Merge remote-tracking branch 'origin/topic/seth/tunnels-merge'
* origin/topic/seth/tunnels-merge: SOCKS DPD fixes. Fix a bug in the SOCKS analyzer. SOCKS and tunnel test updates. Updates for the SOCKS analyzer. Very small updates to the tunnels framework.
commit
6cda00c75e
30 changed files with 524 additions and 127 deletions
|
@ -3,9 +3,9 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path tunnel
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
|
||||
#types time string addr port addr port enum enum
|
||||
1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA
|
||||
1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA
|
||||
1257655317.464035 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA
|
||||
1257655317.464035 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA
|
||||
1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::AYIYA Tunnel::DISCOVER
|
||||
1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::AYIYA Tunnel::DISCOVER
|
||||
1257655317.464035 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::AYIYA Tunnel::CLOSE
|
||||
1257655317.464035 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::AYIYA Tunnel::CLOSE
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
|
||||
1208299429.265243 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 tcp http,socks 0.008138 152 3950 SF - 0 ShAaDdfF 9 632 9 4430 (empty)
|
|
@ -1,8 +0,0 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path http
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
||||
1208299429.270361 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 1 GET www.icir.org / - curl/7.16.3 (powerpc-apple-darwin9.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 0 3677 200 OK - - - (empty) - - - text/html - -
|
|
@ -1,9 +0,0 @@
|
|||
[id=[orig_h=127.0.0.1, orig_p=62270/tcp, resp_h=127.0.0.1, resp_p=1080/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=177, flow_label=0], resp=[size=8, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0], start_time=1208299429.265243, duration=0.002565, service={
|
||||
SOCKS
|
||||
}, addl=, hot=0, history=ShAaDd, uid=UWkUyAuUGXf, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>, syslog=<uninitialized>]
|
||||
---
|
||||
1
|
||||
192.150.187.12
|
||||
|
||||
80/tcp
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path tunnel
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
|
||||
#types time string addr port addr port enum enum
|
||||
1208299429.267808 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 Tunnel::DISCOVER Tunnel::SOCKS
|
||||
1208299429.273401 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 Tunnel::CLOSE Tunnel::SOCKS
|
|
@ -3,11 +3,11 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path tunnel
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
|
||||
#types time string addr port addr port enum enum
|
||||
1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::DISCOVER Tunnel::TEREDO
|
||||
1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::DISCOVER Tunnel::TEREDO
|
||||
1210953061.292918 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::DISCOVER Tunnel::TEREDO
|
||||
1210953076.058333 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::CLOSE Tunnel::TEREDO
|
||||
1210953076.058333 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::CLOSE Tunnel::TEREDO
|
||||
1210953076.058333 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::CLOSE Tunnel::TEREDO
|
||||
1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::TEREDO Tunnel::DISCOVER
|
||||
1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::TEREDO Tunnel::DISCOVER
|
||||
1210953061.292918 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::TEREDO Tunnel::DISCOVER
|
||||
1210953076.058333 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::TEREDO Tunnel::CLOSE
|
||||
1210953076.058333 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::TEREDO Tunnel::CLOSE
|
||||
1210953076.058333 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::TEREDO Tunnel::CLOSE
|
||||
|
|
|
@ -3,11 +3,11 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path tunnel
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
|
||||
#types time string addr port addr port enum enum
|
||||
1340127577.336558 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Tunnel::DISCOVER Tunnel::TEREDO
|
||||
1340127577.339015 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 Tunnel::DISCOVER Tunnel::TEREDO
|
||||
1340127577.351747 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Tunnel::DISCOVER Tunnel::TEREDO
|
||||
1340127577.406995 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Tunnel::CLOSE Tunnel::TEREDO
|
||||
1340127577.406995 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Tunnel::CLOSE Tunnel::TEREDO
|
||||
1340127577.406995 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 Tunnel::CLOSE Tunnel::TEREDO
|
||||
1340127577.336558 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Tunnel::TEREDO Tunnel::DISCOVER
|
||||
1340127577.339015 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 Tunnel::TEREDO Tunnel::DISCOVER
|
||||
1340127577.351747 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Tunnel::TEREDO Tunnel::DISCOVER
|
||||
1340127577.406995 UWkUyAuUGXf 192.168.2.16 3797 65.55.158.80 3544 Tunnel::TEREDO Tunnel::CLOSE
|
||||
1340127577.406995 j4u32Pc5bif 192.168.2.16 3797 83.170.1.38 32900 Tunnel::TEREDO Tunnel::CLOSE
|
||||
1340127577.406995 k6kgXLOoSKl 192.168.2.16 3797 65.55.158.81 3544 Tunnel::TEREDO Tunnel::CLOSE
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path socks
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status req_h req_name req_p bound_h bound_name bound_p
|
||||
#types time string addr port addr port count string string addr string port addr string port
|
||||
1340213015.276495 UWkUyAuUGXf 10.0.0.55 53994 60.190.189.214 8124 5 - succeeded - www.osnews.com 80 192.168.0.31 - 2688
|
|
@ -0,0 +1,8 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path tunnel
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
|
||||
#types time string addr port addr port enum enum
|
||||
1340213015.276495 - 10.0.0.55 0 60.190.189.214 8124 Tunnel::SOCKS Tunnel::DISCOVER
|
|
@ -0,0 +1,8 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path socks
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status req_h req_name req_p bound_h bound_name bound_p
|
||||
#types time string addr port addr port count string string addr string port addr string port
|
||||
1340113261.914619 UWkUyAuUGXf 10.0.0.50 59580 85.194.84.197 1080 5 - succeeded - www.google.com 443 0.0.0.0 - 443
|
|
@ -0,0 +1,8 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path tunnel
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
|
||||
#types time string addr port addr port enum enum
|
||||
1340113261.914619 - 10.0.0.50 0 85.194.84.197 1080 Tunnel::SOCKS Tunnel::DISCOVER
|
|
@ -0,0 +1,8 @@
|
|||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path tunnel
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
|
||||
#types time string addr port addr port enum enum
|
||||
1208299429.265774 - 127.0.0.1 0 127.0.0.1 1080 Tunnel::SOCKS Tunnel::DISCOVER
|
BIN
testing/btest/Traces/socks-with-ssl.trace
Normal file
BIN
testing/btest/Traces/socks-with-ssl.trace
Normal file
Binary file not shown.
BIN
testing/btest/Traces/socks.trace
Normal file
BIN
testing/btest/Traces/socks.trace
Normal file
Binary file not shown.
|
@ -1,19 +0,0 @@
|
|||
# @TEST-EXEC: bro -Cr $TRACES/tunnels/socks.pcap %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
event socks_request(c: connection, request_type: count, dstaddr: addr,
|
||||
dstname: string, p: port, user: string)
|
||||
{
|
||||
print c;
|
||||
print "---";
|
||||
print request_type;
|
||||
print dstaddr;
|
||||
print dstname;
|
||||
print p;
|
||||
print user;
|
||||
}
|
||||
|
||||
|
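--- /dev/null
+++ b/testing/btest/scripts/base/protocols/socks/trace1.test
@@ -0,0 +1,5 @@
+# @TEST-EXEC: bro -r $TRACES/socks.trace %INPUT
+# @TEST-EXEC: btest-diff socks.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/protocols/socks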
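--- /dev/null
+++ b/testing/btest/scripts/base/protocols/socks/trace2.test
@@ -0,0 +1,5 @@
+# @TEST-EXEC: bro -r $TRACES/socks-with-ssl.trace %INPUT
+# @TEST-EXEC: btest-diff socks.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/protocols/socks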
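Review bot: trace2 diffs only socks.log and tunnel.log, so nothing in this test verifies that the TLS session carried inside the SOCKS tunnel (the trace is named `socks-with-ssl.trace`, and one of the new socks.log baselines shows a request for www.google.com:443) is actually handed to the inner analyzers after the handshake. Adding `# @TEST-EXEC: btest-diff conn.log` would pin the service and tunnel_parents columns of the inner connection, and an ssl.log diff as well if that capture produces one — confirm against a run before adding it. As written, a regression that silently stops dispatching payload once the SOCKS reply is parsed would still pass this test.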
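--- /dev/null
+++ b/testing/btest/scripts/base/protocols/socks/trace3.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/socks.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/protocols/socks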
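Review bot: trace3 replaces the deleted socks test but keeps only the tunnel.log diff, whereas the old test also diffed conn.log and http.log, whose baselines showed the connection tagged `http,socks` and the GET for www.icir.org observed through the proxy. Dropping those removes the only check that payload after the SOCKS handshake is still dispatched to the HTTP analyzer, and unlike trace1/trace2 this test does not diff socks.log either. Suggest restoring `# @TEST-EXEC: btest-diff socks.log`, `# @TEST-EXEC: btest-diff conn.log` and `# @TEST-EXEC: btest-diff http.log`. The `-C` flag used here but not in trace1/trace2 presumably compensates for bad checksums in that capture; a one-line comment saying so would spare the next reader the guess.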