Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 14:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Updates for the SOCKS analyzer.

Browse source 
- Now supports SOCKSv5 in the analyzer and the DPD sigs.

- Reworked the core events.

- Tests.

- A SOCKS log!
This commit is contained in:
Seth Hall 2012-06-20 13:58:25 -04:00
parent c30c0d5ff2
commit 896f252a31
16 changed files with 411 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

8
testing/btest/Baseline/scripts.base.protocols.socks.trace1/socks.log Normal file
View file

@ -0,0 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path socks
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status req_h req_name req_p bound_h bound_name bound_p
#types time string addr port addr port count string string addr string port addr string port
1340213015.276495 UWkUyAuUGXf 10.0.0.55 53994 60.190.189.214 8124 5 - succeeded - www.osnews.com 80 192.168.0.31 - 2688

8
testing/btest/Baseline/scripts.base.protocols.socks.trace1/tunnel.log Normal file
View file

@ -0,0 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1340213015.276495 - 10.0.0.55 0 60.190.189.214 8124 Tunnel::SOCKS Tunnel::DISCOVER

8
testing/btest/Baseline/scripts.base.protocols.socks.trace2/socks.log Normal file
View file

@ -0,0 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path socks
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user status req_h req_name req_p bound_h bound_name bound_p
#types time string addr port addr port count string string addr string port addr string port
1340113261.914619 UWkUyAuUGXf 10.0.0.50 59580 85.194.84.197 1080 5 - succeeded - www.google.com 443 0.0.0.0 - 443

8
testing/btest/Baseline/scripts.base.protocols.socks.trace2/tunnel.log Normal file
View file

@ -0,0 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1340113261.914619 - 10.0.0.50 0 85.194.84.197 1080 Tunnel::SOCKS Tunnel::DISCOVER

BIN
testing/btest/Traces/socks-with-ssl.trace Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/socks.trace Normal file
View file

Binary file not shown.

6
testing/btest/scripts/base/protocols/socks/trace1.test Normal file
View file

@ -0,0 +1,6 @@
# @TEST-EXEC: bro -r $TRACES/socks.trace %INPUT
# @TEST-EXEC: btest-diff socks.log
# @TEST-EXEC: btest-diff http.log
# @TEST-EXEC: btest-diff tunnel.log
@load base/protocols/socks

5
testing/btest/scripts/base/protocols/socks/trace2.test Normal file
View file

@ -0,0 +1,5 @@
# @TEST-EXEC: bro -r $TRACES/socks-with-ssl.trace %INPUT
# @TEST-EXEC: btest-diff socks.log
# @TEST-EXEC: btest-diff tunnel.log
@load base/protocols/socks