Merge remote-tracking branch 'origin/master' into topic/matthias/opaque

Matthias Vallentin 2012-12-11 16:32:01 -08:00
commit 816965f3c7
268 changed files with 2216 additions and 463 deletions

CHANGES

@ -1,4 +1,134 @@
2.1-218 | 2012-12-10 14:45:04 -0800
* Add GPRS Tunnelling Protocol (GTPv1) decapsulation. This currently
supports automatic decapsulation of GTP-U packets on UDP port 2152.
The GTPv1 headers for such tunnels can be inspected by handling
the "gtpv1_g_pdu_packet" event, which has a parameter of type
"gtpv1_hdr". Addresses #690. (Jon Siwek; derived from patch by
Carsten Langer)
* Change BinPAC exceptions in AYIYA/GTP analyzers to do
"protocol_violation". (Jon Siwek)
2.1-212 | 2012-12-07 19:42:03 -0800
* Changing the HTTP parser to accept request methods in alignment
with the RFC. (Robin Sommer)
2.1-209 | 2012-12-05 16:44:04 -0800
* Adapting the HTTP request line parsing to only accept methods
consisting of letters [A-Za-z]. (Robin Sommer)
2.1-207 | 2012-12-05 15:47:32 -0800
* Reporting warnings if kill/waitpid fail in communication system.
(Bill Parker)
* Replace() bzero with memset(). (Bill Parker)
* Merge remote-tracking branch 'vlad/topic/vladg/http-verbs'
* vlad/topic/vladg/http-verbs:
A test for HTTP methods, including some horribly illegal requests.
Remove hardcoded HTTP verbs from the analyzer (#741)
I added a "bad_HTTP_request" weird for HTTP request lines that don't
have more than a single word.
Closes #741. (Robin Sommer)
* A test for HTTP methods, including some horribly illegal requests. (Vlad Grigorescu)
* Remove hardcoded HTTP verbs from the analyzer (#741) (Vlad Grigorescu)
2.1-203 | 2012-12-05 14:36:56 -0800
* Fix segfault: Synchronization of state between connecting peers
now skips over identifiers that aren't initialized with a value
yet. Addresses #66. (Jon Siwek)
* Fix segfault: Delete correct entry in error case in input
framework. (Bernhard Amann)
* Bad record constructor initializers now give an error. Addresses
#34. (Jon Siwek)
* Invalid vector indices now generate error message. Addresses #24.
(Jon Siwek)
* Bump CPack RPM package requirement to Python >= 2.6.0. (Jon Siwek)
* Interpreter exceptions occurring in "when" blocks are now handled.
Addresses #779 (Jon Siwek)
2.1-195 | 2012-12-03 14:50:33 -0800
* Catching out-of-memory in patricia tree code. (Bill Parker)
2.1-194 | 2012-12-03 14:36:26 -0800
* Renaming ASCII writer filter option 'only_single_header_row' to
'tsv'. Also clarifying usage. Closes #912. (Robin Sommer)
2.1-193 | 2012-12-03 14:11:14 -0800
* Fix a set of bugs with table/set attributes. (Jon Siwek)
- Identifiers that are initialized with set()/table() constructor
expressions now inherit attributes from the expression. Before,
statements like
const i: set[string] = set() &redef;
associated the attribute with the set() constructor, but not the
"i" identifier, preventing redefinition. Addresses #866.
- Allow &default attribute to apply to tables initialized as empty
(via either "{ }" or "table()") or if the expression supplied to it
can evaluate to a type that's promotable to the same yield type as
the table.
2.1-191 | 2012-12-03 14:08:56 -0800
* Add test of record() constructor to table initializer unit test.
(Jon Siwek)
* Fix table(), set(), vector() constructors in table initializer
lists. Also adds type checking of yield values to table()
constructor and fixes the type checking of yield values in
vector() constructor. Addresses #5. (Jon Siwek)
2.1-188 | 2012-12-03 14:04:29 -0800
* Hook functions now callable with "hook" expression (i.e., hook is
no longer a statement). The return value of the call is an
implicit boolean value of T if all hook handlers ran, or F if one
hook handler exited as a result of a break statement and
potentially prevented other handlers from running.
Scripts don't need to declare hooks with an explicit return type of bool
(internally, that's assumed), and any values given to (optional) return
statements in handler definitions are just ignored.
Addresses #918. (Jon Siwek)
* Clarification in hook documentation. (Jon Siwek)
2.1-184 | 2012-12-03 13:59:50 -0800
* Slightly fix up file name extraction from Content-Disposition
headers. (Seth Hall)
* Adding -b flag to bro in unit tests so they run faster.
* Fixed a DNS attribute issue. Reported by Matt Thompson. (Seth
Hall)
* Adding NEWS placeholder for hooks and CSV mode. (Robin Sommer)
2.1-178 | 2012-11-23 19:35:32 -0800 2.1-178 | 2012-11-23 19:35:32 -0800
* The ASCII writer now supports a new filter config option * The ASCII writer now supports a new filter config option
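Review bot: the 2.1-207 entry "Replace() bzero with memset()." has a stray pair of parentheses after "Replace", and the 2.1-203 entry "Addresses #779 (Jon Siwek)" is missing its period; both are worth fixing before the changelog ships with the release.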


@ -195,7 +195,7 @@ CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI)
if (INSTALL_BROCTL) if (INSTALL_BROCTL)
# CPack RPM Generator may not automatically detect this # CPack RPM Generator may not automatically detect this
set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.4.0") set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0")
endif () endif ()
# If this CMake project is a sub-project of another, we will not # If this CMake project is a sub-project of another, we will not

2
NEWS

@ -13,6 +13,8 @@ Bro 2.2
New Functionality New Functionality
~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~
- GPRS Tunnelling Protocol (GTPv1) decapsulation.
- GridFTP support. TODO: Extend. - GridFTP support. TODO: Extend.
- ssl.log now also records the subject client and issuer certificates. - ssl.log now also records the subject client and issuer certificates.
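Review bot: the new "GPRS Tunnelling Protocol (GTPv1) decapsulation" bullet carries less detail than the matching CHANGES entry, and NEWS is what operators read at upgrade time; name the port the analyzer is enabled on (2152/udp), the `gtpv1_g_pdu_packet` event, the `gtpv1_hdr` record and the `Tunnel::enable_gtpv1` toggle here so the feature is discoverable without reading CHANGES.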


@ -1 +1 @@
2.1-179 2.1-218

@ -1 +1 @@
Subproject commit a8846fc5b004ffe4e3d00e826d0077ba19518192 Subproject commit 06682dbb15d26d2688bdc9ad76efec17d38dc80f

@ -1 +1 @@
Subproject commit 834131cd0ec0f63cce9de818726fe6167dedbf34 Subproject commit 91e3b8ad445cb4d8919b4ee1cc6f0753c3fa0a55


@ -505,15 +505,14 @@ The Bro scripting language supports the following built-in types.
A hook is another flavor of function that shares characteristics of A hook is another flavor of function that shares characteristics of
both a :bro:type:`function` and a :bro:type:`event`. They are like both a :bro:type:`function` and a :bro:type:`event`. They are like
events in that many handler bodies can be defined for the same hook events in that many handler bodies can be defined for the same hook
identifier, they have no return vale, and the order of execution identifier and the order of execution can be enforced with
can be enforced with :bro:attr:`&priority`. They are more like :bro:attr:`&priority`. They are more like functions in the way they
functions in the way they are invoked/called, because, unlike are invoked/called, because, unlike events, their execution is
events, their execution is immediate and they do not get scheduled immediate and they do not get scheduled through an event queue.
through an event queue. Also, a unique feature of a hook is that Also, a unique feature of a hook is that a given hook handler body
a given hook handler body can short-circuit the execution of can short-circuit the execution of remaining hook handlers simply by
remaining hook handlers simply by exiting from the body as a result exiting from the body as a result of a ``break`` statement (as
of a ``break`` statement (as opposed to a ``return`` or just opposed to a ``return`` or just reaching the end of the body).
reaching the end of the body).
A hook type is declared like:: A hook type is declared like::
@ -549,18 +548,26 @@ The Bro scripting language supports the following built-in types.
print "not going to happen", s; print "not going to happen", s;
} }
Note that, although the first (forward) declaration of ``myhook`` as Note that the first (forward) declaration of ``myhook`` as a hook
a hook type isn't strictly required, when it is provided, the type isn't strictly required. Argument types must match for all
argument types must match. hook handlers and any forward declaration of a given hook.
To invoke immediate execution of all hook handler bodies, a ``hook`` To invoke immediate execution of all hook handler bodies, they
statement must be used: are called similarly to a function, except preceded by the ``hook``
keyword:
.. code:: bro .. code:: bro
hook myhook("hi"); hook myhook("hi");
And the output would like like:: or
.. code:: bro
if ( hook myhook("hi") )
print "all handlers ran";
And the output would look like::
priority 10 myhook handler, hi priority 10 myhook handler, hi
break out of myhook handling, bye break out of myhook handling, bye
@ -568,6 +575,12 @@ The Bro scripting language supports the following built-in types.
Note how the modification to arguments can be seen by remaining Note how the modification to arguments can be seen by remaining
hook handlers. hook handlers.
The return value of a hook call is an implicit :bro:type:`bool`
value with ``T`` meaning that all handlers for the hook were
executed and ``F`` meaning that only some of the handlers may have
executed due to one handler body exiting as a result of a ``break``
statement.
Attributes Attributes
---------- ----------


@ -2,11 +2,14 @@
##! to tweak the output format of ASCII logs. ##! to tweak the output format of ASCII logs.
##! ##!
##! The ASCII writer supports currently one writer-specific filter option via ##! The ASCII writer supports currently one writer-specific filter option via
##! ``config``: setting ``only_single_header_row`` to ``T`` turns the output into ##! ``config``: setting ``tsv`` to the string ``T`` turns the output into into
##! into CSV mode where only a single header row with the column names is printed ##! "tab-separated-value" mode where only a single header row with the column names
##! out as meta information. Example filter using this:: ##! is printed out as meta information, with no "# fields" prepended; no other meta
##! data gets included in that mode.
##! ##!
##! local my_filter: Log::Filter = [$name = "my-filter", $writer = Log::WRITER_ASCII, $config = table(["only_single_header_row"] = "T")]; ##! Example filter using this::
##!
##! local my_filter: Log::Filter = [$name = "my-filter", $writer = Log::WRITER_ASCII, $config = table(["tsv"] = "T")];
##! ##!
module LogAscii; module LogAscii;
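Review bot: the rewritten comment on the ``config`` line reads "turns the output into into", with "into" duplicated across the line break, and "supports currently one writer-specific filter option" reads better as "currently supports one writer-specific filter option". The example filter correctly uses the renamed `tsv` option, matching the 2.1-194 CHANGES entry that renames `only_single_header_row`.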


@ -88,7 +88,10 @@ redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
const teredo_ports = { 3544/udp }; const teredo_ports = { 3544/udp };
redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] }; redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
redef likely_server_ports += { ayiya_ports, teredo_ports }; const gtpv1u_ports = { 2152/udp };
redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1u_ports] };
redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1u_ports };
event bro_init() &priority=5 event bro_init() &priority=5
{ {
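Review bot: `gtpv1u_ports` registers the analyzer for the user-plane port only (2152/udp), so GTP-C signalling, which the `gtpv1_hdr` documentation in bro.init mentions alongside GTP-U, is never handed to the analyzer; that is a reasonable scope for a decapsulation analyzer, but state it in NEWS so operators do not expect control-plane traffic to be parsed or confirmed.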


@ -1450,6 +1450,44 @@ type teredo_hdr: record {
hdr: pkt_hdr; ##< IPv6 and transport protocol headers. hdr: pkt_hdr; ##< IPv6 and transport protocol headers.
}; };
## A GTPv1 (GPRS Tunneling Protocol) header.
type gtpv1_hdr: record {
## The 3-bit version field, which for GTPv1 should be 1.
version: count;
## Protocol Type value differentiates GTP (value 1) from GTP' (value 0).
pt_flag: bool;
## Reserved field, should be 0.
rsv: bool;
## Extension Header flag. When 0, the *next_type* field may or may not
## be present, but shouldn't be meaningful. When 1, *next_type* is
## present and meaningful.
e_flag: bool;
## Sequence Number flag. When 0, the *seq* field may or may not
## be present, but shouldn't be meaningful. When 1, *seq* is
## present and meaningful.
s_flag: bool;
## N-PDU flag. When 0, the *n_pdu* field may or may not
## be present, but shouldn't be meaningful. When 1, *n_pdu* is
## present and meaningful.
pn_flag: bool;
## Message Type. A value of 255 indicates user-plane data is encapsulated.
msg_type: count;
## Length of the GTP packet payload (the rest of the packet following the
## mandatory 8-byte GTP header).
length: count;
## Tunnel Endpoint Identifier. Unambiguously identifies a tunnel endpoint
## in receiving GTP-U or GTP-C protocol entity.
teid: count;
## Sequence Number. Set if any *e_flag*, *s_flag*, or *pn_flag* field is
## set.
seq: count &optional;
## N-PDU Number. Set if any *e_flag*, *s_flag*, or *pn_flag* field is set.
n_pdu: count &optional;
## Next Extension Header Type. Set if any *e_flag*, *s_flag*, or *pn_flag*
## field is set.
next_type: count &optional;
};
## Definition of "secondary filters". A secondary filter is a BPF filter given as ## Definition of "secondary filters". A secondary filter is a BPF filter given as
## index in this table. For each such filter, the corresponding event is raised for ## index in this table. For each such filter, the corresponding event is raised for
## all matching packets. ## all matching packets.
@ -2786,6 +2824,9 @@ export {
## Toggle whether to do IPv6-in-Teredo decapsulation. ## Toggle whether to do IPv6-in-Teredo decapsulation.
const enable_teredo = T &redef; const enable_teredo = T &redef;
## Toggle whether to do GTPv1 decapsulation.
const enable_gtpv1 = T &redef;
## With this option set, the Teredo analysis will first check to see if ## With this option set, the Teredo analysis will first check to see if
## other protocol analyzers have confirmed that they think they're ## other protocol analyzers have confirmed that they think they're
## parsing the right protocol and only continue with Teredo tunnel ## parsing the right protocol and only continue with Teredo tunnel
@ -2802,6 +2843,15 @@ export {
## :bro:see:`Tunnel::yielding_teredo_decapsulation`. ## :bro:see:`Tunnel::yielding_teredo_decapsulation`.
const delay_teredo_confirmation = T &redef; const delay_teredo_confirmation = T &redef;
## With this set, the GTP analyzer waits until the most-recent upflow
## and downflow packets are a valid GTPv1 encapsulation before
## issuing :bro:see:`protocol_confirmation`. If it's false, the
## first occurence of a packet with valid GTPv1 encapsulation causes
## confirmation. Since the same inner connection can be carried
## differing outer upflow/downflow connections, setting to false
## may work better.
const delay_gtp_confirmation = F &redef;
## How often to cleanup internal state for inactive IP tunnels. ## How often to cleanup internal state for inactive IP tunnels.
const ip_tunnel_timeout = 24hrs &redef; const ip_tunnel_timeout = 24hrs &redef;
} # end export } # end export
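Review bot: the doc comment for `delay_gtp_confirmation` has two text issues: "first occurence" should be "first occurrence", and "the same inner connection can be carried differing outer upflow/downflow connections" is missing a word ("carried over" or "carried by"). The option name is also inconsistent with its neighbours: `enable_teredo` pairs with `delay_teredo_confirmation`, but `enable_gtpv1` pairs with `delay_gtp_confirmation`; consider `delay_gtpv1_confirmation` before the option is released and site scripts start redef'ing it.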


@ -67,7 +67,7 @@ export {
ready: bool &default=F; ready: bool &default=F;
## The total number of resource records in a reply message's answer ## The total number of resource records in a reply message's answer
## section. ## section.
total_answers: count &default=0; total_answers: count &optional;
## The total number of resource records in a reply message's answer, ## The total number of resource records in a reply message's answer,
## authority, and additional sections. ## authority, and additional sections.
total_replies: count &optional; total_replies: count &optional;
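Review bot: changing `total_answers` from `&default=0` to `&optional` is a script-visible change: any handler or site script that reads `c$dns$total_answers` without first testing `c$dns?$total_answers` will now hit a missing-field runtime error on messages where the field was never set, where it previously read 0. Check the remaining DNS handlers that compare answer counts, and mention the change in NEWS; it is consistent with `total_replies`, but it can break existing redef'd logic.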
@ -231,6 +231,7 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
Log::write(DNS::LOG, c$dns); Log::write(DNS::LOG, c$dns);
# This record is logged and no longer pending. # This record is logged and no longer pending.
delete c$dns_state$pending[c$dns$trans_id]; delete c$dns_state$pending[c$dns$trans_id];
delete c$dns;
} }
} }
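Review bot: after `delete c$dns;` any handler of `DNS::do_reply` with a lower `&priority` that dereferences `c$dns` will fail with a missing-field error, because the record is gone once this body has logged and removed it. Either document that `c$dns` is only valid in handlers that run before this one, or guard later accesses with `c?$dns`.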


@ -94,6 +94,19 @@ export {
"XROXY-CONNECTION", "XROXY-CONNECTION",
"PROXY-CONNECTION", "PROXY-CONNECTION",
} &redef; } &redef;
## A list of HTTP methods. Other methods will generate a weird. Note
## that the HTTP analyzer will only accept methods consisting solely
## of letters ``[A-Za-z]``.
const http_methods: set[string] = {
"GET", "POST", "HEAD", "OPTIONS",
"PUT", "DELETE", "TRACE", "CONNECT",
# HTTP methods for distributed authoring:
"PROPFIND", "PROPPATCH", "MKCOL",
"COPY", "MOVE", "LOCK", "UNLOCK",
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
"SEARCH"
} &redef;
## Event that can be handled to access the HTTP record as it is sent on ## Event that can be handled to access the HTTP record as it is sent on
## to the logging framework. ## to the logging framework.
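Review bot: the doc comment says the analyzer "will only accept methods consisting solely of letters ``[A-Za-z]``", which reflects the 2.1-209 CHANGES entry but not the later 2.1-212 one ("accept request methods in alignment with the RFC"); the `is_HTTP_token_char` check added to HTTP.cc in this same merge accepts any RFC 2616 token character, so update the comment to match. The membership test in `http_request` is case-sensitive, which is correct for HTTP, but the set omits `PATCH` (RFC 5789), so standard PATCH requests will be reported as `unknown_HTTP_method` weirds until a site redefs the set; consider adding it.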
@ -180,6 +193,9 @@ event http_request(c: connection, method: string, original_URI: string,
c$http$method = method; c$http$method = method;
c$http$uri = unescaped_URI; c$http$uri = unescaped_URI;
if ( method !in http_methods )
event conn_weird("unknown_HTTP_method", c, method);
} }
event http_reply(c: connection, version: string, code: count, reason: string) &priority=5 event http_reply(c: connection, version: string, code: count, reason: string) &priority=5


@ -19,7 +19,7 @@ function generate_extraction_filename(prefix: string, c: connection, suffix: str
## the filename. ## the filename.
function extract_filename_from_content_disposition(data: string): string function extract_filename_from_content_disposition(data: string): string
{ {
local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE]=/, ""); local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, "");
# Remove quotes around the filename if they are there. # Remove quotes around the filename if they are there.
if ( /^\"/ in filename ) if ( /^\"/ in filename )
filename = split_n(filename, /\"/, F, 2)[2]; filename = split_n(filename, /\"/, F, 2)[2];
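Review bot: the widened regex still relies on a greedy `^.*` before `filename`, so a header carrying both the plain `filename=` parameter and the RFC 5987 `filename*=` parameter is reduced to whatever follows the last match, and a header with only the `filename*=` form does not match at all (the `*` is not covered by `[[:blank:]]*`), leaving `filename` equal to the entire `data` string. Worth a test with a `filename*=` input alongside the blank-padded `filename =` case this change targets.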


@ -20,5 +20,13 @@ void AYIYA_Analyzer::Done()
void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
{ {
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
interp->NewData(orig, data, data + len);
try
{
interp->NewData(orig, data, data + len);
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
} }


@ -41,6 +41,7 @@
#include "Syslog-binpac.h" #include "Syslog-binpac.h"
#include "Teredo.h" #include "Teredo.h"
#include "ConnSizeAnalyzer.h" #include "ConnSizeAnalyzer.h"
#include "GTPv1.h"
// Keep same order here as in AnalyzerTag definition! // Keep same order here as in AnalyzerTag definition!
const Analyzer::Config Analyzer::analyzer_configs[] = { const Analyzer::Config Analyzer::analyzer_configs[] = {
@ -143,6 +144,9 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
{ AnalyzerTag::Teredo, "TEREDO", { AnalyzerTag::Teredo, "TEREDO",
Teredo_Analyzer::InstantiateAnalyzer, Teredo_Analyzer::InstantiateAnalyzer,
Teredo_Analyzer::Available, 0, false }, Teredo_Analyzer::Available, 0, false },
{ AnalyzerTag::GTPv1, "GTPV1",
GTPv1_Analyzer::InstantiateAnalyzer,
GTPv1_Analyzer::Available, 0, false },
{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer, { AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
File_Analyzer::Available, 0, false }, File_Analyzer::Available, 0, false },


@ -38,6 +38,7 @@ namespace AnalyzerTag {
AYIYA, AYIYA,
SOCKS, SOCKS,
Teredo, Teredo,
GTPv1,
// Other // Other
File, Backdoor, InterConn, SteppingStone, TCPStats, File, Backdoor, InterConn, SteppingStone, TCPStats,


@ -260,6 +260,11 @@ void Attributes::CheckAttr(Attr* a)
// Ok. // Ok.
break; break;
if ( type->Tag() == TYPE_TABLE &&
type->AsTableType()->IsUnspecifiedTable() )
// Ok.
break;
a->AttrExpr()->Error("&default value has inconsistent type", type); a->AttrExpr()->Error("&default value has inconsistent type", type);
} }
@ -290,6 +295,11 @@ void Attributes::CheckAttr(Attr* a)
// Ok. // Ok.
break; break;
Expr* e = a->AttrExpr();
if ( check_and_promote_expr(e, ytype) )
// Ok.
break;
Error("&default value has inconsistent type 2"); Error("&default value has inconsistent type 2");
} }
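Review bot: `check_and_promote_expr` takes its expression argument by reference (`Expr*&`) and may replace it with a coercion expression, but here the result is only held in the local `e` and never written back to the attribute, so the stored `&default` expression stays unpromoted and only the type check survives. If that is intentional (the value is promoted again at lookup time), a comment saying so will stop the next reader from "fixing" it; otherwise store the promoted expression back into the attribute.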


@ -203,6 +203,8 @@ binpac_target(dns.pac
dns-protocol.pac dns-analyzer.pac) dns-protocol.pac dns-analyzer.pac)
binpac_target(dns_tcp.pac binpac_target(dns_tcp.pac
dns.pac) dns.pac)
binpac_target(gtpv1.pac
gtpv1-protocol.pac gtpv1-analyzer.pac)
binpac_target(http.pac binpac_target(http.pac
http-protocol.pac http-analyzer.pac) http-protocol.pac http-analyzer.pac)
binpac_target(ncp.pac) binpac_target(ncp.pac)
@ -332,6 +334,7 @@ set(bro_SRCS
Frame.cc Frame.cc
Func.cc Func.cc
Gnutella.cc Gnutella.cc
GTPv1.cc
HTTP.cc HTTP.cc
HTTP-binpac.cc HTTP-binpac.cc
Hash.cc Hash.cc


@ -2663,7 +2663,7 @@ void AssignExpr::EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f) const
TableVal* tv = aggr->AsTableVal(); TableVal* tv = aggr->AsTableVal();
Val* index = op1->Eval(f); Val* index = op1->Eval(f);
Val* v = op2->Eval(f); Val* v = check_and_promote(op2->Eval(f), t->YieldType(), 1);
if ( ! index || ! v ) if ( ! index || ! v )
return; return;
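Review bot: when `check_and_promote` rejects the value, `v` is 0 and the function takes the early `return` silently, so a mismatched element in a table initializer is dropped at this point without a diagnostic from this function; that is only acceptable if `check_and_promote` itself emits the error. The early return also leaves `index` (from `op1->Eval(f)`) un-Unref'd, which predates this change but is now reachable on a new path.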
@ -2950,16 +2950,12 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const
if ( IsError() ) if ( IsError() )
return 0; return 0;
if ( v1->Type()->Tag() == TYPE_VECTOR ) Val* v = 0;
{
Val* v = v1->AsVectorVal()->Lookup(v2);
// ### dangerous - this can silently fail larger operations
// due to a missing element
return v ? v->Ref() : 0;
}
TableVal* v_tbl = v1->AsTableVal(); if ( v1->Type()->Tag() == TYPE_VECTOR )
Val* v = v_tbl->Lookup(v2); v = v1->AsVectorVal()->Lookup(v2);
else
v = v1->AsTableVal()->Lookup(v2);
if ( v ) if ( v )
return v->Ref(); return v->Ref();
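Review bot: the vector branch used to return 0 directly (with the "### dangerous - this can silently fail" comment), and now falls through to the common `if ( v ) return v->Ref();`; the hunk ends before the not-found path, so confirm that what follows reports an error for an out-of-range vector index as the CHANGES entry for #24 promises, rather than the table path's previous behaviour of silently yielding 0.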
@ -3290,20 +3286,22 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
{ {
RecordVal* rv = Eval(0)->AsRecordVal(); Val* v = Eval(0);
RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr);
if ( ar ) if ( v )
{ {
Unref(rv); RecordVal* rv = v->AsRecordVal();
return ar; RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr);
if ( ar )
{
Unref(rv);
return ar;
}
} }
else Error("bad record initializer");
{ return 0;
Error("bad record initializer");
return 0;
}
} }
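Review bot: when `v` is non-null but `rv->CoerceTo(...)` returns 0, the function falls through to `Error("bad record initializer")` and returns 0 without `Unref(rv)`, so the record value produced by `Eval(0)` leaks on the error path (the old code had the same gap, but this rewrite is the place to close it). The restructuring itself correctly reports the null-`Eval` case that previously dereferenced a null pointer, matching the CHANGES entry for #34.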
Val* RecordConstructorExpr::Fold(Val* v) const Val* RecordConstructorExpr::Fold(Val* v) const
@ -3386,7 +3384,14 @@ Val* TableConstructorExpr::InitVal(const BroType* t, Val* aggr) const
if ( IsError() ) if ( IsError() )
return 0; return 0;
return op->InitVal(t, aggr); TableType* tt = Type()->AsTableType();
TableVal* tval = aggr ? aggr->AsTableVal() : new TableVal(tt, attrs);
const expr_list& exprs = op->AsListExpr()->Exprs();
loop_over_list(exprs, i)
exprs[i]->EvalIntoAggregate(t, tval, 0);
return tval;
} }
void TableConstructorExpr::ExprDescribe(ODesc* d) const void TableConstructorExpr::ExprDescribe(ODesc* d) const
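Review bot: the freshly constructed `TableVal` is typed with the constructor expression's own type `tt`, while each element is promoted against the target type `t` (the `check_and_promote(op2->Eval(f), t->YieldType(), 1)` change in `AssignExpr::EvalIntoAggregate`); when `t` is the declared type and `tt` was inferred from the element list, the returned value carries the inferred type rather than the declared one. Consider building the aggregate from `t->AsTableType()` in the `aggr == 0` branch, and note that `attrs` is attached only in that branch, so an initializer that arrives with an existing `aggr` does not receive the constructor's attributes here; check that the #866 fix does not depend on that.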
@ -3438,7 +3443,7 @@ Val* SetConstructorExpr::Eval(Frame* f) const
if ( IsError() ) if ( IsError() )
return 0; return 0;
TableVal* aggr = new TableVal(type->AsTableType(), 0); TableVal* aggr = new TableVal(type->AsTableType(), attrs);
const expr_list& exprs = op->AsListExpr()->Exprs(); const expr_list& exprs = op->AsListExpr()->Exprs();
loop_over_list(exprs, i) loop_over_list(exprs, i)
@ -3456,7 +3461,26 @@ Val* SetConstructorExpr::InitVal(const BroType* t, Val* aggr) const
if ( IsError() ) if ( IsError() )
return 0; return 0;
return op->InitVal(t, aggr); const BroType* index_type = t->AsTableType()->Indices();
TableType* tt = Type()->AsTableType();
TableVal* tval = aggr ? aggr->AsTableVal() : new TableVal(tt, attrs);
const expr_list& exprs = op->AsListExpr()->Exprs();
loop_over_list(exprs, i)
{
Expr* e = exprs[i];
Val* element = check_and_promote(e->Eval(0), index_type, 1);
if ( ! element || ! tval->Assign(element, 0) )
{
Error(fmt("initialization type mismatch in set"), e);
return 0;
}
Unref(element);
}
return tval;
} }
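Review bot: both error exits inside the loop `return 0` without releasing what was allocated: `tval` leaks whenever it was created here (`aggr == 0`), and `element` leaks when `check_and_promote` succeeded but `tval->Assign(element, 0)` failed. Unref both before returning. Minor: `fmt("initialization type mismatch in set")` has no format arguments, so the string literal can be passed to `Error` directly.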
void SetConstructorExpr::ExprDescribe(ODesc* d) const void SetConstructorExpr::ExprDescribe(ODesc* d) const
@ -3536,14 +3560,14 @@ Val* VectorConstructorExpr::InitVal(const BroType* t, Val* aggr) const
if ( IsError() ) if ( IsError() )
return 0; return 0;
VectorVal* vec = aggr->AsVectorVal(); VectorType* vt = Type()->AsVectorType();
const BroType* vt = vec->Type()->AsVectorType()->YieldType(); VectorVal* vec = aggr ? aggr->AsVectorVal() : new VectorVal(vt);
const expr_list& exprs = op->AsListExpr()->Exprs(); const expr_list& exprs = op->AsListExpr()->Exprs();
loop_over_list(exprs, i) loop_over_list(exprs, i)
{ {
Expr* e = exprs[i]; Expr* e = exprs[i];
Val* v = check_and_promote(e->Eval(0), vt, 1); Val* v = check_and_promote(e->Eval(0), t->YieldType(), 1);
if ( ! v || ! vec->Assign(i, v, e) ) if ( ! v || ! vec->Assign(i, v, e) )
{ {
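Review bot: the same split as in the table constructor appears here: the vector is created from the expression's own `VectorType* vt` when `aggr` is null, but elements are promoted to `t->YieldType()`, so if the target type `t` is wider than the inferred `vt` the elements are promoted to a yield type the container does not declare. Creating the `VectorVal` from `t->AsVectorType()` in that branch keeps value and type consistent.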
@ -4394,6 +4418,13 @@ CallExpr::CallExpr(Expr* arg_func, ListExpr* arg_args, bool in_hook)
return; return;
} }
if ( func_type->AsFuncType()->Flavor() == FUNC_FLAVOR_HOOK && ! in_hook )
{
func->Error("hook cannot be called directly, use hook operator");
SetError();
return;
}
if ( ! func_type->MatchesIndex(args) ) if ( ! func_type->MatchesIndex(args) )
SetError("argument type mismatch in function call"); SetError("argument type mismatch in function call");
else else
@ -4415,13 +4446,8 @@ CallExpr::CallExpr(Expr* arg_func, ListExpr* arg_args, bool in_hook)
break; break;
case FUNC_FLAVOR_HOOK: case FUNC_FLAVOR_HOOK:
// It's fine to not have a yield if it's known that the call Error("hook has no yield type");
// is being done from a hook statement. SetError();
if ( ! in_hook )
{
Error("hook called in expression, use hook statement instead");
SetError();
}
break; break;
default: default:
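Review bot: with hooks now usable as expressions that yield a bool, this `case FUNC_FLAVOR_HOOK` branch turns any hook whose `FuncType` has no yield type into a hard error; CHANGES says scripts need not declare a bool return because "internally, that's assumed", so the branch is only safe if the parser always attaches the bool yield type when a hook is declared, with or without a forward declaration. Please confirm that path, otherwise every `hook` expression on such a declaration fails with "hook has no yield type".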


@ -747,6 +747,8 @@ public:
TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs); TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs);
~TableConstructorExpr() { Unref(attrs); } ~TableConstructorExpr() { Unref(attrs); }
Attributes* Attrs() { return attrs; }
Val* Eval(Frame* f) const; Val* Eval(Frame* f) const;
protected: protected:
@ -767,6 +769,8 @@ public:
SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs); SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs);
~SetConstructorExpr() { Unref(attrs); } ~SetConstructorExpr() { Unref(attrs); }
Attributes* Attrs() { return attrs; }
Val* Eval(Frame* f) const; Val* Eval(Frame* f) const;
protected: protected:


@ -349,16 +349,31 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
break; break;
} }
if ( flow == FLOW_BREAK && Flavor() == FUNC_FLAVOR_HOOK ) if ( Flavor() == FUNC_FLAVOR_HOOK )
{ {
// short-circuit execution of remaining hook handler bodies // Ignore any return values of hook bodies, final return value
break; // depends on whether a body returns as a result of break statement.
Unref(result);
result = 0;
if ( flow == FLOW_BREAK )
{
// Short-circuit execution of remaining hook handler bodies.
result = new Val(false, TYPE_BOOL);
break;
}
} }
} }
if ( Flavor() == FUNC_FLAVOR_HOOK )
{
if ( ! result )
result = new Val(true, TYPE_BOOL);
}
// Warn if the function returns something, but we returned from // Warn if the function returns something, but we returned from
// the function without an explicit return, or without a value. // the function without an explicit return, or without a value.
if ( FType()->YieldType() && FType()->YieldType()->Tag() != TYPE_VOID && else if ( FType()->YieldType() && FType()->YieldType()->Tag() != TYPE_VOID &&
(flow != FLOW_RETURN /* we fell off the end */ || (flow != FLOW_RETURN /* we fell off the end */ ||
! result /* explicit return with no result */) && ! result /* explicit return with no result */) &&
! f->HasDelayed() ) ! f->HasDelayed() )
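Review bot: the `else if` that now guards the "function returns something" warning pairs with `if ( Flavor() == FUNC_FLAVOR_HOOK )`, but the two-line comment explaining the warning sits between the closing brace and the `else if`, which makes the pairing easy to misread; move the comment inside the `else if` body or above the whole if/else. The logic itself is right: the per-body `Unref(result); result = 0;` discards any explicit return values, the first `FLOW_BREAK` yields `F` and stops the loop, and a loop that runs to completion yields `T`, matching the documented semantics.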

src/GTPv1.cc Normal file

@ -0,0 +1,31 @@
#include "GTPv1.h"
GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
: Analyzer(AnalyzerTag::GTPv1, conn)
{
interp = new binpac::GTPv1::GTPv1_Conn(this);
}
GTPv1_Analyzer::~GTPv1_Analyzer()
{
delete interp;
}
void GTPv1_Analyzer::Done()
{
Analyzer::Done();
Event(udp_session_done);
}
void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
try
{
interp->NewData(orig, data, data + len);
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}

src/GTPv1.h Normal file

@ -0,0 +1,29 @@
#ifndef GTPv1_h
#define GTPv1_h
#include "gtpv1_pac.h"
class GTPv1_Analyzer : public Analyzer {
public:
GTPv1_Analyzer(Connection* conn);
virtual ~GTPv1_Analyzer();
virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig,
int seq, const IP_Hdr* ip, int caplen);
static Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new GTPv1_Analyzer(conn); }
static bool Available()
{ return BifConst::Tunnel::enable_gtpv1 &&
BifConst::Tunnel::max_depth > 0; }
protected:
friend class AnalyzerTimer;
void ExpireTimer(double t);
binpac::GTPv1::GTPv1_Conn* interp;
};
#endif
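Review bot: `ExpireTimer(double t)` and `friend class AnalyzerTimer` are declared in the class, but the new GTPv1.cc in this merge neither defines `ExpireTimer` nor arms any timer; if this was copied from another tunnel analyzer as a template, drop the unused declarations so the header reflects what the analyzer actually does and a later accidental reference does not fail at link time.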


@ -1116,38 +1116,39 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
return line; return line;
} }
static bool is_HTTP_token_char(char c)
{
return c > 31 && c != 127 && // CTL per RFC 2616.
c != ' ' && c != '\t' && // Separators.
c != '(' && c != ')' && c != '<' && c != '>' && c != '@' &&
c != ',' && c != ';' && c != ':' && c != '\\' && c != '"' &&
c != '/' && c != '[' && c != ']' && c != '?' && c != '=' &&
c != '{' && c != '}';
}
static const char* get_HTTP_token(const char* s, const char* e)
{
while ( s < e && is_HTTP_token_char(*s) )
++s;
return s;
}
int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
{ {
const char* rest = 0; const char* rest = 0;
static const char* http_methods[] = { const char* end_of_method = get_HTTP_token(line, end_of_line);
"GET", "POST", "HEAD",
"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT", if ( end_of_method == line )
goto error;
// HTTP methods for distributed authoring. rest = skip_whitespace(end_of_method, end_of_line);
"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
"COPY", "MOVE", "LOCK", "UNLOCK",
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
"SEARCH", if ( rest == end_of_method )
goto error;
0, request_method = new StringVal(end_of_method - line, line);
};
int i;
for ( i = 0; http_methods[i]; ++i )
if ( (rest = PrefixWordMatch(line, end_of_line, http_methods[i])) != 0 )
break;
if ( ! http_methods[i] )
{
// Weird("HTTP_unknown_method");
if ( RequestExpected() )
HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line));
return 0;
}
request_method = new StringVal(http_methods[i]);
if ( ! ParseRequest(rest, end_of_line) ) if ( ! ParseRequest(rest, end_of_line) )
reporter->InternalError("HTTP ParseRequest failed"); reporter->InternalError("HTTP ParseRequest failed");
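Review bot: the removed code raised its weird only `if ( RequestExpected() )`, whereas the new `bad_HTTP_request` path reached via `goto error` fires regardless of analyzer state, so any request-side line that is not a well-formed request line now produces the weird; confirm that is intended, since the old guard suppressed exactly that noise. Two further points: `is_HTTP_token_char` uses `c > 31` on a plain `char`, which on signed-char platforms also rejects bytes 0x80 and above (correct per RFC 2616, but worth a comment), and because the method is now copied verbatim by `new StringVal(end_of_method - line, line)`, the http/main.bro documentation that still restricts methods to `[A-Za-z]` no longer matches this code.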
@ -1157,6 +1158,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
unescaped_URI->AsString()->Len(), true, true, true, true); unescaped_URI->AsString()->Len(), true, true, true, true);
return 1; return 1;
error:
reporter->Weird(Conn(), "bad_HTTP_request");
return 0;
} }
int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)


@ -5,6 +5,7 @@
#include "Var.h" #include "Var.h"
#include "NetVar.h" #include "NetVar.h"
RecordType* gtpv1_hdr_type;
RecordType* conn_id; RecordType* conn_id;
RecordType* endpoint; RecordType* endpoint;
RecordType* endpoint_stats; RecordType* endpoint_stats;
@ -308,6 +309,7 @@ void init_net_var()
#include "input.bif.netvar_init" #include "input.bif.netvar_init"
#include "reporter.bif.netvar_init" #include "reporter.bif.netvar_init"
gtpv1_hdr_type = internal_type("gtpv1_hdr")->AsRecordType();
conn_id = internal_type("conn_id")->AsRecordType(); conn_id = internal_type("conn_id")->AsRecordType();
endpoint = internal_type("endpoint")->AsRecordType(); endpoint = internal_type("endpoint")->AsRecordType();
endpoint_stats = internal_type("endpoint_stats")->AsRecordType(); endpoint_stats = internal_type("endpoint_stats")->AsRecordType();


@ -8,6 +8,7 @@
#include "EventRegistry.h" #include "EventRegistry.h"
#include "Stats.h" #include "Stats.h"
extern RecordType* gtpv1_hdr_type;
extern RecordType* conn_id; extern RecordType* conn_id;
extern RecordType* endpoint; extern RecordType* endpoint;
extern RecordType* endpoint_stats; extern RecordType* endpoint_stats;

View file

@ -545,8 +545,11 @@ RemoteSerializer::~RemoteSerializer()
{ {
if ( child_pid ) if ( child_pid )
{ {
kill(child_pid, SIGKILL); if ( kill(child_pid, SIGKILL) < 0 )
waitpid(child_pid, 0, 0); reporter->Warning("warning: cannot kill child (pid %d), %s", child_pid, strerror(errno));
else if ( waitpid(child_pid, 0, 0) < 0 )
reporter->Warning("warning: error encountered during waitpid(%d), %s", child_pid, strerror(errno));
} }
delete io; delete io;
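Review bot: both new messages in the destructor start with a literal `warning: ` and are passed to `reporter->Warning()`; if the reporter already tags its output with the severity, as its other methods do, this prints as `warning: warning: cannot kill child ...`. Drop the literal prefix and let the reporter supply it. The `else if` is fine as written: a `kill()` failure with ESRCH means there is no process (zombies are still signalable), so skipping `waitpid()` there does not leak a child.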
@ -1032,6 +1035,14 @@ bool RemoteSerializer::SendAllSynchronized(Peer* peer, SerialInfo* info)
for ( ; index < sync_ids.length(); ++index ) for ( ; index < sync_ids.length(); ++index )
{ {
if ( ! sync_ids[index]->ID_Val() )
{
#ifdef DEBUG
DBG_LOG(DBG_COMM, "Skip sync of ID with null value: %s\n",
sync_ids[index]->Name());
#endif
continue;
}
cont->SaveContext(); cont->SaveContext();
StateAccess sa(OP_ASSIGN, sync_ids[index], StateAccess sa(OP_ASSIGN, sync_ids[index],
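Review bot: skipping an ID whose `ID_Val()` is null fixes the crash, but the peer then never hears about that identifier at connect time; a short comment should say whether a later assignment reaches the peer through the normal state-access path or whether the peer stays out of sync until the next full synchronization. Minor: if `DBG_LOG` already compiles to nothing outside debug builds, the surrounding `#ifdef DEBUG` is redundant.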
@ -3153,7 +3164,10 @@ void RemoteSerializer::FatalError(const char* msg)
reporter->Error("%s", msg); reporter->Error("%s", msg);
closed = true; closed = true;
kill(child_pid, SIGQUIT);
if ( kill(child_pid, SIGQUIT) < 0 )
reporter->Warning("warning: cannot kill child pid %d, %s", child_pid, strerror(errno));
child_pid = 0; child_pid = 0;
using_communication = false; using_communication = false;
io->Clear(); io->Clear();
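Review bot: in `FatalError()` the child gets SIGQUIT and `child_pid` is immediately set to 0 without a `waitpid()`, unlike the destructor hunk above; because `child_pid` is cleared, the destructor's `if ( child_pid )` block will not reap it either, so the child lingers as a zombie until Bro exits. If blocking here is the concern, a `waitpid(child_pid, 0, WNOHANG)` before clearing the pid, or a comment stating that the child is reaped elsewhere, would make the intent explicit.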
@ -3963,7 +3977,7 @@ bool SocketComm::Connect(Peer* peer)
{ {
int status; int status;
addrinfo hints, *res, *res0; addrinfo hints, *res, *res0;
bzero(&hints, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC; hints.ai_family = PF_UNSPEC;
hints.ai_protocol = IPPROTO_TCP; hints.ai_protocol = IPPROTO_TCP;
@ -4095,7 +4109,7 @@ bool SocketComm::Listen()
{ {
int status, on = 1; int status, on = 1;
addrinfo hints, *res, *res0; addrinfo hints, *res, *res0;
bzero(&hints, sizeof(hints)); memset(&hints, 0, sizeof(hints));
IPAddr listen_ip(listen_if); IPAddr listen_ip(listen_if);
@ -4360,7 +4374,8 @@ void SocketComm::Kill()
CloseListenFDs(); CloseListenFDs();
kill(getpid(), SIGTERM); if ( kill(getpid(), SIGTERM) < 0 )
Log(fmt("warning: cannot kill SocketComm pid %d, %s", getpid(), strerror(errno)));
while ( 1 ) while ( 1 )
; // loop until killed ; // loop until killed
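Review bot: in `SocketComm::Kill()`, a failed `kill(getpid(), SIGTERM)` is logged and the function then still falls into `while ( 1 ) ;`, leaving the child process spinning a CPU forever. Since the purpose of the function is to end this process, fall back to `_exit()` after the failed kill (or call `_exit()` unconditionally instead of the busy loop).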

View file

@ -170,7 +170,6 @@ SERIAL_STMT(EVENT_BODY_LIST, 16)
SERIAL_STMT(INIT_STMT, 17) SERIAL_STMT(INIT_STMT, 17)
SERIAL_STMT(NULL_STMT, 18) SERIAL_STMT(NULL_STMT, 18)
SERIAL_STMT(WHEN_STMT, 19) SERIAL_STMT(WHEN_STMT, 19)
SERIAL_STMT(HOOK_STMT, 20)
#define SERIAL_TYPE(name, val) SERIAL_CONST(name, val, BRO_TYPE) #define SERIAL_TYPE(name, val) SERIAL_CONST(name, val, BRO_TYPE)
SERIAL_TYPE(BRO_TYPE, 1) SERIAL_TYPE(BRO_TYPE, 1)
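Review bot: deleting `SERIAL_STMT(HOOK_STMT, 20)` frees tag value 20 for reuse. If a future statement type takes that number, persistent state or peer messages written by a build that still had `HookStmt` would be unserialized as the wrong type. Leave a reserved placeholder for 20, or add a comment in this file that the value must not be reassigned.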

View file

@ -23,7 +23,7 @@ const char* stmt_name(BroStmtTag t)
"print", "event", "expr", "if", "when", "switch", "print", "event", "expr", "if", "when", "switch",
"for", "next", "break", "return", "add", "delete", "for", "next", "break", "return", "add", "delete",
"list", "bodylist", "list", "bodylist",
"<init>", "hook", "<init>",
"null", "null",
}; };
@ -933,52 +933,6 @@ bool EventStmt::DoUnserialize(UnserialInfo* info)
return event_expr != 0; return event_expr != 0;
} }
HookStmt::HookStmt(CallExpr* arg_e) : ExprStmt(STMT_HOOK, arg_e)
{
call_expr = arg_e;
}
Val* HookStmt::Exec(Frame* f, stmt_flow_type& flow) const
{
RegisterAccess();
Val* ret = call_expr->Eval(f);
Unref(ret);
flow = FLOW_NEXT;
return 0;
}
TraversalCode HookStmt::Traverse(TraversalCallback* cb) const
{
TraversalCode tc = cb->PreStmt(this);
HANDLE_TC_STMT_PRE(tc);
// call expr is stored in base class's "e" field.
tc = e->Traverse(cb);
HANDLE_TC_STMT_PRE(tc);
tc = cb->PostStmt(this);
HANDLE_TC_STMT_POST(tc);
}
IMPLEMENT_SERIAL(HookStmt, SER_HOOK_STMT);
bool HookStmt::DoSerialize(SerialInfo* info) const
{
DO_SERIALIZE(SER_HOOK_STMT, ExprStmt);
return call_expr->Serialize(info);
}
bool HookStmt::DoUnserialize(UnserialInfo* info)
{
DO_UNSERIALIZE(ExprStmt);
call_expr = (CallExpr*) Expr::Unserialize(info, EXPR_CALL);
return call_expr != 0;
}
ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr) ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr)
: ExprStmt(STMT_FOR, loop_expr) : ExprStmt(STMT_FOR, loop_expr)
{ {
@ -1378,7 +1332,10 @@ ReturnStmt::ReturnStmt(Expr* arg_e) : ExprStmt(STMT_RETURN, arg_e)
} }
else if ( ! e ) else if ( ! e )
Error("return statement needs expression"); {
if ( ft->Flavor() != FUNC_FLAVOR_HOOK )
Error("return statement needs expression");
}
else else
(void) check_and_promote_expr(e, yt); (void) check_and_promote_expr(e, yt);
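Review bot: with the hook yield type now forced to `bool` in parse.y, `ReturnStmt` accepts a bare `return;` inside a hook body, but nothing in this hunk states what value the caller then observes. Add a comment here giving the convention (whether a bare return counts as `return T;` or something else), so the rule is visible where the exception to "return needs an expression" is made rather than only in the call path.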
@ -1990,7 +1947,6 @@ int same_stmt(const Stmt* s1, const Stmt* s2)
case STMT_RETURN: case STMT_RETURN:
case STMT_EXPR: case STMT_EXPR:
case STMT_EVENT: case STMT_EVENT:
case STMT_HOOK:
{ {
const ExprStmt* e1 = (const ExprStmt*) s1; const ExprStmt* e1 = (const ExprStmt*) s1;
const ExprStmt* e2 = (const ExprStmt*) s2; const ExprStmt* e2 = (const ExprStmt*) s2;

View file

@ -286,24 +286,6 @@ protected:
EventExpr* event_expr; EventExpr* event_expr;
}; };
class HookStmt : public ExprStmt {
public:
HookStmt(CallExpr* e);
Val* Exec(Frame* f, stmt_flow_type& flow) const;
TraversalCode Traverse(TraversalCallback* cb) const;
protected:
friend class Stmt;
HookStmt() { call_expr = 0; }
DECLARE_SERIAL(HookStmt);
CallExpr* call_expr;
};
class ForStmt : public ExprStmt { class ForStmt : public ExprStmt {
public: public:
ForStmt(id_list* loop_vars, Expr* loop_expr); ForStmt(id_list* loop_vars, Expr* loop_expr);

View file

@ -15,7 +15,7 @@ typedef enum {
STMT_RETURN, STMT_RETURN,
STMT_ADD, STMT_DELETE, STMT_ADD, STMT_DELETE,
STMT_LIST, STMT_EVENT_BODY_LIST, STMT_LIST, STMT_EVENT_BODY_LIST,
STMT_INIT, STMT_HOOK, STMT_INIT,
STMT_NULL STMT_NULL
#define NUM_STMTS (int(STMT_NULL) + 1) #define NUM_STMTS (int(STMT_NULL) + 1)
} BroStmtTag; } BroStmtTag;

View file

@ -217,8 +217,15 @@ bool Trigger::Eval()
Name()); Name());
Unref(v); Unref(v);
v = 0;
stmt_flow_type flow; stmt_flow_type flow;
v = body->Exec(f, flow);
try
{
v = body->Exec(f, flow);
}
catch ( InterpreterException& e )
{ /* Already reported. */ }
if ( is_return ) if ( is_return )
{ {
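Review bot: swallowing `InterpreterException` here leaves `v` at 0 and falls straight into `if ( is_return )`, so that branch and everything after it must now tolerate a null `v`; the new `|| ! v` guard in `Trigger::Cache()` covers one consumer, but the `is_return` path is not shown to be null-safe in this hunk, please confirm. Style: `catch ( InterpreterException& e )` never uses `e`; `catch ( InterpreterException& )` avoids the unused-variable warning. The same two points apply to the `Timeout()` hunk below.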
@ -300,7 +307,14 @@ void Trigger::Timeout()
{ {
stmt_flow_type flow; stmt_flow_type flow;
Frame* f = frame->Clone(); Frame* f = frame->Clone();
Val* v = timeout_stmts->Exec(f, flow); Val* v = 0;
try
{
v = timeout_stmts->Exec(f, flow);
}
catch ( InterpreterException& e )
{ /* Already reported. */ }
if ( is_return ) if ( is_return )
{ {
@ -382,7 +396,7 @@ void Trigger::Attach(Trigger *trigger)
void Trigger::Cache(const CallExpr* expr, Val* v) void Trigger::Cache(const CallExpr* expr, Val* v)
{ {
if ( disabled ) if ( disabled || ! v )
return; return;
ValCache::iterator i = cache.find(expr); ValCache::iterator i = cache.find(expr);

View file

@ -3149,6 +3149,9 @@ bool OpaqueVal::DoUnserialize(UnserialInfo* info)
Val* check_and_promote(Val* v, const BroType* t, int is_init) Val* check_and_promote(Val* v, const BroType* t, int is_init)
{ {
if ( ! v )
return 0;
BroType* vt = v->Type(); BroType* vt = v->Type();
vt = flatten_type(vt); vt = flatten_type(vt);
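Review bot: returning 0 from `check_and_promote()` for a null `v` turns a crash into silent null propagation, so every caller now has to check the result. If a null only arrives here from error paths already reported elsewhere in this commit (bad record constructor initializers, trigger bodies that threw), say so in a comment so the next reader does not treat it as a normal input.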

View file

@ -109,6 +109,36 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init,
if ( attr ) if ( attr )
id->AddAttrs(new Attributes(attr, t, false)); id->AddAttrs(new Attributes(attr, t, false));
if ( init )
{
switch ( init->Tag() ) {
case EXPR_TABLE_CONSTRUCTOR:
{
TableConstructorExpr* ctor = (TableConstructorExpr*) init;
if ( ctor->Attrs() )
{
::Ref(ctor->Attrs());
id->AddAttrs(ctor->Attrs());
}
}
break;
case EXPR_SET_CONSTRUCTOR:
{
SetConstructorExpr* ctor = (SetConstructorExpr*) init;
if ( ctor->Attrs() )
{
::Ref(ctor->Attrs());
id->AddAttrs(ctor->Attrs());
}
}
break;
default:
break;
}
}
if ( id->FindAttr(ATTR_PERSISTENT) || id->FindAttr(ATTR_SYNCHRONIZED) ) if ( id->FindAttr(ATTR_PERSISTENT) || id->FindAttr(ATTR_SYNCHRONIZED) )
{ {
if ( dt == VAR_CONST ) if ( dt == VAR_CONST )
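Review bot: `::Ref(ctor->Attrs())` followed by `id->AddAttrs(ctor->Attrs())` assumes `AddAttrs()` takes over exactly one reference; if it Refs internally as well, the attribute list leaks on every declaration initialized from a constructor. Also, the declaration's own `attr` list was already added a few lines up (`if ( attr ) id->AddAttrs(...)`), so a variable declared with, say, `&default` and initialized from a table constructor that also carries `&default` ends up with both; is that conflict detected? The two `case` bodies are identical apart from the cast and could share one path if both constructor classes expose `Attrs()` through a common base.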
@ -294,12 +324,12 @@ void add_type(ID* id, BroType* t, attr_list* attr, int /* is_event */)
void begin_func(ID* id, const char* module_name, function_flavor flavor, void begin_func(ID* id, const char* module_name, function_flavor flavor,
int is_redef, FuncType* t) int is_redef, FuncType* t)
{ {
if ( flavor == FUNC_FLAVOR_EVENT || flavor == FUNC_FLAVOR_HOOK ) if ( flavor == FUNC_FLAVOR_EVENT )
{ {
const BroType* yt = t->YieldType(); const BroType* yt = t->YieldType();
if ( yt && yt->Tag() != TYPE_VOID ) if ( yt && yt->Tag() != TYPE_VOID )
id->Error("event/hook cannot yield a value", t); id->Error("event cannot yield a value", t);
t->ClearYieldType(flavor); t->ClearYieldType(flavor);
} }

View file

@ -15,8 +15,10 @@ const Tunnel::max_depth: count;
const Tunnel::enable_ip: bool; const Tunnel::enable_ip: bool;
const Tunnel::enable_ayiya: bool; const Tunnel::enable_ayiya: bool;
const Tunnel::enable_teredo: bool; const Tunnel::enable_teredo: bool;
const Tunnel::enable_gtpv1: bool;
const Tunnel::yielding_teredo_decapsulation: bool; const Tunnel::yielding_teredo_decapsulation: bool;
const Tunnel::delay_teredo_confirmation: bool; const Tunnel::delay_teredo_confirmation: bool;
const Tunnel::delay_gtp_confirmation: bool;
const Tunnel::ip_tunnel_timeout: interval; const Tunnel::ip_tunnel_timeout: interval;
const Threading::heartbeat_interval: interval; const Threading::heartbeat_interval: interval;
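Review bot: naming: the new constants are `Tunnel::enable_gtpv1` and `Tunnel::delay_gtp_confirmation`, while the Teredo pair is `enable_teredo`/`delay_teredo_confirmation`; `delay_gtpv1_confirmation` would keep the pattern and match the `GTPv1` name used for the analyzer and the tunnel enum elsewhere in this commit.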

View file

@ -577,6 +577,19 @@ event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
## it may become particularly expensive for real-time analysis. ## it may become particularly expensive for real-time analysis.
event teredo_bubble%(outer: connection, inner: teredo_hdr%); event teredo_bubble%(outer: connection, inner: teredo_hdr%);
## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
## that includes a GTP header followed by an IPv4 or IPv6 packet.
##
## outer: The GTP outer tunnel connection.
##
## inner_gtp: The GTP header.
##
## inner_ip: The inner IP and transport layer packet headers.
##
## .. note:: Since this event may be raised on a per-packet basis, handling
## it may become particularly expensive for real-time analysis.
event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
## Generated for every packet that has a non-empty transport-layer payload. ## Generated for every packet that has a non-empty transport-layer payload.
## This is a very low-level and expensive event that should be avoided when ## This is a very low-level and expensive event that should be avoided when
## at all possible. It's usually infeasible to handle when processing even ## at all possible. It's usually infeasible to handle when processing even
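Review bot: the `gtpv1_g_pdu_packet` documentation should list the cases where a G-PDU arrives but the event is not raised: per gtpv1-analyzer.pac in this commit, the analyzer returns early for GTP' (PT flag clear), for packets with the E flag set (extension headers are not parsed yet), and when the encapsulated IP packet fails parsing. `inner_gtp` is described only as "The GTP header"; note that the `seq`, `n_pdu` and `next_type` fields are present only when one of the S, PN or E flags is set.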
@ -858,7 +871,7 @@ event udp_contents%(u: connection, is_orig: bool, contents: string%);
## Generated when a UDP session for a supported protocol has finished. Some of ## Generated when a UDP session for a supported protocol has finished. Some of
## Bro's application-layer UDP analyzers flag the end of a session by raising ## Bro's application-layer UDP analyzers flag the end of a session by raising
## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA, ## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
## and Teredo support this. ## Teredo, and GTPv1 support this.
## ##
## u: The connection record for the corresponding UDP flow. ## u: The connection record for the corresponding UDP flow.
## ##

161
src/gtpv1-analyzer.pac Normal file
View file

@ -0,0 +1,161 @@
connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
{
upflow = GTPv1_Flow(true);
downflow = GTPv1_Flow(false);
%member{
bool valid_orig;
bool valid_resp;
%}
%init{
valid_orig = valid_resp = false;
%}
function valid(orig: bool): bool
%{
return orig ? valid_orig : valid_resp;
%}
function set_valid(orig: bool, val: bool): void
%{
if ( orig )
valid_orig = val;
else
valid_resp = val;
%}
}
%code{
inline void violate(const char* r, const BroAnalyzer& a, const bytestring& p)
{
a->ProtocolViolation(r, (const char*) p.data(), p.length());
}
%}
flow GTPv1_Flow(is_orig: bool)
{
datagram = GTPv1_Header withcontext(connection, this);
function process_gtpv1(pdu: GTPv1_Header): bool
%{
BroAnalyzer a = connection()->bro_analyzer();
Connection *c = a->Conn();
const EncapsulationStack* e = c->GetEncapsulation();
connection()->set_valid(is_orig(), false);
if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
{
reporter->Weird(c, "tunnel_depth");
return false;
}
if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
{
// GTP is never tunneled in GTP so, this must be a regular packet
violate("GTP-in-GTP", a, ${pdu.packet});
return false;
}
if ( ${pdu.version} != 1 )
{
// Only know of GTPv1 with Version == 1
violate("GTPv1 bad Version", a, ${pdu.packet});
return false;
}
if ( ! ${pdu.pt_flag} )
{
// Not interested in GTP'
return false;
}
if ( ${pdu.e_flag} )
{
// TODO: can't currently parse past extension headers
return false;
}
if ( ${pdu.msg_type} != 0xff )
{
// Only interested in decapsulating user plane data beyond here.
return false;
}
if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
{
violate("Truncated GTPv1", a, ${pdu.packet});
return false;
}
const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
if ( ip->ip_v != 4 && ip->ip_v != 6 )
{
violate("non-IP packet in GTPv1", a, ${pdu.packet});
return false;
}
IP_Hdr* inner = 0;
int result = sessions->ParseIPPacket(${pdu.packet}.length(),
${pdu.packet}.data(), ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4,
inner);
if ( result == 0 )
{
connection()->set_valid(is_orig(), true);
if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
(connection()->valid(true) && connection()->valid(false)) )
a->ProtocolConfirmation();
}
else if ( result < 0 )
violate("Truncated GTPv1", a, ${pdu.packet});
else
violate("GTPv1 payload length", a, ${pdu.packet});
if ( result != 0 )
{
delete inner;
return false;
}
if ( ::gtpv1_g_pdu_packet )
{
RecordVal* rv = new RecordVal(gtpv1_hdr_type);
rv->Assign(0, new Val(${pdu.version}, TYPE_COUNT));
rv->Assign(1, new Val(${pdu.pt_flag}, TYPE_BOOL));
rv->Assign(2, new Val(${pdu.rsv}, TYPE_BOOL));
rv->Assign(3, new Val(${pdu.e_flag}, TYPE_BOOL));
rv->Assign(4, new Val(${pdu.s_flag}, TYPE_BOOL));
rv->Assign(5, new Val(${pdu.pn_flag}, TYPE_BOOL));
rv->Assign(6, new Val(${pdu.msg_type}, TYPE_COUNT));
rv->Assign(7, new Val(ntohs(${pdu.length}), TYPE_COUNT));
rv->Assign(8, new Val(ntohl(${pdu.teid}), TYPE_COUNT));
if ( ${pdu.has_opt} )
{
rv->Assign(9, new Val(ntohs(${pdu.opt_hdr.seq}), TYPE_COUNT));
rv->Assign(10, new Val(${pdu.opt_hdr.n_pdu}, TYPE_COUNT));
rv->Assign(11, new Val(${pdu.opt_hdr.next_type}, TYPE_COUNT));
}
BifEvent::generate_gtpv1_g_pdu_packet(a, c, rv,
inner->BuildPktHdrVal());
}
EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);
sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec);
return (result == 0) ? true : false;
%}
};
refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };
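Review bot: the GTP `length` header field is never validated against the data actually present: `${pdu.length}` is only surfaced in the event record (`rv->Assign(7, new Val(ntohs(${pdu.length}), TYPE_COUNT));`) while decapsulation uses `${pdu.packet}.length()`, so a packet whose GTP length disagrees with the UDP payload (truncated, or carrying trailing bytes) is decapsulated as if the header were consistent. Compare the header length (adjusted for the optional 4-byte field when `has_opt`) against the remaining bytes and raise a weird or `violate()` on mismatch, and consider handing only the declared number of bytes to `ParseIPPacket()`. Smaller points: `return (result == 0) ? true : false;` is always `true`, because the `result != 0` branch already returned; and the `ntohs()`/`ntohl()` calls on `length`, `teid` and `seq` are only needed because the record is declared `&byteorder = littleendian` in gtpv1-protocol.pac, which is the wrong byte order for this protocol.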

27
src/gtpv1-protocol.pac Normal file
View file

@ -0,0 +1,27 @@
type GTPv1_Header = record {
flags: uint8;
msg_type: uint8;
length: uint16;
teid: uint32;
opt: case has_opt of {
true -> opt_hdr: GTPv1_Opt_Header;
false -> no_opt: empty;
} &requires(has_opt);
packet: bytestring &restofdata;
} &let {
version: uint8 = (flags & 0xE0) >> 5;
pt_flag: bool = flags & 0x10;
rsv: bool = flags & 0x08;
e_flag: bool = flags & 0x04;
s_flag: bool = flags & 0x02;
pn_flag: bool = flags & 0x01;
has_opt: bool = flags & 0x07;
} &byteorder = littleendian;
type GTPv1_Opt_Header = record {
seq: uint16;
n_pdu: uint8;
next_type: uint8;
}
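Review bot: `&byteorder = littleendian` on `GTPv1_Header` does not match the wire format, whose multi-byte fields (`length`, `teid`, `seq`) are big-endian; the analyzer compensates with `ntohs()`/`ntohl()`, and the two only cancel out on little-endian hosts, where BinPAC's little-endian read is a plain copy and ntohs then swaps. On a big-endian host BinPAC swaps the bytes to interpret them as little-endian and ntohs is a no-op, so the values come out reversed. Declare `&byteorder = bigendian` and drop the ntohs/ntohl calls in gtpv1-analyzer.pac. A one-line comment per derived flag (version in bits 7..5, PT bit 4, reserved bit 3, E/S/PN bits 2..0, `has_opt` meaning any of E/S/PN set) would also help, since `flags & 0x07` for `has_opt` is otherwise a magic number.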

10
src/gtpv1.pac Normal file
View file

@ -0,0 +1,10 @@
%include binpac.pac
%include bro.pac
analyzer GTPv1 withcontext {
connection: GTPv1_Conn;
flow: GTPv1_Flow;
};
%include gtpv1-protocol.pac
%include gtpv1-analyzer.pac

View file

@ -572,7 +572,7 @@ bool Ascii::DoUpdate()
// array structure. // array structure.
for ( int i = 0; i < fpos; i++ ) for ( int i = 0; i < fpos; i++ )
delete fields[fpos]; delete fields[i];
delete [] fields; delete [] fields;
continue; continue;

View file

@ -19,7 +19,7 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend)
{ {
fd = 0; fd = 0;
ascii_done = false; ascii_done = false;
only_single_header_row = false; tsv = false;
output_to_stdout = BifConst::LogAscii::output_to_stdout; output_to_stdout = BifConst::LogAscii::output_to_stdout;
include_meta = BifConst::LogAscii::include_meta; include_meta = BifConst::LogAscii::include_meta;
@ -81,7 +81,7 @@ void Ascii::CloseFile(double t)
if ( ! fd ) if ( ! fd )
return; return;
if ( include_meta && ! only_single_header_row ) if ( include_meta && ! tsv )
WriteHeaderField("close", Timestamp(0)); WriteHeaderField("close", Timestamp(0));
safe_close(fd); safe_close(fd);
@ -111,17 +111,17 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
for ( WriterInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ ) for ( WriterInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ )
{ {
if ( strcmp(i->first, "only_single_header_row") == 0 ) if ( strcmp(i->first, "tsv") == 0 )
{ {
if ( strcmp(i->second, "T") == 0 ) if ( strcmp(i->second, "T") == 0 )
only_single_header_row = true; tsv = true;
else if ( strcmp(i->second, "F") == 0 ) else if ( strcmp(i->second, "F") == 0 )
only_single_header_row = false; tsv = false;
else else
{ {
Error("invalid value for 'only_single_header_row', must be boolean (T/F)"); Error("invalid value for 'tsv', must be a string and either \"T\" or \"F\"");
return false; return false;
} }
} }
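Review bot: renaming the writer option from `only_single_header_row` to `tsv` changes a user-visible `$config` key with no compatibility path: a `Log::Filter` that still sets `only_single_header_row` is no longer recognized here and gets the default behaviour without any diagnostic. Accept the old key for one release with a deprecation warning, or at least record the rename in NEWS. The new error text ("must be a string and either \"T\" or \"F\"") is clearer than the old one; the other boolean keys handled in this loop could use the same wording.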
@ -144,9 +144,9 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
types += fields[i]->TypeName().c_str(); types += fields[i]->TypeName().c_str();
} }
if ( only_single_header_row ) if ( tsv )
{ {
// A single CSV-style line is all we need. // A single TSV-style line is all we need.
string str = names + "\n"; string str = names + "\n";
if ( ! safe_write(fd, str.c_str(), str.length()) ) if ( ! safe_write(fd, str.c_str(), str.length()) )
goto write_error; goto write_error;

View file

@ -45,7 +45,7 @@ private:
// Options set from the script-level. // Options set from the script-level.
bool output_to_stdout; bool output_to_stdout;
bool include_meta; bool include_meta;
bool only_single_header_row; bool tsv;
char* separator; char* separator;
int separator_len; int separator_len;

View file

@ -32,6 +32,7 @@
%token TOK_NO_TEST %token TOK_NO_TEST
%nonassoc TOK_HOOK
%left ',' '|' %left ',' '|'
%right '=' TOK_ADD_TO TOK_REMOVE_FROM %right '=' TOK_ADD_TO TOK_REMOVE_FROM
%right '?' ':' %right '?' ':'
@ -56,7 +57,6 @@
%type <re> pattern %type <re> pattern
%type <expr> expr init anonymous_function %type <expr> expr init anonymous_function
%type <event_expr> event %type <event_expr> event
%type <call_expr> hook
%type <stmt> stmt stmt_list func_body for_head %type <stmt> stmt stmt_list func_body for_head
%type <type> type opt_type enum_body %type <type> type opt_type enum_body
%type <func_type> func_hdr func_params %type <func_type> func_hdr func_params
@ -119,6 +119,7 @@ extern const char* g_curr_debug_error;
#define YYLTYPE yyltype #define YYLTYPE yyltype
static int in_hook = 0;
int in_init = 0; int in_init = 0;
int in_record = 0; int in_record = 0;
bool resolving_global_ID = false; bool resolving_global_ID = false;
@ -212,7 +213,6 @@ static std::list<std::string>* concat_opt_docs (std::list<std::string>* pre,
Val* val; Val* val;
RE_Matcher* re; RE_Matcher* re;
Expr* expr; Expr* expr;
CallExpr* call_expr;
EventExpr* event_expr; EventExpr* event_expr;
Stmt* stmt; Stmt* stmt;
ListExpr* list; ListExpr* list;
@ -517,7 +517,16 @@ expr:
| expr '(' opt_expr_list ')' | expr '(' opt_expr_list ')'
{ {
set_location(@1, @4); set_location(@1, @4);
$$ = new CallExpr($1, $3); $$ = new CallExpr($1, $3, in_hook > 0);
}
| TOK_HOOK { ++in_hook; } expr
{
--in_hook;
set_location(@1, @3);
if ( $3->Tag() != EXPR_CALL )
$3->Error("not a valid hook call expression");
$$ = $3;
} }
| expr TOK_HAS_FIELD TOK_ID | expr TOK_HAS_FIELD TOK_ID
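Review bot: `in_hook` stays non-zero while the entire `expr` after `TOK_HOOK` is parsed, and every `CallExpr` built in that window receives `in_hook > 0` as its hook flag, so in `hook f(g(x))` the nested call `g(x)` is also constructed as a hook call. Only the outermost call should be marked: build the plain `CallExpr` as before and set the flag on `$3` in the `TOK_HOOK` action after the `EXPR_CALL` check (a setter on `CallExpr`, if one is added, would also remove the need for the counter). Separately, when `$3->Tag() != EXPR_CALL` the rule reports the error but still returns `$3`, so a non-call expression flows on as the hook expression; returning an error expression there would be safer.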
@ -874,7 +883,7 @@ type:
| TOK_HOOK '(' formal_args ')' | TOK_HOOK '(' formal_args ')'
{ {
set_location(@1, @3); set_location(@1, @3);
$$ = new FuncType($3, 0, FUNC_FLAVOR_HOOK); $$ = new FuncType($3, base_type(TYPE_BOOL), FUNC_FLAVOR_HOOK);
} }
| TOK_FILE TOK_OF type | TOK_FILE TOK_OF type
@ -1214,6 +1223,8 @@ func_hdr:
} }
| TOK_HOOK def_global_id func_params | TOK_HOOK def_global_id func_params
{ {
$3->ClearYieldType(FUNC_FLAVOR_HOOK);
$3->SetYieldType(base_type(TYPE_BOOL));
begin_func($2, current_module.c_str(), begin_func($2, current_module.c_str(),
FUNC_FLAVOR_HOOK, 0, $3); FUNC_FLAVOR_HOOK, 0, $3);
$$ = $3; $$ = $3;
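Review bot: the hook yield type is forced to `bool` in two places, the `type:` rule (`new FuncType($3, base_type(TYPE_BOOL), FUNC_FLAVOR_HOOK)`) and here via `ClearYieldType()`/`SetYieldType()`; moving that into the `FuncType` constructor or `begin_func()` for `FUNC_FLAVOR_HOOK` keeps the two paths from diverging and puts the "hooks return bool" rule in one discoverable spot.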
@ -1377,14 +1388,6 @@ stmt:
brofiler.AddStmt($$); brofiler.AddStmt($$);
} }
| TOK_HOOK hook ';' opt_no_test
{
set_location(@1, @4);
$$ = new HookStmt($2);
if ( ! $4 )
brofiler.AddStmt($$);
}
| TOK_IF '(' expr ')' stmt | TOK_IF '(' expr ')' stmt
{ {
set_location(@1, @4); set_location(@1, @4);
@ -1538,14 +1541,6 @@ event:
} }
; ;
hook:
expr '(' opt_expr_list ')'
{
set_location(@1, @4);
$$ = new CallExpr($1, $3, true);
}
;
case_list: case_list:
case_list case case_list case
{ $1->append($2); } { $1->append($2); }

View file

@ -2,7 +2,7 @@
* Dave Plonka <plonka@doit.wisc.edu> * Dave Plonka <plonka@doit.wisc.edu>
* *
* This product includes software developed by the University of Michigan, * This product includes software developed by the University of Michigan,
* Merit Network, Inc., and their contributors. * Merit Network, Inc., and their contributors.
* *
* This file had been called "radix.c" in the MRT sources. * This file had been called "radix.c" in the MRT sources.
* *
@ -12,28 +12,28 @@
*/ */
/* From copyright.txt: /* From copyright.txt:
* *
* Copyright (c) 1997, 1998, 1999 * Copyright (c) 1997, 1998, 1999
* *
* *
* The Regents of the University of Michigan ("The Regents") and Merit Network, * The Regents of the University of Michigan ("The Regents") and Merit Network,
* Inc. All rights reserved. * Inc. All rights reserved.
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met: * modification, are permitted provided that the following conditions are met:
* 1. Redistributions of source code must retain the above * 1. Redistributions of source code must retain the above
* copyright notice, this list of conditions and the * copyright notice, this list of conditions and the
* following disclaimer. * following disclaimer.
* 2. Redistributions in binary form must reproduce the above * 2. Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the * copyright notice, this list of conditions and the
* following disclaimer in the documentation and/or other * following disclaimer in the documentation and/or other
* materials provided with the distribution. * materials provided with the distribution.
* 3. All advertising materials mentioning features or use of * 3. All advertising materials mentioning features or use of
* this software must display the following acknowledgement: * this software must display the following acknowledgement:
* This product includes software developed by the University of Michigan, Merit * This product includes software developed by the University of Michigan, Merit
* Network, Inc., and their contributors. * Network, Inc., and their contributors.
* 4. Neither the name of the University, Merit Network, nor the * 4. Neither the name of the University, Merit Network, nor the
* names of their contributors may be used to endorse or * names of their contributors may be used to endorse or
* promote products derived from this software without * promote products derived from this software without
* specific prior written permission. * specific prior written permission.
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
@ -44,7 +44,7 @@
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ */
static char copyright[] = static char copyright[] =
@ -66,6 +66,9 @@ static char copyright[] =
#define Delete free #define Delete free
// From Bro for reporting memory exhaustion.
extern void out_of_memory(const char* where);
/* { from prefix.c */ /* { from prefix.c */
/* prefix_tochar /* prefix_tochar
@ -80,7 +83,7 @@ prefix_tochar (prefix_t * prefix)
return ((u_char *) & prefix->add.sin); return ((u_char *) & prefix->add.sin);
} }
int int
comp_with_mask (void *addr, void *dest, u_int mask) comp_with_mask (void *addr, void *dest, u_int mask)
{ {
@ -95,15 +98,15 @@ comp_with_mask (void *addr, void *dest, u_int mask)
} }
/* inet_pton substitute implementation /* inet_pton substitute implementation
* Uses inet_addr to convert an IP address in dotted decimal notation into * Uses inet_addr to convert an IP address in dotted decimal notation into
* unsigned long and copies the result to dst. * unsigned long and copies the result to dst.
* Only supports AF_INET. Follows standard error return conventions of * Only supports AF_INET. Follows standard error return conventions of
* inet_pton. * inet_pton.
*/ */
int int
local_inet_pton (int af, const char *src, void *dst) local_inet_pton (int af, const char *src, void *dst)
{ {
u_long result; u_long result;
if (af == AF_INET) { if (af == AF_INET) {
result = inet_addr(src); result = inet_addr(src);
@ -166,7 +169,7 @@ my_inet_pton (int af, const char *src, void *dst)
} }
} }
/* /*
* convert prefix information to ascii string with length * convert prefix information to ascii string with length
* thread safe and (almost) re-entrant implementation * thread safe and (almost) re-entrant implementation
*/ */
@ -251,6 +254,9 @@ New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix)
default_bitlen = 128; default_bitlen = 128;
if (prefix == NULL) { if (prefix == NULL) {
prefix = calloc(1, sizeof (prefix_t)); prefix = calloc(1, sizeof (prefix_t));
if (prefix == NULL)
out_of_memory("patrica/new_prefix2: unable to allocate memory");
dynamic_allocated++; dynamic_allocated++;
} }
memcpy (&prefix->add.sin6, dest, 16); memcpy (&prefix->add.sin6, dest, 16);
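Review bot: the new out-of-memory messages spell the module `patrica` (`out_of_memory("patrica/new_prefix2: unable to allocate memory");`), here and in the other two `calloc()` checks below and in `New_Patricia`; it should be `patricia`. The checks also rely on `out_of_memory()` not returning, since execution would otherwise continue into `dynamic_allocated++` and `memcpy()` on a null pointer; if the extern declaration can carry a noreturn attribute, add it so the compiler enforces that assumption.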
@ -260,12 +266,16 @@ New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix)
if (prefix == NULL) { if (prefix == NULL) {
#ifndef NT #ifndef NT
prefix = calloc(1, sizeof (prefix4_t)); prefix = calloc(1, sizeof (prefix4_t));
if (prefix == NULL)
out_of_memory("patrica/new_prefix2: unable to allocate memory");
#else #else
//for some reason, compiler is getting //for some reason, compiler is getting
//prefix4_t size incorrect on NT //prefix4_t size incorrect on NT
prefix = calloc(1, sizeof (prefix_t)); prefix = calloc(1, sizeof (prefix_t));
if (prefix == NULL)
out_of_memory("patrica/new_prefix2: unable to allocate memory");
#endif /* NT */ #endif /* NT */
dynamic_allocated++; dynamic_allocated++;
} }
memcpy (&prefix->add.sin, dest, 4); memcpy (&prefix->add.sin, dest, 4);
@ -368,7 +378,7 @@ Ref_Prefix (prefix_t * prefix)
return (prefix); return (prefix);
} }
void void
Deref_Prefix (prefix_t * prefix) Deref_Prefix (prefix_t * prefix)
{ {
if (prefix == NULL) if (prefix == NULL)
@ -396,6 +406,8 @@ patricia_tree_t *
New_Patricia (int maxbits) New_Patricia (int maxbits)
{ {
patricia_tree_t *patricia = calloc(1, sizeof *patricia); patricia_tree_t *patricia = calloc(1, sizeof *patricia);
if (patricia == NULL)
out_of_memory("patrica/new_patricia: unable to allocate memory");
patricia->maxbits = maxbits; patricia->maxbits = maxbits;
patricia->head = NULL; patricia->head = NULL;
@ -503,10 +515,10 @@ patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix)
if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) { if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
if (node->prefix) if (node->prefix)
fprintf (stderr, "patricia_search_exact: take right %s/%d\n", fprintf (stderr, "patricia_search_exact: take right %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
else else
fprintf (stderr, "patricia_search_exact: take right at %d\n", fprintf (stderr, "patricia_search_exact: take right at %d\n",
node->bit); node->bit);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
node = node->r; node = node->r;
@ -514,10 +526,10 @@ patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix)
else { else {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
if (node->prefix) if (node->prefix)
fprintf (stderr, "patricia_search_exact: take left %s/%d\n", fprintf (stderr, "patricia_search_exact: take left %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
else else
fprintf (stderr, "patricia_search_exact: take left at %d\n", fprintf (stderr, "patricia_search_exact: take left at %d\n",
node->bit); node->bit);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
node = node->l; node = node->l;
@ -529,7 +541,7 @@ patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix)
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
if (node->prefix) if (node->prefix)
fprintf (stderr, "patricia_search_exact: stop at %s/%d\n", fprintf (stderr, "patricia_search_exact: stop at %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
else else
fprintf (stderr, "patricia_search_exact: stop at %d\n", node->bit); fprintf (stderr, "patricia_search_exact: stop at %d\n", node->bit);
@ -541,7 +553,7 @@ patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix)
if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix), if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix),
bitlen)) { bitlen)) {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_search_exact: found %s/%d\n", fprintf (stderr, "patricia_search_exact: found %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
return (node); return (node);
@ -575,7 +587,7 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv
if (node->prefix) { if (node->prefix) {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_search_best: push %s/%d\n", fprintf (stderr, "patricia_search_best: push %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
stack[cnt++] = node; stack[cnt++] = node;
@ -584,10 +596,10 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv
if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) { if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
if (node->prefix) if (node->prefix)
fprintf (stderr, "patricia_search_best: take right %s/%d\n", fprintf (stderr, "patricia_search_best: take right %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
else else
fprintf (stderr, "patricia_search_best: take right at %d\n", fprintf (stderr, "patricia_search_best: take right at %d\n",
node->bit); node->bit);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
node = node->r; node = node->r;
@ -595,10 +607,10 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv
else { else {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
if (node->prefix) if (node->prefix)
fprintf (stderr, "patricia_search_best: take left %s/%d\n", fprintf (stderr, "patricia_search_best: take left %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
else else
fprintf (stderr, "patricia_search_best: take left at %d\n", fprintf (stderr, "patricia_search_best: take left at %d\n",
node->bit); node->bit);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
node = node->l; node = node->l;
@ -615,7 +627,7 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv
if (node == NULL) if (node == NULL)
fprintf (stderr, "patricia_search_best: stop at null\n"); fprintf (stderr, "patricia_search_best: stop at null\n");
else if (node->prefix) else if (node->prefix)
fprintf (stderr, "patricia_search_best: stop at %s/%d\n", fprintf (stderr, "patricia_search_best: stop at %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
else else
fprintf (stderr, "patricia_search_best: stop at %d\n", node->bit); fprintf (stderr, "patricia_search_best: stop at %d\n", node->bit);
@ -627,14 +639,14 @@ patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusiv
while (--cnt >= 0) { while (--cnt >= 0) {
node = stack[cnt]; node = stack[cnt];
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_search_best: pop %s/%d\n", fprintf (stderr, "patricia_search_best: pop %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
if (comp_with_mask (prefix_tochar (node->prefix), if (comp_with_mask (prefix_tochar (node->prefix),
prefix_tochar (prefix), prefix_tochar (prefix),
node->prefix->bitlen)) { node->prefix->bitlen)) {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_search_best: found %s/%d\n", fprintf (stderr, "patricia_search_best: found %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
return (node); return (node);
@ -665,6 +677,9 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
if (patricia->head == NULL) { if (patricia->head == NULL) {
node = calloc(1, sizeof *node); node = calloc(1, sizeof *node);
if (node == NULL)
out_of_memory("patrica/patrica_lookup: unable to allocate memory");
node->bit = prefix->bitlen; node->bit = prefix->bitlen;
node->prefix = Ref_Prefix (prefix); node->prefix = Ref_Prefix (prefix);
node->parent = NULL; node->parent = NULL;
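Review bot: the new out_of_memory message misspells the module name ("patrica/patrica_lookup"); it should read "patricia/patricia_lookup" so the diagnostic is greppable against the real file and function names. The same string is pasted at the two other calloc sites added to patricia_lookup further down in this file, so fix all three together. Placing the NULL check before `node->bit = prefix->bitlen;` is the right order, since that line is the first dereference of the fresh allocation.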
@ -672,7 +687,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
node->data = NULL; node->data = NULL;
patricia->head = node; patricia->head = node;
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_lookup: new_node #0 %s/%d (head)\n", fprintf (stderr, "patricia_lookup: new_node #0 %s/%d (head)\n",
prefix_toa (prefix), prefix->bitlen); prefix_toa (prefix), prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
patricia->num_active_node++; patricia->num_active_node++;
@ -691,7 +706,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
break; break;
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
if (node->prefix) if (node->prefix)
fprintf (stderr, "patricia_lookup: take right %s/%d\n", fprintf (stderr, "patricia_lookup: take right %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
else else
fprintf (stderr, "patricia_lookup: take right at %d\n", node->bit); fprintf (stderr, "patricia_lookup: take right at %d\n", node->bit);
@ -703,7 +718,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
break; break;
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
if (node->prefix) if (node->prefix)
fprintf (stderr, "patricia_lookup: take left %s/%d\n", fprintf (stderr, "patricia_lookup: take left %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
else else
fprintf (stderr, "patricia_lookup: take left at %d\n", node->bit); fprintf (stderr, "patricia_lookup: take left at %d\n", node->bit);
@ -716,7 +731,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
assert (node->prefix); assert (node->prefix);
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_lookup: stop at %s/%d\n", fprintf (stderr, "patricia_lookup: stop at %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
@ -751,7 +766,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
parent = node->parent; parent = node->parent;
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
if (node->prefix) if (node->prefix)
fprintf (stderr, "patricia_lookup: up to %s/%d\n", fprintf (stderr, "patricia_lookup: up to %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
else else
fprintf (stderr, "patricia_lookup: up to %d\n", node->bit); fprintf (stderr, "patricia_lookup: up to %d\n", node->bit);
@ -760,8 +775,8 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
if (differ_bit == bitlen && node->bit == bitlen) { if (differ_bit == bitlen && node->bit == bitlen) {
if (node->prefix) { if (node->prefix) {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_lookup: found %s/%d\n", fprintf (stderr, "patricia_lookup: found %s/%d\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
return (node); return (node);
@ -776,6 +791,9 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
} }
new_node = calloc(1, sizeof *new_node); new_node = calloc(1, sizeof *new_node);
if (new_node == NULL)
out_of_memory("patrica/patrica_lookup: unable to allocate memory");
new_node->bit = prefix->bitlen; new_node->bit = prefix->bitlen;
new_node->prefix = Ref_Prefix (prefix); new_node->prefix = Ref_Prefix (prefix);
new_node->parent = NULL; new_node->parent = NULL;
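Review bot: "patrica/patrica_lookup" in the out_of_memory message is a typo for "patricia/patricia_lookup"; the check itself is correctly placed before `new_node->bit` is written.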
@ -795,7 +813,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
node->l = new_node; node->l = new_node;
} }
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_lookup: new_node #2 %s/%d (child)\n", fprintf (stderr, "patricia_lookup: new_node #2 %s/%d (child)\n",
prefix_toa (prefix), prefix->bitlen); prefix_toa (prefix), prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
return (new_node); return (new_node);
@ -822,12 +840,15 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
} }
node->parent = new_node; node->parent = new_node;
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_lookup: new_node #3 %s/%d (parent)\n", fprintf (stderr, "patricia_lookup: new_node #3 %s/%d (parent)\n",
prefix_toa (prefix), prefix->bitlen); prefix_toa (prefix), prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
} }
else { else {
glue = calloc(1, sizeof *glue); glue = calloc(1, sizeof *glue);
if (glue == NULL)
out_of_memory("patrica/patrica_lookup: unable to allocate memory");
glue->bit = differ_bit; glue->bit = differ_bit;
glue->prefix = NULL; glue->prefix = NULL;
glue->parent = node->parent; glue->parent = node->parent;
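Review bot: the out_of_memory message at the glue-node allocation repeats the "patrica/patrica_lookup" misspelling; correct it to "patricia/patricia_lookup". Note also that the message does not say which of the three allocations in patricia_lookup failed (head, child, or glue); appending that word would make an abort from this path easier to localise.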
@ -856,7 +877,7 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
} }
node->parent = glue; node->parent = glue;
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_lookup: new_node #4 %s/%d (glue+node)\n", fprintf (stderr, "patricia_lookup: new_node #4 %s/%d (glue+node)\n",
prefix_toa (prefix), prefix->bitlen); prefix_toa (prefix), prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
} }
@ -874,13 +895,13 @@ patricia_remove (patricia_tree_t *patricia, patricia_node_t *node)
if (node->r && node->l) { if (node->r && node->l) {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_remove: #0 %s/%d (r & l)\n", fprintf (stderr, "patricia_remove: #0 %s/%d (r & l)\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
/* this might be a placeholder node -- have to check and make sure /* this might be a placeholder node -- have to check and make sure
* there is a prefix aossciated with it ! */ * there is a prefix aossciated with it ! */
if (node->prefix != NULL) if (node->prefix != NULL)
Deref_Prefix (node->prefix); Deref_Prefix (node->prefix);
node->prefix = NULL; node->prefix = NULL;
/* Also I needed to clear data pointer -- masaki */ /* Also I needed to clear data pointer -- masaki */
@ -890,7 +911,7 @@ patricia_remove (patricia_tree_t *patricia, patricia_node_t *node)
if (node->r == NULL && node->l == NULL) { if (node->r == NULL && node->l == NULL) {
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_remove: #1 %s/%d (!r & !l)\n", fprintf (stderr, "patricia_remove: #1 %s/%d (!r & !l)\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
parent = node->parent; parent = node->parent;
@ -937,7 +958,7 @@ patricia_remove (patricia_tree_t *patricia, patricia_node_t *node)
} }
#ifdef PATRICIA_DEBUG #ifdef PATRICIA_DEBUG
fprintf (stderr, "patricia_remove: #2 %s/%d (r ^ l)\n", fprintf (stderr, "patricia_remove: #2 %s/%d (r ^ l)\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
#endif /* PATRICIA_DEBUG */ #endif /* PATRICIA_DEBUG */
if (node->r) { if (node->r) {
@ -996,7 +1017,7 @@ try_search_exact (patricia_tree_t *tree, char *string)
printf ("try_search_exact: not found\n"); printf ("try_search_exact: not found\n");
} }
else { else {
printf ("try_search_exact: %s/%d found\n", printf ("try_search_exact: %s/%d found\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
} }
Deref_Prefix (prefix); Deref_Prefix (prefix);
@ -1023,7 +1044,7 @@ try_search_best (patricia_tree_t *tree, char *string)
if ((node = patricia_search_best (tree, prefix)) == NULL) if ((node = patricia_search_best (tree, prefix)) == NULL)
printf ("try_search_best: not found\n"); printf ("try_search_best: not found\n");
else else
printf ("try_search_best: %s/%d found\n", printf ("try_search_best: %s/%d found\n",
prefix_toa (node->prefix), node->prefix->bitlen); prefix_toa (node->prefix), node->prefix->bitlen);
Deref_Prefix (prefix); Deref_Prefix (prefix);
return 0; // [RS] What is supposed to be returned here? return 0; // [RS] What is supposed to be returned here?
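Review bot: the "[RS] What is supposed to be returned here?" question on the `return 0;` in try_search_best is still unresolved in this hunk; either settle what the function should return (callers in this test driver appear to ignore it, so a void return or a consistent found/not-found code would both work) or convert the remark into a tracked TODO so an open question does not ship inline.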

View file

@ -184,6 +184,7 @@ enum Type %{
AYIYA, AYIYA,
TEREDO, TEREDO,
SOCKS, SOCKS,
GTPv1,
%} %}
type EncapsulatingConn: record; type EncapsulatingConn: record;

View file

@ -1416,7 +1416,7 @@ void safe_close(int fd)
} }
} }
void out_of_memory(const char* where) extern "C" void out_of_memory(const char* where)
{ {
fprintf(stderr, "out of memory in %s.\n", where); fprintf(stderr, "out of memory in %s.\n", where);
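Review bot: giving the definition C linkage only works if the matching declaration in util.h (changed in the next hunk) is visible before this definition and carries the same `extern "C"`; otherwise the compiler emits two symbols and the C caller in patricia.c still fails to link. Worth confirming util.cc includes util.h above this point and that no other translation unit declares out_of_memory with C++ linkage.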

View file

@ -303,7 +303,7 @@ extern bool safe_write(int fd, const char* data, int len);
// Wraps close(2) to emit error messages and abort on unrecoverable errors. // Wraps close(2) to emit error messages and abort on unrecoverable errors.
extern void safe_close(int fd); extern void safe_close(int fd);
extern void out_of_memory(const char* where); extern "C" void out_of_memory(const char* where);
inline void* safe_realloc(void* ptr, size_t size) inline void* safe_realloc(void* ptr, size_t size)
{ {
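Review bot: `extern "C"` is not valid C, so this declaration must be wrapped in `#ifdef __cplusplus` if util.h is ever included from a C translation unit; the reason for the change (patricia.c, a C file, now calls out_of_memory) is exactly the case where a C compiler would choke on it. A safe form is:

#ifdef __cplusplus
extern "C"
#endif
void out_of_memory(const char* where);

with patricia.c declaring the same prototype (without the linkage specifier) on its side.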

View file

@ -1,2 +0,0 @@
1350604800.0
0.0

View file

@ -0,0 +1,3 @@
warning: strptime conversion failed: fmt:%m d:1980-10-24
1350604800.0
0.0
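Review bot: the strptime warning is now baselined in the same file as the two numeric outputs, so the test must capture stderr and stdout into one stream in a deterministic order; if the warning goes to stderr while the values go to buffered stdout, the interleaving can vary between runs and make this baseline flaky. Either baseline stderr separately or ensure both streams are unbuffered/merged in the test command.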

View file

@ -1,10 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path reporter
#open 2012-10-19-06-06-36
#fields ts level message location
#types time enum string string
0.000000 Reporter::WARNING strptime conversion failed: fmt:%m d:1980-10-24 (empty)
#close 2012-10-19-06-06-36
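Review bot: removing this reporter.log baseline drops the only check on the warning's level (Reporter::WARNING) and location columns; the replacement output baseline above only captures the message text. If that loss of coverage is intentional, say so in the test, otherwise keep the reporter.log baseline alongside the new one.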

View file

@ -0,0 +1,12 @@
1300475167.096535 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 28: field value missing [p$ip]
1300475167.096535 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 49: field value missing [p$ip]
1300475168.902195 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 39: field value missing [p$ip]
1300475168.902195 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 12: field value missing [p$ip]
timeout g(), F
timeout g(), T
timeout
g() done, no exception, T
localhost resolved
localhost resolved from f(), T
localhost resolved from f(), F
f() done, no exception, T
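Review bot: the four "expression error" lines embed a developer-specific absolute path (/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/...), which will differ on every other machine and CI runner, so this baseline will fail anywhere but the author's checkout unless the test canonifies the path before comparing. Run the output through the test suite's path-stripping filter (or sed out everything before the script basename) so only "dns-interpreter-exceptions.bro, line N: field value missing [p$ip]" is compared.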

View file

@ -0,0 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2012-10-19-17-03-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1333458850.321642 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 tcp http 0.257902 1138 63424 S3 - 0 ShADadf 29 2310 49 65396 UWkUyAuUGXf,k6kgXLOoSKl
1333458850.325787 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - 0 D 49 67160 0 0 (empty)
1333458850.321642 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - 0 D 29 3354 0 0 (empty)
#close 2012-10-19-17-03-55

View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2012-10-19-17-03-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1333458850.340368 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - -
1333458850.399501 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - -
#close 2012-10-19-17-03-55

View file

@ -0,0 +1,13 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open 2012-10-19-17-03-55
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1333458850.321642 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458850.325787 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458850.579544 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 Tunnel::GTPv1 Tunnel::CLOSE
1333458850.579544 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 Tunnel::GTPv1 Tunnel::CLOSE
#close 2012-10-19-17-03-55
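Review bot: this baseline shows two tunnel rows (UWkUyAuUGXf from port 5906 and k6kgXLOoSKl from port 2152) for what conn.log above records as a single inner HTTP connection (arKYeMETxOg, tunnel_parents UWkUyAuUGXf,k6kgXLOoSKl). That is expected when the two GTP-U directions use different outer source ports and therefore different 5-tuples, but a short comment in the test explaining why a bidirectional tunnel yields two DISCOVER/CLOSE pairs would stop a later reader from filing it as a duplicate-logging bug.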

View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2012-10-19-17-07-44
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1333458871.219794 UWkUyAuUGXf 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - 0 D 1 64 0 0 (empty)
#close 2012-10-19-17-07-44

View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#open 2012-10-19-17-07-44
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1333458871.219794 UWkUyAuUGXf 10.131.24.6 2152 195.178.38.3 53 udp 27595 abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F
#close 2012-10-19-17-07-44
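Review bot: here the flow 10.131.24.6:2152 -> 195.178.38.3:53 is logged as plain DNS with no tunnel.log entry, i.e. a source port of 2152 alone does not trigger GTPv1 decapsulation, only a destination port of 2152 does. That is the sensible behaviour, but the test should state it as the property under test (a negative case for port-based detection) so the absence of a tunnel.log baseline is understood as deliberate rather than as a missing file.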

View file

@ -0,0 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2012-10-19-17-21-27
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1333458851.770000 arKYeMETxOg fe80::224c:4fff:fe43:414c 1234 ff02::1:3 5355 udp dns - - - S0 - 0 D 1 80 0 0 UWkUyAuUGXf
1333458851.770000 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - 0 D 2 208 0 0 (empty)
1333458851.969236 k6kgXLOoSKl fe80::224c:4fff:fe43:414c 133 ff02::2 134 icmp - - - - OTH - 0 - 1 56 0 0 UWkUyAuUGXf
#close 2012-10-19-17-21-27

View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open 2012-10-19-17-21-27
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1333458851.770000 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458851.969236 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 Tunnel::GTPv1 Tunnel::CLOSE
#close 2012-10-19-17-21-27

View file

@ -0,0 +1,26 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2012-10-19-17-34-25
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1333458850.037956 qCaWGmzFtM5 10.131.112.102 51403 94.245.121.253 3544 udp teredo - - - SHR - 0 d 0 0 1 84 GSxOnSLghOa
1333458850.040098 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - 0 D 2 248 0 0 (empty)
1333458850.016620 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 udp teredo - - - S0 - 0 D 1 80 0 0 k6kgXLOoSKl
1333458850.029781 FrJExwHcSal 172.24.16.67 52298 94.245.121.253 3544 udp teredo - - - S0 - 0 D 1 88 0 0 TEfuqmmG4bh
1333458850.035456 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - 0 D 2 250 0 0 (empty)
1333458850.016620 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - 0 Dd 1 116 1 120 (empty)
1333458850.029781 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - 0 D 2 248 0 0 (empty)
1333458850.035460 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 udp teredo - - - S0 - 0 D 1 89 0 0 VW0XPVINV8a
1333458850.037956 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - 0 D 1 120 0 0 (empty)
1333458850.014199 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - 0 D 1 124 0 0 (empty)
1333458850.040098 h5DsfNtYzi1 172.24.203.81 54447 65.55.158.118 3544 udp teredo 0.003698 120 0 S0 - 0 D 2 176 0 0 70MGiRM1Qf4
1333458850.029783 5OKnoww6xl4 172.24.16.67 52298 65.55.158.118 3544 udp teredo - - - S0 - 0 D 1 88 0 0 TEfuqmmG4bh
1333458850.032887 3PKsZ2Uye21 10.131.42.160 62069 94.245.121.253 3544 udp teredo - - - SHR - 0 d 0 0 1 84 k6kgXLOoSKl
1333458850.014199 arKYeMETxOg 172.24.204.200 56528 65.55.158.118 3544 udp teredo - - - S0 - 0 D 1 88 0 0 UWkUyAuUGXf
1333458850.035456 fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 udp teredo - - - S0 - 0 D 1 89 0 0 VW0XPVINV8a
1333458850.016620 j4u32Pc5bif 2001:0:5ef5:79fb:38b8:1695:2b37:be8e 128 2002:2571:c817::2571:c817 129 icmp - - - - OTH - 0 - 1 52 0 0 nQcgTWjvg4c
1333458850.035456 qSsw6ESzHV4 fe80::ffff:ffff:fffe 133 ff02::2 134 icmp - 0.000004 0 0 OTH - 0 - 2 96 0 0 fRFu0wcOle6,iE6yhOq3SF
#close 2012-10-19-17-34-25

View file

@ -0,0 +1,27 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open 2012-10-19-17-34-25
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1333458850.014199 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458850.016620 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458850.016620 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 Tunnel::TEREDO Tunnel::DISCOVER
1333458850.029781 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458850.035456 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458850.035456 fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 Tunnel::TEREDO Tunnel::DISCOVER
1333458850.035460 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 Tunnel::TEREDO Tunnel::DISCOVER
1333458850.037956 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458850.040098 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458850.043796 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::CLOSE
1333458850.043796 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 Tunnel::TEREDO Tunnel::CLOSE
1333458850.043796 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 Tunnel::GTPv1 Tunnel::CLOSE
1333458850.043796 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::CLOSE
1333458850.043796 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::CLOSE
1333458850.043796 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 Tunnel::TEREDO Tunnel::CLOSE
1333458850.043796 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 Tunnel::GTPv1 Tunnel::CLOSE
1333458850.043796 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::CLOSE
1333458850.043796 fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 Tunnel::TEREDO Tunnel::CLOSE
#close 2012-10-19-17-34-25

View file

@ -0,0 +1 @@
protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...]
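Review bot: the GTP-in-GTP case is surfaced as a protocol_violation whose reason string carries the raw inner payload, which is acceptable for a baseline but means the weird text will change whenever the escaping or truncation of binary data changes. Consider keeping only the constant prefix ("GTP-in-GTP") in the baseline, and document in the test that nested GTP tunnels are intentionally rejected rather than decapsulated, since the conn.log for the same capture below logs the 2152/2152 flows with service "-".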

View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2012-10-19-17-46-48
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1333458850.532814 UWkUyAuUGXf 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - 0 D 1 52 0 0 (empty)
1333458850.867091 arKYeMETxOg 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - 0 Dd 1 40 1 42 (empty)
#close 2012-10-19-17-46-48

View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2012-10-19-17-19-16
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1333458852.011535 arKYeMETxOg 10.222.10.10 44960 173.194.69.188 5228 tcp ssl 0.573499 704 1026 S1 - 0 ShADad 17 1604 14 1762 UWkUyAuUGXf
1333458852.011535 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - 0 Dd 17 2216 14 2322 (empty)
#close 2012-10-19-17-19-16

View file

@ -0,0 +1,31 @@
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=64, teid=159098, seq=0, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=170, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=1, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=194, teid=159098, seq=2, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=111, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=3, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=89, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=4, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=93, teid=159098, seq=5, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=457, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=6, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=7, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=137, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=8, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=9, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=10, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=11, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=205, teid=159098, seq=12, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=13, n_pdu=0, next_type=0]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
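Review bot: the baseline shows seq, n_pdu and next_type as <uninitialized> whenever s_flag, pn_flag and e_flag are all F, so these fields of the header record must be declared &optional and any script handler for this event has to test them with `?$` before reading them; accessing `hdr$seq` unconditionally would raise an interpreter error on the first such packet. Worth adding a handler to the test that exercises both the present and absent case so that property is pinned by the baseline rather than implied by it.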

View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open 2012-10-19-17-19-16
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1333458852.011535 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458852.585034 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 Tunnel::GTPv1 Tunnel::CLOSE
#close 2012-10-19-17-19-16

View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2012-10-19-16-44-02
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1333458850.364667 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - 0 ShADadfF 27 3204 41 52594 UWkUyAuUGXf
1333458850.364667 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - 0 Dd 27 4176 41 54070 (empty)
#close 2012-10-19-16-44-02
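Review bot: the inner TCP connection (arKYeMETxOg) reports resp_bytes=56702 while the outer GTP flow that carried it (UWkUyAuUGXf) reports resp_bytes=52922, so the decapsulated stream claims more responder payload than the tunnel delivered, yet missed_bytes is 0 and conn_state is SF. Since TCP byte counts are taken from sequence-number space while UDP counts are summed payload, this may indicate a gap in the responder direction of the trace that went unreported; worth confirming before the numbers are frozen as a baseline. The IP byte counts do line up (52594 inner bytes + 41 packets x 36 bytes of outer IPv4/UDP/GTP headers = 54070; 3204 + 27 x 36 = 4176), and tunnel_parents correctly links the inner flow to the outer uid.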


@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2012-10-19-16-44-02
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1333458850.375568 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com /videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 0 56320 206 Partial Content - - - (empty) - - - application/octet-stream - -
#close 2012-10-19-16-44-02
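Review bot: the uri column keeps the full signed YouTube URL (signature=..., ip=212.0.0.0, cp=...), which makes this a ~600-character line that any future change to URI escaping or field order will touch; a request with a short path would test GTP decapsulation just as well and be easier to diff. On the positive side, response_body_len=56320 for the 206 reply is consistent with resp_bytes=56702 in conn.log (about 380 bytes of response headers), so the HTTP analyzer clearly ran end to end on the decapsulated stream.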


@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open 2012-10-19-16-44-02
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1333458850.364667 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458850.434480 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 Tunnel::GTPv1 Tunnel::CLOSE
#close 2012-10-19-16-44-02


@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dpd
#open 2012-10-19-17-38-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
1333458853.075889 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [E\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eVP\x10\x10\xe0u\xcf\x00\x00...]
#close 2012-10-19-17-38-54
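Review bot: failure_reason here is the new protocol_violation from the GTPv1 analyzer ("Truncated GTPv1") followed by an escaped dump of the packet bytes; the dump part is noise in a baseline and depends on the escaping rules and the truncation length, so reporting just the reason plus the received and expected header lengths would be more stable and more useful to an operator reading dpd.log. The tunnel.log baseline in the next hunk (same uid UWkUyAuUGXf) records the CLOSE about 33 ms after this violation, consistent with the violation tearing the tunnel down.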


@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open 2012-10-19-17-38-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1333458853.034734 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::DISCOVER
1333458853.108391 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::CLOSE
#close 2012-10-19-17-38-54


@ -31,3 +31,4 @@ file "test2" of string
6667/tcp 6667/tcp
[2, 20, 3, 4] [2, 20, 3, 4]
[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>] [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
122112


@ -31,3 +31,4 @@ file "test2" of string
6667/tcp 6667/tcp
[2, 20, 3, 4] [2, 20, 3, 4]
[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>] [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
122112
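Review bot: this hunk is byte-identical to the previous one (same "test2" of string context, same added 122112 line), so two baseline files changed in lockstep; if they belong to variants of the same test script it may be worth having them share one baseline, otherwise a note in each test on why the output is expected to be the same would stop the next reader from wondering whether one of the files is stale.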


@ -1,7 +1,18 @@
myhook, &priority=10, [a=1156, b=hello world] myhook, &priority=10, [a=1156, b=hello world]
myhook return F
myhook return T
myhook, &priority=5, [a=37, b=goobye world] myhook, &priority=5, [a=37, b=goobye world]
F
myhook3, 8 myhook3, 8
T
myhook4, 2 myhook4, 2
myhook4, 1 myhook4, 1
T
myhook4, 2
myhook4, 1
myhook4 all handlers ran
myhook, &priority=10, [a=2, b=it works] myhook, &priority=10, [a=2, b=it works]
myhook return F
myhook return T
myhook, &priority=5, [a=37, b=goobye world] myhook, &priority=5, [a=37, b=goobye world]
F
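Review bot: "goobye world" in the priority-5 handler's argument (context lines) looks like a typo for "goodbye world" in the test script; harmless for the baseline, but fixing it means regenerating this file. The bare "T" / "F" lines are the values the hook invocations evaluate to and carry no label, while the new "myhook4 all handlers ran" line does; printing a short label for the other results too (e.g. "result: T") would make future diffs of this baseline self-explaining.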


@ -0,0 +1,10 @@
error in ./invalid.bro, line 9: hook cannot be called directly, use hook operator (myhook)
warning in ./invalid.bro, line 9: expression value ignored (myhook(3))
error in ./invalid.bro, line 10: hook cannot be called directly, use hook operator (myhook)
error in ./invalid.bro, line 11: hook cannot be called directly, use hook operator (myhook)
error in ./invalid.bro, line 12: not a valid hook call expression (2 + 2)
warning in ./invalid.bro, line 12: expression value ignored (2 + 2)
error in ./invalid.bro, line 13: not a valid hook call expression (2 + 2)
error in ./invalid.bro, line 15: hook cannot be called directly, use hook operator (h)
warning in ./invalid.bro, line 15: expression value ignored (h(3))
error in ./invalid.bro, line 16: hook cannot be called directly, use hook operator (h)
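Review bot: lines 9, 12 and 15 of the test each produce both an error ("hook cannot be called directly" or "not a valid hook call expression") and a follow-up "expression value ignored" warning for the same expression, whereas lines 10, 11, 13 and 16 produce the error alone; once a call expression has been rejected the expression-statement warning is redundant, so the checker could skip it when the expression already carries an error. Note also that this baseline uses the relative path ./invalid.bro, which is the form the other new language baselines should use as well.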


@ -0,0 +1,42 @@
myhook(), 3
other myhook(), 3
myhook(), 3
other myhook(), 3
T
myhook(), 0
F
-----------
indirect()
myhook(), 3
other myhook(), 3
indirect()
myhook(), 3
other myhook(), 3
T
-----------
really_indirect()
indirect()
myhook(), 3
other myhook(), 3
really_indirect()
indirect()
myhook(), 3
other myhook(), 3
T
-----------
myhook(), 3
other myhook(), 3
myhook(), 3
other myhook(), 3
T
myhook(), 3
other myhook(), 3
yes
myhook(), 0
double yes
-----------
myhook(), 3
other myhook(), 3
myhook(), 3
other myhook(), 3
T
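Review bot: the sections separated by "-----------" carry no labels, and the nested cases are only recognisable because indirect() and really_indirect() print their own names; a one-line heading per section (direct call, via indirect, via really_indirect, and so on) would make a failure in this 42-line baseline attributable without re-reading the test. The "myhook(), 0" case followed by "F" (and by "double yes" later) is the only place where the hook evaluates to F, and there "other myhook()" does not run afterwards, consistent with the first handler breaking; a comment in the test saying so would help.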


@ -1 +0,0 @@
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_hook/invalid_hook.bro, line 15: hook called in expression, use hook statement instead (myhook(nope))
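Review bot: the removed message ("hook called in expression, use hook statement instead") is the inverse of the new diagnostic ("hook cannot be called directly, use hook operator"), so dropping this baseline is consistent with the semantics change; just make sure the matching invalid_hook test script was removed or renamed along with it, otherwise btest will fail on a missing baseline rather than on the new messages.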


@ -0,0 +1,7 @@
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 8: no such index (foo[1])
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 9: no such index (foo[2])
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 12: no such index (foo2[1])
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 13: no such index (foo2[2])
foo[0], 42
foo2[0], 13
done
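Review bot: the four error lines embed the absolute path /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, so this baseline only matches on the machine that generated it unless btest-diff is run through a path canonifier (TEST_DIFF_CANONIFIER); the invalid hook baseline above prints "./invalid.bro" instead, and either that relative form or the canonifier should be used here.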


@ -0,0 +1,3 @@
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 6: no type given (asdfasdf)
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: uninitialized list value ($ports=asdfasdf)
error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: bad record initializer ([$ports=asdfasdf])
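Review bot: same absolute-path problem as the invalid_index baseline (the /Users/jsiwek/... path will not match elsewhere without a canonifier). Beyond that, the undefined identifier asdfasdf on line 6 cascades into two further errors on line 7 for the same constructor ("uninitialized list value" and "bad record initializer"); the latter is the new check from this change, and it may be worth suppressing the generic "uninitialized list value" message when the more specific record-initializer error is already reported.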


@ -0,0 +1,91 @@
my_set_ctor_init
{
test2,
test3,
test4,
test1
}
my_table_ctor_init
{
[2] = test2,
[1] = test1,
[3] = test3
}
nope
my_set_init
{
test2,
test3,
test4,
test1
}
my_table_init
{
[2] = test2,
[4] = test4,
[1] = test1,
[3] = test3
}
nope
inception
{
[0] = {
[13] = bar
}
}
{
[13] = bar
}
bar
forty-two
{
}
we need to go deeper
{
[0] = {
[13] = bar
}
}
{
[13] = bar
}
bar
forty-two
{
}
we need to go deeper
local table t1
{
[1] = foo
}
foo
nope
local table t2
{
[1] = foo
}
foo
nope
local table t3
{
}
nope
nope
local table t4
{
}
nope
nope
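Review bot: my_table_ctor_init holds keys 1, 2 and 3 while my_table_init holds 1, 2, 3 and 4 (both sets hold test1 through test4); if the constructor and init forms are meant to build the same table, the missing [4] = test4 in the constructor variant needs either a fix or a comment in the test saying the difference is intentional. The set and table print order (test2, test3, test4, test1) is hash order, so this baseline depends on the deterministic seed btest supplies.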


@ -0,0 +1,50 @@
table of set
{
[13] = {
[bar, 2] ,
[foo, 1]
},
[5] = {
[bah, 3] ,
[baz, 4]
}
}
table of vector
{
[13] = [1, 2],
[5] = [3, 4]
}
table of table
{
[13] = {
[bar, 2] = 2,
[foo, 1] = 1
},
[5] = {
[bah, 3] = 3,
[baz, 4] = 4
}
}
table of record
{
[13] = [a=1, b=foo],
[5] = [a=2, b=bar]
}
T
T
T
T
T
T
T
T
T
T
T
T
T
T
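Review bot: elements of a set with a composite index print with a space before the comma ("[bar, 2] ," in the table-of-set block) while table entries print "[bar, 2] = 2," with no such space; the set printer should drop the extra space so the two forms are consistent, and the baseline regenerated. The 14 bare "T" lines at the end are check results without labels; printing the checked expression next to each would make a failure locatable without re-reading the test.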


@ -0,0 +1,4 @@
error: ../input.log/Input::READER_ASCII: String 'l' contained no parseable number
error: ../input.log/Input::READER_ASCII: Could not convert line ' l' to Val. Ignoring line.
received termination signal
>>>
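Review bot: the bad input line " l" produces two error lines from the ASCII reader for one field ("String 'l' contained no parseable number" and "Could not convert line ' l' to Val. Ignoring line."); acceptable as a baseline, but one message naming the field, the offending value and the line would be clearer for operators. The trailing ">>>" line is unexplained; if it is the test's own end marker a descriptive string would read better.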


@ -0,0 +1,3 @@
{
[] = [c=5]
}


@ -0,0 +1,58 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open 2012-12-07-04-43-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html - -
1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html - -
1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html - -
1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - text/html - -
1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - -
1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - -
1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328924.559704 E490YZTUozc 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - -
1354328928.625437 YIeWJmXWNWj 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - -
1354328932.692706 ydiZblvsYri 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - - 0 0 400 Bad Request - - - (empty) - - - - - -
1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - -
#close 2012-12-07-04-43-19
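Review bot: this baseline is the functional check for the request-method change: CCM_POST (which contains an underscore, so it would have failed the earlier letters-only rule) is now logged as a method, OPTIONS/TRACE/DELETE/CONNECT/PUT/HEAD all appear, and the 400 replies with trans_depth=0 and method "-" belong to the deliberately malformed request lines the parser rejected (the next hunk's bad_HTTP_request and unmatched_HTTP_reply weirds). One thing to state in the test as intended: entries whose uri is "HTTP/1.1" or "/HTTP/1.1" (e.g. OPTIONS www.google.com HTTP/1.1) come from request lines without a proper URI, so the version token ends up logged as the URI; that is a defensible outcome for a two-token line, but it should be documented rather than left for a reader to guess.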


@ -0,0 +1,58 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2012-12-07-04-43-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1354328874.278822 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 bad_HTTP_request - F bro
1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328874.321792 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 bad_HTTP_request - F bro
1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328882.908690 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 bad_HTTP_request - F bro
1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328882.949510 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 bad_HTTP_request - F bro
1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328887.094494 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 bad_HTTP_request - F bro
1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.141058 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.183942 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.226199 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.267625 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 bad_HTTP_request - F bro
1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
1354328895.396634 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 bad_HTTP_request - F bro
1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328895.438812 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 bad_HTTP_request - F bro
1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 unknown_HTTP_method CCM_POST F bro
1354328903.614145 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 bad_HTTP_request - F bro
1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328903.656369 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 bad_HTTP_request - F bro
1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328911.832856 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 bad_HTTP_request - F bro
1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328911.876341 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 bad_HTTP_request - F bro
1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328920.052085 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 bad_HTTP_request - F bro
1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328920.094072 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 bad_HTTP_request - F bro
1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328924.266693 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328924.308714 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328924.476011 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328924.518204 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 bad_HTTP_request - F bro
1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328932.734579 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 bad_HTTP_request - F bro
1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 unmatched_HTTP_reply - F bro
1354328932.776609 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 bad_HTTP_request - F bro
1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 unmatched_HTTP_reply - F bro
#close 2012-12-07-04-43-19
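Review bot: the new bad_HTTP_request weird always has addl "-", while unknown_HTTP_method carries the offending token (CCM_POST) in addl; for bad_HTTP_request the rejected request line, or its first bytes, would be far more useful to an analyst, since the matching http.log entries show method and uri "-" and give nothing to go on. Each rejected request is followed about 20 ms later by an unmatched_HTTP_reply for the same uid, which is the expected consequence of dropping the request rather than a separate problem, and the test could say so.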



@ -1,4 +1,4 @@
# @TEST-EXEC: bro %INPUT >output # @TEST-EXEC: bro -b %INPUT >output
# @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff output
global v: index_vec; global v: index_vec;
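Review bot: switching to `bro -b` (bare mode) stops the base/ scripts from loading, which makes these tests faster and insulates them from unrelated script changes; it is right for tests that only print BiF results, but each converted test should be checked for anything it implicitly relied on from the default scripts (logging setup, notice or connection state), since such a dependency would change the output silently rather than fail loudly. The four hunks that follow make the same change and the same check applies to them.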


@ -1,4 +1,4 @@
# @TEST-EXEC: bro %INPUT >output # @TEST-EXEC: bro -b %INPUT >output
# @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff output
print addr_to_ptr_name([2607:f8b0:4009:802::1012]); print addr_to_ptr_name([2607:f8b0:4009:802::1012]);


@ -1,4 +1,4 @@
# @TEST-EXEC: bro %INPUT >out # @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff out
print is_v4_addr(1.2.3.4); print is_v4_addr(1.2.3.4);


@ -1,5 +1,5 @@
# #
# @TEST-EXEC: bro %INPUT >out # @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff out
event bro_init() event bro_init()


@ -1,5 +1,5 @@
# #
# @TEST-EXEC: bro %INPUT >out # @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff out
event bro_init() event bro_init()
