Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 15:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/master' into topic/vladg/kerberos

Browse source
This commit is contained in:
Vlad Grigorescu 2015-02-05 14:22:29 -05:00
commit 7e1fcb1a10
123 changed files with 7470 additions and 1344 deletions
Download patch file Download diff file Expand all files Collapse all files

81
CHANGES
View file

@ -1,4 +1,85 @@
2.3-411 | 2015-02-05 10:05:48 -0600
* Fix file analysis of files with total size below the bof_buffer size
never delivering content to stream analyzers. (Seth Hall)
* Add/fix log fields in x509 diff canonifier. (Jon Siwek)
* "id" not defined for debug code when using -DPROFILE_BRO_FUNCTIONS
(Mike Smiley)
2.3-406 | 2015-02-03 17:02:45 -0600
* Add x509 canonifier to a unit test. (Jon Siwek)
2.3-405 | 2015-02-02 11:14:24 -0600
* Fix memory leak in new split_string* functions. (Jon Siwek)
2.3-404 | 2015-01-30 14:23:27 -0800
* Update documentation (broken links, outdated tests). (Jon Siwek)
* Deprecate split* family of BIFs. (Jon Siwek)
These functions are now deprecated in favor of alternative versions that
return a vector of strings rather than a table of strings.
Deprecated functions:
- split: use split_string instead.
- split1: use split_string1 instead.
- split_all: use split_string_all instead.
- split_n: use split_string_n instead.
- cat_string_array: see join_string_vec instead.
- cat_string_array_n: see join_string_vec instead.
- join_string_array: see join_string_vec instead.
- sort_string_array: use sort instead instead.
- find_ip_addresses: use extract_ip_addresses instead.
Changed functions:
- has_valid_octets: uses a string_vec parameter instead of string_array.
Addresses BIT-924.
* Add a new attribute: &deprecated. While scripts are parsed, a
warning is raised for each usage of an identifier marked as
&deprecated. This also works for BIFs. Addresses BIT-924,
BIT-757. (Jon Siwek)
2.3-397 | 2015-01-27 10:13:10 -0600
* Handle guess_lexer exceptions in pygments reST directive (Jon Siwek)
2.3-396 | 2015-01-23 10:49:15 -0600
* DNP3: fix reachable assertion and buffer over-read/overflow.
CVE number pending. (Travis Emmert, Jon Siwek)
* Update binpac: Fix potential out-of-bounds memory reads in generated
code. CVE-2014-9586. (John Villamil and Chris Rohlf - Yahoo
Paranoids, Jon Siwek)
* Fixing (harmless) Coverity warning. (Robin Sommer)
2.3-392 | 2015-01-15 09:44:15 -0800
* Small changes to EC curve names in a newer draft. (Johanna Amann)
2.3-390 | 2015-01-14 13:27:34 -0800
* Updating MySQL analyses. (Vlad Grigorescu)
- Use a boolean success instead of a result string.
- Change the affected_rows response detail string to a "rows" count.
- Fix the state tracking to log incomplete command.
* Extend DNP3 to support communication over UDP. (Hui Lin)
* Fix a bug in DNP3 determining the length of an object in some
cases. (Hui Lin)
2.3-376 | 2015-01-12 09:38:10 -0600
* Improve documentation for connection_established event. (Jon Siwek)

32
NEWS
View file

@ -53,6 +53,38 @@ Changed Functionality
record gives the how many bytes have been written so far (i.e.
the "offset").
- has_valid_octets: now uses a string_vec parameter instead of
string_array.
Deprecated Functionality
------------------------
- The split* family of functions are to be replaced with alternate
versions that return a vector of strings rather than a table of
strings. This also allows deprecation for some related string
concatenation/extraction functions. Note that the new functions use
0-based indexing, rather than 1-based.
The full list of now deprecation functions is:
* split: use split_string instead.
* split1: use split_string1 instead.
* split_all: use split_string_all instead.
* split_n: use split_string_n instead.
* cat_string_array: see join_string_vec instead.
* cat_string_array_n: see join_string_vec instead.
* join_string_array: see join_string_vec instead.
* sort_string_array: use sort instead.
* find_ip_addresses: use extract_ip_addresses instead.
Bro 2.3
=======

2
VERSION
View file

@ -1 +1 @@
2.3-376
2.3-411

2
aux/btest

@ -1 +1 @@
Subproject commit d67d89aaee32ad5edb9068db55d1310c2f36970a
Subproject commit 93d4989ed1537e4d143cf09d44077159f869a4b2

5
doc/ext/rst_directive.py
View file

@ -135,7 +135,10 @@ class Pygments(Directive):
# lexer not found, use default.
lexer = TextLexer()
else:
lexer = guess_lexer(content)
try:
lexer = guess_lexer(content)
except:
lexer = TextLexer()
# import sys
# print >>sys.stderr, self.arguments, lexer.__class__

8
doc/script-reference/attributes.rst
View file

@ -49,6 +49,8 @@ The Bro scripting language supports the following attributes.
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&type_column` |Used by input framework for "port" type. |
+-----------------------------+-----------------------------------------------+
| :bro:attr:`&deprecated` |Marks an identifier as deprecated. |
+-----------------------------+-----------------------------------------------+
Here is a more detailed explanation of each attribute:
@ -230,3 +232,9 @@ Here is a more detailed explanation of each attribute:
msg: string;
};
.. bro:attr:: &deprecated
The associated identifier is marked as deprecated and will be
removed in a future version of Bro. Look in the NEWS file for more
explanation and/or instructions to migrate code that uses deprecated
functionality.

22
scripts/base/files/unified2/main.bro
View file

@ -152,26 +152,26 @@ redef record fa_file += {
event Unified2::read_sid_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string)
{
local parts = split_n(line, / \|\| /, F, 100);
if ( |parts| >= 2 && /^[0-9]+$/ in parts[1] )
sid_map[to_count(parts[1])] = parts[2];
local parts = split_string_n(line, / \|\| /, F, 100);
if ( |parts| >= 2 && /^[0-9]+$/ in parts[0] )
sid_map[to_count(parts[0])] = parts[1];
}
event Unified2::read_gen_msg_line(desc: Input::EventDescription, tpe: Input::Event, line: string)
{
local parts = split_n(line, / \|\| /, F, 3);
if ( |parts| >= 2 && /^[0-9]+$/ in parts[1] )
gen_map[to_count(parts[1])] = parts[3];
local parts = split_string_n(line, / \|\| /, F, 3);
if ( |parts| >= 2 && /^[0-9]+$/ in parts[0] )
gen_map[to_count(parts[0])] = parts[2];
}
event Unified2::read_classification_line(desc: Input::EventDescription, tpe: Input::Event, line: string)
{
local parts = split_n(line, /: /, F, 2);
local parts = split_string_n(line, /: /, F, 2);
if ( |parts| == 2 )
{
local parts2 = split_n(parts[2], /,/, F, 4);
local parts2 = split_string_n(parts[1], /,/, F, 4);
if ( |parts2| > 1 )
classification_map[|classification_map|+1] = parts2[1];
classification_map[|classification_map|+1] = parts2[0];
}
}
@ -249,9 +249,9 @@ event bro_init() &priority=5
event file_new(f: fa_file)
{
local file_dir = "";
local parts = split_all(f$source, /\/[^\/]*$/);
local parts = split_string_all(f$source, /\/[^\/]*$/);
if ( |parts| == 3 )
file_dir = parts[1];
file_dir = parts[0];
if ( (watch_file != "" && f$source == watch_file) ||
(watch_dir != "" && compress_path(watch_dir) == file_dir) )

24
scripts/base/frameworks/logging/main.bro
View file

@ -405,30 +405,30 @@ function default_path_func(id: ID, path: string, rec: any) : string
local id_str = fmt("%s", id);
local parts = split1(id_str, /::/);
local parts = split_string1(id_str, /::/);
if ( |parts| == 2 )
{
# Example: Notice::LOG -> "notice"
if ( parts[2] == "LOG" )
if ( parts[1] == "LOG" )
{
local module_parts = split_n(parts[1], /[^A-Z][A-Z][a-z]*/, T, 4);
local module_parts = split_string_n(parts[0], /[^A-Z][A-Z][a-z]*/, T, 4);
local output = "";
if ( 1 in module_parts )
output = module_parts[1];
if ( 0 in module_parts )
output = module_parts[0];
if ( 1 in module_parts && module_parts[1] != "" )
output = cat(output, sub_bytes(module_parts[1],1,1), "_", sub_bytes(module_parts[1], 2, |module_parts[1]|));
if ( 2 in module_parts && module_parts[2] != "" )
output = cat(output, sub_bytes(module_parts[2],1,1), "_", sub_bytes(module_parts[2], 2, |module_parts[2]|));
output = cat(output, "_", module_parts[2]);
if ( 3 in module_parts && module_parts[3] != "" )
output = cat(output, "_", module_parts[3]);
if ( 4 in module_parts && module_parts[4] != "" )
output = cat(output, sub_bytes(module_parts[4],1,1), "_", sub_bytes(module_parts[4], 2, |module_parts[4]|));
output = cat(output, sub_bytes(module_parts[3],1,1), "_", sub_bytes(module_parts[3], 2, |module_parts[3]|));
return to_lower(output);
}
# Example: Notice::POLICY_LOG -> "notice_policy"
if ( /_LOG$/ in parts[2] )
parts[2] = sub(parts[2], /_LOG$/, "");
if ( /_LOG$/ in parts[1] )
parts[1] = sub(parts[1], /_LOG$/, "");
return cat(to_lower(parts[1]),"_",to_lower(parts[2]));
return cat(to_lower(parts[0]),"_",to_lower(parts[1]));
}
else
return to_lower(id_str);

122
scripts/base/frameworks/software/main.bro
View file

@ -133,62 +133,62 @@ function parse(unparsed_version: string): Description
{
# The regular expression should match the complete version number
# and software name.
local version_parts = split_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1);
if ( 1 in version_parts )
local version_parts = split_string_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1);
if ( 0 in version_parts )
{
if ( /^\(/ in version_parts[1] )
software_name = strip(sub(version_parts[1], /[\(]/, ""));
if ( /^\(/ in version_parts[0] )
software_name = strip(sub(version_parts[0], /[\(]/, ""));
else
software_name = strip(version_parts[1]);
software_name = strip(version_parts[0]);
}
if ( |version_parts| >= 2 )
{
# Remove the name/version separator if it's left at the beginning
# of the version number from the previous split_all.
local sv = strip(version_parts[2]);
local sv = strip(version_parts[1]);
if ( /^[\/\-\._v\(]/ in sv )
sv = strip(sub(version_parts[2], /^\(?[\/\-\._v\(]/, ""));
local version_numbers = split_n(sv, /[\-\._,\[\(\{ ]/, F, 3);
if ( 5 in version_numbers && version_numbers[5] != "" )
v$addl = strip(version_numbers[5]);
else if ( 3 in version_parts && version_parts[3] != "" &&
version_parts[3] != ")" )
sv = strip(sub(version_parts[1], /^\(?[\/\-\._v\(]/, ""));
local version_numbers = split_string_n(sv, /[\-\._,\[\(\{ ]/, F, 3);
if ( 4 in version_numbers && version_numbers[4] != "" )
v$addl = strip(version_numbers[4]);
else if ( 2 in version_parts && version_parts[2] != "" &&
version_parts[2] != ")" )
{
if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[3] )
if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[2] )
{
v$addl = split_n(version_parts[3], /[\(\)]/, F, 2)[2];
v$addl = split_string_n(version_parts[2], /[\(\)]/, F, 2)[1];
}
else
{
local vp = split_n(version_parts[3], /[\-\._,;\[\]\(\)\{\} ]/, F, 3);
if ( |vp| >= 1 && vp[1] != "" )
local vp = split_string_n(version_parts[2], /[\-\._,;\[\]\(\)\{\} ]/, F, 3);
if ( |vp| >= 1 && vp[0] != "" )
{
v$addl = strip(vp[0]);
}
else if ( |vp| >= 2 && vp[1] != "" )
{
v$addl = strip(vp[1]);
}
else if ( |vp| >= 2 && vp[2] != "" )
else if ( |vp| >= 3 && vp[2] != "" )
{
v$addl = strip(vp[2]);
}
else if ( |vp| >= 3 && vp[3] != "" )
{
v$addl = strip(vp[3]);
}
else
{
v$addl = strip(version_parts[3]);
v$addl = strip(version_parts[2]);
}
}
}
if ( 4 in version_numbers && version_numbers[4] != "" )
v$minor3 = extract_count(version_numbers[4]);
if ( 3 in version_numbers && version_numbers[3] != "" )
v$minor2 = extract_count(version_numbers[3]);
v$minor3 = extract_count(version_numbers[3]);
if ( 2 in version_numbers && version_numbers[2] != "" )
v$minor = extract_count(version_numbers[2]);
v$minor2 = extract_count(version_numbers[2]);
if ( 1 in version_numbers && version_numbers[1] != "" )
v$major = extract_count(version_numbers[1]);
v$minor = extract_count(version_numbers[1]);
if ( 0 in version_numbers && version_numbers[0] != "" )
v$major = extract_count(version_numbers[0]);
}
}
@ -200,14 +200,14 @@ function parse_mozilla(unparsed_version: string): Description
{
local software_name = "<unknown browser>";
local v: Version;
local parts: table[count] of string;
local parts: string_vec;
if ( /Opera [0-9\.]*$/ in unparsed_version )
{
software_name = "Opera";
parts = split_all(unparsed_version, /Opera [0-9\.]*$/);
if ( 2 in parts )
v = parse(parts[2])$version;
parts = split_string_all(unparsed_version, /Opera [0-9\.]*$/);
if ( 1 in parts )
v = parse(parts[1])$version;
}
else if ( / MSIE |Trident\// in unparsed_version )
{
@ -222,28 +222,28 @@ function parse_mozilla(unparsed_version: string): Description
v = [$major=11,$minor=0];
else
{
parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/);
if ( 2 in parts )
v = parse(parts[2])$version;
parts = split_string_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/);
if ( 1 in parts )
v = parse(parts[1])$version;
}
}
else if ( /Version\/.*Safari\// in unparsed_version )
{
software_name = "Safari";
parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
if ( 2 in parts )
parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/);
if ( 1 in parts )
{
v = parse(parts[2])$version;
v = parse(parts[1])$version;
if ( / Mobile\/?.* Safari/ in unparsed_version )
v$addl = "Mobile";
}
}
else if ( /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/ in unparsed_version )
{
parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/);
if ( 2 in parts )
parts = split_string_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/);
if ( 1 in parts )
{
local tmp_s = parse(parts[2]);
local tmp_s = parse(parts[1]);
software_name = tmp_s$name;
v = tmp_s$version;
}
@ -251,48 +251,48 @@ function parse_mozilla(unparsed_version: string): Description
else if ( /Chrome\/.*Safari\// in unparsed_version )
{
software_name = "Chrome";
parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/);
if ( 2 in parts )
v = parse(parts[2])$version;
parts = split_string_all(unparsed_version, /Chrome\/[0-9\.]*/);
if ( 1 in parts )
v = parse(parts[1])$version;
}
else if ( /^Opera\// in unparsed_version )
{
if ( /Opera M(ini|obi)\// in unparsed_version )
{
parts = split_all(unparsed_version, /Opera M(ini|obi)/);
if ( 2 in parts )
software_name = parts[2];
parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
if ( 2 in parts )
v = parse(parts[2])$version;
parts = split_string_all(unparsed_version, /Opera M(ini|obi)/);
if ( 1 in parts )
software_name = parts[1];
parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/);
if ( 1 in parts )
v = parse(parts[1])$version;
else
{
parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/);
if ( 2 in parts )
v = parse(parts[2])$version;
parts = split_string_all(unparsed_version, /Opera Mini\/[0-9\.]*/);
if ( 1 in parts )
v = parse(parts[1])$version;
}
}
else
{
software_name = "Opera";
parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
if ( 2 in parts )
v = parse(parts[2])$version;
parts = split_string_all(unparsed_version, /Version\/[0-9\.]*/);
if ( 1 in parts )
v = parse(parts[1])$version;
}
}
else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version )
{
software_name = "Unspecified WebKit";
parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/);
if ( 2 in parts )
v = parse(parts[2])$version;
parts = split_string_all(unparsed_version, /AppleWebKit\/[0-9\.]*/);
if ( 1 in parts )
v = parse(parts[1])$version;
}
else if ( / Java\/[0-9]\./ in unparsed_version )
{
software_name = "Java";
parts = split_all(unparsed_version, /Java\/[0-9\._]*/);
if ( 2 in parts )
v = parse(parts[2])$version;
parts = split_string_all(unparsed_version, /Java\/[0-9\._]*/);
if ( 1 in parts )
v = parse(parts[1])$version;
}
return [$version=v, $unparsed_version=unparsed_version, $name=software_name];

4
scripts/base/protocols/dhcp/utils.bro
View file

@ -13,7 +13,7 @@ export {
function reverse_ip(ip: addr): addr
{
local octets = split(cat(ip), /\./);
return to_addr(cat(octets[4], ".", octets[3], ".", octets[2], ".", octets[1]));
local octets = split_string(cat(ip), /\./);
return to_addr(cat(octets[3], ".", octets[2], ".", octets[1], ".", octets[0]));
}

8
scripts/base/protocols/dnp3/dpd.sig
View file

@ -5,5 +5,11 @@ signature dpd_dnp3_server {
ip-proto == tcp
payload /\x05\x64/
tcp-state responder
enable "dnp3"
enable "dnp3_tcp"
}
signature dpd_dnp3_server_udp {
ip-proto == udp
payload /\x05\x64/
enable "dnp3_udp"
}

8
scripts/base/protocols/dnp3/main.bro
View file

@ -31,16 +31,16 @@ redef record connection += {
dnp3: Info &optional;
};
const ports = { 20000/tcp };
const ports = { 20000/tcp , 20000/udp };
redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3]);
Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3, ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports);
}
event dnp3_application_request_header(c: connection, is_orig: bool, fc: count)
event dnp3_application_request_header(c: connection, is_orig: bool, application_control: count, fc: count)
{
if ( ! c?$dnp3 )
c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
@ -49,7 +49,7 @@ event dnp3_application_request_header(c: connection, is_orig: bool, fc: count)
c$dnp3$fc_request = function_codes[fc];
}
event dnp3_application_response_header(c: connection, is_orig: bool, fc: count, iin: count)
event dnp3_application_response_header(c: connection, is_orig: bool, application_control: count, fc: count, iin: count)
{
if ( ! c?$dnp3 )
c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];

2
scripts/base/protocols/ftp/main.bro
View file

@ -274,7 +274,7 @@ event file_transferred(c: connection, prefix: string, descr: string,
if ( [id$resp_h, id$resp_p] in ftp_data_expected )
{
local s = ftp_data_expected[id$resp_h, id$resp_p];
s$mime_type = split1(mime_type, /;/)[1];
s$mime_type = split_string1(mime_type, /;/)[0];
}
}

8
scripts/base/protocols/http/main.bro
View file

@ -242,7 +242,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
else if ( name == "HOST" )
# The split is done to remove the occasional port value that shows up here.
c$http$host = split1(value, /:/)[1];
c$http$host = split_string1(value, /:/)[0];
else if ( name == "RANGE" )
c$http$range_request = T;
@ -262,12 +262,12 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
if ( /^[bB][aA][sS][iI][cC] / in value )
{
local userpass = decode_base64(sub(value, /[bB][aA][sS][iI][cC][[:blank:]]/, ""));
local up = split(userpass, /:/);
local up = split_string(userpass, /:/);
if ( |up| >= 2 )
{
c$http$username = up[1];
c$http$username = up[0];
if ( c$http$capture_password )
c$http$password = up[2];
c$http$password = up[1];
}
else
{

8
scripts/base/protocols/http/utils.bro
View file

@ -42,12 +42,12 @@ function extract_keys(data: string, kv_splitter: pattern): string_vec
{
local key_vec: vector of string = vector();
local parts = split(data, kv_splitter);
local parts = split_string(data, kv_splitter);
for ( part_index in parts )
{
local key_val = split1(parts[part_index], /=/);
if ( 1 in key_val )
key_vec[|key_vec|] = key_val[1];
local key_val = split_string1(parts[part_index], /=/);
if ( 0 in key_val )
key_vec[|key_vec|] = key_val[0];
}
return key_vec;
}

42
scripts/base/protocols/mysql/main.bro
View file

@ -18,8 +18,10 @@ export {
cmd: string &log;
## The argument issued to the command
arg: string &log;
## The result (error, OK, etc.) from the server
result: string &log &optional;
## Did the server tell us that the command succeeded?
success: bool &log &optional;
## The number of affected rows, if any
rows: count &log &optional;
## Server message, if any
response: string &log &optional;
};
@ -57,16 +59,21 @@ event mysql_handshake(c: connection, username: string)
event mysql_command_request(c: connection, command: count, arg: string) &priority=5
{
if ( ! c?$mysql )
if ( c?$mysql )
{
local info: Info;
info$ts = network_time();
info$uid = c$uid;
info$id = c$id;
info$cmd = commands[command];
info$arg = sub(arg, /\0$/, "");
c$mysql = info;
# We got a request, but we haven't logged our
# previous request yet, so let's do that now.
Log::write(mysql::LOG, c$mysql);
delete c$mysql;
}
local info: Info;
info$ts = network_time();
info$uid = c$uid;
info$id = c$id;
info$cmd = commands[command];
info$arg = sub(arg, /\0$/, "");
c$mysql = info;
}
event mysql_command_request(c: connection, command: count, arg: string) &priority=-5
@ -83,7 +90,7 @@ event mysql_error(c: connection, code: count, msg: string) &priority=5
{
if ( c?$mysql )
{
c$mysql$result = "error";
c$mysql$success = F;
c$mysql$response = msg;
}
}
@ -101,8 +108,8 @@ event mysql_ok(c: connection, affected_rows: count) &priority=5
{
if ( c?$mysql )
{
c$mysql$result = "ok";
c$mysql$response = fmt("Affected rows: %d", affected_rows);
c$mysql$success = T;
c$mysql$rows = affected_rows;
}
}
@ -114,3 +121,12 @@ event mysql_ok(c: connection, affected_rows: count) &priority=-5
delete c$mysql;
}
}
event connection_state_remove(c: connection) &priority=-5
{
if ( c?$mysql )
{
Log::write(mysql::LOG, c$mysql);
delete c$mysql;
}
}

12
scripts/base/protocols/smtp/main.bro
View file

@ -98,7 +98,7 @@ event bro_init() &priority=5
function find_address_in_smtp_header(header: string): string
{
local ips = find_ip_addresses(header);
local ips = extract_ip_addresses(header);
# If there are more than one IP address found, return the second.
if ( |ips| > 1 )
return ips[1];
@ -163,7 +163,7 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &
{
if ( ! c$smtp?$rcptto )
c$smtp$rcptto = set();
add c$smtp$rcptto[split1(arg, /:[[:blank:]]*/)[2]];
add c$smtp$rcptto[split_string1(arg, /:[[:blank:]]*/)[1]];
c$smtp$has_client_activity = T;
}
@ -172,8 +172,8 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &
# Flush last message in case we didn't see the server's acknowledgement.
smtp_message(c);
local partially_done = split1(arg, /:[[:blank:]]*/)[2];
c$smtp$mailfrom = split1(partially_done, /[[:blank:]]?/)[1];
local partially_done = split_string1(arg, /:[[:blank:]]*/)[1];
c$smtp$mailfrom = split_string1(partially_done, /[[:blank:]]?/)[0];
c$smtp$has_client_activity = T;
}
}
@ -234,14 +234,14 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
if ( ! c$smtp?$to )
c$smtp$to = set();
local to_parts = split(h$value, /[[:blank:]]*,[[:blank:]]*/);
local to_parts = split_string(h$value, /[[:blank:]]*,[[:blank:]]*/);
for ( i in to_parts )
add c$smtp$to[to_parts[i]];
}
else if ( h$name == "X-ORIGINATING-IP" )
{
local addresses = find_ip_addresses(h$value);
local addresses = extract_ip_addresses(h$value);
if ( 1 in addresses )
c$smtp$x_originating_ip = to_addr(addresses[1]);
}

7
scripts/base/protocols/ssl/consts.bro
View file

@ -158,12 +158,11 @@ export {
[26] = "brainpoolP256r1",
[27] = "brainpoolP384r1",
[28] = "brainpoolP512r1",
# draft-ietf-tls-negotiated-ff-dhe-02
[256] = "ffdhe2432",
# draft-ietf-tls-negotiated-ff-dhe-05
[256] = "ffdhe2048",
[257] = "ffdhe3072",
[258] = "ffdhe4096",
[259] = "ffdhe6144",
[260] = "ffdhe8192",
[259] = "ffdhe8192",
[0xFF01] = "arbitrary_explicit_prime_curves",
[0xFF02] = "arbitrary_explicit_char2_curves"
} &default=function(i: count):string { return fmt("unknown-%d", i); };

10
scripts/base/utils/active-http.bro
View file

@ -105,21 +105,21 @@ function request(req: Request): ActiveHTTP::Response
# The reply is the first line.
if ( i == 0 )
{
local response_line = split_n(headers[0], /[[:blank:]]+/, F, 2);
local response_line = split_string_n(headers[0], /[[:blank:]]+/, F, 2);
if ( |response_line| != 3 )
return resp;
resp$code = to_count(response_line[2]);
resp$msg = response_line[3];
resp$code = to_count(response_line[1]);
resp$msg = response_line[2];
resp$body = join_string_vec(result$files[bodyfile], "");
}
else
{
local line = headers[i];
local h = split1(line, /:/);
local h = split_string1(line, /:/);
if ( |h| != 2 )
next;
resp$headers[h[1]] = sub_bytes(h[2], 0, |h[2]|-1);
resp$headers[h[0]] = sub_bytes(h[1], 0, |h[1]|-1);
}
}
return resp;

36
scripts/base/utils/addrs.bro
View file

@ -32,7 +32,7 @@ const ip_addr_regex =
## octets: an array of strings to check for valid octet values.
##
## Returns: T if every element is between 0 and 255, inclusive, else F.
function has_valid_octets(octets: string_array): bool
function has_valid_octets(octets: string_vec): bool
{
local num = 0;
for ( i in octets )
@ -51,10 +51,10 @@ function has_valid_octets(octets: string_array): bool
## Returns: T if the string is a valid IPv4 or IPv6 address format.
function is_valid_ip(ip_str: string): bool
{
local octets: string_array;
local octets: string_vec;
if ( ip_str == ipv4_addr_regex )
{
octets = split(ip_str, /\./);
octets = split_string(ip_str, /\./);
if ( |octets| != 4 )
return F;
@ -67,13 +67,13 @@ function is_valid_ip(ip_str: string): bool
{
# the regexes for hybrid IPv6-IPv4 address formats don't for valid
# octets within the IPv4 part, so do that now
octets = split(ip_str, /\./);
octets = split_string(ip_str, /\./);
if ( |octets| != 4 )
return F;
# get rid of remaining IPv6 stuff in first octet
local tmp = split(octets[1], /:/);
octets[1] = tmp[|tmp|];
local tmp = split_string(octets[0], /:/);
octets[0] = tmp[|tmp| - 1];
return has_valid_octets(octets);
}
@ -92,14 +92,32 @@ function is_valid_ip(ip_str: string): bool
## input: a string that may contain an IP address anywhere within it.
##
## Returns: an array containing all valid IP address strings found in *input*.
function find_ip_addresses(input: string): string_array
function find_ip_addresses(input: string): string_array &deprecated
{
local parts = split_all(input, ip_addr_regex);
local parts = split_string_all(input, ip_addr_regex);
local output: string_array;
for ( i in parts )
{
if ( i % 2 == 0 && is_valid_ip(parts[i]) )
if ( i % 2 == 1 && is_valid_ip(parts[i]) )
output[|output|] = parts[i];
}
return output;
}
## Extracts all IP (v4 or v6) address strings from a given string.
##
## input: a string that may contain an IP address anywhere within it.
##
## Returns: an array containing all valid IP address strings found in *input*.
function extract_ip_addresses(input: string): string_vec
{
local parts = split_string_all(input, ip_addr_regex);
local output: string_vec;
for ( i in parts )
{
if ( i % 2 == 1 && is_valid_ip(parts[i]) )
output[|output|] = parts[i];
}
return output;

12
scripts/base/utils/exec.bro
View file

@ -82,9 +82,9 @@ event Exec::line(description: Input::EventDescription, tpe: Input::Event, s: str
event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s: string)
{
local parts = split1(description$name, /_/);
local name = parts[1];
local track_file = parts[2];
local parts = split_string1(description$name, /_/);
local name = parts[0];
local track_file = parts[1];
local result = results[name];
if ( ! result?$files )
@ -99,13 +99,13 @@ event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s
event Input::end_of_data(orig_name: string, source:string)
{
local name = orig_name;
local parts = split1(name, /_/);
name = parts[1];
local parts = split_string1(name, /_/);
name = parts[0];
if ( name !in pending_commands || |parts| < 2 )
return;
local track_file = parts[2];
local track_file = parts[1];
# If the file is empty, still add it to the result$files table. This is needed
# because it is expected that the file was read even if it was empty.

2
scripts/base/utils/files.bro
View file

@ -23,7 +23,7 @@ function extract_filename_from_content_disposition(data: string): string
# Remove quotes around the filename if they are there.
if ( /^\"/ in filename )
filename = split_n(filename, /\"/, F, 2)[2];
filename = split_string_n(filename, /\"/, F, 2)[1];
# Remove the language and encoding if it's there.
if ( /^[a-zA-Z0-9\!#$%&+-^_`{}~]+'[a-zA-Z0-9\!#$%&+-^_`{}~]*'/ in filename )

6
scripts/base/utils/numbers.bro
View file

@ -2,9 +2,9 @@
## If no integer can be found, 0 is returned.
function extract_count(s: string): count
{
local parts = split_n(s, /[0-9]+/, T, 1);
if ( 2 in parts )
return to_count(parts[2]);
local parts = split_string_n(s, /[0-9]+/, T, 1);
if ( 1 in parts )
return to_count(parts[1]);
else
return 0;
}

24
scripts/base/utils/paths.bro
View file

@ -13,12 +13,12 @@ const absolute_path_pat = /(\/|[A-Za-z]:[\\\/]).*/;
function extract_path(input: string): string
{
const dir_pattern = /(\/|[A-Za-z]:[\\\/])([^\"\ ]|(\\\ ))*/;
local parts = split_all(input, dir_pattern);
local parts = split_string_all(input, dir_pattern);
if ( |parts| < 3 )
return "";
return parts[2];
return parts[1];
}
## Compresses a given path by removing '..'s and the parent directory it
@ -31,27 +31,27 @@ function compress_path(dir: string): string
{
const cdup_sep = /((\/)*([^\/]|\\\/)+)?((\/)+\.\.(\/)*)/;
local parts = split_n(dir, cdup_sep, T, 1);
local parts = split_string_n(dir, cdup_sep, T, 1);
if ( |parts| > 1 )
{
# reaching a point with two parent dir references back-to-back means
# we don't know about anything higher in the tree to pop off
if ( parts[2] == "../.." )
return cat_string_array(parts);
if ( sub_bytes(parts[2], 0, 1) == "/" )
parts[2] = "/";
if ( parts[1] == "../.." )
return join_string_vec(parts, "");
if ( sub_bytes(parts[1], 0, 1) == "/" )
parts[1] = "/";
else
parts[2] = "";
dir = cat_string_array(parts);
parts[1] = "";
dir = join_string_vec(parts, "");
return compress_path(dir);
}
const multislash_sep = /(\/\.?){2,}/;
parts = split_all(dir, multislash_sep);
parts = split_string_all(dir, multislash_sep);
for ( i in parts )
if ( i % 2 == 0 )
if ( i % 2 == 1 )
parts[i] = "/";
dir = cat_string_array(parts);
dir = join_string_vec(parts, "");
# remove trailing slashes from path
if ( |dir| > 1 && sub_bytes(dir, |dir|, 1) == "/" )

4
scripts/base/utils/patterns.bro
View file

@ -50,11 +50,11 @@ type PatternMatchResult: record {
## Returns: a record indicating the match status.
function match_pattern(s: string, p: pattern): PatternMatchResult
{
local a = split_n(s, p, T, 1);
local a = split_string_n(s, p, T, 1);
if ( |a| == 1 )
# no match
return [$matched = F, $str = "", $off = 0];
else
return [$matched = T, $str = a[2], $off = |a[1]| + 1];
return [$matched = T, $str = a[1], $off = |a[0]| + 1];
}

42
scripts/base/utils/urls.bro
View file

@ -48,7 +48,7 @@ function find_all_urls_without_scheme(s: string): string_set
function decompose_uri(s: string): URI
{
local parts: string_array;
local parts: string_vec;
local u: URI = [$netlocation="", $path="/"];
if ( /\?/ in s)
@ -56,55 +56,55 @@ function decompose_uri(s: string): URI
# Parse query.
u$params = table();
parts = split1(s, /\?/);
s = parts[1];
local query: string = parts[2];
parts = split_string1(s, /\?/);
s = parts[0];
local query: string = parts[1];
if ( /&/ in query )
{
local opv: table[count] of string = split(query, /&/);
local opv = split_string(query, /&/);
for ( each in opv )
{
if ( /=/ in opv[each] )
{
parts = split1(opv[each], /=/);
u$params[parts[1]] = parts[2];
parts = split_string1(opv[each], /=/);
u$params[parts[0]] = parts[1];
}
}
}
else
{
parts = split1(query, /=/);
u$params[parts[1]] = parts[2];
parts = split_string1(query, /=/);
u$params[parts[0]] = parts[1];
}
}
if ( /:\/\// in s )
{
# Parse scheme and remove from s.
parts = split1(s, /:\/\//);
u$scheme = parts[1];
s = parts[2];
parts = split_string1(s, /:\/\//);
u$scheme = parts[0];
s = parts[1];
}
if ( /\// in s )
{
# Parse path and remove from s.
parts = split1(s, /\//);
s = parts[1];
u$path = fmt("/%s", parts[2]);
parts = split_string1(s, /\//);
s = parts[0];
u$path = fmt("/%s", parts[1]);
if ( |u$path| > 1 && u$path[|u$path| - 1] != "/" )
{
local last_token: string = find_last(u$path, /\/.+/);
local full_filename = split1(last_token, /\//)[2];
local full_filename = split_string1(last_token, /\//)[1];
if ( /\./ in full_filename )
{
u$file_name = full_filename;
u$file_base = split1(full_filename, /\./)[1];
u$file_ext = split1(full_filename, /\./)[2];
u$file_base = split_string1(full_filename, /\./)[0];
u$file_ext = split_string1(full_filename, /\./)[1];
}
else
{
@ -117,9 +117,9 @@ function decompose_uri(s: string): URI
if ( /:/ in s )
{
# Parse location and port.
parts = split1(s, /:/);
u$netlocation = parts[1];
u$portnum = to_count(parts[2]);
parts = split_string1(s, /:/);
u$netlocation = parts[0];
u$portnum = to_count(parts[1]);
}
else
u$netlocation = s;

6
scripts/policy/frameworks/files/detect-MHR.bro
View file

@ -42,15 +42,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
{
# Data is returned as "<dateFirstDetected> <detectionRate>"
local MHR_answer = split1(MHR_result, / /);
local MHR_answer = split_string1(MHR_result, / /);
if ( |MHR_answer| == 2 )
{
local mhr_detect_rate = to_count(MHR_answer[2]);
local mhr_detect_rate = to_count(MHR_answer[1]);
if ( mhr_detect_rate >= notice_threshold )
{
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
local virustotal_url = fmt(match_sub_url, hash);

2
scripts/policy/frameworks/intel/seen/http-headers.bro
View file

@ -31,7 +31,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
case "X-FORWARDED-FOR":
if ( is_valid_ip(value) )
{
local addrs = find_ip_addresses(value);
local addrs = extract_ip_addresses(value);
for ( i in addrs )
{
Intel::seen([$host=to_addr(addrs[i]),

20
scripts/policy/frameworks/intel/seen/smtp.bro
View file

@ -30,10 +30,10 @@ event mime_end_entity(c: connection)
if ( c$smtp?$mailfrom )
{
local mailfromparts = split_n(c$smtp$mailfrom, /<.+>/, T, 1);
local mailfromparts = split_string_n(c$smtp$mailfrom, /<.+>/, T, 1);
if ( |mailfromparts| > 2 )
{
Intel::seen([$indicator=mailfromparts[2][1:-2],
Intel::seen([$indicator=mailfromparts[1][1:-2],
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_MAIL_FROM]);
@ -44,10 +44,10 @@ event mime_end_entity(c: connection)
{
for ( rcptto in c$smtp$rcptto )
{
local rcpttoparts = split_n(rcptto, /<.+>/, T, 1);
local rcpttoparts = split_string_n(rcptto, /<.+>/, T, 1);
if ( |rcpttoparts| > 2 )
{
Intel::seen([$indicator=rcpttoparts[2][1:-2],
Intel::seen([$indicator=rcpttoparts[1][1:-2],
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_RCPT_TO]);
@ -57,10 +57,10 @@ event mime_end_entity(c: connection)
if ( c$smtp?$from )
{
local fromparts = split_n(c$smtp$from, /<.+>/, T, 1);
local fromparts = split_string_n(c$smtp$from, /<.+>/, T, 1);
if ( |fromparts| > 2 )
{
Intel::seen([$indicator=fromparts[2][1:-2],
Intel::seen([$indicator=fromparts[1][1:-2],
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_FROM]);
@ -71,10 +71,10 @@ event mime_end_entity(c: connection)
{
for ( email_to in c$smtp$to )
{
local toparts = split_n(email_to, /<.+>/, T, 1);
local toparts = split_string_n(email_to, /<.+>/, T, 1);
if ( |toparts| > 2 )
{
Intel::seen([$indicator=toparts[2][1:-2],
Intel::seen([$indicator=toparts[1][1:-2],
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_TO]);
@ -84,10 +84,10 @@ event mime_end_entity(c: connection)
if ( c$smtp?$reply_to )
{
local replytoparts = split_n(c$smtp$reply_to, /<.+>/, T, 1);
local replytoparts = split_string_n(c$smtp$reply_to, /<.+>/, T, 1);
if ( |replytoparts| > 2 )
{
Intel::seen([$indicator=replytoparts[2][1:-2],
Intel::seen([$indicator=replytoparts[1][1:-2],
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_REPLY_TO]);

16
scripts/policy/frameworks/software/vulnerable.bro
View file

@ -55,18 +55,18 @@ function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRang
return vvr;
}
local versions = split1(vuln_sw, /\x09/);
local versions = split_string1(vuln_sw, /\x09/);
for ( i in versions )
{
local field_and_ver = split1(versions[i], /=/);
local field_and_ver = split_string1(versions[i], /=/);
if ( |field_and_ver| != 2 )
return vvr; #failure!
local ver = Software::parse(field_and_ver[2])$version;
if ( field_and_ver[1] == "min" )
local ver = Software::parse(field_and_ver[1])$version;
if ( field_and_ver[0] == "min" )
vvr$min = ver;
else if ( field_and_ver[1] == "max" )
else if ( field_and_ver[0] == "max" )
vvr$max = ver;
}
@ -84,15 +84,15 @@ event grab_vulnerable_versions(i: count)
when ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) )
{
local parts = split1(result, /\x09/);
local parts = split_string1(result, /\x09/);
if ( |parts| != 2 ) #failure or end of list!
{
schedule vulnerable_versions_update_interval { grab_vulnerable_versions(1) };
return;
}
local sw = parts[1];
local vvr = decode_vulnerable_version_range(parts[2]);
local sw = parts[0];
local vvr = decode_vulnerable_version_range(parts[1]);
if ( sw !in internal_vulnerable_versions )
internal_vulnerable_versions[sw] = set();
add internal_vulnerable_versions[sw][vvr];

8
scripts/policy/misc/detect-traceroute/main.bro
View file

@ -74,10 +74,10 @@ event bro_init() &priority=5
$threshold=icmp_time_exceeded_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local parts = split_n(key$str, /-/, F, 2);
local src = to_addr(parts[1]);
local dst = to_addr(parts[2]);
local proto = parts[3];
local parts = split_string_n(key$str, /-/, F, 2);
local src = to_addr(parts[0]);
local dst = to_addr(parts[1]);
local proto = parts[2];
Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]);
NOTICE([$note=Traceroute::Detected,
$msg=fmt("%s seems to be running traceroute using %s", src, proto),

8
scripts/policy/protocols/http/software-browser-plugins.bro
View file

@ -45,13 +45,13 @@ event log_http(rec: Info)
if ( rec$omniture && rec?$uri )
{
# We do {5,} because sometimes we see p=6 in the urls.
local parts = split_n(rec$uri, /&p=([^&]{5,});&/, T, 1);
if ( 2 in parts )
local parts = split_string_n(rec$uri, /&p=([^&]{5,});&/, T, 1);
if ( 1 in parts )
{
# We do sub_bytes here just to remove the extra extracted
# characters from the regex split above.
local sw = sub_bytes(parts[2], 4, |parts[2]|-5);
local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/);
local sw = sub_bytes(parts[1], 4, |parts[1]|-5);
local plugins = split_string(sw, /[[:blank:]]*;[[:blank:]]*/);
for ( i in plugins )
Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]);

2
scripts/policy/protocols/smtp/blocklists.bro
View file

@ -47,7 +47,7 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
local message = fmt("%s received an error message mentioning an SMTP block list", c$id$orig_h);
# Determine if the originator's IP address is in the message.
local ips = find_ip_addresses(msg);
local ips = extract_ip_addresses(msg);
local text_ip = "";
if ( |ips| > 0 && to_addr(ips[0]) == c$id$orig_h )
{

12
scripts/policy/protocols/ssl/notary.bro
View file

@ -70,23 +70,23 @@ event ssl_established(c: connection) &priority=3
clear_waitlist(digest);
return;
}
local fields = split(str, / /);
local fields = split_string(str, / /);
if ( |fields| != 5 ) # version 1 has 5 fields.
{
clear_waitlist(digest);
return;
}
local version = split(fields[1], /=/)[2];
local version = split_string(fields[0], /=/)[1];
if ( version != "1" )
{
clear_waitlist(digest);
return;
}
local r = notary_cache[digest];
r$first_seen = to_count(split(fields[2], /=/)[2]);
r$last_seen = to_count(split(fields[3], /=/)[2]);
r$times_seen = to_count(split(fields[4], /=/)[2]);
r$valid = split(fields[5], /=/)[2] == "1";
r$first_seen = to_count(split_string(fields[1], /=/)[1]);
r$last_seen = to_count(split_string(fields[2], /=/)[1]);
r$times_seen = to_count(split_string(fields[3], /=/)[1]);
r$valid = split_string(fields[4], /=/)[1] == "1";
# Assign notary answer to all records waiting for this digest.
if ( digest in waitlist )

3
src/Attr.cc
View file

@ -18,7 +18,7 @@ const char* attr_name(attr_tag t)
"&encrypt",
"&raw_output", "&mergeable", "&priority",
"&group", "&log", "&error_handler", "&type_column",
"(&tracked)",
"(&tracked)", "&deprecated",
};
return attr_names[int(t)];
@ -212,6 +212,7 @@ void Attributes::DescribeReST(ODesc* d) const
void Attributes::CheckAttr(Attr* a)
{
switch ( a->Tag() ) {
case ATTR_DEPRECATED:
case ATTR_OPTIONAL:
case ATTR_REDEF:
break;

3
src/Attr.h
View file

@ -34,7 +34,8 @@ typedef enum {
ATTR_ERROR_HANDLER,
ATTR_TYPE_COLUMN, // for input framework
ATTR_TRACKED, // hidden attribute, tracked by NotifierRegistry
#define NUM_ATTRS (int(ATTR_TRACKED) + 1)
ATTR_DEPRECATED,
#define NUM_ATTRS (int(ATTR_DEPRECATED) + 1)
} attr_tag;
class Attr : public BroObj {

35
src/Expr.cc
View file

@ -3213,6 +3213,10 @@ FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name)
{
SetType(rt->FieldType(field)->Ref());
td = rt->FieldDecl(field);
if ( td->FindAttr(ATTR_DEPRECATED) )
reporter->Warning("deprecated (%s$%s)", rt->GetName().c_str(),
field_name);
}
}
}
@ -3333,6 +3337,9 @@ HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name)
if ( field < 0 )
ExprError("no such field in record");
else if ( rt->FieldDecl(field)->FindAttr(ATTR_DEPRECATED) )
reporter->Warning("deprecated (%s?$%s)", rt->GetName().c_str(),
field_name);
SetType(base_type(TYPE_BOOL));
}
@ -4147,16 +4154,28 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
}
for ( i = 0; i < map_size; ++i )
if ( map[i] == -1 &&
! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
{
if ( map[i] == -1 )
{
char buf[512];
safe_snprintf(buf, sizeof(buf),
"non-optional field \"%s\" missing", t_r->FieldName(i));
Error(buf);
SetError();
break;
if ( ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
{
char buf[512];
safe_snprintf(buf, sizeof(buf),
"non-optional field \"%s\" missing",
t_r->FieldName(i));
Error(buf);
SetError();
break;
}
}
else
{
if ( t_r->FieldDecl(i)->FindAttr(ATTR_DEPRECATED) )
reporter->Warning("deprecated (%s$%s)",
t_r->GetName().c_str(),
t_r->FieldName(i));
}
}
}
}

2
src/Func.cc
View file

@ -323,7 +323,7 @@ int BroFunc::IsPure() const
Val* BroFunc::Call(val_list* args, Frame* parent) const
{
#ifdef PROFILE_BRO_FUNCTIONS
DEBUG_MSG("Function: %s\n", id->Name());
DEBUG_MSG("Function: %s\n", Name());
#endif
SegmentProfiler(segment_logger, location);

10
src/ID.cc
View file

@ -248,6 +248,16 @@ void ID::UpdateValAttrs()
}
}
void ID::MakeDeprecated()
{
if ( IsDeprecated() )
return;
attr_list* attr = new attr_list;
attr->append(new Attr(ATTR_DEPRECATED));
AddAttrs(new Attributes(attr, Type(), false));
}
void ID::AddAttrs(Attributes* a)
{
if ( attrs )

5
src/ID.h
View file

@ -80,6 +80,11 @@ public:
Attr* FindAttr(attr_tag t) const
{ return attrs ? attrs->FindAttr(t) : 0; }
bool IsDeprecated() const
{ return FindAttr(ATTR_DEPRECATED) != 0; }
void MakeDeprecated();
void Error(const char* msg, const BroObj* o2 = 0);
void Describe(ODesc* d) const;

14
src/Type.cc
View file

@ -1434,7 +1434,7 @@ EnumType::~EnumType()
// Note, we use reporter->Error() here (not Error()) to include the current script
// location in the error message, rather than the one where the type was
// originally defined.
void EnumType::AddName(const string& module_name, const char* name, bool is_export)
void EnumType::AddName(const string& module_name, const char* name, bool is_export, bool deprecated)
{
/* implicit, auto-increment */
if ( counter < 0)
@ -1443,11 +1443,11 @@ void EnumType::AddName(const string& module_name, const char* name, bool is_expo
SetError();
return;
}
CheckAndAddName(module_name, name, counter, is_export);
CheckAndAddName(module_name, name, counter, is_export, deprecated);
counter++;
}
void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export)
void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export, bool deprecated)
{
/* explicit value specified */
if ( counter > 0 )
@ -1457,11 +1457,11 @@ void EnumType::AddName(const string& module_name, const char* name, bro_int_t va
return;
}
counter = -1;
CheckAndAddName(module_name, name, val, is_export);
CheckAndAddName(module_name, name, val, is_export, deprecated);
}
void EnumType::CheckAndAddName(const string& module_name, const char* name,
bro_int_t val, bool is_export)
bro_int_t val, bool is_export, bool deprecated)
{
if ( Lookup(val) )
{
@ -1477,6 +1477,10 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name,
id = install_ID(name, module_name.c_str(), true, is_export);
id->SetType(this->Ref());
id->SetEnumConst();
if ( deprecated )
id->MakeDeprecated();
broxygen_mgr->Identifier(id);
}
else

7
src/Type.h
View file

@ -554,12 +554,12 @@ public:
// The value of this name is next internal counter value, starting
// with zero. The internal counter is incremented.
void AddName(const string& module_name, const char* name, bool is_export);
void AddName(const string& module_name, const char* name, bool is_export, bool deprecated);
// The value of this name is set to val. Once a value has been
// explicitly assigned using this method, no further names can be
// added that aren't likewise explicitly initalized.
void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export);
void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export, bool deprecated);
// -1 indicates not found.
bro_int_t Lookup(const string& module_name, const char* name) const;
@ -580,7 +580,8 @@ protected:
const char* name, bro_int_t val, bool is_export);
void CheckAndAddName(const string& module_name,
const char* name, bro_int_t val, bool is_export);
const char* name, bro_int_t val, bool is_export,
bool deprecated);
typedef std::map< const char*, bro_int_t, ltstr > NameMap;
NameMap names;

4
src/Var.cc
View file

@ -435,6 +435,10 @@ void end_func(Stmt* body, attr_list* attrs)
loop_over_list(*attrs, i)
{
Attr* a = (*attrs)[i];
if ( a->Tag() == ATTR_DEPRECATED )
continue;
if ( a->Tag() != ATTR_PRIORITY )
{
a->Error("illegal attribute for function body");

208
src/analyzer/protocol/dnp3/DNP3.cc
View file

@ -97,7 +97,6 @@
// Binpac DNP3 Analyzer
#include "DNP3.h"
#include "analyzer/protocol/tcp/TCP_Reassembler.h"
#include "events.bif.h"
using namespace analyzer::dnp3;
@ -109,12 +108,14 @@ const unsigned int PSEUDO_APP_LAYER_INDEX = 11; // index of first DNP3 app-laye
const unsigned int PSEUDO_TRANSPORT_LEN = 1; // length of DNP3 Transport Layer
const unsigned int PSEUDO_LINK_LAYER_LEN = 8; // length of DNP3 Pseudo Link Layer
bool DNP3_Analyzer::crc_table_initialized = false;
unsigned int DNP3_Analyzer::crc_table[256];
bool DNP3_Base::crc_table_initialized = false;
unsigned int DNP3_Base::crc_table[256];
DNP3_Analyzer::DNP3_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("DNP3", c)
DNP3_Base::DNP3_Base(analyzer::Analyzer* arg_analyzer)
{
interp = new binpac::DNP3::DNP3_Conn(this);
analyzer = arg_analyzer;
interp = new binpac::DNP3::DNP3_Conn(analyzer);
ClearEndpointState(true);
ClearEndpointState(false);
@ -123,49 +124,12 @@ DNP3_Analyzer::DNP3_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("DNP3", c)
PrecomputeCRCTable();
}
DNP3_Analyzer::~DNP3_Analyzer()
DNP3_Base::~DNP3_Base()
{
delete interp;
}
void DNP3_Analyzer::Done()
{
TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true);
interp->FlowEOF(false);
}
void DNP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
try
{
if ( ! ProcessData(len, data, orig) )
SetSkip(1);
}
catch ( const binpac::Exception& e )
{
SetSkip(1);
throw;
}
}
void DNP3_Analyzer::Undelivered(uint64 seq, int len, bool orig)
{
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
interp->NewGap(orig, len);
}
void DNP3_Analyzer::EndpointEOF(bool is_orig)
{
TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig);
}
bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig)
bool DNP3_Base::ProcessData(int len, const u_char* data, bool orig)
{
Endpoint* endp = orig ? &orig_state : &resp_state;
@ -174,25 +138,30 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig)
if ( endp->in_hdr )
{
// We're parsing the DNP3 header and link layer, get that in full.
if ( ! AddToBuffer(endp, PSEUDO_APP_LAYER_INDEX, &data, &len) )
int res = AddToBuffer(endp, PSEUDO_APP_LAYER_INDEX, &data, &len);
if ( res == 0 )
return true;
if ( res < 0 )
return false;
// The first two bytes must always be 0x0564.
if( endp->buffer[0] != 0x05 || endp->buffer[1] != 0x64 )
{
Weird("dnp3_header_lacks_magic");
analyzer->Weird("dnp3_header_lacks_magic");
return false;
}
// Make sure header checksum is correct.
if ( ! CheckCRC(PSEUDO_LINK_LAYER_LEN, endp->buffer, endp->buffer + PSEUDO_LINK_LAYER_LEN, "header") )
{
ProtocolViolation("broken_checksum");
analyzer->ProtocolViolation("broken_checksum");
return false;
}
// If the checksum works out, we're pretty certainly DNP3.
ProtocolConfirmation();
analyzer->ProtocolConfirmation();
// DNP3 packets without transport and application
// layers can happen, we ignore them.
@ -207,7 +176,7 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig)
u_char ctrl = endp->buffer[PSEUDO_CONTROL_FIELD_INDEX];
if ( orig != (bool)(ctrl & 0x80) )
Weird("dnp3_unexpected_flow_direction");
analyzer->Weird("dnp3_unexpected_flow_direction");
// Update state.
endp->pkt_length = endp->buffer[PSEUDO_LENGTH_INDEX];
@ -222,7 +191,11 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig)
if ( ! endp->in_hdr )
{
assert(endp->pkt_length);
if ( endp->pkt_length <= 0 )
{
analyzer->Weird("dnp3_negative_or_zero_length_link_layer");
return false;
}
// We're parsing the DNP3 application layer, get that
// in full now as well. We calculate the number of
@ -230,11 +203,17 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig)
// the packet length by determining how much 16-byte
// chunks fit in there, and then add 2 bytes CRC for
// each.
int n = PSEUDO_APP_LAYER_INDEX + (endp->pkt_length - 5) + ((endp->pkt_length - 5) / 16) * 2 + 2 - 1;
int n = PSEUDO_APP_LAYER_INDEX + (endp->pkt_length - 5) + ((endp->pkt_length - 5) / 16) * 2
+ 2 * ( ((endp->pkt_length - 5) % 16 == 0) ? 0 : 1) - 1 ;
if ( ! AddToBuffer(endp, n, &data, &len) )
int res = AddToBuffer(endp, n, &data, &len);
if ( res == 0 )
return true;
if ( res < 0 )
return false;
// Parse the the application layer data.
if ( ! ParseAppLayer(endp) )
return false;
@ -248,22 +227,45 @@ bool DNP3_Analyzer::ProcessData(int len, const u_char* data, bool orig)
return true;
}
bool DNP3_Analyzer::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len)
int DNP3_Base::AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len)
{
if ( ! target_len )
return true;
return 1;
if ( *len < 0 )
{
reporter->AnalyzerError(analyzer, "dnp3 negative input length: %d", *len);
return -1;
}
if ( target_len < endp->buffer_len )
{
reporter->AnalyzerError(analyzer, "dnp3 invalid target length: %d - %d",
target_len, endp->buffer_len);
return -1;
}
int to_copy = min(*len, target_len - endp->buffer_len);
if ( endp->buffer_len + to_copy > MAX_BUFFER_SIZE )
{
reporter->AnalyzerError(analyzer, "dnp3 buffer length exceeded: %d + %d",
endp->buffer_len, to_copy);
return -1;
}
memcpy(endp->buffer + endp->buffer_len, *data, to_copy);
*data += to_copy;
*len -= to_copy;
endp->buffer_len += to_copy;
return endp->buffer_len == target_len;
if ( endp->buffer_len == target_len )
return 1;
return 0;
}
bool DNP3_Analyzer::ParseAppLayer(Endpoint* endp)
bool DNP3_Base::ParseAppLayer(Endpoint* endp)
{
bool orig = (endp == &orig_state);
binpac::DNP3::DNP3_Flow* flow = orig ? interp->upflow() : interp->downflow();
@ -291,8 +293,15 @@ bool DNP3_Analyzer::ParseAppLayer(Endpoint* endp)
if ( ! CheckCRC(n, data, data + n, "app_chunk") )
return false;
if ( data + n >= endp->buffer + endp->buffer_len )
{
reporter->AnalyzerError(analyzer,
"dnp3 app layer parsing overflow %d - %d",
endp->buffer_len, n);
return false;
}
// Pass on to BinPAC.
assert(data + n < endp->buffer + endp->buffer_len);
flow->flow_buffer()->BufferData(data + transport, data + n);
transport = 0;
@ -306,7 +315,7 @@ bool DNP3_Analyzer::ParseAppLayer(Endpoint* endp)
if ( ! is_first && ! endp->encountered_first_chunk )
{
// We lost the first chunk.
Weird("dnp3_first_application_layer_chunk_missing");
analyzer->Weird("dnp3_first_application_layer_chunk_missing");
return false;
}
@ -320,7 +329,7 @@ bool DNP3_Analyzer::ParseAppLayer(Endpoint* endp)
return true;
}
void DNP3_Analyzer::ClearEndpointState(bool orig)
void DNP3_Base::ClearEndpointState(bool orig)
{
Endpoint* endp = orig ? &orig_state : &resp_state;
binpac::DNP3::DNP3_Flow* flow = orig ? interp->upflow() : interp->downflow();
@ -333,18 +342,18 @@ void DNP3_Analyzer::ClearEndpointState(bool orig)
endp->pkt_cnt = 0;
}
bool DNP3_Analyzer::CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where)
bool DNP3_Base::CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where)
{
unsigned int crc = CalcCRC(len, data);
if ( crc16[0] == (crc & 0xff) && crc16[1] == (crc & 0xff00) >> 8 )
return true;
Weird(fmt("dnp3_corrupt_%s_checksum", where));
analyzer->Weird(fmt("dnp3_corrupt_%s_checksum", where));
return false;
}
void DNP3_Analyzer::PrecomputeCRCTable()
void DNP3_Base::PrecomputeCRCTable()
{
for( unsigned int i = 0; i < 256; i++)
{
@ -362,7 +371,7 @@ void DNP3_Analyzer::PrecomputeCRCTable()
}
}
unsigned int DNP3_Analyzer::CalcCRC(int len, const u_char* data)
unsigned int DNP3_Base::CalcCRC(int len, const u_char* data)
{
unsigned int crc = 0x0000;
@ -374,3 +383,76 @@ unsigned int DNP3_Analyzer::CalcCRC(int len, const u_char* data)
return ~crc & 0xFFFF;
}
DNP3_TCP_Analyzer::DNP3_TCP_Analyzer(Connection* c)
: DNP3_Base(this), TCP_ApplicationAnalyzer("DNP3_TCP", c)
{
}
DNP3_TCP_Analyzer::~DNP3_TCP_Analyzer()
{
}
void DNP3_TCP_Analyzer::Done()
{
TCP_ApplicationAnalyzer::Done();
Interpreter()->FlowEOF(true);
Interpreter()->FlowEOF(false);
}
void DNP3_TCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
try
{
if ( ! ProcessData(len, data, orig) )
SetSkip(1);
}
catch ( const binpac::Exception& e )
{
SetSkip(1);
throw;
}
}
void DNP3_TCP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
{
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
Interpreter()->NewGap(orig, len);
}
void DNP3_TCP_Analyzer::EndpointEOF(bool is_orig)
{
TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
Interpreter()->FlowEOF(is_orig);
}
DNP3_UDP_Analyzer::DNP3_UDP_Analyzer(Connection* c)
: DNP3_Base(this), Analyzer("DNP3_UDP", c)
{
}
DNP3_UDP_Analyzer::~DNP3_UDP_Analyzer()
{
}
void DNP3_UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
try
{
if ( ! ProcessData(len, data, orig) )
SetSkip(1);
}
catch ( const binpac::Exception& e )
{
SetSkip(1);
throw;
}
}

72
src/analyzer/protocol/dnp3/DNP3.h
View file

@ -3,24 +3,20 @@
#define ANALYZER_PROTOCOL_DNP3_DNP3_H
#include "analyzer/protocol/tcp/TCP.h"
#include "analyzer/protocol/udp/UDP.h"
#include "dnp3_pac.h"
namespace analyzer { namespace dnp3 {
class DNP3_Analyzer : public tcp::TCP_ApplicationAnalyzer {
class DNP3_Base {
public:
DNP3_Analyzer(Connection* conn);
virtual ~DNP3_Analyzer();
DNP3_Base(analyzer::Analyzer* analyzer);
virtual ~DNP3_Base();
virtual void Done();
virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(uint64 seq, int len, bool orig);
virtual void EndpointEOF(bool is_orig);
binpac::DNP3::DNP3_Conn* Interpreter() { return interp; }
static Analyzer* Instantiate(Connection* conn)
{ return new DNP3_Analyzer(conn); }
private:
protected:
static const int MAX_BUFFER_SIZE = 300;
struct Endpoint {
@ -35,22 +31,64 @@ private:
bool ProcessData(int len, const u_char* data, bool orig);
void ClearEndpointState(bool orig);
bool AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len);
/**
* Buffers packet data until it reaches a specified length.
* @param endp an endpoint speaking DNP3 to which data will be buffered.
* @param target_len the required length of the buffer
* @param data source buffer to copy bytes from. Will be incremented
* by the number of bytes copied by this function.
* @param len the number of bytes available in \a data. Will be decremented
* by the number of bytes copied by this function.
* @return -1 if invalid input parameters were supplied, 0 if the endpoint's
* buffer is not yet \a target_len bytes in size, or 1 the buffer is the
* required size.
*/
int AddToBuffer(Endpoint* endp, int target_len, const u_char** data, int* len);
bool ParseAppLayer(Endpoint* endp);
bool CheckCRC(int len, const u_char* data, const u_char* crc16, const char* where);
unsigned int CalcCRC(int len, const u_char* data);
binpac::DNP3::DNP3_Conn* interp;
Endpoint orig_state;
Endpoint resp_state;
static void PrecomputeCRCTable();
static bool crc_table_initialized;
static unsigned int crc_table[256];
analyzer::Analyzer* analyzer;
binpac::DNP3::DNP3_Conn* interp;
Endpoint orig_state;
Endpoint resp_state;
};
class DNP3_TCP_Analyzer : public DNP3_Base, public tcp::TCP_ApplicationAnalyzer {
public:
DNP3_TCP_Analyzer(Connection* conn);
virtual ~DNP3_TCP_Analyzer();
virtual void Done();
virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(uint64 seq, int len, bool orig);
virtual void EndpointEOF(bool is_orig);
static Analyzer* Instantiate(Connection* conn)
{ return new DNP3_TCP_Analyzer(conn); }
};
class DNP3_UDP_Analyzer : public DNP3_Base, public analyzer::Analyzer {
public:
DNP3_UDP_Analyzer(Connection* conn);
virtual ~DNP3_UDP_Analyzer();
virtual void DeliverPacket(int len, const u_char* data, bool orig,
uint64 seq, const IP_Hdr* ip, int caplen);
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new DNP3_UDP_Analyzer(conn); }
};
} } // namespace analyzer::*
#endif

5
src/analyzer/protocol/dnp3/Plugin.cc
View file

@ -12,11 +12,12 @@ class Plugin : public plugin::Plugin {
public:
plugin::Configuration Configure()
{
AddComponent(new ::analyzer::Component("DNP3", ::analyzer::dnp3::DNP3_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("DNP3_TCP", ::analyzer::dnp3::DNP3_TCP_Analyzer::Instantiate));
AddComponent(new ::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate));
plugin::Configuration config;
config.name = "Bro::DNP3";
config.description = "DNP3 analyzer";
config.description = "DNP3 UDP/TCP analyzers";
return config;
}
} plugin;

10
src/analyzer/protocol/dnp3/dnp3-analyzer.pac
View file

@ -38,7 +38,7 @@ flow DNP3_Flow(is_orig: bool) {
return true;
%}
function get_dnp3_application_request_header(fc: uint8): bool
function get_dnp3_application_request_header(application_control: uint8, fc: uint8): bool
%{
if ( ::dnp3_application_request_header )
{
@ -46,13 +46,14 @@ flow DNP3_Flow(is_orig: bool) {
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
application_control,
fc
);
}
return true;
%}
function get_dnp3_application_response_header(fc: uint8, iin: uint16): bool
function get_dnp3_application_response_header(application_control: uint8, fc: uint8, iin: uint16): bool
%{
if ( ::dnp3_application_response_header )
{
@ -60,6 +61,7 @@ flow DNP3_Flow(is_orig: bool) {
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
application_control,
fc,
iin
);
@ -743,11 +745,11 @@ refine typeattr Header_Block += &let {
};
refine typeattr DNP3_Application_Request_Header += &let {
process_request: bool = $context.flow.get_dnp3_application_request_header(function_code);
process_request: bool = $context.flow.get_dnp3_application_request_header(application_control, function_code);
};
refine typeattr DNP3_Application_Response_Header += &let {
process_request: bool = $context.flow.get_dnp3_application_response_header(function_code, internal_indications);
process_request: bool = $context.flow.get_dnp3_application_response_header(application_control, function_code, internal_indications);
};
refine typeattr Object_Header += &let {

10
src/analyzer/protocol/dnp3/dnp3-protocol.pac
View file

@ -90,7 +90,7 @@ type DNP3_Application_Response_Header = record {
type Request_Objects(function_code: uint8) = record {
object_header: Object_Header(function_code);
data: case (object_header.object_type_field) of {
0x0c03 -> bocmd_PM: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ];
0x0c03 -> bocmd_PM: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ];
0x3202 -> time_interval_ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item]
&check( object_header.qualifer_field == 0x0f && object_header.number_of_item == 0x01);
default -> ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item];
@ -112,10 +112,10 @@ type Request_Objects(function_code: uint8) = record {
type Response_Objects(function_code: uint8) = record {
object_header: Object_Header(function_code);
data: case (object_header.object_type_field) of {
0x0101 -> biwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ];
0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ];
0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ];
0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1 ];
0x0101 -> biwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ];
0x0301 -> diwoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ];
0x0a01 -> bowoflag: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )];
0x0c03 -> bocmd_PM: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) )];
default -> ojbects: Response_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item];
};
};

4
src/analyzer/protocol/dnp3/events.bif
View file

@ -7,7 +7,7 @@
##
## fc: function code.
##
event dnp3_application_request_header%(c: connection, is_orig: bool, fc: count%);
event dnp3_application_request_header%(c: connection, is_orig: bool, application: count, fc: count%);
## Generated for a DNP3 response header.
##
@ -19,7 +19,7 @@ event dnp3_application_request_header%(c: connection, is_orig: bool, fc: count%)
##
## iin: internal indication number.
##
event dnp3_application_response_header%(c: connection, is_orig: bool, fc: count, iin: count%);
event dnp3_application_response_header%(c: connection, is_orig: bool, application: count, fc: count, iin: count%);
## Generated for the object header found in both DNP3 requests and responses.
##

8
src/analyzer/protocol/mysql/events.bif
View file

@ -9,7 +9,7 @@
##
## arg: The argument for the command (empty string if not provided).
##
## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake_response
## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
event mysql_command_request%(c: connection, command: count, arg: string%);
## Generated for an unsuccessful MySQL response.
@ -23,7 +23,7 @@ event mysql_command_request%(c: connection, command: count, arg: string%);
##
## msg: Any extra details about the error (empty string if not provided).
##
## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake_response
## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake
event mysql_error%(c: connection, code: count, msg: string%);
## Generated for a successful MySQL response.
@ -35,7 +35,7 @@ event mysql_error%(c: connection, code: count, msg: string%);
##
## affected_rows: The number of rows that were affected.
##
## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake_response
## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
event mysql_ok%(c: connection, affected_rows: count%);
## Generated for the initial server handshake packet, which includes the MySQL server version.
@ -47,7 +47,7 @@ event mysql_ok%(c: connection, affected_rows: count%);
##
## ver: The server version string.
##
## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake_response
## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake
event mysql_server_version%(c: connection, ver: string%);
## Generated for a client handshake response packet, which includes the username the client is attempting

19
src/builtin-func.y
View file

@ -287,7 +287,7 @@ void record_bif_item(const char* id, const char* type)
%left ',' ':'
%type <str> TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list
%type <str> TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list opt_func_attrs
%type <val> TOK_ATOM TOK_BOOL
%union {
@ -372,7 +372,13 @@ type_def_types: TOK_RECORD
{ set_definition_type(TYPE_DEF, "Table"); }
;
event_def: event_prefix opt_ws plain_head opt_attr_list
opt_func_attrs: attr_list opt_ws
{ $$ = $1; }
| /* nothing */
{ $$ = ""; }
;
event_def: event_prefix opt_ws plain_head opt_func_attrs
{ fprintf(fp_bro_init, "%s", $4); } end_of_head ';'
{
print_event_c_prototype(fp_func_h, true);
@ -380,13 +386,16 @@ event_def: event_prefix opt_ws plain_head opt_attr_list
print_event_c_body(fp_func_def);
}
func_def: func_prefix opt_ws typed_head end_of_head body
func_def: func_prefix opt_ws typed_head opt_func_attrs
{ fprintf(fp_bro_init, "%s", $4); } end_of_head body
;
enum_def: enum_def_1 enum_list TOK_RPB
enum_def: enum_def_1 enum_list TOK_RPB opt_attr_list
{
// First, put an end to the enum type decl.
fprintf(fp_bro_init, "};\n");
fprintf(fp_bro_init, "} ");
fprintf(fp_bro_init, "%s", $4);
fprintf(fp_bro_init, ";\n");
if ( decl.module_name != GLOBAL_MODULE_NAME )
fprintf(fp_netvar_h, "}; } }\n");
else

18
src/file_analysis/File.cc
View file

@ -492,18 +492,22 @@ void File::EndOfFile()
if ( done )
return;
if ( ! did_mime_type &&
LookupFieldDefaultCount(missing_bytes_idx) == 0 )
DetectMIME();
analyzers.DrainModifications();
if ( file_reassembler )
{
file_reassembler->Flush();
analyzers.DrainModifications();
}
// Mark the bof_buffer as full in case it isn't yet
// so that the whole thing can be flushed out to
// any stream analyzers.
if ( ! bof_buffer.full )
{
bof_buffer.full = true;
DeliverStream((const u_char*) "", 0);
}
analyzers.DrainModifications();
done = true;
file_analysis::Analyzer* a = 0;

5
src/file_analysis/FileReassembler.cc
View file

@ -12,6 +12,11 @@ FileReassembler::FileReassembler(File *f, uint64 starting_offset)
{
}
FileReassembler::FileReassembler()
: Reassembler(), the_file(0), flushing(false)
{
}
FileReassembler::~FileReassembler()
{
}

2
src/file_analysis/FileReassembler.h
View file

@ -48,7 +48,7 @@ public:
{ return flushing; }
protected:
FileReassembler() { }
FileReassembler();
DECLARE_SERIAL(FileReassembler);

2
src/file_analysis/file_analysis.bif
View file

@ -29,7 +29,7 @@ function Files::__disable_reassembly%(file_id: string%): bool
return new Val(result, TYPE_BOOL);
%}
## :bro:see:`Files::set_reassembly_buffer`.
## :bro:see:`Files::set_reassembly_buffer_size`.
function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool
%{
bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max);

58
src/parse.y
View file

@ -2,7 +2,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
%}
%expect 75
%expect 78
%token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY
%token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF
@ -24,7 +24,7 @@
%token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED
%token TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE
%token TOK_ATTR_PRIORITY TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER
%token TOK_ATTR_TYPE_COLUMN
%token TOK_ATTR_TYPE_COLUMN TOK_ATTR_DEPRECATED
%token TOK_DEBUG
@ -44,7 +44,7 @@
%right '!'
%left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR
%type <b> opt_no_test opt_no_test_block
%type <b> opt_no_test opt_no_test_block opt_deprecated
%type <str> TOK_ID TOK_PATTERN_TEXT single_pattern
%type <id> local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func
%type <id_l> local_id_list
@ -227,6 +227,18 @@ static bool expr_is_table_type_name(const Expr* expr)
return false;
}
static bool has_attr(const attr_list* al, attr_tag tag)
{
if ( ! al )
return false;
for ( int i = 0; i < al->length(); ++i )
if ( (*al)[i]->Tag() == tag )
return true;
return false;
}
%}
%union {
@ -671,6 +683,9 @@ expr:
}
else
$$ = new NameExpr(id);
if ( id->IsDeprecated() )
reporter->Warning("deprecated (%s)", id->Name());
}
}
@ -759,7 +774,7 @@ enum_body_elem:
error messages if someboy tries to use constant variables as
enumerator.
*/
TOK_ID '=' TOK_CONSTANT
TOK_ID '=' TOK_CONSTANT opt_deprecated
{
set_location(@1, @3);
assert(cur_enum_type);
@ -768,7 +783,7 @@ enum_body_elem:
reporter->Error("enumerator is not a count constant");
else
cur_enum_type->AddName(current_module, $1,
$3->InternalUnsigned(), is_export);
$3->InternalUnsigned(), is_export, $4);
}
| TOK_ID '=' '-' TOK_CONSTANT
@ -780,11 +795,11 @@ enum_body_elem:
reporter->Error("enumerator is not a count constant");
}
| TOK_ID
| TOK_ID opt_deprecated
{
set_location(@1);
assert(cur_enum_type);
cur_enum_type->AddName(current_module, $1, is_export);
cur_enum_type->AddName(current_module, $1, is_export, $2);
}
;
@ -963,7 +978,12 @@ type:
$$ = error_type();
}
else
{
Ref($$);
if ( $1->IsDeprecated() )
reporter->Warning("deprecated (%s)", $1->Name());
}
}
;
@ -1139,6 +1159,9 @@ func_body:
{
saved_in_init.push_back(in_init);
in_init = 0;
if ( has_attr($1, ATTR_DEPRECATED) )
current_scope()->ScopeID()->MakeDeprecated();
}
stmt_list
@ -1265,6 +1288,8 @@ attr:
{ $$ = new Attr(ATTR_LOG); }
| TOK_ATTR_ERROR_HANDLER
{ $$ = new Attr(ATTR_ERROR_HANDLER); }
| TOK_ATTR_DEPRECATED
{ $$ = new Attr(ATTR_DEPRECATED); }
;
stmt:
@ -1450,6 +1475,10 @@ event:
{
set_location(@1, @4);
$$ = new EventExpr($1, $3);
ID* id = lookup_ID($1, current_module.c_str());
if ( id && id->IsDeprecated() )
reporter->Warning("deprecated (%s)", id->Name());
}
;
@ -1556,6 +1585,15 @@ global_or_event_id:
if ( ! $$->IsGlobal() )
$$->Error("already a local identifier");
if ( $$->IsDeprecated() )
{
BroType* t = $$->Type();
if ( t->Tag() != TYPE_FUNC ||
t->AsFuncType()->Flavor() != FUNC_FLAVOR_FUNCTION )
reporter->Warning("deprecated (%s)", $$->Name());
}
delete [] $1;
}
@ -1597,6 +1635,12 @@ opt_no_test_block:
|
{ $$ = false; }
opt_deprecated:
TOK_ATTR_DEPRECATED
{ $$ = true; }
|
{ $$ = false; }
%%
int yyerror(const char msg[])

3
src/plugin/ComponentManager.h
View file

@ -243,7 +243,8 @@ void ComponentManager<T, C>::RegisterComponent(C* component,
// Install an identfier for enum value
string id = fmt("%s%s", prefix.c_str(), cname.c_str());
tag_enum_type->AddName(module, id.c_str(),
component->Tag().AsEnumVal()->InternalInt(), true);
component->Tag().AsEnumVal()->InternalInt(), true,
false);
}
} // namespace plugin

1
src/scan.l
View file

@ -260,6 +260,7 @@ when return TOK_WHEN;
&create_expire return TOK_ATTR_EXPIRE_CREATE;
&default return TOK_ATTR_DEFAULT;
&delete_func return TOK_ATTR_DEL_FUNC;
&deprecated return TOK_ATTR_DEPRECATED;
&raw_output return TOK_ATTR_RAW_OUTPUT;
&encrypt return TOK_ATTR_ENCRYPT;
&error_handler return TOK_ATTR_ERROR_HANDLER;

162
src/strings.bif
View file

@ -130,7 +130,7 @@ BroString* cat_string_array_n(TableVal* tbl, int start, int end)
## .. bro:see:: cat cat_sep string_cat cat_string_array_n
## fmt
## join_string_vec join_string_array
function cat_string_array%(a: string_array%): string
function cat_string_array%(a: string_array%): string &deprecated
%{
TableVal* tbl = a->AsTableVal();
return new StringVal(cat_string_array_n(tbl, 1, a->AsTable()->Length()));
@ -149,7 +149,7 @@ function cat_string_array%(a: string_array%): string
## .. bro:see:: cat string_cat cat_string_array
## fmt
## join_string_vec join_string_array
function cat_string_array_n%(a: string_array, start: count, end: count%): string
function cat_string_array_n%(a: string_array, start: count, end: count%): string &deprecated
%{
TableVal* tbl = a->AsTableVal();
return new StringVal(cat_string_array_n(tbl, start, end));
@ -168,7 +168,7 @@ function cat_string_array_n%(a: string_array, start: count, end: count%): string
## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
## fmt
## join_string_vec
function join_string_array%(sep: string, a: string_array%): string
function join_string_array%(sep: string, a: string_array%): string &deprecated
%{
vector<const BroString*> vs;
TableVal* tbl = a->AsTableVal();
@ -230,7 +230,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string
## Returns: A sorted copy of *a*.
##
## .. bro:see:: sort
function sort_string_array%(a: string_array%): string_array
function sort_string_array%(a: string_array%): string_array &deprecated
%{
TableVal* tbl = a->AsTableVal();
int n = a->AsTable()->Length();
@ -338,6 +338,62 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t)
return 1;
}
VectorVal* do_split_string(StringVal* str_val, RE_Matcher* re, int incl_sep,
int max_num_sep)
{
VectorVal* rval = new VectorVal(string_vec);
const u_char* s = str_val->Bytes();
int n = str_val->Len();
const u_char* end_of_s = s + n;
int num = 0;
int num_sep = 0;
int offset = 0;
while ( n >= 0 )
{
offset = 0;
// Find next match offset.
int end_of_match = 0;
while ( n > 0 &&
(end_of_match = re->MatchPrefix(s + offset, n)) <= 0 )
{
// Move on to next byte.
++offset;
--n;
}
if ( max_num_sep && num_sep >= max_num_sep )
{
offset = end_of_s - s;
n=0;
}
rval->Assign(num++, new StringVal(offset, (const char*) s));
// No more separators will be needed if this is the end of string.
if ( n <= 0 )
break;
if ( incl_sep )
{ // including the part that matches the pattern
rval->Assign(num++, new StringVal(end_of_match, (const char*) s+offset));
}
if ( max_num_sep && num_sep >= max_num_sep )
break;
++num_sep;
n -= end_of_match;
s += offset + end_of_match;;
if ( s > end_of_s )
reporter->InternalError("RegMatch in split goes beyond the string");
}
return rval;
}
Val* do_split(StringVal* str_val, RE_Matcher* re, int incl_sep, int max_num_sep)
{
TableVal* a = new TableVal(string_array);
@ -493,17 +549,33 @@ Val* do_sub(StringVal* str_val, RE_Matcher* re, StringVal* repl, int do_all)
## Returns: An array of strings where each element corresponds to a substring
## in *str* separated by *re*.
##
## .. bro:see:: split1 split_all split_n str_split
## .. bro:see:: split1 split_all split_n str_split split_string1 split_string_all split_string_n str_split
##
## .. note:: The returned table starts at index 1. Note that conceptually the
## return value is meant to be a vector and this might change in the
## future.
##
function split%(str: string, re: pattern%): string_array
function split%(str: string, re: pattern%): string_array &deprecated
%{
return do_split(str, re, 0, 0);
%}
## Splits a string into an array of strings according to a pattern.
##
## str: The string to split.
##
## re: The pattern describing the element separator in *str*.
##
## Returns: An array of strings where each element corresponds to a substring
## in *str* separated by *re*.
##
## .. bro:see:: split_string1 split_string_all split_string_n str_split
##
function split_string%(str: string, re: pattern%): string_vec
%{
return do_split_string(str, re, 0, 0);
%}
## Splits a string *once* into a two-element array of strings according to a
## pattern. This function is the same as :bro:id:`split`, but *str* is only
## split once (if possible) at the earliest position and an array of two strings
@ -518,12 +590,32 @@ function split%(str: string, re: pattern%): string_array
## second everything after *re*. An array of one string is returned
## when *s* cannot be split.
##
## .. bro:see:: split split_all split_n str_split
function split1%(str: string, re: pattern%): string_array
## .. bro:see:: split split_all split_n str_split split_string split_string_all split_string_n str_split
function split1%(str: string, re: pattern%): string_array &deprecated
%{
return do_split(str, re, 0, 1);
%}
## Splits a string *once* into a two-element array of strings according to a
## pattern. This function is the same as :bro:id:`split_string`, but *str* is
## only split once (if possible) at the earliest position and an array of two
## strings is returned.
##
## str: The string to split.
##
## re: The pattern describing the separator to split *str* in two pieces.
##
## Returns: An array of strings with two elements in which the first represents
## the substring in *str* up to the first occurence of *re*, and the
## second everything after *re*. An array of one string is returned
## when *s* cannot be split.
##
## .. bro:see:: split_string split_string_all split_string_n str_split
function split_string1%(str: string, re: pattern%): string_vec
%{
return do_split_string(str, re, 0, 1);
%}
## Splits a string into an array of strings according to a pattern. This
## function is the same as :bro:id:`split`, except that the separators are
## returned as well. For example, ``split_all("a-b--cd", /(\-)+/)`` returns
@ -538,12 +630,32 @@ function split1%(str: string, re: pattern%): string_array
## to a substring in *str* of the part not matching *re* (odd-indexed)
## and the part that matches *re* (even-indexed).
##
## .. bro:see:: split split1 split_n str_split
function split_all%(str: string, re: pattern%): string_array
## .. bro:see:: split split1 split_n str_split split_string split_string1 split_string_n str_split
function split_all%(str: string, re: pattern%): string_array &deprecated
%{
return do_split(str, re, 1, 0);
%}
## Splits a string into an array of strings according to a pattern. This
## function is the same as :bro:id:`split_string`, except that the separators
## are returned as well. For example, ``split_string_all("a-b--cd", /(\-)+/)``
## returns ``{"a", "-", "b", "--", "cd"}``: odd-indexed elements do match the
## pattern and even-indexed ones do not.
##
## str: The string to split.
##
## re: The pattern describing the element separator in *str*.
##
## Returns: An array of strings where each two successive elements correspond
## to a substring in *str* of the part not matching *re* (even-indexed)
## and the part that matches *re* (odd-indexed).
##
## .. bro:see:: split_string split_string1 split_string_n str_split
function split_string_all%(str: string, re: pattern%): string_vec
%{
return do_split_string(str, re, 1, 0);
%}
## Splits a string a given number of times into an array of strings according
## to a pattern. This function is similar to :bro:id:`split1` and
## :bro:id:`split_all`, but with customizable behavior with respect to
@ -563,13 +675,39 @@ function split_all%(str: string, re: pattern%): string_array
## not matching *re* (odd-indexed) and the part that matches *re*
## (even-indexed).
##
## .. bro:see:: split split1 split_all str_split
## .. bro:see:: split split1 split_all str_split split_string split_string1 split_string_all str_split
function split_n%(str: string, re: pattern,
incl_sep: bool, max_num_sep: count%): string_array
incl_sep: bool, max_num_sep: count%): string_array &deprecated
%{
return do_split(str, re, incl_sep, max_num_sep);
%}
## Splits a string a given number of times into an array of strings according
## to a pattern. This function is similar to :bro:id:`split_string1` and
## :bro:id:`split_string_all`, but with customizable behavior with respect to
## including separators in the result and the number of times to split.
##
## str: The string to split.
##
## re: The pattern describing the element separator in *str*.
##
## incl_sep: A flag indicating whether to include the separator matches in the
## result (as in :bro:id:`split_string_all`).
##
## max_num_sep: The number of times to split *str*.
##
## Returns: An array of strings where, if *incl_sep* is true, each two
## successive elements correspond to a substring in *str* of the part
## not matching *re* (event-indexed) and the part that matches *re*
## (odd-indexed).
##
## .. bro:see:: split_string split_string1 split_string_all str_split
function split_string_n%(str: string, re: pattern,
incl_sep: bool, max_num_sep: count%): string_vec
%{
return do_split_string(str, re, incl_sep, max_num_sep);
%}
## Substitutes a given replacement string for the first occurrence of a pattern
## in a given string.
##

32
testing/btest/Baseline/bifs.split_string/out Normal file
View file

@ -0,0 +1,32 @@
t
s is a t
t
---------------------
t
s is a test
---------------------
t
hi
s is a t
es
t
---------------------
t
s is a test
---------------------
t
hi
s is a test
---------------------
[, thi, s i, s a tes, t]
---------------------
X-Mailer
Testing Test (http://www.example.com)
---------------------
A
=
B
=
C
=
D

10
testing/btest/Baseline/core.print-bpf-filters/output2
View file

@ -4,7 +4,7 @@
1 161
1 162
1 1812
1 20000
2 20000
1 21
1 2123
1 2152
@ -44,8 +44,8 @@
1 992
1 993
1 995
48 and
47 or
48 port
49 and
48 or
49 port
34 tcp
14 udp
15 udp

4
testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output
View file

@ -2,10 +2,10 @@
file_analysis_02.bro
event file_new(f: fa_file)
event file_mime_type(f: fa_file, mime_type: string)
{
print "new file", f$id;
if ( f?$mime_type && f$mime_type == "text/plain" )
if ( mime_type == "text/plain" )
Files::add_analyzer(f, Files::ANALYZER_MD5);
}

9
testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output
View file

@ -11,18 +11,15 @@ global mime_to_ext: table[string] of string = {
["text/html"] = "html",
};
event file_new(f: fa_file)
event file_mime_type(f: fa_file, mime_type: string)
{
if ( f$source != "HTTP" )
return;
if ( ! f?$mime_type )
if ( mime_type !in mime_to_ext )
return;
if ( f$mime_type !in mime_to_ext )
return;
local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]);
local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[mime_type]);
print fmt("Extracting file %s", fname);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}

9
testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output
View file

@ -46,15 +46,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
{
# Data is returned as "<dateFirstDetected> <detectionRate>"
local MHR_answer = split1(MHR_result, / /);
local MHR_answer = split_string1(MHR_result, / /);
if ( |MHR_answer| == 2 )
{
local mhr_detect_rate = to_count(MHR_answer[2]);
local mhr_detect_rate = to_count(MHR_answer[1]);
if ( mhr_detect_rate >= notice_threshold )
{
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
local virustotal_url = fmt(match_sub_url, hash);
@ -70,6 +70,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
event file_hash(f: fa_file, kind: string, hash: string)
{
if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
if ( kind == "sha1" && f?$info && f$info?$mime_type &&
match_file_types in f$info$mime_type )
do_mhr_lookup(hash, Notice::create_file_info(f));
}

10
testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
View file

@ -9,15 +9,15 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
{
# Data is returned as "<dateFirstDetected> <detectionRate>"
local MHR_answer = split1(MHR_result, / /);
local MHR_answer = split_string1(MHR_result, / /);
if ( |MHR_answer| == 2 )
{
local mhr_detect_rate = to_count(MHR_answer[2]);
local mhr_detect_rate = to_count(MHR_answer[1]);
if ( mhr_detect_rate >= notice_threshold )
{
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
local virustotal_url = fmt(match_sub_url, hash);
@ -33,6 +33,6 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
event file_hash(f: fa_file, kind: string, hash: string)
{
if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
if ( kind == "sha1" && f?$info && f$info?$mime_type &&
match_file_types in f$info$mime_type )
do_mhr_lookup(hash, Notice::create_file_info(f));
}

28
testing/btest/Baseline/language.deprecated/out Normal file
View file

@ -0,0 +1,28 @@
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 30: deprecated (ONE)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 31: deprecated (TWO)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 33: deprecated (GREEN)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 34: deprecated (BLUE)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 36: deprecated (blah)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 40: deprecated (my_event)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 41: deprecated (my_event)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 42: deprecated (my_hook)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 44: deprecated (my_record$b)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 45: deprecated (my_record$b)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 46: deprecated (my_record$b)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 48: deprecated (my_record?$b)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 49: deprecated (my_record$b)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 52: deprecated (my_record$b)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 55: deprecated (my_event)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 60: deprecated (my_hook)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 65: deprecated (blah)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 74: deprecated (dont_use_me)
warning in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.deprecated/deprecated.bro, line 79: deprecated (dont_use_me_either)
ZERO
ONE
TWO
RED
GREEN
BLUE
generate my_hook please
generate my_event please
schedule my_event please

288
testing/btest/Baseline/plugins.hooks/output
View file

@ -5,7 +5,8 @@
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> <null>
@ -57,7 +58,8 @@
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> <null>
@ -104,7 +106,7 @@
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp})) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355<...>/udp})) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <null>
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <null>
@ -127,37 +129,37 @@
0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> <null>
0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> <null>
0.000000 MetaHookPost CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__create_stream, (Cluster::LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__create_stream, (Communication::LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__create_stream, (Conn::LOG, [columns=<no value description>, ev=Conn::log_conn])) -> <null>
@ -189,7 +191,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__create_stream, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
0.000000 MetaHookPost CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Cluster::LOG)) -> <null>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Communication::LOG)) -> <null>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, (Conn::LOG)) -> <null>
@ -283,8 +285,8 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])) -> <null>
0.000000 MetaHookPost CallFunction(Log::create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509])) -> <null>
0.000000 MetaHookPost CallFunction(Log::create_stream, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])) -> <null>
0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
0.000000 MetaHookPost CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
0.000000 MetaHookPost CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
0.000000 MetaHookPost CallFunction(Notice::want_pp, ()) -> <null>
0.000000 MetaHookPost CallFunction(PacketFilter::build, ()) -> <null>
0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> <null>
@ -317,8 +319,8 @@
0.000000 MetaHookPost CallFunction(reading_live_traffic, ()) -> <null>
0.000000 MetaHookPost CallFunction(reading_traces, ()) -> <null>
0.000000 MetaHookPost CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> <null>
0.000000 MetaHookPost CallFunction(split1, (PacketFilter::LOG, <...>/)) -> <null>
0.000000 MetaHookPost CallFunction(split_n, (PacketFilter, <...>/, T, 4)) -> <null>
0.000000 MetaHookPost CallFunction(split_string1, (PacketFilter::LOG, <...>/)) -> <null>
0.000000 MetaHookPost CallFunction(split_string_n, (PacketFilter, <...>/, T, 4)) -> <null>
0.000000 MetaHookPost CallFunction(string_to_pattern, ((^\.?|\.)()$, F)) -> <null>
0.000000 MetaHookPost CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, )) -> <null>
0.000000 MetaHookPost CallFunction(sub_bytes, (tFilter, 1, 1)) -> <null>
@ -542,7 +544,8 @@
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 137/udp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/udp))
@ -594,7 +597,8 @@
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp))
@ -641,7 +645,7 @@
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67<...>/udp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355<...>/udp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
@ -664,37 +668,37 @@
0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]))
0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]))
0.000000 MetaHookPre CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, (Cluster::LOG, [columns=<no value description>, ev=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, (Communication::LOG, [columns=<no value description>, ev=<uninitialized>]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, (Conn::LOG, [columns=<no value description>, ev=Conn::log_conn]))
@ -726,7 +730,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql]))
0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, (Conn::LOG))
@ -820,8 +824,8 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql]))
0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::write, (PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Notice::want_pp, ())
0.000000 MetaHookPre CallFunction(PacketFilter::build, ())
0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, (ip or not ip, and, ))
@ -854,8 +858,8 @@
0.000000 MetaHookPre CallFunction(reading_live_traffic, ())
0.000000 MetaHookPre CallFunction(reading_traces, ())
0.000000 MetaHookPre CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$))
0.000000 MetaHookPre CallFunction(split1, (PacketFilter::LOG, <...>/))
0.000000 MetaHookPre CallFunction(split_n, (PacketFilter, <...>/, T, 4))
0.000000 MetaHookPre CallFunction(split_string1, (PacketFilter::LOG, <...>/))
0.000000 MetaHookPre CallFunction(split_string_n, (PacketFilter, <...>/, T, 4))
0.000000 MetaHookPre CallFunction(string_to_pattern, ((^\.?|\.)()$, F))
0.000000 MetaHookPre CallFunction(sub, ((^\.?|\.)(~~)$, <...>/, ))
0.000000 MetaHookPre CallFunction(sub_bytes, (tFilter, 1, 1))
@ -1079,7 +1083,8 @@
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 68/udp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3, 20000/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/udp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 137/udp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/udp)
@ -1131,7 +1136,8 @@
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 68/udp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3, 20000/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/udp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 137/udp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/udp)
@ -1178,7 +1184,7 @@
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67<...>/udp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3, {20000/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5355<...>/udp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
@ -1201,37 +1207,37 @@
0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])
0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])
0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])
0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[1]), _, to_lower(Log::parts[2])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=Log::default_path_func{ if ( != Log::path) return (Log::path)Log::id_str = fmt(%s, Log::id)Log::parts = split_string1(Log::id_str, <...>/, )return (cat(to_lower(Log::parts[0]), _, to_lower(Log::parts[1])))}elsereturn (to_lower(Log::id_str))}, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=<no value description>, ev=<uninitialized>])
0.000000 | HookCallFunction Log::__create_stream(Communication::LOG, [columns=<no value description>, ev=<uninitialized>])
0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=<no value description>, ev=Conn::log_conn])
@ -1263,7 +1269,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@ -1357,8 +1363,8 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])
0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1421870896.278622, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Notice::want_pp()
0.000000 | HookCallFunction PacketFilter::build()
0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@ -1391,8 +1397,8 @@
0.000000 | HookCallFunction reading_live_traffic()
0.000000 | HookCallFunction reading_traces()
0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
0.000000 | HookCallFunction split1(PacketFilter::LOG, <...>/)
0.000000 | HookCallFunction split_n(PacketFilter, <...>/, T, 4)
0.000000 | HookCallFunction split_string1(PacketFilter::LOG, <...>/)
0.000000 | HookCallFunction split_string_n(PacketFilter, <...>/, T, 4)
0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F)
0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, )
0.000000 | HookCallFunction sub_bytes(tFilter, 1, 1)
@ -1480,7 +1486,7 @@
1362692526.939527 MetaHookPost CallFunction(network_time, ()) -> <null>
1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <null>
1362692526.939527 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> <null>
1362692526.939527 MetaHookPost CallFunction(split1, (bro.org, <...>/)) -> <null>
1362692526.939527 MetaHookPost CallFunction(split_string1, (bro.org, <...>/)) -> <null>
1362692526.939527 MetaHookPost DrainEvents() -> <void>
1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
@ -1517,7 +1523,7 @@
1362692526.939527 MetaHookPre CallFunction(network_time, ())
1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
1362692526.939527 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80))
1362692526.939527 MetaHookPre CallFunction(split1, (bro.org, <...>/))
1362692526.939527 MetaHookPre CallFunction(split_string1, (bro.org, <...>/))
1362692526.939527 MetaHookPre DrainEvents()
1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
@ -1555,7 +1561,7 @@
1362692526.939527 | HookCallFunction network_time()
1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)
1362692526.939527 | HookCallFunction split1(bro.org, <...>/)
1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/)
1362692526.939527 | HookDrainEvents
1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
@ -1601,7 +1607,7 @@
1362692527.009512 MetaHookPost CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <null>
1362692527.009512 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <null>
1362692527.009512 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <null>
1362692527.009512 MetaHookPost CallFunction(split_all, (HTTP, <...>/)) -> <null>
1362692527.009512 MetaHookPost CallFunction(split_string_all, (HTTP, <...>/)) -> <null>
1362692527.009512 MetaHookPost DrainEvents() -> <void>
1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])) -> false
1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
@ -1647,7 +1653,7 @@
1362692527.009512 MetaHookPre CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
1362692527.009512 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
1362692527.009512 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
1362692527.009512 MetaHookPre CallFunction(split_all, (HTTP, <...>/))
1362692527.009512 MetaHookPre CallFunction(split_string_all, (HTTP, <...>/))
1362692527.009512 MetaHookPre DrainEvents()
1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>]))
1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
@ -1694,7 +1700,7 @@
1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
1362692527.009512 | HookCallFunction split_all(HTTP, <...>/)
1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/)
1362692527.009512 | HookDrainEvents
1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, u2_events=<uninitialized>])
1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
@ -1744,10 +1750,10 @@
1362692527.009775 MetaHookPost CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> <null>
1362692527.009775 MetaHookPost CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <null>
1362692527.009775 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <null>
1362692527.009775 MetaHookPost CallFunction(split1, (Files::LOG, <...>/)) -> <null>
1362692527.009775 MetaHookPost CallFunction(split1, (HTTP::LOG, <...>/)) -> <null>
1362692527.009775 MetaHookPost CallFunction(split_n, (Files, <...>/, T, 4)) -> <null>
1362692527.009775 MetaHookPost CallFunction(split_n, (HTTP, <...>/, T, 4)) -> <null>
1362692527.009775 MetaHookPost CallFunction(split_string1, (Files::LOG, <...>/)) -> <null>
1362692527.009775 MetaHookPost CallFunction(split_string1, (HTTP::LOG, <...>/)) -> <null>
1362692527.009775 MetaHookPost CallFunction(split_string_n, (Files, <...>/, T, 4)) -> <null>
1362692527.009775 MetaHookPost CallFunction(split_string_n, (HTTP, <...>/, T, 4)) -> <null>
1362692527.009775 MetaHookPost CallFunction(to_lower, (Files)) -> <null>
1362692527.009775 MetaHookPost CallFunction(to_lower, (HTTP)) -> <null>
1362692527.009775 MetaHookPost DrainEvents() -> <void>
@ -1779,10 +1785,10 @@
1362692527.009775 MetaHookPre CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
1362692527.009775 MetaHookPre CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
1362692527.009775 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
1362692527.009775 MetaHookPre CallFunction(split1, (Files::LOG, <...>/))
1362692527.009775 MetaHookPre CallFunction(split1, (HTTP::LOG, <...>/))
1362692527.009775 MetaHookPre CallFunction(split_n, (Files, <...>/, T, 4))
1362692527.009775 MetaHookPre CallFunction(split_n, (HTTP, <...>/, T, 4))
1362692527.009775 MetaHookPre CallFunction(split_string1, (Files::LOG, <...>/))
1362692527.009775 MetaHookPre CallFunction(split_string1, (HTTP::LOG, <...>/))
1362692527.009775 MetaHookPre CallFunction(split_string_n, (Files, <...>/, T, 4))
1362692527.009775 MetaHookPre CallFunction(split_string_n, (HTTP, <...>/, T, 4))
1362692527.009775 MetaHookPre CallFunction(to_lower, (Files))
1362692527.009775 MetaHookPre CallFunction(to_lower, (HTTP))
1362692527.009775 MetaHookPre DrainEvents()
@ -1815,10 +1821,10 @@
1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
1362692527.009775 | HookCallFunction split1(Files::LOG, <...>/)
1362692527.009775 | HookCallFunction split1(HTTP::LOG, <...>/)
1362692527.009775 | HookCallFunction split_n(Files, <...>/, T, 4)
1362692527.009775 | HookCallFunction split_n(HTTP, <...>/, T, 4)
1362692527.009775 | HookCallFunction split_string1(Files::LOG, <...>/)
1362692527.009775 | HookCallFunction split_string1(HTTP::LOG, <...>/)
1362692527.009775 | HookCallFunction split_string_n(Files, <...>/, T, 4)
1362692527.009775 | HookCallFunction split_string_n(HTTP, <...>/, T, 4)
1362692527.009775 | HookCallFunction to_lower(Files)
1362692527.009775 | HookCallFunction to_lower(HTTP)
1362692527.009775 | HookDrainEvents
@ -1873,8 +1879,8 @@
1362692527.080972 MetaHookPost CallFunction(net_stats, ()) -> <null>
1362692527.080972 MetaHookPost CallFunction(reading_traces, ()) -> <null>
1362692527.080972 MetaHookPost CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> <null>
1362692527.080972 MetaHookPost CallFunction(split1, (Conn::LOG, <...>/)) -> <null>
1362692527.080972 MetaHookPost CallFunction(split_n, (Conn, <...>/, T, 4)) -> <null>
1362692527.080972 MetaHookPost CallFunction(split_string1, (Conn::LOG, <...>/)) -> <null>
1362692527.080972 MetaHookPost CallFunction(split_string_n, (Conn, <...>/, T, 4)) -> <null>
1362692527.080972 MetaHookPost CallFunction(sub_bytes, (HTTP, 0, 1)) -> <null>
1362692527.080972 MetaHookPost CallFunction(to_lower, (Conn)) -> <null>
1362692527.080972 MetaHookPost CallFunction(to_lower, (HTTP)) -> <null>
@ -1907,8 +1913,8 @@
1362692527.080972 MetaHookPre CallFunction(net_stats, ())
1362692527.080972 MetaHookPre CallFunction(reading_traces, ())
1362692527.080972 MetaHookPre CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80))
1362692527.080972 MetaHookPre CallFunction(split1, (Conn::LOG, <...>/))
1362692527.080972 MetaHookPre CallFunction(split_n, (Conn, <...>/, T, 4))
1362692527.080972 MetaHookPre CallFunction(split_string1, (Conn::LOG, <...>/))
1362692527.080972 MetaHookPre CallFunction(split_string_n, (Conn, <...>/, T, 4))
1362692527.080972 MetaHookPre CallFunction(sub_bytes, (HTTP, 0, 1))
1362692527.080972 MetaHookPre CallFunction(to_lower, (Conn))
1362692527.080972 MetaHookPre CallFunction(to_lower, (HTTP))
@ -1942,8 +1948,8 @@
1362692527.080972 | HookCallFunction net_stats()
1362692527.080972 | HookCallFunction reading_traces()
1362692527.080972 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)
1362692527.080972 | HookCallFunction split1(Conn::LOG, <...>/)
1362692527.080972 | HookCallFunction split_n(Conn, <...>/, T, 4)
1362692527.080972 | HookCallFunction split_string1(Conn::LOG, <...>/)
1362692527.080972 | HookCallFunction split_string_n(Conn, <...>/, T, 4)
1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1)
1362692527.080972 | HookCallFunction to_lower(Conn)
1362692527.080972 | HookCallFunction to_lower(HTTP)

10
testing/btest/Baseline/scripts.base.frameworks.file-analysis.big-bof-buffer/files.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path files
#open 2015-02-05-13-55-41
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 MD5,SHA1 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 - -
#close 2015-02-05-13-55-41

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/dnp3.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-04-04
#open 2014-08-16-15-58-44
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1324503054.884183 CXWv6p3arKYeMETxOg 130.126.142.250 49413 130.126.140.229 20000 DELAY_MEASURE RESPONSE 0
#close 2013-08-26-19-04-04
#close 2014-08-16-15-58-44

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output
View file

@ -1,7 +1,7 @@
dnp3_header_block, T, 25605, 8, 196, 2, 3
dnp3_application_request_header, T, 23
dnp3_application_request_header, T, 196, 23
dnp3_header_block, F, 25605, 16, 68, 3, 2
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 196, 129, 0
dnp3_object_header, F, 13314, 7, 1, 1, 0
dnp3_object_prefix, F, 0
dnp3_response_data_object, F, 255

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/dnp3.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-04-04
#open 2014-08-16-15-58-46
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1324916729.150101 CXWv6p3arKYeMETxOg 130.126.142.250 50059 130.126.140.229 20000 ENABLE_UNSOLICITED RESPONSE 0
#close 2013-08-26-19-04-04
#close 2014-08-16-15-58-46

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output
View file

@ -1,7 +1,7 @@
dnp3_header_block, T, 25605, 17, 196, 2, 3
dnp3_application_request_header, T, 20
dnp3_application_request_header, T, 203, 20
dnp3_object_header, T, 15362, 6, 0, 65535, 65535
dnp3_object_header, T, 15363, 6, 0, 65535, 65535
dnp3_object_header, T, 15364, 6, 0, 65535, 65535
dnp3_header_block, F, 25605, 10, 68, 3, 2
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 203, 129, 0

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/dnp3.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-04-05
#open 2014-08-16-15-58-47
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1325044377.992570 CXWv6p3arKYeMETxOg 130.126.142.250 50301 130.126.140.229 20000 DELETE_FILE RESPONSE 0
#close 2013-08-26-19-04-05
#close 2014-08-16-15-58-47

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output
View file

@ -1,9 +1,9 @@
dnp3_header_block, T, 25605, 99, 196, 4, 3
dnp3_application_request_header, T, 27
dnp3_application_request_header, T, 201, 27
dnp3_object_header, T, 17923, 91, 1, 1, 0
dnp3_object_prefix, T, 85
dnp3_header_block, F, 25605, 29, 68, 3, 4
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 201, 129, 0
dnp3_object_header, F, 17924, 91, 1, 1, 0
dnp3_object_prefix, F, 13
dnp3_response_data_object, F, 255

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/dnp3.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-04-05
#open 2014-08-16-15-58-48
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1325036012.621691 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 OPEN_FILE RESPONSE 4096
@ -11,4 +11,4 @@
1325036019.765502 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 WRITE RESPONSE 0
1325036022.292689 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 WRITE RESPONSE 0
1325036024.820857 CXWv6p3arKYeMETxOg 130.126.142.250 50276 130.126.140.229 20000 CLOSE_FILE RESPONSE 0
#close 2013-08-26-19-04-05
#close 2014-08-16-15-58-48

22
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output
View file

@ -1,45 +1,45 @@
dnp3_header_block, T, 25605, 50, 196, 4, 3
dnp3_application_request_header, T, 25
dnp3_application_request_header, T, 206, 25
dnp3_object_header, T, 17923, 91, 1, 1, 0
dnp3_object_prefix, T, 36
dnp3_header_block, F, 25605, 29, 68, 3, 4
dnp3_application_response_header, F, 129, 4096
dnp3_application_response_header, F, 206, 129, 4096
dnp3_object_header, F, 17924, 91, 1, 1, 0
dnp3_object_prefix, F, 13
dnp3_response_data_object, F, 255
dnp3_header_block, T, 25605, 22, 196, 4, 3
dnp3_application_request_header, T, 1
dnp3_application_request_header, T, 207, 1
dnp3_object_header, T, 17925, 91, 1, 1, 0
dnp3_object_prefix, T, 8
dnp3_file_transport, T, 305419896, 0
^J
dnp3_header_block, F, 25605, 255, 68, 3, 4
dnp3_application_response_header, F, 129, 4096
dnp3_application_response_header, F, 239, 129, 4096
dnp3_object_header, F, 17925, 91, 1, 1, 0
dnp3_object_prefix, F, 838
dnp3_file_transport, F, 305419896, 2147483648
0000 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e ...<?xml version^J0010 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d ="1.0" e ncoding=^J0020 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 3f 78 6d 6c "utf-8"? >..<?xml^J0030 2d 73 74 79 6c 65 73 68 65 65 74 20 74 79 70 65 -stylesh eet type^J0040 3d 27 74 65 78 74 2f 78 73 6c 27 20 68 72 65 66 ='text/x sl' href^J0050 3d 27 44 4e 50 33 44 65 76 69 63 65 50 72 6f 66 ='DNP3De viceProf^J0060 69 6c 65 4a 61 6e 32 30 31 30 2e 78 73 6c 74 27 ileJan20 10.xslt'^J0070 20 6d 65 64 69 61 3d 27 73 63 72 65 65 6e 27 3f media=' screen'?^J0080 3e 0d 0a 3c 44 4e 50 33 44 65 76 69 63 65 50 72 >..<DNP3 DevicePr^J0090 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 20 78 6d ofileDoc ument xm^J00a0 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f lns:xsi= "http://^J00b0 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f www.w3.o rg/2001/^J00c0 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e XMLSchem a-instan^J00d0 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 ce" xmln s:xsd="h^J00e0 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 ttp://ww w.w3.org^J00f0 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 /2001/XM LSchema"^J0100 20 73 63 68 65 6d 61 56 65 72 73 69 6f 6e 3d 22 schemaV ersion="^J0110 32 2e 30 37 2e 30 30 22 20 78 6d 6c 6e 73 3d 22 2.07.00" xmlns="^J0120 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6e 70 33 2e http://w ww.dnp3.^J0130 6f 72 67 2f 44 4e 50 33 2f 44 65 76 69 63 65 50 org/DNP3 /DeviceP^J0140 72 6f 66 69 6c 65 2f 4a 61 6e 32 30 31 30 22 3e rofile/J an2010">^J0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. <!-- Document^J0160 20 48 65 61 64 65 72 2d 2d 3e 0d 0a 20 20 3c 64 Header- ->.. <d^J0170 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e 0d 0a ocumentH eader>..^J0180 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 4e 61 6d <doc umentNam^J0190 65 3e 41 20 44 4e 50 33 20 58 4d 4c 20 46 69 6c e>A DNP3 XML Fil^J01a0 65 3c 2f 64 6f 63 75 6d 65 6e 74 4e 61 6d 65 3e e</docum entName>^J01b0 0d 0a 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 44 .. <d ocumentD^J01c0 65 73 63 72 69 70 74 69 6f 6e 3e 54 68 69 73 20 escripti on>This ^J01d0 69 73 20 61 20 44 4e 50 33 20 43 6f 6d 70 6c 65 is a DNP 3 Comple^J01e0 74 65 20 44 65 76 69 63 65 20 50 72 6f 66 69 6c te Devic e Profil^J01f0 65 20 66 6f 72 20 44 4e 50 20 4f 75 74 73 74 61 e for DN P Outsta^J0200 74 69 6f 6e 20 69 6e 20 74 68 65 20 54 4d 57 20 tion in the TMW ^J0210 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 50 72 Communic ation Pr^J0220 6f 74 6f 63 6f 6c 20 54 65 73 74 20 48 61 72 6e otocol T est Harn^J0230 65 73 73 3c 2f 64 6f 63 75 6d 65 6e 74 44 65 73 ess</doc umentDes^J0240 63 72 69 70 74 69 6f 6e 3e 0d 0a 20 20 20 20 3c cription >.. <^J0250 72 65 76 69 73 69 6f 6e 48 69 73 74 6f 72 79 20 revision History ^J0260 76 65 72 73 69 6f 6e 3d 22 32 22 3e 0d 0a 20 20 version= "2">.. ^J0270 20 20 20 20 3c 64 61 74 65 3e 32 30 31 30 2d 31 <dat e>2010-1^J0280 32 2d 30 31 3c 2f 64 61 74 65 3e 0d 0a 20 20 20 2-01</da te>.. ^J0290 20 20 20 3c 61 75 74 68 6f 72 3e 53 74 65 76 65 <auth or>Steve^J02a0 20 4d 63 43 6f 79 3c 2f 61 75 74 68 6f 72 3e 0d McCoy</ author>.^J02b0 0a 20 20 20 20 20 20 3c 72 65 61 73 6f 6e 3e 44 . < reason>D^J02c0 6f 63 75 6d 65 6e 74 65 64 20 54 65 73 74 20 48 ocumente d Test H^J02d0 61 72 6e 65 73 73 20 53 44 4e 50 20 44 65 76 69 arness S DNP Devi^J02e0 63 65 20 50 72 6f 66 69 6c 65 3c 2f 72 65 61 73 ce Profi le</reas^J02f0 6f 6e 3e 0d 0a 20 20 20 20 3c 2f 72 65 76 69 73 on>.. </revis^J0300 69 6f 6e 48 69 73 74 6f 72 79 3e 0d 0a 20 20 3c ionHisto ry>.. <^J0310 2f 64 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e /documen tHeader>^J0320 0d 0a 3c 2f 44 4e 50 33 44 65 76 69 63 65 50 72 ..</DNP3 DevicePr^J0330 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 3e ofileDoc ument>^J
dnp3_response_data_object, F, 255
dnp3_header_block, T, 25605, 8, 196, 4, 3
dnp3_application_request_header, T, 0
dnp3_application_request_header, T, 207, 0
dnp3_header_block, T, 25605, 18, 196, 4, 3
dnp3_application_request_header, T, 2
dnp3_application_request_header, T, 192, 2
dnp3_object_header, T, 12801, 7, 1, 1, 0
dnp3_object_prefix, T, 0
dnp3_header_block, F, 25605, 10, 68, 3, 4
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 192, 129, 0
dnp3_header_block, T, 25605, 18, 196, 4, 3
dnp3_application_request_header, T, 2
dnp3_application_request_header, T, 193, 2
dnp3_object_header, T, 12801, 7, 1, 1, 0
dnp3_object_prefix, T, 0
dnp3_header_block, F, 25605, 10, 68, 3, 4
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 193, 129, 0
dnp3_header_block, T, 25605, 27, 196, 4, 3
dnp3_application_request_header, T, 26
dnp3_application_request_header, T, 194, 26
dnp3_object_header, T, 17924, 91, 1, 1, 0
dnp3_object_prefix, T, 13
dnp3_header_block, F, 25605, 29, 68, 3, 4
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 194, 129, 0
dnp3_object_header, F, 17924, 91, 1, 1, 0
dnp3_object_prefix, F, 13
dnp3_response_data_object, F, 255

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_write/dnp3.log
View file

@ -3,10 +3,10 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-04-06
#open 2014-08-16-15-58-49
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1325043635.216629 CXWv6p3arKYeMETxOg 130.126.142.250 50300 130.126.140.229 20000 OPEN_FILE RESPONSE 0
1325043637.790287 CXWv6p3arKYeMETxOg 130.126.142.250 50300 130.126.140.229 20000 WRITE RESPONSE 0
1325043638.820071 CXWv6p3arKYeMETxOg 130.126.142.250 50300 130.126.140.229 20000 CLOSE_FILE RESPONSE 0
#close 2013-08-26-19-04-06
#close 2014-08-16-15-58-49

12
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_write/output
View file

@ -1,29 +1,29 @@
dnp3_header_block, T, 25605, 99, 196, 4, 3
dnp3_application_request_header, T, 25
dnp3_application_request_header, T, 198, 25
dnp3_object_header, T, 17923, 91, 1, 1, 0
dnp3_object_prefix, T, 85
dnp3_header_block, F, 25605, 29, 68, 3, 4
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 198, 129, 0
dnp3_object_header, F, 17924, 91, 1, 1, 0
dnp3_object_prefix, F, 13
dnp3_response_data_object, F, 255
dnp3_header_block, T, 25605, 255, 196, 4, 3
dnp3_application_request_header, T, 2
dnp3_application_request_header, T, 199, 2
dnp3_object_header, T, 17925, 91, 1, 1, 0
dnp3_object_prefix, T, 838
dnp3_file_transport, T, 305419896, 2147483648
0000 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e ...<?xml version^J0010 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d ="1.0" e ncoding=^J0020 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 3f 78 6d 6c "utf-8"? >..<?xml^J0030 2d 73 74 79 6c 65 73 68 65 65 74 20 74 79 70 65 -stylesh eet type^J0040 3d 27 74 65 78 74 2f 78 73 6c 27 20 68 72 65 66 ='text/x sl' href^J0050 3d 27 44 4e 50 33 44 65 76 69 63 65 50 72 6f 66 ='DNP3De viceProf^J0060 69 6c 65 4a 61 6e 32 30 31 30 2e 78 73 6c 74 27 ileJan20 10.xslt'^J0070 20 6d 65 64 69 61 3d 27 73 63 72 65 65 6e 27 3f media=' screen'?^J0080 3e 0d 0a 3c 44 4e 50 33 44 65 76 69 63 65 50 72 >..<DNP3 DevicePr^J0090 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 20 78 6d ofileDoc ument xm^J00a0 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f lns:xsi= "http://^J00b0 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f www.w3.o rg/2001/^J00c0 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e XMLSchem a-instan^J00d0 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 ce" xmln s:xsd="h^J00e0 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 ttp://ww w.w3.org^J00f0 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 /2001/XM LSchema"^J0100 20 73 63 68 65 6d 61 56 65 72 73 69 6f 6e 3d 22 schemaV ersion="^J0110 32 2e 30 37 2e 30 30 22 20 78 6d 6c 6e 73 3d 22 2.07.00" xmlns="^J0120 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6e 70 33 2e http://w ww.dnp3.^J0130 6f 72 67 2f 44 4e 50 33 2f 44 65 76 69 63 65 50 org/DNP3 /DeviceP^J0140 72 6f 66 69 6c 65 2f 4a 61 6e 32 30 31 30 22 3e rofile/J an2010">^J0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. <!-- Document^J0160 20 48 65 61 64 65 72 2d 2d 3e 0d 0a 20 20 3c 64 Header- ->.. <d^J0170 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e 0d 0a ocumentH eader>..^J0180 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 4e 61 6d <doc umentNam^J0190 65 3e 41 20 44 4e 50 33 20 58 4d 4c 20 46 69 6c e>A DNP3 XML Fil^J01a0 65 3c 2f 64 6f 63 75 6d 65 6e 74 4e 61 6d 65 3e e</docum entName>^J01b0 0d 0a 20 20 20 20 3c 64 6f 63 75 6d 65 6e 74 44 .. <d ocumentD^J01c0 65 73 63 72 69 70 74 69 6f 6e 3e 54 68 69 73 20 escripti on>This ^J01d0 69 73 20 61 20 44 4e 50 33 20 43 6f 6d 70 6c 65 is a DNP 3 Comple^J01e0 74 65 20 44 65 76 69 63 65 20 50 72 6f 66 69 6c te Devic e Profil^J01f0 65 20 66 6f 72 20 44 4e 50 20 4f 75 74 73 74 61 e for DN P Outsta^J0200 74 69 6f 6e 20 69 6e 20 74 68 65 20 54 4d 57 20 tion in the TMW ^J0210 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 20 50 72 Communic ation Pr^J0220 6f 74 6f 63 6f 6c 20 54 65 73 74 20 48 61 72 6e otocol T est Harn^J0230 65 73 73 3c 2f 64 6f 63 75 6d 65 6e 74 44 65 73 ess</doc umentDes^J0240 63 72 69 70 74 69 6f 6e 3e 0d 0a 20 20 20 20 3c cription >.. <^J0250 72 65 76 69 73 69 6f 6e 48 69 73 74 6f 72 79 20 revision History ^J0260 76 65 72 73 69 6f 6e 3d 22 32 22 3e 0d 0a 20 20 version= "2">.. ^J0270 20 20 20 20 3c 64 61 74 65 3e 32 30 31 30 2d 31 <dat e>2010-1^J0280 32 2d 30 31 3c 2f 64 61 74 65 3e 0d 0a 20 20 20 2-01</da te>.. ^J0290 20 20 20 3c 61 75 74 68 6f 72 3e 53 74 65 76 65 <auth or>Steve^J02a0 20 4d 63 43 6f 79 3c 2f 61 75 74 68 6f 72 3e 0d McCoy</ author>.^J02b0 0a 20 20 20 20 20 20 3c 72 65 61 73 6f 6e 3e 44 . < reason>D^J02c0 6f 63 75 6d 65 6e 74 65 64 20 54 65 73 74 20 48 ocumente d Test H^J02d0 61 72 6e 65 73 73 20 53 44 4e 50 20 44 65 76 69 arness S DNP Devi^J02e0 63 65 20 50 72 6f 66 69 6c 65 3c 2f 72 65 61 73 ce Profi le</reas^J02f0 6f 6e 3e 0d 0a 20 20 20 20 3c 2f 72 65 76 69 73 on>.. </revis^J0300 69 6f 6e 48 69 73 74 6f 72 79 3e 0d 0a 20 20 3c ionHisto ry>.. <^J0310 2f 64 6f 63 75 6d 65 6e 74 48 65 61 64 65 72 3e /documen tHeader>^J0320 0d 0a 3c 2f 44 4e 50 33 44 65 76 69 63 65 50 72 ..</DNP3 DevicePr^J0330 6f 66 69 6c 65 44 6f 63 75 6d 65 6e 74 3e ofileDoc ument>^J
dnp3_header_block, F, 25605, 25, 68, 3, 4
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 199, 129, 0
dnp3_object_header, F, 17926, 91, 1, 1, 0
dnp3_object_prefix, F, 9
dnp3_response_data_object, F, 255
dnp3_header_block, T, 25605, 27, 196, 4, 3
dnp3_application_request_header, T, 26
dnp3_application_request_header, T, 200, 26
dnp3_object_header, T, 17924, 91, 1, 1, 0
dnp3_object_prefix, T, 13
dnp3_header_block, F, 25605, 29, 68, 3, 4
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 200, 129, 0
dnp3_object_header, F, 17924, 91, 1, 1, 0
dnp3_object_prefix, F, 13
dnp3_response_data_object, F, 255

2348
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_link_only/output
View file

File diff suppressed because it is too large Load diff

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_read/dnp3.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-04-06
#open 2014-08-16-15-58-51
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1324327256.650425 CXWv6p3arKYeMETxOg 130.126.142.250 51006 130.126.140.229 20000 READ RESPONSE 0
#close 2013-08-26-19-04-06
#close 2014-08-16-15-58-51

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_read/output
View file

@ -1,11 +1,11 @@
dnp3_header_block, T, 25605, 20, 196, 2, 3
dnp3_application_request_header, T, 1
dnp3_application_request_header, T, 200, 1
dnp3_object_header, T, 15362, 6, 0, 65535, 65535
dnp3_object_header, T, 15363, 6, 0, 65535, 65535
dnp3_object_header, T, 15364, 6, 0, 65535, 65535
dnp3_object_header, T, 15361, 6, 0, 65535, 65535
dnp3_header_block, F, 25605, 116, 68, 3, 2
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 200, 129, 0
dnp3_object_header, F, 258, 0, 9, 0, 8
dnp3_object_prefix, F, 0
dnp3_response_data_object, F, 129

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_rec_time/dnp3.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-04-06
#open 2014-08-16-15-58-53
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1324502980.465157 CXWv6p3arKYeMETxOg 130.126.142.250 49412 130.126.140.229 20000 RECORD_CURRENT_TIME RESPONSE 0
#close 2013-08-26-19-04-06
#close 2014-08-16-15-58-53

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_rec_time/output
View file

@ -1,4 +1,4 @@
dnp3_header_block, T, 25605, 8, 196, 2, 3
dnp3_application_request_header, T, 24
dnp3_application_request_header, T, 193, 24
dnp3_header_block, F, 25605, 10, 68, 3, 2
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 193, 129, 0

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_select_operate/dnp3.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-04-07
#open 2014-08-16-15-58-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1324501739.752598 CXWv6p3arKYeMETxOg 130.126.142.250 49404 130.126.140.229 20000 SELECT RESPONSE 0
1324501743.758738 CXWv6p3arKYeMETxOg 130.126.142.250 49404 130.126.140.229 20000 OPERATE RESPONSE 0
#close 2013-08-26-19-04-07
#close 2014-08-16-15-58-54

8
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_select_operate/output
View file

@ -1,21 +1,21 @@
dnp3_header_block, T, 25605, 26, 196, 2, 3
dnp3_application_request_header, T, 3
dnp3_application_request_header, T, 199, 3
dnp3_object_header, T, 3073, 40, 1, 256, 0
dnp3_object_prefix, T, 1
dnp3_crob, T, 3, 1, 100, 100, 0
dnp3_header_block, F, 25605, 28, 68, 3, 2
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 199, 129, 0
dnp3_object_header, F, 3073, 40, 1, 256, 0
dnp3_object_prefix, F, 1
dnp3_crob, F, 3, 1, 100, 100, 0
dnp3_response_data_object, F, 255
dnp3_header_block, T, 25605, 26, 196, 2, 3
dnp3_application_request_header, T, 4
dnp3_application_request_header, T, 200, 4
dnp3_object_header, T, 3073, 40, 1, 256, 0
dnp3_object_prefix, T, 1
dnp3_crob, T, 3, 1, 100, 100, 0
dnp3_header_block, F, 25605, 28, 68, 3, 2
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 200, 129, 0
dnp3_object_header, F, 3073, 40, 1, 256, 0
dnp3_object_prefix, F, 1
dnp3_crob, F, 3, 1, 100, 100, 0

1
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/coverage Normal file
View file

@ -0,0 +1 @@
4 of 51 events triggered by trace

10
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/dnp3.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dnp3
#open 2015-01-07-21-02-21
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1420058797.673799 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 ENABLE_UNSOLICITED RESPONSE 1
#close 2015-01-07-21-02-21

7
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_en_spon/output Normal file
View file

@ -0,0 +1,7 @@
dnp3_header_block, T, 25605, 17, 196, 1, 100
dnp3_application_request_header, T, 207, 20
dnp3_object_header, T, 15362, 6, 0, 65535, 65535
dnp3_object_header, T, 15363, 6, 0, 65535, 65535
dnp3_object_header, T, 15364, 6, 0, 65535, 65535
dnp3_header_block, F, 25605, 10, 68, 100, 1
dnp3_application_response_header, F, 207, 129, 1

1
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/coverage Normal file
View file

@ -0,0 +1 @@
7 of 51 events triggered by trace

11
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/dnp3.log Normal file
View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dnp3
#open 2015-01-07-21-02-12
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1420058427.969342 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 READ RESPONSE 36864
1420058427.972303 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 - RESPONSE 36864
#close 2015-01-07-21-02-12

2995
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_read/output Normal file
View file

File diff suppressed because it is too large Load diff

1
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/coverage Normal file
View file

@ -0,0 +1 @@
7 of 51 events triggered by trace

12
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/dnp3.log Normal file
View file

@ -0,0 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dnp3
#open 2015-01-07-21-02-26
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1420058517.353161 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 SELECT RESPONSE 36864
1420058517.467502 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 OPERATE RESPONSE 36864
1420058517.574061 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 READ RESPONSE 36864
#close 2015-01-07-21-02-26

1055
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_select_operate/output Normal file
View file

File diff suppressed because it is too large Load diff

1
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/coverage Normal file
View file

@ -0,0 +1 @@
5 of 51 events triggered by trace

10
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/dnp3.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dnp3
#open 2015-01-07-21-02-34
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1420058753.490949 CXWv6p3arKYeMETxOg 192.168.80.160 1128 192.168.80.12 20000 WRITE RESPONSE 0
#close 2015-01-07-21-02-34

6
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_udp_write/output Normal file
View file

@ -0,0 +1,6 @@
dnp3_header_block, T, 25605, 14, 196, 1, 100
dnp3_application_request_header, T, 206, 2
dnp3_object_header, T, 20481, 0, 1, 7, 7
dnp3_object_prefix, T, 0
dnp3_header_block, F, 25605, 10, 68, 100, 1
dnp3_application_response_header, F, 206, 129, 0

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_write/dnp3.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-04-07
#open 2014-08-16-15-58-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1324502912.898449 CXWv6p3arKYeMETxOg 130.126.142.250 49411 130.126.140.229 20000 WRITE RESPONSE 0
#close 2013-08-26-19-04-07
#close 2014-08-16-15-58-55

4
testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_write/output
View file

@ -1,6 +1,6 @@
dnp3_header_block, T, 25605, 18, 196, 2, 3
dnp3_application_request_header, T, 2
dnp3_application_request_header, T, 192, 2
dnp3_object_header, T, 12801, 7, 1, 1, 0
dnp3_object_prefix, T, 0
dnp3_header_block, F, 25605, 10, 68, 3, 2
dnp3_application_response_header, F, 129, 0
dnp3_application_response_header, F, 192, 129, 0

4
testing/btest/Baseline/scripts.base.protocols.dnp3.events/dnp3.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path dnp3
#open 2013-08-26-19-47-53
#open 2014-08-16-15-58-56
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fc_request fc_reply iin
#types time string addr port addr port string string count
1097501938.504844 CXWv6p3arKYeMETxOg 10.0.0.8 2789 10.0.0.3 20000 - UNSOLICITED_RESPONSE 4096
@ -72,4 +72,4 @@
1178206045.032815 C7XEbhP654jzLoe3a 192.168.66.33 1167 192.168.66.34 20000 READ RESPONSE 6
1178206045.557097 C7XEbhP654jzLoe3a 192.168.66.33 1167 192.168.66.34 20000 READ RESPONSE 6
1178206046.086403 C7XEbhP654jzLoe3a 192.168.66.33 1167 192.168.66.34 20000 READ RESPONSE 6
#close 2013-08-26-19-47-53
#close 2014-08-16-15-58-56

Some files were not shown because too many files have changed in this diff Show more