From efc76fd052b29cc0b23f89868384587b7d809ac3 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 22 Feb 2013 02:36:41 -0500 Subject: [PATCH 001/711] Initial groundwork for analyzer actions in file analysis framework. --- src/CMakeLists.txt | 5 +++ src/binpac_bro.h | 2 ++ src/file_analysis.bif | 1 + src/file_analysis/Info.cc | 2 ++ src/file_analysis/analyzers/PE.cc | 34 +++++++++++++++++++++ src/file_analysis/analyzers/PE.h | 31 +++++++++++++++++++ src/file_analysis/analyzers/pe-analyzer.pac | 16 ++++++++++ src/file_analysis/analyzers/pe-file.pac | 26 ++++++++++++++++ src/file_analysis/analyzers/pe.pac | 20 ++++++++++++ 9 files changed, 137 insertions(+) create mode 100644 src/file_analysis/analyzers/PE.cc create mode 100644 src/file_analysis/analyzers/PE.h create mode 100644 src/file_analysis/analyzers/pe-analyzer.pac create mode 100644 src/file_analysis/analyzers/pe-file.pac create mode 100644 src/file_analysis/analyzers/pe.pac diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 16de055e11..9f8f4106ec 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -176,6 +176,7 @@ macro(BINPAC_TARGET pacFile) COMMAND ${BinPAC_EXE} ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR} -I ${CMAKE_CURRENT_SOURCE_DIR} + -I ${CMAKE_CURRENT_SOURCE_DIR}/file_analysis/analyzers ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile} DEPENDS ${BinPAC_EXE} ${pacFile} ${BINPAC_AUXSRC} ${ARGN} @@ -222,6 +223,9 @@ binpac_target(syslog.pac binpac_target(modbus.pac modbus-protocol.pac modbus-analyzer.pac) +binpac_target(file_analysis/analyzers/pe.pac + file_analysis/analyzers/pe-file.pac file_analysis/analyzers/pe-analyzer.pac) + ######################################################################## ## bro target @@ -453,6 +457,7 @@ set(bro_SRCS file_analysis/InfoTimer.cc file_analysis/Action.h file_analysis/Extract.cc + file_analysis/analyzers/PE.cc nb_dns.c digest.h diff --git a/src/binpac_bro.h b/src/binpac_bro.h index dcdbe94f57..1f63808c10 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h 
@@ -7,6 +7,7 @@ class PortVal; #include "util.h" #include "Analyzer.h" +#include "file_analysis/Action.h" #include "Val.h" #include "event.bif.func_h" @@ -15,6 +16,7 @@ class PortVal; namespace binpac { typedef Analyzer* BroAnalyzer; +typedef file_analysis::Action BroFileAnalyzer; typedef Val* BroVal; typedef PortVal* BroPortVal; typedef StringVal* BroStringVal; diff --git a/src/file_analysis.bif b/src/file_analysis.bif index 546ac5103c..9afa2d96ab 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -57,6 +57,7 @@ enum Trigger %{ enum Action %{ ACTION_EXTRACT, + ACTION_PE_ANALYZER, %} function FileAnalysis::postpone_timeout%(file_id: string%): bool diff --git a/src/file_analysis/Info.cc b/src/file_analysis/Info.cc index 60729cd590..e7d8f7ada0 100644 --- a/src/file_analysis/Info.cc +++ b/src/file_analysis/Info.cc @@ -7,12 +7,14 @@ #include "Action.h" #include "Extract.h" +#include "analyzers/PE.h" using namespace file_analysis; // keep in order w/ declared enum values in file_analysis.bif static ActionInstantiator action_factory[] = { Extract::Instantiate, + PE_Analyzer::Instantiate, }; static TableVal* empty_conn_id_set() diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc new file mode 100644 index 0000000000..66954ffa3e --- /dev/null +++ b/src/file_analysis/analyzers/PE.cc 
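Review bot: The new `typedef file_analysis::Action BroFileAnalyzer;` in binpac_bro.h names a value type, while the line above it, `typedef Analyzer* BroAnalyzer;`, and every use in this series treat the file analyzer as a pointer — PE.cc passes `this` into the generated parser and pe-analyzer.pac later dereferences it with `connection()->bro_analyzer()->GetInfo()`. Unless binpac's generated connection class wraps the parameter in a way not visible here, the typedef should be `typedef file_analysis::Action* BroFileAnalyzer;`. A one-line comment next to it, `// file analyzers are owned by the file_analysis::Info that created them; the parser only borrows the pointer`, would make the ownership explicit, since nothing in the parser deletes it.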
@@ -0,0 +1,34 @@ +#include + +#include "PE.h" +#include "pe_pac.h" +#include "util.h" + +using namespace file_analysis; + +PE_Analyzer::PE_Analyzer(Info* arg_info) + : Action(arg_info) + { + interp = new binpac::PE::File(this); + + // Close the reverse flow. + interp->FlowEOF(false); + } + +PE_Analyzer::~PE_Analyzer() + { + delete interp; + } + +Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info) + { + return new PE_Analyzer(info); + } + +void PE_Analyzer::DeliverStream(const u_char* data, uint64 len) + { + Action::DeliverStream(data, len); + + // Data is exclusively sent into the "up" flow. + interp->NewData(true, data, data + len); + } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h new file mode 100644 index 0000000000..34840c0e3b --- /dev/null +++ b/src/file_analysis/analyzers/PE.h @@ -0,0 +1,31 @@ +#ifndef FILE_ANALYSIS_PE_H +#define FILE_ANALYSIS_PE_H + +#include + +#include "Val.h" +#include "../Info.h" +#include "pe_pac.h" + +namespace file_analysis { + +/** + * An action to simply extract files to disk. + */ +class PE_Analyzer : Action { +public: + static Action* Instantiate(const RecordVal* args, Info* info); + + ~PE_Analyzer(); + + virtual void DeliverStream(const u_char* data, uint64 len); + +protected: + + PE_Analyzer(Info* arg_info); + binpac::PE::File* interp; +}; + +} // namespace file_analysis + +#endif diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac new file mode 100644 index 0000000000..1a295f2d30 --- /dev/null +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -0,0 +1,16 @@ + + +refine connection File += { + + function proc_sig(sig: bytestring) : bool + %{ + if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 ) + printf("yep: %s\n", ${sig}.data()); + return true; + %} + +}; + +refine typeattr DOSStub += &let { + proc : bool = $context.connection.proc_sig(signature); +}; 
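Review bot: The class comment added in PE.h, `An action to simply extract files to disk.`, is copied from the Extract action and does not describe this class; it should say something like `Action that feeds a file's bytes into a binpac-generated parser for the Windows PE (MZ/PE) header format.` Also `class PE_Analyzer : Action {` inherits privately (the default for `class`), so nothing outside the class can treat a `PE_Analyzer*` as an `Action*`; `class PE_Analyzer : public Action {` is what the factory table in Info.cc and virtual dispatch through `Action` need. The `DeliverStream` override in this hunk is also worth a comment stating that the data is only ever fed into the "up" flow and the reverse flow is closed in the constructor, since that asymmetry is not obvious from the header.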
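Review bot: `strcmp("MZ", (const char *) ${sig}.data())` in proc_sig reads past the end of `sig`: the field is declared `&length=2` in pe-file.pac and a binpac bytestring carries no NUL terminator, so strcmp, and the `%s` in the printf on the next line, keep reading whatever follows the two bytes in the flow buffer — an out-of-bounds read an attacker can trigger with any crafted file. Compare by length instead, `if ( ${sig}.length() == 2 && memcmp(${sig}.begin(), "MZ", 2) == 0 )`, and print with an explicit width (`%.2s`) or drop the printf. The function also returns true regardless of the comparison, so a file that is not MZ continues to be parsed as a DOS header; returning the comparison result would let the parser stop on non-PE input.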
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac new file mode 100644 index 0000000000..4cec173ae3 --- /dev/null +++ b/src/file_analysis/analyzers/pe-file.pac @@ -0,0 +1,26 @@ + +type TheFile() = record { + barf: DOSStub; +} &byteorder=bigendian &length=-1; + +type DOSStub() = record { + signature : bytestring &length=2; + UsedBytesInTheLastPage : uint16; + FileSizeInPages : uint16; + NumberOfRelocationItems : uint16; + HeaderSizeInParagraphs : uint16; + MinimumExtraParagraphs : uint16; + MaximumExtraParagraphs : uint16; + InitialRelativeSS : uint16; + InitialSP : uint16; + Checksum : uint16; + InitialIP : uint16; + InitialRelativeCS : uint16; + AddressOfRelocationTable : uint16; + OverlayNumber : uint16; + Reserved : uint16[4]; + OEMid : uint16; + OEMinfo : uint16; + Reserved2 : uint16[10]; + AddressOfNewExeHeader : uint32; +} &byteorder=bigendian; \ No newline at end of file diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzers/pe.pac new file mode 100644 index 0000000000..be91643b21 --- /dev/null +++ b/src/file_analysis/analyzers/pe.pac @@ -0,0 +1,20 @@ +%include binpac.pac +%include bro.pac + +analyzer PE withcontext { + connection: File; + flow: Bytes; +}; + +connection File(bro_analyzer: BroFileAnalyzer) { + upflow = Bytes(true); + downflow = Bytes(false); +}; + +%include pe-file.pac + +flow Bytes(is_orig: bool) { + flowunit = TheFile() withcontext(connection, this); +} + +%include pe-analyzer.pac From b1f1b64ddea74d87dec665238ce7d02e58e1e243 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 14 Mar 2013 11:19:39 -0400 Subject: [PATCH 002/711] Checkpoint --- src/file_analysis/analyzers/PE.cc | 6 ++++-- src/file_analysis/analyzers/PE.h | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index 66954ffa3e..622cbb945f 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc 
@@ -7,7 +7,7 @@ using namespace file_analysis; PE_Analyzer::PE_Analyzer(Info* arg_info) - : Action(arg_info) + : Action(arg_info, BifEnum::FileAnalysis::ACTION_PE_ANALYZER) { interp = new binpac::PE::File(this); @@ -25,10 +25,12 @@ Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info) return new PE_Analyzer(info); } -void PE_Analyzer::DeliverStream(const u_char* data, uint64 len) +bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) { Action::DeliverStream(data, len); // Data is exclusively sent into the "up" flow. interp->NewData(true, data, data + len); + + return true; } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index 34840c0e3b..d511f3e9bf 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h @@ -18,7 +18,7 @@ public: ~PE_Analyzer(); - virtual void DeliverStream(const u_char* data, uint64 len); + virtual bool DeliverStream(const u_char* data, uint64 len); protected: From cb040b6da4bde97239552955d3a4c3af1e02dd56 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 1 Apr 2013 09:00:07 -0400 Subject: [PATCH 003/711] Checkpoint --- src/file_analysis.bif | 4 +++ src/file_analysis/ActionSet.cc | 4 +++ src/file_analysis/analyzers/PE.cc | 33 ++++++++++++++------- src/file_analysis/analyzers/PE.h | 8 +++-- src/file_analysis/analyzers/pe-analyzer.pac | 18 ++++++++--- src/file_analysis/analyzers/pe-file.pac | 6 ++-- src/file_analysis/analyzers/pe.pac | 14 ++++----- 7 files changed, 60 insertions(+), 27 deletions(-) diff --git a/src/file_analysis.bif b/src/file_analysis.bif index ba62e58855..6ded10b251 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -125,3 +125,7 @@ function FileAnalysis::eof%(source: string%): any file_mgr->EndOfFile(source->CheckString()); return 0; %} + +# Define file analysis framework events. + +event FileAnalysis::windows_pe_sig%(fi: FileAnalysis::Info, sig: string%); 
diff --git a/src/file_analysis/ActionSet.cc b/src/file_analysis/ActionSet.cc index 51cab26478..dabda1c931 100644 --- a/src/file_analysis/ActionSet.cc +++ b/src/file_analysis/ActionSet.cc @@ -5,6 +5,8 @@ #include "DataEvent.h" #include "Hash.h" +#include "analyzers/PE.h" + using namespace file_analysis; // keep in order w/ declared enum values in file_analysis.bif @@ -14,6 +16,8 @@ static ActionInstantiator action_factory[] = { SHA1::Instantiate, SHA256::Instantiate, DataEvent::Instantiate, + + PE_Analyzer::Instantiate, }; static void action_del_func(void* v) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index 622cbb945f..e5b924e9fb 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -6,13 +6,11 @@ using namespace file_analysis; -PE_Analyzer::PE_Analyzer(Info* arg_info) - : Action(arg_info, BifEnum::FileAnalysis::ACTION_PE_ANALYZER) +PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info, uint64 fsize) + : Action(args, info) { - interp = new binpac::PE::File(this); - - // Close the reverse flow. - interp->FlowEOF(false); + conn = new binpac::PE::MockConnection(this); + interp = new binpac::PE::File(conn, fsize); } PE_Analyzer::~PE_Analyzer() 
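Review bot: The constructor now allocates `conn = new binpac::PE::MockConnection(this);` alongside `interp`, but the destructor — its body is visible as context at the start of the next hunk — still does only `delete interp;`, so every PE_Analyzer instance leaks a MockConnection. Add `delete conn;` to `~PE_Analyzer()` after `delete interp;` (the flow presumably holds a pointer back to the connection, so free the flow first). The same leak is still present in the later checkpoints of this series.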
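Review bot: The `action_factory` table is indexed by the enum value, as the `// keep in order w/ declared enum values in file_analysis.bif` comment above it says, but the file_analysis.bif hunk in this same commit adds only an event and no enumerator, so whether `ACTION_PE_ANALYZER` sits at the matching position in the enum cannot be confirmed from this series. Since a mismatch silently instantiates the wrong action, it is worth guarding: add `// ACTION_PE_ANALYZER must be the last enumerator in file_analysis.bif` next to the entry and, if the enum exposes a count, a `static_assert`-style check against `sizeof(action_factory)/sizeof(action_factory[0])`.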
@@ -20,17 +18,32 @@ PE_Analyzer::~PE_Analyzer() delete interp; } -Action* PE_Analyzer::Instantiate(const RecordVal* args, Info* info) +Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info) { - return new PE_Analyzer(info); + using BifType::Record::FileAnalysis::Info; + const char* field = "total_bytes"; + Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field)); + if ( ! filesize ) + // TODO: this should be a reporter message? or better yet stop relying on the file size. + return 0; + + bro_uint_t fsize = filesize->AsCount(); + return new PE_Analyzer(args, info, fsize); } bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) { Action::DeliverStream(data, len); - // Data is exclusively sent into the "up" flow. - interp->NewData(true, data, data + len); + try + { + interp->NewData(data, data + len); + } + catch ( const binpac::Exception& e ) + { + printf("Binpac exception: %s\n", e.c_msg()); + } + return true; } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index d511f3e9bf..95b5083aff 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h @@ -14,16 +14,18 @@ namespace file_analysis { */ class PE_Analyzer : Action { public: - static Action* Instantiate(const RecordVal* args, Info* info); + static Action* Instantiate(RecordVal* args, Info* info); ~PE_Analyzer(); virtual bool DeliverStream(const u_char* data, uint64 len); protected: - - PE_Analyzer(Info* arg_info); + PE_Analyzer(RecordVal* args, Info* info, uint64 fsize); binpac::PE::File* interp; + binpac::PE::MockConnection* conn; + + uint64 fsize; }; } // namespace file_analysis diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index 1a295f2d30..77edfa3434 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac 
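Review bot: `Instantiate` now takes the file length from the `total_bytes` field of the Info record and the parser uses it as `&length=fsize` for the entire `TheFile` record (pe-file.pac hunk in this commit). `total_bytes` is whatever the transport claimed (e.g. a Content-Length), i.e. attacker-controlled and not necessarily what is delivered; if binpac waits for a record of that size before parsing, a large declared size makes the analyzer buffer the whole file or never emit its events, and a small one throws as soon as the DOS header exceeds it. Bound the parse to the headers you actually consume (the 64-byte DOS header plus the NT headers) rather than the file length, which the `TODO` in this hunk already hints at. The `catch ( const binpac::Exception& e )` block also reports the parse error with a bare `printf` to stdout; route it through the reporter (a weird or error) so it is visible in production logs.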
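Review bot: The `uint64 fsize;` member added to PE_Analyzer in PE.h is never assigned — the constructor in this commit passes its `fsize` parameter straight to `binpac::PE::File` and stores nothing — so it is dead and shares a name with the constructor parameter. Drop the member, or initialise it in the constructor's initializer list if a later change needs it.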
@@ -1,16 +1,26 @@ +%extern{ +#include "Event.h" +#include "file_analysis.bif.func_h" +%} -refine connection File += { +refine flow File += { function proc_sig(sig: bytestring) : bool %{ - if ( strcmp("MZ", (const char *) ${sig}.data()) == 0 ) - printf("yep: %s\n", ${sig}.data()); + //val_list* vl = new val_list; + //StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin()); + //vl->append(sigval); + //mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl); + + BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(), + (Val *) connection()->bro_analyzer()->GetInfo(), + new StringVal(${sig}.length(), (const char*) ${sig}.begin())); return true; %} }; refine typeattr DOSStub += &let { - proc : bool = $context.connection.proc_sig(signature); + proc : bool = $context.flow.proc_sig(signature); }; diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 4cec173ae3..33cd1270f7 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -1,7 +1,7 @@ -type TheFile() = record { - barf: DOSStub; -} &byteorder=bigendian &length=-1; +type TheFile(fsize: uint64) = record { + dos_stub: DOSStub; +} &byteorder=bigendian &length=fsize; type DOSStub() = record { signature : bytestring &length=2; diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzers/pe.pac index be91643b21..9cd4f4f112 100644 --- a/src/file_analysis/analyzers/pe.pac +++ b/src/file_analysis/analyzers/pe.pac 
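Review bot: `(Analyzer *) connection()->bro_analyzer()` in proc_sig casts a `file_analysis::Action*` (per the `BroFileAnalyzer` typedef) to an unrelated `Analyzer*`; nothing visible makes `Action` derive from `Analyzer`, so this is a type-confusing reinterpretation, and if the generated `generate_windows_pe_sig` dereferences its analyzer argument (which I would expect, to attach the event to a connection) it reads through a wrongly-typed pointer. The same cast is repeated in every later checkpoint of this series. If the event has no connection to attach to, pass a null analyzer, `BifEvent::FileAnalysis::generate_windows_pe_sig(0, ...)`, or extend the bif event generator with a file-analysis entry point that takes no `Analyzer*`; the `(Val *)` cast on `GetInfo()` is likewise unnecessary if it already returns a `RecordVal*`.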
@@ -2,19 +2,19 @@ %include bro.pac analyzer PE withcontext { - connection: File; - flow: Bytes; + connection: MockConnection; + flow: File; }; -connection File(bro_analyzer: BroFileAnalyzer) { - upflow = Bytes(true); - downflow = Bytes(false); +connection MockConnection(bro_analyzer: BroFileAnalyzer) { + upflow = File(0); + downflow = File(0); }; %include pe-file.pac -flow Bytes(is_orig: bool) { - flowunit = TheFile() withcontext(connection, this); +flow File(fsize: uint64) { + flowunit = TheFile(fsize) withcontext(connection, this); } %include pe-analyzer.pac From d19b8b0266d6d8581792189d5ab0161ed15bb11b Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 3 Apr 2013 00:51:33 -0400 Subject: [PATCH 004/711] Checkpoint for discussion. --- src/file_analysis.bif | 3 ++- src/file_analysis/analyzers/pe-analyzer.pac | 16 ++++++---------- src/file_analysis/analyzers/pe-file.pac | 5 +++-- 3 files changed, 11 insertions(+), 13 deletions(-) diff --git a/src/file_analysis.bif b/src/file_analysis.bif index 6ded10b251..89845e6f2c 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -128,4 +128,5 @@ function FileAnalysis::eof%(source: string%): any # Define file analysis framework events. -event FileAnalysis::windows_pe_sig%(fi: FileAnalysis::Info, sig: string%); +#event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%); +event FileAnalysis::windows_pe_dosstub%(checksum: count%); diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index 77edfa3434..63f722b18c 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac 
@@ -6,21 +6,17 @@ refine flow File += { - function proc_sig(sig: bytestring) : bool + function proc_dosstub(stub: DOSStub) : bool %{ - //val_list* vl = new val_list; - //StringVal *sigval = new StringVal(${sig}.length(), (const char*) ${sig}.begin()); - //vl->append(sigval); - //mgr.QueueEvent(FileAnalysis::windows_pe_sig, vl); - - BifEvent::FileAnalysis::generate_windows_pe_sig((Analyzer *) connection()->bro_analyzer(), - (Val *) connection()->bro_analyzer()->GetInfo(), - new StringVal(${sig}.length(), (const char*) ${sig}.begin())); + BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), + //(Val *) connection()->bro_analyzer()->GetInfo(), + //new StringVal(${stub.signature}.length(), (const char*) ${stub.signature}.begin()), + ${stub.HeaderSizeInParagraphs}); return true; %} }; refine typeattr DOSStub += &let { - proc : bool = $context.flow.proc_sig(signature); + proc : bool = $context.flow.proc_dosstub(this); }; diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 33cd1270f7..50647b7275 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -1,7 +1,8 @@ type TheFile(fsize: uint64) = record { dos_stub: DOSStub; -} &byteorder=bigendian &length=fsize; + blah: bytestring &length=1316134912 &transient; +} &transient &byteorder=littleendian; type DOSStub() = record { signature : bytestring &length=2; @@ -23,4 +24,4 @@ type DOSStub() = record { OEMinfo : uint16; Reserved2 : uint16[10]; AddressOfNewExeHeader : uint32; -} &byteorder=bigendian; \ No newline at end of file +} &byteorder=littleendian &length=64; From 8beb75d985553a6a3cf36b0794f45fd494957e3a Mon Sep 17 00:00:00 2001 
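Review bot: The argument handed to `generate_windows_pe_dosstub` is `${stub.HeaderSizeInParagraphs}`, but the event declared in file_analysis.bif in this same commit names that parameter `checksum: count`, and the DOS header record actually has a `Checksum` field available. Either pass `${stub.Checksum}` or rename the parameter to what is sent, otherwise script writers will log a header size as a checksum. In pe-file.pac, the new `blah: bytestring &length=1316134912 &transient;` field asks the parser for ~1.25 GiB after the DOS header; if binpac buffers to that length before the record is complete, this is a memory exhaustion risk per analysed file, and it should at least carry a comment saying it is a placeholder.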
From: Seth Hall Date: Wed, 10 Apr 2013 22:57:54 -0400 Subject: [PATCH 005/711] Checkpoint. --- src/file_analysis.bif | 2 + src/file_analysis/ActionSet.cc | 2 + src/file_analysis/analyzers/PE.cc | 22 +++---- src/file_analysis/analyzers/PE.h | 4 +- src/file_analysis/analyzers/pe-analyzer.pac | 23 +++++-- src/file_analysis/analyzers/pe-file.pac | 73 +++++++++++++++++++-- src/file_analysis/analyzers/pe.pac | 8 +-- 7 files changed, 107 insertions(+), 27 deletions(-) diff --git a/src/file_analysis.bif b/src/file_analysis.bif index df4ed98a53..43aab3bb4f 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -153,3 +153,5 @@ function FileAnalysis::__eof%(source: string%): any #event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%); event FileAnalysis::windows_pe_dosstub%(checksum: count%); +event FileAnalysis::windows_pe_timestamp%(ts: time%); + diff --git a/src/file_analysis/ActionSet.cc b/src/file_analysis/ActionSet.cc index 314650a210..d7b1dc9d11 100644 --- a/src/file_analysis/ActionSet.cc +++ b/src/file_analysis/ActionSet.cc @@ -16,6 +16,8 @@ static ActionInstantiator action_factory[] = { file_analysis::SHA1::Instantiate, file_analysis::SHA256::Instantiate, file_analysis::DataEvent::Instantiate, + + PE_Analyzer::Instantiate, }; static void action_del_func(void* v) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index e5b924e9fb..daf679ce82 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -6,11 +6,11 @@ using namespace file_analysis; -PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info, uint64 fsize) +PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info) : Action(args, info) { conn = new binpac::PE::MockConnection(this); - interp = new binpac::PE::File(conn, fsize); + interp = new binpac::PE::File(conn); } PE_Analyzer::~PE_Analyzer() 
@@ -21,14 +21,14 @@ PE_Analyzer::~PE_Analyzer() Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info) { using BifType::Record::FileAnalysis::Info; - const char* field = "total_bytes"; - Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field)); - if ( ! filesize ) - // TODO: this should be a reporter message? or better yet stop relying on the file size. - return 0; - - bro_uint_t fsize = filesize->AsCount(); - return new PE_Analyzer(args, info, fsize); + //const char* field = "total_bytes"; + //Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field)); + //if ( ! filesize ) + // // TODO: this should be a reporter message? or better yet stop relying on the file size. + // return 0; +// + //bro_uint_t fsize = filesize->AsCount(); + return new PE_Analyzer(args, info); } bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) @@ -42,8 +42,8 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) catch ( const binpac::Exception& e ) { printf("Binpac exception: %s\n", e.c_msg()); + return false; } - return true; } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index 95b5083aff..34a76e7e00 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h @@ -21,11 +21,9 @@ public: virtual bool DeliverStream(const u_char* data, uint64 len); protected: - PE_Analyzer(RecordVal* args, Info* info, uint64 fsize); + PE_Analyzer(RecordVal* args, Info* info); binpac::PE::File* interp; binpac::PE::MockConnection* conn; - - uint64 fsize; }; } // namespace file_analysis diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index 63f722b18c..d0407f348a 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac 
@@ -6,17 +6,30 @@ refine flow File += { - function proc_dosstub(stub: DOSStub) : bool + function proc_dos_header(h: DOS_Header) : bool %{ BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), //(Val *) connection()->bro_analyzer()->GetInfo(), - //new StringVal(${stub.signature}.length(), (const char*) ${stub.signature}.begin()), - ${stub.HeaderSizeInParagraphs}); + //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()), + ${h.AddressOfNewExeHeader}-64); return true; %} + function proc_pe_header(h: IMAGE_NT_HEADERS) : bool + %{ + BifEvent::FileAnalysis::generate_windows_pe_timestamp((Analyzer *) connection()->bro_analyzer(), + //(Val *) connection()->bro_analyzer()->GetInfo(), + //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()), + ${h.FileHeader.TimeDateStamp}); + return true; + %} }; -refine typeattr DOSStub += &let { - proc : bool = $context.flow.proc_dosstub(this); +refine typeattr DOS_Header += &let { + proc : bool = $context.flow.proc_dos_header(this); }; + +refine typeattr IMAGE_NT_HEADERS += &let { + proc : bool = $context.flow.proc_pe_header(this); +}; + diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 50647b7275..5854fd2bd8 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -1,10 +1,14 @@ -type TheFile(fsize: uint64) = record { - dos_stub: DOSStub; - blah: bytestring &length=1316134912 &transient; +type TheFile = record { + dos_header : DOS_Header; + dos_code : bytestring &length=(dos_header.AddressOfNewExeHeader - 64); + pe_header : IMAGE_NT_HEADERS; + pad : bytestring &length=1316134912 &transient; +} &let { + dos_code_len: uint32 = (dos_header.AddressOfNewExeHeader - 64); } &transient &byteorder=littleendian; -type DOSStub() = record { +type DOS_Header = record { signature : bytestring &length=2; UsedBytesInTheLastPage : uint16; FileSizeInPages : uint16; 
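Review bot: `${h.AddressOfNewExeHeader}-64` in proc_dos_header underflows — the field is an attacker-controlled `uint32`, so any e_lfanew below 64 wraps to a value near 4294967232 — and it is passed as the event's `checksum` parameter, which it is not. Check the field before using it, e.g. `if ( ${h.AddressOfNewExeHeader} < 64 ) return false;`, and rename the bif parameter (or pass `${h.Checksum}`). Neither function verifies `${h.signature}` is "MZ" or that `IMAGE_NT_HEADERS.PESignature` is "PE\0\0" before emitting events, so a file with those bytes anywhere will raise `windows_pe_timestamp` with garbage; the `(Analyzer *)` cast of the file analyzer is also still present from the earlier checkpoint.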
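Review bot: `dos_code : bytestring &length=(dos_header.AddressOfNewExeHeader - 64);` in TheFile computes its length from an untrusted 32-bit field with no lower bound, so an e_lfanew below 64 wraps (or goes negative, depending on how binpac types the expression) and yields a multi-gigabyte field before `pe_header` is ever parsed; a very large e_lfanew has the same effect without wrapping. Validate it at parse time — `&check(dos_header.AddressOfNewExeHeader >= 64)` if this binpac honours `&check`, otherwise a `&let` that throws — and apply an upper sanity bound, since real files keep the NT headers within the first few hundred bytes. The `pad : bytestring &length=1316134912 &transient;` placeholder has the same buffering concern as in the previous checkpoint, and the `dos_code_len` `&let` is computed but never used.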
@@ -25,3 +29,64 @@ type DOSStub() = record { Reserved2 : uint16[10]; AddressOfNewExeHeader : uint32; } &byteorder=littleendian &length=64; + +type IMAGE_NT_HEADERS = record { + PESignature : uint32; + FileHeader : IMAGE_FILE_HEADER; + OptionalHeader : OPTIONAL_HEADER(FileHeader.SizeOfOptionalHeader); +} &byteorder=littleendian &length=FileHeader.SizeOfOptionalHeader+offsetof(OptionalHeader); + +type IMAGE_FILE_HEADER = record { + Machine : uint16; + NumberOfSections : uint16; + TimeDateStamp : uint32; + PointerToSymbolTable : uint32; + NumberOfSymbols : uint32; + SizeOfOptionalHeader : uint16; + Characteristics : uint16; +}; + +type OPTIONAL_HEADER(len: uint16) = record { + OptionalHeaderMagic : uint16; + Header : case OptionalHeaderMagic of { + 0x0b01 -> OptionalHeader32 : IMAGE_OPTIONAL_HEADER32; + 0x0b02 -> OptionalHeader64 : IMAGE_OPTIONAL_HEADER64; + default -> InvalidPEFile : bytestring &restofdata; + }; +} &length=len; + +type IMAGE_OPTIONAL_HEADER32 = record { + major_linker_version : uint8; + minor_linker_version : uint8; + size_of_code : uint32; + size_of_init_data : uint32; + size_of_uninit_data : uint32; + addr_of_entry_point : uint32; + base_of_code : uint32; + base_of_data : uint32; + image_base : uint32; + section_alignment : uint32; + file_alignment : uint32; + os_version_major : uint16; + os_version_minor : uint16; + major_image_version : uint16; + minor_image_version : uint16; + major_subsys_version : uint16; + minor_subsys_version : uint16; + win32_version : uint32; + size_of_image : uint32; + size_of_headers : uint32; + checksum : uint32; + subsystem : uint16; + dll_characteristics : uint16; + size_of_stack_reserve : uint32; + size_of_stack_commit : uint32; + size_of_heap_reserve : uint32; + size_of_heap_commit : uint32; + loader_flags : uint32; + number_of_rva_and_sizes : uint32; +} &byteorder=littleendian; + +type IMAGE_OPTIONAL_HEADER64 = record { + +} &byteorder=littleendian; 
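Review bot: The `case OptionalHeaderMagic of` constants in OPTIONAL_HEADER are byte-swapped: the record is `&byteorder=littleendian`, so the on-disk bytes `0B 01` are read as `0x010b`, meaning `0x0b01` and `0x0b02` can never match a real file and every PE falls into `InvalidPEFile`. The PE32 magic is `0x10b` and PE32+ is `0x20b`, so the cases should read `0x010b -> OptionalHeader32 : IMAGE_OPTIONAL_HEADER32;` and `0x020b -> OptionalHeader64 : IMAGE_OPTIONAL_HEADER64;`. `PESignature : uint32;` is never checked against `"PE\0\0"` (`0x00004550` little-endian) before `FileHeader` is trusted, and `IMAGE_OPTIONAL_HEADER64` is an empty record, so the PE32+ branch parses nothing; both deserve at least a `# TODO` comment if they are intentional for this checkpoint.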
diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzers/pe.pac index 9cd4f4f112..8a20fa3c62 100644 --- a/src/file_analysis/analyzers/pe.pac +++ b/src/file_analysis/analyzers/pe.pac @@ -7,14 +7,14 @@ analyzer PE withcontext { }; connection MockConnection(bro_analyzer: BroFileAnalyzer) { - upflow = File(0); - downflow = File(0); + upflow = File; + downflow = File; }; %include pe-file.pac -flow File(fsize: uint64) { - flowunit = TheFile(fsize) withcontext(connection, this); +flow File { + flowunit = TheFile withcontext(connection, this); } %include pe-analyzer.pac From 4cc9ca424322be2f53cf950f35eebe78c929f671 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 24 Apr 2013 12:56:20 -0400 Subject: [PATCH 006/711] Checkpoint --- scripts/base/init-bare.bro | 14 ++++ src/event.bif | 6 ++ src/file_analysis.bif | 7 -- src/file_analysis/ActionSet.cc | 2 +- src/file_analysis/analyzers/PE.cc | 33 +++++--- src/file_analysis/analyzers/PE.h | 9 ++- src/file_analysis/analyzers/pe-analyzer.pac | 56 ++++++++++--- src/file_analysis/analyzers/pe-file.pac | 89 +++++++++++++++------ src/types.bif | 5 ++ 9 files changed, 161 insertions(+), 60 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 7f4d29d26b..8a82fb98b3 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2486,6 +2486,20 @@ type irc_join_info: record { ## .. bro:see:: irc_join_message type irc_join_list: set[irc_join_info]; +## Record for Portable Executable (PE) section headers. +type PESectionHeader: record { + name : string; + virtual_size : count; + virtual_addr : count; + size_of_raw_data : count; + ptr_to_raw_data : count; + non_used_ptr_to_relocs : count; + non_used_ptr_to_line_nums : count; + non_used_num_of_relocs : count; + non_used_num_of_line_nums : count; + characteristics : count; +}; + ## Deprecated. ## ## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere 
diff --git a/src/event.bif b/src/event.bif index 08a2b64a84..fc9ca8df6a 100644 --- a/src/event.bif +++ b/src/event.bif @@ -7026,6 +7026,12 @@ event file_state_remove%(f: fa_file%); ## FileAnalysis::ACTION_SHA1 FileAnalysis::ACTION_SHA256 event file_hash%(f: fa_file, kind: string, hash: string%); + +event file_pe_dosstub%(f: fa_file, checksum: count%); +event file_pe_timestamp%(f: fa_file, ts: time%); +event file_pe_section_header%(f: fa_file, h: PESectionHeader%); + + ## Deprecated. Will be removed. event stp_create_endp%(c: connection, e: int, is_orig: bool%); diff --git a/src/file_analysis.bif b/src/file_analysis.bif index f7fbe14de9..b3e34f93d2 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -97,10 +97,3 @@ function set_file_handle%(handle: string%): any file_mgr->SetHandle(handle->CheckString()); return 0; %} - -# Define file analysis framework events. - -#event FileAnalysis::windows_pe_dosstub%(fi: FileAnalysis::Info, sig: string, checksum: count%); -event FileAnalysis::windows_pe_dosstub%(checksum: count%); -event FileAnalysis::windows_pe_timestamp%(ts: time%); - diff --git a/src/file_analysis/ActionSet.cc b/src/file_analysis/ActionSet.cc index fd7fa883eb..d8d057bec5 100644 --- a/src/file_analysis/ActionSet.cc +++ b/src/file_analysis/ActionSet.cc @@ -17,7 +17,7 @@ static ActionInstantiator action_factory[] = { file_analysis::SHA256::Instantiate, file_analysis::DataEvent::Instantiate, - PE_Analyzer::Instantiate, + file_analysis::PE_Analyzer::Instantiate, }; static void action_del_func(void* v) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index daf679ce82..c15b6ba739 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc 
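Review bot: The three events added to event.bif — `file_pe_dosstub`, `file_pe_timestamp`, `file_pe_section_header` — carry no `##` documentation, unlike `file_hash` just above them whose comment block lists the actions that generate it. Each should get a short doc comment naming the generating action (`FileAnalysis::ACTION_PE_ANALYZER`) and what the parameters hold; in particular `checksum` on `file_pe_dosstub` is fed `AddressOfNewExeHeader-64` by pe-analyzer.pac, so either document it as the DOS-stub length or rename it, and `ts` on `file_pe_timestamp` should be documented as the raw `TimeDateStamp` from the COFF file header (a build time that is attacker-controlled and routinely forged).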
@@ -3,14 +3,16 @@ #include "PE.h" #include "pe_pac.h" #include "util.h" +#include "Event.h" using namespace file_analysis; -PE_Analyzer::PE_Analyzer(RecordVal* args, Info* info) - : Action(args, info) +PE_Analyzer::PE_Analyzer(RecordVal* args, File* file) + : Action(args, file) { conn = new binpac::PE::MockConnection(this); interp = new binpac::PE::File(conn); + done=false; } PE_Analyzer::~PE_Analyzer() @@ -18,23 +20,21 @@ PE_Analyzer::~PE_Analyzer() delete interp; } -Action* PE_Analyzer::Instantiate(RecordVal* args, Info* info) +Action* PE_Analyzer::Instantiate(RecordVal* args, File* file) { - using BifType::Record::FileAnalysis::Info; - //const char* field = "total_bytes"; - //Val* filesize = info->GetVal()->Lookup(Info->FieldOffset(field)); - //if ( ! filesize ) - // // TODO: this should be a reporter message? or better yet stop relying on the file size. - // return 0; -// - //bro_uint_t fsize = filesize->AsCount(); - return new PE_Analyzer(args, info); + return new PE_Analyzer(args, file); } bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) { - Action::DeliverStream(data, len); + printf("deliver stream\n"); + if (done) + { + printf("analyzer done\n"); + return false; + } + Action::DeliverStream(data, len); try { interp->NewData(data, data + len); @@ -47,3 +47,10 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) return true; } + +bool PE_Analyzer::EndOfFile() + { + printf("end of file!\n"); + done=true; + return false; + } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index 34a76e7e00..6f25e19723 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h @@ -4,7 +4,7 @@ #include #include "Val.h" -#include "../Info.h" +#include "../File.h" #include "pe_pac.h" namespace file_analysis { 
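Review bot: The `printf("deliver stream\n");`, `printf("analyzer done\n");` and `printf("end of file!\n");` calls in `DeliverStream` and `EndOfFile` write debugging output to stdout on every chunk of every file; they should be removed or moved behind the debug-logging facility before this leaves checkpoint state. `done=false;` belongs in the constructor's initializer list (`: Action(args, file), done(false)`), and the destructor context at the top of the second hunk still shows only `delete interp;`, so the `conn` allocated in the constructor is still leaked. Once `done` is set, `DeliverStream` returns false without calling `Action::DeliverStream`, which may be intended (stop the action) but deserves a one-line comment saying so.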
@@ -14,16 +14,19 @@ namespace file_analysis { */ class PE_Analyzer : Action { public: - static Action* Instantiate(RecordVal* args, Info* info); + static Action* Instantiate(RecordVal* args, File* file); ~PE_Analyzer(); virtual bool DeliverStream(const u_char* data, uint64 len); + virtual bool EndOfFile(); + protected: - PE_Analyzer(RecordVal* args, Info* info); + PE_Analyzer(RecordVal* args, File* file); binpac::PE::File* interp; binpac::PE::MockConnection* conn; + bool done; }; } // namespace file_analysis diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index d0407f348a..18efc1d54a 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac 
@@ -1,26 +1,55 @@ %extern{ #include "Event.h" +#include "file_analysis/File.h" #include "file_analysis.bif.func_h" %} refine flow File += { - function proc_dos_header(h: DOS_Header) : bool + function proc_the_file(): bool %{ - BifEvent::FileAnalysis::generate_windows_pe_dosstub((Analyzer *) connection()->bro_analyzer(), - //(Val *) connection()->bro_analyzer()->GetInfo(), - //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()), - ${h.AddressOfNewExeHeader}-64); + printf("ending the flow!\n"); + connection()->bro_analyzer()->EndOfFile(); + connection()->FlowEOF(true); + connection()->FlowEOF(false); return true; %} - function proc_pe_header(h: IMAGE_NT_HEADERS) : bool + function proc_dos_header(h: DOS_Header): bool %{ - BifEvent::FileAnalysis::generate_windows_pe_timestamp((Analyzer *) connection()->bro_analyzer(), - //(Val *) connection()->bro_analyzer()->GetInfo(), - //new StringVal(${h.signature}.length(), (const char*) ${h.signature}.begin()), - ${h.FileHeader.TimeDateStamp}); + BifEvent::generate_file_pe_dosstub((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + ${h.AddressOfNewExeHeader}-64); + return true; + %} + + function proc_pe_header(h: IMAGE_NT_HEADERS): bool + %{ + BifEvent::generate_file_pe_timestamp((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + ${h.file_header.TimeDateStamp}); + return true; + %} + + + function proc_section_header(h: IMAGE_SECTION_HEADER): bool + %{ + RecordVal* section_header = new RecordVal(BifType::Record::PESectionHeader); + section_header->Assign(0, new StringVal(${h.name}.length(), (const char*) ${h.name}.data())); + section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT)); + section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT)); + section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT)); + section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT)); 
+ section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT)); + section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT)); + section_header->Assign(7, new Val(${h.non_used_num_of_relocs}, TYPE_COUNT)); + section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT)); + section_header->Assign(9, new Val(${h.characteristics}, TYPE_COUNT)); + + BifEvent::generate_file_pe_section_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + section_header); return true; %} }; @@ -33,3 +62,10 @@ refine typeattr IMAGE_NT_HEADERS += &let { proc : bool = $context.flow.proc_pe_header(this); }; +refine typeattr IMAGE_SECTION_HEADER += &let { + proc: bool = $context.flow.proc_section_header(this); +}; + +refine typeattr TheFile += &let { + proc: bool = $context.flow.proc_the_file(); +}; \ No newline at end of file diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 5854fd2bd8..bedfb35204 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac 
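Review bot: `proc_the_file` calls `connection()->FlowEOF(true)`, `connection()->FlowEOF(false)` and the analyzer's `EndOfFile()` from inside a `&let` that is evaluated while the same flow is still executing `NewData`, so the parser is driven to end-of-flow on its own call stack; whether the generated code tolerates that re-entry is not visible here, but it is fragile at best. A safer way to stop after the headers is to record completion on the C++ analyzer (a flag or an exception caught in DeliverStream) and let the analyzer stop accepting data from the outside. The `printf("ending the flow!\n")` is debug output that should not be committed.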
@@ -1,12 +1,15 @@ type TheFile = record { - dos_header : DOS_Header; - dos_code : bytestring &length=(dos_header.AddressOfNewExeHeader - 64); - pe_header : IMAGE_NT_HEADERS; - pad : bytestring &length=1316134912 &transient; + dos_header : DOS_Header; + dos_code : bytestring &length=dos_code_len; + pe_header : IMAGE_NT_HEADERS; + sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; + #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); + #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; + #pad : bytestring &restofdata; } &let { - dos_code_len: uint32 = (dos_header.AddressOfNewExeHeader - 64); -} &transient &byteorder=littleendian; + dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; +} &byteorder=littleendian; type DOS_Header = record { signature : bytestring &length=2; @@ -32,9 +35,9 @@ type DOS_Header = record { type IMAGE_NT_HEADERS = record { PESignature : uint32; - FileHeader : IMAGE_FILE_HEADER; - OptionalHeader : OPTIONAL_HEADER(FileHeader.SizeOfOptionalHeader); -} &byteorder=littleendian &length=FileHeader.SizeOfOptionalHeader+offsetof(OptionalHeader); + file_header : IMAGE_FILE_HEADER; + OptionalHeader : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader); +} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(OptionalHeader); type IMAGE_FILE_HEADER = record { Machine : uint16; 
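Review bot: `dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64` wraps to a value near 4 GiB whenever the file's e_lfanew field is below 64, and `dos_code : bytestring &length=dos_code_len` then makes the parser wait for and buffer that much input, all from a value taken straight from the untrusted file. Validate the field before using it as a length, e.g. `dos_code_len: uint32 = dos_header.AddressOfNewExeHeader >= 64 ? dos_header.AddressOfNewExeHeader - 64 : 0;`, and consider an upper bound as well so a hostile header cannot pin a large buffer per file. The same derived length is later handed to `DOS_Code(dos_code_len)` in the follow-up pe-file.pac hunk, so a check here covers both.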
@@ -46,16 +49,8 @@ type IMAGE_FILE_HEADER = record { Characteristics : uint16; }; -type OPTIONAL_HEADER(len: uint16) = record { - OptionalHeaderMagic : uint16; - Header : case OptionalHeaderMagic of { - 0x0b01 -> OptionalHeader32 : IMAGE_OPTIONAL_HEADER32; - 0x0b02 -> OptionalHeader64 : IMAGE_OPTIONAL_HEADER64; - default -> InvalidPEFile : bytestring &restofdata; - }; -} &length=len; - -type IMAGE_OPTIONAL_HEADER32 = record { +type IMAGE_OPTIONAL_HEADER(len: uint16) = record { + magic : uint16; major_linker_version : uint8; minor_linker_version : uint8; size_of_code : uint32; 
@@ -79,14 +74,56 @@ type IMAGE_OPTIONAL_HEADER32 = record { checksum : uint32; subsystem : uint16; dll_characteristics : uint16; - size_of_stack_reserve : uint32; - size_of_stack_commit : uint32; - size_of_heap_reserve : uint32; - size_of_heap_commit : uint32; + mem: case magic of { + 0x0b01 -> i32 : MEM_INFO32; + 0x0b02 -> i64 : MEM_INFO64; + default -> InvalidPEFile : bytestring &length=0; + }; loader_flags : uint32; number_of_rva_and_sizes : uint32; -} &byteorder=littleendian; +} &byteorder=littleendian &length=len; -type IMAGE_OPTIONAL_HEADER64 = record { +type MEM_INFO32 = record { + size_of_stack_reserve : uint32; + size_of_stack_commit : uint32; + size_of_heap_reserve : uint32; + size_of_heap_commit : uint32; +} &byteorder=littleendian &length=16; -} &byteorder=littleendian; +type MEM_INFO64 = record { + size_of_stack_reserve : uint64; + size_of_stack_commit : uint64; + size_of_heap_reserve : uint64; + size_of_heap_commit : uint64; +} &byteorder=littleendian &length=32; + +type IMAGE_SECTION_HEADER = record { + name : bytestring &length=8; + virtual_size : uint32; + virtual_addr : uint32; + size_of_raw_data : uint32; + ptr_to_raw_data : uint32; + non_used_ptr_to_relocs : uint32; + non_used_ptr_to_line_nums : uint32; + non_used_num_of_relocs : uint16; + non_used_num_of_line_nums : uint16; + characteristics : uint32; +} &byteorder=littleendian &length=40; + + +type IMAGE_DATA_DIRECTORY = record { + virtual_address : uint32; + size : uint16; +}; + +type IMAGE_IMPORT_DIRECTORY = record { + rva_import_lookup_table : uint32; + time_date_stamp : uint32; + forwarder_chain : uint32; + rva_module_name : uint32; + rva_import_addr_table : uint32; +}; + +type DATA_SECTIONS = record { + blah: bytestring &length=10; +}; \ No newline at end of file diff --git a/src/types.bif b/src/types.bif index b69239487b..4999e221e5 100644 --- a/src/types.bif +++ b/src/types.bif 
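Review bot: The `mem: case magic of` arms compare against `0x0b01` and `0x0b02`, but `magic : uint16` is decoded under `&byteorder=littleendian`, so the on-disk bytes `0b 01` of a PE32 image yield `0x010b` (and PE32+ `0x020b`); neither arm can ever match, every file takes `default -> InvalidPEFile : bytestring &length=0`, and `loader_flags` and `number_of_rva_and_sizes` are then read from the wrong offset. The arms should read `0x010b -> i32 : MEM_INFO32;` and `0x020b -> i64 : MEM_INFO64;`; the later pe-file.pac hunk in this series reindents the block but keeps the same constants. Separately, `IMAGE_DATA_DIRECTORY.size : uint16` does not match the 32-bit Size member of that structure in the PE format; the type is unused in this hunk, but anything built on it later will be misaligned.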
@@ -163,6 +163,8 @@ type ModbusHeaders: record; type ModbusCoils: vector; type ModbusRegisters: vector; +type PESectionHeader: record; + module Log; enum Writer %{ @@ -248,6 +250,9 @@ enum Action %{ ## Deliver the file contents to the script-layer in an event. ACTION_DATA_EVENT, + + ## Windows executable analyzer + ACTION_PE_ANALYZER, %} module GLOBAL; From 317252b5aeec2c1e04c46a8bb37af53f6d1e5270 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 25 Apr 2013 13:44:12 -0400 Subject: [PATCH 007/711] Another checkpoint --- scripts/base/init-bare.bro | 35 +++++++++++++++++++++ src/binpac_bro.h | 4 +-- src/file_analysis/AnalyzerSet.cc | 2 ++ src/file_analysis/analyzers/PE.cc | 29 ++++++----------- src/file_analysis/analyzers/PE.h | 9 +++--- src/file_analysis/analyzers/pe-analyzer.pac | 5 +-- src/file_analysis/analyzers/pe-file.pac | 7 ++--- src/types.bif | 4 +++ 8 files changed, 62 insertions(+), 33 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b8993606d3..e99feeef76 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -2489,6 +2489,41 @@ type irc_join_info: record { ## .. bro:see:: irc_join_message type irc_join_list: set[irc_join_info]; +type PEHeader: record { +# Machine : count; +# TimeDateStamp : time; +# magic : uint16; +# major_linker_version : uint8; +# minor_linker_version : uint8; +# size_of_code : uint32; +# size_of_init_data : uint32; +# size_of_uninit_data : uint32; +# addr_of_entry_point : uint32; +# base_of_code : uint32; +# base_of_data : uint32; +# image_base : uint32; +# section_alignment : uint32; +# file_alignment : uint32; +# os_version_major : uint16; +# os_version_minor : uint16; +# major_image_version : uint16; +# minor_image_version : uint16; +# major_subsys_version : uint16; +# minor_subsys_version : uint16; +# win32_version : uint32; +# size_of_image : uint32; +# checksum : uint32; +# subsystem : uint16; +# mem: case magic of { +# 0x0b01 -> i32 : MEM_INFO32; +# 0x0b02 -> i64 : MEM_INFO64; +# default -> InvalidPEFile : empty; +# }; +# loader_flags : uint32; +# number_of_rva_and_sizes : uint32; +# +}; + ## Record for Portable Executable (PE) section headers. type PESectionHeader: record { name : string; diff --git a/src/binpac_bro.h b/src/binpac_bro.h index 1f63808c10..03857179f1 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h @@ -7,7 +7,7 @@ class PortVal; #include "util.h" #include "Analyzer.h" -#include "file_analysis/Action.h" +#include "file_analysis/Analyzer.h" #include "Val.h" #include "event.bif.func_h" @@ -16,7 +16,7 @@ class PortVal; namespace binpac { typedef Analyzer* BroAnalyzer; -typedef file_analysis::Action BroFileAnalyzer; +typedef file_analysis::Analyzer BroFileAnalyzer; typedef Val* BroVal; typedef PortVal* BroPortVal; typedef StringVal* BroStringVal; diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index bdf23c2446..5959279f61 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc 
@@ -4,6 +4,7 @@ #include "Extract.h" #include "DataEvent.h" #include "Hash.h" +#include "analyzers/PE.h" using namespace file_analysis; @@ -14,6 +15,7 @@ static AnalyzerInstantiator analyzer_factory[] = { file_analysis::SHA1::Instantiate, file_analysis::SHA256::Instantiate, file_analysis::DataEvent::Instantiate, + file_analysis::PE::Instantiate, }; static void analyzer_del_func(void* v) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index c15b6ba739..662ea1f3e4 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -7,38 +7,29 @@ using namespace file_analysis; -PE_Analyzer::PE_Analyzer(RecordVal* args, File* file) - : Action(args, file) +PE::PE(RecordVal* args, File* file) + : file_analysis::Analyzer(args, file) { conn = new binpac::PE::MockConnection(this); interp = new binpac::PE::File(conn); done=false; } -PE_Analyzer::~PE_Analyzer() +PE::~PE() { delete interp; } -Action* PE_Analyzer::Instantiate(RecordVal* args, File* file) +bool PE::DeliverStream(const u_char* data, uint64 len) { - return new PE_Analyzer(args, file); - } - -bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) - { - printf("deliver stream\n"); - if (done) - { - printf("analyzer done\n"); - return false; - } - - Action::DeliverStream(data, len); try { interp->NewData(data, data + len); } + catch ( const binpac::HaltParser &e ) + { + return false; + } catch ( const binpac::Exception& e ) { printf("Binpac exception: %s\n", e.c_msg()); @@ -48,9 +39,9 @@ bool PE_Analyzer::DeliverStream(const u_char* data, uint64 len) return true; } -bool PE_Analyzer::EndOfFile() +bool PE::EndOfFile() { printf("end of file!\n"); - done=true; + //throw binpac::HaltParser(); return false; } diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzers/PE.h index 6f25e19723..1fd67c22db 100644 --- a/src/file_analysis/analyzers/PE.h +++ b/src/file_analysis/analyzers/PE.h 
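Review bot: After `catch ( const binpac::Exception& e )` DeliverStream only prints the message and then falls through to the `return true;` shown as context in the following hunk, so the file manager keeps streaming the rest of the file into a parser that has already thrown. Return `false` there, as the new `binpac::HaltParser` branch does, and route the text through the reporter (or a weird) instead of `printf` to stdout, which is not where operators look for analyzer diagnostics. `done` is still set in the constructor but no longer read anywhere in this file after the hunk, and the `conn` object allocated there is still not released by the destructor.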
@@ -12,18 +12,19 @@ namespace file_analysis { /** * An action to simply extract files to disk. */ -class PE_Analyzer : Action { +class PE : public file_analysis::Analyzer { public: - static Action* Instantiate(RecordVal* args, File* file); + ~PE(); - ~PE_Analyzer(); + static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) + { return new PE(args, file); } virtual bool DeliverStream(const u_char* data, uint64 len); virtual bool EndOfFile(); protected: - PE_Analyzer(RecordVal* args, File* file); + PE(RecordVal* args, File* file); binpac::PE::File* interp; binpac::PE::MockConnection* conn; bool done; diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index 18efc1d54a..fdba29a5bb 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -9,10 +9,7 @@ refine flow File += { function proc_the_file(): bool %{ - printf("ending the flow!\n"); - connection()->bro_analyzer()->EndOfFile(); - connection()->FlowEOF(true); - connection()->FlowEOF(false); + throw binpac::HaltParser(); return true; %} diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index bedfb35204..84b26381b4 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -6,7 +6,6 @@ type TheFile = record { sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; - #pad : bytestring &restofdata; } &let { dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; } &byteorder=littleendian; 
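Review bot: The class comment kept above `class PE : public file_analysis::Analyzer` still reads "An action to simply extract files to disk.", which describes the Extract analyzer rather than this one; replace it with something like `/** File analyzer that parses the DOS, NT and section headers of Windows PE files and raises the corresponding events. */`. The `bool done;` member survives although nothing in the accompanying PE.cc hunk reads it any more, so it can go. Since the constructor is `protected` and `Instantiate` is the only creation path, a one-line comment on `Instantiate` saying it is the factory entry registered in AnalyzerSet would help the next reader.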
@@ -75,9 +74,9 @@ type IMAGE_OPTIONAL_HEADER(len: uint16) = record { subsystem : uint16; dll_characteristics : uint16; mem: case magic of { - 0x0b01 -> i32 : MEM_INFO32; - 0x0b02 -> i64 : MEM_INFO64; - default -> InvalidPEFile : bytestring &length=0; + 0x0b01 -> i32 : MEM_INFO32; + 0x0b02 -> i64 : MEM_INFO64; + default -> InvalidPEFile : empty; }; loader_flags : uint32; number_of_rva_and_sizes : uint32; diff --git a/src/types.bif b/src/types.bif index fa9539dcbc..ca84794865 100644 --- a/src/types.bif +++ b/src/types.bif @@ -163,6 +163,7 @@ type ModbusHeaders: record; type ModbusCoils: vector; type ModbusRegisters: vector; +type PEHeader: record; type PESectionHeader: record; module Log; @@ -250,6 +251,9 @@ enum Analyzer %{ ## Deliver the file contents to the script-layer in an event. ANALYZER_DATA_EVENT, + + ## Pass the file to the PE analyzer. + ANALYZER_PE, %} module GLOBAL; From d1dd4cb688d1c3f63ddd00fc465a75a4f9999f64 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 15 May 2013 21:33:14 -0400 Subject: [PATCH 008/711] PE analyzer checkpoint --- scripts/base/init-bare.bro | 96 +++++++---- scripts/base/init-default.bro | 2 + src/event.bif | 8 +- src/file_analysis/analyzers/PE.cc | 2 - src/file_analysis/analyzers/pe-analyzer.pac | 168 +++++++++++++++++--- src/file_analysis/analyzers/pe-file.pac | 12 +- src/types.bif | 6 +- 7 files changed, 224 insertions(+), 70 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index e99feeef76..3150dfc9e0 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -2489,43 +2489,67 @@ type irc_join_info: record { ## .. bro:see:: irc_join_message type irc_join_list: set[irc_join_info]; -type PEHeader: record { -# Machine : count; -# TimeDateStamp : time; -# magic : uint16; -# major_linker_version : uint8; -# minor_linker_version : uint8; -# size_of_code : uint32; -# size_of_init_data : uint32; -# size_of_uninit_data : uint32; -# addr_of_entry_point : uint32; -# base_of_code : uint32; -# base_of_data : uint32; -# image_base : uint32; -# section_alignment : uint32; -# file_alignment : uint32; -# os_version_major : uint16; -# os_version_minor : uint16; -# major_image_version : uint16; -# minor_image_version : uint16; -# major_subsys_version : uint16; -# minor_subsys_version : uint16; -# win32_version : uint32; -# size_of_image : uint32; -# checksum : uint32; -# subsystem : uint16; -# mem: case magic of { -# 0x0b01 -> i32 : MEM_INFO32; -# 0x0b02 -> i64 : MEM_INFO64; -# default -> InvalidPEFile : empty; -# }; -# loader_flags : uint32; -# number_of_rva_and_sizes : uint32; -# +module PE; +export { +type PE::DOSHeader: record { + signature : string; + used_bytes_in_last_page : count; + file_in_pages : count; + num_reloc_items : count; + header_in_paragraphs : count; + min_extra_paragraphs : count; + max_extra_paragraphs : count; + init_relative_ss : count; + init_sp : count; + checksum : count; + init_ip : count; + init_relative_cs : count; + addr_of_reloc_table : count; + overlay_num : count; + oem_id : count; + oem_info : count; + addr_of_new_exe_header : count; +}; + +type PE::FileHeader: record { + machine : count; + ts : time; + sym_table_ptr : count; + num_syms : count; + characteristics : set[count]; +}; + +type PE::OptionalHeader: record { + magic : count; + major_linker_version : count; + minor_linker_version : count; + size_of_code : count; + size_of_init_data : count; + size_of_uninit_data : count; + addr_of_entry_point : count; + base_of_code : count; + base_of_data : count; + image_base : count; + section_alignment : 
count; + file_alignment : count; + os_version_major : count; + os_version_minor : count; + major_image_version : count; + minor_image_version : count; + major_subsys_version : count; + minor_subsys_version : count; + win32_version : count; + size_of_image : count; + size_of_headers : count; + checksum : count; + subsystem : count; + dll_characteristics : set[count]; + loader_flags : count; + number_of_rva_and_sizes : count; }; ## Record for Portable Executable (PE) section headers. -type PESectionHeader: record { +type PE::SectionHeader: record { name : string; virtual_size : count; virtual_addr : count; @@ -2535,8 +2559,10 @@ type PESectionHeader: record { non_used_ptr_to_line_nums : count; non_used_num_of_relocs : count; non_used_num_of_line_nums : count; - characteristics : count; + characteristics : set[count]; }; +} +module GLOBAL; ## Deprecated. ## diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 8b36899f10..ad66ab469b 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -44,4 +44,6 @@ @load base/protocols/ssl @load base/protocols/syslog +@load base/files/pe + @load base/misc/find-checksum-offloading diff --git a/src/event.bif b/src/event.bif index 7a99c20e37..30b3191734 100644 --- a/src/event.bif +++ b/src/event.bif @@ -7059,10 +7059,10 @@ event file_state_remove%(f: fa_file%); event file_hash%(f: fa_file, kind: string, hash: string%); -event file_pe_dosstub%(f: fa_file, checksum: count%); -event file_pe_timestamp%(f: fa_file, ts: time%); -event file_pe_section_header%(f: fa_file, h: PESectionHeader%); - +event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); +event pe_file_header%(f: fa_file, h: PE::FileHeader%); +event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); +event pe_section_header%(f: fa_file, h: PE::SectionHeader%); ## Deprecated. Will be removed. event stp_create_endp%(c: connection, e: int, is_orig: bool%); 
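Review bot: The exported `PE::OptionalHeader` record fixes `image_base` as a single `count` and always carries `base_of_data`, but in the PE32+ layout (`magic` 0x20b) the image base is 64 bits wide and there is no base_of_data member; if the binpac side keeps reading these as fixed 32-bit fields for every magic (the optional-header hunk earlier in this series switches only the stack/heap block on magic), PE32+ files will fill these fields from shifted offsets. Declaring `base_of_data : count &optional;` and parsing the field width by magic would let the record stay truthful. None of the new `PE::DOSHeader`, `PE::FileHeader` and `PE::OptionalHeader` records carry the `##` doc comments this script uses for exported types (`## Record for Portable Executable (PE) section headers.` just below is the pattern), so they will be missing from the generated reference; one `##` line per record naming the on-disk header it mirrors is enough.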
diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzers/PE.cc index 662ea1f3e4..51db8fd232 100644 --- a/src/file_analysis/analyzers/PE.cc +++ b/src/file_analysis/analyzers/PE.cc @@ -41,7 +41,5 @@ bool PE::DeliverStream(const u_char* data, uint64 len) bool PE::EndOfFile() { - printf("end of file!\n"); - //throw binpac::HaltParser(); return false; } diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index fdba29a5bb..e6a39ae1dc 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac 
@@ -13,40 +13,156 @@ refine flow File += { return true; %} + function characteristics_to_bro(c: uint32, len: uint8): TableVal + %{ + uint64 mask = (len==16) ? 0xFFFF : 0xFFFFFFFF; + TableVal* char_set = new TableVal(internal_type("count_set")->AsTableType()); + for ( uint16 i=0; i < len; ++i ) + { + if ( ((c >> i) & 0x1) == 1 ) + { + Val *ch = new Val((1<Assign(ch, 0); + Unref(ch); + } + } + return char_set; + %} + function proc_dos_header(h: DOS_Header): bool %{ - BifEvent::generate_file_pe_dosstub((Analyzer *) connection()->bro_analyzer(), - connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), - ${h.AddressOfNewExeHeader}-64); + if ( pe_dos_header ) + { + RecordVal* dh = new RecordVal(BifType::Record::PE::DOSHeader); + dh->Assign(0, new StringVal(${h.signature}.length(), (const char*) ${h.signature}.data())); + dh->Assign(1, new Val(${h.UsedBytesInTheLastPage}, TYPE_COUNT)); + dh->Assign(2, new Val(${h.FileSizeInPages}, TYPE_COUNT)); + dh->Assign(3, new Val(${h.NumberOfRelocationItems}, TYPE_COUNT)); + dh->Assign(4, new Val(${h.HeaderSizeInParagraphs}, TYPE_COUNT)); + dh->Assign(5, new Val(${h.MinimumExtraParagraphs}, TYPE_COUNT)); + dh->Assign(6, new Val(${h.MaximumExtraParagraphs}, TYPE_COUNT)); + dh->Assign(7, new Val(${h.InitialRelativeSS}, TYPE_COUNT)); + dh->Assign(8, new Val(${h.InitialSP}, TYPE_COUNT)); + dh->Assign(9, new Val(${h.Checksum}, TYPE_COUNT)); + dh->Assign(10, new Val(${h.InitialIP}, TYPE_COUNT)); + dh->Assign(11, new Val(${h.InitialRelativeCS}, TYPE_COUNT)); + dh->Assign(12, new Val(${h.AddressOfRelocationTable}, TYPE_COUNT)); + dh->Assign(13, new Val(${h.OverlayNumber}, TYPE_COUNT)); + dh->Assign(14, new Val(${h.OEMid}, TYPE_COUNT)); + dh->Assign(15, new Val(${h.OEMinfo}, TYPE_COUNT)); + dh->Assign(16, new Val(${h.AddressOfNewExeHeader}, TYPE_COUNT)); + + BifEvent::generate_pe_dos_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + dh); + } return true; %} - function 
proc_pe_header(h: IMAGE_NT_HEADERS): bool + function proc_nt_headers(h: IMAGE_NT_HEADERS): bool %{ - BifEvent::generate_file_pe_timestamp((Analyzer *) connection()->bro_analyzer(), - connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), - ${h.file_header.TimeDateStamp}); + if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0" + { + return false; + // FileViolation("PE Header signature is incorrect."); + } return true; %} + function proc_file_header(h: IMAGE_FILE_HEADER): bool + %{ + if ( pe_file_header ) + { + RecordVal* fh = new RecordVal(BifType::Record::PE::FileHeader); + fh->Assign(0, new Val(${h.Machine}, TYPE_COUNT)); + fh->Assign(1, new Val(static_cast(${h.TimeDateStamp}), TYPE_TIME)); + fh->Assign(2, new Val(${h.PointerToSymbolTable}, TYPE_COUNT)); + fh->Assign(3, new Val(${h.NumberOfSymbols}, TYPE_COUNT)); + fh->Assign(4, characteristics_to_bro(${h.Characteristics}, 16)); + BifEvent::generate_pe_file_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + fh); + } + + return true; + %} + + function proc_optional_header(h: IMAGE_OPTIONAL_HEADER): bool + %{ + if ( ${h.magic} != 0x10b && // normal pe32 executable + ${h.magic} != 0x107 && // rom image + ${h.magic} != 0x20b ) // pe32+ executable + { + return false; + // FileViolation("PE Optional Header magic is invalid."); + } + + if ( pe_optional_header ) + { + RecordVal* oh = new RecordVal(BifType::Record::PE::OptionalHeader); + + oh->Assign(0, new Val(${h.magic}, TYPE_COUNT)); + oh->Assign(1, new Val(${h.major_linker_version}, TYPE_COUNT)); + oh->Assign(2, new Val(${h.minor_linker_version}, TYPE_COUNT)); + oh->Assign(3, new Val(${h.size_of_code}, TYPE_COUNT)); + oh->Assign(4, new Val(${h.size_of_init_data}, TYPE_COUNT)); + oh->Assign(5, new Val(${h.size_of_uninit_data}, TYPE_COUNT)); + oh->Assign(6, new Val(${h.addr_of_entry_point}, TYPE_COUNT)); + oh->Assign(7, new Val(${h.base_of_code}, TYPE_COUNT)); + oh->Assign(8, new 
Val(${h.base_of_data}, TYPE_COUNT)); + oh->Assign(9, new Val(${h.image_base}, TYPE_COUNT)); + oh->Assign(10, new Val(${h.section_alignment}, TYPE_COUNT)); + oh->Assign(11, new Val(${h.file_alignment}, TYPE_COUNT)); + oh->Assign(12, new Val(${h.os_version_major}, TYPE_COUNT)); + oh->Assign(13, new Val(${h.os_version_minor}, TYPE_COUNT)); + oh->Assign(14, new Val(${h.major_image_version}, TYPE_COUNT)); + oh->Assign(15, new Val(${h.minor_image_version}, TYPE_COUNT)); + oh->Assign(16, new Val(${h.minor_subsys_version}, TYPE_COUNT)); + oh->Assign(17, new Val(${h.minor_subsys_version}, TYPE_COUNT)); + oh->Assign(18, new Val(${h.win32_version}, TYPE_COUNT)); + oh->Assign(19, new Val(${h.size_of_image}, TYPE_COUNT)); + oh->Assign(20, new Val(${h.size_of_headers}, TYPE_COUNT)); + oh->Assign(21, new Val(${h.checksum}, TYPE_COUNT)); + oh->Assign(22, new Val(${h.subsystem}, TYPE_COUNT)); + oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16)); + oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT)); + oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT)); + BifEvent::generate_pe_optional_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + oh); + } + return true; + %} function proc_section_header(h: IMAGE_SECTION_HEADER): bool %{ - RecordVal* section_header = new RecordVal(BifType::Record::PESectionHeader); - section_header->Assign(0, new StringVal(${h.name}.length(), (const char*) ${h.name}.data())); - section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT)); - section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT)); - section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT)); - section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT)); - section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT)); - section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT)); - section_header->Assign(7, new 
Val(${h.non_used_num_of_relocs}, TYPE_COUNT)); - section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT)); - section_header->Assign(9, new Val(${h.characteristics}, TYPE_COUNT)); + if ( pe_section_header ) + { + RecordVal* section_header = new RecordVal(BifType::Record::PE::SectionHeader); - BifEvent::generate_file_pe_section_header((Analyzer *) connection()->bro_analyzer(), - connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), - section_header); + // Strip null characters from the end of the section name. + u_char* first_null = (u_char*) memchr(${h.name}.data(), 0, ${h.name}.length()); + uint16 name_len; + if ( first_null == NULL ) + name_len = ${h.name}.length(); + else + name_len = first_null - ${h.name}.data(); + section_header->Assign(0, new StringVal(name_len, (const char*) ${h.name}.data())); + + section_header->Assign(1, new Val(${h.virtual_size}, TYPE_COUNT)); + section_header->Assign(2, new Val(${h.virtual_addr}, TYPE_COUNT)); + section_header->Assign(3, new Val(${h.size_of_raw_data}, TYPE_COUNT)); + section_header->Assign(4, new Val(${h.ptr_to_raw_data}, TYPE_COUNT)); + section_header->Assign(5, new Val(${h.non_used_ptr_to_relocs}, TYPE_COUNT)); + section_header->Assign(6, new Val(${h.non_used_ptr_to_line_nums}, TYPE_COUNT)); + section_header->Assign(7, new Val(${h.non_used_num_of_relocs}, TYPE_COUNT)); + section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT)); + section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32)); + + BifEvent::generate_pe_section_header((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + section_header); + } return true; %} }; 
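Review bot: In `proc_optional_header`, `oh->Assign(16, ...)` and `oh->Assign(17, ...)` both read `${h.minor_subsys_version}`, while field 16 of the `PE::OptionalHeader` record declared in this series is `major_subsys_version`; the first line should be `oh->Assign(16, new Val(${h.major_subsys_version}, TYPE_COUNT));`. In `characteristics_to_bro` the bit value is built with a `1<<i` shift for `i` up to 31 (the line is partly garbled in this rendering), which shifts a signed `int` into the sign bit; use an unsigned operand such as `(uint32) 1 << i`, and drop the `mask` local, which is computed and never used. `proc_nt_headers` and `proc_optional_header` `return false` on a bad signature or magic, but the `&let proc` fields that invoke them discard the result, so parsing continues into the remaining headers on data already known to be invalid; throwing `binpac::HaltParser()` or raising a file-level violation there, as the commented-out `FileViolation` calls suggest was intended, is what actually stops the analyzer. The magic check also accepts `0x107` (ROM image) although the rest of the record assumes the PE32/PE32+ field layout.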
@@ -56,7 +172,15 @@ refine typeattr DOS_Header += &let { }; refine typeattr IMAGE_NT_HEADERS += &let { - proc : bool = $context.flow.proc_pe_header(this); + proc : bool = $context.flow.proc_nt_headers(this); +}; + +refine typeattr IMAGE_FILE_HEADER += &let { + proc : bool = $context.flow.proc_file_header(this); +}; + +refine typeattr IMAGE_OPTIONAL_HEADER += &let { + proc : bool = $context.flow.proc_optional_header(this); }; refine typeattr IMAGE_SECTION_HEADER += &let { diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 84b26381b4..5c56775538 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac @@ -6,8 +6,10 @@ type TheFile = record { sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; + data_sections : DATA_SECTIONS[] &length=data_len; } &let { dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; + data_len: uint32 = pe_header.optional_header.size_of_init_data; } &byteorder=littleendian; type DOS_Header = record { @@ -33,10 +35,10 @@ type DOS_Header = record { } &byteorder=littleendian &length=64; type IMAGE_NT_HEADERS = record { - PESignature : uint32; - file_header : IMAGE_FILE_HEADER; - OptionalHeader : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader); -} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(OptionalHeader); + PESignature : uint32; + file_header : IMAGE_FILE_HEADER; + optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader) &length=file_header.SizeOfOptionalHeader; +} &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header); type IMAGE_FILE_HEADER = record { Machine : uint16; 
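Review bot: `data_sections : DATA_SECTIONS[] &length=data_len` with `data_len: uint32 = pe_header.optional_header.size_of_init_data` turns a file-supplied 32-bit size into the byte length of an array of parsed records, and the array is not `&transient`, so a crafted header can make the parser retain one DATA_SECTIONS object per element across up to 4 GiB of input; with the `blah: uint8` change in the later pe-file.pac hunk that becomes one heap object per byte. Until the data directories are actually interpreted, read this region as a single `&transient` bytestring, or bound `data_len` against a sane maximum before it is used. In the PE format SizeOfInitializedData is a sum over sections rather than the extent of one contiguous region, so the value is the wrong length as well as an unbounded one.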
@@ -124,5 +126,5 @@ type IMAGE_IMPORT_DIRECTORY = record { }; type DATA_SECTIONS = record { - blah: bytestring &length=10; + blah: uint8; }; \ No newline at end of file diff --git a/src/types.bif b/src/types.bif index ca84794865..f43abf9a81 100644 --- a/src/types.bif +++ b/src/types.bif @@ -163,8 +163,10 @@ type ModbusHeaders: record; type ModbusCoils: vector; type ModbusRegisters: vector; -type PEHeader: record; -type PESectionHeader: record; +type PE::DOSHeader: record; +type PE::FileHeader: record; +type PE::OptionalHeader: record; +type PE::SectionHeader: record; module Log; From 7ff8c1ebdd01f69ccd664e347d801beb91ce2a31 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 15 May 2013 23:33:37 -0400 Subject: [PATCH 009/711] Add the PE analyzer back in as a registered file analyzer. --- src/file_analysis.bif | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/file_analysis.bif b/src/file_analysis.bif index cdece0d350..52ede9292e 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif @@ -25,6 +25,9 @@ enum Analyzer %{ ## Deliver the file contents to the script-layer in an event. ANALYZER_DATA_EVENT, + + ## Pass the file to the PE analyzer. + ANALYZER_PE, %} ## :bro:see:`FileAnalysis::postpone_timeout`. From a65966c2d1c500a59f05c48647deeff5a2f4391a Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 15 May 2013 23:34:01 -0400 Subject: [PATCH 010/711] Make the dos code available in script land. --- src/event.bif | 1 + src/file_analysis/analyzers/pe-analyzer.pac | 15 +++++++++++++++ src/file_analysis/analyzers/pe-file.pac | 6 +++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/event.bif b/src/event.bif index ae8ede439f..e43f979aa5 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -7060,6 +7060,7 @@ event file_hash%(f: fa_file, kind: string, hash: string%); event pe_dos_header%(f: fa_file, h: PE::DOSHeader%); +event pe_dos_code%(f: fa_file, code: string%); event pe_file_header%(f: fa_file, h: PE::FileHeader%); event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%); event pe_section_header%(f: fa_file, h: PE::SectionHeader%); diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzers/pe-analyzer.pac index e6a39ae1dc..341a3efbec 100644 --- a/src/file_analysis/analyzers/pe-analyzer.pac +++ b/src/file_analysis/analyzers/pe-analyzer.pac @@ -59,6 +59,17 @@ refine flow File += { return true; %} + function proc_dos_code(code: bytestring): bool + %{ + if ( pe_dos_code ) + { + BifEvent::generate_pe_dos_code((Analyzer *) connection()->bro_analyzer(), + connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), + new StringVal(code.length(), (const char*) code.data())); + } + return true; + %} + function proc_nt_headers(h: IMAGE_NT_HEADERS): bool %{ if ( ${h.PESignature} != 17744 ) // Number is uint32 version of "PE\0\0" @@ -171,6 +182,10 @@ refine typeattr DOS_Header += &let { proc : bool = $context.flow.proc_dos_header(this); }; +refine typeattr DOS_Code += &let { + proc : bool = $context.flow.proc_dos_code(code); +}; + refine typeattr IMAGE_NT_HEADERS += &let { proc : bool = $context.flow.proc_nt_headers(this); }; diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzers/pe-file.pac index 5c56775538..041f2bbdb4 100644 --- a/src/file_analysis/analyzers/pe-file.pac +++ b/src/file_analysis/analyzers/pe-file.pac 
@@ -1,7 +1,7 @@ type TheFile = record { dos_header : DOS_Header; - dos_code : bytestring &length=dos_code_len; + dos_code : DOS_Code(dos_code_len); pe_header : IMAGE_NT_HEADERS; sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); @@ -34,6 +34,10 @@ type DOS_Header = record { AddressOfNewExeHeader : uint32; } &byteorder=littleendian &length=64; +type DOS_Code(len: uint32) = record { + code : bytestring &length=len; +}; + type IMAGE_NT_HEADERS = record { PESignature : uint32; file_header : IMAGE_FILE_HEADER; From 4b81030e3fa1af540aa1537337f7ab5888470720 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Thu, 18 Jul 2013 19:40:34 -0400 Subject: [PATCH 011/711] Merge topic/seth/faf-updates. --- src/analyzer/protocol/sip/CMakeLists.txt | 10 ++ src/analyzer/protocol/sip/Plugin.cc | 10 ++ src/analyzer/protocol/sip/SIP.cc | 36 +++++ src/analyzer/protocol/sip/SIP.h | 34 +++++ src/analyzer/protocol/sip/TODO | 1 + src/analyzer/protocol/sip/events.bif | 24 +++ src/analyzer/protocol/sip/sip-analyzer.pac | 167 +++++++++++++++++++++ src/analyzer/protocol/sip/sip-protocol.pac | 75 +++++++++ src/analyzer/protocol/sip/sip.pac | 27 ++++ 9 files changed, 384 insertions(+) create mode 100644 src/analyzer/protocol/sip/CMakeLists.txt create mode 100644 src/analyzer/protocol/sip/Plugin.cc create mode 100644 src/analyzer/protocol/sip/SIP.cc create mode 100644 src/analyzer/protocol/sip/SIP.h create mode 100644 src/analyzer/protocol/sip/TODO create mode 100644 src/analyzer/protocol/sip/events.bif create mode 100644 src/analyzer/protocol/sip/sip-analyzer.pac create mode 100644 src/analyzer/protocol/sip/sip-protocol.pac create mode 100644 src/analyzer/protocol/sip/sip.pac diff --git a/src/analyzer/protocol/sip/CMakeLists.txt b/src/analyzer/protocol/sip/CMakeLists.txt new file mode 100644 index 0000000000..d571218b31 --- /dev/null 
+++ b/src/analyzer/protocol/sip/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro SIP) +bro_plugin_cc(SIP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(sip.pac sip-analyzer.pac sip-protocol.pac) +bro_plugin_end() diff --git a/src/analyzer/protocol/sip/Plugin.cc b/src/analyzer/protocol/sip/Plugin.cc new file mode 100644 index 0000000000..bd95e3023b --- /dev/null +++ b/src/analyzer/protocol/sip/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SIP.h" + +BRO_PLUGIN_BEGIN(Bro, SIP) + BRO_PLUGIN_DESCRIPTION("Session Initiation Protocol Analyzer (UDP-only currently)"); + BRO_PLUGIN_ANALYZER("SIP", sip::SIP_Analyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocol/sip/SIP.cc b/src/analyzer/protocol/sip/SIP.cc new file mode 100644 index 0000000000..bfbe3ec156 --- /dev/null +++ b/src/analyzer/protocol/sip/SIP.cc @@ -0,0 +1,36 @@ +#include "SIP.h" + +#include "events.bif.h" + +using namespace analyzer::sip; + +SIP_Analyzer::SIP_Analyzer(Connection* c) +: analyzer::Analyzer("SIP", c) + { + interp = new binpac::SIP::SIP_Conn(this); + } + +SIP_Analyzer::~SIP_Analyzer() + { + delete interp; + } + +void SIP_Analyzer::Done() + { + Analyzer::Done(); + } + +void SIP_Analyzer::DeliverPacket(int len, const u_char* data, + bool orig, int seq, const IP_Hdr* ip, int caplen) + { + Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + + try + { + interp->NewData(orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } + } diff --git a/src/analyzer/protocol/sip/SIP.h b/src/analyzer/protocol/sip/SIP.h new file mode 100644 index 0000000000..8493a29aaa --- /dev/null +++ b/src/analyzer/protocol/sip/SIP.h 
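Review bot: SIP_Analyzer::DeliverPacket in SIP.cc reports ProtocolViolation() when the binpac parser throws, but nothing in the new analyzer ever calls ProtocolConfirmation() — not here and not in the proc_sip_request/proc_sip_reply handlers in sip-analyzer.pac — so a cleanly parsed request or reply line never confirms the protocol to DPD (assuming the usual confirmation convention applies to this UDP analyzer as it does to the others). The natural place is the top of proc_sip_request and proc_sip_reply: `connection()->bro_analyzer()->ProtocolConfirmation();`. The raw `interp` member is allocated in the constructor and deleted in the destructor; a one-line comment in SIP.h stating that ownership would save the next reader the lookup.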
@@ -0,0 +1,34 @@ +#ifndef ANALYZER_PROTOCOL_SIP_SIP_H +#define ANALYZER_PROTOCOL_SIP_SIP_H + +#include "events.bif.h" + +#include "analyzer/protocol/udp/UDP.h" +#include "sip_pac.h" + +namespace analyzer { namespace sip { + +class SIP_Analyzer : public analyzer::Analyzer { +public: + SIP_Analyzer(Connection* conn); + virtual ~SIP_Analyzer(); + + // Overridden from Analyzer + + virtual void Done(); + virtual void DeliverPacket(int len, const u_char* data, bool orig, + int seq, const IP_Hdr* ip, int caplen); + + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) + { return new SIP_Analyzer(conn); } + + static bool Available() + { return sip_request; } + +protected: + binpac::SIP::SIP_Conn* interp; +}; + +} } // namespace analyzer::* + +#endif diff --git a/src/analyzer/protocol/sip/TODO b/src/analyzer/protocol/sip/TODO new file mode 100644 index 0000000000..840fe5a08d --- /dev/null +++ b/src/analyzer/protocol/sip/TODO @@ -0,0 +1 @@ +- SIP can be either over UDP or TCP. Only UDP is supported currently. diff --git a/src/analyzer/protocol/sip/events.bif b/src/analyzer/protocol/sip/events.bif new file mode 100644 index 0000000000..f62a8986f2 --- /dev/null +++ b/src/analyzer/protocol/sip/events.bif 
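Review bot: `static bool Available() { return sip_request; }` gates the whole analyzer on a handler for sip_request alone, so a script that handles only sip_reply, sip_header or sip_all_headers gets no SIP parsing at all. If availability is meant to follow event handlers, the check should cover every event declared in events.bif, e.g. `return sip_request || sip_reply || sip_header || sip_all_headers || sip_begin_entity || sip_end_entity || sip_entity_data || sip_message_done;`. A short comment above Available() stating which handlers enable the analyzer would also help, since the behaviour is not obvious from the class.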
@@ -0,0 +1,24 @@
+## Generated for SIP requests, used in Voice over IP (VoIP).
+##
+## This event is generated as soon as a request's initial line has been parsed.
+##
+## See `Wikipedia `__
+## for more information about the SIP protocol.
+##
+## c: The connection.
+##
+## method: The SIP method extracted from the request (e.g., ``REGISTER``, ``NOTIFY``).
+##
+## original_URI: The unprocessed URI as specified in the request.
+##
+## version: The version number specified in the request (e.g., ``2.0``).
+##
+event sip_request%(c: connection, method: string, original_URI: string, version: string%);
+
+event sip_reply%(c: connection, version: string, code: count, reason: string%);
+event sip_header%(c: connection, is_orig: bool, name: string, value: string%);
+event sip_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
+event sip_begin_entity%(c: connection, is_orig: bool%);
+event sip_end_entity%(c: connection, is_orig: bool%);
+event sip_entity_data%(c: connection, is_orig: bool, length: count, data: string%);
+event sip_message_done%(c: connection, is_orig: bool%);
diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac
new file mode 100644
index 0000000000..4dcdaf6d54
--- /dev/null
+++ b/src/analyzer/protocol/sip/sip-analyzer.pac
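Review bot: Only sip_request carries a doc block; the seven events after it (sip_reply through sip_message_done) have none, and this file is what the generated script reference is built from. Each should get the same `##` block shape as sip_request: a one-line purpose, then one line per parameter — for sip_reply that is `## Generated for SIP replies.`, `## c: The connection.`, `## version: The version number specified in the reply.`, `## code: The numeric status code of the reply.`, `## reason: The reason phrase accompanying the status code.`, and correspondingly for the is_orig/name/value/hlist/length/data parameters of the others. The `See \`Wikipedia \`__` reference in the sip_request block appears to have lost its URL target and should be checked in the committed file.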
@@ -0,0 +1,167 @@ +refine flow SIP_Flow += { + + %member{ + int content_length; + bool build_headers; + vector headers; + %} + + %init{ + content_length = 0; + build_headers = (sip_all_headers != 0); + %} + + function get_content_length(): int + %{ + return content_length; + %} + + function proc_sip_request(method: bytestring, uri: bytestring, vers: SIP_Version): bool + %{ + if ( sip_request ) + { + BifEvent::generate_sip_request(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + bytestring_to_val(method), bytestring_to_val(uri), + bytestring_to_val(${vers.vers_str})); + } + + proc_sip_message_begin(); + + return true; + %} + + function proc_sip_reply(vers: SIP_Version, code: int, reason: bytestring): bool + %{ + if ( sip_reply ) + { + BifEvent::generate_sip_reply(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + bytestring_to_val(${vers.vers_str}), code, bytestring_to_val(reason)); + } + + proc_sip_message_begin(); + + return true; + %} + + function proc_sip_header(name: bytestring, value: bytestring): bool + %{ + + content_length = bytestring_to_int(value, 10); + + if ( sip_header ) + { + BifEvent::generate_sip_header(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + is_orig(), bytestring_to_val(name)->ToUpper(), bytestring_to_val(value)); + } + + if ( build_headers ) + { + headers.push_back(build_sip_header_val(name, value)); + } + + return true; + %} + + function build_sip_headers_val(): BroVal + %{ + TableVal* t = new TableVal(mime_header_list); + + for ( unsigned int i = 0; i < headers.size(); ++i ) + { // index starting from 1 + Val* index = new Val(i + 1, TYPE_COUNT); + t->Assign(index, headers[i]); + Unref(index); + } + + return t; + %} + + function gen_sip_all_headers(): void + %{ + if ( sip_all_headers ) + { + BifEvent::generate_sip_all_headers(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + is_orig(), build_sip_headers_val()); + } + + headers.clear(); + %} + + function 
proc_sip_end_of_headers(headers: SIP_Headers): bool + %{ + if ( build_headers ) + { + gen_sip_all_headers(); + } + + return true; + %} + + function build_sip_header_val(name: const_bytestring, value: const_bytestring): BroVal + %{ + RecordVal* header_record = new RecordVal(mime_header_rec); + + StringVal* name_val = 0; + if ( name.length() > 0 ) + { + // Make it all uppercase. + name_val = new StringVal(name.length(), (const char*) name.begin()); + name_val->ToUpper(); + } + else + { + name_val = new StringVal(""); + } + + header_record->Assign(0, name_val); + header_record->Assign(1, bytestring_to_val(value)); + + return header_record; + %} + + function proc_sip_message_begin(): void + %{ + if ( sip_begin_entity ) + { + BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + is_orig()); + } + %} + + function proc_sip_message_done(pdu: SIP_PDU): bool + %{ + if ( sip_end_entity ) + { + BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + is_orig()); + } + if ( sip_message_done ) + { + BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + is_orig()); + } + + return true; + %} + +}; + +refine typeattr SIP_RequestLine += &let { + proc: bool = $context.flow.proc_sip_request(method, uri, version); +}; + +refine typeattr SIP_ReplyLine += &let { + proc: bool = $context.flow.proc_sip_reply(version, status.stat_num, reason); +}; + +refine typeattr SIP_Header += &let { + proc: bool = $context.flow.proc_sip_header(name, value); +}; + +refine typeattr SIP_Headers += &let { + proc: bool = $context.flow.proc_sip_end_of_headers(this); +}; + +refine typeattr SIP_PDU += &let { + proc: bool = $context.flow.proc_sip_message_done(this); +}; diff --git a/src/analyzer/protocol/sip/sip-protocol.pac b/src/analyzer/protocol/sip/sip-protocol.pac new file mode 100644 index 0000000000..0475dcceca --- /dev/null 
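Review bot: proc_sip_header executes `content_length = bytestring_to_int(value, 10);` for every header, not just Content-Length, so the length that SIP_Body's &length in sip-protocol.pac reads back through get_content_length() is whatever the last header's value happens to parse to, and a non-numeric value can leave a negative or zero length behind. The assignment should be guarded by a case-insensitive name match the way the HTTP analyzer this is modelled on does it, `if ( bytestring_casecmp(name, "CONTENT-LENGTH") == 0 )` followed by `content_length = bytestring_to_int(value, 10);`, and content_length should be reset with `content_length = 0;` in proc_sip_message_begin so a message without a Content-Length header does not inherit the previous message's value. Values below zero are worth rejecting at the same point rather than handing them to the parser.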
+++ b/src/analyzer/protocol/sip/sip-protocol.pac @@ -0,0 +1,75 @@ +enum ExpectBody { + BODY_EXPECTED, + BODY_NOT_EXPECTED, + BODY_MAYBE, +}; + +type SIP_TOKEN = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/; +type SIP_WS = RE/[ \t]*/; +type SIP_COLON = RE/:/; +type SIP_TO_EOL = RE/[^\r\n]*/; +type SIP_URI = RE/[[:alnum:]@[:punct:]]+/; + +type SIP_PDU(is_orig: bool) = case is_orig of { + true -> request: SIP_Request; + false -> reply: SIP_Reply; +}; + +type SIP_Request = record { + request: SIP_RequestLine; + msg: SIP_Message; +}; + +type SIP_Reply = record { + reply: SIP_ReplyLine; + msg: SIP_Message; +}; + +type SIP_RequestLine = record { + method: SIP_TOKEN; + : SIP_WS; + uri: SIP_URI; + : SIP_WS; + version: SIP_Version; +} &oneline; + +type SIP_ReplyLine = record { + version: SIP_Version; + : SIP_WS; + status: SIP_Status; + : SIP_WS; + reason: SIP_TO_EOL; +} &oneline; + +type SIP_Status = record { + stat_str: RE/[0-9]{3}/; +} &let { + stat_num: int = bytestring_to_int(stat_str, 10); +}; + +type SIP_Version = record { + : "SIP/"; + vers_str: RE/[0-9]+\.[0-9]+/; +} &let { + vers_num: double = bytestring_to_double(vers_str); +}; + +type SIP_Headers = SIP_Header[] &until($input.length() == 0); + +type SIP_Message = record { + headers: SIP_Headers; + body: SIP_Body; +}; + +type SIP_HEADER_NAME = RE/([^: \t]+)/; +type SIP_Header = record { + : padding[2]; + name: SIP_HEADER_NAME; + : SIP_COLON; + : SIP_WS; + value: SIP_TO_EOL; +} &oneline &byteorder=bigendian; + +type SIP_Body() = record { + body: bytestring &chunked, &length = $context.flow.get_content_length(); +}; diff --git a/src/analyzer/protocol/sip/sip.pac b/src/analyzer/protocol/sip/sip.pac new file mode 100644 index 0000000000..e7b492db0f --- /dev/null +++ b/src/analyzer/protocol/sip/sip.pac 
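Review bot: `enum ExpectBody { BODY_EXPECTED, BODY_NOT_EXPECTED, BODY_MAYBE }` at the top of sip-protocol.pac is referenced by nothing in sip-analyzer.pac or sip.pac; either drop it or add a comment saying what it is reserved for. SIP_Body takes its length purely from `$context.flow.get_content_length()` with no relation to the size of the datagram actually delivered, and what binpac does when that value exceeds the remaining payload in datagram mode is not visible here; a comment on the record making the dependency explicit, e.g. `# Body length is the parsed Content-Length from the flow; nothing here bounds it by the datagram size.`, would at least warn the next reader.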
@@ -0,0 +1,27 @@ +# BinPAC file for SIP analyzer +# Based heavily on the HTTP BinPAC analyzer + +%include binpac.pac +%include bro.pac + +%extern{ +#include "events.bif.h" +%} + +analyzer SIP withcontext { + connection: SIP_Conn; + flow: SIP_Flow; +}; + +connection SIP_Conn(bro_analyzer: BroAnalyzer) { + upflow = SIP_Flow(true); + downflow = SIP_Flow(false); +}; + +%include sip-protocol.pac + +flow SIP_Flow(is_orig: bool) { + datagram = SIP_PDU(is_orig) withcontext(connection, this); +}; + +%include sip-analyzer.pac From 1e098bae8d6a96bbfee23d5796014bb19fc8d428 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Sat, 27 Jul 2013 00:07:47 -0400 Subject: [PATCH 012/711] Moving the PE analyzer to the new plugin structure. --- .../{analyzers => analyzer/pe}/PE.cc | 0 .../{analyzers => analyzer/pe}/PE.h | 0 src/file_analysis/analyzer/pe/events.bif | 5 +++++ .../{analyzers => analyzer/pe}/pe-analyzer.pac | 0 .../{analyzers => analyzer/pe}/pe-file.pac | 16 ++++++++-------- .../{analyzers => analyzer/pe}/pe.pac | 0 6 files changed, 13 insertions(+), 8 deletions(-) rename src/file_analysis/{analyzers => analyzer/pe}/PE.cc (100%) rename src/file_analysis/{analyzers => analyzer/pe}/PE.h (100%) create mode 100644 src/file_analysis/analyzer/pe/events.bif rename src/file_analysis/{analyzers => analyzer/pe}/pe-analyzer.pac (100%) rename src/file_analysis/{analyzers => analyzer/pe}/pe-file.pac (88%) rename src/file_analysis/{analyzers => analyzer/pe}/pe.pac (100%) diff --git a/src/file_analysis/analyzers/PE.cc b/src/file_analysis/analyzer/pe/PE.cc similarity index 100% rename from src/file_analysis/analyzers/PE.cc rename to src/file_analysis/analyzer/pe/PE.cc diff --git a/src/file_analysis/analyzers/PE.h b/src/file_analysis/analyzer/pe/PE.h similarity index 100% rename from src/file_analysis/analyzers/PE.h rename to src/file_analysis/analyzer/pe/PE.h 
diff --git a/src/file_analysis/analyzer/pe/events.bif b/src/file_analysis/analyzer/pe/events.bif
new file mode 100644
index 0000000000..b6ce808278
--- /dev/null
+++ b/src/file_analysis/analyzer/pe/events.bif
@@ -0,0 +1,5 @@
+event pe_dos_header%(f: fa_file, h: PE::DOSHeader%);
+event pe_dos_code%(f: fa_file, code: string%);
+event pe_file_header%(f: fa_file, h: PE::FileHeader%);
+event pe_optional_header%(f: fa_file, h: PE::OptionalHeader%);
+event pe_section_header%(f: fa_file, h: PE::SectionHeader%);
\ No newline at end of file
diff --git a/src/file_analysis/analyzers/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac
similarity index 100%
rename from src/file_analysis/analyzers/pe-analyzer.pac
rename to src/file_analysis/analyzer/pe/pe-analyzer.pac
diff --git a/src/file_analysis/analyzers/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac
similarity index 88%
rename from src/file_analysis/analyzers/pe-file.pac
rename to src/file_analysis/analyzer/pe/pe-file.pac
index 041f2bbdb4..ab7cdf5f8a 100644
--- a/src/file_analysis/analyzers/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@@ -1,12 +1,12 @@ -type TheFile = record { - dos_header : DOS_Header; - dos_code : DOS_Code(dos_code_len); - pe_header : IMAGE_NT_HEADERS; - sections_table : IMAGE_SECTION_HEADER[] &length=pe_header.file_header.NumberOfSections*40 &transient; - #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); - #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; - data_sections : DATA_SECTIONS[] &length=data_len; +type TheFile(part: uint8) = record { + dos_header : DOS_Header; + dos_code : DOS_Code(dos_code_len); + pe_header : IMAGE_NT_HEADERS; + section_headers : IMAGE_SECTION_HEADER[] &length=pe_header.optional_header.size_of_headers; + #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); + #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; + #data_sections : DATA_SECTIONS[] &length=data_len; } &let { dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64; data_len: uint32 = pe_header.optional_header.size_of_init_data; diff --git a/src/file_analysis/analyzers/pe.pac b/src/file_analysis/analyzer/pe/pe.pac similarity index 100% rename from src/file_analysis/analyzers/pe.pac rename to src/file_analysis/analyzer/pe/pe.pac From 7ba51786e559383e4ad76374d50933c873d99029 Mon Sep 17 00:00:00 2001 
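Review bot: The context line `dos_code_len: uint32 = dos_header.AddressOfNewExeHeader - 64;` that feeds the `dos_code : DOS_Code(dos_code_len)` field this hunk keeps (and the DOS_Code type introduced in the earlier pe-file.pac hunk, whose `code: bytestring &length=len` consumes it) wraps around to a value near 2^32 for any input file whose AddressOfNewExeHeader is below 64, so a file-controlled header field becomes an unbounded buffer length. A guard in the &let block such as `dos_code_len: uint32 = dos_header.AddressOfNewExeHeader >= 64 ? dos_header.AddressOfNewExeHeader - 64 : 0;` (or a binpac &check on the header) keeps the length sane before it reaches the parser. Separately, the new `section_headers : IMAGE_SECTION_HEADER[] &length=pe_header.optional_header.size_of_headers;` replaces the former NumberOfSections*40 bound; if size_of_headers carries the usual PE meaning of the total header size from file offset 0, the array is told to consume far more than the section table and will parse padding as section headers, so the old bound (or min of the two) looks like the right one.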
From: Seth Hall Date: Sat, 27 Jul 2013 08:10:08 -0400 Subject: [PATCH 013/711] In progress checkpoint. Things are starting to work. --- scripts/base/files/pe/__load__.bro | 2 + scripts/base/files/pe/consts.bro | 149 ++++++++++++++++++ scripts/base/files/pe/main.bro | 86 ++++++++++ src/file_analysis/analyzer/CMakeLists.txt | 1 + src/file_analysis/analyzer/pe/CMakeLists.txt | 10 ++ src/file_analysis/analyzer/pe/Plugin.cc | 29 ++++ src/file_analysis/analyzer/pe/pe-analyzer.pac | 11 +- src/file_analysis/analyzer/pe/pe-file.pac | 2 +- 8 files changed, 284 insertions(+), 6 deletions(-) create mode 100644 scripts/base/files/pe/__load__.bro create mode 100644 scripts/base/files/pe/consts.bro create mode 100644 scripts/base/files/pe/main.bro create mode 100644 src/file_analysis/analyzer/pe/CMakeLists.txt create mode 100644 src/file_analysis/analyzer/pe/Plugin.cc diff --git a/scripts/base/files/pe/__load__.bro b/scripts/base/files/pe/__load__.bro new file mode 100644 index 0000000000..0098b81a7a --- /dev/null +++ b/scripts/base/files/pe/__load__.bro @@ -0,0 +1,2 @@ +@load ./consts +@load ./main \ No newline at end of file diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro new file mode 100644 index 0000000000..4dc21ec179 --- /dev/null +++ b/scripts/base/files/pe/consts.bro 
@@ -0,0 +1,149 @@ + +module PE; + +export { + const machine_types: table[count] of string = { + [0x00] = "UNKNOWN", + [0x1d3] = "AM33", + [0x8664] = "AMD64", + [0x1c0] = "ARM", + [0x1c4] = "ARMNT", + [0xaa64] = "ARM64", + [0xebc] = "EBC", + [0x14c] = "I386", + [0x200] = "IA64", + [0x9041] = "M32R", + [0x266] = "MIPS16", + [0x366] = "MIPSFPU", + [0x466] = "MIPSFPU16", + [0x1f0] = "POWERPC", + [0x1f1] = "POWERPCFP", + [0x166] = "R4000", + [0x1a2] = "SH3", + [0x1a3] = "SH3DSP", + [0x1a6] = "SH4", + [0x1a8] = "SH5", + [0x1c2] = "THUMB", + [0x169] = "WCEMIPSV2" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const file_characteristics: table[count] of string = { + [0x1] = "RELOCS_STRIPPED", + [0x2] = "EXECUTABLE_IMAGE", + [0x4] = "LINE_NUMS_STRIPPED", + [0x8] = "LOCAL_SYMS_STRIPPED", + [0x10] = "AGGRESSIVE_WS_TRIM", + [0x20] = "LARGE_ADDRESS_AWARE", + [0x80] = "BYTES_REVERSED_LO", + [0x100] = "32BIT_MACHINE", + [0x200] = "DEBUG_STRIPPED", + [0x400] = "REMOVABLE_RUN_FROM_SWAP", + [0x800] = "NET_RUN_FROM_SWAP", + [0x1000] = "SYSTEM", + [0x2000] = "DLL", + [0x4000] = "UP_SYSTEM_ONLY", + [0x8000] = "BYTES_REVERSED_HI" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const dll_characteristics: table[count] of string = { + [0x40] = "DYNAMIC_BASE", + [0x80] = "FORCE_INTEGRITY", + [0x100] = "NX_COMPAT", + [0x200] = "NO_ISOLATION", + [0x400] = "NO_SEH", + [0x800] = "NO_BIND", + [0x2000] = "WDM_DRIVER", + [0x8000] = "TERMINAL_SERVER_AWARE" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const windows_subsystems: table[count] of string = { + [0] = "UNKNOWN", + [1] = "NATIVE", + [2] = "WINDOWS_GUI", + [3] = "WINDOWS_CUI", + [7] = "POSIX_CUI", + [9] = "WINDOWS_CE_GUI", + [10] = "EFI_APPLICATION", + [11] = "EFI_BOOT_SERVICE_DRIVER", + [12] = "EFI_RUNTIME_
DRIVER", + [13] = "EFI_ROM", + [14] = "XBOX" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const section_characteristics: table[count] of string = { + [0x8] = "TYPE_NO_PAD", + [0x20] = "CNT_CODE", + [0x40] = "CNT_INITIALIZED_DATA", + [0x80] = "CNT_UNINITIALIZED_DATA", + [0x100] = "LNK_OTHER", + [0x200] = "LNK_INFO", + [0x800] = "LNK_REMOVE", + [0x1000] = "LNK_COMDAT", + [0x8000] = "GPREL", + [0x20000] = "MEM_16BIT", + [0x40000] = "MEM_LOCKED", + [0x80000] = "MEM_PRELOAD", + [0x100000] = "ALIGN_1BYTES", + [0x200000] = "ALIGN_2BYTES", + [0x300000] = "ALIGN_4BYTES", + [0x400000] = "ALIGN_8BYTES", + [0x500000] = "ALIGN_16BYTES", + [0x600000] = "ALIGN_32BYTES", + [0x700000] = "ALIGN_64BYTES", + [0x800000] = "ALIGN_128BYTES", + [0x900000] = "ALIGN_256BYTES", + [0xa00000] = "ALIGN_512BYTES", + [0xb00000] = "ALIGN_1024BYTES", + [0xc00000] = "ALIGN_2048BYTES", + [0xd00000] = "ALIGN_4096BYTES", + [0xe00000] = "ALIGN_8192BYTES", + [0x1000000] = "LNK_NRELOC_OVFL", + [0x2000000] = "MEM_DISCARDABLE", + [0x4000000] = "MEM_NOT_CACHED", + [0x8000000] = "MEM_NOT_PAGED", + [0x10000000] = "MEM_SHARED", + [0x20000000] = "MEM_EXECUTE", + [0x40000000] = "MEM_READ", + [0x80000000] = "MEM_WRITE" + } &default=function(i: count):string { return fmt("unknown-%d", i); }; + + const os_versions: table[count, count] of string = { + [6,2] = "Windows 8", + [6,1] = "Windows 7", + [6,0] = "Windows Vista", + [5,2] = "Windows XP 64-Bit Edition", + [5,1] = "Windows XP", + [5,0] = "Windows 2000", + [4,90] = "Windows Me", + [4,1] = "Windows 98", + [4,0] = "Windows NT 4.0", + } &default=function(i: count, j: count):string { return fmt("unknown-%d.%d", i, j); }; + + const section_descs: table[string] of string = { + [".bss"] = "Uninitialized data", + [".cormeta"] = "CLR metadata that indicates that the object file contains managed code", + [".data"] = "Initialized data", + [".debug$F"] = "Generated FPO debug information", + [".debug$P"] = "Precompiled debug types", + 
[".debug$S"] = "Debug symbols", + [".debug$T"] = "Debug types", + [".drective"] = "Linker options", + [".edata"] = "Export tables", + [".idata"] = "Import tables", + [".idlsym"] = "Includes registered SEH to support IDL attributes", + [".pdata"] = "Exception information", + [".rdata"] = "Read-only initialized data", + [".reloc"] = "Image relocations", + [".rsrc"] = "Resource directory", + [".sbss"] = "GP-relative uninitialized data", + [".sdata"] = "GP-relative initialized data", + [".srdata"] = "GP-relative read-only data", + [".sxdata"] = "Registered exception handler data", + [".text"] = "Executable code", + [".tls"] = "Thread-local storage", + [".tls$"] = "Thread-local storage", + [".vsdata"] = "GP-relative initialized data", + [".xdata"] = "Exception information", + } &default=function(i: string):string { return fmt("unknown-%s", i); }; + +} diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro new file mode 100644 index 0000000000..76ba04fc8c --- /dev/null +++ b/scripts/base/files/pe/main.bro 
@@ -0,0 +1,86 @@ + +module PE; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + ts: time &log; + fuid: string &log; + machine: string &log &optional; + compile_ts: time &log &optional; + os: string &log &optional; + subsystem: string &log &optional; + characteristics: set[string] &log &optional; + section_names: vector of string &log &optional; + }; + + + global set_file: hook(f: fa_file); +} + +redef record fa_file += { + pe: Info &optional; +}; + +event bro_init() &priority=5 + { + Log::create_stream(LOG, [$columns=Info]); + } + +hook set_file(f: fa_file) &priority=5 + { + if ( ! f?$pe ) + { + local c: set[string] = set(); + f$pe = [$ts=network_time(), $fuid=f$id, $characteristics=c]; + } + } + +event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 + { + hook set_file(f); + } + +event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 + { + hook set_file(f); + f$pe$compile_ts = h$ts; + f$pe$machine = machine_types[h$machine]; + for ( c in h$characteristics ) + add f$pe$characteristics[PE::file_characteristics[c]]; + } + +event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 + { + hook set_file(f); + f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; + f$pe$subsystem = windows_subsystems[h$subsystem]; + } + +event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 + { + hook set_file(f); + + print h; + if ( ! f$pe?$section_names ) + f$pe$section_names = vector(); + f$pe$section_names[|f$pe$section_names|] = h$name; + } + +event file_state_remove(f: fa_file) + { + if ( f?$pe ) + Log::write(LOG, f$pe); + } + +event file_new(f: fa_file) + { + if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) + { + #print "found a windows executable"; + FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_PE]); + #FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, + # $extract_filename=fmt("exe-%d", ++blah_counter)]); + } + } 
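Review bot: `print h;` in the pe_section_header handler is leftover debugging that writes every section header record to stdout for every PE file analysed; it should be removed (or at least commented out like `#print "found a windows executable";` in file_new) before this lands. The commented-out ANALYZER_EXTRACT block in file_new refers to an undeclared `blah_counter` and is dead text that should go with it. The Info record's fields (ts, fuid, machine, compile_ts, os, subsystem, characteristics, section_names) carry no `##` doc comments, which the generated script reference relies on; one line each, e.g. `## Timestamp for when the PE headers were first seen.` on ts and `## Names of the sections, in file order.` on section_names, would match the other base scripts.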
diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt index bfafcd2894..67929b77fd 100644 --- a/src/file_analysis/analyzer/CMakeLists.txt +++ b/src/file_analysis/analyzer/CMakeLists.txt @@ -1,3 +1,4 @@ add_subdirectory(data_event) add_subdirectory(extract) add_subdirectory(hash) +add_subdirectory(pe) diff --git a/src/file_analysis/analyzer/pe/CMakeLists.txt b/src/file_analysis/analyzer/pe/CMakeLists.txt new file mode 100644 index 0000000000..7fc89bfd51 --- /dev/null +++ b/src/file_analysis/analyzer/pe/CMakeLists.txt @@ -0,0 +1,10 @@ +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro PE) +bro_plugin_cc(PE.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(pe.pac pe-file.pac pe-analyzer.pac) +bro_plugin_end() diff --git a/src/file_analysis/analyzer/pe/Plugin.cc b/src/file_analysis/analyzer/pe/Plugin.cc new file mode 100644 index 0000000000..1cc33b5759 --- /dev/null +++ b/src/file_analysis/analyzer/pe/Plugin.cc @@ -0,0 +1,29 @@ +#include "plugin/Plugin.h" +#include "file_analysis/Component.h" + +#include "PE.h" + +namespace plugin { namespace Bro_PE { + +class Plugin : public plugin::Plugin { +protected: + void InitPreScript() + { + SetName("Bro::PE"); + SetVersion(-1); + SetAPIVersion(BRO_PLUGIN_API_VERSION); + SetDynamicPlugin(false); + + SetDescription("Portable Executable analyzer"); + + AddComponent(new ::file_analysis::Component("PE", + ::file_analysis::PE::Instantiate)); + + extern std::list > __bif_events_init(); + AddBifInitFunction(&__bif_events_init); + } +}; + +Plugin __plugin; + +} } diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 341a3efbec..045f71c479 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac 
@@ -3,6 +3,7 @@ #include "Event.h" #include "file_analysis/File.h" #include "file_analysis.bif.func_h" +#include "events.bif.h" %} refine flow File += { @@ -52,7 +53,7 @@ refine flow File += { dh->Assign(15, new Val(${h.OEMinfo}, TYPE_COUNT)); dh->Assign(16, new Val(${h.AddressOfNewExeHeader}, TYPE_COUNT)); - BifEvent::generate_pe_dos_header((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_dos_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), dh); } @@ -63,7 +64,7 @@ refine flow File += { %{ if ( pe_dos_code ) { - BifEvent::generate_pe_dos_code((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_dos_code((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), new StringVal(code.length(), (const char*) code.data())); } @@ -90,7 +91,7 @@ refine flow File += { fh->Assign(2, new Val(${h.PointerToSymbolTable}, TYPE_COUNT)); fh->Assign(3, new Val(${h.NumberOfSymbols}, TYPE_COUNT)); fh->Assign(4, characteristics_to_bro(${h.Characteristics}, 16)); - BifEvent::generate_pe_file_header((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_file_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), fh); } @@ -138,7 +139,7 @@ refine flow File += { oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16)); oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT)); oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT)); - BifEvent::generate_pe_optional_header((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), oh); } 
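Review bot: `(analyzer::Analyzer *) connection()->bro_analyzer()` in this hunk, repeated in the @@ -63, @@ -90 and @@ -138 hunks here and @@ -170 on the next line, converts the file analyzer to a protocol-analyzer pointer with a C-style cast; if whatever bro_analyzer() returns for a file analyzer does not derive from analyzer::Analyzer, that is a reinterpret_cast and anything downstream that dereferences the event's analyzer pointer reads an unrelated object. If the generated BifEvent::generate_* functions only forward the pointer, passing `0` would be the honest value; if they do use it, the event generator needs a file-analyzer-aware signature rather than a cast. Either way a one-line comment above the first of these stating why the cast is considered safe belongs in the file, since the pattern is copied five times.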
@@ -170,7 +171,7 @@ refine flow File += { section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT)); section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32)); - BifEvent::generate_pe_section_header((Analyzer *) connection()->bro_analyzer(), + BifEvent::generate_pe_section_header((analyzer::Analyzer *) connection()->bro_analyzer(), connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), section_header); } diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index ab7cdf5f8a..03a25ce150 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -1,5 +1,5 @@ -type TheFile(part: uint8) = record { +type TheFile = record { dos_header : DOS_Header; dos_code : DOS_Code(dos_code_len); pe_header : IMAGE_NT_HEADERS; From 78b5f6b94b2d78d642165101183cbd7d20a49f75 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Wed, 2 Apr 2014 23:03:24 -0400 Subject: [PATCH 014/711] BinPAC SSH analyzer basic functionality. --- scripts/base/protocols/ssh/README | 1 - scripts/base/protocols/ssh/__load__.bro | 2 +- scripts/base/protocols/ssh/main.bro | 212 +++++---------------- src/analyzer/protocol/CMakeLists.txt | 4 +- src/analyzer/protocol/ssh/CMakeLists.txt | 8 +- src/analyzer/protocol/ssh/Plugin.cc | 7 +- src/analyzer/protocol/ssh/SSH.cc | 198 +++++++++++-------- src/analyzer/protocol/ssh/SSH.h | 51 ++++- src/analyzer/protocol/ssh/events.bif | 51 ++--- src/analyzer/protocol/ssh/ssh-analyzer.pac | 25 +++ src/analyzer/protocol/ssh/ssh-protocol.pac | 175 +++++++++++++++++ src/analyzer/protocol/ssh/ssh.pac | 32 ++++ 12 files changed, 465 insertions(+), 301 deletions(-) delete mode 100644 scripts/base/protocols/ssh/README create mode 100644 src/analyzer/protocol/ssh/ssh-analyzer.pac create mode 100644 src/analyzer/protocol/ssh/ssh-protocol.pac create mode 100644 src/analyzer/protocol/ssh/ssh.pac 
diff --git a/scripts/base/protocols/ssh/README b/scripts/base/protocols/ssh/README deleted file mode 100644 index c3f68d543f..0000000000 --- a/scripts/base/protocols/ssh/README +++ /dev/null @@ -1 +0,0 @@ -Support for Secure Shell (SSH) protocol analysis. diff --git a/scripts/base/protocols/ssh/__load__.bro b/scripts/base/protocols/ssh/__load__.bro index 0f3cb011f8..9e43682d13 100644 --- a/scripts/base/protocols/ssh/__load__.bro +++ b/scripts/base/protocols/ssh/__load__.bro @@ -1,3 +1,3 @@ +# Generated by binpac_quickstart @load ./main - @load-sigs ./dpd.sig \ No newline at end of file diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index 33b0c84147..c3f90ec332 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro 
@@ -1,66 +1,31 @@ -##! Base SSH analysis script. The heuristic to blindly determine success or -##! failure for SSH connections is implemented here. At this time, it only -##! uses the size of the data being returned from the server to make the -##! heuristic determination about success of the connection. -##! Requires that :bro:id:`use_conn_size_analyzer` is set to T! The heuristic -##! is not attempted if the connection size analyzer isn't enabled. +##! Implements base functionality for SSH analysis. Generates the ssh.log file. -@load base/protocols/conn -@load base/frameworks/notice -@load base/utils/site -@load base/utils/thresholds -@load base/utils/conn-ids -@load base/utils/directions-and-hosts +# Generated by binpac_quickstart module SSH; export { - ## The SSH protocol logging stream identifier. redef enum Log::ID += { LOG }; type Info: record { - ## Time when the SSH connection began. - ts: time &log; + ## Timestamp for when the event happened. + ts: time &log; ## Unique ID for the connection. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; - ## Indicates if the login was heuristically guessed to be - ## "success", "failure", or "undetermined". - status: string &log &default="undetermined"; - ## Direction of the connection. If the client was a local host - ## logging into an external host, this would be OUTBOUND. INBOUND - ## would be set for the opposite situation. - # TODO: handle local-local and remote-remote better. - direction: Direction &log &optional; - ## Software string from the client. - client: string &log &optional; - ## Software string from the server. - server: string &log &optional; - ## Indicate if the SSH session is done being watched. 
- done: bool &default=F; + id: conn_id &log; + ## The client's version string + client: string &log &optional; + ## The server's version string + server: string &log &optional; + ## Auth result + result: string &log &optional; + ## Auth method + method: string &log &optional; }; - ## The size in bytes of data sent by the server at which the SSH - ## connection is presumed to be successful. - const authentication_data_size = 4000 &redef; - - ## If true, we tell the event engine to not look at further data - ## packets after the initial SSH handshake. Helps with performance - ## (especially with large file transfers) but precludes some - ## kinds of analyses. - const skip_processing_after_detection = F &redef; - - ## Event that is generated when the heuristic thinks that a login - ## was successful. - global heuristic_successful_login: event(c: connection); - - ## Event that is generated when the heuristic thinks that a login - ## failed. - global heuristic_failed_login: event(c: connection); - - ## Event that can be handled to access the :bro:type:`SSH::Info` - ## record as it is sent on to the logging framework. + ## Event that can be handled to access the SSH record as it is sent on + ## to the loggin framework. global log_ssh: event(rec: Info); } 
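Review bot: The `result` and `method` fields are documented only as `## Auth result` / `## Auth method`, with nothing about their possible values or the fact that they are guessed from encrypted packet sizes in SSH.cc rather than parsed from the protocol, which anyone alerting on `result == "failure"` from ssh.log needs to know. Suggest `## Authentication outcome inferred from encrypted packet sizes: "success", "failure" or "unknown" (heuristic, not parsed)` and `## Authentication method guessed the same way ("keyboard-interactive", "challenge-response", "pubkey", "host-based")`, matching the strings AuthMethod returns. Also "to the loggin framework" should read "logging framework", and `## Timestamp for when the event happened` is vaguer than the old `## Time when the SSH connection began`; the value is `network_time()` at the first version event, so say that.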
@@ -69,136 +34,55 @@ redef record connection += { }; const ports = { 22/tcp }; -redef likely_server_ports += { ports }; event bro_init() &priority=5 -{ + { Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]); Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports); -} - -function set_session(c: connection) - { - if ( ! c?$ssh ) - { - local info: Info; - info$ts=network_time(); - info$uid=c$uid; - info$id=c$id; - c$ssh = info; - } } -function check_ssh_connection(c: connection, done: bool) + +event ssh_version(c: connection, is_orig: bool, version: string) { - # If already done watching this connection, just return. - if ( c$ssh$done ) - return; - - if ( done ) + if ( !c?$ssh ) { - # If this connection is done, then we can look to see if - # this matches the conditions for a failed login. Failed - # logins are only detected at connection state removal. - - if ( # Require originators and responders to have sent at least 50 bytes. - c$orig$size > 50 && c$resp$size > 50 && - # Responders must be below 4000 bytes. - c$resp$size < authentication_data_size && - # Responder must have sent fewer than 40 packets. - c$resp$num_pkts < 40 && - # If there was a content gap we can't reliably do this heuristic. - c?$conn && c$conn$missed_bytes == 0 )# && - # Only "normal" connections can count. - #c$conn?$conn_state && c$conn$conn_state in valid_states ) - { - c$ssh$status = "failure"; - event SSH::heuristic_failed_login(c); - } - - if ( c$resp$size >= authentication_data_size ) - { - c$ssh$status = "success"; - event SSH::heuristic_successful_login(c); - } + local s: SSH::Info; + s$ts = network_time(); + s$uid = c$uid; + s$id = c$id; + c$ssh = s; } + if ( is_orig ) + c$ssh$client = version; else - { - # If this connection is still being tracked, then it's possible - # to watch for it to be a successful connection. 
- if ( c$resp$size >= authentication_data_size ) - { - c$ssh$status = "success"; - event SSH::heuristic_successful_login(c); - } - else - # This connection must be tracked longer. Let the scheduled - # check happen again. - return; - } - - # Set the direction for the log. - c$ssh$direction = Site::is_local_addr(c$id$orig_h) ? OUTBOUND : INBOUND; - - # Set the "done" flag to prevent the watching event from rescheduling - # after detection is done. - c$ssh$done=T; - - if ( skip_processing_after_detection ) - { - # Stop watching this connection, we don't care about it anymore. - skip_further_processing(c$id); - set_record_packets(c$id, F); - } + c$ssh$server = version; +# print c$ssh; } - -event heuristic_successful_login(c: connection) &priority=-5 +event ssh_auth_successful(c: connection, method: string) { - Log::write(SSH::LOG, c$ssh); - } - -event heuristic_failed_login(c: connection) &priority=-5 - { - Log::write(SSH::LOG, c$ssh); - } - -event connection_state_remove(c: connection) &priority=-5 - { - if ( c?$ssh ) - { - check_ssh_connection(c, T); - if ( c$ssh$status == "undetermined" ) - Log::write(SSH::LOG, c$ssh); - } - } - -event ssh_watcher(c: connection) - { - local id = c$id; - # don't go any further if this connection is gone already! - if ( ! connection_exists(id) ) + if ( !c?$ssh ) return; - - lookup_connection(c$id); - check_ssh_connection(c, F); - if ( ! 
c$ssh$done ) - schedule +15secs { ssh_watcher(c) }; + c$ssh$result = "success"; + c$ssh$method = method; + Log::write(SSH::LOG, c$ssh); } -event ssh_server_version(c: connection, version: string) &priority=5 +event ssh_auth_failed(c: connection, method: string) { - set_session(c); - c$ssh$server = version; + if ( !c?$ssh ) + return; + c$ssh$result = "failure"; + c$ssh$method = method; + Log::write(SSH::LOG, c$ssh); } -event ssh_client_version(c: connection, version: string) &priority=5 +event connection_closed(c: connection) { - set_session(c); - c$ssh$client = version; - - # The heuristic detection for SSH relies on the ConnSize analyzer. - # Don't do the heuristics if it's disabled. - if ( use_conn_size_analyzer ) - schedule +15secs { ssh_watcher(c) }; - } + if ( c?$ssh && !c$ssh?$result ) + { + c$ssh$result = "unknown"; + c$ssh$method = "unknown"; + Log::write(SSH::LOG, c$ssh); + } + } \ No newline at end of file diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index fc63aa4b66..59e33843ac 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -19,11 +19,11 @@ add_subdirectory(ident) add_subdirectory(interconn) add_subdirectory(irc) add_subdirectory(login) -add_subdirectory(modbus) add_subdirectory(mime) +add_subdirectory(modbus) add_subdirectory(ncp) -add_subdirectory(netflow) add_subdirectory(netbios) +add_subdirectory(netflow) add_subdirectory(ntp) add_subdirectory(pia) add_subdirectory(pop3) diff --git a/src/analyzer/protocol/ssh/CMakeLists.txt b/src/analyzer/protocol/ssh/CMakeLists.txt index 505c89332e..1266e4f496 100644 --- a/src/analyzer/protocol/ssh/CMakeLists.txt +++ b/src/analyzer/protocol/ssh/CMakeLists.txt 
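Review bot: The fallback that writes the "unknown" row is now in `event connection_closed(c: connection)`, but the old script used `connection_state_remove`, which is the one handler guaranteed to run for every tracked connection; a session that ends in a RST or is expired by a timeout rather than a FIN close would never reach ssh.log unless an auth event fired first. I also do not see `connection_closed` among the core lifecycle events (`connection_finished`, `connection_reset`, `connection_timeout`, `connection_state_remove`), so if it is not a declared event this handler may not even load; either way `event connection_state_remove(c: connection) &priority=-5` is the safe catch-all. The hunk also silently drops `redef likely_server_ports += { ports };`, which the core uses to orient flipped or partial connections; restore it unless the removal is deliberate. Finally, every `ssh_auth_failed` writes its own row, so one TCP session with several password attempts yields several rows sharing a uid; fine if intended, but it deserves a comment.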
@@ -1,9 +1,11 @@ +# Generated by binpac_quickstart include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro SSH) -bro_plugin_cc(SSH.cc Plugin.cc) -bro_plugin_bif(events.bif) -bro_plugin_end() + bro_plugin_cc(SSH.cc Plugin.cc) + bro_plugin_bif(events.bif) + bro_plugin_pac(ssh.pac ssh-analyzer.pac ssh-protocol.pac) +bro_plugin_end() \ No newline at end of file diff --git a/src/analyzer/protocol/ssh/Plugin.cc b/src/analyzer/protocol/ssh/Plugin.cc index 53a0294a88..ddb01964f5 100644 --- a/src/analyzer/protocol/ssh/Plugin.cc +++ b/src/analyzer/protocol/ssh/Plugin.cc @@ -1,10 +1,11 @@ +// Generated by binpac_quickstart #include "plugin/Plugin.h" #include "SSH.h" BRO_PLUGIN_BEGIN(Bro, SSH) - BRO_PLUGIN_DESCRIPTION("SSH analyzer"); - BRO_PLUGIN_ANALYZER("SSH", ssh::SSH_Analyzer); + BRO_PLUGIN_DESCRIPTION("Secure Shell analyzer"); + BRO_PLUGIN_ANALYZER("SSH", SSH::SSH_Analyzer); BRO_PLUGIN_BIF_FILE(events); -BRO_PLUGIN_END +BRO_PLUGIN_END \ No newline at end of file diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc index ab3f6a5e5b..caeb5c4ca7 100644 --- a/src/analyzer/protocol/ssh/SSH.cc +++ b/src/analyzer/protocol/ssh/SSH.cc 
@@ -1,105 +1,135 @@ -// See the file "COPYING" in the main distribution directory for copyright. +// Generated by binpac_quickstart -#include "config.h" - -#include - -#include "NetVar.h" #include "SSH.h" -#include "Event.h" -#include "analyzer/protocol/tcp/ContentLine.h" + +#include "analyzer/protocol/tcp/TCP_Reassembler.h" + +#include "Reporter.h" #include "events.bif.h" -using namespace analyzer::ssh; +using namespace analyzer::SSH; SSH_Analyzer::SSH_Analyzer(Connection* c) + : tcp::TCP_ApplicationAnalyzer("SSH", c) - { - orig = new tcp::ContentLine_Analyzer(c, true); - orig->SetSkipPartial(true); - orig->SetCRLFAsEOL(LF_as_EOL); - AddSupportAnalyzer(orig); - resp = new tcp::ContentLine_Analyzer(c, false); - resp->SetSkipPartial(true); - resp->SetCRLFAsEOL(LF_as_EOL); - AddSupportAnalyzer(resp); + { + interp = new binpac::SSH::SSH_Conn(this); + had_gap = false; + num_encrypted_packets_seen = 0; + } + +SSH_Analyzer::~SSH_Analyzer() + { + delete interp; } -void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) +void SSH_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); + + tcp::TCP_ApplicationAnalyzer::Done(); - // We're all done processing this endpoint - flag it as such, - // before we even determine whether we have any event generation - // work to do, to make sure we don't do any further work on it. 
- if ( is_orig ) - orig->SetSkipDeliveries(true); - else - resp->SetSkipDeliveries(true); + interp->FlowEOF(true); + interp->FlowEOF(false); + + } - if ( TCP() ) +void SSH_Analyzer::EndpointEOF(bool is_orig) + { + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + interp->FlowEOF(is_orig); + } + +void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig) + { + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + + assert(TCP()); + if ( TCP()->IsPartial() ) + return; + + if ( had_gap ) + // If only one side had a content gap, we could still try to + // deliver data to the other side if the script layer can handle this. + return; + + if ( num_encrypted_packets_seen || interp->get_state(orig) == binpac::SSH::ENCRYPTED ) { - // Don't try to parse version if there has already been a gap. - tcp::TCP_Endpoint* endp = is_orig ? TCP()->Orig() : TCP()->Resp(); - if ( endp->HadGap() ) - return; - } - - const char* line = (const char*) data; - - // The SSH identification looks like this: - // - // SSH-.-\n - // - // We're interested in the "version" part here. 
- - if ( length < 4 || memcmp(line, "SSH-", 4) != 0 ) - { - Weird("malformed_ssh_identification"); - ProtocolViolation("malformed ssh identification", line, length); + ProcessEncrypted(len, orig); return; } - int i; - for ( i = 4; i < length && line[i] != '-'; ++i ) - ; - - if ( TCP() ) + try { - if ( length >= i ) - { - IPAddr dst; - - if ( is_orig ) - dst = TCP()->Orig()->dst_addr; - else - dst = TCP()->Resp()->dst_addr; - - if ( Conn()->VersionFoundEvent(dst, line + i, - length - i) ) - ProtocolConfirmation(); - else - ProtocolViolation("malformed ssh version", - line, length); - } - else - { - Weird("malformed_ssh_version"); - ProtocolViolation("malformed ssh version", line, length); - } + interp->NewData(orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + printf(" **** %s\n", e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } - - // Generate SSH events. - EventHandlerPtr event = is_orig ? - ssh_client_version : ssh_server_version; - if ( ! 
event ) - return; - - val_list* vl = new val_list; - vl->append(BuildConnVal()); - vl->append(new StringVal(length, line)); - - ConnectionEvent(event, vl); + } + +void SSH_Analyzer::Undelivered(int seq, int len, bool orig) + { + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + had_gap = true; + interp->NewGap(orig, len); + } + +void SSH_Analyzer::ProcessEncrypted(int len, bool orig) + { + if (!num_encrypted_packets_seen) + { + initial_encrypted_packet_size = len; + } + // printf("Encrypted packet of size %d from %s.\n", len, orig?"client":"server"); + int relative_len = len - initial_encrypted_packet_size; + if ( num_encrypted_packets_seen >= 2 ) + { + int auth_result = AuthResult(relative_len, orig); + if ( auth_result > 0 ) + { + StringVal* method = new StringVal(AuthMethod(relative_len, orig)); + if ( auth_result == 1 ) + BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method); + if ( auth_result == 2 ) + BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method); + } + packet_n_2_is_orig = packet_n_1_is_orig; + packet_n_2_size = packet_n_1_size; + } + packet_n_1_is_orig = orig; + packet_n_1_size = relative_len; + num_encrypted_packets_seen++; + } + + +int SSH_Analyzer::AuthResult(int len, bool orig) + { + if ( orig && !packet_n_1_is_orig && packet_n_2_is_orig ) + { + if ( len == -16 ) + return 1; + else if ( len >= 16 && + len <= 32 ) + return 2; + return 0; + } + return -1; + } + +const char* SSH_Analyzer::AuthMethod(int len, bool orig) + { + if ( packet_n_1_size == 96 ) // Password auth + return "keyboard-interactive"; + if ( packet_n_1_size == 32 ) // Challenge-response auth + return "challenge-response"; + if ( packet_n_2_size >= 112 && + packet_n_2_size <= 432 ) // Public key auth + return "pubkey"; + if ( packet_n_2_size == 16 ) // Host-based auth + return "host-based"; + return fmt("unknown auth method: n-1=%d n-2=%d", packet_n_1_size, packet_n_2_size); } 
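Review bot: `AuthResult` reads `packet_n_2_is_orig` before it has ever been assigned: `ProcessEncrypted` calls it as soon as `num_encrypted_packets_seen >= 2`, but `packet_n_2_*` is only copied from `packet_n_1_*` after that call, and the constructor initializes only `had_gap` and `num_encrypted_packets_seen`, so the third encrypted record is classified on garbage (and `AuthMethod` then reads the equally uninitialized `packet_n_2_size`). Initialize all of them in the constructor, e.g. `initial_encrypted_packet_size = 0; packet_n_1_is_orig = packet_n_2_is_orig = false; packet_n_1_size = packet_n_2_size = 0;`. Separately, the `catch` block's `printf(" **** %s\n", e.c_msg())` dumps a parse error for every malformed cleartext packet an unauthenticated peer chooses to send to stdout; `ProtocolViolation` already reports it, so drop the printf. Lastly, `ssh_auth_successful`/`ssh_auth_failed` are driven purely by ciphertext length deltas (`len == -16`, `16..32`), which a peer that pads or interleaves SSH_MSG_IGNORE can steer, so `ProcessEncrypted` should carry a header comment saying these are heuristics that scripts must not treat as ground truth.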
diff --git a/src/analyzer/protocol/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h index 3878881693..7d391e8d66 100644 --- a/src/analyzer/protocol/ssh/SSH.h +++ b/src/analyzer/protocol/ssh/SSH.h @@ -1,25 +1,62 @@ -// See the file "COPYING" in the main distribution directory for copyright. +// Generated by binpac_quickstart #ifndef ANALYZER_PROTOCOL_SSH_SSH_H #define ANALYZER_PROTOCOL_SSH_SSH_H +#include "events.bif.h" + + #include "analyzer/protocol/tcp/TCP.h" -#include "analyzer/protocol/tcp/ContentLine.h" -namespace analyzer { namespace ssh { +#include "ssh_pac.h" + +namespace analyzer { namespace SSH { + +class SSH_Analyzer + +: public tcp::TCP_ApplicationAnalyzer { -class SSH_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SSH_Analyzer(Connection* conn); + virtual ~SSH_Analyzer(); + // Overriden from Analyzer. + virtual void Done(); + virtual void DeliverStream(int len, const u_char* data, bool orig); + virtual void Undelivered(int seq, int len, bool orig); + // Overriden from tcp::TCP_ApplicationAnalyzer. + virtual void EndpointEOF(bool is_orig); + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SSH_Analyzer(conn); } -private: - tcp::ContentLine_Analyzer* orig; - tcp::ContentLine_Analyzer* resp; + static bool Available() + { + // TODO: After you define your events, || them together here. + // See events.bif for more information + return ( ssh_event ); + } + +protected: + binpac::SSH::SSH_Conn* interp; + + void ProcessEncrypted(int len, bool orig); + int AuthResult(int len, bool orig); + const char* AuthMethod(int len, bool orig); + + bool had_gap; + + // Packet analysis stuff + int initial_encrypted_packet_size; + int num_encrypted_packets_seen; + + bool packet_n_1_is_orig; + int packet_n_1_size; + bool packet_n_2_is_orig; + int packet_n_2_size; + }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif index 9d73f5e483..f1fa16919d 100644 
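Review bot: `Available()` still returns only the quickstart placeholder `ssh_event`, which nothing in this commit generates (ssh-analyzer.pac raises `ssh_version` and the two auth events), so the analyzer advertises itself as available only when a script handles an event that can never fire; it should be `return ( ssh_version || ssh_auth_successful || ssh_auth_failed );`, and the leftover `// TODO: After you define your events` confirms this was not finished. The members under `// Packet analysis stuff` also need a real comment: none of `AuthResult`'s or `AuthMethod`'s magic numbers make sense without knowing that `packet_n_1_*`/`packet_n_2_*` hold the direction and size of the two previous encrypted records, measured relative to `initial_encrypted_packet_size`. Something like `// Sliding window over the last two encrypted records (size relative to the first encrypted record) used by the auth-result heuristic` above them would do.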
--- a/src/analyzer/protocol/ssh/events.bif +++ b/src/analyzer/protocol/ssh/events.bif @@ -1,38 +1,17 @@ -## Generated when seeing an SSH client's version identification. The SSH -## protocol starts with a clear-text handshake message that reports client and -## server protocol/software versions. This event provides access to what the -## client sent. -## -## -## See `Wikipedia `__ for more -## information about the SSH protocol. -## -## c: The connection. -## -## version: The version string the client sent (e.g., `SSH-2.0-libssh-0.11`). -## -## .. bro:see:: ssh_server_version -## -## .. note:: As everything after the initial version handshake proceeds -## encrypted, Bro cannot further analyze SSH sessions. -event ssh_client_version%(c: connection, version: string%); +# Generated by binpac_quickstart -## Generated when seeing an SSH server's version identification. The SSH -## protocol starts with a clear-text handshake message that reports client and -## server protocol/software versions. This event provides access to what the -## server sent. -## -## See `Wikipedia `__ for more -## information about the SSH protocol. -## -## c: The connection. -## -## version: The version string the server sent (e.g., -## ``SSH-1.99-OpenSSH_3.9p1``). -## -## .. bro:see:: ssh_client_version -## -## .. note:: As everything coming after the initial version handshake proceeds -## encrypted, Bro cannot further analyze SSH sessions. -event ssh_server_version%(c: connection, version: string%); +# In this file, you'll define the events that your analyzer will generate. A sample event is included. +## Generated for SSH connections +## +## See `Google `__ for more information about SSH +## +## c: The connection +##3 +event ssh_event%(c: connection%); + +event ssh_version%(c: connection, is_orig: bool, version: string%); + +event ssh_auth_successful%(c: connection, method: string%); + +event ssh_auth_failed%(c: connection, method: string%); \ No newline at end of file 
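Review bot: The replacement events are undocumented and the quickstart residue (`See Google`, the stray `##3`, the placeholder `ssh_event`) stands in for the removed `##` blocks that explained the version strings and warned that nothing after the handshake is readable. `ssh_auth_successful` and `ssh_auth_failed` in particular need a doc comment stating that they are inferred from encrypted packet sizes in SSH.cc and may be wrong, e.g. `## Generated when encrypted-packet sizes suggest that client authentication succeeded. This is a heuristic; the outcome is not parsed from the protocol.` `ssh_version` should document `is_orig` (true for the client's line) and give the example versions the old text had. `ssh_event` is declared but never generated by the analyzer; drop it or document why it exists.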
diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac
new file mode 100644
index 0000000000..5cde754521
--- /dev/null
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
@@ -0,0 +1,25 @@
+# Generated by binpac_quickstart
+
+refine flow SSH_Flow += {
+ function proc_ssh_version(msg: SSH_Version): bool
+ %{
+ BifEvent::generate_ssh_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.is_orig},
+ bytestring_to_val(${msg.version}));
+ return true;
+ %}
+
+ function proc_newkeys(): bool
+ %{
+ connection()->bro_analyzer()->ProtocolConfirmation();
+ return true;
+ %}
+
+};
+
+refine typeattr SSH_Version += &let {
+ proc: bool = $context.flow.proc_ssh_version(this);
+};
+
+refine typeattr SSH_Message += &let {
+ proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == SSH_MSG_NEWKEYS);
+};
diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac
new file mode 100644
index 0000000000..84b1bc1f6a
--- /dev/null
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
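Review bot: `proc_ssh_version` forwards whatever `&oneline` record arrives as the SSH version without checking the `SSH-` prefix, whereas the C++ code this replaces rejected it with `Weird("malformed_ssh_identification")` and `ProtocolViolation("malformed ssh identification", ...)`; now any line-oriented traffic on 22/tcp produces an `ssh_version` event and DPD gets no violation signal until a NEWKEYS that never comes. Add the check before generating, roughly `if ( ${msg.version}.length() < 4 || memcmp(${msg.version}.begin(), "SSH-", 4) != 0 ) { connection()->bro_analyzer()->ProtocolViolation("malformed ssh identification"); return false; }`. One caveat worth a comment: RFC 4253 section 4.2 lets the server send other lines before its version line, so for the responder side a non-matching line should probably be skipped (stay in VERSION_EXCHANGE) rather than treated as a violation. `proc_newkeys` confirming the protocol only on SSH_MSG_NEWKEYS is fine, but that makes the early version check the only cheap way to shed non-SSH flows.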
@@ -0,0 +1,175 @@ +enum state { + VERSION_EXCHANGE = 0, + KEY_EXCHANGE_CLEARTEXT = 1, + ENCRYPTED = 2, +}; + +enum message_id { + SSH_MSG_DISCONNECT = 1, + SSH_MSG_IGNORE = 2, + SSH_MSG_UNIMPLEMENTED = 3, + SSH_MSG_DEBUG = 4, + SSH_MSG_SERVICE_REQUEST = 5, + SSH_MSG_SERVICE_ACCEPT = 6, + SSH_MSG_KEXINIT = 20, + SSH_MSG_NEWKEYS = 21, + SSH_MSG_KEX_DH_GEX_REQUEST_OLD = 30, + SSH_MSG_KEX_DH_GEX_GROUP = 31, + SSH_MSG_KEX_DH_GEX_INIT = 32, + SSH_MSG_KEX_DH_GEX_REPLY = 33, + SSH_MSG_KEX_DH_GEX_REQUEST = 34, + SSH_MSG_USERAUTH_REQUEST = 50, + SSH_MSG_USERAUTH_FAILURE = 51, + SSH_MSG_USERAUTH_SUCCESS = 52, + SSH_MSG_USERAUTH_BANNER = 53, + SSH_MSG_GLOBAL_REQUEST = 80, + SSH_MSG_REQUEST_SUCCESS = 81, + SSH_MSG_REQUEST_FAILURE = 82, + SSH_MSG_CHANNEL_OPEN = 90, + SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91, + SSH_MSG_CHANNEL_OPEN_FAILURE = 92, + SSH_MSG_CHANNEL_WINDOW_ADJUST = 93, + SSH_MSG_CHANNEL_DATA = 94, + SSH_MSG_CHANNEL_EXTENDED_DATA = 95, + SSH_MSG_CHANNEL_EOF = 96, + SSH_MSG_CHANNEL_CLOSE = 97, + SSH_MSG_CHANNEL_REQUEST = 98, + SSH_MSG_CHANNEL_SUCCESS = 99, + SSH_MSG_CHANNEL_FAILURE = 100, +}; + +type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of { + VERSION_EXCHANGE -> version: SSH_Version(is_orig); + KEY_EXCHANGE_CLEARTEXT -> kex: SSH_Key_Exchange(is_orig); + ENCRYPTED -> unk: bytestring &length=100; +} &byteorder=bigendian; + +type SSH_Version(is_orig: bool) = record { + version: bytestring &oneline; +} &let { + update_state: bool = $context.connection.update_state(KEY_EXCHANGE_CLEARTEXT, is_orig); +}; + +type SSH_Key_Exchange_Header(is_orig: bool) = record { + packet_length: uint32; + padding_length: uint8; +} &length=5; + +type SSH_Key_Exchange(is_orig: bool) = record { + header : SSH_Key_Exchange_Header(is_orig); + payload: SSH_Payload(is_orig, header.packet_length - header.padding_length - 2); + pad : bytestring &length=header.padding_length; +}; + +type SSH_Payload_Header(length: uint32) = record { + message_type: uint8; +} &length=1; + 
+type SSH_Payload(is_orig: bool, packet_length: uint32) = record { + header: SSH_Payload_Header(packet_length); + message: SSH_Message(is_orig, header.message_type, packet_length); +}; + +type SSH_Message(is_orig: bool, msg_type: uint8, packet_length: uint32) = case msg_type of { + SSH_MSG_KEXINIT -> kexinit: SSH_KEXINIT(is_orig, packet_length); + SSH_MSG_KEX_DH_GEX_REQUEST -> dh_gex_request: SSH_DH_GEX_REQUEST(is_orig, packet_length); + SSH_MSG_KEX_DH_GEX_GROUP -> dh_gex_group: SSH_DH_GEX_GROUP(is_orig, packet_length); + SSH_MSG_KEX_DH_GEX_INIT -> dh_gex_init: SSH_DH_GEX_INIT(is_orig, packet_length); + SSH_MSG_KEX_DH_GEX_REPLY -> dh_gex_reply: SSH_DH_GEX_REPLY(is_orig, packet_length); + default -> unknown: bytestring &length=packet_length; +} &let { + detach: bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == SSH_MSG_NEWKEYS); +}; + +type SSH_KEXINIT(is_orig: bool, length: uint32) = record { + cookie : bytestring &length=16; + kex_algorithms_len : uint32; + kex_algorithms : bytestring &length=kex_algorithms_len; + server_host_key_algorithms_len : uint32; + server_host_key_algorithms : bytestring &length=server_host_key_algorithms_len; + encryption_algorithms_client_to_server_len : uint32; + encryption_algorithms_client_to_server : bytestring &length=encryption_algorithms_client_to_server_len; + encryption_algorithms_server_to_client_len : uint32; + encryption_algorithms_server_to_client : bytestring &length=encryption_algorithms_server_to_client_len; + mac_algorithms_client_to_server_len : uint32; + mac_algorithms_client_to_server : bytestring &length=mac_algorithms_client_to_server_len; + mac_algorithms_server_to_client_len : uint32; + mac_algorithms_server_to_client : bytestring &length=mac_algorithms_server_to_client_len; + compression_algorithms_client_to_server_len : uint32; + compression_algorithms_client_to_server : bytestring &length=compression_algorithms_client_to_server_len; + compression_algorithms_server_to_client_len : 
uint32; + compression_algorithms_server_to_client : bytestring &length=compression_algorithms_server_to_client_len; + languages_client_to_server_len : uint32; + languages_client_to_server : bytestring &length=languages_client_to_server_len; + languages_server_to_client_len : uint32; + languages_server_to_client : bytestring &length=languages_server_to_client_len; + first_kex_packet_follows : uint8; + reserved : uint32; +} &length=length; + +type SSH_DH_GEX_REQUEST(is_orig: bool, length: uint32) = record { + min: uint32; + n : uint32; + max: uint32; +} &length=12; + +type SSH_DH_GEX_GROUP(is_orig: bool, length: uint32) = record { + p: mpint; + g: mpint; +} &length=length; + +type SSH_DH_GEX_INIT(is_orig: bool, length: uint32) = record { + e: mpint; +} &length=length; + +type SSH_DH_GEX_REPLY(is_orig: bool, length: uint32) = record { + k_s : ssh_string; + f : mpint; + signature: ssh_string; +} &length=length; + +#type SSH_NEWKEYS(is_orig: bool, length: uint32) = record { +# blah: ; +#} &let { +# detach: bool = $context.connection.detach(); +#} &length=0; + +type mpint = record { + len: uint32; + val: bytestring &length=len; +}; + +type ssh_string = record { + len: uint32; + val: bytestring &length=len; +}; + +refine connection SSH_Conn += { + %member{ + int state_up_; + int state_down_; + %} + + %init{ + state_up_ = VERSION_EXCHANGE; + state_down_ = VERSION_EXCHANGE; + %} + + function get_state(is_orig: bool): int + %{ + if ( is_orig ) + return state_up_; + else + return state_down_; + %} + + function update_state(s: state, is_orig: bool): bool + %{ + if ( is_orig ) + state_up_ = s; + else + state_down_ = s; + return true; + %} + +}; \ No newline at end of file diff --git a/src/analyzer/protocol/ssh/ssh.pac b/src/analyzer/protocol/ssh/ssh.pac new file mode 100644 index 0000000000..b3181c4fa1 --- /dev/null +++ b/src/analyzer/protocol/ssh/ssh.pac 
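Review bot: `SSH_Key_Exchange` computes the payload length as `header.packet_length - header.padding_length - 2` in unsigned arithmetic, so a cleartext packet whose `padding_length + 2` exceeds `packet_length` (both attacker-controlled, both read before any key material exists) wraps to roughly 4 GB and binpac will keep buffering that flow waiting for it; nothing bounds `packet_length` itself either, although RFC 4253 section 6.1 only requires accepting 35000-byte packets, so a cap of that order is reasonable. Guard the header before the payload is declared, e.g. `&check(packet_length >= (uint32) padding_length + 2 && packet_length <= 35000)` on `SSH_Key_Exchange_Header` if this binpac version enforces `&check`, otherwise a `&let` that calls back into the analyzer to raise `ProtocolViolation` and stop parsing. The `ENCRYPTED -> unk: bytestring &length=100` arm deserves a comment saying it is never reached because `DeliverStream` bypasses the parser once `get_state()` is ENCRYPTED; as written it looks like a bug. The commented-out `SSH_NEWKEYS` type should go, since the state change already happens in `SSH_Message`'s `&let`.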
@@ -0,0 +1,32 @@ +# Generated by binpac_quickstart + +# Analyzer for Secure Shell +# - ssh-protocol.pac: describes the SSH protocol messages +# - ssh-analyzer.pac: describes the SSH analyzer code + +%include binpac.pac +%include bro.pac + +%extern{ + #include "events.bif.h" +%} + +analyzer SSH withcontext { + connection: SSH_Conn; + flow: SSH_Flow; +}; + +# Our connection consists of two flows, one in each direction. +connection SSH_Conn(bro_analyzer: BroAnalyzer) { + upflow = SSH_Flow(true); + downflow = SSH_Flow(false); +}; + +%include ssh-protocol.pac + +# Now we define the flow: +flow SSH_Flow(is_orig: bool) { + flowunit = SSH_PDU(is_orig) withcontext(connection, this); +}; + +%include ssh-analyzer.pac \ No newline at end of file From 2698fcea8eb5f7e83ddaa6478a20f835bf3b4761 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 22 Apr 2014 18:26:39 -0400 Subject: [PATCH 015/711] SSH: Various updates. --- scripts/base/protocols/ssh/main.bro | 36 ++++++++++++---- src/analyzer/protocol/ssh/SSH.cc | 42 +++++++++++------- src/analyzer/protocol/ssh/SSH.h | 9 ++-- src/analyzer/protocol/ssh/events.bif | 20 +++------ src/analyzer/protocol/ssh/ssh-analyzer.pac | 50 ++++++++++++++++++++-- src/analyzer/protocol/ssh/ssh-protocol.pac | 19 +++++--- 6 files changed, 126 insertions(+), 50 deletions(-) diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index c3f90ec332..b9768b6dbb 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -18,6 +18,8 @@ export { client: string &log &optional; ## The server's version string server: string &log &optional; + ## The server's key fingerprint + host_key: string &log &optional; ## Auth result result: string &log &optional; ## Auth method @@ -42,7 +44,7 @@ event bro_init() &priority=5 } -event ssh_version(c: connection, is_orig: bool, version: string) +event ssh_server_version(c: connection, version: string) { if ( !c?$ssh ) { 
@@ -52,16 +54,25 @@ event ssh_version(c: connection, is_orig: bool, version: string) s$id = c$id; c$ssh = s; } - if ( is_orig ) - c$ssh$client = version; - else - c$ssh$server = version; -# print c$ssh; + c$ssh$server = version; + } + +event ssh_client_version(c: connection, version: string) + { + if ( !c?$ssh ) + { + local s: SSH::Info; + s$ts = network_time(); + s$uid = c$uid; + s$id = c$id; + c$ssh = s; + } + c$ssh$client = version; } event ssh_auth_successful(c: connection, method: string) { - if ( !c?$ssh ) + if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) ) return; c$ssh$result = "success"; c$ssh$method = method; @@ -70,7 +81,7 @@ event ssh_auth_successful(c: connection, method: string) event ssh_auth_failed(c: connection, method: string) { - if ( !c?$ssh ) + if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) ) return; c$ssh$result = "failure"; c$ssh$method = method; @@ -85,4 +96,13 @@ event connection_closed(c: connection) c$ssh$method = "unknown"; Log::write(SSH::LOG, c$ssh); } + } + +event ssh_server_host_key(c: connection, key: string) + { + if ( !c?$ssh ) + return; + local lx = str_split(md5_hash(key), vector(2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30)); + lx[0] = ""; + c$ssh$host_key = sub(join_string_vec(lx, ":"), /:/, ""); } \ No newline at end of file diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc index caeb5c4ca7..c89a77b9e7 100644 --- a/src/analyzer/protocol/ssh/SSH.cc +++ b/src/analyzer/protocol/ssh/SSH.cc @@ -18,6 +18,8 @@ SSH_Analyzer::SSH_Analyzer(Connection* c) interp = new binpac::SSH::SSH_Conn(this); had_gap = false; num_encrypted_packets_seen = 0; + initial_client_packet_size = 0; + initial_server_packet_size = 0; } SSH_Analyzer::~SSH_Analyzer() 
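Review bot: `ssh_server_host_key` fills `host_key` by splitting `md5_hash(key)` at fixed offsets and joining with colons, which yields the colon-separated MD5 fingerprint of the raw key blob (the form old `ssh-keygen -l` prints), but the field is documented only as `## The server's key fingerprint`. Say which fingerprint it is, e.g. `## MD5 fingerprint of the server's host key blob, colon-separated hex as printed by ssh-keygen -l`, so analysts comparing against known_hosts or a SHA-256 fingerprint do not mis-match, and note that MD5 here is a presentation format rather than a security property. The `lx[0] = ""` followed by `sub(join_string_vec(lx, ":"), /:/, "")` presumably works around `str_split` leaving index 0 unused; a one-line comment saying so would spare the next reader the puzzle. The duplicated session setup in `ssh_server_version` and `ssh_client_version` is a copy of the `set_session` helper the old script had; restoring that helper keeps the two handlers from drifting.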
@@ -54,7 +56,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig) // deliver data to the other side if the script layer can handle this. return; - if ( num_encrypted_packets_seen || interp->get_state(orig) == binpac::SSH::ENCRYPTED ) + if ( interp->get_state(orig) == binpac::SSH::ENCRYPTED ) { ProcessEncrypted(len, orig); return; @@ -80,23 +82,33 @@ void SSH_Analyzer::Undelivered(int seq, int len, bool orig) void SSH_Analyzer::ProcessEncrypted(int len, bool orig) { - if (!num_encrypted_packets_seen) - { - initial_encrypted_packet_size = len; - } - // printf("Encrypted packet of size %d from %s.\n", len, orig?"client":"server"); - int relative_len = len - initial_encrypted_packet_size; - if ( num_encrypted_packets_seen >= 2 ) + if (orig && !initial_client_packet_size) + initial_client_packet_size = len; + if (!orig && !initial_server_packet_size) + initial_server_packet_size = len; + + int relative_len; + if (orig) + relative_len = len - initial_client_packet_size; + else + relative_len = len - initial_server_packet_size; + // printf("Encrypted packet of length %d from %s.\n", len, orig?"client":"server"); + if ( num_encrypted_packets_seen >= 4 ) { int auth_result = AuthResult(relative_len, orig); if ( auth_result > 0 ) { + num_encrypted_packets_seen = 1; + //printf("Have auth\n"); StringVal* method = new StringVal(AuthMethod(relative_len, orig)); if ( auth_result == 1 ) BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method); if ( auth_result == 2 ) BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method); } + } + if ( num_encrypted_packets_seen >= 2 ) + { packet_n_2_is_orig = packet_n_1_is_orig; packet_n_2_size = packet_n_1_size; } 
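Review bot: `num_encrypted_packets_seen = 1;` after a detected auth result resets the window with no explanation, and the hunk leaves two commented-out debug prints (`// printf("Encrypted packet of length ...")`, `//printf("Have auth\n")`) in place; either delete them or keep one behind a `DBG_LOG`-style hook rather than shipping dead printf lines. A short comment such as `// Restart the window so a second authentication attempt (e.g. after a failure) is classified afresh; the per-direction baselines are kept` would document the reset, since `initial_client_packet_size` / `initial_server_packet_size` are deliberately not cleared. Using size 0 as the "not yet set" sentinel for the baselines is fine only because an encrypted record can never be empty; worth saying in a comment next to the `if (orig && !initial_client_packet_size)` test.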
@@ -108,7 +120,7 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig) int SSH_Analyzer::AuthResult(int len, bool orig) { - if ( orig && !packet_n_1_is_orig && packet_n_2_is_orig ) + if ( !orig && packet_n_1_is_orig && !packet_n_2_is_orig ) { if ( len == -16 ) return 1; @@ -123,13 +135,13 @@ int SSH_Analyzer::AuthResult(int len, bool orig) const char* SSH_Analyzer::AuthMethod(int len, bool orig) { if ( packet_n_1_size == 96 ) // Password auth - return "keyboard-interactive"; - if ( packet_n_1_size == 32 ) // Challenge-response auth - return "challenge-response"; + return fmt("password (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size); + if ( packet_n_1_size == 32 && ( packet_n_2_size == 0 || packet_n_2_size == 48 ) ) // Challenge-response auth + return fmt("challenge-response (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size); if ( packet_n_2_size >= 112 && packet_n_2_size <= 432 ) // Public key auth - return "pubkey"; + return fmt("pubkey (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size); if ( packet_n_2_size == 16 ) // Host-based auth - return "host-based"; - return fmt("unknown auth method: n-1=%d n-2=%d", packet_n_1_size, packet_n_2_size); + return fmt("host-based (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size); + return fmt("unknown (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size); } diff --git a/src/analyzer/protocol/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h index 7d391e8d66..b0d8aade57 100644 --- a/src/analyzer/protocol/ssh/SSH.h +++ b/src/analyzer/protocol/ssh/SSH.h @@ -34,9 +34,9 @@ public: static bool Available() { - // TODO: After you define your events, || them together here. - // See events.bif for more information - return ( ssh_event ); + return ( ssh_server_version || ssh_client_version || + ssh_auth_successful || ssh_auth_failed || + ssh_server_capabilities || ssh_server_host_key ); } protected: 
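Review bot: `AuthMethod` now returns strings like `fmt("password (L=%d, L-1=%d, L-2=%d)", ...)`, and that value is handed straight to `ssh_auth_successful`/`ssh_auth_failed` and lands in the `method` column of ssh.log, so the column acquires unbounded cardinality and any script comparing `method == "password"` breaks. Keep the labels stable (`return "password";` etc.) and, if the packet lengths are needed while tuning the heuristic, print them under a debug macro or pass them as separate event arguments. Note also that `fmt()` returns a pointer into a static buffer as far as I recall, so this only works because `StringVal` copies the text immediately; a comment on `AuthMethod` saying the result must be consumed before the next `fmt()` call would prevent a later misuse.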
@@ -49,7 +49,8 @@ protected: bool had_gap; // Packet analysis stuff - int initial_encrypted_packet_size; + int initial_client_packet_size; + int initial_server_packet_size; int num_encrypted_packets_seen; bool packet_n_1_is_orig; diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif index f1fa16919d..cefb591a6e 100644 --- a/src/analyzer/protocol/ssh/events.bif +++ b/src/analyzer/protocol/ssh/events.bif @@ -1,17 +1,11 @@ -# Generated by binpac_quickstart +event ssh_server_version%(c: connection, version: string%); -# In this file, you'll define the events that your analyzer will generate. A sample event is included. - -## Generated for SSH connections -## -## See `Google `__ for more information about SSH -## -## c: The connection -##3 -event ssh_event%(c: connection%); - -event ssh_version%(c: connection, is_orig: bool, version: string%); +event ssh_client_version%(c: connection, version: string%); event ssh_auth_successful%(c: connection, method: string%); -event ssh_auth_failed%(c: connection, method: string%); \ No newline at end of file +event ssh_auth_failed%(c: connection, method: string%); + +event ssh_server_capabilities%(c: connection, kex_algorithms: string, server_host_key_algorithms: string, encryption_algorithms_client_to_server: string, encryption_algorithms_server_to_client: string, mac_algorithms_client_to_server: string, mac_algorithms_server_to_client: string, compression_algorithms_client_to_server: string, compression_algorithms_server_to_client: string, languages_client_to_server: string, languages_server_to_client: string%); + +event ssh_server_host_key%(c: connection, key: string%); \ No newline at end of file diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index 5cde754521..05cf20d4b4 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac 
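Review bot: The rewritten events.bif drops every `##` doc comment, so the six events, including the ten-argument ssh_server_capabilities, are now entirely undocumented in the file that carries their public definitions. I'd add a `##` block to each event in the style of the removed text, for example on ssh_server_host_key: `## Generated for the server host key seen during key exchange.`, `## c: The connection`, `## key: The raw host key as sent by the server`. The ssh_server_capabilities signature would also be much easier to read and review with one parameter per line.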
@@ -3,8 +3,34 @@ refine flow SSH_Flow += { function proc_ssh_version(msg: SSH_Version): bool %{ - BifEvent::generate_ssh_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.is_orig}, - bytestring_to_val(${msg.version})); + if ( ssh_client_version && ${msg.is_orig } ) + BifEvent::generate_ssh_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.version})); + else if ( ssh_server_version ) + BifEvent::generate_ssh_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.version})); + return true; + %} + + function proc_ssh_kexinit(msg: SSH_KEXINIT): bool + %{ + if ( ssh_server_capabilities ) + BifEvent::generate_ssh_server_capabilities(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + bytestring_to_val(${msg.kex_algorithms}), bytestring_to_val(${msg.server_host_key_algorithms}), + bytestring_to_val(${msg.encryption_algorithms_client_to_server}), + bytestring_to_val(${msg.encryption_algorithms_server_to_client}), + bytestring_to_val(${msg.mac_algorithms_client_to_server}), + bytestring_to_val(${msg.mac_algorithms_server_to_client}), + bytestring_to_val(${msg.compression_algorithms_client_to_server}), + bytestring_to_val(${msg.compression_algorithms_server_to_client}), + bytestring_to_val(${msg.languages_client_to_server}), + bytestring_to_val(${msg.languages_server_to_client})); + return true; + %} + + function proc_ssh_server_host_key(key: bytestring): bool + %{ + if ( ssh_server_host_key ) + BifEvent::generate_ssh_server_host_key(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + bytestring_to_val(${key})); return true; %} 
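Review bot: In proc_ssh_version a client version string is reported as the server's whenever no ssh_client_version handler is defined: `if ( ssh_client_version && ${msg.is_orig } )` is false for originator messages in that case, and the `else if ( ssh_server_version )` branch then fires with the client's version. The direction test needs to be separate from the handler test, e.g. `if ( ${msg.is_orig} ) { if ( ssh_client_version ) BifEvent::generate_ssh_client_version(...); } else if ( ssh_server_version ) BifEvent::generate_ssh_server_version(...);`. The stray space in `${msg.is_orig }` should go as well.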
@@ -14,12 +40,30 @@ refine flow SSH_Flow += { return true; %} + function debug(loc: uint8): bool + %{ + printf("DEBUG: %d", loc); + return true; + %} + }; refine typeattr SSH_Version += &let { proc: bool = $context.flow.proc_ssh_version(this); }; +refine typeattr SSH_KEXINIT += &let { + proc: bool = $context.flow.proc_ssh_kexinit(this); +}; + +refine typeattr SSH_DH_GEX_REPLY += &let { + proc: bool = $context.flow.proc_ssh_server_host_key(k_s.val); +}; + +refine typeattr SSH_DH_GEX_GROUP += &let { + proc: bool = $context.flow.proc_ssh_server_host_key(p.val); +}; + refine typeattr SSH_Message += &let { proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == SSH_MSG_NEWKEYS); -}; +}; \ No newline at end of file diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index 84b1bc1f6a..aea112ff10 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac +++ b/src/analyzer/protocol/ssh/ssh-protocol.pac @@ -41,7 +41,7 @@ enum message_id { type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of { VERSION_EXCHANGE -> version: SSH_Version(is_orig); KEY_EXCHANGE_CLEARTEXT -> kex: SSH_Key_Exchange(is_orig); - ENCRYPTED -> unk: bytestring &length=100; + ENCRYPTED -> ciphertext: bytestring &length=1 &transient; } &byteorder=bigendian; type SSH_Version(is_orig: bool) = record { 
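Review bot: The `refine typeattr SSH_DH_GEX_GROUP` block passes `p.val`, the Diffie-Hellman group modulus, to proc_ssh_server_host_key, so ssh_server_host_key will be raised with the DH prime rather than a host key whenever a GEX_GROUP message is parsed; only the `k_s.val` hookup on SSH_DH_GEX_REPLY delivers what the event name promises, and the GEX_GROUP refinement should be removed or retargeted to an event that describes what it carries. The new `debug(loc: uint8)` flow function does `printf("DEBUG: %d", loc);` to stdout with no newline and no way to disable it, which is leftover instrumentation and should not be committed. In ssh-protocol.pac, `ENCRYPTED -> ciphertext: bytestring &length=1 &transient;` would benefit from a comment stating that encrypted payload is deliberately not parsed here; the handling in SSH_Analyzer::DeliverStream is outside this hunk.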
@@ -71,12 +71,13 @@ type SSH_Payload(is_orig: bool, packet_length: uint32) = record { }; type SSH_Message(is_orig: bool, msg_type: uint8, packet_length: uint32) = case msg_type of { - SSH_MSG_KEXINIT -> kexinit: SSH_KEXINIT(is_orig, packet_length); - SSH_MSG_KEX_DH_GEX_REQUEST -> dh_gex_request: SSH_DH_GEX_REQUEST(is_orig, packet_length); - SSH_MSG_KEX_DH_GEX_GROUP -> dh_gex_group: SSH_DH_GEX_GROUP(is_orig, packet_length); - SSH_MSG_KEX_DH_GEX_INIT -> dh_gex_init: SSH_DH_GEX_INIT(is_orig, packet_length); - SSH_MSG_KEX_DH_GEX_REPLY -> dh_gex_reply: SSH_DH_GEX_REPLY(is_orig, packet_length); - default -> unknown: bytestring &length=packet_length; + SSH_MSG_KEXINIT -> kexinit: SSH_KEXINIT(is_orig, packet_length); + SSH_MSG_KEX_DH_GEX_REQUEST -> dh_gex_request: SSH_DH_GEX_REQUEST(is_orig, packet_length); + SSH_MSG_KEX_DH_GEX_REQUEST_OLD -> dh_gex_request_old: SSH_DH_GEX_REQUEST_OLD(is_orig, packet_length); + SSH_MSG_KEX_DH_GEX_GROUP -> dh_gex_group: SSH_DH_GEX_GROUP(is_orig, packet_length); + SSH_MSG_KEX_DH_GEX_INIT -> dh_gex_init: SSH_DH_GEX_INIT(is_orig, packet_length); + SSH_MSG_KEX_DH_GEX_REPLY -> dh_gex_reply: SSH_DH_GEX_REPLY(is_orig, packet_length); + SSH_MSG_NEWKEYS -> new_keys: bytestring &length=packet_length; } &let { detach: bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == SSH_MSG_NEWKEYS); }; @@ -113,6 +114,10 @@ type SSH_DH_GEX_REQUEST(is_orig: bool, length: uint32) = record { max: uint32; } &length=12; +type SSH_DH_GEX_REQUEST_OLD(is_orig: bool, length: uint32) = record { + payload: bytestring &length=length; +} &length=length; + type SSH_DH_GEX_GROUP(is_orig: bool, length: uint32) = record { p: mpint; g: mpint; From e67c2c53dde132a72208e3f846a9ec3f141604f0 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 22 Apr 2014 18:50:49 -0400 Subject: [PATCH 016/711] Enable SIP in CMakeLists.txt --- src/analyzer/protocol/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) 
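Review bot: The SSH_Message case no longer has a `default` arm, so any message type not among the listed GEX messages or SSH_MSG_NEWKEYS (SSH_MSG_IGNORE, SSH_MSG_DEBUG, SSH_MSG_DISCONNECT, SSH_MSG_SERVICE_REQUEST, or a non-group-exchange key exchange, for instance) now has no matching case and will raise a binpac exception instead of being skipped. Restoring `default -> unknown: bytestring &length=packet_length;` keeps the analyzer alive on unusual but legitimate traffic. The new SSH_DH_GEX_REQUEST_OLD type reads its whole `length` as an opaque `payload`, which is fine, but a comment noting that it is the older single-value form of the GEX request would help readers.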
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index a4e170f52b..a6cc63fd90 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -27,6 +27,7 @@ add_subdirectory(ntp) add_subdirectory(pia) add_subdirectory(pop3) add_subdirectory(rpc) +add_subdirectory(sip) add_subdirectory(smb) add_subdirectory(smtp) add_subdirectory(socks) From 8744b66b562e321d9c907cee36bc004a6f876397 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 22 Apr 2014 20:31:53 -0400 Subject: [PATCH 017/711] Rely on content inspection and not just is_orig to determine client/server. --- scripts/base/init-default.bro | 1 + src/analyzer/protocol/sip/SIP.cc | 8 ++++++-- src/analyzer/protocol/sip/sip-analyzer.pac | 13 +++++-------- src/analyzer/protocol/sip/sip-protocol.pac | 11 +++++++---- 4 files changed, 19 insertions(+), 14 deletions(-) diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 431b5dfe62..8b276eff0d 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -47,6 +47,7 @@ @load base/protocols/irc @load base/protocols/modbus @load base/protocols/pop3 +@load base/protocols/sip @load base/protocols/snmp @load base/protocols/smtp @load base/protocols/socks diff --git a/src/analyzer/protocol/sip/SIP.cc b/src/analyzer/protocol/sip/SIP.cc index bfbe3ec156..00f8274327 100644 --- a/src/analyzer/protocol/sip/SIP.cc +++ b/src/analyzer/protocol/sip/SIP.cc 
@@ -23,11 +23,15 @@ void SIP_Analyzer::Done() void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { - Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + bool real_orig = true; + if ( len > 6 && data[0] == 'S' && data[1] == 'I' && data[2] == 'P' && data[3] == '/' ) + real_orig = false; + + Analyzer::DeliverPacket(len, data, real_orig, seq, ip, caplen); try { - interp->NewData(orig, data, data + len); + interp->NewData(real_orig, data, data + len); } catch ( const binpac::Exception& e ) { diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac index 4dcdaf6d54..47fa8ffda2 100644 --- a/src/analyzer/protocol/sip/sip-analyzer.pac +++ b/src/analyzer/protocol/sip/sip-analyzer.pac @@ -45,8 +45,8 @@ refine flow SIP_Flow += { function proc_sip_header(name: bytestring, value: bytestring): bool %{ - - content_length = bytestring_to_int(value, 10); + if ( name == "Content-Length" || name == "L" ) + content_length = bytestring_to_int(value, 10); if ( sip_header ) { @@ -123,8 +123,7 @@ refine flow SIP_Flow += { %{ if ( sip_begin_entity ) { - BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig()); + BifEvent::generate_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig()); } %} @@ -132,13 +131,11 @@ refine flow SIP_Flow += { %{ if ( sip_end_entity ) { - BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig()); + BifEvent::generate_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig()); } if ( sip_message_done ) { - BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig()); + BifEvent::generate_sip_message_done(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig()); } return true; 
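Review bot: In SIP_Analyzer::DeliverPacket, `real_orig` is derived solely from whether the payload starts with `SIP/`, so it really means "is this a response"; since SIP peers send requests in both directions (a callee's BYE, for example), a request from the responder side is now labelled as originator, and the packet's actual `orig` is discarded everywhere, including the `Analyzer::DeliverPacket(len, data, real_orig, seq, ip, caplen)` call to the base class. I'd name the flag `is_request`, consider keeping the real `orig` for the base-class call, pass the content-derived flag only to `interp->NewData`, and add a comment explaining why the parser keys off content rather than direction. The prefix test only reads `data[0..3]`, so `len > 6` is stricter than what it guards; `len >= 4` matches the check.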
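Review bot: The new guard `if ( name == "Content-Length" || name == "L" )` in proc_sip_header is an exact, case-sensitive match, but SIP header names are case-insensitive and the compact form of Content-Length in RFC 3261 is the lowercase `l`, so `content-length:` or `l:` headers are missed and `content_length` keeps whatever value it had before for the body-length computation. Compare case-insensitively (a bytestring-aware case-insensitive compare, or lowercasing `name` first) and reset `content_length` at the start of each message so a missing header cannot reuse a stale length. proc_sip_header continues outside the hunk.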
diff --git a/src/analyzer/protocol/sip/sip-protocol.pac b/src/analyzer/protocol/sip/sip-protocol.pac index 0475dcceca..958e3921cd 100644 --- a/src/analyzer/protocol/sip/sip-protocol.pac +++ b/src/analyzer/protocol/sip/sip-protocol.pac @@ -8,6 +8,7 @@ type SIP_TOKEN = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/; type SIP_WS = RE/[ \t]*/; type SIP_COLON = RE/:/; type SIP_TO_EOL = RE/[^\r\n]*/; +type SIP_EOL = RE/(\r\n){1,2}/; type SIP_URI = RE/[[:alnum:]@[:punct:]]+/; type SIP_PDU(is_orig: bool) = case is_orig of { @@ -17,11 +18,13 @@ type SIP_PDU(is_orig: bool) = case is_orig of { type SIP_Request = record { request: SIP_RequestLine; + newline: padding[2]; msg: SIP_Message; }; type SIP_Reply = record { reply: SIP_ReplyLine; + newline: padding[2]; msg: SIP_Message; }; @@ -61,15 +64,15 @@ type SIP_Message = record { body: SIP_Body; }; -type SIP_HEADER_NAME = RE/([^: \t]+)/; +type SIP_HEADER_NAME = RE/[^: \t]+/; type SIP_Header = record { - : padding[2]; name: SIP_HEADER_NAME; : SIP_COLON; : SIP_WS; value: SIP_TO_EOL; + : SIP_EOL; } &oneline &byteorder=bigendian; -type SIP_Body() = record { - body: bytestring &chunked, &length = $context.flow.get_content_length(); +type SIP_Body = record { + body: bytestring &length = $context.flow.get_content_length(); }; From 8ffa81f3908bd1634c74472b4b519fdfbbd8fe35 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sat, 21 Jun 2014 13:30:14 -0400 Subject: [PATCH 018/711] Updated PE analyzer to work with changes in master. --- scripts/base/files/pe/main.bro | 2 +- src/file_analysis/analyzer/pe/PE.cc | 12 ++---------- src/file_analysis/analyzer/pe/pe-analyzer.pac | 2 -- 3 files changed, 3 insertions(+), 13 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index 76ba04fc8c..f9ebc57297 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro 
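Review bot: `type SIP_EOL = RE/(\r\n){1,2}/;` appended to SIP_Header lets a header line also swallow the blank CRLF that terminates the header block, so whether the record following the last header still sees the end-of-headers marker depends on which alternative the regex takes; a single `\r\n` per header, with the empty line matched explicitly by the enclosing SIP_Message (outside this hunk), is the unambiguous form. Replacing `&chunked` with `body: bytestring &length = $context.flow.get_content_length();` also means the parser now waits for and buffers a body of whatever length the peer's Content-Length claims, so a bound on that value (or keeping `&chunked`) is worth considering for hostile input. The `newline: padding[2]` after the request and reply lines assumes CRLF and will misalign the parse on a bare LF terminator.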
@@ -79,7 +79,7 @@ event file_new(f: fa_file) if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) { #print "found a windows executable"; - FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_PE]); + Files::add_analyzer(f, Files::ANALYZER_PE); #FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, # $extract_filename=fmt("exe-%d", ++blah_counter)]); } diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc index 51db8fd232..59fbad91df 100644 --- a/src/file_analysis/analyzer/pe/PE.cc +++ b/src/file_analysis/analyzer/pe/PE.cc @@ -1,14 +1,10 @@ -#include - #include "PE.h" -#include "pe_pac.h" -#include "util.h" -#include "Event.h" +#include "file_analysis/Manager.h" using namespace file_analysis; PE::PE(RecordVal* args, File* file) - : file_analysis::Analyzer(args, file) + : file_analysis::Analyzer(file_mgr->GetComponentTag("PE"), args, file) { conn = new binpac::PE::MockConnection(this); interp = new binpac::PE::File(conn); @@ -26,10 +22,6 @@ bool PE::DeliverStream(const u_char* data, uint64 len) { interp->NewData(data, data + len); } - catch ( const binpac::HaltParser &e ) - { - return false; - } catch ( const binpac::Exception& e ) { printf("Binpac exception: %s\n", e.c_msg()); diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 045f71c479..619bffad53 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -2,7 +2,6 @@ %extern{ #include "Event.h" #include "file_analysis/File.h" -#include "file_analysis.bif.func_h" #include "events.bif.h" %} @@ -10,7 +9,6 @@ refine flow File += { function proc_the_file(): bool %{ - throw binpac::HaltParser(); return true; %} From d98b5b88b5e110d146ee3982b3d2210b2f1bbc2b Mon Sep 17 00:00:00 2001 
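Review bot: With the `binpac::HaltParser` catch removed from PE::DeliverStream, the remaining handler just does `printf("Binpac exception: %s\n", e.c_msg());` to stdout, which is neither visible to the script layer nor silenced in production; reporting the failure through the file analysis framework's weird mechanism and returning false would be the usual shape, though the statement that follows the catch is outside the hunk. The PE constructor still keeps `conn` and `interp` as raw pointers from `new`; whether the destructor releases them cannot be confirmed from here and is worth checking.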
From: Vlad Grigorescu Date: Sun, 22 Jun 2014 07:18:12 -0400 Subject: [PATCH 019/711] Parse PE section headers. --- scripts/base/files/pe/main.bro | 11 ++++++--- src/file_analysis/analyzer/pe/pe-analyzer.pac | 4 +++- src/file_analysis/analyzer/pe/pe-file.pac | 24 +++++++++++++++---- 3 files changed, 30 insertions(+), 9 deletions(-) diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index f9ebc57297..091c322990 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -39,11 +39,15 @@ hook set_file(f: fa_file) &priority=5 event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5 { + print "DOS header"; + print h; hook set_file(f); } event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 { + print "File header"; + print h; hook set_file(f); f$pe$compile_ts = h$ts; f$pe$machine = machine_types[h$machine]; @@ -53,6 +57,8 @@ event pe_file_header(f: fa_file, h: PE::FileHeader) &priority=5 event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 { + print "Optional header"; + print h; hook set_file(f); f$pe$os = os_versions[h$os_version_major, h$os_version_minor]; f$pe$subsystem = windows_subsystems[h$subsystem]; @@ -60,6 +66,8 @@ event pe_optional_header(f: fa_file, h: PE::OptionalHeader) &priority=5 event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 { + print "Section header"; + print h; hook set_file(f); print h; @@ -78,9 +86,6 @@ event file_new(f: fa_file) { if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ ) { - #print "found a windows executable"; Files::add_analyzer(f, Files::ANALYZER_PE); - #FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, - # $extract_filename=fmt("exe-%d", ++blah_counter)]); } } diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 619bffad53..2b49cd2c23 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac 
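Review bot: The four new `print "... header"; print h;` pairs in the pe_*_header handlers of a base script write every parsed PE header to stdout for every executable seen, and pe_section_header additionally keeps the pre-existing `print h;`, so each section header is printed twice. These read as development tracing and should be removed before merging, or at least placed behind a debugging option; the handler bodies continue outside the hunks.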
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -9,6 +9,7 @@ refine flow File += { function proc_the_file(): bool %{ + printf("Processed\n"); return true; %} @@ -203,4 +204,5 @@ refine typeattr IMAGE_SECTION_HEADER += &let { refine typeattr TheFile += &let { proc: bool = $context.flow.proc_the_file(); -}; \ No newline at end of file +}; + diff --git a/src/file_analysis/analyzer/pe/pe-file.pac b/src/file_analysis/analyzer/pe/pe-file.pac index 03a25ce150..58278a7ffd 100644 --- a/src/file_analysis/analyzer/pe/pe-file.pac +++ b/src/file_analysis/analyzer/pe/pe-file.pac @@ -3,7 +3,7 @@ type TheFile = record { dos_header : DOS_Header; dos_code : DOS_Code(dos_code_len); pe_header : IMAGE_NT_HEADERS; - section_headers : IMAGE_SECTION_HEADER[] &length=pe_header.optional_header.size_of_headers; + section_headers : IMAGE_SECTIONS(pe_header.file_header.NumberOfSections); #pad : bytestring &length=offsetof(pe_header.data_directories + pe_header.data_directories[1].virtual_address); #data_sections : DATA_SECTIONS[pe_header.file_header.NumberOfSections]; #data_sections : DATA_SECTIONS[] &length=data_len; @@ -41,7 +41,7 @@ type DOS_Code(len: uint32) = record { type IMAGE_NT_HEADERS = record { PESignature : uint32; file_header : IMAGE_FILE_HEADER; - optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader) &length=file_header.SizeOfOptionalHeader; + optional_header : IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader, file_header.NumberOfSections) &length=file_header.SizeOfOptionalHeader; } &byteorder=littleendian &length=file_header.SizeOfOptionalHeader+offsetof(optional_header); type IMAGE_FILE_HEADER = record { @@ -54,7 +54,7 @@ type IMAGE_FILE_HEADER = record { Characteristics : uint16; }; -type IMAGE_OPTIONAL_HEADER(len: uint16) = record { +type IMAGE_OPTIONAL_HEADER(len: uint16, number_of_sections: uint16) = record { magic : uint16; major_linker_version : uint8; minor_linker_version : uint8; 
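Review bot: `printf("Processed\n");` in proc_the_file writes to stdout for every parsed PE file and should be dropped along with the other debug output in this series. In pe-file.pac, `IMAGE_OPTIONAL_HEADER(file_header.SizeOfOptionalHeader, file_header.NumberOfSections)` passes a `number_of_sections` parameter that nothing in the visible lines of IMAGE_OPTIONAL_HEADER reads; if it is unused it should be removed, otherwise a comment should say what it is for. `section_headers : IMAGE_SECTIONS(pe_header.file_header.NumberOfSections)` sizes the section table purely from the file's own NumberOfSections, so a comment noting that the value is untrusted and bounded only by its uint16 range would help whoever adds sanity checks later.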
@@ -80,12 +80,13 @@ type IMAGE_OPTIONAL_HEADER(len: uint16) = record { subsystem : uint16; dll_characteristics : uint16; mem: case magic of { - 0x0b01 -> i32 : MEM_INFO32; - 0x0b02 -> i64 : MEM_INFO64; + 267 -> i32 : MEM_INFO32; + 268 -> i64 : MEM_INFO64; default -> InvalidPEFile : empty; }; loader_flags : uint32; number_of_rva_and_sizes : uint32; + rvas : IMAGE_RVAS(number_of_rva_and_sizes); } &byteorder=littleendian &length=len; type MEM_INFO32 = record { @@ -102,6 +103,10 @@ type MEM_INFO64 = record { size_of_heap_commit : uint64; } &byteorder=littleendian &length=32; +type IMAGE_SECTIONS(num: uint16) = record { + sections : IMAGE_SECTION_HEADER[num]; +} &length=num*40; + type IMAGE_SECTION_HEADER = record { name : bytestring &length=8; virtual_size : uint32; @@ -129,6 +134,15 @@ type IMAGE_IMPORT_DIRECTORY = record { rva_import_addr_table : uint32; }; +type IMAGE_RVAS(num: uint32) = record { + rvas : IMAGE_RVA[num]; +} &length=num*8; + +type IMAGE_RVA = record { + virtual_address : uint32; + size : uint32; +} &length=8; + type DATA_SECTIONS = record { blah: uint8; }; \ No newline at end of file From 9f0bc0fdf1f6353e385b98064638e4c1528b0359 Mon Sep 17 00:00:00 2001 
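Review bot: `rvas : IMAGE_RVAS(number_of_rva_and_sizes);` with `&length=num*8` takes the entry count straight from the file as a uint32, so a crafted header can request billions of 8-byte entries and make `num*8` wrap; the PE format defines at most 16 data-directory entries, so the count should be validated or clamped against that maximum before the array is parsed, and the enclosing `&length=len` on IMAGE_OPTIONAL_HEADER should not be the only bound. The magic values `267 -> i32` and `268 -> i64` are correct but opaque in decimal; writing them as `0x10b` and `0x20b` with a comment naming PE32 and PE32+ makes the fix of the previous byte-swapped `0x0b01`/`0x0b02` obvious to the next reader. IMAGE_OPTIONAL_HEADER's earlier fields are outside the hunk.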
From: Robin Sommer Date: Sat, 12 Jul 2014 22:34:46 -0700 Subject: [PATCH 020/711] Starting to implement the proposed PACF API. --- scripts/base/frameworks/pacf/__load__.bro | 3 + scripts/base/frameworks/pacf/main.bro | 477 ++++++++++++++++++ scripts/base/frameworks/pacf/plugin.bro | 91 ++++ .../base/frameworks/pacf/plugins/__load__.bro | 1 + .../base/frameworks/pacf/plugins/debug.bro | 119 +++++ scripts/base/frameworks/pacf/types.bro | 122 +++++ scripts/base/init-bare.bro | 12 + scripts/base/init-default.bro | 1 + src/bro.bif | 13 + 9 files changed, 839 insertions(+) create mode 100644 scripts/base/frameworks/pacf/__load__.bro create mode 100644 scripts/base/frameworks/pacf/main.bro create mode 100644 scripts/base/frameworks/pacf/plugin.bro create mode 100644 scripts/base/frameworks/pacf/plugins/__load__.bro create mode 100644 scripts/base/frameworks/pacf/plugins/debug.bro create mode 100644 scripts/base/frameworks/pacf/types.bro diff --git a/scripts/base/frameworks/pacf/__load__.bro b/scripts/base/frameworks/pacf/__load__.bro new file mode 100644 index 0000000000..e2c97f6959 --- /dev/null +++ b/scripts/base/frameworks/pacf/__load__.bro @@ -0,0 +1,3 @@ +@load ./types +@load ./main +@load ./plugins diff --git a/scripts/base/frameworks/pacf/main.bro b/scripts/base/frameworks/pacf/main.bro new file mode 100644 index 0000000000..0e0d930fce --- /dev/null +++ b/scripts/base/frameworks/pacf/main.bro 
@@ -0,0 +1,477 @@ +##! Bro's packet aquisition and control framework. +##! +##! This plugin-based framework allows to control the traffic that Bro monitors +##! as well as, if having access to the forwarding path, the traffic the network +##! forwards. By default, the framework lets evyerthing through, to both Bro +##! itself as well as on the network. Scripts can then add rules to impose +##! restrictions on entities, such as specific connections or IP addresses. +##! +##! This framework has two API: a high-level and low-level. The high-levem API +##! provides convinience functions for a set of common operations. The +##! low-level API provides full flexibility. + +module Pacf; + +@load ./plugin +@load ./types + +export { + ## The framework's logging stream identifier. + redef enum Log::ID += { LOG }; + + # ### + # ### Generic functions. + # ### + + # Activates a plugin. + # + # plugin: The plugin to acticate. + # + # priority: The higher the priority, the earlier this plugin will be checked + # whether it supports an operation, relative to other plugins. + global activate: function(p: PluginState, priority: int); + + # ### + # ### High-level API. + # ### + + ## Stops all packets involving an IP address from being forwarded. + ## + ## a: The address to be dropped. + ## + ## t: How long to drop it, with 0 being indefinitly. + ## + ## location: An optional string describing where the drop was triggered. + ## + ## Returns: True if a plugin accepted the rule for carrying it out. + global drop_address: function(a: addr, t: interval, location: string &default="") : bool; + + ## Stops forwarding a uni-directional flow's packets to Bro. + ## + ## f: The flow to shunt. + ## + ## t: How long to leave the shunt in place, with 0 being indefinitly. + ## + ## location: An optional string describing where the shunt was triggered. + ## + ## Returns: True if a plugin accepted the rule for carrying it out. 
+ global shunt_flow: function(f: flow_id, t: interval, location: string &default="") : bool; + + ## Removes all rules and notifications for an entity. + ## + ## e: The entity. Note that this will be directly to entities of existing + ## notifications and notifications, which must match exactly field by field. + global reset: function(e: Entity); + + ## Flushes all state. + global clear: function(); + + # ### + # ### Low-level API. + # ### + + ###### Manipulation of rules. + + ## Installs a rule. + ## + ## r: The rule to install. + ## + ## Returns: If succesful, returns an ID string unique to the rule that can later + ## be used to refer to it. If unsuccessful, returns an empty string. The ID is also + ## assigned to ``r$id``. Note that "successful" means "a plugin knew how to handle + ## the rule", it doesn't necessarily mean that it was indeed successfully put in + ## place, because that might happen asynchronously and thus fail only later. + global add_rule: function(r: Rule) : string; + + ## Removes a rule. + ## + ## id: The rule to remove, specified as the ID returned by :bro:id:`add_rule` . + ## + ## Returns: True if succesful, the relevant plugin indicated that ity knew how + ## to handle the removal. Note that again "success" means the plugin accepted the + ## removal. They might still fail to put it into effect, as that might happen + ## asynchronously and thus go wrong at that point. + global remove_rule: function(id: string) : bool; + + ###### Asynchronous feedback on rules. + + ## Confirms that a rule was put in place. + ## + ## r: The rule now in place. + ## + ## plugin: The name of the plugin that put it into place. + ## + ## msg: An optional informational message by the plugin. + global rule_added: event(r: Rule, p: PluginState, msg: string &default=""); + + ## Reports that a rule was removed due to a remove: function() call. + ## + ## r: The rule now removed. + ## + ## plugin: The name of the plugin that had the rule in place and now + ## removed it. 
+ ## + ## msg: An optional informational message by the plugin. + global rule_removed: event(r: Rule, p: PluginState, msg: string &default=""); + + ## Reports that a rule was removed internally due to a timeout. + ## + ## r: The rule now removed. + ## + ## plugin: The name of the plugin that had the rule in place and now + ## removed it. + ## + ## msg: An optional informational message by the plugin. + global rule_timeout: event(r: Rule, p: PluginState); + + ## Reports an error when operating on a rule. + ## + ## r: The rule that encountered an error. + ## + ## plugin: The name of the plugin that reported the error. + ## + ## msg: An optional informational message by the plugin. + global rule_error: event(r: Rule, p: PluginState, msg: string &default=""); + + ## Installs a notification. + ## + ## n: The notification to install. + ## + ## Returns: If succesful, returns an ID string unique to the notification that can later + ## be used to refer to it. If unsuccessful, returns an empty string. The ID is also + ## assigned to ``r$id``. Note that "successful" means "a plugin knew how to handle + ## the notification", it doesn't necessarily mean that it was indeed successfully put in + ## place, because that might happen asynchronously and thus fail only later. + global add_notification: function(n: Notification) : string; + + ## Removes a notification. + ## + ## id: The notification to remove, specified as the ID returned by :bro:id:`add_notification` . + ## + ## Returns: True if succesful, the relevant plugin indicated that ity knew how + ## to handle the removal. Note that again "success" means the plugin accepted the + ## removal. They might still fail to put it into effect, as that might happen + ## asynchronously and thus go wrong at that point. + global remove_notification: function(id: string) : bool; + + ###### Asynchronous feedback on notifications. + + ## Confirms that a notification was put in place. + ## + ## n: The notification now in place. 
+ ## + ## plugin: The name of the plugin that put it into place. + ## + ## msg: An optional informational message by the plugin. + global notification_added: event(n: Notification, p: PluginState, msg: string &default=""); + + ## Reports that a notification was removed due to a remove: function() call. + ## + ## n: The notification now removed. + ## + ## plugin: The name of the plugin that had the notification in place and now + ## removed it. + ## + ## msg: An optional informational message by the plugin. + global notification_removed: event(n: Notification, p: PluginState, msg: string &default=""); + + ## Reports that a notification was removed internally due to a timeout. + ## + ## n: The notification now removed. + ## + ## plugin: The name of the plugin that had the notification in place and now + ## removed it. + ## + ## msg: An optional informational message by the plugin. + global notification_timeout: event(n: Notification, p: PluginState); + + ## Reports an error when operating on a notification. + ## + ## n: The notification that encountered an error. + ## + ## plugin: The name of the plugin that reported the error. + ## + ## msg: An optional informational message by the plugin. + global notification_error: event(n: Notification, p: PluginState, msg: string &default=""); + + ## Type of an entry in the PACF log. + type InfoCategory: enum { + ## A log entry reflecting a framework message. + MESSAGE, + ## A log entry reflecting a framework message. + ERROR, + ## A log entry about about a rule. + RULE, + ## A log entry about about a notification. + NOTIFICATION + }; + + ## State of an entry in the PACF log. + type InfoState: enum { + REQUESTED, + SUCCEEDED, + FAILED, + REMOVED, + TIMEOUT, + }; + + ## The record type which contains column fields of the PACF log. + type Info: record { + ## Time at which the recorded activity occurred. + ts: time &log; + ## Type of the log entry. + category: InfoCategory &log &optional; + ## The command the log entry is about. 
+ cmd: string &log &optional; + ## State the log entry reflects. + state: InfoState &log &optional; + ## String describing an action the entry is about. + action: string &log &optional; + ## The target type of the action. + target: TargetType &log &optional; + ## Type of the entity the log entry is about. + entity_type: string &log &optional; + ## String describing the entity the log entry is about. + entity: string &log &optional; + ## String with an additional message. + msg: string &log &optional; + ## Logcation where the underlying action was triggered. + location: string &log &optional; + ## Plugin triggering the log entry. + plugin: string &log &optional; + }; +} + +redef record Rule += { + ##< Internally set to the plugin handling the rule. + _plugin: PluginState &optional; +}; + +global plugins: vector of PluginState; +global rule_counter: count = 0; +global rules: table[string] of Rule; + +event bro_init() &priority=5 + { + Log::create_stream(Pacf::LOG, [$columns=Info]); + } + +function entity_to_info(info: Info, e: Entity) + { + info$entity_type = fmt("%s", e$ty); + + switch ( e$ty ) { + case ADDRESS, ORIGINATOR, RESPONDER: + info$entity = fmt("%s", e$ip); + break; + + case CONNECTION: + info$entity = fmt("%s/%d<->%s/%d", + e$conn$orig_h, e$conn$orig_p, + e$conn$resp_h, e$conn$resp_p); + break; + + case FLOW: + info$entity = fmt("%s/%d->%s/%d", + e$flow$src_h, e$flow$src_p, + e$flow$dst_h, e$flow$dst_p); + break; + + case MAC: + info$entity = e$mac; + break; + + default: + info$entity = ""; + break; + } + } + +function rule_to_info(info: Info, r: Rule) + { + info$action = fmt("%s", r$ty); + info$target = r$target; + + if ( r?$location ) + info$location = r$location; + + entity_to_info(info, r$entity); + } + +function log_msg(msg: string, p: PluginState) + { + Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p)]); + } + +function log_error(msg: string, p: PluginState) + { + Log::write(LOG, [$ts=network_time(), 
$category=ERROR, $msg=msg, $plugin=p$plugin$name(p)]); + } + +function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState) + { + local info: Info = [$ts=network_time()]; + info$category = RULE; + info$cmd = cmd; + info$state = state; + info$plugin = p$plugin$name(p); + + rule_to_info(info, r); + + Log::write(LOG, info); + } + +function log_rule_error(r: Rule, msg: string, p: PluginState) + { + local info: Info = [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)]; + rule_to_info(info, r); + Log::write(LOG, info); + } + +function log_rule_no_plugin(r: Rule, state: InfoState, msg: string) + { + local info: Info = [$ts=network_time()]; + info$category = RULE; + info$state = state; + info$msg = msg; + + rule_to_info(info, r); + + Log::write(LOG, info); + } + +function activate(p: PluginState, priority: int) + { + p$_priority = priority; + plugins[|plugins|] = p; + sort(plugins, function(p1: PluginState, p2: PluginState) : int { return p2$_priority - p1$_priority; }); + + log_msg(fmt("activated plugin with priority %d", priority), p); + } + +function drop_address(a: addr, t: interval, location: string &default="") : bool + { + local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)]; + local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location]; + + local id = add_rule(r); + return |id| > 0; + } + +function shunt_flow(f: flow_id, t: interval, location: string &default="") : bool + { + local e: Entity = [$ty=FLOW, $flow=f]; + local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location]; + + local id = add_rule(r); + return |id| > 0; + } + +function reset(e: Entity) + { + print "Pacf::reset not implemented yet"; + } + +function clear() + { + print "Pacf::clear not implemented yet"; + } + +function add_rule(r: Rule) : string + { + r$id = fmt("%d", ++rule_counter); + + for ( i in plugins ) + { + local p = plugins[i]; + + if ( p$plugin$add_rule(p, r) ) + { + r$_plugin = p; + log_rule(r, 
"ADD", REQUESTED, p); + return r$id; + } + } + + log_rule_no_plugin(r, FAILED, "not supported"); + } + +function remove_rule(id: string) : bool + { + local r = rules[id]; + local p = r$_plugin; + + if ( ! p$plugin$remove_rule(r$_plugin, r) ) + { + log_rule_error(r, "remove failed", p); + return F; + } + + log_rule(r, "REMOVE", REQUESTED, p); + return T; + } + +event rule_expire(r: Rule, p: PluginState) + { + if ( r$id !in rules ) + # Remove already. + return; + + event rule_timeout(r, p); + remove_rule(r$id); + } + +event rule_added(r: Rule, p: PluginState, msg: string &default="") + { + log_rule(r, "ADD", SUCCEEDED, p); + + rules[r$id] = r; + + if ( r?$expire && ! p$plugin$can_expire ) + schedule r$expire { rule_expire(r, p) }; + } + +event rule_removed(r: Rule, p: PluginState, msg: string &default="") + { + delete rules[r$id]; + log_rule(r, "REMOVE", SUCCEEDED, p); + } + +event rule_timeout(r: Rule, p: PluginState) + { + delete rules[r$id]; + log_rule(r, "EXPIRE", TIMEOUT, p); + } + +event rule_error(r: Rule, p: PluginState, msg: string &default="") + { + log_rule_error(r, msg, p); + } + +function add_notification(n: Notification) : string + { + print "Pacf::add_notification not implemented yet"; + } + +function remove_notification(id: string) : bool + { + print "Pacf::remove_notification not implemented yet"; + } + +event notification_added(n: Notification, p: PluginState, msg: string &default="") + { + } + +event notification_removed(n: Notification, p: PluginState, msg: string &default="") + { + } + +event notification_timeout(n: Notification, p: PluginState) + { + } + +event notification_error(n: Notification, p: PluginState, msg: string &default="") + { + } + + diff --git a/scripts/base/frameworks/pacf/plugin.bro b/scripts/base/frameworks/pacf/plugin.bro new file mode 100644 index 0000000000..944705605f --- /dev/null +++ b/scripts/base/frameworks/pacf/plugin.bro 
@@ -0,0 +1,91 @@ + +module Pacf; + +@load ./types + +export { + ## State for a plugin instance. + type PluginState: record { + ## Table for a plugin to store custom, instance-specfific state. + config: table[string] of string &default=table(); + + ## Set internally. + _priority: int &default=+0; + }; + + # Definitioan of a plugin. + # + # Generally a plugin needs to implement only what it can support. By + # returning failure, it indicates that it can't support something and the + # the framework will then try another plugin, if available; or informn the + # that the operation failed. If a function isn't implemented by a plugin, + # that's considered an implicit failure to support the operation. + # + # If plugin accepts a rule operation, it *must* generate one of the reporting + # events ``rule_{added,remove,error}`` to signal if it indeed worked out; + # this is separate from accepting the operation because often a plugin + # will only know later (i.e., asynchrously) if that was an error for + # something it thought it could handle. The same applies to notifications, + # with the corresponding ``notification_*`` events. + type Plugin: record { + # Returns a descriptive name of the plugin instance, suitable for use in logging + # messages. Note that this function is not optional. + name: function(state: PluginState) : string; + + ## If true, plugin can expire rules/notifications itself. If false, + ## framework will manage rule expiration. + can_expire: bool; + + # One-time initialization functionl called when plugin gets registered, and + # befire any ther methods are called. + init: function(state: PluginState) &optional; + + # One-time finalization function called when a plugin is shutdown; no further + # functions will be called afterwords. + done: function(state: PluginState) &optional; + + # Implements the add_rule() operation. If the plugin accepts the rule, + # it returns true, false otherwise. 
The rule will already have its + # ``id`` field set, which the plugin may use for identification + # purposes. + add_rule: function(state: PluginState, r: Rule) : bool &optional; + + # Implements the remove_rule() operation. This will only be called for + # rules that the plugins has previously accepted with add_rule(). The + # ``id`` field will match that of the add_rule() call. Generally, + # a plugin that accepts an add_rule() should also accept the + # remove_rule(). + remove_rule: function(state: PluginState, r: Rule) : bool &optional; + + # Implements the add_notification() operation. If the plugin accepts the notification, + # it returns true, false otherwise. The notification will already have its + # ``id`` field set, which the plugin may use for identification + # purposes. + add_notification: function(state: PluginState, r: Notification) : bool &optional; + + # Implements the remove_notification() operation. This will only be called for + # notifications that the plugins has previously accepted with add_notification(). + # The ``id`` field will match that of the add_notification() call. Generally, + # a plugin that accepts an add_notification() should also accept the + # remove_notification(). + remove_notification: function(state: PluginState, r: Notification) : bool &optional; + + # A transaction groups a number of operations. The plugin can add them internally + # and postpone putting them into effect until committed. This allows to build a + # configuration of multiple rules at once, including replaying a previous state. + transaction_begin: function(state: PluginState) &optional; + transaction_end: function(state: PluginState) &optional; + }; + + # Table for a plugin to store instance-specific configuration information. + # + # Note, it would be nicer to pass the Plugin instance to all the below, instead + # of this state table. However Bro's type resolver has trouble with refering to a + # record type from inside itself. 
+ redef record PluginState += {
+ ## The plugin that the state belongs to. (Defined separately
+ ## because of cyclic type dependency.)
+ plugin: Plugin &optional;
+ };
+
+}
diff --git a/scripts/base/frameworks/pacf/plugins/__load__.bro b/scripts/base/frameworks/pacf/plugins/__load__.bro
new file mode 100644
index 0000000000..0b76aa2b74
--- /dev/null
+++ b/scripts/base/frameworks/pacf/plugins/__load__.bro
@@ -0,0 +1 @@
+@load ./debug
diff --git a/scripts/base/frameworks/pacf/plugins/debug.bro b/scripts/base/frameworks/pacf/plugins/debug.bro
new file mode 100644
index 0000000000..09fb87ef3f
--- /dev/null
+++ b/scripts/base/frameworks/pacf/plugins/debug.bro
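Review bot: The field comments inside the `Plugin` record use a single `#` rather than the `##` documentation marker, so the descriptions of `name`, `init`, `done`, `add_rule`, `remove_rule`, `add_notification`, `remove_notification` and the two transaction hooks will not be picked up by the generated docs, while `PluginState` and `can_expire` in the same hunk use `##`; the record-level comment starting `# Definitioan of a plugin.` has the same problem. While converting them, fix the typos in that block: `Definitioan`, `specfific`, `informn`, `asynchrously`, `functionl`, `befire any ther`, `afterwords`, and `rule_{added,remove,error}` should match the event names actually defined in main.bro (`rule_removed`). The sentence `or informn the that the operation failed` is also missing its object, presumably `the caller`.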
@@ -0,0 +1,119 @@ + +@load ../plugin + +module Pacf; + +export { + ## Instantiates a debug plugin for the PACF framework. The debug + ## plugin simply logs the operations it receives. + ## + ## do_something: If true, the plugin will claim it supports all operations; if + ## false, it will indicate it doesn't support any. + global create_debug: function(do_something: bool) : PluginState; +} + +function do_something(p: PluginState) : bool + { + return p$config["all"] == "1"; + } + +function debug_name(p: PluginState) : string + { + return fmt("Debug-%s", (do_something(p) ? "All" : "None")); + } + +function debug_log(p: PluginState, msg: string) + { + print fmt("pacf debug (%s): %s", debug_name(p), msg); + } + +function debug_init(p: PluginState) + { + debug_log(p, "init"); + } + +function debug_done(p: PluginState) + { + debug_log(p, "init"); + } + +function debug_add_rule(p: PluginState, r: Rule) : bool + { + local s = fmt("add_rule: %s", r); + debug_log(p, s); + + if ( do_something(p) ) + { + event Pacf::rule_added(r, p); + return T; + } + + return F; + } + +function debug_remove_rule(p: PluginState, r: Rule) : bool + { + local s = fmt("remove_rule: %s", r); + debug_log(p, s); + + event Pacf::rule_removed(r, p); + return T; + } + +function debug_add_notification(p: PluginState, r: Notification) : bool + { + local s = fmt("add_notification: %s", r); + debug_log(p, s); + + if ( do_something(p) ) + { + event Pacf::notification_added(r, p); + return T; + } + + return F; + } + +function debug_remove_notification(p: PluginState, r: Notification) : bool + { + local s = fmt("remove_notification: %s", r); + debug_log(p, s); + + return do_something(p); + } + +function debug_transaction_begin(p: PluginState) + { + debug_log(p, "transaction_begin"); + } + +function debug_transaction_end(p: PluginState) + { + debug_log(p, "transaction_end"); + } + +global debug_plugin = Plugin( + $name=debug_name, + $can_expire = F, + $init = debug_init, + $done = debug_done, + $add_rule = 
debug_add_rule, + $remove_rule = debug_remove_rule, + $add_notification = debug_add_notification, + $remove_notification = debug_remove_notification, + $transaction_begin = debug_transaction_begin, + $transaction_end = debug_transaction_end + ); + +function create_debug(do_something: bool) : PluginState + { + local p: PluginState = [$plugin=debug_plugin]; + + # FIXME: Why's the default not working? + p$config = table(); + p$config["all"] = (do_something ? "1" : "0"); + + return p; + } + + diff --git a/scripts/base/frameworks/pacf/types.bro b/scripts/base/frameworks/pacf/types.bro new file mode 100644 index 0000000000..8e3a3b999d --- /dev/null +++ b/scripts/base/frameworks/pacf/types.bro 
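Review bot: `debug_done` logs the string `"init"` instead of `"done"`, so the debug output cannot distinguish plugin initialization from shutdown; the line should read `debug_log(p, "done");`. Separately, `debug_remove_notification` returns `do_something(p)` without raising `Pacf::notification_removed`, whereas `debug_remove_rule` raises `Pacf::rule_removed` before returning; given plugin.bro's stated contract that an accepted operation must be followed by a reporting event, the notification path looks incomplete, though this may be deliberate while `add_notification`/`remove_notification` in main.bro are still stubs. The `# FIXME: Why's the default not working?` left in `create_debug` should either be resolved or explain the workaround (`p$config = table();`) so the next reader knows whether it is still needed.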
@@ -0,0 +1,122 @@ + +module Pacf; + +export { + ## Type of a :bro:id:`Entity` for defining an action. + type EntityType: enum { + ADDRESS, ##< Activity involving a specific IP address. + ORIGINATOR, ##< Activity *from* a source IP address. + RESPONDER, ##< Activity *to* a destination IP address. + CONNECTION, ##< All of a bi-directional connection's activity. + FLOW, ##< All of a uni-directional flow's activity. + MAC, ##< Activity involving a MAC address. + }; + + ## Type defining the enity an :bro:id:`Rule` is operating on. + type Entity: record { + ty: EntityType; ##< Type of entity. + conn: conn_id &optional; ##< Used with :bro:id:`CONNECTION` . + flow: flow_id &optional; ##< Used with :bro:id:`FLOW` . + ip: subnet &optional; ##< Used with :bro:id:`ORIGINATOR`/:bro:id:`RESPONDER`/:bro:id:`ADDRESS`; can specifiy a CIDR subnet. + mac: string &optional; ##< Used with :bro:id:`MAC` . + }; + + ## Target of :bro:id:`Rule` action. + type TargetType: enum { + FORWARD, #< Apply rule actively to traffic on forwarding path. + MONITOR, #< Apply rule passively to traffic sent to Bro for monitoring. + }; + + ## Type of rules that the framework supports. Each type lists the + ## :bro:id:`Rule` argument(s) it uses, if any. + ## + ## Plugins may extend this type to define their own. + type RuleType: enum { + ## Stop forwarding all packets matching entity. + ## + ## No arguments. + DROP, + + ## Begin rate-limiting flows matching entity. + ## + ## d: Percent of available bandwidth. + LIMIT, + + ## Begin modifying all packets matching entity. + ## + ## .. todo:: + ## Define arguments. + MODIFY, + + ## Begin redirecting all packets matching entity. + ## + ## .. todo:: + ## Define arguments. + REDIRECT, + + ## Begin sampling all flows matching entity. + ## + ## d: Probability to include a flow between 0 and 1. + SAMPLE, + + ## Whitelists all packets of an entity, meaning no restrictions will be applied. 
+ ## While whitelisting is the default if no rule matches an this can type can be + ## used to override lower-priority rules that would otherwise take effect for the + ## entity. + WHITELIST, + }; + + ## A rule for the framework to put in place. Of all rules currently in + ## place, the first match will be taken, sorted by priority. All + ## further riles will be ignored. + type Rule: record { + ty: RuleType; ##< Type of rule. + target: TargetType; ##< Where to apply rule. + entity: Entity; ##< Entity to apply rule to. + expire: interval &optional; ##< Timeout after which to expire the rule. + priority: int &default=+0; ##< Priority if multiple rules match an entity (larger value is higher priority). + location: string &optional; ##< Optional string describing where/what installed the rule. + + i: int &optional; ##< Argument for rule types requiring an integer argument. + d: double &optional; ##< Argument for rule types requiring a double argument. + s: string &optional; ##< Argument for rule types requiring a string argument. + + id: string &default=""; ##< Internally determined unique ID for this rule. Will be set when added. + }; + + ## Type of notifications that the framework supports. Each type lists the + ## :bro:id:`Notification` argument(s) it uses, if any. + ## + ## Plugins may extend this type to define their own. + type NotificationType: enum { + ## Notify if threshold of packets has been reached by entity. + ## + ## i: Number of packets. + NUM_PACKETS, + + ## Notify if threshold of bytes has been reached by entity. + ## + ## i: Number of bytes. + NUM_BYTES, + }; + + ## A notification for the framework to raise when a condition has been reached. + ## Different than with rules, all matching conditions will be reported, not only + ## the first match. + type Notification: record { + ty: NotificationType; ##< Type of notification. + entity: Entity; ##< Entity to apply notification to. 
+ expire: interval &optional; ##< Timeout after which to expire the notification. + src: string &optional; ##< Optional string describing where/what installed the notification. + + i: int; ##< Argument for notification types requiring an integer argument. + d: double; ##< Argument for notification types requiring a double argument. + s: string; ##< Argument for notification types requiring a string argument. + + id: string &default=""; ##< Internally determined unique ID for this notification. Will be set when added. + }; +} + + + + diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 65d15dc2cf..a173277f56 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -113,6 +113,18 @@ type conn_id: record { resp_p: port; ##< The responder's port number. } &log; +## The identifying 4-tuple of a uni-directional flow. +## +## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as +## part of the port values, `src_p` and `dst_p`, and can be extracted from +## them with :bro:id:`get_port_transport_proto`. +type flow_id : record { + src_h: addr; ##< The source IP address. + src_p: port; ##< The source port number. + dst_h: addr; ##< The destination IP address. + dst_p: port; ##< The desintation port number. +}; + ## Specifics about an ICMP conversation. ICMP events typically pass this in ## addition to :bro:type:`conn_id`. ## diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 610d205618..d999411944 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -37,6 +37,7 @@ @load base/frameworks/reporter @load base/frameworks/sumstats @load base/frameworks/tunnels +@load base/frameworks/pacf @load base/protocols/conn @load base/protocols/dhcp diff --git a/src/bro.bif b/src/bro.bif index 1029896295..fae364b331 100644 --- a/src/bro.bif +++ b/src/bro.bif 
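Review bot: `Notification` declares `i`, `d` and `s` as mandatory fields while `Rule` declares the same argument slots `&optional`, and `Notification` names its description field `src` where `Rule` calls it `location`; since the `NotificationType` doc says each type lists the argument(s) it uses "if any", the three argument fields should presumably be `i: int &optional;`, `d: double &optional;`, `s: string &optional;` here too, and the naming aligned with `Rule`. The two `TargetType` enum values are annotated with `#<` rather than `##<`, so their descriptions will be dropped from generated docs. Typos in the comments: `enity`, `specifiy`, `riles`, and the `WHITELIST` sentence `if no rule matches an this can type can be used` needs rewording.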
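Review bot: The `flow_id` doc comment for `dst_p` misspells destination: `dst_p: port; ##< The destination port number.` The record otherwise mirrors `conn_id` but does not carry the `&log` attribute that `conn_id` has in the context line above; that may be intentional since nothing in this commit logs a `flow_id` directly, but a one-line comment stating so would prevent a later `&log` field of this type from failing unexpectedly.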
@@ -2343,6 +2343,19 @@ function to_subnet%(sn: string%): subnet
 return ret;
 %}
 
+## Converts a :bro:type:`addr` to a :bro:type:`subnet`.
+##
+## a: The address to convert.
+##
+## Returns: The *sn* string as a :bro:type:`subnet`.
+##
+## .. bro:see:: to_subset
+function addr_to_subnet%(a: addr%): subnet
+ %{
+ int width = (a->AsAddr().GetFamily() == IPv4 ? 32 : 128);
+ return new SubNetVal(a->AsAddr(), width);
+ %}
+
 ## Converts a :bro:type:`string` to a :bro:type:`double`.
 ##
 ## str: The :bro:type:`string` to convert.

From ca55d203cbe5460a77c84501e35acb5da698983d Mon Sep 17 00:00:00 2001
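Review bot: The docstring of `addr_to_subnet` was carried over from `to_subnet` and does not describe this function: the Returns line refers to a *sn* string that does not exist here, and the see-also points at `to_subset`. Suggested wording: `## Returns: The address *a* as a :bro:type:`subnet` with a /32 (IPv4) or /128 (IPv6) prefix.` and `## .. bro:see:: to_subnet`. The prefix-length choice driven by `GetFamily()` is the only logic in the body and is what the doc should state.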
From: Vlad Grigorescu Date: Thu, 24 Jul 2014 16:01:58 -0400 Subject: [PATCH 021/711] Kerberos analyzer --- scripts/base/init-bare.bro | 152 +++++++ scripts/base/init-default.bro | 1 + scripts/base/protocols/krb/__load__.bro | 2 + scripts/base/protocols/krb/consts.bro | 76 ++++ scripts/base/protocols/krb/dpd.sig | 5 + scripts/base/protocols/krb/main.bro | 190 +++++++++ src/analyzer/protocol/krb/CMakeLists.txt | 11 + src/analyzer/protocol/krb/KRB.cc | 37 ++ src/analyzer/protocol/krb/KRB.h | 28 ++ src/analyzer/protocol/krb/Plugin.cc | 11 + src/analyzer/protocol/krb/events.bif | 39 ++ src/analyzer/protocol/krb/krb-analyzer.pac | 456 +++++++++++++++++++++ src/analyzer/protocol/krb/krb-asn1.pac | 52 +++ src/analyzer/protocol/krb/krb-protocol.pac | 343 ++++++++++++++++ src/analyzer/protocol/krb/krb.pac | 15 + src/analyzer/protocol/krb/types.bif | 14 + 16 files changed, 1432 insertions(+) create mode 100644 scripts/base/protocols/krb/__load__.bro create mode 100644 scripts/base/protocols/krb/consts.bro create mode 100644 scripts/base/protocols/krb/dpd.sig create mode 100644 scripts/base/protocols/krb/main.bro create mode 100644 src/analyzer/protocol/krb/CMakeLists.txt create mode 100644 src/analyzer/protocol/krb/KRB.cc create mode 100644 src/analyzer/protocol/krb/KRB.h create mode 100644 src/analyzer/protocol/krb/Plugin.cc create mode 100644 src/analyzer/protocol/krb/events.bif create mode 100644 src/analyzer/protocol/krb/krb-analyzer.pac create mode 100644 src/analyzer/protocol/krb/krb-asn1.pac create mode 100644 src/analyzer/protocol/krb/krb-protocol.pac create mode 100644 src/analyzer/protocol/krb/krb.pac create mode 100644 src/analyzer/protocol/krb/types.bif diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 65d15dc2cf..309d0aafd4 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -2971,6 +2971,158 @@ export { }; } +@load base/bif/plugins/Bro_KRB.types.bif + +module KRB; +export { + ## The data from the ERROR_MSG message. See :rfc:`4120`. + type KRB::Error_Msg: record { + ## Protocol version number (5 for KRB5) + pvno: count; + ## The message type (30 for ERROR_MSG) + msg_type: count; + ## Current time on the client + client_time: time &optional; + ## Current time on the server + server_time: time; + ## The specific error code + error_code: count; + ## Realm of the ticket + client_realm: string &optional; + ## Name on the ticket + client_name: string &optional; + ## Realm of the service + service_realm: string; + ## Name of the service + service_name: string; + ## Additional text to explain the error + error_text: string &optional; + }; + + + ## KDC Options. See :rfc:`4120` + type KRB::KDC_Options: record { + ## The ticket to be issued should have its forwardable flag set. + forwardable : bool; + ## A (TGT) request for forwarding. + forwarded : bool; + ## The ticket to be issued should have its proxiable flag set. + proxiable : bool; + ## A request for a proxy. + proxy : bool; + ## The ticket to be issued should have its may-postdate flag set. + allow_postdate : bool; + ## A request for a postdated ticket. + postdated : bool; + ## The ticket to be issued should have its renewable flag set. + renewable : bool; + ## Reserved for opt_hardware_auth + opt_hardware_auth : bool; + ## Request that the KDC not check the transited field of a TGT against + ## the policy of the local realm before it will issue derivative tickets + ## based on the TGT. + disable_transited_check : bool; + ## If a ticket with the requested lifetime cannot be issued, a renewable + ## ticket is acceptable + renewable_ok : bool; + ## The ticket for the end server is to be encrypted in the session key + ## from the additional TGT provided + enc_tkt_in_skey : bool; + ## The request is for a renewal + renew : bool; + ## The request ist to validate a postdated ticket. 
+ validate : bool; + }; + + ## Used in a few places in the Kerberos analyzer for elements + ## that have a type and a string value. + type KRB::Type_Value: record { + ## The data type + data_type : count; + ## The data value + val : string; + }; + + type KRB::Type_Value_Vector: vector of KRB::Type_Value; + + ## A Kerberos ticket. See :rfc:`4120`. + type KRB::Ticket: record { + ## Protocol version number (5 for KRB5) + pvno : count; + ## Realm + realm : string; + ## Name of the service + service_name: string; + ## Cipher the ticket was encrypted with + cipher : count; + }; + + type KRB::Ticket_Vector: vector of KRB::Ticket; + + ## A Kerberos host address See :rfc:`4120`. + type KRB::Host_Address: record { + ## IPv4 or IPv6 address + ip : addr &optional; + ## NetBIOS address + netbios : string &optional; + ## Some other type that we don't support yet + unknown : KRB::Type_Value &optional; + }; + + type KRB::Host_Address_Vector: vector of KRB::Host_Address; + + ## The data from the AS_REQ and TGS_REQ messages. See :rfc:`4120`. 
+ type KRB::KDC_Request: record { + ## Protocol version number (5 for KRB5) + pvno : count; + ## The message type (10 for AS_REQ, 12 for TGS_REQ) + msg_type : count; + ## Optional pre-authentication data + pa_data : vector of KRB::Type_Value &optional; + ## Options specified in the request + kdc_options : KRB::KDC_Options; + ## Name on the ticket + client_name : string &optional; + + ## Realm of the service + service_realm : string; + ## Name of the service + service_name : string &optional; + ## Time the ticket is good from + from : time &optional; + ## Time the ticket is good till + till : time; + ## The requested renew-till time + rtime : time &optional; + + ## A random nonce generated by the client + nonce : count; + ## The desired encryption algorithms, in order of preference + encryption_types : vector of count; + ## Any additional addresses the ticket should be valid for + host_addrs : vector of KRB::Host_Address &optional; + ## Additional tickets may be included for certain transactions + additional_tickets : vector of KRB::Ticket &optional; + }; + + ## The data from the AS_REQ and TGS_REQ messages. See :rfc:`4120`. + type KRB::KDC_Reply: record { + ## Protocol version number (5 for KRB5) + pvno : count; + ## The message type (11 for AS_REP, 13 for TGS_REP) + msg_type : count; + ## Optional pre-authentication data + pa_data : vector of KRB::Type_Value &optional; + ## Realm on the ticket + client_realm : string &optional; + ## Name on the service + client_name : string; + + ## The ticket that was issued + ticket : KRB::Ticket; + }; +} + module GLOBAL; @load base/bif/event.bif diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 610d205618..f439eae4d4 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -45,6 +45,7 @@ @load base/protocols/ftp @load base/protocols/http @load base/protocols/irc +@load base/protocols/krb @load base/protocols/modbus @load base/protocols/pop3 @load base/protocols/radius 
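Review bot: The doc comment on `KRB::KDC_Reply` says `The data from the AS_REQ and TGS_REQ messages`, copied from `KDC_Request`; per the `msg_type` comment directly below it, it should read `## The data from the AS_REP and TGS_REP messages. See :rfc:`4120`.` In the same record `client_name` is described as `Name on the service`, which looks like it should be `Name on the ticket` as in `Error_Msg`. `KDC_Options.validate` has the typo `The request ist to validate`. Note also that `Error_Msg.client_time` is `&optional` while `server_time` is mandatory, and `KDC_Reply.client_realm` is `&optional` while `client_name` is not; if that asymmetry reflects what the analyzer always fills in, a short comment saying so would help script authors decide which fields need `?$` guards.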
diff --git a/scripts/base/protocols/krb/__load__.bro b/scripts/base/protocols/krb/__load__.bro
new file mode 100644
index 0000000000..9cfbb7a4c4
--- /dev/null
+++ b/scripts/base/protocols/krb/__load__.bro
@@ -0,0 +1,2 @@
+@load ./main
+@load-sigs ./dpd.sig
\ No newline at end of file
diff --git a/scripts/base/protocols/krb/consts.bro b/scripts/base/protocols/krb/consts.bro
new file mode 100644
index 0000000000..b4b60412c8
--- /dev/null
+++ b/scripts/base/protocols/krb/consts.bro
@@ -0,0 +1,76 @@ +module KRB; + +export { + + const error_msg: table[count] of string = { + [0] = "KDC_ERR_NONE", + [1] = "KDC_ERR_NAME_EXP", + [2] = "KDC_ERR_SERVICE_EXP", + [3] = "KDC_ERR_BAD_PVNO", + [4] = "KDC_ERR_C_OLD_MAST_KVNO", + [5] = "KDC_ERR_S_OLD_MAST_KVNO", + [6] = "KDC_ERR_C_PRINCIPAL_UNKNOWN", + [7] = "KDC_ERR_S_PRINCIPAL_UNKNOWN", + [8] = "KDC_ERR_PRINCIPAL_NOT_UNIQUE", + [9] = "KDC_ERR_NULL_KEY", + [10] = "KDC_ERR_CANNOT_POSTDATE", + [11] = "KDC_ERR_NEVER_VALID", + [12] = "KDC_ERR_POLICY", + [13] = "KDC_ERR_BADOPTION", + [14] = "KDC_ERR_ETYPE_NOSUPP", + [15] = "KDC_ERR_SUMTYPE_NOSUPP", + [16] = "KDC_ERR_PADATA_TYPE_NOSUPP", + [17] = "KDC_ERR_TRTYPE_NOSUPP", + [18] = "KDC_ERR_CLIENT_REVOKED", + [19] = "KDC_ERR_SERVICE_REVOKED", + [20] = "KDC_ERR_TGT_REVOKED", + [21] = "KDC_ERR_CLIENT_NOTYET", + [22] = "KDC_ERR_SERVICE_NOTYET", + [23] = "KDC_ERR_KEY_EXPIRED", + [24] = "KDC_ERR_PREAUTH_FAILED", + [25] = "KDC_ERR_PREAUTH_REQUIRED", + [26] = "KDC_ERR_SERVER_NOMATCH", + [27] = "KDC_ERR_MUST_USE_USER2USER", + [28] = "KDC_ERR_PATH_NOT_ACCEPTED", + [29] = "KDC_ERR_SVC_UNAVAILABLE", + [31] = "KRB_AP_ERR_BAD_INTEGRITY", + [32] = "KRB_AP_ERR_TKT_EXPIRED", + [33] = "KRB_AP_ERR_TKT_NYV", + [34] = "KRB_AP_ERR_REPEAT", + [35] = "KRB_AP_ERR_NOT_US", + [36] = "KRB_AP_ERR_BADMATCH", + [37] = "KRB_AP_ERR_SKEW", + [38] = "KRB_AP_ERR_BADADDR", + [39] = "KRB_AP_ERR_BADVERSION", + [40] = "KRB_AP_ERR_MSG_TYPE", + [41] = "KRB_AP_ERR_MODIFIED", + [42] = "KRB_AP_ERR_BADORDER", + [44] = "KRB_AP_ERR_BADKEYVER", + [45] = "KRB_AP_ERR_NOKEY", + [46] = "KRB_AP_ERR_MUT_FAIL", + [47] = "KRB_AP_ERR_BADDIRECTION", + [48] = "KRB_AP_ERR_METHOD", + [49] = "KRB_AP_ERR_BADSEQ", + [50] = "KRB_AP_ERR_INAPP_CKSUM", + [51] = "KRB_AP_PATH_NOT_ACCEPTED", + [52] = "KRB_ERR_RESPONSE_TOO_BIG", + [60] = "KRB_ERR_GENERIC", + [61] = "KRB_ERR_FIELD_TOOLONG", + [62] = "KDC_ERROR_CLIENT_NOT_TRUSTED", + [63] = "KDC_ERROR_KDC_NOT_TRUSTED", + [64] = "KDC_ERROR_INVALID_SIG", + [65] = "KDC_ERR_KEY_TOO_WEAK", + 
[66] = "KDC_ERR_CERTIFICATE_MISMATCH", + [67] = "KRB_AP_ERR_NO_TGT", + [68] = "KDC_ERR_WRONG_REALM", + [69] = "KRB_AP_ERR_USER_TO_USER_REQUIRED", + [70] = "KDC_ERR_CANT_VERIFY_CERTIFICATE", + [71] = "KDC_ERR_INVALID_CERTIFICATE", + [72] = "KDC_ERR_REVOKED_CERTIFICATE", + [73] = "KDC_ERR_REVOCATION_STATUS_UNKNOWN", + [74] = "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE", + [75] = "KDC_ERR_CLIENT_NAME_MISMATCH", + [76] = "KDC_ERR_KDC_NAME_MISMATCH", + }; + +} diff --git a/scripts/base/protocols/krb/dpd.sig b/scripts/base/protocols/krb/dpd.sig new file mode 100644 index 0000000000..d928f38b81 --- /dev/null +++ b/scripts/base/protocols/krb/dpd.sig @@ -0,0 +1,5 @@ +signature dpd_krb { + ip-proto == udp + payload /\x6c...\x30...\xa1\x03\x02\x05/ + enable "krb" +} diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro new file mode 100644 index 0000000000..97c324e758 --- /dev/null +++ b/scripts/base/protocols/krb/main.bro 
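Review bot: The `dpd_krb` payload pattern begins with `\x6c`, which is the DER tag for [APPLICATION 12] (TGS-REQ); an AS-REQ is [APPLICATION 10], tag `\x6a`, so the signature will not enable the analyzer on a connection whose first message is an AS-REQ on a non-standard port. The three wildcard bytes after each tag also assume a two-byte long-form length, so a short message with a one-byte length would not match either (hedged: whether real KDC traffic ever uses the short form is not established by this hunk). Consider `payload /[\x6a\x6c]...\x30...\xa1\x03\x02\x05/` and a comment recording the assumed ASN.1 layout; since `main.bro` registers 88/udp explicitly, this only affects DPD on other ports.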
@@ -0,0 +1,190 @@ +##! Implements base functionality for KRB analysis. Generates the krb.log file. + +module KRB; + +@load ./consts + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + ## Timestamp for when the event happened. + ts: time &log; + ## Unique ID for the connection. + uid: string &log; + ## The connection's 4-tuple of endpoint addresses/ports. + id: conn_id &log; + ## Client + client: string &log &optional; + ## Service + service:string &log; + ## Ticket valid from + from: time &log &optional; + ## Ticket valid till + till: time &log &optional; + ## Result + result: string &log &default="unknown"; + ## Error code + error_code: count &log &optional; + ## Error message + error_msg: string &log &optional; + ## We've already logged this + logged: bool &default=F; + }; + + ## Event that can be handled to access the KRB record as it is sent on + ## to the loggin framework. + global log_krb: event(rec: Info); +} + +redef record connection += { + krb: Info &optional; +}; + +const ports = { 88/udp }; + +event bro_init() &priority=5 + { + Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb]); + Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, ports); + } + +event krb_error(c: connection, msg: Error_Msg) + { + local info: Info; + + if ( c?$krb && c$krb$logged ) + return; + + if ( c?$krb ) + info = c$krb; + + if ( ! info?$ts ) + { + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + } + + if ( ! info?$client ) + if ( msg?$client_name || msg?$client_realm ) + info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "", + msg?$client_realm ? 
msg$client_realm : ""); + + info$service = msg$service_name; + info$result = "failed"; + + info$error_code = msg$error_code; + + if ( msg?$error_text ) + info$error_msg = msg$error_text; + else + { + if ( msg$error_code in error_msg ) + info$error_msg = error_msg[msg$error_code]; + } + + Log::write(KRB::LOG, info); + info$logged = T; + + c$krb = info; + } + +event krb_as_req(c: connection, msg: KDC_Request) + { + if ( c?$krb && c$krb$logged ) + return; + + local info: Info; + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + info$client = fmt("%s/%s", msg$client_name, msg$service_realm); + info$service = msg$service_name; + if ( msg?$from ) + info$from = msg$from; + info$till = msg$till; + + c$krb = info; + } + +event krb_tgs_req(c: connection, msg: KDC_Request) + { + if ( c?$krb && c$krb$logged ) + return; + + local info: Info; + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + info$service = msg$service_name; + if ( msg?$from ) + info$from = msg$from; + info$till = msg$till; + + c$krb = info; + } + +event krb_as_rep(c: connection, msg: KDC_Reply) + { + local info: Info; + + if ( c?$krb && c$krb$logged ) + return; + + if ( c?$krb ) + info = c$krb; + + if ( ! info?$ts ) + { + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + } + + if ( ! info?$client ) + info$client = fmt("%s/%s", msg$client_name, msg$client_realm); + + info$service = msg$ticket$service_name; + info$result = "success"; + + Log::write(KRB::LOG, info); + info$logged = T; + + c$krb = info; + } + +event krb_tgs_rep(c: connection, msg: KDC_Reply) + { + local info: Info; + + if ( c?$krb && c$krb$logged ) + return; + + if ( c?$krb ) + info = c$krb; + + if ( ! info?$ts ) + { + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + } + + if ( ! 
info?$client )
+ info$client = fmt("%s/%s", msg$client_name, msg$client_realm);
+
+ info$service = msg$ticket$service_name;
+ info$result = "success";
+
+ Log::write(KRB::LOG, info);
+ info$logged = T;
+
+ c$krb = info;
+ }
+
+event connection_state_remove(c: connection)
+ {
+ if ( c?$krb && ! c$krb$logged )
+ Log::write(KRB::LOG, c$krb);
+ }
\ No newline at end of file
diff --git a/src/analyzer/protocol/krb/CMakeLists.txt b/src/analyzer/protocol/krb/CMakeLists.txt
new file mode 100644
index 0000000000..468364e5d5
--- /dev/null
+++ b/src/analyzer/protocol/krb/CMakeLists.txt
@@ -0,0 +1,11 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro KRB)
+bro_plugin_cc(KRB.cc Plugin.cc)
+bro_plugin_bif(types.bif)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(krb.pac krb-protocol.pac krb-analyzer.pac)
+bro_plugin_end()
diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc
new file mode 100644
index 0000000000..e9f91d04db
--- /dev/null
+++ b/src/analyzer/protocol/krb/KRB.cc
@@ -0,0 +1,37 @@
+#include "KRB.h"
+
+#include "types.bif.h"
+#include "events.bif.h"
+
+using namespace analyzer::krb;
+
+KRB_Analyzer::KRB_Analyzer(Connection* conn)
+: Analyzer("KRB", conn)
+ {
+ interp = new binpac::KRB::KRB_Conn(this);
+ }
+
+KRB_Analyzer::~KRB_Analyzer()
+ {
+ delete interp;
+ }
+
+void KRB_Analyzer::Done()
+ {
+ Analyzer::Done();
+ }
+
+void KRB_Analyzer::DeliverPacket(int len, const u_char* data,
+ bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
+ {
+ Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ printf(fmt("Binpac exception: %s\n", e.c_msg()));
+ }
+ }
+
diff --git a/src/analyzer/protocol/krb/KRB.h b/src/analyzer/protocol/krb/KRB.h
new file mode 100644
index 0000000000..905ee43837
--- /dev/null
+++ b/src/analyzer/protocol/krb/KRB.h
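Review bot: `krb_as_req` reads `msg$client_name` and `msg$service_name` unconditionally (`info$client = fmt("%s/%s", msg$client_name, msg$service_realm);` and `info$service = msg$service_name;`), yet both fields are declared `&optional` in `KRB::KDC_Request` in this commit's init-bare hunk; accessing an absent optional field raises a script runtime error that aborts the handler, so a request lacking either field leaves `c$krb` unset and the connection unlogged. The same applies to `msg$client_realm` in `krb_as_rep` and `krb_tgs_rep` (`&optional` in `KDC_Reply`) and to `msg$service_name` in `krb_tgs_req`; `krb_error` already shows the intended pattern with its `msg?$client_name` / `msg?$client_realm` guards. Guard each access, e.g. `if ( msg?$service_name ) info$service = msg$service_name;`, or make `Info$service` `&optional` since it cannot always be known. The `log_krb` doc has the typo `loggin framework`.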
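Review bot: In `KRB_Analyzer::DeliverPacket`, the `catch` block hands the already-formatted text to `printf` as its format string (`printf(fmt("Binpac exception: %s\n", e.c_msg()));`), which is a format-string bug should the exception text ever contain a `%`, and it reports the parse failure on stdout instead of to the analyzer framework. The convention in Bro's other binpac-based analyzers is `ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));`, which lets DPD disable the analyzer on a connection that is not actually Kerberos; the matching positive signal, `ProtocolConfirmation()` once a PDU parses, is absent here as well, though it may be intended for the .pac side, which is outside this hunk. `interp` is an owning raw pointer created in the constructor and deleted in the destructor; that matches sibling analyzers but deserves a one-line ownership comment in `KRB.h`.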
@@ -0,0 +1,28 @@
+#ifndef ANALYZER_PROTOCOL_KRB_KRB_H
+#define ANALYZER_PROTOCOL_KRB_KRB_H
+
+#include "analyzer/protocol/udp/UDP.h"
+
+#include "krb_pac.h"
+
+namespace analyzer { namespace krb {
+
+class KRB_Analyzer : public analyzer::Analyzer {
+public:
+ KRB_Analyzer(Connection* conn);
+ virtual ~KRB_Analyzer();
+
+ virtual void Done();
+ virtual void DeliverPacket(int len, const u_char* data, bool orig,
+ uint64 seq, const IP_Hdr* ip, int caplen);
+
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+ { return new KRB_Analyzer(conn); }
+
+protected:
+ binpac::KRB::KRB_Conn* interp;
+};
+
+} } // namespace analyzer::*
+
+#endif
diff --git a/src/analyzer/protocol/krb/Plugin.cc b/src/analyzer/protocol/krb/Plugin.cc
new file mode 100644
index 0000000000..b4bc01f7a3
--- /dev/null
+++ b/src/analyzer/protocol/krb/Plugin.cc
@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "KRB.h"
+
+BRO_PLUGIN_BEGIN(Bro, KRB)
+ BRO_PLUGIN_DESCRIPTION("Kerberos analyzer");
+ BRO_PLUGIN_ANALYZER("KRB", krb::KRB_Analyzer);
+ BRO_PLUGIN_BIF_FILE(types);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocol/krb/events.bif b/src/analyzer/protocol/krb/events.bif
new file mode 100644
index 0000000000..6655f616b8
--- /dev/null
+++ b/src/analyzer/protocol/krb/events.bif
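Review bot: `KRB_Analyzer(Connection* conn)` is a single-argument constructor without `explicit`; `explicit KRB_Analyzer(Connection* conn);` prevents accidental implicit conversion from a `Connection*`. The `#include "analyzer/protocol/udp/UDP.h"` looks unused, since the class derives from `analyzer::Analyzer` and nothing from the UDP analyzer appears in the header (hedged: `krb_pac.h` may rely on it being included first). The `interp` member is freed in `~KRB_Analyzer` in KRB.cc; a comment such as `// Owned; created in the constructor, deleted in the destructor.` next to the declaration would make the ownership explicit.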
@@ -0,0 +1,39 @@
+## A Kerberos 5 ``Authentication Server (AS) Request`` as defined
+## in :rfc:`4120`.
+##
+## c: The connection over which this Kerberos message was sent.
+##
+## msg: A Kerberos KDC request message data structure.
+event krb_as_req%(c: connection, msg: KRB::KDC_Request%);
+
+## A Kerberos 5 ``Ticket-Granting Service (TGS) Request`` as defined
+## in :rfc:`4120`.
+##
+## c: The connection over which this Kerberos message was sent.
+##
+## msg: A Kerberos KDC request message data structure.
+event krb_tgs_req%(c: connection, msg: KRB::KDC_Request%);
+
+## A Kerberos 5 ``Authentication Server (AS) Reply`` as defined
+## in :rfc:`4120`.
+##
+## c: The connection over which this Kerberos message was sent.
+##
+## msg: A Kerberos KDC reply message data structure.
+event krb_as_rep%(c: connection, msg: KRB::KDC_Reply%);
+
+## A Kerberos 5 ``Ticket-Granting Service (TGS) Reply`` as defined
+## in :rfc:`4120`.
+##
+## c: The connection over which this Kerberos message was sent.
+##
+## msg: A Kerberos KDC reply message data structure.
+event krb_tgs_rep%(c: connection, msg: KRB::KDC_Reply%);
+
+## A Kerberos 5 ``ERROR_MSG`` as defined in :rfc:`4120`.
+##
+## c: The connection over which this Kerberos message was sent.
+##
+## msg: A Kerberos error message data structure.
+event krb_error%(c: connection, msg: KRB::Error_Msg%);
+
diff --git a/src/analyzer/protocol/krb/krb-analyzer.pac b/src/analyzer/protocol/krb/krb-analyzer.pac
new file mode 100644
index 0000000000..9a6804abba
--- /dev/null
+++ b/src/analyzer/protocol/krb/krb-analyzer.pac
@@ -0,0 +1,456 @@ +connection KRB_Conn(bro_analyzer: BroAnalyzer) { + upflow = KRB_Flow(true); + downflow = KRB_Flow(false); +}; + +flow KRB_Flow(is_orig: bool) { + datagram = KRB_PDU withcontext(connection, this); + +}; + +%header{ +Val* GetTimeFromAsn1(const KRB_Time* atime); +Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname); + +Val* asn1_integer_to_val(const ASN1Encoding* i, TypeTag t); +Val* asn1_integer_to_val(const ASN1Integer* i, TypeTag t); + +RecordVal* proc_krb_kdc_options(const KRB_KDC_Options* opts); +%} + +%code{ +Val* GetTimeFromAsn1(const KRB_Time* atime) + { + time_t lResult = 0; + + char lBuffer[16]; + char* pBuffer = lBuffer; + + size_t lTimeLength = atime->time().length(); + char * pString = (char *) atime->time().data(); + + if ( lTimeLength != 15 ) + return 0; + + memcpy(pBuffer, pString, 15); + *(pBuffer+15) = '\0'; + + tm lTime; + lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); + lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); + lTime.tm_hour = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0'); + lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); + lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; + lTime.tm_year = ((lBuffer[0] - '0') * 1000) + ((lBuffer[1] - '0') * 100) + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0') - 1900; + + lTime.tm_wday = 0; + lTime.tm_yday = 0; + lTime.tm_isdst = 0; + + lResult = timegm(&lTime); + + if ( !lResult ) + lResult = 0; + + return new Val(double(lResult), TYPE_TIME); +} + +Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname) +{ + if ( pname->data()->size() == 1 ) + return bytestring_to_val(pname->data()[0][0]->encoding()->content()); + if ( pname->data()->size() == 2 ) + return new StringVal(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin())); + + return new StringVal("unknown"); +} + +Val* asn1_integer_to_val(const ASN1Integer* i, 
TypeTag t) +{ + return asn1_integer_to_val(i->encoding(), t); +} + +Val* asn1_integer_to_val(const ASN1Encoding* i, TypeTag t) +{ + return new Val(binary_to_int64(i->content()), t); +} + +RecordVal* proc_krb_kdc_options(const KRB_KDC_Options* opts) +{ + RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Options); + + rv->Assign(0, new Val(opts->forwardable(), TYPE_BOOL)); + rv->Assign(1, new Val(opts->forwarded(), TYPE_BOOL)); + rv->Assign(2, new Val(opts->proxiable(), TYPE_BOOL)); + rv->Assign(3, new Val(opts->proxy(), TYPE_BOOL)); + rv->Assign(4, new Val(opts->allow_postdate(), TYPE_BOOL)); + rv->Assign(5, new Val(opts->postdated(), TYPE_BOOL)); + rv->Assign(6, new Val(opts->renewable(), TYPE_BOOL)); + rv->Assign(7, new Val(opts->opt_hardware_auth(), TYPE_BOOL)); + rv->Assign(8, new Val(opts->disable_transited_check(), TYPE_BOOL)); + rv->Assign(9, new Val(opts->renewable_ok(), TYPE_BOOL)); + rv->Assign(10, new Val(opts->enc_tkt_in_skey(), TYPE_BOOL)); + rv->Assign(11, new Val(opts->renew(), TYPE_BOOL)); + rv->Assign(12, new Val(opts->validate(), TYPE_BOOL)); + + return rv; +} + +%} + +refine connection KRB_Conn += { + + function proc_krb_kdc_req(msg: KRB_KDC_REQ): bool + %{ + + if ( ( binary_to_int64(${msg.msg_type.data.content}) == 10 ) && ! krb_as_req ) + return false; + + if ( ( binary_to_int64(${msg.msg_type.data.content}) == 12 ) && ! 
krb_tgs_req ) + return false; + + + RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Request); + + rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT)); + rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT)); + + if ( ${msg.has_padata} ) + { + VectorVal* padata = new VectorVal(internal_type("KRB::Type_Value_Vector")->AsVectorType()); + + for ( uint i = 0; i < ${msg.padata.padata_elems}->size(); ++i) + { + switch( ${msg.padata.padata_elems[i].data_type} ) + { + case 1: + // will be generated as separate event + break; + case 2: + // encrypted timestamp is unreadable + break; + case 3: + { + RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); + type_val->Assign(0, new Val(${msg.padata.padata_elems[i].data_type}, TYPE_COUNT)); + type_val->Assign(1, bytestring_to_val(${msg.padata.padata_elems[i].pa_data_element.pa_pw_salt.encoding.content})); + padata->Assign(padata->Size(), type_val); + break; + } + default: + { + RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); + type_val->Assign(0, new Val(${msg.padata.padata_elems[i].data_type}, TYPE_COUNT)); + type_val->Assign(1, bytestring_to_val(${msg.padata.padata_elems[i].pa_data_element.unknown})); + padata->Assign(padata->Size(), type_val); + break; + } + } + } + rv->Assign(2, padata); + } + + for ( uint i = 0; i < ${msg.body.args}->size(); ++i ) + { + switch ( ${msg.body.args[i].seq_meta.index} ) + { + case 0: + rv->Assign(3, proc_krb_kdc_options(${msg.body.args[i].data.options})); + break; + case 1: + rv->Assign(4, GetStringFromPrincipalName(${msg.body.args[i].data.principal})); + break; + case 2: + rv->Assign(5, bytestring_to_val(${msg.body.args[i].data.realm.encoding.content})); + break; + case 3: + rv->Assign(6, GetStringFromPrincipalName(${msg.body.args[i].data.sname})); + break; + case 4: + rv->Assign(7, GetTimeFromAsn1(${msg.body.args[i].data.from})); + break; + case 5: + rv->Assign(8, GetTimeFromAsn1(${msg.body.args[i].data.till})); + 
break; + case 6: + rv->Assign(9, GetTimeFromAsn1(${msg.body.args[i].data.rtime})); + break; + case 7: + rv->Assign(10, asn1_integer_to_val(${msg.body.args[i].data.nonce}, TYPE_COUNT)); + break; + case 8: + if ( ${msg.body.args[i].data.etype.data}->size() ) + { + VectorVal* ciphers = new VectorVal(internal_type("index_vec")->AsVectorType()); + + for ( uint j = 0; j < ${msg.body.args[i].data.etype.data}->size(); ++j ) + ciphers->Assign(ciphers->Size(), asn1_integer_to_val(${msg.body.args[i].data.etype.data[j]}, TYPE_COUNT)); + + rv->Assign(11, ciphers); + } + break; + case 9: + if ( ${msg.body.args[i].data.addrs.addresses}->size() ) + { + VectorVal* addrs = new VectorVal(internal_type("KRB::Host_Address_Vector")->AsVectorType()); + + for ( uint j = 0; j < ${msg.body.args[i].data.addrs.addresses}->size(); ++j ) + { + RecordVal* addr = new RecordVal(BifType::Record::KRB::Host_Address); + switch ( binary_to_int64(${msg.body.args[i].data.addrs.addresses[j].addr_type.data.content}) ) + { + case 2: + addr->Assign(0, new AddrVal(IPAddr(IPv4, (const uint32_t*) c_str(${msg.body.args[i].data.addrs.addresses[j].address.data.content}), IPAddr::Network))); + break; + case 24: + addr->Assign(0, new AddrVal(IPAddr(IPv6, (const uint32_t*) c_str(${msg.body.args[i].data.addrs.addresses[j].address.data.content}), IPAddr::Network))); + break; + case 20: + addr->Assign(1, bytestring_to_val(${msg.body.args[i].data.addrs.addresses[j].address.data.content})); + break; + default: + RecordVal* unk = new RecordVal(BifType::Record::KRB::Type_Value); + unk->Assign(0, asn1_integer_to_val(${msg.body.args[i].data.addrs.addresses[j].addr_type.data}, TYPE_COUNT)); + unk->Assign(1, bytestring_to_val(${msg.body.args[i].data.addrs.addresses[j].address.data.content})); + addr->Assign(2, unk); + break; + } + addrs->Assign(addrs->Size(), addr); + } + + rv->Assign(12, addrs); + } + break; + case 10: + // TODO + break; + case 11: + if ( ${msg.body.args[i].data.addl_tkts.tickets}->size() ) + { + VectorVal* 
tickets = new VectorVal(internal_type("KRB::Ticket_Vector")->AsVectorType()); + + for ( uint j = 0; j < ${msg.body.args[i].data.addl_tkts.tickets}->size(); ++j ) + { + RecordVal* ticket = new RecordVal(BifType::Record::KRB::Ticket); + + ticket->Assign(0, asn1_integer_to_val(${msg.body.args[i].data.addl_tkts.tickets[j].tkt_vno.data}, TYPE_COUNT)); + ticket->Assign(1, bytestring_to_val(${msg.body.args[i].data.addl_tkts.tickets[j].realm.data.content})); + ticket->Assign(2, GetStringFromPrincipalName(${msg.body.args[i].data.addl_tkts.tickets[j].sname})); + ticket->Assign(3, asn1_integer_to_val(${msg.body.args[i].data.addl_tkts.tickets[j].enc_part.etype.data}, TYPE_COUNT)); + tickets->Assign(tickets->Size(), ticket); + } + rv->Assign(13, tickets); + } + break; + default: + break; + } + } + + if ( ( binary_to_int64(${msg.msg_type.data.content}) == 10 ) ) + BifEvent::generate_krb_as_req(bro_analyzer(), bro_analyzer()->Conn(), rv); + + if ( ( binary_to_int64(${msg.msg_type.data.content}) == 12 ) ) + BifEvent::generate_krb_tgs_req(bro_analyzer(), bro_analyzer()->Conn(), rv); + + return true; + %} + + function proc_krb_kdc_rep(msg: KRB_KDC_REP): bool + %{ + + if ( ( binary_to_int64(${msg.msg_type.data.content}) == 11 ) && ! krb_as_rep ) + return false; + + if ( ( binary_to_int64(${msg.msg_type.data.content}) == 13 ) && ! 
krb_tgs_rep ) + return false; + + + RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Reply); + + rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT)); + rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT)); + + if ( ${msg.has_padata} ) + { + VectorVal* padata = new VectorVal(internal_type("KRB::Type_Value_Vector")->AsVectorType()); + + for ( uint i = 0; i < ${msg.padata.padata_elems}->size(); ++i) + { + switch( ${msg.padata.padata_elems[i].data_type} ) + { + case 1: + // will be generated as separate event + break; + case 2: + // encrypted timestamp is unreadable + break; + case 3: + { + RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); + type_val->Assign(0, new Val(${msg.padata.padata_elems[i].data_type}, TYPE_COUNT)); + type_val->Assign(1, bytestring_to_val(${msg.padata.padata_elems[i].pa_data_element.pa_pw_salt.encoding.content})); + padata->Assign(padata->Size(), type_val); + break; + } + default: + { + RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); + type_val->Assign(0, new Val(${msg.padata.padata_elems[i].data_type}, TYPE_COUNT)); + type_val->Assign(1, bytestring_to_val(${msg.padata.padata_elems[i].pa_data_element.unknown})); + padata->Assign(padata->Size(), type_val); + break; + } + } + } + rv->Assign(2, padata); + } + + rv->Assign(3, bytestring_to_val(${msg.client_realm.encoding.content})); + rv->Assign(4, GetStringFromPrincipalName(${msg.client_name})); + + RecordVal* ticket = new RecordVal(BifType::Record::KRB::Ticket); + + ticket->Assign(0, asn1_integer_to_val(${msg.ticket.tkt_vno.data}, TYPE_COUNT)); + ticket->Assign(1, bytestring_to_val(${msg.ticket.realm.data.content})); + ticket->Assign(2, GetStringFromPrincipalName(${msg.ticket.sname})); + ticket->Assign(3, asn1_integer_to_val(${msg.ticket.enc_part.etype.data}, TYPE_COUNT)); + + rv->Assign(5, ticket); + + if ( ( binary_to_int64(${msg.msg_type.data.content}) == 11 ) ) + BifEvent::generate_krb_as_rep(bro_analyzer(), 
bro_analyzer()->Conn(), rv); + + if ( ( binary_to_int64(${msg.msg_type.data.content}) == 13 ) ) + BifEvent::generate_krb_tgs_rep(bro_analyzer(), bro_analyzer()->Conn(), rv); + + return true; + %} + + function proc_krb_ap_req(msg: KRB_AP_REQ): bool + %{ + // Not implemented + return true; + %} + + function proc_krb_ap_rep(msg: KRB_AP_REP): bool + %{ + // Not implemented + return true; + %} + + function proc_krb_error_msg(msg: KRB_ERROR_MSG): bool + %{ + if ( krb_error ) + { + RecordVal* rv = new RecordVal(BifType::Record::KRB::Error_Msg); + for ( uint i = 0; i < ${msg.args}->size(); i++ ) + { + switch ( ${msg.args[i].seq_meta.index} ) + { + case 0: + rv->Assign(0, asn1_integer_to_val(${msg.args[i].args.pvno}, TYPE_COUNT)); + break; + case 1: + rv->Assign(1, asn1_integer_to_val(${msg.args[i].args.msg_type}, TYPE_COUNT)); + break; + case 2: + rv->Assign(2, GetTimeFromAsn1(${msg.args[i].args.ctime})); + break; + case 3: +// TODO + break; + case 4: + rv->Assign(3, GetTimeFromAsn1(${msg.args[i].args.stime})); + break; + case 5: +// TODO + break; + case 6: + rv->Assign(4, asn1_integer_to_val(${msg.args[i].args.error_code}, TYPE_COUNT)); + break; + case 7: + rv->Assign(5, bytestring_to_val(${msg.args[i].args.crealm.encoding.content})); + break; + case 8: + rv->Assign(6, GetStringFromPrincipalName(${msg.args[i].args.cname})); + break; + case 9: + rv->Assign(7, bytestring_to_val(${msg.args[i].args.realm.encoding.content})); + break; + case 10: + rv->Assign(8, GetStringFromPrincipalName(${msg.args[i].args.sname})); + break; + case 11: + rv->Assign(9, bytestring_to_val(${msg.args[i].args.e_text.encoding.content})); + break; + default: + break; + } + } + BifEvent::generate_krb_error(bro_analyzer(), bro_analyzer()->Conn(), rv); + } + return true; + %} + + function proc_krb_safe_msg(msg: KRB_SAFE_MSG): bool + %{ + // Not implemented + return true; + %} + + function proc_krb_priv_msg(msg: KRB_PRIV_MSG): bool + %{ + // Not implemented + return true; + %} + + function 
proc_krb_cred_msg(msg: KRB_CRED_MSG): bool + %{ + // Not implemented + return true; + %} + +} + + +refine typeattr KRB_AS_REQ += &let { + proc: bool = $context.connection.proc_krb_kdc_req(data); + }; + +refine typeattr KRB_TGS_REQ += &let { + proc: bool = $context.connection.proc_krb_kdc_req(data); + }; + +refine typeattr KRB_AS_REP += &let { + proc: bool = $context.connection.proc_krb_kdc_rep(data); + }; + +refine typeattr KRB_TGS_REP += &let { + proc: bool = $context.connection.proc_krb_kdc_rep(data); + }; + +refine typeattr KRB_AP_REQ += &let { + proc: bool = $context.connection.proc_krb_ap_req(this); + }; + +refine typeattr KRB_AP_REP += &let { + proc: bool = $context.connection.proc_krb_ap_rep(this); + }; + +refine typeattr KRB_ERROR_MSG += &let { + proc: bool = $context.connection.proc_krb_error_msg(this); + }; + +refine typeattr KRB_SAFE_MSG += &let { + proc: bool = $context.connection.proc_krb_safe_msg(this); + }; + +refine typeattr KRB_PRIV_MSG += &let { + proc: bool = $context.connection.proc_krb_priv_msg(this); + }; + +refine typeattr KRB_CRED_MSG += &let { + proc: bool = $context.connection.proc_krb_cred_msg(this); + }; + diff --git a/src/analyzer/protocol/krb/krb-asn1.pac b/src/analyzer/protocol/krb/krb-asn1.pac new file mode 100644 index 0000000000..e5e2cd3ece --- /dev/null +++ b/src/analyzer/protocol/krb/krb-asn1.pac 
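Review bot: `GetStringFromPrincipalName` hands `pname->data()[0][0]->encoding()->content().begin()` (and the `[0][1]` element) to `fmt("%s/%s", ...)`, but a binpac bytestring is not NUL-terminated, so `%s` keeps reading past the name component until it finds a zero byte — an over-read controlled by whoever sent the packet. Format with explicit lengths instead: `fmt("%.*s/%.*s", (int) c0.length(), (const char*) c0.begin(), (int) c1.length(), (const char*) c1.begin())` where `c0`/`c1` are the two `content()` bytestrings. The `KRB_Host_Address` switch inside `proc_krb_kdc_req` has a sibling problem: the `case 2:` and `case 24:` arms construct `IPAddr(IPv4, ...)` / `IPAddr(IPv6, ...)` from `address.data.content` without checking it holds 4 or 16 bytes, so a short address reads beyond the bytestring; guard each arm with a length check and let anything else take the `Type_Value` default. `GetTimeFromAsn1` returns a null `Val*` when the length is not 15 and every caller passes that straight into `rv->Assign(...)`, while the `if ( !lResult ) lResult = 0;` after `timegm` is a no-op that can go.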
@@ -0,0 +1,52 @@
+type ASN1Encoding = record {
+ meta: ASN1EncodingMeta;
+ content: bytestring &length = meta.length;
+};
+
+type ASN1EncodingMeta = record {
+ tag: uint8;
+ len: uint8;
+ more_len: bytestring &length = long_len ? len & 0x7f : 0;
+} &let {
+ long_len: bool = len & 0x80;
+ length: uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f;
+ index: uint8 = tag - 160;
+};
+
+type ASN1Integer = record {
+ encoding: ASN1Encoding;
+};
+
+type ASN1OctetString = record {
+ encoding: ASN1Encoding;
+};
+
+type SequenceElement(grab_content: bool) = record {
+ index_meta: ASN1EncodingMeta;
+ have_content: case grab_content of {
+ true -> data: ASN1Encoding;
+ false -> meta: ASN1EncodingMeta;
+ };
+} &let {
+ index: uint8 = index_meta.index;
+ length: uint64 = index_meta.length;
+};
+
+type Array = record {
+ array_meta: ASN1EncodingMeta;
+ data: ASN1Encoding[];
+};
+
+function binary_to_int64(bs: bytestring): int64
+ %{
+ int64 rval = 0;
+
+ for ( int i = 0; i < bs.length(); ++i )
+ {
+ uint64 byte = bs[i];
+ rval |= byte << (8 * (bs.length() - (i + 1)));
+ }
+
+ return rval;
+ %}
+
diff --git a/src/analyzer/protocol/krb/krb-protocol.pac b/src/analyzer/protocol/krb/krb-protocol.pac
new file mode 100644
index 0000000000..1f85ea0e45
--- /dev/null
+++ b/src/analyzer/protocol/krb/krb-protocol.pac
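Review bot: `binary_to_int64` shifts `byte << (8 * (bs.length() - (i + 1)))` with no bound on `bs.length()`, and `ASN1EncodingMeta` feeds it `more_len`, which the long form allows to be up to 127 bytes (`len & 0x7f`); anything longer than 8 bytes makes the shift amount 64 or more, which is undefined behaviour in C++ and yields an arbitrary `length` for every `&length` field downstream. Reject oversize input before the loop, e.g. `if ( bs.length() > 8 ) throw binpac::Exception("integer too long");` so the caller's violation path handles it, and note in a comment that the function decodes a big-endian unsigned value of at most 8 bytes. Separately, `index: uint8 = tag - 160` wraps for any tag below 160, so a non-context-specific tag produces a large index that only the `default` arms of the `case index of` switches absorb; a comment such as `# context-specific tags only; other tags wrap and land in the default arm` would record that this is intended.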
@@ -0,0 +1,343 @@ +%include krb-asn1.pac + +enum KRBMessageTypes { + AS_REQ = 10, + AS_REP = 11, + TGS_REQ = 12, + TGS_REP = 13, + AP_REQ = 14, + AP_REP = 15, + KRB_SAFE = 20, + KRB_PRIV = 21, + KRB_CRED = 22, + KRB_ERROR = 30, +}; + +type KRB_PDU = record { + app_meta : ASN1EncodingMeta; + msg_type : case (app_meta.tag - 96) of { + AS_REQ -> as_req : KRB_AS_REQ; + AS_REP -> as_rep : KRB_AS_REP; + TGS_REQ -> tgs_req : KRB_TGS_REQ; + TGS_REP -> tgs_rep : KRB_TGS_REP; + AP_REQ -> ap_req : KRB_AP_REQ; + AP_REP -> ap_rep : KRB_AP_REP; + KRB_SAFE -> krb_safe : KRB_SAFE_MSG; + KRB_PRIV -> krb_priv : KRB_PRIV_MSG; + KRB_CRED -> krb_cred : KRB_CRED_MSG; + KRB_ERROR -> krb_error: KRB_ERROR_MSG; + default -> unknown : bytestring &restofdata; + }; +} &byteorder=bigendian; + +type KRB_AS_REQ = record { + data: KRB_KDC_REQ; +}; + +type KRB_TGS_REQ = record { + data: KRB_KDC_REQ; +}; + +type KRB_AS_REP = record { + data: KRB_KDC_REP; +}; + +type KRB_TGS_REP = record { + data: KRB_KDC_REP; +}; + +### KDC_REQ + +type KRB_KDC_REQ = record { + seq_meta : ASN1EncodingMeta; + pvno : SequenceElement(true); + msg_type : SequenceElement(true); + padata_meta: ASN1EncodingMeta; + tmp1 : case has_padata of { + true -> padata : KRB_PA_Data_Sequence &length=padata_meta.length; + false -> n1 : empty; + }; + tmp2 : case has_padata of { + true -> meta2 : ASN1EncodingMeta; + false -> n2 : empty; + }; + body : KRB_REQ_Body &length=body_length; +} &let { + has_padata : bool = padata_meta.index == 3; + body_length: uint8 = has_padata ? 
meta2.length : padata_meta.length; +}; + +type KRB_PA_Data_Sequence = record { + seq_meta : ASN1EncodingMeta; + padata_elems: KRB_PA_Data[]; +}; + +type KRB_PA_Data = record { + seq_meta : ASN1EncodingMeta; + pa_data_type : SequenceElement(true); + pa_data_elem_meta : ASN1EncodingMeta; + pa_data_element : KRB_PA_Data_Element(data_type); +} &let { + data_type: int64 = binary_to_int64(pa_data_type.data.content); +}; + +type KRB_PA_Data_Element(type: int64) = case type of { + 1 -> pa_tgs_req : KRB_AP_REQ; + 2 -> pa_enc_timestamp : KRB_Encrypted_Data; + 3 -> pa_pw_salt : ASN1OctetString; + default -> unknown : bytestring &restofdata; +}; + +type KRB_REQ_Body = record { + seq_meta : ASN1EncodingMeta; + args : KRB_REQ_Arg[]; +}; + +type KRB_REQ_Arg = record { + seq_meta : ASN1EncodingMeta; + data : KRB_REQ_Arg_Data(seq_meta.index) &length=seq_meta.length; +}; + +type KRB_REQ_Arg_Data(index: uint8) = case index of { + 0 -> options : KRB_KDC_Options; + 1 -> principal : KRB_Principal_Name; + 2 -> realm : ASN1OctetString; + 3 -> sname : KRB_Principal_Name; + 4 -> from : KRB_Time; + 5 -> till : KRB_Time; + 6 -> rtime : KRB_Time; + 7 -> nonce : ASN1Integer; + 8 -> etype : Array; + 9 -> addrs : KRB_Host_Addresses; + 10 -> auth_data : ASN1OctetString; # TODO + 11 -> addl_tkts : KRB_Ticket_Sequence; + default -> unknown : bytestring &restofdata; +}; + +type KRB_KDC_Options = record { + meta : ASN1EncodingMeta; + flags: uint32; +} &let { + reserved : bool = flags & 0x80000000; + forwardable : bool = flags & 0x40000000; + forwarded : bool = flags & 0x20000000; + proxiable : bool = flags & 0x10000000; + proxy : bool = flags & 0x8000000; + allow_postdate : bool = flags & 0x4000000; + postdated : bool = flags & 0x2000000; + unused7 : bool = flags & 0x1000000; + renewable : bool = flags & 0x800000; + unused9 : bool = flags & 0x400000; + unused10 : bool = flags & 0x200000; + opt_hardware_auth : bool = flags & 0x100000; + unused12 : bool = flags & 0x80000; + unused13 : bool = flags & 
0x40000; + # ... + unused15 : bool = flags & 0x10000; + # ... + disable_transited_check : bool = flags & 0x10; + renewable_ok : bool = flags & 0x8; + enc_tkt_in_skey : bool = flags & 0x4; + renew : bool = flags & 0x2; + validate : bool = flags & 0x1; +}; + +type KRB_Principal_Name = record { + seq_meta : ASN1EncodingMeta; + name_meta : ASN1EncodingMeta; + name_type : ASN1Integer; + seq_meta_1: ASN1EncodingMeta; + seq_meta_2: ASN1EncodingMeta; + data : ASN1OctetString[] &length=seq_meta_2.length; +}; + +type KRB_Time = record { + meta: ASN1EncodingMeta; + time: bytestring &restofdata; +}; + +type KRB_Host_Addresses = record { + seq_meta : ASN1EncodingMeta; + addresses: KRB_Host_Address[]; +}; + +type KRB_Host_Address = record { + addr_type: SequenceElement(true); + address : SequenceElement(true); +}; + +type KRB_Ticket(in_sequence: bool) = record { + have_seq : case in_sequence of { + true -> meta: ASN1EncodingMeta; + false -> none: empty; + }; + app_meta : ASN1EncodingMeta; + seq_meta : ASN1EncodingMeta; + tkt_vno : SequenceElement(true); + realm : SequenceElement(true); + sname_meta: ASN1EncodingMeta; + sname : KRB_Principal_Name; + enc_part : KRB_Encrypted_Data; +}; + +type KRB_Ticket_Sequence = record { + seq_meta : ASN1EncodingMeta; + tickets : KRB_Ticket(true)[] &length=seq_meta.length; +}; + +type KRB_Encrypted_Data_in_Seq = record { + index_meta : ASN1EncodingMeta; + data : KRB_Encrypted_Data; +}; + +type KRB_Encrypted_Data = record { + seq_meta : ASN1EncodingMeta; + etype : SequenceElement(true); + kvno_meta : ASN1EncodingMeta; + case_kvno : case have_kvno of { + true -> kvno: ASN1Integer; + false -> none: empty; + }; + grab_next_meta : case have_kvno of { + true -> next_meta: ASN1EncodingMeta; + false -> none_meta: empty; + }; + ciphertext : bytestring &length=have_kvno ? 
next_meta.length : kvno_meta.length; +} &let { + have_kvno : bool = kvno_meta.index == 1; +}; + +### KDC_REP + +type KRB_KDC_REP = record { + seq_meta : ASN1EncodingMeta; + pvno : SequenceElement(true); + msg_type : SequenceElement(true); + padata_meta : ASN1EncodingMeta; + tmp1 : case has_padata of { + true -> padata : KRB_PA_Data_Sequence &length=padata_meta.length; + false -> n1 : empty; + }; + tmp2 : case has_padata of { + true -> meta2 : ASN1EncodingMeta; + false -> n2 : empty; + }; + client_realm: ASN1OctetString &length=realm_length; + client_name : KRB_Principal_Name; + ticket : KRB_Ticket(true); + enc_part : KRB_Encrypted_Data_in_Seq; +} &let { + has_padata : bool = padata_meta.index == 2; + realm_length: uint8 = has_padata ? meta2.length : padata_meta.length; +}; + +### AP_REQ + +type KRB_AP_REQ = record { + string_meta : ASN1EncodingMeta; + app_meta : ASN1EncodingMeta; + seq_meta : ASN1EncodingMeta; + pvno : SequenceElement(true); + msg_type : SequenceElement(true); + ap_options : KRB_AP_Options; + ticket : KRB_Ticket(true); + enc_part : KRB_Encrypted_Data_in_Seq; +}; + +type KRB_AP_Options = record { + meta : SequenceElement(false); + flags : uint32; + : padding[1]; +} &let { + reserved : bool = flags & 0x80000000; + use_session_key : bool = flags & 0x40000000; + mutual_required : bool = flags & 0x20000000; +}; + + +### AP_REP + +type KRB_AP_REP = record { + pvno : SequenceElement(true); + msg_type: SequenceElement(true); + enc_part: KRB_Encrypted_Data_in_Seq; +}; + +### KRB_ERROR + +type KRB_ERROR_MSG = record { + seq_meta: ASN1EncodingMeta; + args : KRB_ERROR_Arg[]; +}; + +type KRB_ERROR_Arg = record { + seq_meta: ASN1EncodingMeta; + args : KRB_ERROR_Arg_Data(seq_meta.index) &length=seq_meta.length; +}; + +type KRB_ERROR_Arg_Data(index: uint8) = case index of { + 0 -> pvno : ASN1Integer; + 1 -> msg_type : ASN1Integer; + 2 -> ctime : KRB_Time; + 3 -> cusec : ASN1Integer; + 4 -> stime : KRB_Time; + 5 -> susec : ASN1Integer; + 6 -> error_code : 
ASN1Integer; + 7 -> crealm : ASN1OctetString; + 8 -> cname : KRB_Principal_Name; + 9 -> realm : ASN1OctetString; + 10 -> sname : KRB_Principal_Name; + 11 -> e_text : ASN1OctetString; + 12 -> e_data : ASN1OctetString; +}; + +### KRB_SAFE + +type KRB_SAFE_MSG = record { + pvno : SequenceElement(true); + msg_type : SequenceElement(true); + safe_body: KRB_SAFE_Body; + checksum : KRB_Checksum; +}; + +type KRB_SAFE_Body = record { + seq_meta: ASN1EncodingMeta; + args : KRB_SAFE_Arg[]; +}; + +type KRB_SAFE_Arg = record { + seq_meta: ASN1EncodingMeta; + args : KRB_SAFE_Arg_Data(seq_meta.index) &length=seq_meta.length; +}; + +type KRB_SAFE_Arg_Data(index: uint8) = case index of { + 0 -> user_data : ASN1OctetString; + 1 -> timestamp : KRB_Time; + 2 -> usec : ASN1Integer; + 3 -> seq_number : ASN1Integer; + 4 -> sender_addr: KRB_Host_Address; + 5 -> recp_addr : KRB_Host_Address; +}; + +type KRB_Checksum = record { + checksum_type: SequenceElement(true); + checksum : SequenceElement(true); +}; + +### KRB_PRIV + +type KRB_PRIV_MSG = record { + pvno : SequenceElement(true); + msg_type: SequenceElement(true); + enc_part: KRB_Encrypted_Data_in_Seq; +}; + +### KRB_CRED + +type KRB_CRED_MSG = record { + pvno : SequenceElement(true); + msg_type : SequenceElement(true); + tkts_meta: SequenceElement(false); + tickets : KRB_Ticket_Sequence; + enc_part : KRB_Encrypted_Data_in_Seq; +}; \ No newline at end of file diff --git a/src/analyzer/protocol/krb/krb.pac b/src/analyzer/protocol/krb/krb.pac new file mode 100644 index 0000000000..c2e83be19b --- /dev/null +++ b/src/analyzer/protocol/krb/krb.pac @@ -0,0 +1,15 @@ +%include binpac.pac +%include bro.pac + +%extern{ +#include "types.bif.h" +#include "events.bif.h" +%} + +analyzer KRB withcontext { + connection: KRB_Conn; + flow: KRB_Flow; +}; + +%include krb-protocol.pac +%include krb-analyzer.pac diff --git a/src/analyzer/protocol/krb/types.bif b/src/analyzer/protocol/krb/types.bif new file mode 100644 index 0000000000..5464d03510 
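Review bot: `KRB_KDC_REQ` derives `body_length: uint8 = has_padata ? meta2.length : padata_meta.length;` from `ASN1EncodingMeta.length`, which is a `uint64`, so any request body longer than 255 bytes is truncated modulo 256 and `body : KRB_REQ_Body &length=body_length` parses the wrong span; `KRB_KDC_REP` repeats the truncation in `realm_length: uint8 = has_padata ? meta2.length : padata_meta.length;`. Widen both to `uint64` so they match the field they copy. Because the length is taken from the wire, the truncation is a silent mis-parse rather than a reported one, which is the worse outcome for anyone relying on the generated events. The `krb.pac` hunk on the same line is an include list and needs nothing.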
--- /dev/null +++ b/src/analyzer/protocol/krb/types.bif @@ -0,0 +1,14 @@ +module KRB; + +type Error_Msg: record; + +type KDC_Options: record; +type Type_Value: record; +type Ticket: record; +type Host_Address: record; + +type KDC_Request: record; + +type KDC_Reply: record; + +module GLOBAL; From e87b2080d1e7c01e79cf20a2f2f5611f3e66d897 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Mon, 25 Aug 2014 11:33:32 -0400 Subject: [PATCH 022/711] Small Kerberos tweaks and fixes. --- src/analyzer/protocol/CMakeLists.txt | 1 + src/analyzer/protocol/krb/CMakeLists.txt | 3 +- src/analyzer/protocol/krb/KRB.cc | 12 +- src/analyzer/protocol/krb/KRB.h | 9 +- src/analyzer/protocol/krb/Plugin.cc | 1 - src/analyzer/protocol/krb/krb-protocol.pac | 124 ++++++++++----------- 6 files changed, 78 insertions(+), 72 deletions(-) diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index a47447d414..b036caaa4d 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -18,6 +18,7 @@ add_subdirectory(icmp) add_subdirectory(ident) add_subdirectory(interconn) add_subdirectory(irc) +add_subdirectory(krb) add_subdirectory(login) add_subdirectory(mime) add_subdirectory(modbus) diff --git a/src/analyzer/protocol/krb/CMakeLists.txt b/src/analyzer/protocol/krb/CMakeLists.txt index 468364e5d5..05b7c575d2 100644 --- a/src/analyzer/protocol/krb/CMakeLists.txt +++ b/src/analyzer/protocol/krb/CMakeLists.txt @@ -1,7 +1,8 @@ include(BroPlugin) -include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro KRB) bro_plugin_cc(KRB.cc Plugin.cc) diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc index e9f91d04db..9dad0bc6ab 100644 --- a/src/analyzer/protocol/krb/KRB.cc +++ b/src/analyzer/protocol/krb/KRB.cc 
@@ -1,12 +1,13 @@ -#include "KRB.h" +// See the file "COPYING" in the main distribution directory for copyright. +#include "KRB.h" #include "types.bif.h" #include "events.bif.h" using namespace analyzer::krb; KRB_Analyzer::KRB_Analyzer(Connection* conn) -: Analyzer("KRB", conn) + : Analyzer("KRB", conn) { interp = new binpac::KRB::KRB_Conn(this); } @@ -21,17 +22,18 @@ void KRB_Analyzer::Done() Analyzer::Done(); } -void KRB_Analyzer::DeliverPacket(int len, const u_char* data, - bool orig, uint64 seq, const IP_Hdr* ip, int caplen) +void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + try { interp->NewData(orig, data, data + len); } catch ( const binpac::Exception& e ) { - printf(fmt("Binpac exception: %s\n", e.c_msg())); + ProtocolViolation(e.c_msg()); } } diff --git a/src/analyzer/protocol/krb/KRB.h b/src/analyzer/protocol/krb/KRB.h index 905ee43837..e4caf7b25c 100644 --- a/src/analyzer/protocol/krb/KRB.h +++ b/src/analyzer/protocol/krb/KRB.h @@ -1,25 +1,28 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #ifndef ANALYZER_PROTOCOL_KRB_KRB_H #define ANALYZER_PROTOCOL_KRB_KRB_H -#include "analyzer/protocol/udp/UDP.h" - #include "krb_pac.h" namespace analyzer { namespace krb { class KRB_Analyzer : public analyzer::Analyzer { + public: + KRB_Analyzer(Connection* conn); virtual ~KRB_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + uint64 seq, const IP_Hdr* ip, int caplen); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new KRB_Analyzer(conn); } protected: + binpac::KRB::KRB_Conn* interp; }; diff --git a/src/analyzer/protocol/krb/Plugin.cc b/src/analyzer/protocol/krb/Plugin.cc index b4bc01f7a3..bf7d28c3f0 100644 --- a/src/analyzer/protocol/krb/Plugin.cc 
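Review bot: `DeliverPacket` now reports parse failures through `ProtocolViolation(e.c_msg())`, but no visible hunk in this series calls `ProtocolConfirmation()`, so from this diff the analyzer can only ever be marked wrong and never confirmed; if confirmation is not done from the `.pac` processing functions (not visible here), the connection's service is never attributed to Kerberos, which matters for detection built on conn.log. Consider calling `ProtocolConfirmation();` after `interp->NewData(orig, data, data + len);` inside the `try` once a PDU has parsed. The destructor that should release `interp` is outside both hunks, so its handling cannot be checked from this diff.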
+++ b/src/analyzer/protocol/krb/Plugin.cc @@ -1,6 +1,5 @@ #include "plugin/Plugin.h" - #include "KRB.h" BRO_PLUGIN_BEGIN(Bro, KRB) diff --git a/src/analyzer/protocol/krb/krb-protocol.pac b/src/analyzer/protocol/krb/krb-protocol.pac index 1f85ea0e45..1741443b50 100644 --- a/src/analyzer/protocol/krb/krb-protocol.pac +++ b/src/analyzer/protocol/krb/krb-protocol.pac @@ -55,7 +55,7 @@ type KRB_KDC_REQ = record { padata_meta: ASN1EncodingMeta; tmp1 : case has_padata of { true -> padata : KRB_PA_Data_Sequence &length=padata_meta.length; - false -> n1 : empty; + false -> n1 : empty; }; tmp2 : case has_padata of { true -> meta2 : ASN1EncodingMeta; @@ -73,7 +73,7 @@ type KRB_PA_Data_Sequence = record { }; type KRB_PA_Data = record { - seq_meta : ASN1EncodingMeta; + seq_meta : ASN1EncodingMeta; pa_data_type : SequenceElement(true); pa_data_elem_meta : ASN1EncodingMeta; pa_data_element : KRB_PA_Data_Element(data_type); @@ -82,10 +82,10 @@ type KRB_PA_Data = record { }; type KRB_PA_Data_Element(type: int64) = case type of { - 1 -> pa_tgs_req : KRB_AP_REQ; - 2 -> pa_enc_timestamp : KRB_Encrypted_Data; - 3 -> pa_pw_salt : ASN1OctetString; - default -> unknown : bytestring &restofdata; + 1 -> pa_tgs_req : KRB_AP_REQ; + 2 -> pa_enc_timestamp : KRB_Encrypted_Data; + 3 -> pa_pw_salt : ASN1OctetString; + default -> unknown : bytestring &restofdata; }; type KRB_REQ_Body = record { 
@@ -99,47 +99,47 @@ type KRB_REQ_Arg = record { }; type KRB_REQ_Arg_Data(index: uint8) = case index of { - 0 -> options : KRB_KDC_Options; - 1 -> principal : KRB_Principal_Name; - 2 -> realm : ASN1OctetString; - 3 -> sname : KRB_Principal_Name; - 4 -> from : KRB_Time; - 5 -> till : KRB_Time; - 6 -> rtime : KRB_Time; - 7 -> nonce : ASN1Integer; - 8 -> etype : Array; - 9 -> addrs : KRB_Host_Addresses; - 10 -> auth_data : ASN1OctetString; # TODO - 11 -> addl_tkts : KRB_Ticket_Sequence; - default -> unknown : bytestring &restofdata; + 0 -> options : KRB_KDC_Options; + 1 -> principal : KRB_Principal_Name; + 2 -> realm : ASN1OctetString; + 3 -> sname : KRB_Principal_Name; + 4 -> from : KRB_Time; + 5 -> till : KRB_Time; + 6 -> rtime : KRB_Time; + 7 -> nonce : ASN1Integer; + 8 -> etype : Array; + 9 -> addrs : KRB_Host_Addresses; + 10 -> auth_data : ASN1OctetString; # TODO + 11 -> addl_tkts : KRB_Ticket_Sequence; + default -> unknown : bytestring &restofdata; }; type KRB_KDC_Options = record { meta : ASN1EncodingMeta; flags: uint32; } &let { - reserved : bool = flags & 0x80000000; - forwardable : bool = flags & 0x40000000; - forwarded : bool = flags & 0x20000000; - proxiable : bool = flags & 0x10000000; - proxy : bool = flags & 0x8000000; - allow_postdate : bool = flags & 0x4000000; - postdated : bool = flags & 0x2000000; - unused7 : bool = flags & 0x1000000; - renewable : bool = flags & 0x800000; - unused9 : bool = flags & 0x400000; - unused10 : bool = flags & 0x200000; - opt_hardware_auth : bool = flags & 0x100000; - unused12 : bool = flags & 0x80000; - unused13 : bool = flags & 0x40000; + reserved : bool = flags & 0x80000000; + forwardable : bool = flags & 0x40000000; + forwarded : bool = flags & 0x20000000; + proxiable : bool = flags & 0x10000000; + proxy : bool = flags & 0x8000000; + allow_postdate : bool = flags & 0x4000000; + postdated : bool = flags & 0x2000000; + unused7 : bool = flags & 0x1000000; + renewable : bool = flags & 0x800000; + unused9 : bool = flags & 
0x400000; + unused10 : bool = flags & 0x200000; + opt_hardware_auth : bool = flags & 0x100000; + unused12 : bool = flags & 0x80000; + unused13 : bool = flags & 0x40000; # ... - unused15 : bool = flags & 0x10000; + unused15 : bool = flags & 0x10000; # ... disable_transited_check : bool = flags & 0x10; - renewable_ok : bool = flags & 0x8; - enc_tkt_in_skey : bool = flags & 0x4; - renew : bool = flags & 0x2; - validate : bool = flags & 0x1; + renewable_ok : bool = flags & 0x8; + enc_tkt_in_skey : bool = flags & 0x4; + renew : bool = flags & 0x2; + validate : bool = flags & 0x1; }; type KRB_Principal_Name = record { @@ -167,7 +167,7 @@ type KRB_Host_Address = record { }; type KRB_Ticket(in_sequence: bool) = record { - have_seq : case in_sequence of { + have_seq : case in_sequence of { true -> meta: ASN1EncodingMeta; false -> none: empty; }; @@ -187,24 +187,24 @@ type KRB_Ticket_Sequence = record { type KRB_Encrypted_Data_in_Seq = record { index_meta : ASN1EncodingMeta; - data : KRB_Encrypted_Data; + data : KRB_Encrypted_Data; }; type KRB_Encrypted_Data = record { - seq_meta : ASN1EncodingMeta; - etype : SequenceElement(true); - kvno_meta : ASN1EncodingMeta; - case_kvno : case have_kvno of { - true -> kvno: ASN1Integer; - false -> none: empty; + seq_meta : ASN1EncodingMeta; + etype : SequenceElement(true); + kvno_meta : ASN1EncodingMeta; + case_kvno : case have_kvno of { + true -> kvno : ASN1Integer; + false -> none : empty; }; grab_next_meta : case have_kvno of { true -> next_meta: ASN1EncodingMeta; false -> none_meta: empty; }; - ciphertext : bytestring &length=have_kvno ? next_meta.length : kvno_meta.length; + ciphertext : bytestring &length=have_kvno ? next_meta.length : kvno_meta.length; } &let { - have_kvno : bool = kvno_meta.index == 1; + have_kvno : bool = kvno_meta.index == 1; }; ### KDC_REP 
@@ -216,18 +216,18 @@ type KRB_KDC_REP = record { padata_meta : ASN1EncodingMeta; tmp1 : case has_padata of { true -> padata : KRB_PA_Data_Sequence &length=padata_meta.length; - false -> n1 : empty; + false -> n1 : empty; }; tmp2 : case has_padata of { true -> meta2 : ASN1EncodingMeta; - false -> n2 : empty; + false -> n2 : empty; }; client_realm: ASN1OctetString &length=realm_length; client_name : KRB_Principal_Name; ticket : KRB_Ticket(true); enc_part : KRB_Encrypted_Data_in_Seq; } &let { - has_padata : bool = padata_meta.index == 2; + has_padata : bool = padata_meta.index == 2; realm_length: uint8 = has_padata ? meta2.length : padata_meta.length; }; @@ -247,9 +247,9 @@ type KRB_AP_REQ = record { type KRB_AP_Options = record { meta : SequenceElement(false); flags : uint32; - : padding[1]; + : padding[1]; } &let { - reserved : bool = flags & 0x80000000; + reserved : bool = flags & 0x80000000; use_session_key : bool = flags & 0x40000000; mutual_required : bool = flags & 0x20000000; }; @@ -276,17 +276,17 @@ type KRB_ERROR_Arg = record { }; type KRB_ERROR_Arg_Data(index: uint8) = case index of { - 0 -> pvno : ASN1Integer; + 0 -> pvno : ASN1Integer; 1 -> msg_type : ASN1Integer; - 2 -> ctime : KRB_Time; - 3 -> cusec : ASN1Integer; - 4 -> stime : KRB_Time; - 5 -> susec : ASN1Integer; + 2 -> ctime : KRB_Time; + 3 -> cusec : ASN1Integer; + 4 -> stime : KRB_Time; + 5 -> susec : ASN1Integer; 6 -> error_code : ASN1Integer; 7 -> crealm : ASN1OctetString; - 8 -> cname : KRB_Principal_Name; - 9 -> realm : ASN1OctetString; - 10 -> sname : KRB_Principal_Name; + 8 -> cname : KRB_Principal_Name; + 9 -> realm : ASN1OctetString; + 10 -> sname : KRB_Principal_Name; 11 -> e_text : ASN1OctetString; 12 -> e_data : ASN1OctetString; }; 
@@ -313,7 +313,7 @@ type KRB_SAFE_Arg = record { type KRB_SAFE_Arg_Data(index: uint8) = case index of { 0 -> user_data : ASN1OctetString; 1 -> timestamp : KRB_Time; - 2 -> usec : ASN1Integer; + 2 -> usec : ASN1Integer; 3 -> seq_number : ASN1Integer; 4 -> sender_addr: KRB_Host_Address; 5 -> recp_addr : KRB_Host_Address; From ee7ebc72e9ca4597d68312417c98468467cc9635 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 26 Aug 2014 17:44:18 -0400 Subject: [PATCH 023/711] Update baselines. --- .../Baseline/core.print-bpf-filters/output2 | 9 +- .../canonified_loaded_scripts.log | 6 +- .../canonified_loaded_scripts.log | 9 +- .../all-events.log | 224 +++++++++--------- .../smtp-events.log | 52 ++-- 5 files changed, 154 insertions(+), 146 deletions(-) diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index a803d83b91..c933da06fb 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -36,14 +36,15 @@ 1 8000 1 8080 1 81 +1 88 1 8888 1 989 1 990 1 992 1 993 1 995 -46 and -45 or -46 port +47 and +46 or +47 port 32 tcp -14 udp +15 udp diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 8128554281..533677e146 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2014-05-15-14-10-48 +#open 2014-08-26-20-10-29 #fields name #types string scripts/base/init-bare.bro 
@@ -13,6 +13,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/bro.bif.bro build/scripts/base/bif/reporter.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro + build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro build/scripts/base/bif/event.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro @@ -36,6 +37,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro + build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro build/scripts/base/bif/plugins/Bro_Login.events.bif.bro build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro @@ -107,4 +109,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/broxygen.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2014-05-15-14-10-48 +#close 2014-08-26-20-10-29 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 03c299141c..6817f004eb 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2014-05-15-14-12-26 +#open 2014-08-26-20-12-19 #fields name #types string scripts/base/init-bare.bro @@ -13,6 +13,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/bro.bif.bro build/scripts/base/bif/reporter.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro + build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro build/scripts/base/bif/event.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro 
@@ -36,6 +37,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro + build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro build/scripts/base/bif/plugins/Bro_Login.events.bif.bro build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro @@ -207,6 +209,9 @@ scripts/base/init-default.bro scripts/base/protocols/irc/main.bro scripts/base/protocols/irc/dcc-send.bro scripts/base/protocols/irc/files.bro + scripts/base/protocols/krb/__load__.bro + scripts/base/protocols/krb/main.bro + scripts/base/protocols/krb/consts.bro scripts/base/protocols/modbus/__load__.bro scripts/base/protocols/modbus/consts.bro scripts/base/protocols/modbus/main.bro @@ -236,4 +241,4 @@ scripts/base/init-default.bro scripts/base/misc/find-checksum-offloading.bro scripts/base/misc/find-filtered-trace.bro scripts/policy/misc/loaded-scripts.bro -#close 2014-05-15-14-12-26 +#close 2014-08-26-20-12-19 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index b8f576e497..5f2a81c339 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log 
@@ -1,62 +1,62 @@ 0.000000 bro_init 0.000000 filter_change_tracking 1254722767.492060 protocol_confirmation - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_DNS [2] aid: count = 3 1254722767.492060 ChecksumOffloading::check 1254722767.492060 filter_change_tracking 1254722767.492060 new_connection - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722767.492060 dns_message - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [3] len: count = 34 1254722767.492060 dns_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, 
num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], 
dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [2] query: string = mail.patriots.in [3] qtype: count = 1 [4] qclass: count = 1 1254722767.492060 dns_end - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, 
Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] 1254722767.526085 dns_message - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], 
orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F]^J^I}, settings=[max_len=], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, 
rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F]^J^I}, settings=[max_len=], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [3] len: count = 100 1254722767.526085 dns_CNAME_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: 
connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] ans: dns_answer = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs] [3] name: string = patriots.in 1254722767.526085 dns_A_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, 
answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] ans: dns_answer = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs] [3] a: addr = 74.53.140.153 1254722767.526085 dns_end - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, 
extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] 1254722767.529046 new_connection - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722767.875996 connection_established - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.34695, service={^J^J}, addl=, hot=0, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.34695, service={^J^J}, addl=, hot=0, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, 
extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -64,7 +64,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, 
second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -72,7 +72,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, 
second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -80,18 +80,18 @@ [5] cont_resp: bool = F 1254722768.224809 protocol_confirmation - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk 
e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_SMTP [2] aid: count = 7 1254722768.224809 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, 
id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = EHLO [3] arg: string = GP 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, 
history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -99,7 +99,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, 
second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -107,7 +107,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 SIZE 
52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -115,7 +115,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 PIPELINING, 
path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -123,7 +123,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH 
PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -131,7 +131,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 STARTTLS, 
path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -139,13 +139,13 @@ [5] cont_resp: bool = F 1254722768.568729 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, 
path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = AUTH [3] arg: string = LOGIN 1254722768.911081 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, 
id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH 
@@ -153,13 +153,13 @@ [5] cont_resp: bool = F 1254722768.911655 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 
VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu 1254722769.253544 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, 
uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH_ANSWER 
@@ -167,13 +167,13 @@ [5] cont_resp: bool = F 1254722769.254118 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 
UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = cHVuamFiQDEyMw== 1254722769.613798 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, 
uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 235 [3] cmd: string = AUTH_ANSWER 
@@ -181,13 +181,13 @@ [5] cont_resp: bool = F 1254722769.614414 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, 
last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = MAIL [3] arg: string = FROM: 1254722769.956765 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, 
smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = MAIL 
@@ -195,13 +195,13 @@ [5] cont_resp: bool = F 1254722769.957250 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, 
path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1254722770.319708 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, 
id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -209,16 +209,16 @@ [5] cont_resp: bool = F 1254722770.320203 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, 
last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = DATA [3] arg: string = 1254722770.320203 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, 
uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] 1254722770.661679 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, 
uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 354 [3] cmd: string = DATA 
@@ -226,286 +226,286 @@ [5] cont_resp: bool = F 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, 
x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=FROM, value="Gurpartap Singh" ] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from="Gurpartap Singh" , to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from="Gurpartap Singh" , to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=TO, value=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=SUBJECT, value=SMTP] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=DATE, value=Mon, 5 Oct 2009 11:36:07 +0530] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=MESSAGE-ID, value=<000301ca4581$ef9e57f0$cedb07d0$@in>] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/mixed;^Iboundary="----=_NextPart_000_0004_01CA45B0.095693F0"] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=X-MAILER, value=Microsoft Office Outlook 12.0] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=THREAD-INDEX, value=AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-LANGUAGE, value=en-us] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=X-CR-HASHEDPUZZLE, value=SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=X-CR-PUZZLEID, value={CAA37F59-1850-45C7-8540-AA27696B5398}] 1254722770.692743 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=2], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=2], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/alternative;^Iboundary="----=_NextPart_001_0005_01CA45B0.095693F0"] 1254722770.692743 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=2], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=2], socks=, ssh=, syslog=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Icharset="us-ascii"] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692743 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692743 file_new - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] 1254722770.692743 file_over_new_connection - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692743 file_state_remove - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, 
msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, 
date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692743 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/html;^Icharset="us-ascii"] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable] 1254722770.692786 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692786 file_new - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] [1] mime_type: string = text/html 1254722770.692804 file_state_remove - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=F, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=F, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692804 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692804 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] 1254722770.692804 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Iname="NEWS.txt"] 1254722770.692804 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable] 1254722770.692804 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-DISPOSITION, value=attachment;^Ifilename="NEWS.txt"] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692804 file_new - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, u2_events=] 1254722770.692804 file_over_new_connection - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.695115 new_connection - [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722771.494181 file_mime_type - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, 
addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine 
(i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. 
^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: -D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show 
progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code 
completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to 
the^M^J compiler: -D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] [1] mime_type: string = text/plain 1254722771.858334 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, 
helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722771.858334 file_state_remove - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* 
Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: 
-D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=F, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, 
id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* 
"Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. 
^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories (include, libs and ressources)^M^J* Changed tint of Class browser pictures colors to match the New Look style^M^J* Bug fixes^M^J^M^JVersion 4.9.7.5^M^J* Bug fixes^M^J^M^JVersion 4.9.7.4^M^J* When compiling with debugging symbols, an extra definition is passed to the^M^J compiler: -D__DEBUG__^M^J* Each project creates a _private.h file containing version^M^J information definitions^M^J* When compiling the current file only, no dependency checks are performed^M^J* ~300% Speed-up in class parser^M^J* Added "External programs" in Tools/Environment Options (for units "Open with")^M^J* Added "Open with" in project units context menu^M^J* Added "Classes" toolbar^M^J* Fixed pre-compilation dependency checks to work correctly^M^J* Added new file menu entry: Save Project As^M^J* Bug-fix for double quotes in devcpp.cfg file read by vUpdate^M^J* Other bug fixes^M^J^M^JVersion 4.9.7.3^M^J* When adding debugging symbols on request, remove "-s" option from linker^M^J* Compiling progress window^M^J* Environment options : "Show 
progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=F, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], ftp=, http=, irc=, u2_events=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722771.858334 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722771.858334 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1254722772.248789 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . 
@@ -470,13 +470,13 @@ [5] cont_resp: bool = F 1254722774.763825 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, 
last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = QUIT [3] arg: string = 1254722775.105467 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722772.248789, 
uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 221 [3] cmd: string = QUIT 
@@ -484,24 +484,24 @@ [5] cont_resp: bool = F 1254722776.690444 new_connection - [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CsRx2w45OKnoww6xl4, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CsRx2w45OKnoww6xl4, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722776.690444 net_done [0] t: time = 1254722776.690444 1254722776.690444 ChecksumOffloading::check 1254722776.690444 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = 
[id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722776.690444 filter_change_tracking 1254722776.690444 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, 
state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 1254722776.690444 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, 
http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722776.690444 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.001519, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.001519, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722776.690444 bro_done 1254722776.690444 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log index fbe9032fe7..7a2a9d4137 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log 
@@ -1,5 +1,5 @@ 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -7,7 +7,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, 
first_received=, second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -15,7 +15,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, 
second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -23,13 +23,13 @@ [5] cont_resp: bool = F 1254722768.224809 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, 
last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = EHLO [3] arg: string = GP 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, 
smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -37,7 +37,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, 
first_received=, second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -45,7 +45,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, 
last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -53,7 +53,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 
PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -61,7 +61,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, 
last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -69,7 +69,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 
STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -77,13 +77,13 @@ [5] cont_resp: bool = F 1254722768.568729 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 
HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = AUTH [3] arg: string = LOGIN 1254722768.911081 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, 
uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH 
@@ -91,13 +91,13 @@ [5] cont_resp: bool = F 1254722768.911655 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, 
last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu 1254722769.253544 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, 
snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH_ANSWER 
@@ -105,13 +105,13 @@ [5] cont_resp: bool = F 1254722769.254118 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, 
last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = cHVuamFiQDEyMw== 1254722769.613798 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, 
smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 235 [3] cmd: string = AUTH_ANSWER 
@@ -119,13 +119,13 @@ [5] cont_resp: bool = F 1254722769.614414 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, 
second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = MAIL [3] arg: string = FROM: 1254722769.956765 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, 
mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = MAIL 
@@ -133,13 +133,13 @@ [5] cont_resp: bool = F 1254722769.957250 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 
OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1254722770.319708 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, 
uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -147,13 +147,13 @@ [5] cont_resp: bool = F 1254722770.320203 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, 
second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = DATA [3] arg: string = 1254722770.661679 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, 
snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 354 [3] cmd: string = DATA 
@@ -161,13 +161,13 @@ [5] cont_resp: bool = F 1254722771.858334 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1254722772.248789 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . 
@@ -175,13 +175,13 @@ [5] cont_resp: bool = F 1254722774.763825 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, 
last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = QUIT [3] arg: string = 1254722775.105467 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, snmp=, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, mysql=, radius=, rdp=, snmp=, smtp=[ts=1254722772.248789, 
uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 221 [3] cmd: string = QUIT From 371cf10c8635e3a0f6184774ee20df80199b3004 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 5 Mar 2015 16:57:58 -0500 Subject: [PATCH 158/711] Improved transition into SSL/TLS from RDP. --- src/analyzer/protocol/rdp/RDP.cc | 11 ++++++----- src/analyzer/protocol/rdp/rdp-protocol.pac | 9 +++++++++ 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/src/analyzer/protocol/rdp/RDP.cc b/src/analyzer/protocol/rdp/RDP.cc index dafa7f4c2f..25d5429e8d 100644 --- a/src/analyzer/protocol/rdp/RDP.cc +++ b/src/analyzer/protocol/rdp/RDP.cc @@ -47,13 +47,12 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) // deliver data to the other side if the script layer can handle this. return; - // If the data appears (very loosely) to be SSL/TLS - // we'll just move this over to the PIA analyzer. - // Like the comment below says, this is probably the wrong - // way to handle this. if ( interp->is_encrypted() ) { - if ( len > 0 && data[0] >= 0x14 && data[0] <= 0x17 ) + // 0x00 is RDP native encryption which we don't do anything with now. + // 0x01 is SSL/TLS + // 0x03-0x04 is CredSSP which is effectively SSL/TLS + if ( interp->encryption_method() > 0x00 ) { if ( ! pia ) { @@ -67,7 +66,9 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } if ( pia ) + { ForwardStream(len, data, orig); + } } } else // if not encrypted 
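Review bot: The new guard `if ( interp->encryption_method() > 0x00 )` hands the stream to the PIA for every non-zero method, not only the 0x01 and 0x03-0x04 values the comment above it enumerates, so a value such as 0x02 or anything above 0x04 is forwarded too, and the old first-byte sanity check on `data[0]` no longer applies to any of them. If that leniency is intended, the comment should say so, e.g. `// Anything other than native RDP encryption is handed to the PIA, which detects SSL/TLS itself.`; if it is not, compare against the listed values explicitly instead of `> 0x00`. The value ranges in the comment are also worth double-checking against the selectedProtocol definition in MS-RDPBCGR before they become the documented contract. DeliverStream begins before the first hunk and its body continues past the second one.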
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac index 950744301f..adb13948ef 100644 --- a/src/analyzer/protocol/rdp/rdp-protocol.pac +++ b/src/analyzer/protocol/rdp/rdp-protocol.pac @@ -388,15 +388,19 @@ refine connection RDP_Conn += { %member{ bool is_encrypted_; + uint32 encryption_method_; %} %init{ is_encrypted_ = false; + encryption_method_ = 0; %} function go_encrypted(method: uint32): bool %{ is_encrypted_ = true; + encryption_method_ = method; + if ( rdp_begin_encryption ) { BifEvent::generate_rdp_begin_encryption(bro_analyzer(), @@ -411,4 +415,9 @@ refine connection RDP_Conn += { %{ return is_encrypted_; %} + + function encryption_method(): uint32 + %{ + return encryption_method_; + %} }; \ No newline at end of file From fa08083a92307b35ecf5d01b396661a83674b6bd Mon Sep 17 00:00:00 2001 
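Review bot: The new `encryption_method()` getter returns 0 both before `go_encrypted()` has run and when the negotiated method is RDP native encryption, so a caller cannot tell "not yet negotiated" from "native" by this value alone; a comment on the getter should state that, e.g. `// 0 until go_encrypted() is called; 0 is also the native-RDP value, so check is_encrypted() first.` Since `go_encrypted()` stores whatever `method` it is given, the same caveat applies to values the RDP.cc comment does not list. The hunk also keeps the file without a trailing newline (`\ No newline at end of file`), which is easy to fix while touching the end of the file.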
From: Jon Siwek Date: Thu, 5 Mar 2015 16:20:51 -0600 Subject: [PATCH 159/711] Rename broker-related namespaces. c++ namespace "comm" -> bro_broker script module "Comm" -> BrokerComm script module "Store" -> BrokerStore --- doc/frameworks/comm.rst | 50 +-- doc/frameworks/comm/connecting-connector.bro | 10 +- doc/frameworks/comm/connecting-listener.bro | 14 +- doc/frameworks/comm/events-connector.bro | 20 +- doc/frameworks/comm/events-listener.bro | 12 +- doc/frameworks/comm/logs-connector.bro | 14 +- doc/frameworks/comm/logs-listener.bro | 12 +- doc/frameworks/comm/printing-connector.bro | 18 +- doc/frameworks/comm/printing-listener.bro | 14 +- doc/frameworks/comm/stores-connector.bro | 40 +-- doc/frameworks/comm/stores-listener.bro | 22 +- doc/frameworks/comm/testlog.bro | 2 +- scripts/base/frameworks/comm/main.bro | 20 +- src/EventHandler.cc | 6 +- src/Net.cc | 2 +- src/Stats.cc | 2 +- src/comm/Data.cc | 118 +++---- src/comm/Data.h | 36 +- src/comm/Manager.cc | 156 ++++----- src/comm/Manager.h | 54 +-- src/comm/Store.cc | 28 +- src/comm/Store.h | 32 +- src/comm/comm.bif | 82 ++--- src/comm/data.bif | 318 +++++++++--------- src/comm/messaging.bif | 80 ++--- src/comm/store.bif | 242 ++++++------- src/logging/Manager.cc | 2 +- src/main.cc | 4 +- .../Baseline/comm.clone_store/clone.clone.out | 10 +- .../comm.connection_updates/recv.recv.out | 4 +- .../comm.connection_updates/send.send.out | 2 +- testing/btest/Baseline/comm.data/out | 32 +- .../Baseline/comm.master_store/master.out | 28 +- .../Baseline/comm.remote_event/send.send.out | 2 +- .../Baseline/comm.remote_log/send.send.out | 2 +- .../Baseline/comm.remote_print/send.send.out | 2 +- .../output | 10 +- .../output | 14 +- .../output | 20 +- .../output | 12 +- .../output | 14 +- .../output | 12 +- .../output | 18 +- .../output | 14 +- .../output | 40 +-- .../output | 22 +- .../output | 2 +- testing/btest/comm/clone_store.bro | 62 ++-- testing/btest/comm/connection_updates.bro | 24 +- testing/btest/comm/data.bro | 
228 ++++++------- testing/btest/comm/master_store.bro | 46 +-- testing/btest/comm/remote_event.test | 32 +- testing/btest/comm/remote_log.test | 16 +- testing/btest/comm/remote_print.test | 28 +- ...eworks_comm_connecting-connector_bro.btest | 10 +- ...meworks_comm_connecting-listener_bro.btest | 14 +- ...frameworks_comm_events-connector_bro.btest | 20 +- ..._frameworks_comm_events-listener_bro.btest | 12 +- ...c_frameworks_comm_logs-connector_bro.btest | 14 +- ...oc_frameworks_comm_logs-listener_bro.btest | 12 +- ...ameworks_comm_printing-connector_bro.btest | 18 +- ...rameworks_comm_printing-listener_bro.btest | 14 +- ...frameworks_comm_stores-connector_bro.btest | 40 +-- ..._frameworks_comm_stores-listener_bro.btest | 22 +- ...lude-doc_frameworks_comm_testlog_bro.btest | 2 +- 65 files changed, 1142 insertions(+), 1142 deletions(-) diff --git a/doc/frameworks/comm.rst b/doc/frameworks/comm.rst index 38f1f5b644..0c0dd80845 100644 --- a/doc/frameworks/comm.rst +++ b/doc/frameworks/comm.rst 
@@ -20,20 +20,20 @@ Connecting to Peers =================== Communication via Broker must first be turned on via -:bro:see:`Comm::enable`. +:bro:see:`BrokerComm::enable`. -Bro can accept incoming connections by calling :bro:see:`Comm::listen` +Bro can accept incoming connections by calling :bro:see:`BrokerComm::listen` and then monitor connection status updates via -:bro:see:`Comm::incoming_connection_established` and -:bro:see:`Comm::incoming_connection_broken`. +:bro:see:`BrokerComm::incoming_connection_established` and +:bro:see:`BrokerComm::incoming_connection_broken`. .. btest-include:: ${DOC_ROOT}/frameworks/comm/connecting-listener.bro -Bro can initiate outgoing connections by calling :bro:see:`Comm::connect` +Bro can initiate outgoing connections by calling :bro:see:`BrokerComm::connect` and then monitor connection status updates via -:bro:see:`Comm::outgoing_connection_established`, -:bro:see:`Comm::outgoing_connection_broken`, and -:bro:see:`Comm::outgoing_connection_incompatible`. +:bro:see:`BrokerComm::outgoing_connection_established`, +:bro:see:`BrokerComm::outgoing_connection_broken`, and +:bro:see:`BrokerComm::outgoing_connection_incompatible`. .. btest-include:: ${DOC_ROOT}/frameworks/comm/connecting-connector.bro @@ -41,14 +41,14 @@ Remote Printing =============== To receive remote print messages, first use -:bro:see:`Comm::subscribe_to_prints` to advertise to peers a topic +:bro:see:`BrokerComm::subscribe_to_prints` to advertise to peers a topic prefix of interest and then create an event handler for -:bro:see:`Comm::print_handler` to handle any print messages that are +:bro:see:`BrokerComm::print_handler` to handle any print messages that are received. .. btest-include:: ${DOC_ROOT}/frameworks/comm/printing-listener.bro -To send remote print messages, just call :bro:see:`Comm::print`. +To send remote print messages, just call :bro:see:`BrokerComm::print`. .. btest-include:: ${DOC_ROOT}/frameworks/comm/printing-connector.bro 
@@ -72,14 +72,14 @@ Remote Events ============= Receiving remote events is similar to remote prints. Just use -:bro:see:`Comm::subscribe_to_events` and possibly define any new events +:bro:see:`BrokerComm::subscribe_to_events` and possibly define any new events along with handlers that peers may want to send. .. btest-include:: ${DOC_ROOT}/frameworks/comm/events-listener.bro To send events, there are two choices. The first is to use call -:bro:see:`Comm::event` directly. The second option is to use -:bro:see:`Comm::auto_event` to make it so a particular event is +:bro:see:`BrokerComm::event` directly. The second option is to use +:bro:see:`BrokerComm::auto_event` to make it so a particular event is automatically sent to peers whenever it is called locally via the normal event invocation syntax. @@ -107,14 +107,14 @@ Remote Logging .. btest-include:: ${DOC_ROOT}/frameworks/comm/testlog.bro -Use :bro:see:`Comm::subscribe_to_logs` to advertise interest in logs +Use :bro:see:`BrokerComm::subscribe_to_logs` to advertise interest in logs written by peers. The topic names that Bro uses are implicitly of the form "bro/log/". .. btest-include:: ${DOC_ROOT}/frameworks/comm/logs-listener.bro To send remote logs either use :bro:see:`Log::enable_remote_logging` or -:bro:see:`Comm::enable_remote_logs`. The former allows any log stream +:bro:see:`BrokerComm::enable_remote_logs`. The former allows any log stream to be sent to peers while the later toggles remote logging for particular streams. 
@@ -140,23 +140,23 @@ Tuning Access Control By default, endpoints do not restrict the message topics that it sends to peers and do not restrict what message topics and data store identifiers get advertised to peers. These are the default -:bro:see:`Comm::EndpointFlags` supplied to :bro:see:`Comm::enable`. +:bro:see:`BrokerComm::EndpointFlags` supplied to :bro:see:`BrokerComm::enable`. If not using the ``auto_publish`` flag, one can use the -:bro:see:`Comm::publish_topic` and :bro:see:`Comm::unpublish_topic` +:bro:see:`BrokerComm::publish_topic` and :bro:see:`BrokerComm::unpublish_topic` functions to manipulate the set of message topics (must match exactly) that are allowed to be sent to peer endpoints. These settings take precedence over the per-message ``peers`` flag supplied to functions -that take a :bro:see:`Comm::SendFlags` such as :bro:see:`Comm::print`, -:bro:see:`Comm::event`, :bro:see:`Comm::auto_event` or -:bro:see:`Comm::enable_remote_logs`. +that take a :bro:see:`BrokerComm::SendFlags` such as :bro:see:`BrokerComm::print`, +:bro:see:`BrokerComm::event`, :bro:see:`BrokerComm::auto_event` or +:bro:see:`BrokerComm::enable_remote_logs`. If not using the ``auto_advertise`` flag, one can use the -:bro:see:`Comm::advertise_topic` and :bro:see:`Comm::unadvertise_topic` +:bro:see:`BrokerComm::advertise_topic` and :bro:see:`BrokerComm::unadvertise_topic` to manupulate the set of topic prefixes that are allowed to be advertised to peers. If an endpoint does not advertise a topic prefix, the only way a peers can send messages to it is via the ``unsolicited`` -flag of :bro:see:`Comm::SendFlags` and choosing a topic with a matching +flag of :bro:see:`BrokerComm::SendFlags` and choosing a topic with a matching prefix (i.e. full topic may be longer than receivers prefix, just the prefix needs to match). 
@@ -194,8 +194,8 @@ last modification time. .. btest-include:: ${DOC_ROOT}/frameworks/comm/stores-connector.bro In the above example, if a local copy of the store contents isn't -needed, just replace the :bro:see:`Store::create_clone` call with -:bro:see:`Store::create_frontend`. Queries will then be made against +needed, just replace the :bro:see:`BrokerStore::create_clone` call with +:bro:see:`BrokerStore::create_frontend`. Queries will then be made against the remote master store instead of the local clone. Note that all queries are made within Bro's asynchrounous ``when`` diff --git a/doc/frameworks/comm/connecting-connector.bro b/doc/frameworks/comm/connecting-connector.bro index d5b191ad38..017f88f214 100644 --- a/doc/frameworks/comm/connecting-connector.bro +++ b/doc/frameworks/comm/connecting-connector.bro @@ -1,19 +1,19 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; terminate(); } diff --git a/doc/frameworks/comm/connecting-listener.bro b/doc/frameworks/comm/connecting-listener.bro index 4e5c3ad86f..2732bed760 100644 --- a/doc/frameworks/comm/connecting-listener.bro +++ b/doc/frameworks/comm/connecting-listener.bro 
@@ -1,21 +1,21 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; event bro_init() { - Comm::enable(); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } -event Comm::incoming_connection_broken(peer_name: string) +event BrokerComm::incoming_connection_broken(peer_name: string) { - print "Comm::incoming_connection_broken", peer_name; + print "BrokerComm::incoming_connection_broken", peer_name; terminate(); } diff --git a/doc/frameworks/comm/events-connector.bro b/doc/frameworks/comm/events-connector.bro index 28a94f356e..fc0e48769b 100644 --- a/doc/frameworks/comm/events-connector.bro +++ b/doc/frameworks/comm/events-connector.bro 
@@ -1,30 +1,30 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); - Comm::auto_event("bro/event/my_auto_event", my_auto_event); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::auto_event("bro/event/my_auto_event", my_auto_event); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; - Comm::event("bro/event/my_event", Comm::event_args(my_event, "hi", 0)); + BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "hi", 0)); event my_auto_event("stuff", 88); - Comm::event("bro/event/my_event", Comm::event_args(my_event, "...", 1)); + BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "...", 1)); event my_auto_event("more stuff", 51); - Comm::event("bro/event/my_event", Comm::event_args(my_event, "bye", 2)); + BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "bye", 2)); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/doc/frameworks/comm/events-listener.bro b/doc/frameworks/comm/events-listener.bro index 4d8985d09a..09a99b7c97 100644 --- a/doc/frameworks/comm/events-listener.bro +++ b/doc/frameworks/comm/events-listener.bro 
@@ -1,21 +1,21 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; global msg_count = 0; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Comm::enable(); - Comm::subscribe_to_events("bro/event/"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_events("bro/event/"); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } event my_event(msg: string, c: count) diff --git a/doc/frameworks/comm/logs-connector.bro b/doc/frameworks/comm/logs-connector.bro index 2c02acb188..cdd50b7140 100644 --- a/doc/frameworks/comm/logs-connector.bro +++ b/doc/frameworks/comm/logs-connector.bro @@ -2,16 +2,16 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; redef Log::enable_local_logging = F; redef Log::enable_remote_logging = F; global n = 0; event bro_init() { - Comm::enable(); - Comm::enable_remote_logs(Test::LOG); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::enable_remote_logs(Test::LOG); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } event do_write() 
@@ -24,16 +24,16 @@ event do_write() event do_write(); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; event do_write(); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/doc/frameworks/comm/logs-listener.bro b/doc/frameworks/comm/logs-listener.bro index 5f763be7ee..788d459cc8 100644 --- a/doc/frameworks/comm/logs-listener.bro +++ b/doc/frameworks/comm/logs-listener.bro @@ -2,18 +2,18 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; event bro_init() { - Comm::enable(); - Comm::subscribe_to_logs("bro/log/Test::LOG"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_logs("bro/log/Test::LOG"); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } event Test::log_test(rec: Test::Info) diff --git a/doc/frameworks/comm/printing-connector.bro b/doc/frameworks/comm/printing-connector.bro index 76567dbb97..9135f8f4c4 100644 --- a/doc/frameworks/comm/printing-connector.bro +++ b/doc/frameworks/comm/printing-connector.bro 
@@ -1,25 +1,25 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; - Comm::print("bro/print/hi", "hello"); - Comm::print("bro/print/stuff", "..."); - Comm::print("bro/print/bye", "goodbye"); + BrokerComm::print("bro/print/hi", "hello"); + BrokerComm::print("bro/print/stuff", "..."); + BrokerComm::print("bro/print/bye", "goodbye"); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/doc/frameworks/comm/printing-listener.bro b/doc/frameworks/comm/printing-listener.bro index 9bd3844502..12abf9131e 100644 --- a/doc/frameworks/comm/printing-listener.bro +++ b/doc/frameworks/comm/printing-listener.bro 
@@ -1,22 +1,22 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; global msg_count = 0; event bro_init() { - Comm::enable(); - Comm::subscribe_to_prints("bro/print/"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_prints("bro/print/"); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } -event Comm::print_handler(msg: string) +event BrokerComm::print_handler(msg: string) { ++msg_count; print "got print message", msg; diff --git a/doc/frameworks/comm/stores-connector.bro b/doc/frameworks/comm/stores-connector.bro index 61e863e835..82fb54dcdb 100644 --- a/doc/frameworks/comm/stores-connector.bro +++ b/doc/frameworks/comm/stores-connector.bro 
@@ -1,42 +1,42 @@
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
-global h: opaque of Store::Handle;
+global h: opaque of BrokerStore::Handle;
-function dv(d: Comm::Data): Comm::DataVector
+function dv(d: BrokerComm::Data): BrokerComm::DataVector
 {
- local rval: Comm::DataVector;
+ local rval: BrokerComm::DataVector;
 rval[0] = d;
 return rval;
 }
 global ready: event();
-event Comm::outgoing_connection_broken(peer_address: string,
+event BrokerComm::outgoing_connection_broken(peer_address: string,
 peer_port: port)
 {
 terminate();
 }
-event Comm::outgoing_connection_established(peer_address: string,
+event BrokerComm::outgoing_connection_established(peer_address: string,
 peer_port: port, peer_name: string)
 {
 local myset: set[string] = {"a", "b", "c"};
 local myvec: vector of string = {"alpha", "beta", "gamma"};
- h = Store::create_master("mystore");
- Store::insert(h, Comm::data("one"), Comm::data(110));
- Store::insert(h, Comm::data("two"), Comm::data(223));
- Store::insert(h, Comm::data("myset"), Comm::data(myset));
- Store::insert(h, Comm::data("myvec"), Comm::data(myvec));
- Store::increment(h, Comm::data("one"));
- Store::decrement(h, Comm::data("two"));
- Store::add_to_set(h, Comm::data("myset"), Comm::data("d"));
- Store::remove_from_set(h, Comm::data("myset"), Comm::data("b"));
- Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta")));
- Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega")));
+ h = BrokerStore::create_master("mystore");
+ BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
+ BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
+ BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
+ BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
+ BrokerStore::increment(h, BrokerComm::data("one"));
+ BrokerStore::decrement(h, BrokerComm::data("two"));
+ BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
+
BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
+ BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
+ BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
- when ( local res = Store::size(h) )
+ when ( local res = BrokerStore::size(h) )
 {
 print "master size", res;
 event ready();
@@ -47,7 +47,7 @@ event Comm::outgoing_connection_established(peer_address: string,
 event bro_init()
 {
- Comm::enable();
- Comm::connect("127.0.0.1", broker_port, 1secs);
- Comm::auto_event("bro/event/ready", ready);
+ BrokerComm::enable();
+ BrokerComm::connect("127.0.0.1", broker_port, 1secs);
+ BrokerComm::auto_event("bro/event/ready", ready);
 }
diff --git a/doc/frameworks/comm/stores-listener.bro b/doc/frameworks/comm/stores-listener.bro
index 89384c2e9d..0a8dc85e13 100644
--- a/doc/frameworks/comm/stores-listener.bro
+++ b/doc/frameworks/comm/stores-listener.bro
@@ -1,13 +1,13 @@
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
-global h: opaque of Store::Handle;
+global h: opaque of BrokerStore::Handle;
 global expected_key_count = 4;
 global key_count = 0;
 function do_lookup(key: string)
 {
- when ( local res = Store::lookup(h, Comm::data(key)) )
+ when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
 {
 ++key_count;
 print "lookup", key, res;
@@ -21,15 +21,15 @@ function do_lookup(key: string)
 event ready()
 {
- h = Store::create_clone("mystore");
+ h = BrokerStore::create_clone("mystore");
- when ( local res = Store::keys(h) )
+ when ( local res = BrokerStore::keys(h) )
 {
 print "clone keys", res;
- do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 0)));
- do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 1)));
- do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 2)));
- do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 3)));
+ do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0)));
+ do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1)));
+ do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2)));
+ do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3)));
 }
 timeout 10sec { print "timeout"; }
@@ -37,7 +37,7 @@ event ready()
 event bro_init()
 {
- Comm::enable();
- Comm::subscribe_to_events("bro/event/ready");
- Comm::listen(broker_port, "127.0.0.1");
+ BrokerComm::enable();
+ BrokerComm::subscribe_to_events("bro/event/ready");
+ BrokerComm::listen(broker_port, "127.0.0.1");
 }
diff --git a/doc/frameworks/comm/testlog.bro b/doc/frameworks/comm/testlog.bro
index b5f449ae3d..9c04218e85 100644
--- a/doc/frameworks/comm/testlog.bro
+++ b/doc/frameworks/comm/testlog.bro
@@ -14,6 +14,6 @@ export {
 event bro_init() &priority=5
 {
- Comm::enable();
+ BrokerComm::enable();
 Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]);
 }
diff --git a/scripts/base/frameworks/comm/main.bro b/scripts/base/frameworks/comm/main.bro
index d0f58f585a..e8b57d57d9 100644
--- a/scripts/base/frameworks/comm/main.bro
+++ b/scripts/base/frameworks/comm/main.bro
@@ -1,11 +1,11 @@
 ##! Various data structure definitions for use with Bro's communication system.
-module Comm;
+module BrokerComm;
 export {
 ## A name used to identify this endpoint to peers.
- ## .. bro:see:: Comm::connect Comm::listen
+ ## .. bro:see:: BrokerComm::connect BrokerComm::listen
 const endpoint_name = "" &redef;
 ## Change communication behavior.
@@ -32,11 +32,11 @@ export {
 ## Opaque communication data.
 type Data: record {
- d: opaque of Comm::Data &optional;
+ d: opaque of BrokerComm::Data &optional;
 };
 ## Opaque communication data.
- type DataVector: vector of Comm::Data;
+ type DataVector: vector of BrokerComm::Data;
 ## Opaque event communication data.
 type EventArgs: record {
@@ -48,13 +48,13 @@ export {
 ## Opaque communication data used as a convenient way to wrap key-value
 ## pairs that comprise table entries.
- type Comm::TableItem : record {
- key: Comm::Data;
- val: Comm::Data;
+ type TableItem : record {
+ key: BrokerComm::Data;
+ val: BrokerComm::Data;
 };
 }
-module Store;
+module BrokerStore;
 export {
@@ -76,11 +76,11 @@ export {
 ## The result of a data store query.
 type QueryResult: record {
 ## Whether the query completed or not.
- status: Store::QueryStatus;
+ status: BrokerStore::QueryStatus;
 ## The result of the query. Certain queries may use a particular
 ## data type (e.g. querying store size always returns a count, but
 ## a lookup may return various data types).
- result: Comm::Data;
+ result: BrokerComm::Data;
 };
 ## Options to tune the SQLite storage backend.
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
index f063026d9a..2874c56c03 100644
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@@ -96,7 +96,7 @@ void EventHandler::Call(val_list* vl, bool no_remote)
 for ( auto i = 0; i < vl->length(); ++i )
 {
- auto opt_data = comm::val_to_data((*vl)[i]);
+ auto opt_data = bro_broker::val_to_data((*vl)[i]);
 if ( opt_data )
 msg.emplace_back(move(*opt_data));
@@ -116,9 +116,9 @@ void EventHandler::Call(val_list* vl, bool no_remote)
 it != auto_remote_send.end(); ++it )
 {
 if ( std::next(it) == auto_remote_send.end() )
- comm_mgr->Event(it->first, move(msg), it->second);
+ broker_mgr->Event(it->first, move(msg), it->second);
 else
- comm_mgr->Event(it->first, msg, it->second);
+ broker_mgr->Event(it->first, msg, it->second);
 }
 }
 }
diff --git a/src/Net.cc b/src/Net.cc
index 3acd4bce9d..820ccd2f76 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -322,7 +322,7 @@ void net_run()
 bool communication_enabled = using_communication;
 #ifdef ENABLE_BROKER
- communication_enabled |= comm_mgr->Enabled();
+ communication_enabled |= broker_mgr->Enabled();
 #endif
 if ( src )
diff --git a/src/Stats.cc b/src/Stats.cc
index 111af52598..437fb6de4b 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -227,7 +227,7 @@ void ProfileLogger::Log()
 }
 #ifdef ENABLE_BROKER
- auto cs = comm_mgr->ConsumeStatistics();
+ auto cs = broker_mgr->ConsumeStatistics();
 file->Write(fmt("%0.6f Comm: peers=%zu stores=%zu "
 "store_queries=%zu store_responses=%zu "
diff --git a/src/comm/Data.cc b/src/comm/Data.cc
index ad1d6ed647..96377284d1 100644
--- a/src/comm/Data.cc
+++ b/src/comm/Data.cc
@@ -5,11 +5,11 @@
 using namespace std;
-OpaqueType* comm::opaque_of_data_type;
-OpaqueType* comm::opaque_of_set_iterator;
-OpaqueType* comm::opaque_of_table_iterator;
-OpaqueType* comm::opaque_of_vector_iterator;
-OpaqueType* comm::opaque_of_record_iterator;
+OpaqueType* bro_broker::opaque_of_data_type;
+OpaqueType* bro_broker::opaque_of_set_iterator;
+OpaqueType* bro_broker::opaque_of_table_iterator;
+OpaqueType* bro_broker::opaque_of_vector_iterator;
+OpaqueType* bro_broker::opaque_of_record_iterator;
 static broker::port::protocol to_broker_port_proto(TransportProto tp)
 {
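Review bot: The profiling-log label in the `file->Write(fmt("%0.6f Comm: peers=%zu stores=%zu "` context line, directly below the renamed `broker_mgr->ConsumeStatistics()` call in the Stats.cc hunk, still reads `Comm:` while everything else in this commit moves to the BrokerComm / broker_mgr naming, so the emitted log no longer matches the names a reader will grep for. If the label is intentionally kept so existing consumers of the profiling log keep parsing it, a one-line comment such as `// "Comm:" label kept for compatibility with existing profiling-log consumers` would make that explicit; otherwise it should be renamed in step with the rest of the change. The enclosing ProfileLogger::Log() body starts and ends outside the hunk.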
@@ -26,7 +26,7 @@ static broker::port::protocol to_broker_port_proto(TransportProto tp)
 }
 }
-TransportProto comm::to_bro_port_proto(broker::port::protocol tp)
+TransportProto bro_broker::to_bro_port_proto(broker::port::protocol tp)
 {
 switch ( tp ) {
 case broker::port::protocol::tcp:
@@ -135,7 +135,7 @@ struct val_converter {
 result_type operator()(broker::port& a)
 {
 if ( type->Tag() == TYPE_PORT )
- return new PortVal(a.number(), comm::to_bro_port_proto(a.type()));
+ return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type()));
 return nullptr;
 }
@@ -204,8 +204,8 @@ struct val_converter {
 for ( auto i = 0u; i < indices->size(); ++i )
 {
- auto index_val = comm::data_to_val(move((*indices)[i]),
- (*expected_index_types)[i]);
+ auto index_val = bro_broker::data_to_val(move((*indices)[i]),
+ (*expected_index_types)[i]);
 if ( ! index_val )
 {
@@ -257,8 +257,8 @@ struct val_converter {
 for ( auto i = 0u; i < indices->size(); ++i )
 {
- auto index_val = comm::data_to_val(move((*indices)[i]),
- (*expected_index_types)[i]);
+ auto index_val = bro_broker::data_to_val(move((*indices)[i]),
+ (*expected_index_types)[i]);
 if ( ! index_val )
 {
@@ -270,8 +270,8 @@ struct val_converter {
 list_val->Append(index_val);
 }
- auto value_val = comm::data_to_val(move(item.second),
- tt->YieldType());
+ auto value_val = bro_broker::data_to_val(move(item.second),
+ tt->YieldType());
 if ( ! value_val )
 {
@@ -297,7 +297,7 @@ struct val_converter {
 for ( auto& item : a )
 {
- auto item_val = comm::data_to_val(move(item), vt->YieldType());
+ auto item_val = bro_broker::data_to_val(move(item), vt->YieldType());
 if ( ! item_val )
 {
@@ -336,8 +336,8 @@ struct val_converter {
 continue;
 }
- auto item_val = comm::data_to_val(move(*a.fields[i]),
- rt->FieldType(i));
+ auto item_val = bro_broker::data_to_val(move(*a.fields[i]),
+ rt->FieldType(i));
 if ( ! item_val )
 {
@@ -352,12 +352,12 @@ struct val_converter {
 }
 };
-Val* comm::data_to_val(broker::data d, BroType* type, bool require_log_attr)
+Val* bro_broker::data_to_val(broker::data d, BroType* type, bool require_log_attr)
 {
 return broker::visit(val_converter{type, require_log_attr}, d);
 }
-broker::util::optional comm::val_to_data(Val* v)
+broker::util::optional bro_broker::val_to_data(Val* v)
 {
 switch ( v->Type()->Tag() ) {
 case TYPE_BOOL:
@@ -539,7 +539,7 @@ broker::util::optional comm::val_to_data(Val* v)
 return {rval};
 }
 default:
- reporter->Error("unsupported Comm::Data type: %s",
+ reporter->Error("unsupported BrokerComm::Data type: %s",
 type_name(v->Type()->Tag()));
 break;
 }
@@ -547,9 +547,9 @@ broker::util::optional comm::val_to_data(Val* v)
 return {};
 }
-RecordVal* comm::make_data_val(Val* v)
+RecordVal* bro_broker::make_data_val(Val* v)
 {
- auto rval = new RecordVal(BifType::Record::Comm::Data);
+ auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
 auto data = val_to_data(v);
 if ( data )
@@ -558,9 +558,9 @@ RecordVal* comm::make_data_val(Val* v)
 return rval;
 }
-RecordVal* comm::make_data_val(broker::data d)
+RecordVal* bro_broker::make_data_val(broker::data d)
 {
- auto rval = new RecordVal(BifType::Record::Comm::Data);
+ auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
 rval->Assign(0, new DataVal(move(d)));
 return rval;
 }
@@ -570,114 +570,114 @@ struct data_type_getter {
 result_type operator()(bool a)
 {
- return new EnumVal(BifEnum::Comm::BOOL,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::BOOL,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(uint64_t a)
 {
- return new EnumVal(BifEnum::Comm::COUNT,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::COUNT,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(int64_t a)
 {
- return new EnumVal(BifEnum::Comm::INT,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::INT,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(double a)
 {
- return new EnumVal(BifEnum::Comm::DOUBLE,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::DOUBLE,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const std::string& a)
 {
- return new EnumVal(BifEnum::Comm::STRING,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::STRING,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::address& a)
 {
- return new EnumVal(BifEnum::Comm::ADDR,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::ADDR,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::subnet& a)
 {
- return new EnumVal(BifEnum::Comm::SUBNET,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::SUBNET,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::port& a)
 {
- return new EnumVal(BifEnum::Comm::PORT,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::PORT,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::time_point& a)
 {
- return new EnumVal(BifEnum::Comm::TIME,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::TIME,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::time_duration&
a)
 {
- return new EnumVal(BifEnum::Comm::INTERVAL,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::INTERVAL,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::enum_value& a)
 {
- return new EnumVal(BifEnum::Comm::ENUM,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::ENUM,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::set& a)
 {
- return new EnumVal(BifEnum::Comm::SET,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::SET,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::table& a)
 {
- return new EnumVal(BifEnum::Comm::TABLE,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::TABLE,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::vector& a)
 {
- return new EnumVal(BifEnum::Comm::VECTOR,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::VECTOR,
+ BifType::Enum::BrokerComm::DataType);
 }
 result_type operator()(const broker::record& a)
 {
- return new EnumVal(BifEnum::Comm::RECORD,
- BifType::Enum::Comm::DataType);
+ return new EnumVal(BifEnum::BrokerComm::RECORD,
+ BifType::Enum::BrokerComm::DataType);
 }
 };
-EnumVal* comm::get_data_type(RecordVal* v, Frame* frame)
+EnumVal* bro_broker::get_data_type(RecordVal* v, Frame* frame)
 {
 return broker::visit(data_type_getter{}, opaque_field_to_data(v, frame));
 }
-broker::data& comm::opaque_field_to_data(RecordVal* v, Frame* f)
+broker::data& bro_broker::opaque_field_to_data(RecordVal* v, Frame* f)
 {
 Val* d = v->Lookup(0);
 if ( !
d )
 reporter->RuntimeError(f->GetCall()->GetLocationInfo(),
- "Comm::Data's opaque field is not set");
+ "BrokerComm::Data's opaque field is not set");
 return static_cast(d)->data;
 }
-IMPLEMENT_SERIAL(comm::DataVal, SER_COMM_DATA_VAL);
+IMPLEMENT_SERIAL(bro_broker::DataVal, SER_COMM_DATA_VAL);
-bool comm::DataVal::DoSerialize(SerialInfo* info) const
+bool bro_broker::DataVal::DoSerialize(SerialInfo* info) const
 {
 DO_SERIALIZE(SER_COMM_DATA_VAL, OpaqueVal);
@@ -691,7 +691,7 @@ bool comm::DataVal::DoSerialize(SerialInfo* info) const
 return true;
 }
-bool comm::DataVal::DoUnserialize(UnserialInfo* info)
+bool bro_broker::DataVal::DoUnserialize(UnserialInfo* info)
 {
 DO_UNSERIALIZE(OpaqueVal);
diff --git a/src/comm/Data.h b/src/comm/Data.h
index cacab3b430..84495056be 100644
--- a/src/comm/Data.h
+++ b/src/comm/Data.h
@@ -7,7 +7,7 @@
 #include "Frame.h"
 #include "Expr.h"
-namespace comm {
+namespace bro_broker {
 extern OpaqueType* opaque_of_data_type;
 extern OpaqueType* opaque_of_set_iterator;
@@ -21,25 +21,25 @@ extern OpaqueType* opaque_of_record_iterator;
 TransportProto to_bro_port_proto(broker::port::protocol tp);
 /**
- * Create a Comm::Data value from a Bro value.
+ * Create a BrokerComm::Data value from a Bro value.
 * @param v the Bro value to convert to a Broker data value.
- * @return a Comm::Data value, where the optional field is set if the conversion
+ * @return a BrokerComm::Data value, where the optional field is set if the conversion
 * was possible, else it is unset.
 */
 RecordVal* make_data_val(Val* v);
 /**
- * Create a Comm::Data value from a Broker data value.
+ * Create a BrokerComm::Data value from a Broker data value.
 * @param d the Broker value to wrap in an opaque type.
- * @return a Comm::Data value that wraps the Broker value.
+ * @return a BrokerComm::Data value that wraps the Broker value.
 */
 RecordVal* make_data_val(broker::data d);
 /**
- * Get the type of Broker data that Comm::Data wraps.
- * @param v a Comm::Data value.
+ * Get the type of Broker data that BrokerComm::Data wraps.
+ * @param v a BrokerComm::Data value.
 * @param frame used to get location info upon error.
- * @return a Comm::DataType value.
+ * @return a BrokerComm::DataType value.
 */
 EnumVal* get_data_type(RecordVal* v, Frame* frame);
@@ -68,7 +68,7 @@ class DataVal : public OpaqueVal {
 public:
 DataVal(broker::data arg_data)
- : OpaqueVal(comm::opaque_of_data_type), data(std::move(arg_data))
+ : OpaqueVal(bro_broker::opaque_of_data_type), data(std::move(arg_data))
 {}
 void ValDescribe(ODesc* d) const override
@@ -141,8 +141,8 @@ struct type_name_getter {
 };
 /**
- * Retrieve Broker data value associated with a Comm::Data Bro value.
- * @param v a Comm::Data value.
+ * Retrieve Broker data value associated with a BrokerComm::Data Bro value.
+ * @param v a BrokerComm::Data value.
 * @param f used to get location information on error.
 * @return a reference to the wrapped Broker data value. A runtime interpreter
 * exception is thrown if the the optional opaque value of \a v is not set.
@@ -183,9 +183,9 @@ inline T& require_data_type(RecordVal* v, TypeTag tag, Frame* f)
 }
 /**
- * Convert a Comm::Data Bro value to a Bro value of a given type.
+ * Convert a BrokerComm::Data Bro value to a Bro value of a given type.
 * @tparam a type that a Broker data variant may contain.
- * @param v a Comm::Data value.
+ * @param v a BrokerComm::Data value.
 * @param tag a Bro type to convert to.
 * @param f used to get location information on error.
 * A runtime interpret exception is thrown if trying to access a type which
@@ -203,7 +203,7 @@ class SetIterator : public OpaqueVal {
 public:
 SetIterator(RecordVal* v, TypeTag tag, Frame* f)
- : OpaqueVal(comm::opaque_of_set_iterator),
+ : OpaqueVal(bro_broker::opaque_of_set_iterator),
 dat(require_data_type(v, TYPE_TABLE, f)),
 it(dat.begin())
 {}
@@ -216,7 +216,7 @@ class TableIterator : public OpaqueVal {
 public:
 TableIterator(RecordVal* v, TypeTag tag, Frame* f)
- : OpaqueVal(comm::opaque_of_table_iterator),
+ : OpaqueVal(bro_broker::opaque_of_table_iterator),
 dat(require_data_type(v, TYPE_TABLE, f)),
 it(dat.begin())
 {}
@@ -229,7 +229,7 @@ class VectorIterator : public OpaqueVal {
 public:
 VectorIterator(RecordVal* v, TypeTag tag, Frame* f)
- : OpaqueVal(comm::opaque_of_vector_iterator),
+ : OpaqueVal(bro_broker::opaque_of_vector_iterator),
 dat(require_data_type(v, TYPE_VECTOR, f)),
 it(dat.begin())
 {}
@@ -242,7 +242,7 @@ class RecordIterator : public OpaqueVal {
 public:
 RecordIterator(RecordVal* v, TypeTag tag, Frame* f)
- : OpaqueVal(comm::opaque_of_record_iterator),
+ : OpaqueVal(bro_broker::opaque_of_record_iterator),
 dat(require_data_type(v, TYPE_VECTOR, f)),
 it(dat.fields.begin())
 {}
@@ -251,6 +251,6 @@ public:
 decltype(broker::record::fields)::iterator it;
 };
-} // namespace comm
+} // namespace bro_broker
 #endif // BRO_COMM_DATA_H
diff --git a/src/comm/Manager.cc b/src/comm/Manager.cc
index b1eb27ce16..3eceba0096 100644
--- a/src/comm/Manager.cc
+++ b/src/comm/Manager.cc
@@ -18,13 +18,13 @@
 using namespace std;
-VectorType* comm::Manager::vector_of_data_type;
-EnumType* comm::Manager::log_id_type;
-int comm::Manager::send_flags_self_idx;
-int comm::Manager::send_flags_peers_idx;
-int comm::Manager::send_flags_unsolicited_idx;
+VectorType* bro_broker::Manager::vector_of_data_type;
+EnumType* bro_broker::Manager::log_id_type;
+int bro_broker::Manager::send_flags_self_idx;
+int bro_broker::Manager::send_flags_peers_idx;
+int bro_broker::Manager::send_flags_unsolicited_idx;
-comm::Manager::~Manager()
+bro_broker::Manager::~Manager()
 {
 for ( auto& s : data_stores )
 CloseStore(s.first.first, s.first.second);
@@ -59,25 +59,25 @@ static int endpoint_flags_to_int(Val* broker_endpoint_flags)
 return rval;
 }
-bool comm::Manager::Enable(Val* broker_endpoint_flags)
+bool bro_broker::Manager::Enable(Val* broker_endpoint_flags)
 {
 if ( endpoint != nullptr )
 return true;
- auto send_flags_type = internal_type("Comm::SendFlags")->AsRecordType();
+ auto send_flags_type = internal_type("BrokerComm::SendFlags")->AsRecordType();
 send_flags_self_idx = require_field(send_flags_type, "self");
 send_flags_peers_idx = require_field(send_flags_type, "peers");
 send_flags_unsolicited_idx = require_field(send_flags_type, "unsolicited");
 log_id_type = internal_type("Log::ID")->AsEnumType();
- comm::opaque_of_data_type = new OpaqueType("Comm::Data");
- comm::opaque_of_set_iterator = new OpaqueType("Comm::SetIterator");
- comm::opaque_of_table_iterator = new OpaqueType("Comm::TableIterator");
- comm::opaque_of_vector_iterator = new OpaqueType("Comm::VectorIterator");
- comm::opaque_of_record_iterator = new OpaqueType("Comm::RecordIterator");
- comm::opaque_of_store_handle = new OpaqueType("Store::Handle");
- vector_of_data_type = new VectorType(internal_type("Comm::Data")->Ref());
+ bro_broker::opaque_of_data_type = new OpaqueType("BrokerComm::Data");
+ bro_broker::opaque_of_set_iterator = new OpaqueType("BrokerComm::SetIterator");
+ bro_broker::opaque_of_table_iterator = new OpaqueType("BrokerComm::TableIterator");
+ bro_broker::opaque_of_vector_iterator = new OpaqueType("BrokerComm::VectorIterator");
+ bro_broker::opaque_of_record_iterator = new OpaqueType("BrokerComm::RecordIterator");
+ bro_broker::opaque_of_store_handle = new OpaqueType("BrokerStore::Handle");
+ vector_of_data_type = new VectorType(internal_type("BrokerComm::Data")->Ref());
 auto res = broker::init();
@@ -97,7 +97,7 @@ bool comm::Manager::Enable(Val* broker_endpoint_flags)
 }
 const char* name;
- auto name_from_script = internal_val("Comm::endpoint_name")->AsString();
+ auto name_from_script = internal_val("BrokerComm::endpoint_name")->AsString();
 if ( name_from_script->Len() )
 name = name_from_script->CheckString();
@@ -117,7 +117,7 @@ bool comm::Manager::Enable(Val* broker_endpoint_flags)
 return true;
 }
-bool comm::Manager::SetEndpointFlags(Val* broker_endpoint_flags)
+bool bro_broker::Manager::SetEndpointFlags(Val* broker_endpoint_flags)
 {
 if ( ! Enabled() )
 return false;
@@ -127,7 +127,7 @@ bool comm::Manager::SetEndpointFlags(Val* broker_endpoint_flags)
 return true;
 }
-bool comm::Manager::Listen(uint16_t port, const char* addr, bool reuse_addr)
+bool bro_broker::Manager::Listen(uint16_t port, const char* addr, bool reuse_addr)
 {
 if ( ! Enabled() )
 return false;
@@ -144,7 +144,7 @@ bool comm::Manager::Listen(uint16_t port, const char* addr, bool reuse_addr)
 return rval;
 }
-bool comm::Manager::Connect(string addr, uint16_t port,
+bool bro_broker::Manager::Connect(string addr, uint16_t port,
 chrono::duration retry_interval)
 {
 if ( ! Enabled() )
@@ -159,7 +159,7 @@ bool comm::Manager::Connect(string addr, uint16_t port,
 return true;
 }
-bool comm::Manager::Disconnect(const string& addr, uint16_t port)
+bool bro_broker::Manager::Disconnect(const string& addr, uint16_t port)
 {
 if ( ! Enabled() )
 return false;
@@ -174,7 +174,7 @@ bool comm::Manager::Disconnect(const string& addr, uint16_t port)
 return rval;
 }
-bool comm::Manager::Print(string topic, string msg, Val* flags)
+bool bro_broker::Manager::Print(string topic, string msg, Val* flags)
 {
 if ( ! Enabled() )
 return false;
@@ -184,7 +184,7 @@ bool comm::Manager::Print(string topic, string msg, Val* flags)
 return true;
 }
-bool comm::Manager::Event(std::string topic, broker::message msg, int flags)
+bool bro_broker::Manager::Event(std::string topic, broker::message msg, int flags)
 {
 if ( ! Enabled() )
 return false;
@@ -193,7 +193,7 @@ bool comm::Manager::Event(std::string topic, broker::message msg, int flags)
 return true;
 }
-bool comm::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* info,
+bool bro_broker::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* info,
 int flags)
 {
 if ( ! Enabled() )
@@ -245,7 +245,7 @@ bool comm::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* info,
 return true;
 }
-bool comm::Manager::Event(std::string topic, RecordVal* args, Val* flags)
+bool bro_broker::Manager::Event(std::string topic, RecordVal* args, Val* flags)
 {
 if ( ! Enabled() )
 return false;
@@ -270,14 +270,14 @@ bool comm::Manager::Event(std::string topic, RecordVal* args, Val* flags)
 return true;
 }
-bool comm::Manager::AutoEvent(string topic, Val* event, Val* flags)
+bool bro_broker::Manager::AutoEvent(string topic, Val* event, Val* flags)
 {
 if ( ! Enabled() )
 return false;
 if ( event->Type()->Tag() != TYPE_FUNC )
 {
- reporter->Error("Comm::auto_event must operate on an event");
+ reporter->Error("BrokerComm::auto_event must operate on an event");
 return false;
 }
@@ -285,7 +285,7 @@ bool comm::Manager::AutoEvent(string topic, Val* event, Val* flags)
 if ( event_val->Flavor() != FUNC_FLAVOR_EVENT )
 {
- reporter->Error("Comm::auto_event must operate on an event");
+ reporter->Error("BrokerComm::auto_event must operate on an event");
 return false;
 }
@@ -293,7 +293,7 @@ bool comm::Manager::AutoEvent(string topic, Val* event, Val* flags)
 if ( ! handler )
 {
- reporter->Error("Comm::auto_event failed to lookup event '%s'",
+ reporter->Error("BrokerComm::auto_event failed to lookup event '%s'",
 event_val->Name());
 return false;
 }
@@ -302,14 +302,14 @@ bool comm::Manager::AutoEvent(string topic, Val* event, Val* flags)
 return true;
 }
-bool comm::Manager::AutoEventStop(const string& topic, Val* event)
+bool bro_broker::Manager::AutoEventStop(const string& topic, Val* event)
 {
 if ( ! Enabled() )
 return false;
 if ( event->Type()->Tag() != TYPE_FUNC )
 {
- reporter->Error("Comm::auto_event_stop must operate on an event");
+ reporter->Error("BrokerComm::auto_event_stop must operate on an event");
 return false;
 }
@@ -317,7 +317,7 @@ bool comm::Manager::AutoEventStop(const string& topic, Val* event)
 if ( event_val->Flavor() != FUNC_FLAVOR_EVENT )
 {
- reporter->Error("Comm::auto_event_stop must operate on an event");
+ reporter->Error("BrokerComm::auto_event_stop must operate on an event");
 return false;
 }
@@ -325,7 +325,7 @@ bool comm::Manager::AutoEventStop(const string& topic, Val* event)
 if ( ! handler )
 {
- reporter->Error("Comm::auto_event_stop failed to lookup event '%s'",
+ reporter->Error("BrokerComm::auto_event_stop failed to lookup event '%s'",
 event_val->Name());
 return false;
 }
@@ -335,12 +335,12 @@ bool comm::Manager::AutoEventStop(const string& topic, Val* event)
 return true;
 }
-RecordVal* comm::Manager::MakeEventArgs(val_list* args)
+RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args)
 {
 if ( ! Enabled() )
 return nullptr;
- auto rval = new RecordVal(BifType::Record::Comm::EventArgs);
+ auto rval = new RecordVal(BifType::Record::BrokerComm::EventArgs);
 auto arg_vec = new VectorVal(vector_of_data_type);
 rval->Assign(1, arg_vec);
 Func* func = 0;
@@ -355,7 +355,7 @@ RecordVal* comm::Manager::MakeEventArgs(val_list* args)
 if ( arg_val->Type()->Tag() != TYPE_FUNC )
 {
- reporter->Error("1st param of Comm::event_args must be event");
+ reporter->Error("1st param of BrokerComm::event_args must be event");
 return rval;
 }
@@ -363,7 +363,7 @@ RecordVal* comm::Manager::MakeEventArgs(val_list* args)
 if ( func->Flavor() != FUNC_FLAVOR_EVENT )
 {
- reporter->Error("1st param of Comm::event_args must be event");
+ reporter->Error("1st param of BrokerComm::event_args must be event");
 return rval;
 }
@@ -371,7 +371,7 @@ RecordVal* comm::Manager::MakeEventArgs(val_list* args)
 if ( num_args != args->length() - 1 )
 {
- reporter->Error("bad # of Comm::event_args: got %d, expect %d",
+ reporter->Error("bad # of BrokerComm::event_args: got %d, expect %d",
 args->length(), num_args + 1);
 return rval;
 }
@@ -385,7 +385,7 @@ RecordVal* comm::Manager::MakeEventArgs(val_list* args)
 if ( ! same_type((*args)[i]->Type(), expected_type) )
 {
 rval->Assign(0, 0);
- reporter->Error("Comm::event_args param %d type mismatch", i);
+ reporter->Error("BrokerComm::event_args param %d type mismatch", i);
 return rval;
 }
@@ -395,7 +395,7 @@ RecordVal* comm::Manager::MakeEventArgs(val_list* args)
 {
 Unref(data_val);
 rval->Assign(0, 0);
- reporter->Error("Comm::event_args unsupported event/params");
+ reporter->Error("BrokerComm::event_args unsupported event/params");
 return rval;
 }
@@ -405,7 +405,7 @@ RecordVal* comm::Manager::MakeEventArgs(val_list* args)
 return rval;
 }
-bool comm::Manager::SubscribeToPrints(string topic_prefix)
+bool bro_broker::Manager::SubscribeToPrints(string topic_prefix)
 {
 if ( ! Enabled() )
 return false;
@@ -419,7 +419,7 @@ bool comm::Manager::SubscribeToPrints(string topic_prefix)
 return true;
 }
-bool comm::Manager::UnsubscribeToPrints(const string& topic_prefix)
+bool bro_broker::Manager::UnsubscribeToPrints(const string& topic_prefix)
 {
 if ( ! Enabled() )
 return false;
@@ -427,7 +427,7 @@ bool comm::Manager::UnsubscribeToPrints(const string& topic_prefix)
 return print_subscriptions.erase(topic_prefix);
 }
-bool comm::Manager::SubscribeToEvents(string topic_prefix)
+bool bro_broker::Manager::SubscribeToEvents(string topic_prefix)
 {
 if ( ! Enabled() )
 return false;
@@ -441,7 +441,7 @@ bool comm::Manager::SubscribeToEvents(string topic_prefix)
 return true;
 }
-bool comm::Manager::UnsubscribeToEvents(const string& topic_prefix)
+bool bro_broker::Manager::UnsubscribeToEvents(const string& topic_prefix)
 {
 if ( ! Enabled() )
 return false;
@@ -449,7 +449,7 @@ bool comm::Manager::UnsubscribeToEvents(const string& topic_prefix)
 return event_subscriptions.erase(topic_prefix);
 }
-bool comm::Manager::SubscribeToLogs(string topic_prefix)
+bool bro_broker::Manager::SubscribeToLogs(string topic_prefix)
 {
 if ( ! Enabled() )
 return false;
@@ -463,7 +463,7 @@ bool comm::Manager::SubscribeToLogs(string topic_prefix)
 return true;
 }
-bool comm::Manager::UnsubscribeToLogs(const string& topic_prefix)
+bool bro_broker::Manager::UnsubscribeToLogs(const string& topic_prefix)
 {
 if ( ! Enabled() )
 return false;
@@ -471,7 +471,7 @@ bool comm::Manager::UnsubscribeToLogs(const string& topic_prefix)
 return log_subscriptions.erase(topic_prefix);
 }
-bool comm::Manager::PublishTopic(broker::topic t)
+bool bro_broker::Manager::PublishTopic(broker::topic t)
 {
 if ( ! Enabled() )
 return false;
@@ -480,7 +480,7 @@ bool comm::Manager::PublishTopic(broker::topic t)
 return true;
 }
-bool comm::Manager::UnpublishTopic(broker::topic t)
+bool bro_broker::Manager::UnpublishTopic(broker::topic t)
 {
 if ( ! Enabled() )
 return false;
@@ -489,7 +489,7 @@ bool comm::Manager::UnpublishTopic(broker::topic t)
 return true;
 }
-bool comm::Manager::AdvertiseTopic(broker::topic t)
+bool bro_broker::Manager::AdvertiseTopic(broker::topic t)
 {
 if ( ! Enabled() )
 return false;
@@ -498,7 +498,7 @@ bool comm::Manager::AdvertiseTopic(broker::topic t)
 return true;
 }
-bool comm::Manager::UnadvertiseTopic(broker::topic t)
+bool bro_broker::Manager::UnadvertiseTopic(broker::topic t)
 {
 if ( ! Enabled() )
 return false;
@@ -507,7 +507,7 @@ bool comm::Manager::UnadvertiseTopic(broker::topic t)
 return true;
 }
 
-int comm::Manager::send_flags_to_int(Val* flags)
+int bro_broker::Manager::send_flags_to_int(Val* flags)
 {
 auto r = flags->AsRecordVal();
 int rval = 0;
@@ -530,7 +530,7 @@ int comm::Manager::send_flags_to_int(Val* flags)
 return rval;
 }
 
-void comm::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write,
+void bro_broker::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write,
 iosource::FD_Set* except)
 {
 read->Insert(endpoint->outgoing_connection_status().fd());
@@ -551,7 +551,7 @@ void comm::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write,
 read->Insert(broker::report::default_queue->fd());
 }
 
-double comm::Manager::NextTimestamp(double* local_network_time)
+double bro_broker::Manager::NextTimestamp(double* local_network_time)
 {
 // TODO: do something better?
 return timer_mgr->Time();
@@ -569,25 +569,25 @@ struct response_converter {
 case broker::store::query::tag::lookup:
 // A boolean result means the key doesn't exist (if it did, then
 // the result would contain the broker::data value, not a bool).
- return new RecordVal(BifType::Record::Comm::Data);
+ return new RecordVal(BifType::Record::BrokerComm::Data);
 default:
- return comm::make_data_val(broker::data{d});
+ return bro_broker::make_data_val(broker::data{d});
 }
 }
 
 result_type operator()(uint64_t d)
 {
- return comm::make_data_val(broker::data{d});
+ return bro_broker::make_data_val(broker::data{d});
 }
 
 result_type operator()(broker::data& d)
 {
- return comm::make_data_val(move(d));
+ return bro_broker::make_data_val(move(d));
 }
 
 result_type operator()(std::vector& d)
 {
- return comm::make_data_val(broker::data{move(d)});
+ return bro_broker::make_data_val(broker::data{move(d)});
 }
 
 result_type operator()(broker::store::snapshot& d)
@@ -601,7 +601,7 @@ struct response_converter { table[move(key)] = move(val); } - return comm::make_data_val(broker::data{move(table)}); + return bro_broker::make_data_val(broker::data{move(table)}); } }; @@ -610,7 +610,7 @@ static RecordVal* response_to_val(broker::store::response r) return broker::visit(response_converter{r.request.type}, r.reply.value); } -void comm::Manager::Process() +void bro_broker::Manager::Process() { bool idle = true; auto outgoing_connection_updates = @@ -627,36 +627,36 @@ void comm::Manager::Process() switch ( u.status ) { case broker::outgoing_connection_status::tag::established: - if ( Comm::outgoing_connection_established ) + if ( BrokerComm::outgoing_connection_established ) { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); vl->append(new PortVal(u.relation.remote_tuple().second, TRANSPORT_TCP)); vl->append(new StringVal(u.peer_name)); - mgr.QueueEvent(Comm::outgoing_connection_established, vl); + mgr.QueueEvent(BrokerComm::outgoing_connection_established, vl); } break; case broker::outgoing_connection_status::tag::disconnected: - if ( Comm::outgoing_connection_broken ) + if ( BrokerComm::outgoing_connection_broken ) { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); vl->append(new PortVal(u.relation.remote_tuple().second, TRANSPORT_TCP)); - mgr.QueueEvent(Comm::outgoing_connection_broken, vl); + mgr.QueueEvent(BrokerComm::outgoing_connection_broken, vl); } break; case broker::outgoing_connection_status::tag::incompatible: - if ( Comm::outgoing_connection_incompatible ) + if ( BrokerComm::outgoing_connection_incompatible ) { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); vl->append(new PortVal(u.relation.remote_tuple().second, TRANSPORT_TCP)); - mgr.QueueEvent(Comm::outgoing_connection_incompatible, vl); + mgr.QueueEvent(BrokerComm::outgoing_connection_incompatible, vl); } break; 
@@ -674,20 +674,20 @@ void comm::Manager::Process() switch ( u.status ) { case broker::incoming_connection_status::tag::established: - if ( Comm::incoming_connection_established ) + if ( BrokerComm::incoming_connection_established ) { val_list* vl = new val_list; vl->append(new StringVal(u.peer_name)); - mgr.QueueEvent(Comm::incoming_connection_established, vl); + mgr.QueueEvent(BrokerComm::incoming_connection_established, vl); } break; case broker::incoming_connection_status::tag::disconnected: - if ( Comm::incoming_connection_broken ) + if ( BrokerComm::incoming_connection_broken ) { val_list* vl = new val_list; vl->append(new StringVal(u.peer_name)); - mgr.QueueEvent(Comm::incoming_connection_broken, vl); + mgr.QueueEvent(BrokerComm::incoming_connection_broken, vl); } break; @@ -709,7 +709,7 @@ void comm::Manager::Process() ps.second.received += print_messages.size(); idle = false; - if ( ! Comm::print_handler ) + if ( ! BrokerComm::print_handler ) continue; for ( auto& pm : print_messages ) @@ -732,7 +732,7 @@ void comm::Manager::Process() val_list* vl = new val_list; vl->append(new StringVal(move(*msg))); - mgr.QueueEvent(Comm::print_handler, vl); + mgr.QueueEvent(BrokerComm::print_handler, vl); } } @@ -975,7 +975,7 @@ void comm::Manager::Process() SetIdle(idle); } -bool comm::Manager::AddStore(StoreHandleVal* handle) +bool bro_broker::Manager::AddStore(StoreHandleVal* handle) { if ( ! Enabled() ) return false; @@ -993,9 +993,9 @@ bool comm::Manager::AddStore(StoreHandleVal* handle) return true; } -comm::StoreHandleVal* -comm::Manager::LookupStore(const broker::store::identifier& id, - comm::StoreType type) +bro_broker::StoreHandleVal* +bro_broker::Manager::LookupStore(const broker::store::identifier& id, + bro_broker::StoreType type) { if ( ! Enabled() ) return nullptr; 
@@ -1009,7 +1009,7 @@ comm::Manager::LookupStore(const broker::store::identifier& id,
 return it->second;
 }
 
-bool comm::Manager::CloseStore(const broker::store::identifier& id,
+bool bro_broker::Manager::CloseStore(const broker::store::identifier& id,
 StoreType type)
 {
 if ( ! Enabled() )
@@ -1041,13 +1041,13 @@ bool comm::Manager::CloseStore(const broker::store::identifier& id,
 return true;
 }
 
-bool comm::Manager::TrackStoreQuery(StoreQueryCallback* cb)
+bool bro_broker::Manager::TrackStoreQuery(StoreQueryCallback* cb)
 {
 assert(Enabled());
 return pending_queries.insert(cb).second;
 }
 
-comm::Stats comm::Manager::ConsumeStatistics()
+bro_broker::Stats bro_broker::Manager::ConsumeStatistics()
 {
 statistics.outgoing_peer_count = peers.size();
 statistics.data_store_count = data_stores.size();
diff --git a/src/comm/Manager.h b/src/comm/Manager.h
index 093d2da4d5..5ba85210db 100644
--- a/src/comm/Manager.h
+++ b/src/comm/Manager.h
@@ -12,11 +12,11 @@
 #include "iosource/IOSource.h"
 #include "Val.h"
 
-namespace comm {
+namespace bro_broker {
 
 /**
 * Communication statistics. Some are tracked in relation to last
- * sample (comm::Manager::ConsumeStatistics()).
+ * sample (bro_broker::Manager::ConsumeStatistics()).
 */
 struct Stats {
 // Number of outgoing peer connections (at time of sample).
@@ -58,20 +58,20 @@ public: /** * Enable use of communication. * @param flags used to tune the local Broker endpoint's behavior. - * See the Comm::EndpointFlags record type. + * See the BrokerComm::EndpointFlags record type. * @return true if communication is successfully initialized. */ bool Enable(Val* flags); /** - * Changes endpoint flags originally supplied to comm::Manager::Enable(). + * Changes endpoint flags originally supplied to bro_broker::Manager::Enable(). * @param flags the new behavior flags to use. * @return true if flags were changed. */ bool SetEndpointFlags(Val* flags); /** - * @return true if comm::Manager::Enable() has previously been called and + * @return true if bro_broker::Manager::Enable() has previously been called and * it succeeded. */ bool Enabled() @@ -103,10 +103,10 @@ public: /** * Remove a remote connection. - * @param addr the address used in comm::Manager::Connect(). - * @param port the port used in comm::Manager::Connect(). + * @param addr the address used in bro_broker::Manager::Connect(). + * @param port the port used in bro_broker::Manager::Connect(). * @return true if the arguments match a previously successful call to - * comm::Manager::Connect(). + * bro_broker::Manager::Connect(). */ bool Disconnect(const std::string& addr, uint16_t port); @@ -117,7 +117,7 @@ public: * of this topic name. * @param msg the string to send to peers. * @param flags tune the behavior of how the message is send. - * See the Comm::SendFlags record type. + * See the BrokerComm::SendFlags record type. * @return true if the message is sent successfully. */ bool Print(std::string topic, std::string msg, Val* flags); 
@@ -130,7 +130,7 @@ public: * @param msg the event to send to peers, which is the name of the event * as a string followed by all of its arguments. * @param flags tune the behavior of how the message is send. - * See the Comm::SendFlags record type. + * See the BrokerComm::SendFlags record type. * @return true if the message is sent successfully. */ bool Event(std::string topic, broker::message msg, int flags); @@ -141,9 +141,9 @@ public: * Peers advertise interest by registering a subscription to some prefix * of this topic name. * @param args the event and its arguments to send to peers. See the - * Comm::EventArgs record type. + * BrokerComm::EventArgs record type. * @param flags tune the behavior of how the message is send. - * See the Comm::SendFlags record type. + * See the BrokerComm::SendFlags record type. * @return true if the message is sent successfully. */ bool Event(std::string topic, RecordVal* args, Val* flags); @@ -155,7 +155,7 @@ public: * @param columns the data which comprises the log entry. * @param info the record type corresponding to the log's columns. * @param flags tune the behavior of how the message is send. - * See the Comm::SendFlags record type. + * See the BrokerComm::SendFlags record type. * @return true if the message is sent successfully. */ bool Log(EnumVal* stream_id, RecordVal* columns, RecordType* info, 
@@ -169,15 +169,15 @@ public: * of this topic name. * @param event a Bro event value. * @param flags tune the behavior of how the message is send. - * See the Comm::SendFlags record type. + * See the BrokerComm::SendFlags record type. * @return true if automatic event sending is now enabled. */ bool AutoEvent(std::string topic, Val* event, Val* flags); /** * Stop automatically sending an event to peers upon local dispatch. - * @param topic a topic originally given to comm::Manager::AutoEvent(). - * @param event an event originally given to comm::Manager::AutoEvent(). + * @param topic a topic originally given to bro_broker::Manager::AutoEvent(). + * @param event an event originally given to bro_broker::Manager::AutoEvent(). * @return true if automatic events will no occur for the topic/event pair. */ bool AutoEventStop(const std::string& topic, Val* event); @@ -203,7 +203,7 @@ public: /** * Unregister interest in peer print messages. * @param topic_prefix a prefix previously supplied to a successful call - * to comm::Manager::SubscribeToPrints(). + * to bro_broker::Manager::SubscribeToPrints(). * @return true if interest in topic prefix is no longer advertised. */ bool UnsubscribeToPrints(const std::string& topic_prefix); @@ -220,7 +220,7 @@ public: /** * Unregister interest in peer event messages. * @param topic_prefix a prefix previously supplied to a successful call - * to comm::Manager::SubscribeToEvents(). + * to bro_broker::Manager::SubscribeToEvents(). * @return true if interest in topic prefix is no longer advertised. */ bool UnsubscribeToEvents(const std::string& topic_prefix); @@ -237,7 +237,7 @@ public: /** * Unregister interest in peer log messages. * @param topic_prefix a prefix previously supplied to a successful call - * to comm::Manager::SubscribeToLogs(). + * to bro_broker::Manager::SubscribeToLogs(). * @return true if interest in topic prefix is no longer advertised. */ bool UnsubscribeToLogs(const std::string& topic_prefix); 
@@ -245,7 +245,7 @@ public: /** * Allow sending messages to peers if associated with the given topic. * This has no effect if auto publication behavior is enabled via the flags - * supplied to comm::Manager::Enable() or comm::Manager::SetEndpointFlags(). + * supplied to bro_broker::Manager::Enable() or bro_broker::Manager::SetEndpointFlags(). * @param t a topic to allow messages to be published under. * @return true if successful. */ @@ -254,7 +254,7 @@ public: /** * Disallow sending messages to peers if associated with the given topic. * This has no effect if auto publication behavior is enabled via the flags - * supplied to comm::Manager::Enable() or comm::Manager::SetEndpointFlags(). + * supplied to bro_broker::Manager::Enable() or bro_broker::Manager::SetEndpointFlags(). * @param t a topic to disallow messages to be published under. * @return true if successful. */ @@ -263,7 +263,7 @@ public: /** * Allow advertising interest in the given topic to peers. * This has no effect if auto advertise behavior is enabled via the flags - * supplied to comm::Manager::Enable() or comm::Manager::SetEndpointFlags(). + * supplied to bro_broker::Manager::Enable() or bro_broker::Manager::SetEndpointFlags(). * @param t a topic to allow advertising interest/subscription to peers. * @return true if successful. */ @@ -272,7 +272,7 @@ public: /** * Disallow advertising interest in the given topic to peers. * This has no effect if auto advertise behavior is enabled via the flags - * supplied to comm::Manager::Enable() or comm::Manager::SetEndpointFlags(). + * supplied to bro_broker::Manager::Enable() or bro_broker::Manager::SetEndpointFlags(). * @param t a topic to disallow advertising interest/subscription to peers. * @return true if successful. */ 
@@ -315,7 +315,7 @@ public:
 Stats ConsumeStatistics();
 
 /**
- * Convert Comm::SendFlags to int flags for use with broker::send().
+ * Convert BrokerComm::SendFlags to int flags for use with broker::send().
 */
 static int send_flags_to_int(Val* flags);
 
@@ -330,7 +330,7 @@ private:
 void Process() override;
 
 const char* Tag() override
- { return "Comm::Manager"; }
+ { return "BrokerComm::Manager"; }
 
 broker::endpoint& Endpoint()
 { return *endpoint; }
@@ -359,8 +359,8 @@ private:
 static int send_flags_unsolicited_idx;
 };
 
-} // namespace comm
+} // namespace bro_broker
 
-extern comm::Manager* comm_mgr;
+extern bro_broker::Manager* broker_mgr;
 
 #endif // BRO_COMM_MANAGER_H
diff --git a/src/comm/Store.cc b/src/comm/Store.cc
index 453fdee34a..fd24ac7b90 100644
--- a/src/comm/Store.cc
+++ b/src/comm/Store.cc
@@ -10,16 +10,16 @@
 #include
 #endif
 
-OpaqueType* comm::opaque_of_store_handle;
+OpaqueType* bro_broker::opaque_of_store_handle;
 
-comm::StoreHandleVal::StoreHandleVal(broker::store::identifier id,
- comm::StoreType arg_type,
- broker::util::optional arg_back,
+bro_broker::StoreHandleVal::StoreHandleVal(broker::store::identifier id,
+ bro_broker::StoreType arg_type,
+ broker::util::optional arg_back,
 RecordVal* backend_options,
 std::chrono::duration resync)
 : OpaqueVal(opaque_of_store_handle), store(), store_type(arg_type), backend_type(arg_back)
 {
- using BifEnum::Store::BackendType;
+ using BifEnum::BrokerStore::BackendType;
 std::unique_ptr backend;
 
 if ( backend_type )
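Review bot: The include guard `BRO_COMM_MANAGER_H` that closes the last hunk here keeps the old `COMM` name after the namespace became `bro_broker`, and the same leftover shows up in `BRO_COMM_STORE_H` (Store.h), the `SER_COMM_STORE_HANDLE_VAL` tag used by `IMPLEMENT_SERIAL`/`DO_SERIALIZE` in Store.cc, and the unchanged `src/comm/` paths and `#include "comm/Manager.h"` in comm.bif. If leaving the serial tag alone is deliberate, a one-line comment next to `IMPLEMENT_SERIAL`, `// serial tag name intentionally not renamed`, would keep a later cleanup from second-guessing it. The guards and the directory name have no such constraint and read as a half-finished rename; either rename them with the namespace or say in the commit message that the file layout is intentionally unchanged.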
@@ -73,14 +73,14 @@ comm::StoreHandleVal::StoreHandleVal(broker::store::identifier id,
 switch ( store_type )
 {
 case StoreType::FRONTEND:
- store = new broker::store::frontend(comm_mgr->Endpoint(), move(id));
+ store = new broker::store::frontend(broker_mgr->Endpoint(), move(id));
 break;
 case StoreType::MASTER:
- store = new broker::store::master(comm_mgr->Endpoint(), move(id),
+ store = new broker::store::master(broker_mgr->Endpoint(), move(id),
 move(backend));
 break;
 case StoreType::CLONE:
- store = new broker::store::clone(comm_mgr->Endpoint(), move(id), resync,
+ store = new broker::store::clone(broker_mgr->Endpoint(), move(id), resync,
 move(backend));
 break;
 default:
@@ -89,9 +89,9 @@ comm::StoreHandleVal::StoreHandleVal(broker::store::identifier id,
 }
 }
 
-void comm::StoreHandleVal::ValDescribe(ODesc* d) const
+void bro_broker::StoreHandleVal::ValDescribe(ODesc* d) const
 {
- using BifEnum::Store::BackendType;
+ using BifEnum::BrokerStore::BackendType;
 d->Add("broker::store::");
 switch ( store_type )
 {
@@ -133,9 +133,9 @@ void comm::StoreHandleVal::ValDescribe(ODesc* d) const
 d->Add("}");
 }
 
-IMPLEMENT_SERIAL(comm::StoreHandleVal, SER_COMM_STORE_HANDLE_VAL);
+IMPLEMENT_SERIAL(bro_broker::StoreHandleVal, SER_COMM_STORE_HANDLE_VAL);
 
-bool comm::StoreHandleVal::DoSerialize(SerialInfo* info) const
+bool bro_broker::StoreHandleVal::DoSerialize(SerialInfo* info) const
 {
 DO_SERIALIZE(SER_COMM_STORE_HANDLE_VAL, OpaqueVal);
 
@@ -156,7 +156,7 @@ bool comm::StoreHandleVal::DoSerialize(SerialInfo* info) const
 return true;
 }
 
-bool comm::StoreHandleVal::DoUnserialize(UnserialInfo* info)
+bool bro_broker::StoreHandleVal::DoUnserialize(UnserialInfo* info)
 {
 DO_UNSERIALIZE(OpaqueVal);
 
@@ -185,7 +185,7 @@ bool comm::StoreHandleVal::DoUnserialize(UnserialInfo* info)
 broker::store::identifier id(id_str, len);
 delete [] id_str;
 
- auto handle = comm_mgr->LookupStore(id, static_cast(type));
+ auto handle = broker_mgr->LookupStore(id, static_cast(type));
 
 if ( ! handle )
 {
diff --git a/src/comm/Store.h b/src/comm/Store.h
index 9a17d617e9..e132bf310d 100644
--- a/src/comm/Store.h
+++ b/src/comm/Store.h
@@ -10,7 +10,7 @@
 #include
-namespace comm {
+namespace bro_broker {
 extern OpaqueType* opaque_of_store_handle;
@@ -25,9 +25,9 @@ enum StoreType {
 };
 
 /**
- * Create a Store::QueryStatus value.
+ * Create a BrokerStore::QueryStatus value.
 * @param success whether the query status should be set to success or failure.
- * @return a Store::QueryStatus value.
+ * @return a BrokerStore::QueryStatus value.
 */
 inline EnumVal* query_status(bool success)
 {
@@ -37,34 +37,34 @@ inline EnumVal* query_status(bool success)
 
 if ( ! store_query_status )
 {
- store_query_status = internal_type("Store::QueryStatus")->AsEnumType();
- success_val = store_query_status->Lookup("Store", "SUCCESS");
- failure_val = store_query_status->Lookup("Store", "FAILURE");
+ store_query_status = internal_type("BrokerStore::QueryStatus")->AsEnumType();
+ success_val = store_query_status->Lookup("BrokerStore", "SUCCESS");
+ failure_val = store_query_status->Lookup("BrokerStore", "FAILURE");
 }
 
 return new EnumVal(success ? success_val : failure_val, store_query_status);
 }
 
 /**
- * @return a Store::QueryResult value that has a Store::QueryStatus indicating
+ * @return a BrokerStore::QueryResult value that has a BrokerStore::QueryStatus indicating
 * a failure.
 */
 inline RecordVal* query_result()
 {
- auto rval = new RecordVal(BifType::Record::Store::QueryResult);
+ auto rval = new RecordVal(BifType::Record::BrokerStore::QueryResult);
 rval->Assign(0, query_status(false));
- rval->Assign(1, new RecordVal(BifType::Record::Comm::Data));
+ rval->Assign(1, new RecordVal(BifType::Record::BrokerComm::Data));
 return rval;
 }
 
 /**
 * @param data the result of the query.
- * @return a Store::QueryResult value that has a Store::QueryStatus indicating
+ * @return a BrokerStore::QueryResult value that has a BrokerStore::QueryStatus indicating
 * a success.
 */
 inline RecordVal* query_result(RecordVal* data)
 {
- auto rval = new RecordVal(BifType::Record::Store::QueryResult);
+ auto rval = new RecordVal(BifType::Record::BrokerStore::QueryResult);
 rval->Assign(0, query_status(true));
 rval->Assign(1, data);
 return rval;
@@ -129,8 +129,8 @@ class StoreHandleVal : public OpaqueVal {
 public:
 StoreHandleVal(broker::store::identifier id,
- comm::StoreType arg_type,
- broker::util::optional arg_back,
+ bro_broker::StoreType arg_type,
+ broker::util::optional arg_back,
 RecordVal* backend_options, std::chrono::duration resync = std::chrono::seconds(1));
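Review bot: The three renamed lookups at the top of this hunk, `internal_type("BrokerStore::QueryStatus")` and the two `Lookup("BrokerStore", ...)` calls, resolve the enum and its `SUCCESS`/`FAILURE` values by string on first use, so they are only checked at runtime against the `module` line of the .bif that declares `BrokerStore`, which is not part of this chunk; a mismatch would surface when the first store query completes rather than at compile time. A one-line comment above the first lookup, `// These names must match the module declared in the store .bif`, would tie the two renames together for the next person who touches either. The enclosing `query_status()` starts above the hunk, and the variables it fills are declared there too.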
@@ -139,8 +139,8 @@ public:
 DECLARE_SERIAL(StoreHandleVal);
 
 broker::store::frontend* store;
- comm::StoreType store_type;
- broker::util::optional backend_type;
+ bro_broker::StoreType store_type;
+ broker::util::optional backend_type;
 
 protected:
 
@@ -148,6 +148,6 @@ protected:
 {}
 };
 
-} // namespace comm
+} // namespace bro_broker
 
 #endif // BRO_COMM_STORE_H
diff --git a/src/comm/comm.bif b/src/comm/comm.bif
index 23e163c748..2c930ba8a9 100644
--- a/src/comm/comm.bif
+++ b/src/comm/comm.bif
@@ -5,124 +5,124 @@ #include "comm/Manager.h" %%} -module Comm; +module BrokerComm; -type Comm::EndpointFlags: record; +type BrokerComm::EndpointFlags: record; ## Enable use of communication. ## ## flags: used to tune the local Broker endpoint behavior. ## ## Returns: true if communication is successfully initialized. -function Comm::enable%(flags: EndpointFlags &default = EndpointFlags()%): bool +function BrokerComm::enable%(flags: EndpointFlags &default = EndpointFlags()%): bool %{ - return new Val(comm_mgr->Enable(flags), TYPE_BOOL); + return new Val(broker_mgr->Enable(flags), TYPE_BOOL); %} -## Changes endpoint flags originally supplied to :bro:see:`Comm::enable`. +## Changes endpoint flags originally supplied to :bro:see:`BrokerComm::enable`. ## ## flags: the new endpoint behavior flags to use. ## ## Returns: true of flags were changed. -function Comm::set_endpoint_flags%(flags: EndpointFlags &default = EndpointFlags()%): bool +function BrokerComm::set_endpoint_flags%(flags: EndpointFlags &default = EndpointFlags()%): bool %{ - return new Val(comm_mgr->SetEndpointFlags(flags), TYPE_BOOL); + return new Val(broker_mgr->SetEndpointFlags(flags), TYPE_BOOL); %} ## Allow sending messages to peers if associated with the given topic. ## This has no effect if auto publication behavior is enabled via the flags -## supplied to :bro:see:`Comm::enable` or :bro:see:`Comm::set_endpoint_flags`. +## supplied to :bro:see:`BrokerComm::enable` or :bro:see:`BrokerComm::set_endpoint_flags`. ## ## topic: a topic to allow messages to be published under. ## ## Returns: true if successful. -function Comm::publish_topic%(topic: string%): bool +function BrokerComm::publish_topic%(topic: string%): bool %{ - return new Val(comm_mgr->PublishTopic(topic->CheckString()), TYPE_BOOL); + return new Val(broker_mgr->PublishTopic(topic->CheckString()), TYPE_BOOL); %} ## Disallow sending messages to peers if associated with the given topic. 
## This has no effect if auto publication behavior is enabled via the flags -## supplied to :bro:see:`Comm::enable` or :bro:see:`Comm::set_endpoint_flags`. +## supplied to :bro:see:`BrokerComm::enable` or :bro:see:`BrokerComm::set_endpoint_flags`. ## ## topic: a topic to disallow messages to be published under. ## ## Returns: true if successful. -function Comm::unpublish_topic%(topic: string%): bool +function BrokerComm::unpublish_topic%(topic: string%): bool %{ - return new Val(comm_mgr->UnpublishTopic(topic->CheckString()), TYPE_BOOL); + return new Val(broker_mgr->UnpublishTopic(topic->CheckString()), TYPE_BOOL); %} ## Allow advertising interest in the given topic to peers. ## This has no effect if auto advertise behavior is enabled via the flags -## supplied to :bro:see:`Comm::enable` or :bro:see:`Comm::set_endpoint_flags`. +## supplied to :bro:see:`BrokerComm::enable` or :bro:see:`BrokerComm::set_endpoint_flags`. ## ## topic: a topic to allow advertising interest/subscription to peers. ## ## Returns: true if successful. -function Comm::advertise_topic%(topic: string%): bool +function BrokerComm::advertise_topic%(topic: string%): bool %{ - return new Val(comm_mgr->AdvertiseTopic(topic->CheckString()), TYPE_BOOL); + return new Val(broker_mgr->AdvertiseTopic(topic->CheckString()), TYPE_BOOL); %} ## Disallow advertising interest in the given topic to peers. ## This has no effect if auto advertise behavior is enabled via the flags -## supplied to :bro:see:`Comm::enable` or :bro:see:`Comm::set_endpoint_flags`. +## supplied to :bro:see:`BrokerComm::enable` or :bro:see:`BrokerComm::set_endpoint_flags`. ## ## topic: a topic to disallow advertising interest/subscription to peers. ## ## Returns: true if successful. 
-function Comm::unadvertise_topic%(topic: string%): bool +function BrokerComm::unadvertise_topic%(topic: string%): bool %{ - return new Val(comm_mgr->UnadvertiseTopic(topic->CheckString()), TYPE_BOOL); + return new Val(broker_mgr->UnadvertiseTopic(topic->CheckString()), TYPE_BOOL); %} ## Generated when a connection has been established due to a previous call -## to :bro:see:`Comm::connect`. +## to :bro:see:`BrokerComm::connect`. ## ## peer_address: the address used to connect to the peer. ## ## peer_port: the port used to connect to the peer. ## ## peer_name: the name by which the peer identified itself. -event Comm::outgoing_connection_established%(peer_address: string, +event BrokerComm::outgoing_connection_established%(peer_address: string, peer_port: port, peer_name: string%); ## Generated when a previously established connection becomes broken. ## Reconnection will automatically be attempted at a frequency given -## by the original call to :bro:see:`Comm::connect`. +## by the original call to :bro:see:`BrokerComm::connect`. ## ## peer_address: the address used to connect to the peer. ## ## peer_port: the port used to connect to the peer. ## -## .. bro:see:: Comm::outgoing_connection_established -event Comm::outgoing_connection_broken%(peer_address: string, +## .. bro:see:: BrokerComm::outgoing_connection_established +event BrokerComm::outgoing_connection_broken%(peer_address: string, peer_port: port%); -## Generated when a connection via :bro:see:`Comm::connect` has failed +## Generated when a connection via :bro:see:`BrokerComm::connect` has failed ## because the remote side is incompatible. ## ## peer_address: the address used to connect to the peer. ## ## peer_port: the port used to connect to the peer. 
-event Comm::outgoing_connection_incompatible%(peer_address: string, +event BrokerComm::outgoing_connection_incompatible%(peer_address: string, peer_port: port%); ## Generated when a peer has established a connection with this process -## as a result of previously performing a :bro:see:`Comm::listen`. +## as a result of previously performing a :bro:see:`BrokerComm::listen`. ## ## peer_name: the name by which the peer identified itself. -event Comm::incoming_connection_established%(peer_name: string%); +event BrokerComm::incoming_connection_established%(peer_name: string%); ## Generated when a peer that previously established a connection with this ## process becomes disconnected. ## ## peer_name: the name by which the peer identified itself. ## -## .. bro:see:: Comm::incoming_connection_established -event Comm::incoming_connection_broken%(peer_name: string%); +## .. bro:see:: BrokerComm::incoming_connection_established +event BrokerComm::incoming_connection_broken%(peer_name: string%); ## Listen for remote connections. ## @@ -135,8 +135,8 @@ event Comm::incoming_connection_broken%(peer_name: string%); ## ## Returns: true if the local endpoint is now listening for connections. ## -## .. bro:see:: Comm::incoming_connection_established -function Comm::listen%(p: port, a: string &default = "", +## .. bro:see:: BrokerComm::incoming_connection_established +function BrokerComm::listen%(p: port, a: string &default = "", reuse: bool &default = T%): bool %{ if ( ! p->IsTCP() ) @@ -145,7 +145,7 @@ function Comm::listen%(p: port, a: string &default = "", return new Val(false, TYPE_BOOL); } - auto rval = comm_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0, + auto rval = broker_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0, reuse); return new Val(rval, TYPE_BOOL); %} 
@@ -164,8 +164,8 @@ function Comm::listen%(p: port, a: string &default = "", ## it's a new peer. The actual connection may not be established ## a later point in time. ## -## .. bro:see:: Comm::outgoing_connection_established -function Comm::connect%(a: string, p: port, retry: interval%): bool +## .. bro:see:: BrokerComm::outgoing_connection_established +function BrokerComm::connect%(a: string, p: port, retry: interval%): bool %{ if ( ! p->IsTCP() ) { @@ -173,20 +173,20 @@ function Comm::connect%(a: string, p: port, retry: interval%): bool return new Val(false, TYPE_BOOL); } - auto rval = comm_mgr->Connect(a->CheckString(), p->Port(), + auto rval = broker_mgr->Connect(a->CheckString(), p->Port(), std::chrono::duration(retry)); return new Val(rval, TYPE_BOOL); %} ## Remove a remote connection. ## -## a: the address used in previous successful call to :bro:see:`Comm::connect`. +## a: the address used in previous successful call to :bro:see:`BrokerComm::connect`. ## -## p: the port used in previous successful call to :bro:see:`Comm::connect`. +## p: the port used in previous successful call to :bro:see:`BrokerComm::connect`. ## ## Returns: true if the arguments match a previously successful call to -## :bro:see:`Comm::connect`. -function Comm::disconnect%(a: string, p: port%): bool +## :bro:see:`BrokerComm::connect`. +function BrokerComm::disconnect%(a: string, p: port%): bool %{ if ( ! p->IsTCP() ) { @@ -194,6 +194,6 @@ function Comm::disconnect%(a: string, p: port%): bool return new Val(false, TYPE_BOOL); } - auto rval = comm_mgr->Disconnect(a->CheckString(), p->Port()); + auto rval = broker_mgr->Disconnect(a->CheckString(), p->Port()); return new Val(rval, TYPE_BOOL); %} diff --git a/src/comm/data.bif b/src/comm/data.bif index 7120046920..7b2c52cb8c 100644 --- a/src/comm/data.bif +++ b/src/comm/data.bif 
@@ -5,9 +5,9 @@ #include "comm/Data.h" %%} -module Comm; +module BrokerComm; -## Enumerates the possible types that :bro:see:`Comm::Data` may be in terms of +## Enumerates the possible types that :bro:see:`BrokerComm::Data` may be in terms of ## Bro data types. enum DataType %{ BOOL, @@ -27,9 +27,9 @@ enum DataType %{ RECORD, %} -type Comm::Data: record; +type BrokerComm::Data: record; -type Comm::TableItem: record; +type BrokerComm::TableItem: record; ## Convert any Bro value in to communication data. ## @@ -38,9 +38,9 @@ type Comm::TableItem: record; ## Returns: the converted communication data which may not set its only ## opaque field of the the conversion was not possible (the Bro data ## type does not support being converted to communicaiton data). -function Comm::data%(d: any%): Comm::Data +function BrokerComm::data%(d: any%): BrokerComm::Data %{ - return comm::make_data_val(d); + return bro_broker::make_data_val(d); %} ## Retrieve the type of data associated with communication data. 
@@ -48,153 +48,153 @@ function Comm::data%(d: any%): Comm::Data
 ## d: the communication data.
 ##
 ## Returns: the data type associated with the communication data.
-function Comm::data_type%(d: Comm::Data%): Comm::DataType
+function BrokerComm::data_type%(d: BrokerComm::Data%): BrokerComm::DataType
 %{
- return comm::get_data_type(d->AsRecordVal(), frame);
+ return bro_broker::get_data_type(d->AsRecordVal(), frame);
 %}
-## Convert communication data with a type of :bro:see:`Comm::BOOL` to
+## Convert communication data with a type of :bro:see:`BrokerComm::BOOL` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_bool%(d: Comm::Data%): bool
+function BrokerComm::refine_to_bool%(d: BrokerComm::Data%): bool
 %{
- return comm::refine(d->AsRecordVal(), TYPE_BOOL, frame);
+ return bro_broker::refine(d->AsRecordVal(), TYPE_BOOL, frame);
 %}
-## Convert communication data with a type of :bro:see:`Comm::INT` to
+## Convert communication data with a type of :bro:see:`BrokerComm::INT` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_int%(d: Comm::Data%): int
+function BrokerComm::refine_to_int%(d: BrokerComm::Data%): int
 %{
- return comm::refine(d->AsRecordVal(), TYPE_INT, frame);
+ return bro_broker::refine(d->AsRecordVal(), TYPE_INT, frame);
 %}
-## Convert communication data with a type of :bro:see:`Comm::COUNT` to
+## Convert communication data with a type of :bro:see:`BrokerComm::COUNT` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_count%(d: Comm::Data%): count
+function BrokerComm::refine_to_count%(d: BrokerComm::Data%): count
 %{
- return comm::refine(d->AsRecordVal(), TYPE_COUNT, frame);
+ return bro_broker::refine(d->AsRecordVal(), TYPE_COUNT, frame);
 %}
-## Convert communication data with a type of :bro:see:`Comm::DOUBLE` to
+## Convert communication data with a type of :bro:see:`BrokerComm::DOUBLE` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_double%(d: Comm::Data%): double
+function BrokerComm::refine_to_double%(d: BrokerComm::Data%): double
 %{
- return comm::refine(d->AsRecordVal(), TYPE_DOUBLE, frame);
+ return bro_broker::refine(d->AsRecordVal(), TYPE_DOUBLE, frame);
 %}
-## Convert communication data with a type of :bro:see:`Comm::STRING` to
+## Convert communication data with a type of :bro:see:`BrokerComm::STRING` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_string%(d: Comm::Data%): string
+function BrokerComm::refine_to_string%(d: BrokerComm::Data%): string
 %{
- return new StringVal(comm::require_data_type(d->AsRecordVal(),
+ return new StringVal(bro_broker::require_data_type(d->AsRecordVal(),
 TYPE_STRING, frame));
 %}
-## Convert communication data with a type of :bro:see:`Comm::ADDR` to
+## Convert communication data with a type of :bro:see:`BrokerComm::ADDR` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_addr%(d: Comm::Data%): addr
+function BrokerComm::refine_to_addr%(d: BrokerComm::Data%): addr
 %{
- auto& a = comm::require_data_type(d->AsRecordVal(),
+ auto& a = bro_broker::require_data_type(d->AsRecordVal(),
 TYPE_ADDR, frame);
 auto bits = reinterpret_cast(&a.bytes());
 return new AddrVal(IPAddr(*bits));
 %}
-## Convert communication data with a type of :bro:see:`Comm::SUBNET` to
+## Convert communication data with a type of :bro:see:`BrokerComm::SUBNET` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_subnet%(d: Comm::Data%): subnet
+function BrokerComm::refine_to_subnet%(d: BrokerComm::Data%): subnet
 %{
- auto& a = comm::require_data_type(d->AsRecordVal(),
+ auto& a = bro_broker::require_data_type(d->AsRecordVal(),
 TYPE_SUBNET, frame);
 auto bits = reinterpret_cast(&a.network().bytes());
 return new SubNetVal(IPPrefix(IPAddr(*bits), a.length()));
 %}
-## Convert communication data with a type of :bro:see:`Comm::PORT` to
+## Convert communication data with a type of :bro:see:`BrokerComm::PORT` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_port%(d: Comm::Data%): port
+function BrokerComm::refine_to_port%(d: BrokerComm::Data%): port
 %{
- auto& a = comm::require_data_type(d->AsRecordVal(),
+ auto& a = bro_broker::require_data_type(d->AsRecordVal(),
 TYPE_SUBNET, frame);
- return new PortVal(a.number(), comm::to_bro_port_proto(a.type()));
+ return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type()));
 %}
-## Convert communication data with a type of :bro:see:`Comm::TIME` to
+## Convert communication data with a type of :bro:see:`BrokerComm::TIME` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_time%(d: Comm::Data%): time
+function BrokerComm::refine_to_time%(d: BrokerComm::Data%): time
 %{
- auto v = comm::require_data_type(d->AsRecordVal(),
+ auto v = bro_broker::require_data_type(d->AsRecordVal(),
 TYPE_TIME, frame).value;
 return new Val(v, TYPE_TIME);
 %}
-## Convert communication data with a type of :bro:see:`Comm::INTERVAL` to
+## Convert communication data with a type of :bro:see:`BrokerComm::INTERVAL` to
 ## an actual Bro value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the value retrieved from the communication data.
-function Comm::refine_to_interval%(d: Comm::Data%): interval
+function BrokerComm::refine_to_interval%(d: BrokerComm::Data%): interval
 %{
- auto v = comm::require_data_type(d->AsRecordVal(),
+ auto v = bro_broker::require_data_type(d->AsRecordVal(),
 TYPE_TIME, frame).value;
 return new Val(v, TYPE_INTERVAL);
 %}
-## Convert communication data with a type of :bro:see:`Comm::ENUM` to
+## Convert communication data with a type of :bro:see:`BrokerComm::ENUM` to
 ## the name of the enum value. :bro:see:`lookup_ID` may be used to convert
 ## the name to the actual enum value.
 ##
 ## d: the communication data to convert.
 ##
 ## Returns: the enum name retrieved from the communication data.
-function Comm::refine_to_enum_name%(d: Comm::Data%): string
+function BrokerComm::refine_to_enum_name%(d: BrokerComm::Data%): string
 %{
- auto& v = comm::require_data_type(d->AsRecordVal(),
+ auto& v = bro_broker::require_data_type(d->AsRecordVal(),
 TYPE_ENUM, frame).name;
 return new StringVal(v);
 %}
 ## Create communication data of type "set".
-function Comm::set_create%(%): Comm::Data
+function BrokerComm::set_create%(%): BrokerComm::Data
 %{
- return comm::make_data_val(broker::set());
+ return bro_broker::make_data_val(broker::set());
 %}
 ## Remove all elements within a set.
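Review bot: `BrokerComm::refine_to_port` passes `TYPE_SUBNET` to `require_data_type` while it goes on to build a `PortVal`, so the type tag does not match the function's own return type; this reads as a copy-paste from `refine_to_subnet` directly above it, and the rename carries it over unchanged. `refine_to_interval` has the same shape, passing `TYPE_TIME` where the function returns `TYPE_INTERVAL`. If the tag is what `require_data_type` uses to check the opaque field's type and to name the expected type in its error, the changes are `TYPE_PORT, frame);` for the port case and `TYPE_INTERVAL, frame).value;` for the interval case; `require_data_type` lives in `comm/Data.h`, which is outside this diff, so confirm there. The template arguments of `require_data_type`, `reinterpret_cast` and `static_cast` are missing from the rendered text throughout this hunk, presumably an extraction artifact rather than the file's content.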
@@ -202,9 +202,9 @@ function Comm::set_create%(%): Comm::Data
 ## s: the set to clear.
 ##
 ## Returns: always true.
-function Comm::set_clear%(s: Comm::Data%): bool
+function BrokerComm::set_clear%(s: BrokerComm::Data%): bool
 %{
- auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE,
+ auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE,
 frame);
 v.clear();
 return new Val(true, TYPE_BOOL);
@@ -215,9 +215,9 @@ function Comm::set_clear%(s: Comm::Data%): bool
 ## s: the set to query.
 ##
 ## Returns: the number of elements in the set.
-function Comm::set_size%(s: Comm::Data%): count
+function BrokerComm::set_size%(s: BrokerComm::Data%): count
 %{
- auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE,
+ auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE,
 frame);
 return new Val(static_cast(v.size()), TYPE_COUNT);
 %}
@@ -229,11 +229,11 @@ function Comm::set_size%(s: Comm::Data%): count
 ## key: the element to check for existence.
 ##
 ## Returns: true if the key exists in the set.
-function Comm::set_contains%(s: Comm::Data, key: Comm::Data%): bool
+function BrokerComm::set_contains%(s: BrokerComm::Data, key: BrokerComm::Data%): bool
 %{
- auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE,
+ auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE,
 frame);
- auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame);
+ auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame);
 return new Val(v.find(k) != v.end(), TYPE_BOOL);
 %}
@@ -244,11 +244,11 @@ function Comm::set_contains%(s: Comm::Data, key: Comm::Data%): bool
 ## key: the element to insert.
 ##
 ## Returns: true if the key was inserted, or false if it already existed.
-function Comm::set_insert%(s: Comm::Data, key: Comm::Data%): bool
+function BrokerComm::set_insert%(s: BrokerComm::Data, key: BrokerComm::Data%): bool
 %{
- auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE,
+ auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE,
 frame);
- auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame);
+ auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame);
 return new Val(v.insert(k).second, TYPE_BOOL);
 %}
@@ -259,11 +259,11 @@ function Comm::set_insert%(s: Comm::Data, key: Comm::Data%): bool
 ## key: the element to remove.
 ##
 ## Returns: true if the element existed in the set and is now removed.
-function Comm::set_remove%(s: Comm::Data, key: Comm::Data%): bool
+function BrokerComm::set_remove%(s: BrokerComm::Data, key: BrokerComm::Data%): bool
 %{
- auto& v = comm::require_data_type(s->AsRecordVal(), TYPE_TABLE,
+ auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE,
 frame);
- auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame);
+ auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame);
 return new Val(v.erase(k) > 0, TYPE_BOOL);
 %}
@@ -273,9 +273,9 @@ function Comm::set_remove%(s: Comm::Data, key: Comm::Data%): bool
 ## s: the set to iterate over.
 ##
 ## Returns: an iterator.
-function Comm::set_iterator%(s: Comm::Data%): opaque of Comm::SetIterator
+function BrokerComm::set_iterator%(s: BrokerComm::Data%): opaque of BrokerComm::SetIterator
 %{
- return new comm::SetIterator(s->AsRecordVal(), TYPE_TABLE, frame);
+ return new bro_broker::SetIterator(s->AsRecordVal(), TYPE_TABLE, frame);
 %}
 ## Check if there are no more elements to iterate over.
@@ -284,9 +284,9 @@ function Comm::set_iterator%(s: Comm::Data%): opaque of Comm::SetIterator
 ##
 ## Returns: true if there are no more elements to iterator over, i.e.
 ## the iterator is one-past-the-final-element.
-function Comm::set_iterator_last%(it: opaque of Comm::SetIterator%): bool
+function BrokerComm::set_iterator_last%(it: opaque of BrokerComm::SetIterator%): bool
 %{
- auto set_it = static_cast(it);
+ auto set_it = static_cast(it);
 return new Val(set_it->it == set_it->dat.end(), TYPE_BOOL);
 %}
@@ -297,9 +297,9 @@ function Comm::set_iterator_last%(it: opaque of Comm::SetIterator%): bool
 ## Returns: true if the iterator, after advancing, still references an element
 ## in the collection. False if the iterator, after advancing, is
 ## one-past-the-final-element.
-function Comm::set_iterator_next%(it: opaque of Comm::SetIterator%): bool
+function BrokerComm::set_iterator_next%(it: opaque of BrokerComm::SetIterator%): bool
 %{
- auto set_it = static_cast(it);
+ auto set_it = static_cast(it);
 if ( set_it->it == set_it->dat.end() )
 return new Val(false, TYPE_BOOL);
@@ -313,10 +313,10 @@ function Comm::set_iterator_next%(it: opaque of Comm::SetIterator%): bool
 ## it: an iterator.
 ##
 ## Returns: element in the collection that the iterator currently references.
-function Comm::set_iterator_value%(it: opaque of Comm::SetIterator%): Comm::Data
+function BrokerComm::set_iterator_value%(it: opaque of BrokerComm::SetIterator%): BrokerComm::Data
 %{
- auto set_it = static_cast(it);
- auto rval = new RecordVal(BifType::Record::Comm::Data);
+ auto set_it = static_cast(it);
+ auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
 if ( set_it->it == set_it->dat.end() )
 {
@@ -326,14 +326,14 @@ function Comm::set_iterator_value%(it: opaque of Comm::SetIterator%): Comm::Data
 return rval;
 }
- rval->Assign(0, new comm::DataVal(*set_it->it));
+ rval->Assign(0, new bro_broker::DataVal(*set_it->it));
 return rval;
 %}
 ## Create communication data of type "table".
-function Comm::table_create%(%): Comm::Data
+function BrokerComm::table_create%(%): BrokerComm::Data
 %{
- return comm::make_data_val(broker::table());
+ return bro_broker::make_data_val(broker::table());
 %}
 ## Remove all elements within a table.
@@ -341,9 +341,9 @@ function Comm::table_create%(%): Comm::Data
 ## t: the table to clear.
 ##
 ## Returns: always true.
-function Comm::table_clear%(t: Comm::Data%): bool
+function BrokerComm::table_clear%(t: BrokerComm::Data%): bool
 %{
- auto& v = comm::require_data_type(t->AsRecordVal(),
+ auto& v = bro_broker::require_data_type(t->AsRecordVal(),
 TYPE_TABLE, frame);
 v.clear();
 return new Val(true, TYPE_BOOL);
@@ -354,9 +354,9 @@ function Comm::table_clear%(t: Comm::Data%): bool
 ## t: the table to query.
 ##
 ## Returns: the number of elements in the table.
-function Comm::table_size%(t: Comm::Data%): count
+function BrokerComm::table_size%(t: BrokerComm::Data%): count
 %{
- auto& v = comm::require_data_type(t->AsRecordVal(),
+ auto& v = bro_broker::require_data_type(t->AsRecordVal(),
 TYPE_TABLE, frame);
 return new Val(static_cast(v.size()), TYPE_COUNT);
 %}
@@ -368,11 +368,11 @@ function Comm::table_size%(t: Comm::Data%): count
 ## key: the key to check for existence.
 ##
 ## Returns: true if the key exists in the set.
-function Comm::table_contains%(t: Comm::Data, key: Comm::Data%): bool
+function BrokerComm::table_contains%(t: BrokerComm::Data, key: BrokerComm::Data%): bool
 %{
- auto& v = comm::require_data_type(t->AsRecordVal(),
+ auto& v = bro_broker::require_data_type(t->AsRecordVal(),
 TYPE_TABLE, frame);
- auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame);
+ auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame);
 return new Val(v.find(k) != v.end(), TYPE_BOOL);
 %}
@@ -386,24 +386,24 @@ function Comm::table_contains%(t: Comm::Data, key: Comm::Data%): bool
 ##
 ## Returns: true if the key-value pair was inserted, or false if the key
 ## already existed in the table.
-function Comm::table_insert%(t: Comm::Data, key: Comm::Data, val: Comm::Data%): Comm::Data
+function BrokerComm::table_insert%(t: BrokerComm::Data, key: BrokerComm::Data, val: BrokerComm::Data%): BrokerComm::Data
 %{
- auto& table = comm::require_data_type(t->AsRecordVal(),
+ auto& table = bro_broker::require_data_type(t->AsRecordVal(),
 TYPE_TABLE, frame);
- auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame);
- auto& v = comm::opaque_field_to_data(val->AsRecordVal(), frame);
+ auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame);
+ auto& v = bro_broker::opaque_field_to_data(val->AsRecordVal(), frame);
 try
 {
 auto& prev = table.at(k);
- auto rval = comm::make_data_val(move(prev));
+ auto rval = bro_broker::make_data_val(move(prev));
 prev = v;
 return rval;
 }
 catch (const std::out_of_range&)
 {
 table[k] = v;
- return new RecordVal(BifType::Record::Comm::Data);
+ return new RecordVal(BifType::Record::BrokerComm::Data);
 }
 %}
@@ -415,18 +415,18 @@ function Comm::table_insert%(t: Comm::Data, key: Comm::Data, val: Comm::Data%):
 ##
 ## Returns: the value associated with the key. If the key did not exist, then
 ## the optional field of the returned record is not set.
-function Comm::table_remove%(t: Comm::Data, key: Comm::Data%): Comm::Data
+function BrokerComm::table_remove%(t: BrokerComm::Data, key: BrokerComm::Data%): BrokerComm::Data
 %{
- auto& table = comm::require_data_type(t->AsRecordVal(),
+ auto& table = bro_broker::require_data_type(t->AsRecordVal(),
 TYPE_TABLE, frame);
- auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame);
+ auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame);
 auto it = table.find(k);
 if ( it == table.end() )
- return new RecordVal(BifType::Record::Comm::Data);
+ return new RecordVal(BifType::Record::BrokerComm::Data);
 else
 {
- auto rval = comm::make_data_val(move(it->second));
+ auto rval = bro_broker::make_data_val(move(it->second));
 table.erase(it);
 return rval;
 }
@@ -440,17 +440,17 @@ function Comm::table_remove%(t: Comm::Data, key: Comm::Data%): Comm::Data
 ##
 ## Returns: the value associated with the key. If the key did not exist, then
 ## the optional field of the returned record is not set.
-function Comm::table_lookup%(t: Comm::Data, key: Comm::Data%): Comm::Data
+function BrokerComm::table_lookup%(t: BrokerComm::Data, key: BrokerComm::Data%): BrokerComm::Data
 %{
- auto& table = comm::require_data_type(t->AsRecordVal(),
+ auto& table = bro_broker::require_data_type(t->AsRecordVal(),
 TYPE_TABLE, frame);
- auto& k = comm::opaque_field_to_data(key->AsRecordVal(), frame);
+ auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame);
 auto it = table.find(k);
 if ( it == table.end() )
- return new RecordVal(BifType::Record::Comm::Data);
+ return new RecordVal(BifType::Record::BrokerComm::Data);
 else
- return comm::make_data_val(it->second);
+ return bro_broker::make_data_val(it->second);
 %}
 ## Create an iterator for a table. Note that this makes a copy of the table
@@ -459,9 +459,9 @@ function Comm::table_lookup%(t: Comm::Data, key: Comm::Data%): Comm::Data
 ## t: the table to iterate over.
 ##
 ## Returns: an iterator.
-function Comm::table_iterator%(t: Comm::Data%): opaque of Comm::TableIterator
+function BrokerComm::table_iterator%(t: BrokerComm::Data%): opaque of BrokerComm::TableIterator
 %{
- return new comm::TableIterator(t->AsRecordVal(), TYPE_TABLE, frame);
+ return new bro_broker::TableIterator(t->AsRecordVal(), TYPE_TABLE, frame);
 %}
 ## Check if there are no more elements to iterate over.
@@ -470,9 +470,9 @@ function Comm::table_iterator%(t: Comm::Data%): opaque of Comm::TableIterator
 ##
 ## Returns: true if there are no more elements to iterator over, i.e.
 ## the iterator is one-past-the-final-element.
-function Comm::table_iterator_last%(it: opaque of Comm::TableIterator%): bool
+function BrokerComm::table_iterator_last%(it: opaque of BrokerComm::TableIterator%): bool
 %{
- auto ti = static_cast(it);
+ auto ti = static_cast(it);
 return new Val(ti->it == ti->dat.end(), TYPE_BOOL);
 %}
@@ -483,9 +483,9 @@ function Comm::table_iterator_last%(it: opaque of Comm::TableIterator%): bool
 ## Returns: true if the iterator, after advancing, still references an element
 ## in the collection. False if the iterator, after advancing, is
 ## one-past-the-final-element.
-function Comm::table_iterator_next%(it: opaque of Comm::TableIterator%): bool
+function BrokerComm::table_iterator_next%(it: opaque of BrokerComm::TableIterator%): bool
 %{
- auto ti = static_cast(it);
+ auto ti = static_cast(it);
 if ( ti->it == ti->dat.end() )
 return new Val(false, TYPE_BOOL);
@@ -499,12 +499,12 @@ function Comm::table_iterator_next%(it: opaque of Comm::TableIterator%): bool
 ## it: an iterator.
 ##
 ## Returns: element in the collection that the iterator currently references.
-function Comm::table_iterator_value%(it: opaque of Comm::TableIterator%): Comm::TableItem
+function BrokerComm::table_iterator_value%(it: opaque of BrokerComm::TableIterator%): BrokerComm::TableItem
 %{
- auto ti = static_cast(it);
- auto rval = new RecordVal(BifType::Record::Comm::TableItem);
- auto key_val = new RecordVal(BifType::Record::Comm::Data);
- auto val_val = new RecordVal(BifType::Record::Comm::Data);
+ auto ti = static_cast(it);
+ auto rval = new RecordVal(BifType::Record::BrokerComm::TableItem);
+ auto key_val = new RecordVal(BifType::Record::BrokerComm::Data);
+ auto val_val = new RecordVal(BifType::Record::BrokerComm::Data);
 rval->Assign(0, key_val);
 rval->Assign(1, val_val);
@@ -516,15 +516,15 @@ function Comm::table_iterator_value%(it: opaque of Comm::TableIterator%): Comm::
 return rval;
 }
- key_val->Assign(0, new comm::DataVal(ti->it->first));
- val_val->Assign(0, new comm::DataVal(ti->it->second));
+ key_val->Assign(0, new bro_broker::DataVal(ti->it->first));
+ val_val->Assign(0, new bro_broker::DataVal(ti->it->second));
 return rval;
 %}
 ## Create communication data of type "vector".
-function Comm::vector_create%(%): Comm::Data
+function BrokerComm::vector_create%(%): BrokerComm::Data
 %{
- return comm::make_data_val(broker::vector());
+ return bro_broker::make_data_val(broker::vector());
 %}
 ## Remove all elements within a vector.
@@ -532,9 +532,9 @@ function Comm::vector_create%(%): Comm::Data
 ## v: the vector to clear.
 ##
 ## Returns: always true.
-function Comm::vector_clear%(v: Comm::Data%): bool
+function BrokerComm::vector_clear%(v: BrokerComm::Data%): bool
 %{
- auto& vec = comm::require_data_type(v->AsRecordVal(),
+ auto& vec = bro_broker::require_data_type(v->AsRecordVal(),
 TYPE_VECTOR, frame);
 vec.clear();
 return new Val(true, TYPE_BOOL);
@@ -545,9 +545,9 @@ function Comm::vector_clear%(v: Comm::Data%): bool
 ## v: the vector to query.
 ##
 ## Returns: the number of elements in the vector.
-function Comm::vector_size%(v: Comm::Data%): count
+function BrokerComm::vector_size%(v: BrokerComm::Data%): count
 %{
- auto& vec = comm::require_data_type(v->AsRecordVal(),
+ auto& vec = bro_broker::require_data_type(v->AsRecordVal(),
 TYPE_VECTOR, frame);
 return new Val(static_cast(vec.size()), TYPE_COUNT);
 %}
@@ -563,11 +563,11 @@ function Comm::vector_size%(v: Comm::Data%): count
 ## current size of the vector, the element is inserted at the end.
 ##
 ## Returns: always true.
-function Comm::vector_insert%(v: Comm::Data, d: Comm::Data, idx: count%): bool
+function BrokerComm::vector_insert%(v: BrokerComm::Data, d: BrokerComm::Data, idx: count%): bool
 %{
- auto& vec = comm::require_data_type(v->AsRecordVal(),
+ auto& vec = bro_broker::require_data_type(v->AsRecordVal(),
 TYPE_VECTOR, frame);
- auto& item = comm::opaque_field_to_data(d->AsRecordVal(), frame);
+ auto& item = bro_broker::opaque_field_to_data(d->AsRecordVal(), frame);
 idx = min(idx, static_cast(vec.size()));
 vec.insert(vec.begin() + idx, item);
 return new Val(true, TYPE_BOOL);
@@ -583,16 +583,16 @@ function Comm::vector_insert%(v: Comm::Data, d: Comm::Data, idx: count%): bool
 ##
 ## Returns: the value that was just evicted. If the index was larger than any
 ## valid index, the optional field of the returned record is not set.
-function Comm::vector_replace%(v: Comm::Data, d: Comm::Data, idx: count%): Comm::Data
+function BrokerComm::vector_replace%(v: BrokerComm::Data, d: BrokerComm::Data, idx: count%): BrokerComm::Data
 %{
- auto& vec = comm::require_data_type(v->AsRecordVal(),
+ auto& vec = bro_broker::require_data_type(v->AsRecordVal(),
 TYPE_VECTOR, frame);
- auto& item = comm::opaque_field_to_data(d->AsRecordVal(), frame);
+ auto& item = bro_broker::opaque_field_to_data(d->AsRecordVal(), frame);
 if ( idx >= vec.size() )
- return new RecordVal(BifType::Record::Comm::Data);
+ return new RecordVal(BifType::Record::BrokerComm::Data);
- auto rval = comm::make_data_val(move(vec[idx]));
+ auto rval = bro_broker::make_data_val(move(vec[idx]));
 vec[idx] = item;
 return rval;
 %}
@@ -605,15 +605,15 @@ function Comm::vector_replace%(v: Comm::Data, d: Comm::Data, idx: count%): Comm:
 ##
 ## Returns: the value that was just evicted. If the index was larger than any
 ## valid index, the optional field of the returned record is not set.
-function Comm::vector_remove%(v: Comm::Data, idx: count%): Comm::Data
+function BrokerComm::vector_remove%(v: BrokerComm::Data, idx: count%): BrokerComm::Data
 %{
- auto& vec = comm::require_data_type(v->AsRecordVal(),
+ auto& vec = bro_broker::require_data_type(v->AsRecordVal(),
 TYPE_VECTOR, frame);
 if ( idx >= vec.size() )
- return new RecordVal(BifType::Record::Comm::Data);
+ return new RecordVal(BifType::Record::BrokerComm::Data);
- auto rval = comm::make_data_val(move(vec[idx]));
+ auto rval = bro_broker::make_data_val(move(vec[idx]));
 vec.erase(vec.begin() + idx);
 return rval;
 %}
@@ -626,15 +626,15 @@ function Comm::vector_remove%(v: Comm::Data, idx: count%): Comm::Data
 ##
 ## Returns: the value at the index. If the index was larger than any
 ## valid index, the optional field of the returned record is not set.
-function Comm::vector_lookup%(v: Comm::Data, idx: count%): Comm::Data
+function BrokerComm::vector_lookup%(v: BrokerComm::Data, idx: count%): BrokerComm::Data
 %{
- auto& vec = comm::require_data_type(v->AsRecordVal(),
+ auto& vec = bro_broker::require_data_type(v->AsRecordVal(),
 TYPE_VECTOR, frame);
 if ( idx >= vec.size() )
- return new RecordVal(BifType::Record::Comm::Data);
+ return new RecordVal(BifType::Record::BrokerComm::Data);
- return comm::make_data_val(vec[idx]);
+ return bro_broker::make_data_val(vec[idx]);
 %}
 ## Create an iterator for a vector. Note that this makes a copy of the vector
@@ -643,9 +643,9 @@ function Comm::vector_lookup%(v: Comm::Data, idx: count%): Comm::Data
 ## v: the vector to iterate over.
 ##
 ## Returns: an iterator.
-function Comm::vector_iterator%(v: Comm::Data%): opaque of Comm::VectorIterator
+function BrokerComm::vector_iterator%(v: BrokerComm::Data%): opaque of BrokerComm::VectorIterator
 %{
- return new comm::VectorIterator(v->AsRecordVal(), TYPE_VECTOR, frame);
+ return new bro_broker::VectorIterator(v->AsRecordVal(), TYPE_VECTOR, frame);
 %}
 ## Check if there are no more elements to iterate over.
@@ -654,9 +654,9 @@ function Comm::vector_iterator%(v: Comm::Data%): opaque of Comm::VectorIterator
 ##
 ## Returns: true if there are no more elements to iterator over, i.e.
 ## the iterator is one-past-the-final-element.
-function Comm::vector_iterator_last%(it: opaque of Comm::VectorIterator%): bool
+function BrokerComm::vector_iterator_last%(it: opaque of BrokerComm::VectorIterator%): bool
 %{
- auto vi = static_cast(it);
+ auto vi = static_cast(it);
 return new Val(vi->it == vi->dat.end(), TYPE_BOOL);
 %}
@@ -667,9 +667,9 @@ function Comm::vector_iterator_last%(it: opaque of Comm::VectorIterator%): bool
 ## Returns: true if the iterator, after advancing, still references an element
 ## in the collection. False if the iterator, after advancing, is
 ## one-past-the-final-element.
-function Comm::vector_iterator_next%(it: opaque of Comm::VectorIterator%): bool
+function BrokerComm::vector_iterator_next%(it: opaque of BrokerComm::VectorIterator%): bool
 %{
- auto vi = static_cast(it);
+ auto vi = static_cast(it);
 if ( vi->it == vi->dat.end() )
 return new Val(false, TYPE_BOOL);
@@ -683,10 +683,10 @@ function Comm::vector_iterator_next%(it: opaque of Comm::VectorIterator%): bool
 ## it: an iterator.
 ##
 ## Returns: element in the collection that the iterator currently references.
-function Comm::vector_iterator_value%(it: opaque of Comm::VectorIterator%): Comm::Data
+function BrokerComm::vector_iterator_value%(it: opaque of BrokerComm::VectorIterator%): BrokerComm::Data
 %{
- auto vi = static_cast(it);
- auto rval = new RecordVal(BifType::Record::Comm::Data);
+ auto vi = static_cast(it);
+ auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
 if ( vi->it == vi->dat.end() )
 {
@@ -696,7 +696,7 @@ function Comm::vector_iterator_value%(it: opaque of Comm::VectorIterator%): Comm
 return rval;
 }
- rval->Assign(0, new comm::DataVal(*vi->it));
+ rval->Assign(0, new bro_broker::DataVal(*vi->it));
 return rval;
 %}
@@ -705,9 +705,9 @@ function Comm::vector_iterator_value%(it: opaque of Comm::VectorIterator%): Comm
 ## sz: the number of fields in the record.
 ##
 ## Returns: record data, with all fields uninitialized.
-function Comm::record_create%(sz: count%): Comm::Data
+function BrokerComm::record_create%(sz: count%): BrokerComm::Data
 %{
- return comm::make_data_val(broker::record(std::vector(sz)));
+ return bro_broker::make_data_val(broker::record(std::vector(sz)));
 %}
 ## Get the number of fields within a record.
@@ -715,9 +715,9 @@ function Comm::record_create%(sz: count%): Comm::Data
 ## r: the record to query.
 ##
 ## Returns: the number of fields in the record.
-function Comm::record_size%(r: Comm::Data%): count
+function BrokerComm::record_size%(r: BrokerComm::Data%): count
 %{
- auto& v = comm::require_data_type(r->AsRecordVal(),
+ auto& v = bro_broker::require_data_type(r->AsRecordVal(),
 TYPE_RECORD, frame);
 return new Val(static_cast(v.fields.size()), TYPE_COUNT);
 %}
@@ -731,11 +731,11 @@ function Comm::record_size%(r: Comm::Data%): count
 ## idx: the index to replace.
 ##
 ## Returns: false if the index was larger than any valid index, else true.
-function Comm::record_assign%(r: Comm::Data, d: Comm::Data, idx: count%): bool
+function BrokerComm::record_assign%(r: BrokerComm::Data, d: BrokerComm::Data, idx: count%): bool
 %{
- auto& v = comm::require_data_type(r->AsRecordVal(),
+ auto& v = bro_broker::require_data_type(r->AsRecordVal(),
 TYPE_RECORD, frame);
- auto& item = comm::opaque_field_to_data(d->AsRecordVal(), frame);
+ auto& item = bro_broker::opaque_field_to_data(d->AsRecordVal(), frame);
 if ( idx >= v.fields.size() )
 return new Val(false, TYPE_BOOL);
@@ -753,18 +753,18 @@ function Comm::record_assign%(r: Comm::Data, d: Comm::Data, idx: count%): bool
 ## Returns: the value at the index. The optional field of the returned record
 ## may not be set if the field of the record has no value or if the
 ## the index was not valid.
-function Comm::record_lookup%(r: Comm::Data, idx: count%): Comm::Data
+function BrokerComm::record_lookup%(r: BrokerComm::Data, idx: count%): BrokerComm::Data
 %{
- auto& v = comm::require_data_type(r->AsRecordVal(),
+ auto& v = bro_broker::require_data_type(r->AsRecordVal(),
 TYPE_RECORD, frame);
 if ( idx >= v.size() )
- return new RecordVal(BifType::Record::Comm::Data);
+ return new RecordVal(BifType::Record::BrokerComm::Data);
 if ( ! v.fields[idx] )
- return new RecordVal(BifType::Record::Comm::Data);
+ return new RecordVal(BifType::Record::BrokerComm::Data);
- return comm::make_data_val(*v.fields[idx]);
+ return bro_broker::make_data_val(*v.fields[idx]);
 %}
 ## Create an iterator for a record. Note that this makes a copy of the record
@@ -773,9 +773,9 @@ function Comm::record_lookup%(r: Comm::Data, idx: count%): Comm::Data
 ## r: the record to iterate over.
 ##
 ## Returns: an iterator.
-function Comm::record_iterator%(r: Comm::Data%): opaque of Comm::RecordIterator
+function BrokerComm::record_iterator%(r: BrokerComm::Data%): opaque of BrokerComm::RecordIterator
 %{
- return new comm::RecordIterator(r->AsRecordVal(), TYPE_RECORD, frame);
+ return new bro_broker::RecordIterator(r->AsRecordVal(), TYPE_RECORD, frame);
 %}
 ## Check if there are no more elements to iterate over.
@@ -784,9 +784,9 @@ function Comm::record_iterator%(r: Comm::Data%): opaque of Comm::RecordIterator
 ##
 ## Returns: true if there are no more elements to iterator over, i.e.
 ## the iterator is one-past-the-final-element.
-function Comm::record_iterator_last%(it: opaque of Comm::RecordIterator%): bool
+function BrokerComm::record_iterator_last%(it: opaque of BrokerComm::RecordIterator%): bool
 %{
- auto ri = static_cast(it);
+ auto ri = static_cast(it);
 return new Val(ri->it == ri->dat.fields.end(), TYPE_BOOL);
 %}
@@ -797,9 +797,9 @@ function Comm::record_iterator_last%(it: opaque of Comm::RecordIterator%): bool
 ## Returns: true if the iterator, after advancing, still references an element
 ## in the collection. False if the iterator, after advancing, is
 ## one-past-the-final-element.
-function Comm::record_iterator_next%(it: opaque of Comm::RecordIterator%): bool
+function BrokerComm::record_iterator_next%(it: opaque of BrokerComm::RecordIterator%): bool
 %{
- auto ri = static_cast(it);
+ auto ri = static_cast(it);
 if ( ri->it == ri->dat.fields.end() )
 return new Val(false, TYPE_BOOL);
@@ -813,10 +813,10 @@ function Comm::record_iterator_next%(it: opaque of Comm::RecordIterator%): bool
 ## it: an iterator.
 ##
 ## Returns: element in the collection that the iterator currently references.
-function Comm::record_iterator_value%(it: opaque of Comm::RecordIterator%): Comm::Data
+function BrokerComm::record_iterator_value%(it: opaque of BrokerComm::RecordIterator%): BrokerComm::Data
 %{
- auto ri = static_cast(it);
- auto rval = new RecordVal(BifType::Record::Comm::Data);
+ auto ri = static_cast(it);
+ auto rval = new RecordVal(BifType::Record::BrokerComm::Data);
 if ( ri->it == ri->dat.fields.end() )
 {
@@ -829,6 +829,6 @@ function Comm::record_iterator_value%(it: opaque of Comm::RecordIterator%): Comm
 if ( ! *ri->it )
 return rval; // field isn't set
- rval->Assign(0, new comm::DataVal(**ri->it));
+ rval->Assign(0, new bro_broker::DataVal(**ri->it));
 return rval;
 %}
diff --git a/src/comm/messaging.bif b/src/comm/messaging.bif
index faa22c8126..c1d3bfe774 100644
--- a/src/comm/messaging.bif
+++ b/src/comm/messaging.bif
@@ -6,18 +6,18 @@
 #include "logging/Manager.h"
 %%}
-module Comm;
+module BrokerComm;
-type Comm::SendFlags: record;
+type BrokerComm::SendFlags: record;
-type Comm::EventArgs: record;
+type BrokerComm::EventArgs: record;
 ## Used to handle remote print messages from peers that call
-## :bro:see:`Comm::print`.
-event Comm::print_handler%(msg: string%);
+## :bro:see:`BrokerComm::print`.
+event BrokerComm::print_handler%(msg: string%);
 ## Print a simple message to any interested peers. The receiver can use
-## :bro:see:`Comm::print_handler` to handle messages.
+## :bro:see:`BrokerComm::print_handler` to handle messages.
 ##
 ## topic: a topic associated with the printed message.
 ##
@@ -26,50 +26,50 @@ event Comm::print_handler%(msg: string%);
 ## flags: tune the behavior of how the message is sent.
 ##
 ## Returns: true if the message is sent.
-function Comm::print%(topic: string, msg: string, flags: SendFlags &default = SendFlags()%): bool
+function BrokerComm::print%(topic: string, msg: string, flags: SendFlags &default = SendFlags()%): bool
 %{
- auto rval = comm_mgr->Print(topic->CheckString(), msg->CheckString(),
+ auto rval = broker_mgr->Print(topic->CheckString(), msg->CheckString(),
 flags);
 return new Val(rval, TYPE_BOOL);
 %}
 ## Register interest in all peer print messages that use a certain topic prefix.
-## use :bro:see:`Comm::print_handler` to handle received messages.
+## use :bro:see:`BrokerComm::print_handler` to handle received messages.
 ##
 ## topic_prefix: a prefix to match against remote message topics.
 ## e.g. an empty prefix matches everything and "a" matches
 ## "alice" and "amy" but not "bob".
 ##
 ## Returns: true if it's a new print subscription and it is now registered.
-function Comm::subscribe_to_prints%(topic_prefix: string%): bool
+function BrokerComm::subscribe_to_prints%(topic_prefix: string%): bool
 %{
- auto rval = comm_mgr->SubscribeToPrints(topic_prefix->CheckString());
+ auto rval = broker_mgr->SubscribeToPrints(topic_prefix->CheckString());
 return new Val(rval, TYPE_BOOL);
 %}
 ## Unregister interest in all peer print messages that use a topic prefix.
 ##
 ## topic_prefix: a prefix previously supplied to a successful call to
-## :bro:see:`Comm::subscribe_to_prints`.
+## :bro:see:`BrokerComm::subscribe_to_prints`.
 ##
 ## Returns: true if interest in the topic prefix is no longer advertised.
-function Comm::unsubscribe_to_prints%(topic_prefix: string%): bool
+function BrokerComm::unsubscribe_to_prints%(topic_prefix: string%): bool
 %{
- auto rval = comm_mgr->UnsubscribeToPrints(topic_prefix->CheckString());
+ auto rval = broker_mgr->UnsubscribeToPrints(topic_prefix->CheckString());
 return new Val(rval, TYPE_BOOL);
 %}
 ## Create a data structure that may be used to send a remote event via
-## :bro:see:`Comm::event`.
+## :bro:see:`BrokerComm::event`.
 ##
 ## args: an event, followed by a list of argument values that may be used
 ## to call it.
 ##
 ## Returns: opaque communication data that may be used to send a remote event.
-function Comm::event_args%(...%): Comm::EventArgs
+function BrokerComm::event_args%(...%): BrokerComm::EventArgs
 %{
- auto rval = comm_mgr->MakeEventArgs(@ARGS@);
+ auto rval = broker_mgr->MakeEventArgs(@ARGS@);
 return rval;
 %}
@@ -77,15 +77,15 @@ function Comm::event_args%(...%): Comm::EventArgs
 ##
 ## topic: a topic associated with the event message.
 ##
-## args: event arguments as made by :bro:see:`Comm::event_args`.
+## args: event arguments as made by :bro:see:`BrokerComm::event_args`.
 ##
 ## flags: tune the behavior of how the message is sent.
 ##
 ## Returns: true if the message is sent.
-function Comm::event%(topic: string, args: Comm::EventArgs,
+function BrokerComm::event%(topic: string, args: BrokerComm::EventArgs,
 flags: SendFlags &default = SendFlags()%): bool
 %{
- auto rval = comm_mgr->Event(topic->CheckString(), args->AsRecordVal(),
+ auto rval = broker_mgr->Event(topic->CheckString(), args->AsRecordVal(),
 flags);
 return new Val(rval, TYPE_BOOL);
 %}
@@ -102,23 +102,23 @@ function Comm::event%(topic: string, args: Comm::EventArgs,
 ## flags: tune the behavior of how the message is send.
 ##
 ## Returns: true if automatic event sending is now enabled.
-function Comm::auto_event%(topic: string, ev: any,
+function BrokerComm::auto_event%(topic: string, ev: any,
 flags: SendFlags &default = SendFlags()%): bool
 %{
- auto rval = comm_mgr->AutoEvent(topic->CheckString(), ev, flags);
+ auto rval = broker_mgr->AutoEvent(topic->CheckString(), ev, flags);
 return new Val(rval, TYPE_BOOL);
 %}
 ## Stop automatically sending an event to peers upon local dispatch.
 ##
-## topic: a topic originally given to :bro:see:`Comm::auto_event`.
+## topic: a topic originally given to :bro:see:`BrokerComm::auto_event`.
 ##
-## ev: an event originally given to :bro:see:`Comm::auto_event`.
+## ev: an event originally given to :bro:see:`BrokerComm::auto_event`.
 ##
 ## Returns: true if automatic events will no occur for the topic/event pair.
-function Comm::auto_event_stop%(topic: string, ev: any%): bool
+function BrokerComm::auto_event_stop%(topic: string, ev: any%): bool
 %{
- auto rval = comm_mgr->AutoEventStop(topic->CheckString(), ev);
+ auto rval = broker_mgr->AutoEventStop(topic->CheckString(), ev);
 return new Val(rval, TYPE_BOOL);
 %}
@@ -129,21 +129,21 @@ function Comm::auto_event_stop%(topic: string, ev: any%): bool
 ## "alice" and "amy" but not "bob".
 ##
 ## Returns: true if it's a new event subscription and it is now registered.
-function Comm::subscribe_to_events%(topic_prefix: string%): bool
+function BrokerComm::subscribe_to_events%(topic_prefix: string%): bool
 %{
- auto rval = comm_mgr->SubscribeToEvents(topic_prefix->CheckString());
+ auto rval = broker_mgr->SubscribeToEvents(topic_prefix->CheckString());
 return new Val(rval, TYPE_BOOL);
 %}
 ## Unregister interest in all peer event messages that use a topic prefix.
 ##
 ## topic_prefix: a prefix previously supplied to a successful call to
-## :bro:see:`Comm::subscribe_to_events`.
+## :bro:see:`BrokerComm::subscribe_to_events`.
 ##
 ## Returns: true if interest in the topic prefix is no longer advertised.
-function Comm::unsubscribe_to_events%(topic_prefix: string%): bool
+function BrokerComm::unsubscribe_to_events%(topic_prefix: string%): bool
 %{
- auto rval = comm_mgr->UnsubscribeToEvents(topic_prefix->CheckString());
+ auto rval = broker_mgr->UnsubscribeToEvents(topic_prefix->CheckString());
 return new Val(rval, TYPE_BOOL);
 %}
@@ -155,11 +155,11 @@ function Comm::unsubscribe_to_events%(topic_prefix: string%): bool
 ##
 ## Returns: true if remote logs are enabled for the stream.
 function
-Comm::enable_remote_logs%(id: Log::ID,
+BrokerComm::enable_remote_logs%(id: Log::ID,
 flags: SendFlags &default = SendFlags()%): bool
 %{
 auto rval = log_mgr->EnableRemoteLogs(id->AsEnumVal(),
- comm::Manager::send_flags_to_int(flags));
+ bro_broker::Manager::send_flags_to_int(flags));
 return new Val(rval, TYPE_BOOL);
 %}
@@ -168,14 +168,14 @@ Comm::enable_remote_logs%(id: Log::ID,
 ## id: the log stream to disable remote logs for.
 ##
 ## Returns: true if remote logs are disabled for the stream.
-function Comm::disable_remote_logs%(id: Log::ID%): bool
+function BrokerComm::disable_remote_logs%(id: Log::ID%): bool
 %{
 auto rval = log_mgr->DisableRemoteLogs(id->AsEnumVal());
 return new Val(rval, TYPE_BOOL);
 %}
 ## Returns: true if remote logs are enabled for the given stream.
-function Comm::remote_logs_enabled%(id: Log::ID%): bool
+function BrokerComm::remote_logs_enabled%(id: Log::ID%): bool
 %{
 auto rval = log_mgr->RemoteLogsAreEnabled(id->AsEnumVal());
 return new Val(rval, TYPE_BOOL);
@@ -190,9 +190,9 @@ function Comm::remote_logs_enabled%(id: Log::ID%): bool
 ## "alice" and "amy" but not "bob".
 ##
 ## Returns: true if it's a new log subscription and it is now registered.
-function Comm::subscribe_to_logs%(topic_prefix: string%): bool
+function BrokerComm::subscribe_to_logs%(topic_prefix: string%): bool
 %{
- auto rval = comm_mgr->SubscribeToLogs(topic_prefix->CheckString());
+ auto rval = broker_mgr->SubscribeToLogs(topic_prefix->CheckString());
 return new Val(rval, TYPE_BOOL);
 %}
@@ -201,11 +201,11 @@ function Comm::subscribe_to_logs%(topic_prefix: string%): bool
 ## receiving side processes them through the logging framework as usual.
 ##
 ## topic_prefix: a prefix previously supplied to a successful call to
-## :bro:see:`Comm::subscribe_to_logs`.
+## :bro:see:`BrokerComm::subscribe_to_logs`.
 ##
 ## Returns: true if interest in the topic prefix is no longer advertised.
-function Comm::unsubscribe_to_logs%(topic_prefix: string%): bool
+function BrokerComm::unsubscribe_to_logs%(topic_prefix: string%): bool
 %{
- auto rval = comm_mgr->UnsubscribeToLogs(topic_prefix->CheckString());
+ auto rval = broker_mgr->UnsubscribeToLogs(topic_prefix->CheckString());
 return new Val(rval, TYPE_BOOL);
 %}
diff --git a/src/comm/store.bif b/src/comm/store.bif
index 745b044be5..4f6c0570f7 100644
--- a/src/comm/store.bif
+++ b/src/comm/store.bif
@@ -8,13 +8,13 @@
 #include "Trigger.h"
 %%}
-module Store;
+module BrokerStore;
-type Store::ExpiryTime: record;
+type BrokerStore::ExpiryTime: record;
-type Store::QueryResult: record;
+type BrokerStore::QueryResult: record;
-type Store::BackendOptions: record;
+type BrokerStore::BackendOptions: record;
 ## Enumerates the possible storage backends.
 enum BackendType %{
@@ -32,12 +32,12 @@ enum BackendType %{
 ## options: tunes how some storage backends operate.
 ##
 ## Returns: a handle to the data store.
-function Store::create_master%(id: string, b: BackendType &default = MEMORY,
- options: BackendOptions &default = BackendOptions()%): opaque of Store::Handle
+function BrokerStore::create_master%(id: string, b: BackendType &default = MEMORY,
+ options: BackendOptions &default = BackendOptions()%): opaque of BrokerStore::Handle
 %{
 auto id_str = id->CheckString();
- auto type = comm::StoreType::MASTER;
- auto rval = comm_mgr->LookupStore(id_str, type);
+ auto type = bro_broker::StoreType::MASTER;
+ auto rval = broker_mgr->LookupStore(id_str, type);
 if ( rval )
 {
@@ -45,10 +45,10 @@ function Store::create_master%(id: string, b: BackendType &default = MEMORY,
 return rval;
 }
- rval = new comm::StoreHandleVal(id_str, type,
- static_cast(b->AsEnum()),
+ rval = new bro_broker::StoreHandleVal(id_str, type,
+ static_cast(b->AsEnum()),
 options->AsRecordVal());
- assert(comm_mgr->AddStore(rval));
+ assert(broker_mgr->AddStore(rval));
 return rval;
 %}
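Review bot: `assert(broker_mgr->AddStore(rval));` in the create_master hunk still performs the store registration inside the assert condition, so a build that defines NDEBUG compiles the AddStore call away and the new handle is returned without ever being added to the manager. The same line is carried unchanged in the create_clone and create_frontend hunks that follow. Separate the call from the check, e.g. `bool added = broker_mgr->AddStore(rval);` followed by `assert(added);`, or handle a false return explicitly, since the caller only sees an opaque handle and cannot detect the failure. The body of create_master begins in the previous hunk.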
@@ -74,13 +74,13 @@ function Store::create_master%(id: string, b: BackendType &default = MEMORY,
 ## but updates will be lost until the master is once again available.
 ##
 ## Returns: a handle to the data store.
-function Store::create_clone%(id: string, b: BackendType &default = MEMORY,
+function BrokerStore::create_clone%(id: string, b: BackendType &default = MEMORY,
 options: BackendOptions &default = BackendOptions(),
- resync: interval &default = 1sec%): opaque of Store::Handle
+ resync: interval &default = 1sec%): opaque of BrokerStore::Handle
 %{
 auto id_str = id->CheckString();
- auto type = comm::StoreType::CLONE;
- auto rval = comm_mgr->LookupStore(id_str, type);
+ auto type = bro_broker::StoreType::CLONE;
+ auto rval = broker_mgr->LookupStore(id_str, type);
 if ( rval )
 {
@@ -88,11 +88,11 @@ function Store::create_clone%(id: string, b: BackendType &default = MEMORY,
 return rval;
 }
- rval = new comm::StoreHandleVal(id_str, type,
- static_cast(b->AsEnum()),
+ rval = new bro_broker::StoreHandleVal(id_str, type,
+ static_cast(b->AsEnum()),
 options->AsRecordVal(),
 std::chrono::duration(resync));
- assert(comm_mgr->AddStore(rval));
+ assert(broker_mgr->AddStore(rval));
 return rval;
 %}
@@ -102,11 +102,11 @@ function Store::create_clone%(id: string, b: BackendType &default = MEMORY,
 ## id: the unique name which identifies the master data store.
 ##
 ## Returns: a handle to the data store.
-function Store::create_frontend%(id: string%): opaque of Store::Handle
+function BrokerStore::create_frontend%(id: string%): opaque of BrokerStore::Handle
 %{
 auto id_str = id->CheckString();
- auto type = comm::StoreType::FRONTEND;
- auto rval = comm_mgr->LookupStore(id_str, type);
+ auto type = bro_broker::StoreType::FRONTEND;
+ auto rval = broker_mgr->LookupStore(id_str, type);
 if ( rval )
 {
@@ -114,8 +114,8 @@ function Store::create_frontend%(id: string%): opaque of Store::Handle
 return rval;
 }
- rval = new comm::StoreHandleVal(id_str, type, {}, nullptr);
- assert(comm_mgr->AddStore(rval));
+ rval = new bro_broker::StoreHandleVal(id_str, type, {}, nullptr);
+ assert(broker_mgr->AddStore(rval));
 return rval;
 %}
@@ -125,14 +125,14 @@ function Store::create_frontend%(id: string%): opaque of Store::Handle
 ##
 ## Returns: true if store was valid and is now closed. The handle can no
 ## longer be used for data store operations.
-function Store::close_by_handle%(h: opaque of Store::Handle%): bool
+function BrokerStore::close_by_handle%(h: opaque of BrokerStore::Handle%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
- return new Val(comm_mgr->CloseStore(handle->store->id(),
+ return new Val(broker_mgr->CloseStore(handle->store->id(),
 handle->store_type), TYPE_BOOL);
 %}
@@ -151,17 +151,17 @@ function Store::close_by_handle%(h: opaque of Store::Handle%): bool
 ## e: the expiration time of the key-value pair.
 ##
 ## Returns: false if the store handle was not valid.
-function Store::insert%(h: opaque of Store::Handle,
- k: Comm::Data, v: Comm::Data,
- e: Store::ExpiryTime &default = Store::ExpiryTime()%): bool
+function BrokerStore::insert%(h: opaque of BrokerStore::Handle,
+ k: BrokerComm::Data, v: BrokerComm::Data,
+ e: BrokerStore::ExpiryTime &default = BrokerStore::ExpiryTime()%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
- auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame);
- auto& val = comm::opaque_field_to_data(v->AsRecordVal(), frame);
+ auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame);
+ auto& val = bro_broker::opaque_field_to_data(v->AsRecordVal(), frame);
 using broker::store::expiration_time;
@@ -195,14 +195,14 @@ function Store::insert%(h: opaque of Store::Handle,
 ## k: the key to remove.
 ##
 ## Returns: false if the store handle was not valid.
-function Store::erase%(h: opaque of Store::Handle, k: Comm::Data%): bool
+function BrokerStore::erase%(h: opaque of BrokerStore::Handle, k: BrokerComm::Data%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
- auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame);
+ auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame);
 handle->store->erase(key);
 return new Val(true, TYPE_BOOL);
 %}
@@ -212,9 +212,9 @@ function Store::erase%(h: opaque of Store::Handle, k: Comm::Data%): bool
 ## h: the handle of the store to modify.
 ##
 ## Returns: false if the store handle was not valid.
-function Store::clear%(h: opaque of Store::Handle%): bool
+function BrokerStore::clear%(h: opaque of BrokerStore::Handle%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
@@ -233,15 +233,15 @@ function Store::clear%(h: opaque of Store::Handle%): bool
 ## create it with an implicit value of zero before incrementing.
 ##
 ## Returns: false if the store handle was not valid.
-function Store::increment%(h: opaque of Store::Handle,
- k: Comm::Data, by: int &default = +1%): bool
+function BrokerStore::increment%(h: opaque of BrokerStore::Handle,
+ k: BrokerComm::Data, by: int &default = +1%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
- auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame);
+ auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame);
 handle->store->increment(key, by);
 return new Val(true, TYPE_BOOL);
 %}
@@ -256,15 +256,15 @@ function Store::increment%(h: opaque of Store::Handle,
 ## create it with an implicit value of zero before decrementing.
 ##
 ## Returns: false if the store handle was not valid.
-function Store::decrement%(h: opaque of Store::Handle,
- k: Comm::Data, by: int &default = +1%): bool
+function BrokerStore::decrement%(h: opaque of BrokerStore::Handle,
+ k: BrokerComm::Data, by: int &default = +1%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
- auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame);
+ auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame);
 handle->store->decrement(key, by);
 return new Val(true, TYPE_BOOL);
 %}
@@ -279,16 +279,16 @@ function Store::decrement%(h: opaque of Store::Handle,
 ## create it with an implicit empty set value before modifying.
 ##
 ## Returns: false if the store handle was not valid.
-function Store::add_to_set%(h: opaque of Store::Handle,
- k: Comm::Data, element: Comm::Data%): bool
+function BrokerStore::add_to_set%(h: opaque of BrokerStore::Handle,
+ k: BrokerComm::Data, element: BrokerComm::Data%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
- auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame);
- auto& ele = comm::opaque_field_to_data(element->AsRecordVal(), frame);
+ auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame);
+ auto& ele = bro_broker::opaque_field_to_data(element->AsRecordVal(), frame);
 handle->store->add_to_set(key, ele);
 return new Val(true, TYPE_BOOL);
 %}
@@ -303,16 +303,16 @@ function Store::add_to_set%(h: opaque of Store::Handle,
 ## implicitly create an empty set value associated with the key.
 ##
 ## Returns: false if the store handle was not valid.
-function Store::remove_from_set%(h: opaque of Store::Handle,
- k: Comm::Data, element: Comm::Data%): bool
+function BrokerStore::remove_from_set%(h: opaque of BrokerStore::Handle,
+ k: BrokerComm::Data, element: BrokerComm::Data%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
- auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame);
- auto& ele = comm::opaque_field_to_data(element->AsRecordVal(), frame);
+ auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame);
+ auto& ele = bro_broker::opaque_field_to_data(element->AsRecordVal(), frame);
 handle->store->remove_from_set(key, ele);
 return new Val(true, TYPE_BOOL);
 %}
@@ -327,21 +327,21 @@ function Store::remove_from_set%(h: opaque of Store::Handle,
 ## create empty vector value before modifying.
 ##
 ## Returns: the handle of store to modify.
-function Store::push_left%(h: opaque of Store::Handle, k: Comm::Data,
- items: Comm::DataVector%): bool
+function BrokerStore::push_left%(h: opaque of BrokerStore::Handle, k: BrokerComm::Data,
+ items: BrokerComm::DataVector%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
- auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame);
+ auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame);
 broker::vector items_vector;
 auto items_vv = items->AsVector();
 for ( auto i = 0u; i < items_vv->size(); ++i )
 {
- auto& item = comm::opaque_field_to_data((*items_vv)[i]->AsRecordVal(),
+ auto& item = bro_broker::opaque_field_to_data((*items_vv)[i]->AsRecordVal(),
 frame);
 items_vector.emplace_back(item);
 }
@@ -360,21 +360,21 @@ function Store::push_left%(h: opaque of Store::Handle, k: Comm::Data,
 ## create empty vector value before modifying.
 ##
 ## Returns: the handle of store to modify.
-function Store::push_right%(h: opaque of Store::Handle, k: Comm::Data,
- items: Comm::DataVector%): bool
+function BrokerStore::push_right%(h: opaque of BrokerStore::Handle, k: BrokerComm::Data,
+ items: BrokerComm::DataVector%): bool
 %{
- auto handle = static_cast(h);
+ auto handle = static_cast(h);
 if ( ! handle->store )
 return new Val(false, TYPE_BOOL);
- auto& key = comm::opaque_field_to_data(k->AsRecordVal(), frame);
+ auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame);
 broker::vector items_vector;
 auto items_vv = items->AsVector();
 for ( auto i = 0u; i < items_vv->size(); ++i )
 {
- auto& item = comm::opaque_field_to_data((*items_vv)[i]->AsRecordVal(),
+ auto& item = bro_broker::opaque_field_to_data((*items_vv)[i]->AsRecordVal(),
 frame);
 items_vector.emplace_back(item);
 }
@@ -389,11 +389,11 @@ function Store::push_right%(h: opaque of Store::Handle, k: Comm::Data,
 %%{
 static bool prepare_for_query(Val* opaque, Frame* frame,
- comm::StoreHandleVal** handle,
+ bro_broker::StoreHandleVal** handle,
 double* timeout,
- comm::StoreQueryCallback** cb)
+ bro_broker::StoreQueryCallback** cb)
 {
- *handle = static_cast(opaque);
+ *handle = static_cast(opaque);
 if ( ! (*handle)->store )
 return false;
@@ -403,7 +403,7 @@ static bool prepare_for_query(Val* opaque, Frame* frame,
 if ( ! trigger )
 {
 reporter->PushLocation(frame->GetCall()->GetLocationInfo());
- reporter->Error("Store queries can only be called inside when-condition");
+ reporter->Error("BrokerStore queries can only be called inside when-condition");
 reporter->PopLocation();
 return false;
 }
@@ -413,17 +413,17 @@ static bool prepare_for_query(Val* opaque, Frame* frame,
 if ( *timeout < 0 )
 {
 reporter->PushLocation(frame->GetCall()->GetLocationInfo());
- reporter->Error("Store queries must specify a timeout block");
+ reporter->Error("BrokerStore queries must specify a timeout block");
 reporter->PopLocation();
 return false;
 }
 frame->SetDelayed();
 trigger->Hold();
- *cb = new comm::StoreQueryCallback(trigger, frame->GetCall(),
+ *cb = new bro_broker::StoreQueryCallback(trigger, frame->GetCall(),
 (*handle)->store->id(), (*handle)->store_type);
- comm_mgr->TrackStoreQuery(*cb);
+ broker_mgr->TrackStoreQuery(*cb);
 return true;
 }
@@ -436,25 +436,25 @@ static bool prepare_for_query(Val* opaque, Frame* frame,
 ## k: the key associated with the vector to modify.
 ##
 ## Returns: the result of the query.
-function Store::pop_left%(h: opaque of Store::Handle,
- k: Comm::Data%): Store::QueryResult
+function BrokerStore::pop_left%(h: opaque of BrokerStore::Handle,
+ k: BrokerComm::Data%): BrokerStore::QueryResult
 %{
- if ( ! comm_mgr->Enabled() )
- return comm::query_result();
+ if ( ! broker_mgr->Enabled() )
+ return bro_broker::query_result();
 Val* key = k->AsRecordVal()->Lookup(0);
 if ( ! key )
- return comm::query_result();
+ return bro_broker::query_result();
 double timeout;
- comm::StoreQueryCallback* cb;
- comm::StoreHandleVal* handle;
+ bro_broker::StoreQueryCallback* cb;
+ bro_broker::StoreHandleVal* handle;
 if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) )
- return comm::query_result();
+ return bro_broker::query_result();
- handle->store->pop_left(static_cast(key)->data,
+ handle->store->pop_left(static_cast(key)->data,
 std::chrono::duration(timeout), cb);
 return 0;
 %}
@@ -466,25 +466,25 @@ function Store::pop_left%(h: opaque of Store::Handle,
 ## k: the key associated with the vector to modify.
 ##
 ## Returns: the result of the query.
-function Store::pop_right%(h: opaque of Store::Handle,
- k: Comm::Data%): Store::QueryResult
+function BrokerStore::pop_right%(h: opaque of BrokerStore::Handle,
+ k: BrokerComm::Data%): BrokerStore::QueryResult
 %{
- if ( ! comm_mgr->Enabled() )
- return comm::query_result();
+ if ( ! broker_mgr->Enabled() )
+ return bro_broker::query_result();
 Val* key = k->AsRecordVal()->Lookup(0);
 if ( ! key )
- return comm::query_result();
+ return bro_broker::query_result();
 double timeout;
- comm::StoreQueryCallback* cb;
- comm::StoreHandleVal* handle;
+ bro_broker::StoreQueryCallback* cb;
+ bro_broker::StoreHandleVal* handle;
 if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) )
- return comm::query_result();
+ return bro_broker::query_result();
- handle->store->pop_right(static_cast(key)->data,
+ handle->store->pop_right(static_cast(key)->data,
 std::chrono::duration(timeout), cb);
 return 0;
 %}
@@ -496,25 +496,25 @@ function Store::pop_right%(h: opaque of Store::Handle,
 ## k: the key to lookup.
 ##
 ## Returns: the result of the query.
-function Store::lookup%(h: opaque of Store::Handle,
- k: Comm::Data%): Store::QueryResult
+function BrokerStore::lookup%(h: opaque of BrokerStore::Handle,
+ k: BrokerComm::Data%): BrokerStore::QueryResult
 %{
- if ( ! comm_mgr->Enabled() )
- return comm::query_result();
+ if ( ! broker_mgr->Enabled() )
+ return bro_broker::query_result();
 Val* key = k->AsRecordVal()->Lookup(0);
 if ( ! key )
- return comm::query_result();
+ return bro_broker::query_result();
 double timeout;
- comm::StoreQueryCallback* cb;
- comm::StoreHandleVal* handle;
+ bro_broker::StoreQueryCallback* cb;
+ bro_broker::StoreHandleVal* handle;
 if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) )
- return comm::query_result();
+ return bro_broker::query_result();
- handle->store->lookup(static_cast(key)->data,
+ handle->store->lookup(static_cast(key)->data,
 std::chrono::duration(timeout), cb);
 return 0;
 %}
@@ -525,26 +525,26 @@ function Store::lookup%(h: opaque of Store::Handle,
 ##
 ## k: the key to check for existence.
 ##
-## Returns: the result of the query (uses :bro:see:`Comm::BOOL`).
-function Store::exists%(h: opaque of Store::Handle,
- k: Comm::Data%): Store::QueryResult
+## Returns: the result of the query (uses :bro:see:`BrokerComm::BOOL`).
+function BrokerStore::exists%(h: opaque of BrokerStore::Handle,
+ k: BrokerComm::Data%): BrokerStore::QueryResult
 %{
- if ( ! comm_mgr->Enabled() )
- return comm::query_result();
+ if ( ! broker_mgr->Enabled() )
+ return bro_broker::query_result();
 Val* key = k->AsRecordVal()->Lookup(0);
 if ( ! key )
- return comm::query_result();
+ return bro_broker::query_result();
 double timeout;
- comm::StoreQueryCallback* cb;
- comm::StoreHandleVal* handle;
+ bro_broker::StoreQueryCallback* cb;
+ bro_broker::StoreHandleVal* handle;
 if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) )
- return comm::query_result();
+ return bro_broker::query_result();
- handle->store->exists(static_cast(key)->data,
+ handle->store->exists(static_cast(key)->data,
 std::chrono::duration(timeout), cb);
 return 0;
 %}
@@ -553,15 +553,15 @@ function Store::exists%(h: opaque of Store::Handle,
 ##
 ## h: the handle of the store to query.
 ##
-## Returns: the result of the query (uses :bro:see:`Comm::VECTOR`).
-function Store::keys%(h: opaque of Store::Handle%): Store::QueryResult
+## Returns: the result of the query (uses :bro:see:`BrokerComm::VECTOR`).
+function BrokerStore::keys%(h: opaque of BrokerStore::Handle%): BrokerStore::QueryResult
 %{
 double timeout;
- comm::StoreQueryCallback* cb;
- comm::StoreHandleVal* handle;
+ bro_broker::StoreQueryCallback* cb;
+ bro_broker::StoreHandleVal* handle;
 if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) )
- return comm::query_result();
+ return bro_broker::query_result();
 handle->store->keys(std::chrono::duration(timeout), cb);
 return 0;
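Review bot: BrokerStore::keys in the second hunk has no `if ( ! broker_mgr->Enabled() ) return bro_broker::query_result();` guard, whereas pop_left, pop_right, lookup, exists and size in the neighbouring hunks all open with exactly that check; the rename carries the gap forward. Without it a keys() query issued while Broker is disabled appears to go straight into prepare_for_query, which holds the trigger and registers the callback with broker_mgr before any query can run. Add the same two lines as the first statement after `%{` so every store query fails the same way when the manager is disabled.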
@@ -571,18 +571,18 @@ function Store::keys%(h: opaque of Store::Handle%): Store::QueryResult
 ##
 ## h: the handle of the store to query.
 ##
-## Returns: the result of the query (uses :bro:see:`Comm::COUNT`).
-function Store::size%(h: opaque of Store::Handle%): Store::QueryResult
+## Returns: the result of the query (uses :bro:see:`BrokerComm::COUNT`).
+function BrokerStore::size%(h: opaque of BrokerStore::Handle%): BrokerStore::QueryResult
 %{
- if ( ! comm_mgr->Enabled() )
- return comm::query_result();
+ if ( ! broker_mgr->Enabled() )
+ return bro_broker::query_result();
 double timeout;
- comm::StoreQueryCallback* cb;
- comm::StoreHandleVal* handle;
+ bro_broker::StoreQueryCallback* cb;
+ bro_broker::StoreHandleVal* handle;
 if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) )
- return comm::query_result();
+ return bro_broker::query_result();
 handle->store->size(std::chrono::duration(timeout), cb);
 return 0;
diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index 34a8de26ed..63d21a4655 100644
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@@ -844,7 +844,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
 #ifdef ENABLE_BROKER
 if ( stream->enable_remote &&
- ! comm_mgr->Log(id, columns, stream->columns, stream->remote_flags) )
+ ! broker_mgr->Log(id, columns, stream->columns, stream->remote_flags) )
 stream->enable_remote = false;
 #endif
diff --git a/src/main.cc b/src/main.cc
index 13552bbbda..d186e67e4b 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -96,7 +96,7 @@ file_analysis::Manager* file_mgr = 0;
 broxygen::Manager* broxygen_mgr = 0;
 iosource::Manager* iosource_mgr = 0;
 #ifdef ENABLE_BROKER
-comm::Manager* comm_mgr = 0;
+bro_broker::Manager* broker_mgr = 0;
 #endif
 const char* prog;
@@ -860,7 +860,7 @@ int main(int argc, char** argv)
 file_mgr = new file_analysis::Manager();
 #ifdef ENABLE_BROKER
- comm_mgr = new comm::Manager();
+ broker_mgr = new bro_broker::Manager();
 #endif
 plugin_mgr->InitPreScript();
diff --git a/testing/btest/Baseline/comm.clone_store/clone.clone.out b/testing/btest/Baseline/comm.clone_store/clone.clone.out
index 8a7c89a19b..017537fea9 100644
--- a/testing/btest/Baseline/comm.clone_store/clone.clone.out
+++ b/testing/btest/Baseline/comm.clone_store/clone.clone.out
@@ -1,5 +1,5 @@
-clone keys, [status=Store::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
-lookup, one, [status=Store::SUCCESS, result=[d=broker::data{111}]]
-lookup, two, [status=Store::SUCCESS, result=[d=broker::data{222}]]
-lookup, myset, [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup, myvec, [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
+clone keys, [status=BrokerStore::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
+lookup, one, [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]]
+lookup, two, [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
+lookup, myset, [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]]
+lookup, myvec, [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
diff --git a/testing/btest/Baseline/comm.connection_updates/recv.recv.out b/testing/btest/Baseline/comm.connection_updates/recv.recv.out
index 3f2a1a9670..714cbfbac4 100644
--- a/testing/btest/Baseline/comm.connection_updates/recv.recv.out
+++ b/testing/btest/Baseline/comm.connection_updates/recv.recv.out
@@ -1,2 +1,2 @@
-Comm::incoming_connection_established, connector
-Comm::incoming_connection_broken, connector
+BrokerComm::incoming_connection_established, connector
+BrokerComm::incoming_connection_broken, connector
diff --git a/testing/btest/Baseline/comm.connection_updates/send.send.out b/testing/btest/Baseline/comm.connection_updates/send.send.out
index e23422e320..61c988d1c8 100644
--- a/testing/btest/Baseline/comm.connection_updates/send.send.out
+++ b/testing/btest/Baseline/comm.connection_updates/send.send.out
@@ -1 +1 @@
-Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp, listener
+BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp, listener
diff --git a/testing/btest/Baseline/comm.data/out b/testing/btest/Baseline/comm.data/out
index eea78d39a2..628870144a 100644
--- a/testing/btest/Baseline/comm.data/out
+++ b/testing/btest/Baseline/comm.data/out
@@ -1,18 +1,18 @@
-Comm::BOOL
-Comm::INT
-Comm::COUNT
-Comm::DOUBLE
-Comm::STRING
-Comm::ADDR
-Comm::SUBNET
-Comm::PORT
-Comm::TIME
-Comm::INTERVAL
-Comm::ENUM
-Comm::SET
-Comm::TABLE
-Comm::VECTOR
-Comm::RECORD
+BrokerComm::BOOL
+BrokerComm::INT
+BrokerComm::COUNT
+BrokerComm::DOUBLE
+BrokerComm::STRING
+BrokerComm::ADDR
+BrokerComm::SUBNET
+BrokerComm::PORT
+BrokerComm::TIME
+BrokerComm::INTERVAL
+BrokerComm::ENUM
+BrokerComm::SET
+BrokerComm::TABLE
+BrokerComm::VECTOR
+BrokerComm::RECORD
 ***************************
 T
 F
@@ -29,7 +29,7 @@ hello
 22/tcp
 42.0
 180.0
-Comm::BOOL
+BrokerComm::BOOL
 ***************************
 {
 two,
diff --git a/testing/btest/Baseline/comm.master_store/master.out b/testing/btest/Baseline/comm.master_store/master.out
index defdc9a3e1..4208503151 100644
--- a/testing/btest/Baseline/comm.master_store/master.out
+++ b/testing/btest/Baseline/comm.master_store/master.out
@@ -1,14 +1,14 @@
-lookup(two): [status=Store::SUCCESS, result=[d=broker::data{222}]]
-lookup(four): [status=Store::SUCCESS, result=[d=]]
-lookup(myset): [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup(one): [status=Store::SUCCESS, result=[d=broker::data{111}]]
-lookup(myvec): [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
-exists(one): [status=Store::SUCCESS, result=[d=broker::data{1}]]
-exists(two): [status=Store::SUCCESS, result=[d=broker::data{0}]]
-exists(myset): [status=Store::SUCCESS, result=[d=broker::data{1}]]
-exists(four): [status=Store::SUCCESS, result=[d=broker::data{0}]]
-pop_right(myvec): [status=Store::SUCCESS, result=[d=broker::data{omega}]]
-pop_left(myvec): [status=Store::SUCCESS, result=[d=broker::data{delta}]]
-keys: [status=Store::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
-size: [status=Store::SUCCESS, result=[d=broker::data{3}]]
-size (after clear): [status=Store::SUCCESS, result=[d=broker::data{0}]]
+lookup(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
+lookup(four): [status=BrokerStore::SUCCESS, result=[d=]]
+lookup(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]]
+lookup(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]]
+lookup(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
+exists(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]]
+exists(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
+exists(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]]
+exists(four): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
+pop_right(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{omega}]]
+pop_left(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{delta}]]
+keys: [status=BrokerStore::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
+size: [status=BrokerStore::SUCCESS, result=[d=broker::data{3}]]
+size (after clear): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
diff --git a/testing/btest/Baseline/comm.remote_event/send.send.out b/testing/btest/Baseline/comm.remote_event/send.send.out
index 0e529e08fc..a29c1ecd1e 100644
--- a/testing/btest/Baseline/comm.remote_event/send.send.out
+++ b/testing/btest/Baseline/comm.remote_event/send.send.out
@@ -1,4 +1,4 @@
-Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
 got event msg, pong, 0
 got auto event msg, ping, 0
 got event msg, pong, 1
diff --git a/testing/btest/Baseline/comm.remote_log/send.send.out b/testing/btest/Baseline/comm.remote_log/send.send.out
index e2415290d6..d97ef33af1 100644
--- a/testing/btest/Baseline/comm.remote_log/send.send.out
+++ b/testing/btest/Baseline/comm.remote_log/send.send.out
@@ -1 +1 @@
-Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
diff --git a/testing/btest/Baseline/comm.remote_print/send.send.out b/testing/btest/Baseline/comm.remote_print/send.send.out
index 777afdc0d2..65d8ee79b7 100644
--- a/testing/btest/Baseline/comm.remote_print/send.send.out
+++ b/testing/btest/Baseline/comm.remote_print/send.send.out
@@ -1,4 +1,4 @@
-Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
 got print msg, pong 0
 got print msg, pong 1
 got print msg, pong 2
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-connector_bro/output
index 1921e6596a..94ba920a43 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-connector_bro/output
@@ -5,19 +5,19 @@ connecting-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; terminate(); } diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-listener_bro/output index 7516680533..d62ef6d059 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-listener_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-listener_bro/output 
@@ -5,21 +5,21 @@ connecting-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; event bro_init() { - Comm::enable(); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } -event Comm::incoming_connection_broken(peer_name: string) +event BrokerComm::incoming_connection_broken(peer_name: string) { - print "Comm::incoming_connection_broken", peer_name; + print "BrokerComm::incoming_connection_broken", peer_name; terminate(); } diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-connector_bro/output index 434e94d977..1a3dd47515 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-connector_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-connector_bro/output 
@@ -4,31 +4,31 @@ events-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); - Comm::auto_event("bro/event/my_auto_event", my_auto_event); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::auto_event("bro/event/my_auto_event", my_auto_event); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; - Comm::event("bro/event/my_event", Comm::event_args(my_event, "hi", 0)); + BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "hi", 0)); event my_auto_event("stuff", 88); - Comm::event("bro/event/my_event", Comm::event_args(my_event, "...", 1)); + BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "...", 1)); event my_auto_event("more stuff", 51); - Comm::event("bro/event/my_event", Comm::event_args(my_event, "bye", 2)); + BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "bye", 2)); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-listener_bro/output index a8b7c133ff..2b542f424b 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-listener_bro/output 
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-listener_bro/output @@ -5,21 +5,21 @@ events-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; global msg_count = 0; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Comm::enable(); - Comm::subscribe_to_events("bro/event/"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_events("bro/event/"); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } event my_event(msg: string, c: count) diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-connector_bro/output index ae8c3b4ec5..8896075086 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-connector_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-connector_bro/output @@ -6,16 +6,16 @@ logs-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; redef Log::enable_local_logging = F; redef Log::enable_remote_logging = F; global n = 0; event bro_init() { - Comm::enable(); - Comm::enable_remote_logs(Test::LOG); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::enable_remote_logs(Test::LOG); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } event do_write() 
@@ -28,16 +28,16 @@ event do_write() event do_write(); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; event do_write(); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-listener_bro/output index 472229ea04..f13bc5ea3f 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-listener_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-listener_bro/output @@ -6,18 +6,18 @@ logs-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; event bro_init() { - Comm::enable(); - Comm::subscribe_to_logs("bro/log/Test::LOG"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_logs("bro/log/Test::LOG"); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } event Test::log_test(rec: Test::Info) diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-connector_bro/output index b796155c59..c6e5e90727 100644 
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-connector_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-connector_bro/output @@ -4,26 +4,26 @@ printing-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; - Comm::print("bro/print/hi", "hello"); - Comm::print("bro/print/stuff", "..."); - Comm::print("bro/print/bye", "goodbye"); + BrokerComm::print("bro/print/hi", "hello"); + BrokerComm::print("bro/print/stuff", "..."); + BrokerComm::print("bro/print/bye", "goodbye"); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-listener_bro/output index de6741d3c4..88a6c38f5f 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-listener_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-listener_bro/output 
@@ -5,22 +5,22 @@ printing-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; global msg_count = 0; event bro_init() { - Comm::enable(); - Comm::subscribe_to_prints("bro/print/"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_prints("bro/print/"); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } -event Comm::print_handler(msg: string) +event BrokerComm::print_handler(msg: string) { ++msg_count; print "got print message", msg; diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-connector_bro/output index c5268417a6..ec345d5e10 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-connector_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-connector_bro/output 
@@ -5,42 +5,42 @@ stores-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -global h: opaque of Store::Handle; +global h: opaque of BrokerStore::Handle; -function dv(d: Comm::Data): Comm::DataVector +function dv(d: BrokerComm::Data): BrokerComm::DataVector { - local rval: Comm::DataVector; + local rval: BrokerComm::DataVector; rval[0] = d; return rval; } global ready: event(); -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { local myset: set[string] = {"a", "b", "c"}; local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Store::create_master("mystore"); - Store::insert(h, Comm::data("one"), Comm::data(110)); - Store::insert(h, Comm::data("two"), Comm::data(223)); - Store::insert(h, Comm::data("myset"), Comm::data(myset)); - Store::insert(h, Comm::data("myvec"), Comm::data(myvec)); - Store::increment(h, Comm::data("one")); - Store::decrement(h, Comm::data("two")); - Store::add_to_set(h, Comm::data("myset"), Comm::data("d")); - Store::remove_from_set(h, Comm::data("myset"), Comm::data("b")); - Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta"))); - Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega"))); + h = BrokerStore::create_master("mystore"); + BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110)); + BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223)); + BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset)); + BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec)); + BrokerStore::increment(h, BrokerComm::data("one")); + BrokerStore::decrement(h, BrokerComm::data("two")); + BrokerStore::add_to_set(h, BrokerComm::data("myset"), 
BrokerComm::data("d")); + BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b")); + BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta"))); + BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega"))); - when ( local res = Store::size(h) ) + when ( local res = BrokerStore::size(h) ) { print "master size", res; event ready(); @@ -51,7 +51,7 @@ event Comm::outgoing_connection_established(peer_address: string, event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1secs); - Comm::auto_event("bro/event/ready", ready); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1secs); + BrokerComm::auto_event("bro/event/ready", ready); } diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-listener_bro/output index 38dc7ef34f..08b0de4aea 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-listener_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-listener_bro/output @@ -5,13 +5,13 @@ stores-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -global h: opaque of Store::Handle; +global h: opaque of BrokerStore::Handle; global expected_key_count = 4; global key_count = 0; function do_lookup(key: string) { - when ( local res = Store::lookup(h, Comm::data(key)) ) + when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) ) { ++key_count; print "lookup", key, res; 
@@ -25,15 +25,15 @@ function do_lookup(key: string) event ready() { - h = Store::create_clone("mystore"); + h = BrokerStore::create_clone("mystore"); - when ( local res = Store::keys(h) ) + when ( local res = BrokerStore::keys(h) ) { print "clone keys", res; - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 0))); - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 1))); - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 2))); - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 3))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3))); } timeout 10sec { print "timeout"; } @@ -41,7 +41,7 @@ event ready() event bro_init() { - Comm::enable(); - Comm::subscribe_to_events("bro/event/ready"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_events("bro/event/ready"); + BrokerComm::listen(broker_port, "127.0.0.1"); } diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_testlog_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_testlog_bro/output index e37b34c518..e60bd18ecb 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_testlog_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_testlog_bro/output @@ -18,6 +18,6 @@ export { event bro_init() &priority=5 { - Comm::enable(); + BrokerComm::enable(); Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); } diff --git a/testing/btest/comm/clone_store.bro b/testing/btest/comm/clone_store.bro index fbf6b82443..769ab8df58 100644 --- a/testing/btest/comm/clone_store.bro +++ b/testing/btest/comm/clone_store.bro 
@@ -13,7 +13,7 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -global h: opaque of Store::Handle; +global h: opaque of BrokerStore::Handle; global expected_key_count = 4; global key_count = 0; @@ -21,7 +21,7 @@ global query_timeout = 15sec; function do_lookup(key: string) { - when ( local res = Store::lookup(h, Comm::data(key)) ) + when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) ) { ++key_count; print "lookup", key, res; @@ -38,15 +38,15 @@ function do_lookup(key: string) event ready() { - h = Store::create_clone("mystore"); + h = BrokerStore::create_clone("mystore"); - when ( local res = Store::keys(h) ) + when ( local res = BrokerStore::keys(h) ) { print "clone keys", res; - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 0))); - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 1))); - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 2))); - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 3))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3))); } timeout query_timeout { @@ -57,9 +57,9 @@ event ready() event bro_init() { - Comm::enable(); - Comm::subscribe_to_events("bro/event/ready"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_events("bro/event/ready"); + BrokerComm::listen(broker_port, "127.0.0.1"); } @TEST-END-FILE 
@@ -71,42 +71,42 @@ global query_timeout = 15sec; const broker_port: port &redef; redef exit_only_after_terminate = T; -global h: opaque of Store::Handle; +global h: opaque of BrokerStore::Handle; -function dv(d: Comm::Data): Comm::DataVector +function dv(d: BrokerComm::Data): BrokerComm::DataVector { - local rval: Comm::DataVector; + local rval: BrokerComm::DataVector; rval[0] = d; return rval; } global ready: event(); -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { local myset: set[string] = {"a", "b", "c"}; local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Store::create_master("mystore"); - Store::insert(h, Comm::data("one"), Comm::data(110)); - Store::insert(h, Comm::data("two"), Comm::data(223)); - Store::insert(h, Comm::data("myset"), Comm::data(myset)); - Store::insert(h, Comm::data("myvec"), Comm::data(myvec)); - Store::increment(h, Comm::data("one")); - Store::decrement(h, Comm::data("two")); - Store::add_to_set(h, Comm::data("myset"), Comm::data("d")); - Store::remove_from_set(h, Comm::data("myset"), Comm::data("b")); - Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta"))); - Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega"))); + h = BrokerStore::create_master("mystore"); + BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110)); + BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223)); + BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset)); + BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec)); + BrokerStore::increment(h, BrokerComm::data("one")); + BrokerStore::decrement(h, BrokerComm::data("two")); + BrokerStore::add_to_set(h, 
BrokerComm::data("myset"), BrokerComm::data("d")); + BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b")); + BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta"))); + BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega"))); - when ( local res = Store::size(h) ) + when ( local res = BrokerStore::size(h) ) { event ready(); } timeout query_timeout { @@ -117,9 +117,9 @@ event Comm::outgoing_connection_established(peer_address: string, event bro_init() { - Comm::enable(); - Comm::auto_event("bro/event/ready", ready); - Comm::connect("127.0.0.1", broker_port, 1secs); + BrokerComm::enable(); + BrokerComm::auto_event("bro/event/ready", ready); + BrokerComm::connect("127.0.0.1", broker_port, 1secs); } @TEST-END-FILE diff --git a/testing/btest/comm/connection_updates.bro b/testing/btest/comm/connection_updates.bro index 67f66646c9..1bbe90ccb5 100644 --- a/testing/btest/comm/connection_updates.bro +++ b/testing/btest/comm/connection_updates.bro @@ -12,22 +12,22 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; event bro_init() { - Comm::enable(); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name;; + print "BrokerComm::incoming_connection_established", peer_name;; } -event Comm::incoming_connection_broken(peer_name: string) +event BrokerComm::incoming_connection_broken(peer_name: string) { - print "Comm::incoming_connection_broken", peer_name;; + print "BrokerComm::incoming_connection_broken", peer_name;; terminate(); } 
@@ -37,19 +37,19 @@ event Comm::incoming_connection_broken(peer_name: string) const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name;; terminate(); } diff --git a/testing/btest/comm/data.bro b/testing/btest/comm/data.bro index a7de41be7a..bac7242c85 100644 --- a/testing/btest/comm/data.bro +++ b/testing/btest/comm/data.bro 
@@ -13,210 +13,210 @@ type bro_record : record { c: count; }; -function comm_record_to_bro_record_recurse(it: opaque of Comm::RecordIterator, +function comm_record_to_bro_record_recurse(it: opaque of BrokerComm::RecordIterator, rval: bro_record, idx: count): bro_record { - if ( Comm::record_iterator_last(it) ) + if ( BrokerComm::record_iterator_last(it) ) return rval; - local field_value = Comm::record_iterator_value(it); + local field_value = BrokerComm::record_iterator_value(it); if ( field_value?$d ) switch ( idx ) { case 0: - rval$a = Comm::refine_to_string(field_value); + rval$a = BrokerComm::refine_to_string(field_value); break; case 1: - rval$b = Comm::refine_to_string(field_value); + rval$b = BrokerComm::refine_to_string(field_value); break; case 2: - rval$c = Comm::refine_to_count(field_value); + rval$c = BrokerComm::refine_to_count(field_value); break; }; ++idx; - Comm::record_iterator_next(it); + BrokerComm::record_iterator_next(it); return comm_record_to_bro_record_recurse(it, rval, idx); } -function comm_record_to_bro_record(d: Comm::Data): bro_record +function comm_record_to_bro_record(d: BrokerComm::Data): bro_record { - return comm_record_to_bro_record_recurse(Comm::record_iterator(d), + return comm_record_to_bro_record_recurse(BrokerComm::record_iterator(d), bro_record($c = 0), 0); } function -comm_set_to_bro_set_recurse(it: opaque of Comm::SetIterator, +comm_set_to_bro_set_recurse(it: opaque of BrokerComm::SetIterator, rval: bro_set): bro_set { - if ( Comm::set_iterator_last(it) ) + if ( BrokerComm::set_iterator_last(it) ) return rval; - add rval[Comm::refine_to_string(Comm::set_iterator_value(it))]; - Comm::set_iterator_next(it); + add rval[BrokerComm::refine_to_string(BrokerComm::set_iterator_value(it))]; + BrokerComm::set_iterator_next(it); return comm_set_to_bro_set_recurse(it, rval); } -function comm_set_to_bro_set(d: Comm::Data): bro_set +function comm_set_to_bro_set(d: BrokerComm::Data): bro_set { - return 
comm_set_to_bro_set_recurse(Comm::set_iterator(d), bro_set()); + return comm_set_to_bro_set_recurse(BrokerComm::set_iterator(d), bro_set()); } function -comm_table_to_bro_table_recurse(it: opaque of Comm::TableIterator, +comm_table_to_bro_table_recurse(it: opaque of BrokerComm::TableIterator, rval: bro_table): bro_table { - if ( Comm::table_iterator_last(it) ) + if ( BrokerComm::table_iterator_last(it) ) return rval; - local item = Comm::table_iterator_value(it); - rval[Comm::refine_to_string(item$key)] = Comm::refine_to_count(item$val); - Comm::table_iterator_next(it); + local item = BrokerComm::table_iterator_value(it); + rval[BrokerComm::refine_to_string(item$key)] = BrokerComm::refine_to_count(item$val); + BrokerComm::table_iterator_next(it); return comm_table_to_bro_table_recurse(it, rval); } -function comm_table_to_bro_table(d: Comm::Data): bro_table +function comm_table_to_bro_table(d: BrokerComm::Data): bro_table { - return comm_table_to_bro_table_recurse(Comm::table_iterator(d), + return comm_table_to_bro_table_recurse(BrokerComm::table_iterator(d), bro_table()); } -function comm_vector_to_bro_vector_recurse(it: opaque of Comm::VectorIterator, +function comm_vector_to_bro_vector_recurse(it: opaque of BrokerComm::VectorIterator, rval: bro_vector): bro_vector { - if ( Comm::vector_iterator_last(it) ) + if ( BrokerComm::vector_iterator_last(it) ) return rval; - rval[|rval|] = Comm::refine_to_string(Comm::vector_iterator_value(it)); - Comm::vector_iterator_next(it); + rval[|rval|] = BrokerComm::refine_to_string(BrokerComm::vector_iterator_value(it)); + BrokerComm::vector_iterator_next(it); return comm_vector_to_bro_vector_recurse(it, rval); } -function comm_vector_to_bro_vector(d: Comm::Data): bro_vector +function comm_vector_to_bro_vector(d: BrokerComm::Data): bro_vector { - return comm_vector_to_bro_vector_recurse(Comm::vector_iterator(d), + return comm_vector_to_bro_vector_recurse(BrokerComm::vector_iterator(d), bro_vector()); } event bro_init() { 
-Comm::enable(); -print Comm::data_type(Comm::data(T)); -print Comm::data_type(Comm::data(+1)); -print Comm::data_type(Comm::data(1)); -print Comm::data_type(Comm::data(1.1)); -print Comm::data_type(Comm::data("1 (how creative)")); -print Comm::data_type(Comm::data(1.1.1.1)); -print Comm::data_type(Comm::data(1.1.1.1/1)); -print Comm::data_type(Comm::data(1/udp)); -print Comm::data_type(Comm::data(double_to_time(1))); -print Comm::data_type(Comm::data(1sec)); -print Comm::data_type(Comm::data(Comm::BOOL)); +BrokerComm::enable(); +print BrokerComm::data_type(BrokerComm::data(T)); +print BrokerComm::data_type(BrokerComm::data(+1)); +print BrokerComm::data_type(BrokerComm::data(1)); +print BrokerComm::data_type(BrokerComm::data(1.1)); +print BrokerComm::data_type(BrokerComm::data("1 (how creative)")); +print BrokerComm::data_type(BrokerComm::data(1.1.1.1)); +print BrokerComm::data_type(BrokerComm::data(1.1.1.1/1)); +print BrokerComm::data_type(BrokerComm::data(1/udp)); +print BrokerComm::data_type(BrokerComm::data(double_to_time(1))); +print BrokerComm::data_type(BrokerComm::data(1sec)); +print BrokerComm::data_type(BrokerComm::data(BrokerComm::BOOL)); local s: bro_set = bro_set("one", "two", "three"); local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3); local v: bro_vector = bro_vector("zero", "one", "two"); local r: bro_record = bro_record($c = 1); -print Comm::data_type(Comm::data(s)); -print Comm::data_type(Comm::data(t)); -print Comm::data_type(Comm::data(v)); -print Comm::data_type(Comm::data(r)); +print BrokerComm::data_type(BrokerComm::data(s)); +print BrokerComm::data_type(BrokerComm::data(t)); +print BrokerComm::data_type(BrokerComm::data(v)); +print BrokerComm::data_type(BrokerComm::data(r)); print "***************************"; -print Comm::refine_to_bool(Comm::data(T)); -print Comm::refine_to_bool(Comm::data(F)); -print Comm::refine_to_int(Comm::data(+1)); -print Comm::refine_to_int(Comm::data(+0)); -print 
Comm::refine_to_int(Comm::data(-1)); -print Comm::refine_to_count(Comm::data(1)); -print Comm::refine_to_count(Comm::data(0)); -print Comm::refine_to_double(Comm::data(1.1)); -print Comm::refine_to_double(Comm::data(-11.1)); -print Comm::refine_to_string(Comm::data("hello")); -print Comm::refine_to_addr(Comm::data(1.2.3.4)); -print Comm::refine_to_subnet(Comm::data(192.168.1.1/16)); -print Comm::refine_to_port(Comm::data(22/tcp)); -print Comm::refine_to_time(Comm::data(double_to_time(42))); -print Comm::refine_to_interval(Comm::data(3min)); -print Comm::refine_to_enum_name(Comm::data(Comm::BOOL)); +print BrokerComm::refine_to_bool(BrokerComm::data(T)); +print BrokerComm::refine_to_bool(BrokerComm::data(F)); +print BrokerComm::refine_to_int(BrokerComm::data(+1)); +print BrokerComm::refine_to_int(BrokerComm::data(+0)); +print BrokerComm::refine_to_int(BrokerComm::data(-1)); +print BrokerComm::refine_to_count(BrokerComm::data(1)); +print BrokerComm::refine_to_count(BrokerComm::data(0)); +print BrokerComm::refine_to_double(BrokerComm::data(1.1)); +print BrokerComm::refine_to_double(BrokerComm::data(-11.1)); +print BrokerComm::refine_to_string(BrokerComm::data("hello")); +print BrokerComm::refine_to_addr(BrokerComm::data(1.2.3.4)); +print BrokerComm::refine_to_subnet(BrokerComm::data(192.168.1.1/16)); +print BrokerComm::refine_to_port(BrokerComm::data(22/tcp)); +print BrokerComm::refine_to_time(BrokerComm::data(double_to_time(42))); +print BrokerComm::refine_to_interval(BrokerComm::data(3min)); +print BrokerComm::refine_to_enum_name(BrokerComm::data(BrokerComm::BOOL)); print "***************************"; -local cs = Comm::data(s); +local cs = BrokerComm::data(s); print comm_set_to_bro_set(cs); -cs = Comm::set_create(); -print Comm::set_size(cs); -print Comm::set_insert(cs, Comm::data("hi")); -print Comm::set_size(cs); -print Comm::set_contains(cs, Comm::data("hi")); -print Comm::set_contains(cs, Comm::data("bye")); -print Comm::set_insert(cs, Comm::data("bye")); -print 
Comm::set_size(cs); -print Comm::set_remove(cs, Comm::data("hi")); -print Comm::set_size(cs); -print Comm::set_remove(cs, Comm::data("hi")); +cs = BrokerComm::set_create(); +print BrokerComm::set_size(cs); +print BrokerComm::set_insert(cs, BrokerComm::data("hi")); +print BrokerComm::set_size(cs); +print BrokerComm::set_contains(cs, BrokerComm::data("hi")); +print BrokerComm::set_contains(cs, BrokerComm::data("bye")); +print BrokerComm::set_insert(cs, BrokerComm::data("bye")); +print BrokerComm::set_size(cs); +print BrokerComm::set_remove(cs, BrokerComm::data("hi")); +print BrokerComm::set_size(cs); +print BrokerComm::set_remove(cs, BrokerComm::data("hi")); print comm_set_to_bro_set(cs); -Comm::set_clear(cs); -print Comm::set_size(cs); +BrokerComm::set_clear(cs); +print BrokerComm::set_size(cs); print "***************************"; -local ct = Comm::data(t); +local ct = BrokerComm::data(t); print comm_table_to_bro_table(ct); -ct = Comm::table_create(); -print Comm::table_size(ct); -print Comm::table_insert(ct, Comm::data("hi"), Comm::data(42)); -print Comm::table_size(ct); -print Comm::table_contains(ct, Comm::data("hi")); -print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("hi"))); -print Comm::table_contains(ct, Comm::data("bye")); -print Comm::table_insert(ct, Comm::data("bye"), Comm::data(7)); -print Comm::table_size(ct); -print Comm::table_insert(ct, Comm::data("bye"), Comm::data(37)); -print Comm::table_size(ct); -print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("bye"))); -print Comm::table_remove(ct, Comm::data("hi")); -print Comm::table_size(ct); +ct = BrokerComm::table_create(); +print BrokerComm::table_size(ct); +print BrokerComm::table_insert(ct, BrokerComm::data("hi"), BrokerComm::data(42)); +print BrokerComm::table_size(ct); +print BrokerComm::table_contains(ct, BrokerComm::data("hi")); +print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("hi"))); +print BrokerComm::table_contains(ct, 
BrokerComm::data("bye")); +print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(7)); +print BrokerComm::table_size(ct); +print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(37)); +print BrokerComm::table_size(ct); +print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("bye"))); +print BrokerComm::table_remove(ct, BrokerComm::data("hi")); +print BrokerComm::table_size(ct); print "***************************"; -local cv = Comm::data(v); +local cv = BrokerComm::data(v); print comm_vector_to_bro_vector(cv); -cv = Comm::vector_create(); -print Comm::vector_size(cv); -print Comm::vector_insert(cv, Comm::data("hi"), 0); -print Comm::vector_insert(cv, Comm::data("hello"), 1); -print Comm::vector_insert(cv, Comm::data("greetings"), 2); -print Comm::vector_insert(cv, Comm::data("salutations"), 1); +cv = BrokerComm::vector_create(); +print BrokerComm::vector_size(cv); +print BrokerComm::vector_insert(cv, BrokerComm::data("hi"), 0); +print BrokerComm::vector_insert(cv, BrokerComm::data("hello"), 1); +print BrokerComm::vector_insert(cv, BrokerComm::data("greetings"), 2); +print BrokerComm::vector_insert(cv, BrokerComm::data("salutations"), 1); print comm_vector_to_bro_vector(cv); -print Comm::vector_size(cv); -print Comm::vector_replace(cv, Comm::data("bah"), 2); -print Comm::vector_lookup(cv, 2); -print Comm::vector_lookup(cv, 0); +print BrokerComm::vector_size(cv); +print BrokerComm::vector_replace(cv, BrokerComm::data("bah"), 2); +print BrokerComm::vector_lookup(cv, 2); +print BrokerComm::vector_lookup(cv, 0); print comm_vector_to_bro_vector(cv); -print Comm::vector_remove(cv, 2); +print BrokerComm::vector_remove(cv, 2); print comm_vector_to_bro_vector(cv); -print Comm::vector_size(cv); +print BrokerComm::vector_size(cv); print "***************************"; -local cr = Comm::data(r); +local cr = BrokerComm::data(r); print comm_record_to_bro_record(cr); r$a = "test"; -cr = Comm::data(r); +cr = 
BrokerComm::data(r); print comm_record_to_bro_record(cr); r$b = "testagain"; -cr = Comm::data(r); +cr = BrokerComm::data(r); print comm_record_to_bro_record(cr); -cr = Comm::record_create(3); -print Comm::record_size(cr); -print Comm::record_assign(cr, Comm::data("hi"), 0); -print Comm::record_assign(cr, Comm::data("hello"), 1); -print Comm::record_assign(cr, Comm::data(37), 2); -print Comm::record_lookup(cr, 0); -print Comm::record_lookup(cr, 1); -print Comm::record_lookup(cr, 2); -print Comm::record_size(cr); +cr = BrokerComm::record_create(3); +print BrokerComm::record_size(cr); +print BrokerComm::record_assign(cr, BrokerComm::data("hi"), 0); +print BrokerComm::record_assign(cr, BrokerComm::data("hello"), 1); +print BrokerComm::record_assign(cr, BrokerComm::data(37), 2); +print BrokerComm::record_lookup(cr, 0); +print BrokerComm::record_lookup(cr, 1); +print BrokerComm::record_lookup(cr, 2); +print BrokerComm::record_size(cr); } diff --git a/testing/btest/comm/master_store.bro b/testing/btest/comm/master_store.bro index bf1919a510..2672043f62 100644 --- a/testing/btest/comm/master_store.bro +++ b/testing/btest/comm/master_store.bro @@ -6,7 +6,7 @@ redef exit_only_after_terminate = T; -global h: opaque of Store::Handle; +global h: opaque of BrokerStore::Handle; global lookup_count = 0; const lookup_expect_count = 5; global exists_count = 0; @@ -20,13 +20,13 @@ global query_timeout = 5sec; event test_clear() { - Store::clear(h); + BrokerStore::clear(h); event test_size("after clear"); } event test_size(where: string) { - when ( local res = Store::size(h) ) + when ( local res = BrokerStore::size(h) ) { if ( where == "" ) { @@ -52,7 +52,7 @@ event test_size(where: string) event test_keys() { - when ( local res = Store::keys(h) ) + when ( local res = BrokerStore::keys(h) ) { print fmt("keys: %s", res); event test_size(); 
@@ -66,7 +66,7 @@ event test_keys() event test_pop(key: string) { - when ( local lres = Store::pop_left(h, Comm::data(key)) ) + when ( local lres = BrokerStore::pop_left(h, BrokerComm::data(key)) ) { print fmt("pop_left(%s): %s", key, lres); ++pop_count; @@ -83,7 +83,7 @@ event test_pop(key: string) event test_keys(); } - when ( local rres = Store::pop_right(h, Comm::data(key)) ) + when ( local rres = BrokerStore::pop_right(h, BrokerComm::data(key)) ) { print fmt("pop_right(%s): %s", key, rres); ++pop_count; @@ -103,7 +103,7 @@ event test_pop(key: string) function do_exists(key: string) { - when ( local res = Store::exists(h, Comm::data(key)) ) + when ( local res = BrokerStore::exists(h, BrokerComm::data(key)) ) { print fmt("exists(%s): %s", key, res); ++exists_count; @@ -123,7 +123,7 @@ function do_exists(key: string) event test_erase() { - Store::erase(h, Comm::data("two")); + BrokerStore::erase(h, BrokerComm::data("two")); do_exists("one"); do_exists("two"); do_exists("myset"); @@ -132,7 +132,7 @@ event test_erase() function do_lookup(key: string) { - when ( local res = Store::lookup(h, Comm::data(key)) ) + when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) ) { print fmt("lookup(%s): %s", key, res); ++lookup_count; 
@@ -150,29 +150,29 @@ function do_lookup(key: string) } } -function dv(d: Comm::Data): Comm::DataVector +function dv(d: BrokerComm::Data): BrokerComm::DataVector { - local rval: Comm::DataVector; + local rval: BrokerComm::DataVector; rval[0] = d; return rval; } event bro_init() { - Comm::enable(); + BrokerComm::enable(); local myset: set[string] = {"a", "b", "c"}; local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Store::create_master("master"); - Store::insert(h, Comm::data("one"), Comm::data(110)); - Store::insert(h, Comm::data("two"), Comm::data(223)); - Store::insert(h, Comm::data("myset"), Comm::data(myset)); - Store::insert(h, Comm::data("myvec"), Comm::data(myvec)); - Store::increment(h, Comm::data("one")); - Store::decrement(h, Comm::data("two")); - Store::add_to_set(h, Comm::data("myset"), Comm::data("d")); - Store::remove_from_set(h, Comm::data("myset"), Comm::data("b")); - Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta"))); - Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega"))); + h = BrokerStore::create_master("master"); + BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110)); + BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223)); + BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset)); + BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec)); + BrokerStore::increment(h, BrokerComm::data("one")); + BrokerStore::decrement(h, BrokerComm::data("two")); + BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d")); + BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b")); + BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta"))); + BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega"))); do_lookup("one"); do_lookup("two"); do_lookup("myset"); 
diff --git a/testing/btest/comm/remote_event.test b/testing/btest/comm/remote_event.test
index 8950cb9e1e..6dbf8e77a0 100644
--- a/testing/btest/comm/remote_event.test
+++ b/testing/btest/comm/remote_event.test
@@ -18,10 +18,10 @@ global auto_event_handler: event(msg: string, c: count); event bro_init() { - Comm::enable(); - Comm::subscribe_to_events("bro/event/"); - Comm::auto_event("bro/event/my_topic", auto_event_handler); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_events("bro/event/"); + BrokerComm::auto_event("bro/event/my_topic", auto_event_handler); + BrokerComm::listen(broker_port, "127.0.0.1"); } global event_count = 0;
@@ -39,8 +39,8 @@ event event_handler(msg: string, n: count) } event auto_event_handler(msg, n); - local args = Comm::event_args(event_handler, "pong", n); - Comm::event("bro/event/my_topic", args); + local args = BrokerComm::event_args(event_handler, "pong", n); + BrokerComm::event("bro/event/my_topic", args); } @TEST-END-FILE 
@@ -55,24 +55,24 @@ global auto_event_handler: event(msg: string, c: count); event bro_init() { - Comm::enable(); - Comm::subscribe_to_events("bro/event/my_topic"); - Comm::connect("127.0.0.1", broker_port, 1secs); + BrokerComm::enable(); + BrokerComm::subscribe_to_events("bro/event/my_topic"); + BrokerComm::connect("127.0.0.1", broker_port, 1secs); } global event_count = 0; -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", peer_address, peer_port; - local args = Comm::event_args(event_handler, "ping", event_count); - Comm::event("bro/event/hi", args); + print "BrokerComm::outgoing_connection_established", peer_address, peer_port; + local args = BrokerComm::event_args(event_handler, "ping", event_count); + BrokerComm::event("bro/event/hi", args); ++event_count; } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); @@ -81,8 +81,8 @@ event Comm::outgoing_connection_broken(peer_address: string, event event_handler(msg: string, n: count) { print "got event msg", msg, n; - local args = Comm::event_args(event_handler, "ping", event_count); - Comm::event("bro/event/hi", args); + local args = BrokerComm::event_args(event_handler, "ping", event_count); + BrokerComm::event("bro/event/hi", args); ++event_count; } diff --git a/testing/btest/comm/remote_log.test b/testing/btest/comm/remote_log.test index dbd30e5b0b..d481f0ae25 100644 --- a/testing/btest/comm/remote_log.test +++ b/testing/btest/comm/remote_log.test @@ -28,7 +28,7 @@ export { event bro_init() &priority=5 { - Comm::enable(); + BrokerComm::enable(); Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); } 
@@ -41,8 +41,8 @@ redef exit_only_after_terminate = T; event bro_init() { - Comm::subscribe_to_logs("bro/log/"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::subscribe_to_logs("bro/log/"); + BrokerComm::listen(broker_port, "127.0.0.1"); } event Test::log_test(rec: Test::Info) @@ -62,8 +62,8 @@ redef exit_only_after_terminate = T; event bro_init() { - Comm::enable_remote_logs(Test::LOG); - Comm::connect("127.0.0.1", broker_port, 1secs); + BrokerComm::enable_remote_logs(Test::LOG); + BrokerComm::connect("127.0.0.1", broker_port, 1secs); } global n = 0; @@ -80,15 +80,15 @@ event do_write() } } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", peer_address, peer_port; + print "BrokerComm::outgoing_connection_established", peer_address, peer_port; event do_write(); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/testing/btest/comm/remote_print.test b/testing/btest/comm/remote_print.test index d77bc92e9c..b6430ec3be 100644 --- a/testing/btest/comm/remote_print.test +++ b/testing/btest/comm/remote_print.test @@ -15,16 +15,16 @@ redef exit_only_after_terminate = T; event bro_init() { - Comm::enable(); - Comm::listen(broker_port, "127.0.0.1"); - Comm::subscribe_to_prints("bro/print/"); + BrokerComm::enable(); + BrokerComm::listen(broker_port, "127.0.0.1"); + BrokerComm::subscribe_to_prints("bro/print/"); } global messages_to_recv = 6; global messages_sent = 0; global messages_recv = 0; -event Comm::print_handler(msg: string) +event BrokerComm::print_handler(msg: string) { ++messages_recv; print "got print msg", msg; 
@@ -35,7 +35,7 @@ event Comm::print_handler(msg: string) return; } - Comm::print("bro/print/my_topic", fmt("pong %d", messages_sent)); + BrokerComm::print("bro/print/my_topic", fmt("pong %d", messages_sent)); ++messages_sent; } @@ -48,35 +48,35 @@ redef exit_only_after_terminate = T; event bro_init() { - Comm::enable(); - Comm::subscribe_to_prints("bro/print/my_topic"); - Comm::connect("127.0.0.1", broker_port, 1secs); + BrokerComm::enable(); + BrokerComm::subscribe_to_prints("bro/print/my_topic"); + BrokerComm::connect("127.0.0.1", broker_port, 1secs); } global messages_sent = 0; global messages_recv = 0; global peer_disconnected = F; -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", peer_address, peer_port; - Comm::print("bro/print/hi", fmt("ping %d", messages_sent)); + print "BrokerComm::outgoing_connection_established", peer_address, peer_port; + BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent)); ++messages_sent; } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); } -event Comm::print_handler(msg: string) +event BrokerComm::print_handler(msg: string) { ++messages_recv; print "got print msg", msg; - Comm::print("bro/print/hi", fmt("ping %d", messages_sent)); + BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent)); ++messages_sent; } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-connector_bro.btest index 1921e6596a..94ba920a43 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-connector_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-connector_bro.btest 
@@ -5,19 +5,19 @@ connecting-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; terminate(); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-listener_bro.btest index 7516680533..d62ef6d059 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-listener_bro.btest @@ -5,21 +5,21 @@ connecting-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; event bro_init() { - Comm::enable(); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } -event Comm::incoming_connection_broken(peer_name: string) +event BrokerComm::incoming_connection_broken(peer_name: string) { - print "Comm::incoming_connection_broken", peer_name; + print "BrokerComm::incoming_connection_broken", peer_name; terminate(); } 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-connector_bro.btest
index 434e94d977..1a3dd47515 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-connector_bro.btest
@@ -4,31 +4,31 @@ events-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); - Comm::auto_event("bro/event/my_auto_event", my_auto_event); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::auto_event("bro/event/my_auto_event", my_auto_event); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; - Comm::event("bro/event/my_event", Comm::event_args(my_event, "hi", 0)); + BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "hi", 0)); event my_auto_event("stuff", 88); - Comm::event("bro/event/my_event", Comm::event_args(my_event, "...", 1)); + BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "...", 1)); event my_auto_event("more stuff", 51); - Comm::event("bro/event/my_event", Comm::event_args(my_event, "bye", 2)); + BrokerComm::event("bro/event/my_event", BrokerComm::event_args(my_event, "bye", 2)); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-listener_bro.btest index a8b7c133ff..2b542f424b 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-listener_bro.btest 
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-listener_bro.btest @@ -5,21 +5,21 @@ events-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; global msg_count = 0; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Comm::enable(); - Comm::subscribe_to_events("bro/event/"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_events("bro/event/"); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } event my_event(msg: string, c: count) diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-connector_bro.btest index ae8c3b4ec5..8896075086 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-connector_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-connector_bro.btest @@ -6,16 +6,16 @@ logs-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; redef Log::enable_local_logging = F; redef Log::enable_remote_logging = F; global n = 0; event bro_init() { - Comm::enable(); - Comm::enable_remote_logs(Test::LOG); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::enable_remote_logs(Test::LOG); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } event do_write() 
@@ -28,16 +28,16 @@ event do_write() event do_write(); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; event do_write(); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-listener_bro.btest index 472229ea04..f13bc5ea3f 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-listener_bro.btest @@ -6,18 +6,18 @@ logs-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; event bro_init() { - Comm::enable(); - Comm::subscribe_to_logs("bro/log/Test::LOG"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_logs("bro/log/Test::LOG"); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } event Test::log_test(rec: Test::Info) diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-connector_bro.btest index b796155c59..c6e5e90727 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-connector_bro.btest 
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-connector_bro.btest @@ -4,26 +4,26 @@ printing-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "connector"; +redef BrokerComm::endpoint_name = "connector"; event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1sec); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1sec); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { - print "Comm::outgoing_connection_established", + print "BrokerComm::outgoing_connection_established", peer_address, peer_port, peer_name; - Comm::print("bro/print/hi", "hello"); - Comm::print("bro/print/stuff", "..."); - Comm::print("bro/print/bye", "goodbye"); + BrokerComm::print("bro/print/hi", "hello"); + BrokerComm::print("bro/print/stuff", "..."); + BrokerComm::print("bro/print/bye", "goodbye"); } -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-listener_bro.btest index de6741d3c4..88a6c38f5f 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-listener_bro.btest 
@@ -5,22 +5,22 @@ printing-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -redef Comm::endpoint_name = "listener"; +redef BrokerComm::endpoint_name = "listener"; global msg_count = 0; event bro_init() { - Comm::enable(); - Comm::subscribe_to_prints("bro/print/"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_prints("bro/print/"); + BrokerComm::listen(broker_port, "127.0.0.1"); } -event Comm::incoming_connection_established(peer_name: string) +event BrokerComm::incoming_connection_established(peer_name: string) { - print "Comm::incoming_connection_established", peer_name; + print "BrokerComm::incoming_connection_established", peer_name; } -event Comm::print_handler(msg: string) +event BrokerComm::print_handler(msg: string) { ++msg_count; print "got print message", msg; diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-connector_bro.btest index c5268417a6..ec345d5e10 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-connector_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-connector_bro.btest 
@@ -5,42 +5,42 @@ stores-connector.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -global h: opaque of Store::Handle; +global h: opaque of BrokerStore::Handle; -function dv(d: Comm::Data): Comm::DataVector +function dv(d: BrokerComm::Data): BrokerComm::DataVector { - local rval: Comm::DataVector; + local rval: BrokerComm::DataVector; rval[0] = d; return rval; } global ready: event(); -event Comm::outgoing_connection_broken(peer_address: string, +event BrokerComm::outgoing_connection_broken(peer_address: string, peer_port: port) { terminate(); } -event Comm::outgoing_connection_established(peer_address: string, +event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) { local myset: set[string] = {"a", "b", "c"}; local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Store::create_master("mystore"); - Store::insert(h, Comm::data("one"), Comm::data(110)); - Store::insert(h, Comm::data("two"), Comm::data(223)); - Store::insert(h, Comm::data("myset"), Comm::data(myset)); - Store::insert(h, Comm::data("myvec"), Comm::data(myvec)); - Store::increment(h, Comm::data("one")); - Store::decrement(h, Comm::data("two")); - Store::add_to_set(h, Comm::data("myset"), Comm::data("d")); - Store::remove_from_set(h, Comm::data("myset"), Comm::data("b")); - Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta"))); - Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega"))); + h = BrokerStore::create_master("mystore"); + BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110)); + BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223)); + BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset)); + BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec)); + BrokerStore::increment(h, BrokerComm::data("one")); + BrokerStore::decrement(h, BrokerComm::data("two")); + BrokerStore::add_to_set(h, BrokerComm::data("myset"), 
BrokerComm::data("d")); + BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b")); + BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta"))); + BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega"))); - when ( local res = Store::size(h) ) + when ( local res = BrokerStore::size(h) ) { print "master size", res; event ready(); @@ -51,7 +51,7 @@ event Comm::outgoing_connection_established(peer_address: string, event bro_init() { - Comm::enable(); - Comm::connect("127.0.0.1", broker_port, 1secs); - Comm::auto_event("bro/event/ready", ready); + BrokerComm::enable(); + BrokerComm::connect("127.0.0.1", broker_port, 1secs); + BrokerComm::auto_event("bro/event/ready", ready); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-listener_bro.btest index 38dc7ef34f..08b0de4aea 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-listener_bro.btest @@ -5,13 +5,13 @@ stores-listener.bro const broker_port: port &redef; redef exit_only_after_terminate = T; -global h: opaque of Store::Handle; +global h: opaque of BrokerStore::Handle; global expected_key_count = 4; global key_count = 0; function do_lookup(key: string) { - when ( local res = Store::lookup(h, Comm::data(key)) ) + when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) ) { ++key_count; print "lookup", key, res; 
@@ -25,15 +25,15 @@ function do_lookup(key: string) event ready() { - h = Store::create_clone("mystore"); + h = BrokerStore::create_clone("mystore"); - when ( local res = Store::keys(h) ) + when ( local res = BrokerStore::keys(h) ) { print "clone keys", res; - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 0))); - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 1))); - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 2))); - do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 3))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2))); + do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3))); } timeout 10sec { print "timeout"; } @@ -41,7 +41,7 @@ event ready() event bro_init() { - Comm::enable(); - Comm::subscribe_to_events("bro/event/ready"); - Comm::listen(broker_port, "127.0.0.1"); + BrokerComm::enable(); + BrokerComm::subscribe_to_events("bro/event/ready"); + BrokerComm::listen(broker_port, "127.0.0.1"); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_testlog_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_comm_testlog_bro.btest index e37b34c518..e60bd18ecb 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_comm_testlog_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_comm_testlog_bro.btest @@ -18,6 +18,6 @@ export { event bro_init() &priority=5 { - Comm::enable(); + BrokerComm::enable(); Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); } From 9e53722b574db4738b82e0d29873c31d60227dca Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 5 Mar 2015 17:02:25 -0600 Subject: [PATCH 160/711] Rename comm/ directories to broker/ --- doc/frameworks/{comm.rst => broker.rst} | 24 +++++++++---------- .../{comm => broker}/connecting-connector.bro | 0 .../{comm => broker}/connecting-listener.bro | 0 .../{comm => broker}/events-connector.bro | 0 .../{comm => broker}/events-listener.bro | 0 .../{comm => broker}/logs-connector.bro | 0 .../{comm => broker}/logs-listener.bro | 0 .../{comm => broker}/printing-connector.bro | 0 .../{comm => broker}/printing-listener.bro | 0 .../{comm => broker}/stores-connector.bro | 0 .../{comm => broker}/stores-listener.bro | 0 doc/frameworks/{comm => broker}/testlog.bro | 0 doc/frameworks/index.rst | 2 +- .../frameworks/{comm => broker}/__load__.bro | 0 .../base/frameworks/{comm => broker}/main.bro | 0 scripts/base/init-bare.bro | 2 +- src/CMakeLists.txt | 4 ++-- src/EventHandler.cc | 4 ++-- src/Net.cc | 2 +- src/Stats.cc | 2 +- .../CMakeLists.txt | 4 ++-- src/{comm-dummy => broker-dummy}/comm.bif | 0 src/{comm-dummy => broker-dummy}/data.bif | 0 .../messaging.bif | 0 src/{comm-dummy => broker-dummy}/store.bif | 0 src/{comm => broker}/CMakeLists.txt | 4 ++-- src/{comm => broker}/Data.cc | 2 +- src/{comm => broker}/Data.h | 0 src/{comm => broker}/Manager.cc | 8 +++---- src/{comm => broker}/Manager.h | 2 +- src/{comm => broker}/Store.cc | 2 +- src/{comm => broker}/Store.h | 4 ++-- src/{comm => broker}/comm.bif | 2 +- src/{comm => broker}/data.bif | 2 +- src/{comm => broker}/messaging.bif | 2 +- src/{comm => broker}/store.bif | 6 ++--- src/logging/Manager.cc | 2 +- src/main.cc | 2 +- .../clone.clone.out | 0 .../master.master.out | 0 .../recv.recv.out | 0 .../send.send.out | 0 .../Baseline/{comm.data => broker.data}/out | 0 .../master.out | 0 .../recv.recv.out | 0 .../send.send.out | 0 .../recv.recv.out | 0 .../recv.test.log | 0 .../send.send.out | 0 .../send.test.log | 0 .../recv.recv.out | 0 .../send.send.out | 0 .../canonified_loaded_scripts.log | 4 ++-- 
.../canonified_loaded_scripts.log | 4 ++-- .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 .../output | 0 testing/btest/Baseline/plugins.hooks/output | 22 ++++++++--------- .../btest/{comm => broker}/clone_store.bro | 0 .../{comm => broker}/connection_updates.bro | 0 testing/btest/{comm => broker}/data.bro | 0 .../btest/{comm => broker}/master_store.bro | 0 .../btest/{comm => broker}/remote_event.test | 0 .../btest/{comm => broker}/remote_log.test | 0 .../btest/{comm => broker}/remote_print.test | 0 testing/btest/btest.cfg | 2 +- ...rks_broker_connecting-connector_bro.btest} | 0 ...orks_broker_connecting-listener_bro.btest} | 0 ...meworks_broker_events-connector_bro.btest} | 0 ...ameworks_broker_events-listener_bro.btest} | 0 ...rameworks_broker_logs-connector_bro.btest} | 0 ...frameworks_broker_logs-listener_bro.btest} | 0 ...works_broker_printing-connector_bro.btest} | 0 ...eworks_broker_printing-listener_bro.btest} | 0 ...meworks_broker_stores-connector_bro.btest} | 0 ...ameworks_broker_stores-listener_bro.btest} | 0 ...e-doc_frameworks_broker_testlog_bro.btest} | 0 85 files changed, 57 insertions(+), 57 deletions(-) rename doc/frameworks/{comm.rst => broker.rst} (90%) rename doc/frameworks/{comm => broker}/connecting-connector.bro (100%) rename doc/frameworks/{comm => broker}/connecting-listener.bro (100%) rename doc/frameworks/{comm => broker}/events-connector.bro (100%) rename doc/frameworks/{comm => broker}/events-listener.bro (100%) rename doc/frameworks/{comm => broker}/logs-connector.bro (100%) rename doc/frameworks/{comm => broker}/logs-listener.bro (100%) rename doc/frameworks/{comm => broker}/printing-connector.bro (100%) rename doc/frameworks/{comm => broker}/printing-listener.bro (100%) rename doc/frameworks/{comm => broker}/stores-connector.bro (100%) rename doc/frameworks/{comm => broker}/stores-listener.bro (100%) rename doc/frameworks/{comm => 
broker}/testlog.bro (100%) rename scripts/base/frameworks/{comm => broker}/__load__.bro (100%) rename scripts/base/frameworks/{comm => broker}/main.bro (100%) rename src/{comm-dummy => broker-dummy}/CMakeLists.txt (73%) rename src/{comm-dummy => broker-dummy}/comm.bif (100%) rename src/{comm-dummy => broker-dummy}/data.bif (100%) rename src/{comm-dummy => broker-dummy}/messaging.bif (100%) rename src/{comm-dummy => broker-dummy}/store.bif (100%) rename src/{comm => broker}/CMakeLists.txt (82%) rename src/{comm => broker}/Data.cc (99%) rename src/{comm => broker}/Data.h (100%) rename src/{comm => broker}/Manager.cc (99%) rename src/{comm => broker}/Manager.h (99%) rename src/{comm => broker}/Store.cc (99%) rename src/{comm => broker}/Store.h (98%) rename src/{comm => broker}/comm.bif (99%) rename src/{comm => broker}/data.bif (99%) rename src/{comm => broker}/messaging.bif (99%) rename src/{comm => broker}/store.bif (99%) rename testing/btest/Baseline/{comm.clone_store => broker.clone_store}/clone.clone.out (100%) rename testing/btest/Baseline/{comm.clone_store => broker.clone_store}/master.master.out (100%) rename testing/btest/Baseline/{comm.connection_updates => broker.connection_updates}/recv.recv.out (100%) rename testing/btest/Baseline/{comm.connection_updates => broker.connection_updates}/send.send.out (100%) rename testing/btest/Baseline/{comm.data => broker.data}/out (100%) rename testing/btest/Baseline/{comm.master_store => broker.master_store}/master.out (100%) rename testing/btest/Baseline/{comm.remote_event => broker.remote_event}/recv.recv.out (100%) rename testing/btest/Baseline/{comm.remote_event => broker.remote_event}/send.send.out (100%) rename testing/btest/Baseline/{comm.remote_log => broker.remote_log}/recv.recv.out (100%) rename testing/btest/Baseline/{comm.remote_log => broker.remote_log}/recv.test.log (100%) rename testing/btest/Baseline/{comm.remote_log => broker.remote_log}/send.send.out (100%) rename 
testing/btest/Baseline/{comm.remote_log => broker.remote_log}/send.test.log (100%) rename testing/btest/Baseline/{comm.remote_print => broker.remote_print}/recv.recv.out (100%) rename testing/btest/Baseline/{comm.remote_print => broker.remote_print}/send.send.out (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_connecting-connector_bro => doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro}/output (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_connecting-listener_bro => doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro}/output (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_events-connector_bro => doc.sphinx.include-doc_frameworks_broker_events-connector_bro}/output (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_events-listener_bro => doc.sphinx.include-doc_frameworks_broker_events-listener_bro}/output (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_logs-connector_bro => doc.sphinx.include-doc_frameworks_broker_logs-connector_bro}/output (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_logs-listener_bro => doc.sphinx.include-doc_frameworks_broker_logs-listener_bro}/output (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_printing-connector_bro => doc.sphinx.include-doc_frameworks_broker_printing-connector_bro}/output (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_printing-listener_bro => doc.sphinx.include-doc_frameworks_broker_printing-listener_bro}/output (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_stores-connector_bro => doc.sphinx.include-doc_frameworks_broker_stores-connector_bro}/output (100%) rename testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_stores-listener_bro => doc.sphinx.include-doc_frameworks_broker_stores-listener_bro}/output (100%) rename 
testing/btest/Baseline/{doc.sphinx.include-doc_frameworks_comm_testlog_bro => doc.sphinx.include-doc_frameworks_broker_testlog_bro}/output (100%) rename testing/btest/{comm => broker}/clone_store.bro (100%) rename testing/btest/{comm => broker}/connection_updates.bro (100%) rename testing/btest/{comm => broker}/data.bro (100%) rename testing/btest/{comm => broker}/master_store.bro (100%) rename testing/btest/{comm => broker}/remote_event.test (100%) rename testing/btest/{comm => broker}/remote_log.test (100%) rename testing/btest/{comm => broker}/remote_print.test (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_connecting-connector_bro.btest => include-doc_frameworks_broker_connecting-connector_bro.btest} (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_connecting-listener_bro.btest => include-doc_frameworks_broker_connecting-listener_bro.btest} (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_events-connector_bro.btest => include-doc_frameworks_broker_events-connector_bro.btest} (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_events-listener_bro.btest => include-doc_frameworks_broker_events-listener_bro.btest} (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_logs-connector_bro.btest => include-doc_frameworks_broker_logs-connector_bro.btest} (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_logs-listener_bro.btest => include-doc_frameworks_broker_logs-listener_bro.btest} (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_printing-connector_bro.btest => include-doc_frameworks_broker_printing-connector_bro.btest} (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_printing-listener_bro.btest => include-doc_frameworks_broker_printing-listener_bro.btest} (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_stores-connector_bro.btest => include-doc_frameworks_broker_stores-connector_bro.btest} (100%) rename 
testing/btest/doc/sphinx/{include-doc_frameworks_comm_stores-listener_bro.btest => include-doc_frameworks_broker_stores-listener_bro.btest} (100%) rename testing/btest/doc/sphinx/{include-doc_frameworks_comm_testlog_bro.btest => include-doc_frameworks_broker_testlog_bro.btest} (100%) diff --git a/doc/frameworks/comm.rst b/doc/frameworks/broker.rst similarity index 90% rename from doc/frameworks/comm.rst rename to doc/frameworks/broker.rst index 0c0dd80845..26006089d1 100644 --- a/doc/frameworks/comm.rst +++ b/doc/frameworks/broker.rst @@ -1,5 +1,5 @@ -.. _comm-framework: +.. _brokercomm-framework: ====================================== Broker-Enabled Communication Framework @@ -27,7 +27,7 @@ and then monitor connection status updates via :bro:see:`BrokerComm::incoming_connection_established` and :bro:see:`BrokerComm::incoming_connection_broken`. -.. btest-include:: ${DOC_ROOT}/frameworks/comm/connecting-listener.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-listener.bro Bro can initiate outgoing connections by calling :bro:see:`BrokerComm::connect` and then monitor connection status updates via @@ -35,7 +35,7 @@ and then monitor connection status updates via :bro:see:`BrokerComm::outgoing_connection_broken`, and :bro:see:`BrokerComm::outgoing_connection_incompatible`. -.. btest-include:: ${DOC_ROOT}/frameworks/comm/connecting-connector.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-connector.bro Remote Printing =============== 
@@ -46,11 +46,11 @@ prefix of interest and then create an event handler for :bro:see:`BrokerComm::print_handler` to handle any print messages that are received. -.. btest-include:: ${DOC_ROOT}/frameworks/comm/printing-listener.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/printing-listener.bro To send remote print messages, just call :bro:see:`BrokerComm::print`. -.. btest-include:: ${DOC_ROOT}/frameworks/comm/printing-connector.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/printing-connector.bro Notice that the subscriber only used the prefix "bro/print/", but is able to receive messages with full topics of "bro/print/hi", @@ -75,7 +75,7 @@ Receiving remote events is similar to remote prints. Just use :bro:see:`BrokerComm::subscribe_to_events` and possibly define any new events along with handlers that peers may want to send. -.. btest-include:: ${DOC_ROOT}/frameworks/comm/events-listener.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/events-listener.bro To send events, there are two choices. The first is to use call :bro:see:`BrokerComm::event` directly. The second option is to use @@ -83,7 +83,7 @@ To send events, there are two choices. The first is to use call automatically sent to peers whenever it is called locally via the normal event invocation syntax. -.. btest-include:: ${DOC_ROOT}/frameworks/comm/events-connector.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/events-connector.bro Again, the subscription model is prefix-based. 
@@ -105,20 +105,20 @@ parameter of the message. Remote Logging ============== -.. btest-include:: ${DOC_ROOT}/frameworks/comm/testlog.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/testlog.bro Use :bro:see:`BrokerComm::subscribe_to_logs` to advertise interest in logs written by peers. The topic names that Bro uses are implicitly of the form "bro/log/". -.. btest-include:: ${DOC_ROOT}/frameworks/comm/logs-listener.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-listener.bro To send remote logs either use :bro:see:`Log::enable_remote_logging` or :bro:see:`BrokerComm::enable_remote_logs`. The former allows any log stream to be sent to peers while the later toggles remote logging for particular streams. -.. btest-include:: ${DOC_ROOT}/frameworks/comm/logs-connector.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-connector.bro Message Format -------------- @@ -189,9 +189,9 @@ Data stores also support expiration on a per-key basis either using an absolute point in time or a relative amount of time since the entry's last modification time. -.. btest-include:: ${DOC_ROOT}/frameworks/comm/stores-listener.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/stores-listener.bro -.. btest-include:: ${DOC_ROOT}/frameworks/comm/stores-connector.bro +.. btest-include:: ${DOC_ROOT}/frameworks/broker/stores-connector.bro In the above example, if a local copy of the store contents isn't needed, just replace the :bro:see:`BrokerStore::create_clone` call with diff --git a/doc/frameworks/comm/connecting-connector.bro b/doc/frameworks/broker/connecting-connector.bro similarity index 100% rename from doc/frameworks/comm/connecting-connector.bro rename to doc/frameworks/broker/connecting-connector.bro diff --git a/doc/frameworks/comm/connecting-listener.bro b/doc/frameworks/broker/connecting-listener.bro similarity index 100% rename from doc/frameworks/comm/connecting-listener.bro rename to doc/frameworks/broker/connecting-listener.bro 
diff --git a/doc/frameworks/comm/events-connector.bro b/doc/frameworks/broker/events-connector.bro
similarity index 100%
rename from doc/frameworks/comm/events-connector.bro
rename to doc/frameworks/broker/events-connector.bro
diff --git a/doc/frameworks/comm/events-listener.bro b/doc/frameworks/broker/events-listener.bro
similarity index 100%
rename from doc/frameworks/comm/events-listener.bro
rename to doc/frameworks/broker/events-listener.bro
diff --git a/doc/frameworks/comm/logs-connector.bro b/doc/frameworks/broker/logs-connector.bro
similarity index 100%
rename from doc/frameworks/comm/logs-connector.bro
rename to doc/frameworks/broker/logs-connector.bro
diff --git a/doc/frameworks/comm/logs-listener.bro b/doc/frameworks/broker/logs-listener.bro
similarity index 100%
rename from doc/frameworks/comm/logs-listener.bro
rename to doc/frameworks/broker/logs-listener.bro
diff --git a/doc/frameworks/comm/printing-connector.bro b/doc/frameworks/broker/printing-connector.bro
similarity index 100%
rename from doc/frameworks/comm/printing-connector.bro
rename to doc/frameworks/broker/printing-connector.bro
diff --git a/doc/frameworks/comm/printing-listener.bro b/doc/frameworks/broker/printing-listener.bro
similarity index 100%
rename from doc/frameworks/comm/printing-listener.bro
rename to doc/frameworks/broker/printing-listener.bro
diff --git a/doc/frameworks/comm/stores-connector.bro b/doc/frameworks/broker/stores-connector.bro
similarity index 100%
rename from doc/frameworks/comm/stores-connector.bro
rename to doc/frameworks/broker/stores-connector.bro
diff --git a/doc/frameworks/comm/stores-listener.bro b/doc/frameworks/broker/stores-listener.bro
similarity index 100%
rename from doc/frameworks/comm/stores-listener.bro
rename to doc/frameworks/broker/stores-listener.bro
diff --git a/doc/frameworks/comm/testlog.bro b/doc/frameworks/broker/testlog.bro
similarity index 100%
rename from doc/frameworks/comm/testlog.bro
rename to doc/frameworks/broker/testlog.bro
diff --git a/doc/frameworks/index.rst b/doc/frameworks/index.rst
index 9819b803f0..028f95af21 100644
--- a/doc/frameworks/index.rst
+++ b/doc/frameworks/index.rst
@@ -14,4 +14,4 @@ Frameworks
 notice
 signatures
 sumstats
- comm
+ broker
diff --git a/scripts/base/frameworks/comm/__load__.bro b/scripts/base/frameworks/broker/__load__.bro
similarity index 100%
rename from scripts/base/frameworks/comm/__load__.bro
rename to scripts/base/frameworks/broker/__load__.bro
diff --git a/scripts/base/frameworks/comm/main.bro b/scripts/base/frameworks/broker/main.bro
similarity index 100%
rename from scripts/base/frameworks/comm/main.bro
rename to scripts/base/frameworks/broker/main.bro
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 5dc3345b09..c62549f8b3 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -3360,7 +3360,7 @@ const bits_per_uid: count = 96 &redef;
 # Load these frameworks here because they use fairly deep integration with
 # BiFs and script-land defined types.
-@load base/frameworks/comm
+@load base/frameworks/broker
 @load base/frameworks/logging
 @load base/frameworks/input
 @load base/frameworks/analyzer
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 974c23c3a3..e73324c4d1 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -162,11 +162,11 @@ add_subdirectory(logging)
 add_subdirectory(probabilistic)
 if ( ENABLE_BROKER )
- add_subdirectory(comm)
+ add_subdirectory(broker)
 else ()
 # Just to satisfy coverage unit tests until new Broker-based
 # communication is enabled by default.
- add_subdirectory(comm-dummy)
+ add_subdirectory(broker-dummy)
 endif ()
 set(bro_SUBDIRS
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
index 2874c56c03..3f1fd71ddf 100644
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@@ -6,8 +6,8 @@
 #include "NetVar.h"
 #ifdef ENABLE_BROKER
-#include "comm/Manager.h"
-#include "comm/Data.h"
+#include "broker/Manager.h"
+#include "broker/Data.h"
 #endif
 EventHandler::EventHandler(const char* arg_name)
diff --git a/src/Net.cc b/src/Net.cc
index 820ccd2f76..af542cb1a6 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -35,7 +35,7 @@
 #include "plugin/Manager.h"
 #ifdef ENABLE_BROKER
-#include "comm/Manager.h"
+#include "broker/Manager.h"
 #endif
 extern "C" {
diff --git a/src/Stats.cc b/src/Stats.cc
index 437fb6de4b..00f603cba7 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -11,7 +11,7 @@
 #include "threading/Manager.h"
 #ifdef ENABLE_BROKER
-#include "comm/Manager.h"
+#include "broker/Manager.h"
 #endif
 int killed_by_inactivity = 0;
diff --git a/src/comm-dummy/CMakeLists.txt b/src/broker-dummy/CMakeLists.txt
similarity index 73%
rename from src/comm-dummy/CMakeLists.txt
rename to src/broker-dummy/CMakeLists.txt
index cddea1342d..08c5f3214c 100644
--- a/src/comm-dummy/CMakeLists.txt
+++ b/src/broker-dummy/CMakeLists.txt
@@ -9,5 +9,5 @@ bif_target(data.bif)
 bif_target(messaging.bif)
 bif_target(store.bif)
-bro_add_subdir_library(comm_dummy ${BIF_OUTPUT_CC})
-add_dependencies(bro_comm_dummy generate_outputs)
+bro_add_subdir_library(broker_dummy ${BIF_OUTPUT_CC})
+add_dependencies(bro_broker_dummy generate_outputs)
diff --git a/src/comm-dummy/comm.bif b/src/broker-dummy/comm.bif
similarity index 100%
rename from src/comm-dummy/comm.bif
rename to src/broker-dummy/comm.bif
diff --git a/src/comm-dummy/data.bif b/src/broker-dummy/data.bif
similarity index 100%
rename from src/comm-dummy/data.bif
rename to src/broker-dummy/data.bif
diff --git a/src/comm-dummy/messaging.bif b/src/broker-dummy/messaging.bif
similarity index 100%
rename from src/comm-dummy/messaging.bif
rename to src/broker-dummy/messaging.bif
diff --git a/src/comm-dummy/store.bif b/src/broker-dummy/store.bif
similarity index 100%
rename from src/comm-dummy/store.bif
rename to src/broker-dummy/store.bif
diff --git a/src/comm/CMakeLists.txt b/src/broker/CMakeLists.txt
similarity index 82%
rename from src/comm/CMakeLists.txt
rename to src/broker/CMakeLists.txt
index ef41c605c7..7329bfd46e 100644
--- a/src/comm/CMakeLists.txt
+++ b/src/broker/CMakeLists.txt
@@ -24,5 +24,5 @@ bif_target(data.bif)
 bif_target(messaging.bif)
 bif_target(store.bif)
-bro_add_subdir_library(comm ${comm_SRCS} ${BIF_OUTPUT_CC})
-add_dependencies(bro_comm generate_outputs)
+bro_add_subdir_library(brokercomm ${comm_SRCS} ${BIF_OUTPUT_CC})
+add_dependencies(bro_brokercomm generate_outputs)
diff --git a/src/comm/Data.cc b/src/broker/Data.cc
similarity index 99%
rename from src/comm/Data.cc
rename to src/broker/Data.cc
index 96377284d1..45f5415b8a 100644
--- a/src/comm/Data.cc
+++ b/src/broker/Data.cc
@@ -1,5 +1,5 @@
 #include "Data.h"
-#include "comm/data.bif.h"
+#include "broker/data.bif.h"
 #include
 #include
diff --git a/src/comm/Data.h b/src/broker/Data.h
similarity index 100%
rename from src/comm/Data.h
rename to src/broker/Data.h
diff --git a/src/comm/Manager.cc b/src/broker/Manager.cc
similarity index 99%
rename from src/comm/Manager.cc
rename to src/broker/Manager.cc
index 3eceba0096..31599ea1fc 100644
--- a/src/comm/Manager.cc
+++ b/src/broker/Manager.cc
@@ -8,10 +8,10 @@
 #include "util.h"
 #include "Var.h"
 #include "Reporter.h"
-#include "comm/comm.bif.h"
-#include "comm/data.bif.h"
-#include "comm/messaging.bif.h"
-#include "comm/store.bif.h"
+#include "broker/comm.bif.h"
+#include "broker/data.bif.h"
+#include "broker/messaging.bif.h"
+#include "broker/store.bif.h"
 #include "logging/Manager.h"
 #include "DebugLogger.h"
 #include "iosource/Manager.h"
diff --git a/src/comm/Manager.h b/src/broker/Manager.h
similarity index 99%
rename from src/comm/Manager.h
rename to src/broker/Manager.h
index 5ba85210db..63fbba074a 100644
--- a/src/comm/Manager.h
+++ b/src/broker/Manager.h
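Review bot: The library target becomes brokercomm but the source list it links keeps the old name in `bro_add_subdir_library(brokercomm ${comm_SRCS} ${BIF_OUTPUT_CC})`; the `set(comm_SRCS ...)` that presumably defines it is outside this hunk, so renaming it to `broker_SRCS` in both places would finish the directory rename. The same leftover appears in the src/broker/Store.h hunk further down, whose include guard is still `BRO_COMM_STORE_H` after the move into broker/, where `BRO_BROKER_STORE_H` would match the new path. Neither changes behaviour, since the variable and the guard only need to be consistent within the build, but comm-named identifiers left behind are what the next reader will grep for and not find.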
@@ -7,7 +7,7 @@
 #include
 #include
 #include
-#include "comm/Store.h"
+#include "broker/Store.h"
 #include "Reporter.h"
 #include "iosource/IOSource.h"
 #include "Val.h"
diff --git a/src/comm/Store.cc b/src/broker/Store.cc
similarity index 99%
rename from src/comm/Store.cc
rename to src/broker/Store.cc
index fd24ac7b90..f9effa6d9e 100644
--- a/src/comm/Store.cc
+++ b/src/broker/Store.cc
@@ -1,5 +1,5 @@
 #include "Store.h"
-#include "comm/Manager.h"
+#include "broker/Manager.h"
 #include
 #include
diff --git a/src/comm/Store.h b/src/broker/Store.h
similarity index 98%
rename from src/comm/Store.h
rename to src/broker/Store.h
index e132bf310d..5823e0c3f8 100644
--- a/src/comm/Store.h
+++ b/src/broker/Store.h
@@ -1,8 +1,8 @@
 #ifndef BRO_COMM_STORE_H
 #define BRO_COMM_STORE_H
-#include "comm/store.bif.h"
-#include "comm/data.bif.h"
+#include "broker/store.bif.h"
+#include "broker/data.bif.h"
 #include "Reporter.h"
 #include "Type.h"
 #include "Val.h"
diff --git a/src/comm/comm.bif b/src/broker/comm.bif
similarity index 99%
rename from src/comm/comm.bif
rename to src/broker/comm.bif
index 2c930ba8a9..721f7c259e 100644
--- a/src/comm/comm.bif
+++ b/src/broker/comm.bif
@@ -2,7 +2,7 @@
 ##! General functions regarding Bro's broker communication mechanisms.
 %%{
-#include "comm/Manager.h"
+#include "broker/Manager.h"
 %%}
 module BrokerComm;
diff --git a/src/comm/data.bif b/src/broker/data.bif
similarity index 99%
rename from src/comm/data.bif
rename to src/broker/data.bif
index 7b2c52cb8c..e34e633e3e 100644
--- a/src/comm/data.bif
+++ b/src/broker/data.bif
@@ -2,7 +2,7 @@
 ##! Functions for inspecting and manipulating broker data.
 %%{
-#include "comm/Data.h"
+#include "broker/Data.h"
 %%}
 module BrokerComm;
diff --git a/src/comm/messaging.bif b/src/broker/messaging.bif
similarity index 99%
rename from src/comm/messaging.bif
rename to src/broker/messaging.bif
index c1d3bfe774..a5e661af02 100644
--- a/src/comm/messaging.bif
+++ b/src/broker/messaging.bif
@@ -2,7 +2,7 @@ ##! Functions for peering and various messaging patterns (e.g. print/log/event). %%{ -#include "comm/Manager.h" +#include "broker/Manager.h" #include "logging/Manager.h" %%} diff --git a/src/comm/store.bif b/src/broker/store.bif similarity index 99% rename from src/comm/store.bif rename to src/broker/store.bif index 4f6c0570f7..6419034b60 100644 --- a/src/comm/store.bif +++ b/src/broker/store.bif @@ -2,9 +2,9 @@ ##! Functions to interface with broker's distributed data store. %%{ -#include "comm/Manager.h" -#include "comm/Store.h" -#include "comm/Data.h" +#include "broker/Manager.h" +#include "broker/Store.h" +#include "broker/Data.h" #include "Trigger.h" %%} diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 63d21a4655..9db43518ed 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -17,7 +17,7 @@ #include "logging.bif.h" #ifdef ENABLE_BROKER -#include "comm/Manager.h" +#include "broker/Manager.h" #endif using namespace logging; diff --git a/src/main.cc b/src/main.cc index d186e67e4b..fb48bdc14a 100644 --- a/src/main.cc +++ b/src/main.cc @@ -64,7 +64,7 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "3rdparty/sqlite3.h" #ifdef ENABLE_BROKER -#include +#include "broker/Manager.h" #endif Brofiler brofiler; diff --git a/testing/btest/Baseline/comm.clone_store/clone.clone.out b/testing/btest/Baseline/broker.clone_store/clone.clone.out similarity index 100% rename from testing/btest/Baseline/comm.clone_store/clone.clone.out rename to testing/btest/Baseline/broker.clone_store/clone.clone.out diff --git a/testing/btest/Baseline/comm.clone_store/master.master.out b/testing/btest/Baseline/broker.clone_store/master.master.out similarity index 100% rename from testing/btest/Baseline/comm.clone_store/master.master.out rename to testing/btest/Baseline/broker.clone_store/master.master.out 
diff --git a/testing/btest/Baseline/comm.connection_updates/recv.recv.out b/testing/btest/Baseline/broker.connection_updates/recv.recv.out similarity index 100% rename from testing/btest/Baseline/comm.connection_updates/recv.recv.out rename to testing/btest/Baseline/broker.connection_updates/recv.recv.out diff --git a/testing/btest/Baseline/comm.connection_updates/send.send.out b/testing/btest/Baseline/broker.connection_updates/send.send.out similarity index 100% rename from testing/btest/Baseline/comm.connection_updates/send.send.out rename to testing/btest/Baseline/broker.connection_updates/send.send.out diff --git a/testing/btest/Baseline/comm.data/out b/testing/btest/Baseline/broker.data/out similarity index 100% rename from testing/btest/Baseline/comm.data/out rename to testing/btest/Baseline/broker.data/out diff --git a/testing/btest/Baseline/comm.master_store/master.out b/testing/btest/Baseline/broker.master_store/master.out similarity index 100% rename from testing/btest/Baseline/comm.master_store/master.out rename to testing/btest/Baseline/broker.master_store/master.out diff --git a/testing/btest/Baseline/comm.remote_event/recv.recv.out b/testing/btest/Baseline/broker.remote_event/recv.recv.out similarity index 100% rename from testing/btest/Baseline/comm.remote_event/recv.recv.out rename to testing/btest/Baseline/broker.remote_event/recv.recv.out diff --git a/testing/btest/Baseline/comm.remote_event/send.send.out b/testing/btest/Baseline/broker.remote_event/send.send.out similarity index 100% rename from testing/btest/Baseline/comm.remote_event/send.send.out rename to testing/btest/Baseline/broker.remote_event/send.send.out diff --git a/testing/btest/Baseline/comm.remote_log/recv.recv.out b/testing/btest/Baseline/broker.remote_log/recv.recv.out similarity index 100% rename from testing/btest/Baseline/comm.remote_log/recv.recv.out rename to testing/btest/Baseline/broker.remote_log/recv.recv.out 
diff --git a/testing/btest/Baseline/comm.remote_log/recv.test.log b/testing/btest/Baseline/broker.remote_log/recv.test.log similarity index 100% rename from testing/btest/Baseline/comm.remote_log/recv.test.log rename to testing/btest/Baseline/broker.remote_log/recv.test.log diff --git a/testing/btest/Baseline/comm.remote_log/send.send.out b/testing/btest/Baseline/broker.remote_log/send.send.out similarity index 100% rename from testing/btest/Baseline/comm.remote_log/send.send.out rename to testing/btest/Baseline/broker.remote_log/send.send.out diff --git a/testing/btest/Baseline/comm.remote_log/send.test.log b/testing/btest/Baseline/broker.remote_log/send.test.log similarity index 100% rename from testing/btest/Baseline/comm.remote_log/send.test.log rename to testing/btest/Baseline/broker.remote_log/send.test.log diff --git a/testing/btest/Baseline/comm.remote_print/recv.recv.out b/testing/btest/Baseline/broker.remote_print/recv.recv.out similarity index 100% rename from testing/btest/Baseline/comm.remote_print/recv.recv.out rename to testing/btest/Baseline/broker.remote_print/recv.recv.out diff --git a/testing/btest/Baseline/comm.remote_print/send.send.out b/testing/btest/Baseline/broker.remote_print/send.send.out similarity index 100% rename from testing/btest/Baseline/comm.remote_print/send.send.out rename to testing/btest/Baseline/broker.remote_print/send.send.out diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 7b144198ee..297cd80996 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
@@ -14,8 +14,8 @@ scripts/base/init-bare.bro build/scripts/base/bif/reporter.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/event.bif.bro - scripts/base/frameworks/comm/__load__.bro - scripts/base/frameworks/comm/main.bro + scripts/base/frameworks/broker/__load__.bro + scripts/base/frameworks/broker/main.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index b102ad26a5..e48f67c348 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -14,8 +14,8 @@ scripts/base/init-bare.bro build/scripts/base/bif/reporter.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/event.bif.bro - scripts/base/frameworks/comm/__load__.bro - scripts/base/frameworks/comm/main.bro + scripts/base/frameworks/broker/__load__.bro + scripts/base/frameworks/broker/main.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-connector_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output 
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_connecting-listener_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-connector_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_events-listener_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-connector_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output 
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_logs-listener_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-connector_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_printing-listener_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-connector_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output 
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_stores-listener_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_testlog_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output similarity index 100% rename from testing/btest/Baseline/doc.sphinx.include-doc_frameworks_comm_testlog_bro/output rename to testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 7c2f35b641..6956f013bc 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -192,7 +192,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1425348860.085231, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -286,8 +286,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1425348860.085231, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1425348860.085231, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> @@ -478,8 +478,8 @@ 0.000000 MetaHookPost LoadFile(base<...>/analyzer) -> -1 0.000000 MetaHookPost LoadFile(base<...>/analyzer.bif) -> -1 0.000000 MetaHookPost LoadFile(base<...>/bro.bif) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/broker) -> -1 0.000000 MetaHookPost LoadFile(base<...>/cluster) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/comm) -> -1 0.000000 MetaHookPost LoadFile(base<...>/communication) -> -1 0.000000 MetaHookPost LoadFile(base<...>/conn) -> -1 0.000000 MetaHookPost LoadFile(base<...>/conn-ids) -> -1 
@@ -737,7 +737,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1425348860.085231, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -831,8 +831,8 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1425348860.085231, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1425348860.085231, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) 
@@ -1023,8 +1023,8 @@ 0.000000 MetaHookPre LoadFile(base<...>/analyzer) 0.000000 MetaHookPre LoadFile(base<...>/analyzer.bif) 0.000000 MetaHookPre LoadFile(base<...>/bro.bif) +0.000000 MetaHookPre LoadFile(base<...>/broker) 0.000000 MetaHookPre LoadFile(base<...>/cluster) -0.000000 MetaHookPre LoadFile(base<...>/comm) 0.000000 MetaHookPre LoadFile(base<...>/communication) 0.000000 MetaHookPre LoadFile(base<...>/conn) 0.000000 MetaHookPre LoadFile(base<...>/conn-ids) @@ -1281,7 +1281,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1425348860.085231, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1375,8 +1375,8 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1425348860.085231, node=bro, filter=ip or not ip, init=T, success=T]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1425348860.085231, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) diff --git a/testing/btest/comm/clone_store.bro b/testing/btest/broker/clone_store.bro similarity index 100% rename from testing/btest/comm/clone_store.bro rename to testing/btest/broker/clone_store.bro diff --git a/testing/btest/comm/connection_updates.bro b/testing/btest/broker/connection_updates.bro similarity index 100% rename from testing/btest/comm/connection_updates.bro rename to testing/btest/broker/connection_updates.bro diff --git a/testing/btest/comm/data.bro b/testing/btest/broker/data.bro similarity index 100% rename from testing/btest/comm/data.bro rename to testing/btest/broker/data.bro diff --git a/testing/btest/comm/master_store.bro b/testing/btest/broker/master_store.bro similarity index 100% rename from testing/btest/comm/master_store.bro rename to testing/btest/broker/master_store.bro 
diff --git a/testing/btest/comm/remote_event.test b/testing/btest/broker/remote_event.test similarity index 100% rename from testing/btest/comm/remote_event.test rename to testing/btest/broker/remote_event.test diff --git a/testing/btest/comm/remote_log.test b/testing/btest/broker/remote_log.test similarity index 100% rename from testing/btest/comm/remote_log.test rename to testing/btest/broker/remote_log.test diff --git a/testing/btest/comm/remote_print.test b/testing/btest/broker/remote_print.test similarity index 100% rename from testing/btest/comm/remote_print.test rename to testing/btest/broker/remote_print.test diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 3c91872f5a..0fa862a2dc 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -1,5 +1,5 @@ [btest] -TestDirs = doc bifs language core scripts istate coverage signatures plugins comm +TestDirs = doc bifs language core scripts istate coverage signatures plugins broker TmpDir = %(testbase)s/.tmp BaselineDir = %(testbase)s/Baseline IgnoreDirs = .svn CVS .tmp diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-connector_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_connecting-listener_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_events-connector_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_events-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_events-listener_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-connector_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_logs-listener_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-connector_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_printing-listener_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-connector_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_stores-listener_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_comm_testlog_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest similarity index 100% rename from testing/btest/doc/sphinx/include-doc_frameworks_comm_testlog_bro.btest rename to testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest From 2f626fa602f624e8a1496c489c1108173b7b3724 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 6 Mar 2015 11:07:58 -0600 Subject: [PATCH 161/711] Fix build warnings, clarify broker requirements, update submodule. --- aux/broker | 2 +- doc/frameworks/broker.rst | 4 ++-- src/broker/Data.cc | 2 +- src/broker/Manager.cc | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/aux/broker b/aux/broker index 98da283ba2..694af9d9ed 160000 --- a/aux/broker +++ b/aux/broker 
@@ -1 +1 @@ -Subproject commit 98da283ba2bc4dc20e67830395299defc21724db +Subproject commit 694af9d9edd188a461cc762bfdb7b61688b93ada diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst index 26006089d1..3cd8dab6e3 100644 --- a/doc/frameworks/broker.rst +++ b/doc/frameworks/broker.rst @@ -11,8 +11,8 @@ Broker-Enabled Communication Framework <../components/broker/README.html>`_ to exchange information with other Bro processes. To enable it run Bro's ``configure`` script with the ``--enable-broker`` option. Note that a C++11 compatible - compiler is required as well as the `C++ Actor Framework - `_. + compiler (e.g. GCC 4.8+ or Clang 3.3+) is required as well as the + `C++ Actor Framework `_. .. contents:: diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 45f5415b8a..8f66427bb5 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -319,7 +319,7 @@ struct val_converter { auto rt = type->AsRecordType(); auto rval = new RecordVal(rt); - for ( auto i = 0; i < rt->NumFields(); ++i ) + for ( auto i = 0u; i < static_cast(rt->NumFields()); ++i ) { if ( require_log_attr && ! rt->FieldDecl(i)->FindAttr(ATTR_LOG) ) continue; diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 31599ea1fc..eadadea137 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -210,7 +210,7 @@ bool bro_broker::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* i broker::record column_data; - for ( auto i = 0u; i < info->NumFields(); ++i ) + for ( auto i = 0u; i < static_cast(info->NumFields()); ++i ) { if ( ! info->FieldDecl(i)->FindAttr(ATTR_LOG) ) continue; From b9fa21156e97c3cb722ed5d04c89cfe994d87336 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 6 Mar 2015 14:55:39 -0800 Subject: [PATCH 162/711] Updating submodule(s). [nomail] --- aux/broctl | 2 +- aux/broker | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/broctl b/aux/broctl index f7b9ef4d24..762d272229 160000 --- a/aux/broctl +++ b/aux/broctl 
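Review bot: The template argument of the `static_cast` around `rt->NumFields()` is missing in this rendering, so the page does not show which unsigned type the loop bound is converted to; in either case the cast relocates the signedness mismatch from the comparison into the conversion rather than removing it. If `NumFields()` returns a signed `int` (the hunk does not show its declaration), the plain form `for ( int i = 0; i < rt->NumFields(); ++i )` needs no cast and cannot turn a negative count into a huge unsigned bound. The same applies to the Manager.cc hunk in this commit (`info->NumFields()`); both enclosing functions begin and end outside the hunks.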
@@ -1 +1 @@ -Subproject commit f7b9ef4d245114180c5932f362310632b8cf5174 +Subproject commit 762d2722290ca0004d0da2b0b96baea6a3a7f3f4 diff --git a/aux/broker b/aux/broker index 694af9d9ed..8cc208192b 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 694af9d9edd188a461cc762bfdb7b61688b93ada +Subproject commit 8cc208192b4b692a082e22c8dd89c44f69e824d7 From 7870da9028036dc6c0da028b15a8b5b03db123e9 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 6 Mar 2015 14:59:28 -0800 Subject: [PATCH 163/711] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 8cc208192b..694af9d9ed 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 8cc208192b4b692a082e22c8dd89c44f69e824d7 +Subproject commit 694af9d9edd188a461cc762bfdb7b61688b93ada From 867c4379eadb0b75400f0c52e1b82b422e161444 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 9 Mar 2015 13:14:27 -0500 Subject: [PATCH 164/711] Fix a format specifier. --- CHANGES | 4 ++++ VERSION | 2 +- src/analyzer/protocol/ssl/ssl-analyzer.pac | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index d7014fa711..cff111cfca 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.3-529 | 2015-03-09 13:14:27 -0500 + + * Fix format specifier in SSL protocol violation. (Jon Siwek) + 2.3-526 | 2015-03-06 12:48:49 -0600 * Fix build warnings, clarify broker requirements, update submodule. diff --git a/VERSION b/VERSION index 747dc6d532..f5e52782d1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-526 +2.3-529 diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac index 2433886d14..c835fd6632 100644 --- a/src/analyzer/protocol/ssl/ssl-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac 
@@ -207,7 +207,7 @@ refine connection SSL_Conn += {
 {
 // This should be impossible due to the binpac parser
 // and protocol description
- bro_analyzer()->ProtocolViolation(fmt("Impossible extension length: %lu", length));
+ bro_analyzer()->ProtocolViolation(fmt("Impossible extension length: %zu", length));
 bro_analyzer()->SetSkip(true);
 return true;
 }
From 6ab5701ad023aeaa2d1d2d86902febb1f6fae7b8 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 9 Mar 2015 12:33:56 -0700 Subject: [PATCH 165/711] Update certificate validation script - new version will cache valid intermediate chains that it encounters on the wire and use those to try to validate chains that might be missing intermediate certificates. This vastly improves the number of certificates that Bro can validate. The only drawback is that now validation behavior is not entirely predictable anymore - the certificate of a server can fail to validate when Bro just started up (due to the intermediate missing), and succeed later, when the intermediate can be found in the cache. Has been tested on big-ish clusters and should not introduce any performance problems. --- .../policy/protocols/ssl/validate-certs.bro | 129 +++++++++++++++--- .../ssl.log | 15 ++ .../ssl-all.log | 23 ++++ .../ssl.log | 11 -- .../Traces/tls/missing-intermediate.pcap | Bin 0 -> 13449 bytes .../protocols/ssl/validate-certs-cluster.bro | 37 +++++ .../policy/protocols/ssl/validate-certs.bro | 7 +- 7 files changed, 191 insertions(+), 31 deletions(-) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-cluster/ssl.log create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl-all.log delete mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log create mode 100644 testing/btest/Traces/tls/missing-intermediate.pcap create mode 100644 testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro
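Review bot: `%zu` is the matching specifier only if `length` is a `size_t`; the hunk does not show its declaration, and if it is a binpac fixed-width integer (e.g. `uint16`/`uint32`) the argument is promoted to `unsigned int`, so `%u` or an explicit `static_cast<size_t>(length)` would be the correct pairing — a mismatched specifier in a varargs call is undefined behaviour, which is worth ruling out against the field's type. The branch also deserves a clearer comment than "should be impossible": it is the defensive path that reports a violation and skips the connection when an on-the-wire extension length is malformed, e.g. `// Defensive: unreachable if the parser's length checks hold; still report and skip rather than trust the on-the-wire length`. The enclosing handler starts outside the hunk.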
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
index 19b0b70806..d2b3befaed 100644
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -1,4 +1,6 @@
 ##! Perform full certificate chain validation for SSL certificates.
+# Also caches all intermediate certificates encountered so far and use them
+# for future validations.
 @load base/frameworks/notice
 @load base/protocols/ssl
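Review bot: The added comment reads `# Also caches all intermediate certificates encountered so far and use them`, which should be `and uses them` to agree with `caches`. The file's first line uses the `##!` doc-comment marker while the new lines use plain `#`, which presumably keeps them out of the generated script documentation even though the caching behaviour is exactly what a user of this script needs to know; consider `##! It also caches all intermediate certificates seen so far and uses them for later validations.`. Since the summary now advertises an ever-growing cache, it should also say whether and when cached intermediates expire, which the table declaration further down this file (outside this hunk) would need to back up.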
@@ -19,12 +21,92 @@ export { }; ## MD5 hash values for recently validated chains along with the - ## validation status message are kept in this table to avoid constant + ## validation status are kept in this table to avoid constant ## validation every time the same certificate chain is seen. global recently_validated_certs: table[string] of string = table() - &read_expire=5mins &synchronized &redef; + &read_expire=5mins &redef; + + ## Event from a worker to the manager that it has encountered a new + ## valid intermediate + global intermediate_add: event(key: string, value: vector of opaque of x509); + + ## Event from the manager to the workers that a new intermediate chain + ## is to be added + global new_intermediate: event(key: string, value: vector of opaque of x509); } +global intermediate_cache: table[string] of vector of opaque of x509; + +@if ( Cluster::is_enabled() ) +@load base/frameworks/cluster +redef Cluster::manager2worker_events += /SSL::intermediate_add/; +redef Cluster::worker2manager_events += /SSL::new_intermediate/; +@endif + + +function add_to_cache(key: string, value: vector of opaque of x509) + { + intermediate_cache[key] = value; +@if ( Cluster::is_enabled() ) + event SSL::new_intermediate(key, value); +@endif + } + +@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) +event SSL::intermediate_add(key: string, value: vector of opaque of x509) + { + intermediate_cache[key] = value; + } +@endif + +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +event SSL::new_intermediate(key: string, value: vector of opaque of x509) + { + if ( key in intermediate_cache ) + return; + + intermediate_cache[key] = value; + event SSL::intermediate_add(key, value); + } +@endif + +function cache_validate(chain: vector of opaque of x509): string + { + local chain_hash: vector of string = vector(); + + for ( i in chain ) + chain_hash[i] = sha1_hash(x509_get_certificate_string(chain[i])); + + local chain_id = 
join_string_vec(chain_hash, "."); + + # If we tried this certificate recently, just return the cached result. + if ( chain_id in recently_validated_certs ) + return recently_validated_certs[chain_id]; + + local result = x509_verify(chain, root_certs); + recently_validated_certs[chain_id] = result$result_string; + + # if we have a working chain where we did not store the intermediate certs + # in our cache yet - do so + if ( result$result_string == "ok" && result?$chain_certs && |result$chain_certs| > 2 ) + { + local result_chain = result$chain_certs; + local icert = x509_parse(result_chain[1]); + if ( icert$subject !in intermediate_cache ) + { + local cachechain: vector of opaque of x509; + for ( i in result_chain ) + { + if ( i >=1 && i<=|result_chain|-2 ) + cachechain[i-1] = result_chain[i]; + } + add_to_cache(icert$subject, cachechain); + } + } + + return result$result_string; + } + event ssl_established(c: connection) &priority=3 { # If there aren't any certs we can't very well do certificate validation. 
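Review bot: The doc comments on the two new events are swapped relative to how the code wires them: `redef Cluster::worker2manager_events += /SSL::new_intermediate/` plus the manager-only handler make `new_intermediate` the worker-to-manager report, and `manager2worker_events += /SSL::intermediate_add/` makes `intermediate_add` the manager-to-worker broadcast, yet `intermediate_add` is documented as "Event from a worker to the manager" and `new_intermediate` as "Event from the manager to the workers". Swap the two `##` comments so the exported interface reads correctly, e.g. `## Event from the manager to the workers that a new valid intermediate chain is to be added` above `intermediate_add`. A second point that deserves a comment on `intermediate_cache`: the table is keyed by the intermediate's subject DN, the manager keeps the first chain it sees for a key while `add_to_cache` and the worker-side handler overwrite, so nodes can hold different chains for the same subject; this cannot produce a false "ok" because an entry is only populated from a chain `x509_verify` already accepted against `root_certs`, and the fallback to the server-supplied chain in `ssl_established` keeps it from producing false failures, but a reader has to reconstruct both facts from the code today. `ssl_established` starts at the very end of this hunk and continues in the next one.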
@@ -32,9 +114,30 @@ event ssl_established(c: connection) &priority=3 ! c$ssl$cert_chain[0]?$x509 ) return; - local chain_id = join_string_vec(c$ssl$cert_chain_fuids, "."); - local hash = c$ssl$cert_chain[0]$sha1; + local intermediate_chain: vector of opaque of x509 = vector(); + local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer; + local result: string; + # look if we already have a working chain for the issuer of this cert. + # If yes, try this chain first instead of using the chain supplied from + # the server. + if ( issuer in intermediate_cache ) + { + intermediate_chain[0] = c$ssl$cert_chain[0]$x509$handle; + for ( i in intermediate_cache[issuer] ) + intermediate_chain[i+1] = intermediate_cache[issuer][i]; + + result = cache_validate(intermediate_chain); + if ( result == "ok" ) + { + c$ssl$validation_status = result; + return; + } + } + + # validation with known chains failed or there was no fitting intermediate + # in our store. + # Fall back to validating the certificate with the server-supplied chain local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) { @@ -42,24 +145,14 @@ event ssl_established(c: connection) &priority=3 chain[i] = c$ssl$cert_chain[i]$x509$handle; } - if ( chain_id in recently_validated_certs ) - { - c$ssl$validation_status = recently_validated_certs[chain_id]; - } - else - { - local result = x509_verify(chain, root_certs); - c$ssl$validation_status = result$result_string; - recently_validated_certs[chain_id] = result$result_string; - } + result = cache_validate(chain); + c$ssl$validation_status = result; - if ( c$ssl$validation_status != "ok" ) + if ( result != "ok" ) { local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, $sub=c$ssl$subject, $conn=c, - $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]); + $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$validation_status)]); } } - - 
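Review bot: When the cached chain validates, `c$ssl$validation_status` is set to `ok` and the handler returns before the server-supplied chain is tried, so ssl.log no longer distinguishes a server that sent a complete chain from one that omitted its intermediate, and operators who used validation_status to find misconfigured servers lose that signal. If that is intended, say so in the comment above the lookup, e.g. `# A hit here means the cert chains to a trusted root, but the server may still have sent an incomplete chain; that is not recorded.`; otherwise consider recording which path produced the result. The body of `ssl_established` is cut here and continues in the next hunk.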
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-cluster/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-cluster/ssl.log new file mode 100644 index 0000000000..df2cdf9732 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-cluster/ssl.log 
@@ -0,0 +1,15 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2015-03-09-19-32-44 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string +1425929564.247511 CXWv6p3arKYeMETxOg 192.168.4.149 58529 128.32.169.140 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FTzCuuqU5y7w85H89 (empty) CN=www.cviis.org,OU=Domain Control Validated CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - unable to get local issuer certificate +1425929565.270104 CXWv6p3arKYeMETxOg 192.168.4.149 58529 128.32.169.140 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FXzQOu1ZSKSF7H8Ez6 (empty) CN=www.cviis.org,OU=Domain Control Validated CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - unable to get local issuer certificate +1425929566.843026 CjhGID4nQcgTWjvg4c 192.168.4.149 58530 72.167.102.91 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T F5l2dVkZHiwiOWR67,Fkw2ETDXfIXIvatba,Fbgf8A3V6m8v33wTcj (empty) CN=valid.sfig2.catest.starfieldtech.com,O=Starfield Technologies\, LLC,L=Scottsdale,ST=Arizona,C=US,serialNumber=R-1724741-6,businessCategory=Private Organization,jurisdictionST=Arizona,jurisdictionC=US CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - ok +1425929571.372511 CCvvfg3TEfuqmmG4bh 192.168.4.149 58532 128.32.169.140 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T 
FhEtvg4pQ90832J56f (empty) CN=www.cviis.org,OU=Domain Control Validated CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - ok +1425929567.865619 CjhGID4nQcgTWjvg4c 192.168.4.149 58530 72.167.102.91 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T Fyc6cQ2rMCAhpIGcM5,FoJ8j735m9ogDYopYj,FHaYhA3ykzVlKPnnsc (empty) CN=valid.sfig2.catest.starfieldtech.com,O=Starfield Technologies\, LLC,L=Scottsdale,ST=Arizona,C=US,serialNumber=R-1724741-6,businessCategory=Private Organization,jurisdictionST=Arizona,jurisdictionC=US CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - ok +1425929572.395104 CCvvfg3TEfuqmmG4bh 192.168.4.149 58532 128.32.169.140 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FwZZ8034tgyXSponwg (empty) CN=www.cviis.org,OU=Domain Control Validated CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - ok +#close 2015-03-09-19-32-53 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl-all.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl-all.log new file mode 100644 index 0000000000..77ba9233ae --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl-all.log 
@@ -0,0 +1,23 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2015-03-09-19-44-42 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string +1394745602.951961 CXWv6p3arKYeMETxOg 192.168.4.149 60539 87.98.220.10 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - F - - T F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl (empty) CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - certificate has expired +1394745618.791420 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - F - - T F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h (empty) CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - ok +#close 2015-03-09-19-44-42 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2015-03-09-19-44-42 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string +1417039703.224578 CXWv6p3arKYeMETxOg 192.168.4.149 58529 128.32.169.140 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FghNi02cFL9n6ttuMa (empty) 
CN=www.cviis.org,OU=Domain Control Validated CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - unable to get local issuer certificate +1417039705.820093 CjhGID4nQcgTWjvg4c 192.168.4.149 58530 72.167.102.91 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T Fz7gr4fSm2T2sEyDl,FhjNBG25vvoBO6CS79,FQFHJA20WL56NP6LXk (empty) CN=valid.sfig2.catest.starfieldtech.com,O=Starfield Technologies\, LLC,L=Scottsdale,ST=Arizona,C=US,serialNumber=R-1724741-6,businessCategory=Private Organization,jurisdictionST=Arizona,jurisdictionC=US CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - ok +1417039710.349578 CCvvfg3TEfuqmmG4bh 192.168.4.149 58532 128.32.169.140 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FRcFYq3e3hgYkZ8dS1 (empty) CN=www.cviis.org,OU=Domain Control Validated CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - ok +#close 2015-03-09-19-44-42 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log deleted file mode 100644 index a464c64670..0000000000 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log +++ /dev/null 
@@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path ssl -#open 2014-08-08-17-13-58 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status -#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string -1394745602.951961 CXWv6p3arKYeMETxOg 192.168.4.149 60539 87.98.220.10 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - F - - T F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl (empty) CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - certificate has expired -1394745618.791420 CjhGID4nQcgTWjvg4c 192.168.4.149 60540 122.1.240.204 443 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - F - - T F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h (empty) CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - ok -#close 2014-08-08-17-13-58 
diff --git a/testing/btest/Traces/tls/missing-intermediate.pcap b/testing/btest/Traces/tls/missing-intermediate.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9f44e3e4d25f2f584096819fd7ac4ace9b758455 GIT binary patch literal 13449 zcmeHOc|29y+h1oi3&&XG6v=EK^N=DTWK49ZB;%1OPDGibXfPy=N(hxoQW~y0CEYR< zH&-f(kOn1@S>CmeWW4V0{yy&?@8|v8UF(y*?fre$de(P;_j;c7R9jkj1`F_D;=lt8 zJh8V7vfa1|2Q1*vXaiDv+YdzLk=<99TeAW~0Q8Es>j6C?0E|5R;Yjki{jFy(x5Z+e zOwgMPu%n}$q5xp=gdz+MhsR)8+3^Zz-lD(5W5>`#yeH7daK~(np;Pq$*h%a=fFh$7 zFt=OJxRX=*p#{?dK0R>$-Y;~3qNB*@fx+OhXx}eD^p)@&Z8Q3=dc4O77&^2hAj)?I*;5Y}OFj?;Fs;P*AI1EM!12A$pTz+nKrB3eA z(PkFe601!Lq?(TIngq|PTYN}1TUWYe7XYaYgdxw6W=Jyl8SEenoCaHg7tjKlU@zFi zP-ZAHWEoP7c?<$b2f9EF>}Du2=Rxv0H1%?b` z34@z~2PeTYpajx@K44++GFTX#3@ji3JcEzH3IqX(!NtGf3y8pLoIn`f%nlzHV&2XI9~6KrBR~)mU4v*ydQBmYQHVc5wyd32toCQKIr5yVrSRM|K0}$2$ zf(;;8BGCjhBpR=h!R$YaoaFhI-Xk#x7m-aiZgpHA7Y4&Y07%qB3J1bQ#I3^(h>8QELs^7~k99_Pm7k9@&6jN8=SvUp^CsIld(&JY zq$@=b;U6>26&xI_=n_Pu1uFUlcp%Z3#giR}Apl%7W*&go*|E_W49Jt>@av*`XjLz? 
z5>F|9(Ds1F`(4d_MK0Y~cyFM;^p6YbBVrrQoIl&R4}D*dI9P(EBLnxw_Gv3<2s*)5^P1+;OW~ z!cKAO$!okn5>IUNa3{V`3=P^~XO`ihv-sltr+NPEt_O!*Kfc@5O&WY{xy7kPohWbp zz=N{)+%{60%|!td8S&%t%OAQPCHf?fvg+6x^3)Uz_fmfo;XYr^$+;)FV<#2|btEeq z^ALLEJ~9vbP>h7ZjN%Ch)EIz>p%<3mQSY+K5itY;3l8(^CoGe3V)M}Z@i;6Y1JOZm z7so>$AV`K{hJ4&F_5^s(!ks{Onul^AML|Q+CBPe@q7RetHi#8sLFCvRw;B^S;)`Js z!XPUU-EpH>j38waBY#rrZ-|LRMUOuZB|ZqDBeLV?2qtdfPdq=DK>t}fi5UI57aOPj zk8Lx@2**cfa#&0PFN_FA@-H!r^0boD)YVatzfMq_cwLIhGVqG==T>G*m>l<1}#YIz9P_vRO*KzU8p4u4m46p7 zXnbARXU|fQzK*Vedw4xn;9$Z29q-D`g6^uBjvi?^pHwtysN}RIT&e@galnETZHd3sWs3XF!Kth#21uDN0{92%G zy7B`}>Pl4kiw{jz{-bA@$}jw*LZWx7@^eEJ6!jrQT?v0i+w`wGP?g}B?W?{y+?{;% zY$T6(^`v#e2lShQBKk+-zz+CrMB8*kj8__V4n$!x_zH*jbLGKAMAr#K9{7dD0J6>A zm0Y_?)DlGV{^>i}_b=M$U0>w8;WW>F!?+F-QrjoRUhkJKuGbe%8?ERRvm4rc%6T{= zv#aHgll?K&;@9Fg{Ic@*9Sfn~v=c9N*zu|}%|cC^?Rj|HHak146%dtu!6F;K#c_Q; zF>8Lgnd9{>N&4DH_N=Y1$q?mLD7oL|-*;A{IV$g|%{#xyT1C*B8?_<{v)1d0s=))m8cJy<3{-i;^y}6FXAYuBRn#aCK5fGjVhtsdI4(khMtWrH%<2>@#Xdos@25;vr!#C@v!xZ2Rr!#yysb@9Wcz~ zM|BPZ9RkS7^q8ZgTeNTK|CxG6EIw=A2?0re$z;toQ;*k6?hv(Kqw|pV5(n2O=o)1f zzBo}0n0(nfjW1`#Vx5a3g+~q#{G5lMD}@h}jAKL2c%KSSvs!Z0p{+`3qcE<5J>~9HD$bc(6Mz? 
zh8_3pU}989`Gx&`58A|Xh-{s#!V=?XEY};h39CS zF?Q$>J)lgi-Gw6m^k!x(b>2#7VRZ(dX3|MLCb}yg%gWATcCrGmaG@PWXe=mlF+~3B znXd|)wco2Dx&e%tcAgPKucv?w2+7TpW5o z+%a&6-}i@N)~mA@+Tu25&_rC=g5n0Y{Tnm=jG53`aBrTN*BOja_3B0$Lrb2<7=xJm z7k5SSfKbfOmeJi9C1%?*C#K&86;)f2LlEIfZ!_prthAeS_3nt>tsj=*uH3k#~L=L?RN0JOe!$rlP zD{|PcK>Ez}{@+H7_w>tzwLTXJiJ$y(;tuG1jJ(t0b{mQ?oRZkX3{`bet8>F05Mo*SH= z${*p~llI1EW8EHYh0P6DQ^m{z&fb>xEEU@JbpFF?Hv)^`f&H~|neOvq^7~?ih5wKf zQ*+GY^7dd$4Qtu`f?~(G#gRI{Y5kK=S^|IWUQoGG+`jjrnpODaYXU*f16u-5Ygjh2 zMX)&!k_}qcm<1f!FFSgA9z$n5Vyu9k`W@kft{saQu?UzE5B^Q~sDwVui?UAZBVa~@n(n#Vmvuc#vz)B`nVYwC;y7Q|2}gwP2AA15moB`xt01m zQ>itkDmDL!aqXXXYpPO%7IXK6W{+zkE1Y*ST0ivko7xI(>2Q0o=6IP)1+pkCZ&mA4Czh ztvjN$!Uio^G!L;|Qrt;Qs_hyy00cbzuE5+A?)}(z1;aAU@kmtSe^YKY3O&x6Y3)Biu;!N1ECwk5fnbqpA7J4cSW^TGSB>EqS3sO=U$ zlD!o|r2c|!)ZL+5B8lTW$FsP`JBF1-*`H_Sob zdL#GJiU+nmMU+*IhwS!eui11WzCtqQ#9RBY;(9*u$FV*=HIZFbC-z*b<=`O)X70Uyxby(m?){rjK6|1wS6( zULGWLH!MCfa+N{5LX!d8_Lu7KFTRS`{=Sj#paec&aJM=K8PhkvbYEVDY9taEh}@)lGHainhh-M|@FxH#jb5T^rgr-}TK6 zE9c6!)_O8#_j@jBJGG)p&4HhDP2I~>YW1l~Ez&)%)Z4C3RqFDKQk53Y25lquIU4>? 
z4CD$@OH)2HJDuk-DWy9L;@3{xL4!j>G@PNH)t3OyY`(atDpHNbgJtCwTz^P)f#RZ^%x2%v zs1YPTRQz}9PJnBMqS}Z=W6ORDE12f^|C_=JiKPV>+ROv4yHzwO$|~@$nwFZD!~ek^ z|D8gXe7=Vp?oAxVUh#80z4}FZ$lJ_foU@&9sqyva<+^H$@dkZoXeVAL%pW0+SCcKnk*wAHCB{w$A8ywSRz8{0+SMYP&p zGV5O#V2>5)7urVsv{0IbUY5T4j(1T{c0sqRMo0>y!)Q}Pv(MT!TP|0LbGY2rP9GW$ z0Y{zbPo<*uT)GPbyhON;mDh4_uhbaY7k`i1wI#yos*@YipIdAmO=gRWBU{ilyDiOTbg{HrsajS%wfZPG_q*4_ zr5)l)U1JKl64Co7>NuZWGtLq1zJvfa)Us!w$ zTz~IwX42OGKBrpJQ2#eaUE7FHCO@LUbE?Fh^LjD{t5k=AhXP;P*ZD_X;mG~sJ4}T8 zB4^&$1oJd%rF?CE%6P$^({|{p?1~GTca$oI1h;Yd@&#Vlt62DT^lDM6q=4zS57%jf zYl_tNswH%LIIQdoQA}N^VH1AlyUT?dJBd>!_YbTUZMA;+pylEAhdU~lMI`H{-_R1* ziQk9xo>a?89wIVUHmCiLDm4#O>K8ESfVSz`4^ZLNhbpya?^LB0H)ATbFbMtg%v7cB z@$|t5cVRz+^jybubHjorPc?Dj*2@)=E7kX37zjpkwuYh$81RF;}v|I zrFQ4sTsw@C@XMQExAMHHVC(Q?)lBZ?^g79tX7LtICktB+RK{;H2m z#E-KfN(yiR2J`^hW+a3Qm%-%Lc^%^167;XsJFaacbXqUG1FW?TK(CX4&8UBp6PD9Ynmx)6E3+NRSLqwdwuq-(-7y1s>U9gKu@4dNQ7YdS39$(KaO zQx5Be9>UA=fUz0#Hp=9cdx8XU^pj_%{M%(;E_5z_*t={|^}to?x*bG|foEww#U3uv zY7U7l9frz!Z_L$BE)gAx*zi2eLtrs?|BE4k6T9!Hh>CtW- zE{1WvKum7u;i!6PA}{+_R;<~L2Ne%CUKc&p^txfirNcTEZpwbcCs;|wDfLbFqVp~r zo7<^*Eh;YZ8nQolK|2fZFBNl>wYpO#+owCQaU{NkFRlt3(4`~il(ETzSX2J2L{@#0 zPrt0Z{#I-^WvEVHS9>4`ul`cDSg1l#XN!HU3~MG!)mLZRRv{7F;1j4%Z$qE{b*h|C zU{;O{#!|_xkjI^qSf|Tkmd?HrB3>KD0%u4#w9R1MTA%xKAfl{`9cSH5X%tZa&eHs! 
zB&l7Z^ZeOmL-WChZLycUYZ5I3TTp{6BiK2HAeKIx!Al~{A;5i}i6M*`WDdar_iG5# zi3Zks4WLA$c~2!8xi#kgrTHk)epebN+IbRQ;ifcm2tVg!*y2cg!Z+*9CUn8?A1ik# z`5ilm8oUJ!j?cmjgQ{MGOoP*yy$HuN$O}SiuTM3IB3e7*fI6H2w9S|W>AkpFoiZQ2 z*$TcBbO!)7K@>wH!WoHLIcdshIP1utHq z(O_g>$I#J459+g5P4a z%~&sJQlBx4Ww29~KXpG-`C;K4i`!J?M`J@2H4UQv^*Vv;#cW@7A6~D*)Fik9o>Vwj z0_%}1cu_VsbUf~wST+4bge%~Q!nrX-be-_Ca86CU*t{giQR3XA)5#Fl3TbUl&SY$pIm2JcUNjp z{OaIG68U>8WJ)_k1cJTa>@v>3uw7f>N&e}g6WfFjY)*GP)y&SgD3M*c;Uzsr%k8&F zleeY8qF)A2?T@)5BSz}?{$Mqlx1{3i;f42Ovw$xd^G1{uZCP2{t@{2Idm=_jhPF`m zk<-g%tMVkm`NirCx(!oxKYa2^EWBdehD&dgE`+XlxYt4$v#-Aaj7Z8bBw zQ{cFwMDvHB|00zy`fbI&JI_(RKCnw=(^7vzx}MN?H+P$BVfve_)st%1Ot@V+uFX#j zx_Zp#wpo4R6>8O&K7TI!cgiDLt?W6^Msyy2dqtS5aIO~R%k`Jj_>#mk>T8S^&dKpj z;Y-dWEuH*qqDT;6Tj8nvRNj# z$Hu%oI^q^;C>$F4>o+0_{?~+={Po?$>^cmnCJN`q455e$Z4-zy-dt4&J?2atn>G_L zmhg2#3+H$hf6c@Kyu!Ua6ft@d;>^`OD>7>zoyOcdrH>b&GZvtTi4YMj!$aGQK1w?< V|3k+0?AiK=mf|_W4d$`qe*hjM$^QTV literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro new file mode 100644 index 0000000000..db9c6cd9da --- /dev/null +++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro 
@@ -0,0 +1,37 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run proxy-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=proxy-1 bro %INPUT" +# @TEST-EXEC: btest-bg-run proxy-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=proxy-2 bro %INPUT" +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/missing-intermediate.pcap %INPUT" +# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/missing-intermediate.pcap %INPUT" +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: cat manager-1/ssl*.log > ssl.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-file-ids btest-diff ssl.log +# + +redef Log::default_rotation_interval = 0secs; + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1", $workers=set("worker-2")], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"], +}; +@TEST-END-FILE + +event terminate_me() { + terminate(); +} + +event remote_connection_closed(p: event_peer) { + schedule 1sec { terminate_me() }; +} + + +@load base/frameworks/cluster +@load protocols/ssl/validate-certs.bro 
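Review bot: The baseline this test produces is order-sensitive, but the order is not deterministic: two workers replay the same trace under `--pseudo-realtime`, the manager's rotated logs are concatenated with `cat manager-1/ssl*.log > ssl.log`, and the committed baseline already shows the interleaving (a row stamped 1425929571 precedes one stamped 1425929567, and the same uid appears twice). Timing differences between runs can reorder those rows and fail `btest-diff` without any real regression; sorting the rows in the canonifier step (for example by chaining the repository's diff-sort helper after `diff-remove-file-ids`, if it is available) would make the comparison stable. The `btest-bg-wait 10` timeout is likewise a guess that may need to grow on slow test machines.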
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro index 56408483f0..19fca8cb89 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro @@ -1,4 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT -# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: cat ssl.log > ssl-all.log +# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff ssl-all.log -@load protocols/ssl/validate-certs +@load protocols/ssl/validate-certs.bro From 144302d3e7cb07e2001a10a9c0c4009112254578 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 9 Mar 2015 12:53:17 -0700 Subject: [PATCH 166/711] add knob to revert to old validation behavior --- .../policy/protocols/ssl/validate-certs.bro | 19 +++++++++++++++++-- .../ssl.log | 12 ++++++++++++ .../protocols/ssl/validate-certs-no-cache.bro | 6 ++++++ 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-no-cache/ssl.log create mode 100644 testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index d2b3befaed..09000164aa 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro 
@@ -26,6 +26,18 @@ export { global recently_validated_certs: table[string] of string = table() &read_expire=5mins &redef; + ## Use intermediate CA certificate caching when trying to validate + ## certificates. When this is enabled, Bro keeps track of all valid + ## intermediate CA certificates that it has seen in the past. When + ## encountering a host-certificate that cannot be validated because + ## of missing intermediate CA certificate, the cached list is used + ## to try to validate the cert. This is similar to how Firefox is + ## doing certificate validation. + ## Disabling this will usually greatly increase the number of validation + ## warnings that you encounter. Only disable if you want to find misconfigured + ## servers. + global ssl_cache_intermediate_ca: bool = T &redef; + ## Event from a worker to the manager that it has encountered a new ## valid intermediate global intermediate_add: event(key: string, value: vector of opaque of x509); @@ -88,7 +100,10 @@ function cache_validate(chain: vector of opaque of x509): string # if we have a working chain where we did not store the intermediate certs # in our cache yet - do so - if ( result$result_string == "ok" && result?$chain_certs && |result$chain_certs| > 2 ) + if ( ssl_cache_intermediate_ca && + result$result_string == "ok" && + result?$chain_certs && + |result$chain_certs| > 2 ) { local result_chain = result$chain_certs; local icert = x509_parse(result_chain[1]); @@ -121,7 +136,7 @@ event ssl_established(c: connection) &priority=3 # look if we already have a working chain for the issuer of this cert. # If yes, try this chain first instead of using the chain supplied from # the server. - if ( issuer in intermediate_cache ) + if ( ssl_cache_intermediate_ca && issuer in intermediate_cache ) { intermediate_chain[0] = c$ssl$cert_chain[0]$x509$handle; for ( i in intermediate_cache[issuer] ) 
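Review bot: `ssl_cache_intermediate_ca` is declared `global ... &redef` although it is a compile-time tunable that nothing assigns at runtime; the usual form for such options is `const ssl_cache_intermediate_ca: bool = T &redef;`, which also stops a handler from flipping it per-node and leaving manager and workers disagreeing about whether chains get cached. The `ssl_` prefix is redundant inside `module SSL` (callers spell it `SSL::ssl_cache_intermediate_ca`, as the new test at the end of this series shows), so `cache_intermediate_ca` would read better if the name is still open to change. The doc comment would be clearer as two paragraphs separated by a bare `##` line, so the "disable only to find misconfigured servers" advice stands out from the description of the mechanism.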
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-no-cache/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-no-cache/ssl.log new file mode 100644 index 0000000000..9f33703649 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-no-cache/ssl.log 
@@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2015-03-09-19-51-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string +1417039703.224578 CXWv6p3arKYeMETxOg 192.168.4.149 58529 128.32.169.140 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FghNi02cFL9n6ttuMa (empty) CN=www.cviis.org,OU=Domain Control Validated CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - unable to get local issuer certificate +1417039705.820093 CjhGID4nQcgTWjvg4c 192.168.4.149 58530 72.167.102.91 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T Fz7gr4fSm2T2sEyDl,FhjNBG25vvoBO6CS79,FQFHJA20WL56NP6LXk (empty) CN=valid.sfig2.catest.starfieldtech.com,O=Starfield Technologies\, LLC,L=Scottsdale,ST=Arizona,C=US,serialNumber=R-1724741-6,businessCategory=Private Organization,jurisdictionST=Arizona,jurisdictionC=US CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - ok +1417039710.349578 CCvvfg3TEfuqmmG4bh 192.168.4.149 58532 128.32.169.140 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FRcFYq3e3hgYkZ8dS1 (empty) CN=www.cviis.org,OU=Domain Control Validated CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US - - unable to get local issuer certificate +#close 2015-03-09-19-51-25 
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro new file mode 100644 index 0000000000..1bca5b5c50 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro @@ -0,0 +1,6 @@ +# @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log + +@load protocols/ssl/validate-certs.bro + +redef SSL::ssl_cache_intermediate_ca = F; From d208c95e9a030142971c1982b101db70677e52f3 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 9 Mar 2015 12:56:55 -0700 Subject: [PATCH 167/711] and still use the hash for notice suppression. --- scripts/policy/protocols/ssl/validate-certs.bro | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 09000164aa..6e4aba704b 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -131,6 +131,7 @@ event ssl_established(c: connection) &priority=3 local intermediate_chain: vector of opaque of x509 = vector(); local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer; + local hash = c$ssl$cert_chain[0]$sha1; local result: string; # look if we already have a working chain for the issuer of this cert. @@ -168,6 +169,6 @@ event ssl_established(c: connection) &priority=3 local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, $sub=c$ssl$subject, $conn=c, - $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$validation_status)]); + $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]); } } From d9b4693240309a496e5e75e6c028605fc76c39ba Mon Sep 17 00:00:00 2001 
From: Vlad Grigorescu Date: Mon, 9 Mar 2015 16:04:35 -0400 Subject: [PATCH 168/711] Some cleanup and refactoring on SSH main.bro. Specifically, an overhaul of how the algorithm negotiation is calculated, to simplify a lot of the code. --- scripts/base/init-bare.bro | 46 +++--- scripts/base/protocols/ssh/main.bro | 171 +++++++++------------ src/analyzer/protocol/ssh/ssh-analyzer.pac | 40 +++-- src/analyzer/protocol/ssh/types.bif | 1 + 4 files changed, 125 insertions(+), 133 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index e8e35c2e3b..ac73ba980d 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -2218,37 +2218,31 @@ export { module SSH; export { + ## The client and server each have some preferences for the algorithms used + ## in each direction. + type Algorithm_Prefs: record { + ## The algorithm preferences for client to server communication + client_to_server: vector of string &optional; + ## The algorithm preferences for server to client communication + server_to_client: vector of string &optional; + }; + ## SSH Capability record type Capabilities: record { ## Key exchange algorithms - kex_algorithms : string_vec; + kex_algorithms: string_vec; ## The algorithms supported for the server host key - server_host_key_algorithms : string_vec; - ## Acceptable symmetric encryption algorithms for c->s, - ## in order of preference - encryption_algorithms_client_to_server : string_vec; - ## Acceptable symmetric encryption algorithms for s->c, - ## in order of preference - encryption_algorithms_server_to_client : string_vec; - ## Acceptable MAC algorithms for c->s, - ## in order of preference - mac_algorithms_client_to_server : string_vec; - - ## Acceptable MAC algorithms for s->c, - ## in order of preference - mac_algorithms_server_to_client : string_vec; - ## Acceptable compression algorithms for c->s, - ## in order of preference - compression_algorithms_client_to_server : string_vec; - ## Acceptable compression algorithms for c->s, - ## in order of preference - compression_algorithms_server_to_client : string_vec; - ## Language tags in order of preference for c->s - languages_client_to_server : string_vec &optional; - ## Language tags in order of preference for s->c - languages_server_to_client : string_vec &optional; + server_host_key_algorithms: string_vec; + ## Symmetric encryption algorithm preferences + encryption_algorithms: Algorithm_Prefs; + ## Symmetric MAC algorithm preferences + mac_algorithms: Algorithm_Prefs; + ## Compression algorithm preferences + compression_algorithms: Algorithm_Prefs; + ## Language preferences + languages: Algorithm_Prefs 
&optional; ## Are these the capabilities of the server? - is_server : bool; + is_server: bool; }; } diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index 8db2e4d023..706b687131 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro 
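Review bot: Both fields of the new `Algorithm_Prefs` record are `&optional`, whereas the `string_vec` fields they replace in `Capabilities` were mandatory, so code that previously could read `encryption_algorithms_client_to_server` directly now has to guard with `?$` on `client_to_server` and `server_to_client` or risk a runtime error on an unset field. If both directions are always populated from a KEXINIT (the record is per-side, so that appears to be the case) drop the `&optional` on the two members and keep it only on `languages`; otherwise document when a member can be absent in the field's `##` comment, e.g. `## Unset when the peer advertised no preference for this direction.`.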
@@ -1,56 +1,51 @@ ##! Implements base functionality for SSH analysis. Generates the ssh.log file. +@load base/utils/directions-and-hosts + module SSH; export { + ## The SSH protocol logging stream identifier. redef enum Log::ID += { LOG }; type Info: record { - ## Timestamp for when the event happened. - ts: time &log; + ## Time when the SSH connection began. + ts: time &log; ## Unique ID for the connection. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + id: conn_id &log; ## SSH major version (1 or 2) - version: count &log; - ## Auth result - auth_success: bool &log &optional; - - ## Auth details - auth_details: string &log &optional; + version: count &log; + ## Authentication result (T=success, F=failure, unset=unknown) + auth_success: bool &log &optional; ## Direction of the connection. If the client was a local host ## logging into an external host, this would be OUTBOUND. INBOUND ## would be set for the opposite situation. - ## TODO: handle local-local and remote-remote better. - direction: Direction &log &optional; - ## The encryption algorithm in use - cipher_alg: string &log &optional; - ## The signing (MAC) algorithm in use - mac_alg: string &log &optional; - ## The compression algorithm in use - compression_alg: string &log &optional; - ## The key exchange algorithm in use - kex_alg: string &log &optional; - - ## The server host key's algorithm - host_key_alg: string &log &optional; - ## The server's key fingerprint - host_key: string &log &optional; + # TODO - handle local-local and remote-remote better. 
+ direction: Direction &log &optional; ## The client's version string - client: string &log &optional; + client: string &log &optional; ## The server's version string - server: string &log &optional; - - ## This connection has been logged (internal use) - logged: bool &default=F; - ## Number of failures seen (internal use) - num_failures: count &default=0; - ## Store capabilities from the first host for - ## comparison with the second (internal use) - capabilities: Capabilities &optional; + server: string &log &optional; + ## The encryption algorithm in use + cipher_alg: string &log &optional; + ## The signing (MAC) algorithm in use + mac_alg: string &log &optional; + ## The compression algorithm in use + compression_alg: string &log &optional; + ## The key exchange algorithm in use + kex_alg: string &log &optional; + ## The server host key's algorithm + host_key_alg: string &log &optional; + ## The server's key fingerprint + host_key: string &log &optional; }; + ## The set of compression algorithms. We can't accurately determine + ## authentication success or failure when compression is enabled. + const compression_algorithms = set("zlib", "zlib@openssh.com") &redef; + ## If true, we tell the event engine to not look at further data ## packets after the initial SSH handshake. Helps with performance ## (especially with large file transfers) but precludes some @@ -62,6 +57,16 @@ export { global log_ssh: event(rec: Info); } +redef record Info += { + ## This connection has been logged (internal use) + logged: bool &default=F; + ## Number of failures seen (internal use) + num_failures: count &default=0; + ## Store capabilities from the first host for + ## comparison with the second (internal use) + capabilities: Capabilities &optional; +}; + redef record connection += { ssh: Info &optional; }; 
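Review bot: The comment on `compression_algorithms` says authentication success cannot be determined once compression is enabled, but `zlib@openssh.com` is OpenSSH's delayed-compression method, which only starts compressing after userauth has succeeded, so the packets exchanged during authentication are still uncompressed for that method. If the success/failure heuristic (in the analyzer, not visible here) only inspects the authentication exchange, listing `zlib@openssh.com` needlessly blanks `auth_success` for most modern OpenSSH sessions; if it also depends on post-auth packet sizes, say so, e.g. `## zlib@openssh.com compresses only after userauth, but the post-auth packet sizes the heuristic needs are still affected.`. The set is `&redef`, so operators can adjust it, but the rationale should be recorded next to it.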
@@ -72,52 +77,47 @@ event bro_init() &priority=5 } -function init_record(c: connection) +function set_session(c: connection) { - local s: SSH::Info; - s$ts = network_time(); - s$uid = c$uid; - s$id = c$id; - c$ssh = s; + if ( ! c?$ssh ) + { + local info: SSH::Info; + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + c$ssh = info; + } } - event ssh_server_version(c: connection, version: string) { - if ( !c?$ssh ) - init_record(c); - + set_session(c); c$ssh$server = version; } event ssh_client_version(c: connection, version: string) { - if ( !c?$ssh ) - init_record(c); - + set_session(c); c$ssh$client = version; - if ( version[4] == "1" ) + if ( ( |version| > 3 ) && ( version[4] == "1" ) ) c$ssh$version = 1; - if ( version[4] == "2" ) + if ( ( |version| > 3 ) && ( version[4] == "2" ) ) c$ssh$version = 2; } event ssh_auth_successful(c: connection, auth_method_none: bool) { + # TODO - what to do here? if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) ) return; # We can't accurately tell for compressed streams - if ( c$ssh?$compression_alg && ( c$ssh$compression_alg == "zlib@openssh.com" || - c$ssh$compression_alg == "zlib" ) ) + if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) ) return; c$ssh$auth_success = T; - if ( auth_method_none ) - c$ssh$auth_details = "method: none"; - if ( skip_processing_after_detection) { skip_further_processing(c$id); 
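Review bot: The length guard in `ssh_client_version` is off by one: `version[4]` reads the fifth character, so `|version| > 3` still admits a four-character banner for which that index is out of range, and both checks should read `if ( ( |version| > 4 ) && ( version[4] == "1" ) )` / `... == "2"`. What Bro returns for an out-of-range string index is not visible from this hunk, but the guard was evidently added to avoid exactly that case, so it should actually cover it. `ssh_auth_successful` continues past the end of this hunk.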
@@ -140,39 +140,30 @@ event ssh_auth_failed(c: connection) return; # We can't accurately tell for compressed streams - if ( c$ssh?$compression_alg && ( c$ssh$compression_alg == "zlib@openssh.com" || - c$ssh$compression_alg == "zlib" ) ) + if ( c$ssh?$compression_alg && ( c$ssh$compression_alg == "zlib@openssh.com" || c$ssh$compression_alg == "zlib" ) ) return; c$ssh$auth_success = F; c$ssh$num_failures += 1; } -function array_to_vec(s: string_array): vector of string - { - local r: vector of string; - - for (i in s) - r[i] = s[i]; - return r; - } - -function find_client_preferred_algorithm(client_algorithms: vector of string, server_algorithms: vector of string): string +# Determine the negotiated algorithm +function find_alg(client_algorithms: vector of string, server_algorithms: vector of string): string { for ( i in client_algorithms ) for ( j in server_algorithms ) if ( client_algorithms[i] == server_algorithms[j] ) return client_algorithms[i]; } - -function find_client_preferred_algorithm_bidirectional(client_algorithms_c_to_s: vector of string, - server_algorithms_c_to_s: vector of string, - client_algorithms_s_to_c: vector of string, - server_algorithms_s_to_c: vector of string): string - { - local c_to_s = find_client_preferred_algorithm(client_algorithms_c_to_s, server_algorithms_c_to_s); - local s_to_c = find_client_preferred_algorithm(client_algorithms_s_to_c, server_algorithms_s_to_c); +# This is a simple wrapper around find_alg for cases where client to server and server to client +# negotiate different algorithms. This is rare, but provided for completeness. +function find_bidirectional_alg(client_prefs: Algorithm_Prefs, server_prefs: Algorithm_Prefs): string + { + local c_to_s = find_alg(client_prefs$client_to_server, server_prefs$client_to_server); + local s_to_c = find_alg(client_prefs$server_to_client, server_prefs$server_to_client); + + # Usually these are the same, but if they're not, return the details return c_to_s == s_to_c ? 
c_to_s : fmt("To server: %s, to client: %s", c_to_s, s_to_c); } 
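Review bot: `find_bidirectional_alg` folds an asymmetric negotiation into one composite string, `To server: %s, to client: %s`, which the callers then write into `cipher_alg`, `mac_alg` and `compression_alg`, columns that otherwise hold a single algorithm name; any detection or reporting that matches those columns against a list of weak ciphers or MACs will silently miss exactly the sessions where one direction negotiated something weaker. Prefer per-direction values (two `&optional` columns, or a `&log` vector) and keep the scalar column for the symmetric case, or at minimum document the composite form on the `Info` fields. Separately, `find_alg` falls off the end with no return value when the two preference lists have no algorithm in common.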
@@ -190,33 +181,21 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities local client_caps = capabilities$is_server ? c$ssh$capabilities : capabilities; local server_caps = capabilities$is_server ? capabilities : c$ssh$capabilities; - c$ssh$cipher_alg = find_client_preferred_algorithm_bidirectional(client_caps$encryption_algorithms_client_to_server, - server_caps$encryption_algorithms_client_to_server, - client_caps$encryption_algorithms_server_to_client, - server_caps$encryption_algorithms_server_to_client); - - c$ssh$mac_alg = find_client_preferred_algorithm_bidirectional(client_caps$mac_algorithms_client_to_server, - server_caps$mac_algorithms_client_to_server, - client_caps$mac_algorithms_server_to_client, - server_caps$mac_algorithms_server_to_client); - - c$ssh$compression_alg = find_client_preferred_algorithm_bidirectional(client_caps$compression_algorithms_client_to_server, - server_caps$compression_algorithms_client_to_server, - client_caps$compression_algorithms_server_to_client, - server_caps$compression_algorithms_server_to_client); - - c$ssh$kex_alg = find_client_preferred_algorithm(client_caps$kex_algorithms, server_caps$kex_algorithms); - c$ssh$host_key_alg = find_client_preferred_algorithm(client_caps$server_host_key_algorithms, - server_caps$server_host_key_algorithms); + c$ssh$cipher_alg = find_bidirectional_alg(client_caps$encryption_algorithms, + server_caps$encryption_algorithms); + c$ssh$mac_alg = find_bidirectional_alg(client_caps$mac_algorithms, + server_caps$mac_algorithms); + c$ssh$compression_alg = find_bidirectional_alg(client_caps$compression_algorithms, + server_caps$compression_algorithms); + c$ssh$kex_alg = find_alg(client_caps$kex_algorithms, server_caps$kex_algorithms); + c$ssh$host_key_alg = find_alg(client_caps$server_host_key_algorithms, + server_caps$server_host_key_algorithms); } event connection_state_remove(c: connection) &priority=-5 { if ( c?$ssh && !c$ssh$logged && c$ssh?$client && 
c$ssh?$server ) { - if ( c$ssh?$auth_success && !c$ssh$auth_success ) - c$ssh$auth_details = fmt("%d failure%s", c$ssh$num_failures, c$ssh$num_failures == 1 ? "" : "s"); - c$ssh$logged = T; Log::write(SSH::LOG, c$ssh); } diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index d448bdae60..71609e7316 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac 
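Review bot: The values assigned to `cipher_alg`, `mac_alg`, `compression_alg`, `kex_alg` and `host_key_alg` are inferred by intersecting the two KEXINIT preference lists with `find_alg`, which is the RFC 4253 §7.1 rule but can diverge from what a non-conforming endpoint actually selected, so a short comment above the assignments, e.g. `# Inferred per RFC 4253 sec. 7.1 from the two KEXINIT lists; the peers' actual choice is not visible on the wire.`, would keep readers from treating these columns as ground truth. The guard establishing that `c$ssh$capabilities` is set before `client_caps`/`server_caps` are chosen lies above this hunk, so I cannot confirm it; `ssh_capabilities` begins outside the hunk.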
@@ -73,17 +73,35 @@ refine flow SSH_Flow += { RecordVal* result = new RecordVal(BifType::Record::SSH::Capabilities); result->Assign(0, name_list_to_vector(${msg.kex_algorithms.val})); result->Assign(1, name_list_to_vector(${msg.server_host_key_algorithms.val})); - result->Assign(2, name_list_to_vector(${msg.encryption_algorithms_client_to_server.val})); - result->Assign(3, name_list_to_vector(${msg.encryption_algorithms_server_to_client.val})); - result->Assign(4, name_list_to_vector(${msg.mac_algorithms_client_to_server.val})); - result->Assign(5, name_list_to_vector(${msg.mac_algorithms_server_to_client.val})); - result->Assign(6, name_list_to_vector(${msg.compression_algorithms_client_to_server.val})); - result->Assign(7, name_list_to_vector(${msg.compression_algorithms_server_to_client.val})); - if ( ${msg.languages_client_to_server.len} ) - result->Assign(8, name_list_to_vector(${msg.languages_client_to_server.val})); - if ( ${msg.languages_server_to_client.len} ) - result->Assign(9, name_list_to_vector(${msg.languages_server_to_client.val})); - result->Assign(10, new Val(${msg.is_orig}, TYPE_BOOL)); + + RecordVal* encryption_algs = new RecordVal(BifType::Record::SSH::Algorithm_Prefs); + encryption_algs->Assign(0, name_list_to_vector(${msg.encryption_algorithms_client_to_server.val})); + encryption_algs->Assign(1, name_list_to_vector(${msg.encryption_algorithms_server_to_client.val})); + result->Assign(2, encryption_algs); + + RecordVal* mac_algs = new RecordVal(BifType::Record::SSH::Algorithm_Prefs); + mac_algs->Assign(0, name_list_to_vector(${msg.mac_algorithms_client_to_server.val})); + mac_algs->Assign(1, name_list_to_vector(${msg.mac_algorithms_server_to_client.val})); + result->Assign(3, mac_algs); + + RecordVal* compression_algs = new RecordVal(BifType::Record::SSH::Algorithm_Prefs); + compression_algs->Assign(0, name_list_to_vector(${msg.compression_algorithms_client_to_server.val})); + compression_algs->Assign(1, 
name_list_to_vector(${msg.compression_algorithms_server_to_client.val})); + result->Assign(4, compression_algs); + + if ( ${msg.languages_client_to_server.len} || ${msg.languages_server_to_client.len} ) + { + RecordVal* languages = new RecordVal(BifType::Record::SSH::Algorithm_Prefs); + if ( ${msg.languages_client_to_server.len} ) + languages->Assign(0, name_list_to_vector(${msg.languages_client_to_server.val})); + if ( ${msg.languages_server_to_client.len} ) + languages->Assign(1, name_list_to_vector(${msg.languages_server_to_client.val})); + + result->Assign(5, languages); + } + + + result->Assign(6, new Val(${msg.is_orig}, TYPE_BOOL)); BifEvent::generate_ssh_capabilities(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.cookie}), diff --git a/src/analyzer/protocol/ssh/types.bif b/src/analyzer/protocol/ssh/types.bif index 38e51600f3..0b2b861723 100644 --- a/src/analyzer/protocol/ssh/types.bif +++ b/src/analyzer/protocol/ssh/types.bif @@ -1,5 +1,6 @@ module SSH; +type Algorithm_Prefs: record; type Capabilities: record; module GLOBAL; \ No newline at end of file From 3ad6b3004b4e4d6946bcfd5de95feb99bbd66eb1 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 10 Mar 2015 11:57:12 -0400 Subject: [PATCH 169/711] SSH: Use the compression_algorithms const in another place. --- scripts/base/protocols/ssh/main.bro | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index 706b687131..ea5b60f002 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -140,7 +140,7 @@ event ssh_auth_failed(c: connection) return; # We can't accurately tell for compressed streams - if ( c$ssh?$compression_alg && ( c$ssh$compression_alg == "zlib@openssh.com" || c$ssh$compression_alg == "zlib" ) ) + if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) ) return; c$ssh$auth_success = F; 
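Review bot: The indices passed to `Assign(0..6)` on `result` and `Assign(0..1)` on each `Algorithm_Prefs` value are positional and must track the record declarations in the script layer, which this same commit reorders (`languages` moves to slot 5, `is_server` to slot 6); nothing here ties the numbers to field names, so a later field insertion on the script side misfiles data instead of failing. Add a comment at the top of the block, e.g. `// Field indices must match the SSH::Capabilities / SSH::Algorithm_Prefs declarations in the script layer.`, or resolve them once through the record type's field-offset lookup if this tree provides one. The stray double blank line before `result->Assign(6, ...)` should also go.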
@@ -154,6 +154,7 @@ function find_alg(client_algorithms: vector of string, server_algorithms: vector for ( j in server_algorithms ) if ( client_algorithms[i] == server_algorithms[j] ) return client_algorithms[i]; + return "Algorithm negotiation failed"; } # This is a simple wrapper around find_alg for cases where client to server and server to client From cb5902d1addfbf2455bd9c099ffc66e52b69c713 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 10 Mar 2015 13:22:39 -0500 Subject: [PATCH 170/711] Fix broker data stores in absence of --enable-debug. Oops, put too much inside the assert() macro, so the registering of data stores got preprocessed out of optimized builds. --- CHANGES | 4 ++++ VERSION | 2 +- aux/broker | 2 +- src/broker/Manager.cc | 1 + src/broker/store.bif | 14 +++++++++++--- 5 files changed, 18 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index cff111cfca..836733370a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.3-530 | 2015-03-10 13:22:39 -0500 + + * Fix broker data stores in absence of --enable-debug. (Jon Siwek) + 2.3-529 | 2015-03-09 13:14:27 -0500 * Fix format specifier in SSL protocol violation. (Jon Siwek) diff --git a/VERSION b/VERSION index f5e52782d1..4a351a524e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-529 +2.3-530 diff --git a/aux/broker b/aux/broker index 694af9d9ed..1a49b0e3d2 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 694af9d9edd188a461cc762bfdb7b61688b93ada +Subproject commit 1a49b0e3d23fdfe8da3187dddb310883b641e4a3 diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index eadadea137..ae00134af5 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -1038,6 +1038,7 @@ bool bro_broker::Manager::CloseStore(const broker::store::identifier& id, delete it->second->store; it->second->store = nullptr; Unref(it->second); + data_stores.erase(it); return true; } diff --git a/src/broker/store.bif b/src/broker/store.bif index 6419034b60..e63ae522e6 100644 
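Review bot: The new fall-through `return "Algorithm negotiation failed";` makes `find_alg` hand back a sentinel that its callers store straight into the `cipher_alg`, `mac_alg`, `compression_alg`, `kex_alg` and `host_key_alg` log columns, so ssh.log now carries a human-readable phrase in fields that otherwise contain IANA algorithm names and that consumers match against allow/deny lists. Returning `""` and letting the callers leave the `&optional` column unset (or setting a dedicated flag) keeps the columns clean; if the sentinel stays, document it on the `Info` fields. The callers are outside this hunk.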
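Review bot: `data_stores.erase(it)` runs after `Unref(it->second)`, so for the duration of the handle's destructor the map still maps the id to a pointer that may already be freed; if that destructor, or anything it triggers, re-enters the manager and looks the id up, it receives a dangling pointer. Swapping the order removes the window at no cost: `auto* handle = it->second; data_stores.erase(it); Unref(handle);` after the existing `delete`/`nullptr` lines. Whether such re-entrancy exists is not visible from this hunk.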
--- a/src/broker/store.bif +++ b/src/broker/store.bif @@ -48,7 +48,8 @@ function BrokerStore::create_master%(id: string, b: BackendType &default = MEMOR rval = new bro_broker::StoreHandleVal(id_str, type, static_cast(b->AsEnum()), options->AsRecordVal()); - assert(broker_mgr->AddStore(rval)); + auto added = broker_mgr->AddStore(rval); + assert(added); return rval; %} @@ -92,7 +93,8 @@ function BrokerStore::create_clone%(id: string, b: BackendType &default = MEMORY static_cast(b->AsEnum()), options->AsRecordVal(), std::chrono::duration(resync)); - assert(broker_mgr->AddStore(rval)); + auto added = broker_mgr->AddStore(rval); + assert(added); return rval; %} @@ -115,7 +117,8 @@ function BrokerStore::create_frontend%(id: string%): opaque of BrokerStore::Hand } rval = new bro_broker::StoreHandleVal(id_str, type, {}, nullptr); - assert(broker_mgr->AddStore(rval)); + auto added = broker_mgr->AddStore(rval); + assert(added); return rval; %} @@ -396,7 +399,12 @@ static bool prepare_for_query(Val* opaque, Frame* frame, *handle = static_cast(opaque); if ( ! (*handle)->store ) + { + reporter->PushLocation(frame->GetCall()->GetLocationInfo()); + reporter->Error("BrokerStore query has an invalid data store"); + reporter->PopLocation(); return false; + } Trigger* trigger = frame->GetTrigger(); From 31795e7600561511add762951eee6292b186f6d3 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 10 Mar 2015 14:29:40 -0700 Subject: [PATCH 171/711] When setting the SSL analyzer to fail, also stop processing data that already has been delivered to the analyzer, not just future data. No testcase because this is hard to reproduce, this was only found due to mistakenly triggering an error in life traffic at a site... --- src/analyzer/protocol/ssl/ssl-protocol.pac | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index cb794bd8a4..0569caf321 100644 
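Review bot: Moving the call out of `assert()` fixes the side effect being compiled away, but in a `-DNDEBUG` build the result of `broker_mgr->AddStore(rval)` is now simply ignored: `added` is unused (expect an unused-variable warning) and a store that failed to register, for instance a duplicate id, is returned to script land as if it were live. If `AddStore` can fail at runtime rather than only on programmer error, handle the failure in all three creators the same way the id-validation path just above them does (outside the hunk), after `Unref(rval)`. If it genuinely cannot fail, keep the assert but add `(void)added;` so release builds stay warning-free. The new error path in `prepare_for_query` is a good companion; it assumes `frame->GetCall()` is non-null, which holds for a script-level call but deserves a one-line comment.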
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -750,6 +750,12 @@ refine connection SSL_Conn += { function determine_ssl_record_layer(head0 : uint8, head1 : uint8, head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int %{ + // stop processing if we already had a protocol violation or otherwhise + // decided that we do not want to parse anymore. Just setting skip is not + // enough for the data that is already in the pipe. + if ( bro_analyzer()->Skipping() ) + return UNKNOWN_VERSION; + // re-check record layer version to be sure that we still are synchronized with // the data stream if ( record_layer_version_ != UNKNOWN_VERSION && record_layer_version_ != SSLv20 ) From 82c4037929391836820bfb561009693a1fe089c7 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Wed, 11 Mar 2015 11:58:31 -0400 Subject: [PATCH 172/711] Refactoring ssh-protocol.pac: - Simplify and unify some types - Fix parsing of the key exchange messages, so we can transition - states properly again. --- src/analyzer/protocol/ssh/events.bif | 2 +- src/analyzer/protocol/ssh/ssh-analyzer.pac | 25 ++-- src/analyzer/protocol/ssh/ssh-protocol.pac | 155 +++++++++------------ 3 files changed, 81 insertions(+), 101 deletions(-) diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif index 4a8d959de4..c2b4e95673 100644 --- a/src/analyzer/protocol/ssh/events.bif +++ b/src/analyzer/protocol/ssh/events.bif @@ -10,6 +10,6 @@ event ssh_encrypted_packet%(c: connection, orig: bool, len: count%); event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%); -event ssh_server_host_key%(c: connection, key: string%); +event ssh2_server_host_key%(c: connection, key: string%); event ssh1_server_host_key%(c: connection, p: string, e: string%); \ No newline at end of file 
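Review bot: The new early return hands `UNKNOWN_VERSION` back to whatever calls `determine_ssl_record_layer`, and that same value is what the function uses further down (outside this hunk) to mean "could not recognize the record layer"; confirm the caller treats it as "stop" here rather than re-running detection on the next record or raising a second `ProtocolViolation` for data the analyzer has already given up on. A note at the return would make the intent explicit, e.g. `// UNKNOWN_VERSION: caller must not retry detection once we are skipping`. The comment also has a typo, `otherwhise` -> `otherwise`. The function body continues past the end of the hunk.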
diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index 71609e7316..c62d87f608 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac @@ -65,7 +65,7 @@ refine flow SSH_Flow += { return true; %} - function proc_ssh_kexinit(msg: SSH_KEXINIT): bool + function proc_ssh2_kexinit(msg: SSH2_KEXINIT): bool %{ if ( ! ssh_capabilities ) return false; @@ -110,11 +110,11 @@ refine flow SSH_Flow += { return true; %} - function proc_ssh_server_host_key(key: bytestring): bool + function proc_ssh2_server_host_key(key: bytestring): bool %{ - if ( ssh_server_host_key ) + if ( ssh2_server_host_key ) { - BifEvent::generate_ssh_server_host_key(connection()->bro_analyzer(), + BifEvent::generate_ssh2_server_host_key(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${key})); } @@ -138,15 +138,14 @@ refine flow SSH_Flow += { connection()->bro_analyzer()->ProtocolConfirmation(); return true; %} - }; refine typeattr SSH_Version += &let { proc: bool = $context.flow.proc_ssh_version(this); }; -refine typeattr SSH_KEXINIT += &let { - proc: bool = $context.flow.proc_ssh_kexinit(this); +refine typeattr SSH2_KEXINIT += &let { + proc: bool = $context.flow.proc_ssh2_kexinit(this); }; refine typeattr SSH1_Message += &let { 
@@ -157,14 +156,14 @@ refine typeattr SSH2_Message += &let { proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == MSG_NEWKEYS); }; -refine typeattr SSH_DH_GEX_REPLY += &let { - proc: bool = $context.flow.proc_ssh_server_host_key(k_s.val); +refine typeattr SSH2_DH_GEX_REPLY += &let { + proc: bool = $context.flow.proc_ssh2_server_host_key(k_s.val); }; -refine typeattr SSH_ECC_REPLY += &let { - proc: bool = $context.flow.proc_ssh_server_host_key(k_s.val); +refine typeattr SSH2_ECC_REPLY += &let { + proc: bool = $context.flow.proc_ssh2_server_host_key(k_s.val); }; refine typeattr SSH1_PUBLIC_KEY += &let { - proc: bool = $context.flow.proc_ssh1_server_host_key(host_key_p.val, host_key_e.val); -}; \ No newline at end of file + proc: bool = $context.flow.proc_ssh1_server_host_key(host_key_p.val, host_key_e.val); +}; diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index 6f9b9bf1d8..649db2c613 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac +++ b/src/analyzer/protocol/ssh/ssh-protocol.pac 
@@ -1,15 +1,17 @@ %include consts.pac -## SSH Generic +# Common constructs across SSH1 and SSH2 +######################################## + +# We have 3 basic types of messages: +# +# - SSH_Version messages just have a string with the banner string of the client or server +# - Encrypted messages have no usable data, but those never get passed in by SSH.cc +# - Finally, key exchange messages have a common format. type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of { - VERSION_EXCHANGE -> version : SSH_Version(is_orig); - KEX_INIT -> kex : SSH_Key_Exchange(is_orig); - KEX_DH_GEX -> kex_dh_gex : SSH_Key_Exchange_DH_GEX(is_orig); - KEX_DH -> kex_dh : SSH_Key_Exchange_DH(is_orig); - KEX_ECC -> kex_ecc : SSH_Key_Exchange_ECC(is_orig); - KEX_GSS -> kex_gss : SSH_Key_Exchange_GSS(is_orig); - KEX_RSA -> kex_rsa : SSH_Key_Exchange_RSA(is_orig); + VERSION_EXCHANGE -> version : SSH_Version(is_orig); + default -> kex : SSH_Key_Exchange(is_orig); } &byteorder=bigendian; type SSH_Version(is_orig: bool) = record { @@ -25,7 +27,8 @@ type SSH_Key_Exchange(is_orig: bool) = case $context.connection.get_version() of SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig); }; -## SSH1 +# SSH1 constructs +################# type SSH1_Key_Exchange(is_orig: bool) = record { packet_length : uint32; 
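Review bot: Collapsing every non-`VERSION_EXCHANGE` state into `default -> kex : SSH_Key_Exchange(is_orig)` means that in the `ENCRYPTED` state the grammar would still parse ciphertext as an `SSH2_Header` and let its attacker-controlled `packet_length` drive `&length` buffering; the comment says SSH.cc never delivers data in that state, so the safety of this arm now rests on a contract enforced in another file. Consider making the contract explicit in the grammar, e.g. an `ENCRYPTED -> encrypted : bytestring &restofdata &transient;` arm ahead of `default`, so a future change to SSH.cc cannot silently turn the key-exchange parser loose on encrypted bytes. The `get_state`/`update_state` helpers are not visible here.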
@@ -70,28 +73,32 @@ type ssh1_mp_int = record { ## SSH2 -type SSH2_Key_Exchange_Header = record { +type SSH2_Header(is_orig: bool) = record { packet_length : uint32; padding_length : uint8; msg_type : uint8; } &let { payload_length : uint32 = packet_length - padding_length - 2; -} &length=6; + detach : bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == MSG_NEWKEYS); +}; type SSH2_Key_Exchange(is_orig: bool) = record { - header : SSH2_Key_Exchange_Header; + header : SSH2_Header(is_orig); payload : SSH2_Message(is_orig, header.msg_type, header.payload_length); pad : bytestring &length=header.padding_length; } &length=header.packet_length + 4; -type SSH2_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { - MSG_KEXINIT -> kexinit : SSH_KEXINIT(length, is_orig); - default -> unknown : bytestring &length=length; -} &let { - detach : bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == MSG_NEWKEYS); +type SSH2_Message(is_orig: bool, msg_type: uint8, length: uint32) = case $context.connection.get_state(is_orig) of { + KEX_INIT -> kex : SSH2_KEXINIT(length, is_orig); + KEX_DH_GEX -> kex_dh_gex : SSH2_Key_Exchange_DH_GEX_Message(is_orig, msg_type, length); + KEX_DH -> kex_dh : SSH2_Key_Exchange_DH_Message(is_orig, msg_type, length); + KEX_ECC -> kex_ecc : SSH2_Key_Exchange_ECC_Message(is_orig, msg_type, length); + KEX_GSS -> kex_gss : SSH2_Key_Exchange_GSS_Message(is_orig, msg_type, length); + KEX_RSA -> kex_rsa : SSH2_Key_Exchange_RSA_Message(is_orig, msg_type, length); + default -> unknown : bytestring &length=length; }; -type SSH_KEXINIT(length: uint32, is_orig: bool) = record { +type SSH2_KEXINIT(length: uint32, is_orig: bool) = record { cookie : bytestring &length=16; kex_algorithms : ssh_string; server_host_key_algorithms : ssh_string; 
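Review bot: `payload_length : uint32 = packet_length - padding_length - 2` underflows when a peer sends `packet_length < padding_length + 2` (e.g. `packet_length = 0`), both values coming straight off the wire, and the resulting ~4 GiB `payload_length` is then handed to `SSH2_Message` and its `bytestring &length=length` arms, so the parser will try to buffer that much before anything rejects the packet. RFC 4253 §6 implies `packet_length >= padding_length + 2` for any message carrying a type byte, so a `&check(packet_length >= padding_length + 2)` on the header record (if this binpac supports it) or an explicit test in the flow function before the message is parsed would turn such packets into a protocol violation instead. With `&length=6` dropped from the header and `&length=header.packet_length + 4` on `SSH2_Key_Exchange`, a `packet_length` near `0xffffffff` is also worth an upper bound; RFC 4253 §6.1 lets implementations reject anything over 35000 bytes.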
@@ -111,53 +118,43 @@ type SSH_KEXINIT(length: uint32, is_orig: bool) = record { # KEX_DH exchanges -type SSH_Key_Exchange_DH(is_orig: bool) = record { - header : SSH2_Key_Exchange_Header; - payload : SSH_Key_Exchange_DH_Message(is_orig, header.msg_type, header.payload_length); - pad : bytestring &length=header.padding_length; -} &length=header.packet_length + 4; - -type SSH_Key_Exchange_DH_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { - SSH_MSG_KEXDH_INIT -> init : SSH_DH_GEX_INIT(length); - SSH_MSG_KEXDH_REPLY -> reply : SSH_DH_GEX_REPLY(length); +type SSH2_Key_Exchange_DH_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { + SSH_MSG_KEXDH_INIT -> init : SSH2_DH_GEX_INIT(length); + SSH_MSG_KEXDH_REPLY -> reply : SSH2_DH_GEX_REPLY(length); + default -> unknown: bytestring &length=length &transient; }; # KEX_DH_GEX exchanges -type SSH_Key_Exchange_DH_GEX(is_orig: bool) = record { - header : SSH2_Key_Exchange_Header; - payload : SSH_Key_Exchange_DH_GEX_Message(is_orig, header.msg_type, header.payload_length); - pad : bytestring &length=header.padding_length; -} &length=header.packet_length + 4; - -type SSH_Key_Exchange_DH_GEX_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { - SSH_MSG_KEX_DH_GEX_REQUEST_OLD -> request_old : SSH_DH_GEX_REQUEST_OLD; - SSH_MSG_KEX_DH_GEX_REQUEST -> request : SSH_DH_GEX_REQUEST; - SSH_MSG_KEX_DH_GEX_GROUP -> group : SSH_DH_GEX_GROUP(length); - SSH_MSG_KEX_DH_GEX_INIT -> init : SSH_DH_GEX_INIT(length); - SSH_MSG_KEX_DH_GEX_REPLY -> reply : SSH_DH_GEX_REPLY(length); +type SSH2_Key_Exchange_DH_GEX_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { + SSH_MSG_KEX_DH_GEX_REQUEST_OLD -> request_old : SSH2_DH_GEX_REQUEST_OLD; + SSH_MSG_KEX_DH_GEX_REQUEST -> request : SSH2_DH_GEX_REQUEST; + SSH_MSG_KEX_DH_GEX_GROUP -> group : SSH2_DH_GEX_GROUP(length); + SSH_MSG_KEX_DH_GEX_INIT -> init : SSH2_DH_GEX_INIT(length); + 
SSH_MSG_KEX_DH_GEX_REPLY -> reply : SSH2_DH_GEX_REPLY(length); + default -> unknown : bytestring &length=length &transient; }; -type SSH_DH_GEX_REQUEST = record { +type SSH2_DH_GEX_REQUEST = record { min : uint32; n : uint32; max : uint32; } &length=12; -type SSH_DH_GEX_REQUEST_OLD = record { +type SSH2_DH_GEX_REQUEST_OLD = record { n : uint32; } &length=4; -type SSH_DH_GEX_GROUP(length: uint32) = record { +type SSH2_DH_GEX_GROUP(length: uint32) = record { p : ssh_string; g : ssh_string; } &length=length; -type SSH_DH_GEX_INIT(length: uint32) = record { +type SSH2_DH_GEX_INIT(length: uint32) = record { e : ssh_string; } &length=length; -type SSH_DH_GEX_REPLY(length: uint32) = record { +type SSH2_DH_GEX_REPLY(length: uint32) = record { k_s : ssh_string; f : ssh_string; signature : ssh_string; 
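Review bot: `SSH2_Key_Exchange_DH_Message` maps `SSH_MSG_KEXDH_INIT`/`SSH_MSG_KEXDH_REPLY` onto the `SSH2_DH_GEX_INIT`/`SSH2_DH_GEX_REPLY` records, which is correct because the two exchanges share the same wire layout, but nothing says so and a reader will take it for a copy-paste slip. A comment above the case, e.g. `# KEXDH_INIT/REPLY carry the same fields as the GEX variants (RFC 4253 sec. 8), so the GEX record types are reused.`, would settle it. The `default -> unknown ... &transient` arms added to both DH cases here are the right call and should be mirrored in the other kex message cases.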
@@ -165,59 +162,47 @@ type SSH_DH_GEX_REPLY(length: uint32) = record { # KEX_RSA exchanges -type SSH_Key_Exchange_RSA(is_orig: bool) = record { - header : SSH2_Key_Exchange_Header; - payload : SSH_Key_Exchange_RSA_Message(is_orig, header.msg_type, header.payload_length); - pad : bytestring &length=header.padding_length; -} &length=header.packet_length + 4; - -type SSH_Key_Exchange_RSA_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { - SSH_MSG_KEXRSA_PUBKEY -> pubkey : SSH_RSA_PUBKEY(length); - SSH_MSG_KEXRSA_SECRET -> secret : SSH_RSA_SECRET(length); - SSH_MSG_KEXRSA_DONE -> done : SSH_RSA_DONE(length); +type SSH2_Key_Exchange_RSA_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { + SSH_MSG_KEXRSA_PUBKEY -> pubkey : SSH2_RSA_PUBKEY(length); + SSH_MSG_KEXRSA_SECRET -> secret : SSH2_RSA_SECRET(length); + SSH_MSG_KEXRSA_DONE -> done : SSH2_RSA_DONE(length); }; -type SSH_RSA_PUBKEY(length: uint32) = record { +type SSH2_RSA_PUBKEY(length: uint32) = record { k_s : ssh_string; k_t : ssh_string; } &length=length; -type SSH_RSA_SECRET(length: uint32) = record { +type SSH2_RSA_SECRET(length: uint32) = record { encrypted_payload : ssh_string; } &length=length; -type SSH_RSA_DONE(length: uint32) = record { +type SSH2_RSA_DONE(length: uint32) = record { signature : ssh_string; } &length=length; # KEX_GSS exchanges -type SSH_Key_Exchange_GSS(is_orig: bool) = record { - header : SSH2_Key_Exchange_Header; - payload : SSH_Key_Exchange_GSS_Message(is_orig, header.msg_type, header.payload_length); - pad : bytestring &length=header.padding_length; -} &length=header.packet_length + 4; - -type SSH_Key_Exchange_GSS_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { - SSH_MSG_KEXGSS_INIT -> init : SSH_GSS_INIT(length); - SSH_MSG_KEXGSS_CONTINUE -> cont : SSH_GSS_CONTINUE(length); - SSH_MSG_KEXGSS_COMPLETE -> complete : SSH_GSS_COMPLETE(length); - SSH_MSG_KEXGSS_HOSTKEY -> hostkey : SSH_GSS_HOSTKEY(length); - 
SSH_MSG_KEXGSS_ERROR -> error : SSH_GSS_ERROR(length); - SSH_MSG_KEXGSS_GROUPREQ -> groupreq : SSH_DH_GEX_REQUEST; - SSH_MSG_KEXGSS_GROUP -> group : SSH_DH_GEX_GROUP(length); +type SSH2_Key_Exchange_GSS_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { + SSH_MSG_KEXGSS_INIT -> init : SSH2_GSS_INIT(length); + SSH_MSG_KEXGSS_CONTINUE -> cont : SSH2_GSS_CONTINUE(length); + SSH_MSG_KEXGSS_COMPLETE -> complete : SSH2_GSS_COMPLETE(length); + SSH_MSG_KEXGSS_HOSTKEY -> hostkey : SSH2_GSS_HOSTKEY(length); + SSH_MSG_KEXGSS_ERROR -> error : SSH2_GSS_ERROR(length); + SSH_MSG_KEXGSS_GROUPREQ -> groupreq : SSH2_DH_GEX_REQUEST; + SSH_MSG_KEXGSS_GROUP -> group : SSH2_DH_GEX_GROUP(length); }; -type SSH_GSS_INIT(length: uint32) = record { +type SSH2_GSS_INIT(length: uint32) = record { output_token : ssh_string; e : ssh_string; } &length=length; -type SSH_GSS_CONTINUE(length: uint32) = record { +type SSH2_GSS_CONTINUE(length: uint32) = record { output_token : ssh_string; } &length=length; -type SSH_GSS_COMPLETE(length: uint32) = record { +type SSH2_GSS_COMPLETE(length: uint32) = record { f : ssh_string; per_msg_token : ssh_string; have_token : uint8; @@ -227,11 +212,11 @@ type SSH_GSS_COMPLETE(length: uint32) = record { }; } &length=length; -type SSH_GSS_HOSTKEY(length: uint32) = record { +type SSH2_GSS_HOSTKEY(length: uint32) = record { k_s : ssh_string; } &length=length; -type SSH_GSS_ERROR(length: uint32) = record { +type SSH2_GSS_ERROR(length: uint32) = record { major_status : uint32; minor_status : uint32; message : ssh_string; 
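Review bot: Unlike the DH and DH_GEX cases, `SSH2_Key_Exchange_RSA_Message` and `SSH2_Key_Exchange_GSS_Message` have no `default` arm, so a message type the grammar did not anticipate in those states, such as `SSH_MSG_IGNORE`, `SSH_MSG_DEBUG` or `SSH_MSG_DISCONNECT`, which RFC 4253 permits at any point of the exchange, raises binpac's invalid-case exception instead of being skipped. Add `default -> unknown : bytestring &length=length &transient;` to both cases, matching the DH ones. Because either endpoint's bytes reach this parser, a missing arm is also an easy way for a peer to knock the analyzer off its own session, depending on how the analyzer handles the exception.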
@@ -240,31 +225,27 @@ type SSH_GSS_ERROR(length: uint32) = record { # KEX_ECDH and KEX_ECMQV exchanges -type SSH_Key_Exchange_ECC(is_orig: bool) = record { - header : SSH2_Key_Exchange_Header; - payload : SSH_Key_Exchange_ECC_Message(is_orig, header.msg_type, header.payload_length); - pad : bytestring &length=header.padding_length; -} &length=header.packet_length + 4; - -type SSH_Key_Exchange_ECC_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { - SSH_MSG_KEX_ECDH_INIT -> init : SSH_ECC_INIT(length); - SSH_MSG_KEX_ECDH_REPLY -> reply : SSH_ECC_REPLY(length); +type SSH2_Key_Exchange_ECC_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { + SSH_MSG_KEX_ECDH_INIT -> init : SSH2_ECC_INIT(length); + SSH_MSG_KEX_ECDH_REPLY -> reply : SSH2_ECC_REPLY(length); }; # This deviates from the RFC. SSH_MSG_KEX_ECDH_INIT and # SSH_MSG_KEX_ECMQV_INIT can be parsed the same way. -type SSH_ECC_INIT(length: uint32) = record { +type SSH2_ECC_INIT(length: uint32) = record { q_c : ssh_string; }; # This deviates from the RFC. SSH_MSG_KEX_ECDH_REPLY and # SSH_MSG_KEX_ECMQV_REPLY can be parsed the same way. -type SSH_ECC_REPLY(length: uint32) = record { +type SSH2_ECC_REPLY(length: uint32) = record { k_s : ssh_string; q_s : ssh_string; signature : ssh_string; }; +# Helper types + type ssh_string = record { len : uint32; val : bytestring &length=len; From 2d82cab9989bda7723b390df3df556e55610eba1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 11 Mar 2015 16:48:38 -0500 Subject: [PATCH 173/711] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 1a49b0e3d2..25cf717eca 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 1a49b0e3d23fdfe8da3187dddb310883b641e4a3 +Subproject commit 25cf717ecad9b3012dbf48a5d5102e89da246753 From 9bb00639bab056f6b257ac815dc1dc8b10f30d39 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 11 Mar 2015 17:01:13 -0500 Subject: [PATCH 174/711] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 25cf717eca..78b8d909fa 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 25cf717ecad9b3012dbf48a5d5102e89da246753 +Subproject commit 78b8d909fadc66dd20ef89bc62b52b4e7c4b6f5f From 038fbf9b9eadb7b9fe79e3af63595002b80b7dc4 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 10 Mar 2015 20:37:33 -0700 Subject: [PATCH 175/711] First step for a DTLS analyzer. This commit mostly does a lot of refactoring of the current SSL analyzer, which is split into several parts. The handshake protocol is completely taken out of the SSL analyzer and was refactored into its own analyzer (called tls-handshake-analyzer). This will also (finally) make it possible to deal with TLS record fragmentation. Apart from that, the parts of the SSL analyzer that are common to DTLS were split into their own pac files. Both the SSL analyzer and the (very basic, mostly nonfunctional) DTLS analyzer use their own pac files and those shared pac files. All SSL tests still pass after refactoring so I hope I did not break anything too badly. At the moment, we have two different modules in one directory and I guess the way I am doing this might be an abuse of the system. It seems to work though... --- scripts/base/protocols/ssl/main.bro | 10 +- src/analyzer/protocol/ssl/CMakeLists.txt | 10 +- src/analyzer/protocol/ssl/DTLS.cc | 32 + src/analyzer/protocol/ssl/DTLS.h | 31 + src/analyzer/protocol/ssl/Plugin_DTLS.cc | 26 + .../protocol/ssl/{Plugin.cc => Plugin_SSL.cc} | 0 src/analyzer/protocol/ssl/SSL.cc | 19 + src/analyzer/protocol/ssl/SSL.h | 8 +- src/analyzer/protocol/ssl/dtls-analyzer.pac | 2 + src/analyzer/protocol/ssl/dtls-protocol.pac | 40 ++ src/analyzer/protocol/ssl/dtls.pac | 30 + .../protocol/ssl/proc-certificate.pac | 30 + .../protocol/ssl/proc-client-hello.pac | 42 ++ .../protocol/ssl/proc-server-hello.pac | 36 + src/analyzer/protocol/ssl/ssl-analyzer.pac | 528 +------------- src/analyzer/protocol/ssl/ssl-defs.pac | 79 +++ .../protocol/ssl/ssl-dtls-analyzer.pac | 106 +++ .../protocol/ssl/ssl-dtls-protocol.pac | 134 ++++ src/analyzer/protocol/ssl/ssl-protocol.pac | 645 +----------------- src/analyzer/protocol/ssl/ssl.pac | 11 +- .../protocol/ssl/tls-handshake-analyzer.pac | 273 ++++++++ .../protocol/ssl/tls-handshake-protocol.pac | 533 
+++++++++++++++ src/analyzer/protocol/ssl/tls-handshake.pac | 24 + testing/btest/Traces/tls/dtls-openssl.pcap | Bin 0 -> 3181 bytes 24 files changed, 1487 insertions(+), 1162 deletions(-) create mode 100644 src/analyzer/protocol/ssl/DTLS.cc create mode 100644 src/analyzer/protocol/ssl/DTLS.h create mode 100644 src/analyzer/protocol/ssl/Plugin_DTLS.cc rename src/analyzer/protocol/ssl/{Plugin.cc => Plugin_SSL.cc} (100%) create mode 100644 src/analyzer/protocol/ssl/dtls-analyzer.pac create mode 100644 src/analyzer/protocol/ssl/dtls-protocol.pac create mode 100644 src/analyzer/protocol/ssl/dtls.pac create mode 100644 src/analyzer/protocol/ssl/proc-certificate.pac create mode 100644 src/analyzer/protocol/ssl/proc-client-hello.pac create mode 100644 src/analyzer/protocol/ssl/proc-server-hello.pac create mode 100644 src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac create mode 100644 src/analyzer/protocol/ssl/ssl-dtls-protocol.pac create mode 100644 src/analyzer/protocol/ssl/tls-handshake-analyzer.pac create mode 100644 src/analyzer/protocol/ssl/tls-handshake-protocol.pac create mode 100644 src/analyzer/protocol/ssl/tls-handshake.pac create mode 100644 testing/btest/Traces/tls/dtls-openssl.pcap diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index a1461db82d..d2b0332756 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
@@ -92,16 +92,20 @@ redef record Info += { delay_tokens: set[string] &optional; }; -const ports = { +const ssl_ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp }; -redef likely_server_ports += { ports }; + +const dtls_ports = { 4433/udp }; + +redef likely_server_ports += { ssl_ports, dtls_ports }; event bro_init() &priority=5 { Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); - Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports); } function set_session(c: connection) diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index 2591c5dfec..fab0d30f07 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -4,7 +4,13 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro SSL) -bro_plugin_cc(SSL.cc Plugin.cc) +bro_plugin_cc(SSL.cc Plugin_SSL.cc) bro_plugin_bif(events.bif) -bro_plugin_pac(ssl.pac ssl-analyzer.pac ssl-protocol.pac ssl-defs.pac) +bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac) +bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac) +bro_plugin_end() + +bro_plugin_begin(Bro DTLS) +bro_plugin_cc(DTLS.cc Plugin_DTLS.cc) +bro_plugin_pac(dtls.pac ssl-dtls-analyzer.pac dtls-analyzer.pac ssl-dtls-protocol.pac dtls-protocol.pac ssl-defs.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/ssl/DTLS.cc b/src/analyzer/protocol/ssl/DTLS.cc new file mode 100644 index 0000000000..7c49dba439 --- /dev/null +++ b/src/analyzer/protocol/ssl/DTLS.cc 
@@ -0,0 +1,32 @@
+
+#include "DTLS.h"
+#include "Reporter.h"
+#include "util.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::dtls;
+
+DTLS_Analyzer::DTLS_Analyzer(Connection* c)
+: analyzer::Analyzer("DTLS", c)
+ {
+ interp = new binpac::DTLS::SSL_Conn(this);
+ fprintf(stderr, "Instantiated :)\n");
+ }
+
+DTLS_Analyzer::~DTLS_Analyzer()
+ {
+ delete interp;
+ }
+
+void DTLS_Analyzer::Done()
+ {
+ Analyzer::Done();
+ }
+
+void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
+ {
+ Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+ fprintf(stderr, "Delivered packet :)\n");
+ interp->NewData(orig, data, data + len);
+ }
diff --git a/src/analyzer/protocol/ssl/DTLS.h b/src/analyzer/protocol/ssl/DTLS.h
new file mode 100644
index 0000000000..c45a311c8c
--- /dev/null
+++ b/src/analyzer/protocol/ssl/DTLS.h
@@ -0,0 +1,31 @@
+#ifndef ANALYZER_PROTOCOL_SSL_DTLS_H
+#define ANALYZER_PROTOCOL_SSL_DTLS_H
+
+#include "events.bif.h"
+
+#include "analyzer/protocol/udp/UDP.h"
+#include "dtls_pac.h"
+
+namespace analyzer { namespace dtls {
+
+class DTLS_Analyzer : public analyzer::Analyzer {
+public:
+ DTLS_Analyzer(Connection* conn);
+ virtual ~DTLS_Analyzer();
+
+ // Overriden from Analyzer.
+ virtual void Done();
+ virtual void DeliverPacket(int len, const u_char* data, bool orig,
+ uint64 seq, const IP_Hdr* ip, int caplen);
+
+
+ static analyzer::Analyzer* Instantiate(Connection* conn)
+ { return new DTLS_Analyzer(conn); }
+
+protected:
+ binpac::DTLS::SSL_Conn* interp;
+};
+
+} } // namespace analyzer::*
+
+#endif
diff --git a/src/analyzer/protocol/ssl/Plugin_DTLS.cc b/src/analyzer/protocol/ssl/Plugin_DTLS.cc
new file mode 100644
index 0000000000..6820816e31
--- /dev/null
+++ b/src/analyzer/protocol/ssl/Plugin_DTLS.cc
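Review bot: `interp->NewData(orig, data, data + len)` in DTLS_Analyzer::DeliverPacket runs with no handler for `binpac::Exception`, so a malformed datagram would unwind straight out of the analyzer; SSL_Analyzer::SendHandshake in this same commit wraps its `NewData` call in a try/catch and reports a ProtocolViolation, and DeliverPacket should do the same. The `fprintf(stderr, ...)` calls in the constructor and in DeliverPacket write one line per received packet to stderr, driven entirely by traffic; the same debugging prints appear in SSL_Analyzer::SendHandshake (SSL.cc) and in proc_dtls (dtls-protocol.pac), and all of them look like leftovers that should be removed or put behind the debug facility before merge. A rewritten DeliverPacket follows.
```cpp
void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
	{
	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

	try
		{
		interp->NewData(orig, data, data + len);
		}
	catch ( const binpac::Exception& e )
		{
		// Parse failures on attacker-controlled input must not escape the analyzer.
		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
		}
	}
```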
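Review bot: DTLS.h includes the generated `dtls_pac.h` only to declare the `interp` member, while SSL.h in this same commit replaces its `#include "ssl_pac.h"` with a forward declaration so the binpac-generated header is pulled in by SSL.cc alone. The same pattern fits here: `namespace binpac { namespace DTLS { class SSL_Conn; } }` in DTLS.h, with `#include "dtls_pac.h"` moved to DTLS.cc. Nothing visible in the header uses `analyzer/protocol/udp/UDP.h` either, since the class derives from `analyzer::Analyzer` directly; if it is not needed by DTLS.cc it can go. The `// Overriden from Analyzer.` comment is also misspelled (Overridden), copied from SSL.h.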
@@ -0,0 +1,26 @@ +// See the file in the main distribution directory for copyright. + + +#include "plugin/Plugin.h" + +#include "DTLS.h" + +namespace plugin { +namespace Bro_DTLS { + +class Plugin : public plugin::Plugin { +public: + plugin::Configuration Configure() + { + AddComponent(new ::analyzer::Component("DTLS", ::analyzer::dtls::DTLS_Analyzer::Instantiate)); + + plugin::Configuration config; + config.name = "Bro::DTLS"; + config.description = "DTLS analyzer"; + return config; + } +} plugin; + +} +} + diff --git a/src/analyzer/protocol/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin_SSL.cc similarity index 100% rename from src/analyzer/protocol/ssl/Plugin.cc rename to src/analyzer/protocol/ssl/Plugin_SSL.cc diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc index 5e5d24888a..a26807c14b 100644 --- a/src/analyzer/protocol/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -5,6 +5,8 @@ #include "util.h" #include "events.bif.h" +#include "ssl_pac.h" +#include "tls-handshake_pac.h" using namespace analyzer::ssl; @@ -12,12 +14,14 @@ SSL_Analyzer::SSL_Analyzer(Connection* c) : tcp::TCP_ApplicationAnalyzer("SSL", c) { interp = new binpac::SSL::SSL_Conn(this); + handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this); had_gap = false; } SSL_Analyzer::~SSL_Analyzer() { delete interp; + delete handshake_interp; } void SSL_Analyzer::Done() 
@@ -57,6 +61,21 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } } +void SSL_Analyzer::SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig) + { + handshake_interp->set_msg_type(msg_type); + handshake_interp->set_msg_length(length); + try + { + handshake_interp->NewData(orig, begin, end); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + fprintf(stderr, "Handshake exception: %s\n", e.c_msg()); + } + } + void SSL_Analyzer::Undelivered(uint64 seq, int len, bool orig) { tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h index 5ef09aa147..a17611846c 100644 --- a/src/analyzer/protocol/ssl/SSL.h +++ b/src/analyzer/protocol/ssl/SSL.h @@ -4,7 +4,10 @@ #include "events.bif.h" #include "analyzer/protocol/tcp/TCP.h" -#include "ssl_pac.h" + +namespace binpac { namespace SSL { class SSL_Conn; } } + +namespace binpac { namespace TLSHandshake { class Handshake_Conn; } } namespace analyzer { namespace ssl { @@ -18,6 +21,8 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void Undelivered(uint64 seq, int len, bool orig); + void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig); + // Overriden from tcp::TCP_ApplicationAnalyzer. virtual void EndpointEOF(bool is_orig); @@ -26,6 +31,7 @@ public: protected: binpac::SSL::SSL_Conn* interp; + binpac::TLSHandshake::Handshake_Conn* handshake_interp; bool had_gap; }; diff --git a/src/analyzer/protocol/ssl/dtls-analyzer.pac b/src/analyzer/protocol/ssl/dtls-analyzer.pac new file mode 100644 index 0000000000..139597f9cb --- /dev/null +++ b/src/analyzer/protocol/ssl/dtls-analyzer.pac @@ -0,0 +1,2 @@ + + 
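Review bot: After the `catch` in SSL_Analyzer::SendHandshake reports the ProtocolViolation, `handshake_interp` is left in whatever state the failed `NewData` produced and the next handshake record is fed to it as if nothing happened, and the analyzer keeps parsing; by contrast the version-check failures in proc_client_hello/proc_server_hello call `bro_analyzer()->SetSkip(true)`. Either add `SetSkip(true);` after the violation or document why continuing to parse through the same interpreter is safe here. The new declaration in SSL.h also has no comment; from the caller in ssl-analyzer.pac it looks like the record layer has already parsed the type and length, so something like `// Hands one handshake message (msg_type/length taken from the record layer) to the TLS handshake parser.` would help the next reader.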
diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac
new file mode 100644
index 0000000000..94cddf9cbc
--- /dev/null
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
@@ -0,0 +1,40 @@
+
+######################################################################
+# initial datatype for binpac
+######################################################################
+
+type DTLSPDU(is_orig: bool) = record {
+ records: SSLRecord(is_orig)[] &transient;
+};
+
+type SSLRecord(is_orig: bool) = record {
+ content_type: uint8;
+ version: uint16;
+ epoch: uint16;
+ sequence_number: uint48;
+ length: uint16;
+ rec: PlaintextRecord(this)[] &length=length;
+# data: bytestring &restofdata &transient;
+} &byteorder = bigendian,
+ &let {
+ parse : bool = $context.connection.proc_dtls(this, to_int()(sequence_number));
+};
+
+type Handshake(rec: SSLRecord) = record {
+ msg_type: uint8;
+ length: uint24;
+ message_seq: uint16;
+ fragment_offset: uint24;
+ fragment_length: uint24;
+}
+
+refine connection SSL_Conn += {
+
+ function proc_dtls(pdu: SSLRecord, sequence: uint64): bool
+ %{
+ fprintf(stderr, "Type: %d, sequence number: %d, epoch: %d\n", ${pdu.content_type}, sequence, ${pdu.epoch});
+
+ return true;
+ %}
+
+};
diff --git a/src/analyzer/protocol/ssl/dtls.pac b/src/analyzer/protocol/ssl/dtls.pac
new file mode 100644
index 0000000000..50424f0d8c
--- /dev/null
+++ b/src/analyzer/protocol/ssl/dtls.pac
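Review bot: The format string in proc_dtls uses `%d` for `sequence`, which the function declares as `uint64`; that is a format/argument mismatch (undefined behaviour, and garbled output on 64-bit ABIs), so if the print stays it needs a 64-bit conversion such as `%" PRIu64 "` or an explicit cast. The `Handshake` record ends with a bare `}` where every other type declaration in this file ends with `};`; the DTLS pac set is compiled by the CMakeLists change, so confirm binpac accepts that. `sequence_number: uint48` and the `to_int()(sequence_number)` in the `&let` also rely on a uint48 type and a matching converter that are not defined here, presumably in ssl-dtls-protocol.pac; a short comment on the record naming where they come from would help, e.g. `# uint48 and its to_int() come from ssl-dtls-protocol.pac`.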
@@ -0,0 +1,30 @@
+# binpac file for SSL analyzer
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+#include "events.bif.h"
+%}
+
+analyzer DTLS withcontext {
+ connection: SSL_Conn;
+ flow: DTLS_Flow;
+};
+
+connection SSL_Conn(bro_analyzer: BroAnalyzer) {
+ upflow = DTLS_Flow(true);
+ downflow = DTLS_Flow(false);
+};
+
+%include ssl-dtls-protocol.pac
+%include dtls-protocol.pac
+
+flow DTLS_Flow(is_orig: bool) {
+# flowunit = SSLRecord(is_orig) withcontext(connection, this);
+ datagram = DTLSPDU(is_orig) withcontext(connection, this);
+}
+
+%include ssl-dtls-analyzer.pac
+%include dtls-analyzer.pac
+%include ssl-defs.pac
diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac
new file mode 100644
index 0000000000..c2353e3a88
--- /dev/null
+++ b/src/analyzer/protocol/ssl/proc-certificate.pac
@@ -0,0 +1,30 @@
+ function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool
+ %{
+ if ( certificates->size() == 0 )
+ return true;
+
+ ODesc common;
+ common.AddRaw("Analyzer::ANALYZER_SSL");
+ common.Add(bro_analyzer()->Conn()->StartTime());
+ common.AddRaw(is_orig ? "T" : "F", 1);
+ bro_analyzer()->Conn()->IDString(&common);
+
+ for ( unsigned int i = 0; i < certificates->size(); ++i )
+ {
+ const bytestring& cert = (*certificates)[i];
+
+ ODesc file_handle;
+ file_handle.Add(common.Description());
+ file_handle.Add(i);
+
+ string file_id = file_mgr->HashHandle(file_handle.Description());
+
+ file_mgr->DataIn(reinterpret_cast(cert.data()),
+ cert.length(), bro_analyzer()->GetAnalyzerTag(),
+ bro_analyzer()->Conn(), is_orig, file_id);
+ file_mgr->EndOfFile(file_id);
+ }
+ return true;
+ %}
+
+
diff --git a/src/analyzer/protocol/ssl/proc-client-hello.pac b/src/analyzer/protocol/ssl/proc-client-hello.pac
new file mode 100644
index 0000000000..601d0fce94
--- /dev/null
+++ b/src/analyzer/protocol/ssl/proc-client-hello.pac
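Review bot: The header comment `# binpac file for SSL analyzer` was carried over from ssl.pac, but this file declares `analyzer DTLS`; it should read `# binpac file for DTLS analyzer`. The connection is deliberately still named `SSL_Conn` here, presumably so the shared ssl-dtls-*.pac files can `refine connection SSL_Conn` for both analyzers; if that is the intent, a one-line comment above the `connection SSL_Conn(...)` declaration saying so would stop the next reader from "fixing" the name.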
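Review bot: proc_certificate builds the file handle from the literal `"Analyzer::ANALYZER_SSL"` while the `DataIn` call three lines lower takes the tag dynamically from `bro_analyzer()->GetAnalyzerTag()`; now that the function sits in its own file to be shared between the SSL and DTLS connections, a DTLS certificate would be attributed to the SSL analyzer in its file handle, so the literal should be derived from the analyzer's tag as well, or the file should state at the top that it is SSL-only. `certificates->size()` is also dereferenced without the null check that proc_client_hello applies to its array parameters; whether binpac can hand over a null array here is not visible from this file, so a comment on the parameter stating the assumption would be enough if it cannot.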
@@ -0,0 +1,42 @@
+ function proc_client_hello(
+ version : uint16, ts : double,
+ client_random : bytestring,
+ session_id : uint8[],
+ cipher_suites16 : uint16[],
+ cipher_suites24 : uint24[]) : bool
+ %{
+ if ( ! version_ok(version) )
+ {
+ bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version));
+ bro_analyzer()->SetSkip(true);
+ }
+ else
+ bro_analyzer()->ProtocolConfirmation();
+
+ if ( ssl_client_hello )
+ {
+ vector* cipher_suites = new vector();
+ if ( cipher_suites16 )
+ std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(*cipher_suites));
+ else
+ std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*cipher_suites), to_int());
+
+ VectorVal* cipher_vec = new VectorVal(internal_type("index_vec")->AsVectorType());
+ for ( unsigned int i = 0; i < cipher_suites->size(); ++i )
+ {
+ Val* ciph = new Val((*cipher_suites)[i], TYPE_COUNT);
+ cipher_vec->Assign(i, ciph);
+ }
+
+ BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
+ version, ts, new StringVal(client_random.length(),
+ (const char*) client_random.data()),
+ to_string_val(session_id),
+ cipher_vec);
+
+ delete cipher_suites;
+ }
+
+ return true;
+ %}
+
diff --git a/src/analyzer/protocol/ssl/proc-server-hello.pac b/src/analyzer/protocol/ssl/proc-server-hello.pac
new file mode 100644
index 0000000000..2dfc940774
--- /dev/null
+++ b/src/analyzer/protocol/ssl/proc-server-hello.pac
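Review bot: The temporary `cipher_suites` vector in proc_client_hello is heap-allocated with `new` and released by the `delete` at the end of the branch, so anything that throws between the two (the `VectorVal`/`Val` construction or `generate_ssl_client_hello`) leaks it; a stack-local vector does the same job without the `delete`, and proc_server_hello in proc-server-hello.pac has the same pattern with `ciphers`. Both functions also dereference `cipher_suites24` in the `else` branch without the null check they apply to `cipher_suites16`; if binpac can pass both as null when no suite list was parsed, that is a null dereference on attacker-controlled input, and if it cannot, a comment on the parameters saying that exactly one is non-null would make the `else` safe to read.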
@@ -0,0 +1,36 @@
+ function proc_server_hello(
+ version : uint16, ts : double,
+ server_random : bytestring,
+ session_id : uint8[],
+ cipher_suites16 : uint16[],
+ cipher_suites24 : uint24[],
+ comp_method : uint8) : bool
+ %{
+ if ( ! version_ok(version) )
+ {
+ bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version));
+ bro_analyzer()->SetSkip(true);
+ }
+
+ if ( ssl_server_hello )
+ {
+ vector* ciphers = new vector();
+
+ if ( cipher_suites16 )
+ std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(*ciphers));
+ else
+ std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*ciphers), to_int());
+
+ BifEvent::generate_ssl_server_hello(bro_analyzer(),
+ bro_analyzer()->Conn(),
+ version, ts, new StringVal(server_random.length(),
+ (const char*) server_random.data()),
+ to_string_val(session_id),
+ ciphers->size()==0 ? 0 : ciphers->at(0), comp_method);
+
+ delete ciphers;
+ }
+
+ return true;
+ %}
+
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index c835fd6632..709e8c32b2 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -1,352 +1,19 @@ # Analyzer for SSL (Bro-specific part). -%extern{ -#include -#include -#include -#include - -#include "util.h" - -#include "file_analysis/Manager.h" -%} - - -%header{ - class extract_certs { - public: - bytestring const& operator() (X509Certificate* cert) const - { - return cert->certificate(); - } - }; - - string orig_label(bool is_orig); - string handshake_type_label(int type); - %} - -%code{ -string orig_label(bool is_orig) - { - return string(is_orig ? "originator" :"responder"); - } - - string handshake_type_label(int type) - { - switch ( type ) { - case HELLO_REQUEST: return string("HELLO_REQUEST"); - case CLIENT_HELLO: return string("CLIENT_HELLO"); - case SERVER_HELLO: return string("SERVER_HELLO"); - case SESSION_TICKET: return string("SESSION_TICKET"); - case CERTIFICATE: return string("CERTIFICATE"); - case SERVER_KEY_EXCHANGE: return string("SERVER_KEY_EXCHANGE"); - case CERTIFICATE_REQUEST: return string("CERTIFICATE_REQUEST"); - case SERVER_HELLO_DONE: return string("SERVER_HELLO_DONE"); - case CERTIFICATE_VERIFY: return string("CERTIFICATE_VERIFY"); - case CLIENT_KEY_EXCHANGE: return string("CLIENT_KEY_EXCHANGE"); - case FINISHED: return string("FINISHED"); - case CERTIFICATE_URL: return string("CERTIFICATE_URL"); - case CERTIFICATE_STATUS: return string("CERTIFICATE_STATUS"); - default: return string(fmt("UNKNOWN (%d)", type)); - } - } - -%} - - -function to_string_val(data : uint8[]) : StringVal - %{ - char tmp[32]; - memset(tmp, 0, sizeof(tmp)); - - // Just return an empty string if the string is longer than 32 bytes - if ( data && data->size() <= 32 ) - { - for ( unsigned int i = data->size(); i > 0; --i ) - tmp[i-1] = (*data)[i-1]; - } - - return new StringVal(32, tmp); - %} - -function version_ok(vers : uint16) : bool - %{ - switch ( vers ) { - case SSLv20: - case SSLv30: - case TLSv10: - case TLSv11: - case TLSv12: - return true; - - default: - return false; - } - %} - refine connection SSL_Conn += { - %member{ - int 
established_; - %} + %include proc-client-hello.pac + %include proc-server-hello.pac + %include proc-certificate.pac - %init{ - established_ = false; - %} - - %cleanup{ - %} - - function proc_alert(rec: SSLRecord, level : int, desc : int) : bool - %{ - BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(), - ${rec.is_orig}, level, desc); - return true; - %} - - function proc_client_hello(rec: SSLRecord, - version : uint16, ts : double, - client_random : bytestring, - session_id : uint8[], - cipher_suites16 : uint16[], - cipher_suites24 : uint24[]) : bool - %{ - if ( ! version_ok(version) ) - { - bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version)); - bro_analyzer()->SetSkip(true); - } - else - bro_analyzer()->ProtocolConfirmation(); - - if ( ssl_client_hello ) - { - vector* cipher_suites = new vector(); - if ( cipher_suites16 ) - std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(*cipher_suites)); - else - std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*cipher_suites), to_int()); - - VectorVal* cipher_vec = new VectorVal(internal_type("index_vec")->AsVectorType()); - for ( unsigned int i = 0; i < cipher_suites->size(); ++i ) - { - Val* ciph = new Val((*cipher_suites)[i], TYPE_COUNT); - cipher_vec->Assign(i, ciph); - } - - BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(), - version, ts, new StringVal(client_random.length(), - (const char*) client_random.data()), - to_string_val(session_id), - cipher_vec); - - delete cipher_suites; - } - - return true; - %} - - function proc_server_hello(rec: SSLRecord, - version : uint16, ts : double, - server_random : bytestring, - session_id : uint8[], - cipher_suites16 : uint16[], - cipher_suites24 : uint24[], - comp_method : uint8) : bool - %{ - if ( ! 
version_ok(version) ) - { - bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version)); - bro_analyzer()->SetSkip(true); - } - - if ( ssl_server_hello ) - { - vector* ciphers = new vector(); - - if ( cipher_suites16 ) - std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(*ciphers)); - else - std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*ciphers), to_int()); - - BifEvent::generate_ssl_server_hello(bro_analyzer(), - bro_analyzer()->Conn(), - version, ts, new StringVal(server_random.length(), - (const char*) server_random.data()), - to_string_val(session_id), - ciphers->size()==0 ? 0 : ciphers->at(0), comp_method); - - delete ciphers; - } - - return true; - %} - - function proc_session_ticket_handshake(rec: SessionTicketHandshake, is_orig: bool): bool - %{ - if ( ssl_session_ticket_handshake ) - { - BifEvent::generate_ssl_session_ticket_handshake(bro_analyzer(), - bro_analyzer()->Conn(), - ${rec.ticket_lifetime_hint}, - new StringVal(${rec.data}.length(), (const char*) ${rec.data}.data())); - } - return true; - %} - - function proc_ssl_extension(rec: SSLRecord, type: int, sourcedata: const_bytestring) : bool - %{ - // We cheat a little bit here. We want to throw this event - // for every extension we encounter, even those that are - // handled by more specialized events later. To access the - // parsed data, we use sourcedata, which contains the whole - // data blob of the extension, including headers. We skip - // over those (4 bytes). 
- size_t length = sourcedata.length(); - if ( length < 4 ) - { - // This should be impossible due to the binpac parser - // and protocol description - bro_analyzer()->ProtocolViolation(fmt("Impossible extension length: %zu", length)); - bro_analyzer()->SetSkip(true); - return true; - } - - length -= 4; - const unsigned char* data = sourcedata.begin() + 4; - - if ( ssl_extension ) - BifEvent::generate_ssl_extension(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, type, - new StringVal(length, reinterpret_cast(data))); - return true; - %} - - function proc_ec_point_formats(rec: SSLRecord, point_format_list: uint8[]) : bool - %{ - VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType()); - - if ( point_format_list ) - { - for ( unsigned int i = 0; i < point_format_list->size(); ++i ) - points->Assign(i, new Val((*point_format_list)[i], TYPE_COUNT)); - } - - BifEvent::generate_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(), - ${rec.is_orig}, points); - - return true; - %} - - function proc_elliptic_curves(rec: SSLRecord, list: uint16[]) : bool - %{ - VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType()); - - if ( list ) - { - for ( unsigned int i = 0; i < list->size(); ++i ) - curves->Assign(i, new Val((*list)[i], TYPE_COUNT)); - } - - BifEvent::generate_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(), - ${rec.is_orig}, curves); - - return true; - %} - - function proc_apnl(rec: SSLRecord, protocols: ProtocolName[]) : bool - %{ - VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType()); - - if ( protocols ) - { - for ( unsigned int i = 0; i < protocols->size(); ++i ) - plist->Assign(i, new StringVal((*protocols)[i]->name().length(), (const char*) (*protocols)[i]->name().data())); - } - - BifEvent::generate_ssl_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(), - ${rec.is_orig}, plist); - - return true; - %} - - 
function proc_server_name(rec: SSLRecord, list: ServerName[]) : bool - %{ - VectorVal* servers = new VectorVal(internal_type("string_vec")->AsVectorType()); - - if ( list ) - { - for ( unsigned int i = 0, j = 0; i < list->size(); ++i ) - { - ServerName* servername = (*list)[i]; - if ( servername->name_type() != 0 ) - { - bro_analyzer()->Weird(fmt("Encountered unknown type in server name ssl extension: %d", servername->name_type())); - continue; - } - - if ( servername->host_name() ) - servers->Assign(j++, new StringVal(servername->host_name()->host_name().length(), (const char*) servername->host_name()->host_name().data())); - else - bro_analyzer()->Weird("Empty server_name extension in ssl connection"); - } - } - - BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(), - ${rec.is_orig}, servers); - - return true; - %} - - function proc_certificate(rec: SSLRecord, certificates : bytestring[]) : bool - %{ - if ( certificates->size() == 0 ) - return true; - - ODesc common; - common.AddRaw("Analyzer::ANALYZER_SSL"); - common.Add(bro_analyzer()->Conn()->StartTime()); - common.AddRaw(${rec.is_orig} ? 
"T" : "F", 1); - bro_analyzer()->Conn()->IDString(&common); - - for ( unsigned int i = 0; i < certificates->size(); ++i ) - { - const bytestring& cert = (*certificates)[i]; - - ODesc file_handle; - file_handle.Add(common.Description()); - file_handle.Add(i); - - string file_id = file_mgr->HashHandle(file_handle.Description()); - - file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), ${rec.is_orig}, file_id); - file_mgr->EndOfFile(file_id); - } - return true; - %} - - function proc_v2_certificate(rec: SSLRecord, cert : bytestring) : bool + function proc_v2_certificate(is_orig: bool, cert : bytestring) : bool %{ vector* cert_list = new vector(1,cert); - bool ret = proc_certificate(rec, cert_list); + bool ret = proc_certificate(is_orig, cert_list); delete cert_list; return ret; %} - function proc_v3_certificate(rec: SSLRecord, cl : X509Certificate[]) : bool - %{ - vector* certs = cl; - vector* cert_list = new vector(); - - std::transform(certs->begin(), certs->end(), - std::back_inserter(*cert_list), extract_certs()); - - bool ret = proc_certificate(rec, cert_list); - delete cert_list; - return ret; - %} function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool %{ 
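Review bot: This hunk deletes `version_ok`, `to_string_val`, `extract_certs` and `proc_v3_certificate` from ssl-analyzer.pac, yet the proc-client-hello.pac and proc-server-hello.pac it now `%include`s still call `version_ok` and `to_string_val`, and the surviving `proc_v2_certificate` still calls `proc_certificate`; presumably the helpers moved to ssl-dtls-analyzer.pac, which is not in view, so it is worth confirming that both the SSL and the DTLS include chains (CMakeLists.txt compiles the shared pac files into both plugins) define them before these `%include`s are processed. The `%include` lines sit inside `refine connection SSL_Conn += {`, which is unusual enough to deserve a comment, e.g. `# Shared handlers live in their own files so the DTLS connection can splice in the same proc_* functions.` The enclosing `refine connection SSL_Conn += {` block continues past the end of this hunk.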
@@ -356,209 +23,40 @@ refine connection SSL_Conn += { return true; %} - function proc_unknown_handshake(hs: Handshake, is_orig: bool) : bool + function proc_handshake(rec: SSLRecord, msg_type: uint8, length: uint24, data: bytestring, is_orig: bool) : bool %{ - bro_analyzer()->ProtocolViolation(fmt("unknown handshake message (%d) from %s", - ${hs.msg_type}, orig_label(is_orig).c_str())); + fprintf(stderr, "Forwarding to Handshake analyzer: msg_type: %u, length: %u\n", msg_type, to_int()(length)); + fprintf(stderr, "%u\n", data.end() - data.begin()); + bro_analyzer()->SendHandshake(msg_type, to_int()(length), data.begin(), data.end(), is_orig); return true; %} - - function proc_unknown_record(rec: SSLRecord) : bool - %{ - bro_analyzer()->ProtocolViolation(fmt("unknown SSL record type (%d) from %s", - ${rec.content_type}, - orig_label(${rec.is_orig}).c_str())); - return true; - %} - - function proc_ciphertext_record(rec : SSLRecord) : bool - %{ - if ( client_state_ == STATE_ENCRYPTED && - server_state_ == STATE_ENCRYPTED && - established_ == false ) - { - established_ = true; - BifEvent::generate_ssl_established(bro_analyzer(), - bro_analyzer()->Conn()); - } - - BifEvent::generate_ssl_encrypted_data(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length}); - - return true; - %} - - function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool - %{ - BifEvent::generate_ssl_heartbeat(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, - new StringVal(data.length(), (const char*) data.data())); - return true; - %} - - function proc_check_v2_server_hello_version(version: uint16) : bool - %{ - if ( version != SSLv20 ) - { - bro_analyzer()->ProtocolViolation(fmt("Invalid version in SSL server hello. 
Version: %d", version)); - bro_analyzer()->SetSkip(true); - return false; - } - - return true; - %} - - function proc_certificate_status(rec : SSLRecord, status_type: uint8, response: bytestring) : bool - %{ - if ( status_type == 1 ) // ocsp - { - BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, - new StringVal(response.length(), - (const char*) response.data())); - } - - return true; - %} - - function proc_ec_server_key_exchange(rec: SSLRecord, curve_type: uint8, curve: uint16) : bool - %{ - if ( curve_type == NAMED_CURVE ) - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), curve); - - return true; - %} - - function proc_dh_server_key_exchange(rec: SSLRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool - %{ - BifEvent::generate_ssl_dh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), - new StringVal(p.length(), (const char*) p.data()), - new StringVal(g.length(), (const char*) g.data()), - new StringVal(Ys.length(), (const char*) Ys.data()) - ); - - return true; - %} - - function proc_ccs(rec: SSLRecord) : bool - %{ - BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}); - - return true; - %} - - function proc_handshake(rec: SSLRecord, msg_type: uint8, length: uint24) : bool - %{ - BifEvent::generate_ssl_handshake_message(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, msg_type, to_int()(length)); - - return true; - %} - }; -refine typeattr Alert += &let { - proc : bool = $context.connection.proc_alert(rec, level, description); -}; refine typeattr V2Error += &let { proc : bool = $context.connection.proc_alert(rec, -1, error_code); }; -refine typeattr Heartbeat += &let { - proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length, data); -}; - -refine typeattr ClientHello += &let { - proc : bool = $context.connection.proc_client_hello(rec, client_version, - gmt_unix_time, random_bytes, - session_id, 
csuits, 0); -}; refine typeattr V2ClientHello += &let { - proc : bool = $context.connection.proc_client_hello(rec, client_version, 0, + proc : bool = $context.connection.proc_client_hello(client_version, 0, challenge, session_id, 0, ciphers); }; -refine typeattr ServerHello += &let { - proc : bool = $context.connection.proc_server_hello(rec, server_version, - gmt_unix_time, random_bytes, session_id, cipher_suite, 0, - compression_method); -}; - refine typeattr V2ServerHello += &let { check_v2 : bool = $context.connection.proc_check_v2_server_hello_version(server_version); - proc : bool = $context.connection.proc_server_hello(rec, server_version, 0, + proc : bool = $context.connection.proc_server_hello(server_version, 0, conn_id_data, 0, 0, ciphers, 0) &requires(check_v2) &if(check_v2 == true); - cert : bool = $context.connection.proc_v2_certificate(rec, cert_data) + cert : bool = $context.connection.proc_v2_certificate(rec.is_orig, cert_data) &requires(proc) &requires(check_v2) &if(check_v2 == true); }; -refine typeattr Certificate += &let { - proc : bool = $context.connection.proc_v3_certificate(rec, certificates); -}; - refine typeattr V2ClientMasterKey += &let { proc : bool = $context.connection.proc_v2_client_master_key(rec, cipher_kind); }; -refine typeattr UnknownHandshake += &let { - proc : bool = $context.connection.proc_unknown_handshake(hs, is_orig); -}; - -refine typeattr SessionTicketHandshake += &let { - proc : bool = $context.connection.proc_session_ticket_handshake(this, rec.is_orig); -} - -refine typeattr UnknownRecord += &let { - proc : bool = $context.connection.proc_unknown_record(rec); -}; - -refine typeattr CiphertextRecord += &let { - proc : bool = $context.connection.proc_ciphertext_record(rec); -} - -refine typeattr SSLExtension += &let { - proc : bool = $context.connection.proc_ssl_extension(rec, type, sourcedata); -}; - -refine typeattr EcPointFormats += &let { - proc : bool = $context.connection.proc_ec_point_formats(rec, 
point_format_list); -}; - -refine typeattr EllipticCurves += &let { - proc : bool = $context.connection.proc_elliptic_curves(rec, elliptic_curve_list); -}; - -refine typeattr ApplicationLayerProtocolNegotiationExtension += &let { - proc : bool = $context.connection.proc_apnl(rec, protocol_name_list); -}; - -refine typeattr ServerNameExt += &let { - proc : bool = $context.connection.proc_server_name(rec, server_names); -}; - -refine typeattr CertificateStatus += &let { - proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); -}; - -refine typeattr EcServerKeyExchange += &let { - proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve); -}; - -refine typeattr DhServerKeyExchange += &let { - proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys); -}; - -refine typeattr ChangeCipherSpec += &let { - proc : bool = $context.connection.proc_ccs(rec); -}; - refine typeattr Handshake += &let { - proc : bool = $context.connection.proc_handshake(rec, msg_type, length); + proc : bool = $context.connection.proc_handshake(rec, msg_type, length, data, rec.is_orig); }; diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac index 29eb1d1fb9..c29bbcbabe 100644 --- a/src/analyzer/protocol/ssl/ssl-defs.pac +++ b/src/analyzer/protocol/ssl/ssl-defs.pac 
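Review bot: The new `proc_handshake` leaves two `fprintf(stderr, ...)` debugging statements in a path that runs once per handshake message, and their format strings do not match the argument types: `to_int()(length)` returns `int` (per the `to_int` class in ssl-defs.pac) and `data.end() - data.begin()` is a pointer difference, yet both are printed with `%u`. Drop both lines, or route them through the analyzer's debug logging, so a production run does not write to stderr for every handshake message on every TLS connection. With `is_orig` now passed explicitly, the `rec` parameter of `proc_handshake` appears unused; either drop it or read `${rec.is_orig}` as the sibling functions in this hunk do. `proc_v2_certificate` now calls `proc_certificate(is_orig, cert_list)` while this file's definition of `proc_certificate` is removed in the preceding hunk; I assume it moves to a new handshake analyzer, but that definition is not visible here.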
@@ -1,5 +1,84 @@ # Some common definitions for the SSL and SSL record-layer analyzers. +type uint24 = record { + byte1 : uint8; + byte2 : uint8; + byte3 : uint8; +}; + +type uint48 = record { + byte1 : uint8; + byte2 : uint8; + byte3 : uint8; + byte4 : uint8; + byte5 : uint8; + byte6 : uint8; +}; + + +%header{ + string orig_label(bool is_orig); + %} + + +%code{ +string orig_label(bool is_orig) + { + return string(is_orig ? "originator" :"responder"); + } +%} + +%header{ + class to_int { + public: + int operator()(uint24 * num) const + { + return (num->byte1() << 16) | (num->byte2() << 8) | num->byte3(); + } + + uint64 operator()(uint48 * num) const + { + return ((uint64)num->byte1() << 40) | ((uint64)num->byte2() << 32) | ((uint64)num->byte3() << 24) | + ((uint64)num->byte4() << 16) | ((uint64)num->byte5() << 8) | (uint64)num->byte6(); + } + }; + + string state_label(int state_nr); +%} + +extern type to_int; + +function to_string_val(data : uint8[]) : StringVal + %{ + char tmp[32]; + memset(tmp, 0, sizeof(tmp)); + + // Just return an empty string if the string is longer than 32 bytes + if ( data && data->size() <= 32 ) + { + for ( unsigned int i = data->size(); i > 0; --i ) + tmp[i-1] = (*data)[i-1]; + } + + return new StringVal(32, tmp); + %} + +function version_ok(vers : uint16) : bool + %{ + switch ( vers ) { + case SSLv20: + case SSLv30: + case TLSv10: + case TLSv11: + case TLSv12: + return true; + + default: + return false; + } + %} + + %extern{ #include using std::string; diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac new file mode 100644 index 0000000000..0e8418644e --- /dev/null +++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac 
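Review bot: The comment in `to_string_val` says it returns an empty string for inputs longer than 32 bytes, but the function always returns `new StringVal(32, tmp)`: an over-long input yields 32 NUL bytes and a shorter input is zero-padded to 32, so a script-level consumer cannot tell a 16-byte value from the same value with 16 trailing zeros. If that padding is intended, state it: `// Inputs longer than 32 bytes yield 32 NUL bytes; shorter inputs are zero-padded to 32.` Otherwise return the real length with `return new StringVal(data && data->size() <= 32 ? data->size() : 0, tmp);` and keep the bounded copy as it is. The `data->size() <= 32` guard is what keeps the copy inside `tmp`, so it must stay in front of the loop if the function is reworked.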
@@ -0,0 +1,106 @@ + +%extern{ +#include +#include +#include +#include + +#include "util.h" + +#include "file_analysis/Manager.h" +%} + +refine connection SSL_Conn += { + + %member{ + int established_; + %} + + %init{ + established_ = false; + %} + + %cleanup{ + %} + + function proc_alert(rec: SSLRecord, level : int, desc : int) : bool + %{ + BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, level, desc); + return true; + %} + function proc_unknown_record(rec: SSLRecord) : bool + %{ + bro_analyzer()->ProtocolViolation(fmt("unknown SSL record type (%d) from %s", + ${rec.content_type}, + orig_label(${rec.is_orig}).c_str())); + return true; + %} + + function proc_ciphertext_record(rec : SSLRecord) : bool + %{ + if ( client_state_ == STATE_ENCRYPTED && + server_state_ == STATE_ENCRYPTED && + established_ == false ) + { + established_ = true; + BifEvent::generate_ssl_established(bro_analyzer(), + bro_analyzer()->Conn()); + } + + BifEvent::generate_ssl_encrypted_data(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length}); + + return true; + %} + + function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool + %{ + BifEvent::generate_ssl_heartbeat(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, + new StringVal(data.length(), (const char*) data.data())); + return true; + %} + + function proc_check_v2_server_hello_version(version: uint16) : bool + %{ + if ( version != SSLv20 ) + { + bro_analyzer()->ProtocolViolation(fmt("Invalid version in SSL server hello. 
Version: %d", version)); + bro_analyzer()->SetSkip(true); + return false; + } + + return true; + %} + + + function proc_ccs(rec: SSLRecord) : bool + %{ + BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}); + + return true; + %} + +}; + +refine typeattr Alert += &let { + proc : bool = $context.connection.proc_alert(rec, level, description); +}; + +refine typeattr Heartbeat += &let { + proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length, data); +}; + +refine typeattr UnknownRecord += &let { + proc : bool = $context.connection.proc_unknown_record(rec); +}; + +refine typeattr CiphertextRecord += &let { + proc : bool = $context.connection.proc_ciphertext_record(rec); +} + +refine typeattr ChangeCipherSpec += &let { + proc : bool = $context.connection.proc_ccs(rec); +}; diff --git a/src/analyzer/protocol/ssl/ssl-dtls-protocol.pac b/src/analyzer/protocol/ssl/ssl-dtls-protocol.pac new file mode 100644 index 0000000000..c3277d150e --- /dev/null +++ b/src/analyzer/protocol/ssl/ssl-dtls-protocol.pac 
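Review bot: `proc_check_v2_server_hello_version` is SSLv2-specific (it compares against `SSLv20`, and the only caller visible in this diff is the `V2ServerHello` refine that stays in ssl-analyzer.pac), yet this hunk places it in the shared ssl-dtls-analyzer.pac, where DTLS, which has no SSLv2 counterpart, will also carry it. Keeping it next to its caller in ssl-analyzer.pac would make the SSL/DTLS split easier to follow. Separately, `established_` is declared `int` in the `%member` block but is assigned `false` and compared with `== false` in `proc_ciphertext_record`; `bool established_;` states the intent. The `file_analysis/Manager.h` include appears to have no remaining user in this file now that certificate handling is gone, though that cannot be confirmed from this hunk alone.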
@@ -0,0 +1,134 @@ + +###################################################################### +# General definitions +###################################################################### + +type PlaintextRecord(rec: SSLRecord) = case rec.content_type of { + CHANGE_CIPHER_SPEC -> ch_cipher : ChangeCipherSpec(rec); + ALERT -> alert : Alert(rec); + HEARTBEAT -> heartbeat: Heartbeat(rec); + APPLICATION_DATA -> app_data : ApplicationData(rec); + default -> unknown_record : UnknownRecord(rec); +}; + + +###################################################################### +# Encryption Tracking +###################################################################### + +enum AnalyzerState { + STATE_CLEAR, + STATE_ENCRYPTED +}; + +%code{ + string state_label(int state_nr) + { + switch ( state_nr ) { + case STATE_CLEAR: + return string("CLEAR"); + + case STATE_ENCRYPTED: + return string("ENCRYPTED"); + + default: + return string(fmt("UNKNOWN (%d)", state_nr)); + } + } +%} + +###################################################################### +# Change Cipher Spec Protocol (7.1.) +###################################################################### + +type ChangeCipherSpec(rec: SSLRecord) = record { + type : uint8; +} &length = 1, &let { + state_changed : bool = + $context.connection.startEncryption(rec.is_orig); +}; + + +###################################################################### +# Alert Protocol (7.2.) +###################################################################### + +type Alert(rec: SSLRecord) = record { + level : uint8; + description: uint8; +}; + + +###################################################################### +# V3 Application Data +###################################################################### + +# Application data should always be encrypted, so we should not +# reach this point. 
+type ApplicationData(rec: SSLRecord) = record { + data : bytestring &restofdata &transient; +}; + +###################################################################### +# V3 Heartbeat +###################################################################### + +type Heartbeat(rec: SSLRecord) = record { + type : uint8; + payload_length : uint16; + data : bytestring &restofdata; +}; + + + +###################################################################### +# Fragmentation (6.2.1.) +###################################################################### + +type UnknownRecord(rec: SSLRecord) = record { + cont : bytestring &restofdata &transient; +}; + +type CiphertextRecord(rec: SSLRecord) = record { + cont : bytestring &restofdata &transient; +}; + +###################################################################### +# binpac analyzer for SSL including +###################################################################### + +refine connection SSL_Conn += { + + %member{ + int client_state_; + int server_state_; + int record_layer_version_; + %} + + %init{ + server_state_ = STATE_CLEAR; + client_state_ = STATE_CLEAR; + record_layer_version_ = UNKNOWN_VERSION; + %} + + function client_state() : int %{ return client_state_; %} + + function server_state() : int %{ return client_state_; %} + + function state(is_orig: bool) : int + %{ + if ( is_orig ) + return client_state_; + else + return server_state_; + %} + + function startEncryption(is_orig: bool) : bool + %{ + if ( is_orig ) + client_state_ = STATE_ENCRYPTED; + else + server_state_ = STATE_ENCRYPTED; + return true; + %} +}; diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index cb794bd8a4..d5628e9cc7 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac 
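Review bot: `server_state()` returns `client_state_` instead of `server_state_`, so a caller asking for the responder's encryption state gets the originator's; the line should read `function server_state() : int %{ return server_state_; %}`. `state(is_orig)` in the same refine block does use `server_state_` for the responder, which makes the slip in `server_state()` easy to miss. `record_layer_version_` is initialised to `UNKNOWN_VERSION` here but nothing in this hunk reads or writes it; if it is used from the SSL-specific file, a one-line comment on the member saying so would help.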
@@ -2,30 +2,6 @@ # To be used in conjunction with an SSL record-layer analyzer. # Separation is necessary due to possible fragmentation of SSL records. -###################################################################### -# General definitions -###################################################################### - -type uint24 = record { - byte1 : uint8; - byte2 : uint8; - byte3 : uint8; -}; - -%header{ - class to_int { - public: - int operator()(uint24 * num) const - { - return (num->byte1() << 16) | (num->byte2() << 8) | num->byte3(); - } - }; - - string state_label(int state_nr); -%} - -extern type to_int; - type SSLRecord(is_orig: bool) = record { head0 : uint8; head1 : uint8; 
@@ -58,161 +34,20 @@ type RecordText(rec: SSLRecord) = case $context.connection.state(rec.is_orig) of -> plaintext : PlaintextRecord(rec); }; -type PlaintextRecord(rec: SSLRecord) = case rec.content_type of { - CHANGE_CIPHER_SPEC -> ch_cipher : ChangeCipherSpec(rec); - ALERT -> alert : Alert(rec); +refine casetype PlaintextRecord += { HANDSHAKE -> handshake : Handshake(rec); - HEARTBEAT -> heartbeat: Heartbeat(rec); - APPLICATION_DATA -> app_data : ApplicationData(rec); V2_ERROR -> v2_error : V2Error(rec); V2_CLIENT_HELLO -> v2_client_hello : V2ClientHello(rec); V2_CLIENT_MASTER_KEY -> v2_client_master_key : V2ClientMasterKey(rec); V2_SERVER_HELLO -> v2_server_hello : V2ServerHello(rec); - default -> unknown_record : UnknownRecord(rec); }; -###################################################################### -# TLS Extensions -###################################################################### - -type SSLExtension(rec: SSLRecord) = record { - type: uint16; - data_len: uint16; - - # Pretty code ahead. Deal with the fact that perhaps extensions are - # not really present and we do not want to fail because of that. 
- ext: case type of { - EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION -> apnl: ApplicationLayerProtocolNegotiationExtension(rec)[] &until($element == 0 || $element != 0); - EXT_ELLIPTIC_CURVES -> elliptic_curves: EllipticCurves(rec)[] &until($element == 0 || $element != 0); - EXT_EC_POINT_FORMATS -> ec_point_formats: EcPointFormats(rec)[] &until($element == 0 || $element != 0); -# EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0); - EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0); - default -> data: bytestring &restofdata; - }; -} &length=data_len+4 &exportsourcedata; - -type ServerNameHostName() = record { - length: uint16; - host_name: bytestring &length=length; +type Handshake(rec: SSLRecord) = record { + msg_type: uint8; + length: uint24; + data: bytestring &length=to_int()(length); }; -type ServerName() = record { - name_type: uint8; # has to be 0 for host-name - name: case name_type of { - 0 -> host_name: ServerNameHostName; - default -> data : bytestring &restofdata &transient; # unknown name - }; -}; - -type ServerNameExt(rec: SSLRecord) = record { - length: uint16; - server_names: ServerName[] &until($input.length() == 0); -} &length=length+2; - -# Do not parse for now. Structure is correct, but only contains asn.1 data that we would not use further. 
-#type OcspStatusRequest(rec: SSLRecord) = record { -# responder_id_list_length: uint16; -# responder_id_list: bytestring &length=responder_id_list_length; -# request_extensions_length: uint16; -# request_extensions: bytestring &length=request_extensions_length; -#}; -# -#type StatusRequest(rec: SSLRecord) = record { -# status_type: uint8; # 1 -> ocsp -# req: case status_type of { -# 1 -> ocsp_status_request: OcspStatusRequest(rec); -# default -> data : bytestring &restofdata &transient; # unknown -# }; -#}; - -type EcPointFormats(rec: SSLRecord) = record { - length: uint8; - point_format_list: uint8[length]; -}; - -type EllipticCurves(rec: SSLRecord) = record { - length: uint16; - elliptic_curve_list: uint16[length/2]; -}; - -type ProtocolName() = record { - length: uint8; - name: bytestring &length=length; -}; - -type ApplicationLayerProtocolNegotiationExtension(rec: SSLRecord) = record { - length: uint16; - protocol_name_list: ProtocolName[] &until($input.length() == 0); -} &length=length+2; - -###################################################################### -# Encryption Tracking -###################################################################### - -enum AnalyzerState { - STATE_CLEAR, - STATE_ENCRYPTED -}; - -%code{ - string state_label(int state_nr) - { - switch ( state_nr ) { - case STATE_CLEAR: - return string("CLEAR"); - - case STATE_ENCRYPTED: - return string("ENCRYPTED"); - - default: - return string(fmt("UNKNOWN (%d)", state_nr)); - } - } -%} - -###################################################################### -# SSLv3 Handshake Protocols (7.) 
-###################################################################### - -enum HandshakeType { - HELLO_REQUEST = 0, - CLIENT_HELLO = 1, - SERVER_HELLO = 2, - SESSION_TICKET = 4, # RFC 5077 - CERTIFICATE = 11, - SERVER_KEY_EXCHANGE = 12, - CERTIFICATE_REQUEST = 13, - SERVER_HELLO_DONE = 14, - CERTIFICATE_VERIFY = 15, - CLIENT_KEY_EXCHANGE = 16, - FINISHED = 20, - CERTIFICATE_URL = 21, # RFC 3546 - CERTIFICATE_STATUS = 22, # RFC 3546 -}; - - -###################################################################### -# V3 Change Cipher Spec Protocol (7.1.) -###################################################################### - -type ChangeCipherSpec(rec: SSLRecord) = record { - type : uint8; -} &length = 1, &let { - state_changed : bool = - $context.connection.startEncryption(rec.is_orig); -}; - - -###################################################################### -# V3 Alert Protocol (7.2.) -###################################################################### - -type Alert(rec: SSLRecord) = record { - level : uint8; - description: uint8; -}; - - ###################################################################### # V2 Error Records (SSLv2 2.7.) ###################################################################### 
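Review bot: The new `Handshake` type parses `data: bytestring &length=to_int()(length)` inside a single SSLRecord, so a handshake message fragmented across records (large Certificate messages routinely are) would run past the enclosing record and, as far as I can tell from this hunk, fail to parse rather than reach `SendHandshake` in pieces. If the record layer does not reassemble before `Handshake` is instantiated, consider parsing the body as `&restofdata` and letting the receiving handshake analyzer reassemble, or at least document the assumption with `# assumes one handshake message per record; fragments are not reassembled here`. The `refine casetype PlaintextRecord` keeps the V2 arms but drops the `default -> unknown_record` arm; the base definition in ssl-dtls-protocol.pac still carries it, so this is fine provided binpac merges the arms as expected.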
@@ -224,53 +59,6 @@ type V2Error(rec: SSLRecord) = record { }; -###################################################################### -# V3 Application Data -###################################################################### - -# Application data should always be encrypted, so we should not -# reach this point. -type ApplicationData(rec: SSLRecord) = record { - data : bytestring &restofdata &transient; -}; - -###################################################################### -# V3 Heartbeat -###################################################################### - -type Heartbeat(rec: SSLRecord) = record { - type : uint8; - payload_length : uint16; - data : bytestring &restofdata; -}; - -###################################################################### -# V3 Hello Request (7.4.1.1.) -###################################################################### - -# Hello Request is empty -type HelloRequest(rec: SSLRecord) = empty; - - -###################################################################### -# V3 Client Hello (7.4.1.2.) -###################################################################### - -type ClientHello(rec: SSLRecord) = record { - client_version : uint16; - gmt_unix_time : uint32; - random_bytes : bytestring &length = 28; - session_len : uint8; - session_id : uint8[session_len]; - csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0); - csuits : uint16[csuit_len/2]; - cmeth_len : uint8 &check(cmeth_len > 0); - cmeths : uint8[cmeth_len]; - # This weirdness is to deal with the possible existence or absence - # of the following fields. - ext_len: uint16[] &until($element == 0 || $element != 0); - extensions : SSLExtension(rec)[] &until($input.length() == 0); -}; ###################################################################### # V2 Client Hello (SSLv2 2.5.) 
@@ -288,26 +76,6 @@ type V2ClientHello(rec: SSLRecord) = record { }; -###################################################################### -# V3 Server Hello (7.4.1.3.) -###################################################################### - -type ServerHello(rec: SSLRecord) = record { - server_version : uint16; - gmt_unix_time : uint32; - random_bytes : bytestring &length = 28; - session_len : uint8; - session_id : uint8[session_len]; - cipher_suite : uint16[1]; - compression_method : uint8; - # This weirdness is to deal with the possible existence or absence - # of the following fields. - ext_len: uint16[] &until($element == 0 || $element != 0); - extensions : SSLExtension(rec)[] &until($input.length() == 0); -} &let { - cipher_set : bool = - $context.connection.set_cipher(cipher_suite[0]); -}; ###################################################################### # V2 Server Hello (SSLv2 2.6.) 
@@ -329,298 +97,6 @@ type V2ServerHello(rec: SSLRecord) = record { }; -###################################################################### -# V3 Server Certificate (7.4.2.) -###################################################################### - -type X509Certificate = record { - length : uint24; - certificate : bytestring &length = to_int()(length); -}; - -type Certificate(rec: SSLRecord) = record { - length : uint24; - certificates : X509Certificate[] &until($input.length() == 0); -} &length = to_int()(length)+3; - -# OCSP Stapling - -type CertificateStatus(rec: SSLRecord) = record { - status_type: uint8; # 1 = ocsp, everything else is undefined - length : uint24; - response: bytestring &restofdata; -}; - -###################################################################### -# V3 Server Key Exchange Message (7.4.3.) -###################################################################### - -# Usually, the server key exchange does not contain any information -# that we are interested in. -# -# The exception is when we are using an ECDHE, DHE or DH-Anon suite. -# In this case, we can extract information about the chosen cipher from -# here. 
-type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher() of { - TLS_ECDH_ECDSA_WITH_NULL_SHA, - TLS_ECDH_ECDSA_WITH_RC4_128_SHA, - TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - TLS_ECDHE_ECDSA_WITH_NULL_SHA, - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, - TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - TLS_ECDH_RSA_WITH_NULL_SHA, - TLS_ECDH_RSA_WITH_RC4_128_SHA, - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, - TLS_ECDHE_RSA_WITH_NULL_SHA, - TLS_ECDHE_RSA_WITH_RC4_128_SHA, - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - TLS_ECDH_ANON_WITH_NULL_SHA, - TLS_ECDH_ANON_WITH_RC4_128_SHA, - TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA, - TLS_ECDH_ANON_WITH_AES_128_CBC_SHA, - TLS_ECDH_ANON_WITH_AES_256_CBC_SHA, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, - TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, - TLS_ECDHE_PSK_WITH_RC4_128_SHA, - TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, - TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, - TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, - TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, - TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, - TLS_ECDHE_PSK_WITH_NULL_SHA, - TLS_ECDHE_PSK_WITH_NULL_SHA256, - TLS_ECDHE_PSK_WITH_NULL_SHA384, - 
TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, - TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, - TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256, - TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384, - TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, - TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, - TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256, - TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384, - TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, - TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, - TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256, - TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384, - TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, - TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, - TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256, - TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384, - TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, - TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384, - TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, - TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, - TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, - TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, - TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, - TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, - TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, - TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, - TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256, - TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, - TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, - TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, - TLS_ECDHE_ECDSA_WITH_AES_128_CCM, - TLS_ECDHE_ECDSA_WITH_AES_256_CCM, - TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, - TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - -> ec_server_key_exchange : EcServerKeyExchange(rec); - - # DHE suites - TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, - TLS_DHE_DSS_WITH_DES_CBC_SHA, - 
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, - TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, - TLS_DHE_RSA_WITH_DES_CBC_SHA, - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, - TLS_DHE_DSS_WITH_AES_128_CBC_SHA, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, - TLS_DHE_DSS_WITH_AES_256_CBC_SHA, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA, - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, - TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, - TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, - TLS_DHE_DSS_WITH_RC4_128_SHA, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, - TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD, - TLS_DHE_DSS_WITH_AES_128_CBC_RMD, - TLS_DHE_DSS_WITH_AES_256_CBC_RMD, - TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD, - TLS_DHE_RSA_WITH_AES_128_CBC_RMD, - TLS_DHE_RSA_WITH_AES_256_CBC_RMD, - TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, - TLS_DHE_PSK_WITH_RC4_128_SHA, - TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, - TLS_DHE_PSK_WITH_AES_128_CBC_SHA, - TLS_DHE_PSK_WITH_AES_256_CBC_SHA, - TLS_DHE_DSS_WITH_SEED_CBC_SHA, - TLS_DHE_RSA_WITH_SEED_CBC_SHA, - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, - TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, - TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, - TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, - TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, - TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, - TLS_DHE_PSK_WITH_NULL_SHA256, - TLS_DHE_PSK_WITH_NULL_SHA384, - TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, - TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, - TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, - TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256, - TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384, - TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256, - TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384, - TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256, - TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, - TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256, - 
TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384, - TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256, - TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384, - TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, - TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, - TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, - TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, - TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256, - TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384, - TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, - TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, - TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, - TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, - TLS_DHE_RSA_WITH_AES_128_CCM, - TLS_DHE_RSA_WITH_AES_256_CCM, - TLS_DHE_RSA_WITH_AES_128_CCM_8, - TLS_DHE_RSA_WITH_AES_256_CCM_8, - TLS_DHE_PSK_WITH_AES_128_CCM, - TLS_DHE_PSK_WITH_AES_256_CCM, - TLS_PSK_DHE_WITH_AES_128_CCM_8, - TLS_PSK_DHE_WITH_AES_256_CCM_8, - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - # DH-anon suites - TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, - TLS_DH_ANON_WITH_RC4_128_MD5, - TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, - TLS_DH_ANON_WITH_DES_CBC_SHA, - TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, - TLS_DH_ANON_WITH_AES_128_CBC_SHA, - TLS_DH_ANON_WITH_AES_256_CBC_SHA, - TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA, - TLS_DH_ANON_WITH_AES_128_CBC_SHA256, - TLS_DH_ANON_WITH_AES_256_CBC_SHA256, - TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA, - TLS_DH_ANON_WITH_SEED_CBC_SHA, - TLS_DH_ANON_WITH_AES_128_GCM_SHA256, - TLS_DH_ANON_WITH_AES_256_GCM_SHA384, - TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256, - TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256, - TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256, - TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384, - TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256, - TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384, - TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256, - TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 - # DH non-anon suites do not send a ServerKeyExchange - -> dh_server_key_exchange : DhServerKeyExchange(rec); - - default - -> key : bytestring &restofdata &transient; -}; - -# For the moment, we really only are interested in the curve name. 
If it -# is not set (if the server sends explicit parameters), we do not bother. -# We also do not parse the actual signature data following the named curve. -type EcServerKeyExchange(rec: SSLRecord) = record { - curve_type: uint8; - curve: uint16; # only if curve_type = 3 (NAMED_CURVE) - data: bytestring &restofdata &transient; -}; - -# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams -# structure. After that, they start to differ, but we do not care about that. -type DhServerKeyExchange(rec: SSLRecord) = record { - dh_p_length: uint16; - dh_p: bytestring &length=dh_p_length; - dh_g_length: uint16; - dh_g: bytestring &length=dh_g_length; - dh_Ys_length: uint16; - dh_Ys: bytestring &length=dh_Ys_length; - data: bytestring &restofdata &transient; -}; - - -###################################################################### -# V3 Certificate Request (7.4.4.) -###################################################################### - -# For now, ignore Certificate Request Details; just eat up message. -type CertificateRequest(rec: SSLRecord) = record { - cont : bytestring &restofdata &transient; -}; - - -###################################################################### -# V3 Server Hello Done (7.4.5.) -###################################################################### - -# Server Hello Done is empty -type ServerHelloDone(rec: SSLRecord) = empty; - - -###################################################################### -# V3 Client Certificate (7.4.6.) -###################################################################### - -# Client Certificate is identical to Server Certificate; -# no further definition here - - -###################################################################### -# V3 Client Key Exchange Message (7.4.7.) -###################################################################### - -# For now ignore details of ClientKeyExchange (most of it is -# encrypted anyway); just eat up message. 
-type ClientKeyExchange(rec: SSLRecord) = record { - key : bytestring &restofdata &transient; -}; - ###################################################################### # V2 Client Master Key (SSLv2 2.5.) ###################################################################### 
@@ -641,75 +117,6 @@ type V2ClientMasterKey(rec: SSLRecord) = record { }; -###################################################################### -# V3 Certificate Verify (7.4.8.) -###################################################################### - -# For now, ignore Certificate Verify; just eat up the message. -type CertificateVerify(rec: SSLRecord) = record { - cont : bytestring &restofdata &transient; -}; - - -###################################################################### -# V3 Finished (7.4.9.) -###################################################################### - -# The finished messages are always sent after encryption is in effect, -# so we will not be able to read those messages. -type Finished(rec: SSLRecord) = record { - cont : bytestring &restofdata &transient; -}; - -type SessionTicketHandshake(rec: SSLRecord) = record { - ticket_lifetime_hint: uint32; - data: bytestring &restofdata; -}; - -###################################################################### -# V3 Handshake Protocol (7.) 
-###################################################################### - -type UnknownHandshake(hs: Handshake, is_orig: bool) = record { - data : bytestring &restofdata &transient; -}; - -type Handshake(rec: SSLRecord) = record { - msg_type : uint8; - length : uint24; - - body : case msg_type of { - HELLO_REQUEST -> hello_request : HelloRequest(rec); - CLIENT_HELLO -> client_hello : ClientHello(rec); - SERVER_HELLO -> server_hello : ServerHello(rec); - SESSION_TICKET -> session_ticket : SessionTicketHandshake(rec); - CERTIFICATE -> certificate : Certificate(rec); - SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(rec); - CERTIFICATE_REQUEST -> certificate_request : CertificateRequest(rec); - SERVER_HELLO_DONE -> server_hello_done : ServerHelloDone(rec); - CERTIFICATE_VERIFY -> certificate_verify : CertificateVerify(rec); - CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec); - FINISHED -> finished : Finished(rec); - CERTIFICATE_URL -> certificate_url : bytestring &restofdata &transient; - CERTIFICATE_STATUS -> certificate_status : CertificateStatus(rec); - default -> unknown_handshake : UnknownHandshake(this, rec.is_orig); - } &length = to_int()(length); -}; - - -###################################################################### -# Fragmentation (6.2.1.) -###################################################################### - -type UnknownRecord(rec: SSLRecord) = record { - cont : bytestring &restofdata &transient; -}; - -type CiphertextRecord(rec: SSLRecord) = record { - cont : bytestring &restofdata &transient; -}; - - ###################################################################### # initial datatype for binpac ###################################################################### 
@@ -725,28 +132,6 @@ type SSLPDU(is_orig: bool) = record { refine connection SSL_Conn += { - %member{ - int client_state_; - int server_state_; - int record_layer_version_; - uint32 chosen_cipher_; - %} - - %init{ - server_state_ = STATE_CLEAR; - client_state_ = STATE_CLEAR; - record_layer_version_ = UNKNOWN_VERSION; - chosen_cipher_ = NO_CHOSEN_CIPHER; - %} - - function chosen_cipher() : int %{ return chosen_cipher_; %} - - function set_cipher(cipher: uint32) : bool - %{ - chosen_cipher_ = cipher; - return true; - %} - function determine_ssl_record_layer(head0 : uint8, head1 : uint8, head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int %{ @@ -818,24 +203,4 @@ refine connection SSL_Conn += { return UNKNOWN_VERSION; %} - function client_state() : int %{ return client_state_; %} - - function server_state() : int %{ return client_state_; %} - - function state(is_orig: bool) : int - %{ - if ( is_orig ) - return client_state_; - else - return server_state_; - %} - - function startEncryption(is_orig: bool) : bool - %{ - if ( is_orig ) - client_state_ = STATE_ENCRYPTED; - else - server_state_ = STATE_ENCRYPTED; - return true; - %} }; diff --git a/src/analyzer/protocol/ssl/ssl.pac b/src/analyzer/protocol/ssl/ssl.pac index 4a32227088..f7e7c17e7f 100644 --- a/src/analyzer/protocol/ssl/ssl.pac +++ b/src/analyzer/protocol/ssl/ssl.pac 
@@ -10,23 +10,32 @@ %extern{ #include "events.bif.h" + +namespace analyzer { namespace ssl { class SSL_Analyzer; } } +typedef analyzer::ssl::SSL_Analyzer* SSLAnalyzer; + +#include "SSL.h" %} +extern type SSLAnalyzer; + analyzer SSL withcontext { connection: SSL_Conn; flow: SSL_Flow; }; -connection SSL_Conn(bro_analyzer: BroAnalyzer) { +connection SSL_Conn(bro_analyzer: SSLAnalyzer) { upflow = SSL_Flow(true); downflow = SSL_Flow(false); }; +%include ssl-dtls-protocol.pac %include ssl-protocol.pac flow SSL_Flow(is_orig: bool) { flowunit = SSLPDU(is_orig) withcontext(connection, this); } +%include ssl-dtls-analyzer.pac %include ssl-analyzer.pac %include ssl-defs.pac diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac new file mode 100644 index 0000000000..fb6ce2e7a4 --- /dev/null +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
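Review bot: The `%extern` block now forward-declares `analyzer::ssl::SSL_Analyzer`, defines the `SSLAnalyzer` typedef and then includes `SSL.h`, without saying why both the forward declaration and the include are needed; presumably `SSL.h` and the generated binpac header include each other, so the typedef has to exist before `SSL.h` is pulled in, but a reader cannot tell that from this file. A one-line C++ comment above the declaration, `// forward-declare so the SSLAnalyzer typedef exists before SSL.h includes the generated header`, would record the reason. The same hunk narrows `SSL_Conn`'s `bro_analyzer` from the generic `BroAnalyzer` to `SSLAnalyzer`, which is worth a word in that comment as well since every handler in the included `.pac` files sees the new type.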
@@ -0,0 +1,273 @@ +# Analyzer for SSL/TLS Handshake protocol (Bro-specific part). + +%extern{ +#include +#include +#include +#include + +#include "util.h" + +#include "file_analysis/Manager.h" +%} + +%header{ + class extract_certs { + public: + bytestring const& operator() (X509Certificate* cert) const + { + return cert->certificate(); + } + }; + + string orig_label(bool is_orig); + string handshake_type_label(int type); + %} + +refine connection Handshake_Conn += { + + %include proc-client-hello.pac + %include proc-server-hello.pac + %include proc-certificate.pac + + function proc_session_ticket_handshake(rec: SessionTicketHandshake, is_orig: bool): bool + %{ + if ( ssl_session_ticket_handshake ) + { + BifEvent::generate_ssl_session_ticket_handshake(bro_analyzer(), + bro_analyzer()->Conn(), + ${rec.ticket_lifetime_hint}, + new StringVal(${rec.data}.length(), (const char*) ${rec.data}.data())); + } + return true; + %} + + function proc_ssl_extension(rec: Handshake, type: int, sourcedata: const_bytestring) : bool + %{ + // We cheat a little bit here. We want to throw this event + // for every extension we encounter, even those that are + // handled by more specialized events later. To access the + // parsed data, we use sourcedata, which contains the whole + // data blob of the extension, including headers. We skip + // over those (4 bytes). 
+ size_t length = sourcedata.length(); + if ( length < 4 ) + { + // This should be impossible due to the binpac parser + // and protocol description + bro_analyzer()->ProtocolViolation(fmt("Impossible extension length: %zu", length)); + bro_analyzer()->SetSkip(true); + return true; + } + + length -= 4; + const unsigned char* data = sourcedata.begin() + 4; + + if ( ssl_extension ) + BifEvent::generate_ssl_extension(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, type, + new StringVal(length, reinterpret_cast(data))); + return true; + %} + + function proc_ec_point_formats(rec: Handshake, point_format_list: uint8[]) : bool + %{ + VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( point_format_list ) + { + for ( unsigned int i = 0; i < point_format_list->size(); ++i ) + points->Assign(i, new Val((*point_format_list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, points); + + return true; + %} + + function proc_elliptic_curves(rec: Handshake, list: uint16[]) : bool + %{ + VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( list ) + { + for ( unsigned int i = 0; i < list->size(); ++i ) + curves->Assign(i, new Val((*list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, curves); + + return true; + %} + + function proc_apnl(rec: Handshake, protocols: ProtocolName[]) : bool + %{ + VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType()); + + if ( protocols ) + { + for ( unsigned int i = 0; i < protocols->size(); ++i ) + plist->Assign(i, new StringVal((*protocols)[i]->name().length(), (const char*) (*protocols)[i]->name().data())); + } + + BifEvent::generate_ssl_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, plist); + + return true; + %} + + 
function proc_server_name(rec: Handshake, list: ServerName[]) : bool + %{ + VectorVal* servers = new VectorVal(internal_type("string_vec")->AsVectorType()); + + if ( list ) + { + for ( unsigned int i = 0, j = 0; i < list->size(); ++i ) + { + ServerName* servername = (*list)[i]; + if ( servername->name_type() != 0 ) + { + bro_analyzer()->Weird(fmt("Encountered unknown type in server name ssl extension: %d", servername->name_type())); + continue; + } + + if ( servername->host_name() ) + servers->Assign(j++, new StringVal(servername->host_name()->host_name().length(), (const char*) servername->host_name()->host_name().data())); + else + bro_analyzer()->Weird("Empty server_name extension in ssl connection"); + } + } + + BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, servers); + + return true; + %} + + function proc_v3_certificate(is_orig: bool, cl : X509Certificate[]) : bool + %{ + vector* certs = cl; + vector* cert_list = new vector(); + + std::transform(certs->begin(), certs->end(), + std::back_inserter(*cert_list), extract_certs()); + + bool ret = proc_certificate(is_orig, cert_list); + delete cert_list; + return ret; + %} + + function proc_unknown_handshake(hs: Handshake, is_orig: bool) : bool + %{ + bro_analyzer()->ProtocolViolation(fmt("unknown handshake message (%d) from %s", + ${hs.msg_type}, orig_label(is_orig).c_str())); + return true; + %} + + function proc_certificate_status(rec : Handshake, status_type: uint8, response: bytestring) : bool + %{ + if ( status_type == 1 ) // ocsp + { + BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, + new StringVal(response.length(), + (const char*) response.data())); + } + + return true; + %} + + function proc_ec_server_key_exchange(rec: Handshake, curve_type: uint8, curve: uint16) : bool + %{ + if ( curve_type == NAMED_CURVE ) + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), curve); + + return 
true; + %} + + function proc_dh_server_key_exchange(rec: Handshake, p: bytestring, g: bytestring, Ys: bytestring) : bool + %{ + BifEvent::generate_ssl_dh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(p.length(), (const char*) p.data()), + new StringVal(g.length(), (const char*) g.data()), + new StringVal(Ys.length(), (const char*) Ys.data()) + ); + + return true; + %} + + function proc_handshake(is_orig: bool, msg_type: uint8, length: uint32) : bool + %{ + BifEvent::generate_ssl_handshake_message(bro_analyzer(), + bro_analyzer()->Conn(), is_orig, msg_type, length); + + return true; + %} + + +}; + +refine typeattr ClientHello += &let { + proc : bool = $context.connection.proc_client_hello(client_version, + gmt_unix_time, random_bytes, + session_id, csuits, 0); +}; + +refine typeattr ServerHello += &let { + proc : bool = $context.connection.proc_server_hello(server_version, + gmt_unix_time, random_bytes, session_id, cipher_suite, 0, + compression_method); +}; + +refine typeattr Certificate += &let { + proc : bool = $context.connection.proc_v3_certificate(rec.is_orig, certificates); +}; + +refine typeattr UnknownHandshake += &let { + proc : bool = $context.connection.proc_unknown_handshake(hs, is_orig); +}; + +refine typeattr SessionTicketHandshake += &let { + proc : bool = $context.connection.proc_session_ticket_handshake(this, rec.is_orig); +} + +refine typeattr SSLExtension += &let { + proc : bool = $context.connection.proc_ssl_extension(rec, type, sourcedata); +}; + +refine typeattr EcPointFormats += &let { + proc : bool = $context.connection.proc_ec_point_formats(rec, point_format_list); +}; + +refine typeattr EllipticCurves += &let { + proc : bool = $context.connection.proc_elliptic_curves(rec, elliptic_curve_list); +}; + +refine typeattr ApplicationLayerProtocolNegotiationExtension += &let { + proc : bool = $context.connection.proc_apnl(rec, protocol_name_list); +}; + +refine typeattr ServerNameExt += &let { + proc : bool = 
$context.connection.proc_server_name(rec, server_names); +}; + +refine typeattr CertificateStatus += &let { + proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); +}; + +refine typeattr EcServerKeyExchange += &let { + proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve); +}; + +refine typeattr DhServerKeyExchange += &let { + proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys); +}; + +refine typeattr Handshake += &let { + proc : bool = $context.connection.proc_handshake(is_orig, msg_type, msg_length); +}; + diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac new file mode 100644 index 0000000000..723d95d7a4 --- /dev/null +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
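Review bot: `proc_v3_certificate` builds its temporary `cert_list` with `new` and releases it by hand after `proc_certificate` returns, where a stack-local vector gives the same result with nothing to forget: `vector<bytestring> cert_list; std::transform(certs->begin(), certs->end(), std::back_inserter(cert_list), extract_certs()); return proc_certificate(is_orig, &cert_list);` (element type taken from what `extract_certs::operator()` returns; the template arguments appear to have been stripped in this rendering). The `refine typeattr SessionTicketHandshake` block closes with a bare `}` while every sibling refine in the file closes with `};`; aligning it avoids a parser surprise later. Likewise `reinterpret_cast(data)` in `proc_ssl_extension` presumably reads `reinterpret_cast<const char*>(data)` in the actual source, since the cast has no target type as shown here.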
@@ -0,0 +1,533 @@ +###################################################################### +# Handshake Protocols (7.) +###################################################################### + +enum HandshakeType { + HELLO_REQUEST = 0, + CLIENT_HELLO = 1, + SERVER_HELLO = 2, + SESSION_TICKET = 4, # RFC 5077 + CERTIFICATE = 11, + SERVER_KEY_EXCHANGE = 12, + CERTIFICATE_REQUEST = 13, + SERVER_HELLO_DONE = 14, + CERTIFICATE_VERIFY = 15, + CLIENT_KEY_EXCHANGE = 16, + FINISHED = 20, + CERTIFICATE_URL = 21, # RFC 3546 + CERTIFICATE_STATUS = 22, # RFC 3546 +}; + + +###################################################################### +# V3 Handshake Protocol (7.) +###################################################################### + +type UnknownHandshake(hs: Handshake, is_orig: bool) = record { + data : bytestring &restofdata &transient; +}; + +type Handshake(is_orig: bool) = record { + body : case msg_type of { + HELLO_REQUEST -> hello_request : HelloRequest(this); + CLIENT_HELLO -> client_hello : ClientHello(this); + SERVER_HELLO -> server_hello : ServerHello(this); + SESSION_TICKET -> session_ticket : SessionTicketHandshake(this); + CERTIFICATE -> certificate : Certificate(this); + SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(this); + CERTIFICATE_REQUEST -> certificate_request : CertificateRequest(this); + SERVER_HELLO_DONE -> server_hello_done : ServerHelloDone(this); + CERTIFICATE_VERIFY -> certificate_verify : CertificateVerify(this); + CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(this); + FINISHED -> finished : Finished(this); + CERTIFICATE_URL -> certificate_url : bytestring &restofdata &transient; + CERTIFICATE_STATUS -> certificate_status : CertificateStatus(this); + default -> unknown_handshake : UnknownHandshake(this, is_orig); + } &length = msg_length; +} &byteorder = bigendian, + &let { + msg_type: uint8 = $context.connection.msg_type(); + msg_length: uint32 = $context.connection.msg_length(); +}; + 
+###################################################################### +# V3 Hello Request (7.4.1.1.) +###################################################################### + +# Hello Request is empty +type HelloRequest(rec: Handshake) = empty; + + +###################################################################### +# V3 Client Hello (7.4.1.2.) +###################################################################### + +type ClientHello(rec: Handshake) = record { + client_version : uint16; + gmt_unix_time : uint32; + random_bytes : bytestring &length = 28; + session_len : uint8; + session_id : uint8[session_len]; + csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0); + csuits : uint16[csuit_len/2]; + cmeth_len : uint8 &check(cmeth_len > 0); + cmeths : uint8[cmeth_len]; + # This weirdness is to deal with the possible existence or absence + # of the following fields. + ext_len: uint16[] &until($element == 0 || $element != 0); + extensions : SSLExtension(rec)[] &until($input.length() == 0); +}; + +###################################################################### +# V3 Server Hello (7.4.1.3.) +###################################################################### + +type ServerHello(rec: Handshake) = record { + server_version : uint16; + gmt_unix_time : uint32; + random_bytes : bytestring &length = 28; + session_len : uint8; + session_id : uint8[session_len]; + cipher_suite : uint16[1]; + compression_method : uint8; + # This weirdness is to deal with the possible existence or absence + # of the following fields. + ext_len: uint16[] &until($element == 0 || $element != 0); + extensions : SSLExtension(rec)[] &until($input.length() == 0); +} &let { + cipher_set : bool = + $context.connection.set_cipher(cipher_suite[0]); +}; + +###################################################################### +# V3 Server Certificate (7.4.2.) 
+###################################################################### + +type X509Certificate = record { + length : uint24; + certificate : bytestring &length = to_int()(length); +}; + +type Certificate(rec: Handshake) = record { + length : uint24; + certificates : X509Certificate[] &until($input.length() == 0); +} &length = to_int()(length)+3; + +# OCSP Stapling + +type CertificateStatus(rec: Handshake) = record { + status_type: uint8; # 1 = ocsp, everything else is undefined + length : uint24; + response: bytestring &restofdata; +}; + +###################################################################### +# V3 Server Key Exchange Message (7.4.3.) +###################################################################### + +# Usually, the server key exchange does not contain any information +# that we are interested in. +# +# The exception is when we are using an ECDHE, DHE or DH-Anon suite. +# In this case, we can extract information about the chosen cipher from +# here. +type ServerKeyExchange(rec: Handshake) = case $context.connection.chosen_cipher() of { + TLS_ECDH_ECDSA_WITH_NULL_SHA, + TLS_ECDH_ECDSA_WITH_RC4_128_SHA, + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_NULL_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDH_RSA_WITH_NULL_SHA, + TLS_ECDH_RSA_WITH_RC4_128_SHA, + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_NULL_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDH_ANON_WITH_NULL_SHA, + TLS_ECDH_ANON_WITH_RC4_128_SHA, + TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_128_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_256_CBC_SHA, + 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_RC4_128_SHA, + TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_PSK_WITH_NULL_SHA, + TLS_ECDHE_PSK_WITH_NULL_SHA256, + TLS_ECDHE_PSK_WITH_NULL_SHA384, + TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, + TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256, + TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256, + TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256, + TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + 
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CCM, + TLS_ECDHE_ECDSA_WITH_AES_256_CCM, + TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, + TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + -> ec_server_key_exchange : EcServerKeyExchange(rec); + + # DHE suites + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + TLS_DHE_DSS_WITH_RC4_128_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD, + TLS_DHE_DSS_WITH_AES_128_CBC_RMD, + TLS_DHE_DSS_WITH_AES_256_CBC_RMD, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD, + TLS_DHE_RSA_WITH_AES_128_CBC_RMD, + TLS_DHE_RSA_WITH_AES_256_CBC_RMD, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_PSK_WITH_RC4_128_SHA, + 
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_SEED_CBC_SHA, + TLS_DHE_RSA_WITH_SEED_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, + TLS_DHE_PSK_WITH_NULL_SHA256, + TLS_DHE_PSK_WITH_NULL_SHA384, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_AES_128_CCM, + TLS_DHE_RSA_WITH_AES_256_CCM, + TLS_DHE_RSA_WITH_AES_128_CCM_8, + TLS_DHE_RSA_WITH_AES_256_CCM_8, + TLS_DHE_PSK_WITH_AES_128_CCM, + TLS_DHE_PSK_WITH_AES_256_CCM, + TLS_PSK_DHE_WITH_AES_128_CCM_8, + TLS_PSK_DHE_WITH_AES_256_CCM_8, + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + # DH-anon suites + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_WITH_RC4_128_MD5, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + 
TLS_DH_ANON_WITH_DES_CBC_SHA, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_256_CBC_SHA, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA256, + TLS_DH_ANON_WITH_AES_256_CBC_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA, + TLS_DH_ANON_WITH_SEED_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_GCM_SHA256, + TLS_DH_ANON_WITH_AES_256_GCM_SHA384, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256, + TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384, + TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256, + TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384, + TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 + # DH non-anon suites do not send a ServerKeyExchange + -> dh_server_key_exchange : DhServerKeyExchange(rec); + + default + -> key : bytestring &restofdata &transient; +}; + +# For the moment, we really only are interested in the curve name. If it +# is not set (if the server sends explicit parameters), we do not bother. +# We also do not parse the actual signature data following the named curve. +type EcServerKeyExchange(rec: Handshake) = record { + curve_type: uint8; + curve: uint16; # only if curve_type = 3 (NAMED_CURVE) + data: bytestring &restofdata &transient; +}; + +# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams +# structure. After that, they start to differ, but we do not care about that. +type DhServerKeyExchange(rec: Handshake) = record { + dh_p_length: uint16; + dh_p: bytestring &length=dh_p_length; + dh_g_length: uint16; + dh_g: bytestring &length=dh_g_length; + dh_Ys_length: uint16; + dh_Ys: bytestring &length=dh_Ys_length; + data: bytestring &restofdata &transient; +}; + + +###################################################################### +# V3 Certificate Request (7.4.4.) 
+###################################################################### + +# For now, ignore Certificate Request Details; just eat up message. +type CertificateRequest(rec: Handshake) = record { + cont : bytestring &restofdata &transient; +}; + + +###################################################################### +# V3 Server Hello Done (7.4.5.) +###################################################################### + +# Server Hello Done is empty +type ServerHelloDone(rec: Handshake) = empty; + + +###################################################################### +# V3 Client Certificate (7.4.6.) +###################################################################### + +# Client Certificate is identical to Server Certificate; +# no further definition here + + +###################################################################### +# V3 Client Key Exchange Message (7.4.7.) +###################################################################### + +# For now ignore details of ClientKeyExchange (most of it is +# encrypted anyway); just eat up message. +type ClientKeyExchange(rec: Handshake) = record { + key : bytestring &restofdata &transient; +}; + + +###################################################################### +# V3 Certificate Verify (7.4.8.) +###################################################################### + +# For now, ignore Certificate Verify; just eat up the message. +type CertificateVerify(rec: Handshake) = record { + cont : bytestring &restofdata &transient; +}; + + +###################################################################### +# V3 Finished (7.4.9.) +###################################################################### + +# The finished messages are always sent after encryption is in effect, +# so we will not be able to read those messages. 
+type Finished(rec: Handshake) = record { + cont : bytestring &restofdata &transient; +}; + +type SessionTicketHandshake(rec: Handshake) = record { + ticket_lifetime_hint: uint32; + data: bytestring &restofdata; +}; + +###################################################################### +# TLS Extensions +###################################################################### + +type SSLExtension(rec: Handshake) = record { + type: uint16; + data_len: uint16; + + # Pretty code ahead. Deal with the fact that perhaps extensions are + # not really present and we do not want to fail because of that. + ext: case type of { + EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION -> apnl: ApplicationLayerProtocolNegotiationExtension(rec)[] &until($element == 0 || $element != 0); + EXT_ELLIPTIC_CURVES -> elliptic_curves: EllipticCurves(rec)[] &until($element == 0 || $element != 0); + EXT_EC_POINT_FORMATS -> ec_point_formats: EcPointFormats(rec)[] &until($element == 0 || $element != 0); +# EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0); + EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0); + default -> data: bytestring &restofdata; + }; +} &length=data_len+4 &exportsourcedata; + +type ServerNameHostName() = record { + length: uint16; + host_name: bytestring &length=length; +}; + +type ServerName() = record { + name_type: uint8; # has to be 0 for host-name + name: case name_type of { + 0 -> host_name: ServerNameHostName; + default -> data : bytestring &restofdata &transient; # unknown name + }; +}; + +type ServerNameExt(rec: Handshake) = record { + length: uint16; + server_names: ServerName[] &until($input.length() == 0); +} &length=length+2; + +# Do not parse for now. Structure is correct, but only contains asn.1 data that we would not use further. 
+#type OcspStatusRequest(rec: Handshake) = record { +# responder_id_list_length: uint16; +# responder_id_list: bytestring &length=responder_id_list_length; +# request_extensions_length: uint16; +# request_extensions: bytestring &length=request_extensions_length; +#}; +# +#type StatusRequest(rec: Handshake) = record { +# status_type: uint8; # 1 -> ocsp +# req: case status_type of { +# 1 -> ocsp_status_request: OcspStatusRequest(rec); +# default -> data : bytestring &restofdata &transient; # unknown +# }; +#}; + +type EcPointFormats(rec: Handshake) = record { + length: uint8; + point_format_list: uint8[length]; +}; + +type EllipticCurves(rec: Handshake) = record { + length: uint16; + elliptic_curve_list: uint16[length/2]; +}; + +type ProtocolName() = record { + length: uint8; + name: bytestring &length=length; +}; + +type ApplicationLayerProtocolNegotiationExtension(rec: Handshake) = record { + length: uint16; + protocol_name_list: ProtocolName[] &until($input.length() == 0); +} &length=length+2; + +refine connection Handshake_Conn += { + + %member{ + uint32 chosen_cipher_; + uint8 msg_type_; + uint32 msg_length_; + %} + + %init{ + chosen_cipher_ = NO_CHOSEN_CIPHER; + msg_type_ = 0; + msg_length_ = 0; + %} + + function chosen_cipher() : int %{ return chosen_cipher_; %} + + function msg_type() : uint8 %{ return msg_type_; %} + + function msg_length() : uint32 %{ return msg_length_; %} + + function set_msg_type(type: uint8) : bool + %{ + msg_type_ = type; + return true; + %} + + function set_msg_length(len: uint32) : bool + %{ + msg_length_ = len; + return true; + %} + + function set_cipher(cipher: uint32) : bool + %{ + chosen_cipher_ = cipher; + return true; + %} +}; + + diff --git a/src/analyzer/protocol/ssl/tls-handshake.pac b/src/analyzer/protocol/ssl/tls-handshake.pac new file mode 100644 index 0000000000..a1bd2e3954 --- /dev/null +++ b/src/analyzer/protocol/ssl/tls-handshake.pac 
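Review bot: `CertificateStatus` reads a `length` field and then takes `response` with `&restofdata`, so the declared length is never compared with the bytes actually consumed; `response: bytestring &length = to_int()(length);` would tie the two together so that a mismatch surfaces as a parse error instead of silently folding any trailing bytes of the handshake message into the stapled response handed to `ssl_stapled_ocsp`. Separately, `Handshake_Conn` stores `chosen_cipher_` as `uint32` while `chosen_cipher()` is declared to return `int`, and that value drives the `ServerKeyExchange` case selector; `function chosen_cipher() : uint32 %{ return chosen_cipher_; %}` removes the signed/unsigned conversion. The `&until($element == 0 || $element != 0)` idiom recurs in `ClientHello`, `ServerHello` and `SSLExtension` to parse at most one element; the "Pretty code ahead" comment in `SSLExtension` could state that intent directly so the next reader does not have to work it out.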
@@ -0,0 +1,24 @@
+# Binpac analyzer just for the TLS handshake protocol and nothing else
+
+%include binpac.pac
+%include bro.pac
+
+analyzer TLSHandshake withcontext {
+ connection: Handshake_Conn;
+ flow: Handshake_Flow;
+};
+
+connection Handshake_Conn(bro_analyzer: BroAnalyzer) {
+ upflow = Handshake_Flow(true);
+ downflow = Handshake_Flow(false);
+};
+
+flow Handshake_Flow(is_orig: bool) {
+ datagram = Handshake(is_orig) withcontext(connection, this);
+}
+
+%include tls-handshake-protocol.pac
+%include tls-handshake-analyzer.pac
+
+%include ssl-defs.pac
+
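Review bot: `%include ssl-defs.pac` is placed after the two handshake includes, although `tls-handshake-protocol.pac` already refers to `NO_CHOSEN_CIPHER` in the `Handshake_Conn` init block and `ServerKeyExchange` switches on the `TLS_*` cipher-suite constants, which presumably come from ssl-defs; unless binpac resolves those names independently of `%include` order, move `%include ssl-defs.pac` above `%include tls-handshake-protocol.pac`. A header comment stating that this analyzer is not attached to a connection itself but is fed handshake data by the SSL record-layer analyzer would also explain the `datagram = Handshake(is_orig)` choice, which, as I read binpac's datagram mode, requires every `NewData` call to carry exactly one complete handshake message.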
diff --git a/testing/btest/Traces/tls/dtls-openssl.pcap b/testing/btest/Traces/tls/dtls-openssl.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b07e6921a10c25dcfdf1d87bae393b596f360900 GIT binary patch literal 3181 zcmd5;dpwj|7hdl>Gt9{S5{0Sg)1eMCluIFnToXbr2c<;0lViHLgqR4a2;E%1oXW(( zDdETn6}st&qnpyjC7IHR>SX5ZHELAj792 z5CC9k@`69^ZNG|5*%krMXm?4l*DKVq7sU2}D2+q(K5ifd;Z51>!Ibs2~Ia6yGZJn@j=>N2?YiTyYSC z8K8uoih?32pdBJG6M2*WutON_m;1oZJ;aVTikPsk*#U?9Dg-;ts#Dl8>W-ac2ZJ9z zvC{^iL8tRB%Ug!X{*x042l#TLcC=QlU145Co)@ z!HP%uhv;FB+0_kia^*_k&TtOse z`(#RDL#fV_NH`F(|NWti0R9)*zZ=T`VJQ&oyhH3nAQB1tMt0u>^w>mdR{a!q9CGU? z*&%`9Cw7qRjPF&~e=CJYt7$-{zz6%f6v(3!r4Uf?Whsz*J(4Cvz+gEJ=YS*ueZvs~qbpiCUpdFuTa?%}6qD%w) zEg+xp;d>PDSB!X^$B4(e@<}*`<22}hoNgYdeZZR`CPdRnvP>Ei!!Qa37~)J(hKLZ! znM@KT`Gkis=<;IBMGPH=fi{E5Wa_x1sV$1u2U z(Qh*^<#$hZVb<+h5$@8HdMR%o1>vXl4eGq#r@Nn&F}|W%btC=MLtjzdr-g&3p0ci_ z7z8_R3iCRzaKTnyM=e^fi(8V&I-$V1z4mF#{C$z;>P^Gpa(f?$*x&5F=bv7=h9yMS za7^niT}Kr@tY@a+y+wEUcD2rm`{CwwE=`Tl;fZb}_S-&TD(m`3XO}+%!{GOhQFXy&@x0y1GZr zIO|Z3*C=G%`orW}ltqAwLX7OlmiwIYAnCMUJ6u*M8(43p4_sJrKKxmo6Xk)PXscc% zPC}{`*)!}I%7|rUaq@JsENzL=&fnc4k`=N>lwxLRhRPfcJjj?u{H;n>U`&tu{sK{A zfee|#AYqu`OU{vuh;s~nX(}?vZo0SrwOI`NO!tfCH%(HR8ap%f%~W?!OIf9*FqlIv zX^D1pWBOfc^bua;a4~U-ul_N5t@j^2TQBrBS}i%)Gi{srQHx3|wYYvC<@xH(-p#C5 zIn@@Wg508?;zu~$+nzt3G1#M9fxTBdepAw#cT{||ojM$~(AsYii|695WZnipiQ`RqI{5?g?f& z8TgL4#OLYRDDSS`!&5YCFv&V?y3-|E!`U);p~dM|SD%3T?JEnjs_#36nQ|NwEAn2w zKD1w8%8~9=4Du@}67Z5*C*KGXwptW03)IKaz${20zl?0?Wn)e~XTnQqT;--!lRVwb z{aIcGo|NT8FV?I&6ybUD&UoF8ncD{|E^8O-RE;b3vV8YDcbzM^yo*#{tzX5%K;Gq; z`fT4L z_^^NMlWTg-vE@;^sjoP!tzm96{RUsM#Y;E|!b4knH?2ODbAY7;YJ=+}mCI@xay=S< zG;p;h@!~sVB9vbQl~O&Mb8KSUp8vTv%=?^OZDgOB(7DuM)z!u|EBGEuX}S%JUZ1;7 zY5KI+z0|P0(87}n+yVaD-v;(^ob4?IfeUU#wQ7uW8w2l~YUnpmGS1c=uDD__$uAj1 z#R+OZUR#K^oZ&@-2j~%D-?ZhM8q${|x~nxtn7Y4zKJOyEmNdZFw%m*EvV2 zBcS0m<}a^aI&<*)tU-6*;yildkZa;2Esfg>J|V{+%l042OkreaOZ#6;zHAk8E#p#n zSlm$tZwL9eoIJtYtWu8x5msK^{+3N|yZ2S!dFPeF@7SWquO4HvAKeHJY)xP$&aH26 
z6?QJLTEK5f2|fM9pA$MWA-Xkw4%hhENwHk%rM@$EO>!#qHK&UtqteJS&8w$vC}^e* zr|a9z&WSM3joR5b*YM3Uzwu!AS0%U379H$c+!Ar*5M#dU0?r~ubXGZzLw!~|jA)R3F`HO&=L4?;>;MM>qqSaWHO=9%!<2=-Ju?KAAxQi9url%d97N(tr> z_ou*)1vOF(>T0iR)yAk*`mz7cJhuLdcYSyW`QU;C4G9a`fyg>wcw0-QTldX-?h}+W zieNh(#XrM-n{7Qh@lB*2t540A<|+3%TO1fAas3aq_q<#-9^>=yNUAUQhv%`zSMAT% dNQVH&hCtjar4{~22S Date: Tue, 10 Mar 2015 14:29:40 -0700 Subject: [PATCH 176/711] When setting the SSL analyzer to fail, also stop processing data that already has been delivered to the analyzer, not just future data. No testcase because this is hard to reproduce, this was only found due to mistakenly triggering an error in life traffic at a site... --- src/analyzer/protocol/ssl/ssl-protocol.pac | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index d5628e9cc7..b0f51cd54a 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -135,6 +135,12 @@ refine connection SSL_Conn += { function determine_ssl_record_layer(head0 : uint8, head1 : uint8, head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int %{ + // stop processing if we already had a protocol violation or otherwhise + // decided that we do not want to parse anymore. Just setting skip is not + // enough for the data that is already in the pipe. + if ( bro_analyzer()->Skipping() ) + return UNKNOWN_VERSION; + // re-check record layer version to be sure that we still are synchronized with // the data stream if ( record_layer_version_ != UNKNOWN_VERSION && record_layer_version_ != SSLv20 ) From 47de9066126b5f7d33d59b4ac0198b880e464fbc Mon Sep 17 00:00:00 2001 
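Review bot: The early return keys off `bro_analyzer()->Skipping()`, but nothing in this hunk sets that flag, and it is not visible here whether `ProtocolViolation()` raises it itself; if the flag is only set by the script-level handler that disables the analyzer, records already queued between the violation and that handler still take the old path. If the intent is to stop on the first violation regardless of script policy, set skip explicitly where the violation is raised and say so in the comment. The new comment also misspells `otherwhise`; `// stop processing if we already had a protocol violation or otherwise` reads better. determine_ssl_record_layer's body continues outside the hunk.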
From: Johanna Amann
Date: Wed, 11 Mar 2015 15:53:32 -0700
Subject: [PATCH 177/711] Make handshake analyzer flow-based. This means we can feed data to it in chunks, which makes dealing with fragmentation a little bit more convenient.
---
src/analyzer/protocol/ssl/SSL.cc | 5 +-
.../protocol/ssl/tls-handshake-analyzer.pac | 20 ++--
.../protocol/ssl/tls-handshake-protocol.pac | 97 ++++++++++---------
src/analyzer/protocol/ssl/tls-handshake.pac | 7 +-
4 files changed, 67 insertions(+), 62 deletions(-)
diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc
index a26807c14b..17df73bd6e 100644
--- a/src/analyzer/protocol/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@@ -63,10 +63,11 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void SSL_Analyzer::SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig)
{
- handshake_interp->set_msg_type(msg_type);
- handshake_interp->set_msg_length(length);
try
{
+ handshake_interp->NewData(orig, (const unsigned char*) &msg_type, (const unsigned char*) &msg_type + 1);
+ uint32 host_length = htonl(length);
+ handshake_interp->NewData(orig, (const unsigned char*) &host_length, (const unsigned char*) &host_length + sizeof(host_length));
handshake_interp->NewData(orig, begin, end);
}
catch ( const binpac::Exception& e )
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index fb6ce2e7a4..a52381189b 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
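Review bot: `host_length` is assigned the result of `htonl(length)`, so it holds the value in network byte order and the name says the opposite; `uint32 net_length = htonl(length);` would match what the big-endian parser is being fed. The `(const unsigned char*)` C-style casts on `&msg_type` and `&host_length` should be `reinterpret_cast<const unsigned char*>(...)`, so the pointer punning is visible and greppable. The prefix synthesized here is 1 + 4 bytes, while the handshake header on the wire is a 1-byte type plus a 3-byte `uint24` length (what the record layer's `Handshake` record reads), so a comment on these lines saying that `HandshakeRecord` is deliberately defined against this 5-byte pseudo-header rather than the wire format would stop the next reader from treating it as a parser bug; PATCH 178 below changes this again. SendHandshake's body continues outside the hunk.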
@@ -42,7 +42,7 @@ refine connection Handshake_Conn += {
return true;
%}
- function proc_ssl_extension(rec: Handshake, type: int, sourcedata: const_bytestring) : bool
+ function proc_ssl_extension(rec: HandshakeRecord, type: int, sourcedata: const_bytestring) : bool
%{
// We cheat a little bit here. We want to throw this event
// for every extension we encounter, even those that are
@@ -70,7 +70,7 @@ refine connection Handshake_Conn += {
return true;
%}
- function proc_ec_point_formats(rec: Handshake, point_format_list: uint8[]) : bool
+ function proc_ec_point_formats(rec: HandshakeRecord, point_format_list: uint8[]) : bool
%{
VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType());
@@ -86,7 +86,7 @@ refine connection Handshake_Conn += {
return true;
%}
- function proc_elliptic_curves(rec: Handshake, list: uint16[]) : bool
+ function proc_elliptic_curves(rec: HandshakeRecord, list: uint16[]) : bool
%{
VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType());
@@ -102,7 +102,7 @@ refine connection Handshake_Conn += {
return true;
%}
- function proc_apnl(rec: Handshake, protocols: ProtocolName[]) : bool
+ function proc_apnl(rec: HandshakeRecord, protocols: ProtocolName[]) : bool
%{
VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType());
@@ -118,7 +118,7 @@ refine connection Handshake_Conn += {
return true;
%}
- function proc_server_name(rec: Handshake, list: ServerName[]) : bool
+ function proc_server_name(rec: HandshakeRecord, list: ServerName[]) : bool
%{
VectorVal* servers = new VectorVal(internal_type("string_vec")->AsVectorType());
@@ -159,14 +159,14 @@ refine connection Handshake_Conn += {
return ret;
%}
- function proc_unknown_handshake(hs: Handshake, is_orig: bool) : bool
+ function proc_unknown_handshake(hs: HandshakeRecord, is_orig: bool) : bool
%{
bro_analyzer()->ProtocolViolation(fmt("unknown handshake message (%d) from %s", ${hs.msg_type}, orig_label(is_orig).c_str()));
return true;
%}
- function proc_certificate_status(rec : Handshake, status_type: uint8, response: bytestring) : bool
+ function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool
%{
if ( status_type == 1 ) // ocsp
{
@@ -179,7 +179,7 @@ refine connection Handshake_Conn += {
return true;
%}
- function proc_ec_server_key_exchange(rec: Handshake, curve_type: uint8, curve: uint16) : bool
+ function proc_ec_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16) : bool
%{
if ( curve_type == NAMED_CURVE )
BifEvent::generate_ssl_server_curve(bro_analyzer(),
@@ -188,7 +188,7 @@ refine connection Handshake_Conn += {
return true;
%}
- function proc_dh_server_key_exchange(rec: Handshake, p: bytestring, g: bytestring, Ys: bytestring) : bool
+ function proc_dh_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
%{
BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
bro_analyzer()->Conn(),
@@ -268,6 +268,6 @@ refine typeattr DhServerKeyExchange += &let {
};
refine typeattr Handshake += &let {
- proc : bool = $context.connection.proc_handshake(is_orig, msg_type, msg_length);
+ proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length);
};
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 723d95d7a4..25f890d089 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -23,31 +23,36 @@ enum HandshakeType {
# V3 Handshake Protocol (7.)
######################################################################
-type UnknownHandshake(hs: Handshake, is_orig: bool) = record {
- data : bytestring &restofdata &transient;
-};
+type HandshakeRecord(is_orig: bool) = record {
+ msg_type: uint8;
+ msg_length: uint32;
+ rec: Handshake(this);
+# rec: bytestring &length=10 &transient;
+} &length=(msg_length + 5);
-type Handshake(is_orig: bool) = record {
- body : case msg_type of {
- HELLO_REQUEST -> hello_request : HelloRequest(this);
- CLIENT_HELLO -> client_hello : ClientHello(this);
- SERVER_HELLO -> server_hello : ServerHello(this);
- SESSION_TICKET -> session_ticket : SessionTicketHandshake(this);
- CERTIFICATE -> certificate : Certificate(this);
- SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(this);
- CERTIFICATE_REQUEST -> certificate_request : CertificateRequest(this);
- SERVER_HELLO_DONE -> server_hello_done : ServerHelloDone(this);
- CERTIFICATE_VERIFY -> certificate_verify : CertificateVerify(this);
- CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(this);
- FINISHED -> finished : Finished(this);
- CERTIFICATE_URL -> certificate_url : bytestring &restofdata &transient;
- CERTIFICATE_STATUS -> certificate_status : CertificateStatus(this);
- default -> unknown_handshake : UnknownHandshake(this, is_orig);
- } &length = msg_length;
-} &byteorder = bigendian,
- &let {
- msg_type: uint8 = $context.connection.msg_type();
- msg_length: uint32 = $context.connection.msg_length();
+type Handshake(rec: HandshakeRecord) = case rec.msg_type of {
+ HELLO_REQUEST -> hello_request : HelloRequest(rec);
+ CLIENT_HELLO -> client_hello : ClientHello(rec);
+ SERVER_HELLO -> server_hello : ServerHello(rec);
+ SESSION_TICKET -> session_ticket : SessionTicketHandshake(rec);
+ CERTIFICATE -> certificate : Certificate(rec);
+ SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(rec);
+ CERTIFICATE_REQUEST ->
certificate_request : CertificateRequest(rec);
+ SERVER_HELLO_DONE -> server_hello_done : ServerHelloDone(rec);
+ CERTIFICATE_VERIFY -> certificate_verify : CertificateVerify(rec);
+ CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec);
+ FINISHED -> finished : Finished(rec);
+ CERTIFICATE_URL -> certificate_url : bytestring &restofdata &transient;
+ CERTIFICATE_STATUS -> certificate_status : CertificateStatus(rec);
+ default -> unknown_handshake : UnknownHandshake(rec, rec.is_orig);
+}
+
+type HandshakePDU(is_orig: bool) = record {
+ records: HandshakeRecord(is_orig)[] &transient;
+} &byteorder = bigendian;
+
+type UnknownHandshake(hs: HandshakeRecord, is_orig: bool) = record {
+ data : bytestring &restofdata &transient;
};
######################################################################
@@ -55,14 +60,14 @@ type Handshake(is_orig: bool) = record {
######################################################################
# Hello Request is empty
-type HelloRequest(rec: Handshake) = empty;
+type HelloRequest(rec: HandshakeRecord) = empty;
######################################################################
# V3 Client Hello (7.4.1.2.)
######################################################################
-type ClientHello(rec: Handshake) = record {
+type ClientHello(rec: HandshakeRecord) = record {
client_version : uint16;
gmt_unix_time : uint32;
random_bytes : bytestring &length = 28;
@@ -82,7 +87,7 @@ type ClientHello(rec: Handshake) = record {
# V3 Server Hello (7.4.1.3.)
######################################################################
-type ServerHello(rec: Handshake) = record {
+type ServerHello(rec: HandshakeRecord) = record {
server_version : uint16;
gmt_unix_time : uint32;
random_bytes : bytestring &length = 28;
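Review bot: `HandshakeRecord` reads `msg_length: uint32` and sizes itself with `&length=(msg_length + 5)`, which only matches the 5-byte pseudo-header that `SSL_Analyzer::SendHandshake` fabricates in this commit, not the 1-byte type plus 3-byte `uint24` length the record layer's `Handshake` type reads off the wire; either document that coupling on the record or, better, declare `msg_length: uint24;` with `&length=(to_int()(msg_length) + 4)` so the flow can be fed raw record payloads (PATCH 178 below does the latter). The commented-out `# rec: bytestring &length=10 &transient;` is debugging residue and should be deleted rather than committed. Since `HandshakePDU` is now a flowunit of `HandshakeRecord(is_orig)[]`, the peer's length field presumably decides how many bytes binpac buffers per direction before `Handshake(this)` is parsed; a comment stating that bound on the record would help whoever later looks at memory use. The hunk starts in the previous line, so the surrounding context is partly outside this view.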
@@ -108,14 +113,14 @@ type X509Certificate = record {
certificate : bytestring &length = to_int()(length);
};
-type Certificate(rec: Handshake) = record {
+type Certificate(rec: HandshakeRecord) = record {
length : uint24;
certificates : X509Certific
ate[] &until($input.length() == 0);
} &length = to_int()(length)+3;
# OCSP Stapling
-type CertificateStatus(rec: Handshake) = record {
+type CertificateStatus(rec: HandshakeRecord) = record {
status_type: uint8; # 1 = ocsp, everything else is undefined
length : uint24;
response: bytestring &restofdata;
@@ -131,7 +136,7 @@ type CertificateStatus(rec: Handshake) = record {
# The exception is when we are using an ECDHE, DHE or DH-Anon suite.
# In this case, we can extract information about the chosen cipher from
# here.
-type ServerKeyExchange(rec: Handshake) = case $context.connection.chosen_cipher() of {
+type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_cipher() of {
TLS_ECDH_ECDSA_WITH_NULL_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
@@ -336,7 +341,7 @@ type ServerKeyExchange(rec: Handshake) = case $context.connection.chosen_cipher(
# For the moment, we really only are interested in the curve name. If it
# is not set (if the server sends explicit parameters), we do not bother.
# We also do not parse the actual signature data following the named curve.
-type EcServerKeyExchange(rec: Handshake) = record {
+type EcServerKeyExchange(rec: HandshakeRecord) = record {
curve_type: uint8;
curve: uint16; # only if curve_type = 3 (NAMED_CURVE)
data: bytestring &restofdata &transient;
@@ -344,7 +349,7 @@ type EcServerKeyExchange(rec: Handshake) = record {
# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams
# structure. After that, they start to differ, but we do not care about that.
-type DhServerKeyExchange(rec: Handshake) = record {
+type DhServerKeyExchange(rec: HandshakeRecord) = record {
dh_p_length: uint16;
dh_p: bytestring &length=dh_p_length;
dh_g_length: uint16;
@@ -360,7 +365,7 @@ type DhServerKeyExchange(rec: Handshake) = record {
######################################################################
# For now, ignore Certificate Request Details; just eat up message.
-type CertificateRequest(rec: Handshake) = record {
+type CertificateRequest(rec: HandshakeRecord) = record {
cont : bytestring &restofdata &transient;
};
@@ -370,7 +375,7 @@ type CertificateRequest(rec: Handshake) = record {
######################################################################
# Server Hello Done is empty
-type ServerHelloDone(rec: Handshake) = empty;
+type ServerHelloDone(rec: HandshakeRecord) = empty;
######################################################################
@@ -387,7 +392,7 @@ type ServerHelloDone(rec: Handshake) = empty;
# For now ignore details of ClientKeyExchange (most of it is
# encrypted anyway); just eat up message.
-type ClientKeyExchange(rec: Handshake) = record {
+type ClientKeyExchange(rec: HandshakeRecord) = record {
key : bytestring &restofdata &transient;
};
@@ -397,7 +402,7 @@ type ClientKeyExchange(rec: Handshake) = record {
######################################################################
# For now, ignore Certificate Verify; just eat up the message.
-type CertificateVerify(rec: Handshake) = record {
+type CertificateVerify(rec: HandshakeRecord) = record {
cont : bytestring &restofdata &transient;
};
@@ -408,11 +413,11 @@ type CertificateVerify(rec: Handshake) = record {
# The finished messages are always sent after encryption is in effect,
# so we will not be able to read those messages.
-type Finished(rec: Handshake) = record {
+type Finished(rec: HandshakeRecord) = record {
cont : bytestring &restofdata &transient;
};
-type SessionTicketHandshake(rec: Handshake) = record {
+type SessionTicketHandshake(rec: HandshakeRecord) = record {
ticket_lifetime_hint: uint32;
data: bytestring &restofdata;
};
@@ -421,7 +426,7 @@ type SessionTicketHandshake(rec: Handshake) = record {
# TLS Extensions
######################################################################
-type SSLExtension(rec: Handshake) = record {
+type SSLExtension(rec: HandshakeRecord) = record {
type: uint16;
data_len: uint16;
@@ -450,20 +455,20 @@ type ServerName() = record {
};
};
-type ServerNameExt(rec: Handshake) = record {
+type ServerNameExt(rec: HandshakeRecord) = record {
length: uint16;
server_names: ServerName[] &until($input.length() == 0);
} &length=length+2;
# Do not parse for now. Structure is correct, but only contains asn.1 data that we would not use further.
-#type OcspStatusRequest(rec: Handshake) = record {
+#type OcspStatusRequest(rec: HandshakeRecord) = record {
# responder_id_list_length: uint16;
# responder_id_list: bytestring &length=responder_id_list_length;
# request_extensions_length: uint16;
# request_extensions: bytestring &length=request_extensions_length;
#};
#
-#type StatusRequest(rec: Handshake) = record {
+#type StatusRequest(rec: HandshakeRecord) = record {
# status_type: uint8; # 1 -> ocsp
# req: case status_type of {
# 1 -> ocsp_status_request: OcspStatusRequest(rec);
@@ -471,12 +476,12 @@ type ServerNameExt(rec: Handshake) = record {
# };
#};
-type EcPointFormats(rec: Handshake) = record {
+type EcPointFormats(rec: HandshakeRecord) = record {
length: uint8;
point_format_list: uint8[length];
};
-type EllipticCurves(rec: Handshake) = record {
+type EllipticCurves(rec: HandshakeRecord) = record {
length: uint16;
elliptic_curve_list: uint16[length/2];
};
@@ -486,7 +491,7 @@ type ProtocolName() = record {
name: bytestring &length=length;
};
-type ApplicationLayerProtocolNegotiationExtension(rec: Handshake) = record {
+type ApplicationLayerProtocolNegotiationExtension(rec: HandshakeRecord) = record {
length: uint16;
protocol_name_list: ProtocolName[] &until($input.length() == 0);
} &length=length+2;
@@ -509,7 +514,7 @@ refine connection Handshake_Conn += {
function msg_type() : uint8 %{ return msg_type_; %}
- function msg_length() : uint32 %{ return msg_length_; %}
+ function msg_length() : uint32 %{ fprintf(stderr, "Got length %d\n", msg_length_); return msg_length_; %}
function set_msg_type(type: uint8) : bool
%{
diff --git a/src/analyzer/protocol/ssl/tls-handshake.pac b/src/analyzer/protocol/ssl/tls-handshake.pac
index a1bd2e3954..36d6999557 100644
--- a/src/analyzer/protocol/ssl/tls-handshake.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake.pac
@@ -13,12 +13,11 @@ connection Handshake_Conn(bro_analyzer: BroAnalyzer) {
downflow = Handshake_Flow(false);
};
+%include tls-handshake-protocol.pac
+
flow Handshake_Flow(is_orig: bool) {
- datagram = Handshake(is_orig) withcontext(connection, this);
+ flowunit = HandshakePDU(is_orig) withcontext(connection, this);
}
-%include tls-handshake-protocol.pac
%include tls-handshake-analyzer.pac
-
%include ssl-defs.pac
-
From ba27bb54d48e13b0b972596c0ef51330689b862b Mon Sep 17 00:00:00 2001
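Review bot: The `fprintf(stderr, "Got length %d\n", msg_length_)` added to `msg_length()` is debug output in an accessor that is evaluated for every handshake message, and `%d` is the wrong conversion for a `uint32`; drop it before merging and keep `function msg_length() : uint32 %{ return msg_length_; %}`. Unconditional writes to stderr from a packet-driven path are noise an operator cannot switch off, and they leak per-connection details into whatever captures the process's stderr.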
From: Johanna Amann
Date: Wed, 11 Mar 2015 18:23:08 -0700
Subject: [PATCH 178/711] Implement correct parsing of TLS record fragmentation. Finally. Our test-case is a >400kb certificate with 10,000 alternative names. :)
---
src/analyzer/protocol/ssl/SSL.cc | 6 +---
src/analyzer/protocol/ssl/SSL.h | 2 +-
src/analyzer/protocol/ssl/ssl-analyzer.pac | 8 +++--
src/analyzer/protocol/ssl/ssl-protocol.pac | 7 ++---
.../protocol/ssl/tls-handshake-analyzer.pac | 4 +-
.../protocol/ssl/tls-handshake-protocol.pac | 25 ++----------------
src/analyzer/protocol/ssl/tls-handshake.pac | 2 +-
.../.stdout | 1 +
.../ssl.log | 10 +++++++
.../tls/tls-fragmented-handshake.pcap.gz | Bin 0 -> 37320 bytes
.../scripts/base/protocols/ssl/fragment.test | 12 +++++++++
11 files changed, 37 insertions(+), 40 deletions(-)
create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.fragment/.stdout
create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.fragment/ssl.log
create mode 100644 testing/btest/Traces/tls/tls-fragmented-handshake.pcap.gz
create mode 100644 testing/btest/scripts/base/protocols/ssl/fragment.test
diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc
index 17df73bd6e..71b7511716 100644
--- a/src/analyzer/protocol/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@@ -61,19 +61,15 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
}
-void SSL_Analyzer::SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig)
+void SSL_Analyzer::SendHandshake(const u_char* begin, const u_char* end, bool orig)
{
try
{
- handshake_interp->NewData(orig, (const unsigned char*) &msg_type, (const unsigned char*) &msg_type + 1);
- uint32 host_length = htonl(length);
- handshake_interp->NewData(orig, (const unsigned char*) &host_length, (const unsigned char*) &host_length + sizeof(host_length));
handshake_interp->NewData(orig, begin, end);
}
catch ( const binpac::Exception& e )
{
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
- fprintf(stderr, "Handshake exception: %s\n", e.c_msg());
}
}
diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h
index a17611846c..3294aa9db5 100644
--- a/src/analyzer/protocol/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@@ -21,7 +21,7 @@ public:
virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(uint64 seq, int len, bool orig);
- void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig);
+ void SendHandshake(const u_char* begin, const u_char* end, bool orig);
// Overriden from tcp::TCP_ApplicationAnalyzer.
virtual void EndpointEOF(bool is_orig);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 709e8c32b2..3d61b215a2 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
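Review bot: After the `catch`, `SendHandshake` reports a `ProtocolViolation` but leaves `handshake_interp` untouched, and the next record payload is fed to it as if nothing had happened; now that the handshake interpreter parses as a flowunit, its buffer may be mid-record when the exception was thrown, so later fragments are presumably parsed against stale state. The record layer already returns early on `bro_analyzer()->Skipping()` (PATCH 176 above); mirroring that here with `if ( Skipping() ) return;` before the `try` would at least stop feeding the interpreter once the analyzer has been disabled, and whether the binpac flow buffer also needs an explicit reset on exception is worth confirming. A one-line comment on SendHandshake saying that it forwards raw record payloads, not whole messages, and that reassembly across records now happens in the handshake interpreter would document the new contract.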
@@ -23,11 +23,9 @@ refine connection SSL_Conn += {
return true;
%}
- function proc_handshake(rec: SSLRecord, msg_type: uint8, length: uint24, data: bytestring, is_orig: bool) : bool
+ function proc_handshake(rec: SSLRecord, data: bytestring, is_orig: bool) : bool
%{
- fprintf(stderr, "Forwarding to Handshake analyzer: msg_type: %u, length: %u\n", msg_type, to_int()(length));
- fprintf(stderr, "%u\n", data.end() - data.begin());
- bro_analyzer()->SendHandshake(msg_type, to_int()(length), data.begin(), data.end(), is_orig);
+ bro_analyzer()->SendHandshake(data.begin(), data.end(), is_orig);
return true;
%}
};
@@ -58,5 +56,5 @@ refine typeattr V2ClientMasterKey += &let {
};
refine typeattr Handshake += &let {
- proc : bool = $context.connection.proc_handshake(rec, msg_type, length, data, rec.is_orig);
+ proc : bool = $context.connection.proc_handshake(rec, data, rec.is_orig);
};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index b0f51cd54a..a90bd03868 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -43,9 +43,10 @@ refine casetype PlaintextRecord += {
};
type Handshake(rec: SSLRecord) = record {
- msg_type: uint8;
- length: uint24;
- data: bytestring &length=to_int()(length);
+# msg_type: uint8;
+# length: uint24;
+# data: bytestring &length=to_int()(length);
+ data: bytestring &restofdata;
};
######################################################################
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index a52381189b..17432fa5cb 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
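Review bot: The three `#`-commented field lines kept above `data: bytestring &restofdata;` in the ssl-protocol.pac hunk are dead code; now that the message header is parsed by `HandshakeRecord` in tls-handshake-protocol.pac, delete them and replace them with a comment that explains the design, e.g. `# A handshake message may span several records, so the raw payload is forwarded to the handshake analyzer, which reassembles and parses it.` That also makes explicit that the record layer no longer checks handshake framing at all, which appears to be intended.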
@@ -200,10 +200,10 @@ refine connection Handshake_Conn += { return true; %} - function proc_handshake(is_orig: bool, msg_type: uint8, length: uint32) : bool + function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool %{ BifEvent::generate_ssl_handshake_message(bro_analyzer(), - bro_analyzer()->Conn(), is_orig, msg_type, length); + bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); return true; %} diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 25f890d089..296df5fb9d 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -25,10 +25,9 @@ enum HandshakeType { type HandshakeRecord(is_orig: bool) = record { msg_type: uint8; - msg_length: uint32; + msg_length: uint24; rec: Handshake(this); -# rec: bytestring &length=10 &transient; -} &length=(msg_length + 5); +} &length=(to_int()(msg_length) + 4); type Handshake(rec: HandshakeRecord) = case rec.msg_type of { HELLO_REQUEST -> hello_request : HelloRequest(rec); @@ -500,34 +499,14 @@ refine connection Handshake_Conn += { %member{ uint32 chosen_cipher_; - uint8 msg_type_; - uint32 msg_length_; %} %init{ chosen_cipher_ = NO_CHOSEN_CIPHER; - msg_type_ = 0; - msg_length_ = 0; %} function chosen_cipher() : int %{ return chosen_cipher_; %} - function msg_type() : uint8 %{ return msg_type_; %} - - function msg_length() : uint32 %{ fprintf(stderr, "Got length %d\n", msg_length_); return msg_length_; %} - - function set_msg_type(type: uint8) : bool - %{ - msg_type_ = type; - return true; - %} - - function set_msg_length(len: uint32) : bool - %{ - msg_length_ = len; - return true; - %} - function set_cipher(cipher: uint32) : bool %{ chosen_cipher_ = cipher; diff --git a/src/analyzer/protocol/ssl/tls-handshake.pac b/src/analyzer/protocol/ssl/tls-handshake.pac index 36d6999557..a3c45fa492 100644 --- a/src/analyzer/protocol/ssl/tls-handshake.pac 
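Review bot: `HandshakeRecord` in tls-handshake-protocol.pac now sizes itself from a peer-controlled 24-bit `msg_length` (`&length=(to_int()(msg_length) + 4)`) with no bound, so a single handshake header can declare up to 16 MiB that the flow will presumably wait for and buffer before any event fires; the hunk shows no limit elsewhere. Since certificate-chain messages can legitimately be large a hard cap may be wrong, but the resource implication should be documented on the type, e.g. `# msg_length is peer-controlled (up to 2^24-1); the flow buffers the whole message before parsing.` The `+4` (1-byte type plus 3-byte length) replacing the old `+5` is consistent with the `uint24` change to proc_handshake in tls-handshake-analyzer.pac earlier on this line. The second hunk in this file is a pure deletion of the unused msg_type_/msg_length_ members and needs nothing.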
+++ b/src/analyzer/protocol/ssl/tls-handshake.pac @@ -13,6 +13,7 @@ connection Handshake_Conn(bro_analyzer: BroAnalyzer) { downflow = Handshake_Flow(false); }; +%include ssl-defs.pac %include tls-handshake-protocol.pac flow Handshake_Flow(is_orig: bool) { @@ -20,4 +21,3 @@ flow Handshake_Flow(is_orig: bool) { } %include tls-handshake-analyzer.pac -%include ssl-defs.pac diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/.stdout new file mode 100644 index 0000000000..5caff40c4a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/.stdout @@ -0,0 +1 @@ +10000 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/ssl.log new file mode 100644 index 0000000000..c8278858e5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/ssl.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2015-03-12-01-22-34 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1426117218.083491 CXWv6p3arKYeMETxOg 192.168.6.86 61454 104.236.167.107 4433 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 secp256r1 104.236.167.107 F - - F FsQdqWuF9t3e4W0d (empty) - - - - +#close 2015-03-12-01-22-34 
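Review bot: `%include ssl-defs.pac` is moved ahead of `%include tls-handshake-protocol.pac` without saying why; presumably the protocol definitions now reference something from ssl-defs.pac (the `uint24`/`to_int()` helpers used on this page are a likely candidate, but that is not visible here). A one-line comment would keep a future reorder from breaking the build: `# ssl-defs.pac must precede tls-handshake-protocol.pac, which uses its definitions.`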
diff --git a/testing/btest/Traces/tls/tls-fragmented-handshake.pcap.gz b/testing/btest/Traces/tls/tls-fragmented-handshake.pcap.gz new file mode 100644 index 0000000000000000000000000000000000000000..6642502fa068a4c7c98ca20d145b6ae997adce6b GIT binary patch literal 37320 zcmb@Pd0bQ1*7u+1u`N|^r4GowMWIy@5rrxW3M8o`B9c_8AY-a15z&Ns45UsMg<=XQ z2!X^pkSan%P-dbiB0`7~B?2LV010z|03jsgygSq(AfVXykDkx@tYXg2$v%6p@A|E^ zj!x9qUk3>PXaE1r@;mOk*4^hI=EM=K-;u*>j~>Jx_C0#g^N69B+d;4Yxi~tTgJt7Q z6+FGu3(hauwnrm-yUqFA!E4_SBBI-%lr7@Suq$!Ge*N7ZrR(r_oW z4EfmMV$F)GP0yg3{(+CB@ydV11l&BJ$I7?mKr$}U9d zEE4^UgNJqhHX43^#73Q$IY z={*r5*HKPc4=4EbjjH;T2h8xIoJ2da9lrHdz;Tz{(9F3xPJQ(l_%X*m+Q@waS8w4# zv<0D<-zovay5H~v-2)mW@NKhB5};3aw5*qvyUD$R0k27WkF1_Okxv(4jQ(Pi? z@?U0byRV(=PfyRhbl;HfAJ;HDK3(hh((KNJ0GAMUc)>ibnOEm;4LODFJ!q))zG2oq z|D&7CbTn*Xt6v8EvMK+>(ro{}^r#aq2RkF3?CbJdYQhU>u*02=>8Iy$ydPW`4Onsq z3YSqKNmf_^>l;E$&y(U-riEu+j;6fARTj`AMTI_mL2StLk4tlvV;s7wnqq9VS&{7F z=%r3P3op+>N|C)qZ!*&&)UoenE=@xR--|D;5YeF;mjHxY8LhgAz0p-sJ#?3zUn-*v zc@l=Z)G33vLg}I>P*~k^Ea3^RSkB5JuwN1JY%S3erny)xBD_tlOffKI8Z2yi=HY`^ zt$Q|kc|v8~oBTW_5Oif!JIAf8=F1#BXAtU2H&rOi5xrN@#WfpCzJWTs=y0)Uh`^7| z2u_o$q3TECWQ8&^qKHKqmC*^Ey}sz-$Gl*ks7N*>DPU|XW1z(a^iUEs!i#F?UY`^6 zvY=Q>p>}VQjU=e&2 zdNll5grYo$NS8;=GjCI97Izt8g9d%W2TCw7c_W55S}Y9f`U)2=PDdidv4O$;XL)oM z3nAwdLb&xt-d*O*VX>yOOoaApYZiHf=TZ?$E9$ipa)$hAvaW^;1tXUTk|Cn(9(0cS zNdlZj5tisffdLWdq2ER?aLq_INX+_(+I}U?^N1B_WCgma0&Q4<&Zt0R zE6_a^XzeI;@v%+cq1A^&9O`S{8mf`cIJ6bej(A(dicBt#r$+!)VFQp*ZGlvMxDJC%NrLj&WK)P$ zaZ5_e^^cRla9p`{;NuG$x^_MK`{38LtL(zx2a6X=rT#7K81N;RO226_{e$;Y_^fd! 
z@!|r|L#4-q(slbc?aD6)nMJM+ZlVlEH!JY?Bv^3yAN>)X!% z>;38PA}^KJlw1!-FknZ7OpP8 zwIVI{_U^m-<*6%3vBxKz6vTGzzH3mPv0~hb&#Ll2S46}v*{yoAZX*;k)AD8wCS?UGg!r;T>{y)z=ja-cniWt>kI@% zmoQp7xJD{LTxQ0$lb&NMBKO+;e)rHtjcd36eWY}i!A^&D&;B;8*}d;>RIJOzuB(SN zbqiM2?kG3h9kBN^Or>EJ*kcNoCZ^mMy`B+E49EM%%Lg^7S?9#q;?35IVUwt=mM_yB ze2S!Nq$IrzOgRQR0=KT=oe6Ln`Mnx*5q@ppKR1}G!gjVB@22d1W2%D3-M)OdbcMl6 zhjrzVR(5;t9*WiYEK|Lc_b~;L=k5_-DA>M{JJfwAQX*t_(IQ&$1%h^dFDK#95G9l%|w_KDKvX zD%+#<6>7s;Qz!~dvXo#keXz@4Odnbqs(*;)bPRW$xgu<3yRj9;YGh9}CKetykT_-n zLnt@23b49s9qSU?6?-^gMZt<%T@};a!wI?tYif^_8(IfA+^vXpiSL@qWRcMDQl3-P z9lNY&DBo(nrg@m{d=Wg@tYNtFEGcqRn0KidYmz?Pd+k2jTUdi}EzaWy6YgwEaV<qaDav(GMkH;%b{zHjJO4k^; zJFKgSbg-+udnjHb>-Oc(Gl`9EZ`ueEj7%YGI|k$_7V!KZ=SwA_ZG}>azjb%?K;jMN znlSfvV{3}TNM$u99-gH%-Hv-U^#FpM3^L%~xd&Y0FZy@ZgUeq&S@Wa&$#rvoclfpP z|J)Y8H7!1w`StHReqHl_Zu9>g_29q-*Dx%5R>C6h2bWgv;E0E9b|ib(w8Rn%4-uF3 zth)zg^F5*r$OB}LQZcu1G}1f=?vuvQ2(&orZC2#BF(qRo1&K+%M@B+kRd}=grPY30 z*k6W(KW+Mx=8iZ7()qX|0j#a( zg2jZE>;7WIAROGqFzfl*=dSGdV(qe{^S4BO?YRBS$BQw~E)fhA+%{$=yZSF|wu_69bPL zaJa!-9cI^_wVSekoB5jG4$DZ)8~ zFz^RtT!a{@+GxVl85K9NnDsqohs2{VE-ki~Q&C8R;@-0)gK)v`?a?m_2%)~EG;g-9wi&(rzC( zQo7o}&LQ*jOf@zJNCrW^O%rTV_6#UZEI3JEllukf6ea;5MAL>=`5zn&RuU$}_A3 zT<&(px+HYvA7<+o7}olanW(>g@KKX|`lp!^?vHf6jxbF54^KSGO6*hMURxL|Iu5e* z2edMBgq6c&TNw>ri}x;7(=ksUF7m`>1aW5<*yCFaDg=?1u;U)3JVc;l9~H%Q?kkAc zBdjyp3>-mw3pa0WQOHJ7h8ZQ02RjTCk?{}6!GZmLju}@5w?E5rA$Rv5Prwvd)VJ0e zG6RC|S13(p_FdJO1bD$f?G2`3SU`K0HN|D*b4@5j#H^~^9`SKpJr_%FYWJop2zz*`%E6Bt9Ps9fe_$dk%v)-IV9tAE zGP7Ue^ZJiR|6O9za_5JLZ#Ex)dT`r3txq*wUUGlr`-IlCMbsZn&Sd`Zd$i5(HVmi< zV_1a9uhgPSEOSD6z!Ri!!a~XhZ!<-~1V8%CQG0^gFh5cc8qDVBVX(J@MrX}S=I%K;x|aFRm|wb_g{pH~h$YuxFO>Hxo{l8%I}eSkHR8 zXZ*=JR?$zJH$v**DaF|{2;kPC`GcJTIxE4QL11?Gl)LQa+;}|xQ0ejv-*0TpsN7)8 zs@(JLWUler%IqImC40u7tY+=m5vC6Wps(aIbpGIt5UxXC;Xcj_O%(R%;dK zr>3vwnEsr5vgDgZ*ehPMR7^jtvz_{rKkfPmN!v?#(`M_);h~!A=i-o@UmjmVk(~Q` zB|Uo|kFp~-d3%=%m);u*eTKWQbZWH2MGOt}KyqpOKww(C-&v_&e!oX&`#^O)lgip^ z_)E~0l35zsfA#)!R&BM#&rK)isE;>oaNj-M?U;VhJ3}@Y27&uUOUZvN#~s)RwF()8 
z!Dg`j_G}Rg&^+UQ`%B}dE=PBc>Au{UlITU)>t4&xY6bJZYk#qe2tKF!T8wt|z|rfL z%V9G!RauyAgiPZ}P;{CAahxl+biRXCn7RgX<@LO{g6&N^$6ryOvrEO)a^Ca$;Ied0 zkD^_jI~8-y!SFgVo6<-5j1qc zqm+s`>RZ}b6cn=DzeMM__(ErT6sz3^{9<|F7vn~OIc}tL7h?um%Z0F{winxpD?>KS$W-^_8dzAt)p>=-6ctq@#F7H60>$y? z%0nCCN^BNkuX-&!OIpR*uDssf-1Fm2idBVE=W%}TC}}W*U{)j$oU%UY}czQCRRvdO+~hA>frkH1dpOUoktvv z#+wRJoxuI9aZ2FoGz@mIWY?m20piiUFx<$0Zt_B(lO>kw+!SCOSRkY!xhCpYuoF*~+ztu@g*|NoUWjS#kJ>ALh<>*!6Vl*2N3%{_)3*Ocgt3 zgT3tpulV}82ww2M$H5UNR`czINW^mgPA70WJIX-ONkbaI`%Fj%+JVnnVx24w`<9v- zp{RkkQ&~5_29s-B!_wy*gr^L}%%!X-$@{kIte4>#-yf3aHaUMS+`36q)kJieyVvnt z_124vuV#OHVZbv)XG1j!tE2d2v%p7gv=E2tshn zfJ4(=kuMdAyOb`KUf}tXwTrNSdd)rSw2HH}Y4Mz#pL5Tum`dE(yNPxo+11xBX{Qey zydH$hre|P;FuRV-eZ)&4 zw_m#5&^8!6aI4XaE4=n8SKUjD z4mtkP?V7gM;OoE2cEU_LGT)i%iw8h-g9Usg7}!pZa^;fEJ`HjiBA6@J%mcrV_KAU` z*DSSQb!{(p5=}y~UtEh;F+CB#*x9+!k@g}ay2dlx_1fTf>FlFLGct8+);Nv2gi;&; z8Nc+j5fR~pG_Z|;VT{Brwp4V0wTXCHxi-NmE{=U2!aW9DxdX`n-q_XdEMsTf&*Mue zF3Cs&Jqej`8AVk~E+Qj&1r@G_wf2Vi*j1dJO(t`4_U1;HoLGdt=B0JEUe#owGws)# zvNDz0dsO} zRZPL~y7m`HVn9eX>spF-_rOuAr8#V7CQ-NY=_=sJMNS(bBfx^!mjhpfhyXll@(BY- zs`V&BcKSQgSRpAjo!PF`L9=xBj7*XZ8=-6PoY!&@dLvW{m|PE&PJ(m{O>yB|;Eccm zIx=mEDIr}i-Kg5;gRgIvA>WxS7+uOMewA)|v}jA`H;%aHA*XA!vbk42-E=>P+aY2r zIMwA3g%?Q3c?y09Nl#60>AI91&aL_26tgyC_&1b|fkHIb#2(*eRbXGpxFLq<2I1`) ztVmRD<&Z%Sr%rmAp+OMMjS^$o$GA&3Q38oD55S(i4~qm1JK_XcR>tZ{!OtsCyK8R{ zUrAJBSR55>Q86|Cr{{{7+FA2eoGnfB<^=wn+kCaeC2T__+|cdL;hyh()e_C0a<&NO ztq=So?{wwTsZ9aKfyWdDAke60#~?f?lv4bL^QFzv0tOAN178cbY*H@?{}tyOXL>jL12IQZFD2T!J0^N4PfXnFE_=A8Mo&1wq^2YWxYs3mj60dz+(t`0%-SsB{v68K_Q4tLDe|$Kw`jS_)SlBBUlV3;ioav*Oi|PYg5q4BUf!8 z1-c^+99J0IG3Xm{3eBRx204`r~I{5J#TK;MueR1zXEuJuNRf5D_FO~>HxjHcSV~|HF+c0C;l0vqV zSBXvS@ujm_S~qcsgTAF&3NLT7Fs~#eQ`(L)NnG@6<*zl{gKVP9efcNf_FBY?Qj40IXA32^<+ zBtVn-O7|#wIyQRBs+mLe8`@c zZdbJz4qpDNY&&da$2wJ0P*UR5NHWRACNVK?n{I?W5YA?sgX*@h${%6~1aV8_AdXbE zOws)xuz(AJUOY-C+1)Mx>o@x(i}F7Z2TUFdz9m=;27FnOOqjnijuJNH34-RrlG5Nn z!7=XWQMicf-x$IjWs-&}3-tDgv9jyZJBp(%QH`Ytq{6fVP^xrA* 
z?>&f32Z?jQ@;w*a%;jkUsHsrOlZ*hZV;DrLDdVq}nrO^O_7Lnb#w2ZKRVKPuZSYmX z)8FK>r^$Ve>3Eo#)FikE2&d()sNyMSkHGyMm*sr0Ul;HM@|9Jt}nrSD)|z?Nq;ENeT3v_`mHL1T;v33MHVylrrzRYzhrYu74D_03m(e zb>9s5lF~1E<|8KffU5)GXA>L5!h5(4I7P$Q3OSy?RLKg!RuH^yhBWj6MxAg3D>Rzk z5k435L`ZitGY)U7H)Z}#_j>4;F*@Ybwb?kl|D}QzX^M94`%MdJz%|BY3=g_deY@!} ztZyk5Y`HzYsTyc;B}0Sm&jtVJnR4@e_-e7RfeNOzIhfYzVlb@>C8EI#o}#g3GTI%x z!S`CC7K3wCu+!KyDepz)dlUFlst7d+RejWCQv%$Tm!4}(ASzg;cwknEY}pLDKRa05 zOy=m0zux#EG)s?uKygze)+E%W&nY%iK2RmC0z~L5xsXYM)Jz>rp?ep=a%I$GWgM84 z$Er+m@7dr>O*Ch4JOs$`CZ?tN3?XSET@9j@+pZ?q^f6%5M~emYUJejb1+k%{=1?)v zC$3IprSbSA#%E9b$WLLo_mEXlLrQ{5JlCWwah5Fr>truJ?RVqFrxB?L>Xo#a4$L+5^8@e}mN3%wXeQ)jc#InPJS7q$R_3$g>Nv8K` z&_@vI9mz}uQn_FIQU!Dccwn*M#{~{J|44(J9?ApZrcN-mrUt07k*HgJGOSHHlK&Ne znWa~@MxSp-H`C{@rr*1HZd>uD(IxC=0*1Iu;iGheM+srx@%ZqK)(T&^^*kw`OwSoS zBzCwfEBL-tO&`9iZ%d^5KKvj2(~ESj4}V`8v5I_QacLlWe$b8PsgClZyV88ERql2aPUb$C%Tt!DLa9%4#2{CWTdQ?(-m1QbJHC9 z)1_T4p_ZL0YPDmPvGG4!1yBOm;(WPsdovJ(G8(NZl=`E3_B9)BR37|$_6gq~;&^X) z>>Y-woahh!`>(Q}U|)5t`_q3Jwix2J>|CSU2X$Wi!5O+dJ zMPQc8z$~8*_O5tsb4#6qBR{GZMk@uY=Bt)e0ioPS40Ya;(%0b>o!XgL1&w})Mi8PK zjQi{_1@CCmxMaV<^+oWPA0kXYe#7U;PO6~8sZja^Ba5v?L~>vb08UGzB9O9}Z@CAA z!Rgk=ixC|;&W?RY(lnrhBn_Nb&A`qMSIv6ozW6djB-IEAt!yEy{VPm5m8D1ck%UCm z8fwC=rXww&p^qFnxL`^$Fn@}+?B#!{fV=Yglr zH^(su7YG10W%eu zK2WFFtAM+-lb(0|oR&q{zU?FZsmsDU@09D7xq92q2YT!9kQ2(FSdmmu%k}My7XheA zmw=Es+R27W14|Na>3uSi%EN)Y$*6XD*biW;Uk_SYYOGJT>e~~E*=G^QPh7-QHE9>j zOdp%52OcR0nhPCFHm1u)C_%`8%tb&Z+n51VPYTbt*Ipxd2VW!6ev#`NpTG-D!1pj> z5wLb@IqB0xCxJ2^c1+@QTtTBHLDs;-V$B9&6$uewOE)af`Xf}NU9i}Z_B`ZljX}2S zpM!JK?T;31?bMi&$yOX8TU&%M>mq>UnX(jRMm17z5AOOCBM=QEDBS>ri*sKLD#cDN zpr6PHl59&g-PhhgGElTBfKaXlHWnJ#SR~tOSnUhTnAC++C}i($Te^jJ`sXQR@1?aI zG04S0xL_3o5Y5*FsSTnW5X~R=p+0B#L`obpk#qlare!q+FK`ce9;O0gMwGfii#(2aHYiI>MbiewcRlrWA$S#+0f=6jjCx zgQZ}-1jo%_zU#m||0U=~iGhae&EDN-?N=A>Yq~UtrfT|_usFHs^nt2&6c7*&#>gEWxZ zN+||Xlq^>nKAcSSdWUCE7P4m~)qMb`s3J~Hg)|e;s(d72Z;k#&%3mN{plWN=c z2;z~An>B9(T+hzshhvZi3Z6YSW4KL6$+D!UJ3^?c0}>&KgfG46W1)%Kd5tKM>P-c`SEZ=7DWbbI^vGcjd; 
zqukbp9s?BMZlgN*R1-}wLJW_Fce75|}vK~UV1GC`S>vEczzfUWfP3#M2>5UN&FRRvX;(SJ{?{rt4++?15Zacfh4Fi96lDOY}IL z`tIa>;!5|V%N~bP$Dh2Vrg!)>cJdCNG&8~EMhEjjUCwEpjUW%RInb1+18Y82)?+ac z=L8i1r>UX_I8FJveB%s@^x^h;5c(-`3#1J{6^SmV4}+4Aq3bs^0vkL*&8s>$yfnp0 zQ{E?tM2(68sHXr>e~IT7^}Ze~ENIsgh_PrZaqSws$y^Gf1e4WUdmC?JKw&(?WcAnH zmXEsrt&olJ+lLC7((<7~rnJ0K$ljpY*4#AaZm?d8znKM0d^pi%v^z`)5@z;Ok%+QEhTiej{9HYw z^q{H^u@!kBw%eYQH^}Hbo-r&TWNu0+&PhT-78E4S%paEG>OD+u_j~qCH&nQlt(Fge zK6o-i-7oA)=PVbUwvnI4nYJDLY}oqd4W$Ky`VD$4qk?GJmq1u}3<|^o*51ys zG(=49%o7Y%N$>g~UmK*ZL016lJ_MVL2~H8149YJ9@j*3mqt|~g^4GPO5B~dR*)G`5 zj&=KpF(JRdbbD_iyYKweJjY29#^Xgu8p17yBZolsXBODwx#05O0*@$PZ&FoERVe%a zz)eGU!76~WI0AMS6q8)_J6&Nq@S^8@@J&)gxPOiGg9H|yWvO}Nn3uQd;__yJ?DT-3?_(QLRVr;=% zg-m85?pPi$KSd!m( z{+h%Ts?^9J+3&hLIH7c_`R3Z$H_s85ZXPY{Zs&pYV>L~CIok!KhXjo((?iTg{{sS^ zLy5pEw*={{0=!vR*V942kQzM!%Y)=Rykfp2F_-x`Y-NwJH|4x+4+q1CFH|uF|3P|_ zaVY-Ybn5iUNir(mnFQejz|RS9JtRhhTc!>|*0vZx?{oD;9ttXo5Po{h*;LJcoFEyh z`>3XCPMfbc1z^Q@!$8{cBd{Bmfko(fp%g*r&zI8tu|fC`=0{Z8;q!rFoeD%6Sjbq?e>VZ_E9v%Ys|qL?f(A9AxW^NdE^J7L!zqCX zRKBm#Fwm-1vkWIB9x|26+*BAgUcZ~-uWItZR)`>EN)ZKs9E`!T#)t!%W9L1YV>&TV z6(?MBeEOq>&RczOiqD^*B2MyG;PQf3AnQL%9T_?NEX`EIThYWqxfFGUk|Ku_N;Po9 zTA)fIZ%FwFhSUPhO3p9^!MmjZjEMk@6-}M(evhI=iAd(<@c5_mda`uw+~!f2x8S|2^%QL zsJvdQt0h_*+`oEvo;6)vxVI^K4(^wrYbvJk>7F}hoUF*p0kL98;3L+#0~W4IP+z|^ z0)!NT=@xGhdHNJd{#ZWbP&X`pfY|5x7&Pg-T7+d#el2X3vZ-+f(cr3 zBaIRRe!5v8x6KozwuXYTJsnvaKnZ1f)JIq=(^GHQ>_hIG&V>6Gf4WiY3*Ps`Up+Kk z`~YORbaM+q*pp3J4{ARz`I>Tdy0H)_@wCO|fY8u7khNV-Lm4Q_20`F+_zd_T3on3p z^!zXD*Vdh(9Z#+|%@HLM$mS@Q-_KxQcJwFF6tdQcEZO4Q(*jOq^}ifce>G9f3N zFkqnLn5>&{fDuclFk>HyipjcxhRV8nP%}Z!6`g-~NR*NDMBpF|)&KucWu`1Q^Se=Y zQ;Hk<^M*q|_tl!sCrA!H!wsM@LPSG=i8Xn1`mns!!RPt0_(BZaI>Wm$B;H~)5h#sv zfbUw8B5$6#q{vtGKrr(EJI_&>)%b?l-knrWQ9(ATnDm;e6p5OA#AuK>Ap-Dz4^77^ zDtgk-{T&&b7TgvX-zg zJ@%lc&0BGovBbv=6mwvtBcFVM?| z7d%Y(x_Eo9?kS`B`16g{q(%5&vy&t{_?o{LJB;w9lXlC5&l_JWH`P`D{wq*Yb)*(NiTJ1oMCGd{fw!p^=%K>WX ze#4k@UDp^DMV_)^b>YuVXXhCG67*-uTn*Qt*UnQg-{OxJcfI+CUCJ^P(Lik}C`f%J 
z$0eIWMOY9e$w9b-{PVH3WAVhwE>&7=IzN+wvPlP9UH?+f9O;T(=IUK{{hW(V-7k;B zm?`1wyUc{5y^l#XkwIL-nyT0entQpHAgiTV2wL)_hxbYT7alqyj+7hbiZ=LukUROt zo)l!M(ChHQ1 z`C!kEC#A`Di!YyYCnfBgN9Giz=vVfiFIA$>8lSvp=@pD^hF8< z?6;KXdR$=u1Z5mp5Be8^RrF;d(7J|{LD(rv%*KYow0!?X-<96Y$TW0QDgmue(5@RH zPavodF9%uOzlAbL6lLKUC3FA-s$Cn7oS%C{B|R*C**j3u_6Sf>tfnKE_qx`EzY0AG zk`_bpp&)|;rfmYG?M6#bmZME*8PHohPdW^oVH}!{2!Z&K%>3?bJ_3Ehw^WY;EM~eSP?M+Q;xVXbn+JY4vhU-8g*KYS?!c)D z1WrxSVee8}I$YNLq8>j~CT1pacZET5B!l9?P_Pdl1N-nTsb7e~0qnySMb39Gf?rKp z>-HYLKHxE;%SZ0mHtlrFiffZsqbX4>zY%OJyiAVV9;7390J*3gWK0pt9)aLHC>_@K zO87t3gHOV;K>hx5;)IqUla->`R1QD}T~*E4wG|;Jaoa7bdafNj?|?k2ze9bZT83J`o=$O1?M-( z9P(X*hw5Zf#X|y97{c{$h~nL&Gw*Q+-G?@0Q4?W|E)RE+(2) zG6;37Wj!IA3}t6hqhTkyJls%Pp>?nSHf2#$VBK9F7?gQvT`jAM959rvG%f9F{}rVc zYWAA-kUVe5?+*2@Yf3EC$#Vz^ANVgURcNUb{!AdgX3BFP`TZr`^`2DT)+jQB$JBY= z8kRSk7!-HMwx55Qpg5StFT&mzR{Q0Tf*vnDplqu!xW;WzzK1w2Vk}Y&Uf?PR?|5%#4ciU7KvW$;|kZCQ1Q41*~ zf1SQ|pj_O-Yk&psR#o9984K39nV6n4Qg^Ar^~sY3_?X71FVHK7mp#;+UA(Jz$0?)n zruT$49@@IK@oBh_h8TGP?>|tvE~{!dot~3tthiQ0T|0nq&bw!m+putv zVNp52w!uMZVSUF29%*V^8k5NkttRKNDL`rx0WHZAC|Y(ROB}9g7!%hI-R^ros9LOwm{NW@ZbJ^3YgKTC3#52 zHXRF;VkvmG-W1MFQpz@F%3Hyht{=%HElNHxnWlru)ozLg3)8JK6q9I3?*j`HYRTp> zNtqfY7c5L|PHXnd>qSTnrde33%zr-6m5)Bq;bLB(}dy3 z@?1UC`RVvE@6mgB{geh9lkiZ05Ufj-zBud1ppkHp(>}@tno3DioHaMNBz_qjG`+|J z8MV5ybocT!A;|fU01+^;Hk_i%4$-gx^)GLV*Cq!d$+ZvEwMhiG=}Z;G!A-i5XF?nS z0#nNrrJ%WjWs_cu(c9700~W52VCRemFiArWmzw5_a-oqP)L>Um=&_K}6$1Z$LO3zF zp9UVQtJC)w@j?9KingBP%5^&=?S{~js^}V!w^gXu;=>09O;PlMz9-vEC}0<1^4H|a zK-~5i+`8DeEhJt(dJ@EKqwF90Qa>_2lEVz!k9+{D7YavG*02goBefuJ87QaAre^bi512$A&;NTwS=xnF0?kE$&U({FGb_z_^=fvbik2e`w zX+30rUA(h*<0;zwxA}z=I82#xIF+ebtJkKSz?>CN))}QI>|qkg!==$eOY>^Nh+mgA z<=&vYEmnV&8i`p8f^O;5$T9>zi~kMX1Quh~{S8Tj9{hmsw>z!fZwPPJ(CZ0Y{cBm^ z$E*u$GCw~>BH|lZs@j2_xhgjv(u&Vk>r2(Gqsl4v<%AjwX$~a|sc06Np%e|k4}N^l zbE-ZnV?}-$E;H<%GC}dmYtK&)yV<#smb~GHV?Oj`1Tf;MylccZ~Ys^yB$m5>(?W#6H`p|vsGdPcSz%Dzjz1WTWiz($rgWhk^8 zefo*ur#w!U%Utdu753btWVtnPoHmm83HALa9E!zbl=cS6PLHFs>Y26TC^-ct66B+F 
zn=VyQg_g|VN5E|w%}6S?X<=v3!3t2VKkCwV(GsZvN#hGLa>MG^i8!}|hED>_fAGpL z1hn8NWdWtxEEGiBi6dL5?;Qdpu|uf#>03-rDiEsTT%|>RT@l!jjc$WQQ&7&6@al?m zz*DFM;E(h!IohTF(H55sRC5gjrVCEtvHgTy3OIo=*dQ^>2~O&ms~ z1m-{T^3|Wh<92fSq0$_L+pXa;#B2Z3?)rH}W;~QYBWIul*BBMk@Lxch@eJf zb?r^oXaxG)wOLJC7ric=@m-O;ylKg7;jT@VC7Tyi#k@1+J&it$UE#YtQLCJ@OR#gj zX>49h<;+X~7-(unD-WjkLz4OEh}B9Pu|tHJyLI*4Nz25J*RGyqWV{em(9E9g9y6| z5!Bv>;=tPrwEHSSJY|b1i4kj$(t!8}!T)sy?=q;v$6N3dI~{ypV1!wR`}X&8^rvV| z`3BggXpO0w_cyHu7AOMDVB~-VFL#NBO2sXNffM)PIN7t{ejF&_-adU-62UUl&*}H5 z+9^nKeXL*du&*jar8m~xYB;!U! zIe`b(Y_L+7k?$ZC;tT+8OC@{cH&q&CHR|u3m|loAp8Gi^Vk!xdmuxz1%AtgcawrN! zQkpEJL|$l$ysYRrz`5OdH3YoUh@@Sxd} z6g`BJi&U~HRWCk98`wDpGi>WIu^-5*1_#`3MZE>SowXJ19HuT6BkSea&-W(m;f*Z9 z-W&Azvw}@oJdy}}kRtzEK~!r~18utGLZo^=YpIC=JS3BklM`?9=@uX`nROxT;SecY zTq9$yE_S~)e7!W17dG@u-x*PNK7Z(hjN_igFO67>e2#Xsc`jt?wPjs!K|SZ?_2Eys zc6JS8sngYrtuFLwcAT^o^z}EJf|gjLJ!pER`mk40KqGwWo87$%4Bv ze?*@-zT)umAGBuI?s~d&>-Wi7ksTN;8lzQ`*#Si3^c84f;AVpt1rYH_@Mw^1}50Pz!7uv%OJ@ssr^MHUYPmxMJb3I^R9MPBfcCXxmW)f&2)_k3i9 zgheP}rDLx(lXyYe-7bBx5xN87ab1DPf^!h}KJYPdHB2J+?t#7@%H`FmVp9Wh;PAlq z4q0IB?VtzEAW`A8J*(Xmpk?7Bkf`v8O+x7no)xVa-yd^~>)x7r8teXXCgJO7OMA)% znD;uVx{EFZ!qoJ}4*!0{@CB!Gf?}ZP47*qvnwyZpI9}p!lnCK~u{ zmg?Nyt-vtjpgYlR;3vr&j;VEEPJD3NOb=A>~SWG4OF-19KU88(2xV3&t3 zg;EMH%Olcbp>`lvJ!jXH6P}v7mqTnN7Jo#m%k_?)T24wB$Q@ahpyTr7N$ejnXMSIC zc*PIPXaC3Q>8`Ci7pzw`1=>8-2i{GxoOnPNvI5V4OR|4IW#ISVex_1T*}Z)4cjv2j zUEFzf!-5+ztD?7itWYueSbaCCGBt@L|t4Sl?8a$4BaO zz|)u+9zJjuF?AdYoW&U8g8mIJCSv5?Z%bhbc^-GXw|-|rxp zhN=+Xk|u4(|AE#u^7NuZ=^$_AG8G%5oU!azto9v>WU5wg+x0)TH?@_n){ z!k3GrAn;0l0 z#Vl7@7pih~G4|FlA81bvm|H>hmR(Ak!|2>~=p$i_stU@|1q};9EgfCbFcM{L**);P zrw}PFvU)2#WsGOAHx+iRPwuJqyPPz+aq@mA%0fH;K+x)YW92~E_r2~@m-#*)x`N)xO0XT6;Z3*PK3wY_8AU)weU!bYEc%KY9`FdeHJxEme~zd#30%k@-&S02?pl*ps)Zh+k9>fc?9DGXqrzN@OWy+LGm3I+* zPA7dC76wob4Yn2<(CaP-_d}0$!Rk&_19@0wV_wO$v35 zqN8<(|L>vZ*Tp~eetF91Tl~q!xnH2apWdXJVVCeQXJlzXRJ@5AEmV@ddHAWCiK&_z zXo`?px_qQY&^Wh~@$g8L20C*DS%T8O@6ZPiwJA6ku>_Vj{NJ00LPUH&v+#{6+As=I 
zLJ)?SHS`Zl{Tv5x-1Qx6R2sNo3RUUp4y-C;O^!AbNo@RIi^*`>a7;pll5A`03l+@1>tOO9BFjsih5C2D{5mcV?cdcoLxC{h{MB#D!E!3+4xAr4q&pMX^s zj#8kZIy0#x1gLF+O5#&_?U-tD+8dNCiT=kmYW>^500=Nf z@oJd9N&`%l{wXSbG-lj6Ulq7Kit9wpvlnC&24t^?%w^UXbbR{8q>Z&>khAeXg|@^L3{whU}(IT zhp*SGQsBU3OR(5^$jz9#9h`n)j)@xD5jPKBc%V;9CuKFfIh~||l2s3Mcbe`dX;efk zmgo{)x~;Lrosso94ZXo64Vv^hzc94s7#HRT7a?WUA>0PY;s3REtualVVR#8K#F@d2 zasEKsEsGMzLZi+Vx%9*=3-J;gBid|08%0EeP!ze@o>Luji?G2aLENC!OSGb5C2kzB z?Kz^uS_G;AL|kuDptev-X=yp_x$J}N2RNt8w!dG#oaE$u=Y8MjeV*@qyrpR0L5#cD zJ|BIps*io1K7T2Fc=tN=bX!eV)4se_1+hP+>5W@P=a&8%Aj>_`2D&pg@rr6@5D>Qy zk_geU(FDSfkPFI}c&g}m5Y(gdk>39f{?ZQu)=YR+3&IU86gI*;gplBf2ka3GgCc~xMlW8!J+ka%h`TCaFXc+N9q92-2;JH_6;F^;^u7S zTtDHp4gvPvt@BOZ7LZtfYX!G(muPYE7Wy9eoExtVL;D&?u~8-`SJ3TAMD1K6e3dJ~ zEV`RBC0hu${&XaJ%`L5YzGZW}o;J;j=Q4LJ&0e`~%}{3|AcmU++Z48-(+)D?7!R$?UK2eu4-uh!Xx1Q3SzqY=k1a8d?hMuZrC26$9tmAvZqhpU>~KjzeT^_a;Tr-ZCNrd7|97!Rm&CD?(gHi`*}<4PZ%Q860#hc^PmRyWd_=%=){0B(;_c`NwIuJ^J{o;^Cb@8(o58*a~K zX0BW_5c*76p`sSvuVNb+J&OOXHXxlc4NVLX4`SS&6Hwb^BrB9AG4GesXCxDCy7OFf zi!Ll+^j8P4i3(x<7&qO0K`jlM@lY)!85E6sQ9g;LS!PyL>T#O%(nMpecKU$;Cak!| zv4;!$PAScfp=yX3kHK7@TQFB43wEv<*}#<=$|6atj909Rj)w2Th&@ZB8IH})pd-WC z9#5^=8YO0Yx;#&rC1E7UFYU!m8*#tgk9j%LP?vxSQW!E4iycPQP{8_G&y1JPVmk$S z(hisNd+exMB@FhmHA4mH?RJKxgG0aN2+4{V#G6qi?Rp1e&UraTjB3?kE~DD~{GMHy z@9AbAq0XOe6z!vZXi_CHFNM#(ByXtW^yT??5dSb-shU8vsBuiOEMpaAMaJ=-J;fT zwVthFzc@vd|7;U#85@DTS67G-j~wz1pt9$c>z@^w>LyBd^j2tW%eSTm`wlOw5n=$cexC Date: Thu, 12 Mar 2015 10:16:12 -0500 Subject: [PATCH 179/711] Give broker python bindings default install path within --prefix. --- CHANGES | 5 +++++ VERSION | 2 +- aux/broker | 2 +- configure | 6 ++++++ 4 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 836733370a..c93a21c4d3 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,9 @@ +2.3-533 | 2015-03-12 10:18:53 -0500 + + * Give broker python bindings default install path within --prefix. + (Jon Siwek) + 2.3-530 | 2015-03-10 13:22:39 -0500 * Fix broker data stores in absence of --enable-debug. (Jon Siwek) diff --git a/VERSION b/VERSION index 4a351a524e..781ee30b74 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-530 +2.3-533 diff --git a/aux/broker b/aux/broker index 78b8d909fa..11fd5761a6 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 78b8d909fadc66dd20ef89bc62b52b4e7c4b6f5f +Subproject commit 11fd5761a651d18d5ab80d7da545a1980c642e6d diff --git a/configure b/configure index 3f7295711c..b139ee2bec 100755 --- a/configure +++ b/configure @@ -149,6 +149,10 @@ while [ $# -ne 0 ]; do append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg append_cache_entry BRO_ROOT_DIR PATH $optarg append_cache_entry PY_MOD_INSTALL_DIR PATH $optarg/lib/broctl + + if [ -n "$user_enabled_broker" ]; then + append_cache_entry BROKER_PYTHON_HOME PATH $prefix + fi ;; --scriptdir=*) append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $optarg @@ -189,6 +193,8 @@ while [ $# -ne 0 ]; do --enable-broker) append_cache_entry ENABLE_CXX11 BOOL true append_cache_entry ENABLE_BROKER BOOL true + append_cache_entry BROKER_PYTHON_HOME PATH $prefix + user_enabled_broker="true" ;; --disable-broccoli) append_cache_entry INSTALL_BROCCOLI BOOL false From ccd5387a9fcba63f854b1d19f0b55986d8e89311 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 12 Mar 2015 10:59:49 -0500 Subject: [PATCH 180/711] Update NEWS file. BIT-1338 #close --- CHANGES | 4 ++++ NEWS | 11 +++++++---- VERSION | 2 +- aux/broker | 2 +- 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index c93a21c4d3..627aade078 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.3-534 | 2015-03-12 10:59:49 -0500 + + * Update NEWS file. (Jon Siwek) + 2.3-533 | 2015-03-12 10:18:53 -0500 * Give broker python bindings default install path within --prefix. 
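Review bot: In the configure `--prefix=*` branch the new entry uses `$prefix` while every neighbouring line uses `$optarg`; the hunk does not show `prefix` being assigned from `$optarg` in that branch, so if it is set elsewhere (or later) BROKER_PYTHON_HOME may end up with a stale or empty value. Either use the option value directly, `append_cache_entry BROKER_PYTHON_HOME PATH $optarg`, or make sure `prefix=$optarg` precedes this block. The two branches are also order-dependent: `--enable-broker` given before `--prefix` appends BROKER_PYTHON_HOME twice with different values, which is only correct if append_cache_entry lets the later entry win — not visible here. The enclosing `while` loop starts and ends outside both hunks.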
diff --git a/NEWS b/NEWS index ec94bd10fe..50e5ddd265 100644 --- a/NEWS +++ b/NEWS @@ -46,11 +46,9 @@ New Functionality TODO: Extend with some more information on Broker. Broker support is by default off for now; it can be enabled at - configure time with --enable-broker. It requires CAF + configure time with --enable-broker. It requires CAF version 0.13+ (https://github.com/actor-framework/actor-framework) as well as a - C++11 compiler. - - TODO: Add minumim version for CAF. + C++11 compiler (e.g. GCC 4.8+ or Clang 3.3+). Broker will become a mandatory dependency in future Bro versions. @@ -75,6 +73,11 @@ Changed Functionality have been added which contain the same information. The ``mime_type`` field of ``Files::Info`` also still has this info. + * The earliest point that new mime type information is available is + in the ``file_mime_type`` event which comes after the ``file_new`` + and ``file_over_new_connection`` events. Scripts which inspected + mime type info within those events will need to be adapted. + * Removed ``Files::add_analyzers_for_mime_type`` function. * Removed ``offset`` parameter of the ``file_extraction_limit`` diff --git a/VERSION b/VERSION index 781ee30b74..724cf738c6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-533 +2.3-534 diff --git a/aux/broker b/aux/broker index 11fd5761a6..0aa02aa696 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 11fd5761a651d18d5ab80d7da545a1980c642e6d +Subproject commit 0aa02aa6964e75de75af08ad71067f29cd8d2641 From b47376b8e4de7cc8f44bd746ceeb51b3e65469b7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 12 Mar 2015 13:09:44 -0500 Subject: [PATCH 181/711] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 0aa02aa696..1a2ab9ee7c 160000 --- a/aux/broker +++ b/aux/broker 
@@ -1 +1 @@
-Subproject commit 0aa02aa6964e75de75af08ad71067f29cd8d2641
+Subproject commit 1a2ab9ee7c80ca905e86a2a11283e7c0477341a9
From c56df225b051edc1a98e23a0917206744d2ab8e3 Mon Sep 17 00:00:00 2001
From: Jon Siwek Date: Thu, 12 Mar 2015 16:16:24 -0500 Subject: [PATCH 182/711] Fix Broker leak tests. Forgot to update Broker module names when they changed. --- CHANGES | 4 + VERSION | 2 +- .../clone.clone.out | 5 + .../bro..stdout | 32 +-- .../bro..stdout | 14 ++ .../recv.recv.out | 0 .../send.send.out | 2 +- .../recv.recv.out | 0 .../recv.test.log | 0 .../send.send.out | 1 + .../send.test.log | 0 .../recv.recv.out | 0 .../send.send.out | 2 +- .../clone.clone.out | 5 - .../core.leaks.comm.master_store/bro..stdout | 14 -- .../core.leaks.comm.remote_log/send.send.out | 1 - .../btest/core/leaks/broker/clone_store.bro | 113 +++++++++ testing/btest/core/leaks/broker/data.bro | 233 ++++++++++++++++++ .../leaks/{comm => broker}/master_store.bro | 46 ++-- .../leaks/{comm => broker}/remote_event.test | 32 +-- .../leaks/{comm => broker}/remote_log.test | 16 +- .../leaks/{comm => broker}/remote_print.test | 28 +-- testing/btest/core/leaks/comm/clone_store.bro | 113 --------- testing/btest/core/leaks/comm/data.bro | 233 ------------------ 24 files changed, 450 insertions(+), 446 deletions(-) create mode 100644 testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out rename testing/btest/Baseline/{core.leaks.comm.data => core.leaks.broker.data}/bro..stdout (73%) create mode 100644 testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout rename testing/btest/Baseline/{core.leaks.comm.remote_event => core.leaks.broker.remote_event}/recv.recv.out (100%) rename testing/btest/Baseline/{core.leaks.comm.remote_event => core.leaks.broker.remote_event}/send.send.out (79%) rename testing/btest/Baseline/{core.leaks.comm.remote_log => core.leaks.broker.remote_log}/recv.recv.out (100%) rename testing/btest/Baseline/{core.leaks.comm.remote_log => core.leaks.broker.remote_log}/recv.test.log (100%) create mode 100644 testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out rename testing/btest/Baseline/{core.leaks.comm.remote_log => 
core.leaks.broker.remote_log}/send.test.log (100%) rename testing/btest/Baseline/{core.leaks.comm.remote_print => core.leaks.broker.remote_print}/recv.recv.out (100%) rename testing/btest/Baseline/{core.leaks.comm.remote_print => core.leaks.broker.remote_print}/send.send.out (62%) delete mode 100644 testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out delete mode 100644 testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout delete mode 100644 testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out create mode 100644 testing/btest/core/leaks/broker/clone_store.bro create mode 100644 testing/btest/core/leaks/broker/data.bro rename testing/btest/core/leaks/{comm => broker}/master_store.bro (62%) rename testing/btest/core/leaks/{comm => broker}/remote_event.test (66%) rename testing/btest/core/leaks/{comm => broker}/remote_log.test (80%) rename testing/btest/core/leaks/{comm => broker}/remote_print.test (65%) delete mode 100644 testing/btest/core/leaks/comm/clone_store.bro delete mode 100644 testing/btest/core/leaks/comm/data.bro diff --git a/CHANGES b/CHANGES index 627aade078..926b30c9c0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.3-536 | 2015-03-12 16:16:24 -0500 + + * Fix Broker leak tests. (Jon Siwek) + 2.3-534 | 2015-03-12 10:59:49 -0500 * Update NEWS file. (Jon Siwek) diff --git a/VERSION b/VERSION index 724cf738c6..c168eac2bd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-534 +2.3-536 diff --git a/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out b/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out new file mode 100644 index 0000000000..017537fea9 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out 
@@ -0,0 +1,5 @@ +clone keys, [status=BrokerStore::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]] +lookup, one, [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]] +lookup, two, [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]] +lookup, myset, [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]] +lookup, myvec, [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]] diff --git a/testing/btest/Baseline/core.leaks.comm.data/bro..stdout b/testing/btest/Baseline/core.leaks.broker.data/bro..stdout similarity index 73% rename from testing/btest/Baseline/core.leaks.comm.data/bro..stdout rename to testing/btest/Baseline/core.leaks.broker.data/bro..stdout index eea78d39a2..628870144a 100644 --- a/testing/btest/Baseline/core.leaks.comm.data/bro..stdout +++ b/testing/btest/Baseline/core.leaks.broker.data/bro..stdout @@ -1,18 +1,18 @@ -Comm::BOOL -Comm::INT -Comm::COUNT -Comm::DOUBLE -Comm::STRING -Comm::ADDR -Comm::SUBNET -Comm::PORT -Comm::TIME -Comm::INTERVAL -Comm::ENUM -Comm::SET -Comm::TABLE -Comm::VECTOR -Comm::RECORD +BrokerComm::BOOL +BrokerComm::INT +BrokerComm::COUNT +BrokerComm::DOUBLE +BrokerComm::STRING +BrokerComm::ADDR +BrokerComm::SUBNET +BrokerComm::PORT +BrokerComm::TIME +BrokerComm::INTERVAL +BrokerComm::ENUM +BrokerComm::SET +BrokerComm::TABLE +BrokerComm::VECTOR +BrokerComm::RECORD *************************** T F @@ -29,7 +29,7 @@ hello 22/tcp 42.0 180.0 -Comm::BOOL +BrokerComm::BOOL *************************** { two, diff --git a/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout b/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout new file mode 100644 index 0000000000..4208503151 --- /dev/null +++ b/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout 
@@ -0,0 +1,14 @@ +lookup(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]] +lookup(four): [status=BrokerStore::SUCCESS, result=[d=]] +lookup(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]] +lookup(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]] +lookup(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]] +exists(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]] +exists(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]] +exists(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]] +exists(four): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]] +pop_right(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{omega}]] +pop_left(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{delta}]] +keys: [status=BrokerStore::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]] +size: [status=BrokerStore::SUCCESS, result=[d=broker::data{3}]] +size (after clear): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]] diff --git a/testing/btest/Baseline/core.leaks.comm.remote_event/recv.recv.out b/testing/btest/Baseline/core.leaks.broker.remote_event/recv.recv.out similarity index 100% rename from testing/btest/Baseline/core.leaks.comm.remote_event/recv.recv.out rename to testing/btest/Baseline/core.leaks.broker.remote_event/recv.recv.out diff --git a/testing/btest/Baseline/core.leaks.comm.remote_event/send.send.out b/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out similarity index 79% rename from testing/btest/Baseline/core.leaks.comm.remote_event/send.send.out rename to testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out index 0e529e08fc..a29c1ecd1e 100644 --- a/testing/btest/Baseline/core.leaks.comm.remote_event/send.send.out +++ b/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out 
@@ -1,4 +1,4 @@
-Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
got event msg, pong, 0
got auto event msg, ping, 0
got event msg, pong, 1
diff --git a/testing/btest/Baseline/core.leaks.comm.remote_log/recv.recv.out b/testing/btest/Baseline/core.leaks.broker.remote_log/recv.recv.out
similarity index 100%
rename from testing/btest/Baseline/core.leaks.comm.remote_log/recv.recv.out
rename to testing/btest/Baseline/core.leaks.broker.remote_log/recv.recv.out
diff --git a/testing/btest/Baseline/core.leaks.comm.remote_log/recv.test.log b/testing/btest/Baseline/core.leaks.broker.remote_log/recv.test.log
similarity index 100%
rename from testing/btest/Baseline/core.leaks.comm.remote_log/recv.test.log
rename to testing/btest/Baseline/core.leaks.broker.remote_log/recv.test.log
diff --git a/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out b/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out
new file mode 100644
index 0000000000..d97ef33af1
--- /dev/null
+++ b/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out
@@ -0,0 +1 @@
+BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
diff --git a/testing/btest/Baseline/core.leaks.comm.remote_log/send.test.log b/testing/btest/Baseline/core.leaks.broker.remote_log/send.test.log
similarity index 100%
rename from testing/btest/Baseline/core.leaks.comm.remote_log/send.test.log
rename to testing/btest/Baseline/core.leaks.broker.remote_log/send.test.log
diff --git a/testing/btest/Baseline/core.leaks.comm.remote_print/recv.recv.out b/testing/btest/Baseline/core.leaks.broker.remote_print/recv.recv.out
similarity index 100%
rename from testing/btest/Baseline/core.leaks.comm.remote_print/recv.recv.out
rename to testing/btest/Baseline/core.leaks.broker.remote_print/recv.recv.out
diff --git a/testing/btest/Baseline/core.leaks.comm.remote_print/send.send.out b/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out
similarity index 62%
rename from testing/btest/Baseline/core.leaks.comm.remote_print/send.send.out
rename to testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out
index 777afdc0d2..65d8ee79b7 100644
--- a/testing/btest/Baseline/core.leaks.comm.remote_print/send.send.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out
@@ -1,4 +1,4 @@
-Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
got print msg, pong 0
got print msg, pong 1
got print msg, pong 2
diff --git a/testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out b/testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out
deleted file mode 100644
index 8a7c89a19b..0000000000
--- a/testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out
+++ /dev/null
@@ -1,5 +0,0 @@
-clone keys, [status=Store::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
-lookup, one, [status=Store::SUCCESS, result=[d=broker::data{111}]]
-lookup, two, [status=Store::SUCCESS, result=[d=broker::data{222}]]
-lookup, myset, [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup, myvec, [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
diff --git a/testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout b/testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout
deleted file mode 100644
index defdc9a3e1..0000000000
--- a/testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout
+++ /dev/null
@@ -1,14 +0,0 @@
-lookup(two): [status=Store::SUCCESS, result=[d=broker::data{222}]]
-lookup(four): [status=Store::SUCCESS, result=[d=]]
-lookup(myset): [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup(one): [status=Store::SUCCESS, result=[d=broker::data{111}]]
-lookup(myvec): [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
-exists(one): [status=Store::SUCCESS, result=[d=broker::data{1}]]
-exists(two): [status=Store::SUCCESS, result=[d=broker::data{0}]]
-exists(myset): [status=Store::SUCCESS, result=[d=broker::data{1}]]
-exists(four): [status=Store::SUCCESS, result=[d=broker::data{0}]]
-pop_right(myvec): [status=Store::SUCCESS, result=[d=broker::data{omega}]]
-pop_left(myvec): [status=Store::SUCCESS, result=[d=broker::data{delta}]]
-keys: [status=Store::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
-size: [status=Store::SUCCESS, result=[d=broker::data{3}]]
-size (after clear): [status=Store::SUCCESS, result=[d=broker::data{0}]]
diff --git a/testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out b/testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out
deleted file mode 100644
index e2415290d6..0000000000
--- a/testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out
+++ /dev/null
@@ -1 +0,0 @@
-Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.bro
new file mode 100644
index 0000000000..06df81e1d5
--- /dev/null
+++ b/testing/btest/core/leaks/broker/clone_store.bro
@@ -0,0 +1,113 @@
+# @TEST-SERIALIZE: brokercomm
+# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
+# @TEST-GROUP: leak
+
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out"
+# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out"
+
+# @TEST-EXEC: btest-bg-wait 45
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out
+
+@TEST-START-FILE clone.bro
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+global h: opaque of BrokerStore::Handle;
+global expected_key_count = 4;
+global key_count = 0;
+
+function do_lookup(key: string)
+ {
+ when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
+ {
+ ++key_count;
+ print "lookup", key, res;
+
+ if ( key_count == expected_key_count )
+ terminate();
+ }
+ timeout 10sec
+ { print "timeout"; }
+ }
+
+event ready()
+ {
+ h = BrokerStore::create_clone("mystore");
+
+ when ( local res = BrokerStore::keys(h) )
+ {
+ print "clone keys", res;
+ do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0)));
+ do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1)));
+ do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2)));
+ do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3)));
+ }
+ timeout 10sec
+ { print "timeout"; }
+ }
+
+event bro_init()
+ {
+ BrokerComm::enable();
+ BrokerComm::listen(broker_port, "127.0.0.1");
+ BrokerComm::subscribe_to_events("bro/event/ready");
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE master.bro
+
+const broker_port: port &redef;
+redef exit_only_after_terminate = T;
+
+global h: opaque of BrokerStore::Handle;
+
+function dv(d: BrokerComm::Data): BrokerComm::DataVector
+ {
+ local rval: BrokerComm::DataVector;
+ rval[0] = d;
+ return rval;
+ }
+
+global 
ready: event();
+
+event BrokerComm::outgoing_connection_broken(peer_address: string,
+ peer_port: port)
+ {
+ terminate();
+ }
+
+event BrokerComm::outgoing_connection_established(peer_address: string,
+ peer_port: port,
+ peer_name: string)
+ {
+ local myset: set[string] = {"a", "b", "c"};
+ local myvec: vector of string = {"alpha", "beta", "gamma"};
+ BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
+ BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
+ BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
+ BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
+ BrokerStore::increment(h, BrokerComm::data("one"));
+ BrokerStore::decrement(h, BrokerComm::data("two"));
+ BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
+ BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
+ BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
+ BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
+
+ when ( local res = BrokerStore::size(h) )
+ { event ready(); }
+ timeout 10sec
+ { print "timeout"; }
+ }
+
+event bro_init()
+ {
+ BrokerComm::enable();
+ h = BrokerStore::create_master("mystore");
+ BrokerComm::connect("127.0.0.1", broker_port, 1secs);
+ BrokerComm::auto_event("bro/event/ready", ready);
+ }
+
+@TEST-END-FILE
diff --git a/testing/btest/core/leaks/broker/data.bro b/testing/btest/core/leaks/broker/data.bro
new file mode 100644
index 0000000000..d4f6402ae3
--- /dev/null
+++ b/testing/btest/core/leaks/broker/data.bro
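Review bot: The test-group tag is spelled differently in the two new scripts: clone_store.bro declares `# @TEST-GROUP: leak` while data.bro declares `# @TEST-GROUP: leaks`, so a group filter will select one and silently skip the other; the deleted comm/ copies carried the same mismatch, and this rename is the natural point to settle on one spelling, e.g. `# @TEST-GROUP: leaks` here. In master.bro the `when ( local res = BrokerStore::size(h) ) { event ready(); }` block never uses `res`, which presumably is intentional as a way to fire `ready()` only after the preceding store operations have been processed; a one-line comment stating that intent, such as `# size() is only answered once the inserts above are applied, so ready() fires on a populated store`, would keep a later reader from "fixing" the unused result.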
@@ -0,0 +1,233 @@
+# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
+# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
+# @TEST-GROUP: leaks
+
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 45
+# @TEST-EXEC: btest-diff bro/.stdout
+
+type bro_set: set[string];
+type bro_table: table[string] of count;
+type bro_vector: vector of string;
+
+type bro_record : record {
+ a: string &optional;
+ b: string &default = "bee";
+ c: count;
+};
+
+function comm_record_to_bro_record_recurse(it: opaque of BrokerComm::RecordIterator,
+ rval: bro_record,
+ idx: count): bro_record
+ {
+ if ( BrokerComm::record_iterator_last(it) )
+ return rval;
+
+ local field_value = BrokerComm::record_iterator_value(it);
+
+ if ( field_value?$d )
+ switch ( idx ) {
+ case 0:
+ rval$a = BrokerComm::refine_to_string(field_value);
+ break;
+ case 1:
+ rval$b = BrokerComm::refine_to_string(field_value);
+ break;
+ case 2:
+ rval$c = BrokerComm::refine_to_count(field_value);
+ break;
+ };
+
+ ++idx;
+ BrokerComm::record_iterator_next(it);
+ return comm_record_to_bro_record_recurse(it, rval, idx);
+ }
+
+function comm_record_to_bro_record(d: BrokerComm::Data): bro_record
+ {
+ return comm_record_to_bro_record_recurse(BrokerComm::record_iterator(d),
+ bro_record($c = 0), 0);
+ }
+
+function
+comm_set_to_bro_set_recurse(it: opaque of BrokerComm::SetIterator,
+ rval: bro_set): bro_set
+ {
+ if ( BrokerComm::set_iterator_last(it) )
+ return rval;
+
+ add rval[BrokerComm::refine_to_string(BrokerComm::set_iterator_value(it))];
+ BrokerComm::set_iterator_next(it);
+ return comm_set_to_bro_set_recurse(it, rval);
+ }
+
+
+function comm_set_to_bro_set(d: BrokerComm::Data): bro_set
+ {
+ return comm_set_to_bro_set_recurse(BrokerComm::set_iterator(d), bro_set());
+ }
+
+function
+comm_table_to_bro_table_recurse(it: opaque of BrokerComm::TableIterator,
+ rval: bro_table): bro_table
+ {
+ if ( 
BrokerComm::table_iterator_last(it) )
+ return rval;
+
+ local item = BrokerComm::table_iterator_value(it);
+ rval[BrokerComm::refine_to_string(item$key)] = BrokerComm::refine_to_count(item$val);
+ BrokerComm::table_iterator_next(it);
+ return comm_table_to_bro_table_recurse(it, rval);
+ }
+
+function comm_table_to_bro_table(d: BrokerComm::Data): bro_table
+ {
+ return comm_table_to_bro_table_recurse(BrokerComm::table_iterator(d),
+ bro_table());
+ }
+
+function comm_vector_to_bro_vector_recurse(it: opaque of BrokerComm::VectorIterator,
+ rval: bro_vector): bro_vector
+ {
+ if ( BrokerComm::vector_iterator_last(it) )
+ return rval;
+
+ rval[|rval|] = BrokerComm::refine_to_string(BrokerComm::vector_iterator_value(it));
+ BrokerComm::vector_iterator_next(it);
+ return comm_vector_to_bro_vector_recurse(it, rval);
+ }
+
+function comm_vector_to_bro_vector(d: BrokerComm::Data): bro_vector
+ {
+ return comm_vector_to_bro_vector_recurse(BrokerComm::vector_iterator(d),
+ bro_vector());
+ }
+
+event bro_init()
+ {
+BrokerComm::enable();
+ }
+
+global did_it = F;
+
+event new_connection(c: connection)
+ {
+if ( did_it ) return;
+did_it = T;
+print BrokerComm::data_type(BrokerComm::data(T));
+print BrokerComm::data_type(BrokerComm::data(+1));
+print BrokerComm::data_type(BrokerComm::data(1));
+print BrokerComm::data_type(BrokerComm::data(1.1));
+print BrokerComm::data_type(BrokerComm::data("1 (how creative)"));
+print BrokerComm::data_type(BrokerComm::data(1.1.1.1));
+print BrokerComm::data_type(BrokerComm::data(1.1.1.1/1));
+print BrokerComm::data_type(BrokerComm::data(1/udp));
+print BrokerComm::data_type(BrokerComm::data(double_to_time(1)));
+print BrokerComm::data_type(BrokerComm::data(1sec));
+print BrokerComm::data_type(BrokerComm::data(BrokerComm::BOOL));
+local s: bro_set = bro_set("one", "two", "three");
+local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3);
+local v: bro_vector = bro_vector("zero", "one", "two");
+local r: bro_record = 
bro_record($c = 1);
+print BrokerComm::data_type(BrokerComm::data(s));
+print BrokerComm::data_type(BrokerComm::data(t));
+print BrokerComm::data_type(BrokerComm::data(v));
+print BrokerComm::data_type(BrokerComm::data(r));
+
+print "***************************";
+
+print BrokerComm::refine_to_bool(BrokerComm::data(T));
+print BrokerComm::refine_to_bool(BrokerComm::data(F));
+print BrokerComm::refine_to_int(BrokerComm::data(+1));
+print BrokerComm::refine_to_int(BrokerComm::data(+0));
+print BrokerComm::refine_to_int(BrokerComm::data(-1));
+print BrokerComm::refine_to_count(BrokerComm::data(1));
+print BrokerComm::refine_to_count(BrokerComm::data(0));
+print BrokerComm::refine_to_double(BrokerComm::data(1.1));
+print BrokerComm::refine_to_double(BrokerComm::data(-11.1));
+print BrokerComm::refine_to_string(BrokerComm::data("hello"));
+print BrokerComm::refine_to_addr(BrokerComm::data(1.2.3.4));
+print BrokerComm::refine_to_subnet(BrokerComm::data(192.168.1.1/16));
+print BrokerComm::refine_to_port(BrokerComm::data(22/tcp));
+print BrokerComm::refine_to_time(BrokerComm::data(double_to_time(42)));
+print BrokerComm::refine_to_interval(BrokerComm::data(3min));
+print BrokerComm::refine_to_enum_name(BrokerComm::data(BrokerComm::BOOL));
+
+print "***************************";
+
+local cs = BrokerComm::data(s);
+print comm_set_to_bro_set(cs);
+cs = BrokerComm::set_create();
+print BrokerComm::set_size(cs);
+print BrokerComm::set_insert(cs, BrokerComm::data("hi"));
+print BrokerComm::set_size(cs);
+print BrokerComm::set_contains(cs, BrokerComm::data("hi"));
+print BrokerComm::set_contains(cs, BrokerComm::data("bye"));
+print BrokerComm::set_insert(cs, BrokerComm::data("bye"));
+print BrokerComm::set_size(cs);
+print BrokerComm::set_remove(cs, BrokerComm::data("hi"));
+print BrokerComm::set_size(cs);
+print BrokerComm::set_remove(cs, BrokerComm::data("hi"));
+print comm_set_to_bro_set(cs);
+BrokerComm::set_clear(cs);
+print BrokerComm::set_size(cs);
+
+print 
"***************************";
+
+local ct = BrokerComm::data(t);
+print comm_table_to_bro_table(ct);
+ct = BrokerComm::table_create();
+print BrokerComm::table_size(ct);
+print BrokerComm::table_insert(ct, BrokerComm::data("hi"), BrokerComm::data(42));
+print BrokerComm::table_size(ct);
+print BrokerComm::table_contains(ct, BrokerComm::data("hi"));
+print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("hi")));
+print BrokerComm::table_contains(ct, BrokerComm::data("bye"));
+print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(7));
+print BrokerComm::table_size(ct);
+print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(37));
+print BrokerComm::table_size(ct);
+print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("bye")));
+print BrokerComm::table_remove(ct, BrokerComm::data("hi"));
+print BrokerComm::table_size(ct);
+
+print "***************************";
+
+local cv = BrokerComm::data(v);
+print comm_vector_to_bro_vector(cv);
+cv = BrokerComm::vector_create();
+print BrokerComm::vector_size(cv);
+print BrokerComm::vector_insert(cv, BrokerComm::data("hi"), 0);
+print BrokerComm::vector_insert(cv, BrokerComm::data("hello"), 1);
+print BrokerComm::vector_insert(cv, BrokerComm::data("greetings"), 2);
+print BrokerComm::vector_insert(cv, BrokerComm::data("salutations"), 1);
+print comm_vector_to_bro_vector(cv);
+print BrokerComm::vector_size(cv);
+print BrokerComm::vector_replace(cv, BrokerComm::data("bah"), 2);
+print BrokerComm::vector_lookup(cv, 2);
+print BrokerComm::vector_lookup(cv, 0);
+print comm_vector_to_bro_vector(cv);
+print BrokerComm::vector_remove(cv, 2);
+print comm_vector_to_bro_vector(cv);
+print BrokerComm::vector_size(cv);
+
+print "***************************";
+
+local cr = BrokerComm::data(r);
+print comm_record_to_bro_record(cr);
+r$a = "test";
+cr = BrokerComm::data(r);
+print comm_record_to_bro_record(cr);
+r$b = "testagain";
+cr = 
BrokerComm::data(r);
+print comm_record_to_bro_record(cr);
+cr = BrokerComm::record_create(3);
+print BrokerComm::record_size(cr);
+print BrokerComm::record_assign(cr, BrokerComm::data("hi"), 0);
+print BrokerComm::record_assign(cr, BrokerComm::data("hello"), 1);
+print BrokerComm::record_assign(cr, BrokerComm::data(37), 2);
+print BrokerComm::record_lookup(cr, 0);
+print BrokerComm::record_lookup(cr, 1);
+print BrokerComm::record_lookup(cr, 2);
+print BrokerComm::record_size(cr);
+}
diff --git a/testing/btest/core/leaks/comm/master_store.bro b/testing/btest/core/leaks/broker/master_store.bro
similarity index 62%
rename from testing/btest/core/leaks/comm/master_store.bro
rename to testing/btest/core/leaks/broker/master_store.bro
index a5c1063e6f..19c63236f5 100644
--- a/testing/btest/core/leaks/comm/master_store.bro
+++ b/testing/btest/core/leaks/broker/master_store.bro
@@ -8,7 +8,7 @@ redef exit_only_after_terminate = T;
-global h: opaque of Store::Handle;
+global h: opaque of BrokerStore::Handle;
global lookup_count = 0;
const lookup_expect_count = 5;
global exists_count = 0;
@@ -20,13 +20,13 @@ global test_size: event(where: string &default = "");
event test_clear()
{
- Store::clear(h);
+ BrokerStore::clear(h);
event test_size("after clear");
}
event test_size(where: string)
{
- when ( local res = Store::size(h) )
+ when ( local res = BrokerStore::size(h) )
{
if ( where == "" )
{
@@ -45,7 +45,7 @@ event test_size(where: string)
event test_keys()
{
- when ( local res = Store::keys(h) )
+ when ( local res = BrokerStore::keys(h) )
{
print fmt("keys: %s", res);
event test_size();
@@ -56,7 +56,7 @@ event test_keys()
event test_pop(key: string)
{
- when ( local lres = Store::pop_left(h, Comm::data(key)) )
+ when ( local lres = BrokerStore::pop_left(h, BrokerComm::data(key)) )
{
print fmt("pop_left(%s): %s", key, lres);
++pop_count;
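Review bot: The bodies of `bro_init` and `new_connection` in data.bro sit at column 0 (`+BrokerComm::enable();`, `+if ( did_it ) return;`, and the long run of `+print ...` lines through `+print BrokerComm::record_size(cr);`) while every other function in the file indents its body one level inside the braces; indenting these two the same way would make the file read like the rest of the suite. The `switch ( idx )` in `comm_record_to_bro_record_recurse` also closes with `};`, where the trailing semicolon after the brace is redundant. Both are carried over from the deleted comm/data.bro rather than introduced here, but the rename is a convenient moment to tidy them.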
@@ -67,7 +67,7 @@ event test_pop(key: string)
timeout 10sec
{ print "timeout"; }
- when ( local rres = Store::pop_right(h, Comm::data(key)) )
+ when ( local rres = BrokerStore::pop_right(h, BrokerComm::data(key)) )
{
print fmt("pop_right(%s): %s", key, rres);
++pop_count;
@@ -81,7 +81,7 @@ event test_pop(key: string)
function do_exists(key: string)
{
- when ( local res = Store::exists(h, Comm::data(key)) )
+ when ( local res = BrokerStore::exists(h, BrokerComm::data(key)) )
{
print fmt("exists(%s): %s", key, res);
++exists_count;
@@ -95,7 +95,7 @@ function do_exists(key: string)
event test_erase()
{
- Store::erase(h, Comm::data("two"));
+ BrokerStore::erase(h, BrokerComm::data("two"));
do_exists("one");
do_exists("two");
do_exists("myset");
@@ -104,7 +104,7 @@ event test_erase()
function do_lookup(key: string)
{
- when ( local res = Store::lookup(h, Comm::data(key)) )
+ when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
{
print fmt("lookup(%s): %s", key, res);
++lookup_count;
@@ -116,9 +116,9 @@ function do_lookup(key: string)
{ print "timeout"; }
}
-function dv(d: Comm::Data): Comm::DataVector
+function dv(d: BrokerComm::Data): BrokerComm::DataVector
{
- local rval: Comm::DataVector;
+ local rval: BrokerComm::DataVector;
rval[0] = d;
return rval;
}
@@ -127,8 +127,8 @@ global did_it = F;
event bro_init()
{
- Comm::enable();
- h = Store::create_master("master");
+ BrokerComm::enable();
+ h = BrokerStore::create_master("master");
}
event new_connection(c: connection)
@@ -137,16 +137,16 @@ event new_connection(c: connection)
did_it = T;
local myset: set[string] = {"a", "b", "c"};
local myvec: vector of string = {"alpha", "beta", "gamma"};
- Store::insert(h, Comm::data("one"), Comm::data(110));
- Store::insert(h, Comm::data("two"), Comm::data(223));
- Store::insert(h, Comm::data("myset"), Comm::data(myset));
- Store::insert(h, Comm::data("myvec"), Comm::data(myvec));
- Store::increment(h, Comm::data("one"));
- Store::decrement(h, Comm::data("two"));
- Store::add_to_set(h, Comm::data("myset"), Comm::data("d"));
- Store::remove_from_set(h, Comm::data("myset"), Comm::data("b"));
- Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta")));
- Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega")));
+ BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
+ BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
+ BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
+ BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
+ BrokerStore::increment(h, BrokerComm::data("one"));
+ BrokerStore::decrement(h, BrokerComm::data("two"));
+ BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
+ BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
+ BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
+ BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
do_lookup("one");
do_lookup("two");
do_lookup("myset");
diff --git a/testing/btest/core/leaks/comm/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test
similarity index 66%
rename from testing/btest/core/leaks/comm/remote_event.test
rename to testing/btest/core/leaks/broker/remote_event.test
index a329b527db..243d3b04d3 100644
--- a/testing/btest/core/leaks/comm/remote_event.test
+++ b/testing/btest/core/leaks/broker/remote_event.test
@@ -20,10 +20,10 @@ global auto_event_handler: event(msg: string, c: count);
event bro_init()
{
- Comm::enable();
- Comm::listen(broker_port, "127.0.0.1");
- Comm::subscribe_to_events("bro/event/");
- Comm::auto_event("bro/event/my_topic", auto_event_handler);
+ BrokerComm::enable();
+ BrokerComm::listen(broker_port, "127.0.0.1");
+ BrokerComm::subscribe_to_events("bro/event/");
+ BrokerComm::auto_event("bro/event/my_topic", auto_event_handler);
}
global event_count = 0;
@@ -41,8 +41,8 @@ event event_handler(msg: string, n: count)
}
event auto_event_handler(msg, n);
- local args = Comm::event_args(event_handler, "pong", n);
- Comm::event("bro/event/my_topic", args);
+ local args = BrokerComm::event_args(event_handler, "pong", n);
+ BrokerComm::event("bro/event/my_topic", args);
}
@TEST-END-FILE
@@ -57,24 +57,24 @@ global auto_event_handler: event(msg: string, c: count);
event bro_init()
{
- Comm::enable();
- Comm::subscribe_to_events("bro/event/my_topic");
- Comm::connect("127.0.0.1", broker_port, 1secs);
+ BrokerComm::enable();
+ BrokerComm::subscribe_to_events("bro/event/my_topic");
+ BrokerComm::connect("127.0.0.1", broker_port, 1secs);
}
global event_count = 0;
-event Comm::outgoing_connection_established(peer_address: string,
+event BrokerComm::outgoing_connection_established(peer_address: string,
peer_port: port,
peer_name: string)
{
- print "Comm::outgoing_connection_established", peer_address, peer_port;
- local args = Comm::event_args(event_handler, "ping", event_count);
- Comm::event("bro/event/hi", args);
+ print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
+ local args = BrokerComm::event_args(event_handler, "ping", event_count);
+ BrokerComm::event("bro/event/hi", args);
++event_count;
}
-event Comm::outgoing_connection_broken(peer_address: string,
+event BrokerComm::outgoing_connection_broken(peer_address: string,
peer_port: port)
{
terminate();
@@ -83,8 +83,8 @@ event Comm::outgoing_connection_broken(peer_address: string,
event event_handler(msg: string, n: count)
{
print "got event msg", msg, n;
- local args = Comm::event_args(event_handler, "ping", event_count);
- Comm::event("bro/event/hi", args);
+ local args = BrokerComm::event_args(event_handler, "ping", event_count);
+ BrokerComm::event("bro/event/hi", args);
++event_count;
}
diff --git a/testing/btest/core/leaks/comm/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test
similarity index 80%
rename from testing/btest/core/leaks/comm/remote_log.test
rename to testing/btest/core/leaks/broker/remote_log.test
index 6f20bf8cd4..f6c0c41fda 100644
--- a/testing/btest/core/leaks/comm/remote_log.test
+++ b/testing/btest/core/leaks/broker/remote_log.test
@@ -29,7 +29,7 @@ export {
event bro_init() &priority=5
{
- Comm::enable();
+ BrokerComm::enable();
Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]);
}
@@ -42,8 +42,8 @@ redef exit_only_after_terminate = T;
event bro_init()
{
- Comm::listen(broker_port, "127.0.0.1");
- Comm::subscribe_to_logs("bro/log/");
+ BrokerComm::listen(broker_port, "127.0.0.1");
+ BrokerComm::subscribe_to_logs("bro/log/");
}
event Test::log_test(rec: Test::Info)
@@ -63,8 +63,8 @@ redef exit_only_after_terminate = T;
event bro_init()
{
- Comm::enable_remote_logs(Test::LOG);
- Comm::connect("127.0.0.1", broker_port, 1secs);
+ BrokerComm::enable_remote_logs(Test::LOG);
+ BrokerComm::connect("127.0.0.1", broker_port, 1secs);
}
global n = 0;
@@ -81,15 +81,15 @@ event do_write()
}
}
-event Comm::outgoing_connection_established(peer_address: string,
+event BrokerComm::outgoing_connection_established(peer_address: string,
peer_port: port,
peer_name: string)
{
- print "Comm::outgoing_connection_established", peer_address, peer_port;
+ print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
event do_write();
}
-event Comm::outgoing_connection_broken(peer_address: string,
+event BrokerComm::outgoing_connection_broken(peer_address: string,
peer_port: port)
{
terminate();
diff --git a/testing/btest/core/leaks/comm/remote_print.test b/testing/btest/core/leaks/broker/remote_print.test
similarity index 65%
rename from testing/btest/core/leaks/comm/remote_print.test
rename to testing/btest/core/leaks/broker/remote_print.test
index 43fe50b632..e77881c694 100644
--- a/testing/btest/core/leaks/comm/remote_print.test
+++ b/testing/btest/core/leaks/broker/remote_print.test
@@ -17,16 +17,16 @@ redef exit_only_after_terminate = T;
event bro_init()
{
- Comm::enable();
- Comm::listen(broker_port, "127.0.0.1");
- Comm::subscribe_to_prints("bro/print/");
+ BrokerComm::enable();
+ BrokerComm::listen(broker_port, "127.0.0.1");
+ BrokerComm::subscribe_to_prints("bro/print/");
}
global messages_to_recv = 6;
global messages_sent = 0;
global messages_recv = 0;
-event Comm::print_handler(msg: string)
+event BrokerComm::print_handler(msg: string)
{
++messages_recv;
print "got print msg", msg;
@@ -37,7 +37,7 @@ event Comm::print_handler(msg: string)
return;
}
- Comm::print("bro/print/my_topic", fmt("pong %d", messages_sent));
+ BrokerComm::print("bro/print/my_topic", fmt("pong %d", messages_sent));
++messages_sent;
}
@@ -50,35 +50,35 @@ redef exit_only_after_terminate = T;
event bro_init()
{
- Comm::enable();
- Comm::subscribe_to_prints("bro/print/my_topic");
- Comm::connect("127.0.0.1", broker_port, 1secs);
+ BrokerComm::enable();
+ BrokerComm::subscribe_to_prints("bro/print/my_topic");
+ BrokerComm::connect("127.0.0.1", broker_port, 1secs);
}
global messages_sent = 0;
global messages_recv = 0;
global peer_disconnected = F;
-event Comm::outgoing_connection_established(peer_address: string,
+event BrokerComm::outgoing_connection_established(peer_address: string,
peer_port: port,
peer_name: string)
{
- print "Comm::outgoing_connection_established", peer_address, peer_port;
- Comm::print("bro/print/hi", fmt("ping %d", messages_sent));
+ print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
+ BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent));
++messages_sent;
}
-event Comm::outgoing_connection_broken(peer_address: string,
+event BrokerComm::outgoing_connection_broken(peer_address: string,
peer_port: port)
{
terminate();
}
-event Comm::print_handler(msg: string)
+event BrokerComm::print_handler(msg: string)
{
++messages_recv;
print "got print msg", msg;
- Comm::print("bro/print/hi", fmt("ping %d", messages_sent));
+ BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent));
++messages_sent;
}
diff --git a/testing/btest/core/leaks/comm/clone_store.bro b/testing/btest/core/leaks/comm/clone_store.bro
deleted file mode 100644
index 2a75bfa62f..0000000000
--- a/testing/btest/core/leaks/comm/clone_store.bro
+++ /dev/null
@@ -1,113 +0,0 @@
-# @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
-# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
-# @TEST-GROUP: leak
-
-# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out"
-# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out"
-
-# @TEST-EXEC: btest-bg-wait 45
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out
-
-@TEST-START-FILE clone.bro
-
-const broker_port: port &redef;
-redef exit_only_after_terminate = T;
-
-global h: opaque of Store::Handle;
-global expected_key_count = 4;
-global key_count = 0;
-
-function do_lookup(key: string)
- {
- when ( local res = Store::lookup(h, Comm::data(key)) )
- {
- ++key_count;
- print "lookup", key, res;
-
- if ( key_count == expected_key_count )
- terminate();
- }
- timeout 10sec
- { print "timeout"; }
- }
-
-event ready()
- {
- h = Store::create_clone("mystore");
-
- when ( local res = Store::keys(h) )
- {
- print "clone keys", res;
- do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 0)));
- do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 1)));
- do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 2)));
- do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 3)));
- }
- timeout 10sec
- { print "timeout"; }
- }
-
-event bro_init()
- {
- Comm::enable();
- Comm::listen(broker_port, "127.0.0.1");
- Comm::subscribe_to_events("bro/event/ready");
- }
-
-@TEST-END-FILE
-
-@TEST-START-FILE master.bro
-
-const broker_port: port &redef;
-redef exit_only_after_terminate = T;
-
-global h: opaque of Store::Handle;
-
-function dv(d: Comm::Data): Comm::DataVector
- {
- local rval: Comm::DataVector;
- rval[0] = d;
- return rval;
- }
-
-global ready: event();
-
-event Comm::outgoing_connection_broken(peer_address: string,
- peer_port: port)
- {
- terminate();
- }
-
-event Comm::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
- {
- local myset: set[string] = {"a", "b", "c"};
- local myvec: vector of string = {"alpha", "beta", "gamma"};
- Store::insert(h, Comm::data("one"), Comm::data(110));
- Store::insert(h, Comm::data("two"), Comm::data(223));
- Store::insert(h, Comm::data("myset"), Comm::data(myset));
- Store::insert(h, Comm::data("myvec"), Comm::data(myvec));
- Store::increment(h, Comm::data("one"));
- Store::decrement(h, Comm::data("two"));
- Store::add_to_set(h, Comm::data("myset"), Comm::data("d"));
- Store::remove_from_set(h, Comm::data("myset"), Comm::data("b"));
- Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta")));
- Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega")));
-
- when ( local res = Store::size(h) )
- { event ready(); }
- timeout 10sec
- { print "timeout"; }
- }
-
-event bro_init()
- {
- Comm::enable();
- h = Store::create_master("mystore");
- Comm::connect("127.0.0.1", broker_port, 1secs);
- Comm::auto_event("bro/event/ready", ready);
- }
-
-@TEST-END-FILE
diff --git a/testing/btest/core/leaks/comm/data.bro b/testing/btest/core/leaks/comm/data.bro
deleted file mode 100644
index bf614a2092..0000000000
--- a/testing/btest/core/leaks/comm/data.bro
+++ /dev/null
@@ -1,233 +0,0 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt -# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leaks - -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT -# @TEST-EXEC: btest-bg-wait 45 -# @TEST-EXEC: btest-diff bro/.stdout - -type bro_set: set[string]; -type bro_table: table[string] of count; -type bro_vector: vector of string; - -type bro_record : record { - a: string &optional; - b: string &default = "bee"; - c: count; -}; - -function comm_record_to_bro_record_recurse(it: opaque of Comm::RecordIterator, - rval: bro_record, - idx: count): bro_record - { - if ( Comm::record_iterator_last(it) ) - return rval; - - local field_value = Comm::record_iterator_value(it); - - if ( field_value?$d ) - switch ( idx ) { - case 0: - rval$a = Comm::refine_to_string(field_value); - break; - case 1: - rval$b = Comm::refine_to_string(field_value); - break; - case 2: - rval$c = Comm::refine_to_count(field_value); - break; - }; - - ++idx; - Comm::record_iterator_next(it); - return comm_record_to_bro_record_recurse(it, rval, idx); - } - -function comm_record_to_bro_record(d: Comm::Data): bro_record - { - return comm_record_to_bro_record_recurse(Comm::record_iterator(d), - bro_record($c = 0), 0); - } - -function -comm_set_to_bro_set_recurse(it: opaque of Comm::SetIterator, - rval: bro_set): bro_set - { - if ( Comm::set_iterator_last(it) ) - return rval; - - add rval[Comm::refine_to_string(Comm::set_iterator_value(it))]; - Comm::set_iterator_next(it); - return comm_set_to_bro_set_recurse(it, rval); - } - - -function comm_set_to_bro_set(d: Comm::Data): bro_set - { - return comm_set_to_bro_set_recurse(Comm::set_iterator(d), bro_set()); - } - -function -comm_table_to_bro_table_recurse(it: opaque of Comm::TableIterator, - rval: bro_table): bro_table - { - if ( Comm::table_iterator_last(it) ) - return rval; - - local item = Comm::table_iterator_value(it); - 
rval[Comm::refine_to_string(item$key)] = Comm::refine_to_count(item$val); - Comm::table_iterator_next(it); - return comm_table_to_bro_table_recurse(it, rval); - } - -function comm_table_to_bro_table(d: Comm::Data): bro_table - { - return comm_table_to_bro_table_recurse(Comm::table_iterator(d), - bro_table()); - } - -function comm_vector_to_bro_vector_recurse(it: opaque of Comm::VectorIterator, - rval: bro_vector): bro_vector - { - if ( Comm::vector_iterator_last(it) ) - return rval; - - rval[|rval|] = Comm::refine_to_string(Comm::vector_iterator_value(it)); - Comm::vector_iterator_next(it); - return comm_vector_to_bro_vector_recurse(it, rval); - } - -function comm_vector_to_bro_vector(d: Comm::Data): bro_vector - { - return comm_vector_to_bro_vector_recurse(Comm::vector_iterator(d), - bro_vector()); - } - -event bro_init() - { -Comm::enable(); - } - -global did_it = F; - -event new_connection(c: connection) - { -if ( did_it ) return; -did_it = T; -print Comm::data_type(Comm::data(T)); -print Comm::data_type(Comm::data(+1)); -print Comm::data_type(Comm::data(1)); -print Comm::data_type(Comm::data(1.1)); -print Comm::data_type(Comm::data("1 (how creative)")); -print Comm::data_type(Comm::data(1.1.1.1)); -print Comm::data_type(Comm::data(1.1.1.1/1)); -print Comm::data_type(Comm::data(1/udp)); -print Comm::data_type(Comm::data(double_to_time(1))); -print Comm::data_type(Comm::data(1sec)); -print Comm::data_type(Comm::data(Comm::BOOL)); -local s: bro_set = bro_set("one", "two", "three"); -local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3); -local v: bro_vector = bro_vector("zero", "one", "two"); -local r: bro_record = bro_record($c = 1); -print Comm::data_type(Comm::data(s)); -print Comm::data_type(Comm::data(t)); -print Comm::data_type(Comm::data(v)); -print Comm::data_type(Comm::data(r)); - -print "***************************"; - -print Comm::refine_to_bool(Comm::data(T)); -print Comm::refine_to_bool(Comm::data(F)); -print 
Comm::refine_to_int(Comm::data(+1)); -print Comm::refine_to_int(Comm::data(+0)); -print Comm::refine_to_int(Comm::data(-1)); -print Comm::refine_to_count(Comm::data(1)); -print Comm::refine_to_count(Comm::data(0)); -print Comm::refine_to_double(Comm::data(1.1)); -print Comm::refine_to_double(Comm::data(-11.1)); -print Comm::refine_to_string(Comm::data("hello")); -print Comm::refine_to_addr(Comm::data(1.2.3.4)); -print Comm::refine_to_subnet(Comm::data(192.168.1.1/16)); -print Comm::refine_to_port(Comm::data(22/tcp)); -print Comm::refine_to_time(Comm::data(double_to_time(42))); -print Comm::refine_to_interval(Comm::data(3min)); -print Comm::refine_to_enum_name(Comm::data(Comm::BOOL)); - -print "***************************"; - -local cs = Comm::data(s); -print comm_set_to_bro_set(cs); -cs = Comm::set_create(); -print Comm::set_size(cs); -print Comm::set_insert(cs, Comm::data("hi")); -print Comm::set_size(cs); -print Comm::set_contains(cs, Comm::data("hi")); -print Comm::set_contains(cs, Comm::data("bye")); -print Comm::set_insert(cs, Comm::data("bye")); -print Comm::set_size(cs); -print Comm::set_remove(cs, Comm::data("hi")); -print Comm::set_size(cs); -print Comm::set_remove(cs, Comm::data("hi")); -print comm_set_to_bro_set(cs); -Comm::set_clear(cs); -print Comm::set_size(cs); - -print "***************************"; - -local ct = Comm::data(t); -print comm_table_to_bro_table(ct); -ct = Comm::table_create(); -print Comm::table_size(ct); -print Comm::table_insert(ct, Comm::data("hi"), Comm::data(42)); -print Comm::table_size(ct); -print Comm::table_contains(ct, Comm::data("hi")); -print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("hi"))); -print Comm::table_contains(ct, Comm::data("bye")); -print Comm::table_insert(ct, Comm::data("bye"), Comm::data(7)); -print Comm::table_size(ct); -print Comm::table_insert(ct, Comm::data("bye"), Comm::data(37)); -print Comm::table_size(ct); -print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("bye"))); -print 
Comm::table_remove(ct, Comm::data("hi")); -print Comm::table_size(ct); - -print "***************************"; - -local cv = Comm::data(v); -print comm_vector_to_bro_vector(cv); -cv = Comm::vector_create(); -print Comm::vector_size(cv); -print Comm::vector_insert(cv, Comm::data("hi"), 0); -print Comm::vector_insert(cv, Comm::data("hello"), 1); -print Comm::vector_insert(cv, Comm::data("greetings"), 2); -print Comm::vector_insert(cv, Comm::data("salutations"), 1); -print comm_vector_to_bro_vector(cv); -print Comm::vector_size(cv); -print Comm::vector_replace(cv, Comm::data("bah"), 2); -print Comm::vector_lookup(cv, 2); -print Comm::vector_lookup(cv, 0); -print comm_vector_to_bro_vector(cv); -print Comm::vector_remove(cv, 2); -print comm_vector_to_bro_vector(cv); -print Comm::vector_size(cv); - -print "***************************"; - -local cr = Comm::data(r); -print comm_record_to_bro_record(cr); -r$a = "test"; -cr = Comm::data(r); -print comm_record_to_bro_record(cr); -r$b = "testagain"; -cr = Comm::data(r); -print comm_record_to_bro_record(cr); -cr = Comm::record_create(3); -print Comm::record_size(cr); -print Comm::record_assign(cr, Comm::data("hi"), 0); -print Comm::record_assign(cr, Comm::data("hello"), 1); -print Comm::record_assign(cr, Comm::data(37), 2); -print Comm::record_lookup(cr, 0); -print Comm::record_lookup(cr, 1); -print Comm::record_lookup(cr, 2); -print Comm::record_size(cr); -} From 991e4f5dc355a699fca1fb0b02b53ec2ec00321a Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Thu, 12 Mar 2015 15:46:17 -0700 Subject: [PATCH 183/711] DTLS working. The only thing that is missing is a signature to detect the protocol (it has no well-known port). Reassembly is kind of fidgety - at the moment we only support re-assembling one simultaneous message per direction (which looking at our test-traffic might not be a problem). And I am not quite sure if I got all cases correct... But - it works :) --- scripts/base/protocols/ssl/consts.bro | 7 + src/analyzer/protocol/ssl/CMakeLists.txt | 2 +- src/analyzer/protocol/ssl/DTLS.cc | 39 ++++- src/analyzer/protocol/ssl/DTLS.h | 9 +- src/analyzer/protocol/ssl/SSL.cc | 3 + src/analyzer/protocol/ssl/dtls-analyzer.pac | 148 ++++++++++++++++++ src/analyzer/protocol/ssl/dtls-protocol.pac | 40 +++-- src/analyzer/protocol/ssl/dtls.pac | 10 +- src/analyzer/protocol/ssl/ssl-defs.pac | 11 +- src/analyzer/protocol/ssl/ssl-protocol.pac | 4 +- .../protocol/ssl/tls-handshake-protocol.pac | 49 ++++-- .../scripts.base.protocols.ssl.dtls/ssl.log | 10 ++ .../scripts.base.protocols.ssl.dtls/x509.log | 10 ++ .../scripts/base/protocols/ssl/dtls.test | 5 + 14 files changed, 312 insertions(+), 35 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x509.log create mode 100644 testing/btest/scripts/base/protocols/ssl/dtls.test diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 3d115419d4..05559ee5d0 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -6,6 +6,11 @@ export { const TLSv10 = 0x0301; const TLSv11 = 0x0302; const TLSv12 = 0x0303; + + const DTLSv10 = 0xFEFF; + # DTLSv11 does not exist + const DTLSv12 = 0xFEFD; + ## Mapping between the constants and string values for SSL/TLS versions. const version_strings: table[count] of string = { [SSLv2] = "SSLv2", 
@@ -13,6 +18,8 @@ export { [TLSv10] = "TLSv10", [TLSv11] = "TLSv11", [TLSv12] = "TLSv12", + [DTLSv10] = "DTLSv10", + [DTLSv12] = "DTLSv12" } &default=function(i: count):string { return fmt("unknown-%d", i); }; ## TLS content types: diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index fab0d30f07..f69b7354e3 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -6,7 +6,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro SSL) bro_plugin_cc(SSL.cc Plugin_SSL.cc) bro_plugin_bif(events.bif) -bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac) +bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac) bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/ssl/DTLS.cc b/src/analyzer/protocol/ssl/DTLS.cc index 7c49dba439..c90e414031 100644 --- a/src/analyzer/protocol/ssl/DTLS.cc +++ b/src/analyzer/protocol/ssl/DTLS.cc 
@@ -5,28 +5,61 @@
 #include "events.bif.h"
+#include "dtls_pac.h"
+#include "tls-handshake_pac.h"
+
 using namespace analyzer::dtls;
 DTLS_Analyzer::DTLS_Analyzer(Connection* c) : analyzer::Analyzer("DTLS", c)
 {
 interp = new binpac::DTLS::SSL_Conn(this);
- fprintf(stderr, "Instantiated :)\n");
+ handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this);
 }
 DTLS_Analyzer::~DTLS_Analyzer()
 {
 delete interp;
+ delete handshake_interp;
 }
 void DTLS_Analyzer::Done()
 {
- Analyzer::Done();
+ Analyzer::Done();
+ interp->FlowEOF(true);
+ interp->FlowEOF(false);
+ handshake_interp->FlowEOF(true);
+ handshake_interp->FlowEOF(false);
 }
 void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 {
 Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
- fprintf(stderr, "Delivered packet :)\n");
 interp->NewData(orig, data, data + len);
 }
+
+void DTLS_Analyzer::EndOfData(bool is_orig)
+ {
+ Analyzer::EndOfData(is_orig);
+ interp->FlowEOF(is_orig);
+ handshake_interp->FlowEOF(is_orig);
+ }
+
+
+void DTLS_Analyzer::SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig)
+ {
+ try
+ {
+ handshake_interp->NewData(orig, (const unsigned char*) &msg_type, (const unsigned char*) &msg_type + 1);
+ uint32 host_length = htonl(length);
+ // the parser inspects a uint24 - since it is big-endian, it should be ok to just skip
+ // the first byte of the uint32. Since we get the data from an uint24 from the dtls-parser, this should
+ // always yield the correct result.
+ handshake_interp->NewData(orig, (const unsigned char*) &host_length + 1, (const unsigned char*) &host_length + sizeof(host_length));
+ handshake_interp->NewData(orig, begin, end);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
+ }
diff --git a/src/analyzer/protocol/ssl/DTLS.h b/src/analyzer/protocol/ssl/DTLS.h
index c45a311c8c..6611a6974e 100644
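Review bot: DeliverPacket hands the datagram to `interp->NewData(orig, data, data + len)` without the try/catch that SendHandshake uses further down, so a binpac::Exception raised while parsing a malformed record propagates out of the analyzer instead of becoming a ProtocolViolation; unless something above this analyzer catches it, that is a crash path driven purely by packet contents. Wrap the call the same way SendHandshake does: `try { interp->NewData(orig, data, data + len); } catch ( const binpac::Exception& e ) { ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); }`. In SendHandshake, `host_length` holds the htonl() result, i.e. the value in network byte order; naming it `net_length` would match the comment explaining why its first byte is skipped.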
--- a/src/analyzer/protocol/ssl/DTLS.h +++ b/src/analyzer/protocol/ssl/DTLS.h @@ -4,7 +4,10 @@ #include "events.bif.h" #include "analyzer/protocol/udp/UDP.h" -#include "dtls_pac.h" + +namespace binpac { namespace DTLS { class SSL_Conn; } } + +namespace binpac { namespace TLSHandshake { class Handshake_Conn; } } namespace analyzer { namespace dtls { @@ -17,6 +20,9 @@ public: virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen); + virtual void EndOfData(bool is_orig); + + void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig); static analyzer::Analyzer* Instantiate(Connection* conn) @@ -24,6 +30,7 @@ public: protected: binpac::DTLS::SSL_Conn* interp; + binpac::TLSHandshake::Handshake_Conn* handshake_interp; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc index 71b7511716..d571439f19 100644 --- a/src/analyzer/protocol/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -30,12 +30,15 @@ void SSL_Analyzer::Done() interp->FlowEOF(true); interp->FlowEOF(false); + handshake_interp->FlowEOF(true); + handshake_interp->FlowEOF(false); } void SSL_Analyzer::EndpointEOF(bool is_orig) { tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); + handshake_interp->FlowEOF(is_orig); } void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) diff --git a/src/analyzer/protocol/ssl/dtls-analyzer.pac b/src/analyzer/protocol/ssl/dtls-analyzer.pac index 139597f9cb..f4c2df9e3f 100644 --- a/src/analyzer/protocol/ssl/dtls-analyzer.pac +++ b/src/analyzer/protocol/ssl/dtls-analyzer.pac 
@@ -1,2 +1,150 @@
+refine connection SSL_Conn += {
+
+ %member{
+
+ struct message_info {
+ uint64 message_first_sequence; // the minumum dtls sequence number for this handshake fragment
+ bool first_sequence_seen; // did we actually see the fragment with the smallest number
+ uint64 message_last_sequence; // the mazimum dtls sequence number for this handshake fragment
+ uint16 message_handshake_sequence; // the handshake sequence number of this handshake (to identify)
+ uint32 message_length; // data length of this handshake (data in buffer)
+ uint32 message_sequence_seen; // a bitfield that shows which sequence numbers we already saw, offset from first_seq.
+ u_char* buffer;
+ } server, client;
+ %}
+
+ %init{
+ memset(&server, 0, sizeof(server));
+ memset(&client, 0, sizeof(client));
+ %}
+
+ %cleanup{
+ delete [] server.buffer;
+ delete [] client.buffer;
+ %}
+
+ function proc_dtls(pdu: SSLRecord, sequence: uint64): bool
+ %{
+ //fprintf(stderr, "Type: %d, sequence number: %d, epoch: %d\n", ${pdu.content_type}, sequence, ${pdu.epoch});
+
+ return true;
+ %}
+
+ function proc_handshake(pdu: SSLRecord, rec: Handshake): bool
+ %{
+ uint32 foffset = to_int()(${rec.fragment_offset});
+ uint32 flength = to_int()(${rec.fragment_length});
+ uint32 length = to_int()(${rec.length});
+ uint64 sequence_number = to_int()(${pdu.sequence_number});
+ //fprintf(stderr, "Handshake type: %d, length: %u, seq: %u, foffset: %u, flength: %u\n", ${rec.msg_type}, to_int()(${rec.length}), ${rec.message_seq}, to_int()(${rec.fragment_offset}), to_int()(${rec.fragment_length}));
+
+ if ( foffset == 0 && length == flength )
+ {
+ //fprintf(stderr, "Complete fragment, forwarding...\n");
+ bro_analyzer()->SendHandshake(${rec.msg_type}, length, ${rec.data}.begin(), ${rec.data}.end(), ${pdu.is_orig});
+ return true;
+ }
+
+ // if we fall through here, the message has to be reassembled. Let's first get the right info record...
+ message_info* i;
+ if ( ${pdu.is_orig} )
+ i = &client;
+ else
+ i = &server;
+
+ if ( length > MAX_DTLS_HANDSHAKE_RECORD )
+ {
+ bro_analyzer()->ProtocolViolation(fmt("DTLS record length %u larger than allowed maximum.", length));
+ return true;
+ }
+
+ if ( i->message_handshake_sequence != ${rec.message_seq} || i->message_length != length || i->buffer == 0 )
+ {
+ // cannot resume reassembling. Let's abandon the current data and try anew...
+ delete [] i->buffer;
+ memset(i, 0, sizeof(message_info));
+ i->message_handshake_sequence = ${rec.message_seq};
+ i->message_length = length;
+ i->buffer = new u_char[length];
+ // does not have to be the first sequence number - we cannot figure that out at this point. If it is not,
+ // we will fix that later...
+ i->message_first_sequence = sequence_number;
+ }
+
+ // if we arrive here, we are actually ready to resume.
+ if ( i->message_first_sequence > sequence_number )
+ {
+ if ( i->first_sequence_seen )
+ {
+ bro_analyzer()->ProtocolViolation("Saw second and different first message fragment for handshake.");
+ return true;
+ }
+ // first sequence number was incorrect, let's fix that.
+ uint64 diff = i->message_first_sequence - sequence_number;
+ i->message_sequence_seen = i->message_sequence_seen << diff;
+ i->message_first_sequence = sequence_number;
+ }
+
+ // if we have offset 0, we know the smallest number...
+ if ( foffset == 0 )
+ i->first_sequence_seen = true;
+
+ // check if we already saw the message
+ if ( ( i->message_sequence_seen & ( 1 << (sequence_number - i->message_first_sequence) ) ) != 0 )
+ return true; // do not handle same message fragment twice
+
+ // copy data from fragment to buffer
+ if ( ${rec.data}.length() != flength )
+ {
+ bro_analyzer()->ProtocolViolation(fmt("DTLS handshake record length does not match packet length"));
+ return true;
+ }
+
+ if ( foffset + flength > length )
+ {
+ bro_analyzer()->ProtocolViolation(fmt("DTLS handshake fragment trying to write past end of buffer"));
+ return true;
+ }
+
+ // store that we handled fragment
+ i->message_sequence_seen |= 1 << (sequence_number - i->message_first_sequence);
+ memcpy(i->buffer + foffset, ${rec.data}.data(), ${rec.data}.length());
+
+ //fprintf(stderr, "Copied to buffer offset %u length %u\n", foffset, ${rec.data}.length());
+
+ // store last fragment information if this is the last fragment...
+
+ // check if we saw all fragments so far. If yes, forward...
+ if ( foffset + flength == length )
+ i->message_last_sequence = sequence_number;
+
+ if ( i->message_last_sequence != 0 && i->first_sequence_seen )
+ {
+ uint64 total_length = i->message_last_sequence - i->message_first_sequence;
+ if ( total_length > 32 )
+ {
+ bro_analyzer()->ProtocolViolation(fmt("DTLS Message fragmented over more than 32 pieces. Cannot reassemble."));
+ return true;
+ }
+
+ if ( ( ~(i->message_sequence_seen) & ( ( 1<<(total_length+1) ) -1 ) ) == 0 )
+ {
+ //fprintf(stderr, "ALl fragments here. Total length %u\n", length);
+ bro_analyzer()->SendHandshake(${rec.msg_type}, length, i->buffer, i->buffer + length, ${pdu.is_orig});
+ }
+ }
+
+
+ return true;
+ %}
+};
+
+refine typeattr SSLRecord += &let {
+ proc: bool = $context.connection.proc_dtls(this, to_int()(sequence_number));
+};
+
+refine typeattr Handshake += &let {
+ proc: bool = $context.connection.proc_handshake(rec, this);
+};
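Review bot: The fragment index `sequence_number - i->message_first_sequence` is used as a shift count on the 32-bit `message_sequence_seen` (in the duplicate check and on the `|=` line) before anything bounds it; the `total_length > 32` check runs later and only once the last fragment has arrived, so a record whose sequence number is 32 or more past the first shifts a 32-bit value by ≥ 32, which is undefined behaviour and on common targets masks the shift count, letting a peer-chosen sequence number make the duplicate check answer wrongly. The same applies to `message_sequence_seen << diff` in the resequencing branch and to `1<<(total_length+1)` when total_length is 31. Compute the index once and reject it before either shift, `uint64 idx = sequence_number - i->message_first_sequence;` followed by `if ( idx >= 32 ) { bro_analyzer()->ProtocolViolation("DTLS handshake fragment sequence offset too large to reassemble."); return true; }`, shift `uint32(1)` rather than the int literal, and build the completeness mask from `uint64(1)` so the `> 32` check can become `>= 32` to match the 32 available bits. Since DTLS retransmissions carry fresh record sequence numbers, the index also grows across a retransmitted flight; resetting the `message_info` right after the reassembled SendHandshake call would keep a completed message from interacting with later fragments.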
diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac index 94cddf9cbc..6faa191d18 100644 --- a/src/analyzer/protocol/ssl/dtls-protocol.pac +++ b/src/analyzer/protocol/ssl/dtls-protocol.pac @@ -10,14 +10,27 @@ type DTLSPDU(is_orig: bool) = record { type SSLRecord(is_orig: bool) = record { content_type: uint8; version: uint16; +# the epoch signalizes that a changecipherspec message has been received. Hence, everything with +# an epoch > 0 should be encrypted epoch: uint16; sequence_number: uint48; length: uint16; - rec: PlaintextRecord(this)[] &length=length; -# data: bytestring &restofdata &transient; -} &byteorder = bigendian, - &let { - parse : bool = $context.connection.proc_dtls(this, to_int()(sequence_number)); + cont: case valid of { + true -> rec: RecordText(this)[] &length=length; + false -> swallow: bytestring &restofdata; + }; +} &byteorder = bigendian, &let { +# Do not parse body if packet version invalid + valid: bool = $context.connection.dtls_version_ok(version); +}; + +type RecordText(rec: SSLRecord) = case rec.epoch of { + 0 -> plaintext : PlaintextRecord(rec); + default -> ciphertext : CiphertextRecord(rec); +}; + +refine casetype PlaintextRecord += { + HANDSHAKE -> handshake : Handshake(rec); }; type Handshake(rec: SSLRecord) = record { 
@@ -26,15 +39,22 @@ type Handshake(rec: SSLRecord) = record { message_seq: uint16; fragment_offset: uint24; fragment_length: uint24; + data: bytestring &restofdata; } refine connection SSL_Conn += { - function proc_dtls(pdu: SSLRecord, sequence: uint64): bool - %{ - fprintf(stderr, "Type: %d, sequence number: %d, epoch: %d\n", ${pdu.content_type}, sequence, ${pdu.epoch}); + function dtls_version_ok(version: uint16): uint16 + %{ + switch ( version ) { + case DTLSv10: + case DTLSv12: + return true; - return true; - %} + default: + bro_analyzer()->ProtocolViolation(fmt("Invalid version in DTLS connection. Packet reported version: %d", version)); + return false; + } + %} }; diff --git a/src/analyzer/protocol/ssl/dtls.pac b/src/analyzer/protocol/ssl/dtls.pac index 50424f0d8c..b08dd61f8f 100644 --- a/src/analyzer/protocol/ssl/dtls.pac +++ b/src/analyzer/protocol/ssl/dtls.pac @@ -5,14 +5,21 @@ %extern{ #include "events.bif.h" + +namespace analyzer { namespace dtls { class DTLS_Analyzer; } } +typedef analyzer::dtls::DTLS_Analyzer* DTLSAnalyzer; + +#include "DTLS.h" %} +extern type DTLSAnalyzer; + analyzer DTLS withcontext { connection: SSL_Conn; flow: DTLS_Flow; }; -connection SSL_Conn(bro_analyzer: BroAnalyzer) { +connection SSL_Conn(bro_analyzer: DTLSAnalyzer) { upflow = DTLS_Flow(true); downflow = DTLS_Flow(false); }; @@ -21,7 +28,6 @@ connection SSL_Conn(bro_analyzer: BroAnalyzer) { %include dtls-protocol.pac flow DTLS_Flow(is_orig: bool) { -# flowunit = SSLRecord(is_orig) withcontext(connection, this); datagram = DTLSPDU(is_orig) withcontext(connection, this); } diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac index c29bbcbabe..aefc69a81c 100644 --- a/src/analyzer/protocol/ssl/ssl-defs.pac +++ b/src/analyzer/protocol/ssl/ssl-defs.pac @@ -71,6 +71,8 @@ function version_ok(vers : uint16) : bool case TLSv10: case TLSv11: case TLSv12: + case DTLSv10: + case DTLSv12: return true; default: 
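Review bot: `dtls_version_ok` is declared as returning `uint16`, but its body returns `true`/`false` and the `valid: bool` &let attribute added in the first hunk consumes it as a boolean; declare it `function dtls_version_ok(version: uint16): bool`. That also matches `version_ok(vers : uint16) : bool` in ssl-defs.pac, which this commit extends with the same two DTLS versions.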
@@ -86,6 +88,9 @@ using std::string; #include "events.bif.h" %} +# a maximum of 100k for one record seems safe +let MAX_DTLS_HANDSHAKE_RECORD: uint32 = 100000; + enum ContentType { CHANGE_CIPHER_SPEC = 20, ALERT = 21, @@ -106,7 +111,11 @@ enum SSLVersions { SSLv30 = 0x0300, TLSv10 = 0x0301, TLSv11 = 0x0302, - TLSv12 = 0x0303 + TLSv12 = 0x0303, + + DTLSv10 = 0xFEFF, +# DTLSv11 does not exist. + DTLSv12 = 0xFEFD }; enum SSLExtensions { diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index a90bd03868..7f9799e0bc 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -42,10 +42,8 @@ refine casetype PlaintextRecord += { V2_SERVER_HELLO -> v2_server_hello : V2ServerHello(rec); }; +# Handshakes are parsed by the handshake analyzer. type Handshake(rec: SSLRecord) = record { -# msg_type: uint8; -# length: uint24; -# data: bytestring &length=to_int()(length); data: bytestring &restofdata; }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 296df5fb9d..b24352d099 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -6,6 +6,7 @@ enum HandshakeType { HELLO_REQUEST = 0, CLIENT_HELLO = 1, SERVER_HELLO = 2, + HELLO_VERIFY_REQUEST = 3, # DTLS SESSION_TICKET = 4, # RFC 5077 CERTIFICATE = 11, SERVER_KEY_EXCHANGE = 12, 
@@ -30,20 +31,21 @@ type HandshakeRecord(is_orig: bool) = record { } &length=(to_int()(msg_length) + 4); type Handshake(rec: HandshakeRecord) = case rec.msg_type of { - HELLO_REQUEST -> hello_request : HelloRequest(rec); - CLIENT_HELLO -> client_hello : ClientHello(rec); - SERVER_HELLO -> server_hello : ServerHello(rec); - SESSION_TICKET -> session_ticket : SessionTicketHandshake(rec); - CERTIFICATE -> certificate : Certificate(rec); - SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(rec); - CERTIFICATE_REQUEST -> certificate_request : CertificateRequest(rec); - SERVER_HELLO_DONE -> server_hello_done : ServerHelloDone(rec); - CERTIFICATE_VERIFY -> certificate_verify : CertificateVerify(rec); - CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec); - FINISHED -> finished : Finished(rec); - CERTIFICATE_URL -> certificate_url : bytestring &restofdata &transient; - CERTIFICATE_STATUS -> certificate_status : CertificateStatus(rec); - default -> unknown_handshake : UnknownHandshake(rec, rec.is_orig); + HELLO_REQUEST -> hello_request : HelloRequest(rec); + CLIENT_HELLO -> client_hello : ClientHello(rec); + SERVER_HELLO -> server_hello : ServerHello(rec); + HELLO_VERIFY_REQUEST -> hello_verify_request : HelloVerifyRequest(rec); + SESSION_TICKET -> session_ticket : SessionTicketHandshake(rec); + CERTIFICATE -> certificate : Certificate(rec); + SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(rec); + CERTIFICATE_REQUEST -> certificate_request : CertificateRequest(rec); + SERVER_HELLO_DONE -> server_hello_done : ServerHelloDone(rec); + CERTIFICATE_VERIFY -> certificate_verify : CertificateVerify(rec); + CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec); + FINISHED -> finished : Finished(rec); + CERTIFICATE_URL -> certificate_url : bytestring &restofdata &transient; + CERTIFICATE_STATUS -> certificate_status : CertificateStatus(rec); + default -> unknown_handshake : UnknownHandshake(rec, rec.is_orig); } type 
HandshakePDU(is_orig: bool) = record { @@ -72,6 +74,10 @@ type ClientHello(rec: HandshakeRecord) = record { random_bytes : bytestring &length = 28; session_len : uint8; session_id : uint8[session_len]; + dtls_cookie: case client_version of { + DTLSv10 -> cookie: ClientHelloCookie(rec); + default -> nothing: bytestring &length=0; + }; csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0); csuits : uint16[csuit_len/2]; cmeth_len : uint8 &check(cmeth_len > 0); @@ -82,6 +88,11 @@ type ClientHello(rec: HandshakeRecord) = record { extensions : SSLExtension(rec)[] &until($input.length() == 0); }; +type ClientHelloCookie(rec: HandshakeRecord) = record { + cookie_len : uint8; + cookie : bytestring &length = cookie_len; +}; + ###################################################################### # V3 Server Hello (7.4.1.3.) ###################################################################### @@ -103,6 +114,16 @@ type ServerHello(rec: HandshakeRecord) = record { $context.connection.set_cipher(cipher_suite[0]); }; +###################################################################### +# DTLS Hello Verify Request +###################################################################### + +type HelloVerifyRequest(rec: HandshakeRecord) = record { + version: uint16; + cookie_length: uint8; + cookie: bytestring &length=cookie_length; +}; + ###################################################################### # V3 Server Certificate (7.4.2.) ###################################################################### diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl.log new file mode 100644 index 0000000000..cd9d04e020 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl.log 
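Review bot: The new `dtls_cookie` case in ClientHello matches only `DTLSv10`, but a DTLS 1.2 ClientHello carries the same cookie field, so a client advertising `DTLSv12` (the constant this commit adds to ssl-defs.pac) falls into the `nothing` branch and its cookie bytes are consumed as `csuit_len`/`csuits`, after which the `&check` on csuit_len or the cipher-suite list will be wrong. Add `DTLSv12 -> cookie: ClientHelloCookie(rec);` next to the DTLSv10 arm. The ClientHello record starts before this hunk.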
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2015-03-12-22-40-14 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1425932016.520157 CXWv6p3arKYeMETxOg 192.168.6.86 63721 104.236.167.107 4433 DTLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FZi2Ct2AcCswhiIjKe (empty) CN=bro CN=bro - - +#close 2015-03-12-22-40-14 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x509.log new file mode 100644 index 0000000000..290c5bfb49 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x509.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2015-03-12-22-40-14 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1425932016.611299 FZi2Ct2AcCswhiIjKe 3 E8E48E456C32945F CN=bro CN=bro 1425931873.000000 1457467873.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T - +#close 2015-03-12-22-40-14 
diff --git a/testing/btest/scripts/base/protocols/ssl/dtls.test b/testing/btest/scripts/base/protocols/ssl/dtls.test new file mode 100644 index 0000000000..46b74d2b78 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/dtls.test @@ -0,0 +1,5 @@ +# This tests a normal SSL connection and the log it outputs. + +# @TEST-EXEC: bro -r $TRACES/tls/dtls-openssl.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: btest-diff x509.log From 88beb3127099f24ca0023d437581f25deaac56fb Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 12 Mar 2015 16:09:10 -0700 Subject: [PATCH 184/711] Only force logging of SSL if it actually was the SSL analyzer that failed. --- scripts/base/protocols/ssl/main.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index d2b0332756..2b448fec6c 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -282,6 +282,6 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5 { - if ( c?$ssl ) + if ( c?$ssl && atype == Analyzer::ANALYZER_SSL ) finish(c, T); } From 51010eccd4d2746571ae95979a6058d8ee29b3da Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 13 Mar 2015 13:00:29 -0500 Subject: [PATCH 185/711] Add Connection class getter methods for flow labels. BIT-1309 #close --- src/Conn.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Conn.h b/src/Conn.h index 966c77a9f8..20e60d2617 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -263,6 +263,9 @@ public: void CheckFlowLabel(bool is_orig, uint32 flow_label); + uint32 GetOrigFlowLabel() { return orig_flow_label; } + uint32 GetRespFlowLabel() { return resp_flow_label; } + protected: Connection() { persistent = 0; } From 6fbceb6a987ebbee0321712217f7c4e4d5e52a48 Mon Sep 17 00:00:00 2001 
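Review bot: The header comment of the new test says it exercises a normal SSL connection, while its @TEST-EXEC line replays a DTLS trace and diffs the DTLS baselines; `# This tests a DTLS connection and the logs it outputs.` describes it accurately.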
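Review bot: With the condition narrowed to `atype == Analyzer::ANALYZER_SSL`, a violation reported by the DTLS analyzer on a connection that already has `c?$ssl` no longer forces the record out through finish(c, T). If that is intended for DTLS, a one-line comment above the condition saying so would prevent the next reader from re-adding it; otherwise the DTLS analyzer's tag (presumably the one derived from the "DTLS" analyzer name; confirm the enum) should be accepted alongside ANALYZER_SSL.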
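Review bot: The two added getters only read `orig_flow_label` and `resp_flow_label` yet are not const-qualified, so they cannot be called through a `const Connection*` or `const Connection&`; declare them `uint32 GetOrigFlowLabel() const { return orig_flow_label; }` and `uint32 GetRespFlowLabel() const { return resp_flow_label; }`.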
From: Jon Siwek Date: Fri, 13 Mar 2015 13:01:57 -0500 Subject: [PATCH 186/711] Identify GRE tunnels as Tunnel::GRE, not Tunnel::IP. BIT-1311 #close --- NEWS | 3 +++ src/Sessions.cc | 6 +++++- src/TunnelEncapsulation.h | 9 ++++++--- src/types.bif | 1 + .../btest/Baseline/core.tunnels.gre-in-gre/tunnel.log | 4 ++-- testing/btest/Baseline/core.tunnels.gre/tunnel.log | 2 +- 6 files changed, 18 insertions(+), 7 deletions(-) diff --git a/NEWS b/NEWS index 50e5ddd265..981af20370 100644 --- a/NEWS +++ b/NEWS @@ -94,6 +94,9 @@ Changed Functionality - conn.log gained a new field local_resp that works like local_orig, just for the responder address of the connection. +- GRE tunnels are now identified as ``Tunnel::GRE`` instead of + ``Tunnel::IP``. + - [TODO] Add changed BroControl features. Deprecated Functionality diff --git a/src/Sessions.cc b/src/Sessions.cc index ffc2baf944..086216e93d 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -466,6 +466,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, id.src_addr = ip_hdr->SrcAddr(); id.dst_addr = ip_hdr->DstAddr(); Dictionary* d = 0; + BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::IP; switch ( proto ) { case IPPROTO_TCP: @@ -606,6 +607,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, // Treat GRE tunnel like IP tunnels, fallthrough to logic below now // that GRE header is stripped and only payload packet remains. + // The only thing different is the tunnel type enum value to use. + tunnel_type = BifEnum::Tunnel::GRE; } case IPPROTO_IPV4: @@ -653,7 +656,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, if ( it == ip_tunnels.end() ) { - EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr()); + EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), + tunnel_type); ip_tunnels[tunnel_idx] = TunnelActivity(ec, network_time); timer_mgr->Add(new IPTunnelTimer(network_time, tunnel_idx)); } 
diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h index 23f8966ee7..419a3000b4 100644 --- a/src/TunnelEncapsulation.h +++ b/src/TunnelEncapsulation.h @@ -37,10 +37,12 @@ public: * * @param s The tunnel source address, likely taken from an IP header. * @param d The tunnel destination address, likely taken from an IP header. + * @param t The type of IP tunnel. */ - EncapsulatingConn(const IPAddr& s, const IPAddr& d) + EncapsulatingConn(const IPAddr& s, const IPAddr& d, + BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP) : src_addr(s), dst_addr(d), src_port(0), dst_port(0), - proto(TRANSPORT_UNKNOWN), type(BifEnum::Tunnel::IP), + proto(TRANSPORT_UNKNOWN), type(t), uid(Bro::UID(bits_per_uid)) { } @@ -85,7 +87,8 @@ public: if ( ec1.type != ec2.type ) return false; - if ( ec1.type == BifEnum::Tunnel::IP ) + if ( ec1.type == BifEnum::Tunnel::IP || + ec1.type == BifEnum::Tunnel::GRE ) // Reversing endpoints is still same tunnel. return ec1.uid == ec2.uid && ec1.proto == ec2.proto && ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) || diff --git a/src/types.bif b/src/types.bif index 99df67c9d5..73443a3fd7 100644 --- a/src/types.bif +++ b/src/types.bif @@ -172,6 +172,7 @@ enum Type %{ SOCKS, GTPv1, HTTP, + GRE, %} type EncapsulatingConn: record; diff --git a/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log index 277d1df679..ad7154d756 100644 --- a/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log +++ b/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log 
@@ -6,6 +6,6 @@
 #open 2014-01-16-21-51-36
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
 #types time string addr port addr port enum enum
-1341436424.204043 CXWv6p3arKYeMETxOg 72.205.54.70 0 86.106.164.150 0 Tunnel::IP Tunnel::DISCOVER
-1341436424.204043 CjhGID4nQcgTWjvg4c 10.10.11.2 0 10.10.13.2 0 Tunnel::IP Tunnel::DISCOVER
+1341436424.204043 CXWv6p3arKYeMETxOg 72.205.54.70 0 86.106.164.150 0 Tunnel::GRE Tunnel::DISCOVER
+1341436424.204043 CjhGID4nQcgTWjvg4c 10.10.11.2 0 10.10.13.2 0 Tunnel::GRE Tunnel::DISCOVER
 #close 2014-01-16-21-51-36
diff --git a/testing/btest/Baseline/core.tunnels.gre/tunnel.log b/testing/btest/Baseline/core.tunnels.gre/tunnel.log
index f0d87f4964..066e1fe151 100644
--- a/testing/btest/Baseline/core.tunnels.gre/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gre/tunnel.log
@@ -6,5 +6,5 @@
 #open 2014-01-16-21-51-12
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
 #types time string addr port addr port enum enum
-1055289968.793044 CXWv6p3arKYeMETxOg 172.27.1.66 0 66.59.109.137 0 Tunnel::IP Tunnel::DISCOVER
+1055289968.793044 CXWv6p3arKYeMETxOg 172.27.1.66 0 66.59.109.137 0 Tunnel::GRE Tunnel::DISCOVER
 #close 2014-01-16-21-51-12
From 0b957cbe752df7773dad0d5549e9654f92e18cf9 Mon Sep 17 00:00:00 2001
From: Jon Siwek Date: Fri, 13 Mar 2015 14:16:04 -0500 Subject: [PATCH 187/711] Include timestamp in default extracted file names. And add a policy script to extract all files. BIT-1335 #close --- CHANGES | 11 +++++++++ NEWS | 3 +++ VERSION | 2 +- scripts/base/files/extract/main.bro | 3 ++- .../frameworks/files/extract-all-files.bro | 8 +++++++ scripts/test-all-policy.bro | 1 + testing/btest/Baseline/plugins.hooks/output | 24 +++++++++---------- .../policy/frameworks/files/extract-all.bro | 2 ++ 8 files changed, 40 insertions(+), 14 deletions(-) create mode 100644 scripts/policy/frameworks/files/extract-all-files.bro create mode 100644 testing/btest/scripts/policy/frameworks/files/extract-all.bro diff --git a/CHANGES b/CHANGES index 926b30c9c0..84f64034ea 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,15 @@ +2.3-539 | 2015-03-13 14:19:27 -0500 + + * BIT-1335: Include timestamp in default extracted file names. + And add a policy script to extract all files. (Jon Siwek) + + * BIT-1311: Identify GRE tunnels as Tunnel::GRE, not Tunnel::IP. + (Jon Siwek) + + * BIT-1309: Add Connection class getter methods for flow labels. + (Jon Siwek) + 2.3-536 | 2015-03-12 16:16:24 -0500 * Fix Broker leak tests. (Jon Siwek) diff --git a/NEWS b/NEWS index 981af20370..4d1539b33c 100644 --- a/NEWS +++ b/NEWS @@ -97,6 +97,9 @@ Changed Functionality - GRE tunnels are now identified as ``Tunnel::GRE`` instead of ``Tunnel::IP``. +- The default name for extracted files changed from extract-protocol-id + to extract-timestamp-protocol-id. + - [TODO] Add changed BroControl features. Deprecated Functionality diff --git a/VERSION b/VERSION index c168eac2bd..64cd9fa66f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-536 +2.3-539 diff --git a/scripts/base/files/extract/main.bro b/scripts/base/files/extract/main.bro index 765263a4d8..7f68a8bcce 100644 --- a/scripts/base/files/extract/main.bro +++ b/scripts/base/files/extract/main.bro 
@@ -53,7 +53,8 @@ function set_limit(f: fa_file, args: Files::AnalyzerArgs, n: count): bool function on_add(f: fa_file, args: Files::AnalyzerArgs) { if ( ! args?$extract_filename ) - args$extract_filename = cat("extract-", f$source, "-", f$id); + args$extract_filename = cat("extract-", f$last_active, "-", f$source, + "-", f$id); f$info$extracted = args$extract_filename; args$extract_filename = build_path_compressed(prefix, args$extract_filename); diff --git a/scripts/policy/frameworks/files/extract-all-files.bro b/scripts/policy/frameworks/files/extract-all-files.bro new file mode 100644 index 0000000000..7bd7b300e9 --- /dev/null +++ b/scripts/policy/frameworks/files/extract-all-files.bro @@ -0,0 +1,8 @@ +##! Extract all files to disk. + +@load base/files/extract + +event file_new(f: fa_file) + { + Files::add_analyzer(f, Files::ANALYZER_EXTRACT); + } diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 0fb74f91cf..dc85986172 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -28,6 +28,7 @@ @load frameworks/intel/seen/where-locations.bro @load frameworks/intel/seen/x509.bro @load frameworks/files/detect-MHR.bro +#@load frameworks/files/extract-all-files.bro @load frameworks/files/hash-all-files.bro @load frameworks/packet-filter/shunt.bro @load frameworks/software/version-changes.bro diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 6956f013bc..63f0a87742 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
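Review bot: The timestamp folded into the default name is `f$last_active`, which is the file's most recent activity at the moment the analyzer is attached, so the same file gets a different name depending on when `add_analyzer` runs and the name will not line up with the `ts` column of files.log; `f$info$ts` (presumably the first-seen time, reachable here since `on_add` already uses `f$info`) looks like the intended value: `args$extract_filename = cat("extract-", f$info$ts, "-", f$source, "-", f$id);`. The NEWS entry says only "timestamp" without naming which one, so whichever is chosen should be stated there. `on_add` continues past the end of the hunk.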
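Review bot: The `##!` header of the new policy script should say what loading it costs, because `file_new` attaches the extract analyzer to every file and sets no size bound of its own: something like `##! Extract all files to disk. Every file observed is written under FileExtract::prefix, so disk use is unbounded unless a per-file limit is set via FileExtract::set_limit.` The commented-out `#@load` added to test-all-policy.bro suggests the authors consider it too heavy to run by default, which is worth stating in the header as well.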
@@ -124,7 +124,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> -0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> +0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, 
HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> @@ -192,7 +192,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -286,8 +286,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -> -0.000000 MetaHookPost CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> 
@@ -669,7 +669,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) -0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) +0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, 
HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) @@ -737,7 +737,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 
@@ -831,8 +831,8 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql])) -0.000000 MetaHookPre CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::default_path_func, , (PacketFilter::LOG, , [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) 
@@ -1213,7 +1213,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) 0.000000 | HookCallFunction Cluster::is_enabled() -0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}) +0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, 
HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]) @@ -1281,7 +1281,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1375,8 +1375,8 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql]) -0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Notice::want_pp() 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) diff --git a/testing/btest/scripts/policy/frameworks/files/extract-all.bro b/testing/btest/scripts/policy/frameworks/files/extract-all.bro new file mode 100644 index 0000000000..f54b2e299d --- /dev/null +++ b/testing/btest/scripts/policy/frameworks/files/extract-all.bro @@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -r $TRACES/http/get.trace frameworks/files/extract-all-files +# @TEST-EXEC: grep -q EXTRACT files.log From 46f7d238889af63dedf86f6db45caabb1396386f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 13 Mar 2015 14:53:11 -0500 Subject: [PATCH 188/711] Fix Broxygen coverage. --- scripts/broxygen/__load__.bro | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/broxygen/__load__.bro b/scripts/broxygen/__load__.bro index 8db4a7c1b8..3b78ba8619 100644 --- a/scripts/broxygen/__load__.bro +++ b/scripts/broxygen/__load__.bro 
@@ -5,6 +5,7 @@ @load frameworks/communication/listen.bro @load frameworks/control/controllee.bro @load frameworks/control/controller.bro +@load frameworks/files/extract-all-files.bro @load policy/misc/dump-events.bro @load ./example.bro From 778b37b5d0cf3612ebbedeb3cb90e9d18fa4adc9 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 13 Mar 2015 14:54:46 -0500 Subject: [PATCH 189/711] Deprecate &rotate_interval, &rotate_size, &encrypt, &mergeable. Addresses BIT-1305. --- doc/script-reference/attributes.rst | 7 ------ src/scan.l | 35 ++++++++++++++++++++++++----- 2 files changed, 29 insertions(+), 13 deletions(-) diff --git a/doc/script-reference/attributes.rst b/doc/script-reference/attributes.rst index ef6c6a54a1..40646f64f4 100644 --- a/doc/script-reference/attributes.rst +++ b/doc/script-reference/attributes.rst @@ -43,8 +43,6 @@ The Bro scripting language supports the following attributes. +-----------------------------+-----------------------------------------------+ | :bro:attr:`&mergeable` |Prefer set union for synchronized state. | +-----------------------------+-----------------------------------------------+ -| :bro:attr:`&group` |Group event handlers to activate/deactivate. | -+-----------------------------+-----------------------------------------------+ | :bro:attr:`&error_handler` |Used internally for reporter framework events. | +-----------------------------+-----------------------------------------------+ | :bro:attr:`&type_column` |Used by input framework for "port" type. | @@ -198,11 +196,6 @@ Here is a more detailed explanation of each attribute: inconsistencies and can be avoided by unifying the two sets, rather than merely overwriting the old value. -.. bro:attr:: &group - - Groups event handlers such that those in the same group can be - jointly activated or deactivated. - .. bro:attr:: &error_handler Internally set on the events that are associated with the reporter diff --git a/src/scan.l b/src/scan.l index b13215e4b8..896264581b 100644 
--- a/src/scan.l +++ b/src/scan.l @@ -56,6 +56,11 @@ char last_tok[128]; if ( ((result = fread(buf, 1, max_size, yyin)) == 0) && ferror(yyin) ) \ reporter->Error("read failed with \"%s\"", strerror(errno)); +static void deprecated_attr(const char* attr) + { + reporter->Warning("Use of deprecated attribute: %s", attr); + } + static string find_relative_file(const string& filename, const string& ext) { if ( filename.empty() ) @@ -263,20 +268,38 @@ when return TOK_WHEN; &delete_func return TOK_ATTR_DEL_FUNC; &deprecated return TOK_ATTR_DEPRECATED; &raw_output return TOK_ATTR_RAW_OUTPUT; -&encrypt return TOK_ATTR_ENCRYPT; +&encrypt { + deprecated_attr(yytext); + return TOK_ATTR_ENCRYPT; + } &error_handler return TOK_ATTR_ERROR_HANDLER; &expire_func return TOK_ATTR_EXPIRE_FUNC; &log return TOK_ATTR_LOG; -&mergeable return TOK_ATTR_MERGEABLE; +&mergeable { + deprecated_attr(yytext); + return TOK_ATTR_MERGEABLE; + } &optional return TOK_ATTR_OPTIONAL; -&persistent return TOK_ATTR_PERSISTENT; +&persistent { + //deprecated_attr(yytext); + return TOK_ATTR_PERSISTENT; + } &priority return TOK_ATTR_PRIORITY; &type_column return TOK_ATTR_TYPE_COLUMN; &read_expire return TOK_ATTR_EXPIRE_READ; &redef return TOK_ATTR_REDEF; -&rotate_interval return TOK_ATTR_ROTATE_INTERVAL; -&rotate_size return TOK_ATTR_ROTATE_SIZE; -&synchronized return TOK_ATTR_SYNCHRONIZED; +&rotate_interval { + deprecated_attr(yytext); + return TOK_ATTR_ROTATE_INTERVAL; + } +&rotate_size { + deprecated_attr(yytext); + return TOK_ATTR_ROTATE_SIZE; + } +&synchronized { + //deprecated_attr(yytext); + return TOK_ATTR_SYNCHRONIZED; + } &write_expire return TOK_ATTR_EXPIRE_WRITE; @DEBUG return TOK_DEBUG; // marks input for debugger From 5e2defebe5da4ba98b0dce5a1aa3460a999f4c0f Mon Sep 17 00:00:00 2001 
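Review bot: The `&persistent` and `&synchronized` rules are rewritten into brace blocks only to hold a commented-out `//deprecated_attr(yytext);`, which reads as dead code with no stated reason; either keep those two rules in the one-line form they had before, or replace the dead call with the reason, e.g. `// Not warned on yet; see BIT-1305.` `deprecated_attr` fires once per lexical occurrence, so a policy that uses `&synchronized` on many declarations will produce one warning per use once that line is enabled — remembering which attribute names have already been reported in the helper would keep the output readable. The attributes.rst hunk in the same commit removes the `&group` documentation, which the commit message does not mention and which is unrelated to the four attributes being deprecated.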
From: Jon Siwek Date: Fri, 13 Mar 2015 15:44:08 -0500 Subject: [PATCH 190/711] Make INSTALL a symlink to doc/install/install.rst BIT-1275 #close --- CHANGES | 6 ++++++ INSTALL | 4 +--- VERSION | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) mode change 100644 => 120000 INSTALL diff --git a/CHANGES b/CHANGES index 84f64034ea..d491a666e8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.3-541 | 2015-03-13 15:44:08 -0500 + + * Make INSTALL a symlink to doc/install/install.rst (Jon siwek) + + * Fix Broxygen coverage. (Jon Siwek) + 2.3-539 | 2015-03-13 14:19:27 -0500 * BIT-1335: Include timestamp in default extracted file names. diff --git a/INSTALL b/INSTALL deleted file mode 100644 index 385dac93df..0000000000 --- a/INSTALL +++ /dev/null @@ -1,3 +0,0 @@ - -See doc/install/install.rst for installation instructions. - diff --git a/INSTALL b/INSTALL new file mode 120000 index 0000000000..95fcc60eda --- /dev/null +++ b/INSTALL @@ -0,0 +1 @@ +doc/install/install.rst \ No newline at end of file diff --git a/VERSION b/VERSION index 64cd9fa66f..711f7a5631 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-539 +2.3-541 From ee3e885712ac84f13286a1e2a14ab080c5a537f0 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Fri, 13 Mar 2015 22:14:44 -0400 Subject: [PATCH 191/711] Lots of fixes for file type identification. - Plain text now identified with BOMs for UTF8,16,32 (even though 16 and 32 wouldn't get identified as plain text, oh-well) - X.509 certificates are now populating files.log with the mime type application/pkix-cert. - File signatures are split apart into file types to help group and organize signatures a bit better. - Normalized some FILE_ANALYSIS debug messages. - Improved Javascript detection. - Improved HTML detection. - Removed a bunch of bad signatures. - Merged a bunch of signatures that ultimately detected the same mime type. - Added detection for MS LNK files. - Added detection for cross-domain-policy XML files. - Added detection for SOAP envelopes. --- scripts/base/files/x509/main.bro | 3 + .../base/frameworks/files/magic/__load__.bro | 3 + .../base/frameworks/files/magic/archive.sig | 188 ++ .../base/frameworks/files/magic/general.sig | 138 +- scripts/base/frameworks/files/magic/image.sig | 178 ++ .../base/frameworks/files/magic/libmagic.sig | 1838 +---------------- .../base/frameworks/files/magic/msoffice.sig | 6 + scripts/base/frameworks/files/magic/video.sig | 218 ++ src/file_analysis/AnalyzerSet.cc | 36 +- src/file_analysis/File.cc | 6 +- src/file_analysis/Manager.cc | 6 +- .../Baseline/core.tunnels.teredo/http.log | 6 +- .../btest-doc.sphinx.mimestats#1 | 8 +- .../intel-all.log | 10 +- 14 files changed, 750 insertions(+), 1894 deletions(-) create mode 100644 scripts/base/frameworks/files/magic/archive.sig create mode 100644 scripts/base/frameworks/files/magic/image.sig create mode 100644 scripts/base/frameworks/files/magic/video.sig diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index 10445ad846..181607bf6c 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro 
@@ -47,6 +47,9 @@ redef record Files::Info += { event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5 { + if ( ! f$info?$mime_type ) + f$info$mime_type = "application/pkix-cert"; + f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref]; } diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.bro index c6ee799a53..df03616ec2 100644 --- a/scripts/base/frameworks/files/magic/__load__.bro +++ b/scripts/base/frameworks/files/magic/__load__.bro @@ -1,3 +1,6 @@ @load-sigs ./general +@load-sigs ./archive +@load-sigs ./image +@load-sigs ./video @load-sigs ./msoffice @load-sigs ./libmagic diff --git a/scripts/base/frameworks/files/magic/archive.sig b/scripts/base/frameworks/files/magic/archive.sig new file mode 100644 index 0000000000..d8cc727540 --- /dev/null +++ b/scripts/base/frameworks/files/magic/archive.sig 
@@ -0,0 +1,188 @@ +signature file-tar { + file-magic /^[[:print:]\x00]{100}([[:digit:]\x20]{7}\x00){3}([[:digit:]\x20]{11}\x00){2}([[:digit:]\x00\x20]{7}[\x20\x00])[0-7\x00]/ + file-mime "application/x-tar", 100 +} + +# This is low priority so that files using zip as a +# container will be identified correctly. +signature file-zip { + file-mime "application/zip", 10 + file-magic /^PK\x03\x04.{2}/ +} + +# Multivolume Zip archive +signature file-multi-zip { + file-mime "application/zip", 10 + file-magic /^PK\x07\x08PK\x03\x04/ +} + +signature file-rar { + file-mime "application/x-rar", 70 + file-magic /^Rar!/ +} + +signature file-gzip { + file-mime "application/x-gzip", 100 + file-magic /\x1f\x8b/ +} + +signature file-ms-cab { + file-mime "application/vnd.ms-cab-compressed", 110 + file-magic /^MSCF\x00\x00\x00\x00/ +} + +# Mac OS X DMG files +signature file-dmg { + file-magic /^(\x78\x01\x73\x0D\x62\x62\x60|\x78\xDA\x63\x60\x18\x05|\x78\x01\x63\x60\x18\x05|\x78\xDA\x73\x0D|\x78[\x01\xDA]\xED[\xD0-\xD9])/ + file-mime "application/x-dmg", 100 +} + +# XAR (eXtensible ARchive) format. +# Mac OS X uses this for the .pkg format. 
+signature file-xar { + file-magic /^xar\!/ + file-mime "application/x-xar", 100 +} + +# RPM +signature file-magic-auto352 { + file-mime "application/x-rpm", 70 + file-magic /^(drpm|\xed\xab\xee\xdb)/ +} + +signature file-stuffit { + file-mime "application/x-stuffit", 70 + file-magic /^(SIT\x21|StuffIt)/ +} + +signature file-x-archive { + file-mime "application/x-archive", 70 + file-magic /^!?/ +} + +# ARC archive data +signature file-arc { + file-mime "application/x-arc", 70 + file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})([\x02-\x0a\x14\x48]\x1a)/ +} + +# EET archive +signature file-eet { + file-mime "application/x-eet", 70 + file-magic /^\x1e\xe7\xff\x00/ +} + +# Zoo archive +signature file-zoo { + file-mime "application/x-zoo", 70 + file-magic /^.{20}\xdc\xa7\xc4\xfd/ +} + +# >0 lelong&,=407642370 (0x184c2102), ["LZ4 compressed data, legacy format"], swap_endian=0 +signature file-magic-auto382 { + file-mime "application/x-lz4", 70 + file-magic /(\x02\x21\x4c\x18)/ +} + +# >0 lelong&,=407708164 (0x184d2204), ["LZ4 compressed data"], swap_endian=0 +signature file-magic-auto383 { + file-mime "application/x-lz4", 70 + file-magic /(\x04\x22\x4d\x18)/ +} + +# >0 string,=LRZI (len=4), ["LRZIP compressed data"], swap_endian=0 +# >>5 byte&,x, [".%d"], swap_endian=0 +signature file-magic-auto384 { + file-mime "application/x-lrzip", 1 + file-magic /(LRZI)(.{1})(.{1})/ +} + +# >0 string,=LZIP (len=4), ["lzip compressed data"], swap_endian=0 +signature file-magic-auto386 { + file-mime 
"application/x-lzip", 70 + file-magic /(LZIP)/ +} + +# >0 string/b,=MZ (len=2), [""], swap_endian=0 +# >>30 string,=Copyright 1989-1990 PKWARE Inc. (len=31), ["Self-extracting PKZIP archive"], swap_endian=0 +signature file-magic-auto434 { + file-mime "application/zip", 340 + file-magic /(MZ)(.{28})(Copyright 1989\x2d1990 PKWARE Inc\x2e)/ +} + +# >0 string/b,=MZ (len=2), [""], swap_endian=0 +# >>30 string,=PKLITE Copr. (len=12), ["Self-extracting PKZIP archive"], swap_endian=0 +signature file-magic-auto435 { + file-mime "application/zip", 150 + file-magic /(MZ)(.{28})(PKLITE Copr\x2e)/ +} + +# LHA archive (LZH) +signature file-lzh { + file-mime "application/x-lzh", 80 + file-magic /^.{2}-(lh[ abcdex0-9]|lz[s2-8]|lz[s2-8]|pm[s012]|pc1)-/ +} + +# >0 string,=WARC/ (len=5), ["WARC Archive"], swap_endian=0 +# >>5 string,x, ["version %.4s"], swap_endian=0 +signature file-magic-auto177 { + file-mime "application/warc", 1 + file-magic /(WARC\x2f)(.{0})/ +} + +# >0 string,=7z\274\257'\034 (len=6), ["7-zip archive data,"], swap_endian=0 +# >>7 byte&,x, [".%d"], swap_endian=0 +signature file-magic-auto150 { + file-mime "application/x-7z-compressed", 1 + file-magic /(7z\xbc\xaf\x27\x1c)(.{1})(.{1})/ +} + +# >0 ustring,=\3757zXZ\000 (len=6), ["XZ compressed data"], swap_endian=0 +signature file-magic-auto151 { + file-mime "application/x-xz", 90 + file-magic /(\xfd7zXZ\x00)/ +} +# >0 string/b,=MZ (len=2), [""], swap_endian=0 +# >>36 string,=LHa's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0 +signature file-magic-auto436 { + file-mime "application/x-lha", 120 + file-magic /(MZ)(.{34})(LHa\x27s SFX)/ +} + +# >0 string/b,=MZ (len=2), [""], swap_endian=0 +# >>36 string,=LHA's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0 +signature file-magic-auto437 { + file-mime "application/x-lha", 120 + file-magic /(MZ)(.{34})(LHA\x27s SFX)/ +} + +# >0 leshort&,=-5536 (0xea60), ["ARJ archive data"], swap_endian=0 +signature file-magic-auto467 { + file-mime 
"application/x-arj", 50 + file-magic /(\x60\xea)/ +} + +# >0 short&,=-14479 (0xc771), ["byte-swapped cpio archive"], swap_endian=0 +signature file-magic-auto479 { + file-mime "application/x-cpio", 50 + file-magic /((\x71\xc7)|(\xc7\x71))/ +} + +# >0 short&,=29127 (0x71c7), ["cpio archive"], swap_endian=0 +signature file-magic-auto480 { + file-mime "application/x-cpio", 50 + file-magic /((\xc7\x71)|(\x71\xc7))/ +} + +# >0 string,=\037\235 (len=2), ["compress'd data"], swap_endian=0 +signature file-magic-auto500 { + file-mime "application/x-compress", 50 + file-magic /(\x1f\x9d)/ +} + +# >0 lelong&00ffffff,=93 (0x0000005d), [""], swap_endian=0 +signature file-magic-auto218 { + file-mime "application/x-lzma", 71 + file-magic /(\x5d\x00\x00.)/ +} + diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index 500c4f7be0..e673fc86b6 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig 
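Review bot: Several of the libmagic-derived patterns in this new file are not anchored with `^`, unlike `file-tar`, `file-zip` and the other hand-written ones, so a two- to four-byte sequence such as `\x1f\x8b` (`file-gzip`, priority 100), `\x60\xea` (ARJ), the cpio shorts, `\x1f\x9d` (compress) or `\x5d\x00\x00.` (LZMA) matches wherever it occurs in the inspected bytes and will misidentify unrelated binaries; libmagic's offset-0 tests were implicit anchors, so each of these should read e.g. `file-magic /^\x1f\x8b/`. `file-x-archive` as printed is `/^!?/`, which matches the empty string and therefore every file at priority 70 — if the angle-bracketed `<arch>` literal was lost in rendering this is an artifact, otherwise the pattern must be the full ar header `^!<arch>\n`. Minor: `file-lzh` repeats the `lz[s2-8]` alternative and `file-magic-auto177` ends with a no-op `(.{0})`.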
@@ -1,18 +1,51 @@ # General purpose file magic signatures. +# Plaintext +# (Including BOMs for UTF-8, 16, and 32) signature file-plaintext { - file-magic /^([[:print:][:space:]]{10})/ - file-mime "text/plain", -20 + file-magic /^(\xef\xbb\xbf|(\x00\x00)?\xfe\xff|\xff\xfe(\x00\x00)?)?[[:space:]\x20-\x7E]{10}/ + file-mime "text/plain", -20 } -signature file-tar { - file-magic /^[[:print:]\x00]{100}([[:digit:]\x20]{7}\x00){3}([[:digit:]\x20]{11}\x00){2}([[:digit:]\x00\x20]{7}[\x20\x00])[0-7\x00]/ - file-mime "application/x-tar", 100 +signature file-xml { + file-mime "application/xml", 10 + file-magic /^[\x0d\x0a[:blank:]]*<\?xml / } -signature file-zip { - file-mime "application/zip", 10 - file-magic /^PK\x03\x04.{2}/ +signature file-xhtml { + file-mime "text/html", 100 + file-magic /^[\x0d\x0a[:blank:]]*<\?xml version[ =]['"].*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL])/ +} + +signature file-html { + file-mime "text/html", 49 + file-magic /^[\x0d\x0a[:blank:]]*)?/ +} + +signature file-javascript3 { + file-mime "application/javascript", 60 + # This seems to be a somewhat common idiom in javascript. + file-magic /^[\x0d\x0a[:blank:]]*for \(;;\);/ +} + +signature file-javascript4 { + file-mime "application/javascript", 60 + file-magic /^[\x0d\x0a[:blank:]]*document\.write(ln)?[:blank:]?\(/ +} + +signature file-javascript5 { + file-mime "application/javascript", 60 + file-magic /^\(function\(\)[[:blank:]\n]*\{/ +} + signature file-php { + file-mime "text/x-php", 60 + file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?php/ +} + +signature file-php2 { file-magic /^.*<\?php/ file-mime "text/x-php", 40 } 
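Review bot: The UTF-16 and UTF-32 BOM alternatives in the new file-plaintext pattern can never match real UTF-16/32 text, because the `[[:space:]\x20-\x7E]{10}` that follows rejects the `\x00` bytes that every ASCII code unit carries in those encodings, so the comment "Including BOMs for UTF-8, 16, and 32" overstates what the rule does. Only the `\xef\xbb\xbf` branch adds anything; either trim the pattern to `file-magic /^(\xef\xbb\xbf)?[[:space:]\x20-\x7E]{10}/` and correct the comment, or give the wide encodings their own signature whose class admits `\x00` only after a BOM, e.g. `file-magic /^((\x00\x00)?\xfe\xff|\xff\xfe(\x00\x00)?)[[:space:]\x20-\x7E\x00]{10}/`, so that BOM-less binaries still fall through to other rules. Since text/plain at -20 is the fallback that decides whether a file gets any further analysis, a misclassification here is not cosmetic. The file-html pattern appears garbled in this rendering, so I have not reviewed it.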
@@ -135,3 +191,23 @@ signature file-skp {
 file-magic /^\xFF\xFE\xFF\x0E\x53\x00\x6B\x00\x65\x00\x74\x00\x63\x00\x68\x00\x55\x00\x70\x00\x20\x00\x4D\x00\x6F\x00\x64\x00\x65\x00\x6C\x00/
 file-mime "application/skp", 100
 }
+
+signature file-elf-object {
+ file-mime "application/x-object", 50
+ file-magic /\x7fELF[\x01\x02](\x01.{10}\x01\x00|\x02.{10}\x00\x01)/
+}
+
+signature file-elf {
+ file-mime "application/x-executable", 50
+ file-magic /\x7fELF[\x01\x02](\x01.{10}\x02\x00|\x02.{10}\x00\x02)/
+}
+
+signature file-elf-sharedlib {
+ file-mime "application/x-sharedlib", 50
+ file-magic /\x7fELF[\x01\x02](\x01.{10}\x03\x00|\x02.{10}\x00\x03)/
+}
+
+signature file-elf-coredump {
+ file-mime "application/x-coredump", 50
+ file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/
+}
diff --git a/scripts/base/frameworks/files/magic/image.sig b/scripts/base/frameworks/files/magic/image.sig
new file mode 100644
index 0000000000..ad4e7bbbe1
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/image.sig
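Review bot: The four ELF patterns encode the header layout as opaque byte offsets, and nothing in the hunk explains what `[\x01\x02]`, `.{10}` or the trailing two bytes check; I would add above file-elf-object: `# \x7fELF, EI_CLASS (1=32-bit, 2=64-bit), EI_DATA (1=LE, 2=BE), ten bytes of EI_VERSION/EI_OSABI/EI_ABIVERSION/EI_PAD, then e_type at offset 16 in the byte order EI_DATA selects (1=REL, 2=EXEC, 3=DYN, 4=CORE).` The e_type value 3 matched by file-elf-sharedlib is also what position-independent executables carry, so such binaries will be tagged application/x-sharedlib rather than application/x-executable; that deserves a comment on the signature, and any policy keying on the executable MIME type should consider both. These patterns carry no `^` while most other new signatures in this change do; if file-magic patterns are not implicitly anchored, `\x7fELF` could match at an arbitrary offset, so a leading `^` would be safer and consistent either way.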
@@ -0,0 +1,178 @@ + +signature file-tiff { + file-mime "image/tiff", 70 + file-magic /^(MM\x00[\x2a\x2b]|II[\x2a\x2b]\x00)/ +} + +signature file-gif { + file-mime "image/gif", 70 + file-magic /^GIF8/ +} + + +# >0 beshort&,=-40 (0xffd8), ["JPEG image data"], swap_endian=0 +signature file-magic-auto427 { + file-mime "image/jpeg", 52 + file-magic /(\xff\xd8)/ +} + +signature file-bmp { + file-mime "image/x-ms-bmp", 50 + file-magic /BM.{12}[\x0c\x28\x40\x6c\x7c\x80]\x00/ +} + +signature file-ico { + file-magic /^\x00\x00\x01\x00/ + file-mime "image/x-icon", 70 +} + +signature file-cur { + file-magic /^\x00\x00\x02\x00/ + file-mime "image/x-cursor", 70 +} + +# >0 string,=8BPS (len=4), ["Adobe Photoshop Image"], swap_endian=0 +signature file-magic-auto289 { + file-mime "image/vnd.adobe.photoshop", 70 + file-magic /(8BPS)/ +} + +signature file-png { + file-mime "image/png", 110 + file-magic /^\x89PNG\x0d\x0a\x1a\x0a/ +} + +# JPEG 2000 +signature file-jp2 { + file-mime "image/jp2", 60 + file-magic /.{4}ftypjp2/ +} + +# JPEG 2000 +signature file-jp22 { + file-mime "image/jp2", 70 + file-magic /\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a.{8}jp2 / +} + +# JPEG 2000 +signature file-jpx { + file-mime "image/jpx", 70 + file-magic /\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a.{8}jpx / +} + +# JPEG 2000 +signature file-jpm { + file-mime "image/jpm", 70 + file-magic /\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a.{8}jpm / +} + +# >0 string,=Xcur (len=4), ["Xcursor data"], swap_endian=0 +signature file-magic-auto271 { + file-mime "image/x-xcursor", 70 + file-magic /(Xcur)/ +} + +# >0 string,=IIN1 (len=4), ["NIFF image data"], swap_endian=0 +signature file-magic-auto282 { + file-mime "image/x-niff", 70 + file-magic /(IIN1)/ +} + +# >0 lelong&,=20000630 (0x01312f76), ["OpenEXR image data,"], swap_endian=0 +signature file-magic-auto291 { + file-mime "image/x-exr", 70 + file-magic /(\x76\x2f\x31\x01)/ +} + +# >0 string,=SDPX (len=4), ["DPX image data, big-endian,"], swap_endian=0 +signature file-magic-auto292 { + 
file-mime "image/x-dpx", 70 + file-magic /(SDPX)/ +} + +# >0 string,=CPC\262 (len=4), ["Cartesian Perceptual Compression image"], swap_endian=0 +signature file-magic-auto294 { + file-mime "image/x-cpi", 70 + file-magic /(CPC\xb2)/ +} + + +signature file-orf { + file-mime "image/x-olympus-orf", 70 + file-magic /IIR[OS]|MMOR/ +} + +# >0 string,=FOVb (len=4), ["Foveon X3F raw image data"], swap_endian=0 +signature file-magic-auto298 { + file-mime "image/x-x3f", 70 + file-magic /(FOVb)/ +} + +# >0 string,=PDN3 (len=4), ["Paint.NET image data"], swap_endian=0 +signature file-magic-auto299 { + file-mime "image/x-paintnet", 70 + file-magic /(PDN3)/ +} + +# >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 +# >>8 string,=CDRA (len=4), [", Corel Draw Picture"], swap_endian=0 +signature file-magic-auto355 { + file-mime "image/x-coreldraw", 70 + file-magic /(RIFF)(.{4})(CDRA)/ +} + +# >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 +# >>8 string,=CDR6 (len=4), [", Corel Draw Picture, version 6"], swap_endian=0 +signature file-magic-auto356 { + file-mime "image/x-coreldraw", 70 + file-magic /(RIFF)(.{4})(CDR6)/ +} + +# >0 string,=P7 (len=2), ["Netpbm PAM image file"], swap_endian=0 +signature file-magic-auto484 { + file-mime "image/x-portable-pixmap", 50 + file-magic /(P7)/ +} + +# >4 string/W,=jP (len=2), ["JPEG 2000 image"], swap_endian=0 +signature file-magic-auto497 { + file-mime "image/jp2", 50 + file-magic /(.{4})(jP)/ +} + +# DjVU Images +signature file-djvu { + file-mime "image/vnd.djvu", 70 + file-magic /AT\x26TFORM.{4}(DJV[MUI]|THUM)/ +} + +# DWG AutoDesk AutoCAD +signature file-dwg { + file-mime "image/vnd.dwg", 90 + file-magic /^(AC[12]\.|AC10)/ +} + +# >0 string,=gimp xcf (len=8), ["GIMP XCF image data,"], swap_endian=0 +signature file-magic-auto115 { + file-mime "image/x-xcf", 110 + file-magic /(gimp xcf)/ +} + +# >0 string/t,=[BitmapInfo2] (len=13), ["Polar Monitor Bitmap text"], swap_endian=0 +signature 
file-magic-auto62 { + file-mime "image/x-polar-monitor-bitmap", 160 + file-magic /(\x5bBitmapInfo2\x5d)/ +} + +# >0 string,=AWBM (len=4), [""], swap_endian=0 +# >>4 leshort&,<1981 (0x07bd), ["Award BIOS bitmap"], swap_endian=0 +signature file-magic-auto208 { + file-mime "image/x-award-bmp", 20 + file-magic /(AWBM)(.{2})/ +} + +# >0 string,=\021\006 (len=2), ["Award BIOS Logo, 136 x 84"], swap_endian=0 +signature file-magic-auto483 { + file-mime "image/x-award-bioslogo", 50 + file-magic /^\x11[\x06\x09]/ +} diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig index 72ec40dff8..d18f6f01a6 100644 --- a/scripts/base/frameworks/files/magic/libmagic.sig +++ b/scripts/base/frameworks/files/magic/libmagic.sig 
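Review bot: The JPEG rule file-magic-auto427 keys on only two bytes, `(\xff\xd8)`, at priority 52, which is a weak signal for a type that commonly gates downstream handling; every JPEG segment marker begins with 0xFF, so `file-magic /(\xff\xd8\xff)/` costs nothing and removes a large share of false matches. The comment on file-magic-auto208 documents a `<1981` bound on the little-endian short at offset 4 that the regex `(AWBM)(.{2})` does not enforce, so either the comment should say the bound is dropped or the trailing group, which matches anything, should go. file-magic-auto497 (`(.{4})(jP)`, image/jp2 at 50) also fires on everything the more specific JPEG 2000 rules above it match; presumably priority ordering resolves that, but a one-line comment saying so would help the next reader.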
@@ -56,42 +56,18 @@ signature file-magic-auto11 { file-magic /(\x3cmap ?version\x3d\x22freeplane)/ } -# >0 string/wt,=#! /usr/local/bin/nawk (len=22), ["new awk script text executable"], swap_endian=0 -signature file-magic-auto12 { - file-mime "text/x-nawk", 250 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fnawk)/ -} - -# >0 string/wt,=#! /usr/local/bin/gawk (len=22), ["GNU awk script text executable"], swap_endian=0 -signature file-magic-auto13 { - file-mime "text/x-gawk", 250 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fgawk)/ -} - # >0 string,=# PaCkAgE DaTaStReAm (len=20), ["pkg Datastream (SVR4)"], swap_endian=0 signature file-magic-auto19 { file-mime "application/x-svr4-package", 230 file-magic /(\x23 PaCkAgE DaTaStReAm)/ } -# >0 string,=Creative Voice File (len=19), ["Creative Labs voice data"], swap_endian=0 -signature file-magic-auto20 { - file-mime "audio/x-unknown", 220 - file-magic /(Creative Voice File)/ -} - # >0 string/t,=[KDE Desktop Entry] (len=19), ["KDE desktop entry"], swap_endian=0 signature file-magic-auto21 { file-mime "application/x-kdelnk", 220 file-magic /(\x5bKDE Desktop Entry\x5d)/ } -# >0 string,=!\n__________E (len=19), ["MIPS archive"], swap_endian=0 -signature file-magic-auto23 { - file-mime "application/x-archive", 220 - file-magic /(\x21\x3carch\x3e\x0a\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5fE)/ -} - # >0 string/t,=# KDE Config File (len=17), ["KDE config file"], swap_endian=0 signature file-magic-auto26 { file-mime "application/x-kdelnk", 200 
@@ -111,18 +87,6 @@ signature file-magic-auto28 { file-magic /(riff\x2e\x91\xcf\x11\xa5\xd6\x28\xdb\x04\xc1\x00\x00)(.{8})(wave\xf3\xac\xd3\x11\x8c\xd1\x00\xc0O\x8e\xdb\x8a)/ } -# >0 string/wt,=#! /usr/bin/nawk (len=16), ["new awk script text executable"], swap_endian=0 -signature file-magic-auto29 { - file-mime "text/x-nawk", 190 - file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fnawk)/ -} - -# >0 string/wt,=#! /usr/bin/gawk (len=16), ["GNU awk script text executable"], swap_endian=0 -signature file-magic-auto31 { - file-mime "text/x-gawk", 190 - file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fgawk)/ -} - # >369 string,=MICROSOFT PIFEX\000 (len=16), ["Windows Program Information File"], swap_endian=0 signature file-magic-auto32 { file-mime "application/x-dosexec", 190 
@@ -147,23 +111,6 @@ signature file-magic-auto36 { file-magic /(Extended Module\x3a)/ } -# >0 string/t,=0 string/t,=0 string,=0 string/t,=>20 search/wc/1000,=0 string/t,=>15 string,>\000 (len=1), [""], swap_endian=0 -# >>>19 search/Wctb/4096,=0 string/t,=>15 string,>\000 (len=1), [""], swap_endian=0 -# >>>19 search/Wctb/4096,=0 string/t,=>15 string,>\000 (len=1), [""], swap_endian=0 # >>>19 search/4096,=0 string/t,=>15 string,>\000 (len=1), [""], swap_endian=0 -# >>>19 search/Wctb/4096,=0 string/c,=BEGIN:VCALENDAR (len=15), ["vCalendar calendar file"], swap_endian=0 signature file-magic-auto47 { file-mime "text/calendar", 180 file-magic /(BEGIN\x3aVCALENDAR)/ } -# >4 string,=Standard Jet DB (len=15), ["Microsoft Access Database"], swap_endian=0 -signature file-magic-auto48 { - file-mime "application/x-msaccess", 180 - file-magic /(.{4})(Standard Jet DB)/ -} - -# >4 string,=Standard ACE DB (len=15), ["Microsoft Access Database"], swap_endian=0 -signature file-magic-auto49 { - file-mime "application/x-msaccess", 180 - file-magic /(.{4})(Standard ACE DB)/ -} - # >0 string/w,=#VRML V2.0 utf8 (len=15), ["ISO/IEC 14772 VRML 97 file"], swap_endian=0 signature file-magic-auto50 { file-mime "model/vrml", 180 file-magic /(\x23VRML ?V2\x2e0 ?utf8)/ } -# >0 string/wt,=#! /usr/bin/awk (len=15), ["awk script text executable"], swap_endian=0 -signature file-magic-auto51 { - file-mime "text/x-awk", 180 - file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fawk)/ -} - # >0 string,=MAS_UTrack_V00 (len=14), [""], swap_endian=0 # >>14 string,>/0 (len=2), ["ultratracker V1.%.1s module sound data"], swap_endian=0 signature file-magic-auto53 { 
@@ -309,12 +214,6 @@ signature file-magic-auto61 { file-magic /(.{39})(\x3cgmr\x3aWorkbook)/ } -# >0 string/t,=[BitmapInfo2] (len=13), ["Polar Monitor Bitmap text"], swap_endian=0 -signature file-magic-auto62 { - file-mime "image/x-polar-monitor-bitmap", 160 - file-magic /(\x5bBitmapInfo2\x5d)/ -} - # >0 string,=SplineFontDB: (len=13), ["Spline Font Database "], swap_endian=0 signature file-magic-auto63 { file-mime "application/vnd.font-fontforge-sfd", 160 
@@ -333,33 +232,6 @@ signature file-magic-auto65 { file-magic /([rR][eE][tT][uU][rR][nN]\x2d[pP][aA][tT][hH]\x3a)/ } -# >0 string,=\000\000\000\fjP \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0 -# >>20 string,=jp2 (len=4), ["Part 1 (JP2)"], swap_endian=0 -signature file-magic-auto66 { - file-mime "image/jp2", 70 - file-magic /(\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a)(.{8})(jp2 )/ -} - -# >0 string,=\000\000\000\fjP \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0 -# >>20 string,=jpx (len=4), ["Part 2 (JPX)"], swap_endian=0 -signature file-magic-auto67 { - file-mime "image/jpx", 70 - file-magic /(\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a)(.{8})(jpx )/ -} - -# >0 string,=\000\000\000\fjP \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0 -# >>20 string,=jpm (len=4), ["Part 6 (JPM)"], swap_endian=0 -signature file-magic-auto68 { - file-mime "image/jpm", 70 - file-magic /(\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a)(.{8})(jpm )/ -} - -# >0 string,=\000\000\000\fjP \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0 -# >>20 string,=mjp2 (len=4), ["Part 3 (MJ2)"], swap_endian=0 -signature file-magic-auto69 { - file-mime "video/mj2", 70 - file-magic /(\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a)(.{8})(mjp2)/ -} # >0 string/w,=0 string/wt,=#! /bin/nawk (len=12), ["new awk script text executable"], swap_endian=0 -signature file-magic-auto72 { - file-mime "text/x-nawk", 150 - file-magic /(\x23\x21 ?\x2fbin\x2fnawk)/ -} - -# >0 string/wt,=#! /bin/gawk (len=12), ["GNU awk script text executable"], swap_endian=0 -signature file-magic-auto73 { - file-mime "text/x-gawk", 150 - file-magic /(\x23\x21 ?\x2fbin\x2fgawk)/ -} - -# >0 string/wt,=#! /bin/awk (len=11), ["awk script text executable"], swap_endian=0 -signature file-magic-auto75 { - file-mime "text/x-awk", 140 - file-magic /(\x23\x21 ?\x2fbin\x2fawk)/ -} - # >0 string,=filedesc:// (len=11), ["Internet Archive File"], swap_endian=0 signature file-magic-auto76 { file-mime "application/x-ia-arc", 140 
@@ -447,12 +301,6 @@ signature file-magic-auto88 { file-magic /(.*)(\x2d\x2d\x2d )(.*)(\x0a)(.*)(\x2b\x2b\x2b )(.*)(\x0a)(.*)(\x40\x40)/ } -# >0 string/t,=Received: (len=9), ["RFC 822 mail text"], swap_endian=0 -signature file-magic-auto89 { - file-mime "message/rfc822", 120 - file-magic /(Received\x3a)/ -} - # >0 string,=0 string,=AT&TFORM (len=8), [""], swap_endian=0 -# >>12 string,=DJVM (len=4), ["DjVu multiple page document"], swap_endian=0 -signature file-magic-auto95 { - file-mime "image/vnd.djvu", 70 - file-magic /(AT\x26TFORM)(.{4})(DJVM)/ -} - -# >0 string,=AT&TFORM (len=8), [""], swap_endian=0 -# >>12 string,=DJVU (len=4), ["DjVu image or single page document"], swap_endian=0 -signature file-magic-auto96 { - file-mime "image/vnd.djvu", 70 - file-magic /(AT\x26TFORM)(.{4})(DJVU)/ -} - -# >0 string,=AT&TFORM (len=8), [""], swap_endian=0 -# >>12 string,=DJVI (len=4), ["DjVu shared document"], swap_endian=0 -signature file-magic-auto97 { - file-mime "image/vnd.djvu", 70 - file-magic /(AT\x26TFORM)(.{4})(DJVI)/ -} - -# >0 string,=AT&TFORM (len=8), [""], swap_endian=0 -# >>12 string,=THUM (len=4), ["DjVu page thumbnails"], swap_endian=0 -signature file-magic-auto98 { - file-mime "image/vnd.djvu", 70 - file-magic /(AT\x26TFORM)(.{4})(THUM)/ -} - # >0 string/t,=#! rnews (len=8), ["batched news text"], swap_endian=0 signature file-magic-auto99 { file-mime "message/rfc822", 110 file-magic /(\x23\x21 rnews)/ } -# >0 string/b,=MSCF\000\000\000\000 (len=8), ["Microsoft Cabinet archive data"], swap_endian=0 -signature file-magic-auto100 { - file-mime "application/vnd.ms-cab-compressed", 110 - file-magic /(MSCF\x00\x00\x00\x00)/ -} - # >21 string/c,=!SCREAM! (len=8), ["Screamtracker 2 module sound data"], swap_endian=0 signature file-magic-auto102 { file-mime "audio/x-mod", 110 
@@ -573,12 +387,6 @@ signature file-magic-auto109 { file-magic /(\x89HDF\x0d\x0a\x1a\x0a)/ } -# >0 string,=\211PNG\r\n\032\n (len=8), ["PNG image data"], swap_endian=0 -signature file-magic-auto110 { - file-mime "image/png", 110 - file-magic /(\x89PNG\x0d\x0a\x1a\x0a)/ -} - # >36 string,=acspSUNW (len=8), ["Sun KCMS ICC Profile"], swap_endian=0 signature file-magic-auto111 { file-mime "application/vnd.iccprofile", 110 @@ -603,36 +411,18 @@ signature file-magic-auto114 { file-magic /(.{36})(acspAPPL)/ } -# >0 string,=gimp xcf (len=8), ["GIMP XCF image data,"], swap_endian=0 -signature file-magic-auto115 { - file-mime "image/x-xcf", 110 - file-magic /(gimp xcf)/ -} - # >512 string,=R\000o\000o\000t\000 (len=8), ["Hangul (Korean) Word Processor File 2000"], swap_endian=0 signature file-magic-auto116 { file-mime "application/x-hwp", 110 file-magic /(.{512})(R\x00o\x00o\x00t\x00)/ } -# >257 string,=ustar \000 (len=8), ["GNU tar archive"], swap_endian=0 -#signature file-magic-auto117 { -# file-mime "application/x-tar", 110 -# file-magic /(.{257})(ustar \x00)/ -#} - # >0 string,=0 string,=PK\a\bPK\003\004 (len=8), ["Zip multi-volume archive data, at least PKZIP v2.50 to extract"], swap_endian=0 -signature file-magic-auto119 { - file-mime "application/zip", 110 - file-magic /(PK\x07\x08PK\x03\x04)/ -} - # >0 string/b,=WordPro\000 (len=8), ["Lotus WordPro"], swap_endian=0 signature file-magic-auto121 { file-mime "application/vnd.lotus-wordpro", 110 @@ -645,12 +435,6 @@ signature file-magic-auto122 { file-magic /(Article)/ } -# >0 string,=\037\213 (len=2), ["gzip compressed data"], swap_endian=0 -signature file-magic-auto123 { - file-mime "application/x-gzip", 100 - file-magic /(\x1f\x8b)/ -} - # >0 string/t,=Pipe to (len=7), ["mail piping text"], swap_endian=0 signature file-magic-auto124 { file-mime "message/rfc822", 100 
@@ -663,18 +447,6 @@ signature file-magic-auto125 { file-magic /(\x2eRMF\x00\x00\x00)/ } -# >0 string,=StuffIt (len=7), ["StuffIt Archive"], swap_endian=0 -signature file-magic-auto126 { - file-mime "application/x-stuffit", 100 - file-magic /(StuffIt)/ -} - -# >0 string,=! (len=7), ["current ar archive"], swap_endian=0 -signature file-magic-auto127 { - file-mime "application/x-archive", 100 - file-magic /(\x21\x3carch\x3e)/ -} - # >0 string,=P5 (len=2), [""], swap_endian=0 # >>3 regex,=[0-9]{1,50} (len=12), [", size = %sx"], swap_endian=0 # >>>3 regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0 
@@ -699,151 +471,12 @@ signature file-magic-auto130 { file-magic /(P4)(.{1})([0-9]{1,50} )( [0-9]{1,50})/ } -# >257 string,=ustar\000 (len=6), ["POSIX tar archive"], swap_endian=0 -#signature file-magic-auto131 { -# file-mime "application/x-tar", 90 -# file-magic /(.{257})(ustar\x00)/ -#} - -# >0 string,=AC1.40 (len=6), ["DWG AutoDesk AutoCAD Release 1.40"], swap_endian=0 -signature file-magic-auto132 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1\x2e40)/ -} - -# >0 string,=AC1.50 (len=6), ["DWG AutoDesk AutoCAD Release 2.05"], swap_endian=0 -signature file-magic-auto133 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1\x2e50)/ -} - -# >0 string,=AC2.10 (len=6), ["DWG AutoDesk AutoCAD Release 2.10"], swap_endian=0 -signature file-magic-auto134 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC2\x2e10)/ -} - -# >0 string,=AC2.21 (len=6), ["DWG AutoDesk AutoCAD Release 2.21"], swap_endian=0 -signature file-magic-auto135 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC2\x2e21)/ -} - -# >0 string,=AC2.22 (len=6), ["DWG AutoDesk AutoCAD Release 2.22"], swap_endian=0 -signature file-magic-auto136 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC2\x2e22)/ -} - -# >0 string,=AC1001 (len=6), ["DWG AutoDesk AutoCAD Release 2.22"], swap_endian=0 -signature file-magic-auto137 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1001)/ -} - -# >0 string,=AC1002 (len=6), ["DWG AutoDesk AutoCAD Release 2.50"], swap_endian=0 -signature file-magic-auto138 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1002)/ -} - -# >0 string,=AC1003 (len=6), ["DWG AutoDesk AutoCAD Release 2.60"], swap_endian=0 -signature file-magic-auto139 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1003)/ -} - -# >0 string,=AC1004 (len=6), ["DWG AutoDesk AutoCAD Release 9"], swap_endian=0 -signature file-magic-auto140 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1004)/ -} - -# >0 string,=AC1006 (len=6), ["DWG AutoDesk AutoCAD Release 10"], swap_endian=0 -signature file-magic-auto141 
{ - file-mime "image/vnd.dwg", 90 - file-magic /(AC1006)/ -} - -# >0 string,=AC1009 (len=6), ["DWG AutoDesk AutoCAD Release 11/12"], swap_endian=0 -signature file-magic-auto142 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1009)/ -} - -# >0 string,=AC1012 (len=6), ["DWG AutoDesk AutoCAD Release 13"], swap_endian=0 -signature file-magic-auto143 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1012)/ -} - -# >0 string,=AC1014 (len=6), ["DWG AutoDesk AutoCAD Release 14"], swap_endian=0 -signature file-magic-auto144 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1014)/ -} - -# >0 string,=AC1015 (len=6), ["DWG AutoDesk AutoCAD 2000/2002"], swap_endian=0 -signature file-magic-auto145 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1015)/ -} - -# >0 string,=AC1018 (len=6), ["DWG AutoDesk AutoCAD 2004/2005/2006"], swap_endian=0 -signature file-magic-auto146 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1018)/ -} - -# >0 string,=AC1021 (len=6), ["DWG AutoDesk AutoCAD 2007/2008/2009"], swap_endian=0 -signature file-magic-auto147 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1021)/ -} - -# >0 string,=AC1024 (len=6), ["DWG AutoDesk AutoCAD 2010/2011/2012"], swap_endian=0 -signature file-magic-auto148 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1024)/ -} - -# >0 string,=AC1027 (len=6), ["DWG AutoDesk AutoCAD 2013/2014"], swap_endian=0 -signature file-magic-auto149 { - file-mime "image/vnd.dwg", 90 - file-magic /(AC1027)/ -} - -# >0 string,=7z\274\257'\034 (len=6), ["7-zip archive data,"], swap_endian=0 -# >>7 byte&,x, [".%d"], swap_endian=0 -signature file-magic-auto150 { - file-mime "application/x-7z-compressed", 1 - file-magic /(7z\xbc\xaf\x27\x1c)(.{1})(.{1})/ -} - -# >0 ustring,=\3757zXZ\000 (len=6), ["XZ compressed data"], swap_endian=0 -signature file-magic-auto151 { - file-mime "application/x-xz", 90 - file-magic /(\xfd7zXZ\x00)/ -} - # >0 string,=0 string,=GIF94z (len=6), ["ZIF image (GIF+deflate alpha)"], swap_endian=0 -signature 
file-magic-auto153 { - file-mime "image/x-unknown", 90 - file-magic /(GIF94z)/ -} - -# >0 string,=FGF95a (len=6), ["FGF image (GIF+deflate beta)"], swap_endian=0 -signature file-magic-auto154 { - file-mime "image/x-unknown", 90 - file-magic /(FGF95a)/ -} - # >0 string/t,=# xmcd (len=6), ["xmcd database file for kscd"], swap_endian=0 signature file-magic-auto155 { file-mime "text/x-xmcd", 90 
@@ -968,81 +601,6 @@ signature file-magic-auto174 { file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXO)/ } -# Doubt it's going to be common to have this many bytes buffered. -# >37633 string,=CD001 (len=5), ["ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)"], swap_endian=0 -#signature file-magic-auto175 { -# file-mime "application/x-iso9660-image", 80 -# file-magic /(.{37633})(CD001)/ -#} - -# >2 string,=-lhd- (len=5), ["LHa 2.x? archive data [lhd]"], swap_endian=0 -signature file-magic-auto176 { - file-mime "application/x-lha", 80 - file-magic /(.{2})(\x2dlhd\x2d)/ -} - -# >0 string,=WARC/ (len=5), ["WARC Archive"], swap_endian=0 -# >>5 string,x, ["version %.4s"], swap_endian=0 -signature file-magic-auto177 { - file-mime "application/warc", 1 - file-magic /(WARC\x2f)(.{0})/ -} - -# >0 string,=AC1.3 (len=5), ["DWG AutoDesk AutoCAD Release 1.3"], swap_endian=0 -signature file-magic-auto178 { - file-mime "image/vnd.dwg", 80 - file-magic /(AC1\x2e3)/ -} - -# >2 string,=-lh - (len=5), ["LHa 2.x? archive data [lh ]"], swap_endian=0 -signature file-magic-auto179 { - file-mime "application/x-lha", 80 - file-magic /(.{2})(\x2dlh \x2d)/ -} - -# >0 string,=AC1.2 (len=5), ["DWG AutoDesk AutoCAD Release 1.2"], swap_endian=0 -signature file-magic-auto180 { - file-mime "image/vnd.dwg", 80 - file-magic /(AC1\x2e2)/ -} - -# >0 string,=MC0.0 (len=5), ["DWG AutoDesk AutoCAD Release 1.0"], swap_endian=0 -signature file-magic-auto181 { - file-mime "image/vnd.dwg", 80 - file-magic /(MC0\x2e0)/ -} - -# >2 string,=-lzs- (len=5), ["LHa/LZS archive data [lzs]"], swap_endian=0 -signature file-magic-auto182 { - file-mime "application/x-lha", 80 - file-magic /(.{2})(\x2dlzs\x2d)/ -} - -# >2 string,=-lz5- (len=5), ["LHarc 1.x archive data [lz5]"], swap_endian=0 -signature file-magic-auto183 { - file-mime "application/x-lharc", 80 - file-magic /(.{2})(\x2dlz5\x2d)/ -} - -# Doubt it's going to be common to have this many bytes buffered. 
-# >32769 string,=CD001 (len=5), ["#"], swap_endian=0 -#signature file-magic-auto184 { -# file-mime "application/x-iso9660-image", 80 -# file-magic /(.{32769})(CD001)/ -#} - -# >2 string,=-lh3- (len=5), ["LHa 2.x? archive data [lh3]"], swap_endian=0 -signature file-magic-auto185 { - file-mime "application/x-lha", 80 - file-magic /(.{2})(\x2dlh3\x2d)/ -} - -# >2 string,=-lh2- (len=5), ["LHa 2.x? archive data [lh2]"], swap_endian=0 -signature file-magic-auto186 { - file-mime "application/x-lha", 80 - file-magic /(.{2})(\x2dlh2\x2d)/ -} - # >0 string,=\000\001\000\000\000 (len=5), ["TrueType font data"], swap_endian=0 signature file-magic-auto187 { file-mime "application/x-font-ttf", 80 
@@ -1073,66 +631,18 @@ signature file-magic-auto194 { file-magic /(From\x3a)/ } -# >2 string,=-lh7- (len=5), ["LHa (2.x)/LHark archive data [lh7]"], swap_endian=0 -signature file-magic-auto195 { - file-mime "application/x-lha", 80 - file-magic /(.{2})(\x2dlh7\x2d)/ -} - # >0 string,={\rtf (len=5), ["Rich Text Format data,"], swap_endian=0 signature file-magic-auto196 { file-mime "text/rtf", 80 file-magic /(\x7b\x5crtf)/ } -# >2 string,=-lh6- (len=5), ["LHa (2.x) archive data [lh6]"], swap_endian=0 -signature file-magic-auto197 { - file-mime "application/x-lha", 80 - file-magic /(.{2})(\x2dlh6\x2d)/ -} - -# >2 string,=-lh5- (len=5), ["LHa (2.x) archive data [lh5]"], swap_endian=0 -signature file-magic-auto198 { - file-mime "application/x-lha", 80 - file-magic /(.{2})(\x2dlh5\x2d)/ -} - -# >2 string,=-lh4- (len=5), ["LHa (2.x) archive data [lh4]"], swap_endian=0 -signature file-magic-auto199 { - file-mime "application/x-lha", 80 - file-magic /(.{2})(\x2dlh4\x2d)/ -} - -# >2 string,=-lz4- (len=5), ["LHarc 1.x archive data [lz4]"], swap_endian=0 -signature file-magic-auto200 { - file-mime "application/x-lharc", 80 - file-magic /(.{2})(\x2dlz4\x2d)/ -} - -# >2 string,=-lh1- (len=5), ["LHarc 1.x/ARX archive data [lh1]"], swap_endian=0 -signature file-magic-auto201 { - file-mime "application/x-lharc", 80 - file-magic /(.{2})(\x2dlh1\x2d)/ -} - -# >2 string,=-lh0- (len=5), ["LHarc 1.x/ARX archive data [lh0]"], swap_endian=0 -signature file-magic-auto202 { - file-mime "application/x-lharc", 80 - file-magic /(.{2})(\x2dlh0\x2d)/ -} - # >0 string,=%FDF- (len=5), ["FDF document"], swap_endian=0 signature file-magic-auto203 { file-mime "application/vnd.fdf", 80 file-magic /(\x25FDF\x2d)/ } -# >0 belong&,=443 (0x000001bb), [""], swap_endian=0 -signature file-magic-auto204 { - file-mime "video/mpeg", 71 - file-magic /(\x00\x00\x01\xbb)/ -} - # The non-sequential offsets and use of bitmask and relational operators # made this difficult to autogenerate. 
Can see about manually creating # the correct character class later. 
@@ -1145,31 +655,6 @@ signature file-magic-auto204 { # file-magic /(.{4})(.*)([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05])(.*)([\x00\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\
xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ #} -# >0 belong&,=432 (0x000001b0), [""], swap_endian=0 -signature file-magic-auto206 { - file-mime "video/mp4v-es", 71 - file-magic /(\x00\x00\x01\xb0)/ -} - -# >0 belong&,=437 (0x000001b5), [""], swap_endian=0 -signature file-magic-auto207 { - file-mime "video/mp4v-es", 71 - file-magic /(\x00\x00\x01\xb5)/ -} - -# >0 string,=AWBM (len=4), [""], swap_endian=0 -# >>4 leshort&,<1981 (0x07bd), ["Award BIOS bitmap"], swap_endian=0 -signature file-magic-auto208 { - file-mime "image/x-award-bmp", 20 - file-magic /(AWBM)(.{2})/ -} - -# >0 belong&,=435 (0x000001b3), [""], swap_endian=0 -signature file-magic-auto209 { - file-mime "video/mpv", 71 - file-magic /(\x00\x00\x01\xb3)/ -} - # Converting bitmask to character class might make the regex # unfriendly to humans. # >0 belong&ffffffffff5fff10,=1195376656 (0x47400010), [""], swap_endian=0 
@@ -1178,40 +663,6 @@ signature file-magic-auto209 { # file-magic /(.{4})/ #} -# >0 belong&,=1 (0x00000001), [""], swap_endian=0 -# >>4 byte&0000001f,=0x07, [""], swap_endian=0 -signature file-magic-auto211 { - file-mime "video/h264", 41 - file-magic /(\x00\x00\x00\x01)([\x07\x27\x47\x67\x87\xa7\xc7\xe7])/ -} - -# >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 -# >>3 byte&,=0xba, ["MPEG sequence"], swap_endian=0 -signature file-magic-auto213 { - file-mime "video/mpeg", 40 - file-magic /(\x00\x00\x01\xba)/ -} - -# >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 -# >>3 byte&,=0xb0, ["MPEG sequence, v4"], swap_endian=0 -signature file-magic-auto214 { - file-mime "video/mpeg4-generic", 40 - file-magic /(\x00\x00\x01\xb0)/ -} - -# >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 -# >>3 byte&,=0xb5, ["MPEG sequence, v4"], swap_endian=0 -signature file-magic-auto215 { - file-mime "video/mpeg4-generic", 40 - file-magic /(\x00\x00\x01\xb5)/ -} - -# >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 -# >>3 byte&,=0xb3, ["MPEG sequence"], swap_endian=0 -signature file-magic-auto216 { - file-mime "video/mpeg", 40 - file-magic /(\x00\x00\x01\xb3)/ -} # >0 lelong&,=4 (0x00000004), [""], swap_endian=0 # >>104 lelong&,=4 (0x00000004), ["X11 SNF font data, LSB first"], swap_endian=0 @@ -1220,12 +671,6 @@ signature file-magic-auto217 { file-magic /(\x04\x00\x00\x00)(.{100})(\x04\x00\x00\x00)/ } -# >0 lelong&00ffffff,=93 (0x0000005d), [""], swap_endian=0 -signature file-magic-auto218 { - file-mime "application/x-lzma", 71 - file-magic /(\x5d\x00\x00.)/ -} - # This didn't auto-generate correctly due to non-sequential offsets and # use of bitwise/relational comparisons. At a glance: may not be # that common/useful, leaving for later. 
@@ -1285,22 +730,6 @@ signature file-magic-auto223 { file-magic /(\x3bELC)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ } -# >0 belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0 -# >>4 search/4096,=B\202 (len=2), [""], swap_endian=0 -# >>>&1 string,=webm (len=4), ["WebM"], swap_endian=0 -signature file-magic-auto224 { - file-mime "video/webm", 70 - file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(webm)/ -} - -# >0 belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0 -# >>4 search/4096,=B\202 (len=2), [""], swap_endian=0 -# >>>&1 string,=matroska (len=8), ["Matroska data"], swap_endian=0 -signature file-magic-auto225 { - file-mime "video/x-matroska", 110 - file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(matroska)/ -} - # >0 string,=PK\003\004 (len=4), [""], swap_endian=0 # >>4 byte&,=0x14, [""], swap_endian=0 # >>>30 string,=doc.kml (len=7), ["Compressed Google KML Document, including resources."], swap_endian=0 
@@ -1502,37 +931,6 @@ signature file-magic-auto245 { file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(epub\x2bzip)/ } -# >0 belong&,=442 (0x000001ba), [""], swap_endian=0 -# >>4 byte&,&0x40, [""], swap_endian=0 -signature file-magic-auto250 { - file-mime "video/mp2p", 21 - file-magic /(\x00\x00\x01\xba)([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ -} - -# >0 belong&,=442 (0x000001ba), [""], swap_endian=0 -# >>4 byte&,^0x40, [""], swap_endian=0 -signature file-magic-auto251 { - file-mime "video/mpeg", 21 - file-magic /(\x00\x00\x01\xba)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/ -} - -# >0 string,=MOVI (len=4), ["Silicon Graphics movie file"], swap_endian=0 -signature file-magic-auto252 { - file-mime "video/x-sgi-movie", 70 - file-magic /(MOVI)/ -} - -# >4 string,=moov (len=4), ["Apple QuickTime"], swap_endian=0 -signature file-magic-auto253 { - file-mime "video/quicktime", 70 - file-magic /(.{4})(moov)/ -} - -# >4 string,=mdat (len=4), ["Apple QuickTime movie (unoptimized)"], swap_endian=0 -signature 
file-magic-auto254 { - file-mime "video/quicktime", 70 - file-magic /(.{4})(mdat)/ -} # >4 string,=idsc (len=4), ["Apple QuickTime image (fast start)"], swap_endian=0 signature file-magic-auto255 { 
@@ -1546,82 +944,6 @@ signature file-magic-auto256 { file-magic /(.{4})(pckg)/ } -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=isom (len=4), [", MPEG v4 system, version 1"], swap_endian=0 -signature file-magic-auto257 { - file-mime "video/mp4", 70 - file-magic /(.{4})(ftyp)(isom)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=mp41 (len=4), [", MPEG v4 system, version 1"], swap_endian=0 -signature file-magic-auto258 { - file-mime "video/mp4", 70 - file-magic /(.{4})(ftyp)(mp41)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=mp42 (len=4), [", MPEG v4 system, version 2"], swap_endian=0 -signature file-magic-auto259 { - file-mime "video/mp4", 70 - file-magic /(.{4})(ftyp)(mp42)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string/W,=jp2 (len=3), [", JPEG 2000"], swap_endian=0 -signature file-magic-auto260 { - file-mime "image/jp2", 60 - file-magic /(.{4})(ftyp)(jp2)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=3ge (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0 -signature file-magic-auto261 { - file-mime "video/3gpp", 60 - file-magic /(.{4})(ftyp)(3ge)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=3gg (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0 -signature file-magic-auto262 { - file-mime "video/3gpp", 60 - file-magic /(.{4})(ftyp)(3gg)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=3gp (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0 -signature file-magic-auto263 { - file-mime "video/3gpp", 60 - file-magic /(.{4})(ftyp)(3gp)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=3gs (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0 -signature file-magic-auto264 { - file-mime "video/3gpp", 60 - file-magic /(.{4})(ftyp)(3gs)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=3g2 (len=3), [", MPEG v4 
system, 3GPP2"], swap_endian=0 -signature file-magic-auto265 { - file-mime "video/3gpp2", 60 - file-magic /(.{4})(ftyp)(3g2)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=mmp4 (len=4), [", MPEG v4 system, 3GPP Mobile"], swap_endian=0 -signature file-magic-auto266 { - file-mime "video/mp4", 70 - file-magic /(.{4})(ftyp)(mmp4)/ -} - -# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 -# >>8 string,=avc1 (len=4), [", MPEG v4 system, 3GPP JVT AVC"], swap_endian=0 -signature file-magic-auto267 { - file-mime "video/3gpp", 70 - file-magic /(.{4})(ftyp)(avc1)/ -} # >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 # >>8 string/W,=M4A (len=3), [", MPEG v4 system, iTunes AAC-LC"], swap_endian=0 @@ -1644,12 +966,6 @@ signature file-magic-auto270 { file-magic /(.{4})(ftyp)(qt)/ } -# >0 string,=Xcur (len=4), ["Xcursor data"], swap_endian=0 -signature file-magic-auto271 { - file-mime "image/x-xcursor", 70 - file-magic /(Xcur)/ -} - # >0 string,=ADIF (len=4), ["MPEG ADIF, AAC"], swap_endian=0 signature file-magic-auto272 { file-mime "audio/x-hx-aac-adif", 70 @@ -1662,17 +978,6 @@ signature file-magic-auto273 { file-magic /(\x30\x26\xb2\x75)/ } -# >0 string,=\212MNG (len=4), ["MNG video data,"], swap_endian=0 -signature file-magic-auto274 { - file-mime "video/x-mng", 70 - file-magic /(\x8aMNG)/ -} - -# >0 string,=\213JNG (len=4), ["JNG video data,"], swap_endian=0 -signature file-magic-auto275 { - file-mime "video/x-jng", 70 - file-magic /(\x8bJNG)/ -} # >0 string,=MAC (len=4), ["Monkey's Audio compressed format"], swap_endian=0 signature file-magic-auto276 { 
@@ -1713,114 +1018,24 @@ signature file-magic-auto281 { file-magic /(fLaC)/ } -# >0 string,=IIN1 (len=4), ["NIFF image data"], swap_endian=0 -signature file-magic-auto282 { - file-mime "image/x-niff", 70 - file-magic /(IIN1)/ -} - -# >0 string,=MM\000* (len=4), ["TIFF image data, big-endian"], swap_endian=0 -signature file-magic-auto283 { - file-mime "image/tiff", 70 - file-magic /(MM\x00\x2a)/ -} - -# >0 string,=II*\000 (len=4), ["TIFF image data, little-endian"], swap_endian=0 -signature file-magic-auto284 { - file-mime "image/tiff", 70 - file-magic /(II\x2a\x00)/ -} - -# >0 string,=MM\000+ (len=4), ["Big TIFF image data, big-endian"], swap_endian=0 -signature file-magic-auto285 { - file-mime "image/tiff", 70 - file-magic /(MM\x00\x2b)/ -} - -# >0 string,=II+\000 (len=4), ["Big TIFF image data, little-endian"], swap_endian=0 -signature file-magic-auto286 { - file-mime "image/tiff", 70 - file-magic /(II\x2b\x00)/ -} - -# >0 string,=GIF8 (len=4), ["GIF image data"], swap_endian=0 -signature file-magic-auto287 { - file-mime "image/gif", 70 - file-magic /(GIF8)/ -} - # >128 string,=DICM (len=4), ["DICOM medical imaging data"], swap_endian=0 signature file-magic-auto288 { file-mime "application/dicom", 70 file-magic /(.{128})(DICM)/ } -# >0 string,=8BPS (len=4), ["Adobe Photoshop Image"], swap_endian=0 -signature file-magic-auto289 { - file-mime "image/vnd.adobe.photoshop", 70 - file-magic /(8BPS)/ -} - # >0 string,=IMPM (len=4), ["Impulse Tracker module sound data -"], swap_endian=0 signature file-magic-auto290 { file-mime "audio/x-mod", 70 file-magic /(IMPM)/ } -# >0 lelong&,=20000630 (0x01312f76), ["OpenEXR image data,"], swap_endian=0 -signature file-magic-auto291 { - file-mime "image/x-exr", 70 - file-magic /(\x76\x2f\x31\x01)/ -} - -# >0 string,=SDPX (len=4), ["DPX image data, big-endian,"], swap_endian=0 -signature file-magic-auto292 { - file-mime "image/x-dpx", 70 - file-magic /(SDPX)/ -} - # >0 belong&,=235082497 (0x0e031301), ["Hierarchical Data Format 
(version 4) data"], swap_endian=0 signature file-magic-auto293 { file-mime "application/x-hdf", 70 file-magic /(\x0e\x03\x13\x01)/ } -# >0 string,=CPC\262 (len=4), ["Cartesian Perceptual Compression image"], swap_endian=0 -signature file-magic-auto294 { - file-mime "image/x-cpi", 70 - file-magic /(CPC\xb2)/ -} - -# >0 string,=MMOR (len=4), ["Olympus ORF raw image data, big-endian"], swap_endian=0 -signature file-magic-auto295 { - file-mime "image/x-olympus-orf", 70 - file-magic /(MMOR)/ -} - -# >0 string,=IIRO (len=4), ["Olympus ORF raw image data, little-endian"], swap_endian=0 -signature file-magic-auto296 { - file-mime "image/x-olympus-orf", 70 - file-magic /(IIRO)/ -} - -# >0 string,=IIRS (len=4), ["Olympus ORF raw image data, little-endian"], swap_endian=0 -signature file-magic-auto297 { - file-mime "image/x-olympus-orf", 70 - file-magic /(IIRS)/ -} - -# >0 string,=FOVb (len=4), ["Foveon X3F raw image data"], swap_endian=0 -signature file-magic-auto298 { - file-mime "image/x-x3f", 70 - file-magic /(FOVb)/ -} - -# >0 string,=PDN3 (len=4), ["Paint.NET image data"], swap_endian=0 -signature file-magic-auto299 { - file-mime "image/x-paintnet", 70 - file-magic /(PDN3)/ -} - # >0 belong&,=-17957139 (0xfeedfeed), ["Java KeyStore"], swap_endian=0 signature file-magic-auto302 { file-mime "application/x-java-keystore", 70 @@ -1911,12 +1126,6 @@ signature file-magic-auto316 { file-magic /(\x2e\x72\x61\xfd)/ } -# >0 string,=CTMF (len=4), ["Creative Music (CMF) data"], swap_endian=0 -signature file-magic-auto317 { - file-mime "audio/x-unknown", 70 - file-magic /(CTMF)/ -} - # >0 string,=MThd (len=4), ["Standard MIDI data"], swap_endian=0 signature file-magic-auto318 { file-mime "audio/midi", 70 
@@ -2035,36 +1244,6 @@ signature file-magic-auto334 { file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x17)/ } -# >0 string,=SIT! (len=4), ["StuffIt Archive (data)"], swap_endian=0 -signature file-magic-auto335 { - file-mime "application/x-stuffit", 70 - file-magic /(SIT\x21)/ -} - -# >0 string,= (len=4), ["System V Release 1 ar archive"], swap_endian=0 -signature file-magic-auto337 { - file-mime "application/x-archive", 70 - file-magic /(\x3car\x3e)/ -} - -# >0 lelong&ffffffff8080ffff,=2074 (0x0000081a), ["ARC archive data, dynamic LZW"], swap_endian=0 -signature file-magic-auto338 { - file-mime "application/x-arc", 70 - file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x08\x1a)/ -} - -# >0 lelong&ffffffff8080ffff,=2330 (0x0000091a), ["ARC archive data, squashed"], swap_endian=0 -signature file-magic-auto339 { - file-mime "application/x-arc", 70 - file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x09\x1a)/ -} - -# >0 lelong&ffffffff8080ffff,=538 (0x0000021a), ["ARC archive data, uncompressed"], swap_endian=0 -signature 
file-magic-auto340 { - file-mime "application/x-arc", 70 - file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x02\x1a)/ -} - # >0 lelong&,=270539386 (0x10201a7a), ["Symbian installation file (Symbian OS 9.x)"], swap_endian=0 signature file-magic-auto341 { file-mime "x-epoc/x-sisx-app", 70 
@@ -2077,72 +1256,6 @@ signature file-magic-auto342 { file-magic /(.{8})(\x19\x04\x00\x10)/ } -# >0 lelong&ffffffff8080ffff,=794 (0x0000031a), ["ARC archive data, packed"], swap_endian=0 -signature file-magic-auto343 { - file-mime "application/x-arc", 70 - file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x03\x1a)/ -} - -# >0 belong&,=518520576 (0x1ee7ff00), ["EET archive"], swap_endian=0 -signature file-magic-auto344 { - file-mime "application/x-eet", 70 - file-magic /(\x1e\xe7\xff\x00)/ -} - -# >0 lelong&ffffffff8080ffff,=1050 (0x0000041a), ["ARC archive data, squeezed"], swap_endian=0 -signature file-magic-auto345 { - file-mime "application/x-arc", 70 - file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x04\x1a)/ -} - -# >0 lelong&ffffffff8080ffff,=1562 (0x0000061a), ["ARC archive data, crunched"], swap_endian=0 -signature file-magic-auto346 { - file-mime "application/x-arc", 70 - file-magic 
/([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x06\x1a)/ -} - -# >0 lelong&ffffffff8080ffff,=2586 (0x00000a1a), ["PAK archive data"], swap_endian=0 -signature file-magic-auto347 { - file-mime "application/x-arc", 70 - file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x0a\x1a)/ -} - -# >0 lelong&ffffffff8080ffff,=5146 (0x0000141a), ["ARC+ archive data"], swap_endian=0 -signature file-magic-auto348 { - file-mime "application/x-arc", 70 - file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x14\x1a)/ -} - -# >20 lelong&,=-37443620 (0xfdc4a7dc), ["Zoo archive 
data"], swap_endian=0 -signature file-magic-auto349 { - file-mime "application/x-zoo", 70 - file-magic /(.{20})(\xdc\xa7\xc4\xfd)/ -} - -# >0 string,=Rar! (len=4), ["RAR archive data,"], swap_endian=0 -signature file-magic-auto350 { - file-mime "application/x-rar", 70 - file-magic /(Rar\x21)/ -} - -# >0 lelong&ffffffff8080ffff,=18458 (0x0000481a), ["HYP archive data"], swap_endian=0 -signature file-magic-auto351 { - file-mime "application/x-arc", 70 - file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x48\x1a)/ -} - -# >0 string,=drpm (len=4), ["Delta RPM"], swap_endian=0 -signature file-magic-auto352 { - file-mime "application/x-rpm", 70 - file-magic /(drpm)/ -} - -# >0 belong&,=-307499301 (0xedabeedb), ["RPM"], swap_endian=0 -signature file-magic-auto353 { - file-mime "application/x-rpm", 70 - file-magic /(\xed\xab\xee\xdb)/ -} - # >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 # >>8 string,=WAVE (len=4), [", WAVE audio"], swap_endian=0 signature file-magic-auto354 { 
@@ -2150,20 +1263,6 @@ signature file-magic-auto354 { file-magic /(RIFF)(.{4})(WAVE)/ } -# >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 -# >>8 string,=CDRA (len=4), [", Corel Draw Picture"], swap_endian=0 -signature file-magic-auto355 { - file-mime "image/x-coreldraw", 70 - file-magic /(RIFF)(.{4})(CDRA)/ -} - -# >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 -# >>8 string,=CDR6 (len=4), [", Corel Draw Picture, version 6"], swap_endian=0 -signature file-magic-auto356 { - file-mime "image/x-coreldraw", 70 - file-magic /(RIFF)(.{4})(CDR6)/ -} - # >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 # >>8 string,=AVI (len=4), [", AVI"], swap_endian=0 signature file-magic-auto357 { @@ -2290,36 +1389,12 @@ signature file-magic-auto381 { file-magic /(\x3cMML)/ } -# >0 lelong&,=407642370 (0x184c2102), ["LZ4 compressed data, legacy format"], swap_endian=0 -signature file-magic-auto382 { - file-mime "application/x-lz4", 70 - file-magic /(\x02\x21\x4c\x18)/ -} - -# >0 lelong&,=407708164 (0x184d2204), ["LZ4 compressed data"], swap_endian=0 -signature file-magic-auto383 { - file-mime "application/x-lz4", 70 - file-magic /(\x04\x22\x4d\x18)/ -} - -# >0 string,=LRZI (len=4), ["LRZIP compressed data"], swap_endian=0 -# >>5 byte&,x, [".%d"], swap_endian=0 -signature file-magic-auto384 { - file-mime "application/x-lrzip", 1 - file-magic /(LRZI)(.{1})(.{1})/ -} - # >0 string,=OggS (len=4), ["Ogg data"], swap_endian=0 signature file-magic-auto385 { file-mime "application/ogg", 70 file-magic /(OggS)/ } -# >0 string,=LZIP (len=4), ["lzip compressed data"], swap_endian=0 -signature file-magic-auto386 { - file-mime "application/x-lzip", 70 - file-magic /(LZIP)/ -} # >0 belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0 # >>4 byte&,x, ["%d"], swap_endian=0 
@@ -2335,13 +1410,6 @@ signature file-magic-auto388 { file-magic /(\xca\xfe\xd0\x0d)(.{1})/ } -# >0 regex,=^( |\t){0,50}def {1,50}[a-zA-Z]{1,100} (len=38), [""], swap_endian=0 -# >>&0 regex,= {0,50}\(([a-zA-Z]|,| ){1,500}\):$ (len=34), ["Python script text executable"], swap_endian=0 -signature file-magic-auto389 { - file-mime "text/x-python", 64 - file-magic /(.*)(( |\t){0,50}def {1,50}[a-zA-Z]{1,100})( {0,50}\(([a-zA-Z]|,| ){1,500}\):$)/ -} - # >0 search/4096,=\documentstyle (len=14), ["LaTeX document text"], swap_endian=0 signature file-magic-auto390 { file-mime "text/x-tex", 62 
@@ -2383,56 +1451,12 @@ signature file-magic-auto395 { file-magic /(DOC)(.{40})([\x16])/ } -# >0 search/w/1,=#! /usr/local/bin/php (len=21), ["PHP script text executable"], swap_endian=0 -signature file-magic-auto396 { - file-mime "text/x-php", 61 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fphp)/ -} - -# >0 search/1,=eval '(exit $?0)' && eval 'exec (len=31), ["Perl script text"], swap_endian=0 -signature file-magic-auto397 { - file-mime "text/x-perl", 61 - file-magic /(.*)(eval \x27\x28exit \x24\x3f0\x29\x27 \x26\x26 eval \x27exec)/ -} - -# >0 regex,=^[ \t]*require[ \t]'[A-Za-z_/]+' (len=30), [""], swap_endian=0 -# >>0 regex,=include [A-Z]|def [a-z]| do$ (len=28), [""], swap_endian=0 -# >>>0 regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby script text"], swap_endian=0 -signature file-magic-auto398 { - file-mime "text/x-ruby", 54 - file-magic /(.*)([ \x09]*require[ \x09]'[A-Za-z_\x2f]+')(include [A-Z]|def [a-z]| do$)(^[ \x09]*end([ \x09]*[;#].*)?$)/ -} - -# >0 search/1,=eval "exec /usr/local/bin/perl (len=30), ["Perl script text"], swap_endian=0 -signature file-magic-auto399 { - file-mime "text/x-perl", 60 - file-magic /(.*)(eval \x22exec \x2fusr\x2flocal\x2fbin\x2fperl)/ -} - -# >0 string,=FLV (len=3), ["Macromedia Flash Video"], swap_endian=0 -signature file-magic-auto400 { - file-mime "video/x-flv", 60 - file-magic /(FLV)/ -} - # >0 string,=MP+ (len=3), ["Musepack audio"], swap_endian=0 signature file-magic-auto401 { file-mime "audio/x-musepack", 60 file-magic /(MP\x2b)/ } -# >0 string,=PBF (len=3), ["PBF image (deflate compression)"], swap_endian=0 -signature file-magic-auto402 { - file-mime "image/x-unknown", 60 - file-magic /(PBF)/ -} - -# >0 string,=SBI (len=3), ["SoundBlaster instrument data"], swap_endian=0 -signature file-magic-auto403 { - file-mime "audio/x-unknown", 60 - file-magic /(SBI)/ -} - # >0 string,=\004%! (len=3), ["PostScript document text"], swap_endian=0 signature file-magic-auto405 { file-mime "application/postscript", 60 
@@ -2445,32 +1469,12 @@ signature file-magic-auto406 { file-magic /(BZh)/ } -# >0 regex,=^[ \t]*(class|module)[ \t][A-Z] (len=29), [""], swap_endian=0 -# >>0 regex,=(modul|includ)e [A-Z]|def [a-z] (len=31), [""], swap_endian=0 -# >>>0 regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby module source text"], swap_endian=0 -signature file-magic-auto407 { - file-mime "text/x-ruby", 54 - file-magic /(.*)([ \x09]*(class|module)[ \x09][A-Z])((modul|includ)e [A-Z]|def [a-z])(^[ \x09]*end([ \x09]*[;#].*)?$)/ -} - -# >0 regex/20,=^\.[A-Za-z0-9][A-Za-z0-9][ \t] (len=29), ["troff or preprocessor input text"], swap_endian=0 -#signature file-magic-auto411 { -# file-mime "text/troff", 59 -# file-magic /(^\.[A-Za-z0-9][A-Za-z0-9][ \x09])/ -#} - # >0 search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0 signature file-magic-auto412 { file-mime "text/x-tex", 59 file-magic /(.*)(\x5cdocumentclass)/ } -# >0 regex,=^from\s+(\w|\.)+\s+import.*$ (len=28), ["Python script text executable"], swap_endian=0 -signature file-magic-auto413 { - file-mime "text/x-python", 58 - file-magic /(.*)(from\s+(\w|\.)+\s+import.*$)/ -} - # >0 search/4096,=\contentsline (len=13), ["LaTeX table of contents"], swap_endian=0 signature file-magic-auto414 { file-mime "text/x-tex", 58 
@@ -2489,117 +1493,30 @@ signature file-magic-auto416 { file-magic /(.*)(\x5csection)/ } -# >0 regex/20,=^\.[A-Za-z0-9][A-Za-z0-9]$ (len=26), ["troff or preprocessor input text"], swap_endian=0 -#signature file-magic-auto417 { -# file-mime "text/troff", 56 -# file-magic /(^\.[A-Za-z0-9][A-Za-z0-9]$)/ -#} - -# >0 search/w/1,=#! /usr/bin/php (len=15), ["PHP script text executable"], swap_endian=0 -signature file-magic-auto418 { - file-mime "text/x-php", 55 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fphp)/ -} - # >0 search/4096,=\setlength (len=10), ["LaTeX document text"], swap_endian=0 signature file-magic-auto419 { file-mime "text/x-tex", 55 file-magic /(.*)(\x5csetlength)/ } -# >0 search/1,=eval "exec /usr/bin/perl (len=24), ["Perl script text"], swap_endian=0 -signature file-magic-auto420 { - file-mime "text/x-perl", 54 - file-magic /(.*)(eval \x22exec \x2fusr\x2fbin\x2fperl)/ -} - # >0 search/1,=Common subdirectories: (len=23), ["diff output text"], swap_endian=0 signature file-magic-auto422 { file-mime "text/x-diff", 53 file-magic /(.*)(Common subdirectories\x3a )/ } -# >0 search/w/1,=#! /usr/local/bin/wish (len=22), ["Tcl/Tk script text executable"], swap_endian=0 -signature file-magic-auto425 { - file-mime "text/x-tcl", 52 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fwish)/ -} - # >0 search/4096,=(custom-set-variables (len=22), ["Lisp/Scheme program text"], swap_endian=0 signature file-magic-auto426 { file-mime "text/x-lisp", 52 file-magic /(.*)(\x28custom\x2dset\x2dvariables )/ } -# >0 beshort&,=-40 (0xffd8), ["JPEG image data"], swap_endian=0 -signature file-magic-auto427 { - file-mime "image/jpeg", 52 - file-magic /(\xff\xd8)/ -} - -# >0 search/1,=#!/usr/bin/env nodejs (len=21), ["Node.js script text executable"], swap_endian=0 -signature file-magic-auto429 { - file-mime "application/javascript", 51 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv nodejs)/ -} - -# >0 search/w/1,=#! 
/usr/local/bin/tcl (len=21), ["Tcl script text executable"], swap_endian=0 -signature file-magic-auto430 { - file-mime "text/x-tcl", 51 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2ftcl)/ -} - -# This didn't autogenerate well due to indirect offset, bitmasking, and -# relational comparisons. -# >0 leshort&fffffffffffffefe,=0 (0x0000), [""], swap_endian=0 -# >>4 ulelong&fcfffe00,=0 (0x00000000), [""], swap_endian=0 -# >>>68 ulelong&,>87 (0x00000057), [""], swap_endian=0 -# >>>>68 (lelong,-1), ubelong&ffe0c519,=4194328 (0x00400018), ["Windows Precompiled iNF"], swap_endian=0 -#signature file-magic-auto431 { -# file-mime "application/x-pnf", 70 -# file-magic /(.{2})(.{2})(.{4})(.{60})(.{4})(.{4})/ -#} - -# >0 search/w/1,=#! /usr/local/bin/lua (len=21), ["Lua script text executable"], swap_endian=0 -signature file-magic-auto432 { - file-mime "text/x-lua", 51 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2flua)/ -} - # >0 string/b,=MZ (len=2), [""], swap_endian=0 signature file-magic-auto433 { file-mime "application/x-dosexec", 51 file-magic /(MZ)/ } -# >0 string/b,=MZ (len=2), [""], swap_endian=0 -# >>30 string,=Copyright 1989-1990 PKWARE Inc. (len=31), ["Self-extracting PKZIP archive"], swap_endian=0 -signature file-magic-auto434 { - file-mime "application/zip", 340 - file-magic /(MZ)(.{28})(Copyright 1989\x2d1990 PKWARE Inc\x2e)/ -} - -# >0 string/b,=MZ (len=2), [""], swap_endian=0 -# >>30 string,=PKLITE Copr. 
(len=12), ["Self-extracting PKZIP archive"], swap_endian=0 -signature file-magic-auto435 { - file-mime "application/zip", 150 - file-magic /(MZ)(.{28})(PKLITE Copr\x2e)/ -} - -# >0 string/b,=MZ (len=2), [""], swap_endian=0 -# >>36 string,=LHa's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0 -signature file-magic-auto436 { - file-mime "application/x-lha", 120 - file-magic /(MZ)(.{34})(LHa\x27s SFX)/ -} - -# >0 string/b,=MZ (len=2), [""], swap_endian=0 -# >>36 string,=LHA's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0 -signature file-magic-auto437 { - file-mime "application/x-lha", 120 - file-magic /(MZ)(.{34})(LHA\x27s SFX)/ -} - # >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 # >>2 byte&fffffffffffffff0,=0x10, ["MPEG ADTS, layer III, v1, 32 kbps"], swap_endian=0 signature file-magic-auto438 { 
@@ -2698,64 +1615,6 @@ signature file-magic-auto451 { file-magic /(\xff[\xfa\xfb])([\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef])/ } -# >4 leshort&,=-20719 (0xaf11), [""], swap_endian=0 -# >>8 leshort&,=320 (0x0140), [""], swap_endian=0 -# >>>10 leshort&,=200 (0x00c8), [""], swap_endian=0 -# >>>>12 leshort&,=8 (0x0008), ["FLI animation, 320x200x8"], swap_endian=0 -signature file-magic-auto452 { - file-mime "video/x-fli", 50 - file-magic /(.{4})(\x11\xaf)(.{2})(\x40\x01)(\xc8\x00)(\x08\x00)/ -} - -# >4 leshort&,=-20718 (0xaf12), [""], swap_endian=0 -# >>12 leshort&,=8 (0x0008), ["FLC animation"], swap_endian=0 -signature file-magic-auto453 { - file-mime "video/x-flc", 50 - file-magic /(.{4})(\x12\xaf)(.{6})(\x08\x00)/ -} - -# >0 string,=BM (len=2), [""], swap_endian=0 -# >>14 leshort&,=12 (0x000c), ["PC bitmap, OS/2 1.x format"], swap_endian=0 -signature file-magic-auto454 { - file-mime "image/x-ms-bmp", 50 - file-magic /(BM)(.{12})(\x0c\x00)/ -} - -# >0 string,=BM (len=2), [""], swap_endian=0 -# >>14 leshort&,=64 (0x0040), ["PC bitmap, OS/2 2.x format"], swap_endian=0 -signature file-magic-auto455 { - file-mime "image/x-ms-bmp", 50 - file-magic /(BM)(.{12})(\x40\x00)/ -} - -# >0 string,=BM (len=2), [""], swap_endian=0 -# >>14 leshort&,=40 (0x0028), ["PC bitmap, Windows 3.x format"], swap_endian=0 -signature file-magic-auto456 { - file-mime "image/x-ms-bmp", 50 - file-magic /(BM)(.{12})(\x28\x00)/ -} - -# >0 string,=BM (len=2), [""], swap_endian=0 -# >>14 leshort&,=124 (0x007c), ["PC bitmap, Windows 98/2000 and newer format"], swap_endian=0 -signature file-magic-auto457 { - file-mime "image/x-ms-bmp", 50 - file-magic /(BM)(.{12})(\x7c\x00)/ -} - -# >0 string,=BM (len=2), [""], swap_endian=0 -# >>14 leshort&,=108 (0x006c), ["PC bitmap, Windows 95/NT4 and newer format"], swap_endian=0 -signature file-magic-auto458 { - file-mime "image/x-ms-bmp", 50 - file-magic /(BM)(.{12})(\x6c\x00)/ -} - -# >0 string,=BM (len=2), [""], swap_endian=0 -# >>14 
leshort&,=128 (0x0080), ["PC bitmap, Windows NT/2000 format"], swap_endian=0 -signature file-magic-auto459 { - file-mime "image/x-ms-bmp", 50 - file-magic /(BM)(.{12})(\x80\x00)/ -} - # >20 string,=45 (len=2), [""], swap_endian=0 # >>0 regex/1,=(^[0-9]{5})[acdnp][^bhlnqsu-z] (len=30), ["MARC21 Bibliographic"], swap_endian=0 signature file-magic-auto460 { @@ -2786,37 +1645,7 @@ signature file-magic-auto463 { # >0 search/4096,=\begin (len=6), ["LaTeX document text"], swap_endian=0 signature file-magic-auto464 { file-mime "text/x-tex", 51 - file-magic /(.*)(\x5cbegin)/ -} - -# >0 search/4096,=\input (len=6), ["TeX document text"], swap_endian=0 -signature file-magic-auto465 { - file-mime "text/x-tex", 51 - file-magic /(.*)(\x5cinput)/ -} - -# >0 leshort&,=-24712 (0x9f78), ["TNEF"], swap_endian=0 -signature file-magic-auto466 { - file-mime "application/vnd.ms-tnef", 50 - file-magic /(\x78\x9f)/ -} - -# >0 leshort&,=-5536 (0xea60), ["ARJ archive data"], swap_endian=0 -signature file-magic-auto467 { - file-mime "application/x-arj", 50 - file-magic /(\x60\xea)/ -} - -# >0 search/1,=eval "exec /bin/perl (len=20), ["Perl script text"], swap_endian=0 -signature file-magic-auto468 { - file-mime "text/x-perl", 50 - file-magic /(.*)(eval \x22exec \x2fbin\x2fperl)/ -} - -# >0 search/1,=#! /usr/bin/env perl (len=20), ["Perl script text executable"], swap_endian=0 -signature file-magic-auto469 { - file-mime "text/x-perl", 50 - file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv perl)/ + file-magic /.*\x5c(input|begin)/ } # >0 beshort&,=-26368 (0x9900), ["PGP key public ring"], swap_endian=0 
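Review bot: The provenance comment kept above `signature file-magic-auto464` still documents only the `\begin` rule (`# >0 search/4096,=\begin (len=6), ["LaTeX document text"]`), but the new `file-magic /.*\x5c(input|begin)/` also absorbs the deleted auto465 `\input` rule, so the comment now under-describes what the signature fires on. I would keep the second provenance line alongside the first: `# >0 search/4096,=\input (len=6), ["TeX document text"], swap_endian=0`, so the next person regenerating these from file(1)'s magic knows both rules were merged on purpose rather than one being dropped. The alternation itself is equivalent to the two removed `(.*)(\x5c...)` patterns at the same strength 51, so there is no matching change to flag; note only that both are still unanchored `.*` scans, which presumably stays bounded by whatever initial chunk the file framework hands to the signature engine — worth confirming rather than relying on file(1)'s old `search/4096` limit.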
@@ -2869,42 +1698,6 @@ signature file-magic-auto478 { file-magic /((^[0-9]{5})[acdn][w])((^.{21})([^0]{2}))/ } -# >0 short&,=-14479 (0xc771), ["byte-swapped cpio archive"], swap_endian=0 -signature file-magic-auto479 { - file-mime "application/x-cpio", 50 - file-magic /((\x71\xc7)|(\xc7\x71))/ -} - -# >0 short&,=29127 (0x71c7), ["cpio archive"], swap_endian=0 -signature file-magic-auto480 { - file-mime "application/x-cpio", 50 - file-magic /((\xc7\x71)|(\x71\xc7))/ -} - -# >0 string,=\n( (len=2), ["Emacs v18 byte-compiled Lisp data"], swap_endian=0 -#signature file-magic-auto481 { -# file-mime "application/x-elc", 50 -# file-magic /(\x0a\x28)/ -#} - -# >0 string,=\021\t (len=2), ["Award BIOS Logo, 136 x 126"], swap_endian=0 -signature file-magic-auto482 { - file-mime "image/x-award-bioslogo", 50 - file-magic /(\x11\x09)/ -} - -# >0 string,=\021\006 (len=2), ["Award BIOS Logo, 136 x 84"], swap_endian=0 -signature file-magic-auto483 { - file-mime "image/x-award-bioslogo", 50 - file-magic /(\x11\x06)/ -} - -# >0 string,=P7 (len=2), ["Netpbm PAM image file"], swap_endian=0 -signature file-magic-auto484 { - file-mime "image/x-portable-pixmap", 50 - file-magic /(P7)/ -} - # >0 beshort&ffffffffffffffe0,=22240 (0x56e0), ["MPEG-4 LOAS"], swap_endian=0 signature file-magic-auto485 { file-mime "audio/x-mp4a-latm", 50 @@ -2941,12 +1734,6 @@ signature file-magic-auto490 { file-magic /(\xff[\xfc\xfd])/ } -# >0 search/1,=#! /usr/bin/env wish (len=20), ["Tcl/Tk script text executable"], swap_endian=0 -signature file-magic-auto491 { - file-mime "text/x-tcl", 50 - file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv wish)/ -} - # >0 beshort&,=-26367 (0x9901), ["GPG key public ring"], swap_endian=0 signature file-magic-auto492 { file-mime "application/x-gnupg-keyring", 50 
@@ -2959,79 +1746,12 @@ signature file-magic-auto493 { file-magic /(\xf7\x02)/ } -## >2 string,=\000\021 (len=2), ["TeX font metric data"], swap_endian=0 -#signature file-magic-auto494 { -# file-mime "application/x-tex-tfm", 50 -# file-magic /(.{2})(\x00\x11)/ -#} -# -## >2 string,=\000\022 (len=2), ["TeX font metric data"], swap_endian=0 -#signature file-magic-auto495 { -# file-mime "application/x-tex-tfm", 50 -# file-magic /(.{2})(\x00\x12)/ -#} - # >0 beshort&,=-31486 (0x8502), ["GPG encrypted data"], swap_endian=0 signature file-magic-auto496 { file-mime "text/PGP", 50 file-magic /(\x85\x02)/ } -# >4 string/W,=jP (len=2), ["JPEG 2000 image"], swap_endian=0 -signature file-magic-auto497 { - file-mime "image/jp2", 50 - file-magic /(.{4})(jP)/ -} - -# Not specific enough. -# >0 regex,=^template[ \t\n]+ (len=15), ["C++ source text"], swap_endian=0 -#signature file-magic-auto498 { -# file-mime "text/x-c++", 50 -# file-magic /(.*)(template[ \x09\x0a]+)/ -#} - -# >0 search/c/1,=0 string,=\037\235 (len=2), ["compress'd data"], swap_endian=0 -signature file-magic-auto500 { - file-mime "application/x-compress", 50 - file-magic /(\x1f\x9d)/ -} - -# >0 string,=\037\036 (len=2), ["packed data"], swap_endian=0 -#signature file-magic-auto501 { -# file-mime "application/octet-stream", 50 -# file-magic /(\x1f\x1e)/ -#} - -# >0 short&,=7967 (0x1f1f), ["old packed data"], swap_endian=0 -#signature file-magic-auto502 { -# file-mime "application/octet-stream", 50 -# file-magic /((\x1f\x1f)|(\x1f\x1f))/ -#} - -# >0 short&,=8191 (0x1fff), ["compacted data"], swap_endian=0 -#signature file-magic-auto503 { -# file-mime "application/octet-stream", 50 -# file-magic /((\xff\x1f)|(\x1f\xff))/ -#} - -# >0 string,=\377\037 (len=2), ["compacted data"], swap_endian=0 -#signature file-magic-auto504 { -# file-mime "application/octet-stream", 50 -# file-magic /(\xff\x1f)/ -#} - -# >0 short&,=-13563 (0xcb05), ["huf output"], swap_endian=0 -#signature file-magic-auto505 { -# file-mime 
"application/octet-stream", 50
-# file-magic /((\x05\xcb)|(\xcb\x05))/
-#}
-
 # >34 string,=LP (len=2), ["Embedded OpenType (EOT)"], swap_endian=0
 signature file-magic-auto506 {
 file-mime "application/vnd.ms-fontobject", 50
@@ -3044,130 +1764,12 @@ signature file-magic-auto507 {
 file-magic /(\x0b\x77)/
 }
 
-# >0 search/1,=#!/usr/bin/env node (len=19), ["Node.js script text executable"], swap_endian=0
-signature file-magic-auto508 {
- file-mime "application/javascript", 49
- file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv node)/
-}
-
-# >0 search/1,=#!/usr/bin/env wish (len=19), ["Tcl/Tk script text executable"], swap_endian=0
-signature file-magic-auto509 {
- file-mime "text/x-tcl", 49
- file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv wish)/
-}
-
-# >0 regex,=^[ \t]{0,50}\.asciiz (len=19), ["assembler source text"], swap_endian=0
-signature file-magic-auto510 {
- file-mime "text/x-asm", 49
- file-magic /(^[ \x09]{0,50}\.(asciiz|asciz|section|globl|align|even|byte|file|type))/
-}
-
-# >0 regex,=^[ \t]{0,50}\.globl (len=18), ["assembler source text"], swap_endian=0
-#signature file-magic-auto517 {
-# file-mime "text/x-asm", 48
-# file-magic /(^[ \x09]{0,50}\.globl)/
-#}
-
-# >0 regex,=^[ \t]{0,50}\.text (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto523 {
-# file-mime "text/x-asm", 47
-# file-magic /(^[ \x09]{0,50}\.text)/
-#}
-
-# >0 regex,=^[ \t]{0,50}\.even (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto524 {
-# file-mime "text/x-asm", 47
-# file-magic /(^[ \x09]{0,50}\.even)/
-#}
-
-# >0 regex,=^[ \t]{0,50}\.byte (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto525 {
-# file-mime "text/x-asm", 47
-# file-magic /(^[ \x09]{0,50}\.byte)/
-#}
-
-# >0 regex,=^[ \t]{0,50}\.file (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto526 {
-# file-mime "text/x-asm", 47
-# file-magic /(^[ \x09]{0,50}\.file)/
-#}
-
-# >0 regex,=^[ \t]{0,50}\.type (len=17), ["assembler source text"], swap_endian=0
-#signature file-magic-auto527 {
-# file-mime "text/x-asm", 47
-# file-magic /(^[ \x09]{0,50}\.type)/
-#}
-
-
-# >0 search/1,=#!/usr/bin/env perl (len=19), ["Perl script text executable"], 
swap_endian=0 -signature file-magic-auto511 { - file-mime "text/x-perl", 49 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv perl)/ -} - -# >0 search/Wct/4096,=0 regex,=^virtual[ \t\n]+ (len=14), ["C++ source text"], swap_endian=0 -#signature file-magic-auto513 { -# file-mime "text/x-c++", 49 -# file-magic /(.*)(virtual[ \x09\x0a]+)/ -#} - -# >0 search/1,=#! /usr/bin/env lua (len=19), ["Lua script text executable"], swap_endian=0 -signature file-magic-auto514 { - file-mime "text/x-lua", 49 - file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv lua)/ -} - -# >0 search/1,=#! /usr/bin/env tcl (len=19), ["Tcl script text executable"], swap_endian=0 -signature file-magic-auto516 { - file-mime "text/x-tcl", 49 - file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv tcl)/ -} -# >0 search/1,=#!/usr/bin/env tcl (len=18), ["Tcl script text executable"], swap_endian=0 -signature file-magic-auto518 { - file-mime "text/x-tcl", 48 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv tcl)/ -} - -# >0 search/1,=#!/usr/bin/env lua (len=18), ["Lua script text executable"], swap_endian=0 -signature file-magic-auto519 { - file-mime "text/x-lua", 48 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv lua)/ -} - -# >0 search/w/1,=#!/usr/bin/nodejs (len=17), ["Node.js script text executable"], swap_endian=0 -signature file-magic-auto521 { - file-mime "application/javascript", 47 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fnodejs)/ -} - -# >0 regex,=^class[ \t\n]+ (len=12), ["C++ source text"], swap_endian=0 -#signature file-magic-auto522 { -# file-mime "text/x-c++", 47 -# file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/ -#} - # >0 search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0 signature file-magic-auto528 { file-mime "text/x-info", 47 file-magic /(.*)(This is Info file)/ } -# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 -# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 -# >>>&0 regex/c,=^(autorun)]\r\n (len=13), [""], swap_endian=0 -# 
>>>>&0 ubyte&,=0x5b, ["INItialization configuration"], swap_endian=0
-signature file-magic-auto529 {
- file-mime "application/x-wine-extension-ini", 40
- file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([aA][uU][tT][oO][rR][uU][nN])]\x0d\x0a)([\x5b])/
-}
-
 # >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
 # >>&0 search/8192,=[ (len=1), [""], swap_endian=0
 # >>>&0 regex/c,=^(autorun)]\r\n (len=13), [""], swap_endian=0
@@ -3185,70 +1787,6 @@ signature file-magic-auto531 {
 file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([vV][eE][rR][sS][iI][oO][nN]|[sS][tT][rR][iI][nN][gG][sS])])/
 }
 
-# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0 regex/c,=^(WinsockCRCList|OEMCPL)] (len=25), ["Windows setup INFormation"], swap_endian=0
-signature file-magic-auto532 {
- file-mime "text/inf", 55
- file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ww][iI][nN][sS][oO][cC][kK][Cc][Rr][Cc][Ll][iI][sS][tT]|[Oo][Ee][Mm][Cc][Pp][Ll])])/
-}
-
-# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0 regex/c,=^(.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] (len=51), ["Windows desktop.ini"], swap_endian=0
-signature file-magic-auto533 {
- file-mime "application/x-wine-extension-ini", 81
- file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^(.[Ss][hH][eE][lL][lL][Cc][lL][aA][sS][sS][Ii][nN][fF][oO]|[Dd][eE][lL][eE][tT][eE][Oo][nN][Cc][oO][pP][yY]|[Ll][oO][cC][aA][lL][iI][zZ][eE][dD][Ff][iI][lL][eE][Nn][aA][mM][eE][sS])])/
-}
-
-# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0 regex/c,=^(don't load)] (len=14), ["Windows CONTROL.INI"], swap_endian=0
-signature file-magic-auto534 {
- file-mime "application/x-wine-extension-ini", 44
- file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([dD][oO][nN]'[tT] [lL][oO][aA][dD])])/
-}
-
-# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0 regex/c,=^(ndishlp\$|protman\$|NETBEUI\$)] (len=33), ["Windows PROTOCOL.INI"], swap_endian=0
-signature file-magic-auto535 {
- file-mime "application/x-wine-extension-ini", 63
- file-magic 
/(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([nN][dD][iI][sS][hH][lL][pP]\$|[pP][rR][oO][tT][mM][aA][nN]\$|[Nn][Ee][Tt][Bb][Ee][Uu][Ii]\$)])/
-}
-
-# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0 regex/c,=^(windows|Compatibility|embedding)] (len=35), ["Windows WIN.INI"], swap_endian=0
-signature file-magic-auto536 {
- file-mime "application/x-wine-extension-ini", 65
- file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([wW][iI][nN][dD][oO][wW][sS]|[Cc][oO][mM][pP][aA][tT][iI][bB][iI][lL][iI][tT][yY]|[eE][mM][bB][eE][dD][dD][iI][nN][gG])])/
-}
-
-# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0 regex/c,=^(boot|386enh|drivers)] (len=23), ["Windows SYSTEM.INI"], swap_endian=0
-signature file-magic-auto537 {
- file-mime "application/x-wine-extension-ini", 53
- file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([bB][oO][oO][tT]|386[eE][nN][hH]|[dD][rR][iI][vV][eE][rR][sS])])/
-}
-
-# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0 regex/c,=^(SafeList)] (len=12), ["Windows IOS.INI"], swap_endian=0
-signature file-magic-auto538 {
- file-mime "application/x-wine-extension-ini", 42
- file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ss][aA][fF][eE][Ll][iI][sS][tT])])/
-}
-
-# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
-# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
-# >>>&0 regex/c,=^(boot loader)] (len=15), ["Windows boot.ini"], swap_endian=0
-signature file-magic-auto539 {
- file-mime "application/x-wine-extension-ini", 45
- file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([bB][oO][oO][tT] [lL][oO][aA][dD][eE][rR])])/
-}
-
 # >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
 # >>&0 search/8192,=[ (len=1), [""], swap_endian=0
 # >>>&0 ubequad&ffdfffdfffdfffdf,=24207144355233875 
(0x0056004500520053), [""], swap_endian=0 
@@ -3288,138 +1826,26 @@ signature file-magic-auto543 { file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(.*)(\x5b)(\x00[\x56\x76]\x00[\x45\x65]\x00[\x52\x72]\x00[\x53\x73])(\x00[\x49\x69]\x00[\x4f\x6f]\x00[\x4e\x6e]\x00\x5d)/ } +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 regex/c,=^(WinsockCRCList|OEMCPL)] (len=25), ["Windows setup INFormation"], swap_endian=0 +signature file-magic-auto532 { + file-mime "text/inf", 55 + file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ww][iI][nN][sS][oO][cC][kK][Cc][Rr][Cc][Ll][iI][sS][tT]|[Oo][Ee][Mm][Cc][Pp][Ll])])/ +} + # >0 search/1,=0 search/w/1,=#! /usr/bin/wish (len=16), ["Tcl/Tk script text executable"], swap_endian=0 -signature file-magic-auto545 { - file-mime "text/x-tcl", 46 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fwish)/ -} - -# >0 search/w/1,=#! /usr/bin/lua (len=15), ["Lua script text executable"], swap_endian=0 -signature file-magic-auto547 { - file-mime "text/x-lua", 45 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2flua)/ -} - -# >0 search/w/1,=#! /usr/bin/tcl (len=15), ["Tcl script text executable"], swap_endian=0 -signature file-magic-auto548 { - file-mime "text/x-tcl", 45 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2ftcl)/ -} - -# >0 search/wct/4096,=0 search/wct/4096,=0 search/w/1,=#!/usr/bin/node (len=15), ["Node.js script text executable"], swap_endian=0 -signature file-magic-auto551 { - file-mime "application/javascript", 45 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fnode)/ -} - -# >0 search/wct/1,=0 search/1,=\input texinfo (len=14), ["Texinfo source text"], swap_endian=0 -signature file-magic-auto553 { - file-mime "text/x-texinfo", 44 - file-magic /(.*)(\x5cinput texinfo)/ -} - -# Not specific enough. 
-# >0 regex,=^private: (len=9), ["C++ source text"], swap_endian=0 -#signature file-magic-auto554 { -# file-mime "text/x-c++", 44 -# file-magic /(.*)(private:)/ -#} - -# >0 search/4096,=def __init__ (len=12), [""], swap_endian=0 -# >>&0 search/64,=self (len=4), ["Python script text executable"], swap_endian=0 -signature file-magic-auto555 { - file-mime "text/x-python", 38 - file-magic /(.*)(def \x5f\x5finit\x5f\x5f)(.*)(self)/ -} - -# >0 search/wct/4096,=0 regex,=^extern[ \t\n]+ (len=13), ["C source text"], swap_endian=0 -#signature file-magic-auto557 { -# file-mime "text/x-c", 43 -# file-magic /(.*)(extern[ \x09\x0a]+)/ -#} - # >0 search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0 signature file-magic-auto558 { file-mime "text/x-tex", 43 file-magic /(.*)(\x25 \x2d\x2a\x2dlatex\x2d\x2a\x2d)/ } -# Doesn't seem specific enough. -# >0 regex,=^double[ \t\n]+ (len=13), ["C source text"], swap_endian=0 -#signature file-magic-auto559 { -# file-mime "text/x-c", 43 -# file-magic /(^double[ \x09\x0a]+)/ -#} - -# >0 regex,=^struct[ \t\n]+ (len=13), ["C source text"], swap_endian=0 -#signature file-magic-auto560 { -# file-mime "text/x-c", 43 -# file-magic /(.*)(struct[ \x09\x0a]+)/ -#} - -# >0 search/w/1,=#!/bin/nodejs (len=13), ["Node.js script text executable"], swap_endian=0 -signature file-magic-auto561 { - file-mime "application/javascript", 43 - file-magic /(.*)(\x23\x21\x2fbin\x2fnodejs)/ -} - -# Not specific enough. -# >0 regex,=^public: (len=8), ["C++ source text"], swap_endian=0 -#signature file-magic-auto562 { -# file-mime "text/x-c++", 43 -# file-magic /(.*)(public:)/ -#} - -# >0 search/wct/4096,=