From 83d5243cf68e5e2506cbdf58c3ae6bf35f21bd66 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 23 Jul 2025 10:46:31 +0100
Subject: [PATCH] Optimize Conn::set_conn to minimize operations

Now that Conn::set_conn is guaranteed to be called at the beginning and at the end of the connection, we can skip re-setting the elements that we know will not have changed. This prevents repeated lookups, e.g. to check that addresses are in the local networks.

During `connection_state_remove`, only the duration, number of packets, service, and history fields are updated. local_orig and local_resp are updated when the connection is flipped.

A test was added for that purpose. It uses the already existing http.zeek-image-post-1080-8000-x.pcap, which was slightly rewritten for this, so that one side of the connection has IP addresses different from 127.0.0.1.

The existing history-flip test also was updated to have one side being in a local-net, to check that the flipping of local_orig and local_resp works correctly at the beginning of a connection.
---
 scripts/base/protocols/conn/main.zeek | 54 +++++++++++-------
 .../btest/Baseline/core.history-flip/conn.log | 2 +-
 .../btest/Baseline/core.local-flip/conn.log | 11 ++++
 testing/btest/Baseline/plugins.hooks/output | 6 --
 .../conn.log.cut | 2 +-
 .../files.log.cut | 4 +-
 .../http.log.cut | 2 +-
 .../http/zeek-image-post-1080-8000-x.pcap | Bin 8180 -> 7730 bytes
 testing/btest/core/history-flip.zeek | 3 +
 testing/btest/core/local-flip.zeek | 6 ++
 10 files changed, 58 insertions(+), 32 deletions(-)
 create mode 100644 testing/btest/Baseline/core.local-flip/conn.log
 create mode 100644 testing/btest/core/local-flip.zeek

diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek
index f948b440c5..7c80c4b0bb 100644
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@@ -243,26 +243,31 @@ function conn_state(c: connection, trans: transport_proto): string
 ## Fill out the c$conn record for logging
 function set_conn(c: connection, eoc: bool)
 {
- if ( ! c?$conn )
- {
- local p = get_port_transport_proto(c$id$resp_p);
- c$conn = Info($ts=c$start_time, $uid=c$uid, $proto=p);
- }
+ if ( ! eoc ) {
+ if ( ! c?$conn )
+ {
+ local p = get_port_transport_proto(c$id$resp_p);
+ c$conn = Info($ts=c$start_time, $uid=c$uid, $proto=p);
+ }
- c$conn$id=c$id;
- if ( c?$tunnel && |c$tunnel| > 0 )
- {
- if ( ! c$conn?$tunnel_parents )
- c$conn$tunnel_parents = set();
- add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
- }
- if( |Site::local_nets| > 0 )
- {
- c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
- c$conn$local_resp=Site::is_local_addr(c$id$resp_h);
- }
+ c$conn$id=c$id;
+ if ( c?$tunnel && |c$tunnel| > 0 )
+ {
+ if ( ! c$conn?$tunnel_parents )
+ c$conn$tunnel_parents = set();
+ add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
+ }
- if ( eoc )
+ if ( c$id$proto != 65535 )
+ c$conn$ip_proto = c$id$proto;
+
+ if( |Site::local_nets| > 0 )
+ {
+ c$conn$local_orig = Site::is_local_addr(c$id$orig_h);
+ c$conn$local_resp = Site::is_local_addr(c$id$resp_h);
+ }
+ }
+ else
 {
 if ( c$duration > 0secs )
 {
@@ -288,9 +293,6 @@ function set_conn(c: connection, eoc: bool)
 if ( c$history != "" )
 c$conn$history=c$history;
 }
-
- if ( c$id$proto != 65535 )
- c$conn$ip_proto = c$id$proto;
 }
 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
@@ -314,6 +316,16 @@ event new_connection(c: connection) &priority=100
 set_conn(c, F);
 }
+event connection_flipped(c: connection) &priority=5
+ {
+ # otherwise, set-conn has not been called yet. In that case we don't have to do anything
+ if ( c?$conn )
+ {
+ c$conn$local_orig = Site::is_local_addr(c$id$orig_h);
+ c$conn$local_resp = Site::is_local_addr(c$id$resp_h);
+ }
+ }
+
 event connection_state_remove(c: connection) &priority=5
 {
 set_conn(c, T);
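Review bot: The `else` branch of set_conn (its body continues past the hunk) now reads `c$conn` without the `if ( ! c?$conn )` creation, which moved under `if ( ! eoc )`, so `set_conn(c, T)` on a connection whose start-of-connection call never happened would touch an unset field instead of lazily creating the record as the old code did. If the "called at the beginning" guarantee from the commit message is meant as a hard precondition, state it on the function: `## Fill out the c$conn record for logging. With eoc=F (new_connection) this creates and initializes c$conn; with eoc=T it only updates the fields that change over the connection's lifetime and requires c$conn to already exist.` Otherwise hoist the `if ( ! c?$conn )` creation back above the `if ( ! eoc )` so both call paths stay safe for the cost of one `?$` test. As a point of style, `if ( ! eoc ) {` puts the brace on the same line, while every other block in this hunk — `+ else` followed by the existing ` {`, or `if ( c?$tunnel && |c$tunnel| > 0 )` with `{` on its own line — uses the file's brace-on-its-own-line layout.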
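Review bot: The new connection_flipped handler recomputes local_orig/local_resp without the `|Site::local_nets| > 0` guard that the `! eoc` path in set_conn applies, so with no local networks configured a flipped connection logs `local_orig=F local_resp=F` while an unflipped one leaves both fields unset; mirror the guard with `if ( c?$conn && |Site::local_nets| > 0 )`. The comment `# otherwise, set-conn has not been called yet. In that case we don't have to do anything` also misnames the function and reads better as `# If c$conn is unset, new_connection has not fired yet; set_conn() will derive local_orig/local_resp from the already-flipped c$id when it does.` The handler deliberately leaves `c$conn$id` alone; the core.local-flip baseline logs the post-flip addresses in id.*, so c$conn$id evidently follows c$id (presumably the two share one record), which is worth stating in that comment so nobody later "fixes" it by re-copying the id.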
diff --git a/testing/btest/Baseline/core.history-flip/conn.log b/testing/btest/Baseline/core.history-flip/conn.log
index 26f8b8917f..89713442ea 100644
--- a/testing/btest/Baseline/core.history-flip/conn.log
+++ b/testing/btest/Baseline/core.history-flip/conn.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto orig_l2_addr resp_l2_addr
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF F F 0 ^hADdFaf 11 670 10 9945 - 6 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF F T 0 ^hADdFaf 11 670 10 9945 - 6 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.local-flip/conn.log b/testing/btest/Baseline/core.local-flip/conn.log
new file mode 100644
index 0000000000..dc8990428d
--- /dev/null
+++ b/testing/btest/Baseline/core.local-flip/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto orig_l2_addr resp_l2_addr
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 1080 44.1.1.1 8000 tcp http 0.020403 5958 182 SF T F 0 ^hADadFf 10 6486 9 650 - 6 - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 69a2c34488..49ea442278 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -3295,8 +3295,6 @@ XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(HTTP::get_file_handle, , ( XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6])) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], Conn::LOG)) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6])) -> -XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Site::is_local_addr, , (141.142.228.5)) -> -XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Site::is_local_addr, , (192.150.187.43)) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(cat, ..., ...) 
-> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, service_violation={}, failed_analyzers={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=, local_orig=F, local_resp=F, missed_bytes=0, history=, orig_pkts=, orig_ip_bytes=, resp_pkts=, resp_ip_bytes=, tunnel_parents=, ip_proto=6], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]])) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 
141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)) -> 
@@ -3326,8 +3324,6 @@ XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(HTTP::get_file_handle, , ( XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], Conn::LOG)) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6])) -XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Site::is_local_addr, , (141.142.228.5)) -XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Site::is_local_addr, , (192.150.187.43)) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(cat, ..., ...) 
XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, service_violation={}, failed_analyzers={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=, local_orig=F, local_resp=F, missed_bytes=0, history=, orig_pkts=, orig_ip_bytes=, resp_pkts=, resp_ip_bytes=, tunnel_parents=, ip_proto=6], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 
141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)) 
@@ -3358,8 +3354,6 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.2 XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6]) XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6], Conn::LOG) XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=F, local_resp=F, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=, ip_proto=6]) -XXXXXXXXXX.XXXXXX | HookCallFunction Site::is_local_addr(141.142.228.5) -XXXXXXXXXX.XXXXXX | HookCallFunction Site::is_local_addr(192.150.187.43) XXXXXXXXXX.XXXXXX | HookCallFunction cat(...) 
XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, removal_hooks={HTTP::finalize_http: Conn::RemovalHook{ if (HTTP::c?$http_state) { for ([HTTP::r], HTTP::info in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerce HTTP::info)}}}}, service_violation={}, failed_analyzers={}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=, local_orig=F, local_resp=F, missed_bytes=0, history=, orig_pkts=, orig_ip_bytes=, resp_pkts=, resp_ip_bytes=, tunnel_parents=, ip_proto=6], extract_orig=F, extract_resp=F, thresholds=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp, proto=6, ctx=[]], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1]]) XXXXXXXXXX.XXXXXX | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 
192.150.187.43, 80/tcp)
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/conn.log.cut
index 197f268773..f96e63943c 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/conn.log.cut
@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 id.orig_h id.orig_p id.resp_h id.resp_p history service
-127.0.0.1 1080 127.0.0.1 8000 ^hADadFf http
+127.0.0.1 1080 44.1.1.1 8000 ^hADadFf http
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/files.log.cut b/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/files.log.cut
index b0788b8a39..11b1881967 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/files.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/files.log.cut
@@ -1,4 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 id.orig_h id.orig_p id.resp_h id.resp_p analyzers mime_type sha1
-127.0.0.1 1080 127.0.0.1 8000 SHA1 image/png 1991cedee47909e324ac1b8bee2020d5690891e1
-127.0.0.1 1080 127.0.0.1 8000 SHA1 text/json eae909a9c2827d827ef30a6675a6388770ddc88d
+127.0.0.1 1080 44.1.1.1 8000 SHA1 image/png 1991cedee47909e324ac1b8bee2020d5690891e1
+127.0.0.1 1080 44.1.1.1 8000 SHA1 text/json eae909a9c2827d827ef30a6675a6388770ddc88d
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/http.log.cut b/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/http.log.cut
index a8665ed118..0cb8892469 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/http.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.http.flip-content-line-orig/http.log.cut
@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 id.orig_h id.orig_p id.resp_h id.resp_p host method uri version user_agent status_code status_msg
-127.0.0.1 1080 127.0.0.1 8000 localhost:8000 POST / 1.1 curl/7.81.0 200 OK
+127.0.0.1 1080 44.1.1.1 8000 localhost:8000 POST / 1.1 curl/7.81.0 200 OK
diff --git a/testing/btest/Traces/http/zeek-image-post-1080-8000-x.pcap b/testing/btest/Traces/http/zeek-image-post-1080-8000-x.pcap
index 184888de8ce6d3617c16756a26d3df9324a7513f..d0947b39c78fc88fa1156a3ed279470fd93b1cf6 100644
GIT binary patch
delta 1058
zcmexjzsW}7%Hd55nHX3YVBr6M1_nkT=Y?Ktn*R)LhKX|&So?PBFfvX&D5@a7oq>Ug zg>?%H69?CtD=|_a%*f2l4pN)|R6O~Dw3Nj}Ne2c8w!h2kfd&EfF|t_5JD9Rm&lf!3 z`?NuT@td<4P=XO*07!H5OrYio!qN&-AidxJ;nM56c{$^DRt}JsZm1STX|R^Rs9GA` zVbZQjDZ4WefPRL|u3ysR?c|DbAVdk@nxO=0r^UZ|ES5G@Ka-+!Yj@0ku$-hF)Y z8DXgM=^*8EBo$=-pqW0&9;{q~@ms~w$u}gofc-EFr22xi^yK|gtVU;NfI0J-dOw+;z|=bjs+UU(talnv z@8pTnq7p`Gm}=)j)G8RAor-D2BzvG0&vaTawatV1%wLAp{OlAgT0v>ynf5(QtxS)& z87>1;;N^)6MU;;o)CIed39AVbj9(|6nS4cNJ~%X$fEpnwP#&b`??TiFoAgxhd|w$T zJhi3Zw(0`IQx_DTYe1Sm$SO#m%|*4UugsKX($fZ@RbG>|sUa
delta 1536
zcma*mUr19?90%}wx4T^#lTtLcdpCAnATx1OabYmn9xRz8`VtXDwN#e)hoRG#f!ZHL z$fWI7t7d6|5a~-zob*%=g)bsu57|TX(1uW8mP!w%{mwb}x<78P3wL*S<9yEdcYf!* zc5FF^HHC#5KSfc^j!KS(=e~3?R5NwDz0=?3@d=jmoqZks*F1e)6+)f0)@m0ljh%jB zkbL)f+PXa6j&{M*PyVf{85+1c(CZ(lt+iIyS*wS9K2J>r*yuuYp?ONk(+Cri7d8CQ z4L7>Z8PrsZnT-Vn;jH7$FpNOA$;H$ct=#!;X982x#d~A#V-%%eRP&6YKr{F0B8P5T zsbq_RT(E>Q%-%)fMCbVCLj z%A&j4oWMOfh7rfuO;^UlvT|xEx>LNMG9`;CK&_NkBn-+rd|ww|=}W|A9cy@*ktgKD zl8)Xf{~-R-&Fj$c%sxFvVOlv}V?kj8k06ZrQD1uEN6$f9c<3~rY)fjFBhqMh1s?rS zE=AfqaXT}*0ZslLU&=?DB%06=2p@*V!vOvKR-O;^M2=O7V?8*mg`A)zzTC=3dn#$- z5nkmE+|PocjhtBfnhV>)O(Ppw(apwI;e8di?K00A0?MqSj^1`Hi#PZwJ%z?+_RS0q zI$te86RL6cxr~tW6^a+FObkM-?KLUyg?CoGaJ_(v z(}q&|uee~S(^F_fW{^cGNK;V2L7rs^5sNbXKegFj$l9 zRi$EzKC-#pHe60f*2wmph}fA>VgzZM2bwK?jZ!r;(YTXAGp=+>=A-hmN;lFt H8(H%IiT7@e
diff --git a/testing/btest/core/history-flip.zeek b/testing/btest/core/history-flip.zeek
index b14c3671c0..9020e60694 100644
--- a/testing/btest/core/history-flip.zeek
+++ b/testing/btest/core/history-flip.zeek
@@ -1,5 +1,8 @@
+# @TEST-DOC: Check that connection flip appears in history. Also check that local-orig is flipped correctly.
 # @TEST-EXEC: zeek -b -C -r $TRACES/tcp/missing-syn.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 @load base/protocols/http
 @load policy/protocols/conn/mac-logging
+
+redef Site::local_nets = { 125.190.109.0/24 };
diff --git a/testing/btest/core/local-flip.zeek b/testing/btest/core/local-flip.zeek
new file mode 100644
index 0000000000..08352efa56
--- /dev/null
+++ b/testing/btest/core/local-flip.zeek
@@ -0,0 +1,6 @@
+# @TEST-DOC: This check that local origin/responders are correctly flipped when the flip occurs later in the connection.
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/zeek-image-post-1080-8000-x.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/protocols/http
+@load policy/protocols/conn/mac-logging
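Review bot: The new local-flip test never sets `Site::local_nets`, yet its baseline expects `local_orig=T` for 127.0.0.1, so it depends on whatever local-network default is in effect under `zeek -b`; pinning it the way the history-flip hunk does, `redef Site::local_nets = { 127.0.0.0/8 };`, makes the expectation explicit and keeps the test from silently changing meaning if that default ever moves. The @TEST-DOC line also has a grammar slip and names the fields loosely; it would read better as `# @TEST-DOC: Check that local_orig/local_resp are correctly flipped when the flip occurs later in the connection.` A one-line note that the pcap was rewritten so that only one endpoint is 127.0.0.1 would help the next reader see why this trace, rather than the original localhost-only one, exercises the local/non-local distinction.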