From 6ebfa02199a7cfd72948f4141ae5983e6e1359cf Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 19 Jan 2023 16:04:32 -0700 Subject: [PATCH] Update scripts.base.frameworks.analyzer.logging btest to use a different trace file --- .../analyzer.log-include-confirmations | 46 ++++--------------- .../analyzer.log-no-confirmations | 12 +++-- .../base/frameworks/analyzer/logging.zeek | 6 +-- 3 files changed, 21 insertions(+), 43 deletions(-) diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations index 499b7c0d51..87e8855b64 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations +++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations 
@@ -7,40 +7,14 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
 #types time string string string string string addr port addr port string string
-XXXXXXXXXX.XXXXXX violation packet TEREDO CHhAvVGS1DHFjwGM9 - 141.142.220.202 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06gemini\x09_sftp-ssh\x04_tcp\x05lo
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CHhAvVGS1DHFjwGM9 - 141.142.220.202 5353 224.0.0.251 5353 - -
-XXXXXXXXXX.XXXXXX violation packet TEREDO ClEkJM2Vm5giqnMf4h - fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 Bad Teredo encapsulation \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
-XXXXXXXXXX.XXXXXX confirmation protocol DNS ClEkJM2Vm5giqnMf4h - fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 - -
-XXXXXXXXXX.XXXXXX violation packet TEREDO C4J4Th3PJpwUYZZ6gc - 141.142.220.50 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
-XXXXXXXXXX.XXXXXX confirmation protocol DNS C4J4Th3PJpwUYZZ6gc - 141.142.220.50 5353 224.0.0.251 5353 - -
-XXXXXXXXXX.XXXXXX confirmation protocol HTTP CUM0KZ3MLUfNB0cl11 - 141.142.220.118 48649 208.80.152.118 80 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CmES5u32sYpV7JYN - 141.142.220.118 43927 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CP5puj4I8PtEU4qzYg - 141.142.220.118 37676 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS C37jN32gN3y3AZzyf6 - 141.142.220.118 40526 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS C0LAHyvtKSQHyJxIl - 141.142.220.118 32902 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CFLRIC3zaTU1loLGxh - 141.142.220.118 59816 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS C9rXSW3KSpTYvPrlI1 - 141.142.220.118 59714 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS C9mvWx3ezztgzcexV7 - 141.142.220.118 58206 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CNnMIj2QSd84NKf7U3 - 141.142.220.118 38911 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS C7fIlMZDuRiqjpYbb - 141.142.220.118 59746 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CpmdRlaUoJLN3uIRa - 141.142.220.118 45000 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS C1Xkzz2MaGtLrc1Tla - 141.142.220.118 48479 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CqlVyW1YwZ15RhTBc4 - 141.142.220.118 48128 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CBA8792iHmnhPLksKa - 141.142.220.118 56056 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CGLPPc35OzDQij1XX8 - 141.142.220.118 55092 141.142.2.2 53 - -
-XXXXXXXXXX.XXXXXX confirmation protocol HTTP CwjjYJ2WqgTbAqiHl6 - 141.142.220.118 49997 208.80.152.3 80 - -
-XXXXXXXXXX.XXXXXX confirmation protocol HTTP C3eiCBGOLw3VtHfOj - 141.142.220.118 49996 208.80.152.3 80 - -
-XXXXXXXXXX.XXXXXX confirmation protocol HTTP Ck51lg1bScffFj34Ri - 141.142.220.118 49998 208.80.152.3 80 - -
-XXXXXXXXXX.XXXXXX confirmation protocol HTTP CykQaM33ztNt0csB9a - 141.142.220.118 49999 208.80.152.3 80 - -
-XXXXXXXXXX.XXXXXX confirmation protocol HTTP CtxTCR2Yer0FR1tIBg - 141.142.220.118 50000 208.80.152.3 80 - -
-XXXXXXXXXX.XXXXXX confirmation protocol HTTP CLNN1k2QMum1aexUK7 - 141.142.220.118 50001 208.80.152.3 80 - -
-XXXXXXXXXX.XXXXXX confirmation protocol HTTP CiyBAq1bBLNaTiTAc - 141.142.220.118 35642 208.80.152.2 80 - -
-XXXXXXXXXX.XXXXXX violation packet TEREDO Cipfzj1BEnhejw8cGf - 141.142.220.44 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00\x05gomez\x09_sftp-ssh\x04_tcp\x05local\x00
-XXXXXXXXXX.XXXXXX confirmation protocol DNS Cipfzj1BEnhejw8cGf - 141.142.220.44 5353 224.0.0.251 5353 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CV5WJ42jPYbNW9JNWf - 141.142.220.226 137 141.142.220.255 137 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CPhDKt12KQPUVbQz06 - fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CAnFrb2Cvxr5T7quOc - 141.142.220.226 55131 224.0.0.252 5355 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS C8rquZ3DjgNW06JGLl - fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CzrZOtXqhwwndQva3 - 141.142.220.226 55671 224.0.0.252 5355 - -
-XXXXXXXXXX.XXXXXX confirmation protocol DNS CaGCc13FffXe6RkQl9 - 141.142.220.238 56641 141.142.220.255 137 - -
+XXXXXXXXXX.XXXXXX confirmation protocol SOCKS ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 - -
+XXXXXXXXXX.XXXXXX confirmation protocol HTTP ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 - -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: out_of_bound: DCE_RPC_PDU:frag: -2665 > 31 -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-no-confirmations b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-no-confirmations
index a94122aa0c..ef8059b705 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-no-confirmations
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-no-confirmations
@@ -7,8 +7,12 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
 #types time string string string string string addr port addr port string string
-XXXXXXXXXX.XXXXXX violation packet TEREDO CHhAvVGS1DHFjwGM9 - 141.142.220.202 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06gemini\x09_sftp-ssh\x04_tcp\x05lo
-XXXXXXXXXX.XXXXXX violation packet TEREDO ClEkJM2Vm5giqnMf4h - fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 Bad Teredo encapsulation \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
-XXXXXXXXXX.XXXXXX violation packet TEREDO C4J4Th3PJpwUYZZ6gc - 141.142.220.50 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
-XXXXXXXXXX.XXXXXX violation packet TEREDO Cipfzj1BEnhejw8cGf - 141.142.220.44 5353 224.0.0.251 5353 Bad Teredo encapsulation \x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00\x05gomez\x09_sftp-ssh\x04_tcp\x05local\x00
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: out_of_bound: DCE_RPC_PDU:frag: -2665 > 31 -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/scripts/base/frameworks/analyzer/logging.zeek b/testing/btest/scripts/base/frameworks/analyzer/logging.zeek
index 02e5525374..6f8be11f24 100644
--- a/testing/btest/scripts/base/frameworks/analyzer/logging.zeek
+++ b/testing/btest/scripts/base/frameworks/analyzer/logging.zeek
@@ -1,11 +1,11 @@
-# @TEST-EXEC: zeek -b -r ${TRACES}/wikipedia.trace %INPUT
+# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT
 # @TEST-EXEC: mv analyzer.log analyzer.log-no-confirmations
 # @TEST-EXEC: btest-diff analyzer.log-no-confirmations
-# @TEST-EXEC: zeek -b -r ${TRACES}/wikipedia.trace %INPUT Analyzer::Logging::include_confirmations=T
+# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_confirmations=T
 # @TEST-EXEC: mv analyzer.log analyzer.log-include-confirmations
 # @TEST-EXEC: btest-diff analyzer.log-include-confirmations
 @load base/protocols/conn
 @load base/protocols/dns
-@load base/protocols/http
+@load base/protocols/socks