diff --git a/CHANGES b/CHANGES index 9ff294055c..93e5c90536 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,98 @@ +2.1-231 | 2012-12-14 14:51:35 -0800 + + * Make const variables actually constant. Both local and global + variables declared with "const" could be modified, but now + expressions that would modify them generate an error message at + parse-time. Addresses #922. (Jon Siwek) + +2.1-229 | 2012-12-14 14:46:12 -0800 + + * Fix memory leak in ASCII reader when encoutering errors in input. + (Bernhard Amann) + + * Improvements for the "bad checksums" detector to make it detect + bad TCP checksums. (Seth Hall) + +2.1-223 | 2012-12-12 14:25:15 -0800 + + * Trick for parallelizing input framework unit tests. Instead of + loading listen.bro to block until files are read, just read a pcap + file in pseudo-realtime. (Jon Siwek) + + * Fix reliability of a unit test that relies on when statements. + (Jon Siwek) + + * Remove unused attributes. (Daniel Thayer) + - Removed attributes &postprocessor and &match from documentation and source code. + - Removed undocumented attribute &attr from source code. + - Removed internal attribute "(&tracked)" from documentation. + +2.1-218 | 2012-12-10 14:45:04 -0800 + + * Add GPRS Tunnelling Protocol (GTPv1) decapsulation. This currently + supports automatic decapsulation of GTP-U packets on UDP port 2152. + The GTPv1 headers for such tunnels can be inspected by handling + the "gtpv1_g_pdu_packet" event, which has a parameter of type + "gtpv1_hdr". Addresses #690. (Jon Siwek; derived from patch by + Carsten Langer) + + * Change BinPAC exceptions in AYIYA/GTP analyzers to do + "protocol_violation". (Jon Siwek) + +2.1-212 | 2012-12-07 19:42:03 -0800 + + * Changing the HTTP parser to accept request methods in alignment + with the RFC. (Robin Sommer) + +2.1-209 | 2012-12-05 16:44:04 -0800 + + * Adapting the HTTP request line parsing to only accept methods + consisting of letters [A-Za-z]. (Robin Sommer) + +2.1-207 | 2012-12-05 15:47:32 -0800 + + * Reporting warnings if kill/waitpid fail in communication system. 
+ (Bill Parker) + + * Replace() bzero with memset(). (Bill Parker) + + * Merge remote-tracking branch 'vlad/topic/vladg/http-verbs' + + * vlad/topic/vladg/http-verbs: + A test for HTTP methods, including some horribly illegal requests. + Remove hardcoded HTTP verbs from the analyzer (#741) + + I added a "bad_HTTP_request" weird for HTTP request lines that don't + have more than a single word. + + Closes #741. (Robin Sommer) + + * A test for HTTP methods, including some horribly illegal requests. (Vlad Grigorescu) + + * Remove hardcoded HTTP verbs from the analyzer (#741) (Vlad Grigorescu) + + +2.1-203 | 2012-12-05 14:36:56 -0800 + + * Fix segfault: Synchronization of state between connecting peers + now skips over identifiers that aren't initialized with a value + yet. Addresses #66. (Jon Siwek) + + * Fix segfault: Delete correct entry in error case in input + framework. (Bernhard Amann) + + * Bad record constructor initializers now give an error. Addresses + #34. (Jon Siwek) + + * Invalid vector indices now generate error message. Addresses #24. + (Jon Siwek) + + * Bump CPack RPM package requirement to Python >= 2.6.0. (Jon Siwek) + + * Interpreter exceptions occurring in "when" blocks are now handled. + Addresses #779 (Jon Siwek) + 2.1-195 | 2012-12-03 14:50:33 -0800 * Catching out-of-memory in patricia tree code. (Bill Parker) diff --git a/CMakeLists.txt b/CMakeLists.txt index 17ba34ab3b..e2a83e10f5 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -195,7 +195,7 @@ CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI) if (INSTALL_BROCTL) # CPack RPM Generator may not automatically detect this - set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.4.0") + set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0") endif () # If this CMake project is a sub-project of another, we will not diff --git a/NEWS b/NEWS index 63c4d5d6f7..f3fe143362 100644 --- a/NEWS +++ b/NEWS 
@@ -13,6 +13,8 @@ Bro 2.2 New Functionality ~~~~~~~~~~~~~~~~~ +- GPRS Tunnelling Protocol (GTPv1) decapsulation. + - GridFTP support. TODO: Extend. - ssl.log now also records the subject client and issuer certificates. diff --git a/VERSION b/VERSION index 5f2036da97..b02f44968d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-195 +2.1-231 diff --git a/aux/broccoli b/aux/broccoli index a8846fc5b0..06682dbb15 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit a8846fc5b004ffe4e3d00e826d0077ba19518192 +Subproject commit 06682dbb15d26d2688bdc9ad76efec17d38dc80f diff --git a/aux/broctl b/aux/broctl index 834131cd0e..f4d6a2af15 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 834131cd0ec0f63cce9de818726fe6167dedbf34 +Subproject commit f4d6a2af15404dc1349d12d2ad21a3eebcb2ff1e diff --git a/doc/scripts/builtins.rst b/doc/scripts/builtins.rst index 5418e84f72..d5737c0036 100644 --- a/doc/scripts/builtins.rst +++ b/doc/scripts/builtins.rst @@ -799,20 +799,12 @@ scripting language supports the following built-in attributes. ``&synchronized`` variable is automatically propagated to all peers when it changes. -.. bro:attr:: &postprocessor - -.. TODO: needs to be documented. - .. bro:attr:: &encrypt Encrypts files right before writing them to disk. .. TODO: needs to be documented in more detail. -.. bro:attr:: &match - -.. TODO: needs to be documented. - .. bro:attr:: &raw_output Opens a file in raw mode, i.e., non-ASCII characters are not @@ -846,6 +838,3 @@ scripting language supports the following built-in attributes. .. TODO: needs documented -.. bro:attr:: (&tracked) - -.. TODO: needs documented or removed if it's not used anywhere. diff --git a/scripts/base/frameworks/notice/cluster.bro b/scripts/base/frameworks/notice/cluster.bro index 3ee113acf3..e812c3fdca 100644 --- a/scripts/base/frameworks/notice/cluster.bro +++ b/scripts/base/frameworks/notice/cluster.bro 
@@ -21,12 +21,10 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/; redef Cluster::worker2manager_events += /Notice::cluster_notice/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) + # The notice policy is completely handled by the manager and shouldn't be # done by workers or proxies to save time for packet processing. -event bro_init() &priority=11 - { - Notice::policy = table(); - } +redef Notice::policy = table(); event Notice::begin_suppression(n: Notice::Info) { diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index 0861559558..a3db7061d3 100644 --- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -88,7 +88,10 @@ redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] }; const teredo_ports = { 3544/udp }; redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] }; -redef likely_server_ports += { ayiya_ports, teredo_ports }; +const gtpv1u_ports = { 2152/udp }; +redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1u_ports] }; + +redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1u_ports }; event bro_init() &priority=5 { diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index df3596d31e..e5365a9428 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
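Review bot: Replacing the `bro_init() &priority=11` handler with `redef Notice::policy = table();` moves the reset from run-time to parse-time, so it only discards policy entries added by scripts loaded before this file; any `redef Notice::policy += { ... }` in a script loaded later on a worker or proxy would survive, whereas the old handler cleared everything after all redefs had been applied. If that load-order dependency is intended, the comment should say so, e.g. `# Parse-time reset: policy entries redef'd by scripts loaded after this one are kept.`; otherwise the bro_init handler is the safer form.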
@@ -1450,6 +1450,44 @@ type teredo_hdr: record { hdr: pkt_hdr; ##< IPv6 and transport protocol headers. }; +## A GTPv1 (GPRS Tunneling Protocol) header. +type gtpv1_hdr: record { + ## The 3-bit version field, which for GTPv1 should be 1. + version: count; + ## Protocol Type value differentiates GTP (value 1) from GTP' (value 0). + pt_flag: bool; + ## Reserved field, should be 0. + rsv: bool; + ## Extension Header flag. When 0, the *next_type* field may or may not + ## be present, but shouldn't be meaningful. When 1, *next_type* is + ## present and meaningful. + e_flag: bool; + ## Sequence Number flag. When 0, the *seq* field may or may not + ## be present, but shouldn't be meaningful. When 1, *seq* is + ## present and meaningful. + s_flag: bool; + ## N-PDU flag. When 0, the *n_pdu* field may or may not + ## be present, but shouldn't be meaningful. When 1, *n_pdu* is + ## present and meaningful. + pn_flag: bool; + ## Message Type. A value of 255 indicates user-plane data is encapsulated. + msg_type: count; + ## Length of the GTP packet payload (the rest of the packet following the + ## mandatory 8-byte GTP header). + length: count; + ## Tunnel Endpoint Identifier. Unambiguously identifies a tunnel endpoint + ## in receiving GTP-U or GTP-C protocol entity. + teid: count; + ## Sequence Number. Set if any *e_flag*, *s_flag*, or *pn_flag* field is + ## set. + seq: count &optional; + ## N-PDU Number. Set if any *e_flag*, *s_flag*, or *pn_flag* field is set. + n_pdu: count &optional; + ## Next Extension Header Type. Set if any *e_flag*, *s_flag*, or *pn_flag* + ## field is set. + next_type: count &optional; +}; + ## Definition of "secondary filters". A secondary filter is a BPF filter given as ## index in this table. For each such filter, the corresponding event is raised for ## all matching packets. 
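Review bot: The comment on `length` should say where the value comes from: the analyzer fills it with `ntohs(${pdu.length})` straight from the wire and nothing visible here cross-checks it against the captured payload, so script handlers should not treat it as a safe bound. Suggest `## Payload length as reported by the GTP header; not validated against the captured payload.`. The three optional fields are assigned together under a single `has_opt` check in the analyzer, so the "Set if any *e_flag*, *s_flag*, or *pn_flag* field is set" sentence could be stated once for all three rather than repeated.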
@@ -2786,6 +2824,9 @@ export { ## Toggle whether to do IPv6-in-Teredo decapsulation. const enable_teredo = T &redef; + ## Toggle whether to do GTPv1 decapsulation. + const enable_gtpv1 = T &redef; + ## With this option set, the Teredo analysis will first check to see if ## other protocol analyzers have confirmed that they think they're ## parsing the right protocol and only continue with Teredo tunnel @@ -2802,6 +2843,15 @@ export { ## :bro:see:`Tunnel::yielding_teredo_decapsulation`. const delay_teredo_confirmation = T &redef; + ## With this set, the GTP analyzer waits until the most-recent upflow + ## and downflow packets are a valid GTPv1 encapsulation before + ## issuing :bro:see:`protocol_confirmation`. If it's false, the + ## first occurence of a packet with valid GTPv1 encapsulation causes + ## confirmation. Since the same inner connection can be carried + ## differing outer upflow/downflow connections, setting to false + ## may work better. + const delay_gtp_confirmation = F &redef; + ## How often to cleanup internal state for inactive IP tunnels. const ip_tunnel_timeout = 24hrs &redef; } # end export diff --git a/scripts/base/misc/find-checksum-offloading.bro b/scripts/base/misc/find-checksum-offloading.bro index a0a2c692b7..15c1d6661d 100644 --- a/scripts/base/misc/find-checksum-offloading.bro +++ b/scripts/base/misc/find-checksum-offloading.bro @@ -14,7 +14,8 @@ export { } # Keep track of how many bad checksums have been seen. -global bad_checksums = 0; +global bad_ip_checksums = 0; +global bad_tcp_checksums = 0; # Track to see if this script is done so that messages aren't created multiple times. global done = F; 
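Review bot: Typo and a dropped word in the `delay_gtp_confirmation` comment: "occurence" should be "occurrence", and "can be carried differing outer upflow/downflow connections" needs "by", i.e. "can be carried by differing outer upflow/downflow connections". It would also help to define "valid GTPv1 encapsulation" here, since the analyzer only counts a G-PDU whose payload parses as an IPv4/IPv6 packet, e.g. `## A packet counts as valid when it is a G-PDU whose payload parses as an IP packet.`.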
@@ -25,10 +26,19 @@ event ChecksumOffloading::check() return; local pkts_recvd = net_stats()$pkts_recvd; - if ( (bad_checksums*1.0 / net_stats()$pkts_recvd*1.0) > 0.05 ) + local bad_ip_checksum_pct = (pkts_recvd != 0) ? (bad_ip_checksums*1.0 / pkts_recvd*1.0) : 0; + local bad_tcp_checksum_pct = (pkts_recvd != 0) ? (bad_tcp_checksums*1.0 / pkts_recvd*1.0) : 0; + if ( bad_ip_checksum_pct > 0.05 || bad_tcp_checksum_pct > 0.05 ) { local packet_src = reading_traces() ? "trace file likely has" : "interface is likely receiving"; - local message = fmt("Your %s invalid IP checksums, most likely from NIC checksum offloading.", packet_src); + local bad_checksum_msg = (bad_ip_checksum_pct > 0.0) ? "IP" : ""; + if ( bad_tcp_checksum_pct > 0.0 ) + { + if ( |bad_checksum_msg| > 0 ) + bad_checksum_msg += " and "; + bad_checksum_msg += "TCP"; + } + local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading.", packet_src, bad_checksum_msg); Reporter::warning(message); done = T; } @@ -48,7 +58,13 @@ event bro_init() event net_weird(name: string) { if ( name == "bad_IP_checksum" ) - ++bad_checksums; + ++bad_ip_checksums; + } + +event conn_weird(name: string, c: connection, addl: string) + { + if ( name == "bad_TCP_checksum" ) + ++bad_tcp_checksums; } event bro_done() diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 21b4fb6113..660386f901 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro 
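Review bot: The warning text uses a different threshold than the warning condition: `bad_checksum_msg` names "IP" whenever `bad_ip_checksum_pct > 0.0`, so a trace with a single stray bad IP checksum and more than 5% bad TCP checksums is reported as "IP and TCP" checksums. Use the same cut-off for naming as for firing: `local bad_checksum_msg = (bad_ip_checksum_pct > 0.05) ? "IP" : "";` and `if ( bad_tcp_checksum_pct > 0.05 )`. The body of ChecksumOffloading::check starts before this hunk.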
@@ -94,6 +94,19 @@ export { "XROXY-CONNECTION", "PROXY-CONNECTION", } &redef; + + ## A list of HTTP methods. Other methods will generate a weird. Note + ## that the HTTP analyzer will only accept methods consisting solely + ## of letters ``[A-Za-z]``. + const http_methods: set[string] = { + "GET", "POST", "HEAD", "OPTIONS", + "PUT", "DELETE", "TRACE", "CONNECT", + # HTTP methods for distributed authoring: + "PROPFIND", "PROPPATCH", "MKCOL", + "COPY", "MOVE", "LOCK", "UNLOCK", + "POLL", "REPORT", "SUBSCRIBE", "BMOVE", + "SEARCH" + } &redef; ## Event that can be handled to access the HTTP record as it is sent on ## to the logging framework. @@ -180,6 +193,9 @@ event http_request(c: connection, method: string, original_URI: string, c$http$method = method; c$http$uri = unescaped_URI; + + if ( method !in http_methods ) + event conn_weird("unknown_HTTP_method", c, method); } event http_reply(c: connection, version: string, code: count, reason: string) &priority=5 diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.bro index e158d045e0..b4b5fd1f03 100644 --- a/scripts/base/protocols/smtp/entities.bro +++ b/scripts/base/protocols/smtp/entities.bro @@ -177,6 +177,10 @@ event mime_one_header(c: connection, h: mime_header_rec) if ( h$name == "CONTENT-DISPOSITION" && /[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value ) c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value); + + if ( h$name == "CONTENT-TYPE" && + /[nN][aA][mM][eE][:blank:]*=/ in h$value ) + c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value); } event mime_end_entity(c: connection) &priority=-5 diff --git a/scripts/base/utils/files.bro b/scripts/base/utils/files.bro index e1e599b0b6..76d2ecea4f 100644 --- a/scripts/base/utils/files.bro +++ b/scripts/base/utils/files.bro 
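Review bot: The comment on `http_methods` claims the analyzer only accepts methods made of letters `[A-Za-z]`, but the HTTP.cc change in this same commit accepts any RFC 2616 token, so digits and characters such as `-`, `_`, `!` and `~` now reach `http_request` and this set check. Suggest `## Note that the HTTP analyzer accepts any RFC 2616 token as a method; a method not in this set generates an "unknown_HTTP_method" weird.`. Because the method string is attacker-chosen and ends up in http.log and the weird's `addl`, handlers should not assume it is short or alphabetic.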
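Review bot: The new Content-Type pattern `/[nN][aA][mM][eE][:blank:]*=/` uses a single-bracketed `[:blank:]`, which is an ordinary character class matching the characters `:`, `b`, `l`, `a`, `n` and `k`, not whitespace; `name = "x"` with spaces around `=` therefore never matches, and `name="x"` only matches because the class is allowed to match zero characters. It should be `/[nN][aA][mM][eE][[:blank:]]*=/`, as files.bro writes it. mime_one_header's body starts before this hunk.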
@@ -19,7 +19,7 @@ function generate_extraction_filename(prefix: string, c: connection, suffix: str ## the filename. function extract_filename_from_content_disposition(data: string): string { - local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, ""); + local filename = sub(data, /^.*[nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, ""); # Remove quotes around the filename if they are there. if ( /^\"/ in filename ) filename = split_n(filename, /\"/, F, 2)[2]; diff --git a/src/AYIYA.cc b/src/AYIYA.cc index c525a73b6c..79fa44e743 100644 --- a/src/AYIYA.cc +++ b/src/AYIYA.cc @@ -20,5 +20,13 @@ void AYIYA_Analyzer::Done() void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); - interp->NewData(orig, data, data + len); + + try + { + interp->NewData(orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } } diff --git a/src/Analyzer.cc b/src/Analyzer.cc index 0a5188d76c..15926dfa2a 100644 --- a/src/Analyzer.cc +++ b/src/Analyzer.cc @@ -41,6 +41,7 @@ #include "Syslog-binpac.h" #include "Teredo.h" #include "ConnSizeAnalyzer.h" +#include "GTPv1.h" // Keep same order here as in AnalyzerTag definition! const Analyzer::Config Analyzer::analyzer_configs[] = { @@ -143,6 +144,9 @@ const Analyzer::Config Analyzer::analyzer_configs[] = { { AnalyzerTag::Teredo, "TEREDO", Teredo_Analyzer::InstantiateAnalyzer, Teredo_Analyzer::Available, 0, false }, + { AnalyzerTag::GTPv1, "GTPV1", + GTPv1_Analyzer::InstantiateAnalyzer, + GTPv1_Analyzer::Available, 0, false }, { AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer, File_Analyzer::Available, 0, false }, diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h index 4dbbcd7499..38e47cf8fc 100644 --- a/src/AnalyzerTags.h +++ b/src/AnalyzerTags.h 
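Review bot: With the pattern relaxed from `filename=` to `name=`, `extract_filename_from_content_disposition` now also serves Content-Type `name=` parameters (its new caller in smtp/entities.bro), and the greedy `^.*` means it returns whatever follows the last `name=` or `filename=` on the line. The doc comment, which begins above this hunk, should say so, e.g. `## Extracts the value of the last "name=" or "filename=" parameter in a Content-Disposition or Content-Type header value.`, so the function's name does not mislead the next reader. A quoted value that itself contains `name=` is cut at that point; worth a one-line caveat.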
@@ -38,6 +38,7 @@ namespace AnalyzerTag { AYIYA, SOCKS, Teredo, + GTPv1, // Other File, Backdoor, InterConn, SteppingStone, TCPStats, diff --git a/src/Attr.cc b/src/Attr.cc index 6cc582f053..244d1e1687 100644 --- a/src/Attr.cc +++ b/src/Attr.cc @@ -14,8 +14,8 @@ const char* attr_name(attr_tag t) "&rotate_interval", "&rotate_size", "&add_func", "&delete_func", "&expire_func", "&read_expire", "&write_expire", "&create_expire", - "&persistent", "&synchronized", "&postprocessor", - "&encrypt", "&match", + "&persistent", "&synchronized", + "&encrypt", "&raw_output", "&mergeable", "&priority", "&group", "&log", "&error_handler", "&type_column", "(&tracked)", @@ -337,11 +337,6 @@ void Attributes::CheckAttr(Attr* a) Error("&rotate_size only applicable to files"); break; - case ATTR_POSTPROCESSOR: - if ( type->Tag() != TYPE_FILE ) - Error("&postprocessor only applicable to files"); - break; - case ATTR_ENCRYPT: if ( type->Tag() != TYPE_FILE ) Error("&encrypt only applicable to files"); diff --git a/src/Attr.h b/src/Attr.h index c9a0dedb33..c3e05d4762 100644 --- a/src/Attr.h +++ b/src/Attr.h @@ -25,9 +25,7 @@ typedef enum { ATTR_EXPIRE_CREATE, ATTR_PERSISTENT, ATTR_SYNCHRONIZED, - ATTR_POSTPROCESSOR, ATTR_ENCRYPT, - ATTR_MATCH, ATTR_RAW_OUTPUT, ATTR_MERGEABLE, ATTR_PRIORITY, diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 6867b9639c..d304604dcd 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -203,6 +203,8 @@ binpac_target(dns.pac dns-protocol.pac dns-analyzer.pac) binpac_target(dns_tcp.pac dns.pac) +binpac_target(gtpv1.pac + gtpv1-protocol.pac gtpv1-analyzer.pac) binpac_target(http.pac http-protocol.pac http-analyzer.pac) binpac_target(ncp.pac) @@ -332,6 +334,7 @@ set(bro_SRCS Frame.cc Func.cc Gnutella.cc + GTPv1.cc HTTP.cc HTTP-binpac.cc Hash.cc diff --git a/src/Expr.cc b/src/Expr.cc index 07ee4eb1e1..3a4e8add70 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
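Review bot: Removing `ATTR_POSTPROCESSOR` and `ATTR_MATCH` from `attr_tag` renumbers every tag after `ATTR_SYNCHRONIZED`. If attribute tags are ever written out by numeric value — through the state serializer or persistent state, for instance — a peer or saved state from an older build will read `&encrypt`, `&raw_output`, `&priority` and the rest as the wrong attribute; worth checking Attr's serialization code and bumping the serial format version if so. The `attr_name` table and the enum are kept in step here, which is the other invariant that must hold.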
@@ -229,9 +229,10 @@ bool Expr::DoUnserialize(UnserialInfo* info) } -NameExpr::NameExpr(ID* arg_id) : Expr(EXPR_NAME) +NameExpr::NameExpr(ID* arg_id, bool const_init) : Expr(EXPR_NAME) { id = arg_id; + in_const_init = const_init; SetType(id->Type()->Ref()); EventHandler* h = event_registry->Lookup(id->Name()); @@ -287,6 +288,9 @@ Expr* NameExpr::MakeLvalue() if ( id->AsType() ) ExprError("Type name is not an lvalue"); + if ( id->IsConst() && ! in_const_init ) + ExprError("const is not a modifiable lvalue"); + return new RefExpr(this); } @@ -337,9 +341,11 @@ bool NameExpr::DoSerialize(SerialInfo* info) const // Write out just the name of the function if requested. if ( info->globals_as_names && id->IsGlobal() ) - return SERIALIZE('n') && SERIALIZE(id->Name()); + return SERIALIZE('n') && SERIALIZE(id->Name()) && + SERIALIZE(in_const_init); else - return SERIALIZE('f') && id->Serialize(info); + return SERIALIZE('f') && id->Serialize(info) && + SERIALIZE(in_const_init); } bool NameExpr::DoUnserialize(UnserialInfo* info) @@ -370,6 +376,9 @@ bool NameExpr::DoUnserialize(UnserialInfo* info) if ( ! id ) return false; + if ( ! UNSERIALIZE(&in_const_init) ) + return false; + return true; } @@ -2950,16 +2959,12 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const if ( IsError() ) return 0; - if ( v1->Type()->Tag() == TYPE_VECTOR ) - { - Val* v = v1->AsVectorVal()->Lookup(v2); - // ### dangerous - this can silently fail larger operations - // due to a missing element - return v ? v->Ref() : 0; - } + Val* v = 0; - TableVal* v_tbl = v1->AsTableVal(); - Val* v = v_tbl->Lookup(v2); + if ( v1->Type()->Tag() == TYPE_VECTOR ) + v = v1->AsVectorVal()->Lookup(v2); + else + v = v1->AsTableVal()->Lookup(v2); if ( v ) return v->Ref(); 
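Review bot: The new const check lives only in `NameExpr::MakeLvalue`, so it rejects `c = x` on a const identifier, but whether `c$field = x`, `c[i] = x`, `add c[i]` or `delete c[i]` on a const aggregate are rejected depends on whether the Index/Field lvalue paths call the operand's `MakeLvalue`, which is not visible here; a test for those forms belongs with the #922 change. Separately, `DoSerialize` and `DoUnserialize` now carry an extra bool with no visible format-version bump, so a pre-change peer that exchanges serialized expressions with this build would desynchronize; confirm that the serial version is bumped or that NameExprs never cross versions.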
@@ -3290,20 +3295,22 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list) Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const { - RecordVal* rv = Eval(0)->AsRecordVal(); - RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr); + Val* v = Eval(0); - if ( ar ) + if ( v ) { - Unref(rv); - return ar; + RecordVal* rv = v->AsRecordVal(); + RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr); + + if ( ar ) + { + Unref(rv); + return ar; + } } - else - { - Error("bad record initializer"); - return 0; - } + Error("bad record initializer"); + return 0; } Val* RecordConstructorExpr::Fold(Val* v) const diff --git a/src/Expr.h b/src/Expr.h index afdf02c124..ea17c735b5 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -198,7 +198,7 @@ protected: class NameExpr : public Expr { public: - NameExpr(ID* id); + NameExpr(ID* id, bool const_init = false); ~NameExpr(); ID* Id() const { return id; } @@ -220,6 +220,7 @@ protected: DECLARE_SERIAL(NameExpr); ID* id; + bool in_const_init; }; class ConstExpr : public Expr { diff --git a/src/File.h b/src/File.h index 8e3d0ca6e7..a37b7fe0a6 100644 --- a/src/File.h +++ b/src/File.h @@ -56,7 +56,7 @@ public: // Rotates the logfile. Returns rotate_info. RecordVal* Rotate(); - // Set &rotate_interval, &rotate_size, &postprocessor, + // Set &rotate_interval, &rotate_size, // and &raw_output attributes. void SetAttrs(Attributes* attrs); diff --git a/src/GTPv1.cc b/src/GTPv1.cc new file mode 100644 index 0000000000..68b6f30a0c --- /dev/null +++ b/src/GTPv1.cc 
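Review bot: When `Eval(0)` returns a value but `CoerceTo` fails, `rv` is never released: the `Unref(rv)` only runs on the success path, so every bad record initializer leaks the evaluated RecordVal (assuming `Eval` hands back an owned reference, as the success-path Unref implies; the pre-change code had the same leak, but this rewrite is the place to close it). Add `Unref(rv);` after the inner `if ( ar ) { ... }` block, before falling through to `Error("bad record initializer");`.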
@@ -0,0 +1,31 @@
+#include "GTPv1.h"
+
+GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
+: Analyzer(AnalyzerTag::GTPv1, conn)
+ {
+ interp = new binpac::GTPv1::GTPv1_Conn(this);
+ }
+
+GTPv1_Analyzer::~GTPv1_Analyzer()
+ {
+ delete interp;
+ }
+
+void GTPv1_Analyzer::Done()
+ {
+ Analyzer::Done();
+ Event(udp_session_done);
+ }
+
+void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+ {
+ Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
+ }
diff --git a/src/GTPv1.h b/src/GTPv1.h
new file mode 100644
index 0000000000..e111158833
--- /dev/null
+++ b/src/GTPv1.h
@@ -0,0 +1,29 @@
+#ifndef GTPv1_h
+#define GTPv1_h
+
+#include "gtpv1_pac.h"
+
+class GTPv1_Analyzer : public Analyzer {
+public:
+ GTPv1_Analyzer(Connection* conn);
+ virtual ~GTPv1_Analyzer();
+
+ virtual void Done();
+ virtual void DeliverPacket(int len, const u_char* data, bool orig,
+ int seq, const IP_Hdr* ip, int caplen);
+
+ static Analyzer* InstantiateAnalyzer(Connection* conn)
+ { return new GTPv1_Analyzer(conn); }
+
+ static bool Available()
+ { return BifConst::Tunnel::enable_gtpv1 &&
+ BifConst::Tunnel::max_depth > 0; }
+
+protected:
+ friend class AnalyzerTimer;
+ void ExpireTimer(double t);
+
+ binpac::GTPv1::GTPv1_Conn* interp;
+};
+
+#endif
diff --git a/src/HTTP.cc b/src/HTTP.cc
index 9d9f01be64..7e4079b853 100644
--- a/src/HTTP.cc
+++ b/src/HTTP.cc
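Review bot: `GTPv1_Analyzer` declares `void ExpireTimer(double t);` and befriends `AnalyzerTimer`, but GTPv1.cc defines no `ExpireTimer` and nothing in the new files arms a timer, so this looks carried over from another tunnel analyzer; either drop both lines or add the definition, otherwise the first caller gets a link error. `Available()` correctly gates on both `Tunnel::enable_gtpv1` and `Tunnel::max_depth > 0`, which matches the depth check in the .pac file.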
@@ -1116,38 +1116,39 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
 return line;
 }
 
+static bool is_HTTP_token_char(char c)
+ {
+ return c > 31 && c != 127 && // CTL per RFC 2616.
+ c != ' ' && c != '\t' && // Separators.
+ c != '(' && c != ')' && c != '<' && c != '>' && c != '@' &&
+ c != ',' && c != ';' && c != ':' && c != '\\' && c != '"' &&
+ c != '/' && c != '[' && c != ']' && c != '?' && c != '=' &&
+ c != '{' && c != '}';
+ }
+
+static const char* get_HTTP_token(const char* s, const char* e)
+ {
+ while ( s < e && is_HTTP_token_char(*s) )
+ ++s;
+
+ return s;
+ }
+
+
 int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 {
 const char* rest = 0;
- static const char* http_methods[] = {
- "GET", "POST", "HEAD",
+ const char* end_of_method = get_HTTP_token(line, end_of_line);
 
- "OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT",
+ if ( end_of_method == line )
+ goto error;
 
- // HTTP methods for distributed authoring.
- "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
- "COPY", "MOVE", "LOCK", "UNLOCK",
- "POLL", "REPORT", "SUBSCRIBE", "BMOVE",
+ rest = skip_whitespace(end_of_method, end_of_line);
 
- "SEARCH",
+ if ( rest == end_of_method )
+ goto error;
 
- 0,
- };
-
- int i;
- for ( i = 0; http_methods[i]; ++i )
- if ( (rest = PrefixWordMatch(line, end_of_line, http_methods[i])) != 0 )
- break;
-
- if ( ! http_methods[i] )
- {
- // Weird("HTTP_unknown_method");
- if ( RequestExpected() )
- HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line));
- return 0;
- }
-
- request_method = new StringVal(http_methods[i]);
+ request_method = new StringVal(end_of_method - line, line);
 
 if ( ! ParseRequest(rest, end_of_line) )
 reporter->InternalError("HTTP ParseRequest failed");
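Review bot: `is_HTTP_token_char` takes a plain `char`, so bytes 0x80–0xFF are negative on signed-char targets (rejected by `c > 31`) but positive on unsigned-char targets such as ARM and PowerPC, where they pass every comparison and become part of the method; RFC 2616 tokens are ASCII-only, so the two builds parse and log a request line such as `G\xc3\x89T / HTTP/1.1` differently. Make the test byte-based: `unsigned char uc = static_cast<unsigned char>(c);` followed by `return uc > 31 && uc < 127 &&` with `uc` in place of `c` in the remaining comparisons. Note also that the accepted method is now an attacker-chosen token of unbounded length stored in `request_method` and surfaced to scripts. HTTP_RequestLine's body continues past this hunk.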
@@ -1157,6 +1158,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) unescaped_URI->AsString()->Len(), true, true, true, true); return 1; + +error: + reporter->Weird(Conn(), "bad_HTTP_request"); + return 0; } int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) diff --git a/src/NetVar.cc b/src/NetVar.cc index 248ae15e1a..1783130f34 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -5,6 +5,7 @@ #include "Var.h" #include "NetVar.h" +RecordType* gtpv1_hdr_type; RecordType* conn_id; RecordType* endpoint; RecordType* endpoint_stats; @@ -308,6 +309,7 @@ void init_net_var() #include "input.bif.netvar_init" #include "reporter.bif.netvar_init" + gtpv1_hdr_type = internal_type("gtpv1_hdr")->AsRecordType(); conn_id = internal_type("conn_id")->AsRecordType(); endpoint = internal_type("endpoint")->AsRecordType(); endpoint_stats = internal_type("endpoint_stats")->AsRecordType(); diff --git a/src/NetVar.h b/src/NetVar.h index 2561fa0ad9..4bb2d2a7f9 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -8,6 +8,7 @@ #include "EventRegistry.h" #include "Stats.h" +extern RecordType* gtpv1_hdr_type; extern RecordType* conn_id; extern RecordType* endpoint; extern RecordType* endpoint_stats; diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 564ad2be68..66f8def489 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -545,8 +545,11 @@ RemoteSerializer::~RemoteSerializer() { if ( child_pid ) { - kill(child_pid, SIGKILL); - waitpid(child_pid, 0, 0); + if ( kill(child_pid, SIGKILL) < 0 ) + reporter->Warning("warning: cannot kill child (pid %d), %s", child_pid, strerror(errno)); + + else if ( waitpid(child_pid, 0, 0) < 0 ) + reporter->Warning("warning: error encountered during waitpid(%d), %s", child_pid, strerror(errno)); } delete io; 
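Review bot: In the `~RemoteSerializer` hunk the `else if` skips `waitpid()` whenever `kill()` fails, but the only failure that means there is nothing to reap is ESRCH; for any other errno (EPERM, for instance, if the child changed credentials) the child is left unreaped. Attempt the wait regardless and report only the unexpected cases: `if ( kill(child_pid, SIGKILL) < 0 && errno != ESRCH ) reporter->Warning(...);` then `if ( waitpid(child_pid, 0, 0) < 0 && errno != ECHILD ) reporter->Warning(...);`. The literal "warning:" inside the `reporter->Warning` format strings is likely redundant if Reporter already labels warnings.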
@@ -1032,6 +1035,14 @@ bool RemoteSerializer::SendAllSynchronized(Peer* peer, SerialInfo* info) for ( ; index < sync_ids.length(); ++index ) { + if ( ! sync_ids[index]->ID_Val() ) + { +#ifdef DEBUG + DBG_LOG(DBG_COMM, "Skip sync of ID with null value: %s\n", + sync_ids[index]->Name()); +#endif + continue; + } cont->SaveContext(); StateAccess sa(OP_ASSIGN, sync_ids[index], @@ -3153,7 +3164,10 @@ void RemoteSerializer::FatalError(const char* msg) reporter->Error("%s", msg); closed = true; - kill(child_pid, SIGQUIT); + + if ( kill(child_pid, SIGQUIT) < 0 ) + reporter->Warning("warning: cannot kill child pid %d, %s", child_pid, strerror(errno)); + child_pid = 0; using_communication = false; io->Clear(); @@ -3963,7 +3977,7 @@ bool SocketComm::Connect(Peer* peer) { int status; addrinfo hints, *res, *res0; - bzero(&hints, sizeof(hints)); + memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_protocol = IPPROTO_TCP; @@ -4095,7 +4109,7 @@ bool SocketComm::Listen() { int status, on = 1; addrinfo hints, *res, *res0; - bzero(&hints, sizeof(hints)); + memset(&hints, 0, sizeof(hints)); IPAddr listen_ip(listen_if); @@ -4360,7 +4374,8 @@ void SocketComm::Kill() CloseListenFDs(); - kill(getpid(), SIGTERM); + if ( kill(getpid(), SIGTERM) < 0 ) + Log(fmt("warning: cannot kill SocketComm pid %d, %s", getpid(), strerror(errno))); while ( 1 ) ; // loop until killed diff --git a/src/Trigger.cc b/src/Trigger.cc index 164f11b885..b7e08b557e 100644 --- a/src/Trigger.cc +++ b/src/Trigger.cc @@ -217,8 +217,15 @@ bool Trigger::Eval() Name()); Unref(v); + v = 0; stmt_flow_type flow; - v = body->Exec(f, flow); + + try + { + v = body->Exec(f, flow); + } + catch ( InterpreterException& e ) + { /* Already reported. */ } if ( is_return ) { 
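Review bot: `FatalError` sends SIGQUIT and then sets `child_pid = 0` without any `waitpid()`, so the destructor's kill/waitpid path no longer sees the child and it is never reaped, leaving a zombie until the parent exits (the zeroing predates this commit, but the new error reporting makes it the obvious place to fix). Either leave `child_pid` set so the destructor reaps it, or add a `waitpid(child_pid, 0, WNOHANG)`-style reap here before zeroing; a small helper shared with the destructor would also remove the duplicated warning text.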
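Review bot: In `Trigger::Eval`, when `body->Exec` throws, `flow` is left uninitialized and `v` is null; `Cache` now tolerates a null `v`, but anything after this hunk that reads `flow` (the `is_return` branch starts here and continues past the hunk) would read an indeterminate value. Initialize `flow` to the normal-completion value before the `try` rather than leaving `stmt_flow_type flow;` bare. Also `catch ( InterpreterException& e )` should catch by `const&` and can drop the unused name, `catch ( const InterpreterException& )`, to avoid unused-variable warnings; the same applies to the `Timeout` hunk that follows.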
@@ -300,7 +307,14 @@ void Trigger::Timeout() { stmt_flow_type flow; Frame* f = frame->Clone(); - Val* v = timeout_stmts->Exec(f, flow); + Val* v = 0; + + try + { + v = timeout_stmts->Exec(f, flow); + } + catch ( InterpreterException& e ) + { /* Already reported. */ } if ( is_return ) { @@ -382,7 +396,7 @@ void Trigger::Attach(Trigger *trigger) void Trigger::Cache(const CallExpr* expr, Val* v) { - if ( disabled ) + if ( disabled || ! v ) return; ValCache::iterator i = cache.find(expr); diff --git a/src/Var.cc b/src/Var.cc index 2e9fdbe946..b4d76097d3 100644 --- a/src/Var.cc +++ b/src/Var.cc @@ -210,7 +210,6 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init, // defined. Func* f = new BroFunc(id, 0, 0, 0, 0); id->SetVal(new Val(f)); - id->SetConst(); } } @@ -233,8 +232,9 @@ Stmt* add_local(ID* id, BroType* t, init_class c, Expr* init, Ref(id); + Expr* name_expr = new NameExpr(id, dt == VAR_CONST); Stmt* stmt = - new ExprStmt(new AssignExpr(new NameExpr(id), init, 0, 0, + new ExprStmt(new AssignExpr(name_expr, init, 0, 0, id->Attrs() ? id->Attrs()->Attrs() : 0 )); stmt->SetLocationInfo(init->GetLocationInfo()); diff --git a/src/const.bif b/src/const.bif index 7373403c11..ea7dc03817 100644 --- a/src/const.bif +++ b/src/const.bif @@ -15,8 +15,10 @@ const Tunnel::max_depth: count; const Tunnel::enable_ip: bool; const Tunnel::enable_ayiya: bool; const Tunnel::enable_teredo: bool; +const Tunnel::enable_gtpv1: bool; const Tunnel::yielding_teredo_decapsulation: bool; const Tunnel::delay_teredo_confirmation: bool; +const Tunnel::delay_gtp_confirmation: bool; const Tunnel::ip_tunnel_timeout: interval; const Threading::heartbeat_interval: interval; diff --git a/src/event.bif b/src/event.bif index b965c26ae9..8dd940f38b 100644 --- a/src/event.bif +++ b/src/event.bif 
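Review bot: In the Var.cc hunk, dropping `id->SetConst()` from the function-declaration path of `make_var` makes every declared-but-not-yet-defined function identifier non-const, presumably so that the later definition is not rejected by the new `NameExpr::MakeLvalue` check. The side effect is that script code may now reassign such an identifier (`f = other_func;`) without a parse error, which the old code forbade; if only the definition itself should be allowed, building that definition's NameExpr with `const_init` set, as `add_local` now does with `new NameExpr(id, dt == VAR_CONST)`, would keep the identifier const. A regression test pinning whichever behaviour is intended belongs with #922.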
@@ -577,6 +577,19 @@ event teredo_origin_indication%(outer: connection, inner: teredo_hdr%); ## it may become particularly expensive for real-time analysis. event teredo_bubble%(outer: connection, inner: teredo_hdr%); +## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload +## that includes a GTP header followed by an IPv4 or IPv6 packet. +## +## outer: The GTP outer tunnel connection. +## +## inner_gtp: The GTP header. +## +## inner_ip: The inner IP and transport layer packet headers. +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%); + ## Generated for every packet that has a non-empty transport-layer payload. ## This is a very low-level and expensive event that should be avoided when ## at all possible. It's usually infeasible to handle when processing even @@ -858,7 +871,7 @@ event udp_contents%(u: connection, is_orig: bool, contents: string%); ## Generated when a UDP session for a supported protocol has finished. Some of ## Bro's application-layer UDP analyzers flag the end of a session by raising ## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA, -## and Teredo support this. +## Teredo, and GTPv1 support this. ## ## u: The connection record for the corresponding UDP flow. ## diff --git a/src/gtpv1-analyzer.pac b/src/gtpv1-analyzer.pac new file mode 100644 index 0000000000..08fbdef74a --- /dev/null +++ b/src/gtpv1-analyzer.pac 
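Review bot: The `gtpv1_g_pdu_packet` doc says the event fires for packets whose UDP payload is a GTP header followed by an IP packet, but the analyzer in this commit only raises it for message type 255 with the protocol-type flag set and no extension header (packets with `e_flag` set are skipped), and only when the inner IP header parses. Stating those conditions in the doc, e.g. `## Only raised for G-PDU (message type 255) packets without extension headers whose payload parses as IPv4/IPv6; GTP' and signalling messages are not reported.`, keeps handler authors from expecting signalling traffic here.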
@@ -0,0 +1,161 @@
+
+connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
+ {
+ upflow = GTPv1_Flow(true);
+ downflow = GTPv1_Flow(false);
+
+ %member{
+ bool valid_orig;
+ bool valid_resp;
+ %}
+
+ %init{
+ valid_orig = valid_resp = false;
+ %}
+
+ function valid(orig: bool): bool
+ %{
+ return orig ? valid_orig : valid_resp;
+ %}
+
+ function set_valid(orig: bool, val: bool): void
+ %{
+ if ( orig )
+ valid_orig = val;
+ else
+ valid_resp = val;
+ %}
+ }
+
+%code{
+inline void violate(const char* r, const BroAnalyzer& a, const bytestring& p)
+ {
+ a->ProtocolViolation(r, (const char*) p.data(), p.length());
+ }
+%}
+
+flow GTPv1_Flow(is_orig: bool)
+ {
+ datagram = GTPv1_Header withcontext(connection, this);
+
+ function process_gtpv1(pdu: GTPv1_Header): bool
+ %{
+ BroAnalyzer a = connection()->bro_analyzer();
+ Connection *c = a->Conn();
+ const EncapsulationStack* e = c->GetEncapsulation();
+
+ connection()->set_valid(is_orig(), false);
+
+ if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
+ {
+ reporter->Weird(c, "tunnel_depth");
+ return false;
+ }
+
+ if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
+ {
+ // GTP is never tunneled in GTP so, this must be a regular packet
+ violate("GTP-in-GTP", a, ${pdu.packet});
+ return false;
+ }
+
+ if ( ${pdu.version} != 1 )
+ {
+ // Only know of GTPv1 with Version == 1
+ violate("GTPv1 bad Version", a, ${pdu.packet});
+ return false;
+ }
+
+ if ( ! ${pdu.pt_flag} )
+ {
+ // Not interested in GTP'
+ return false;
+ }
+
+ if ( ${pdu.e_flag} )
+ {
+ // TODO: can't currently parse past extension headers
+ return false;
+ }
+
+ if ( ${pdu.msg_type} != 0xff )
+ {
+ // Only interested in decapsulating user plane data beyond here.
+ return false;
+ }
+
+ if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
+ {
+ violate("Truncated GTPv1", a, ${pdu.packet});
+ return false;
+ }
+
+ const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
+
+ if ( ip->ip_v != 4 && ip->ip_v != 6 )
+ {
+ violate("non-IP packet in GTPv1", a, ${pdu.packet});
+ return false;
+ }
+
+ IP_Hdr* inner = 0;
+ int result = sessions->ParseIPPacket(${pdu.packet}.length(),
+ ${pdu.packet}.data(), ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4,
+ inner);
+
+ if ( result == 0 )
+ {
+ connection()->set_valid(is_orig(), true);
+
+ if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
+ (connection()->valid(true) && connection()->valid(false)) )
+ a->ProtocolConfirmation();
+ }
+
+ else if ( result < 0 )
+ violate("Truncated GTPv1", a, ${pdu.packet});
+
+ else
+ violate("GTPv1 payload length", a, ${pdu.packet});
+
+ if ( result != 0 )
+ {
+ delete inner;
+ return false;
+ }
+
+ if ( ::gtpv1_g_pdu_packet )
+ {
+ RecordVal* rv = new RecordVal(gtpv1_hdr_type);
+
+ rv->Assign(0, new Val(${pdu.version}, TYPE_COUNT));
+ rv->Assign(1, new Val(${pdu.pt_flag}, TYPE_BOOL));
+ rv->Assign(2, new Val(${pdu.rsv}, TYPE_BOOL));
+ rv->Assign(3, new Val(${pdu.e_flag}, TYPE_BOOL));
+ rv->Assign(4, new Val(${pdu.s_flag}, TYPE_BOOL));
+ rv->Assign(5, new Val(${pdu.pn_flag}, TYPE_BOOL));
+ rv->Assign(6, new Val(${pdu.msg_type}, TYPE_COUNT));
+ rv->Assign(7, new Val(ntohs(${pdu.length}), TYPE_COUNT));
+ rv->Assign(8, new Val(ntohl(${pdu.teid}), TYPE_COUNT));
+
+ if ( ${pdu.has_opt} )
+ {
+ rv->Assign(9, new Val(ntohs(${pdu.opt_hdr.seq}), TYPE_COUNT));
+ rv->Assign(10, new Val(${pdu.opt_hdr.n_pdu}, TYPE_COUNT));
+ rv->Assign(11, new Val(${pdu.opt_hdr.next_type}, TYPE_COUNT));
+ }
+
+ BifEvent::generate_gtpv1_g_pdu_packet(a, c, rv,
+ inner->BuildPktHdrVal());
+ }
+
+ EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);
+
+ sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec);
+
+ return (result == 0) ? true : false;
+ %}
+
+ };
+
+refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };
diff --git a/src/gtpv1-protocol.pac b/src/gtpv1-protocol.pac
new file mode 100644
index 0000000000..5bf31a48ee
--- /dev/null
+++ b/src/gtpv1-protocol.pac
@@ -0,0 +1,27 @@
+
+type GTPv1_Header = record {
+ flags: uint8;
+ msg_type: uint8;
+ length: uint16;
+ teid: uint32;
+ opt: case has_opt of {
+ true -> opt_hdr: GTPv1_Opt_Header;
+ false -> no_opt: empty;
+ } &requires(has_opt);
+ packet: bytestring &restofdata;
+
+} &let {
+ version: uint8 = (flags & 0xE0) >> 5;
+ pt_flag: bool = flags & 0x10;
+ rsv: bool = flags & 0x08;
+ e_flag: bool = flags & 0x04;
+ s_flag: bool = flags & 0x02;
+ pn_flag: bool = flags & 0x01;
+ has_opt: bool = flags & 0x07;
+} &byteorder = littleendian;
+
+type GTPv1_Opt_Header = record {
+ seq: uint16;
+ n_pdu: uint8;
+ next_type: uint8;
+}
diff --git a/src/gtpv1.pac b/src/gtpv1.pac
new file mode 100644
index 0000000000..d155ecfd67
--- /dev/null
+++ b/src/gtpv1.pac
@@ -0,0 +1,10 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer GTPv1 withcontext {
+ connection: GTPv1_Conn;
+ flow: GTPv1_Flow;
+};
+
+%include gtpv1-protocol.pac
+%include gtpv1-analyzer.pac
diff --git a/src/input/readers/Ascii.cc b/src/input/readers/Ascii.cc
index e9cba27205..1dba2f0c39 100644
--- a/src/input/readers/Ascii.cc
+++ b/src/input/readers/Ascii.cc
@@ -273,14 +273,14 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 {
 Error(Fmt("Field: %s Invalid value for boolean: %s",
 field.name.c_str(), s.c_str()));
- return 0;
+ goto parse_error;
 }
 break;
 case TYPE_INT:
 val->val.int_val = strtoll(s.c_str(), &end, 10);
 if ( CheckNumberError(s, end) )
- return 0;
+ goto parse_error;
 break;
 case TYPE_DOUBLE:
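Review bot: `ntohs(${pdu.length})`, `ntohl(${pdu.teid})` and `ntohs(${pdu.opt_hdr.seq})` in process_gtpv1 undo a byte order that is only the raw memory order on little-endian hosts: gtpv1-protocol.pac declares the record `&byteorder = littleendian`, so binpac already hands back a host-order integer, and on a big-endian host ntohs/ntohl are the identity and the reported length, TEID and sequence number come out byte-swapped. GTP header fields are network order, so the record should be `&byteorder = bigendian` in gtpv1-protocol.pac and the ntoh* calls dropped; the baselines in this commit were evidently produced on a little-endian host and would be unaffected. Separately, by the time `return (result == 0) ? true : false;` runs the `result != 0` branch has already returned, so that line is simply `return true;`.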
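Review bot: The parsed `length` field of GTPv1_Header is never compared with the actual payload: `packet` is `&restofdata`, so a G-PDU whose declared length disagrees with the datagram is decapsulated as if well-formed and only the inner IP parser gets a chance to object. A check in process_gtpv1 ahead of the inner parse, `if ( ${pdu.length} != ${pdu.packet}.length() + (${pdu.has_opt} ? 4 : 0) ) violate("GTPv1 header length", a, ${pdu.packet});` (with `length` read in network order), would report the mismatch as a protocol violation; whether trailing padding should be tolerated is worth deciding in a comment there. `has_opt: bool = flags & 0x07;` also deserves `// Optional fields are present when any of E, S or PN is set.`, since it is not obvious that three flags all imply the same 4-byte block.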
@@ -288,20 +288,20 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 case TYPE_INTERVAL:
 val->val.double_val = strtod(s.c_str(), &end);
 if ( CheckNumberError(s, end) )
- return 0;
+ goto parse_error;
 break;
 case TYPE_COUNT:
 case TYPE_COUNTER:
 val->val.uint_val = strtoull(s.c_str(), &end, 10);
 if ( CheckNumberError(s, end) )
- return 0;
+ goto parse_error;
 break;
 case TYPE_PORT:
 val->val.port_val.port = strtoull(s.c_str(), &end, 10);
 if ( CheckNumberError(s, end) )
- return 0;
+ goto parse_error;
 val->val.port_val.proto = TRANSPORT_UNKNOWN;
 break;
@@ -313,13 +313,13 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 if ( pos == s.npos )
 {
 Error(Fmt("Invalid value for subnet: %s", s.c_str()));
- return 0;
+ goto parse_error;
 }
 uint8_t width = (uint8_t) strtol(s.substr(pos+1).c_str(), &end, 10);
 if ( CheckNumberError(s, end) )
- return 0;
+ goto parse_error;
 string addr = s.substr(0, pos);
@@ -349,6 +349,7 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 }
 unsigned int pos = 0;
+ bool error = false;
 if ( s.compare(empty_field) == 0 )
 length = 0;
@@ -385,14 +386,16 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 {
 Error(Fmt("Internal error while parsing set. pos %d >= length %d."
 " Element: %s", pos, length, element.c_str()));
+ error = true;
 break;
 }
 Value* newval = EntryToVal(element, field.subType());
 if ( newval == 0 )
 {
- Error("Error while reading set");
- return 0;
+ Error("Error while reading set or vector");
+ error = true;
+ break;
 }
 lvals[pos] = newval;
@@ -403,22 +406,32 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 // Test if the string ends with a set_separator... or if the
 // complete string is empty. In either of these cases we have
 // to push an empty val on top of it.
- if ( s.empty() || *s.rbegin() == set_separator[0] )
+ if ( ! error && (s.empty() || *s.rbegin() == set_separator[0]) )
 {
 lvals[pos] = EntryToVal("", field.subType());
 if ( lvals[pos] == 0 )
 {
 Error("Error while trying to add empty set element");
- return 0;
+ goto parse_error;
 }
 pos++;
 }
+ if ( error ) {
+ // We had an error while reading a set or a vector.
+ // Hence we have to clean up the values that have
+ // been read so far
+ for ( unsigned int i = 0; i < pos; i++ )
+ delete lvals[i];
+
+ goto parse_error;
+ }
+
 if ( pos != length )
 {
 Error(Fmt("Internal error while parsing set: did not find all elements: %s", s.c_str()));
- return 0;
+ goto parse_error;
 }
 break;
@@ -427,10 +440,14 @@ Value* Ascii::EntryToVal(string s, FieldMapping field)
 default:
 Error(Fmt("unsupported field format %d for %s",
 field.type, field.name.c_str()));
- return 0;
+ goto parse_error;
 }
 return val;
+
+parse_error:
+ delete val;
+ return 0;
 }
 // read the entire file and send appropriate thingies back to InputMgr
@@ -572,7 +589,7 @@ bool Ascii::DoUpdate()
 // array structure.
 for ( int i = 0; i < fpos; i++ )
- delete fields[fpos];
+ delete fields[i];
 delete [] fields;
 continue;
diff --git a/src/parse.y b/src/parse.y
index 0385c1c4e1..079fc16c43 100644
--- a/src/parse.y
+++ b/src/parse.y
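Review bot: The new `if ( error )` block deletes `lvals[0..pos)` and then jumps to `parse_error`, where `delete val` runs; whether `lvals` has already been attached to `val` at that point is not visible in the hunk, and if it has, those elements are freed a second time, while if it has not, the `lvals` array itself still leaks on this path. Settling that with an explicit `delete [] lvals;` next to the loop, or a comment stating that `val` owns the array, would make the cleanup auditable. The `parse_error:` label would also benefit from `// Common exit for every parse failure: val has not been handed to the caller yet.`. EntryToVal begins before the first of these hunks; the same `goto parse_error` pattern is used by the hunks at -273, -288, -313 and -427.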
@@ -17,7 +17,7 @@
 %token TOK_STRING TOK_SUBNET TOK_SWITCH TOK_TABLE
 %token TOK_TIME TOK_TIMEOUT TOK_TIMER TOK_TYPE TOK_UNION TOK_VECTOR TOK_WHEN
-%token TOK_ATTR_ADD_FUNC TOK_ATTR_ATTR TOK_ATTR_ENCRYPT TOK_ATTR_DEFAULT
+%token TOK_ATTR_ADD_FUNC TOK_ATTR_ENCRYPT TOK_ATTR_DEFAULT
 %token TOK_ATTR_OPTIONAL TOK_ATTR_REDEF TOK_ATTR_ROTATE_INTERVAL
 %token TOK_ATTR_ROTATE_SIZE TOK_ATTR_DEL_FUNC TOK_ATTR_EXPIRE_FUNC
 %token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE
diff --git a/src/scan.l b/src/scan.l
index 4e1a66144e..bf4cd76f23 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -319,7 +319,6 @@
 vector return TOK_VECTOR;
 when return TOK_WHEN;
 &add_func return TOK_ATTR_ADD_FUNC;
-&attr return TOK_ATTR_ATTR;
 &create_expire return TOK_ATTR_EXPIRE_CREATE;
 &default return TOK_ATTR_DEFAULT;
 &delete_func return TOK_ATTR_DEL_FUNC;
diff --git a/src/types.bif b/src/types.bif
index 34e17ce28e..888310419c 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -184,6 +184,7 @@ enum Type %{
 AYIYA,
 TEREDO,
 SOCKS,
+ GTPv1,
 %}
 type EncapsulatingConn: record;
diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
new file mode 100644
index 0000000000..e2861b4ae1
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
@@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-03-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.321642 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 tcp http 0.257902 1138 63424 S3 - 0 ShADadf 29 2310 49 65396 UWkUyAuUGXf,k6kgXLOoSKl +1333458850.325787 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - 0 D 49 67160 0 0 (empty) +1333458850.321642 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - 0 D 29 3354 0 0 (empty) +#close 2012-10-19-17-03-55 diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log new file mode 100644 index 0000000000..66b17e1200 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2012-10-19-17-03-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1333458850.340368 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - +1333458850.399501 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - +#close 2012-10-19-17-03-55 diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log new file mode 100644 index 0000000000..233ad1c850 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log 
@@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-03-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458850.321642 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.325787 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.579544 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.579544 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-03-55 diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log new file mode 100644 index 0000000000..1234558195 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-07-44 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458871.219794 UWkUyAuUGXf 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - 0 D 1 64 0 0 (empty) +#close 2012-10-19-17-07-44 diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log new file mode 100644 index 0000000000..a293d6ff6a --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2012-10-19-17-07-44 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1333458871.219794 UWkUyAuUGXf 10.131.24.6 2152 195.178.38.3 53 udp 27595 abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F +#close 2012-10-19-17-07-44 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log new file mode 100644 index 0000000000..326205172a --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-21-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458851.770000 arKYeMETxOg fe80::224c:4fff:fe43:414c 1234 ff02::1:3 5355 udp dns - - - S0 - 0 D 1 80 0 0 UWkUyAuUGXf +1333458851.770000 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - 0 D 2 208 0 0 (empty) +1333458851.969236 k6kgXLOoSKl fe80::224c:4fff:fe43:414c 133 ff02::2 134 icmp - - - - OTH - 0 - 1 56 0 0 UWkUyAuUGXf +#close 2012-10-19-17-21-27 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log new file mode 100644 index 0000000000..dfae2ba269 --- /dev/null 
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-21-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458851.770000 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458851.969236 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-21-27 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log new file mode 100644 index 0000000000..9c3e1f6f66 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log 
@@ -0,0 +1,26 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-34-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.037956 qCaWGmzFtM5 10.131.112.102 51403 94.245.121.253 3544 udp teredo - - - SHR - 0 d 0 0 1 84 GSxOnSLghOa +1333458850.040098 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - 0 D 2 248 0 0 (empty) +1333458850.016620 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 udp teredo - - - S0 - 0 D 1 80 0 0 k6kgXLOoSKl +1333458850.029781 FrJExwHcSal 172.24.16.67 52298 94.245.121.253 3544 udp teredo - - - S0 - 0 D 1 88 0 0 TEfuqmmG4bh +1333458850.035456 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - 0 D 2 250 0 0 (empty) +1333458850.016620 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - 0 Dd 1 116 1 120 (empty) +1333458850.029781 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - 0 D 2 248 0 0 (empty) +1333458850.035460 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 udp teredo - - - S0 - 0 D 1 89 0 0 VW0XPVINV8a +1333458850.037956 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - 0 D 1 120 0 0 (empty) +1333458850.014199 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - 0 D 1 124 0 0 (empty) +1333458850.040098 h5DsfNtYzi1 172.24.203.81 54447 65.55.158.118 3544 udp teredo 0.003698 120 0 S0 - 0 D 2 176 0 0 70MGiRM1Qf4 +1333458850.029783 5OKnoww6xl4 172.24.16.67 52298 65.55.158.118 3544 udp teredo - - - S0 - 0 D 1 88 0 0 TEfuqmmG4bh +1333458850.032887 3PKsZ2Uye21 10.131.42.160 62069 94.245.121.253 3544 udp teredo - - 
- SHR - 0 d 0 0 1 84 k6kgXLOoSKl +1333458850.014199 arKYeMETxOg 172.24.204.200 56528 65.55.158.118 3544 udp teredo - - - S0 - 0 D 1 88 0 0 UWkUyAuUGXf +1333458850.035456 fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 udp teredo - - - S0 - 0 D 1 89 0 0 VW0XPVINV8a +1333458850.016620 j4u32Pc5bif 2001:0:5ef5:79fb:38b8:1695:2b37:be8e 128 2002:2571:c817::2571:c817 129 icmp - - - - OTH - 0 - 1 52 0 0 nQcgTWjvg4c +1333458850.035456 qSsw6ESzHV4 fe80::ffff:ffff:fffe 133 ff02::2 134 icmp - 0.000004 0 0 OTH - 0 - 2 96 0 0 fRFu0wcOle6,iE6yhOq3SF +#close 2012-10-19-17-34-25 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log new file mode 100644 index 0000000000..904fcc7db6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log 
@@ -0,0 +1,27 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-34-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458850.014199 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.016620 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.016620 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 Tunnel::TEREDO Tunnel::DISCOVER +1333458850.029781 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.035456 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.035456 fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 Tunnel::TEREDO Tunnel::DISCOVER +1333458850.035460 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 Tunnel::TEREDO Tunnel::DISCOVER +1333458850.037956 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.040098 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.043796 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 Tunnel::TEREDO Tunnel::CLOSE +1333458850.043796 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 Tunnel::TEREDO Tunnel::CLOSE +1333458850.043796 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 
fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 Tunnel::TEREDO Tunnel::CLOSE +#close 2012-10-19-17-34-25 diff --git a/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out new file mode 100644 index 0000000000..a299c4d592 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out @@ -0,0 +1 @@ +protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...] diff --git a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log new file mode 100644 index 0000000000..ad6e4fb2c4 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-46-48 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.532814 UWkUyAuUGXf 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - 0 D 1 52 0 0 (empty) +1333458850.867091 arKYeMETxOg 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - 0 Dd 1 40 1 42 (empty) +#close 2012-10-19-17-46-48 diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log new file mode 100644 index 0000000000..9f250903f2 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-19-16 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458852.011535 arKYeMETxOg 10.222.10.10 44960 173.194.69.188 5228 tcp ssl 0.573499 704 1026 S1 - 0 ShADad 17 1604 14 1762 UWkUyAuUGXf +1333458852.011535 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - 0 Dd 17 2216 14 2322 (empty) +#close 2012-10-19-17-19-16 diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/out b/testing/btest/Baseline/core.tunnels.gtp.opt_header/out new file mode 100644 index 0000000000..7feeb2a110 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/out 
@@ -0,0 +1,31 @@ +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=64, teid=159098, seq=0, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=170, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=1, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=194, teid=159098, seq=2, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=111, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=3, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=89, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=4, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=93, teid=159098, seq=5, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, 
teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=457, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=6, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=7, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=137, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=8, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=9, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=10, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=11, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=205, teid=159098, seq=12, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=13, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, 
msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log new file mode 100644 index 0000000000..a421f399ec --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-19-16 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458852.011535 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458852.585034 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-19-16 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log new file mode 100644 index 0000000000..b5f61564cf --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-16-44-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.364667 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - 0 ShADadfF 27 3204 41 52594 UWkUyAuUGXf +1333458850.364667 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - 0 Dd 27 4176 41 54070 (empty) +#close 2012-10-19-16-44-02 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log new file mode 100644 index 0000000000..8a994d56af --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2012-10-19-16-44-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1333458850.375568 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com /videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 0 56320 206 Partial Content - - - (empty) - - - application/octet-stream - - +#close 2012-10-19-16-44-02 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log new file mode 100644 index 0000000000..54c4acd0d6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log 
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open 2012-10-19-16-44-02
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+1333458850.364667 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 Tunnel::GTPv1 Tunnel::DISCOVER
+1333458850.434480 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 Tunnel::GTPv1 Tunnel::CLOSE
+#close 2012-10-19-16-44-02
diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
new file mode 100644
index 0000000000..221fa16f4f
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dpd
+#open 2012-10-19-17-38-54
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
+#types time string addr port addr port enum string string
+1333458853.075889 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [E\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eVP\x10\x10\xe0u\xcf\x00\x00...]
+#close 2012-10-19-17-38-54
diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log
new file mode 100644
index 0000000000..659090a581
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open 2012-10-19-17-38-54
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+1333458853.034734 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::DISCOVER
+1333458853.108391 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::CLOSE
+#close 2012-10-19-17-38-54
diff --git a/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stderr b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stderr
new file mode 100644
index 0000000000..256600445d
--- /dev/null
+++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stderr
@@ -0,0 +1,5 @@
+1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 32: field value missing [p$ip]
+1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 53: field value missing [p$ip]
+1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 43: field value missing [p$ip]
+1355264617.053514 expression error in /home/jsiwek/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 16: field value missing [p$ip]
+1355264617.053514 received termination signal
diff --git a/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout
new file mode 100644
index 0000000000..49eafc365f
--- /dev/null
+++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout
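Review bot: The four `expression error in ...` lines of the new core.when-interpreter-exceptions/bro..stderr baseline embed the author's absolute checkout path `/home/jsiwek/bro/testing/btest/.tmp/...`, so this baseline can only match on that machine and btest-diff will fail everywhere else on the path alone. The language.const baselines added in this same commit show the portable form (`error in ./invalid.bro, line 15: ...`), so running the script by a relative path in the test's `@TEST-EXEC` line, or canonifying the path prefix away before `btest-diff`, would fix it; if a canonifier is already configured for this test, the stored baseline should not contain the prefix, which suggests it is not being applied. The identical `1355264617.053514` timestamp on every line looks like a fixed network time rather than wall clock, but if it is wall clock the baseline will drift on every run as well; worth confirming.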
@@ -0,0 +1,8 @@
+timeout g(), F
+timeout g(), T
+timeout
+g() done, no exception, T
+localhost resolved
+localhost resolved from f(), T
+localhost resolved from f(), F
+f() done, no exception, T
diff --git a/testing/btest/Baseline/istate.sync/receiver.vars.log b/testing/btest/Baseline/istate.sync/receiver.vars.log
index b28cfbd5c9..192876bd3e 100644
--- a/testing/btest/Baseline/istate.sync/receiver.vars.log
+++ b/testing/btest/Baseline/istate.sync/receiver.vars.log
@@ -31,3 +31,4 @@ file "test2" of string
 6667/tcp
 [2, 20, 3, 4]
 [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=]
+122112
diff --git a/testing/btest/Baseline/istate.sync/sender.vars.log b/testing/btest/Baseline/istate.sync/sender.vars.log
index b28cfbd5c9..192876bd3e 100644
--- a/testing/btest/Baseline/istate.sync/sender.vars.log
+++ b/testing/btest/Baseline/istate.sync/sender.vars.log
@@ -31,3 +31,4 @@ file "test2" of string
 6667/tcp
 [2, 20, 3, 4]
 [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=]
+122112
diff --git a/testing/btest/Baseline/language.const/invalid.stderr b/testing/btest/Baseline/language.const/invalid.stderr
new file mode 100644
index 0000000000..b08c472708
--- /dev/null
+++ b/testing/btest/Baseline/language.const/invalid.stderr
@@ -0,0 +1,13 @@
+error in ./invalid.bro, line 15: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 16: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 17: const is not a modifiable lvalue (bar)
+error in ./invalid.bro, line 17: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 18: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 19: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 20: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 22: const is not a modifiable lvalue (foo)
+error in ./invalid.bro, line 25: const is not a modifiable lvalue (bar)
+error in ./invalid.bro, line 26: const is not a modifiable lvalue (baz)
+error in ./invalid.bro, line 27: const is not a modifiable lvalue (bar)
+error in ./invalid.bro, line 28: const is not a modifiable lvalue (baz)
+error in ./invalid.bro, line 33: const is not a modifiable lvalue (foo)
diff --git a/testing/btest/Baseline/language.const/invalid.stdout b/testing/btest/Baseline/language.const/invalid.stdout
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/language.const/valid.stderr b/testing/btest/Baseline/language.const/valid.stderr
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/language.const/valid.stdout b/testing/btest/Baseline/language.const/valid.stdout
new file mode 100644
index 0000000000..5e3a76f060
--- /dev/null
+++ b/testing/btest/Baseline/language.const/valid.stdout
@@ -0,0 +1,10 @@
+40
+enter f, 10
+exit f, 110
+enter f, 9
+exit f, 109
+enter f, 7
+exit f, 107
+foo, 10
+bar, 9
+baz, 7
diff --git a/testing/btest/Baseline/language.invalid_index/out b/testing/btest/Baseline/language.invalid_index/out
new file mode 100644
index 0000000000..9110a8979d
--- /dev/null
+++ b/testing/btest/Baseline/language.invalid_index/out
@@ -0,0 +1,7 @@
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 8: no such index (foo[1])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 9: no such index (foo[2])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 12: no such index (foo2[1])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 13: no such index (foo2[2])
+foo[0], 42
+foo2[0], 13
+done
diff --git a/testing/btest/Baseline/language.record-bad-ctor/out b/testing/btest/Baseline/language.record-bad-ctor/out
new file mode 100644
index 0000000000..2b890419ae
--- /dev/null
+++ b/testing/btest/Baseline/language.record-bad-ctor/out
@@ -0,0 +1,3 @@
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 6: no type given (asdfasdf)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: uninitialized list value ($ports=asdfasdf)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: bad record initializer ([$ports=asdfasdf])
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline b/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline
index 3ef51e40f2..54005fb4b8 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidnumbers/.stderrwithoutfirstline
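Review bot: Both new `out` baselines here (language.invalid_index and language.record-bad-ctor) record the script's absolute path `/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/...` in every `error in ...` line, so they can only pass on the author's machine. The language.const hunk in this same commit already shows the portable form, `error in ./invalid.bro, line 15: ...`, so invoking the script by a relative path in the test's `@TEST-EXEC` line (or canonifying the prefix before `btest-diff`) is enough to make these two tests reproducible. If a path canonifier is believed to be in place for these tests, the stored baseline should not contain the prefix at all, so the baselines should be regenerated after checking the canonifier actually runs.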
@@ -1,8 +1,8 @@
-error: ../input.log/Input::READER_ASCII: Number '12129223372036854775800' out of supported range.
-error: ../input.log/Input::READER_ASCII: Could not convert line '12129223372036854775800 121218446744073709551612' to Val. Ignoring line.
-warning: ../input.log/Input::READER_ASCII: Number '9223372036854775801TEXTHERE' contained non-numeric trailing characters. Ignored trailing characters 'TEXTHERE'
-warning: ../input.log/Input::READER_ASCII: Number '1Justtext' contained non-numeric trailing characters. Ignored trailing characters 'Justtext'
-error: ../input.log/Input::READER_ASCII: String 'Justtext' contained no parseable number
-error: ../input.log/Input::READER_ASCII: Could not convert line 'Justtext 1' to Val. Ignoring line.
-received termination signal
+1355266097.683599 error: ../input.log/Input::READER_ASCII: Number '12129223372036854775800' out of supported range.
+1355266097.683599 error: ../input.log/Input::READER_ASCII: Could not convert line '12129223372036854775800 121218446744073709551612' to Val. Ignoring line.
+1355266097.683599 warning: ../input.log/Input::READER_ASCII: Number '9223372036854775801TEXTHERE' contained non-numeric trailing characters. Ignored trailing characters 'TEXTHERE'
+1355266097.683599 warning: ../input.log/Input::READER_ASCII: Number '1Justtext' contained non-numeric trailing characters. Ignored trailing characters 'Justtext'
+1355266097.683599 error: ../input.log/Input::READER_ASCII: String 'Justtext' contained no parseable number
+1355266097.683599 error: ../input.log/Input::READER_ASCII: Could not convert line 'Justtext 1' to Val. Ignoring line.
+1355266097.683599 received termination signal
 >>>
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline
new file mode 100644
index 0000000000..f0545daeae
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline
@@ -0,0 +1,4 @@
+1355265853.593476 error: ../input.log/Input::READER_ASCII: String 'l' contained no parseable number
+1355265853.593476 error: ../input.log/Input::READER_ASCII: Could not convert line ' l' to Val. Ignoring line.
+1355265853.593476 received termination signal
+>>>
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out
new file mode 100644
index 0000000000..4950b6f590
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out
@@ -0,0 +1,3 @@
+{
+[] = [c=5]
+}
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr
index 4380007b93..e61280cdfc 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr
@@ -1,5 +1,5 @@
-error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat
-error: does-not-exist.dat/Input::READER_ASCII: Init failed
-warning: Stream input is already queued for removal. Ignoring remove.
-error: does-not-exist.dat/Input::READER_ASCII: terminating thread
-received termination signal
+1355265996.626106 error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat
+1355265996.626106 error: does-not-exist.dat/Input::READER_ASCII: Init failed
+1355265996.626106 warning: Stream input is already queued for removal. Ignoring remove.
+1355265996.626106 error: does-not-exist.dat/Input::READER_ASCII: terminating thread
+1355265996.626106 received termination signal
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
index c4ac546ab6..5d95fdc0c0 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
@@ -56,20 +56,20 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes
 1300475167096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 73 0 0
 1300475167097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 0 0 S0 F 0 D 1 199 0 0
 1300475167099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp 0 0 0 S0 F 0 D 1 179 0 0
-1300475168853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 435 0 89 SHR F 0 Cd 0 0 1 117
-1300475168854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 420 0 99 SHR F 0 Cd 0 0 1 127
-1300475168854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 0 183 SHR F 0 Cd 0 0 1 211
-1300475168857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 317 0 89 SHR F 0 Cd 0 0 1 117
-1300475168858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 343 0 99 SHR F 0 Cd 0 0 1 127
-1300475168858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 375 0 183 SHR F 0 Cd 0 0 1 211
-1300475168891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 339 0 89 SHR F 0 Cd 0 0 1 117
-1300475168892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 334 0 99 SHR F 0 Cd 0 0 1 127
-1300475168892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 420 0 183 SHR F 0 Cd 0 0 1 211
-1300475168893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 384 0 89 SHR F 0 Cd 0 0 1 117
-1300475168894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 316 0 99 SHR F 0 Cd 0 0 1 127
-1300475168894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 422 0 183 SHR F 0 Cd 0 0 1 211
-1300475168901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 402 0 131 SHR F 0 Cd 0 0 1 159
-1300475168902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 374 0 198 SHR F 0 Cd 0 0 1 226
+1300475168853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 435 38 89 SF F 0 Dd 1 66 1 117
+1300475168854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 420 52 99 SF F 0 Dd 1 80 1 127
+1300475168854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 38 183 SF F 0 Dd 1 66 1 211
+1300475168857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 317 38 89 SF F 0 Dd 1 66 1 117
+1300475168858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 343 52 99 SF F 0 Dd 1 80 1 127
+1300475168858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 375 38 183 SF F 0 Dd 1 66 1 211
+1300475168891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 339 38 89 SF F 0 Dd 1 66 1 117
+1300475168892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 334 52 99 SF F 0 Dd 1 80 1 127
+1300475168892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 420 38 183 SF F 0 Dd 1 66 1 211
+1300475168893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 384 38 89 SF F 0 Dd 1 66 1 117
+1300475168894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 316 52 99 SF F 0 Dd 1 80 1 127
+1300475168894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 422 38 183 SF F 0 Dd 1 66 1 211
+1300475168901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 402 36 131 SF F 0 Dd 1 64 1 159
+1300475168902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 374 36 198 SF F 0 Dd 1 64 1 226
 1300475169899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 85 0 0
 1300475170862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2613016 350 0 S0 F 0 D 7 546 0 0
 1300475171675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 100096 66 0 S0 F 0 D 2 162 0 0
@@ -77,13 +77,13 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes
 1300475173116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 99801 66 0 S0 F 0 D 2 162 0 0
 1300475173117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 99848 66 0 S0 F 0 D 2 122 0 0
 1300475173153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0 0 0 S0 F 0 D 1 78 0 0
-1300475168859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp 215893 1130 734 S1 F 1130 ShACad 4 216 4 950
-1300475168652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 61328 0 350 OTH F 0 CdA 1 52 1 402
-1300475168895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp 227283 1178 734 S1 F 1178 ShACad 4 216 4 950
-1300475168902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp 120040 534 412 S1 F 534 ShACad 3 164 3 576
-1300475168892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp 229603 1148 734 S1 F 1148 ShACad 4 216 4 950
-1300475168855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp 218501 1171 733 S1 F 1171 ShACad 4 216 4 949
-1300475168892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp 220960 1137 733 S1 F 1137 ShACad 4 216 4 949
+1300475168859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 215893 1130 734 S1 F 0 ShADad 6 1450 4 950
+1300475168652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 61328 463 350 OTH F 0 DdA 2 567 1 402
+1300475168895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 227283 1178 734 S1 F 0 ShADad 6 1498 4 950
+1300475168902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 120040 534 412 S1 F 0 ShADad 4 750 3 576
+1300475168892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 229603 1148 734 S1 F 0 ShADad 6 1468 4 950
+1300475168855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 218501 1171 733 S1 F 0 ShADad 6 1491 4 949
+1300475168892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 220960 1137 733 S1 F 0 ShADad 6 1457 4 949
 1300475169780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp 0 0 0 OTH F 0 h 0 0 1 48
-1300475168724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp 119904 525 232 S1 F 525 ShACad 3 164 3 396
-1300475168855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp 219720 1125 734 S1 F 1125 ShACad 4 216 4 950
+1300475168724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 119904 525 232 S1 F 0 ShADad 4 741 3 396
+1300475168855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 219720 1125 734 S1 F 0 ShADad 6 1445 4 950
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
index b74b9fd7e3..5af6f702b8 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
@@ -56,20 +56,20 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes
 1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 73 0 0
 1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0.000000 0 0 S0 F 0 D 1 199 0 0
 1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp 0.000000 0 0 S0 F 0 D 1 179 0 0
-1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 0 89 SHR F 0 Cd 0 0 1 117
-1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 0 99 SHR F 0 Cd 0 0 1 127
-1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 0 183 SHR F 0 Cd 0 0 1 211
-1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 0 89 SHR F 0 Cd 0 0 1 117
-1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 0 99 SHR F 0 Cd 0 0 1 127
-1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 0 183 SHR F 0 Cd 0 0 1 211
-1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 0 89 SHR F 0 Cd 0 0 1 117
-1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 0 99 SHR F 0 Cd 0 0 1 127
-1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 0 183 SHR F 0 Cd 0 0 1 211
-1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 0 89 SHR F 0 Cd 0 0 1 117
-1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 0 99 SHR F 0 Cd 0 0 1 127
-1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 0 183 SHR F 0 Cd 0 0 1 211
-1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 0 131 SHR F 0 Cd 0 0 1 159
-1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 0 198 SHR F 0 Cd 0 0 1 226
+1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF F 0 Dd 1 66 1 117
+1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF F 0 Dd 1 80 1 127
+1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF F 0 Dd 1 66 1 211
+1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF F 0 Dd 1 66 1 117
+1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF F 0 Dd 1 80 1 127
+1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF F 0 Dd 1 66 1 211
+1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF F 0 Dd 1 66 1 117
+1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF F 0 Dd 1 80 1 127
+1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF F 0 Dd 1 66 1 211
+1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF F 0 Dd 1 66 1 117
+1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF F 0 Dd 1 80 1 127
+1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF F 0 Dd 1 66 1 211
+1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF F 0 Dd 1 64 1 159
+1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF F 0 Dd 1 64 1 226
 1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 85 0 0
 1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 F 0 D 7 546 0 0
 1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 F 0 D 2 162 0 0
@@ -77,13 +77,13 @@ ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes
 1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 F 0 D 2 162 0 0
 1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 F 0 D 2 122 0 0
 1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns 0.000000 0 0 S0 F 0 D 1 78 0 0
-1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp 0.215893 1130 734 S1 F 1130 ShACad 4 216 4 950
-1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 0.061329 0 350 OTH F 0 CdA 1 52 1 402
-1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp 0.227284 1178 734 S1 F 1178 ShACad 4 216 4 950
-1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp 0.120041 534 412 S1 F 534 ShACad 3 164 3 576
-1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp 0.229603 1148 734 S1 F 1148 ShACad 4 216 4 950
-1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp 0.218501 1171 733 S1 F 1171 ShACad 4 216 4 949
-1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp 0.220961 1137 733 S1 F 1137 ShACad 4 216 4 949
+1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 F 0 ShADad 6 1450 4 950
+1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp 0.061329 463 350 OTH F 0 DdA 2 567 1 402
+1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 F 0 ShADad 6 1498 4 950
+1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 F 0 ShADad 4 750 3 576
+1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 F 0 ShADad 6 1468 4 950
+1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 F 0 ShADad 6 1491 4 949
+1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 F 0 ShADad 6 1457 4 949
 1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp 0.000000 0 0 OTH F 0 h 0 0 1 48
-1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp 0.119905 525 232 S1 F 525 ShACad 3 164 3 396
-1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp 0.219720 1125 734 S1 F 1125 ShACad 4 216 4 950
+1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 F 0 ShADad 4 741 3 396
+1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 F 0 ShADad 6 1445 4 950
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
index ae62fbec3d..756a49a427 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
@@ -65,17 +65,17 @@ # Extent, type='http' ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
-1300475168.843894 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 0 0 0 304 Not Modified 0
-1300475168.975800 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475168.976327 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475168.979160 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475169.012666 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475169.012730 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475169.014860 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475169.022665 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 0 0 0 304 Not Modified 0
-1300475169.036294 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475169.036798 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475169.039923 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475169.074793 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475169.074938 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 0 0 0 304 Not Modified 0
-1300475169.075065 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 0 0 0 304 Not Modified 0
+1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.918358 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.952307 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.952296 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.954820 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.962687 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.975934 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.976436 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475168.979264 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
+1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
new file mode 100644
index 0000000000..ac84e5ae7a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
@@ -0,0 +1,58 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2012-12-07-04-43-19 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html - - +1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html - - +1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html - - +1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - 
text/html - - +1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad 
Request - - - (empty) - - - text/html - - +1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - +1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - +1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - 
text/html - - +1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - +1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - +1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - +1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328924.559704 E490YZTUozc 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - +1354328928.625437 YIeWJmXWNWj 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - +1354328932.692706 ydiZblvsYri 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - - 0 0 400 Bad Request - - - (empty) - - - - - - +1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +#close 2012-12-07-04-43-19 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log new file mode 100644 index 0000000000..8b963f00cf --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log 
@@ -0,0 +1,58 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2012-12-07-04-43-19 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1354328874.278822 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F bro +1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328874.321792 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F bro +1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328882.908690 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F bro +1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328882.949510 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F bro +1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328887.094494 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F bro +1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.141058 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F bro +1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.183942 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request - F bro +1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.226199 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F bro +1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.267625 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request - F bro +1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328891.309065 70MGiRM1Qf4 
128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro +1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro +1354328895.396634 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F bro +1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328895.438812 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F bro +1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro +1354328903.614145 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F bro +1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328903.656369 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F bro +1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328911.832856 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F bro +1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328911.876341 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F bro +1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328920.052085 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F bro +1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328920.094072 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F bro +1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328924.266693 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F bro +1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328924.308714 rrZWoMUQpv8 
128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F bro +1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328924.476011 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F bro +1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328924.518204 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F bro +1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328932.734579 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F bro +1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 unmatched_HTTP_reply - F bro +1354328932.776609 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F bro +1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 unmatched_HTTP_reply - F bro +#close 2012-12-07-04-43-19 diff --git a/testing/btest/Traces/http-methods.trace b/testing/btest/Traces/http-methods.trace new file mode 100644 index 0000000000..323e6ee06a Binary files /dev/null and b/testing/btest/Traces/http-methods.trace differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap b/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap new file mode 100755 index 0000000000..575edf55f9 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap b/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap new file mode 100755 index 0000000000..7ca3b3b05d Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap differ 
diff --git a/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap b/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap
new file mode 100755
index 0000000000..fda97cdaf5
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap differ
diff --git a/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap b/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap
new file mode 100755
index 0000000000..e623fd7912
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap differ
diff --git a/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap b/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap
new file mode 100755
index 0000000000..ca67a37046
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap differ
diff --git a/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap b/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap
new file mode 100755
index 0000000000..7dd3905c5d
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap differ
diff --git a/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap b/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap
new file mode 100755
index 0000000000..4f358bc374
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap differ
diff --git a/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap b/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap
new file mode 100755
index 0000000000..fff0b2ddfb
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap differ
diff --git a/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap b/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap
new file mode 100755
index 0000000000..a39026aeff
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap differ
diff --git a/testing/btest/Traces/wikipedia.trace b/testing/btest/Traces/wikipedia.trace
index 68d85e0190..9e21966243 100644
Binary files a/testing/btest/Traces/wikipedia.trace and b/testing/btest/Traces/wikipedia.trace differ
diff --git a/testing/btest/core/leaks/gtp_opt_header.test b/testing/btest/core/leaks/gtp_opt_header.test
new file mode 100644
index 0000000000..76c65d5762
--- /dev/null
+++ b/testing/btest/core/leaks/gtp_opt_header.test
@@ -0,0 +1,15 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out
+
+# Some GTPv1 headers have some optional fields totaling to a 4-byte extension
+# of the mandatory header.
+
+event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
+ {
+ print "gtpv1_packet", inner_gtp;
+ }
diff --git a/testing/btest/core/tunnels/gtp/different_dl_and_ul.test b/testing/btest/core/tunnels/gtp/different_dl_and_ul.test
new file mode 100644
index 0000000000..136853c463
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/different_dl_and_ul.test
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp2_different_udp_port.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Uplink GTP tunnel uses src port 5906 and dst port 2152.
+# One side on port 2152 qualifies for GTP user plane.
+# The Downlink GTP tunnel uses port 2152 for both src and dst.
+# (checksums are incorrect because packets were anonymized and tcprewrite
+# seems to fail to correct the checksums when there's IP fragmentation).
diff --git a/testing/btest/core/tunnels/gtp/false_gtp.test b/testing/btest/core/tunnels/gtp/false_gtp.test
new file mode 100644
index 0000000000..6e84be7323
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/false_gtp.test
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp3_false_gtp.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: test ! -e tunnel.log
+
+# The fact that udp port 2152 on only one side already qualifies for GTP
+# increases the risk for false positives, see this trace. This is not a
+# GTP packet, but a DNS packet which just happens to use port 2152
diff --git a/testing/btest/core/tunnels/gtp/inner_ipv6.test b/testing/btest/core/tunnels/gtp/inner_ipv6.test
new file mode 100644
index 0000000000..97d8562ecc
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/inner_ipv6.test
@@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp7_ipv6.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# While the majority of user plane traffic inside the GTP tunnel is still IPv4,
+# there is sometimes already native IPv6.
diff --git a/testing/btest/core/tunnels/gtp/inner_teredo.test b/testing/btest/core/tunnels/gtp/inner_teredo.test
new file mode 100644
index 0000000000..9161d31229
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/inner_teredo.test
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp8_teredo.pcap "Tunnel::delay_teredo_confirmation=F"
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# GTP packets may carry Teredo packets. Toggled the delay teredo confirmation
+# option so that it shows in the service field (in one case the inner
+# connection of the teredo packet is carried over differing outer connections).
diff --git a/testing/btest/core/tunnels/gtp/non_recursive.test b/testing/btest/core/tunnels/gtp/non_recursive.test
new file mode 100644
index 0000000000..d44bfce79d
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/non_recursive.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp4_udp_2152_inside.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+# In telecoms there is never a GTP tunnel within another GTP tunnel.
+# So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152,
+# it is just a UDP packet, but not another GTP tunnel.
+
+event protocol_violation(c: connection, atype: count, aid: count, reason: string)
+ {
+ print "protocol_violation", c$id, reason;
+ }
diff --git a/testing/btest/core/tunnels/gtp/not_user_plane_data.test b/testing/btest/core/tunnels/gtp/not_user_plane_data.test
new file mode 100644
index 0000000000..a6a3333360
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/not_user_plane_data.test
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp10_not_0xff.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: test ! -e tunnel.log
+
+# There are GTP tunnel packets, which do not contain user plane data. Only
+# those with gtp.message==0xff contain user plane data. Other GTP packets
+# without user plane data are echo request, echo reply, error indication
+# and stop marker (not included in trace). Those non-user plane GTP
+# packets are ignored for now.
diff --git a/testing/btest/core/tunnels/gtp/opt_header.test b/testing/btest/core/tunnels/gtp/opt_header.test
new file mode 100644
index 0000000000..32329c7ca8
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/opt_header.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Some GTPv1 headers have some optional fields totaling to a 4-byte extension
+# of the mandatory header.
+
+event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
+ {
+ print "gtpv1_packet", inner_gtp;
+ }
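Review bot: The comment block in non_recursive.test has a typo on its second line; it should read `# So if we find inside a GTP tunnel another IP/UDP packet with port 2152,`. From the hunk alone it is also not visible what the baseline `out` is expected to hold — whether the inner UDP/2152 packet produces a protocol_violation line or none at all — so one sentence in the comment stating the expected content of `out` would make the test self-explaining and would tell a future reader which direction a baseline change is a regression.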
diff --git a/testing/btest/core/tunnels/gtp/outer_ip_frag.test b/testing/btest/core/tunnels/gtp/outer_ip_frag.test
new file mode 100644
index 0000000000..b2badb9c1b
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/outer_ip_frag.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Normal GTP file, incl. TCP handshake and HTTP message.
+# The inner IP packet is put into a GTP tunnel and as the original user payload
+# is already 1500 byte, the tunneled packet incl. GTP/UDP/IP payload is
+# bigger than 1500 byte and thus the outer IP must be fragmented, as seen here.
+# (checksums are incorrect because packets were anonymized and tcprewrite
+# seems to fail to correct the checksums when there's IP fragmentation).
diff --git a/testing/btest/core/tunnels/gtp/unknown_or_too_short.test b/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
new file mode 100644
index 0000000000..e1b3d4ba20
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap
+# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Packet 11, epoch time 1333458853.075889 is malformed. Only 222 byte are
+# captured, although according to the IP header a full packet should be
+# available. In Sessions.cc this throws a weird message at line 710.
+# Packet 12, epoch time 1333458853.075904 is malformed. The user plane
+# packet is no IPv4 nor IPv6 packet. Very probably this is a follow up
+# issue on a problem of the user plane packet before it was put into the
+# tunnel. The user plane packet may got corrupt and then put into 2 tunnel
+# packets, here packet 11 and 12, and in packet 12 the user plane data is
+# part of the remainder of the broken user plane packet of packet 11.
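Review bot: The comment in unknown_or_too_short.test ties its explanation to a source line number (`In Sessions.cc this throws a weird message at line 710.`), which goes stale with the next edit to Sessions.cc; naming the weird keeps the comment stable, e.g. `# available. Sessions.cc reports this as the weird <weird name>.` If that weird is the intended observable for the truncated packet 11, the test currently diffs only dpd.log and tunnel.log and so does not pin it; adding `# @TEST-EXEC: btest-diff weird.log` (with a matching baseline) would. The phrase `may got corrupt` should read `may have been corrupted`.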
diff --git a/testing/btest/core/when-interpreter-exceptions.bro b/testing/btest/core/when-interpreter-exceptions.bro
new file mode 100644
index 0000000000..b1880c5139
--- /dev/null
+++ b/testing/btest/core/when-interpreter-exceptions.bro
@@ -0,0 +1,67 @@
+# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/rotation.trace %INPUT
+# @TEST-EXEC: btest-bg-wait -k 3
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff bro/.stderr
+# @TEST-EXEC: btest-diff bro/.stdout
+
+# interpreter exceptions in "when" blocks shouldn't cause termination
+
+global p: pkt_hdr;
+
+function f(do_exception: bool): bool
+ {
+ return when ( local addrs = lookup_hostname("localhost") )
+ {
+ print "localhost resolved from f()", do_exception;
+ if ( do_exception )
+ print p$ip;
+ return T;
+ }
+ return F;
+ }
+
+function g(do_exception: bool): bool
+ {
+ return when ( local addrs = lookup_hostname("localhost") )
+ {
+ print "shouldn't get here, g()", do_exception;
+ }
+ timeout 0 sec
+ {
+ print "timeout g()", do_exception;
+ if ( do_exception )
+ print p$ip;
+ return T;
+ }
+ return F;
+ }
+
+event bro_init()
+ {
+ when ( local addrs = lookup_hostname("localhost") )
+ {
+ print "localhost resolved";
+ print p$ip;
+ }
+
+ when ( local addrs2 = lookup_hostname("localhost") )
+ {
+ print "shouldn't get here";
+ }
+ timeout 0 sec
+ {
+ print "timeout";
+ print p$ip;
+ }
+
+ when ( local b = f(T) )
+ print "f() exception done (shouldn't be printed)", b;
+
+ when ( local b2 = g(T) )
+ print "g() exception done (shouldn't be printed)", b2;
+
+ when ( local b3 = f(F) )
+ print "f() done, no exception", b3;
+
+ when ( local b4 = g(F) )
+ print "g() done, no exception", b4;
+ }
diff --git a/testing/btest/istate/sync.bro b/testing/btest/istate/sync.bro
index e1364a9553..a297e8a50f 100644
--- a/testing/btest/istate/sync.bro
+++ b/testing/btest/istate/sync.bro
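Review bot: `global p: pkt_hdr;` is declared without an initializer and `print p$ip` is the statement that is meant to raise the interpreter exception in each path labelled as throwing, but nothing in the file says so, and a reader may take the uninitialized global for an oversight and "fix" it, silently turning the test into a no-op. Suggest a comment on the declaration: `# Intentionally left uninitialized: accessing p$ip raises an interpreter exception.` Whether the `shouldn't get here` branches stay unreached is only checkable against the .stdout baseline, which is not part of this hunk.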
@@ -1,7 +1,7 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run sender bro %INPUT ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro %INPUT ../receiver.bro +# @TEST-EXEC: btest-bg-run sender bro -b %INPUT ../sender.bro +# @TEST-EXEC: btest-bg-run receiver bro -b %INPUT ../receiver.bro # @TEST-EXEC: btest-bg-wait 20 # # @TEST-EXEC: btest-diff sender/vars.log @@ -27,6 +27,7 @@ global foo13 = { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persiste global foo14 = { [12345] = foo11, [12346] = foo11 } &persistent &synchronized; global foo15 = 42/udp &persistent &synchronized; global foo16: vector of count = [1,2,3] &persistent &synchronized; +global foo18: count &persistent &synchronized; # not initialized type type1: record { a: string; @@ -70,6 +71,7 @@ event bro_done() print out, foo15; print out, foo16; print out, foo17; + print out, foo18; } @@ -128,7 +130,8 @@ function modify() delete foo17$e; foo2 = 1234567; -} + foo18 = 122112; + } @load frameworks/communication/listen @@ -148,6 +151,8 @@ redef Communication::nodes += { @TEST-START-FILE receiver.bro +@load base/frameworks/communication + event bro_init() { capture_events("events.bst"); diff --git a/testing/btest/language/const.bro b/testing/btest/language/const.bro new file mode 100644 index 0000000000..ee938e8d45 --- /dev/null +++ b/testing/btest/language/const.bro 
@@ -0,0 +1,79 @@
+# @TEST-EXEC: bro -b valid.bro 2>valid.stderr 1>valid.stdout
+# @TEST-EXEC: btest-diff valid.stderr
+# @TEST-EXEC: btest-diff valid.stdout
+
+# @TEST-EXEC-FAIL: bro -b invalid.bro 2>invalid.stderr 1>invalid.stdout
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff invalid.stderr
+# @TEST-EXEC: btest-diff invalid.stdout
+
+@TEST-START-FILE valid.bro
+# First some simple code that should be valid and error-free.
+
+function f(c: count)
+ {
+ print "enter f", c;
+ c = c + 100;
+ print "exit f", c;
+ }
+
+const foo = 0 &redef;
+redef foo = 10;
+
+const bar = 9;
+
+event bro_init()
+ {
+ const baz = 7;
+ local i = foo;
+ i = i + bar + 2;
+ i = i + baz + 11;
+ ++i;
+ print i;
+ --i;
+ f(foo);
+ f(bar);
+ f(baz);
+ print "foo", foo;
+ print "bar", bar;
+ print "baz", baz;
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE invalid.bro
+# Now some const assignments that should generate errors at parse-time.
+
+const foo = 0 &redef;
+redef foo = 10;
+
+const bar = 9;
+
+event bro_init()
+ {
+ const baz = 7;
+ local s = 0;
+
+ print "nope";
+
+ foo = 100;
+ foo = bar;
+ foo = bar = baz;
+ foo = s;
+ ++foo;
+ s = foo = bar;
+
+ if ( foo = 0 )
+ print "nope";
+
+ bar = 1 + 1;
+ baz = s;
+ ++bar;
+ --baz;
+
+ print "foo", foo;
+ print "bar", bar;
+ print "baz", baz;
+ print "foo=foo", foo = foo;
+ }
+
+@TEST-END-FILE
diff --git a/testing/btest/language/invalid_index.bro b/testing/btest/language/invalid_index.bro
new file mode 100644
index 0000000000..96b7fa78c5
--- /dev/null
+++ b/testing/btest/language/invalid_index.bro
@@ -0,0 +1,15 @@
+# @TEST-EXEC: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+global foo: vector of count = { 42 };
+global foo2: table[count] of count = { [0] = 13 };
+
+print "foo[0]", foo[0];
+print "foo[1]", foo[1];
+print "foo[2]", foo[2];
+
+print "foo2[0]", foo2[0];
+print "foo2[1]", foo2[1];
+print "foo2[2]", foo2[2];
+
+print "done";
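Review bot: In valid.bro, `f()` reassigning its own parameter (`c = c + 100;`) is the case that pins function parameters as non-const, but the file's only comment says "simple code that should be valid", so that intent is invisible and a later cleanup could drop the assignment without noticing what it covers. Suggest `# Function parameters are not const: reassigning c here must stay legal.` above `function f(c: count)`. In invalid.bro, `if ( foo = 0 )` and `print "foo=foo", foo = foo;` deliberately use assignment inside an expression; a short comment saying these are assignments to a const, not comparisons, would stop someone "correcting" them to `==`. The const.bro file header precedes this hunk.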
diff --git a/testing/btest/language/record-bad-ctor.bro b/testing/btest/language/record-bad-ctor.bro new file mode 100644 index 0000000000..6b7ae4ff19 --- /dev/null +++ b/testing/btest/language/record-bad-ctor.bro @@ -0,0 +1,8 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +# At least shouldn't crash Bro, just report the invalid record ctor. + +global asdfasdf; +const blah = [$ports=asdfasdf]; +print blah; diff --git a/testing/btest/scripts/base/frameworks/input/basic.bro b/testing/btest/scripts/base/frameworks/input/basic.bro index dfac84d062..fbb320e03f 100644 --- a/testing/btest/scripts/base/frameworks/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/basic.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,7 +11,6 @@ T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen global outfile: file; diff --git a/testing/btest/scripts/base/frameworks/input/bignumber.bro b/testing/btest/scripts/base/frameworks/input/bignumber.bro index 5b93472551..098481a518 100644 --- a/testing/btest/scripts/base/frameworks/input/bignumber.bro +++ b/testing/btest/scripts/base/frameworks/input/bignumber.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out 
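Review bot: The removed header comment in input/basic.bro was the only text explaining why the test runs Bro in the background, and the new `--pseudo-realtime -r $TRACES/socks.trace` invocation is left unexplained, so the role of the trace — presumably only to keep Bro alive long enough for the input source to be fully read before `btest-bg-wait -k 5` fires — is no longer documented anywhere in the test. Suggest restoring a one-line comment above the @TEST-EXEC line, e.g. `# (reads a trace in pseudo-realtime just so the input source is reliably fully read before Bro exits).` Whether the trace's duration is long enough on a slow reader is not visible from the hunk. The same applies to the matching hunks in bignumber.bro, binary.bro, empty-values-hashing.bro, emptyvals.bro, event.bro and executeraw.bro.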
@@ -13,8 +10,6 @@ -9223372036854775800 18446744073709551612 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/binary.bro b/testing/btest/scripts/base/frameworks/input/binary.bro index 8d75abc5a9..7caa734d34 100644 --- a/testing/btest/scripts/base/frameworks/input/binary.bro +++ b/testing/btest/scripts/base/frameworks/input/binary.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -25,8 +22,6 @@ abc\xff\x7cdef|DATA2 #end|2012-07-20-01-49-19 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro index c8760b467e..78f3d3a72e 100644 --- a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro +++ b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: btest-bg-wait -k 5 @@ -23,9 +20,6 @@ 2 TEST TEST @TEST-END-FILE -@load frameworks/communication/listen - - module A; type Idx: record { diff --git a/testing/btest/scripts/base/frameworks/input/emptyvals.bro b/testing/btest/scripts/base/frameworks/input/emptyvals.bro index 94b0f1b620..e5e9bc22e3 100644 --- a/testing/btest/scripts/base/frameworks/input/emptyvals.bro 
+++ b/testing/btest/scripts/base/frameworks/input/emptyvals.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,8 +11,6 @@ T 1 - 2 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/event.bro b/testing/btest/scripts/base/frameworks/input/event.bro index ba47d5e3f2..7d553a53e3 100644 --- a/testing/btest/scripts/base/frameworks/input/event.bro +++ b/testing/btest/scripts/base/frameworks/input/event.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -19,8 +16,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/executeraw.bro b/testing/btest/scripts/base/frameworks/input/executeraw.bro index 626b9cdfd2..09cd920bee 100644 --- a/testing/btest/scripts/base/frameworks/input/executeraw.bro +++ b/testing/btest/scripts/base/frameworks/input/executeraw.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: cat out.tmp | sed 's/^ *//g' >out # @TEST-EXEC: btest-diff out 
@@ -17,8 +14,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; type Val: record { diff --git a/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro b/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro index 1deec605ae..3c467598ad 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidnumbers.bro @@ -1,11 +1,8 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out # @TEST-EXEC: sed 1d .stderr > .stderrwithoutfirstline -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderrwithoutfirstline +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff .stderrwithoutfirstline @TEST-START-FILE input.log #separator \x09 @@ -17,8 +14,6 @@ Justtext 1 9223372036854775800 -18446744073709551612 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/invalidtext.bro b/testing/btest/scripts/base/frameworks/input/invalidtext.bro new file mode 100644 index 0000000000..668716d045 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/invalidtext.bro 
@@ -0,0 +1,41 @@ +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: sed 1d .stderr > .stderrwithoutfirstline +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff .stderrwithoutfirstline + +@TEST-START-FILE input.log +#separator \x09 +#fields i c +#types int count + l + 5 +@TEST-END-FILE + +global outfile: file; + +module A; + +type Idx: record { + i: string; +}; + +type Val: record { + c: count; +}; + +global servers: table[string] of Val = table(); + +event bro_init() + { + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]); + Input::remove("ssh"); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, servers; + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/missing-file.bro b/testing/btest/scripts/base/frameworks/input/missing-file.bro index aa5acf619e..7048698221 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file.bro @@ -1,12 +1,7 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff bro/.stderr -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro index c08b1420fb..505aa2245d 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro 
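Review bot: The comment `# first read in the old stuff into the table...` inside bro_init in invalidtext.bro is copied from the other input tests and does not describe what this test checks, which from the input file (a non-numeric value in the `int` column) and the stderr baseline appears to be the ASCII reader's error reporting on malformed input. A header line such as `# Feed a non-numeric value into an int column; the ASCII reader must report it on stderr without crashing.` would say so. Also `source:string` in the `Input::end_of_data` signature is missing the space used in every other signature in these tests (`source: string`).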
+++ b/testing/btest/scripts/base/frameworks/input/onecolumn-norecord.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -13,8 +10,6 @@ T -42 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro b/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro index 9e420e75fe..e85267b4c3 100644 --- a/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro +++ b/testing/btest/scripts/base/frameworks/input/onecolumn-record.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -13,8 +10,6 @@ T -42 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/optional.bro b/testing/btest/scripts/base/frameworks/input/optional.bro index 2fe0e5c86f..670f0f48ba 100644 --- a/testing/btest/scripts/base/frameworks/input/optional.bro +++ b/testing/btest/scripts/base/frameworks/input/optional.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out 
@@ -19,8 +16,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/port.bro b/testing/btest/scripts/base/frameworks/input/port.bro index 081c59559b..2225132395 100644 --- a/testing/btest/scripts/base/frameworks/input/port.bro +++ b/testing/btest/scripts/base/frameworks/input/port.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -12,8 +9,6 @@ 1.2.3.6 30 unknown @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro b/testing/btest/scripts/base/frameworks/input/predicate-stream.bro index 8cf927e346..b931bbc41e 100644 --- a/testing/btest/scripts/base/frameworks/input/predicate-stream.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate-stream.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out # @@ -23,8 +20,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/predicate.bro b/testing/btest/scripts/base/frameworks/input/predicate.bro index 8fb33242e8..9f2c4362de 100644 --- a/testing/btest/scripts/base/frameworks/input/predicate.bro +++ b/testing/btest/scripts/base/frameworks/input/predicate.bro 
@@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -19,8 +16,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro b/testing/btest/scripts/base/frameworks/input/predicatemodify.bro index 17467bbc27..4129a47873 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodify.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodify.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,8 +11,6 @@ 2 T test2 idx2 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro index 5a9e993651..17e7fa4bf2 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: sleep 2 
@@ -58,8 +55,6 @@ 1 T test1 idx1 @TEST-END-FILE -@load frameworks/communication/listen - redef InputAscii::empty_field = "EMPTY"; module A; diff --git a/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro b/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro index ba0b468cdc..0df8b14dd6 100644 --- a/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro +++ b/testing/btest/scripts/base/frameworks/input/predicaterefusesecondsamerecord.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -17,8 +14,6 @@ need-to-know 8c864306-d21a-37b1-8705-746a786719bf medium 95 1342569600 1.228.83. need-to-know 8c864306-d21a-37b1-8705-746a786719bf medium 65 1342656000 1.228.83.33 - - 9318 HANARO-AS Hanaro Telecom Inc. 1.224.0.0/13 apnic KR spam infrastructure spamming;malware domain public http://reputation.alienvault.com/reputation.generic @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/raw.bro b/testing/btest/scripts/base/frameworks/input/raw.bro index d15aec22bb..7201e9ad3a 100644 --- a/testing/btest/scripts/base/frameworks/input/raw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out 
@@ -16,8 +13,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/repeat.bro b/testing/btest/scripts/base/frameworks/input/repeat.bro index a966ac064e..f29061fa8b 100644 --- a/testing/btest/scripts/base/frameworks/input/repeat.bro +++ b/testing/btest/scripts/base/frameworks/input/repeat.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @@ -13,8 +10,6 @@ 1 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.bro index 11aa873f9d..bfb7b6fd84 100644 --- a/testing/btest/scripts/base/frameworks/input/reread.bro +++ b/testing/btest/scripts/base/frameworks/input/reread.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 2 # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: sleep 2 @@ -59,7 +56,6 @@ F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/rereadraw.bro b/testing/btest/scripts/base/frameworks/input/rereadraw.bro index 2fdcdc8f9e..d1db2bb049 100644 
--- a/testing/btest/scripts/base/frameworks/input/rereadraw.bro +++ b/testing/btest/scripts/base/frameworks/input/rereadraw.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -16,8 +13,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/set.bro b/testing/btest/scripts/base/frameworks/input/set.bro index b2b5cea323..a460f6788a 100644 --- a/testing/btest/scripts/base/frameworks/input/set.bro +++ b/testing/btest/scripts/base/frameworks/input/set.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @@ -16,8 +13,6 @@ 192.168.17.42 @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/setseparator.bro b/testing/btest/scripts/base/frameworks/input/setseparator.bro index b7148d80bd..156f566d28 100644 --- a/testing/btest/scripts/base/frameworks/input/setseparator.bro +++ b/testing/btest/scripts/base/frameworks/input/setseparator.bro 
@@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @@ -13,8 +10,6 @@ redef InputAscii::set_separator = "|"; -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/setspecialcases.bro b/testing/btest/scripts/base/frameworks/input/setspecialcases.bro index 022eac9731..86e53feb0a 100644 --- a/testing/btest/scripts/base/frameworks/input/setspecialcases.bro +++ b/testing/btest/scripts/base/frameworks/input/setspecialcases.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @@ -16,9 +13,6 @@ 6 @TEST-END-FILE - -@load frameworks/communication/listen - global outfile: file; module A; diff --git a/testing/btest/scripts/base/frameworks/input/stream.bro b/testing/btest/scripts/base/frameworks/input/stream.bro index 1ecd8a2eb0..684f4ea395 100644 --- a/testing/btest/scripts/base/frameworks/input/stream.bro +++ b/testing/btest/scripts/base/frameworks/input/stream.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 3 # @TEST-EXEC: cat input2.log >> input.log # @TEST-EXEC: sleep 3 
@@ -25,7 +22,6 @@ F -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/streamraw.bro b/testing/btest/scripts/base/frameworks/input/streamraw.bro index 3bc06f7dea..d8e43d6386 100644 --- a/testing/btest/scripts/base/frameworks/input/streamraw.bro +++ b/testing/btest/scripts/base/frameworks/input/streamraw.bro @@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 3 # @TEST-EXEC: cat input2.log >> input.log # @TEST-EXEC: sleep 3 @@ -27,8 +24,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load frameworks/communication/listen - module A; type Val: record { diff --git a/testing/btest/scripts/base/frameworks/input/subrecord-event.bro b/testing/btest/scripts/base/frameworks/input/subrecord-event.bro index 4e7dc1690a..92ee6dd500 100644 --- a/testing/btest/scripts/base/frameworks/input/subrecord-event.bro +++ b/testing/btest/scripts/base/frameworks/input/subrecord-event.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,7 +11,6 @@ T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen global outfile: file; global try: count; 
diff --git a/testing/btest/scripts/base/frameworks/input/subrecord.bro b/testing/btest/scripts/base/frameworks/input/subrecord.bro index 512b8ec58f..11f247f764 100644 --- a/testing/btest/scripts/base/frameworks/input/subrecord.bro +++ b/testing/btest/scripts/base/frameworks/input/subrecord.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,7 +11,6 @@ T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen global outfile: file; diff --git a/testing/btest/scripts/base/frameworks/input/tableevent.bro b/testing/btest/scripts/base/frameworks/input/tableevent.bro index 723e519237..db39fdf72b 100644 --- a/testing/btest/scripts/base/frameworks/input/tableevent.bro +++ b/testing/btest/scripts/base/frameworks/input/tableevent.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -19,8 +16,6 @@ 7 T @TEST-END-FILE -@load frameworks/communication/listen - global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/twotables.bro b/testing/btest/scripts/base/frameworks/input/twotables.bro index 83ae86cd46..5540019971 100644 --- a/testing/btest/scripts/base/frameworks/input/twotables.bro +++ b/testing/btest/scripts/base/frameworks/input/twotables.bro 
@@ -1,8 +1,5 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# # @TEST-EXEC: cp input1.log input.log -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: sleep 5 # @TEST-EXEC: cp input3.log input.log # @TEST-EXEC: btest-bg-wait -k 10 @@ -34,7 +31,6 @@ F -44 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/unsupported_types.bro b/testing/btest/scripts/base/frameworks/input/unsupported_types.bro index e1350f61a9..0651e0693e 100644 --- a/testing/btest/scripts/base/frameworks/input/unsupported_types.bro +++ b/testing/btest/scripts/base/frameworks/input/unsupported_types.bro @@ -1,7 +1,4 @@ -# (uses listen.bro just to ensure input sources are more reliably fully-read). -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b --pseudo-realtime -r $TRACES/socks.trace %INPUT # @TEST-EXEC: btest-bg-wait -k 5 # @TEST-EXEC: btest-diff out @@ -14,7 +11,6 @@ whatever T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.00 @TEST-END-FILE @load base/protocols/ssh -@load frameworks/communication/listen global outfile: file; diff --git a/testing/btest/scripts/base/protocols/http/http-methods.bro b/testing/btest/scripts/base/protocols/http/http-methods.bro new file mode 100644 index 0000000000..59045c1cc5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/http-methods.bro 
@@ -0,0 +1,9 @@
+# This tests that the HTTP analyzer handles strange HTTP methods properly.
+#
+# @TEST-EXEC: bro -r $TRACES/http-methods.trace %INPUT
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: btest-diff http.log
+
+# The base analysis scripts are loaded by default.
+#@load base/protocols/http
+