Merge branch 'master' into topic/jgras/intel-update

Jan Grashoefer 2016-05-11 18:34:15 +02:00
commit 859eb5eac7
306 changed files with 6721 additions and 3148 deletions


@ -0,0 +1,13 @@
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT
# @TEST-EXEC: btest-diff .stdout
event file_new(f: fa_file)
{
Files::add_analyzer(f, Files::ANALYZER_ENTROPY);
}
event file_entropy(f: fa_file, ent: entropy_test_result)
{
print ent;
}


@ -0,0 +1,5 @@
# Test that the timestamp of a pre-y-2000 certificate is correctly parsed
# @TEST-EXEC: bro -r $TRACES/tls/telesec.pcap
# @TEST-EXEC: btest-diff x509.log


@ -26,14 +26,14 @@ event NetControl::init_done()
continue_processing();
}
event BrokerComm::outgoing_connection_established(peer_address: string,
event Broker::outgoing_connection_established(peer_address: string,
peer_port: port,
peer_name: string)
{
print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
print "Broker::outgoing_connection_established", peer_address, peer_port;
}
event BrokerComm::outgoing_connection_broken(peer_address: string,
event Broker::outgoing_connection_broken(peer_address: string,
peer_port: port)
{
terminate();
@ -91,28 +91,28 @@ redef exit_only_after_terminate = T;
event bro_init()
{
BrokerComm::enable();
BrokerComm::subscribe_to_events("bro/event/netcontroltest");
BrokerComm::listen(broker_port, "127.0.0.1");
Broker::enable();
Broker::subscribe_to_events("bro/event/netcontroltest");
Broker::listen(broker_port, "127.0.0.1");
}
event BrokerComm::incoming_connection_established(peer_name: string)
event Broker::incoming_connection_established(peer_name: string)
{
print "BrokerComm::incoming_connection_established";
print "Broker::incoming_connection_established";
}
event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
{
print "add_rule", id, r$entity, r$ty, ar;
BrokerComm::event("bro/event/netcontroltest", BrokerComm::event_args(NetControl::acld_rule_added, id, r, ar$command));
Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
}
event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
{
print "remove_rule", id, r$entity, r$ty, ar;
BrokerComm::event("bro/event/netcontroltest", BrokerComm::event_args(NetControl::acld_rule_removed, id, r, ar$command));
Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
if ( r$cid == 4 )
terminate();


@ -21,11 +21,11 @@ event NetControl::init()
NetControl::activate(netcontrol_acld, 0);
}
event BrokerComm::outgoing_connection_established(peer_address: string,
event Broker::outgoing_connection_established(peer_address: string,
peer_port: port,
peer_name: string)
{
print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
print "Broker::outgoing_connection_established", peer_address, peer_port;
}
event NetControl::init_done()
@ -33,7 +33,7 @@ event NetControl::init_done()
continue_processing();
}
event BrokerComm::outgoing_connection_broken(peer_address: string,
event Broker::outgoing_connection_broken(peer_address: string,
peer_port: port)
{
terminate();
@ -84,28 +84,28 @@ redef exit_only_after_terminate = T;
event bro_init()
{
BrokerComm::enable();
BrokerComm::subscribe_to_events("bro/event/netcontroltest");
BrokerComm::listen(broker_port, "127.0.0.1");
Broker::enable();
Broker::subscribe_to_events("bro/event/netcontroltest");
Broker::listen(broker_port, "127.0.0.1");
}
event BrokerComm::incoming_connection_established(peer_name: string)
event Broker::incoming_connection_established(peer_name: string)
{
print "BrokerComm::incoming_connection_established";
print "Broker::incoming_connection_established";
}
event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
{
print "add_rule", id, r$entity, r$ty, ar;
BrokerComm::event("bro/event/netcontroltest", BrokerComm::event_args(NetControl::acld_rule_added, id, r, ar$command));
Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
}
event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
{
print "remove_rule", id, r$entity, r$ty, ar;
BrokerComm::event("bro/event/netcontroltest", BrokerComm::event_args(NetControl::acld_rule_removed, id, r, ar$command));
Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
if ( r$cid == 4 )
terminate();


@ -27,14 +27,14 @@ event NetControl::init_done()
continue_processing();
}
event BrokerComm::outgoing_connection_established(peer_address: string,
event Broker::outgoing_connection_established(peer_address: string,
peer_port: port,
peer_name: string)
{
print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
print "Broker::outgoing_connection_established", peer_address, peer_port;
}
event BrokerComm::outgoing_connection_broken(peer_address: string,
event Broker::outgoing_connection_broken(peer_address: string,
peer_port: port)
{
terminate();
@ -75,29 +75,29 @@ redef exit_only_after_terminate = T;
event bro_init()
{
BrokerComm::enable();
BrokerComm::subscribe_to_events("bro/event/netcontroltest");
BrokerComm::listen(broker_port, "127.0.0.1");
Broker::enable();
Broker::subscribe_to_events("bro/event/netcontroltest");
Broker::listen(broker_port, "127.0.0.1");
}
event BrokerComm::incoming_connection_established(peer_name: string)
event Broker::incoming_connection_established(peer_name: string)
{
print "BrokerComm::incoming_connection_established";
print "Broker::incoming_connection_established";
}
event NetControl::broker_add_rule(id: count, r: NetControl::Rule)
{
print "add_rule", id, r$entity, r$ty;
BrokerComm::event("bro/event/netcontroltest", BrokerComm::event_args(NetControl::broker_rule_added, id, r, ""));
Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_added, id, r, ""));
}
event NetControl::broker_remove_rule(id: count, r: NetControl::Rule)
{
print "remove_rule", id, r$entity, r$ty;
BrokerComm::event("bro/event/netcontroltest", BrokerComm::event_args(NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo()));
BrokerComm::event("bro/event/netcontroltest", BrokerComm::event_args(NetControl::broker_rule_removed, id, r, ""));
Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo()));
Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_removed, id, r, ""));
if ( r$cid == 3 )
terminate();


@ -23,11 +23,11 @@ event bro_init()
of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, broker_port, "bro/event/openflow", 42);
}
event BrokerComm::outgoing_connection_established(peer_address: string,
event Broker::outgoing_connection_established(peer_address: string,
peer_port: port,
peer_name: string)
{
print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
print "Broker::outgoing_connection_established", peer_address, peer_port;
}
event OpenFlow::controller_activated(name: string, controller: OpenFlow::Controller)
@ -37,7 +37,7 @@ event OpenFlow::controller_activated(name: string, controller: OpenFlow::Control
OpenFlow::flow_mod(of_controller, [], [$cookie=OpenFlow::generate_cookie(1), $command=OpenFlow::OFPFC_ADD, $actions=[$out_ports=vector(3, 7)]]);
}
event BrokerComm::outgoing_connection_broken(peer_address: string,
event Broker::outgoing_connection_broken(peer_address: string,
peer_port: port)
{
terminate();
@ -83,14 +83,14 @@ global msg_count: count = 0;
event bro_init()
{
BrokerComm::enable();
BrokerComm::subscribe_to_events("bro/event/openflow");
BrokerComm::listen(broker_port, "127.0.0.1");
Broker::enable();
Broker::subscribe_to_events("bro/event/openflow");
Broker::listen(broker_port, "127.0.0.1");
}
event BrokerComm::incoming_connection_established(peer_name: string)
event Broker::incoming_connection_established(peer_name: string)
{
print "BrokerComm::incoming_connection_established";
print "Broker::incoming_connection_established";
}
function got_message()
@ -104,8 +104,8 @@ function got_message()
event OpenFlow::broker_flow_mod(name: string, dpid: count, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod)
{
print "got flow_mod", dpid, match, flow_mod;
BrokerComm::event("bro/event/openflow", BrokerComm::event_args(OpenFlow::flow_mod_success, name, match, flow_mod, ""));
BrokerComm::event("bro/event/openflow", BrokerComm::event_args(OpenFlow::flow_mod_failure, name, match, flow_mod, ""));
Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_success, name, match, flow_mod, ""));
Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_failure, name, match, flow_mod, ""));
got_message();
}


@ -0,0 +1,13 @@
# @TEST-EXEC: bro -r $TRACES/arp-who-has.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
{
print mac_src, mac_dst, SPA, SHA, TPA, THA;
}
event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
{
print mac_src, mac_dst, SPA, SHA, TPA, THA;
}


@ -0,0 +1,7 @@
# @TEST-EXEC: bro -r $TRACES/dns-caa.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
event dns_CAA_reply(c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)
{
print flags,tag,value;
}


@ -0,0 +1,7 @@
# @TEST-EXEC: bro -r $TRACES/dns-huge-ttl.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
{
print ans;
}
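Review bot: This test has no header comment saying what it pins, and the `dns_A_reply` handler prints the whole `ans` record, so the TTL is only covered implicitly through the baseline. Judging by the trace name, the intent is presumably to check that an unusually large TTL is parsed into a sane interval; if so, say that in a first-line comment such as `# Test that a very large DNS TTL is parsed correctly`. Keeping `print ans;` is fine, but the comment tells whoever next updates the baseline which field must not change.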


@ -0,0 +1,12 @@
# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/ssl
@load base/protocols/conn
@load base/frameworks/dpd
@load base/protocols/imap
event imap_capabilities(c: connection, capabilities: string_vec)
{
print capabilities;
}


@ -0,0 +1,15 @@
# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff x509.log
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/ssl
@load base/protocols/conn
@load base/frameworks/dpd
@load base/protocols/imap
event imap_starttls(c: connection)
{
print "Tls started for connection";
}
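Review bot: The `imap_starttls` handler prints a fixed string, so the `.stdout` baseline shows only how many times the event fired, not which connection raised it. Printing the connection identity, for example `print "Tls started for connection", c$id;`, would tie the line to the session that also appears in the `conn.log` and `ssl.log` baselines. That makes a regression where the event fires on the wrong connection visible in the diff.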


@ -0,0 +1,4 @@
# @TEST-EXEC: bro -C -r $TRACES/rfb/vncmac.pcap
# @TEST-EXEC: btest-diff rfb.log
@load base/protocols/rfb
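Review bot: The `@load base/protocols/rfb` line is never read, because the `@TEST-EXEC` invocation omits `%INPUT` and bro therefore runs with only its default script set. Whether `rfb.log` is produced then depends on the default load set including the RFB scripts, not on anything in this file. Either pass the file, `# @TEST-EXEC: bro -C -r $TRACES/rfb/vncmac.pcap %INPUT`, or drop the `@load` so the test does not suggest a dependency it does not have. The same applies to the next RFB test, which reads `vnc-mac-to-linux.pcap`.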


@ -0,0 +1,4 @@
# @TEST-EXEC: bro -C -r $TRACES/rfb/vnc-mac-to-linux.pcap
# @TEST-EXEC: btest-diff rfb.log
@load base/protocols/rfb


@ -0,0 +1,8 @@
# @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
# @TEST-EXEC: btest-diff ssl.log
@load base/frameworks/dpd
@load base/frameworks/signatures
@load base/protocols/ssl
@load base/protocols/conn
@load-sigs base/protocols/xmpp/dpd.sig


@ -0,0 +1,8 @@
# @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-dialback-starttls.pcap %INPUT
# @TEST-EXEC: btest-diff ssl.log
@load base/frameworks/dpd
@load base/frameworks/signatures
@load base/protocols/ssl
@load base/protocols/conn
@load-sigs base/protocols/xmpp/dpd.sig


@ -0,0 +1,9 @@
# @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff x509.log
@load base/protocols/conn
@load base/frameworks/dpd
@load base/protocols/ssl
@load base/protocols/xmpp