Merge remote-tracking branch 'origin/master' into topic/johanna/netcontrol
69b62be5d4
42 changed files with 459 additions and 238 deletions
|
@ -0,0 +1,10 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path http
|
||||
#open 2016-02-05-13-13-06
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
|
||||
#types time string addr port addr port count string string string string string string count count count string count string string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string]
|
||||
1452204358.910557 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 1 - - - - 1.1 - 0 14 200 OK - - - (empty) - - - - - FGec0Miu9FfcsYUT4 text/plain
|
||||
#close 2016-02-05-13-13-06
|
|
@ -0,0 +1,10 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2016-03-07-21-06-28
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1452204358.172926 CXWv6p3arKYeMETxOg 192.168.122.130 49157 202.7.177.41 80 bad_HTTP_request_with_version - F bro
|
||||
#close 2016-03-07-21-06-28
|
|
@ -3,7 +3,7 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2016-01-15-20-54-31
|
||||
#open 2016-03-07-21-06-12
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1354328874.237327 CjhGID4nQcgTWjvg4c 128.2.6.136 46563 173.194.75.103 80 missing_HTTP_uri - F bro
|
||||
|
@ -13,9 +13,9 @@
|
|||
1354328882.949510 C7XEbhP654jzLoe3a 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
1354328887.094494 CMXxB5GvmoxJFXdTa 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
1354328891.141058 Caby8b1slFea8xwSmb 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
1354328891.183942 Che1bq3i2rO3KD1Syg 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
1354328891.183942 Che1bq3i2rO3KD1Syg 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request_with_version - F bro
|
||||
1354328891.226199 C3SfNE4BWaU4aSuwkc 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
1354328891.267625 CEle3f3zno26fFZkrh 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
1354328891.267625 CEle3f3zno26fFZkrh 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request_with_version - F bro
|
||||
1354328891.309065 CwSkQu4eWZCH7OONC1 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
|
||||
1354328895.355012 CfTOmO0HKorjr8Zp7 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
|
||||
1354328895.396634 CzA03V1VcgagLjnO92 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
|
@ -33,4 +33,4 @@
|
|||
1354328924.518204 CuChlg202P8sUFuXrg 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
1354328932.734579 CY93mM3aViMiLKuSw3 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
1354328932.776609 CXgISq6dA2DVPzqp9 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F bro
|
||||
#close 2016-01-15-20-54-32
|
||||
#close 2016-03-07-21-06-12
|
||||
|
|
|
@ -11,3 +11,10 @@ thenagualII!~affreujoj@THENAGUAL.users.undernet.org -> #easymovies: \x0304,00DVD
|
|||
-> ladyvampress: list
|
||||
-> #easymovies: @ladyvampress
|
||||
gordon1`^!~allu0002@gordon2411.users.undernet.org -> #easymovies: \x0308\x02File Server Online\x02 \x0303Triggers:\xab\x0308\x0308/ctcp gordon1`^ /ctcp gordon1`^ /CTCP gordon1`^ Movies Galore\x0303\xbb Sends:\xab\x03081/30\x0303\xbb Queues:\xab\x03080/30\x0303\xbb Accessed:\xab\x03082556 times\x0303\xbb Online:\xab\x03080/4\x0303\xbb RCPS:\xab\x0308193.8 Kbs by MadDingo\x0303\xbb Served:\xab\x03081.14TB in 1118 files\x0303\xbb Current BW:\xab\x030818.7 Kbs\x0303\xbb AQT:\xab\x0308No Wait\x0303\xbb \x0f\x0303\x97\x0314I\x0303-\x0315n\x0303-\x0315v\x0303-\x0300i\x0303-\x0300s\x0303-\x0315i\x0303-\x0315o\x0303-\x0314n\x0303\x97\x0f
|
||||
quit: ()
|
||||
-> #brotest: test
|
||||
quit: (quitting)
|
||||
quit: brotest (Client Quit)
|
||||
-> #BROTEST: test
|
||||
quit: (quitting)
|
||||
quit: brotest (Client Quit)
|
|
@ -0,0 +1,34 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#open 2016-03-07-21-31-43
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1324071333.493287 CXWv6p3arKYeMETxOg 192.168.1.79 51880 131.159.21.1 22 tcp ssh 6.159326 2669 2501 SF - - 0 ShAdDaFf 25 3981 20 3549 (empty)
|
||||
1409516196.337184 CjhGID4nQcgTWjvg4c 10.0.0.18 40184 128.2.6.88 41644 tcp ssh 0.392307 3205 2129 S1 - - 0 ShADad 12 3837 12 2761 (empty)
|
||||
1419870206.101883 CsRx2w45OKnoww6xl4 192.168.2.1 57191 192.168.2.158 22 tcp ssh 3.862198 576 813 SF - - 0 ShAdDaFf 23 1784 16 1653 (empty)
|
||||
1419870189.485611 CCvvfg3TEfuqmmG4bh 192.168.2.1 57189 192.168.2.158 22 tcp ssh 5.267866 4601 2805 S1 - - 0 ShADad 22 5757 18 3749 (empty)
|
||||
1419996264.318569 CRJuHdVW0XPVINV8a 192.168.2.1 55179 192.168.2.158 2200 tcp ssh 1.124642 1909 1161 S1 - - 0 ShADad 16 2753 12 1793 (empty)
|
||||
1420588548.721272 CPbrpk1qSsw6ESzHV4 192.168.2.1 56594 192.168.2.158 22 tcp ssh 8.841749 480 537 SF - - 0 ShAdDaFf 17 1376 14 1273 (empty)
|
||||
1420590124.879760 C6pKV8GSxOnSLghOa 192.168.2.1 56821 192.168.2.158 22 tcp ssh 1.106250 820 1125 SF - - 0 ShAdDaFf 26 2184 20 2173 (empty)
|
||||
1420590308.775525 CIPOse170MGiRM1Qf4 192.168.2.1 56837 192.168.2.158 22 tcp ssh 1.080767 692 997 SF - - 0 ShAdDaFf 25 2004 19 1993 (empty)
|
||||
1420590322.673363 C7XEbhP654jzLoe3a 192.168.2.1 56845 192.168.2.158 22 tcp ssh 1.302395 660 965 SF - - 0 ShAdDaFf 26 2024 20 2013 (empty)
|
||||
1420590636.473213 CJ3xTn1c4Zw9TmAE05 192.168.2.1 56875 192.168.2.158 22 tcp ssh 12.013506 588 549 SF - - 0 ShAdDaFf 19 1588 16 1389 (empty)
|
||||
1420590659.422161 CMXxB5GvmoxJFXdTa 192.168.2.1 56878 192.168.2.158 22 tcp ssh 3.628964 684 825 SF - - 0 ShAdDaFf 25 1996 19 1821 (empty)
|
||||
1420591379.650462 Caby8b1slFea8xwSmb 192.168.2.1 56940 192.168.2.158 22 tcp ssh 0.104978 500 609 SF - - 0 ShAdDaFf 14 1240 10 1137 (empty)
|
||||
1420599430.822385 Che1bq3i2rO3KD1Syg 192.168.2.1 57831 192.168.2.158 22 tcp ssh 2.758790 576 813 SF - - 0 ShAdDaFf 23 1784 18 1757 (empty)
|
||||
1420851448.309629 C3SfNE4BWaU4aSuwkc 192.168.2.1 59246 192.168.2.158 22 tcp ssh 2.046715 2421 3505 S1 - - 0 ShADad 18 3369 13 4189 (empty)
|
||||
1420860616.400297 CwSkQu4eWZCH7OONC1 192.168.1.32 33910 128.2.13.133 22 tcp ssh 0.660753 3383 2645 S1 - - 0 ShADad 18 4327 16 3485 (empty)
|
||||
1420860283.029061 CEle3f3zno26fFZkrh 192.168.1.32 41164 128.2.10.238 22 tcp ssh 7.498828 5479 2327 S1 - - 0 ShADad 21 6579 18 3271 (empty)
|
||||
1420868281.639103 CfTOmO0HKorjr8Zp7 192.168.1.32 41268 128.2.10.238 22 tcp ssh 2.710778 5613 2487 SF - - 0 ShADadFf 24 6869 20 3535 (empty)
|
||||
1420917487.213378 CzA03V1VcgagLjnO92 192.168.1.31 57621 192.168.1.255 57621 udp - - - - S0 - - 0 D 1 72 0 0 (empty)
|
||||
1420917487.213468 CyAhVIzHqb7t7kv28 192.168.1.32 57621 192.168.1.31 57621 udp - - - - S0 - - 0 D 1 72 0 0 (empty)
|
||||
1420917487.220407 Cab0vO1xNYSS2hJkle 192.168.1.31 52294 192.168.1.32 22 tcp ssh 2.807865 3169 1329 S1 - - 0 ShADad 19 4169 13 2013 (empty)
|
||||
1421006072.431795 Cx3C534wEyF3OvvcQe 192.168.1.31 51476 192.168.1.32 8118 tcp - 0.000539 76 0 SF - - 0 DaFfA 6 388 5 284 (empty)
|
||||
1421006072.001012 Cx2FqO23omNawSNrxj 192.168.1.31 51489 192.168.1.32 22 tcp ssh 2.408961 3469 1565 S1 - - 0 ShAdDa 25 4805 16 2421 (empty)
|
||||
1421041176.944687 CkDsfG2YIeWJmXWNWj 192.168.1.32 58641 131.103.20.168 22 tcp ssh 0.587601 2885 2309 SF - - 0 ShADdaFf 16 3725 13 2993 (empty)
|
||||
1421041299.738916 CUKS0W3HFYOnBqSE5e 192.168.1.32 58646 131.103.20.168 22 tcp ssh 0.538385 3517 3197 S1 - - 0 ShADad 18 4461 16 4037 (empty)
|
||||
1421041526.312919 CRrfvP2lalMAYOCLhj 192.168.1.32 58649 131.103.20.168 22 tcp ssh 0.542213 3517 3197 S1 - - 0 ShADad 17 4409 16 4037 (empty)
|
||||
#close 2016-03-07-21-31-43
|
|
@ -182,7 +182,6 @@
|
|||
1437831799.764576 x509_extension
|
||||
1437831799.764576 x509_ext_subject_alternative_name
|
||||
1437831799.764576 file_hash
|
||||
1437831799.764576 file_hash
|
||||
1437831799.764576 file_state_remove
|
||||
1437831799.764576 file_new
|
||||
1437831799.764576 file_over_new_connection
|
||||
|
@ -197,7 +196,6 @@
|
|||
1437831799.764576 x509_extension
|
||||
1437831799.764576 x509_extension
|
||||
1437831799.764576 file_hash
|
||||
1437831799.764576 file_hash
|
||||
1437831799.764576 file_state_remove
|
||||
1437831799.764576 ssl_handshake_message
|
||||
1437831799.764576 ssl_handshake_message
|
||||
|
|
File diff suppressed because one or more lines are too long
BIN
testing/btest/Traces/http/http-bad-request-with-version.trace
Normal file
BIN
testing/btest/Traces/http/http-bad-request-with-version.trace
Normal file
Binary file not shown.
BIN
testing/btest/Traces/irc-basic.trace
Normal file
BIN
testing/btest/Traces/irc-basic.trace
Normal file
Binary file not shown.
BIN
testing/btest/Traces/irc-whitespace.trace
Normal file
BIN
testing/btest/Traces/irc-whitespace.trace
Normal file
Binary file not shown.
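--- a/testing/btest/core/leaks/irc.test
+++ b/testing/btest/core/leaks/irc.test
@@ -0,0 +1,13 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+event irc_names_info(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
+{
+print channel, users;
+}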
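Review bot: The two new leak tests added side by side in testing/btest/core/leaks/ use different file extensions, `irc.test` here and `stats.bro` in the next section, although both carry the same btest header and are run the same way. Whichever convention the existing tests in that directory follow, the pair should match so the btest runner's file globbing and a reader's expectations agree; if `.test` is the directory's convention, `stats.bro` should be renamed to `stats.test`. I cannot see the rest of the directory from this page, so confirm which extension the other leak tests use before renaming.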
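--- a/testing/btest/core/leaks/stats.bro
+++ b/testing/btest/core/leaks/stats.bro
@@ -0,0 +1,15 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+@load policy/misc/stats.bro
+
+event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
+{
+print CPU;
+}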
|
@ -0,0 +1,4 @@
|
|||
# @TEST-EXEC: bro -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
|
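Review bot: This test has no descriptive header comment, unlike the sibling tests on this page that open with `# Test IRC events` and `# This tests some SSH connections and the output log.`, so a reader cannot tell what the trace is meant to exercise without opening the baselines. Based on the new weird.log baseline earlier on this page, which records `bad_HTTP_request_with_version`, I would add `# Test that an HTTP request carrying a malformed version string is still logged to http.log and raises the bad_HTTP_request_with_version weird.` as the first line. The `-C` flag (ignore checksums) also deserves a short note on why this trace needs it, presumably because the capture has bad checksums — confirm against the trace. No file header is visible for this hunk on the page, so the file name is not certain from here.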
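--- a/testing/btest/scripts/base/protocols/irc/events.test
+++ b/testing/btest/scripts/base/protocols/irc/events.test
@@ -0,0 +1,16 @@
+# Test IRC events
+
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/irc-basic.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/irc-whitespace.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event irc_privmsg_message(c: connection, is_orig: bool, source: string, target: string, message: string)
+{
+print fmt("%s -> %s: %s", source, target, message);
+}
+
+event irc_quit_message(c: connection, is_orig: bool, nick: string, message: string)
+{
+print fmt("quit: %s (%s)", nick, message);
+}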
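Review bot: The header `# Test IRC events` is too vague for a test that replaces the deleted privmsg.test and now runs three traces; it should say which events are checked and why three traces are needed. I would replace it with `# Test the irc_privmsg_message and irc_quit_message events, using the DCC-send, basic and whitespace traces so message parsing is exercised across all three inputs.` The three runs all append to the same .stdout, so the baseline order depends on the @TEST-EXEC order; a one-line comment stating that the trace order is significant would save the next person who reorders them a confusing baseline diff.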
|
@ -1,10 +0,0 @@
|
|||
# Test the privmsg event
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event irc_privmsg_message(c: connection, is_orig: bool, source: string, target: string, message: string)
|
||||
{
|
||||
print fmt("%s -> %s: %s", source, target, message);
|
||||
}
|
||||
|
|
@ -1,4 +1,5 @@
|
|||
# This tests some SSH connections and the output log.
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/ssh/ssh.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff ssh.log
|
||||
# @TEST-EXEC: btest-diff ssh.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
|
|
@ -1,7 +1,18 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro >all-events.log
|
||||
# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro DumpEvents::include_args=F >all-events-no-args.log
|
||||
# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro DumpEvents::include=/smtp_/ >smtp-events.log
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT >all-events.log
|
||||
# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include_args=F >all-events-no-args.log
|
||||
# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include=/smtp_/ >smtp-events.log
|
||||
#
|
||||
# @TEST-EXEC: btest-diff all-events.log
|
||||
# @TEST-EXEC: btest-diff all-events-no-args.log
|
||||
# @TEST-EXEC: btest-diff smtp-events.log
|
||||
|
||||
# There is some kind of race condition between the MD5 and SHA1 events, which are added
|
||||
# by the SSL parser. Just remove MD5, this is not important for this test.
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5
|
||||
{
|
||||
if ( ! c?$ssl )
|
||||
return;
|
||||
|
||||
Files::remove_analyzer(f, Files::ANALYZER_MD5);
|
||||
}
|
||||
|
|
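Review bot: The comment `# There is some kind of race condition between the MD5 and SHA1 events` is too vague for a handler whose only purpose is to keep the all-events baseline deterministic; a future maintainer seeing `Files::remove_analyzer(f, Files::ANALYZER_MD5)` in an events-dump test will not know whether it may be removed. I would rewrite the two comment lines as `# The MD5 and SHA1 file_hash events for certificates extracted by the SSL parser are not raised in a deterministic order, which makes the all-events baselines flap.` followed by `# Drop the MD5 analyzer on SSL connections so only one file_hash event remains; which hash is logged is irrelevant to this test.` The matching baseline hunks earlier on this page each drop one `file_hash` line, which is consistent with this workaround. No file header is visible for this hunk, so I am inferring from the @TEST-EXEC lines that this is the dump-events test.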