Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Changing what's escaped when printing.

Browse source 
With this patch the model is:

    - "print" cleans the data so that non-printable characters get
      escaped. This is not necessarily reversible.

    - to print in a reversible way, one can go through
      escape_string(); this escapes backslashes as well to make the
      decoding non-ambigious.

    - Logging always escapes similar to escape_string(), making it
      reversible.

Compared to master, we also change the escaping as follows:

    - We now only escape with "\xXX", no more "^X" or "\0". Exception:
      backslashes.

    - We escape backlashes as "\\".

    - There's no "alternative" output style anymore, i.e., fmt() '%A'
      qualifier is gone.

Baselines in testing/btest are updated, external tests not yet.

Addresses BIT-1333.
This commit is contained in:
Robin Sommer 2015-04-15 09:59:09 -07:00
parent e41c623ad0
commit 7344052b50
66 changed files with 397 additions and 349 deletions
Download patch file Download diff file Expand all files Collapse all files

15
src/BroString.cc
View file

@ -194,21 +194,6 @@ char* BroString::Render(int format, int* len) const
for ( int i = 0; i < n; ++i )
{
//if ( b[i] == '\0' && (format & ESC_NULL) )
// {
// *sp++ = '\\'; *sp++ = 'x'; *sp++ = '0'; *sp++ = '0';
// }
//
//else if ( b[i] == '\x7f' && (format & ESC_DEL) )
// {
// *sp++ = '^'; *sp++ = '?';
// }
//
//else if ( b[i] <= 26 && (format & ESC_LOW) )
// {
// *sp++ = '^'; *sp++ = b[i] + 'A' - 1;
// }
if ( b[i] == '\\' && (format & ESC_ESC) )
{
*sp++ = '\\'; *sp++ = '\\';

14
src/BroString.h
View file

@ -75,21 +75,17 @@ public:
enum render_style {
ESC_NONE = 0,
//ESC_NULL = (1 << 0), // 0 -> "\0"
//ESC_DEL = (1 << 1), // DEL -> "^?"
//ESC_LOW = (1 << 2), // values <= 26 mapped into "^[A-Z]"
ESC_ESC = (1 << 3), // '\' -> "\\"
ESC_QUOT = (1 << 4), // '"' -> "\"", ''' -> "\'"
ESC_HEX = (1 << 5), // Not in [32, 126]? -> "%XX"
ESC_DOT = (1 << 6), // Not in [32, 126]? -> "."
ESC_ESC = (1 << 1), // '\' -> "\\"
ESC_QUOT = (1 << 2), // '"' -> "\"", ''' -> "\'"
ESC_HEX = (1 << 3), // Not in [32, 126]? -> "\xXX"
ESC_DOT = (1 << 4), // Not in [32, 126]? -> "."
// For serialization: '<string len> <string>'
ESC_SER = (1 << 7),
};
static const int EXPANDED_STRING = // the original style
ESC_ESC | ESC_HEX;
ESC_HEX;
static const int BRO_STRING_LITERAL = // as in a Bro string literal
ESC_ESC | ESC_QUOT | ESC_HEX;

10
src/Desc.cc
View file

@ -181,13 +181,7 @@ void ODesc::AddBytes(const BroString* s)
AddBytes(reinterpret_cast<const char*>(s->Bytes()), s->Len());
else
{
int render_style = BroString::EXPANDED_STRING;
//if ( Style() == ALTERNATIVE_STYLE )
// // Only change NULs, since we can't in any case
// // cope with them.
// render_style = BroString::ESC_NULL;
const char* str = s->Render(render_style);
const char* str = s->Render(BroString::EXPANDED_STRING);
Add(str);
delete [] str;
}
@ -256,7 +250,7 @@ pair<const char*, size_t> ODesc::FirstEscapeLoc(const char* bytes, size_t n)
for ( size_t i = 0; i < n; ++i )
{
if ( ! isprint(bytes[i]) )
if ( ! isprint(bytes[i]) || bytes[i] == '\\' )
return escape_pos(bytes + i, 1);
size_t len = StartsWithEscapeSequence(bytes + i, bytes + n);

1
src/Desc.h
View file

@ -17,7 +17,6 @@ typedef enum {
typedef enum {
STANDARD_STYLE,
ALTERNATIVE_STYLE,
RAW_STYLE,
} desc_style;

6
src/bro.bif
View file

@ -129,12 +129,6 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
ODesc s;
if ( *fmt == 'A' )
{
s.SetStyle(ALTERNATIVE_STYLE);
++fmt;
}
if ( precision >= 0 && *fmt != 'e' && *fmt != 'f' && *fmt != 'g' )
builtin_error("precision specified for non-floating point");

29
src/strings.bif
View file

@ -888,12 +888,11 @@ function to_upper%(str: string%): string
## Replaces non-printable characters in a string with escaped sequences. The
## mappings are:
##
## - ``NUL`` to ``\0``
## - ``DEL`` to ``^?``
## - values <= 26 to ``^[A-Z]``
## - values not in *[32, 126]* to ``%XX``
## - values not in *[32, 126]* to ``\xXX``
##
## If the string does not yet have a trailing NUL, one is added.
## If the string does not yet have a trailing NUL, one is added internally.
##
## In contrast to :bro:id:`escape_string`, this encoding is *not* fully reversible.`
##
## str: The string to escape.
##
@ -909,10 +908,9 @@ function clean%(str: string%): string
## Replaces non-printable characters in a string with escaped sequences. The
## mappings are:
##
## - ``NUL`` to ``\0``
## - ``DEL`` to ``^?``
## - values <= 26 to ``^[A-Z]``
## - values not in *[32, 126]* to ``%XX``
## - values not in *[32, 126]* to ``\xXX``
## - ``\`` to ``\\``
## - ``'`` and ``""`` to ``\'`` and ``\"``, respectively.
##
## str: The string to escape.
##
@ -945,17 +943,22 @@ function is_ascii%(str: string%): bool
return new Val(1, TYPE_BOOL);
%}
## Creates a printable version of a string. This function is the same as
## :bro:id:`clean` except that non-printable characters are removed.
## Replaces non-printable characters in a string with escaped sequences. The
## mappings are:
##
## s: The string to escape.
## - values not in *[32, 126]* to ``\xXX``
## - ``\`` to ``\\``
##
## In contrast to :bro:id:`clean`, this encoding is fully reversible.`
##
## str: The string to escape.
##
## Returns: The escaped string.
##
## .. bro:see:: clean to_string_literal
function escape_string%(s: string%): string
%{
char* escstr = s->AsString()->Render();
char* escstr = s->AsString()->Render(BroString::ESC_HEX | BroString::ESC_ESC);
Val* val = new StringVal(escstr);
delete [] escstr;
return val;

12
src/util.cc
View file

@ -141,10 +141,16 @@ ODesc* get_escaped_string(ODesc* d, const char* str, size_t len,
if ( escape_all || isspace(c) || ! isascii(c) || ! isprint(c) )
{
char hex[4] = {'\\', 'x', '0', '0' };
bytetohex(c, hex + 2);
d->AddRaw(hex, 4);
if ( c == '\\' )
d->AddRaw("\\\\", 2);
else
{
char hex[4] = {'\\', 'x', '0', '0' };
bytetohex(c, hex + 2);
d->AddRaw(hex, 4);
}
}
else
d->AddRaw(&c, 1);
}

10
testing/btest/Baseline/bifs.escape_string/out
View file

@ -1,10 +1,10 @@
12
Test \0string
13
Test \0string
Test \x00string
15
Test \x00string
15
Test \x00string
15
Test \x00string
13
Test \0string
24
546573742000737472696e67

16
testing/btest/Baseline/bifs.fmt/out
View file

@ -35,8 +35,8 @@ test
*/^?(^foo|bar)$?/*
* Blue*
* [1, 2, 3]*
*{^J^I2,^J^I1,^J^I3^J}*
*{^J^I[2] = bro,^J^I[1] = test^J}*
*{\x0a\x092,\x0a\x091,\x0a\x093\x0a}*
*{\x0a\x09[2] = bro,\x0a\x09[1] = test\x0a}*
3.100000e+02
310.000000
310
@ -45,11 +45,11 @@ test
310
310
2
3
4
1
8
2
1
8
2
6
2
2
6
1
8

2
testing/btest/Baseline/bifs.hexdump/out
View file

@ -1 +1 @@
0000 61 62 63 ff 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f abc.defg hijklmno^J0010 70 71 72 73 74 75 76 77 78 79 7a pqrstuvw xyz^J
0000 61 62 63 ff 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f abc.defg hijklmno\x0a0010 70 71 72 73 74 75 76 77 78 79 7a pqrstuvw xyz\x0a

2
testing/btest/Baseline/bifs.hexstr_to_bytestring/out
View file

@ -1,4 +1,4 @@
04
\0
\x00

2
testing/btest/Baseline/bifs.netbios-functions/out
View file

@ -4,5 +4,5 @@ WORKGROUP
27
ISATAP
0
^A^B__MSBROWSE__^B
\x01\x02__MSBROWSE__\x02
1

6
testing/btest/Baseline/bifs.string_fill/out
View file

@ -1,3 +1,3 @@
*\0* 1
*t\0* 2
*test test\0* 10
*\x00* 1
*t\x00* 2
*test test\x00* 10

2
testing/btest/Baseline/broker.clone_store/clone.clone.out
View file

@ -1,5 +1,5 @@
clone keys, [status=BrokerStore::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
lookup, one, [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]]
lookup, two, [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
lookup, myset, [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]]
lookup, two, [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
lookup, myvec, [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]

8
testing/btest/Baseline/core.icmp.icmp-events/output
View file

@ -6,15 +6,15 @@ icmp_time_exceeded (code=0)
conn_id: [orig_h=10.0.0.1, orig_p=11/icmp, resp_h=10.0.0.2, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=10.0.0.2, itype=11, icode=0, len=32, hlim=64, v6=F]
icmp_context: [id=[orig_h=10.0.0.2, orig_p=30000/udp, resp_h=10.0.0.1, resp_p=13000/udp], len=32, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F]
icmp_echo_request (id=34844, seq=0, payload=O\x85\xe0C\0^N\xeb\xff^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
icmp_echo_request (id=34844, seq=0, payload=O\x85\xe0C\x00\x0e\xeb\xff\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F]
icmp_echo_reply (id=34844, seq=0, payload=O\x85\xe0C\0^N\xeb\xff^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
icmp_echo_reply (id=34844, seq=0, payload=O\x85\xe0C\x00\x0e\xeb\xff\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F]
icmp_echo_request (id=34844, seq=1, payload=O\x85\xe0D\0^N\xf0}^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
icmp_echo_request (id=34844, seq=1, payload=O\x85\xe0D\x00\x0e\xf0}\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F]
icmp_echo_reply (id=34844, seq=1, payload=O\x85\xe0D\0^N\xf0}^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
icmp_echo_reply (id=34844, seq=1, payload=O\x85\xe0D\x00\x0e\xf0}\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./01234567)
conn_id: [orig_h=10.0.0.1, orig_p=8/icmp, resp_h=74.125.225.99, resp_p=0/icmp]
icmp_conn: [orig_h=10.0.0.1, resp_h=74.125.225.99, itype=8, icode=0, len=56, hlim=64, v6=F]

12
testing/btest/Baseline/core.icmp.icmp6-nd-options/output
View file

@ -1,28 +1,28 @@
icmp_redirect options
[otype=4, len=8, link_address=<uninitialized>, prefix=<uninitialized>, redirect=[id=[orig_h=fe80::aaaa, orig_p=30000/udp, resp_h=fe80::bbbb, resp_p=13000/udp], len=56, proto=2, frag_offset=0, bad_hdr_len=F, bad_checksum=F, MF=F, DF=F], mtu=<uninitialized>, payload=<uninitialized>]
icmp_neighbor_advertisement options
[otype=2, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
[otype=2, len=1, link_address=\xc2\x00T\xf5\x00\x00, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
icmp_router_advertisement options
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
[otype=1, len=1, link_address=\xc2\x00T\xf5\x00\x00, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
icmp_neighbor_advertisement options
[otype=2, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
[otype=2, len=1, link_address=\xc2\x00T\xf5\x00\x00, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
icmp_router_advertisement options
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
[otype=1, len=1, link_address=\xc2\x00T\xf5\x00\x00, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
icmp_router_advertisement options
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
[otype=1, len=1, link_address=\xc2\x00T\xf5\x00\x00, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
icmp_router_advertisement options
[otype=1, len=1, link_address=\xc2\0T\xf5\0\0, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
[otype=1, len=1, link_address=\xc2\x00T\xf5\x00\x00, prefix=<uninitialized>, redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]
MAC: c20054f50000
[otype=5, len=1, link_address=<uninitialized>, prefix=<uninitialized>, redirect=<uninitialized>, mtu=1500, payload=<uninitialized>]
[otype=3, len=4, link_address=<uninitialized>, prefix=[prefix_len=64, L_flag=T, A_flag=T, valid_lifetime=30.0 days, preferred_lifetime=7.0 days, prefix=2001:db8:0:1::], redirect=<uninitialized>, mtu=<uninitialized>, payload=<uninitialized>]

2
testing/btest/Baseline/core.ipv6_ext_headers/output
View file

@ -1,3 +1,3 @@
weird routing0_hdr from 2001:4f8:4:7:2e0:81ff:fe52:ffff to 2001:78:1:32::2
[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=53/udp, resp_h=2001:78:1:32::2, resp_p=53/udp]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=59, nxt=0, hlim=64, src=2001:4f8:4:7:2e0:81ff:fe52:ffff, dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b, exts=[[id=0, hopopts=[nxt=43, len=0, options=[[otype=1, len=4, data=\0\0\0\0]]], dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>], [id=43, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=[nxt=17, len=4, rtype=0, segleft=2, data=\0\0\0\0 ^A\0x\0^A\02\0\0\0\0\0\0\0^A ^A\0x\0^A\02\0\0\0\0\0\0\0^B], fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>]]], tcp=<uninitialized>, udp=[sport=53/udp, dport=53/udp, ulen=11], icmp=<uninitialized>]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=59, nxt=0, hlim=64, src=2001:4f8:4:7:2e0:81ff:fe52:ffff, dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b, exts=[[id=0, hopopts=[nxt=43, len=0, options=[[otype=1, len=4, data=\x00\x00\x00\x00]]], dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>], [id=43, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=[nxt=17, len=4, rtype=0, segleft=2, data=\x00\x00\x00\x00 \x01\x00x\x00\x01\x002\x00\x00\x00\x00\x00\x00\x00\x01 \x01\x00x\x00\x01\x002\x00\x00\x00\x00\x00\x00\x00\x02], fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>]]], tcp=<uninitialized>, udp=[sport=53/udp, dport=53/udp, ulen=11], icmp=<uninitialized>]

4
testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path conn
#open 2015-02-23-21-32-56
#open 2015-04-15-23-53-28
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1395939406.175845 CjhGID4nQcgTWjvg4c 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 (empty)
1395939411.361078 CCvvfg3TEfuqmmG4bh 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 (empty)
1395939399.984671 CXWv6p3arKYeMETxOg 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 (empty)
#close 2015-02-23-21-32-56
#close 2015-04-15-23-53-28

4
testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path files
#open 2014-04-09-16-44-53
#open 2015-04-15-23-53-28
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
1395939406.177079 FAb5m22Dhe2Zi95anf 192.168.56.101 192.168.56.1 CjhGID4nQcgTWjvg4c FTP_DATA 0 DATA_EVENT text/plain - 0.000000 - F 270 - 0 0 F - - - - -
1395939411.364462 FhI0ao2FNTjabdfSBd 192.168.56.101 192.168.56.1 CCvvfg3TEfuqmmG4bh FTP_DATA 0 DATA_EVENT text/plain - 150.490904 - F 23822 - 5416642848 0 F - - - - -
#close 2014-04-09-16-44-54
#close 2015-04-15-23-53-28

22
testing/btest/Baseline/core.tcp.large-file-reassembly/out
View file

File diff suppressed because one or more lines are too long

8
testing/btest/Baseline/core.tunnels.gtp.pdp_ctx_messages/out
View file

@ -2,12 +2,12 @@ gtpv1_message, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, re
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=137, teid=0, seq=4875, n_pdu=0, next_type=0]
gtp create request, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=137, teid=0, seq=4875, n_pdu=0, next_type=0]
[imsi=460004100000101, rai=[mcc=460, mnc=6, lac=65534, rac=255], recovery=176, select_mode=1, data1=854600697, cp=854600697, nsapi=5, linked_nsapi=<uninitialized>, charge_character=<uninitialized>, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=^Feetest, opts=\x80\x80!^V^A^A\0^V^C^F\0\0\0\0\x81^F\0\0\0\0\x83^F\0\0\0\0, signal_addr=[ip=192.169.100.1, other=<uninitialized>], user_addr=[ip=192.169.100.1, other=<uninitialized>], msisdn=\x91hQ"^A\0^A\xf1, qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=[id=10923, value=^B^A^C]]
[imsi=460004100000101, rai=[mcc=460, mnc=6, lac=65534, rac=255], recovery=176, select_mode=1, data1=854600697, cp=854600697, nsapi=5, linked_nsapi=<uninitialized>, charge_character=<uninitialized>, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=\x06eetest, opts=\x80\x80!\x16\x01\x01\x00\x16\x03\x06\x00\x00\x00\x00\x81\x06\x00\x00\x00\x00\x83\x06\x00\x00\x00\x00, signal_addr=[ip=192.169.100.1, other=<uninitialized>], user_addr=[ip=192.169.100.1, other=<uninitialized>], msisdn=\x91hQ"\x01\x00\x01\xf1, qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=[id=10923, value=\x02\x01\x03]]
gtpv1_message, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=101, teid=854600697, seq=4875, n_pdu=0, next_type=0]
gtp create response, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=101, teid=854600697, seq=4875, n_pdu=0, next_type=0]
[cause=128, reorder_req=F, recovery=24, data1=268435589, cp=268435584, charging_id=103000009, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.252.130, pdp_other_addr=<uninitialized>], opts=\x80\x80!^P^D^A\0^P\x81^F\0\0\0\0\x83^F\0\0\0\0\x80!^J^C^A\0^J^C^F\xc0\xa8\xfc\x82, cp_addr=[ip=10.100.200.34, other=<uninitialized>], user_addr=[ip=10.100.200.49, other=<uninitialized>], qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], charge_gateway=<uninitialized>, ext=<uninitialized>]
[cause=128, reorder_req=F, recovery=24, data1=268435589, cp=268435584, charging_id=103000009, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.252.130, pdp_other_addr=<uninitialized>], opts=\x80\x80!\x10\x04\x01\x00\x10\x81\x06\x00\x00\x00\x00\x83\x06\x00\x00\x00\x00\x80!\x0a\x03\x01\x00\x0a\x03\x06\xc0\xa8\xfc\x82, cp_addr=[ip=10.100.200.34, other=<uninitialized>], user_addr=[ip=10.100.200.49, other=<uninitialized>], qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], charge_gateway=<uninitialized>, ext=<uninitialized>]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=1, length=4, teid=0, seq=3072, n_pdu=0, next_type=0]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
@ -16,9 +16,9 @@ gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=104, teid=0, seq=3073, n_pdu=0, next_type=0]
gtp create request, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=104, teid=0, seq=3073, n_pdu=0, next_type=0]
[imsi=240010123456789, rai=<uninitialized>, recovery=3, select_mode=1, data1=1, cp=1, nsapi=0, linked_nsapi=<uninitialized>, charge_character=2048, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=^Hinternet, opts=\x80\xc0#^Q^A^A\0^Q^Cmig^Hhemmelig, signal_addr=[ip=127.0.0.2, other=<uninitialized>], user_addr=[ip=127.0.0.2, other=<uninitialized>], msisdn=\x91d^G^R2T\xf6, qos_prof=[priority=0, data=^K\x92\x1f], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=<uninitialized>]
[imsi=240010123456789, rai=<uninitialized>, recovery=3, select_mode=1, data1=1, cp=1, nsapi=0, linked_nsapi=<uninitialized>, charge_character=2048, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=\x08internet, opts=\x80\xc0#\x11\x01\x01\x00\x11\x03mig\x08hemmelig, signal_addr=[ip=127.0.0.2, other=<uninitialized>], user_addr=[ip=127.0.0.2, other=<uninitialized>], msisdn=\x91d\x07\x122T\xf6, qos_prof=[priority=0, data=\x0b\x92\x1f], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=<uninitialized>]
gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=78, teid=1, seq=3073, n_pdu=0, next_type=0]
gtp create response, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=78, teid=1, seq=3073, n_pdu=0, next_type=0]
[cause=128, reorder_req=F, recovery=1, data1=1, cp=1, charging_id=1, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.0.2, pdp_other_addr=<uninitialized>], opts=\x80\x80!^P^B\0\0^P\x81^F\0\0\0\0\x83^F\0\0\0\0, cp_addr=[ip=127.0.0.1, other=<uninitialized>], user_addr=[ip=127.0.0.1, other=<uninitialized>], qos_prof=[priority=0, data=^K\x92\x1f], charge_gateway=<uninitialized>, ext=<uninitialized>]
[cause=128, reorder_req=F, recovery=1, data1=1, cp=1, charging_id=1, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.0.2, pdp_other_addr=<uninitialized>], opts=\x80\x80!\x10\x02\x00\x00\x10\x81\x06\x00\x00\x00\x00\x83\x06\x00\x00\x00\x00, cp_addr=[ip=127.0.0.1, other=<uninitialized>], user_addr=[ip=127.0.0.1, other=<uninitialized>], qos_prof=[priority=0, data=\x0b\x92\x1f], charge_gateway=<uninitialized>, ext=<uninitialized>]

6
testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path dpd
#open 2013-08-26-19-02-18
#open 2015-04-15-23-53-30
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
1333458853.075889 CXWv6p3arKYeMETxOg 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [0\xff\x00\xac\x98\x13\x01LE\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eV...]
#close 2013-08-26-19-02-18
1333458853.075889 CXWv6p3arKYeMETxOg 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [0\\xff\\x00\\xac\\x98\\x13\\x01LE\\x00\\x05\\xc8G\\xea@\\x00\\x80\\x06\\xb6\\x83\\x0a\\x83w&\\xd9\\x14\\x9c\\x04\\xd9\\xc2\\x00P\\xddh\\xb4\\x8f41eV...]
#close 2015-04-15-23-53-30

4
testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path tunnel
#open 2013-08-26-19-35-01
#open 2015-04-15-23-53-30
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1333458853.034734 CXWv6p3arKYeMETxOg 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458853.108391 CXWv6p3arKYeMETxOg 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::CLOSE
#close 2013-08-26-19-35-01
#close 2015-04-15-23-53-30

18
testing/btest/Baseline/doc.sphinx.data_type_time/btest-doc.sphinx.data_type_time#1
View file

@ -5,13 +5,13 @@
:emphasize-lines: 1,1
# bro -r wikipedia.trace data_type_time.bro
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118^J
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2^J
2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128^J
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2\x0a
2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128\x0a

4
testing/btest/Baseline/plugins.file/output
View file

@ -6,7 +6,7 @@ Demo::Foo - A Foo test analyzer (dynamic, version 1.0)
foo_piece, FGy9Oo9JLY8SFxMJ2, The National Center
foo_piece, FGy9Oo9JLY8SFxMJ2, net, consult your lo
foo_piece, FGy9Oo9JLY8SFxMJ2, most everything else
foo_piece, FGy9Oo9JLY8SFxMJ2, low:^J^J /Mac
foo_piece, FGy9Oo9JLY8SFxMJ2, low:\x0a\x0a /Mac
foo_piece, FGy9Oo9JLY8SFxMJ2, es and directories o
foo_piece, FGy9Oo9JLY8SFxMJ2, r example, here is a
foo_piece, FGy9Oo9JLY8SFxMJ2, application, StuffIt
@ -14,4 +14,4 @@ foo_piece, FGy9Oo9JLY8SFxMJ2, tion BinHex by doubl
foo_piece, FGy9Oo9JLY8SFxMJ2, laced, or are going
foo_piece, FGy9Oo9JLY8SFxMJ2, sers several documen
foo_piece, FGy9Oo9JLY8SFxMJ2, er or can be printed
foo_piece, FGy9Oo9JLY8SFxMJ2, ^J^JBug reports shoul
foo_piece, FGy9Oo9JLY8SFxMJ2, \x0a\x0aBug reports shoul

2
testing/btest/Baseline/plugins.protocol/output
View file

@ -3,4 +3,4 @@ Demo::Foo - A Foo test analyzer (dynamic, version 1.0)
[Event] foo_message
===
foo_message, [orig_h=::1, orig_p=37927/tcp, resp_h=::1, resp_p=4242/tcp], Hello, Foo!^J
foo_message, [orig_h=::1, orig_p=37927/tcp, resp_h=::1, resp_p=4242/tcp], Hello, Foo!\x0a

6
testing/btest/Baseline/scripts.base.files.unified2.alert/unified2.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path unified2
#open 2013-08-13-07-16-01
#open 2015-04-15-23-53-40
#fields ts id.src_ip id.src_p id.dst_ip id.dst_p sensor_id signature_id signature generator_id generator signature_revision classification_id classification priority_id event_id packet
#types time addr port addr port count count string count string count count string count count string
1323827323.000000 192.168.1.72 50185 74.125.225.49 80 0 2003058 ET MALWARE 180solutions (Zango) Spyware Installer Download 1 snort general alert 5 21 trojan-activity 1 2 \xd80bH\xc5\xb5x\xca9\xb7\xe4r\x08\x00E\x10\x00\\x1a\xce@\x00@\x062\x1f\xc0\xa8\x01HJ}\xe11\xc4\x09\x00P*\xa8bv]z/\xde\x80\x18\x82+\x88,\x00\x00\x01\x01\x08\x0a\x17J\x83Q\xfe\xad\xac\x1aGET /Zango/ZangoInstaller.exe HTTP/1.0\x0d\x0a
1323827323.000000 192.168.1.72 50185 74.125.225.49 80 0 2003058 ET MALWARE 180solutions (Zango) Spyware Installer Download 1 snort general alert 5 21 trojan-activity 1 2 \xd80bH\xc5\xb5x\xca9\xb7\xe4r\x08\x00E\x10\x00\\\x1a\xce@\x00@\x062\x1f\xc0\xa8\x01HJ}\xe11\xc4\x09\x00P*\xa8bv]z/\xde\x80\x18\x82+\x88,\x00\x00\x01\x01\x08\x0a\x17J\x83Q\xfe\xad\xac\x1aGET /Zango/ZangoInstaller.exe HTTP/1.0\x0d\x0a
1323827344.000000 192.168.1.72 49862 199.47.216.144 80 0 2012647 ET POLICY Dropbox.com Offsite File Backup in Use 1 snort general alert 3 33 policy-violation 1 3 \xd80bH\xc5\xb5x\xca9\xb7\xe4r\x08\x00E\x00\x00\xf8Q\xdf@\x00@\x06\x86p\xc0\xa8\x01H\xc7/\xd8\x90\xc2\xc6\x00P\x9cm\x97U\xf07\x084\x80\x18\x82\x18%<\x00\x00\x01\x01\x08\x0a\x17J\xd7\xde\x00\x92\x81\xc5GET /subscribe?host_int=43112345&ns_map=123456_1234524412104916591&ts=1323827344 HTTP/1.1\x0d\x0aHost: notify1.dropbox.com\x0d\x0aAccept-Encoding: identity\x0d\x0aConnection: keep-alive\x0d\x0aX-Dropbox-Locale: en_US\x0d\x0a\x0d\x0a
#close 2013-08-13-07-16-01
#close 2015-04-15-23-53-40

18
testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
View file

@ -1,19 +1,19 @@
FILE_NEW
file #0, 0, 0
FILE_OVER_NEW_CONNECTION
file_stream, file #0, 1146, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J
file_chunk, file #0, 1146, 0, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J
file_stream, file #0, 1448, rather than all. (Robin Sommer)^J^J * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J * Little fix for make-release script, which could pick out the wrong^J tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J * Bugfix in update-changes script. (Robin Sommer)^J^J * update-changes now ignores commits it did itself. (Robin Sommer)^J^J * Fix a bug in the update-changes script. (Robin Sommer)^J^J * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J * Options to adjust time format for bro-cut. (Robin Sommer)^J^J The default with -d is now ISO format. The new option "-D <fmt>"^J specifies a custom strftime()-style format string. Alternatively,^J the environment variable BRO_CUT_TIMEFMT can set the format as^J well.^J^J * bro-cut now understands the field separator header. (Robin Sommer)^J^J * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J * Adding support for replacing version string in a setup.py. (Robin^J Sommer)^J^J * Change generated root cert DN indices format for RFC2253^J compliance. (Jon Siwek)^J^J * New tool devel-tool
file_chunk, file #0, 1448, 1146, rather than all. (Robin Sommer)^J^J * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J * Little fix for make-release script, which could pick out the wrong^J tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J * Bugfix in update-changes script. (Robin Sommer)^J^J * update-changes now ignores commits it did itself. (Robin Sommer)^J^J * Fix a bug in the update-changes script. (Robin Sommer)^J^J * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J * Options to adjust time format for bro-cut. (Robin Sommer)^J^J The default with -d is now ISO format. The new option "-D <fmt>"^J specifies a custom strftime()-style format string. Alternatively,^J the environment variable BRO_CUT_TIMEFMT can set the format as^J well.^J^J * bro-cut now understands the field separator header. (Robin Sommer)^J^J * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J * Adding support for replacing version string in a setup.py. (Robin^J Sommer)^J^J * Change generated root cert DN indices format for RFC2253^J compliance. (Jon Siwek)^J^J * New tool devel-tool
file_stream, file #0, 1448, s/check-release to run before making releases.^J (Robin Sommer)^J^J * devel-tools/update-changes gets a new option -a to amend to^J previous commit if possible. Default is now not to (used to be the^J opposite). (Robin Sommer)^J^J * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J * Change distclean to only remove build dir. (Jon Siwek)^J^J * Make dist now cleans the copied source (Jon Siwek)^J^J * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J * Fix to not let updates scripts loose their executable permissions.^J (Robin Sommer)^J^J * devel-tools/update-changes now looks for a 'release' tag to^J idenfify the stable version, and 'beta' for the beta versions.^J (Robin Sommer).^J^J * Distribution cleanup. (Robin Sommer)^J^J * New script devel-tools/make-release to create source tar balls.^J (Robin Sommer)^J^J * Removing bdcat. With the new log format, this isn't very useful^J anymore. (Robin Sommer)^J^J * Adding script that shows all pending git fastpath commits. (Robin^J Sommer)^J^J * Script to measure CPU time by loading an increasing set of^J scripts. (Robin Sommer)^J^J * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J * Tiny update to output a valid CA list file for SSL cert^J validation. (Seth Hall)^J^J * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J * FindPCAP now links against
file_chunk, file #0, 1448, 2594, s/check-release to run before making releases.^J (Robin Sommer)^J^J * devel-tools/update-changes gets a new option -a to amend to^J previous commit if possible. Default is now not to (used to be the^J opposite). (Robin Sommer)^J^J * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J * Change distclean to only remove build dir. (Jon Siwek)^J^J * Make dist now cleans the copied source (Jon Siwek)^J^J * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J * Fix to not let updates scripts loose their executable permissions.^J (Robin Sommer)^J^J * devel-tools/update-changes now looks for a 'release' tag to^J idenfify the stable version, and 'beta' for the beta versions.^J (Robin Sommer).^J^J * Distribution cleanup. (Robin Sommer)^J^J * New script devel-tools/make-release to create source tar balls.^J (Robin Sommer)^J^J * Removing bdcat. With the new log format, this isn't very useful^J anymore. (Robin Sommer)^J^J * Adding script that shows all pending git fastpath commits. (Robin^J Sommer)^J^J * Script to measure CPU time by loading an increasing set of^J scripts. (Robin Sommer)^J^J * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J * Tiny update to output a valid CA list file for SSL cert^J validation. (Seth Hall)^J^J * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J * FindPCAP now links against
file_stream, file #0, 663, thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J^J * Removing cf/hf/ca-* from distribution. The README has a note where^J to find them now. (Robin Sommer)^J^J * General cleanup. (Robin Sommer)^J^J * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
file_chunk, file #0, 663, 4042, thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J^J * Removing cf/hf/ca-* from distribution. The README has a note where^J to find them now. (Robin Sommer)^J^J * General cleanup. (Robin Sommer)^J^J * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
file_stream, file #0, 1146, \x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a * Tweaks to release scripts, plus a new one for signing files.\x0a (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a * bro-cut extensions and fixes. (Robin Sommer)\x0a \x0a - If no field names are given on the command line, we now pass through\x0a all fields. Adresses #657.\x0a\x0a - Removing some GNUism from awk script. Addresses #653.\x0a\x0a - Added option for time output in UTC. Addresses #668.\x0a\x0a - Added output field separator option -F. Addresses #649.\x0a\x0a - Fixing option -c: only some header lines were passed through\x0a
file_chunk, file #0, 1146, 0, \x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a * Tweaks to release scripts, plus a new one for signing files.\x0a (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a * bro-cut extensions and fixes. (Robin Sommer)\x0a \x0a - If no field names are given on the command line, we now pass through\x0a all fields. Adresses #657.\x0a\x0a - Removing some GNUism from awk script. Addresses #653.\x0a\x0a - Added option for time output in UTC. Addresses #668.\x0a\x0a - Added output field separator option -F. Addresses #649.\x0a\x0a - Fixing option -c: only some header lines were passed through\x0a
file_stream, file #0, 1448, rather than all. (Robin Sommer)\x0a\x0a * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a * Little fix for make-release script, which could pick out the wrong\x0a tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a The default with -d is now ISO format. The new option "-D <fmt>"\x0a specifies a custom strftime()-style format string. Alternatively,\x0a the environment variable BRO_CUT_TIMEFMT can set the format as\x0a well.\x0a\x0a * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a * Adding support for replacing version string in a setup.py. (Robin\x0a Sommer)\x0a\x0a * Change generated root cert DN indices format for RFC2253\x0a compliance. (Jon Siwek)\x0a\x0a * New tool devel-tool
file_chunk, file #0, 1448, 1146, rather than all. (Robin Sommer)\x0a\x0a * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a * Little fix for make-release script, which could pick out the wrong\x0a tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a The default with -d is now ISO format. The new option "-D <fmt>"\x0a specifies a custom strftime()-style format string. Alternatively,\x0a the environment variable BRO_CUT_TIMEFMT can set the format as\x0a well.\x0a\x0a * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a * Adding support for replacing version string in a setup.py. (Robin\x0a Sommer)\x0a\x0a * Change generated root cert DN indices format for RFC2253\x0a compliance. (Jon Siwek)\x0a\x0a * New tool devel-tool
file_stream, file #0, 1448, s/check-release to run before making releases.\x0a (Robin Sommer)\x0a\x0a * devel-tools/update-changes gets a new option -a to amend to\x0a previous commit if possible. Default is now not to (used to be the\x0a opposite). (Robin Sommer)\x0a\x0a * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a * Fix to not let updates scripts loose their executable permissions.\x0a (Robin Sommer)\x0a\x0a * devel-tools/update-changes now looks for a 'release' tag to\x0a idenfify the stable version, and 'beta' for the beta versions.\x0a (Robin Sommer).\x0a\x0a * Distribution cleanup. (Robin Sommer)\x0a\x0a * New script devel-tools/make-release to create source tar balls.\x0a (Robin Sommer)\x0a\x0a * Removing bdcat. With the new log format, this isn't very useful\x0a anymore. (Robin Sommer)\x0a\x0a * Adding script that shows all pending git fastpath commits. (Robin\x0a Sommer)\x0a\x0a * Script to measure CPU time by loading an increasing set of\x0a scripts. (Robin Sommer)\x0a\x0a * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a * Tiny update to output a valid CA list file for SSL cert\x0a validation. (Seth Hall)\x0a\x0a * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a * FindPCAP now links against
file_chunk, file #0, 1448, 2594, s/check-release to run before making releases.\x0a (Robin Sommer)\x0a\x0a * devel-tools/update-changes gets a new option -a to amend to\x0a previous commit if possible. Default is now not to (used to be the\x0a opposite). (Robin Sommer)\x0a\x0a * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a * Fix to not let updates scripts loose their executable permissions.\x0a (Robin Sommer)\x0a\x0a * devel-tools/update-changes now looks for a 'release' tag to\x0a idenfify the stable version, and 'beta' for the beta versions.\x0a (Robin Sommer).\x0a\x0a * Distribution cleanup. (Robin Sommer)\x0a\x0a * New script devel-tools/make-release to create source tar balls.\x0a (Robin Sommer)\x0a\x0a * Removing bdcat. With the new log format, this isn't very useful\x0a anymore. (Robin Sommer)\x0a\x0a * Adding script that shows all pending git fastpath commits. (Robin\x0a Sommer)\x0a\x0a * Script to measure CPU time by loading an increasing set of\x0a scripts. (Robin Sommer)\x0a\x0a * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a * Tiny update to output a valid CA list file for SSL cert\x0a validation. (Seth Hall)\x0a\x0a * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a * FindPCAP now links against
file_stream, file #0, 663, thread library when necessary (e.g.\x0a PF_RING's libpcap) (Jon Siwek)\x0a\x0a * Install binaries with an RPATH (Jon Siwek)\x0a\x0a * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a * Converting build process to CMake. (Jon Siwek)\x0a\x0a * Removing cf/hf/ca-* from distribution. The README has a note where\x0a to find them now. (Robin Sommer)\x0a\x0a * General cleanup. (Robin Sommer)\x0a\x0a * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a
file_chunk, file #0, 663, 4042, thread library when necessary (e.g.\x0a PF_RING's libpcap) (Jon Siwek)\x0a\x0a * Install binaries with an RPATH (Jon Siwek)\x0a\x0a * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a * Converting build process to CMake. (Jon Siwek)\x0a\x0a * Removing cf/hf/ca-* from distribution. The README has a note where\x0a to find them now. (Robin Sommer)\x0a\x0a * General cleanup. (Robin Sommer)\x0a\x0a * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a
FILE_STATE_REMOVE
file #0, 4705, 0
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
FILE_BOF_BUFFER
^J0.26 | 201
\x0a0.26 | 201
MIME_TYPE
text/plain
total bytes: 4705

2
testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out
View file

@ -5,7 +5,7 @@ FILE_STATE_REMOVE
file #0, 4705, 0
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
FILE_BOF_BUFFER
^J0.26 | 201
\x0a0.26 | 201
MIME_TYPE
text/plain
total bytes: 4705

4
testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
View file

@ -5,7 +5,7 @@ FILE_STATE_REMOVE
file #0, 1022920, 0
[orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
FILE_BOF_BUFFER
MZ\x90\0^C\0\0\0^D\0\0
MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00
MIME_TYPE
application/x-dosexec
total bytes: 1022920
@ -23,6 +23,6 @@ FILE_STATE_REMOVE
file #1, 206024, 816896
[orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
FILE_BOF_BUFFER
\x1b\xb8=\xb1\xff^PU^P\xce\xc3^
\x1b\xb8=\xb1\xff\x10U\x10\xce\xc3^
total bytes: 1022920
source: HTTP

2
testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get-gzip.out
View file

@ -5,7 +5,7 @@ FILE_STATE_REMOVE
file #0, 197, 0
[orig_h=141.142.228.5, orig_p=50153/tcp, resp_h=54.243.118.187, resp_p=80/tcp]
FILE_BOF_BUFFER
{^J "origin
{\x0a "origin
MIME_TYPE
text/plain
source: HTTP

2
testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/get.out
View file

@ -5,7 +5,7 @@ FILE_STATE_REMOVE
file #0, 4705, 0
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
FILE_BOF_BUFFER
^J0.26 | 201
\x0a0.26 | 201
MIME_TYPE
text/plain
total bytes: 4705

2
testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
View file

@ -41,7 +41,7 @@ FILE_STATE_REMOVE
file #3, 465, 0
[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
FILE_BOF_BUFFER
{^J "data":
{\x0a "data":
MIME_TYPE
text/plain
total bytes: 465

2
testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out
View file

@ -7,7 +7,7 @@ file #0, 555523, 0
[orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp]
[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp]
FILE_BOF_BUFFER
%PDF-1.4^J%\xd0
%PDF-1.4\x0a%\xd0
MIME_TYPE
application/pdf
total bytes: 555523

4
testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
View file

@ -5,7 +5,7 @@ FILE_STATE_REMOVE
file #0, 1022920, 0
[orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
FILE_BOF_BUFFER
MZ\x90\0^C\0\0\0^D\0\0
MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00
MIME_TYPE
application/x-dosexec
total bytes: 1022920
@ -22,6 +22,6 @@ FILE_STATE_REMOVE
file #1, 206024, 816896
[orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
FILE_BOF_BUFFER
\x1b\xb8=\xb1\xff^PU^P\xce\xc3^
\x1b\xb8=\xb1\xff\x10U\x10\xce\xc3^
total bytes: 1022920
source: HTTP

2
testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
View file

@ -7,7 +7,7 @@ file #0, 498668, 0
[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
[orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
FILE_BOF_BUFFER
%PDF-1.4^M%\xe2
%PDF-1.4\x0d%\xe2
MIME_TYPE
application/pdf
total bytes: 498668

8
testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/out
View file

@ -5,7 +5,7 @@ FILE_STATE_REMOVE
file #0, 2675, 0
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
FILE_BOF_BUFFER
/*^J********
/*\x0a********
MIME_TYPE
text/plain
source: HTTP
@ -33,7 +33,7 @@ FILE_STATE_REMOVE
file #2, 94, 0
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
FILE_BOF_BUFFER
GIF89a^D\0^D\0\xb3
GIF89a\x04\x00\x04\x00\xb3
MIME_TYPE
image/gif
total bytes: 94
@ -48,7 +48,7 @@ FILE_STATE_REMOVE
file #3, 2349, 0
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
FILE_BOF_BUFFER
\x89PNG^M^J^Z^J\0\0\0
\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00
MIME_TYPE
image/png
total bytes: 2349
@ -63,7 +63,7 @@ FILE_STATE_REMOVE
file #4, 27579, 0
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
FILE_BOF_BUFFER
\x89PNG^M^J^Z^J\0\0\0
\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00
MIME_TYPE
image/png
total bytes: 27579

2
testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/out
View file

@ -20,7 +20,7 @@ FILE_STATE_REMOVE
file #1, 366, 0
[orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp]
FILE_BOF_BUFFER
{^J "origin
{\x0a "origin
MIME_TYPE
text/plain
total bytes: 366

4
testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out
View file

@ -8,7 +8,7 @@ FILE_STATE_REMOVE
file #1, 124, 0
[orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
FILE_BOF_BUFFER
\0\0^Ex\0\0^J\xf0\0\0^P
\x00\x00\x05x\x00\x00\x0a\xf0\x00\x00\x10
source: IRC_DATA
MD5: 35288fd50a74c7d675909ff83424d7a1
SHA1: 8a98f177cb47e6bf771bf57c2f7e94c4b5e79ffa
@ -17,7 +17,7 @@ FILE_STATE_REMOVE
file #0, 42208, 0
[orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
FILE_BOF_BUFFER
PK^C^D^T\0\0\0^H\0\xae
PK\x03\x04\x14\x00\x00\x00\x08\x00\xae
MIME_TYPE
application/zip
source: IRC_DATA

2
testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out
View file

@ -5,7 +5,7 @@ FILE_STATE_REMOVE
file #0, 77, 0
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
FILE_BOF_BUFFER
Hello^M^J^M^J ^M
Hello\x0d\x0a\x0d\x0a \x0d
MIME_TYPE
text/plain
source: SMTP

2
testing/btest/Baseline/scripts.base.frameworks.input.binary/out
View file

@ -1,4 +1,4 @@
abc^J\xffdef
abc\x0a\xffdef
DATA2
abc|\xffdef
DATA2

10
testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out
View file

@ -1,20 +1,20 @@
Input::EVENT_NEW, cat |, input0
hello
Input::EVENT_NEW, cat |, input0
there^A^B^C^D^E^A^B^Cyay0
there\x01\x02\x03\x04\x05\x01\x02\x03yay0
Input::EVENT_NEW, cat |, input1
hello
Input::EVENT_NEW, cat |, input1
there^A^B^C^D^E^A^B^Cyay01
there\x01\x02\x03\x04\x05\x01\x02\x03yay01
Input::EVENT_NEW, cat |, input2
hello
Input::EVENT_NEW, cat |, input2
there^A^B^C^D^E^A^B^Cyay012
there\x01\x02\x03\x04\x05\x01\x02\x03yay012
Input::EVENT_NEW, cat |, input3
hello
Input::EVENT_NEW, cat |, input3
there^A^B^C^D^E^A^B^Cyay0123
there\x01\x02\x03\x04\x05\x01\x02\x03yay0123
Input::EVENT_NEW, cat |, input4
hello
Input::EVENT_NEW, cat |, input4
there^A^B^C^D^E^A^B^Cyay01234
there\x01\x02\x03\x04\x05\x01\x02\x03yay01234

10
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-binary/output Normal file
View file

@ -0,0 +1,10 @@
AB\x00CD\x00
AB\xffCD\x00
AB\xffCD\x00
abc\x00def
foo \xc2\xae bar \xc2\xae baz
foo\x00bar\0baz
foo \x0e bar ^N baz

18
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-binary/test.log Normal file
View file

@ -0,0 +1,18 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#open 2015-04-15-23-47-40
#fields s
#types string
AB\x00CD\x00
AB\xffCD\x00
AB\\xffCD\x00
abc\\x00def
foo \xc2\xae bar \\xc2\\xae baz
foo\x00bar\\0baz
foo \x0e bar ^N baz
#close 2015-04-15-23-47-40

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/dnp3.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2014-08-16-15-58-48
#open 2015-04-15-23-54-06
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1325036012.621691 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 OPEN_FILE RESPONSE 4096
@ -11,4 +11,4 @@
1325036019.765502 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 WRITE RESPONSE 0
1325036022.292689 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 WRITE RESPONSE 0
1325036024.820857 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 CLOSE_FILE RESPONSE 0
#close 2014-08-16-15-58-48
#close 2015-04-15-23-54-06

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output
View file

@ -12,13 +12,13 @@ dnp3_application_request_header, T, 207, 1
dnp3_object_header, T, 17925, 91, 1, 1, 0
dnp3_object_prefix, T, 8
dnp3_file_transport, T, 305419896, 0
^J
\x0a
dnp3_header_block, F, 25605, 255, 68, 3, 4
dnp3_application_response_header, F, 239, 129, 4096
dnp3_object_header, F, 17925, 91, 1, 1, 0
dnp3_object_prefix, F, 838
dnp3_file_transport, F, 305419896, 2147483648
0000 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e ...<?xml version^J0010 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d ="1.0" e ncoding=^J0020 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 3f 78 6d 6c "utf-8"? >..<?xml^J0030 2d 73 74 79 6c 65 73 68 65 65 74 20 74 79 70 65 -stylesh eet type^J0040 3d 27 74 65 78 74 2f 78 73 6c 27 20 68 72 65 66 ='text/x sl' href^J0050 3d 27 44 4e 50 33 44 65 76 69 63 65 50 72 6f 66 ='DNP3De viceProf^J0060 69 6c 65 4a 61 6e 32 30 31 30 2e 78 73 6c 74 27 ileJan20 10.xslt'^J0070 20 6d 65 64 69 61 3d 27 73 63 72 65 65 6e 27 3f media=' screen'?^J0080 3e 0d 0a 3c 44 4e 50 33 44 65 76 69 63 65 50 72 >..<DNP3 DevicePr^J0090 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 20 78 6d ofileDoc ument xm^J00a0 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f lns:xsi= "http://^J00b0 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f www.w3.o rg/2001/^J00c0 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e XMLSchem a-instan^J00d0 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 ce" xmln s:xsd="h^J00e0 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 ttp://ww w.w3.org^J00f0 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 /2001/XM LSchema"^J0100 20 73 63 68 65 6d 61 56 65 72 73 69 6f 6e 3d 22 schemaV ersion="^J0110 32 2e 30 37 2e 30 30 22 20 78 6d 6c 6e 73 3d 22 2.07.00" xmlns="^J0120 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6e 70 33 2e http://w ww.dnp3.^J0130 6f 72 67 2f 44 4e 50 33 2f 44 65 76 69 63 65 50 org/DNP3 /DeviceP^J0140 72 6f 66 69 6c 65 2f 4a 61 6e 32 30 31 30 22 3e rofile/J an2010">^J0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. <!-- Document^J0160 20 48 65 61 64 65 72 2d 2d 3e 0d 0a 20 20 3c 64 Header- ->.. <d^J0170 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e 0d 0a ocumentH eader>..^J0180 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 4e 61 6d <doc umentNam^J0190 65 3e 41 20 44 4e 50 33 20 58 4d 4c 20 46 69 6c e>A DNP3 XML Fil^J01a0 65 3c 2f 64 6f 63 75 6d 65 6e 74 4e 61 6d 65 3e e</docum entName>^J01b0 0d 0a 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 44 .. <d ocumentD^J01c0 65 73 63 72 69 70 74 69 6f 6e 3e 54 68 69 73 20 escripti on>This ^J01d0 69 73 20 61 20 44 4e 50 33 20 43 6f 6d 70 6c 65 is a DNP 3 Comple^J01e0 74 65 20 44 65 76 69 63 65 20 50 72 6f 66 69 6c te Devic e Profil^J01f0 65 20 66 6f 72 20 44 4e 50 20 4f 75 74 73 74 61 e for DN P Outsta^J0200 74 69 6f 6e 20 69 6e 20 74 68 65 20 54 4d 57 20 tion in the TMW ^J0210 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 50 72 Communic ation Pr^J0220 6f 74 6f 63 6f 6c 20 54 65 73 74 20 48 61 72 6e otocol T est Harn^J0230 65 73 73 3c 2f 64 6f 63 75 6d 65 6e 74 44 65 73 ess</doc umentDes^J0240 63 72 69 70 74 69 6f 6e 3e 0d 0a 20 20 20 20 3c cription >.. <^J0250 72 65 76 69 73 69 6f 6e 48 69 73 74 6f 72 79 20 revision History ^J0260 76 65 72 73 69 6f 6e 3d 22 32 22 3e 0d 0a 20 20 version= "2">.. ^J0270 20 20 20 20 3c 64 61 74 65 3e 32 30 31 30 2d 31 <dat e>2010-1^J0280 32 2d 30 31 3c 2f 64 61 74 65 3e 0d 0a 20 20 20 2-01</da te>.. ^J0290 20 20 20 3c 61 75 74 68 6f 72 3e 53 74 65 76 65 <auth or>Steve^J02a0 20 4d 63 43 6f 79 3c 2f 61 75 74 68 6f 72 3e 0d McCoy</ author>.^J02b0 0a 20 20 20 20 20 20 3c 72 65 61 73 6f 6e 3e 44 . < reason>D^J02c0 6f 63 75 6d 65 6e 74 65 64 20 54 65 73 74 20 48 ocumente d Test H^J02d0 61 72 6e 65 73 73 20 53 44 4e 50 20 44 65 76 69 arness S DNP Devi^J02e0 63 65 20 50 72 6f 66 69 6c 65 3c 2f 72 65 61 73 ce Profi le</reas^J02f0 6f 6e 3e 0d 0a 20 20 20 20 3c 2f 72 65 76 69 73 on>.. </revis^J0300 69 6f 6e 48 69 73 74 6f 72 79 3e 0d 0a 20 20 3c ionHisto ry>.. <^J0310 2f 64 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e /documen tHeader>^J0320 0d 0a 3c 2f 44 4e 50 33 44 65 76 69 63 65 50 72 ..</DNP3 DevicePr^J0330 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 3e ofileDoc ument>^J
0000 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e ...<?xml version\x0a0010 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d ="1.0" e ncoding=\x0a0020 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 3f 78 6d 6c "utf-8"? >..<?xml\x0a0030 2d 73 74 79 6c 65 73 68 65 65 74 20 74 79 70 65 -stylesh eet type\x0a0040 3d 27 74 65 78 74 2f 78 73 6c 27 20 68 72 65 66 ='text/x sl' href\x0a0050 3d 27 44 4e 50 33 44 65 76 69 63 65 50 72 6f 66 ='DNP3De viceProf\x0a0060 69 6c 65 4a 61 6e 32 30 31 30 2e 78 73 6c 74 27 ileJan20 10.xslt'\x0a0070 20 6d 65 64 69 61 3d 27 73 63 72 65 65 6e 27 3f media=' screen'?\x0a0080 3e 0d 0a 3c 44 4e 50 33 44 65 76 69 63 65 50 72 >..<DNP3 DevicePr\x0a0090 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 20 78 6d ofileDoc ument xm\x0a00a0 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f lns:xsi= "http://\x0a00b0 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f www.w3.o rg/2001/\x0a00c0 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e XMLSchem a-instan\x0a00d0 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 ce" xmln s:xsd="h\x0a00e0 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 ttp://ww w.w3.org\x0a00f0 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 /2001/XM LSchema"\x0a0100 20 73 63 68 65 6d 61 56 65 72 73 69 6f 6e 3d 22 schemaV ersion="\x0a0110 32 2e 30 37 2e 30 30 22 20 78 6d 6c 6e 73 3d 22 2.07.00" xmlns="\x0a0120 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6e 70 33 2e http://w ww.dnp3.\x0a0130 6f 72 67 2f 44 4e 50 33 2f 44 65 76 69 63 65 50 org/DNP3 /DeviceP\x0a0140 72 6f 66 69 6c 65 2f 4a 61 6e 32 30 31 30 22 3e rofile/J an2010">\x0a0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. <!-- Document\x0a0160 20 48 65 61 64 65 72 2d 2d 3e 0d 0a 20 20 3c 64 Header- ->.. <d\x0a0170 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e 0d 0a ocumentH eader>..\x0a0180 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 4e 61 6d <doc umentNam\x0a0190 65 3e 41 20 44 4e 50 33 20 58 4d 4c 20 46 69 6c e>A DNP3 XML Fil\x0a01a0 65 3c 2f 64 6f 63 75 6d 65 6e 74 4e 61 6d 65 3e e</docum entName>\x0a01b0 0d 0a 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 44 .. <d ocumentD\x0a01c0 65 73 63 72 69 70 74 69 6f 6e 3e 54 68 69 73 20 escripti on>This \x0a01d0 69 73 20 61 20 44 4e 50 33 20 43 6f 6d 70 6c 65 is a DNP 3 Comple\x0a01e0 74 65 20 44 65 76 69 63 65 20 50 72 6f 66 69 6c te Devic e Profil\x0a01f0 65 20 66 6f 72 20 44 4e 50 20 4f 75 74 73 74 61 e for DN P Outsta\x0a0200 74 69 6f 6e 20 69 6e 20 74 68 65 20 54 4d 57 20 tion in the TMW \x0a0210 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 50 72 Communic ation Pr\x0a0220 6f 74 6f 63 6f 6c 20 54 65 73 74 20 48 61 72 6e otocol T est Harn\x0a0230 65 73 73 3c 2f 64 6f 63 75 6d 65 6e 74 44 65 73 ess</doc umentDes\x0a0240 63 72 69 70 74 69 6f 6e 3e 0d 0a 20 20 20 20 3c cription >.. <\x0a0250 72 65 76 69 73 69 6f 6e 48 69 73 74 6f 72 79 20 revision History \x0a0260 76 65 72 73 69 6f 6e 3d 22 32 22 3e 0d 0a 20 20 version= "2">.. \x0a0270 20 20 20 20 3c 64 61 74 65 3e 32 30 31 30 2d 31 <dat e>2010-1\x0a0280 32 2d 30 31 3c 2f 64 61 74 65 3e 0d 0a 20 20 20 2-01</da te>.. \x0a0290 20 20 20 3c 61 75 74 68 6f 72 3e 53 74 65 76 65 <auth or>Steve\x0a02a0 20 4d 63 43 6f 79 3c 2f 61 75 74 68 6f 72 3e 0d McCoy</ author>.\x0a02b0 0a 20 20 20 20 20 20 3c 72 65 61 73 6f 6e 3e 44 . < reason>D\x0a02c0 6f 63 75 6d 65 6e 74 65 64 20 54 65 73 74 20 48 ocumente d Test H\x0a02d0 61 72 6e 65 73 73 20 53 44 4e 50 20 44 65 76 69 arness S DNP Devi\x0a02e0 63 65 20 50 72 6f 66 69 6c 65 3c 2f 72 65 61 73 ce Profi le</reas\x0a02f0 6f 6e 3e 0d 0a 20 20 20 20 3c 2f 72 65 76 69 73 on>.. </revis\x0a0300 69 6f 6e 48 69 73 74 6f 72 79 3e 0d 0a 20 20 3c ionHisto ry>.. <\x0a0310 2f 64 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e /documen tHeader>\x0a0320 0d 0a 3c 2f 44 4e 50 33 44 65 76 69 63 65 50 72 ..</DNP3 DevicePr\x0a0330 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 3e ofileDoc ument>\x0a
dnp3_response_data_object, F, 255
dnp3_header_block, T, 25605, 8, 196, 4, 3
dnp3_application_request_header, T, 207, 0

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_write/dnp3.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2014-08-16-15-58-49
#open 2015-04-15-23-54-07
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1325043635.216629 CXWv6p3arKYeMETxOg 130.126.142.250 50300 130.126.140.229 20000 OPEN_FILE RESPONSE 0
1325043637.790287 CXWv6p3arKYeMETxOg 130.126.142.250 50300 130.126.140.229 20000 WRITE RESPONSE 0
1325043638.820071 CXWv6p3arKYeMETxOg 130.126.142.250 50300 130.126.140.229 20000 CLOSE_FILE RESPONSE 0
#close 2014-08-16-15-58-49
#close 2015-04-15-23-54-07

2
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_write/output
View file

@ -12,7 +12,7 @@ dnp3_application_request_header, T, 199, 2
dnp3_object_header, T, 17925, 91, 1, 1, 0
dnp3_object_prefix, T, 838
dnp3_file_transport, T, 305419896, 2147483648
0000 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e ...<?xml version^J0010 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d ="1.0" e ncoding=^J0020 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 3f 78 6d 6c "utf-8"? >..<?xml^J0030 2d 73 74 79 6c 65 73 68 65 65 74 20 74 79 70 65 -stylesh eet type^J0040 3d 27 74 65 78 74 2f 78 73 6c 27 20 68 72 65 66 ='text/x sl' href^J0050 3d 27 44 4e 50 33 44 65 76 69 63 65 50 72 6f 66 ='DNP3De viceProf^J0060 69 6c 65 4a 61 6e 32 30 31 30 2e 78 73 6c 74 27 ileJan20 10.xslt'^J0070 20 6d 65 64 69 61 3d 27 73 63 72 65 65 6e 27 3f media=' screen'?^J0080 3e 0d 0a 3c 44 4e 50 33 44 65 76 69 63 65 50 72 >..<DNP3 DevicePr^J0090 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 20 78 6d ofileDoc ument xm^J00a0 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f lns:xsi= "http://^J00b0 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f www.w3.o rg/2001/^J00c0 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e XMLSchem a-instan^J00d0 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 ce" xmln s:xsd="h^J00e0 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 ttp://ww w.w3.org^J00f0 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 /2001/XM LSchema"^J0100 20 73 63 68 65 6d 61 56 65 72 73 69 6f 6e 3d 22 schemaV ersion="^J0110 32 2e 30 37 2e 30 30 22 20 78 6d 6c 6e 73 3d 22 2.07.00" xmlns="^J0120 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6e 70 33 2e http://w ww.dnp3.^J0130 6f 72 67 2f 44 4e 50 33 2f 44 65 76 69 63 65 50 org/DNP3 /DeviceP^J0140 72 6f 66 69 6c 65 2f 4a 61 6e 32 30 31 30 22 3e rofile/J an2010">^J0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. <!-- Document^J0160 20 48 65 61 64 65 72 2d 2d 3e 0d 0a 20 20 3c 64 Header- ->.. <d^J0170 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e 0d 0a ocumentH eader>..^J0180 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 4e 61 6d <doc umentNam^J0190 65 3e 41 20 44 4e 50 33 20 58 4d 4c 20 46 69 6c e>A DNP3 XML Fil^J01a0 65 3c 2f 64 6f 63 75 6d 65 6e 74 4e 61 6d 65 3e e</docum entName>^J01b0 0d 0a 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 44 .. <d ocumentD^J01c0 65 73 63 72 69 70 74 69 6f 6e 3e 54 68 69 73 20 escripti on>This ^J01d0 69 73 20 61 20 44 4e 50 33 20 43 6f 6d 70 6c 65 is a DNP 3 Comple^J01e0 74 65 20 44 65 76 69 63 65 20 50 72 6f 66 69 6c te Devic e Profil^J01f0 65 20 66 6f 72 20 44 4e 50 20 4f 75 74 73 74 61 e for DN P Outsta^J0200 74 69 6f 6e 20 69 6e 20 74 68 65 20 54 4d 57 20 tion in the TMW ^J0210 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 50 72 Communic ation Pr^J0220 6f 74 6f 63 6f 6c 20 54 65 73 74 20 48 61 72 6e otocol T est Harn^J0230 65 73 73 3c 2f 64 6f 63 75 6d 65 6e 74 44 65 73 ess</doc umentDes^J0240 63 72 69 70 74 69 6f 6e 3e 0d 0a 20 20 20 20 3c cription >.. <^J0250 72 65 76 69 73 69 6f 6e 48 69 73 74 6f 72 79 20 revision History ^J0260 76 65 72 73 69 6f 6e 3d 22 32 22 3e 0d 0a 20 20 version= "2">.. ^J0270 20 20 20 20 3c 64 61 74 65 3e 32 30 31 30 2d 31 <dat e>2010-1^J0280 32 2d 30 31 3c 2f 64 61 74 65 3e 0d 0a 20 20 20 2-01</da te>.. ^J0290 20 20 20 3c 61 75 74 68 6f 72 3e 53 74 65 76 65 <auth or>Steve^J02a0 20 4d 63 43 6f 79 3c 2f 61 75 74 68 6f 72 3e 0d McCoy</ author>.^J02b0 0a 20 20 20 20 20 20 3c 72 65 61 73 6f 6e 3e 44 . < reason>D^J02c0 6f 63 75 6d 65 6e 74 65 64 20 54 65 73 74 20 48 ocumente d Test H^J02d0 61 72 6e 65 73 73 20 53 44 4e 50 20 44 65 76 69 arness S DNP Devi^J02e0 63 65 20 50 72 6f 66 69 6c 65 3c 2f 72 65 61 73 ce Profi le</reas^J02f0 6f 6e 3e 0d 0a 20 20 20 20 3c 2f 72 65 76 69 73 on>.. </revis^J0300 69 6f 6e 48 69 73 74 6f 72 79 3e 0d 0a 20 20 3c ionHisto ry>.. <^J0310 2f 64 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e /documen tHeader>^J0320 0d 0a 3c 2f 44 4e 50 33 44 65 76 69 63 65 50 72 ..</DNP3 DevicePr^J0330 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 3e ofileDoc ument>^J
0000 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e ...<?xml version\x0a0010 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d ="1.0" e ncoding=\x0a0020 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 3f 78 6d 6c "utf-8"? >..<?xml\x0a0030 2d 73 74 79 6c 65 73 68 65 65 74 20 74 79 70 65 -stylesh eet type\x0a0040 3d 27 74 65 78 74 2f 78 73 6c 27 20 68 72 65 66 ='text/x sl' href\x0a0050 3d 27 44 4e 50 33 44 65 76 69 63 65 50 72 6f 66 ='DNP3De viceProf\x0a0060 69 6c 65 4a 61 6e 32 30 31 30 2e 78 73 6c 74 27 ileJan20 10.xslt'\x0a0070 20 6d 65 64 69 61 3d 27 73 63 72 65 65 6e 27 3f media=' screen'?\x0a0080 3e 0d 0a 3c 44 4e 50 33 44 65 76 69 63 65 50 72 >..<DNP3 DevicePr\x0a0090 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 20 78 6d ofileDoc ument xm\x0a00a0 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f lns:xsi= "http://\x0a00b0 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f www.w3.o rg/2001/\x0a00c0 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e XMLSchem a-instan\x0a00d0 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 ce" xmln s:xsd="h\x0a00e0 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 ttp://ww w.w3.org\x0a00f0 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 /2001/XM LSchema"\x0a0100 20 73 63 68 65 6d 61 56 65 72 73 69 6f 6e 3d 22 schemaV ersion="\x0a0110 32 2e 30 37 2e 30 30 22 20 78 6d 6c 6e 73 3d 22 2.07.00" xmlns="\x0a0120 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6e 70 33 2e http://w ww.dnp3.\x0a0130 6f 72 67 2f 44 4e 50 33 2f 44 65 76 69 63 65 50 org/DNP3 /DeviceP\x0a0140 72 6f 66 69 6c 65 2f 4a 61 6e 32 30 31 30 22 3e rofile/J an2010">\x0a0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. <!-- Document\x0a0160 20 48 65 61 64 65 72 2d 2d 3e 0d 0a 20 20 3c 64 Header- ->.. <d\x0a0170 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e 0d 0a ocumentH eader>..\x0a0180 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 4e 61 6d <doc umentNam\x0a0190 65 3e 41 20 44 4e 50 33 20 58 4d 4c 20 46 69 6c e>A DNP3 XML Fil\x0a01a0 65 3c 2f 64 6f 63 75 6d 65 6e 74 4e 61 6d 65 3e e</docum entName>\x0a01b0 0d 0a 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 44 .. <d ocumentD\x0a01c0 65 73 63 72 69 70 74 69 6f 6e 3e 54 68 69 73 20 escripti on>This \x0a01d0 69 73 20 61 20 44 4e 50 33 20 43 6f 6d 70 6c 65 is a DNP 3 Comple\x0a01e0 74 65 20 44 65 76 69 63 65 20 50 72 6f 66 69 6c te Devic e Profil\x0a01f0 65 20 66 6f 72 20 44 4e 50 20 4f 75 74 73 74 61 e for DN P Outsta\x0a0200 74 69 6f 6e 20 69 6e 20 74 68 65 20 54 4d 57 20 tion in the TMW \x0a0210 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 50 72 Communic ation Pr\x0a0220 6f 74 6f 63 6f 6c 20 54 65 73 74 20 48 61 72 6e otocol T est Harn\x0a0230 65 73 73 3c 2f 64 6f 63 75 6d 65 6e 74 44 65 73 ess</doc umentDes\x0a0240 63 72 69 70 74 69 6f 6e 3e 0d 0a 20 20 20 20 3c cription >.. <\x0a0250 72 65 76 69 73 69 6f 6e 48 69 73 74 6f 72 79 20 revision History \x0a0260 76 65 72 73 69 6f 6e 3d 22 32 22 3e 0d 0a 20 20 version= "2">.. \x0a0270 20 20 20 20 3c 64 61 74 65 3e 32 30 31 30 2d 31 <dat e>2010-1\x0a0280 32 2d 30 31 3c 2f 64 61 74 65 3e 0d 0a 20 20 20 2-01</da te>.. \x0a0290 20 20 20 3c 61 75 74 68 6f 72 3e 53 74 65 76 65 <auth or>Steve\x0a02a0 20 4d 63 43 6f 79 3c 2f 61 75 74 68 6f 72 3e 0d McCoy</ author>.\x0a02b0 0a 20 20 20 20 20 20 3c 72 65 61 73 6f 6e 3e 44 . < reason>D\x0a02c0 6f 63 75 6d 65 6e 74 65 64 20 54 65 73 74 20 48 ocumente d Test H\x0a02d0 61 72 6e 65 73 73 20 53 44 4e 50 20 44 65 76 69 arness S DNP Devi\x0a02e0 63 65 20 50 72 6f 66 69 6c 65 3c 2f 72 65 61 73 ce Profi le</reas\x0a02f0 6f 6e 3e 0d 0a 20 20 20 20 3c 2f 72 65 76 69 73 on>.. </revis\x0a0300 69 6f 6e 48 69 73 74 6f 72 79 3e 0d 0a 20 20 3c ionHisto ry>.. <\x0a0310 2f 64 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e /documen tHeader>\x0a0320 0d 0a 3c 2f 44 4e 50 33 44 65 76 69 63 65 50 72 ..</DNP3 DevicePr\x0a0330 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 3e ofileDoc ument>\x0a
dnp3_header_block, F, 25605, 25, 68, 3, 4
dnp3_application_response_header, F, 199, 129, 0
dnp3_object_header, F, 17926, 91, 1, 1, 0

2
testing/btest/Baseline/scripts.base.protocols.dns.tsig/out
View file

@ -1,2 +1,2 @@
[query=secret-key, qtype=3, alg_name=hmac-md5.sig-alg.reg.int, sig=F\xbd\xbf1\xef^B6\xb8\xeb\xae1u,\x87\xdb^?, time_signed=21513.794, fudge=300.0, orig_id=9703, rr_error=0, is_query=1]
[query=secret-key, qtype=3, alg_name=hmac-md5.sig-alg.reg.int, sig=F\xbd\xbf1\xef\x026\xb8\xeb\xae1u,\x87\xdb\x7f, time_signed=21513.794, fudge=300.0, orig_id=9703, rr_error=0, is_query=1]
16

6
testing/btest/Baseline/scripts.base.protocols.http.entity-gap/entity_data
View file

@ -1,4 +1,4 @@
^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J
\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a * Tweaks to release scripts, plus a new one for signing files.\x0a (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a * bro-cut extensions and fixes. (Robin Sommer)\x0a \x0a - If no field names are given on the command line, we now pass through\x0a all fields. Adresses #657.\x0a\x0a - Removing some GNUism from awk script. Addresses #653.\x0a\x0a - Added option for time output in UTC. Addresses #668.\x0a\x0a - Added output field separator option -F. Addresses #649.\x0a\x0a - Fixing option -c: only some header lines were passed through\x0a
<1448 byte gap>
s/check-release to run before making releases.^J (Robin Sommer)^J^J * devel-tools/update-changes gets a new option -a to amend to^J previous commit if possible. Default is now not to (used to be the^J opposite). (Robin Sommer)^J^J * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J * Change distclean to only remove build dir. (Jon Siwek)^J^J * Make dist now cleans the copied source (Jon Siwek)^J^J * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J * Fix to not let updates scripts loose their executable permissions.^J (Robin Sommer)^J^J * devel-tools/update-changes now looks for a 'release' tag to^J idenfify the stable version, and 'beta' for the beta versions.^J (Robin Sommer).^J^J * Distribution cleanup. (Robin Sommer)^J^J * New script devel-tools/make-release to create source tar balls.^J (Robin Sommer)^J^J * Removing bdcat. With the new log format, this isn't very useful^J anymore. (Robin Sommer)^J^J * Adding script that shows all pending git fastpath commits. (Robin^J Sommer)^J^J * Script to measure CPU time by loading an increasing set of^J scripts. (Robin Sommer)^J^J * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J * Tiny update to output a valid CA list file for SSL cert^J validation. (Seth Hall)^J^J * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J * FindPCAP now links against
thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J^J * Removing cf/hf/ca-* from distribution. The README has a note where^J to find them now. (Robin Sommer)^J^J * General cleanup. (Robin Sommer)^J^J * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
s/check-release to run before making releases.\x0a (Robin Sommer)\x0a\x0a * devel-tools/update-changes gets a new option -a to amend to\x0a previous commit if possible. Default is now not to (used to be the\x0a opposite). (Robin Sommer)\x0a\x0a * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a * Fix to not let updates scripts loose their executable permissions.\x0a (Robin Sommer)\x0a\x0a * devel-tools/update-changes now looks for a 'release' tag to\x0a idenfify the stable version, and 'beta' for the beta versions.\x0a (Robin Sommer).\x0a\x0a * Distribution cleanup. (Robin Sommer)\x0a\x0a * New script devel-tools/make-release to create source tar balls.\x0a (Robin Sommer)\x0a\x0a * Removing bdcat. With the new log format, this isn't very useful\x0a anymore. (Robin Sommer)\x0a\x0a * Adding script that shows all pending git fastpath commits. (Robin\x0a Sommer)\x0a\x0a * Script to measure CPU time by loading an increasing set of\x0a scripts. (Robin Sommer)\x0a\x0a * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a * Tiny update to output a valid CA list file for SSL cert\x0a validation. (Seth Hall)\x0a\x0a * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a * FindPCAP now links against
thread library when necessary (e.g.\x0a PF_RING's libpcap) (Jon Siwek)\x0a\x0a * Install binaries with an RPATH (Jon Siwek)\x0a\x0a * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a * Converting build process to CMake. (Jon Siwek)\x0a\x0a * Removing cf/hf/ca-* from distribution. The README has a note where\x0a to find them now. (Robin Sommer)\x0a\x0a * General cleanup. (Robin Sommer)\x0a\x0a * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a

6
testing/btest/Baseline/scripts.base.protocols.http.entity-gap2/entity_data
View file

@ -1,4 +1,4 @@
^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J
rather than all. (Robin Sommer)^J^J * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J * Little fix for make-release script, which could pick out the wrong^J tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J * Bugfix in update-changes script. (Robin Sommer)^J^J * update-changes now ignores commits it did itself. (Robin Sommer)^J^J * Fix a bug in the update-changes script. (Robin Sommer)^J^J * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J * Options to adjust time format for bro-cut. (Robin Sommer)^J^J The default with -d is now ISO format. The new option "-D <fmt>"^J specifies a custom strftime()-style format string. Alternatively,^J the environment variable BRO_CUT_TIMEFMT can set the format as^J well.^J^J * bro-cut now understands the field separator header. (Robin Sommer)^J^J * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J * Adding support for replacing version string in a setup.py. (Robin^J Sommer)^J^J * Change generated root cert DN indices format for RFC2253^J compliance. (Jon Siwek)^J^J * New tool devel-tool
\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a * Tweaks to release scripts, plus a new one for signing files.\x0a (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a * bro-cut extensions and fixes. (Robin Sommer)\x0a \x0a - If no field names are given on the command line, we now pass through\x0a all fields. Adresses #657.\x0a\x0a - Removing some GNUism from awk script. Addresses #653.\x0a\x0a - Added option for time output in UTC. Addresses #668.\x0a\x0a - Added output field separator option -F. Addresses #649.\x0a\x0a - Fixing option -c: only some header lines were passed through\x0a
rather than all. (Robin Sommer)\x0a\x0a * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a * Little fix for make-release script, which could pick out the wrong\x0a tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a The default with -d is now ISO format. The new option "-D <fmt>"\x0a specifies a custom strftime()-style format string. Alternatively,\x0a the environment variable BRO_CUT_TIMEFMT can set the format as\x0a well.\x0a\x0a * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a * Adding support for replacing version string in a setup.py. (Robin\x0a Sommer)\x0a\x0a * Change generated root cert DN indices format for RFC2253\x0a compliance. (Jon Siwek)\x0a\x0a * New tool devel-tool
<1448 byte gap>
thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J^J * Removing cf/hf/ca-* from distribution. The README has a note where^J to find them now. (Robin Sommer)^J^J * General cleanup. (Robin Sommer)^J^J * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
thread library when necessary (e.g.\x0a PF_RING's libpcap) (Jon Siwek)\x0a\x0a * Install binaries with an RPATH (Jon Siwek)\x0a\x0a * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a * Converting build process to CMake. (Jon Siwek)\x0a\x0a * Removing cf/hf/ca-* from distribution. The README has a note where\x0a to find them now. (Robin Sommer)\x0a\x0a * General cleanup. (Robin Sommer)\x0a\x0a * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a

8
testing/btest/Baseline/scripts.base.protocols.rdp.rdp-proprietary-encryption/rdp.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path rdp
#open 2015-03-05-18-37-55
#open 2015-04-15-23-54-11
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
#types time string addr port addr port string string string string string string string count count string string count bool string string
1193369795.014346 CXWv6p3arKYeMETxOg 172.21.128.16 1311 10.226.24.52 3389 FTBCO\A70 SSL_NOT_ALLOWED_BY_SERVER - - - - - - - - - 0 - - -
1193369797.582740 CjhGID4nQcgTWjvg4c 172.21.128.16 1312 10.226.24.52 3389 FTBCO\A70 Success RDP English - United States RDP 6.0 FROG-POND (empty) 1152 864 32bit RSA 1 T High 128bit
#close 2015-03-05-18-37-55
1193369795.014346 CXWv6p3arKYeMETxOg 172.21.128.16 1311 10.226.24.52 3389 FTBCO\\A70 SSL_NOT_ALLOWED_BY_SERVER - - - - - - - - - 0 - - -
1193369797.582740 CjhGID4nQcgTWjvg4c 172.21.128.16 1312 10.226.24.52 3389 FTBCO\\A70 Success RDP English - United States RDP 6.0 FROG-POND (empty) 1152 864 32bit RSA 1 T High 128bit
#close 2015-04-15-23-54-11

4
testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/rdp.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path rdp
#open 2015-03-05-18-38-10
#open 2015-04-15-23-54-11
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
#types time string addr port addr port string string string string string string string count count string string count bool string string
1423755598.202845 CXWv6p3arKYeMETxOg 192.168.1.1 54990 192.168.1.2 3389 JOHN-PC Success RDP English - United States RDP 8.1 JOHN-PC-LAPTOP 3c571ed0-3415-474b-ae94-74e151b 1920 1080 16bit X.509 2 F Client compatible 128bit
#close 2015-03-05-18-38-10
#close 2015-04-15-23-54-11

6
testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/x509.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path x509
#open 2015-03-05-20-58-46
#open 2015-04-15-23-54-11
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
1423755602.103140 F71ADVSn3rOqVhNh1 3 59EB28CB02B1A0D4 L=TURNBKL+CN=SERVR L=TURNBKL+CN=SERVR 1423664106.000000 1431388800.000000 rsaEncryption sha1WithRSA rsa 512 65537 - - - - - T 0
1423755602.103140 F71ADVSn3rOqVhNh1 3 0100000001 serialNumber=1BcKefYSF97EvkaiCqahPY8uPd0=\0D\0A+L=ncalrpc:SERVR+CN=ncalrpc:SERVR L=TURNBKL+CN=SERVR 1365174955.000000 1483228799.000000 md5WithRSAEncryption sha1WithRSA rsa 512 65537 - - - - - - -
#close 2015-03-05-20-58-46
1423755602.103140 F71ADVSn3rOqVhNh1 3 0100000001 serialNumber=1BcKefYSF97EvkaiCqahPY8uPd0=\\0D\\0A+L=ncalrpc:SERVR+CN=ncalrpc:SERVR L=TURNBKL+CN=SERVR 1365174955.000000 1483228799.000000 md5WithRSAEncryption sha1WithRSA rsa 512 65537 - - - - - - -
#close 2015-04-15-23-54-11

6
testing/btest/Baseline/scripts.base.protocols.snmp.v1/out1
View file

@ -55,7 +55,7 @@ snmp_response
error_stat: 0
error_idx: 0
oid: 1.3.6.1.2.1.2.2.1.6.1
value (tag=0x04): ^H\07^U\xe6\xbc
value (tag=0x04): \x08\x007\x15\xe6\xbc
snmp_get_request
[orig_h=172.31.19.54, orig_p=15919/udp, resp_h=172.31.19.73, resp_p=161/udp]
is_orig: T
@ -175,7 +175,7 @@ snmp_response
error_stat: 0
error_idx: 0
oid: 1.3.6.1.2.1.2.2.1.6.1
value (tag=0x04): ^H\07^U\xe6\xbc
value (tag=0x04): \x08\x007\x15\xe6\xbc
snmp_get_request
[orig_h=172.31.19.54, orig_p=15925/udp, resp_h=172.31.19.73, resp_p=161/udp]
is_orig: T
@ -295,7 +295,7 @@ snmp_response
error_stat: 0
error_idx: 0
oid: 1.3.6.1.2.1.2.2.1.6.1
value (tag=0x04): ^H\07^U\xe6\xbc
value (tag=0x04): \x08\x007\x15\xe6\xbc
snmp_get_request
[orig_h=172.31.19.54, orig_p=15931/udp, resp_h=172.31.19.73, resp_p=161/udp]
is_orig: T

8
testing/btest/Baseline/scripts.base.protocols.snmp.v3/out1
View file

@ -1,14 +1,14 @@
snmp_get_request
[orig_h=127.0.0.1, orig_p=54211/udp, resp_h=127.0.0.1, resp_p=161/udp]
is_orig: T
[id=544943986, max_size=16384, flags=4, auth_flag=F, priv_flag=F, reportable_flag=T, security_model=3, security_params=0^N^D\0^B^A*^B^A*^D\0^D\0^D\0, pdu_context=[engine_id=, name=]]
[id=544943986, max_size=16384, flags=4, auth_flag=F, priv_flag=F, reportable_flag=T, security_model=3, security_params=0\x0e\x04\x00\x02\x01*\x02\x01*\x04\x00\x04\x00\x04\x00, pdu_context=[engine_id=, name=]]
request_id: 544943986
error_stat: 0
error_idx: 0
snmp_report
[orig_h=127.0.0.1, orig_p=54211/udp, resp_h=127.0.0.1, resp_p=161/udp]
is_orig: F
[id=544943986, max_size=16384, flags=0, auth_flag=F, priv_flag=F, reportable_flag=F, security_model=3, security_params=0\x1b^D^M\x80\0\x1f\x88\x80\xa9I\x8e^:,0C^B^A\xdd^B^A\xdd^D\0^D\0^D\0, pdu_context=[engine_id=\x80\0\x1f\x88\x80\xa9I\x8e^:,0C, name=]]
[id=544943986, max_size=16384, flags=0, auth_flag=F, priv_flag=F, reportable_flag=F, security_model=3, security_params=0\x1b\x04\x0d\x80\x00\x1f\x88\x80\xa9I\x8e^:,0C\x02\x01\xdd\x02\x01\xdd\x04\x00\x04\x00\x04\x00, pdu_context=[engine_id=\x80\x00\x1f\x88\x80\xa9I\x8e^:,0C, name=]]
request_id: 544943986
error_stat: 0
error_idx: 0
@ -17,7 +17,7 @@ snmp_report
snmp_get_request
[orig_h=127.0.0.1, orig_p=54211/udp, resp_h=127.0.0.1, resp_p=161/udp]
is_orig: T
[id=544943986, max_size=16384, flags=4, auth_flag=F, priv_flag=F, reportable_flag=T, security_model=3, security_params=0/^D^M\x80\0\x1f\x88\x80\xa9I\x8e^:,0C^B^A\xdd^B^A\xdd^D^Husername^D^L\0\0\0\0\0\0\0\0\0\0\0\0^D\0, pdu_context=[engine_id=\x80\0\x1f\x88\x80\xa9I\x8e^:,0C, name=]]
[id=544943986, max_size=16384, flags=4, auth_flag=F, priv_flag=F, reportable_flag=T, security_model=3, security_params=0/\x04\x0d\x80\x00\x1f\x88\x80\xa9I\x8e^:,0C\x02\x01\xdd\x02\x01\xdd\x04\x08username\x04\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00, pdu_context=[engine_id=\x80\x00\x1f\x88\x80\xa9I\x8e^:,0C, name=]]
request_id: 544943986
error_stat: 0
error_idx: 0
@ -26,7 +26,7 @@ snmp_get_request
snmp_response
[orig_h=127.0.0.1, orig_p=54211/udp, resp_h=127.0.0.1, resp_p=161/udp]
is_orig: F
[id=544943986, max_size=16384, flags=0, auth_flag=F, priv_flag=F, reportable_flag=F, security_model=3, security_params=0#^D^M\x80\0\x1f\x88\x80\xa9I\x8e^:,0C^B^A\xdd^B^A\xdd^D^Husername^D\0^D\0, pdu_context=[engine_id=\x80\0\x1f\x88\x80\xa9I\x8e^:,0C, name=]]
[id=544943986, max_size=16384, flags=0, auth_flag=F, priv_flag=F, reportable_flag=F, security_model=3, security_params=0#\x04\x0d\x80\x00\x1f\x88\x80\xa9I\x8e^:,0C\x02\x01\xdd\x02\x01\xdd\x04\x08username\x04\x00\x04\x00, pdu_context=[engine_id=\x80\x00\x1f\x88\x80\xa9I\x8e^:,0C, name=]]
request_id: 544943986
error_stat: 0
error_idx: 0

4
testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-random/.stdout
View file

@ -1,2 +1,2 @@
8\xd0U@\xf1\xaamI\xb5SE^K\x82\xa4\xe0\x9eG\xf3\xdd\x1f\xeey\xa6[\xcc\xd7^D\x90
\xa7^B\xf4'&^E]|c\x83KN\xb0^N6F\xbez\xbb^Ny\xbf^O\x85p\x83\x8dX
8\xd0U@\xf1\xaamI\xb5SE\x0b\x82\xa4\xe0\x9eG\xf3\xdd\x1f\xeey\xa6[\xcc\xd7\x04\x90
\xa7\x02\xf4'&\x05]|c\x83KN\xb0\x0e6F\xbez\xbb\x0ey\xbf\x0f\x85p\x83\x8dX

14
testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/.stdout
View file

@ -1,18 +1,18 @@
[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B^J]
[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B\x0a]
[name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=A2:76:09:20:A8:40:FD:A1:AC:C8:E9:35:B9:11:A6:61:FF:8C:FF:A3]
[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]
[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
[name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
[name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4^J CPS: https://secure.comodo.com/CPS^J]
[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt^JOCSP - URI:http://ocsp.comodoca.com^J]
[name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4\x0a CPS: https://secure.comodo.com/CPS\x0a]
[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt\x0aOCSP - URI:http://ocsp.comodoca.com\x0a]
[name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.taleo.net, DNS:taleo.net]
[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A^J]
[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A\x0a]
[name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B]
[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
[name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: X509v3 Any Policy^J]
[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.usertrust.com/AddTrustExternalCARoot.p7c^JCA Issuers - URI:http://crt.usertrust.com/AddTrustUTNSGCCA.crt^JOCSP - URI:http://ocsp.usertrust.com^J]
[name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: X509v3 Any Policy\x0a]
[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.usertrust.com/AddTrustExternalCARoot.p7c\x0aCA Issuers - URI:http://crt.usertrust.com/AddTrustUTNSGCCA.crt\x0aOCSP - URI:http://ocsp.usertrust.com\x0a]
[name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A]
[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE]
[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A^JDirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root^Jserial:01^J]
[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A\x0aDirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root\x0aserial:01\x0a]

4
testing/btest/Baseline/scripts.base.utils.active-http/output
View file

@ -4,7 +4,7 @@
[Date] = July 22, 2013
[Server] = 1.0,
[Server] = 1.0,
test1, [code=200, msg=OK^M, body=It works!, headers={
test2, [code=200, msg=OK^M, body=, headers={
test1, [code=200, msg=OK\x0d, body=It works!, headers={
test2, [code=200, msg=OK\x0d, body=, headers={
}]
}]

14
testing/btest/Baseline/scripts.base.utils.decompose_uri/output
View file

@ -1,5 +1,5 @@
https://www.bro.org:42/documentation/faq.html?k1=v1&k2=v2
-> [scheme=https, netlocation=www.bro.org, portnum=42, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={^J^I[k2] = v2,^J^I[k1] = v1^J}]
-> [scheme=https, netlocation=www.bro.org, portnum=42, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={\x0a\x09[k2] = v2,\x0a\x09[k1] = v1\x0a}]
-> [scheme=<uninitialized>, netlocation=, portnum=<uninitialized>, path=/, file_name=<uninitialized>, file_base=<uninitialized>, file_ext=<uninitialized>, params=<uninitialized>]
@ -32,20 +32,20 @@ https://www.bro.org/documentation/faq.html
-> [scheme=https, netlocation=www.bro.org, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params=<uninitialized>]
https://www.bro.org/documentation/faq.html?
-> [scheme=https, netlocation=www.bro.org, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={^J^J}]
-> [scheme=https, netlocation=www.bro.org, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={\x0a\x0a}]
https://www.bro.org/documentation/faq.html?k=v
-> [scheme=https, netlocation=www.bro.org, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={^J^I[k] = v^J}]
-> [scheme=https, netlocation=www.bro.org, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={\x0a\x09[k] = v\x0a}]
https://www.bro.org/documentation/faq.html?k=
-> [scheme=https, netlocation=www.bro.org, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={^J^I[k] = ^J}]
-> [scheme=https, netlocation=www.bro.org, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={\x0a\x09[k] = \x0a}]
https://www.bro.org/documentation/faq.html?=v
-> [scheme=https, netlocation=www.bro.org, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={^J^I[] = v^J}]
-> [scheme=https, netlocation=www.bro.org, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={\x0a\x09[] = v\x0a}]
file:///documentation/faq.html?=v
-> [scheme=file, netlocation=, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={^J^I[] = v^J}]
-> [scheme=file, netlocation=, portnum=<uninitialized>, path=/documentation/faq.html, file_name=faq.html, file_base=faq, file_ext=html, params={\x0a\x09[] = v\x0a}]
www.bro.org/?foo=bar
-> [scheme=<uninitialized>, netlocation=www.bro.org, portnum=<uninitialized>, path=/, file_name=<uninitialized>, file_base=<uninitialized>, file_ext=<uninitialized>, params={^J^I[foo] = bar^J}]
-> [scheme=<uninitialized>, netlocation=www.bro.org, portnum=<uninitialized>, path=/, file_name=<uninitialized>, file_base=<uninitialized>, file_ext=<uninitialized>, params={\x0a\x09[foo] = bar\x0a}]

6
testing/btest/Baseline/scripts.base.utils.strings/output
View file

@ -1,7 +1,7 @@
'hello' is NOT considered binary
'\xff\xff\xff\0' IS considered binary
'\0\0\xff\0' IS considered binary
'\0\0\0\0' is NOT considered binary
'\xff\xff\xff\x00' IS considered binary
'\x00\x00\xff\x00' IS considered binary
'\x00\x00\x00\x00' is NOT considered binary
two, one, three
one
hell\o w\orl\d

220
testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
View file

File diff suppressed because one or more lines are too long

52
testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
View file

@ -1,5 +1,5 @@
1254722768.219663 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
@ -7,7 +7,7 @@
[5] cont_resp: bool = T
1254722768.219663 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
@ -15,7 +15,7 @@
[5] cont_resp: bool = T
1254722768.219663 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
@ -23,13 +23,13 @@
[5] cont_resp: bool = F
1254722768.224809 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = EHLO
[3] arg: string = GP
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
@ -37,7 +37,7 @@
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
@ -45,7 +45,7 @@
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
@ -53,7 +53,7 @@
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
@ -61,7 +61,7 @@
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
@ -69,7 +69,7 @@
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
@ -77,13 +77,13 @@
[5] cont_resp: bool = F
1254722768.568729 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = AUTH
[3] arg: string = LOGIN
1254722768.911081 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 334
[3] cmd: string = AUTH
@ -91,13 +91,13 @@
[5] cont_resp: bool = F
1254722768.911655 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = **
[3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu
1254722769.253544 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 334
[3] cmd: string = AUTH_ANSWER
@ -105,13 +105,13 @@
[5] cont_resp: bool = F
1254722769.254118 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = **
[3] arg: string = cHVuamFiQDEyMw==
1254722769.613798 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 235
[3] cmd: string = AUTH_ANSWER
@ -119,13 +119,13 @@
[5] cont_resp: bool = F
1254722769.614414 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = MAIL
[3] arg: string = FROM: <gurpartap@patriots.in>
1254722769.956765 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = MAIL
@ -133,13 +133,13 @@
[5] cont_resp: bool = F
1254722769.957250 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = RCPT
[3] arg: string = TO: <raj_deol2002in@yahoo.co.in>
1254722770.319708 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a\x09<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = RCPT
@ -147,13 +147,13 @@
[5] cont_resp: bool = F
1254722770.320203 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a\x09<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = DATA
[3] arg: string =
1254722770.661679 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a\x09<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 354
[3] cmd: string = DATA
@ -161,13 +161,13 @@
[5] cont_resp: bool = F
1254722771.858334 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a\x09<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a\x09<raj_deol2002in@yahoo.co.in>\x0a}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = .
[3] arg: string = .
1254722772.248789 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a\x09<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a\x09<raj_deol2002in@yahoo.co.in>\x0a}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = .
@ -175,13 +175,13 @@
[5] cont_resp: bool = F
1254722774.763825 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = QUIT
[3] arg: string =
1254722775.105467 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={\x0a\x09SMTP\x0a}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 221
[3] cmd: string = QUIT

6
testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path notice
#open 2014-04-01-23-16-27
#open 2015-04-15-23-54-27
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1394745603.293028 CXWv6p3arKYeMETxOg 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
1394745619.197766 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 F6NAbK127LhNBaEe5c - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
#close 2014-04-01-23-16-27
1394745619.197766 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 F6NAbK127LhNBaEe5c - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
#close 2015-04-15-23-54-27

2
testing/btest/Baseline/signatures.load-sigs/output
View file

@ -1,3 +1,3 @@
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
works
GET /images/wikimedia-button.png HTTP/1.1^M^JHost: meta.wikimedia.org^M^JUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Geck...
GET /images/wikimedia-button.png HTTP/1.1\x0d\x0aHost: meta.wikimedia.org\x0d\x0aUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Geck...

43
testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro Normal file
View file

@ -0,0 +1,43 @@
# @TEST-EXEC: bro -b %INPUT >output
# @TEST-EXEC: btest-diff test.log
# @TEST-EXEC: btest-diff output
module Test;
export {
redef enum Log::ID += { LOG };
type Log: record {
s: string;
} &log;
}
event bro_init()
{
local a = "abc\0def";
local b = escape_string(a);
Log::create_stream(Test::LOG, [$columns=Log]);
Log::write(Test::LOG, [$s="AB\0CD\0"]);
Log::write(Test::LOG, [$s="AB\xffCD\0"]);
Log::write(Test::LOG, [$s="AB\\xffCD\0"]);
Log::write(Test::LOG, [$s=" "]);
Log::write(Test::LOG, [$s=b]);
Log::write(Test::LOG, [$s=" "]);
Log::write(Test::LOG, [$s="foo \xc2\xae bar \\xc2\\xae baz"]);
Log::write(Test::LOG, [$s="foo\x00bar\\0baz"]);
Log::write(Test::LOG, [$s="foo \16 bar ^N baz"]);
print "AB\0CD\0";
print "AB\xffCD\0";
print "AB\\xffCD\0";
print "";
print b;
print "";
print "foo \xc2\xae bar \\xc2\\xae baz";
print "foo\x00bar\\0baz";
print "foo \16 bar ^N baz";
print "";
}