Merge remote-tracking branch 'origin/master' into topic/johanna/config-cluster

Johanna Amann 2018-06-22 10:43:09 -07:00
commit 948bb4b9ec
110 changed files with 2354 additions and 240 deletions

135
CHANGES

@ -1,4 +1,139 @@
2.5-679 | 2018-06-21 16:00:48 -0500
* Add support for bitwise operations (&, |, ^, ~) on "count" values.
(Vern Paxson)
2.5-671 | 2018-06-21 11:55:39 -0500
* Add ability for BroControl to skip cluster setup (Corelight)
* BIT-1938: fix crash in Broker manager shutdown (Corelight)
* Disable broxygen when running unit tests (Daniel Thayer)
2.5-668 | 2018-06-15 17:14:33 -0500
* Make old comm. system usages an error unless old_comm_usage_is_ok is set
(Corelight)
2.5-667 | 2018-06-15 15:30:11 -0500
* Add --disable-broker-tests configure option (Corelight)
2.5-663 | 2018-06-14 12:51:28 -0500
* Add Broker::max_threads and Broker::max_sleep tuning options,
remove Broker::max_live_threads and Broker::max_pcap threads (Corelight)
* Minor optimization to bro_broker::Manager::FlushPendingQueries (Corelight)
2.5-660 | 2018-06-12 13:49:39 -0500
* Add Broker::max_live_threads and Broker::max_pcap_threads tunables
(Corelight)
2.5-658 | 2018-06-08 16:41:07 +0000
* Allow BRO_DEFAULT_LISTEN_ADDRESS to control broker listen address.
This environment variable is now set to listen only on IPv4
loopback when running unit tests (instead of using the default
INADDR_ANY). (Corelight)
* Move some of the @loads out from init-bare.bro into a new
init-frameworks-and-bifs.bro in order to better support calling BIFs
(like `getenv`) from variable initializations in those particular
frameworks. (Corelight)
2.5-655 | 2018-06-08 10:43:03 -0500
* Correct conn history field documentation (Corelight)
2.5-652 | 2018-06-07 13:57:23 -0500
* GH-131: disable krb ticket decryption on non-Linux (Corelight)
2.5-651 | 2018-06-07 09:57:29 -0500
* Fix signed/unsigned comparison compiler warning (Corelight)
2.5-650 | 2018-06-06 16:20:18 -0500
* Improve Broker performance (Corelight)
2.5-648 | 2018-06-05 17:32:47 -0500
* BIT-1936: improve Broxygen warnings (Corelight)
2.5-647 | 2018-06-05 15:19:16 -0500
* Update `make doc`: don't copy broker docs (Corelight)
2.5-646 | 2018-06-05 11:31:43 -0500
* Add NCP::max_frame_size tuning option (Corelight)
* Migrate NCP analyzer to use latest analyzer API (Corelight)
* Fix read at invalid address in X509 extension parser (Johanna Amann)
2.5-642 | 2018-06-04 13:52:46 -0500
* Make 0 be a valid packet source timestamp (Corelight)
2.5-641 | 2018-06-04 09:18:59 -0700
* Add Broker::publish_and_relay BIF
Like Broker::relay, except the relaying-node also calls event handlers. (Corelight)
* Document variable argument list BIFs using ellipsis. (Corelight).
* Support unserializing broker data into type 'any'
The receiver side will wrap the data as a Broker::Data value, which
can then be type-checked/cast via 'is' or 'as' operators to a specific
Bro type. For example:
Sender:
Broker::publish("topic", my_event, "hello")
Receiver:
event my_event(arg: any)
{
if ( arg is string )
print arg as string;
}
(Corelight)
* Fix a bug in broker data type-casting check (Corelight)
* Remove dead code in broker data/val conversion function (Corelight)
* SSH protocol now assesses the packet length at an earlier stage within binpac
(Andrew Woodford).
* Remove some UTF-8 characters that snuck into a few scripts. (Corelight)
* Decrypt the krb ticket and extract authentication data. (Julien Wallior)
2.5-619 | 2018-06-01 11:29:15 -0500
* Relocate temporary script coverage files (Corelight)
2.5-618 | 2018-06-01 10:03:24 -0500
* BIT-1635: fix `make doc` warnings (Corelight)
* Add smb2_file_sattr event (Devin Trejo)
* Add bad ARP tests (Pierre LATET)
* Fix SCT validation when invalid certificates are in chain. (Johanna Amann)
2.5-611 | 2018-05-29 10:13:17 -0500
* Fix NEWS file formatting (Corelight)
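Review bot: The 2.5-663 entry names the removed option "Broker::max_pcap threads" without the underscore, while the 2.5-660 entry that introduced it spells it Broker::max_pcap_threads. Anyone grepping the changelog for the option name will miss the removal, so the 2.5-663 line should use the same spelling. The stray period after "(Corelight)" in the "Document variable argument list BIFs" entry is also inconsistent with the other attributions.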


@ -143,6 +143,15 @@ if (LIBGEOIP_FOUND)
list(APPEND OPTLIBS ${LibGeoIP_LIBRARY})
endif ()
set(USE_KRB5 false)
if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux )
find_package(LibKrb5)
if (LibKrb5_FOUND)
set(USE_KRB5 true)
list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
endif ()
endif ()
set(HAVE_PERFTOOLS false)
set(USE_PERFTOOLS_DEBUG false)
set(USE_PERFTOOLS_TCMALLOC false)
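Review bot: The Linux-only guard around find_package(LibKrb5) means that a --with-krb5=PATH passed to configure on any other platform sets LibKrb5_ROOT_DIR and is then ignored without a word; the summary only prints "Kerberos: false". A message() in an else() branch stating that Kerberos ticket decryption is only built on Linux would let the user see why the option had no effect. The same applies on Linux when LibKrb5 is not found: nothing distinguishes "not requested" from "requested but missing".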
@ -294,6 +303,7 @@ message(
"\nAux. Tools: ${INSTALL_AUX_TOOLS}"
"\n"
"\nGeoIP: ${USE_GEOIP}"
"\nKerberos: ${USE_KRB5}"
"\ngperftools found: ${HAVE_PERFTOOLS}"
"\n tcmalloc: ${USE_PERFTOOLS_TCMALLOC}"
"\n debugging: ${USE_PERFTOOLS_DEBUG}"

7
NEWS

@ -242,6 +242,13 @@ New Functionality
- Added new SMB events: smb1_transaction_secondary_request,
smb1_transaction2_secondary_request, smb1_transaction_response
- Bro can now decrypt Kerberos tickets, and retrieve the authentication from
them, given a suitable keytab file.
- Added support for bitwise operations on "count" values. '&', '|' and
'^' are binary "and", "or" and "xor" operators, and '~' is a unary
ones-complement operator.
Changed Functionality
---------------------
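Review bot: The Kerberos entry says Bro can "retrieve the authentication from them", which does not tell the reader what is retrieved; the CHANGES entry calls it "authentication data". The entry also leaves out two things a user needs before trying this: the option that supplies the keytab (KRB::keytab in init-bare.bro) and the fact that decryption is disabled on non-Linux builds (GH-131 in CHANGES). Suggest naming the option and the platform restriction here.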


@ -1 +1 @@
2.5-611
2.5-679

@ -1 +1 @@
Subproject commit 0b2ef114fdac4c135d357693d7e74a441dee8db3
Subproject commit 951aeae8e4a08c598203cf61387f015ec4e0849d

@ -1 +1 @@
Subproject commit ad99dc534f2574a47a808d677fc76098f42a1b54
Subproject commit eeb677ff696f8ea3eaa43a765fe40da07ed5281d

@ -1 +1 @@
Subproject commit 701a539f295f138bb1c44953310e083a4210fe1b
Subproject commit d9041cc95d2232dbbcf36647f34537da22e360ff

@ -1 +1 @@
Subproject commit 7e68ad436e122fa95c87b6caca0e2e7b20dd5b97
Subproject commit c5dd2ba83dda185d2008731a5cd25b2b8131ac78

@ -1 +1 @@
Subproject commit 7b84848bded443637fa34e76f7d8558bd1cafbee
Subproject commit 08f41ccc2497f4c6567da0b95488593c39a12a01


@ -108,6 +108,9 @@
/* GeoIP geographic lookup functionality */
#cmakedefine USE_GEOIP
/* Define if KRB5 is available */
#cmakedefine USE_KRB5
/* Whether the found GeoIP API supports IPv6 Country Edition */
#cmakedefine HAVE_GEOIP_COUNTRY_EDITION_V6

2
cmake

@ -1 +1 @@
Subproject commit 5080aef1aeeea5bc6b0d8c481ef42f5be2b391a9
Subproject commit 1600554d1d907f4f252f19cf1f55e13d368a936f

8
configure vendored

@ -55,6 +55,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
--disable-auxtools don't build or install auxiliary tools
--disable-perftools don't try to build with Google Perftools
--disable-python don't try to build python bindings for broker
--disable-broker-tests don'e try to build Broker unit tests
Required Packages in Non-Standard Locations:
--with-openssl=PATH path to OpenSSL install root
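Review bot: Typo in the new usage line for --disable-broker-tests: "don'e try to build Broker unit tests" should read "don't try to build Broker unit tests", matching the wording of the --disable-python and --disable-perftools lines above it.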
@ -72,6 +73,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
Optional Packages in Non-Standard Locations:
--with-geoip=PATH path to the libGeoIP install root
--with-krb5=PATH path to krb5 install root
--with-perftools=PATH path to Google Perftools install root
--with-jemalloc=PATH path to jemalloc install root
--with-python-lib=PATH path to libpython
@ -226,6 +228,9 @@ while [ $# -ne 0 ]; do
--disable-python)
append_cache_entry DISABLE_PYTHON_BINDINGS BOOL true
;;
--disable-broker-tests)
append_cache_entry BROKER_DISABLE_TESTS BOOL true
;;
--with-openssl=*)
append_cache_entry OPENSSL_ROOT_DIR PATH $optarg
;;
@ -250,6 +255,9 @@ while [ $# -ne 0 ]; do
--with-geoip=*)
append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg
;;
--with-krb5=*)
append_cache_entry LibKrb5_ROOT_DIR PATH $optarg
;;
--with-perftools=*)
append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
;;


@ -4,8 +4,6 @@ set(BROXYGEN_SCRIPT_OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/broxygen_script_output)
set(BROXYGEN_CACHE_DIR ${CMAKE_CURRENT_BINARY_DIR}/broxygen_cache)
set(BROCCOLI_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html)
set(BROCCOLI_DOCS_DST ${CMAKE_BINARY_DIR}/html/broccoli-api)
set(BROKER_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broker/doc/html)
set(BROKER_DOCS_DST ${CMAKE_BINARY_DIR}/html/broker-manual)
# Find out what BROPATH to use when executing bro.
execute_process(COMMAND ${CMAKE_BINARY_DIR}/bro-path-dev
@ -63,9 +61,6 @@ add_custom_target(sphinxdoc
COMMAND "${CMAKE_COMMAND}" -E create_symlink
${SPHINX_OUTPUT_DIR}/html
${CMAKE_BINARY_DIR}/html
# Copy Broker manual into output dir.
COMMAND rm -rf ${BROKER_DOCS_DST} &&
cp -r ${BROKER_DOCS_SRC} ${BROKER_DOCS_DST}
WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
COMMENT "[Sphinx] Generate HTML documentation in ${CMAKE_BINARY_DIR}/html")


@ -195,8 +195,6 @@ html_sidebars = {
# Output file base name for HTML help builder.
htmlhelp_basename = 'Broxygen'
html_add_permalinks = None
# -- Options for LaTeX output --------------------------------------------------
# The paper size ('letter' or 'a4').


@ -50,6 +50,13 @@ General Porting Tips
- The ``&synchronized`` and ``&persistent`` attributes are deprecated,
consider using `Data Stores`_ instead.
- Usages of the old communications system features are all deprecated,
however, they also do not work in the default Bro configuration unless
you manually take action to set up the old communication system.
To aid in porting, such usages will default to raising a fatal error
unless you explicitly acknowledge that such usages of the old system
are ok. Set the :bro:see:`old_comm_usage_is_ok`` flag in this case.
- Instead of using e.g. ``Cluster::manager2worker_events`` (and all
permutations for every node type), what you'd now use is either
:bro:see:`Broker::publish` or :bro:see:`Broker::auto_publish` with
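Review bot: The role markup in the last sentence of the new bullet is unbalanced: :bro:see:`old_comm_usage_is_ok`` opens with one backtick and closes with two, so the cross-reference will not render as a link. Drop the extra backtick. The first sentence ("... are all deprecated, however, they also do not work ...") is also a comma splice and would read better split in two.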


@ -91,6 +91,10 @@ Here is a more detailed description of each type:
type, but a unary plus or minus applied to a "count" results in an
"int".
In addition, "count" types support bitwise operations. You can use
``&``, ``|``, and ``^`` for bitwise ``and'', ``or'', and ``xor''. You
can also use ``~`` for bitwise (one's) complement.
.. bro:type:: double
A numeric type representing a double-precision floating-point
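Review bot: The new paragraph quotes the operator names LaTeX-style as ``and'', ``or'', and ``xor''. In reStructuredText a double backtick opens an inline literal, and two apostrophes do not close it, so these will not render as quoted words. Use plain double quotes ("and", "or", "xor") as the surrounding text already does for "count" and "int", or close each literal with a matching double backtick.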
@ -233,6 +237,14 @@ Here is a more detailed description of each type:
is false since "oob" does not appear at the start of "foobar". The
``!in`` operator would yield the negation of ``in``.
Finally, you can create a disjunction (either-or) of two literal patterns
using the ``|`` operator. For example::
/foo/ | /bar/ in "foobar"
yields true, like in the similar example above. (This does not presently
work for variables whose values are patterns, however.)
.. bro:type:: port
A type representing transport-level port numbers (besides TCP and
@ -585,6 +597,9 @@ Here is a more detailed description of each type:
The resulting vector of bool is the logical "and" (or logical "or") of
each element of the operand vectors.
Vectors of type ``count`` can also be operands for the bitwise and/or/xor
operators, ``&``, ``|`` and ``^``.
See the :bro:keyword:`for` statement for info on how to iterate over
the elements in a vector.


@ -65,7 +65,7 @@ export {
[9] = "WINDOWS_CE_GUI",
[10] = "EFI_APPLICATION",
[11] = "EFI_BOOT_SERVICE_DRIVER",
[12] = "EFI_RUNTIME_DRIVER",
[12] = "EFI_RUNTIME_DRIVER",
[13] = "EFI_ROM",
[14] = "XBOX"
} &default=function(i: count):string { return fmt("unknown-%d", i); };


@ -14,7 +14,7 @@ export {
## Default address on which to listen.
##
## .. bro:see:: Broker::listen
const default_listen_address = "" &redef;
const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef;
## Default interval to retry connecting to a peer if it cannot be made to work
## initially, or if it ever becomes disconnected.
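Review bot: The doc comment above default_listen_address still only says "Default address on which to listen", but the value now comes from getenv("BRO_DEFAULT_LISTEN_ADDRESS"). The comment should name the environment variable and state what happens when it is unset: the value is then the empty string, which according to the CHANGES entry means listening on INADDR_ANY. Since this decides which interfaces the Broker endpoint is exposed on, it is worth having in the generated documentation rather than only in the changelog.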
@ -51,6 +51,16 @@ export {
## all peers.
const ssl_keyfile = "" &redef;
## Max number of threads to use for Broker/CAF functionality.
## Using zero will cause this to be automatically determined
## based on number of available CPUs.
const max_threads = 0 &redef;
## Max number of microseconds for under-utilized Broker/CAF
## threads to sleep. Using zero will cause this to be automatically
## determined or just use CAF's default setting.
const max_sleep = 0 &redef;
## Forward all received messages to subscribing peers.
const forward_messages = F &redef;


@ -44,6 +44,9 @@ function connect_peers_with_type(node_type: NodeType)
event bro_init() &priority=-10
{
if ( getenv("BROCTL_CHECK_CONFIG") != "" )
return;
local self = nodes[node];
for ( i in registered_pools )
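Review bot: The early return on getenv("BROCTL_CHECK_CONFIG") != "" at the top of bro_init() has no comment, and nothing in this file says who sets that variable or why the rest of the handler has to be skipped. A one-line comment explaining that BroControl sets it during a configuration check so that cluster setup is skipped (as the CHANGES entry for 2.5-671 describes) would keep the next reader from removing it as dead code.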


@ -1,4 +1,4 @@
@load base/bif/const.bif.bro
@load base/bif/const.bif
@load base/bif/types.bif
# Type declarations
@ -1797,9 +1797,11 @@ type gtp_delete_pdp_ctx_response_elements: record {
};
# Prototypes of Bro built-in functions.
@load base/bif/strings.bif
@load base/bif/bro.bif
@load base/bif/stats.bif
@load base/bif/reporter.bif
@load base/bif/strings.bif
@load base/bif/option.bif
## Deprecated. This is superseded by the new logging framework.
global log_file_name: function(tag: string): string &redef;
@ -4245,6 +4247,8 @@ export {
module KRB;
export {
## Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
const keytab = "" &redef;
## KDC Options. See :rfc:`4120`
type KRB::KDC_Options: record {
## The ticket to be issued should have its forwardable flag set.
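Review bot: The comment on the new KRB::keytab option does not say what the default empty string means, nor that the option only has an effect in builds where USE_KRB5 is defined (Linux with LibKrb5 found, per the CMake hunk). Please document both, so that a user who sets a keytab on another platform is not left wondering why no tickets are decrypted.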
@ -4367,6 +4371,8 @@ export {
cipher : count;
## Cipher text of the ticket
ciphertext : string &optional;
## Authentication info
authenticationinfo: string &optional;
};
type KRB::Ticket_Vector: vector of KRB::Ticket;
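Review bot: The new authenticationinfo field is documented only as "Authentication info", which does not tell a script writer what the string contains or when it is present. Suggest stating that it is filled in only when the ticket could be decrypted with the configured KRB::keytab, and describing the format of the value.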
@ -4806,6 +4812,12 @@ export {
const max_frag_data = 30000 &redef;
}
module NCP;
export {
## The maximum number of bytes to allocate when parsing NCP frames.
const max_frame_size = 65536 &redef;
}
module Cluster;
export {
type Cluster::Pool: record {};
@ -4823,16 +4835,9 @@ const global_hash_seed: string = "" &redef;
## The maximum is currently 128 bits.
const bits_per_uid: count = 96 &redef;
# Load these frameworks here because they use fairly deep integration with
# BiFs and script-land defined types.
@load base/frameworks/logging
@load base/frameworks/broker
@load base/frameworks/input
@load base/frameworks/analyzer
@load base/frameworks/files
@load base/bif
# Load BiFs defined by plugins.
@load base/bif/plugins
## Whether usage of the old communication system is considered an error or
## not. The default Bro configuration no longer works with the non-Broker
## communication system unless you have manually taken action to initialize
## and set up the old comm. system. Deprecation warnings are still emitted
## when setting this flag, but they will not result in a fatal error.
const old_comm_usage_is_ok: bool = F &redef;


@ -0,0 +1,15 @@
# Load these frameworks here because they use fairly deep integration with
# BiFs and script-land defined types. They are also more likely to
# make use of calling BIFs for variable initializations, and that
# can't be done until init-bare.bro has been loaded completely (hence
# the separate file).
@load base/frameworks/logging
@load base/frameworks/broker
@load base/frameworks/input
@load base/frameworks/analyzer
@load base/frameworks/files
@load base/bif
# Load BiFs defined by plugins.
@load base/bif/plugins


@ -95,9 +95,12 @@ export {
##
## If the event comes from the originator, the letter is in
## upper-case; if it comes from the responder, it's in
## lower-case. Multiple packets of the same type will only be
## noted once (e.g. we only record one "d" in each direction,
## regardless of how many data packets were seen.)
## lower-case. The 'a', 'c', 'd', 'i', 'q', and 't' flags are
## recorded a maximum of one time in either direction regardless
## of how many are actually seen. However, 'f', 'h', 'r', or
## 's' may be recorded multiple times for either direction and
## only compressed when sharing a sequence number with the
## last-seen packet of the same flag type.
history: string &log &optional;
## Number of packets that the originator sent.
## Only set if :bro:id:`use_conn_size_analyzer` = T.


@ -64,8 +64,8 @@ redef SMB::statuses += {
[0x40000007] = [$id="BAD_CURRENT_DIRECTORY", $desc="{Invalid Current Directory} The process cannot switch to the startup current directory %hs. Select OK to set the current directory to %hs, or select CANCEL to exit."],
[0x40000008] = [$id="SERIAL_MORE_WRITES", $desc="{Serial IOCTL Complete} A serial I/O operation was completed by another write to a serial port. (The IOCTL_SERIAL_XOFF_COUNTER reached zero.)"],
[0x40000009] = [$id="REGISTRY_RECOVERED", $desc="{Registry Recovery} One of the files that contains the system registry data had to be recovered by using a log or alternate copy. The recovery was successful."],
[0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."],
[0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."],
[0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."],
[0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."],
[0x4000000C] = [$id="SERIAL_COUNTER_TIMEOUT", $desc="{Serial IOCTL Timeout} A serial I/O operation completed because the time-out period expired. (The IOCTL_SERIAL_XOFF_COUNTER had not reached zero.)"],
[0x4000000D] = [$id="NULL_LM_PASSWORD", $desc="{Password Too Complex} The Windows password is too complex to be converted to a LAN Manager password. The LAN Manager password that returned is a NULL string."],
[0x4000000E] = [$id="IMAGE_MACHINE_TYPE_MISMATCH", $desc="{Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine. Select OK to continue, or CANCEL to fail the DLL load."],
@ -494,7 +494,7 @@ redef SMB::statuses += {
[0xC0000131] = [$id="INVALID_IMAGE_WIN_16", $desc="The specified image file did not have the correct format: it appears to be a 16-bit Windows image."],
[0xC0000132] = [$id="LOGON_SERVER_CONFLICT", $desc="The Netlogon service cannot start because another Netlogon service running in the domain conflicts with the specified role."],
[0xC0000133] = [$id="TIME_DIFFERENCE_AT_DC", $desc="The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount."],
[0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."],
[0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."],
[0xC0000135] = [$id="DLL_NOT_FOUND", $desc="{Unable To Locate Component} This application has failed to start because %hs was not found. Reinstalling the application may fix this problem."],
[0xC0000136] = [$id="OPEN_FAILED", $desc="The NtCreateFile API failed. This error should never be returned to an application; it is a place holder for the Windows LAN Manager Redirector to use in its internal error-mapping routines."],
[0xC0000137] = [$id="IO_PRIVILEGE_FAILED", $desc="{Privilege Failed} The I/O permissions for the process could not be changed."],
@ -536,7 +536,7 @@ redef SMB::statuses += {
[0xC000015B] = [$id="LOGON_TYPE_NOT_GRANTED", $desc="A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network."],
[0xC000015C] = [$id="NOT_REGISTRY_FILE", $desc="The system has attempted to load or restore a file into the registry, and the specified file is not in the format of a registry file."],
[0xC000015D] = [$id="NT_CROSS_ENCRYPTION_REQUIRED", $desc="An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password."],
[0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."],
[0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."],
[0xC000015F] = [$id="FT_MISSING_MEMBER", $desc="An attempt was made to explicitly access the secondary copy of information via a device control to the fault tolerance driver and the secondary copy is not present in the system."],
[0xC0000160] = [$id="ILL_FORMED_SERVICE_ENTRY", $desc="A configuration registry node that represents a driver service entry was ill-formed and did not contain the required value entries."],
[0xC0000161] = [$id="ILLEGAL_CHARACTER", $desc="An illegal character was encountered. For a multibyte character set, this includes a lead byte without a succeeding trail byte. For the Unicode character set this includes the characters 0xFFFF and 0xFFFE."],
@ -577,7 +577,7 @@ redef SMB::statuses += {
[0xC0000188] = [$id="LOG_FILE_FULL", $desc="The log file space is insufficient to support this operation."],
[0xC0000189] = [$id="TOO_LATE", $desc="A write operation was attempted to a volume after it was dismounted."],
[0xC000018A] = [$id="NO_TRUST_LSA_SECRET", $desc="The workstation does not have a trust secret for the primary domain in the local LSA database."],
[0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."],
[0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."],
[0xC000018C] = [$id="TRUSTED_DOMAIN_FAILURE", $desc="The logon request failed because the trust relationship between the primary domain and the trusted domain failed."],
[0xC000018D] = [$id="TRUSTED_RELATIONSHIP_FAILURE", $desc="The logon request failed because the trust relationship between this workstation and the primary domain failed."],
[0xC000018E] = [$id="EVENTLOG_FILE_CORRUPT", $desc="The Eventlog log file is corrupt."],
@ -833,18 +833,18 @@ redef SMB::statuses += {
[0xC00002FD] = [$id="KDC_UNKNOWN_ETYPE", $desc="The encryption type requested is not supported by the KDC."],
[0xC00002FE] = [$id="SHUTDOWN_IN_PROGRESS", $desc="A system shutdown is in progress."],
[0xC00002FF] = [$id="SERVER_SHUTDOWN_IN_PROGRESS", $desc="The server machine is shutting down."],
[0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."],
[0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."],
[0xC0000301] = [$id="WMI_GUID_DISCONNECTED", $desc="The WMI GUID is no longer available."],
[0xC0000302] = [$id="WMI_ALREADY_DISABLED", $desc="Collection or events for the WMI GUID is already disabled."],
[0xC0000303] = [$id="WMI_ALREADY_ENABLED", $desc="Collection or events for the WMI GUID is already enabled."],
[0xC0000304] = [$id="MFT_TOO_FRAGMENTED", $desc="The master file table on the volume is too fragmented to complete this operation."],
[0xC0000305] = [$id="COPY_PROTECTION_FAILURE", $desc="Copy protection failure."],
[0xC0000306] = [$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection errorDVD CSS Authentication failed."],
[0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection errorThe specified sector does not contain a valid key."],
[0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection errorDVD session key not established."],
[0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection errorThe read failed because the sector is encrypted."],
[0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection errorThe region of the specified DVD does not correspond to the region setting of the drive."],
[0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection errorThe region setting of the drive may be permanent."],
[0xC0000306] = [$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection error-DVD CSS Authentication failed."],
[0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection error-The specified sector does not contain a valid key."],
[0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection error-DVD session key not established."],
[0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection error-The read failed because the sector is encrypted."],
[0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection error-The region of the specified DVD does not correspond to the region setting of the drive."],
[0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection error-The region setting of the drive may be permanent."],
[0xC0000320] = [$id="PKINIT_FAILURE", $desc="The Kerberos protocol encountered an error while validating the KDC certificate during smart card logon. There is more information in the system event log."],
[0xC0000321] = [$id="SMARTCARD_SUBSYSTEM_FAILURE", $desc="The Kerberos protocol encountered an error while attempting to use the smart card subsystem."],
[0xC0000322] = [$id="NO_KERB_KEY", $desc="The target server does not have acceptable Kerberos credentials."],
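Review bot: In the six CSS_* entries (0xC0000306 to 0xC000030B) the separator after "Copy protection error" is now a bare hyphen with no spaces, giving descriptions such as "Copy protection error-DVD CSS Authentication failed." That reads as a compound word. Since these strings end up in logs, " - " or ": " would keep them ASCII and still readable.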
@ -855,7 +855,7 @@ redef SMB::statuses += {
[0xC0000354] = [$id="DEBUGGER_INACTIVE", $desc="An attempt to do an operation on a debug port failed because the port is in the process of being deleted."],
[0xC0000355] = [$id="DS_VERSION_CHECK_FAILURE", $desc="This version of Windows is not compatible with the behavior version of the directory forest, domain, or domain controller."],
[0xC0000356] = [$id="AUDITING_DISABLED", $desc="The specified event is currently not being audited."],
[0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."],
[0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."],
[0xC0000358] = [$id="DS_AG_CANT_HAVE_UNIVERSAL_MEMBER", $desc="An account group cannot have a universal group as a member."],
[0xC0000359] = [$id="INVALID_IMAGE_WIN_32", $desc="The specified image file did not have the correct format; it appears to be a 32-bit Windows image."],
[0xC000035A] = [$id="INVALID_IMAGE_WIN_64", $desc="The specified image file did not have the correct format; it appears to be a 64-bit Windows image."],


@ -18,6 +18,7 @@ export {
FILE_CLOSE,
FILE_DELETE,
FILE_RENAME,
FILE_SET_ATTRIBUTE,
PIPE_READ,
PIPE_WRITE,


@ -239,6 +239,26 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,
SMB::write_file_log(c$smb_state);
}
event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5
{
SMB::write_file_log(c$smb_state);
}
event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5
{
SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);
switch ( c$smb_state$current_tree$share_type )
{
case "DISK":
c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE;
break;
default:
c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE;
break;
}
}
event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5
{
SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);
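Review bot: In the priority 5 smb2_file_sattr handler, the switch on c$smb_state$current_tree$share_type has a "DISK" case and a default case that both assign SMB::FILE_SET_ATTRIBUTE, so the switch has no effect. Either replace it with the single assignment, or, if non-disk shares were meant to get a different action, set that action in the default branch.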


@ -180,6 +180,8 @@ hook ssl_finishing(c: connection) &priority=19
{
if ( i == 0 ) # end-host-cert
next;
if ( ! c$ssl$cert_chain[i]?$x509 || ! c$ssl$cert_chain[i]$x509?$handle )
next;
issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4);
valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);

@ -1 +1 @@
Subproject commit 6511cd6e45811af0904947a36e565dcb9eee61dd
Subproject commit c78abc8454932019f030045340348560a8ac9b23


@ -50,10 +50,18 @@ bool Brofiler::WriteStats()
char* bf = getenv("BRO_PROFILER_FILE");
if ( ! bf ) return false;
FILE* f;
const char* p = strstr(bf, ".XXXXXX");
SafeDirname dirname{bf};
if ( p && ! p[7] )
if ( ! ensure_intermediate_dirs(dirname.result.data()) )
{
reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf);
return false;
}
FILE* f;
const char* p = strstr(bf, "XXXXXX");
if ( p && ! p[6] )
{
mode_t old_umask = umask(S_IXUSR | S_IRWXO | S_IRWXG);
int fd = mkstemp(bf);
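Review bot: The reporter->Error call in the new ensure_intermediate_dirs branch says "Failed to open BRO_PROFILER_FILE destination '%s' for writing", but what failed at that point is creating the parent directories of bf, not opening the file. A message naming the directory (dirname.result) would point the user at the real problem. Two related questions on the same lines: the directories are created before the umask(...) call that restricts the temp file, so which permissions do they get; and the template check strstr(bf, "XXXXXX") followed by ! p[6] only looks at the first occurrence, so a path with "XXXXXX" earlier in it is not treated as a template even when it ends in one.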


@ -21,8 +21,10 @@ const char* expr_name(BroExprTag t)
static const char* expr_names[int(NUM_EXPRS)] = {
"name", "const",
"(*)",
"++", "--", "!", "+", "-",
"+", "-", "+=", "-=", "*", "/", "%", "&&", "||",
"++", "--", "!", "~", "+", "-",
"+", "-", "+=", "-=", "*", "/", "%",
"&", "|", "^",
"&&", "||",
"<", "<=", "==", "!=", ">=", ">", "?:", "ref",
"=", "~", "[]", "$", "?$", "[=]",
"table()", "set()", "vector()",
@ -702,6 +704,12 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const
else \
Internal("bad type in BinaryExpr::Fold");
#define DO_UINT_FOLD(op) \
if ( is_unsigned ) \
u3 = u1 op u2; \
else \
Internal("bad type in BinaryExpr::Fold");
#define DO_FOLD(op) \
if ( is_integral ) \
i3 = i1 op i2; \
@ -775,8 +783,12 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const
break;
case EXPR_AND: DO_INT_FOLD(&&); break;
case EXPR_OR: DO_INT_FOLD(||); break;
case EXPR_AND: DO_UINT_FOLD(&); break;
case EXPR_OR: DO_UINT_FOLD(|); break;
case EXPR_XOR: DO_UINT_FOLD(^); break;
case EXPR_AND_AND: DO_INT_FOLD(&&); break;
case EXPR_OR_OR: DO_INT_FOLD(||); break;
case EXPR_LT: DO_INT_VAL_FOLD(<); break;
case EXPR_LE: DO_INT_VAL_FOLD(<=); break;
@ -1077,6 +1089,39 @@ bool IncrExpr::DoUnserialize(UnserialInfo* info)
return true;
}
ComplementExpr::ComplementExpr(Expr* arg_op) : UnaryExpr(EXPR_COMPLEMENT, arg_op)
{
if ( IsError() )
return;
BroType* t = op->Type();
TypeTag bt = t->Tag();
if ( bt != TYPE_COUNT )
ExprError("requires \"count\" operand");
else
SetType(base_type(TYPE_COUNT));
}
Val* ComplementExpr::Fold(Val* v) const
{
return new Val(~ v->InternalUnsigned(), type->Tag());
}
IMPLEMENT_SERIAL(ComplementExpr, SER_COMPLEMENT_EXPR);
bool ComplementExpr::DoSerialize(SerialInfo* info) const
{
DO_SERIALIZE(SER_COMPLEMENT_EXPR, UnaryExpr);
return true;
}
bool ComplementExpr::DoUnserialize(UnserialInfo* info)
{
DO_UNSERIALIZE(UnaryExpr);
return true;
}
NotExpr::NotExpr(Expr* arg_op) : UnaryExpr(EXPR_NOT, arg_op)
{
if ( IsError() )
@ -1670,14 +1715,14 @@ Val* BoolExpr::DoSingleEval(Frame* f, Val* v1, Expr* op2) const
RE_Matcher* re1 = v1->AsPattern();
RE_Matcher* re2 = v2->AsPattern();
RE_Matcher* res = tag == EXPR_AND ?
RE_Matcher* res = tag == EXPR_AND_AND ?
RE_Matcher_conjunction(re1, re2) :
RE_Matcher_disjunction(re1, re2);
return new PatternVal(res);
}
if ( tag == EXPR_AND )
if ( tag == EXPR_AND_AND )
{
if ( v1->IsZero() )
return v1;
@ -1741,8 +1786,8 @@ Val* BoolExpr::Eval(Frame* f) const
VectorVal* result = 0;
// It's either and EXPR_AND or an EXPR_OR.
bool is_and = (tag == EXPR_AND);
// It's either and EXPR_AND_AND or an EXPR_OR_OR.
bool is_and = (tag == EXPR_AND_AND);
if ( scalar_v->IsZero() == is_and )
{
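Review bot: The comment rewritten in this hunk carries over a typo: "It's either and EXPR_AND_AND or an EXPR_OR_OR" should be "either an EXPR_AND_AND". Since the line is being touched anyway, fix it here.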
@ -1783,7 +1828,7 @@ Val* BoolExpr::Eval(Frame* f) const
Val* op2 = vec_v2->Lookup(i);
if ( op1 && op2 )
{
bool local_result = (tag == EXPR_AND) ?
bool local_result = (tag == EXPR_AND_AND) ?
(! op1->IsZero() && ! op2->IsZero()) :
(! op1->IsZero() || ! op2->IsZero());
@ -1813,6 +1858,49 @@ bool BoolExpr::DoUnserialize(UnserialInfo* info)
return true;
}
BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
: BinaryExpr(arg_tag, arg_op1, arg_op2)
{
if ( IsError() )
return;
TypeTag bt1 = op1->Type()->Tag();
if ( IsVector(bt1) )
bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
TypeTag bt2 = op2->Type()->Tag();
if ( IsVector(bt2) )
bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
if ( (bt1 == TYPE_COUNT || bt1 == TYPE_COUNTER) &&
(bt2 == TYPE_COUNT || bt2 == TYPE_COUNTER) )
{
if ( bt1 == TYPE_COUNTER && bt2 == TYPE_COUNTER )
ExprError("cannot apply a bitwise operator to two \"counter\" operands");
else if ( is_vector(op1) || is_vector(op2) )
SetType(new VectorType(base_type(TYPE_COUNT)));
else
SetType(base_type(TYPE_COUNT));
}
else
ExprError("requires \"count\" operands");
}
IMPLEMENT_SERIAL(BitExpr, SER_BIT_EXPR);
bool BitExpr::DoSerialize(SerialInfo* info) const
{
DO_SERIALIZE(SER_BIT_EXPR, BinaryExpr);
return true;
}
bool BitExpr::DoUnserialize(UnserialInfo* info)
{
DO_UNSERIALIZE(BinaryExpr);
return true;
}
EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
: BinaryExpr(arg_tag, arg_op1, arg_op2)
{
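Review bot: in the BitExpr constructor, `is_vector(op1) || is_vector(op2)` sets a vector result type even when only one operand is a vector, and nothing in this hunk rejects a scalar/vector mix. Either require both operands to be vectors (or both scalars) here, or add a comment stating that the inherited fold path handles the mixed case. The fallback message "requires \"count\" operands" also hides that one "counter" operand is accepted, so the two error strings should be aligned with the actual rule.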

View file

@ -17,10 +17,13 @@ typedef enum {
EXPR_ANY = -1,
EXPR_NAME, EXPR_CONST,
EXPR_CLONE,
EXPR_INCR, EXPR_DECR, EXPR_NOT, EXPR_POSITIVE, EXPR_NEGATE,
EXPR_INCR, EXPR_DECR,
EXPR_NOT, EXPR_COMPLEMENT,
EXPR_POSITIVE, EXPR_NEGATE,
EXPR_ADD, EXPR_SUB, EXPR_ADD_TO, EXPR_REMOVE_FROM,
EXPR_TIMES, EXPR_DIVIDE, EXPR_MOD,
EXPR_AND, EXPR_OR,
EXPR_AND, EXPR_OR, EXPR_XOR,
EXPR_AND_AND, EXPR_OR_OR,
EXPR_LT, EXPR_LE, EXPR_EQ, EXPR_NE, EXPR_GE, EXPR_GT,
EXPR_COND,
EXPR_REF,
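Review bot: EXPR_COMPLEMENT, EXPR_XOR, EXPR_AND_AND and EXPR_OR_OR are inserted in the middle of BroExprTag, which shifts the numeric value of every later tag. Please confirm that any table indexed by this enum gets its new entries at the same positions, and note in the commit message that tag values changed in case anything persists them.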
@ -379,6 +382,19 @@ protected:
DECLARE_SERIAL(IncrExpr);
};
class ComplementExpr : public UnaryExpr {
public:
explicit ComplementExpr(Expr* op);
protected:
friend class Expr;
ComplementExpr() { }
Val* Fold(Val* v) const override;
DECLARE_SERIAL(ComplementExpr);
};
class NotExpr : public UnaryExpr {
public:
explicit NotExpr(Expr* op);
@ -532,6 +548,17 @@ protected:
DECLARE_SERIAL(BoolExpr);
};
class BitExpr : public BinaryExpr {
public:
BitExpr(BroExprTag tag, Expr* op1, Expr* op2);
protected:
friend class Expr;
BitExpr() { }
DECLARE_SERIAL(BitExpr);
};
class EqExpr : public BinaryExpr {
public:
EqExpr(BroExprTag tag, Expr* op1, Expr* op2);

View file

@ -55,7 +55,10 @@ void NFA_State::AddXtionsTo(NFA_state_list* ns)
NFA_State* NFA_State::DeepCopy()
{
if ( mark )
{
Ref(mark);
return mark;
}
NFA_State* copy = ccl ? new NFA_State(ccl) : new NFA_State(sym, 0);
SetMark(copy);
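Review bot: the early return in NFA_State::DeepCopy now hands out an extra reference via `Ref(mark)`, but nothing documents that the caller owns one reference on the returned state in both the marked and the freshly copied case. A one-line comment above `DeepCopy()` stating that ownership rule would keep the next change from reintroducing the imbalance.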

View file

@ -83,6 +83,8 @@ extern iosource::PktDumper* pkt_dumper; // where to save packets
extern char* writefile;
extern int old_comm_usage_count;
// Script file we have already scanned (or are in the process of scanning).
// They are identified by inode number.
struct ScannedFile {

View file

@ -3,7 +3,7 @@
// How to make objects of class Foo serializable:
//
// 1. Derive Foo (directly or indirectly) from SerialObj.
// 2. Add a SER_FOO constant to SerialTypes below.
// 2. Add a SER_FOO constant to SerialTypes in SerialTypes.h.
// 3. Add DECLARE_SERIAL(Foo) into class definition.
// 4. Add a (preferably protected) default ctor if it doesn't already exist.
// 5. For non-abstract classes, add IMPLEMENT_SERIAL(Foo, SER_FOO) to *.cc

View file

@ -164,6 +164,8 @@ SERIAL_EXPR(TABLE_COERCE_EXPR, 43)
SERIAL_EXPR(VECTOR_COERCE_EXPR, 44)
SERIAL_EXPR(CAST_EXPR, 45)
SERIAL_EXPR(IS_EXPR_, 46) // Name conflict with internal SER_IS_EXPR constant.
SERIAL_EXPR(BIT_EXPR, 47)
SERIAL_EXPR(COMPLEMENT_EXPR, 48)
#define SERIAL_STMT(name, val) SERIAL_CONST(name, val, STMT)
SERIAL_STMT(STMT, 1)

View file

@ -1017,7 +1017,7 @@ double EventPlayer::NextTimestamp(double* local_network_time)
return ne_time;
if ( ! io )
return 0;
return -1;
// Read next event if we don't have one waiting.
if ( ! ne_time )
@ -1028,7 +1028,7 @@ double EventPlayer::NextTimestamp(double* local_network_time)
}
if ( ! ne_time )
return 0;
return -1;
if ( ! network_time )
{
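Review bot: EventPlayer::NextTimestamp now returns -1 instead of 0 on the `! io` and `! ne_time` paths in this hunk and the previous one, with no comment saying what a negative value means. Document the return contract at the declaration (negative means no timestamp is available) and check that every caller tests for `< 0` rather than for zero.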

View file

@ -1184,8 +1184,15 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
if ( d->FindType(td->type) )
d->Add("<recursion>");
else
{
if ( num_fields == 1 && streq(td->id, "va_args") &&
td->type->Tag() == TYPE_ANY )
// This was a BIF using variable argument list
d->Add("...");
else
td->DescribeReST(d);
}
if ( func_args )
continue;
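Review bot: the inner `if ( num_fields == 1 && streq(td->id, "va_args") && ...)` / `else` pair in DescribeFieldsReST is unbraced and has a comment sitting between the condition and its statement, which makes the nesting easy to misread. Put braces around both inner branches. It would also help to name the "va_args" convention in the comment so the string match does not look arbitrary.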

View file

@ -6,12 +6,52 @@
using namespace analyzer::krb;
bool KRB_Analyzer::krb_available = false;
#ifdef USE_KRB5
krb5_context KRB_Analyzer::krb_context = nullptr;
krb5_keytab KRB_Analyzer::krb_keytab = nullptr;
std::once_flag KRB_Analyzer::krb_initialized;
#endif
KRB_Analyzer::KRB_Analyzer(Connection* conn)
: Analyzer("KRB", conn)
{
interp = new binpac::KRB::KRB_Conn(this);
#ifdef USE_KRB5
std::call_once(krb_initialized, Initialize_Krb);
#endif
}
#ifdef USE_KRB5
void KRB_Analyzer::Initialize_Krb()
{
if ( BifConst::KRB::keytab->Len() == 0 )
return; // no keytab set
const char* keytab_filename = BifConst::KRB::keytab->CheckString();
if ( access(keytab_filename, R_OK) != 0 )
{
reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename);
return;
}
krb5_error_code retval = krb5_init_context(&krb_context);
if ( retval )
{
reporter->Warning("KRB: Couldn't initialize the context (%s)", krb5_get_error_message(krb_context, retval));
return;
}
retval = krb5_kt_resolve(krb_context, keytab_filename, &krb_keytab);
if ( retval )
{
reporter->Warning("KRB: Couldn't resolve keytab (%s)", krb5_get_error_message(krb_context, retval));
return;
}
krb_available = true;
}
#endif
KRB_Analyzer::~KRB_Analyzer()
{
delete interp;
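Review bot: in Initialize_Krb both warning paths pass the result of `krb5_get_error_message()` straight into `reporter->Warning`, and that string is allocated by the library and has to be released with `krb5_free_error_message()`. Store it in a local, log it, then free it. When `krb5_kt_resolve` fails the function also returns with `krb_context` initialized but never freed, and nothing in this hunk releases the context or keytab at shutdown, so add the matching `krb5_kt_close` / `krb5_free_context` calls.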
@ -37,3 +77,60 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
}
}
StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype)
{
#ifdef USE_KRB5
if ( !krb_available )
return nullptr;
BroString delim("/");
int pos = principal->FindSubstring(&delim);
if ( pos == -1 )
{
reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
return nullptr;
}
std::unique_ptr<BroString> service = unique_ptr<BroString>(principal->GetSubstring(0, pos));
std::unique_ptr<BroString> hostname = unique_ptr<BroString>(principal->GetSubstring(pos + 1, -1));
if ( !service || !hostname )
{
reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
return nullptr;
}
krb5_principal sprinc;
krb5_error_code retval = krb5_sname_to_principal(krb_context, hostname->CheckString(), service->CheckString(), KRB5_NT_SRV_HST, &sprinc);
if ( retval )
{
reporter->Warning("KRB: Couldn't generate principal name (%s)", krb5_get_error_message(krb_context, retval));
return nullptr;
}
krb5_ticket tkt;
tkt.server = sprinc;
tkt.enc_part.enctype = enctype;
tkt.enc_part.ciphertext.data = reinterpret_cast<char*>(ciphertext->Bytes());
tkt.enc_part.ciphertext.length = ciphertext->Len();
retval = krb5_server_decrypt_ticket_keytab(krb_context, krb_keytab, &tkt);
if ( retval )
{
reporter->Warning("KRB: Couldn't decrypt ticket (%s)", krb5_get_error_message(krb_context, retval));
return nullptr;
}
char* cp;
retval = krb5_unparse_name(krb_context, tkt.enc_part2->client, &cp);
if ( retval )
{
reporter->Warning("KRB: Couldn't unparse name (%s)", krb5_get_error_message(krb_context, retval));
return nullptr;
}
StringVal* ret = new StringVal(cp);
krb5_free_unparsed_name(krb_context, cp);
return ret;
#else
return nullptr;
#endif
}
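Review bot: GetAuthenticationInfo never releases `sprinc` (needs `krb5_free_principal`) on any path, and after a successful `krb5_server_decrypt_ticket_keytab` the decrypted `tkt.enc_part2` is not freed either (`krb5_free_enc_tkt_part`), so every AP request seen leaks memory, and the error-message strings leak as in Initialize_Krb. Two further points: `krb5_sname_to_principal` with `KRB5_NT_SRV_HST` may canonicalize the hostname through DNS depending on library configuration, which is a blocking call on the packet path. And a `reporter->Warning` per ticket that the keytab cannot decrypt will flood the log on a busy link, so consider a weird or a rate-limited message. Use `std::unique_ptr` consistently instead of the unqualified `unique_ptr<BroString>` on the right-hand side.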

View file

@ -5,6 +5,10 @@
#include "krb_pac.h"
#ifdef USE_KRB5
#include <krb5.h>
#endif
namespace analyzer { namespace krb {
class KRB_Analyzer : public analyzer::Analyzer {
@ -20,9 +24,20 @@ public:
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }
StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype);
protected:
binpac::KRB::KRB_Conn* interp;
private:
static bool krb_available;
#ifdef USE_KRB5
static std::once_flag krb_initialized;
static void Initialize_Krb();
static krb5_context krb_context;
static krb5_keytab krb_keytab;
#endif
};
} } // namespace analyzer::*
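Review bot: the header declares `static std::once_flag krb_initialized;` but the only include added in this file is `<krb5.h>`. Add `#include <mutex>` here rather than relying on a transitive include. `krb_available` is declared outside the `#ifdef USE_KRB5` block while everything that sets it is inside, so a short comment that it stays false without libkrb5 would help.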

View file

@ -22,6 +22,8 @@ public:
// Overriden from tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) { return new StringVal(""); }
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }
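Review bot: the TCP analyzer's `GetAuthenticationInfo` stub returns `new StringVal("")`, whereas the UDP implementation returns `nullptr` when it has nothing. The caller in the pac code tests `if ( authenticationinfo )` before assigning field 5, so over TCP every ticket gets an empty string set instead of the field being left unset. Return `nullptr` here for consistent behaviour, and add a comment that ticket decryption is not wired up for KRB over TCP.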

View file

@ -245,8 +245,12 @@ refine connection KRB_Conn += {
rv->Assign(0, new Val(${msg.ap_options.use_session_key}, TYPE_BOOL));
rv->Assign(1, new Val(${msg.ap_options.mutual_required}, TYPE_BOOL));
RecordVal* rvticket = proc_ticket(${msg.ticket});
StringVal* authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
if ( authenticationinfo )
rvticket->Assign(5, authenticationinfo);
BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
proc_ticket(${msg.ticket}), rv);
rvticket, rv);
}
return true;
%}
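Review bot: the call `GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount())` addresses the ticket record by bare indices 2, 3, 4 and then 5, and dereferences each `Lookup` result without a null check. Name the indices (or add a comment mapping them to the record fields) and guard against an unset field before calling `AsString()`, since these values come from parsed network input.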

View file

@ -4,14 +4,22 @@
%extern{
#include "types.bif.h"
#include "events.bif.h"
namespace analyzer { namespace krb { class KRB_Analyzer; } }
namespace binpac { namespace KRB { class KRB_Conn; } }
typedef analyzer::krb::KRB_Analyzer* KRBAnalyzer;
#include "KRB.h"
%}
extern type KRBAnalyzer;
analyzer KRB withcontext {
connection: KRB_Conn;
flow: KRB_Flow;
};
connection KRB_Conn(bro_analyzer: BroAnalyzer) {
connection KRB_Conn(bro_analyzer: KRBAnalyzer) {
upflow = KRB_Flow(true);
downflow = KRB_Flow(false);
};

View file

@ -4,14 +4,22 @@
%extern{
#include "types.bif.h"
#include "events.bif.h"
namespace analyzer { namespace krb_tcp { class KRB_Analyzer; } }
namespace binpac { namespace KRB_TCP { class KRB_Conn; } }
typedef analyzer::krb_tcp::KRB_Analyzer* KRBTCPAnalyzer;
#include "KRB_TCP.h"
%}
extern type KRBTCPAnalyzer;
analyzer KRB_TCP withcontext {
connection: KRB_Conn;
flow: KRB_Flow;
};
connection KRB_Conn(bro_analyzer: BroAnalyzer) {
connection KRB_Conn(bro_analyzer: KRBTCPAnalyzer) {
upflow = KRB_Flow(true);
downflow = KRB_Flow(false);
};

View file

@ -1,5 +1,7 @@
module KRB;
const keytab: string;
type Error_Msg: record;
type SAFE_Msg: record;

View file

@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
bro_plugin_begin(Bro NCP)
bro_plugin_cc(NCP.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_bif(events.bif consts.bif)
bro_plugin_pac(ncp.pac)
bro_plugin_end()

View file

@ -9,6 +9,7 @@
#include "NCP.h"
#include "events.bif.h"
#include "consts.bif.h"
using namespace std;
using namespace analyzer::ncp;
@ -79,7 +80,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
}
}
FrameBuffer::FrameBuffer(int header_length)
FrameBuffer::FrameBuffer(size_t header_length)
{
hdr_len = header_length;
msg_buf = 0;
@ -105,13 +106,12 @@ void FrameBuffer::Reset()
msg_len = 0;
}
// Returns true if we have a complete frame
bool FrameBuffer::Deliver(int &len, const u_char* &data)
int FrameBuffer::Deliver(int &len, const u_char* &data)
{
ASSERT(buf_len >= hdr_len);
if ( len == 0 )
return false;
return -1;
if ( buf_n < hdr_len )
{
@ -123,13 +123,16 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data)
}
if ( buf_n < hdr_len )
return false;
return -1;
compute_msg_length();
if ( msg_len > buf_len )
{
buf_len = msg_len * 2;
if ( msg_len > BifConst::NCP::max_frame_size )
return 1;
buf_len = msg_len;
u_char* new_buf = new u_char[buf_len];
memcpy(new_buf, msg_buf, buf_n);
delete [] msg_buf;
@ -143,7 +146,13 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data)
++buf_n; ++data; --len;
}
return buf_n >= msg_len;
if ( buf_n < msg_len )
return -1;
if ( buf_n == msg_len )
return 0;
return 1;
}
void NCP_FrameBuffer::compute_msg_length()
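Review bot: the tail of FrameBuffer::Deliver returns 1 whenever `buf_n > msg_len`, the same code used earlier for `msg_len > BifConst::NCP::max_frame_size`. The caller turns every 1 into `Weird("ncp_large_frame")`, so a frame whose computed length is smaller than the bytes already buffered (for example a length below the header size) is reported as too large. Use a distinct return value for the inconsistent-length case, or at least document that 1 means "discard and resync" rather than "too large".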
@ -159,11 +168,7 @@ Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Se
{
session = arg_session;
resync = true;
tcp::TCP_Analyzer* tcp = static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
if ( tcp )
resync = (orig ? tcp->OrigState() : tcp->RespState()) !=
tcp::TCP_ENDPOINT_ESTABLISHED;
resync_set = false;
}
Contents_NCP_Analyzer::~Contents_NCP_Analyzer()
@ -174,20 +179,23 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
{
tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
tcp::TCP_Analyzer* tcp = static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
auto tcp = static_cast<NCP_Analyzer*>(Parent())->TCP();
if ( ! resync_set )
{
resync_set = true;
resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
tcp::TCP_ENDPOINT_ESTABLISHED;
}
if ( tcp && tcp->HadGap(orig) )
return;
DEBUG_MSG("NCP deliver: len = %d resync = %d buffer.empty = %d\n",
len, resync, buffer.empty());
if ( buffer.empty() && resync )
{
// Assume NCP frames align with packet boundary.
if ( (IsOrig() && len < 22) || (! IsOrig() && len < 16) )
{ // ignore small fragmeents
DEBUG_MSG("NCP discard small pieces: %d\n", len);
return;
}
@ -204,11 +212,28 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
resync = false;
}
while ( buffer.Deliver(len, data) )
for ( ; ; )
{
auto result = buffer.Deliver(len, data);
if ( result < 0 )
break;
if ( result == 0 )
{
session->Deliver(IsOrig(), buffer.Len(), buffer.Data());
buffer.Reset();
}
else
{
// The rest of the data available in this delivery will
// be discarded and will need to resync to a new frame header.
Weird("ncp_large_frame");
buffer.Reset();
resync = true;
break;
}
}
}
void Contents_NCP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
@ -224,13 +249,13 @@ NCP_Analyzer::NCP_Analyzer(Connection* conn)
{
session = new NCP_Session(this);
o_ncp = new Contents_NCP_Analyzer(conn, true, session);
AddSupportAnalyzer(o_ncp);
r_ncp = new Contents_NCP_Analyzer(conn, false, session);
AddSupportAnalyzer(r_ncp);
}
NCP_Analyzer::~NCP_Analyzer()
{
delete session;
delete o_ncp;
delete r_ncp;
}

View file

@ -51,11 +51,12 @@ protected:
class FrameBuffer {
public:
explicit FrameBuffer(int header_length);
explicit FrameBuffer(size_t header_length);
virtual ~FrameBuffer();
// Returns true if a frame is ready
bool Deliver(int& len, const u_char* &data);
// Returns -1 if frame is not ready, 0 if it else, and 1 if
// the frame would require too large of a buffer allocation.
int Deliver(int& len, const u_char* &data);
void Reset();
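Review bot: the new comment above `Deliver` reads "0 if it else", which does not parse. Presumably "0 if it is" was intended. Please also state that a return of 1 leaves the buffer in a state where the caller must `Reset()` and resync, since that is what the DeliverStream loop relies on.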
@ -66,11 +67,11 @@ public:
protected:
virtual void compute_msg_length() = 0;
int hdr_len;
size_t hdr_len;
u_char* msg_buf;
int msg_len;
int buf_n; // number of bytes in msg_buf
int buf_len; // size off msg_buf
uint64 msg_len;
size_t buf_n; // number of bytes in msg_buf
size_t buf_len; // size off msg_buf
};
#define NCP_TCPIP_HEADER_LENGTH 8
@ -97,6 +98,7 @@ protected:
// Re-sync for partial connections (or after a content gap).
bool resync;
bool resync_set;
};
class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer {

View file

@ -0,0 +1 @@
const NCP::max_frame_size: count;

View file

@ -6,12 +6,29 @@ enum smb2_set_info_type {
};
enum smb_file_info_type {
SMB2_FILE_BASIC_INFO = 0x04,
SMB2_FILE_RENAME_INFO = 0x0a,
SMB2_FILE_DISPOSITION_INFO = 0x0d,
}
refine connection SMB_Conn += {
function proc_smb2_set_info_request_file(val: SMB2_file_basic_info): bool
%{
if ( smb2_file_sattr )
BifEvent::generate_smb2_file_sattr(bro_analyzer(),
bro_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.creation_time},
${val.change_time}),
smb2_file_attrs_to_bro(${val.file_attrs}));
return true;
%}
function proc_smb2_set_info_request_file_rename(val: SMB2_file_rename_info): bool
%{
if ( smb2_file_rename )
@ -38,6 +55,16 @@ refine connection SMB_Conn += {
};
type SMB2_file_basic_info(sir: SMB2_set_info_request) = record {
creation_time : SMB_timestamp;
last_access_time : SMB_timestamp;
last_write_time : SMB_timestamp;
change_time : SMB_timestamp;
file_attrs : SMB2_file_attributes;
} &let {
proc: bool = $context.connection.proc_smb2_set_info_request_file(this);
};
type SMB2_file_rename_info(sir: SMB2_set_info_request) = record {
replace_if_exists : uint8;
reserved : uint8[7];
@ -55,6 +82,7 @@ type SMB2_file_disposition_info(sir: SMB2_set_info_request) = record {
};
type SMB2_set_info_file_class(sir: SMB2_set_info_request) = case sir.info_level of {
SMB2_FILE_BASIC_INFO -> file_basic : SMB2_file_basic_info(sir);
SMB2_FILE_RENAME_INFO -> file_rename : SMB2_file_rename_info(sir);
SMB2_FILE_DISPOSITION_INFO -> file_disposition : SMB2_file_disposition_info(sir);
default -> info_file_unhandled : empty;

View file

@ -11,7 +11,7 @@
##
## dst_filename: The filename to rename the file into.
##
## .. bro:see:: smb2_message smb2_file_delete
## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr
event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@ -23,12 +23,32 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d
##
## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
##
## file_id: The SMB2 GUID for the file.
##
## delete_pending: A boolean value to indicate that a file should be deleted
## when it's closed if set to T.
##
## .. bro:see:: smb2_message smb2_file_rename
## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr
event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%);
## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
## version 2 requests of type *set_info* of the *file* subtype
##
## For more infomation, see MS-SMB2:2.2.39
##
## c: The connection.
##
## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
##
## file_id: The SMB2 GUID for the file.
##
## times: Timestamps associated with the file in question.
##
## attrs: File attributes.
##
## .. bro:see:: smb2_message smb2_file_rename smb2_file_delete
event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%);
# TODO - Not implemented
# Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
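Review bot: the doc block for `smb2_file_sattr` has a typo ("infomation") and describes the event only as a *set_info* request "of the *file* subtype", which is word for word what a reader would expect for rename and delete too. Say that it is raised for the basic-information class (SMB2_FILE_BASIC_INFO in the pac change) so the three events can be told apart from the documentation.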

View file

@ -173,6 +173,18 @@ refine flow SSH_Flow += {
connection()->bro_analyzer()->ProtocolConfirmation();
return true;
%}
function get_kex_length(v: int, packet_length: uint32): int
%{
switch (v) {
case SSH1:
return packet_length + 4 + 8 - (packet_length % 8);
case SSH2:
return packet_length + 4;
default:
return 1; //currently causes the rest of the packet to dump
}
%}
};
refine typeattr SSH_Version += &let {
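Review bot: get_kex_length computes `packet_length + 4` (and `+ 4 + 8 - (packet_length % 8)` for SSH1) on a `uint32` taken from the wire and returns it as `int`, so values near the top of the 32-bit range wrap around and anything above INT_MAX becomes negative before it is used as `&length`. Bound `packet_length` against a sane maximum first and reject or flag oversized values. The `default: return 1;` branch should also get a real comment explaining why 1 is the chosen length instead of the trailing "currently causes the rest of the packet to dump".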

View file

@ -22,21 +22,23 @@ type SSH_Version(is_orig: bool) = record {
update_version : bool = $context.connection.update_version(version, is_orig);
};
type SSH_Key_Exchange(is_orig: bool) = case $context.connection.get_version() of {
SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig);
SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig);
};
type SSH_Key_Exchange(is_orig: bool) = record {
packet_length: uint32;
key_ex: case $context.connection.get_version() of {
SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig, packet_length);
SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig, packet_length);
};
} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length);
# SSH1 constructs
#################
type SSH1_Key_Exchange(is_orig: bool) = record {
packet_length : uint32;
type SSH1_Key_Exchange(is_orig: bool, packet_length: uint32) = record {
pad_fill : bytestring &length = 8 - (packet_length % 8);
msg_type : uint8;
message : SSH1_Message(is_orig, msg_type, packet_length - 5);
crc : uint32;
} &length = packet_length + 4 + 8 - (packet_length % 8);
} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length) - 4;
type SSH1_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
SSH_SMSG_PUBLIC_KEY -> public_key : SSH1_PUBLIC_KEY(length);
@ -73,8 +75,7 @@ type ssh1_mp_int = record {
## SSH2
type SSH2_Header(is_orig: bool) = record {
packet_length : uint32;
type SSH2_Header(is_orig: bool, packet_length: uint32) = record {
padding_length : uint8;
msg_type : uint8;
} &let {
@ -82,11 +83,11 @@ type SSH2_Header(is_orig: bool) = record {
detach : bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == MSG_NEWKEYS);
};
type SSH2_Key_Exchange(is_orig: bool) = record {
header : SSH2_Header(is_orig);
type SSH2_Key_Exchange(is_orig: bool, packet_length: uint32) = record {
header : SSH2_Header(is_orig, packet_length);
payload : SSH2_Message(is_orig, header.msg_type, header.payload_length);
pad : bytestring &length=header.padding_length;
} &length=header.packet_length + 4;
} &length=packet_length;
type SSH2_Message(is_orig: bool, msg_type: uint8, length: uint32) = case $context.connection.get_state(is_orig) of {
KEX_INIT -> kex : SSH2_KEXINIT(length, is_orig);

View file

@ -113,9 +113,7 @@ static inline Val* get_option(const char* option)
return id->ID_Val();
}
class configuration : public broker::configuration {
public:
configuration(broker::broker_options options)
Manager::BrokerConfig::BrokerConfig(broker::broker_options options)
: broker::configuration(options)
{
openssl_cafile = get_option("Broker::ssl_cafile")->AsString()->CheckString();
@ -124,10 +122,9 @@ public:
openssl_key = get_option("Broker::ssl_keyfile")->AsString()->CheckString();
openssl_passphrase = get_option("Broker::ssl_passphrase")->AsString()->CheckString();
}
};
Manager::BrokerState::BrokerState(broker::broker_options options)
: endpoint(configuration(options)),
Manager::BrokerState::BrokerState(BrokerConfig config)
: endpoint(std::move(config)),
subscriber(endpoint.make_subscriber({}, SUBSCRIBER_MAX_QSIZE)),
status_subscriber(endpoint.make_status_subscriber(true))
{
@ -136,6 +133,7 @@ Manager::BrokerState::BrokerState(broker::broker_options options)
Manager::Manager(bool reading_pcaps)
{
bound_port = 0;
peer_count = 0;
next_timestamp = 1;
SetIdle(false);
@ -172,7 +170,43 @@ void Manager::InitPostScript()
options.forward = get_option("Broker::forward_messages")->AsBool();
options.use_real_time = ! reading_pcaps;
bstate = std::make_shared<BrokerState>(options);
BrokerConfig config{std::move(options)};
auto max_threads = get_option("Broker::max_threads")->AsCount();
auto max_sleep = get_option("Broker::max_sleep")->AsCount();
if ( max_threads )
config.scheduler_max_threads = max_threads;
else
{
// On high-core-count systems, spawning one thread per core
// can lead to significant performance problems even if most
// threads are under-utilized. Related:
// https://github.com/actor-framework/actor-framework/issues/699
if ( reading_pcaps )
config.scheduler_max_threads = 2u;
else
{
auto hc = std::thread::hardware_concurrency();
if ( hc > 8u )
hc = 8u;
else if ( hc < 4u)
hc = 4u;
config.scheduler_max_threads = hc;
}
}
if ( max_sleep )
config.work_stealing_relaxed_sleep_duration_us = max_sleep;
else
// 64ms is just an arbitrary amount derived from testing
// the overhead of a unused CAF actor system on a 32-core system.
// Performance was within 2% of baseline timings (w/o CAF)
// when using this sleep duration.
config.work_stealing_relaxed_sleep_duration_us = 64000;
bstate = std::make_shared<BrokerState>(std::move(config));
}
void Manager::Terminate()
@ -192,7 +226,9 @@ void Manager::Terminate()
FlushLogBuffers();
for ( auto& p : bstate->endpoint.peers() )
bstate->endpoint.unpeer(p.peer.network->address, p.peer.network->port);
if ( p.peer.network )
bstate->endpoint.unpeer(p.peer.network->address,
p.peer.network->port);
bstate->endpoint.shutdown();
}
@ -205,7 +241,7 @@ bool Manager::Active()
if ( bound_port > 0 )
return true;
return bstate->endpoint.peers().size();
return peer_count > 0;
}
void Manager::AdvanceTime(double seconds_since_unix_epoch)
@ -228,9 +264,18 @@ void Manager::FlushPendingQueries()
{
// possibly an infinite loop if a query can recursively
// generate more queries...
Process();
for ( auto& s : data_stores )
{
while ( ! s.second->proxy.mailbox().empty() )
{
auto response = s.second->proxy.receive();
ProcessStoreResponse(s.second, move(response));
}
}
}
SetIdle(false);
}
uint16_t Manager::Listen(const string& addr, uint16_t port)
{
@ -301,7 +346,7 @@ bool Manager::PublishEvent(string topic, std::string name, broker::vector args)
if ( bstate->endpoint.is_shutdown() )
return true;
if ( ! bstate->endpoint.peers().size() )
if ( peer_count == 0 )
return true;
DBG_LOG(DBG_BROKER, "Publishing event: %s",
@ -317,7 +362,7 @@ bool Manager::PublishEvent(string topic, RecordVal* args)
if ( bstate->endpoint.is_shutdown() )
return true;
if ( ! bstate->endpoint.peers().size() )
if ( peer_count == 0 )
return true;
if ( ! args->Lookup(0) )
@ -341,31 +386,47 @@ bool Manager::PublishEvent(string topic, RecordVal* args)
bool Manager::RelayEvent(std::string first_topic,
broker::set relay_topics,
std::string name,
broker::vector args)
broker::vector args,
bool handle_on_relayer)
{
if ( bstate->endpoint.is_shutdown() )
return true;
if ( ! bstate->endpoint.peers().size() )
if ( peer_count == 0 )
return true;
DBG_LOG(DBG_BROKER, "Publishing relay event: %s",
DBG_LOG(DBG_BROKER, "Publishing %s-relay event: %s",
handle_on_relayer ? "handle" : "",
RenderEvent(first_topic, name, args).c_str());
broker::bro::RelayEvent msg(std::move(relay_topics), std::move(name),
if ( handle_on_relayer )
{
broker::bro::HandleAndRelayEvent msg(std::move(relay_topics),
std::move(name),
std::move(args));
bstate->endpoint.publish(std::move(first_topic), std::move(msg));
}
else
{
broker::bro::RelayEvent msg(std::move(relay_topics),
std::move(name),
std::move(args));
bstate->endpoint.publish(std::move(first_topic), std::move(msg));
}
++statistics.num_events_outgoing;
return true;
}
bool Manager::RelayEvent(std::string first_topic,
std::set<std::string> relay_topics,
RecordVal* args)
RecordVal* args,
bool handle_on_relayer)
{
if ( bstate->endpoint.is_shutdown() )
return true;
if ( ! bstate->endpoint.peers().size() )
if ( peer_count == 0 )
return true;
if ( ! args->Lookup(0) )
@ -389,7 +450,7 @@ bool Manager::RelayEvent(std::string first_topic,
topic_set.emplace(std::move(t));
return RelayEvent(first_topic, std::move(topic_set), event_name,
std::move(xs));
std::move(xs), handle_on_relayer);
}
bool Manager::PublishIdentifier(std::string topic, std::string id)
@ -397,7 +458,7 @@ bool Manager::PublishIdentifier(std::string topic, std::string id)
if ( bstate->endpoint.is_shutdown() )
return true;
if ( ! bstate->endpoint.peers().size() )
if ( peer_count == 0 )
return true;
ID* i = global_scope()->Lookup(id.c_str());
@ -437,7 +498,7 @@ bool Manager::PublishLogCreate(EnumVal* stream, EnumVal* writer,
if ( bstate->endpoint.is_shutdown() )
return true;
if ( ! bstate->endpoint.peers().size() )
if ( peer_count == 0 )
return true;
auto stream_id = stream->Type()->AsEnumType()->Lookup(stream->AsEnum());
@ -491,7 +552,7 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int
if ( bstate->endpoint.is_shutdown() )
return true;
if ( ! bstate->endpoint.peers().size() )
if ( peer_count == 0 )
return true;
auto stream_id_num = stream->AsEnum();
@ -820,6 +881,10 @@ void Manager::DispatchMessage(broker::data msg)
ProcessRelayEvent(std::move(msg));
break;
case broker::bro::Message::Type::HandleAndRelayEvent:
ProcessHandleAndRelayEvent(std::move(msg));
break;
case broker::bro::Message::Type::LogCreate:
ProcessLogCreate(std::move(msg));
break;
@ -907,23 +972,23 @@ void Manager::Process()
SetIdle(! had_input);
}
void Manager::ProcessEvent(broker::bro::Event ev)
void Manager::ProcessEvent(std::string name, broker::vector args)
{
DBG_LOG(DBG_BROKER, "Received event: %s", RenderMessage(ev).c_str());
DBG_LOG(DBG_BROKER, "Process event: %s %s",
name.data(), RenderMessage(args).data());
++statistics.num_events_incoming;
auto handler = event_registry->Lookup(name.data());
auto handler = event_registry->Lookup(ev.name().c_str());
if ( ! handler )
return;
auto& args = ev.args();
auto arg_types = handler->FType(false)->ArgTypes()->Types();
if ( static_cast<size_t>(arg_types->length()) != args.size() )
{
reporter->Warning("got event message '%s' with invalid # of args,"
" got %zd, expected %d", ev.name().data(), args.size(),
" got %zd, expected %d", name.data(), args.size(),
arg_types->length());
return;
}
@ -942,7 +1007,7 @@ void Manager::ProcessEvent(broker::bro::Event ev)
{
reporter->Warning("failed to convert remote event '%s' arg #%d,"
" got %s, expected %s",
ev.name().data(), i, got_type,
name.data(), i, got_type,
type_name(expected_type->Tag()));
break;
}
@ -954,6 +1019,11 @@ void Manager::ProcessEvent(broker::bro::Event ev)
delete_vals(vl);
}
void Manager::ProcessEvent(broker::bro::Event ev)
{
ProcessEvent(std::move(ev.name()), std::move(ev.args()));
}
void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev)
{
DBG_LOG(DBG_BROKER, "Received relay event: %s", RenderMessage(ev).c_str());
@ -965,6 +1035,18 @@ void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev)
std::move(ev.args()));
}
void Manager::ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev)
{
DBG_LOG(DBG_BROKER, "Received handle-relay event: %s",
RenderMessage(ev).c_str());
ProcessEvent(ev.name(), ev.args());
for ( auto& t : ev.topics() )
PublishEvent(std::move(broker::get<std::string>(t)),
std::move(ev.name()),
std::move(ev.args()));
}
bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc)
{
DBG_LOG(DBG_BROKER, "Received log-create: %s", RenderMessage(lc).c_str());
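Review bot: the loop in ProcessHandleAndRelayEvent calls `PublishEvent(..., std::move(ev.name()), std::move(ev.args()))` once per topic. If `name()` and `args()` return mutable references, the first iteration moves the contents out and every later topic is published with an empty name and argument list. Copy inside the loop and move only on the last iteration, or take copies before the loop. The same applies to `ProcessEvent(std::move(ev.name()), std::move(ev.args()))` if `ev` is used afterwards.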
@ -1148,16 +1230,19 @@ void Manager::ProcessStatus(broker::status stat)
break;
case broker::sc::peer_added:
++peer_count;
assert(ctx);
log_mgr->SendAllWritersTo(*ctx);
event = Broker::peer_added;
break;
case broker::sc::peer_removed:
--peer_count;
event = Broker::peer_removed;
break;
case broker::sc::peer_lost:
--peer_count;
event = Broker::peer_lost;
break;
}
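Review bot: `peer_count` is decremented on both `peer_removed` and `peer_lost` with no lower bound, and it is a plain `int`. If a status is ever delivered without a matching `peer_added`, or both statuses arrive for one peer, the counter drifts or goes negative, and `Active()` plus every `peer_count == 0` publish guard then gives the wrong answer. Clamp at zero (or assert) and add a comment on which status sequences Broker guarantees.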
@ -1453,11 +1538,7 @@ bool Manager::TrackStoreQuery(StoreHandleVal* handle, broker::request_id id,
const Stats& Manager::GetStatistics()
{
if ( bstate->endpoint.is_shutdown() )
statistics.num_peers = 0;
else
statistics.num_peers = bstate->endpoint.peers().size();
statistics.num_peers = peer_count;
statistics.num_stores = data_stores.size();
statistics.num_pending_queries = pending_queries.size();

View file

@ -148,33 +148,41 @@ public:
bool PublishEvent(std::string topic, RecordVal* ev);
/**
* Sends an event to any interested peers, who, upon receipt, immediately
* republish the event to a new set of topics.
* Sends an event to any interested peers, who, upon receipt,
* republishes the event to a new set of topics and optionally
* calls event handlers.
* @param first_topic the first topic to use when publishing the event
* @param relay_topics the set of topics the receivers will use to
* republish the event. The event is relayed at most a single hop.
* @param name the name of the event
* @param args the event's arguments
* @param handle_on_relayer whether they relaying-node should call event
* handlers.
* @return true if the message is sent successfully.
*/
bool RelayEvent(std::string first_topic,
broker::set relay_topics,
std::string name,
broker::vector args);
broker::vector args,
bool handle_on_relayer);
/**
* Sends an event to any interested peers, who, upon receipt, immediately
* republish the event to a new set of topics.
* Sends an event to any interested peers, who, upon receipt,
* republishes the event to a new set of topics and optionally
* calls event handlers.
* @param first_topic the first topic to use when publishing the event
* @param relay_topics the set of topics the receivers will use to
* republish the event. The event is relayed at most a single hop.
* @param ev the event and its arguments to send to peers, in the form of
* a Broker::Event record type.
* @param handle_on_relayer whether they relaying-node should call event
* handlers.
* @return true if the message is sent successfully.
*/
bool RelayEvent(std::string first_topic,
std::set<std::string> relay_topics,
RecordVal* ev);
RecordVal* ev,
bool handle_on_relayer);
/**
* Send a message to create a log stream to any interested peers.
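Review bot: The new @param handle_on_relayer text reads "whether they relaying-node should call event handlers" in both RelayEvent overloads; "they" should be "the". The summary line also has a subject/verb mismatch ("peers, who, upon receipt, republishes"). Separately, a bare trailing bool makes call sites such as RelayEvent(..., ev, false) hard to read; a small enum or two named wrappers would make the intent visible where it is used.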
@ -331,17 +339,24 @@ public:
private:
class BrokerConfig : public broker::configuration {
public:
BrokerConfig(broker::broker_options options);
};
class BrokerState {
public:
BrokerState(broker::broker_options options);
BrokerState(BrokerConfig config);
broker::endpoint endpoint;
broker::subscriber subscriber;
broker::status_subscriber status_subscriber;
};
void DispatchMessage(broker::data msg);
void ProcessEvent(std::string name, broker::vector args);
void ProcessEvent(broker::bro::Event ev);
void ProcessRelayEvent(broker::bro::RelayEvent re);
void ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev);
bool ProcessLogCreate(broker::bro::LogCreate lc);
bool ProcessLogWrite(broker::bro::LogWrite lw);
bool ProcessIdentifierUpdate(broker::bro::IdentifierUpdate iu);
@ -404,6 +419,8 @@ private:
Stats statistics;
double next_timestamp;
bool reading_pcaps;
int peer_count;
static int script_scope;
static VectorType* vector_of_data_type;
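Review bot: The new member "int peer_count;" has no in-class initializer here, and it is assigned straight into statistics.num_peers elsewhere in this change. Please initialize it (for example "size_t peer_count = 0;") so GetStatistics() cannot return an indeterminate value before the first peer status event, and prefer an unsigned type for a count.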

View file

@ -76,13 +76,13 @@ static bool relay_event_args(val_list& args, const BroString* topic,
if ( args[0]->Type()->Tag() == TYPE_RECORD )
rval = broker_mgr->RelayEvent(topic->CheckString(),
std::move(topic_set),
args[0]->AsRecordVal());
args[0]->AsRecordVal(), false);
else
{
auto ev = broker_mgr->MakeEvent(&args, frame);
rval = broker_mgr->RelayEvent(topic->CheckString(),
std::move(topic_set),
ev);
ev, false);
Unref(ev);
}
@ -133,7 +133,7 @@ function Broker::publish%(topic: string, ...%): bool
## Publishes an event at a given topic, with any receivers automatically
## forwarding it to its peers with a different topic. The event is relayed
## at most a single hop.
## at most a single hop and the relayer does not call any local event handlers.
##
## first_topic: the initial topic to use for publishing the event.
##
@ -181,12 +181,74 @@ function Broker::relay%(first_topic: string, ...%): bool
if ( args[0]->Type()->Tag() == TYPE_RECORD )
rval = broker_mgr->RelayEvent(first_topic->CheckString(),
std::move(topic_set),
args[0]->AsRecordVal());
args[0]->AsRecordVal(), false);
else
{
auto ev = broker_mgr->MakeEvent(&args, frame);
rval = broker_mgr->RelayEvent(first_topic->CheckString(),
std::move(topic_set), ev);
std::move(topic_set), ev, false);
Unref(ev);
}
return new Val(rval, TYPE_BOOL);
%}
## Publishes an event at a given topic, with any receivers automatically
## forwarding it to its peers with a different topic. The event is relayed
## at most a single hop and the relayer does call local event handlers.
##
## first_topic: the initial topic to use for publishing the event.
##
## args: the first member of the argument list may be either a string or
## a set of strings indicating the secondary topic that the first
## set of receivers will use to re-publish the event. The remaining
## members of the argument list are either the return value of a
## previously-made call to :bro:see:`Broker::make_event` or the
## argument list that should be passed along to it, so that it can
## be called as part of executing this function.
##
## Returns: true if the message is sent.
function Broker::publish_and_relay%(first_topic: string, ...%): bool
%{
bro_broker::Manager::ScriptScopeGuard ssg;
val_list* bif_args = @ARGS@;
if ( bif_args->length() < 3 )
{
builtin_error("Broker::publish_and_relay requires at least 3 arguments");
return new Val(false, TYPE_BOOL);
}
auto second_topic = (*bif_args)[1];
if ( second_topic->Type()->Tag() != TYPE_STRING &&
! is_string_set(second_topic->Type()) )
{
builtin_error("Broker::publish_and_relay requires a string or string_set as 2nd argument");
return new Val(false, TYPE_BOOL);
}
auto topic_set = val_to_topic_set(second_topic);
if ( topic_set.empty() )
return new Val(false, TYPE_BOOL);
val_list args(bif_args->length() - 2);
for ( auto i = 2; i < bif_args->length(); ++i )
args.append((*bif_args)[i]);
auto rval = false;
if ( args[0]->Type()->Tag() == TYPE_RECORD )
rval = broker_mgr->RelayEvent(first_topic->CheckString(),
std::move(topic_set),
args[0]->AsRecordVal(), true);
else
{
auto ev = broker_mgr->MakeEvent(&args, frame);
rval = broker_mgr->RelayEvent(first_topic->CheckString(),
std::move(topic_set), ev, true);
Unref(ev);
}
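Review bot: The body of Broker::publish_and_relay is a near copy of Broker::relay: the same argument-count check, the same second-topic type check, the same val_list construction and the same two RelayEvent branches, differing only in the final true/false. Factor this into one static helper that takes the BIF name and a handle_on_relayer flag, so a later fix to the argument validation cannot land in one function and miss the other. Minor: "for ( auto i = 2; ..." compares an int against bif_args->length(); match the container's index type.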

View file

@ -12,7 +12,13 @@ using namespace std;
static void DbgAndWarn(const char* msg)
{
reporter->InternalWarning("%s", msg);
if ( reporter->Errors() )
// We've likely already reported to real source of the problem
// as an error, avoid adding an additional warning which may
// be confusing.
return;
reporter->Warning("%s", msg);
DBG_LOG(DBG_BROXYGEN, "%s", msg);
}
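Review bot: In DbgAndWarn, the early "return" under "if ( reporter->Errors() )" also skips the DBG_LOG(DBG_BROXYGEN, ...) call below it, so the debug stream loses the message in exactly the runs where someone is most likely to be debugging. Move the DBG_LOG above the check and suppress only the reporter->Warning. The new comment also has a typo: "reported to real source" should be "reported the real source".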
@ -22,7 +28,8 @@ static void WarnMissingScript(const char* type, const ID* id,
if ( script == "<command line>" )
return;
DbgAndWarn(fmt("Can't document %s %s, lookup of %s failed",
DbgAndWarn(fmt("Can't generate Broxygen doumentation for %s %s, "
"lookup of %s failed",
type, id->Name(), script.c_str()));
}
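Review bot: The new message string misspells "documentation" as "doumentation". The same misspelling appears in the StartType, RecordField and Redef messages later in this file, where the tool name is also written lowercase ("broxygen") while the other messages use "Broxygen". Please fix the spelling and pick one capitalization, since these strings are user-facing warnings.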
@ -122,7 +129,8 @@ void Manager::Script(const string& path)
if ( scripts.GetInfo(name) )
{
DbgAndWarn(fmt("Duplicate script documentation: %s", name.c_str()));
DbgAndWarn(fmt("Duplicate Broxygen script documentation: %s",
name.c_str()));
return;
}
@ -138,7 +146,8 @@ void Manager::Script(const string& path)
if ( packages.GetInfo(name) )
{
DbgAndWarn(fmt("Duplicate package documentation: %s", name.c_str()));
DbgAndWarn(fmt("Duplicate Broxygen package documentation: %s",
name.c_str()));
return;
}
@ -155,7 +164,8 @@ void Manager::ScriptDependency(const string& path, const string& dep)
if ( dep.empty() )
{
DbgAndWarn(fmt("Empty script doc dependency: %s", path.c_str()));
DbgAndWarn(fmt("Empty Broxygen script doc dependency: %s",
path.c_str()));
return;
}
@ -165,8 +175,8 @@ void Manager::ScriptDependency(const string& path, const string& dep)
if ( ! script_info )
{
DbgAndWarn(fmt("Failed to add script doc dependency %s for %s",
depname.c_str(), name.c_str()));
DbgAndWarn(fmt("Failed to add Broxygen script doc dependency %s "
"for %s", depname.c_str(), name.c_str()));
return;
}
@ -189,7 +199,7 @@ void Manager::ModuleUsage(const string& path, const string& module)
if ( ! script_info )
{
DbgAndWarn(fmt("Failed to add module usage %s in %s",
DbgAndWarn(fmt("Failed to add Broxygen module usage %s in %s",
module.c_str(), name.c_str()));
return;
}
@ -231,7 +241,8 @@ void Manager::StartType(ID* id)
if ( id->GetLocationInfo() == &no_location )
{
DbgAndWarn(fmt("Can't document %s, no location available", id->Name()));
DbgAndWarn(fmt("Can't generate broxygen doumentation for %s, "
"no location available", id->Name()));
return;
}
@ -323,7 +334,8 @@ void Manager::RecordField(const ID* id, const TypeDecl* field,
if ( ! idd )
{
DbgAndWarn(fmt("Can't document record field %s, unknown record: %s",
DbgAndWarn(fmt("Can't generate broxygen doumentation for "
"record field %s, unknown record: %s",
field->id, id->Name()));
return;
}
@ -348,7 +360,8 @@ void Manager::Redef(const ID* id, const string& path)
if ( ! id_info )
{
DbgAndWarn(fmt("Can't document redef of %s, identifier lookup failed",
DbgAndWarn(fmt("Can't generate broxygen doumentation for "
"redef of %s, identifier lookup failed",
id->Name()));
return;
}

View file

@ -250,6 +250,19 @@ void ScriptInfo::DoInitPostScript()
id->Name(), name.c_str());
state_vars.push_back(info);
}
// The following enum types are automatically created internally in Bro,
// so just manually associating them with scripts for now.
if ( name == "base/frameworks/input/main.bro" )
{
auto id = global_scope()->Lookup("Input::Reader");
types.push_back(new IdentifierInfo(id, this));
}
else if ( name == "base/frameworks/logging/main.bro" )
{
auto id = global_scope()->Lookup("Log::Writer");
types.push_back(new IdentifierInfo(id, this));
}
}
vector<string> ScriptInfo::GetComments() const
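Review bot: Both new branches pass the result of global_scope()->Lookup(...) directly to "new IdentifierInfo(id, this)" without checking it for null. If "Input::Reader" or "Log::Writer" is not defined (for example in a build or plugin configuration where the enum is not created), this dereferences a null ID later. Add a null check with a warning, and consider matching on something sturdier than the literal script path strings, which will silently stop matching if the files are moved.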

View file

@ -244,7 +244,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP
int len = i2d_ASN1_OCTET_STRING(X509_EXTENSION_get_data(ex), &buf);
if ( len >=0 )
{
BIO_write(bio, &buf, len);
BIO_write(bio, buf, len);
OPENSSL_free(buf);
}
}
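Review bot: The return value of BIO_write is still ignored inside the "len >=0" branch, so a short or failed write goes unnoticed and the extension value handed to scripts can be truncated without any indication. On the change itself, passing "&buf" copied len bytes starting at the pointer variable rather than at the DER buffer, which put adjacent stack contents into the extension value instead of the certificate data; this deserves a regression test with a certificate carrying an extension that takes this fallback path, asserting on the exact bytes produced.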

View file

@ -14,6 +14,7 @@ extern int yydebug;
extern int brolex();
extern char last_tok[128];
extern void add_essential_input_file(const char* file);
extern void add_input_file(const char* file);
extern void add_input_file_at_front(const char* file);

View file

@ -81,7 +81,7 @@ IOSource* Manager::FindSoonest(double* ts)
all_idle = false;
double local_network_time = 0;
double ts = (*i)->src->NextTimestamp(&local_network_time);
if ( ts > 0 && ts < soonest_ts )
if ( ts >= 0 && ts < soonest_ts )
{
soonest_ts = ts;
soonest_src = (*i)->src;
@ -162,7 +162,7 @@ IOSource* Manager::FindSoonest(double* ts)
{
double local_network_time = 0;
double ts = src->src->NextTimestamp(&local_network_time);
if ( ts > 0.0 && ts < soonest_ts )
if ( ts >= 0.0 && ts < soonest_ts )
{
soonest_ts = ts;
soonest_src = src->src;
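Review bot: Changing "ts > 0.0" to "ts >= 0.0" in both FindSoonest loops makes a timestamp of exactly zero count as ready, but nothing in the code says why zero is now valid or which value NextTimestamp() uses to signal "nothing available". Please add a one-line comment at each comparison stating the sentinel convention (negative means no data), so a source that returns 0 by default is not mistaken for one that is always ready.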

View file

@ -44,6 +44,7 @@ extern "C" {
#include "EventRegistry.h"
#include "Stats.h"
#include "Brofiler.h"
#include "Traverse.h"
#include "threading/Manager.h"
#include "input/Manager.h"
@ -114,6 +115,7 @@ char* command_line_policy = 0;
vector<string> params;
set<string> requested_plugins;
char* proc_status_file = 0;
int old_comm_usage_count = 0;
OpaqueType* md5_type = 0;
OpaqueType* sha1_type = 0;
@ -424,6 +426,70 @@ static void bro_new_handler()
out_of_memory("new");
}
static auto old_comm_ids = std::set<const char*, CompareString>{
"connect",
"disconnect",
"request_remote_events",
"request_remote_sync",
"request_remote_logs",
"set_accept_state",
"set_compression_level",
"listen",
"send_id",
"terminate_communication",
"complete_handshake",
"send_ping",
"send_current_packet",
"get_event_peer",
"send_capture_filter",
"suspend_state_updates",
"resume_state_updates",
};
static bool is_old_comm_usage(const ID* id)
{
auto name = id->Name();
if ( old_comm_ids.find(name) == old_comm_ids.end() )
return false;
return true;
}
class OldCommUsageTraversalCallback : public TraversalCallback {
public:
virtual TraversalCode PreExpr(const Expr* expr) override
{
switch ( expr->Tag() ) {
case EXPR_CALL:
{
const CallExpr* call = static_cast<const CallExpr*>(expr);
auto func = call->Func();
if ( func->Tag() == EXPR_NAME )
{
const NameExpr* ne = static_cast<const NameExpr*>(func);
auto id = ne->Id();
if ( is_old_comm_usage(id) )
++old_comm_usage_count;
}
}
break;
default:
break;
}
return TC_CONTINUE;
}
};
static void find_old_comm_usages()
{
OldCommUsageTraversalCallback cb;
traverse_all(&cb);
}
int main(int argc, char** argv)
{
std::set_new_handler(bro_new_handler);
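Review bot: OldCommUsageTraversalCallback::PreExpr only counts an EXPR_CALL whose callee is an EXPR_NAME, so a script that stores one of these functions in a variable and calls it through that variable is not detected; if that is an accepted limitation, say so in a comment on the class. Also, old_comm_ids is a mutable "static auto" and should be "static const", and is_old_comm_usage can simply return "old_comm_ids.find(name) != old_comm_ids.end()".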
@ -755,7 +821,9 @@ int main(int argc, char** argv)
broxygen_mgr = new broxygen::Manager(broxygen_config, bro_argv[0]);
add_input_file("base/init-bare.bro");
add_essential_input_file("base/init-bare.bro");
add_essential_input_file("base/init-frameworks-and-bifs.bro");
if ( ! bare_mode )
add_input_file("base/init-default.bro");
@ -852,6 +920,22 @@ int main(int argc, char** argv)
yyparse();
is_parsing = false;
find_old_comm_usages();
if ( old_comm_usage_count )
{
auto old_comm_ack_id = global_scope()->Lookup("old_comm_usage_is_ok");
if ( ! old_comm_ack_id->ID_Val()->AsBool() )
reporter->FatalError("Detected old, deprecated communication "
"system usages that will not work unless "
"you explicitly take action to initizialize "
"and set up the old comm. system. "
"Set the 'old_comm_usage_is_ok' flag "
"to bypass this error if you've taken such "
"actions.");
}
RecordVal::ResizeParseTimeRecords();
init_general_global_var();
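Review bot: The result of global_scope()->Lookup("old_comm_usage_is_ok") is dereferenced immediately with "old_comm_ack_id->ID_Val()->AsBool()" and neither the ID nor its value is checked for null. If the identifier is missing or has no value, the process crashes instead of reporting the intended fatal error; check both and fall back to treating the flag as unset. The message text also misspells "initialize" as "initizialize", and that misspelling is then baked into the test baseline.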

View file

@ -34,18 +34,21 @@
%token TOK_NO_TEST
%left ',' '|'
%left ','
%right '=' TOK_ADD_TO TOK_REMOVE_FROM
%right '?' ':'
%left TOK_OR
%left TOK_AND
%left TOK_OR_OR
%left TOK_AND_AND
%nonassoc TOK_HOOK
%nonassoc '<' '>' TOK_LE TOK_GE TOK_EQ TOK_NE
%left TOK_IN TOK_NOT_IN
%left '|'
%left '^'
%left '&'
%left '+' '-'
%left '*' '/' '%'
%left TOK_INCR TOK_DECR
%right '!'
%right '!' '~'
%left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR
%nonassoc TOK_AS TOK_IS
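Review bot: With '|', '^' and '&' declared after the comparison line ('<' '>' TOK_LE TOK_GE TOK_EQ TOK_NE) and after TOK_IN, the bitwise operators bind tighter than comparisons, so "a & b == c" parses as "(a & b) == c". That is the opposite of C, where "==" binds tighter than "&". This is a reasonable choice but it needs to be stated in the language documentation and covered by a test that mixes a bitwise operator with a comparison without parentheses, since script authors coming from C will assume the other grouping.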
@ -338,6 +341,12 @@ expr:
$$ = new NotExpr($2);
}
| '~' expr
{
set_location(@1, @2);
$$ = new ComplementExpr($2);
}
| '-' expr %prec '!'
{
set_location(@1, @2);
@ -392,16 +401,34 @@ expr:
$$ = new ModExpr($1, $3);
}
| expr TOK_AND expr
| expr '&' expr
{
set_location(@1, @3);
$$ = new BoolExpr(EXPR_AND, $1, $3);
$$ = new BitExpr(EXPR_AND, $1, $3);
}
| expr TOK_OR expr
| expr '|' expr
{
set_location(@1, @3);
$$ = new BoolExpr(EXPR_OR, $1, $3);
$$ = new BitExpr(EXPR_OR, $1, $3);
}
| expr '^' expr
{
set_location(@1, @3);
$$ = new BitExpr(EXPR_XOR, $1, $3);
}
| expr TOK_AND_AND expr
{
set_location(@1, @3);
$$ = new BoolExpr(EXPR_AND_AND, $1, $3);
}
| expr TOK_OR_OR expr
{
set_location(@1, @3);
$$ = new BoolExpr(EXPR_OR_OR, $1, $3);
}
| expr TOK_EQ expr
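Review bot: The rules now build BitExpr with the existing EXPR_AND and EXPR_OR tags and move the boolean operators to new EXPR_AND_AND and EXPR_OR_OR tags. Reusing the old tags for a different operation means any code that switches on EXPR_AND or EXPR_OR and assumes boolean semantics will silently treat a bitwise expression as boolean. Introducing new tags for the bitwise forms and leaving the existing ones on BoolExpr would keep existing tag checks correct; if the rename stays, please list the places that were audited.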
@ -704,7 +731,7 @@ expr:
$$ = new ConstExpr(new PatternVal($1));
}
| '|' expr '|'
| '|' expr '|' %prec '('
{
set_location(@1, @3);
$$ = new SizeExpr($2);
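Review bot: "'|' expr '|' %prec '('" now shares the '|' token with the new binary "expr '|' expr" rule, and there is no comment explaining why the size-of form takes the precedence of '('. Add a comment on the rule and test cases that combine the two, such as a size expression whose operand contains a bitwise or and a bitwise or whose operands are size expressions, so the intended parse is pinned down.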

View file

@ -193,7 +193,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
RET_CONST(new SubNetVal(IPPrefix(IPAddr(ip), len)))
}
[!%*/+\-,:;<=>?()\[\]{}~$|] return yytext[0];
[!%*/+\-,:;<=>?()\[\]{}~$|&^] return yytext[0];
"--" return TOK_DECR;
"++" return TOK_INCR;
@ -206,8 +206,8 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
">=" return TOK_GE;
"<=" return TOK_LE;
"&&" return TOK_AND;
"||" return TOK_OR;
"&&" return TOK_AND_AND;
"||" return TOK_OR_OR;
add return TOK_ADD;
addr return TOK_ADDR;
@ -310,6 +310,7 @@ when return TOK_WHEN;
}
&synchronized {
++old_comm_usage_count;
deprecated_attr(yytext);
return TOK_ATTR_SYNCHRONIZED;
}
@ -821,6 +822,18 @@ void do_atendif()
// are referred to (in order to save the locations of tokens and statements,
// for error reporting and debugging).
static name_list input_files;
static name_list essential_input_files;
void add_essential_input_file(const char* file)
{
if ( ! file )
reporter->InternalError("empty filename");
if ( ! filename )
(void) load_files(file);
else
essential_input_files.append(copy_string(file));
}
void add_input_file(const char* file)
{
@ -869,7 +882,7 @@ int yywrap()
if ( ! did_builtin_init && file_stack.length() == 1 )
{
// ### This is a gross hack - we know that the first file
// we parse is bro.init, and after it it's safe to initialize
// we parse is init-bare.bro, and after it it's safe to initialize
// the built-ins. Furthermore, we want to initialize the
// built-in's *right* after parsing bro.init, so that other
// source files can use built-in's when initializing globals.
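Review bot: The comment was updated to say the first file parsed is init-bare.bro, but two lines further down it still says built-ins are initialized "*right* after parsing bro.init". Update the second mention as well so the comment names one file consistently.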
@ -885,19 +898,22 @@ int yywrap()
return 0;
// Stack is now empty.
while ( input_files.length() > 0 )
while ( essential_input_files.length() > 0 || input_files.length() > 0 )
{
if ( load_files(input_files[0]) )
name_list& files = essential_input_files.length() > 0 ?
essential_input_files : input_files;
if ( load_files(files[0]) )
{
// Don't delete the filename - it's pointed to by
// every BroObj created when parsing it.
(void) input_files.remove_nth(0);
(void) files.remove_nth(0);
return 0;
}
// We already scanned the file. Pop it and try the next,
// if any.
(void) input_files.remove_nth(0);
(void) files.remove_nth(0);
}
// For each file scanned so far, and for each @prefix, look for a

View file

@ -0,0 +1,3 @@
sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core
got ready event
sender lost peer: endpoint=127.0.0.1 msg=lost remote peer

View file

@ -0,0 +1,2 @@
receiver added peer: endpoint=127.0.0.1 msg=handshake successful
got my_event, hello world

View file

@ -0,0 +1,5 @@
receiver added peer: endpoint=127.0.0.1 msg=received handshake from remote core
receiver added peer: endpoint=127.0.0.1 msg=handshake successful
sending ready event
got my_event, hello world
receiver lost peer: endpoint=127.0.0.1 msg=lost remote peer

View file

@ -0,0 +1,2 @@
warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.bro, line 6: deprecated (terminate_communication)
fatal error: Detected old, deprecated communication system usages that will not work unless you explicitly take action to initizialize and set up the old comm. system. Set the 'old_comm_usage_is_ok' flag to bypass this error if you've taken such actions.
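Review bot: The first baseline line embeds a developer-specific absolute path (/Users/jon/projects/bro/bro/testing/btest/.tmp/...), so the comparison will not match on any other checkout unless the test passes its output through a path canonifier before diffing. Normalize the path in the test or strip the location prefix. The second line also locks the "initizialize" misspelling from the error message into the baseline.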

View file

@ -3,18 +3,21 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2018-03-01-16-07-03
#open 2018-06-08-16-37-15
#fields name
#types string
scripts/base/init-bare.bro
build/scripts/base/bif/const.bif.bro
build/scripts/base/bif/types.bif.bro
build/scripts/base/bif/strings.bif.bro
build/scripts/base/bif/bro.bif.bro
build/scripts/base/bif/stats.bif.bro
build/scripts/base/bif/reporter.bif.bro
build/scripts/base/bif/strings.bif.bro
build/scripts/base/bif/option.bif.bro
build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro
build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro
build/scripts/base/bif/event.bif.bro
scripts/base/init-frameworks-and-bifs.bro
scripts/base/frameworks/logging/__load__.bro
scripts/base/frameworks/logging/main.bro
build/scripts/base/bif/logging.bif.bro
@ -52,8 +55,6 @@ scripts/base/init-bare.bro
scripts/base/utils/patterns.bro
scripts/base/frameworks/files/magic/__load__.bro
build/scripts/base/bif/__load__.bro
build/scripts/base/bif/stats.bif.bro
build/scripts/base/bif/option.bif.bro
build/scripts/base/bif/broxygen.bif.bro
build/scripts/base/bif/pcap.bif.bro
build/scripts/base/bif/bloom-filter.bif.bro
@ -93,6 +94,7 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro
build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro
build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro
@ -175,4 +177,4 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
scripts/policy/misc/loaded-scripts.bro
scripts/base/utils/paths.bro
#close 2018-03-01-16-07-03
#close 2018-06-08-16-37-15

View file

@ -3,18 +3,21 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2018-05-17-23-49-59
#open 2018-06-08-16-37-20
#fields name
#types string
scripts/base/init-bare.bro
build/scripts/base/bif/const.bif.bro
build/scripts/base/bif/types.bif.bro
build/scripts/base/bif/strings.bif.bro
build/scripts/base/bif/bro.bif.bro
build/scripts/base/bif/stats.bif.bro
build/scripts/base/bif/reporter.bif.bro
build/scripts/base/bif/strings.bif.bro
build/scripts/base/bif/option.bif.bro
build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro
build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro
build/scripts/base/bif/event.bif.bro
scripts/base/init-frameworks-and-bifs.bro
scripts/base/frameworks/logging/__load__.bro
scripts/base/frameworks/logging/main.bro
build/scripts/base/bif/logging.bif.bro
@ -52,8 +55,6 @@ scripts/base/init-bare.bro
scripts/base/utils/patterns.bro
scripts/base/frameworks/files/magic/__load__.bro
build/scripts/base/bif/__load__.bro
build/scripts/base/bif/stats.bif.bro
build/scripts/base/bif/option.bif.bro
build/scripts/base/bif/broxygen.bif.bro
build/scripts/base/bif/pcap.bif.bro
build/scripts/base/bif/bloom-filter.bif.bro
@ -93,6 +94,7 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro
build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro
build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro
@ -364,4 +366,4 @@ scripts/base/init-default.bro
scripts/base/misc/find-filtered-trace.bro
scripts/base/misc/version.bro
scripts/policy/misc/loaded-scripts.bro
#close 2018-05-17-23-49-59
#close 2018-06-08-16-37-20

View file

@ -14,5 +14,16 @@ modulus operator (PASS)
division operator (PASS)
assignment operator (PASS)
assignment operator (PASS)
bitwise and (PASS)
bitwise and (PASS)
bitwise and (PASS)
bitwise or (PASS)
bitwise or (PASS)
bitwise or (PASS)
bitwise xor (PASS)
bitwise xor (PASS)
bitwise xor (PASS)
bitwise complement (PASS)
bitwise complement (PASS)
max count value = 18446744073709551615 (PASS)
max count value = 18446744073709551615 (PASS)

View file

@ -264,7 +264,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
0.000000 MetaHookPost CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@ -441,7 +441,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(NetControl::init, <null>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@ -469,6 +469,7 @@
0.000000 MetaHookPost CallFunction(bro_init, <null>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(current_time, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(filter_change_tracking, <null>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(getenv, <null>, (BRO_DEFAULT_LISTEN_ADDRESS)) -> <no result>
0.000000 MetaHookPost CallFunction(getenv, <null>, (CLUSTER_NODE)) -> <no result>
0.000000 MetaHookPost CallFunction(global_ids, <frame>, ()) -> <no result>
0.000000 MetaHookPost CallFunction(network_time, <frame>, ()) -> <no result>
@ -522,6 +523,7 @@
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MIME.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.consts.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) -> -1
@ -727,6 +729,7 @@
0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/init-default.bro) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/init-frameworks-and-bifs.bro) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1
@ -744,6 +747,7 @@
0.000000 MetaHookPost LoadFile(0, base<...>/ntlm) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/numbers.bro) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/option.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/packet-filter) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/paths.bro) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/patterns.bro) -> -1
@ -766,6 +770,7 @@
0.000000 MetaHookPost LoadFile(0, base<...>/software) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/ssh) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/ssl) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/stats.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/store.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/strings.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(0, base<...>/strings.bro) -> -1
@ -1062,7 +1067,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@ -1239,7 +1244,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, <frame>, ())
0.000000 MetaHookPre CallFunction(NetControl::init, <null>, ())
0.000000 MetaHookPre CallFunction(Notice::want_pp, <frame>, ())
@ -1267,6 +1272,7 @@
0.000000 MetaHookPre CallFunction(bro_init, <null>, ())
0.000000 MetaHookPre CallFunction(current_time, <frame>, ())
0.000000 MetaHookPre CallFunction(filter_change_tracking, <null>, ())
0.000000 MetaHookPre CallFunction(getenv, <null>, (BRO_DEFAULT_LISTEN_ADDRESS))
0.000000 MetaHookPre CallFunction(getenv, <null>, (CLUSTER_NODE))
0.000000 MetaHookPre CallFunction(global_ids, <frame>, ())
0.000000 MetaHookPre CallFunction(network_time, <frame>, ())
@ -1320,6 +1326,7 @@
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MIME.events.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Modbus.events.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MySQL.events.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.consts.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.events.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.events.bif.bro)
0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.types.bif.bro)
@ -1525,6 +1532,7 @@
0.000000 MetaHookPre LoadFile(0, base<...>/http)
0.000000 MetaHookPre LoadFile(0, base<...>/imap)
0.000000 MetaHookPre LoadFile(0, base<...>/init-default.bro)
0.000000 MetaHookPre LoadFile(0, base<...>/init-frameworks-and-bifs.bro)
0.000000 MetaHookPre LoadFile(0, base<...>/input)
0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.bro)
0.000000 MetaHookPre LoadFile(0, base<...>/intel)
@ -1542,6 +1550,7 @@
0.000000 MetaHookPre LoadFile(0, base<...>/ntlm)
0.000000 MetaHookPre LoadFile(0, base<...>/numbers.bro)
0.000000 MetaHookPre LoadFile(0, base<...>/openflow)
0.000000 MetaHookPre LoadFile(0, base<...>/option.bif.bro)
0.000000 MetaHookPre LoadFile(0, base<...>/packet-filter)
0.000000 MetaHookPre LoadFile(0, base<...>/paths.bro)
0.000000 MetaHookPre LoadFile(0, base<...>/patterns.bro)
@ -1564,6 +1573,7 @@
0.000000 MetaHookPre LoadFile(0, base<...>/software)
0.000000 MetaHookPre LoadFile(0, base<...>/ssh)
0.000000 MetaHookPre LoadFile(0, base<...>/ssl)
0.000000 MetaHookPre LoadFile(0, base<...>/stats.bif.bro)
0.000000 MetaHookPre LoadFile(0, base<...>/store.bif.bro)
0.000000 MetaHookPre LoadFile(0, base<...>/strings.bif.bro)
0.000000 MetaHookPre LoadFile(0, base<...>/strings.bro)
@ -1859,7 +1869,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@ -2036,7 +2046,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction NetControl::check_plugins()
0.000000 | HookCallFunction NetControl::init()
0.000000 | HookCallFunction Notice::want_pp()
@ -2064,6 +2074,7 @@
0.000000 | HookCallFunction bro_init()
0.000000 | HookCallFunction current_time()
0.000000 | HookCallFunction filter_change_tracking()
0.000000 | HookCallFunction getenv(BRO_DEFAULT_LISTEN_ADDRESS)
0.000000 | HookCallFunction getenv(CLUSTER_NODE)
0.000000 | HookCallFunction global_ids()
0.000000 | HookCallFunction network_time()
@ -2117,6 +2128,7 @@
0.000000 | HookLoadFile .<...>/Bro_MIME.events.bif.bro
0.000000 | HookLoadFile .<...>/Bro_Modbus.events.bif.bro
0.000000 | HookLoadFile .<...>/Bro_MySQL.events.bif.bro
0.000000 | HookLoadFile .<...>/Bro_NCP.consts.bif.bro
0.000000 | HookLoadFile .<...>/Bro_NCP.events.bif.bro
0.000000 | HookLoadFile .<...>/Bro_NTLM.events.bif.bro
0.000000 | HookLoadFile .<...>/Bro_NTLM.types.bif.bro
@ -2331,6 +2343,7 @@
0.000000 | HookLoadFile base<...>/http
0.000000 | HookLoadFile base<...>/imap
0.000000 | HookLoadFile base<...>/init-default.bro
0.000000 | HookLoadFile base<...>/init-frameworks-and-bifs.bro
0.000000 | HookLoadFile base<...>/input
0.000000 | HookLoadFile base<...>/input.bif.bro
0.000000 | HookLoadFile base<...>/intel
@ -2348,6 +2361,7 @@
0.000000 | HookLoadFile base<...>/ntlm
0.000000 | HookLoadFile base<...>/numbers.bro
0.000000 | HookLoadFile base<...>/openflow
0.000000 | HookLoadFile base<...>/option.bif.bro
0.000000 | HookLoadFile base<...>/packet-filter
0.000000 | HookLoadFile base<...>/paths.bro
0.000000 | HookLoadFile base<...>/patterns.bro
@ -2370,6 +2384,7 @@
0.000000 | HookLoadFile base<...>/software
0.000000 | HookLoadFile base<...>/ssh
0.000000 | HookLoadFile base<...>/ssl
0.000000 | HookLoadFile base<...>/stats.bif.bro
0.000000 | HookLoadFile base<...>/store.bif.bro
0.000000 | HookLoadFile base<...>/strings.bif.bro
0.000000 | HookLoadFile base<...>/strings.bro
@ -2387,7 +2402,7 @@
0.000000 | HookLoadFile base<...>/x509
0.000000 | HookLoadFile base<...>/xmpp
0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
0.000000 | HookLogWrite packet_filter [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]
0.000000 | HookLogWrite packet_filter [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]
0.000000 | HookQueueEvent NetControl::init()
0.000000 | HookQueueEvent bro_init()
0.000000 | HookQueueEvent filter_change_tracking()

@ -0,0 +1,6 @@
BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255)
BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255)
BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (pro=2048, pln=255)
BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (pro=2048, pln=255)
BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255)
BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255)

@ -1,3 +1,3 @@
KRB_AP_REQUEST
[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18, ciphertext={\x9fY\xd0f\x8dS\xf4I\x88\x04\xfa\xc1\xd8m\xa2\xb7+\xbb\x19\xcag\x0c\x13\xd1g*\xfc\x18\xd1\xb1\x80!\xbd\x85\xec\xf9\x9b\xfa-\x18\xb6\xf5h\x91\xe7\x99\xf4\xdb\x93\xa0\xc7\x90\x1e\xa9\x95v\xd3\x12\xfa,9\x1d\x0b\xd0\xa1\xd25\x0f\x1f[G\xdf\xd0\xbbd\x06$2\xd1\xae\x130qZiY\x07@\xe9\xf9\xff\xa4\x9a\xd4\x09\xf0\x0d\xc1R\x10M\xbdKOV\xfd\xf6\x13\xf6\x9a\x95N\xdf!\xf6x\x94\xd8j\xa5\xdcp\xa8\x04\x99\x02x\xdb$\xd8\xfa_o\x8dV\xc8\x0a\xfe\x00\xf3&c\x0c8\xd1\xd0\xe9\x8e\xab\xfe&\xfe\x00\x8d$\x98I\xe5\x8d\x94rM4%\xd8\xfe\xa9\x08\x06\xc6\x95H7\xf7HCq\xb9\x0d$\x95?\x83B\x82\xdd\xea\xc3f3\xcc\xbb\x09\x0d-\x09;\xa6i%\xcd\xba\x11\xd4\xe0\x12w\xd0G&\xdaj\x82\x7f;\xf3\x1d\x10\xa4l\x06\x16l\x1bc\xa1\xd1\x15!\x00\x8a\xff\x8a\x06\xe7U^:<d\xba"\x02I\xf0\xce\xc7\xad\xb2]
[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18, ciphertext={\x9fY\xd0f\x8dS\xf4I\x88\x04\xfa\xc1\xd8m\xa2\xb7+\xbb\x19\xcag\x0c\x13\xd1g*\xfc\x18\xd1\xb1\x80!\xbd\x85\xec\xf9\x9b\xfa-\x18\xb6\xf5h\x91\xe7\x99\xf4\xdb\x93\xa0\xc7\x90\x1e\xa9\x95v\xd3\x12\xfa,9\x1d\x0b\xd0\xa1\xd25\x0f\x1f[G\xdf\xd0\xbbd\x06$2\xd1\xae\x130qZiY\x07@\xe9\xf9\xff\xa4\x9a\xd4\x09\xf0\x0d\xc1R\x10M\xbdKOV\xfd\xf6\x13\xf6\x9a\x95N\xdf!\xf6x\x94\xd8j\xa5\xdcp\xa8\x04\x99\x02x\xdb$\xd8\xfa_o\x8dV\xc8\x0a\xfe\x00\xf3&c\x0c8\xd1\xd0\xe9\x8e\xab\xfe&\xfe\x00\x8d$\x98I\xe5\x8d\x94rM4%\xd8\xfe\xa9\x08\x06\xc6\x95H7\xf7HCq\xb9\x0d$\x95?\x83B\x82\xdd\xea\xc3f3\xcc\xbb\x09\x0d-\x09;\xa6i%\xcd\xba\x11\xd4\xe0\x12w\xd0G&\xdaj\x82\x7f;\xf3\x1d\x10\xa4l\x06\x16l\x1bc\xa1\xd1\x15!\x00\x8a\xff\x8a\x06\xe7U^:<d\xba"\x02I\xf0\xce\xc7\xad\xb2, authenticationinfo=<uninitialized>]
[use_session_key=F, mutual_required=F]
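Review bot: `authenticationinfo=<uninitialized>` at the end of the updated ticket line pins only the unset case of the new field. Please make sure another test prints a populated `authenticationinfo`, otherwise a regression in how the field gets filled in would not show up in any baseline.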

@ -0,0 +1 @@
wallior@DS.SUSQ.COM

@ -0,0 +1,468 @@
ncp reply, 13107, 70, 0, 0, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 59, 89
ncp reply, 13107, 2, 8738, 89, 255
ncp request, 8738, 59, 89
ncp reply, 13107, 2, 8738, 89, 255
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 66, 89
ncp reply, 13107, 92, 8738, 89, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 66, 89
ncp reply, 13107, 92, 8738, 89, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 46, 89
ncp reply, 13107, 88, 8738, 89, 0
ncp request, 8738, 40, 89
ncp reply, 13107, 11, 8738, 89, 0
ncp request, 8738, 40, 89
ncp reply, 13107, 102, 8738, 89, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 6, 22338
ncp reply, 13107, 10, 8738, 22338, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 163, 8738, 72, 0
ncp request, 8738, 14, 72

@ -0,0 +1,418 @@
ncp reply, 13107, 70, 0, 0, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 59, 89
ncp reply, 13107, 2, 8738, 89, 255
ncp request, 8738, 59, 89
ncp reply, 13107, 2, 8738, 89, 255
ncp request, 8738, 79, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp reply, 13107, 86, 8738, 72, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 66, 89
ncp reply, 13107, 92, 8738, 89, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 66, 89
ncp reply, 13107, 92, 8738, 89, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 14, 72
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 46, 89
ncp reply, 13107, 88, 8738, 89, 0
ncp request, 8738, 40, 89
ncp reply, 13107, 11, 8738, 89, 0
ncp request, 8738, 40, 89
ncp reply, 13107, 102, 8738, 89, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 6, 22338
ncp reply, 13107, 10, 8738, 22338, 0
ncp request, 8738, 14, 72
ncp request, 8738, 8, 66
ncp reply, 13107, 2, 8738, 66, 0
ncp request, 8738, 72, 89
ncp reply, 13107, 70, 8738, 89, 0
ncp request, 8738, 7, 22306
ncp reply, 13107, 2, 8738, 22306, 0
ncp request, 8738, 14, 72
ncp request, 8738, 14, 72
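Review bot: from the first `ncp request, 8738, 72, 89` exchange onward, every `ncp request, 8738, 14, 72` in this baseline goes unanswered, whereas the 468-line baseline before it shows `ncp reply, 13107, 163, 8738, 72, 0` after each of them; the shorter replies of length 86 are still present here. Nothing in the output says which setting makes the 163-byte replies disappear, so please have the test print the limit it runs with (or a marker event for the dropped frame), so that a reader of the baseline can tell an intended drop from a parser regression.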

@ -5,6 +5,7 @@ smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatil
smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=2, create_options=2097185]
smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68]
smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2]
smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=1319047808.3125, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]
smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=1, create_options=32]
smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=1, create_options=32]
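
Review bot: The added smb2_file_sattr baseline line pins accessed, created and changed to -1.164447e+10, which is the 1601-to-1970 FILETIME offset negated, so these look like zero FILETIME fields converted straight to epoch time rather than real timestamps. If zero is a "leave unchanged" sentinel in the request, baking the negative value into the baseline makes it the expected output for every script that consumes MACTimes. Consider reporting such fields as unset, or at least documenting the value where the event is defined, so that timestamp-change detections do not treat it as a date.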

@ -0,0 +1,4 @@
UNDEF
\x04a0_\xa1]\xa0[0Y0W0U\x16\x09image/gif0!0\x1f0\x07\x06\x05+\x0e\x03\x02\x1a\x04\x14\x8f\xe5\xd3\x1a\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H\x18,{\x19.0%\x16#http://logo.verisign.com/vslogo.gif
UNDEF
\x04a0_\xa1]\xa0[0Y0W0U\x16\x09image/gif0!0\x1f0\x07\x06\x05+\x0e\x03\x02\x1a\x04\x14\x8f\xe5\xd3\x1a\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H\x18,{\x19.0%\x16#http://logo.verisign.com/vslogo.gif

@ -1,6 +1,7 @@
DIAG=diag.log
BTEST=../../aux/btest/btest
SCRIPT_COV=.tmp/script-coverage
all: cleanup btest-verbose coverage
@ -15,11 +16,11 @@ btest-brief:
@$(BTEST) -j -b -f $(DIAG)
coverage:
@../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts
@../scripts/coverage-calc "$(SCRIPT_COV)/*" coverage.log `pwd`/../../scripts
cleanup:
@rm -f $(DIAG)
@rm -f .tmp/script-coverage*
@rm -rf $(SCRIPT_COV)*
distclean: cleanup
@rm -rf .btest.failed.dat \
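
Review bot: In the cleanup target, `@rm -rf $(SCRIPT_COV)*` expands a variable directly in front of a glob, so an empty override such as `make SCRIPT_COV= cleanup` turns it into `rm -rf *` in the test directory. Coverage output now lives in a directory, so `rm -rf $(SCRIPT_COV)` without the trailing `*` is enough for the new layout. If the glob is kept on purpose to sweep up old `.tmp/script-coverage.XXXXXX` files, a short comment saying so would help.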

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

@ -0,0 +1,125 @@
# @TEST-SERIALIZE: comm
#
# @TEST-EXEC: btest-bg-run three "bro -B broker -b ../three.bro >three.out"
# @TEST-EXEC: btest-bg-run two "bro -B broker -b ../two.bro >two.out"
# @TEST-EXEC: btest-bg-run one "bro -B broker -b ../one.bro >one.out"
#
# @TEST-EXEC: btest-bg-wait 20
# @TEST-EXEC: btest-diff one/one.out
# @TEST-EXEC: btest-diff two/two.out
# @TEST-EXEC: btest-diff three/three.out
@TEST-START-FILE one.bro
redef Broker::default_connect_retry=1secs;
redef Broker::default_listen_retry=1secs;
redef exit_only_after_terminate = T;
event my_event(s: string)
{
print "got my_event", s;
}
event ready_event()
{
print "got ready event";
Broker::publish_and_relay("bro/event/pre-relay", "bro/event/post-relay",
my_event, "hello world");
}
event bro_init()
{
Broker::subscribe("bro/event/ready");
Broker::peer("127.0.0.1", 10000/tcp);
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("sender added peer: endpoint=%s msg=%s",
endpoint$network$address, msg);
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("sender lost peer: endpoint=%s msg=%s",
endpoint$network$address, msg);
terminate();
}
@TEST-END-FILE
@TEST-START-FILE two.bro
redef Broker::default_connect_retry=1secs;
redef Broker::default_listen_retry=1secs;
redef exit_only_after_terminate = T;
global peers_added = 0;
event my_event(s: string)
{
print "got my_event", s;
}
event ready_event()
{
}
event bro_init()
{
Broker::subscribe("bro/event/pre-relay");
Broker::listen("127.0.0.1", 10000/tcp);
Broker::peer("127.0.0.1", 9999/tcp);
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
++peers_added;
if ( peers_added == 2 )
{
print "sending ready event";
Broker::publish("bro/event/ready", ready_event);
}
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
terminate();
}
@TEST-END-FILE
@TEST-START-FILE three.bro
redef Broker::default_connect_retry=1secs;
redef Broker::default_listen_retry=1secs;
redef exit_only_after_terminate = T;
event my_event(s: string)
{
print "got my_event", s;
terminate();
}
event bro_init()
{
Broker::subscribe("bro/event/post-relay");
Broker::listen("127.0.0.1", 9999/tcp);
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
}
@TEST-END-FILE
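
Review bot: The three scripts hard-code loopback ports 9999/tcp and 10000/tcp (Broker::listen in two.bro and three.bro, Broker::peer in one.bro and two.bro). `@TEST-SERIALIZE: comm` only keeps other tests in that group off these ports, not unrelated local processes, and a failed listen would only show up as the `btest-bg-wait 20` timeout. Please also add a header comment describing the topology (one publishes via two, which relays to three) and which line of three.out proves the relay worked, since two.bro's empty ready_event handler and its my_event handler are otherwise hard to interpret.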

@ -22,6 +22,8 @@ DIST=%(testbase)s/../..
BUILD=%(testbase)s/../../build
TEST_DIFF_CANONIFIER=%(testbase)s/../scripts/diff-canonifier
TMPDIR=%(testbase)s/.tmp
BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX
BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX
BTEST_RST_FILTER=$SCRIPTS/rst-filter
BRO_DNS_FAKE=1
BRO_DEFAULT_LISTEN_ADDRESS=127.0.0.1
BRO_DISABLE_BROXYGEN=1
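
Review bot: BRO_PROFILER_FILE now points into a subdirectory (`.tmp/script-coverage/XXXXXX`), but nothing in the visible changes creates `.tmp/script-coverage` before bro runs. If the profiler opens the file from this template without creating the parent directory, coverage data would be lost without any test failing. Please confirm where the directory is created, or add that step to the test setup.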

@ -0,0 +1,7 @@
# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
event bro_init()
{
terminate_communication();
}
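
Review bot: The test expects bro to fail (`@TEST-EXEC-FAIL`) but carries no comment saying which error it is checking for. A one-line header stating that a call to terminate_communication() from the old communication system must be rejected would make the `out` baseline easier to review when it changes.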

@ -5,7 +5,7 @@
# listen.bro in order to document it.
# @TEST-SERIALIZE: comm
# @TEST-EXEC: bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/
# @TEST-EXEC: btest-diff .stdout
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
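
Review bot: `unset BRO_DISABLE_BROXYGEN;` is prefixed by hand to the bro invocation here and in each of the other broxygen tests, because btest.cfg now sets BRO_DISABLE_BROXYGEN=1 for every test. A new documentation test that omits the prefix will run with broxygen disabled and fail only at its btest-diff step, with no hint as to why. Consider a comment next to the variable in btest.cfg explaining the opt-in, or one shared wrapper for the broxygen tests instead of the copied prefix.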

@ -1,7 +1,7 @@
# Shouldn't emit any warnings about not being able to document something
# that's supplied via command line script.
# @TEST-EXEC: bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1
# @TEST-EXEC: btest-diff output
const myvar = 5 &redef;

@ -1,4 +1,4 @@
# @TEST-EXEC: bro -b %INPUT >out
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b %INPUT >out
# @TEST-EXEC: btest-diff out
##! This is a test script.

@ -1,4 +1,4 @@
# @TEST-EXEC: bro -b -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff autogen-reST-enums.rst
@TEST-START-FILE broxygen.config

@ -1,4 +1,4 @@
# @TEST-EXEC: bro -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff example.rst
@TEST-START-FILE broxygen.config

@ -1,4 +1,4 @@
# @TEST-EXEC: bro -b -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff autogen-reST-func-params.rst
@TEST-START-FILE broxygen.config

@ -1,5 +1,5 @@
# @TEST-SERIALIZE: comm
# @TEST-EXEC: bro -b -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff test.rst
@TEST-START-FILE broxygen.config

@ -1,5 +1,5 @@
# @TEST-SERIALIZE: comm
# @TEST-EXEC: bro -b -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff test.rst
@TEST-START-FILE broxygen.config

@ -1,5 +1,5 @@
# @TEST-SERIALIZE: comm
# @TEST-EXEC: bro -b -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff test.rst
@TEST-START-FILE broxygen.config

@ -1,4 +1,4 @@
# @TEST-EXEC: bro -b -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff autogen-reST-records.rst
@TEST-START-FILE broxygen.config

@ -1,5 +1,5 @@
# @TEST-SERIALIZE: comm
# @TEST-EXEC: bro -b -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff test.rst
@TEST-START-FILE broxygen.config

@ -1,5 +1,5 @@
# @TEST-SERIALIZE: comm
# @TEST-EXEC: bro -b -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff test.rst
@TEST-START-FILE broxygen.config

@ -1,4 +1,4 @@
# @TEST-EXEC: bro -b -X broxygen.config %INPUT
# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
# @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst
@TEST-START-FILE broxygen.config

Some files were not shown because too many files have changed in this diff