diff --git a/CHANGES b/CHANGES
index 6b81d44a0e..1789bed0cc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,139 @@ +2.5-679 | 2018-06-21 16:00:48 -0500 + + * Add support for bitwise operations (&, |, ^, ~) on "count" values. + (Vern Paxson) + +2.5-671 | 2018-06-21 11:55:39 -0500 + + * Add ability for BroControl to skip cluster setup (Corelight) + + * BIT-1938: fix crash in Broker manager shutdown (Corelight) + + * Disable broxygen when running unit tests (Daniel Thayer) + +2.5-668 | 2018-06-15 17:14:33 -0500 + + * Make old comm. system usages an error unless old_comm_usage_is_ok is set + (Corelight) + +2.5-667 | 2018-06-15 15:30:11 -0500 + + * Add --disable-broker-tests configure option (Corelight) + +2.5-663 | 2018-06-14 12:51:28 -0500 + + * Add Broker::max_threads and Broker::max_sleep tuning options, + remove Broker::max_live_threads and Broker::max_pcap threads (Corelight) + + * Minor optimization to bro_broker::Manager::FlushPendingQueries (Corelight) + +2.5-660 | 2018-06-12 13:49:39 -0500 + + * Add Broker::max_live_threads and Broker::max_pcap_threads tunables + (Corelight) + +2.5-658 | 2018-06-08 16:41:07 +0000 + + * Allow BRO_DEFAULT_LISTEN_ADDRESS to control broker listen address. + This environment variable is now set to listen only on IPv4 + loopback when running unit tests (instead of using the default + INADDR_ANY). (Corelight) + + * Move some of the @loads out from init-bare.bro into a new + init-frameworks-and-bifs.bro in order to better support calling BIFs + (like `getenv`) from variable initializations in those particular + frameworks. 
(Corelight) + +2.5-655 | 2018-06-08 10:43:03 -0500 + + * Correct conn history field documentation (Corelight) + +2.5-652 | 2018-06-07 13:57:23 -0500 + + * GH-131: disable krb ticket decryption on non-Linux (Corelight) + +2.5-651 | 2018-06-07 09:57:29 -0500 + + * Fix signed/unsigned comparison compiler warning (Corelight) + +2.5-650 | 2018-06-06 16:20:18 -0500 + + * Improve Broker performance (Corelight) + +2.5-648 | 2018-06-05 17:32:47 -0500 + + * BIT-1936: improve Broxygen warnings (Corelight) + +2.5-647 | 2018-06-05 15:19:16 -0500 + + * Update `make doc`: don't copy broker docs (Corelight) + +2.5-646 | 2018-06-05 11:31:43 -0500 + + * Add NCP::max_frame_size tuning option (Corelight) + + * Migrate NCP analyzer to use latest analyzer API (Corelight) + + * Fix read at invalid address in X509 extension parser (Johanna Amann) + +2.5-642 | 2018-06-04 13:52:46 -0500 + + * Make 0 be a valid packet source timestamp (Corelight) + +2.5-641 | 2018-06-04 09:18:59 -0700 + + * Add Broker::publish_and_relay BIF + + Like Broker::relay, except the relaying-node also calls event handlers. (Corelight) + + * Document variable argument list BIFs using ellipsis. (Corelight). + + * Support unserializing broker data into type 'any' + + The receiver side will wrap the data as a Broker::Data value, which + can then be type-checked/cast via 'is' or 'as' operators to a specific + Bro type. For example: + + Sender: + + Broker::publish("topic", my_event, "hello") + + Receiver: + + event my_event(arg: any) + { + if ( arg is string ) + print arg as string; + } + + (Corelight) + + * Fix a bug in broker data type-casting check (Corelight) + + * Remove dead code in broker data/val conversion function (Corelight) + + * SSH protocol now assesses the packet length at an earlier stage within binpac + (Andrew Woodford). + + * Remove some UTF-8 characters that snuck into a few scripts. (Corelight) + + * Decrypt the krb ticket and extract authentication data. 
(Julien Wallior) + +2.5-619 | 2018-06-01 11:29:15 -0500 + + * Relocate temporary script coverage files (Corelight) + +2.5-618 | 2018-06-01 10:03:24 -0500 + + * BIT-1635: fix `make doc` warnings (Corelight) + + * Add smb2_file_sattr event (Devin Trejo) + + * Add bad ARP tests (Pierre LATET) + + * Fix SCT validation when invalid certificates are in chain. (Johanna Amann) + 2.5-611 | 2018-05-29 10:13:17 -0500 * Fix NEWS file formatting (Corelight) diff --git a/CMakeLists.txt b/CMakeLists.txt index fabeb5ae64..d0ea236330 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -143,6 +143,15 @@ if (LIBGEOIP_FOUND) list(APPEND OPTLIBS ${LibGeoIP_LIBRARY}) endif () +set(USE_KRB5 false) +if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux ) + find_package(LibKrb5) + if (LibKrb5_FOUND) + set(USE_KRB5 true) + list(APPEND OPTLIBS ${LibKrb5_LIBRARY}) + endif () +endif () + set(HAVE_PERFTOOLS false) set(USE_PERFTOOLS_DEBUG false) set(USE_PERFTOOLS_TCMALLOC false) @@ -294,6 +303,7 @@ message( "\nAux. Tools: ${INSTALL_AUX_TOOLS}" "\n" "\nGeoIP: ${USE_GEOIP}" + "\nKerberos: ${USE_KRB5}" "\ngperftools found: ${HAVE_PERFTOOLS}" "\n tcmalloc: ${USE_PERFTOOLS_TCMALLOC}" "\n debugging: ${USE_PERFTOOLS_DEBUG}" diff --git a/NEWS b/NEWS index 6f3c047f40..93a28cb200 100644 --- a/NEWS +++ b/NEWS @@ -242,6 +242,13 @@ New Functionality - Added new SMB events: smb1_transaction_secondary_request, smb1_transaction2_secondary_request, smb1_transaction_response +- Bro can now decrypt Kerberos tickets, and retrieve the authentication from + them, given a suitable keytab file. + +- Added support for bitwise operations on "count" values. '&', '|' and + '^' are binary "and", "or" and "xor" operators, and '~' is a unary + ones-complement operator. + Changed Functionality --------------------- diff --git a/VERSION b/VERSION index 67d2dc9fde..6aaa39f82a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-611 +2.5-679 diff --git a/aux/binpac b/aux/binpac index 0b2ef114fd..951aeae8e4 160000 --- a/aux/binpac 
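Review bot: `if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux )` in the first CMakeLists.txt hunk expands the variable before `if()` parses its arguments, so an empty value turns the condition into a syntax error; `if()` dereferences a bare variable name itself, so `if ( CMAKE_SYSTEM_NAME MATCHES Linux )` (or `STREQUAL "Linux"` for an exact match) is the robust form. The Linux-only gating of the krb5 lookup has no comment explaining why it exists; a one-liner such as `# Ticket decryption is only built on Linux (see GH-131 in CHANGES).` would save the next reader a trip through the changelog. The summary line added in the second hunk is fine.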
+++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 0b2ef114fdac4c135d357693d7e74a441dee8db3 +Subproject commit 951aeae8e4a08c598203cf61387f015ec4e0849d diff --git a/aux/bro-aux b/aux/bro-aux index ad99dc534f..eeb677ff69 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit ad99dc534f2574a47a808d677fc76098f42a1b54 +Subproject commit eeb677ff696f8ea3eaa43a765fe40da07ed5281d diff --git a/aux/broccoli b/aux/broccoli index 701a539f29..d9041cc95d 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 701a539f295f138bb1c44953310e083a4210fe1b +Subproject commit d9041cc95d2232dbbcf36647f34537da22e360ff diff --git a/aux/broctl b/aux/broctl index 7e68ad436e..c5dd2ba83d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 7e68ad436e122fa95c87b6caca0e2e7b20dd5b97 +Subproject commit c5dd2ba83dda185d2008731a5cd25b2b8131ac78 diff --git a/aux/broker b/aux/broker index 7b84848bde..08f41ccc24 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 7b84848bded443637fa34e76f7d8558bd1cafbee +Subproject commit 08f41ccc2497f4c6567da0b95488593c39a12a01 diff --git a/bro-config.h.in b/bro-config.h.in index 003eea88b7..19ab863a3f 100644 --- a/bro-config.h.in +++ b/bro-config.h.in @@ -108,6 +108,9 @@ /* GeoIP geographic lookup functionality */ #cmakedefine USE_GEOIP +/* Define if KRB5 is available */ +#cmakedefine USE_KRB5 + /* Whether the found GeoIP API supports IPv6 Country Edition */ #cmakedefine HAVE_GEOIP_COUNTRY_EDITION_V6 diff --git a/cmake b/cmake index 5080aef1ae..1600554d1d 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 5080aef1aeeea5bc6b0d8c481ef42f5be2b391a9 +Subproject commit 1600554d1d907f4f252f19cf1f55e13d368a936f diff --git a/configure b/configure index cf1c901449..fdbca263c6 100755 --- a/configure +++ b/configure 
@@ -55,6 +55,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --disable-auxtools don't build or install auxiliary tools --disable-perftools don't try to build with Google Perftools --disable-python don't try to build python bindings for broker + --disable-broker-tests don'e try to build Broker unit tests Required Packages in Non-Standard Locations: --with-openssl=PATH path to OpenSSL install root @@ -72,6 +73,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... Optional Packages in Non-Standard Locations: --with-geoip=PATH path to the libGeoIP install root + --with-krb5=PATH path to krb5 install root --with-perftools=PATH path to Google Perftools install root --with-jemalloc=PATH path to jemalloc install root --with-python-lib=PATH path to libpython @@ -226,6 +228,9 @@ while [ $# -ne 0 ]; do --disable-python) append_cache_entry DISABLE_PYTHON_BINDINGS BOOL true ;; + --disable-broker-tests) + append_cache_entry BROKER_DISABLE_TESTS BOOL true + ;; --with-openssl=*) append_cache_entry OPENSSL_ROOT_DIR PATH $optarg ;; @@ -250,6 +255,9 @@ while [ $# -ne 0 ]; do --with-geoip=*) append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg ;; + --with-krb5=*) + append_cache_entry LibKrb5_ROOT_DIR PATH $optarg + ;; --with-perftools=*) append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg ;; diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 2563375dcc..0edf2429ab 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -4,8 +4,6 @@ set(BROXYGEN_SCRIPT_OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/broxygen_script_output) set(BROXYGEN_CACHE_DIR ${CMAKE_CURRENT_BINARY_DIR}/broxygen_cache) set(BROCCOLI_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html) set(BROCCOLI_DOCS_DST ${CMAKE_BINARY_DIR}/html/broccoli-api) -set(BROKER_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broker/doc/html) -set(BROKER_DOCS_DST ${CMAKE_BINARY_DIR}/html/broker-manual) # Find out what BROPATH to use when executing bro. execute_process(COMMAND ${CMAKE_BINARY_DIR}/bro-path-dev 
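Review bot: The help line added in the first configure hunk has a typo: `--disable-broker-tests don'e try to build Broker unit tests` should read `--disable-broker-tests don't try to build Broker unit tests`. The option parsing added in the third hunk matches the help text, so only the usage string needs the fix.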
@@ -63,9 +61,6 @@ add_custom_target(sphinxdoc COMMAND "${CMAKE_COMMAND}" -E create_symlink ${SPHINX_OUTPUT_DIR}/html ${CMAKE_BINARY_DIR}/html - # Copy Broker manual into output dir. - COMMAND rm -rf ${BROKER_DOCS_DST} && - cp -r ${BROKER_DOCS_SRC} ${BROKER_DOCS_DST} WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} COMMENT "[Sphinx] Generate HTML documentation in ${CMAKE_BINARY_DIR}/html") diff --git a/doc/conf.py.in b/doc/conf.py.in index ef9367483a..f7243b4527 100644 --- a/doc/conf.py.in +++ b/doc/conf.py.in @@ -195,8 +195,6 @@ html_sidebars = { # Output file base name for HTML help builder. htmlhelp_basename = 'Broxygen' -html_add_permalinks = None - # -- Options for LaTeX output -------------------------------------------------- # The paper size ('letter' or 'a4'). diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst index 807ce9a07a..6943a0a698 100644 --- a/doc/frameworks/broker.rst +++ b/doc/frameworks/broker.rst @@ -50,6 +50,13 @@ General Porting Tips - The ``&synchronized`` and ``&persistent`` attributes are deprecated, consider using `Data Stores`_ instead. +- Usages of the old communications system features are all deprecated, + however, they also do not work in the default Bro configuration unless + you manually take action to set up the old communication system. + To aid in porting, such usages will default to raising a fatal error + unless you explicitly acknowledge that such usages of the old system + are ok. Set the :bro:see:`old_comm_usage_is_ok`` flag in this case. + - Instead of using e.g. ``Cluster::manager2worker_events`` (and all permutations for every node type), what you'd now use is either :bro:see:`Broker::publish` or :bro:see:`Broker::auto_publish` with diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index 34388e9958..44dcbbdfb8 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst 
@@ -91,6 +91,10 @@ Here is a more detailed description of each type: type, but a unary plus or minus applied to a "count" results in an "int". + In addition, "count" types support bitwise operations. You can use + ``&``, ``|``, and ``^`` for bitwise ``and'', ``or'', and ``xor''. You + can also use ``~`` for bitwise (one's) complement. + .. bro:type:: double A numeric type representing a double-precision floating-point @@ -233,6 +237,14 @@ Here is a more detailed description of each type: is false since "oob" does not appear at the start of "foobar". The ``!in`` operator would yield the negation of ``in``. + Finally, you can create a disjunction (either-or) of two literal patterns + using the ``|`` operator. For example:: + + /foo/ | /bar/ in "foobar" + + yields true, like in the similar example above. (This does not presently + work for variables whose values are patterns, however.) + .. bro:type:: port A type representing transport-level port numbers (besides TCP and @@ -585,6 +597,9 @@ Here is a more detailed description of each type: The resulting vector of bool is the logical "and" (or logical "or") of each element of the operand vectors. + Vectors of type ``count`` can also be operands for the bitwise and/or/xor + operators, ``&``, ``|`` and ``^``. + See the :bro:keyword:`for` statement for info on how to iterate over the elements in a vector. diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro index 35ad9c3c61..3dcfddec79 100644 --- a/scripts/base/files/pe/consts.bro +++ b/scripts/base/files/pe/consts.bro @@ -65,7 +65,7 @@ export { [9] = "WINDOWS_CE_GUI", [10] = "EFI_APPLICATION", [11] = "EFI_BOOT_SERVICE_DRIVER", - [12] = "EFI_RUNTIME_
DRIVER", + [12] = "EFI_RUNTIME_DRIVER", [13] = "EFI_ROM", [14] = "XBOX" } &default=function(i: count):string { return fmt("unknown-%d", i); }; diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index 451d4cf86b..23a701c3ef 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -14,7 +14,7 @@ export { ## Default address on which to listen. ## ## .. bro:see:: Broker::listen - const default_listen_address = "" &redef; + const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef; ## Default interval to retry connecting to a peer if it cannot be made to work ## initially, or if it ever becomes disconnected. @@ -51,6 +51,16 @@ export { ## all peers. const ssl_keyfile = "" &redef; + ## Max number of threads to use for Broker/CAF functionality. + ## Using zero will cause this to be automatically determined + ## based on number of available CPUs. + const max_threads = 0 &redef; + + ## Max number of microseconds for under-utilized Broker/CAF + ## threads to sleep. Using zero will cause this to be automatically + ## determined or just use CAF's default setting. + const max_sleep = 0 &redef; + ## Forward all received messages to subscribing peers. const forward_messages = F &redef; diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro index a06d66bc0c..63ddbdd8b0 100644 --- a/scripts/base/frameworks/cluster/setup-connections.bro +++ b/scripts/base/frameworks/cluster/setup-connections.bro @@ -44,6 +44,9 @@ function connect_peers_with_type(node_type: NodeType) event bro_init() &priority=-10 { + if ( getenv("BROCTL_CHECK_CONFIG") != "" ) + return; + local self = nodes[node]; for ( i in registered_pools ) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d5bb8f2be9..c502607cbd 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
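Review bot: The `##` doc comment above the changed `default_listen_address` line still says only "Default address on which to listen." while the value is now taken from the `BRO_DEFAULT_LISTEN_ADDRESS` environment variable; the script reference is the place an operator looks when a node unexpectedly binds a different interface, so the comment should say `## Defaults to the value of the BRO_DEFAULT_LISTEN_ADDRESS environment variable (empty when unset).` Whether `getenv` yields an empty string for an unset variable is not visible in this diff, so the fallback wording should be confirmed against the BIF before it is written down. The same applies to the undocumented `BROCTL_CHECK_CONFIG` early return added in the setup-connections.bro hunk, which deserves a one-line comment naming who sets that variable.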
@@ -1,4 +1,4 @@ -@load base/bif/const.bif.bro +@load base/bif/const.bif @load base/bif/types.bif # Type declarations @@ -1797,9 +1797,11 @@ type gtp_delete_pdp_ctx_response_elements: record { }; # Prototypes of Bro built-in functions. -@load base/bif/strings.bif @load base/bif/bro.bif +@load base/bif/stats.bif @load base/bif/reporter.bif +@load base/bif/strings.bif +@load base/bif/option.bif ## Deprecated. This is superseded by the new logging framework. global log_file_name: function(tag: string): string &redef; @@ -4245,6 +4247,8 @@ export { module KRB; export { + ## Kerberos keytab file name. Used to decrypt tickets encountered on the wire. + const keytab = "" &redef; ## KDC Options. See :rfc:`4120` type KRB::KDC_Options: record { ## The ticket to be issued should have its forwardable flag set. @@ -4367,6 +4371,8 @@ export { cipher : count; ## Cipher text of the ticket ciphertext : string &optional; + ## Authentication info + authenticationinfo: string &optional; }; type KRB::Ticket_Vector: vector of KRB::Ticket; @@ -4806,6 +4812,12 @@ export { const max_frag_data = 30000 &redef; } +module NCP; +export { + ## The maximum number of bytes to allocate when parsing NCP frames. + const max_frame_size = 65536 &redef; +} + module Cluster; export { type Cluster::Pool: record {}; 
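Review bot: The `KRB::keytab` doc comment added in the hunk at 4245 says what the file is for but not how it is handled: a keytab holds long-term service keys, so the comment should state that the Bro process reads the file, that read access should be restricted to the user Bro runs as, and what happens when it is left empty (presumably no decryption is attempted; the C++ side is not in this diff). Something like `## Keytab used to decrypt tickets seen on the wire. It holds long-term keys, so restrict read access to the Bro user; decryption is skipped when empty.` The `authenticationinfo` field added in the hunk at 4367 is documented only as `## Authentication info`; say what the string contains and that it is only set when the ticket could be decrypted with the configured keytab, if that is indeed the case.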
@@ -4823,16 +4835,9 @@ const global_hash_seed: string = "" &redef; ## The maximum is currently 128 bits. const bits_per_uid: count = 96 &redef; -# Load these frameworks here because they use fairly deep integration with -# BiFs and script-land defined types. -@load base/frameworks/logging -@load base/frameworks/broker -@load base/frameworks/input -@load base/frameworks/analyzer -@load base/frameworks/files - -@load base/bif - -# Load BiFs defined by plugins. -@load base/bif/plugins - +## Whether usage of the old communication system is considered an error or +## not. The default Bro configuration no longer works with the non-Broker +## communication system unless you have manually taken action to initialize +## and set up the old comm. system. Deprecation warnings are still emitted +## when setting this flag, but they will not result in a fatal error. +const old_comm_usage_is_ok: bool = F &redef; diff --git a/scripts/base/init-frameworks-and-bifs.bro b/scripts/base/init-frameworks-and-bifs.bro new file mode 100644 index 0000000000..f772e2d223 --- /dev/null +++ b/scripts/base/init-frameworks-and-bifs.bro @@ -0,0 +1,15 @@ +# Load these frameworks here because they use fairly deep integration with +# BiFs and script-land defined types. They are also more likely to +# make use of calling BIFs for variable initializations, and that +# can't be done until init-bare.bro has been loaded completely (hence +# the separate file). +@load base/frameworks/logging +@load base/frameworks/broker +@load base/frameworks/input +@load base/frameworks/analyzer +@load base/frameworks/files + +@load base/bif + +# Load BiFs defined by plugins. +@load base/bif/plugins diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index c806a017e0..0e9661dea3 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro 
@@ -95,9 +95,12 @@ export {
 ##
 ## If the event comes from the originator, the letter is in
 ## upper-case; if it comes from the responder, it's in
- ## lower-case. Multiple packets of the same type will only be
- ## noted once (e.g. we only record one "d" in each direction,
- ## regardless of how many data packets were seen.)
+ ## lower-case. The 'a', 'c', 'd', 'i', 'q', and 't' flags are
+ ## recorded a maximum of one time in either direction regardless
+ ## of how many are actually seen. However, 'f', 'h', 'r', or
+ ## 's' may be recorded multiple times for either direction and
+ ## only compressed when sharing a sequence number with the
+ ## last-seen packet of the same flag type.
 history: string &log &optional;
 ## Number of packets that the originator sent.
 ## Only set if :bro:id:`use_conn_size_analyzer` = T.
diff --git a/scripts/base/protocols/smb/const-nt-status.bro b/scripts/base/protocols/smb/const-nt-status.bro
index 8804522ed9..f985e72a3b 100644
--- a/scripts/base/protocols/smb/const-nt-status.bro
+++ b/scripts/base/protocols/smb/const-nt-status.bro
@@ -64,8 +64,8 @@ redef SMB::statuses += { [0x40000007] = [$id="BAD_CURRENT_DIRECTORY", $desc="{Invalid Current Directory} The process cannot switch to the startup current directory %hs. Select OK to set the current directory to %hs, or select CANCEL to exit."], [0x40000008] = [$id="SERIAL_MORE_WRITES", $desc="{Serial IOCTL Complete} A serial I/O operation was completed by another write to a serial port. (The IOCTL_SERIAL_XOFF_COUNTER reached zero.)"], [0x40000009] = [$id="REGISTRY_RECOVERED", $desc="{Registry Recovery} One of the files that contains the system registry data had to be recovered by using a log or alternate copy. The recovery was successful."], - [0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], - [0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], + [0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], + [0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. 
This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], [0x4000000C] = [$id="SERIAL_COUNTER_TIMEOUT", $desc="{Serial IOCTL Timeout} A serial I/O operation completed because the time-out period expired. (The IOCTL_SERIAL_XOFF_COUNTER had not reached zero.)"], [0x4000000D] = [$id="NULL_LM_PASSWORD", $desc="{Password Too Complex} The Windows password is too complex to be converted to a LAN Manager password. The LAN Manager password that returned is a NULL string."], [0x4000000E] = [$id="IMAGE_MACHINE_TYPE_MISMATCH", $desc="{Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine. Select OK to continue, or CANCEL to fail the DLL load."], 
@@ -494,7 +494,7 @@ redef SMB::statuses += { [0xC0000131] = [$id="INVALID_IMAGE_WIN_16", $desc="The specified image file did not have the correct format: it appears to be a 16-bit Windows image."], [0xC0000132] = [$id="LOGON_SERVER_CONFLICT", $desc="The Netlogon service cannot start because another Netlogon service running in the domain conflicts with the specified role."], [0xC0000133] = [$id="TIME_DIFFERENCE_AT_DC", $desc="The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount."], - [0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."], + [0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."], [0xC0000135] = [$id="DLL_NOT_FOUND", $desc="{Unable To Locate Component} This application has failed to start because %hs was not found. Reinstalling the application may fix this problem."], [0xC0000136] = [$id="OPEN_FAILED", $desc="The NtCreateFile API failed. This error should never be returned to an application; it is a place holder for the Windows LAN Manager Redirector to use in its internal error-mapping routines."], [0xC0000137] = [$id="IO_PRIVILEGE_FAILED", $desc="{Privilege Failed} The I/O permissions for the process could not be changed."], 
@@ -536,7 +536,7 @@ redef SMB::statuses += { [0xC000015B] = [$id="LOGON_TYPE_NOT_GRANTED", $desc="A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network."], [0xC000015C] = [$id="NOT_REGISTRY_FILE", $desc="The system has attempted to load or restore a file into the registry, and the specified file is not in the format of a registry file."], [0xC000015D] = [$id="NT_CROSS_ENCRYPTION_REQUIRED", $desc="An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password."], - [0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."], + [0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."], [0xC000015F] = [$id="FT_MISSING_MEMBER", $desc="An attempt was made to explicitly access the secondary copy of information via a device control to the fault tolerance driver and the secondary copy is not present in the system."], [0xC0000160] = [$id="ILL_FORMED_SERVICE_ENTRY", $desc="A configuration registry node that represents a driver service entry was ill-formed and did not contain the required value entries."], [0xC0000161] = [$id="ILLEGAL_CHARACTER", $desc="An illegal character was encountered. For a multibyte character set, this includes a lead byte without a succeeding trail byte. For the Unicode character set this includes the characters 0xFFFF and 0xFFFE."], 
@@ -577,7 +577,7 @@ redef SMB::statuses += { [0xC0000188] = [$id="LOG_FILE_FULL", $desc="The log file space is insufficient to support this operation."], [0xC0000189] = [$id="TOO_LATE", $desc="A write operation was attempted to a volume after it was dismounted."], [0xC000018A] = [$id="NO_TRUST_LSA_SECRET", $desc="The workstation does not have a trust secret for the primary domain in the local LSA database."], - [0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."], + [0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."], [0xC000018C] = [$id="TRUSTED_DOMAIN_FAILURE", $desc="The logon request failed because the trust relationship between the primary domain and the trusted domain failed."], [0xC000018D] = [$id="TRUSTED_RELATIONSHIP_FAILURE", $desc="The logon request failed because the trust relationship between this workstation and the primary domain failed."], [0xC000018E] = [$id="EVENTLOG_FILE_CORRUPT", $desc="The Eventlog log file is corrupt."], 
@@ -833,18 +833,18 @@ redef SMB::statuses += { [0xC00002FD] = [$id="KDC_UNKNOWN_ETYPE", $desc="The encryption type requested is not supported by the KDC."], [0xC00002FE] = [$id="SHUTDOWN_IN_PROGRESS", $desc="A system shutdown is in progress."], [0xC00002FF] = [$id="SERVER_SHUTDOWN_IN_PROGRESS", $desc="The server machine is shutting down."], - [0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."], + [0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."], [0xC0000301] = [$id="WMI_GUID_DISCONNECTED", $desc="The WMI GUID is no longer available."], [0xC0000302] = [$id="WMI_ALREADY_DISABLED", $desc="Collection or events for the WMI GUID is already disabled."], [0xC0000303] = [$id="WMI_ALREADY_ENABLED", $desc="Collection or events for the WMI GUID is already enabled."], [0xC0000304] = [$id="MFT_TOO_FRAGMENTED", $desc="The master file table on the volume is too fragmented to complete this operation."], [0xC0000305] = [$id="COPY_PROTECTION_FAILURE", $desc="Copy protection failure."], - [0xC0000306] = [$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection error—DVD CSS Authentication failed."], - [0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection error—The specified sector does not contain a valid key."], - [0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection error—DVD session key not established."], - [0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection error—The read failed because the sector is encrypted."], - [0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection error—The region of the specified DVD does not correspond to the region setting of the drive."], - [0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection error—The region setting of the drive may be permanent."], + [0xC0000306] = 
[$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection error-DVD CSS Authentication failed."], + [0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection error-The specified sector does not contain a valid key."], + [0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection error-DVD session key not established."], + [0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection error-The read failed because the sector is encrypted."], + [0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection error-The region of the specified DVD does not correspond to the region setting of the drive."], + [0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection error-The region setting of the drive may be permanent."], [0xC0000320] = [$id="PKINIT_FAILURE", $desc="The Kerberos protocol encountered an error while validating the KDC certificate during smart card logon. There is more information in the system event log."], [0xC0000321] = [$id="SMARTCARD_SUBSYSTEM_FAILURE", $desc="The Kerberos protocol encountered an error while attempting to use the smart card subsystem."], [0xC0000322] = [$id="NO_KERB_KEY", $desc="The target server does not have acceptable Kerberos credentials."], 
@@ -855,7 +855,7 @@ redef SMB::statuses += { [0xC0000354] = [$id="DEBUGGER_INACTIVE", $desc="An attempt to do an operation on a debug port failed because the port is in the process of being deleted."], [0xC0000355] = [$id="DS_VERSION_CHECK_FAILURE", $desc="This version of Windows is not compatible with the behavior version of the directory forest, domain, or domain controller."], [0xC0000356] = [$id="AUDITING_DISABLED", $desc="The specified event is currently not being audited."], - [0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."], + [0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."], [0xC0000358] = [$id="DS_AG_CANT_HAVE_UNIVERSAL_MEMBER", $desc="An account group cannot have a universal group as a member."], [0xC0000359] = [$id="INVALID_IMAGE_WIN_32", $desc="The specified image file did not have the correct format; it appears to be a 32-bit Windows image."], [0xC000035A] = [$id="INVALID_IMAGE_WIN_64", $desc="The specified image file did not have the correct format; it appears to be a 64-bit Windows image."], @@ -1790,4 +1790,4 @@ redef SMB::statuses += { [0xC03A0017] = [$id="VHD_CHILD_PARENT_SIZE_MISMATCH", $desc="The chain of virtual hard disks is corrupted. There is a mismatch in the virtual sizes of the parent virtual hard disk and differencing disk."], [0xC03A0018] = [$id="VHD_DIFFERENCING_CHAIN_CYCLE_DETECTED", $desc="The chain of virtual hard disks is corrupted. A differencing disk is indicated in its own parent chain."], [0xC03A0019] = [$id="VHD_DIFFERENCING_CHAIN_ERROR_IN_PARENT", $desc="The chain of virtual hard disks is inaccessible. There was an error opening a virtual hard disk further up the chain."], -}; \ No newline at end of file +}; diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/policy/protocols/smb/main.bro index f94db17f38..51aab775c0 100644 
--- a/scripts/policy/protocols/smb/main.bro +++ b/scripts/policy/protocols/smb/main.bro @@ -18,6 +18,7 @@ export { FILE_CLOSE, FILE_DELETE, FILE_RENAME, + FILE_SET_ATTRIBUTE, PIPE_READ, PIPE_WRITE, diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 3257df72e1..2411502815 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro @@ -239,6 +239,26 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, SMB::write_file_log(c$smb_state); } +event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5 + { + SMB::write_file_log(c$smb_state); + } + +event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5 + { + SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); + + switch ( c$smb_state$current_tree$share_type ) + { + case "DISK": + c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE; + break; + default: + c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE; + break; + } + } + event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5 { SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index a89a5e5b19..f4d1646ae8 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro 
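Review bot: In the `&priority=5` handler for `smb2_file_sattr`, the `switch ( c$smb_state$current_tree$share_type )` has a `"DISK"` arm and a `default` arm that assign the identical value, so the switch is dead weight; the whole statement can be replaced by `c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE;`. If the intent is to treat non-disk shares differently later, a comment saying so would justify keeping the structure, but as written it only suggests a distinction that does not exist. The `&priority=-5` handler above it is fine.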
@@ -180,6 +180,8 @@ hook ssl_finishing(c: connection) &priority=19 { if ( i == 0 ) # end-host-cert next; + if ( ! c$ssl$cert_chain[i]?$x509 || ! c$ssl$cert_chain[i]$x509?$handle ) + next; issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4); valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); diff --git a/src/3rdparty b/src/3rdparty index 6511cd6e45..c78abc8454 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 6511cd6e45811af0904947a36e565dcb9eee61dd +Subproject commit c78abc8454932019f030045340348560a8ac9b23 diff --git a/src/Brofiler.cc b/src/Brofiler.cc index e7d8c8fdeb..a31ec469f0 100644 --- a/src/Brofiler.cc +++ b/src/Brofiler.cc @@ -50,10 +50,18 @@ bool Brofiler::WriteStats() char* bf = getenv("BRO_PROFILER_FILE"); if ( ! bf ) return false; - FILE* f; - const char* p = strstr(bf, ".XXXXXX"); + SafeDirname dirname{bf}; - if ( p && ! p[7] ) + if ( ! ensure_intermediate_dirs(dirname.result.data()) ) + { + reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf); + return false; + } + + FILE* f; + const char* p = strstr(bf, "XXXXXX"); + + if ( p && ! p[6] ) { mode_t old_umask = umask(S_IXUSR | S_IRWXO | S_IRWXG); int fd = mkstemp(bf); diff --git a/src/Expr.cc b/src/Expr.cc index 1a4ab25661..1ab82853c3 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -21,8 +21,10 @@ const char* expr_name(BroExprTag t) static const char* expr_names[int(NUM_EXPRS)] = { "name", "const", "(*)", - "++", "--", "!", "+", "-", - "+", "-", "+=", "-=", "*", "/", "%", "&&", "||", + "++", "--", "!", "~", "+", "-", + "+", "-", "+=", "-=", "*", "/", "%", + "&", "|", "^", + "&&", "||", "<", "<=", "==", "!=", ">=", ">", "?:", "ref", "=", "~", "[]", "$", "?$", "[=]", "table()", "set()", "vector()", 
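Review bot: In the Brofiler.cc hunk, `strstr(bf, "XXXXXX")` returns the first occurrence, so a BRO_PROFILER_FILE whose directory component contains `XXXXXX` (more plausible now that intermediate directories are created from the same string) leaves `p[6]` non-NUL and the path silently falls out of the `mkstemp` branch. Check the suffix instead: `size_t n = strlen(bf); if ( n >= 6 && strcmp(bf + n - 6, "XXXXXX") == 0 )`. Separately, the new `reporter->Error` text says the destination could not be opened when what failed is `ensure_intermediate_dirs`; `"Failed to create directory for BRO_PROFILER_FILE '%s'"` would name the actual cause. WriteStats continues past the end of the hunk.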
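Review bot: In the `expr_names` hunk of Expr.cc, the unary `"~"` added for EXPR_COMPLEMENT duplicates the `"~"` already present further down the table, so `expr_name()` now returns identical text for two different tags and its output in error messages and debugging becomes ambiguous. Because the table is indexed positionally by BroExprTag, a distinct label such as `"~ (complement)"` for the new entry, or at least a trailing `// EXPR_COMPLEMENT` comment on it, would keep the mapping readable; the table runs past the end of the hunk.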
@@ -702,6 +704,12 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const else \ Internal("bad type in BinaryExpr::Fold"); +#define DO_UINT_FOLD(op) \ + if ( is_unsigned ) \ + u3 = u1 op u2; \ + else \ + Internal("bad type in BinaryExpr::Fold"); + #define DO_FOLD(op) \ if ( is_integral ) \ i3 = i1 op i2; \ @@ -775,8 +783,12 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const break; - case EXPR_AND: DO_INT_FOLD(&&); break; - case EXPR_OR: DO_INT_FOLD(||); break; + case EXPR_AND: DO_UINT_FOLD(&); break; + case EXPR_OR: DO_UINT_FOLD(|); break; + case EXPR_XOR: DO_UINT_FOLD(^); break; + + case EXPR_AND_AND: DO_INT_FOLD(&&); break; + case EXPR_OR_OR: DO_INT_FOLD(||); break; case EXPR_LT: DO_INT_VAL_FOLD(<); break; case EXPR_LE: DO_INT_VAL_FOLD(<=); break; @@ -1077,6 +1089,39 @@ bool IncrExpr::DoUnserialize(UnserialInfo* info) return true; } +ComplementExpr::ComplementExpr(Expr* arg_op) : UnaryExpr(EXPR_COMPLEMENT, arg_op) + { + if ( IsError() ) + return; + + BroType* t = op->Type(); + TypeTag bt = t->Tag(); + + if ( bt != TYPE_COUNT ) + ExprError("requires \"count\" operand"); + else + SetType(base_type(TYPE_COUNT)); + } + +Val* ComplementExpr::Fold(Val* v) const + { + return new Val(~ v->InternalUnsigned(), type->Tag()); + } + +IMPLEMENT_SERIAL(ComplementExpr, SER_COMPLEMENT_EXPR); + +bool ComplementExpr::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_COMPLEMENT_EXPR, UnaryExpr); + return true; + } + +bool ComplementExpr::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(UnaryExpr); + return true; + } + NotExpr::NotExpr(Expr* arg_op) : UnaryExpr(EXPR_NOT, arg_op) { if ( IsError() ) 
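Review bot: ComplementExpr's constructor accepts only a scalar `TYPE_COUNT` operand, whereas the BitExpr constructor added in the same commit (L25) also admits `TYPE_COUNTER` and vector-of-count operands, so `~v` fails to type-check on exactly the values `v & mask` accepts. Either align the two (accept counter and vectors here as BitExpr does, which would also need a vector-aware `Fold`) or state the narrower contract in a comment above the constructor, e.g. `// Unlike BitExpr, complement is deliberately limited to scalar "count" operands.`. The error wording `requires "count" operand` should then be kept in step with BitExpr's `requires "count" operands`.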
@@ -1670,14 +1715,14 @@ Val* BoolExpr::DoSingleEval(Frame* f, Val* v1, Expr* op2) const RE_Matcher* re1 = v1->AsPattern(); RE_Matcher* re2 = v2->AsPattern(); - RE_Matcher* res = tag == EXPR_AND ? + RE_Matcher* res = tag == EXPR_AND_AND ? RE_Matcher_conjunction(re1, re2) : RE_Matcher_disjunction(re1, re2); return new PatternVal(res); } - if ( tag == EXPR_AND ) + if ( tag == EXPR_AND_AND ) { if ( v1->IsZero() ) return v1; @@ -1741,8 +1786,8 @@ Val* BoolExpr::Eval(Frame* f) const VectorVal* result = 0; - // It's either and EXPR_AND or an EXPR_OR. - bool is_and = (tag == EXPR_AND); + // It's either and EXPR_AND_AND or an EXPR_OR_OR. + bool is_and = (tag == EXPR_AND_AND); if ( scalar_v->IsZero() == is_and ) { @@ -1783,7 +1828,7 @@ Val* BoolExpr::Eval(Frame* f) const Val* op2 = vec_v2->Lookup(i); if ( op1 && op2 ) { - bool local_result = (tag == EXPR_AND) ? + bool local_result = (tag == EXPR_AND_AND) ? (! op1->IsZero() && ! op2->IsZero()) : (! op1->IsZero() || ! op2->IsZero()); 
@@ -1813,6 +1858,49 @@ bool BoolExpr::DoUnserialize(UnserialInfo* info) return true; } +BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) +: BinaryExpr(arg_tag, arg_op1, arg_op2) + { + if ( IsError() ) + return; + + TypeTag bt1 = op1->Type()->Tag(); + if ( IsVector(bt1) ) + bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + + TypeTag bt2 = op2->Type()->Tag(); + if ( IsVector(bt2) ) + bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + + if ( (bt1 == TYPE_COUNT || bt1 == TYPE_COUNTER) && + (bt2 == TYPE_COUNT || bt2 == TYPE_COUNTER) ) + { + if ( bt1 == TYPE_COUNTER && bt2 == TYPE_COUNTER ) + ExprError("cannot apply a bitwise operator to two \"counter\" operands"); + else if ( is_vector(op1) || is_vector(op2) ) + SetType(new VectorType(base_type(TYPE_COUNT))); + else + SetType(base_type(TYPE_COUNT)); + } + + else + ExprError("requires \"count\" operands"); + } + +IMPLEMENT_SERIAL(BitExpr, SER_BIT_EXPR); + +bool BitExpr::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_BIT_EXPR, BinaryExpr); + return true; + } + +bool BitExpr::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(BinaryExpr); + return true; + } + EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) : BinaryExpr(arg_tag, arg_op1, arg_op2) { diff --git a/src/Expr.h b/src/Expr.h index 9acc546b31..9fc9aa15ed 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -17,10 +17,13 @@ typedef enum { EXPR_ANY = -1, EXPR_NAME, EXPR_CONST, EXPR_CLONE, - EXPR_INCR, EXPR_DECR, EXPR_NOT, EXPR_POSITIVE, EXPR_NEGATE, + EXPR_INCR, EXPR_DECR, + EXPR_NOT, EXPR_COMPLEMENT, + EXPR_POSITIVE, EXPR_NEGATE, EXPR_ADD, EXPR_SUB, EXPR_ADD_TO, EXPR_REMOVE_FROM, EXPR_TIMES, EXPR_DIVIDE, EXPR_MOD, - EXPR_AND, EXPR_OR, + EXPR_AND, EXPR_OR, EXPR_XOR, + EXPR_AND_AND, EXPR_OR_OR, EXPR_LT, EXPR_LE, EXPR_EQ, EXPR_NE, EXPR_GE, EXPR_GT, EXPR_COND, EXPR_REF, 
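Review bot: The Expr.h enum hunk keeps the identifiers `EXPR_AND` and `EXPR_OR` but changes their meaning from logical to bitwise (see `case EXPR_AND: DO_UINT_FOLD(&)` at L23), moving the logical operators to the new `EXPR_AND_AND`/`EXPR_OR_OR`; any `tag == EXPR_AND` comparison the diff did not touch now silently selects the bitwise operator and still compiles. The BoolExpr sites in Expr.cc (L24) were updated, but this diff shows none of the other consumers of those tags (parser actions, serialization, other BinaryExpr subclasses). Naming the bitwise tags `EXPR_BIT_AND`/`EXPR_BIT_OR`/`EXPR_BIT_XOR` and retiring the old identifiers would turn every stale use into a compile error instead of a behavioural change.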
@@ -379,6 +382,19 @@ protected: DECLARE_SERIAL(IncrExpr); }; +class ComplementExpr : public UnaryExpr { +public: + explicit ComplementExpr(Expr* op); + +protected: + friend class Expr; + ComplementExpr() { } + + Val* Fold(Val* v) const override; + + DECLARE_SERIAL(ComplementExpr); +}; + class NotExpr : public UnaryExpr { public: explicit NotExpr(Expr* op); @@ -532,6 +548,17 @@ protected: DECLARE_SERIAL(BoolExpr); }; +class BitExpr : public BinaryExpr { +public: + BitExpr(BroExprTag tag, Expr* op1, Expr* op2); + +protected: + friend class Expr; + BitExpr() { } + + DECLARE_SERIAL(BitExpr); +}; + class EqExpr : public BinaryExpr { public: EqExpr(BroExprTag tag, Expr* op1, Expr* op2); diff --git a/src/NFA.cc b/src/NFA.cc index 43ec3d2a90..8fb78a7131 100644 --- a/src/NFA.cc +++ b/src/NFA.cc @@ -55,7 +55,10 @@ void NFA_State::AddXtionsTo(NFA_state_list* ns) NFA_State* NFA_State::DeepCopy() { if ( mark ) + { + Ref(mark); return mark; + } NFA_State* copy = ccl ? new NFA_State(ccl) : new NFA_State(sym, 0); SetMark(copy); diff --git a/src/Net.h b/src/Net.h index caea61c436..bdc84ec74f 100644 --- a/src/Net.h +++ b/src/Net.h @@ -83,6 +83,8 @@ extern iosource::PktDumper* pkt_dumper; // where to save packets extern char* writefile; +extern int old_comm_usage_count; + // Script file we have already scanned (or are in the process of scanning). // They are identified by inode number. struct ScannedFile { diff --git a/src/SerialObj.h b/src/SerialObj.h index 77dc28aefd..b502414f71 100644 --- a/src/SerialObj.h +++ b/src/SerialObj.h @@ -3,7 +3,7 @@ // How to make objects of class Foo serializable: // // 1. Derive Foo (directly or indirectly) from SerialObj. -// 2. Add a SER_FOO constant to SerialTypes below. +// 2. Add a SER_FOO constant to SerialTypes in SerialTypes.h. // 3. Add DECLARE_SERIAL(Foo) into class definition. // 4. Add a (preferably protected) default ctor if it doesn't already exist. // 5. For non-abstract classes, add IMPLEMENT_SERIAL(Foo, SER_FOO) to *.cc 
diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 44c8b91f00..029048a80f 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -164,6 +164,8 @@ SERIAL_EXPR(TABLE_COERCE_EXPR, 43) SERIAL_EXPR(VECTOR_COERCE_EXPR, 44) SERIAL_EXPR(CAST_EXPR, 45) SERIAL_EXPR(IS_EXPR_, 46) // Name conflict with internal SER_IS_EXPR constant. +SERIAL_EXPR(BIT_EXPR, 47) +SERIAL_EXPR(COMPLEMENT_EXPR, 48) #define SERIAL_STMT(name, val) SERIAL_CONST(name, val, STMT) SERIAL_STMT(STMT, 1) diff --git a/src/Serializer.cc b/src/Serializer.cc index b759334b4d..0366c36c81 100644 --- a/src/Serializer.cc +++ b/src/Serializer.cc @@ -1017,7 +1017,7 @@ double EventPlayer::NextTimestamp(double* local_network_time) return ne_time; if ( ! io ) - return 0; + return -1; // Read next event if we don't have one waiting. if ( ! ne_time ) @@ -1028,7 +1028,7 @@ double EventPlayer::NextTimestamp(double* local_network_time) } if ( ! ne_time ) - return 0; + return -1; if ( ! network_time ) { diff --git a/src/Type.cc b/src/Type.cc index aa9388d64e..7ddca8f907 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -1185,7 +1185,14 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const if ( d->FindType(td->type) ) d->Add(""); else - td->DescribeReST(d); + { + if ( num_fields == 1 && streq(td->id, "va_args") && + td->type->Tag() == TYPE_ANY ) + // This was a BIF using variable argument list + d->Add("..."); + else + td->DescribeReST(d); + } if ( func_args ) continue; diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc index ba7dbd9ccd..4ee663dcf1 100644 --- a/src/analyzer/protocol/krb/KRB.cc +++ b/src/analyzer/protocol/krb/KRB.cc 
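Review bot: The new branch in RecordType::DescribeFieldsReST detects variadic BIFs by the literal field name `va_args`, type `any` and a single field, but nothing in the hunk says where that convention originates, so a comment tying the heuristic to its producer would help, e.g. `// A single 'va_args: any' field is how BIFs declared with '...' arrive here; render it as an ellipsis.` (adjust to the actual producer). Placing the comment between the `if` condition and its unbraced statement is also easy to misread; braces around the `d->Add("...")` would make the structure explicit.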
@@ -6,12 +6,52 @@ using namespace analyzer::krb; +bool KRB_Analyzer::krb_available = false; +#ifdef USE_KRB5 +krb5_context KRB_Analyzer::krb_context = nullptr; +krb5_keytab KRB_Analyzer::krb_keytab = nullptr; +std::once_flag KRB_Analyzer::krb_initialized; +#endif + KRB_Analyzer::KRB_Analyzer(Connection* conn) : Analyzer("KRB", conn) { interp = new binpac::KRB::KRB_Conn(this); +#ifdef USE_KRB5 + std::call_once(krb_initialized, Initialize_Krb); +#endif } +#ifdef USE_KRB5 +void KRB_Analyzer::Initialize_Krb() + { + if ( BifConst::KRB::keytab->Len() == 0 ) + return; // no keytab set + + const char* keytab_filename = BifConst::KRB::keytab->CheckString(); + if ( access(keytab_filename, R_OK) != 0 ) + { + reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename); + return; + } + + krb5_error_code retval = krb5_init_context(&krb_context); + if ( retval ) + { + reporter->Warning("KRB: Couldn't initialize the context (%s)", krb5_get_error_message(krb_context, retval)); + return; + } + + retval = krb5_kt_resolve(krb_context, keytab_filename, &krb_keytab); + if ( retval ) + { + reporter->Warning("KRB: Couldn't resolve keytab (%s)", krb5_get_error_message(krb_context, retval)); + return; + } + krb_available = true; + } +#endif + KRB_Analyzer::~KRB_Analyzer() { delete interp; 
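Review bot: In Initialize_Krb, both `reporter->Warning` calls pass the result of `krb5_get_error_message(...)` directly and never release it; libkrb5 returns an allocated string that must be handed back with `krb5_free_error_message(krb_context, msg)`, so each failure path leaks, and GetAuthenticationInfo at L29 repeats the pattern four times. The `access(keytab_filename, R_OK)` probe on a script-configured path is a check-then-use that only yields a friendlier warning, since `krb5_kt_resolve` and the later key lookup fail safely on an unreadable file; a comment such as `// Informational only: libkrb5 re-opens the keytab on each use.` would make clear it is not relied on for anything. When `krb5_kt_resolve` fails, `krb_context` is left initialised with `krb_available` false, which is correct, but `krb5_free_context(krb_context); krb_context = nullptr;` on that path would avoid keeping an unused context for the process lifetime.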
@@ -37,3 +77,60 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } } +StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) + { +#ifdef USE_KRB5 + if ( !krb_available ) + return nullptr; + + BroString delim("/"); + int pos = principal->FindSubstring(&delim); + if ( pos == -1 ) + { + reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); + return nullptr; + } + std::unique_ptr service = unique_ptr(principal->GetSubstring(0, pos)); + std::unique_ptr hostname = unique_ptr(principal->GetSubstring(pos + 1, -1)); + if ( !service || !hostname ) + { + reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); + return nullptr; + } + krb5_principal sprinc; + krb5_error_code retval = krb5_sname_to_principal(krb_context, hostname->CheckString(), service->CheckString(), KRB5_NT_SRV_HST, &sprinc); + if ( retval ) + { + reporter->Warning("KRB: Couldn't generate principal name (%s)", krb5_get_error_message(krb_context, retval)); + return nullptr; + } + + krb5_ticket tkt; + tkt.server = sprinc; + tkt.enc_part.enctype = enctype; + tkt.enc_part.ciphertext.data = reinterpret_cast(ciphertext->Bytes()); + tkt.enc_part.ciphertext.length = ciphertext->Len(); + + retval = krb5_server_decrypt_ticket_keytab(krb_context, krb_keytab, &tkt); + if ( retval ) + { + reporter->Warning("KRB: Couldn't decrypt ticket (%s)", krb5_get_error_message(krb_context, retval)); + return nullptr; + } + + char* cp; + retval = krb5_unparse_name(krb_context, tkt.enc_part2->client, &cp); + if ( retval ) + { + reporter->Warning("KRB: Couldn't unparse name (%s)", krb5_get_error_message(krb_context, retval)); + return nullptr; + } + StringVal* ret = new StringVal(cp); + + krb5_free_unparsed_name(krb_context, cp); + + return ret; +#else + return nullptr; +#endif + } 
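Review bot: In GetAuthenticationInfo, `krb5_ticket tkt;` is left uninitialised apart from `server`, `enc_part.enctype` and the ciphertext, yet `krb5_server_decrypt_ticket_keytab` selects the keytab entry from the ticket as a whole — in MIT krb5 that includes `enc_part.kvno` — so the key lookup is driven by stack garbage; `krb5_ticket tkt{};` fixes it. The function also leaks on every call that reaches the decrypt: `sprinc` from `krb5_sname_to_principal` is never passed to `krb5_free_principal`, and `tkt.enc_part2`, which a successful decrypt allocates, is never passed to `krb5_free_enc_tkt_part` (plus the `krb5_get_error_message` strings noted at L28). Because the host component comes straight from the captured ticket, building the principal with `KRB5_NT_SRV_HST` may, depending on the `dns_canonicalize_hostname` setting, make libkrb5 perform a blocking DNS canonicalisation of a wire-chosen name for every AP-REQ on the packet path; `KRB5_NT_UNKNOWN` skips canonicalisation and the ticket's server name should be usable as issued, so that is worth evaluating and documenting either way. The rendering has also stripped the template and cast arguments from the `std::unique_ptr`/`unique_ptr(...)` and `reinterpret_cast(...)` lines, so the types there cannot be checked from this page. The fence below restructures the tail of the function so that every path releases what it acquired.

```cpp
	krb5_principal sprinc = nullptr;
	// … unchanged: krb5_sname_to_principal call, warning and return on failure …

	// Zero-initialise: the decrypt routine consults more of the ticket than the
	// fields assigned below (enc_part.kvno selects the keytab entry) and fills in
	// enc_part2 on success, which this function then owns.
	krb5_ticket tkt{};
	tkt.server = sprinc;
	// … unchanged: enctype / ciphertext assignment …

	StringVal* ret = nullptr;
	retval = krb5_server_decrypt_ticket_keytab(krb_context, krb_keytab, &tkt);

	if ( retval )
		{
		const char* msg = krb5_get_error_message(krb_context, retval);
		reporter->Warning("KRB: Couldn't decrypt ticket (%s)", msg);
		krb5_free_error_message(krb_context, msg);
		}
	else
		{
		char* cp = nullptr;
		retval = krb5_unparse_name(krb_context, tkt.enc_part2->client, &cp);

		if ( retval )
			{
			const char* msg = krb5_get_error_message(krb_context, retval);
			reporter->Warning("KRB: Couldn't unparse name (%s)", msg);
			krb5_free_error_message(krb_context, msg);
			}
		else
			{
			ret = new StringVal(cp);
			krb5_free_unparsed_name(krb_context, cp);
			}

		krb5_free_enc_tkt_part(krb_context, tkt.enc_part2);
		}

	krb5_free_principal(krb_context, sprinc);
	return ret;
```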
diff --git a/src/analyzer/protocol/krb/KRB.h b/src/analyzer/protocol/krb/KRB.h index 99e0529ff1..7eee46d838 100644 --- a/src/analyzer/protocol/krb/KRB.h +++ b/src/analyzer/protocol/krb/KRB.h @@ -5,6 +5,10 @@ #include "krb_pac.h" +#ifdef USE_KRB5 +#include +#endif + namespace analyzer { namespace krb { class KRB_Analyzer : public analyzer::Analyzer { @@ -20,9 +24,20 @@ public: static analyzer::Analyzer* Instantiate(Connection* conn) { return new KRB_Analyzer(conn); } + StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype); + protected: binpac::KRB::KRB_Conn* interp; + +private: + static bool krb_available; +#ifdef USE_KRB5 + static std::once_flag krb_initialized; + static void Initialize_Krb(); + static krb5_context krb_context; + static krb5_keytab krb_keytab; +#endif }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/krb/KRB_TCP.h b/src/analyzer/protocol/krb/KRB_TCP.h index 0ce4d5f65d..f6c679be63 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.h +++ b/src/analyzer/protocol/krb/KRB_TCP.h @@ -22,6 +22,8 @@ public: // Overriden from tcp::TCP_ApplicationAnalyzer. void EndpointEOF(bool is_orig) override; + StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) { return new StringVal(""); } + static analyzer::Analyzer* Instantiate(Connection* conn) { return new KRB_Analyzer(conn); } diff --git a/src/analyzer/protocol/krb/krb-analyzer.pac b/src/analyzer/protocol/krb/krb-analyzer.pac index 6390fb8fd0..7c59a6a99e 100644 --- a/src/analyzer/protocol/krb/krb-analyzer.pac +++ b/src/analyzer/protocol/krb/krb-analyzer.pac 
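Review bot: The `GetAuthenticationInfo` stub added to KRB_TCP.h returns `new StringVal("")` rather than `nullptr`, so if krb-analyzer.pac (L31) is also compiled into the TCP analyzer, as the matching typedef changes in krb_TCP.pac suggest, its `if ( authenticationinfo )` guard passes and an empty string is stored in the ticket record on every TCP AP-REQ, while the UDP analyzer leaves the field unset when decryption is unavailable. Returning `nullptr` keeps the two analyzers consistent, and a comment such as `// Ticket decryption is only wired up for the UDP analyzer; see KRB.cc.` would explain why this variant is a stub. The unused `ciphertext` and `enctype` parameters can be left unnamed to avoid warnings.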
@@ -245,8 +245,12 @@ refine connection KRB_Conn += { rv->Assign(0, new Val(${msg.ap_options.use_session_key}, TYPE_BOOL)); rv->Assign(1, new Val(${msg.ap_options.mutual_required}, TYPE_BOOL)); + RecordVal* rvticket = proc_ticket(${msg.ticket}); + StringVal* authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount()); + if ( authenticationinfo ) + rvticket->Assign(5, authenticationinfo); BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(), - proc_ticket(${msg.ticket}), rv); + rvticket, rv); } return true; %} diff --git a/src/analyzer/protocol/krb/krb.pac b/src/analyzer/protocol/krb/krb.pac index 508fb78a7a..9a3b290ad1 100644 --- a/src/analyzer/protocol/krb/krb.pac +++ b/src/analyzer/protocol/krb/krb.pac @@ -4,14 +4,22 @@ %extern{ #include "types.bif.h" #include "events.bif.h" + +namespace analyzer { namespace krb { class KRB_Analyzer; } } +namespace binpac { namespace KRB { class KRB_Conn; } } +typedef analyzer::krb::KRB_Analyzer* KRBAnalyzer; + +#include "KRB.h" %} +extern type KRBAnalyzer; + analyzer KRB withcontext { connection: KRB_Conn; flow: KRB_Flow; }; -connection KRB_Conn(bro_analyzer: BroAnalyzer) { +connection KRB_Conn(bro_analyzer: KRBAnalyzer) { upflow = KRB_Flow(true); downflow = KRB_Flow(false); }; diff --git a/src/analyzer/protocol/krb/krb_TCP.pac b/src/analyzer/protocol/krb/krb_TCP.pac index 6748c5fcbb..6611a549e4 100644 --- a/src/analyzer/protocol/krb/krb_TCP.pac +++ b/src/analyzer/protocol/krb/krb_TCP.pac 
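Review bot: The AP-REQ hunk in krb-analyzer.pac reaches into the ticket record with bare indices — `rvticket->Lookup(2)`, `Lookup(4)`, `Lookup(3)` and `Assign(5, ...)` — and immediately dereferences the lookups with `->AsString()`/`->AsCount()`; if `proc_ticket` can leave any of those fields unset, `Lookup` returns a null pointer and this crashes on the packet path. A comment naming the fields, e.g. `// Ticket record indices: 2 = <service principal>, 3 = <enctype>, 4 = <ciphertext>, 5 = <decrypted client name>` (filled in from the record definition in types.bif), would make the coupling visible, and guarding with `if ( rvticket->Lookup(2) && rvticket->Lookup(3) && rvticket->Lookup(4) )` before the call is cheap.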
@@ -4,14 +4,22 @@ %extern{ #include "types.bif.h" #include "events.bif.h" + +namespace analyzer { namespace krb_tcp { class KRB_Analyzer; } } +namespace binpac { namespace KRB_TCP { class KRB_Conn; } } +typedef analyzer::krb_tcp::KRB_Analyzer* KRBTCPAnalyzer; + +#include "KRB_TCP.h" %} +extern type KRBTCPAnalyzer; + analyzer KRB_TCP withcontext { connection: KRB_Conn; flow: KRB_Flow; }; -connection KRB_Conn(bro_analyzer: BroAnalyzer) { +connection KRB_Conn(bro_analyzer: KRBTCPAnalyzer) { upflow = KRB_Flow(true); downflow = KRB_Flow(false); }; diff --git a/src/analyzer/protocol/krb/types.bif b/src/analyzer/protocol/krb/types.bif index 8393adbf3c..11a80781f8 100644 --- a/src/analyzer/protocol/krb/types.bif +++ b/src/analyzer/protocol/krb/types.bif @@ -1,5 +1,7 @@ module KRB; +const keytab: string; + type Error_Msg: record; type SAFE_Msg: record; diff --git a/src/analyzer/protocol/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt index bd06d4e426..1ec5cf2e67 100644 --- a/src/analyzer/protocol/ncp/CMakeLists.txt +++ b/src/analyzer/protocol/ncp/CMakeLists.txt @@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro NCP) bro_plugin_cc(NCP.cc Plugin.cc) -bro_plugin_bif(events.bif) +bro_plugin_bif(events.bif consts.bif) bro_plugin_pac(ncp.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index add7841908..e8672e7ebe 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -9,6 +9,7 @@ #include "NCP.h" #include "events.bif.h" +#include "consts.bif.h" using namespace std; using namespace analyzer::ncp; @@ -79,7 +80,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame) } } -FrameBuffer::FrameBuffer(int header_length) +FrameBuffer::FrameBuffer(size_t header_length) { hdr_len = header_length; msg_buf = 0; 
@@ -105,13 +106,12 @@ void FrameBuffer::Reset() msg_len = 0; } -// Returns true if we have a complete frame -bool FrameBuffer::Deliver(int &len, const u_char* &data) +int FrameBuffer::Deliver(int &len, const u_char* &data) { ASSERT(buf_len >= hdr_len); if ( len == 0 ) - return false; + return -1; if ( buf_n < hdr_len ) { @@ -123,13 +123,16 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data) } if ( buf_n < hdr_len ) - return false; + return -1; compute_msg_length(); if ( msg_len > buf_len ) { - buf_len = msg_len * 2; + if ( msg_len > BifConst::NCP::max_frame_size ) + return 1; + + buf_len = msg_len; u_char* new_buf = new u_char[buf_len]; memcpy(new_buf, msg_buf, buf_n); delete [] msg_buf; @@ -143,7 +146,13 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data) ++buf_n; ++data; --len; } - return buf_n >= msg_len; + if ( buf_n < msg_len ) + return -1; + + if ( buf_n == msg_len ) + return 0; + + return 1; } void NCP_FrameBuffer::compute_msg_length() @@ -159,11 +168,7 @@ Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Se { session = arg_session; resync = true; - - tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); - if ( tcp ) - resync = (orig ? tcp->OrigState() : tcp->RespState()) != - tcp::TCP_ENDPOINT_ESTABLISHED; + resync_set = false; } Contents_NCP_Analyzer::~Contents_NCP_Analyzer() 
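Review bot: In the `@@ -123` hunk of NCP.cc, `buf_len = msg_len;` copies a `uint64` into a `size_t`; the preceding `msg_len > BifConst::NCP::max_frame_size` guard only bounds it if the script-configurable `max_frame_size` is itself below `SIZE_MAX`, so on a 32-bit build a large tunable lets a wire-controlled length truncate, `new u_char[buf_len]` allocates less than `msg_len`, and the fill loop that follows appears to keep comparing against `msg_len`. Extend the guard to `if ( msg_len > BifConst::NCP::max_frame_size || msg_len > SIZE_MAX ) return 1;`. The growth policy also changed from `msg_len * 2` to exactly `msg_len`, which bounds memory more tightly but reallocates on every larger frame; a comment stating that trade-off was intended would help. FrameBuffer::Deliver continues past the hunk.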
@@ -174,20 +179,23 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig { tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + auto tcp = static_cast(Parent())->TCP(); + + if ( ! resync_set ) + { + resync_set = true; + resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) != + tcp::TCP_ENDPOINT_ESTABLISHED; + } if ( tcp && tcp->HadGap(orig) ) return; - DEBUG_MSG("NCP deliver: len = %d resync = %d buffer.empty = %d\n", - len, resync, buffer.empty()); - if ( buffer.empty() && resync ) { // Assume NCP frames align with packet boundary. if ( (IsOrig() && len < 22) || (! IsOrig() && len < 16) ) { // ignore small fragmeents - DEBUG_MSG("NCP discard small pieces: %d\n", len); return; } @@ -204,10 +212,27 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig resync = false; } - while ( buffer.Deliver(len, data) ) + for ( ; ; ) { - session->Deliver(IsOrig(), buffer.Len(), buffer.Data()); - buffer.Reset(); + auto result = buffer.Deliver(len, data); + + if ( result < 0 ) + break; + + if ( result == 0 ) + { + session->Deliver(IsOrig(), buffer.Len(), buffer.Data()); + buffer.Reset(); + } + else + { + // The rest of the data available in this delivery will + // be discarded and will need to resync to a new frame header. + Weird("ncp_large_frame"); + buffer.Reset(); + resync = true; + break; + } } } @@ -224,13 +249,13 @@ NCP_Analyzer::NCP_Analyzer(Connection* conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); + AddSupportAnalyzer(o_ncp); r_ncp = new Contents_NCP_Analyzer(conn, false, session); + AddSupportAnalyzer(r_ncp); } NCP_Analyzer::~NCP_Analyzer() { delete session; - delete o_ncp; - delete r_ncp; } diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h index 713eca756d..ff64db9077 100644 --- a/src/analyzer/protocol/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h 
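Review bot: In the `@@ -174` hunk of Contents_NCP_Analyzer::DeliverStream, the new `resync_set` block dereferences `tcp` (`tcp->OrigState()` / `tcp->RespState()`) before the pre-existing `if ( tcp && tcp->HadGap(orig) )` null test, so either that test is dead or the first delivery crashes when `TCP()` returns null; moving the block after the null test, or writing `if ( ! resync_set && tcp )`, makes the two consistent. The block also keys on `IsOrig()` while the surrounding code uses the `orig` argument; if both are always equal here, a one-line comment saying so would avoid the question. DeliverStream continues past the end of the hunk.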
@@ -51,11 +51,12 @@ protected: class FrameBuffer { public: - explicit FrameBuffer(int header_length); + explicit FrameBuffer(size_t header_length); virtual ~FrameBuffer(); - // Returns true if a frame is ready - bool Deliver(int& len, const u_char* &data); + // Returns -1 if frame is not ready, 0 if it else, and 1 if + // the frame would require too large of a buffer allocation. + int Deliver(int& len, const u_char* &data); void Reset(); @@ -66,11 +67,11 @@ public: protected: virtual void compute_msg_length() = 0; - int hdr_len; + size_t hdr_len; u_char* msg_buf; - int msg_len; - int buf_n; // number of bytes in msg_buf - int buf_len; // size off msg_buf + uint64 msg_len; + size_t buf_n; // number of bytes in msg_buf + size_t buf_len; // size off msg_buf }; #define NCP_TCPIP_HEADER_LENGTH 8 @@ -97,6 +98,7 @@ protected: // Re-sync for partial connections (or after a content gap). bool resync; + bool resync_set; }; class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { diff --git a/src/analyzer/protocol/ncp/consts.bif b/src/analyzer/protocol/ncp/consts.bif new file mode 100644 index 0000000000..452dd9a2b6 --- /dev/null +++ b/src/analyzer/protocol/ncp/consts.bif @@ -0,0 +1 @@ +const NCP::max_frame_size: count; diff --git a/src/analyzer/protocol/smb/smb2-com-set-info.pac b/src/analyzer/protocol/smb/smb2-com-set-info.pac index 379c919d7d..6874808da9 100644 --- a/src/analyzer/protocol/smb/smb2-com-set-info.pac +++ b/src/analyzer/protocol/smb/smb2-com-set-info.pac 
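Review bot: The new comment on FrameBuffer::Deliver in NCP.h reads `0 if it else`, which does not describe the middle case; the implementation (L33) returns 0 exactly when `buf_n == msg_len`, so `// Returns -1 if the frame is not yet complete, 0 if a complete frame is ready in msg_buf, and 1 if the frame would require too large a buffer allocation (caller should discard and resync).` matches the code. The pre-existing `size off msg_buf` typo on the `buf_len` member could be fixed in the same hunk.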
@@ -6,12 +6,29 @@ enum smb2_set_info_type { }; enum smb_file_info_type { + SMB2_FILE_BASIC_INFO = 0x04, SMB2_FILE_RENAME_INFO = 0x0a, SMB2_FILE_DISPOSITION_INFO = 0x0d, } refine connection SMB_Conn += { + function proc_smb2_set_info_request_file(val: SMB2_file_basic_info): bool + %{ + if ( smb2_file_sattr ) + BifEvent::generate_smb2_file_sattr(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + SMB_BuildMACTimes(${val.last_write_time}, + ${val.last_access_time}, + ${val.creation_time}, + ${val.change_time}), + smb2_file_attrs_to_bro(${val.file_attrs})); + + return true; + %} + function proc_smb2_set_info_request_file_rename(val: SMB2_file_rename_info): bool %{ if ( smb2_file_rename ) @@ -38,6 +55,16 @@ refine connection SMB_Conn += { }; +type SMB2_file_basic_info(sir: SMB2_set_info_request) = record { + creation_time : SMB_timestamp; + last_access_time : SMB_timestamp; + last_write_time : SMB_timestamp; + change_time : SMB_timestamp; + file_attrs : SMB2_file_attributes; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file(this); +}; + type SMB2_file_rename_info(sir: SMB2_set_info_request) = record { replace_if_exists : uint8; reserved : uint8[7]; @@ -55,6 +82,7 @@ type SMB2_file_disposition_info(sir: SMB2_set_info_request) = record { }; type SMB2_set_info_file_class(sir: SMB2_set_info_request) = case sir.info_level of { + SMB2_FILE_BASIC_INFO -> file_basic : SMB2_file_basic_info(sir); SMB2_FILE_RENAME_INFO -> file_rename : SMB2_file_rename_info(sir); SMB2_FILE_DISPOSITION_INFO -> file_disposition : SMB2_file_disposition_info(sir); default -> info_file_unhandled : empty; diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif index 3aeeb579fe..1f6d9386f8 100644 --- a/src/analyzer/protocol/smb/smb2_com_set_info.bif +++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif 
@@ -11,7 +11,7 @@ ## ## dst_filename: The filename to rename the file into. ## -## .. bro:see:: smb2_message smb2_file_delete +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -23,12 +23,32 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## +## file_id: The SMB2 GUID for the file. +## ## delete_pending: A boolean value to indicate that a file should be deleted ## when it's closed if set to T. ## -## .. bro:see:: smb2_message smb2_file_rename +## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%); +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *file* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## file_id: The SMB2 GUID for the file. +## +## times: Timestamps associated with the file in question. +## +## attrs: File attributes. +## +## .. bro:see:: smb2_message smb2_file_rename smb2_file_delete +event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); + # TODO - Not implemented # Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index 598dc869ab..0ee0b92569 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac 
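Review bot: The new doc block for `smb2_file_sattr` in smb2_com_set_info.bif has `For more infomation, see MS-SMB2:2.2.39`; it should read `information`, and the opening sentence lacks its closing period (`of the *file* subtype.`). Both lines feed the generated Broxygen documentation, so the typo is user-visible.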
@@ -173,6 +173,18 @@ refine flow SSH_Flow += { connection()->bro_analyzer()->ProtocolConfirmation(); return true; %} + + function get_kex_length(v: int, packet_length: uint32): int + %{ + switch (v) { + case SSH1: + return packet_length + 4 + 8 - (packet_length % 8); + case SSH2: + return packet_length + 4; + default: + return 1; //currently causes the rest of the packet to dump + } + %} }; refine typeattr SSH_Version += &let { diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index 3b147f6b6e..bf09f6e168 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac +++ b/src/analyzer/protocol/ssh/ssh-protocol.pac @@ -22,21 +22,23 @@ type SSH_Version(is_orig: bool) = record { update_version : bool = $context.connection.update_version(version, is_orig); }; -type SSH_Key_Exchange(is_orig: bool) = case $context.connection.get_version() of { - SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig); - SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig); -}; +type SSH_Key_Exchange(is_orig: bool) = record { + packet_length: uint32; + key_ex: case $context.connection.get_version() of { + SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig, packet_length); + SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig, packet_length); + }; +} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length); # SSH1 constructs ################# -type SSH1_Key_Exchange(is_orig: bool) = record { - packet_length : uint32; +type SSH1_Key_Exchange(is_orig: bool, packet_length: uint32) = record { pad_fill : bytestring &length = 8 - (packet_length % 8); msg_type : uint8; message : SSH1_Message(is_orig, msg_type, packet_length - 5); crc : uint32; -} &length = packet_length + 4 + 8 - (packet_length % 8); +} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length) - 4; type SSH1_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { SSH_SMSG_PUBLIC_KEY -> public_key : SSH1_PUBLIC_KEY(length); 
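Review bot: `get_kex_length` in ssh-analyzer.pac returns `int` while `packet_length` is a `uint32` taken straight from the wire, so for SSH2 a `packet_length` above `INT_MAX - 4` (or one that wraps in the unsigned addition) yields a negative or tiny `&length` for `SSH_Key_Exchange`; the previous inline `&length` expressions had the same arithmetic, but this function now centralises it and is the natural place to bound it. Return `uint32` and reject implausible values up front, e.g. `if ( packet_length > 35000 ) return 1;`, citing the RFC 4253 §6.1 minimum-supported total packet size, and reuse the `default` branch's sentinel so both cases dump the remainder the same way. The `//currently causes the rest of the packet to dump` comment should say this is the intended handling for an unknown version rather than a placeholder.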
@@ -73,8 +75,7 @@ type ssh1_mp_int = record { ## SSH2 -type SSH2_Header(is_orig: bool) = record { - packet_length : uint32; +type SSH2_Header(is_orig: bool, packet_length: uint32) = record { padding_length : uint8; msg_type : uint8; } &let { @@ -82,11 +83,11 @@ type SSH2_Header(is_orig: bool) = record { detach : bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == MSG_NEWKEYS); }; -type SSH2_Key_Exchange(is_orig: bool) = record { - header : SSH2_Header(is_orig); +type SSH2_Key_Exchange(is_orig: bool, packet_length: uint32) = record { + header : SSH2_Header(is_orig, packet_length); payload : SSH2_Message(is_orig, header.msg_type, header.payload_length); pad : bytestring &length=header.padding_length; -} &length=header.packet_length + 4; +} &length=packet_length; type SSH2_Message(is_orig: bool, msg_type: uint8, length: uint32) = case $context.connection.get_state(is_orig) of { KEX_INIT -> kex : SSH2_KEXINIT(length, is_orig); diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 47f7c95722..20bba4426d 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc 
@@ -113,21 +113,18 @@ static inline Val* get_option(const char* option) return id->ID_Val(); } -class configuration : public broker::configuration { -public: - configuration(broker::broker_options options) - : broker::configuration(options) - { - openssl_cafile = get_option("Broker::ssl_cafile")->AsString()->CheckString(); - openssl_capath = get_option("Broker::ssl_capath")->AsString()->CheckString(); - openssl_certificate = get_option("Broker::ssl_certificate")->AsString()->CheckString(); - openssl_key = get_option("Broker::ssl_keyfile")->AsString()->CheckString(); - openssl_passphrase = get_option("Broker::ssl_passphrase")->AsString()->CheckString(); - } -}; +Manager::BrokerConfig::BrokerConfig(broker::broker_options options) + : broker::configuration(options) + { + openssl_cafile = get_option("Broker::ssl_cafile")->AsString()->CheckString(); + openssl_capath = get_option("Broker::ssl_capath")->AsString()->CheckString(); + openssl_certificate = get_option("Broker::ssl_certificate")->AsString()->CheckString(); + openssl_key = get_option("Broker::ssl_keyfile")->AsString()->CheckString(); + openssl_passphrase = get_option("Broker::ssl_passphrase")->AsString()->CheckString(); + } -Manager::BrokerState::BrokerState(broker::broker_options options) - : endpoint(configuration(options)), +Manager::BrokerState::BrokerState(BrokerConfig config) + : endpoint(std::move(config)), subscriber(endpoint.make_subscriber({}, SUBSCRIBER_MAX_QSIZE)), status_subscriber(endpoint.make_status_subscriber(true)) { @@ -136,6 +133,7 @@ Manager::BrokerState::BrokerState(broker::broker_options options) Manager::Manager(bool reading_pcaps) { bound_port = 0; + peer_count = 0; next_timestamp = 1; SetIdle(false); 
@@ -172,7 +170,43 @@ void Manager::InitPostScript() options.forward = get_option("Broker::forward_messages")->AsBool(); options.use_real_time = ! reading_pcaps; - bstate = std::make_shared(options); + BrokerConfig config{std::move(options)}; + auto max_threads = get_option("Broker::max_threads")->AsCount(); + auto max_sleep = get_option("Broker::max_sleep")->AsCount(); + + if ( max_threads ) + config.scheduler_max_threads = max_threads; + else + { + // On high-core-count systems, spawning one thread per core + // can lead to significant performance problems even if most + // threads are under-utilized. Related: + // https://github.com/actor-framework/actor-framework/issues/699 + if ( reading_pcaps ) + config.scheduler_max_threads = 2u; + else + { + auto hc = std::thread::hardware_concurrency(); + + if ( hc > 8u ) + hc = 8u; + else if ( hc < 4u) + hc = 4u; + + config.scheduler_max_threads = hc; + } + } + + if ( max_sleep ) + config.work_stealing_relaxed_sleep_duration_us = max_sleep; + else + // 64ms is just an arbitrary amount derived from testing + // the overhead of a unused CAF actor system on a 32-core system. + // Performance was within 2% of baseline timings (w/o CAF) + // when using this sleep duration. + config.work_stealing_relaxed_sleep_duration_us = 64000; + + bstate = std::make_shared(std::move(config)); } void Manager::Terminate() @@ -192,7 +226,9 @@ void Manager::Terminate() FlushLogBuffers(); for ( auto& p : bstate->endpoint.peers() ) - bstate->endpoint.unpeer(p.peer.network->address, p.peer.network->port); + if ( p.peer.network ) + bstate->endpoint.unpeer(p.peer.network->address, + p.peer.network->port); bstate->endpoint.shutdown(); } @@ -205,7 +241,7 @@ bool Manager::Active() if ( bound_port > 0 ) return true; - return bstate->endpoint.peers().size(); + return peer_count > 0; } void Manager::AdvanceTime(double seconds_since_unix_epoch) 
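Review bot: In the `@@ -172` hunk of Manager::InitPostScript, the clamp values `8u`, `4u` and the pcap-mode `2u` are bare magic numbers; naming them (`constexpr unsigned kMaxAutoThreads = 8;` etc.) next to the existing rationale comment would make the policy easier to revisit, and `( hc < 4u)` is missing a space before the parenthesis. `std::thread::hardware_concurrency()` may return 0, which the lower clamp happens to cover; a comment such as `// hardware_concurrency() may report 0; the lower clamp handles that` would make the fallback deliberate rather than incidental. InitPostScript starts outside the hunk.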
@@ -228,8 +264,17 @@ void Manager::FlushPendingQueries() { // possibly an infinite loop if a query can recursively // generate more queries... - Process(); + for ( auto& s : data_stores ) + { + while ( ! s.second->proxy.mailbox().empty() ) + { + auto response = s.second->proxy.receive(); + ProcessStoreResponse(s.second, move(response)); + } + } } + + SetIdle(false); } uint16_t Manager::Listen(const string& addr, uint16_t port) @@ -301,7 +346,7 @@ bool Manager::PublishEvent(string topic, std::string name, broker::vector args) if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; DBG_LOG(DBG_BROKER, "Publishing event: %s", @@ -317,7 +362,7 @@ bool Manager::PublishEvent(string topic, RecordVal* args) if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; if ( ! args->Lookup(0) ) 
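Review bot: `ProcessStoreResponse(s.second, move(response));` calls `move` unqualified, unlike the `std::move` used throughout the rest of this diff; it resolves only through ADL or a using-directive, so write `std::move(response)`. The inner `while ( ! s.second->proxy.mailbox().empty() )` drains each store's mailbox until empty, and the comment just above (the enclosing loop starts outside this hunk) already warns that a response which triggers a new query could loop forever. A bounded iteration count, or a comment stating why a response handler cannot enqueue to the same mailbox, would make the termination argument explicit.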
@@ -341,31 +386,47 @@ bool Manager::PublishEvent(string topic, RecordVal* args) bool Manager::RelayEvent(std::string first_topic, broker::set relay_topics, std::string name, - broker::vector args) + broker::vector args, + bool handle_on_relayer) { if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; - DBG_LOG(DBG_BROKER, "Publishing relay event: %s", + DBG_LOG(DBG_BROKER, "Publishing %s-relay event: %s", + handle_on_relayer ? "handle" : "", RenderEvent(first_topic, name, args).c_str()); - broker::bro::RelayEvent msg(std::move(relay_topics), std::move(name), - std::move(args)); - bstate->endpoint.publish(std::move(first_topic), std::move(msg)); + + if ( handle_on_relayer ) + { + broker::bro::HandleAndRelayEvent msg(std::move(relay_topics), + std::move(name), + std::move(args)); + bstate->endpoint.publish(std::move(first_topic), std::move(msg)); + } + else + { + broker::bro::RelayEvent msg(std::move(relay_topics), + std::move(name), + std::move(args)); + bstate->endpoint.publish(std::move(first_topic), std::move(msg)); + } + ++statistics.num_events_outgoing; return true; } bool Manager::RelayEvent(std::string first_topic, std::set relay_topics, - RecordVal* args) + RecordVal* args, + bool handle_on_relayer) { if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; if ( ! args->Lookup(0) ) @@ -389,7 +450,7 @@ bool Manager::RelayEvent(std::string first_topic, topic_set.emplace(std::move(t)); return RelayEvent(first_topic, std::move(topic_set), event_name, - std::move(xs)); + std::move(xs), handle_on_relayer); } bool Manager::PublishIdentifier(std::string topic, std::string id) 
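Review bot: the debug format `"Publishing %s-relay event: %s"` combined with `handle_on_relayer ? "handle" : ""` prints `Publishing -relay event:` for the plain relay case. Use a complete word on both sides instead, e.g. `"Publishing %s event: %s"` with `handle_on_relayer ? "handle-and-relay" : "relay"`. The two branches that follow differ only in the message type (`HandleAndRelayEvent` vs `RelayEvent`), so the construct-and-publish sequence could be shared by a small helper template, but that is a style point.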
@@ -397,7 +458,7 @@ bool Manager::PublishIdentifier(std::string topic, std::string id) if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; ID* i = global_scope()->Lookup(id.c_str()); @@ -437,7 +498,7 @@ bool Manager::PublishLogCreate(EnumVal* stream, EnumVal* writer, if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; auto stream_id = stream->Type()->AsEnumType()->Lookup(stream->AsEnum()); @@ -491,7 +552,7 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; auto stream_id_num = stream->AsEnum(); @@ -820,6 +881,10 @@ void Manager::DispatchMessage(broker::data msg) ProcessRelayEvent(std::move(msg)); break; + case broker::bro::Message::Type::HandleAndRelayEvent: + ProcessHandleAndRelayEvent(std::move(msg)); + break; + case broker::bro::Message::Type::LogCreate: ProcessLogCreate(std::move(msg)); break; 
@@ -907,23 +972,23 @@ void Manager::Process() SetIdle(! had_input); } -void Manager::ProcessEvent(broker::bro::Event ev) + +void Manager::ProcessEvent(std::string name, broker::vector args) { - DBG_LOG(DBG_BROKER, "Received event: %s", RenderMessage(ev).c_str()); - + DBG_LOG(DBG_BROKER, "Process event: %s %s", + name.data(), RenderMessage(args).data()); ++statistics.num_events_incoming; + auto handler = event_registry->Lookup(name.data()); - auto handler = event_registry->Lookup(ev.name().c_str()); if ( ! handler ) return; - auto& args = ev.args(); auto arg_types = handler->FType(false)->ArgTypes()->Types(); if ( static_cast(arg_types->length()) != args.size() ) { reporter->Warning("got event message '%s' with invalid # of args," - " got %zd, expected %d", ev.name().data(), args.size(), + " got %zd, expected %d", name.data(), args.size(), arg_types->length()); return; } @@ -942,7 +1007,7 @@ void Manager::ProcessEvent(broker::bro::Event ev) { reporter->Warning("failed to convert remote event '%s' arg #%d," " got %s, expected %s", - ev.name().data(), i, got_type, + name.data(), i, got_type, type_name(expected_type->Tag())); break; } @@ -954,6 +1019,11 @@ void Manager::ProcessEvent(broker::bro::Event ev) delete_vals(vl); } +void Manager::ProcessEvent(broker::bro::Event ev) + { + ProcessEvent(std::move(ev.name()), std::move(ev.args())); + } + void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev) { DBG_LOG(DBG_BROKER, "Received relay event: %s", RenderMessage(ev).c_str()); 
@@ -965,6 +1035,18 @@ void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev) std::move(ev.args())); } +void Manager::ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev) + { + DBG_LOG(DBG_BROKER, "Received handle-relay event: %s", + RenderMessage(ev).c_str()); + ProcessEvent(ev.name(), ev.args()); + + for ( auto& t : ev.topics() ) + PublishEvent(std::move(broker::get(t)), + std::move(ev.name()), + std::move(ev.args())); + } + bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc) { DBG_LOG(DBG_BROKER, "Received log-create: %s", RenderMessage(lc).c_str()); @@ -1148,16 +1230,19 @@ void Manager::ProcessStatus(broker::status stat) break; case broker::sc::peer_added: - assert(ctx); - log_mgr->SendAllWritersTo(*ctx); + ++peer_count; + assert(ctx); + log_mgr->SendAllWritersTo(*ctx); event = Broker::peer_added; break; case broker::sc::peer_removed: + --peer_count; event = Broker::peer_removed; break; case broker::sc::peer_lost: + --peer_count; event = Broker::peer_lost; break; } @@ -1453,11 +1538,7 @@ bool Manager::TrackStoreQuery(StoreHandleVal* handle, broker::request_id id, const Stats& Manager::GetStatistics() { - if ( bstate->endpoint.is_shutdown() ) - statistics.num_peers = 0; - else - statistics.num_peers = bstate->endpoint.peers().size(); - + statistics.num_peers = peer_count; statistics.num_stores = data_stores.size(); statistics.num_pending_queries = pending_queries.size(); diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 996859636d..8c5ab09dc6 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h 
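Review bot: in `ProcessHandleAndRelayEvent` the loop `for ( auto& t : ev.topics() )` passes `std::move(ev.name())` and `std::move(ev.args())` on every iteration, so if `name()`/`args()` return non-const references the second and later topics are published with moved-from (empty) name and arguments, and if they return const references or copies the `std::move` is a no-op and each iteration copies anyway. Either way the intent is unclear; bind the two once before the loop, `const auto& name = ev.name(); const auto& args = ev.args();`, and pass `name, args` both to `ProcessEvent` and inside the loop, letting `PublishEvent`'s by-value parameters take the copies. The tail of `ProcessRelayEvent` visible just above (its body starts outside this hunk) appears to use the same move-in-a-loop pattern and should be treated the same way.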
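Review bot: `--peer_count;` on both `peer_removed` and `peer_lost` lets the counter go negative if a removal arrives for a peer whose `peer_added` was never counted (a status seen before counting started, or both statuses for one peer — whether Broker can emit both is not visible here); a negative value then flows into `statistics.num_peers = peer_count;` in the `GetStatistics` hunk below and makes the `peer_count == 0` gates in `PublishEvent`/`RelayEvent` and `Active()` behave as if no peer exists. Guard the decrement, e.g. `if ( peer_count > 0 ) --peer_count;` with an `assert(peer_count > 0)` for debug builds, or track peers by identity in a `std::set` and report its size. Note also that `GetStatistics` previously reported 0 once `is_shutdown()` was true, whereas it now reports whatever count remained when shutdown happened, which may not be 0 if the matching `peer_removed` statuses are never processed.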
@@ -148,33 +148,41 @@ public: bool PublishEvent(std::string topic, RecordVal* ev); /** - * Sends an event to any interested peers, who, upon receipt, immediately - * republish the event to a new set of topics. + * Sends an event to any interested peers, who, upon receipt, + * republishes the event to a new set of topics and optionally + * calls event handlers. * @param first_topic the first topic to use when publishing the event * @param relay_topics the set of topics the receivers will use to * republish the event. The event is relayed at most a single hop. * @param name the name of the event * @param args the event's arguments + * @param handle_on_relayer whether they relaying-node should call event + * handlers. * @return true if the message is sent successfully. */ bool RelayEvent(std::string first_topic, broker::set relay_topics, std::string name, - broker::vector args); + broker::vector args, + bool handle_on_relayer); /** - * Sends an event to any interested peers, who, upon receipt, immediately - * republish the event to a new set of topics. + * Sends an event to any interested peers, who, upon receipt, + * republishes the event to a new set of topics and optionally + * calls event handlers. * @param first_topic the first topic to use when publishing the event * @param relay_topics the set of topics the receivers will use to * republish the event. The event is relayed at most a single hop. * @param ev the event and its arguments to send to peers, in the form of * a Broker::Event record type. + * @param handle_on_relayer whether they relaying-node should call event + * handlers. * @return true if the message is sent successfully. */ bool RelayEvent(std::string first_topic, std::set relay_topics, - RecordVal* ev); + RecordVal* ev, + bool handle_on_relayer); /** * Send a message to create a log stream to any interested peers. 
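Review bot: both new `@param handle_on_relayer` lines read `whether they relaying-node should call event handlers.`; `they` should be `the`, in both `RelayEvent` overloads. The reworded `@brief` also now says `peers, who, upon receipt, republishes`, where the plural subject calls for `republish`. A one-line mention that this flag is the difference between `Broker::relay` and `Broker::publish_and_relay` would help readers map the C++ parameter to the script-level API.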
@@ -331,17 +339,24 @@ public: private: + class BrokerConfig : public broker::configuration { + public: + BrokerConfig(broker::broker_options options); + }; + class BrokerState { public: - BrokerState(broker::broker_options options); + BrokerState(BrokerConfig config); broker::endpoint endpoint; broker::subscriber subscriber; broker::status_subscriber status_subscriber; }; void DispatchMessage(broker::data msg); + void ProcessEvent(std::string name, broker::vector args); void ProcessEvent(broker::bro::Event ev); void ProcessRelayEvent(broker::bro::RelayEvent re); + void ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev); bool ProcessLogCreate(broker::bro::LogCreate lc); bool ProcessLogWrite(broker::bro::LogWrite lw); bool ProcessIdentifierUpdate(broker::bro::IdentifierUpdate iu); @@ -404,6 +419,8 @@ private: Stats statistics; double next_timestamp; bool reading_pcaps; + int peer_count; + static int script_scope; static VectorType* vector_of_data_type; diff --git a/src/broker/messaging.bif b/src/broker/messaging.bif index 8b2c64e86f..c7b16dba72 100644 --- a/src/broker/messaging.bif +++ b/src/broker/messaging.bif @@ -76,13 +76,13 @@ static bool relay_event_args(val_list& args, const BroString* topic, if ( args[0]->Type()->Tag() == TYPE_RECORD ) rval = broker_mgr->RelayEvent(topic->CheckString(), std::move(topic_set), - args[0]->AsRecordVal()); + args[0]->AsRecordVal(), false); else { auto ev = broker_mgr->MakeEvent(&args, frame); rval = broker_mgr->RelayEvent(topic->CheckString(), std::move(topic_set), - ev); + ev, false); Unref(ev); } @@ -133,7 +133,7 @@ function Broker::publish%(topic: string, ...%): bool ## Publishes an event at a given topic, with any receivers automatically ## forwarding it to its peers with a different topic. The event is relayed -## at most a single hop. +## at most a single hop and the relayer does not call any local event handlers. ## ## first_topic: the initial topic to use for publishing the event. ## 
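Review bot: `BrokerConfig(broker::broker_options options);` and `BrokerState(BrokerConfig config);` are single-argument constructors, so a `broker_options` value converts implicitly to `BrokerConfig` and on to `BrokerState`; mark both `explicit`, e.g. `explicit BrokerConfig(broker::broker_options options);`. `BrokerConfig` also carries no comment although it is where the `Broker::ssl_*` options are read into the endpoint configuration (visible in the Manager.cc hunk above); a line such as `// Endpoint configuration seeded from the Broker::ssl_* script options.` would document that. `BrokerState` similarly gains no note that it now owns the configuration it was constructed from.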
@@ -181,12 +181,74 @@ function Broker::relay%(first_topic: string, ...%): bool if ( args[0]->Type()->Tag() == TYPE_RECORD ) rval = broker_mgr->RelayEvent(first_topic->CheckString(), std::move(topic_set), - args[0]->AsRecordVal()); + args[0]->AsRecordVal(), false); else { auto ev = broker_mgr->MakeEvent(&args, frame); rval = broker_mgr->RelayEvent(first_topic->CheckString(), - std::move(topic_set), ev); + std::move(topic_set), ev, false); + Unref(ev); + } + + return new Val(rval, TYPE_BOOL); + %} + +## Publishes an event at a given topic, with any receivers automatically +## forwarding it to its peers with a different topic. The event is relayed +## at most a single hop and the relayer does call local event handlers. +## +## first_topic: the initial topic to use for publishing the event. +## +## args: the first member of the argument list may be either a string or +## a set of strings indicating the secondary topic that the first +## set of receivers will use to re-publish the event. The remaining +## members of the argument list are either the return value of a +## previously-made call to :bro:see:`Broker::make_event` or the +## argument list that should be passed along to it, so that it can +## be called as part of executing this function. +## +## Returns: true if the message is sent. +function Broker::publish_and_relay%(first_topic: string, ...%): bool + %{ + bro_broker::Manager::ScriptScopeGuard ssg; + val_list* bif_args = @ARGS@; + + if ( bif_args->length() < 3 ) + { + builtin_error("Broker::publish_and_relay requires at least 3 arguments"); + return new Val(false, TYPE_BOOL); + } + + auto second_topic = (*bif_args)[1]; + + if ( second_topic->Type()->Tag() != TYPE_STRING && + ! 
is_string_set(second_topic->Type()) ) + { + builtin_error("Broker::publish_and_relay requires a string or string_set as 2nd argument"); + return new Val(false, TYPE_BOOL); + } + + auto topic_set = val_to_topic_set(second_topic); + + if ( topic_set.empty() ) + return new Val(false, TYPE_BOOL); + + val_list args(bif_args->length() - 2); + + for ( auto i = 2; i < bif_args->length(); ++i ) + args.append((*bif_args)[i]); + + auto rval = false; + + if ( args[0]->Type()->Tag() == TYPE_RECORD ) + rval = broker_mgr->RelayEvent(first_topic->CheckString(), + std::move(topic_set), + args[0]->AsRecordVal(), true); + else + { + auto ev = broker_mgr->MakeEvent(&args, frame); + rval = broker_mgr->RelayEvent(first_topic->CheckString(), + std::move(topic_set), ev, true); Unref(ev); } diff --git a/src/broxygen/Manager.cc b/src/broxygen/Manager.cc index 9e33e6919b..4fd28d60f5 100644 --- a/src/broxygen/Manager.cc +++ b/src/broxygen/Manager.cc @@ -12,7 +12,13 @@ using namespace std; static void DbgAndWarn(const char* msg) { - reporter->InternalWarning("%s", msg); + if ( reporter->Errors() ) + // We've likely already reported to real source of the problem + // as an error, avoid adding an additional warning which may + // be confusing. + return; + + reporter->Warning("%s", msg); DBG_LOG(DBG_BROXYGEN, "%s", msg); } @@ -22,7 +28,8 @@ static void WarnMissingScript(const char* type, const ID* id, if ( script == "" ) return; - DbgAndWarn(fmt("Can't document %s %s, lookup of %s failed", + DbgAndWarn(fmt("Can't generate Broxygen doumentation for %s %s, " + "lookup of %s failed", type, id->Name(), script.c_str())); } @@ -122,7 +129,8 @@ void Manager::Script(const string& path) if ( scripts.GetInfo(name) ) { - DbgAndWarn(fmt("Duplicate script documentation: %s", name.c_str())); + DbgAndWarn(fmt("Duplicate Broxygen script documentation: %s", + name.c_str())); return; } 
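Review bot: the body of `Broker::publish_and_relay` is a line-for-line copy of `Broker::relay` (whose tail is visible at the top of this hunk) with only the trailing `false` changed to `true`, including the argument-count check, the second-topic type check, the `val_to_topic_set` call and the `val_list` rebuild. Factor the shared part into one static helper parameterized by `handle_on_relayer`, in the spirit of `relay_event_args` earlier in this file, so the two BIFs cannot drift; each BIF keeps its `ScriptScopeGuard` and passes its own name for the two `builtin_error` messages.
```cpp
// Shared body of Broker::relay and Broker::publish_and_relay; the two BIFs
// differ only in whether the relaying node also calls local event handlers.
static Val* relay_bif(const char* bif_name, std::string first_topic,
                      val_list* bif_args, Frame* frame, bool handle_on_relayer)
	{
	if ( bif_args->length() < 3 )
		{
		builtin_error(fmt("%s requires at least 3 arguments", bif_name));
		return new Val(false, TYPE_BOOL);
		}

	// … unchanged: second-topic type check (using bif_name in its message), val_to_topic_set(), args rebuild …

	auto rval = false;

	if ( args[0]->Type()->Tag() == TYPE_RECORD )
		rval = broker_mgr->RelayEvent(std::move(first_topic), std::move(topic_set),
		                              args[0]->AsRecordVal(), handle_on_relayer);
	else
		{
		auto ev = broker_mgr->MakeEvent(&args, frame);
		rval = broker_mgr->RelayEvent(std::move(first_topic), std::move(topic_set),
		                              ev, handle_on_relayer);
		Unref(ev);
		}

	return new Val(rval, TYPE_BOOL);
	}

// In each BIF body, after the ScriptScopeGuard:
//   return relay_bif("Broker::publish_and_relay", first_topic->CheckString(),
//                    @ARGS@, frame, true);
```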
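Review bot: the early `return` added to `DbgAndWarn` when `reporter->Errors()` is non-zero also skips the `DBG_LOG(DBG_BROXYGEN, "%s", msg);` that follows, so the debug stream loses exactly the messages being suppressed, which is the opposite of what the function name promises. Move the `DBG_LOG` above the check so debug output stays unconditional and only the user-visible warning is gated. In the new comment, `reported to real source` should read `reported the real source`. The message text in the `WarnMissingScript` hunk below, and in the `StartType`, `RecordField` and `Redef` hunks further down, spells `doumentation` and mixes `Broxygen`/`broxygen`; the `Script` hunks spell `documentation` correctly and capitalize consistently, so the others should match.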
@@ -138,7 +146,8 @@ void Manager::Script(const string& path) if ( packages.GetInfo(name) ) { - DbgAndWarn(fmt("Duplicate package documentation: %s", name.c_str())); + DbgAndWarn(fmt("Duplicate Broxygen package documentation: %s", + name.c_str())); return; } @@ -155,7 +164,8 @@ void Manager::ScriptDependency(const string& path, const string& dep) if ( dep.empty() ) { - DbgAndWarn(fmt("Empty script doc dependency: %s", path.c_str())); + DbgAndWarn(fmt("Empty Broxygen script doc dependency: %s", + path.c_str())); return; } @@ -165,8 +175,8 @@ void Manager::ScriptDependency(const string& path, const string& dep) if ( ! script_info ) { - DbgAndWarn(fmt("Failed to add script doc dependency %s for %s", - depname.c_str(), name.c_str())); + DbgAndWarn(fmt("Failed to add Broxygen script doc dependency %s " + "for %s", depname.c_str(), name.c_str())); return; } @@ -189,7 +199,7 @@ void Manager::ModuleUsage(const string& path, const string& module) if ( ! script_info ) { - DbgAndWarn(fmt("Failed to add module usage %s in %s", + DbgAndWarn(fmt("Failed to add Broxygen module usage %s in %s", module.c_str(), name.c_str())); return; } @@ -231,7 +241,8 @@ void Manager::StartType(ID* id) if ( id->GetLocationInfo() == &no_location ) { - DbgAndWarn(fmt("Can't document %s, no location available", id->Name())); + DbgAndWarn(fmt("Can't generate broxygen doumentation for %s, " + "no location available", id->Name())); return; } @@ -323,7 +334,8 @@ void Manager::RecordField(const ID* id, const TypeDecl* field, if ( ! idd ) { - DbgAndWarn(fmt("Can't document record field %s, unknown record: %s", + DbgAndWarn(fmt("Can't generate broxygen doumentation for " + "record field %s, unknown record: %s", field->id, id->Name())); return; } 
@@ -348,7 +360,8 @@ void Manager::Redef(const ID* id, const string& path) if ( ! id_info ) { - DbgAndWarn(fmt("Can't document redef of %s, identifier lookup failed", + DbgAndWarn(fmt("Can't generate broxygen doumentation for " + "redef of %s, identifier lookup failed", id->Name())); return; } diff --git a/src/broxygen/ScriptInfo.cc b/src/broxygen/ScriptInfo.cc index 0a57991969..2c054ea9b1 100644 --- a/src/broxygen/ScriptInfo.cc +++ b/src/broxygen/ScriptInfo.cc @@ -250,6 +250,19 @@ void ScriptInfo::DoInitPostScript() id->Name(), name.c_str()); state_vars.push_back(info); } + + // The following enum types are automatically created internally in Bro, + // so just manually associating them with scripts for now. + if ( name == "base/frameworks/input/main.bro" ) + { + auto id = global_scope()->Lookup("Input::Reader"); + types.push_back(new IdentifierInfo(id, this)); + } + else if ( name == "base/frameworks/logging/main.bro" ) + { + auto id = global_scope()->Lookup("Log::Writer"); + types.push_back(new IdentifierInfo(id, this)); + } } vector ScriptInfo::GetComments() const diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index b101f502ff..38102ed97e 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -244,7 +244,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP int len = i2d_ASN1_OCTET_STRING(X509_EXTENSION_get_data(ex), &buf); if ( len >=0 ) { - BIO_write(bio, &buf, len); + BIO_write(bio, buf, len); OPENSSL_free(buf); } } diff --git a/src/input.h b/src/input.h index f0f402b23b..3d0caa459a 100644 --- a/src/input.h +++ b/src/input.h @@ -14,6 +14,7 @@ extern int yydebug; extern int brolex(); extern char last_tok[128]; +extern void add_essential_input_file(const char* file); extern void add_input_file(const char* file); extern void add_input_file_at_front(const char* file); 
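Review bot: `auto id = global_scope()->Lookup("Input::Reader");` and the matching `Log::Writer` lookup feed `id` straight into `new IdentifierInfo(id, this)` with no null check, so a failed lookup becomes a null identifier inside the documentation tree rather than a reportable condition; the comment says these enums are created internally, but nothing in the hunk ties that creation to this code path. Add `if ( id )` before each `types.push_back(...)`, or warn through `reporter` when the lookup fails. The enclosing `DoInitPostScript` body starts outside this hunk.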
diff --git a/src/iosource/Manager.cc b/src/iosource/Manager.cc index 80fa5fe860..390449da81 100644 --- a/src/iosource/Manager.cc +++ b/src/iosource/Manager.cc @@ -81,7 +81,7 @@ IOSource* Manager::FindSoonest(double* ts) all_idle = false; double local_network_time = 0; double ts = (*i)->src->NextTimestamp(&local_network_time); - if ( ts > 0 && ts < soonest_ts ) + if ( ts >= 0 && ts < soonest_ts ) { soonest_ts = ts; soonest_src = (*i)->src; @@ -162,7 +162,7 @@ IOSource* Manager::FindSoonest(double* ts) { double local_network_time = 0; double ts = src->src->NextTimestamp(&local_network_time); - if ( ts > 0.0 && ts < soonest_ts ) + if ( ts >= 0.0 && ts < soonest_ts ) { soonest_ts = ts; soonest_src = src->src; diff --git a/src/main.cc b/src/main.cc index 2277ab0cba..2e9a89ddd1 100644 --- a/src/main.cc +++ b/src/main.cc @@ -44,6 +44,7 @@ extern "C" { #include "EventRegistry.h" #include "Stats.h" #include "Brofiler.h" +#include "Traverse.h" #include "threading/Manager.h" #include "input/Manager.h" @@ -114,6 +115,7 @@ char* command_line_policy = 0; vector params; set requested_plugins; char* proc_status_file = 0; +int old_comm_usage_count = 0; OpaqueType* md5_type = 0; OpaqueType* sha1_type = 0; 
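Review bot: `if ( ts >= 0 && ts < soonest_ts )` now accepts a zero timestamp, which appears to leave a negative return from `NextTimestamp()` as the only remaining "nothing pending" signal, yet neither hunk documents that convention and the two sites compare against `0` and `0.0` respectively. A comment at the first site such as `// NextTimestamp() returns a negative value when the source has nothing pending; 0 is a valid time.` and the same literal in both comparisons would make the contract explicit. Both enclosing loops in `FindSoonest` start outside their hunks.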
@@ -424,6 +426,70 @@ static void bro_new_handler() out_of_memory("new"); } +static auto old_comm_ids = std::set{ + "connect", + "disconnect", + "request_remote_events", + "request_remote_sync", + "request_remote_logs", + "set_accept_state", + "set_compression_level", + "listen", + "send_id", + "terminate_communication", + "complete_handshake", + "send_ping", + "send_current_packet", + "get_event_peer", + "send_capture_filter", + "suspend_state_updates", + "resume_state_updates", +}; + +static bool is_old_comm_usage(const ID* id) + { + auto name = id->Name(); + + if ( old_comm_ids.find(name) == old_comm_ids.end() ) + return false; + + return true; + } + +class OldCommUsageTraversalCallback : public TraversalCallback { +public: + virtual TraversalCode PreExpr(const Expr* expr) override + { + switch ( expr->Tag() ) { + case EXPR_CALL: + { + const CallExpr* call = static_cast(expr); + auto func = call->Func(); + + if ( func->Tag() == EXPR_NAME ) + { + const NameExpr* ne = static_cast(func); + auto id = ne->Id(); + + if ( is_old_comm_usage(id) ) + ++old_comm_usage_count; + } + } + break; + default: + break; + } + + return TC_CONTINUE; + } +}; + +static void find_old_comm_usages() + { + OldCommUsageTraversalCallback cb; + traverse_all(&cb); + } + int main(int argc, char** argv) { std::set_new_handler(bro_new_handler); @@ -755,7 +821,9 @@ int main(int argc, char** argv) broxygen_mgr = new broxygen::Manager(broxygen_config, bro_argv[0]); - add_input_file("base/init-bare.bro"); + add_essential_input_file("base/init-bare.bro"); + add_essential_input_file("base/init-frameworks-and-bifs.bro"); + if ( ! bare_mode ) add_input_file("base/init-default.bro"); 
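Review bot: `is_old_comm_usage` spells a set-membership test as an `if`/`return false`/`return true` ladder; `return old_comm_ids.find(name) != old_comm_ids.end();` says the same in one line. In `PreExpr`, `virtual` next to `override` is redundant. The traversal counts only calls whose callee is a plain `EXPR_NAME`, so uses of these identifiers as values or through indirection are not counted; a comment on `find_old_comm_usages` such as `// Best-effort detection: counts direct calls to old communication-system BIFs only.` would set expectations for the fatal error raised later in `main`.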
@@ -852,6 +920,22 @@ int main(int argc, char** argv) yyparse(); is_parsing = false; + find_old_comm_usages(); + + if ( old_comm_usage_count ) + { + auto old_comm_ack_id = global_scope()->Lookup("old_comm_usage_is_ok"); + + if ( ! old_comm_ack_id->ID_Val()->AsBool() ) + reporter->FatalError("Detected old, deprecated communication " + "system usages that will not work unless " + "you explicitly take action to initizialize " + "and set up the old comm. system. " + "Set the 'old_comm_usage_is_ok' flag " + "to bypass this error if you've taken such " + "actions."); + } + RecordVal::ResizeParseTimeRecords(); init_general_global_var(); diff --git a/src/parse.y b/src/parse.y index cc976c5b2d..8145b66809 100644 --- a/src/parse.y +++ b/src/parse.y @@ -34,18 +34,21 @@ %token TOK_NO_TEST -%left ',' '|' +%left ',' %right '=' TOK_ADD_TO TOK_REMOVE_FROM %right '?' ':' -%left TOK_OR -%left TOK_AND +%left TOK_OR_OR +%left TOK_AND_AND %nonassoc TOK_HOOK %nonassoc '<' '>' TOK_LE TOK_GE TOK_EQ TOK_NE %left TOK_IN TOK_NOT_IN +%left '|' +%left '^' +%left '&' %left '+' '-' %left '*' '/' '%' %left TOK_INCR TOK_DECR -%right '!' +%right '!' '~' %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR %nonassoc TOK_AS TOK_IS @@ -338,6 +341,12 @@ expr: $$ = new NotExpr($2); } + | '~' expr + { + set_location(@1, @2); + $$ = new ComplementExpr($2); + } + | '-' expr %prec '!' { set_location(@1, @2); 
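Review bot: `global_scope()->Lookup("old_comm_usage_is_ok")` is dereferenced immediately via `old_comm_ack_id->ID_Val()->AsBool()`; if the identifier is missing (for example a trimmed or mismatched `init-bare.bro`) this is a null dereference at the exact point where the user is being told about a configuration problem. Guard it so a missing flag counts as not acknowledged: `if ( ! old_comm_ack_id || ! old_comm_ack_id->ID_Val()->AsBool() )`. The fatal-error text also contains `initizialize`, which should be `initialize`; the same misspelling is frozen into the `core.old_comm_usage` baseline further down, so both need updating together.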
@@ -392,16 +401,34 @@ expr: $$ = new ModExpr($1, $3); } - | expr TOK_AND expr + | expr '&' expr { set_location(@1, @3); - $$ = new BoolExpr(EXPR_AND, $1, $3); + $$ = new BitExpr(EXPR_AND, $1, $3); } - | expr TOK_OR expr + | expr '|' expr { set_location(@1, @3); - $$ = new BoolExpr(EXPR_OR, $1, $3); + $$ = new BitExpr(EXPR_OR, $1, $3); + } + + | expr '^' expr + { + set_location(@1, @3); + $$ = new BitExpr(EXPR_XOR, $1, $3); + } + + | expr TOK_AND_AND expr + { + set_location(@1, @3); + $$ = new BoolExpr(EXPR_AND_AND, $1, $3); + } + + | expr TOK_OR_OR expr + { + set_location(@1, @3); + $$ = new BoolExpr(EXPR_OR_OR, $1, $3); } | expr TOK_EQ expr @@ -704,7 +731,7 @@ expr: $$ = new ConstExpr(new PatternVal($1)); } - | '|' expr '|' + | '|' expr '|' %prec '(' { set_location(@1, @3); $$ = new SizeExpr($2); diff --git a/src/scan.l b/src/scan.l index 41fb758bc6..3bbf6ec999 100644 --- a/src/scan.l +++ b/src/scan.l @@ -193,7 +193,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) RET_CONST(new SubNetVal(IPPrefix(IPAddr(ip), len))) } -[!%*/+\-,:;<=>?()\[\]{}~$|] return yytext[0]; +[!%*/+\-,:;<=>?()\[\]{}~$|&^] return yytext[0]; "--" return TOK_DECR; "++" return TOK_INCR; @@ -206,8 +206,8 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) ">=" return TOK_GE; "<=" return TOK_LE; -"&&" return TOK_AND; -"||" return TOK_OR; +"&&" return TOK_AND_AND; +"||" return TOK_OR_OR; add return TOK_ADD; addr return TOK_ADDR; @@ -310,6 +310,7 @@ when return TOK_WHEN; } &synchronized { + ++old_comm_usage_count; deprecated_attr(yytext); return TOK_ATTR_SYNCHRONIZED; } 
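Review bot: the grammar now builds `BitExpr(EXPR_AND, ...)`/`BitExpr(EXPR_OR, ...)` for `&`/`|` while the boolean operators move to `EXPR_AND_AND`/`EXPR_OR_OR`, so any code elsewhere that switches on `EXPR_AND`/`EXPR_OR` expecting short-circuit logic (not visible in this diff) now receives bitwise expressions. A grep for those tags and a comment on the `BitExpr` rules noting that the tag names are shared with the former boolean operators would prevent surprises. Since `'|'` is now both a binary operator and the `| expr |` size delimiter, bison's shift/reduce report for this grammar should be checked before merging; `%prec '('` on the size rule is the only disambiguation visible here.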
@@ -821,6 +822,18 @@ void do_atendif() // are referred to (in order to save the locations of tokens and statements, // for error reporting and debugging). static name_list input_files; +static name_list essential_input_files; + +void add_essential_input_file(const char* file) + { + if ( ! file ) + reporter->InternalError("empty filename"); + + if ( ! filename ) + (void) load_files(file); + else + essential_input_files.append(copy_string(file)); + } void add_input_file(const char* file) { @@ -869,7 +882,7 @@ int yywrap() if ( ! did_builtin_init && file_stack.length() == 1 ) { // ### This is a gross hack - we know that the first file - // we parse is bro.init, and after it it's safe to initialize + // we parse is init-bare.bro, and after it it's safe to initialize // the built-ins. Furthermore, we want to initialize the // built-in's *right* after parsing bro.init, so that other // source files can use built-in's when initializing globals. @@ -885,19 +898,22 @@ int yywrap() return 0; // Stack is now empty. - while ( input_files.length() > 0 ) + while ( essential_input_files.length() > 0 || input_files.length() > 0 ) { - if ( load_files(input_files[0]) ) + name_list& files = essential_input_files.length() > 0 ? + essential_input_files : input_files; + + if ( load_files(files[0]) ) { // Don't delete the filename - it's pointed to by // every BroObj created when parsing it. - (void) input_files.remove_nth(0); + (void) files.remove_nth(0); return 0; } // We already scanned the file. Pop it and try the next, // if any. - (void) input_files.remove_nth(0); + (void) files.remove_nth(0); } // For each file scanned so far, and for each @prefix, look for a diff --git a/testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out b/testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out new file mode 100644 index 0000000000..45c18d28be --- /dev/null +++ b/testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out 
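Review bot: the comment fix in `yywrap` changes `we parse is bro.init` to `init-bare.bro`, but two lines later the same comment still says `right after parsing bro.init`, so it now contradicts itself; update the second mention as well. In `add_essential_input_file`, `reporter->InternalError("empty filename")` fires on a null `file` pointer, so `"null filename"` would describe the condition accurately; the structure mirrors `add_input_file`, whose body starts outside this hunk, so the two should be kept in step. A short comment above `static name_list essential_input_files;` stating that these files are loaded before anything in `input_files` regardless of registration order (the `yywrap` change below) would document the new precedence.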
@@ -0,0 +1,3 @@ +sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core +got ready event +sender lost peer: endpoint=127.0.0.1 msg=lost remote peer diff --git a/testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out b/testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out new file mode 100644 index 0000000000..8193829fd4 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out @@ -0,0 +1,2 @@ +receiver added peer: endpoint=127.0.0.1 msg=handshake successful +got my_event, hello world diff --git a/testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out b/testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out new file mode 100644 index 0000000000..7bedece7d2 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out @@ -0,0 +1,5 @@ +receiver added peer: endpoint=127.0.0.1 msg=received handshake from remote core +receiver added peer: endpoint=127.0.0.1 msg=handshake successful +sending ready event +got my_event, hello world +receiver lost peer: endpoint=127.0.0.1 msg=lost remote peer diff --git a/testing/btest/Baseline/core.old_comm_usage/out b/testing/btest/Baseline/core.old_comm_usage/out new file mode 100644 index 0000000000..28585d78ba --- /dev/null +++ b/testing/btest/Baseline/core.old_comm_usage/out @@ -0,0 +1,2 @@ +warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.bro, line 6: deprecated (terminate_communication) +fatal error: Detected old, deprecated communication system usages that will not work unless you explicitly take action to initizialize and set up the old comm. system. Set the 'old_comm_usage_is_ok' flag to bypass this error if you've taken such actions. 
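Review bot: the expected output hard-codes the absolute path `/Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.bro`, so unless the test's command canonifies paths before diffing (the test file itself is not part of this diff) this baseline only matches on the author's machine. Either pass the output through the path canonifier used by the other baselines or print the warning location relative to the test directory. The baseline also freezes the `initizialize` misspelling from the `main.cc` hunk above; fixing that message means regenerating this file.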
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 768eb520ea..02e6855308 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,18 +3,21 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2018-03-01-16-07-03 +#open 2018-06-08-16-37-15 #fields name #types string scripts/base/init-bare.bro build/scripts/base/bif/const.bif.bro build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/strings.bif.bro build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/stats.bif.bro build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/option.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro build/scripts/base/bif/event.bif.bro +scripts/base/init-frameworks-and-bifs.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro @@ -52,8 +55,6 @@ scripts/base/init-bare.bro scripts/base/utils/patterns.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro - build/scripts/base/bif/stats.bif.bro - build/scripts/base/bif/option.bif.bro build/scripts/base/bif/broxygen.bif.bro build/scripts/base/bif/pcap.bif.bro build/scripts/base/bif/bloom-filter.bif.bro @@ -93,6 +94,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro 
@@ -175,4 +177,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2018-03-01-16-07-03 +#close 2018-06-08-16-37-15 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 5ca6cdd812..4742280a26 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,18 +3,21 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2018-05-17-23-49-59 +#open 2018-06-08-16-37-20 #fields name #types string scripts/base/init-bare.bro build/scripts/base/bif/const.bif.bro build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/strings.bif.bro build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/stats.bif.bro build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/option.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro build/scripts/base/bif/event.bif.bro +scripts/base/init-frameworks-and-bifs.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro @@ -52,8 +55,6 @@ scripts/base/init-bare.bro scripts/base/utils/patterns.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro - build/scripts/base/bif/stats.bif.bro - build/scripts/base/bif/option.bif.bro build/scripts/base/bif/broxygen.bif.bro build/scripts/base/bif/pcap.bif.bro build/scripts/base/bif/bloom-filter.bif.bro 
@@ -93,6 +94,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro @@ -364,4 +366,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2018-05-17-23-49-59 +#close 2018-06-08-16-37-20 diff --git a/testing/btest/Baseline/language.count/out b/testing/btest/Baseline/language.count/out index 4ef65b6098..f1e1eef587 100644 --- a/testing/btest/Baseline/language.count/out +++ b/testing/btest/Baseline/language.count/out @@ -14,5 +14,16 @@ modulus operator (PASS) division operator (PASS) assignment operator (PASS) assignment operator (PASS) +bitwise and (PASS) +bitwise and (PASS) +bitwise and (PASS) +bitwise or (PASS) +bitwise or (PASS) +bitwise or (PASS) +bitwise xor (PASS) +bitwise xor (PASS) +bitwise xor (PASS) +bitwise complement (PASS) +bitwise complement (PASS) max count value = 18446744073709551615 (PASS) max count value = 18446744073709551615 (PASS) diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 37a613347c..a8ebd497b9 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -264,7 +264,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -441,7 +441,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -469,6 +469,7 @@ 0.000000 MetaHookPost CallFunction(bro_init, , ()) -> 0.000000 MetaHookPost CallFunction(current_time, , ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) -> +0.000000 MetaHookPost CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) -> 0.000000 MetaHookPost CallFunction(getenv, , (CLUSTER_NODE)) -> 0.000000 MetaHookPost CallFunction(global_ids, , ()) -> 0.000000 MetaHookPost CallFunction(network_time, , ()) -> @@ -522,6 +523,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MIME.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.consts.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) -> -1 @@ -727,6 +729,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/init-default.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/init-frameworks-and-bifs.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1 @@ -744,6 +747,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/ntlm) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/numbers.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/option.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/packet-filter) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/paths.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/patterns.bro) -> -1 
@@ -766,6 +770,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/software) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ssh) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ssl) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/stats.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/store.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/strings.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/strings.bro) -> -1 @@ -1062,7 +1067,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1239,7 +1244,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1267,6 +1272,7 @@ 0.000000 MetaHookPre CallFunction(bro_init, , ()) 0.000000 MetaHookPre CallFunction(current_time, , ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) +0.000000 MetaHookPre CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) 0.000000 MetaHookPre CallFunction(getenv, , (CLUSTER_NODE)) 0.000000 MetaHookPre CallFunction(global_ids, , ()) 0.000000 MetaHookPre CallFunction(network_time, , ()) @@ -1320,6 +1326,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MIME.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.consts.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) 
@@ -1525,6 +1532,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/http) 0.000000 MetaHookPre LoadFile(0, base<...>/imap) 0.000000 MetaHookPre LoadFile(0, base<...>/init-default.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/init-frameworks-and-bifs.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/input) 0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/intel) @@ -1542,6 +1550,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/ntlm) 0.000000 MetaHookPre LoadFile(0, base<...>/numbers.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/openflow) +0.000000 MetaHookPre LoadFile(0, base<...>/option.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/packet-filter) 0.000000 MetaHookPre LoadFile(0, base<...>/paths.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/patterns.bro) @@ -1564,6 +1573,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/software) 0.000000 MetaHookPre LoadFile(0, base<...>/ssh) 0.000000 MetaHookPre LoadFile(0, base<...>/ssl) +0.000000 MetaHookPre LoadFile(0, base<...>/stats.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/store.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/strings.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/strings.bro) 
@@ -1859,7 +1869,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2036,7 +2046,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2064,6 +2074,7 @@ 0.000000 | HookCallFunction bro_init() 0.000000 | HookCallFunction current_time() 0.000000 | HookCallFunction filter_change_tracking() +0.000000 | HookCallFunction getenv(BRO_DEFAULT_LISTEN_ADDRESS) 0.000000 | HookCallFunction getenv(CLUSTER_NODE) 0.000000 | HookCallFunction global_ids() 0.000000 | HookCallFunction network_time() 
@@ -2117,6 +2128,7 @@ 0.000000 | HookLoadFile .<...>/Bro_MIME.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_Modbus.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_MySQL.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NCP.consts.bif.bro 0.000000 | HookLoadFile .<...>/Bro_NCP.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_NTLM.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_NTLM.types.bif.bro @@ -2331,6 +2343,7 @@ 0.000000 | HookLoadFile base<...>/http 0.000000 | HookLoadFile base<...>/imap 0.000000 | HookLoadFile base<...>/init-default.bro +0.000000 | HookLoadFile base<...>/init-frameworks-and-bifs.bro 0.000000 | HookLoadFile base<...>/input 0.000000 | HookLoadFile base<...>/input.bif.bro 0.000000 | HookLoadFile base<...>/intel @@ -2348,6 +2361,7 @@ 0.000000 | HookLoadFile base<...>/ntlm 0.000000 | HookLoadFile base<...>/numbers.bro 0.000000 | HookLoadFile base<...>/openflow +0.000000 | HookLoadFile base<...>/option.bif.bro 0.000000 | HookLoadFile base<...>/packet-filter 0.000000 | HookLoadFile base<...>/paths.bro 0.000000 | HookLoadFile base<...>/patterns.bro @@ -2370,6 +2384,7 @@ 0.000000 | HookLoadFile base<...>/software 0.000000 | HookLoadFile base<...>/ssh 0.000000 | HookLoadFile base<...>/ssl +0.000000 | HookLoadFile base<...>/stats.bif.bro 0.000000 | HookLoadFile base<...>/store.bif.bro 0.000000 | HookLoadFile base<...>/strings.bif.bro 0.000000 | HookLoadFile base<...>/strings.bro @@ -2387,7 +2402,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() 
diff --git a/testing/btest/Baseline/scripts.base.protocols.arp.bad/.stdout b/testing/btest/Baseline/scripts.base.protocols.arp.bad/.stdout new file mode 100644 index 0000000000..4c6945ec64 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.arp.bad/.stdout @@ -0,0 +1,6 @@ +BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255) +BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255) +BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (pro=2048, pln=255) +BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (pro=2048, pln=255) +BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255) +BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255) diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output index c42038b5d0..20b0b568c3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output +++ b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output 
@@ -1,3 +1,3 @@ KRB_AP_REQUEST -[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18, ciphertext={\x9fY\xd0f\x8dS\xf4I\x88\x04\xfa\xc1\xd8m\xa2\xb7+\xbb\x19\xcag\x0c\x13\xd1g*\xfc\x18\xd1\xb1\x80!\xbd\x85\xec\xf9\x9b\xfa-\x18\xb6\xf5h\x91\xe7\x99\xf4\xdb\x93\xa0\xc7\x90\x1e\xa9\x95v\xd3\x12\xfa,9\x1d\x0b\xd0\xa1\xd25\x0f\x1f[G\xdf\xd0\xbbd\x06$2\xd1\xae\x130qZiY\x07@\xe9\xf9\xff\xa4\x9a\xd4\x09\xf0\x0d\xc1R\x10M\xbdKOV\xfd\xf6\x13\xf6\x9a\x95N\xdf!\xf6x\x94\xd8j\xa5\xdcp\xa8\x04\x99\x02x\xdb$\xd8\xfa_o\x8dV\xc8\x0a\xfe\x00\xf3&c\x0c8\xd1\xd0\xe9\x8e\xab\xfe&\xfe\x00\x8d$\x98I\xe5\x8d\x94rM4%\xd8\xfe\xa9\x08\x06\xc6\x95H7\xf7HCq\xb9\x0d$\x95?\x83B\x82\xdd\xea\xc3f3\xcc\xbb\x09\x0d-\x09;\xa6i%\xcd\xba\x11\xd4\xe0\x12w\xd0G&\xdaj\x82\x7f;\xf3\x1d\x10\xa4l\x06\x16l\x1bc\xa1\xd1\x15!\x00\x8a\xff\x8a\x06\xe7U^:] [use_session_key=F, mutual_required=F] diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb/.stdout b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb/.stdout new file mode 100644 index 0000000000..cd2430defe --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb/.stdout @@ -0,0 +1 @@ +wallior@DS.SUSQ.COM diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stderr b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stderr new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout new file mode 100644 index 0000000000..cf84443e49 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout @@ -0,0 +1 @@ +F diff --git a/testing/btest/Baseline/scripts.base.protocols.ncp.event/out b/testing/btest/Baseline/scripts.base.protocols.ncp.event/out new file mode 100644 index 0000000000..6374c60f5d --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.ncp.event/out 
@@ -0,0 +1,468 @@ +ncp reply, 13107, 70, 0, 0, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 59, 89 +ncp reply, 13107, 2, 8738, 89, 255 +ncp request, 8738, 59, 89 +ncp reply, 13107, 2, 8738, 89, 255 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 66, 89 +ncp reply, 13107, 92, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp 
request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 
89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 
70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp 
reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 
89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 66, 89 +ncp reply, 13107, 92, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 
8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp 
request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 46, 89 +ncp reply, 13107, 88, 8738, 89, 0 +ncp request, 8738, 40, 89 +ncp reply, 13107, 11, 8738, 89, 0 +ncp request, 8738, 40, 89 +ncp reply, 13107, 102, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 6, 22338 +ncp reply, 13107, 10, 8738, 22338, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 14, 72 diff --git a/testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out b/testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out new file mode 100644 index 0000000000..cfb805ee70 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out 
@@ -0,0 +1,418 @@ +ncp reply, 13107, 70, 0, 0, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 59, 89 +ncp reply, 13107, 2, 8738, 89, 255 +ncp request, 8738, 59, 89 +ncp reply, 13107, 2, 8738, 89, 255 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 66, 89 +ncp reply, 13107, 92, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp 
request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 
13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 
13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 
13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 66, 89 +ncp reply, 13107, 92, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 
13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 
8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 46, 89 +ncp reply, 13107, 88, 8738, 89, 0 +ncp request, 8738, 40, 89 +ncp reply, 13107, 11, 8738, 89, 0 +ncp request, 8738, 40, 89 +ncp reply, 13107, 102, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 6, 22338 +ncp reply, 13107, 10, 8738, 22338, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 14, 72 diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout index bc605dcbb2..299b36fd33 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout 
@@ -5,6 +5,7 @@ smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatil smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=2, create_options=2097185] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] +smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=1319047808.3125, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.x509-invalid-extension/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.x509-invalid-extension/.stdout new file mode 100644 index 0000000000..a56a7a6080 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.x509-invalid-extension/.stdout @@ -0,0 +1,4 @@ +UNDEF +\x04a0_\xa1]\xa0[0Y0W0U\x16\x09image/gif0!0\x1f0\x07\x06\x05+\x0e\x03\x02\x1a\x04\x14\x8f\xe5\xd3\x1a\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H\x18,{\x19.0%\x16#http://logo.verisign.com/vslogo.gif +UNDEF +\x04a0_\xa1]\xa0[0Y0W0U\x16\x09image/gif0!0\x1f0\x07\x06\x05+\x0e\x03\x02\x1a\x04\x14\x8f\xe5\xd3\x1a\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H\x18,{\x19.0%\x16#http://logo.verisign.com/vslogo.gif diff --git a/testing/btest/Makefile b/testing/btest/Makefile index 56bf8f0a7e..c9bcfff5ee 100644 --- a/testing/btest/Makefile +++ b/testing/btest/Makefile @@ -1,6 +1,7 @@ DIAG=diag.log BTEST=../../aux/btest/btest +SCRIPT_COV=.tmp/script-coverage all: cleanup btest-verbose coverage @@ -15,11 +16,11 @@ btest-brief: @$(BTEST) -j -b -f $(DIAG) coverage: - @../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts + @../scripts/coverage-calc "$(SCRIPT_COV)/*" coverage.log `pwd`/../../scripts cleanup: @rm -f $(DIAG) - @rm -f .tmp/script-coverage* + @rm -rf $(SCRIPT_COV)* distclean: cleanup @rm -rf .btest.failed.dat \ diff --git a/testing/btest/Traces/arp-leak.pcap b/testing/btest/Traces/arp-leak.pcap new file mode 100644 index 0000000000..a49919258d Binary files /dev/null and b/testing/btest/Traces/arp-leak.pcap differ diff --git a/testing/btest/Traces/krb/smb2_krb.keytab b/testing/btest/Traces/krb/smb2_krb.keytab new file mode 100644 index 0000000000..0f637c1ef0 Binary files /dev/null and b/testing/btest/Traces/krb/smb2_krb.keytab differ 
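Review bot: In the Makefile `cleanup` target, `@rm -rf $(SCRIPT_COV)*` deletes more than the coverage directory: the trailing glob also matches any sibling entry whose name begins with `.tmp/script-coverage`, which widens an `rm -rf` beyond the path the variable names. If the intent is to also sweep up files from the previous flat naming (`.tmp/script-coverage.XXXXXX`, which btest.cfg drops in this same commit), that deserves a comment, e.g. `# glob also removes pre-directory script-coverage.* files`; otherwise `@rm -rf $(SCRIPT_COV)` is the tighter form. The `coverage` target's `"$(SCRIPT_COV)/*"` already assumes a directory, so the two targets would then agree on the layout.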
diff --git a/testing/btest/Traces/krb/smb2_krb.pcap b/testing/btest/Traces/krb/smb2_krb.pcap new file mode 100755 index 0000000000..0f726f45d7 Binary files /dev/null and b/testing/btest/Traces/krb/smb2_krb.pcap differ diff --git a/testing/btest/Traces/ncp.pcap b/testing/btest/Traces/ncp.pcap new file mode 100644 index 0000000000..d8c61b3683 Binary files /dev/null and b/testing/btest/Traces/ncp.pcap differ diff --git a/testing/btest/broker/remote_publish_and_relay_event.bro b/testing/btest/broker/remote_publish_and_relay_event.bro new file mode 100644 index 0000000000..493e673af2 --- /dev/null +++ b/testing/btest/broker/remote_publish_and_relay_event.bro 
@@ -0,0 +1,125 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run three "bro -B broker -b ../three.bro >three.out" +# @TEST-EXEC: btest-bg-run two "bro -B broker -b ../two.bro >two.out" +# @TEST-EXEC: btest-bg-run one "bro -B broker -b ../one.bro >one.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff one/one.out +# @TEST-EXEC: btest-diff two/two.out +# @TEST-EXEC: btest-diff three/three.out + +@TEST-START-FILE one.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + } + +event ready_event() + { + print "got ready event"; + + Broker::publish_and_relay("bro/event/pre-relay", "bro/event/post-relay", + my_event, "hello world"); + } + +event bro_init() + { + Broker::subscribe("bro/event/ready"); + Broker::peer("127.0.0.1", 10000/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + terminate(); + } + +@TEST-END-FILE + + +@TEST-START-FILE two.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +global peers_added = 0; + +event my_event(s: string) + { + print "got my_event", s; + } + +event ready_event() + { + } + +event bro_init() + { + Broker::subscribe("bro/event/pre-relay"); + Broker::listen("127.0.0.1", 10000/tcp); + Broker::peer("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + ++peers_added; + + if ( peers_added == 2 ) + { + print "sending ready event"; + Broker::publish("bro/event/ready", 
ready_event); + } + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE three.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + terminate(); + } + +event bro_init() + { + Broker::subscribe("bro/event/post-relay"); + Broker::listen("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +@TEST-END-FILE diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 2b9d75287f..6671d70b64 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -22,6 +22,8 @@ DIST=%(testbase)s/../.. BUILD=%(testbase)s/../../build TEST_DIFF_CANONIFIER=%(testbase)s/../scripts/diff-canonifier TMPDIR=%(testbase)s/.tmp -BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX +BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX BTEST_RST_FILTER=$SCRIPTS/rst-filter BRO_DNS_FAKE=1 +BRO_DEFAULT_LISTEN_ADDRESS=127.0.0.1 +BRO_DISABLE_BROXYGEN=1 diff --git a/testing/btest/core/old_comm_usage.bro b/testing/btest/core/old_comm_usage.bro new file mode 100644 index 0000000000..0e9ae2f1f6 --- /dev/null +++ b/testing/btest/core/old_comm_usage.bro @@ -0,0 +1,7 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +event bro_init() + { + terminate_communication(); + } 
diff --git a/testing/btest/doc/broxygen/all_scripts.test b/testing/btest/doc/broxygen/all_scripts.test index c0cb07b750..dc009044da 100644 --- a/testing/btest/doc/broxygen/all_scripts.test +++ b/testing/btest/doc/broxygen/all_scripts.test @@ -5,7 +5,7 @@ # listen.bro in order to document it. # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/ +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/ # @TEST-EXEC: btest-diff .stdout # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr diff --git a/testing/btest/doc/broxygen/command_line.bro b/testing/btest/doc/broxygen/command_line.bro index 95558f7461..d009667b7e 100644 --- a/testing/btest/doc/broxygen/command_line.bro +++ b/testing/btest/doc/broxygen/command_line.bro @@ -1,7 +1,7 @@ # Shouldn't emit any warnings about not being able to document something # that's supplied via command line script. -# @TEST-EXEC: bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1 +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1 # @TEST-EXEC: btest-diff output const myvar = 5 &redef; diff --git a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro b/testing/btest/doc/broxygen/comment_retrieval_bifs.bro index 77a6058d71..f3c1be6b14 100644 --- a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro +++ b/testing/btest/doc/broxygen/comment_retrieval_bifs.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b %INPUT >out # @TEST-EXEC: btest-diff out ##! This is a test script. diff --git a/testing/btest/doc/broxygen/enums.bro b/testing/btest/doc/broxygen/enums.bro index e8b4c741c2..8fbdb11ab6 100644 --- a/testing/btest/doc/broxygen/enums.bro +++ b/testing/btest/doc/broxygen/enums.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-enums.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/example.bro b/testing/btest/doc/broxygen/example.bro index e7212f3c5f..22a6fc7418 100644 --- a/testing/btest/doc/broxygen/example.bro +++ b/testing/btest/doc/broxygen/example.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config %INPUT # @TEST-EXEC: btest-diff example.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/func-params.bro b/testing/btest/doc/broxygen/func-params.bro index 42d1308151..e53ca475f1 100644 --- a/testing/btest/doc/broxygen/func-params.bro +++ b/testing/btest/doc/broxygen/func-params.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-func-params.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/identifier.bro b/testing/btest/doc/broxygen/identifier.bro index db5c2528ee..9225ab8db0 100644 --- a/testing/btest/doc/broxygen/identifier.bro +++ b/testing/btest/doc/broxygen/identifier.bro @@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/package.bro b/testing/btest/doc/broxygen/package.bro index fd75a1ce21..0d8d790361 100644 --- a/testing/btest/doc/broxygen/package.bro +++ b/testing/btest/doc/broxygen/package.bro 
@@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/package_index.bro b/testing/btest/doc/broxygen/package_index.bro index ef6cc4ab29..4b98290f20 100644 --- a/testing/btest/doc/broxygen/package_index.bro +++ b/testing/btest/doc/broxygen/package_index.bro @@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/records.bro b/testing/btest/doc/broxygen/records.bro index 0cc7d27500..fbaa957a9f 100644 --- a/testing/btest/doc/broxygen/records.bro +++ b/testing/btest/doc/broxygen/records.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-records.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/script_index.bro b/testing/btest/doc/broxygen/script_index.bro index 86e1909863..c987c005be 100644 --- a/testing/btest/doc/broxygen/script_index.bro +++ b/testing/btest/doc/broxygen/script_index.bro @@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.bro index a7aafc65a0..7fc89c3735 100644 --- a/testing/btest/doc/broxygen/script_summary.bro +++ b/testing/btest/doc/broxygen/script_summary.bro 
@@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/type-aliases.bro b/testing/btest/doc/broxygen/type-aliases.bro index 28c2cc5568..0971327c2b 100644 --- a/testing/btest/doc/broxygen/type-aliases.bro +++ b/testing/btest/doc/broxygen/type-aliases.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/vectors.bro b/testing/btest/doc/broxygen/vectors.bro index 62fb31d436..7c18225357 100644 --- a/testing/btest/doc/broxygen/vectors.bro +++ b/testing/btest/doc/broxygen/vectors.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-vectors.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/language/count.bro b/testing/btest/language/count.bro index b0972e29fa..39a3786dfb 100644 --- a/testing/btest/language/count.bro +++ b/testing/btest/language/count.bro @@ -47,6 +47,17 @@ event bro_init() test_case( "assignment operator", c2 == 8 ); c2 -= 2; test_case( "assignment operator", c2 == 6 ); + test_case( "bitwise and", c2 & 0x4 == 0x4 ); + test_case( "bitwise and", c4 & 0x4 == 0x4 ); + test_case( "bitwise and", c8 & 0x4 == 0x0 ); + test_case( "bitwise or", c2 | 0x4 == c2 ); + test_case( "bitwise or", c4 | 0x4 == c4 ); + test_case( "bitwise or", c8 | 0x4 == c7 ); + test_case( "bitwise xor", c7 ^ 0x4 == c8 ); + test_case( "bitwise xor", c4 ^ 0x4 == 251 ); + test_case( "bitwise xor", c8 ^ 0x4 == c7 ); + test_case( "bitwise complement", ~c6 == 0 ); + test_case( "bitwise complement", ~~c4 == c4 ); # Max. value tests 
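Review bot: In the count.bro hunk the new assertions mix `&`, `|`, `^` with `==` without parentheses, e.g. `test_case( "bitwise and", c2 & 0x4 == 0x4 );`, so their meaning depends on whether the grammar gives the new bitwise operators higher precedence than comparison; if it follows C, `==` binds tighter and this parses as `c2 & (0x4 == 0x4)`. Writing each check as `( c2 & 0x4 ) == 0x4`, `( c8 | 0x4 ) == c7` and `( c4 ^ 0x4 ) == 251` makes the intended precedence explicit and keeps the test valid whichever way the parser resolves it. The same applies to every bitwise line in this hunk; the enclosing `event bro_init()` body starts and ends outside it.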
diff --git a/testing/btest/scripts/base/protocols/arp/bad.test b/testing/btest/scripts/base/protocols/arp/bad.test new file mode 100644 index 0000000000..efe9b1d15a --- /dev/null +++ b/testing/btest/scripts/base/protocols/arp/bad.test @@ -0,0 +1,17 @@ +# @TEST-EXEC: bro -r $TRACES/arp-leak.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string) + { + print "REQ", mac_src, mac_dst, SPA, SHA, TPA, THA; + } + +event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string) + { + print "REP", mac_src, mac_dst, SPA, SHA, TPA, THA; + } + +event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string) + { + print "BAD", SPA, SHA, TPA, THA, explanation; + } diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb.test b/testing/btest/scripts/base/protocols/krb/smb2_krb.test new file mode 100644 index 0000000000..08c05d83f1 --- /dev/null +++ b/testing/btest/scripts/base/protocols/krb/smb2_krb.test @@ -0,0 +1,21 @@ +# This test verifies that given the proper keytab file, the +# Kerberos analyzer can open the AD ticket in the Negociate +# Protocol Request and find the user. +# +# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h +# +# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab +# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb2_krb.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +redef KRB::keytab = "smb2_krb.keytab"; +global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef; + +event bro_init() &priority=5{ + Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports); +} + +event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options){ + print ticket$authenticationinfo; +} + diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test new file mode 100644 index 0000000000..0d2c68d142 --- /dev/null 
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test @@ -0,0 +1,20 @@ +# This test verifies that without a keytab file no entries are +# created and no errors happen. +# +# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h +# +# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab +# @TEST-EXEC: bro -C -r $TRACES/krb/smb2_krb.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: btest-diff .stderr + +global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef; + +event bro_init() &priority=5{ + Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports); +} + +event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options){ + print ticket?$authenticationinfo; +} + diff --git a/testing/btest/scripts/base/protocols/ncp/event.bro b/testing/btest/scripts/base/protocols/ncp/event.bro new file mode 100644 index 0000000000..acb4bf0a0c --- /dev/null +++ b/testing/btest/scripts/base/protocols/ncp/event.bro @@ -0,0 +1,20 @@ +# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT >out +# @TEST-EXEC: btest-diff out + +redef likely_server_ports += { 524/tcp }; + +event bro_init() + { + const ports = { 524/tcp }; + Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports); + } + +event ncp_request(c: connection, frame_type: count, length: count, func: count) + { + print "ncp request", frame_type, length, func; + } + +event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count) + { + print "ncp reply", frame_type, length, req_frame, req_func, completion_code; + } diff --git a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro new file mode 100644 index 0000000000..46ad87e752 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro 
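Review bot: smb2_krb_nokeytab.test still carries `# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab` although the test's stated purpose is to run without a keytab; the copy is unused because nothing redefines `KRB::keytab`, and it would silently turn this into a with-keytab test should a default keytab lookup ever consult the working directory. Dropping that line, or replacing it with `# no keytab is copied on purpose: KRB::keytab stays unset`, keeps the negative case honest. It also differs from smb2_krb.test by running `bro -C -r` without `-b`, so the two tests load different script sets; if that is deliberate a one-line comment would save the next reader the comparison.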
@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
+# @TEST-EXEC: btest-diff out
+
+redef likely_server_ports += { 524/tcp };
+
+event bro_init()
+ {
+ const ports = { 524/tcp };
+ Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports);
+ }
+
+event ncp_request(c: connection, frame_type: count, length: count, func: count)
+ {
+ print "ncp request", frame_type, length, func;
+ }
+
+event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
+ {
+ print "ncp reply", frame_type, length, req_frame, req_func, completion_code;
+ }
diff --git a/testing/btest/scripts/base/protocols/smb/smb2.test b/testing/btest/scripts/base/protocols/smb/smb2.test
index 33ce0e29a3..67539b5e5a 100644
--- a/testing/btest/scripts/base/protocols/smb/smb2.test
+++ b/testing/btest/scripts/base/protocols/smb/smb2.test
@@ -19,3 +19,8 @@ event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::Cre
 print fmt("smb2_create_response %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, response);
 }
 
+event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id:
+ SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs)
+ {
+ print fmt("smb2_file_sattr %s -> %s:%d %s MACTimes:%s FileAttrs:%s", c$id$orig_h, c$id$resp_h, c$id$resp_p, file_id, times, attrs);
+ }
diff --git a/testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test b/testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test
new file mode 100644
index 0000000000..de0dc9e59f
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event x509_extension(f: fa_file, ext: X509::Extension)
+ {
+ if ( ext$oid != "1.3.6.1.5.5.7.1.12" )
+ return;
+
+ print ext$short_name;
+ print ext$value;
+ }
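Review bot: frame_size_tuning.bro is a verbatim copy of event.bro except for `NCP::max_frame_size=150` on the `@TEST-EXEC` line, so every future change to the two event handlers has to be made twice and the baselines can silently drift apart. btest accepts several `@TEST-EXEC` lines per file, so the second run can live in event.bro as `# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out-small` followed by `# @TEST-EXEC: btest-diff out-small`, and the duplicate file can go. Whichever shape is kept, the test should state what the 150-byte cap is expected to change in the output (fewer events, a truncated reply, a weird), since the baseline alone does not explain it.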
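Review bot: The new `smb2_file_sattr` handler in smb2.test breaks its signature between a parameter name and its type (`file_id:` at the end of one line, `SMB2::GUID` starting the next), which reads as if `file_id` were untyped and is unlike every other handler in the file. Breaking after the comma keeps each parameter intact: `event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,` and then `	times: SMB::MACTimes, attrs: SMB2::FileAttrs)`. A one-line comment naming which SMB2 request carries the set-attribute data this event reports would also help, since the handler only prints the record.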
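Review bot: x509-invalid-extension.test hard-codes OID `1.3.6.1.5.5.7.1.12` with no comment on why that particular extension in ocsp-stapling.trace is the one worth pinning, so the regression being guarded is not recoverable from the test itself. I would add a header along the lines of `# Regression test: a certificate in this trace carries an extension with OID 1.3.6.1.5.5.7.1.12 (id-pe-logotype, if I read the arc correctly) that the X509 extension parser previously mishandled; it must be reported with a sane short_name/value and without error.`, adjusting the wording to whatever the parser defect actually was. Because the baseline captures parser output on an input chosen for being malformed, it is worth running this test once under ASan/UBSan to confirm the recorded value is not the product of an out-of-bounds read.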
diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg
index 4315ade850..39aaead17a 100644
--- a/testing/external/subdir-btest.cfg
+++ b/testing/external/subdir-btest.cfg
@@ -18,7 +18,7 @@ SCRIPTS=%(testbase)s/../scripts
 SCRIPTS_LOCAL=%(testbase)s/scripts
 DIST=%(testbase)s/../../..
 BUILD=%(testbase)s/../../../build
-BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX
+BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX
 BRO_DNS_FAKE=1
 # For fedora 21 - they disable MD5 for certificate verification and need setting an environment variable to permit it.
 OPENSSL_ENABLE_MD5_VERIFY=1
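Review bot: The new `BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX` moves the coverage template into a `script-coverage/` subdirectory, but nothing in this hunk creates that directory; if the profiler expands the template with mkstemp(3), it will fail with ENOENT whenever `.tmp/script-coverage` does not already exist. Either the harness that prepares `.tmp` must `mkdir -p` this subdirectory before Bro starts, or the consumer of BRO_PROFILER_FILE must create the parent itself, and a comment here should say which side is responsible, e.g. `# the script-coverage/ directory must exist before Bro starts (created by the test runner)`. Keeping the XXXXXX template is the right call, as it leaves the per-run coverage file unpredictable rather than a fixed name in a shared temp directory.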
