View file

@ -3,463 +3,463 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-20-30
#open 2019-06-07-01-59-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557630.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557630.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557630.000000 - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557630.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557630.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557630.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557630.000000 - 255.255.0.0 0 255.255.255.223 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:ffff:ffff:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7463:2a72:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 255.255.0.0 0 255.255.255.237 0 invalid_inner_IP_version - F bro
1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - - - - - ip_hdr_len_zero - F bro
1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F bro
1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F bro
1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929:100:0:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F bro
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F bro
1500557631.000000 - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F bro
1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F bro
1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557631.000000 - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F bro
1500557632.000000 - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:6374:6929::6927:bf 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F bro
1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F bro
1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F bro
1500557632.000000 - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 7200:65:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:6374:6900:2900:0:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F bro
1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F bro
1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro
1500557632.000000 - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300::2104:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 0.0.0.255 0 11.0.255.0 0 invalid_IP_header_size_in_tunnel - F bro
1500557632.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F bro
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F bro
1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557632.000000 - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6377:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::4:fd 0 c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29::6904:3b 0 bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::ff00:bfff 0 3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:6500:72:6369:2a29:3b00:690a:ff 0 3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F bro
1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro
1500557633.000000 - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F bro
1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557633.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:6374:6929::693b:bdff 0 0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F bro
1500557634.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:63ce:69:7429:0:690a:b1 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:6374:2a29::6904:ff 0 29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
#close 2017-10-19-17-20-30
1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557630.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557630.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557630.000000 - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557630.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557630.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557630.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557630.000000 - 255.255.0.0 0 255.255.255.223 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:ffff:ffff:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7463:2a72:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 255.255.0.0 0 255.255.255.237 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - - - - - ip_hdr_len_zero - F zeek
1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F zeek
1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F zeek
1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929:100:0:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F zeek
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F zeek
1500557631.000000 - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F zeek
1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek
1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557631.000000 - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:6374:6929::6927:bf 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F zeek
1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F zeek
1500557632.000000 - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 7200:65:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:6374:6900:2900:0:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F zeek
1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F zeek
1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300::2104:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 0.0.0.255 0 11.0.255.0 0 invalid_IP_header_size_in_tunnel - F zeek
1500557632.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F zeek
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F zeek
1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557632.000000 - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6377:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::4:fd 0 c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29::6904:3b 0 bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::ff00:bfff 0 3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:6500:72:6369:2a29:3b00:690a:ff 0 3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F zeek
1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek
1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557633.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:6374:6929::693b:bdff 0 0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F zeek
1500557634.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:63ce:69:7429:0:690a:b1 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:6374:2a29::6904:ff 0 29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
#close 2019-06-07-01-59-22

6
testing/btest/Baseline/core.negative-time/weird.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2016-05-23-20-20-21
#open 2019-06-07-01-59-25
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1425182592.408334 - - - - - negative_packet_timestamp - F bro
#close 2016-05-23-20-20-21
1425182592.408334 - - - - - negative_packet_timestamp - F zeek
#close 2019-06-07-01-59-25

6
testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2016-07-13-16-12-56
#open 2019-06-07-01-59-28
#fields ts node filter init success
#types time string string bool bool
1468426376.541368 bro port 50000 T T
#close 2016-07-13-16-12-56
1559872768.563861 zeek port 50000 T T
#close 2019-06-07-01-59-28

4
testing/btest/Baseline/core.print-bpf-filters/conn.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2019-03-12-03-25-14
#open 2019-06-07-02-20-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 -
#close 2019-03-12-03-25-14
#close 2019-06-07-02-20-04

18
testing/btest/Baseline/core.print-bpf-filters/output
View file

@ -3,28 +3,28 @@
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2019-03-12-03-25-12
#open 2019-06-07-02-20-03
#fields ts node filter init success
#types time string string bool bool
1552361112.763592 bro ip or not ip T T
#close 2019-03-12-03-25-12
1559874003.309984 zeek ip or not ip T T
#close 2019-06-07-02-20-03
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2019-03-12-03-25-13
#open 2019-06-07-02-20-03
#fields ts node filter init success
#types time string string bool bool
1552361113.442916 bro port 42 T T
#close 2019-03-12-03-25-13
1559874003.872388 zeek port 42 T T
#close 2019-06-07-02-20-03
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#open 2019-03-12-03-25-14
#open 2019-06-07-02-20-04
#fields ts node filter init success
#types time string string bool bool
1552361114.111534 bro (vlan) and (ip or not ip) T T
#close 2019-03-12-03-25-14
1559874004.312190 zeek (vlan) and (ip or not ip) T T
#close 2019-06-07-02-20-04

48
testing/btest/Baseline/core.truncation/output
View file

@ -3,78 +3,78 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-18-27
#open 2019-06-07-02-20-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334160095.895421 - - - - - truncated_IP - F bro
#close 2017-10-19-17-18-28
1334160095.895421 - - - - - truncated_IP - F zeek
#close 2019-06-07-02-20-03
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-18-29
#open 2019-06-07-02-20-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334156241.519125 - - - - - truncated_IP - F bro
#close 2017-10-19-17-18-30
1334156241.519125 - - - - - truncated_IP - F zeek
#close 2019-06-07-02-20-03
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-18-32
#open 2019-06-07-02-20-04
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1334094648.590126 - - - - - truncated_IP - F bro
#close 2017-10-19-17-18-32
1334094648.590126 - - - - - truncated_IP - F zeek
#close 2019-06-07-02-20-04
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-18-36
#open 2019-06-07-02-20-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1338328954.078361 - - - - - internally_truncated_header - F bro
#close 2017-10-19-17-18-36
1338328954.078361 - - - - - internally_truncated_header - F zeek
#close 2019-06-07-02-20-05
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-18-37
#open 2019-06-07-02-20-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
0.000000 - - - - - truncated_link_header - F bro
#close 2017-10-19-17-18-38
0.000000 - - - - - truncated_link_header - F zeek
#close 2019-06-07-02-20-05
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-18-39
#open 2019-06-07-02-20-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F bro
#close 2017-10-19-17-18-40
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek
#close 2019-06-07-02-20-06
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-18-41
#open 2019-06-07-02-20-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F bro
#close 2017-10-19-17-18-42
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek
#close 2019-06-07-02-20-06
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-18-43
#open 2019-06-07-02-20-07
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F bro
#close 2017-10-19-17-18-44
1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek
#close 2019-06-07-02-20-07

12
testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
View file

@ -3,18 +3,18 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-26-34
#open 2019-06-07-02-20-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1500557630.000000 - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F bro
#close 2017-10-19-17-26-35
1500557630.000000 - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F zeek
#close 2019-06-07-02-20-03
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2017-10-19-17-26-36
#open 2019-06-07-02-20-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
#close 2017-10-19-17-26-37
1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
#close 2019-06-07-02-20-03

8
testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path weird
#open 2016-07-13-16-13-14
#open 2019-06-07-01-59-35
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F bro
1340127577.346849 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F bro
#close 2016-07-13-16-13-14
1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 Teredo_bubble_with_payload - F zeek
1340127577.346849 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 Teredo_bubble_with_payload - F zeek
#close 2019-06-07-01-59-35

54
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2019-04-16-17-02-20
#open 2019-06-05-18-41-18
#fields name
#types string
scripts/base/init-bare.zeek
@ -206,31 +206,6 @@ scripts/base/init-default.zeek
scripts/base/frameworks/control/main.zeek
scripts/base/frameworks/cluster/pools.zeek
scripts/base/frameworks/notice/weird.zeek
scripts/base/frameworks/notice/actions/drop.zeek
scripts/base/frameworks/netcontrol/__load__.zeek
scripts/base/frameworks/netcontrol/types.zeek
scripts/base/frameworks/netcontrol/main.zeek
scripts/base/frameworks/netcontrol/plugin.zeek
scripts/base/frameworks/netcontrol/plugins/__load__.zeek
scripts/base/frameworks/netcontrol/plugins/debug.zeek
scripts/base/frameworks/netcontrol/plugins/openflow.zeek
scripts/base/frameworks/openflow/__load__.zeek
scripts/base/frameworks/openflow/consts.zeek
scripts/base/frameworks/openflow/types.zeek
scripts/base/frameworks/openflow/main.zeek
scripts/base/frameworks/openflow/plugins/__load__.zeek
scripts/base/frameworks/openflow/plugins/ryu.zeek
scripts/base/utils/json.zeek
scripts/base/frameworks/openflow/plugins/log.zeek
scripts/base/frameworks/openflow/plugins/broker.zeek
scripts/base/frameworks/openflow/non-cluster.zeek
scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
scripts/base/frameworks/netcontrol/plugins/broker.zeek
scripts/base/frameworks/netcontrol/plugins/acld.zeek
scripts/base/frameworks/netcontrol/drop.zeek
scripts/base/frameworks/netcontrol/shunt.zeek
scripts/base/frameworks/netcontrol/catch-and-release.zeek
scripts/base/frameworks/netcontrol/non-cluster.zeek
scripts/base/frameworks/notice/actions/email_admin.zeek
scripts/base/frameworks/notice/actions/page.zeek
scripts/base/frameworks/notice/actions/add-geodata.zeek
@ -269,6 +244,29 @@ scripts/base/init-default.zeek
scripts/base/frameworks/sumstats/non-cluster.zeek
scripts/base/frameworks/tunnels/__load__.zeek
scripts/base/frameworks/tunnels/main.zeek
scripts/base/frameworks/openflow/__load__.zeek
scripts/base/frameworks/openflow/consts.zeek
scripts/base/frameworks/openflow/types.zeek
scripts/base/frameworks/openflow/main.zeek
scripts/base/frameworks/openflow/plugins/__load__.zeek
scripts/base/frameworks/openflow/plugins/ryu.zeek
scripts/base/utils/json.zeek
scripts/base/frameworks/openflow/plugins/log.zeek
scripts/base/frameworks/openflow/plugins/broker.zeek
scripts/base/frameworks/openflow/non-cluster.zeek
scripts/base/frameworks/netcontrol/__load__.zeek
scripts/base/frameworks/netcontrol/types.zeek
scripts/base/frameworks/netcontrol/main.zeek
scripts/base/frameworks/netcontrol/plugin.zeek
scripts/base/frameworks/netcontrol/plugins/__load__.zeek
scripts/base/frameworks/netcontrol/plugins/debug.zeek
scripts/base/frameworks/netcontrol/plugins/openflow.zeek
scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
scripts/base/frameworks/netcontrol/plugins/broker.zeek
scripts/base/frameworks/netcontrol/plugins/acld.zeek
scripts/base/frameworks/netcontrol/drop.zeek
scripts/base/frameworks/netcontrol/shunt.zeek
scripts/base/frameworks/netcontrol/non-cluster.zeek
scripts/base/protocols/conn/__load__.zeek
scripts/base/protocols/conn/main.zeek
scripts/base/protocols/conn/contents.zeek
@ -368,10 +366,8 @@ scripts/base/init-default.zeek
scripts/base/files/pe/main.zeek
scripts/base/files/extract/__load__.zeek
scripts/base/files/extract/main.zeek
scripts/base/files/unified2/__load__.zeek
scripts/base/files/unified2/main.zeek
scripts/base/misc/find-checksum-offloading.zeek
scripts/base/misc/find-filtered-trace.zeek
scripts/base/misc/version.zeek
scripts/policy/misc/loaded-scripts.zeek
#close 2019-04-16-17-02-20
#close 2019-06-05-18-41-19

3
testing/btest/Baseline/language.copy-cycle/out Normal file
View file

@ -0,0 +1,3 @@
F (expected: F)
T (expected: T)
T (expected: T)

4
testing/btest/Baseline/language.expire_subnet/output
View file

@ -15,11 +15,11 @@ Accessed table nums: two; three
Accessed table nets: two; zero, three
Time: 7.0 secs 518.0 msecs 828.0 usecs
Expired Subnet: 192.168.4.0/24 --> four at 8.0 secs 835.0 msecs 30.0 usecs
Expired Subnet: 192.168.1.0/24 --> one at 8.0 secs 835.0 msecs 30.0 usecs
Expired Num: 4 --> four at 8.0 secs 835.0 msecs 30.0 usecs
Expired Num: 1 --> one at 8.0 secs 835.0 msecs 30.0 usecs
Expired Num: 0 --> zero at 8.0 secs 835.0 msecs 30.0 usecs
Expired Subnet: 192.168.4.0/24 --> four at 8.0 secs 835.0 msecs 30.0 usecs
Expired Subnet: 192.168.1.0/24 --> one at 8.0 secs 835.0 msecs 30.0 usecs
Expired Subnet: 192.168.0.0/16 --> zero at 15.0 secs 150.0 msecs 681.0 usecs
Expired Subnet: 192.168.3.0/24 --> three at 15.0 secs 150.0 msecs 681.0 usecs
Expired Subnet: 192.168.2.0/24 --> two at 15.0 secs 150.0 msecs 681.0 usecs

1
testing/btest/Baseline/language.type-coerce-numerics/double_convert_failure1.out Normal file
View file

@ -0,0 +1 @@
error in ./double_convert_failure1.zeek, line 7 and double: type clash for field "cc" ((coerce [$cc=5.0] to myrecord) and double)

1
testing/btest/Baseline/language.type-coerce-numerics/double_convert_failure2.out Normal file
View file

@ -0,0 +1 @@
error in ./double_convert_failure2.zeek, line 7 and double: type clash for field "cc" ((coerce [$cc=-5.0] to myrecord) and double)

Some files were not shown because too many files have changed in this diff Show more