diff --git a/testing/btest/Baseline/coverage.record-fields/out.bare b/testing/btest/Baseline/coverage.record-fields/out.bare
new file mode 100644
index 0000000000..d1a740bf4f
--- /dev/null
+++ b/testing/btest/Baseline/coverage.record-fields/out.bare
@@ -0,0 +1,51 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +[zeek, -b, <...>/record-fields.zeek] +connection { + * dpd: record DPD::Info, log=F, optional=T + DPD::Info { + * analyzer: string, log=T, optional=F + * failure_reason: string, log=T, optional=F + * id: record conn_id, log=T, optional=F + conn_id { + * orig_h: addr, log=T, optional=F + * orig_p: port, log=T, optional=F + * resp_h: addr, log=T, optional=F + * resp_p: port, log=T, optional=F + } + * proto: enum transport_proto, log=T, optional=F + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * dpd_state: record DPD::State, log=F, optional=T + DPD::State { + * violations: table[count] of count, log=F, optional=F + } + * duration: interval, log=F, optional=F + * history: string, log=F, optional=F + * id: record conn_id, log=F, optional=F + conn_id { ... } + * inner_vlan: int, log=F, optional=T + * orig: record endpoint, log=F, optional=F + endpoint { + * flow_label: count, log=F, optional=F + * l2_addr: string, log=F, optional=T + * num_bytes_ip: count, log=F, optional=T + * num_pkts: count, log=F, optional=T + * size: count, log=F, optional=F + * state: count, log=F, optional=F + } + * resp: record endpoint, log=F, optional=F + endpoint { ... } + * service: set[string], log=F, optional=F + * service_violation: set[string], log=F, optional=T + * start_time: time, log=F, optional=F + * tunnel: vector of record Tunnel::EncapsulatingConn, log=F, optional=T + Tunnel::EncapsulatingConn { + * cid: record conn_id, log=T, optional=F + conn_id { ... } + * tunnel_type: enum Tunnel::Type, log=T, optional=F + * uid: string, log=T, optional=T + } + * uid: string, log=F, optional=F + * vlan: int, log=F, optional=T + } diff --git a/testing/btest/Baseline/coverage.record-fields/out.default b/testing/btest/Baseline/coverage.record-fields/out.default new file mode 100644 index 0000000000..25d9e950bf --- /dev/null 
+++ b/testing/btest/Baseline/coverage.record-fields/out.default 
@@ -0,0 +1,838 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +[zeek, <...>/record-fields.zeek] +connection { + * conn: record Conn::Info, log=F, optional=T + Conn::Info { + * conn_state: string, log=T, optional=T + * duration: interval, log=T, optional=T + * history: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { + * orig_h: addr, log=T, optional=F + * orig_p: port, log=T, optional=F + * resp_h: addr, log=T, optional=F + * resp_p: port, log=T, optional=F + } + * local_orig: bool, log=T, optional=T + * local_resp: bool, log=T, optional=T + * missed_bytes: count, log=T, optional=T + * orig_bytes: count, log=T, optional=T + * orig_ip_bytes: count, log=T, optional=T + * orig_pkts: count, log=T, optional=T + * proto: enum transport_proto, log=T, optional=F + * resp_bytes: count, log=T, optional=T + * resp_ip_bytes: count, log=T, optional=T + * resp_pkts: count, log=T, optional=T + * service: string, log=T, optional=T + * ts: time, log=T, optional=F + * tunnel_parents: set[string], log=T, optional=T + * uid: string, log=T, optional=F + } + * dce_rpc: record DCE_RPC::Info, log=F, optional=T + DCE_RPC::Info { + * endpoint: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * named_pipe: string, log=T, optional=T + * operation: string, log=T, optional=T + * rtt: interval, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * dce_rpc_backing: table[count] of record DCE_RPC::BackingState, log=F, optional=T + DCE_RPC::BackingState { + * info: record DCE_RPC::Info, log=F, optional=F + DCE_RPC::Info { ... } + * state: record DCE_RPC::State, log=F, optional=F + DCE_RPC::State { + * ctx_to_uuid: table[count] of string, log=F, optional=T + * named_pipe: string, log=F, optional=T + * uuid: string, log=F, optional=T + } + } + * dce_rpc_state: record DCE_RPC::State, log=F, optional=T + DCE_RPC::State { ... 
} + * dhcp: record DHCP::Info, log=F, optional=T + DHCP::Info { + * assigned_addr: addr, log=T, optional=T + * client_addr: addr, log=T, optional=T + * client_chaddr: string, log=F, optional=T + * client_fqdn: string, log=T, optional=T + * client_message: string, log=T, optional=T + * client_port: port, log=F, optional=T + * domain: string, log=T, optional=T + * duration: interval, log=T, optional=T + * host_name: string, log=T, optional=T + * last_message_ts: time, log=F, optional=T + * lease_time: interval, log=T, optional=T + * mac: string, log=T, optional=T + * msg_types: vector of string, log=T, optional=T + * requested_addr: addr, log=T, optional=T + * server_addr: addr, log=T, optional=T + * server_message: string, log=T, optional=T + * server_port: port, log=F, optional=T + * ts: time, log=T, optional=F + * uids: set[string], log=T, optional=F + } + * dnp3: record DNP3::Info, log=F, optional=T + DNP3::Info { + * fc_reply: string, log=T, optional=T + * fc_request: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * iin: count, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * dns: record DNS::Info, log=F, optional=T + DNS::Info { + * AA: bool, log=T, optional=T + * RA: bool, log=T, optional=T + * RD: bool, log=T, optional=T + * TC: bool, log=T, optional=T + * TTLs: vector of interval, log=T, optional=T + * Z: count, log=T, optional=T + * answers: vector of string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... 
} + * proto: enum transport_proto, log=T, optional=F + * qclass: count, log=T, optional=T + * qclass_name: string, log=T, optional=T + * qtype: count, log=T, optional=T + * qtype_name: string, log=T, optional=T + * query: string, log=T, optional=T + * rcode: count, log=T, optional=T + * rcode_name: string, log=T, optional=T + * rejected: bool, log=T, optional=T + * rtt: interval, log=T, optional=T + * saw_query: bool, log=F, optional=T + * saw_reply: bool, log=F, optional=T + * total_answers: count, log=F, optional=T + * total_replies: count, log=F, optional=T + * trans_id: count, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * dns_state: record DNS::State, log=F, optional=T + DNS::State { + * pending_queries: table[count] of record Queue::Queue, log=F, optional=T + Queue::Queue { + * bottom: count, log=F, optional=T + * initialized: bool, log=F, optional=T + * settings: record Queue::Settings, log=F, optional=T + Queue::Settings { + * max_len: count, log=F, optional=T + } + * size: count, log=F, optional=T + * top: count, log=F, optional=T + * vals: table[count] of any, log=F, optional=T + } + * pending_query: record DNS::Info, log=F, optional=T + DNS::Info { ... } + * pending_replies: table[count] of record Queue::Queue, log=F, optional=T + Queue::Queue { ... } + } + * dpd: record DPD::Info, log=F, optional=T + DPD::Info { + * analyzer: string, log=T, optional=F + * failure_reason: string, log=T, optional=F + * id: record conn_id, log=T, optional=F + conn_id { ... 
} + * proto: enum transport_proto, log=T, optional=F + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * dpd_state: record DPD::State, log=F, optional=T + DPD::State { + * violations: table[count] of count, log=F, optional=F + } + * duration: interval, log=F, optional=F + * extract_orig: bool, log=F, optional=T + * extract_resp: bool, log=F, optional=T + * ftp: record FTP::Info, log=F, optional=T + FTP::Info { + * arg: string, log=T, optional=T + * capture_password: bool, log=F, optional=T + * cmdarg: record FTP::CmdArg, log=F, optional=T + FTP::CmdArg { + * arg: string, log=F, optional=T + * cmd: string, log=F, optional=T + * cwd_consumed: bool, log=F, optional=T + * seq: count, log=F, optional=T + * ts: time, log=F, optional=F + } + * command: string, log=T, optional=T + * cwd: string, log=F, optional=T + * data_channel: record FTP::ExpectedDataChannel, log=T, optional=T + FTP::ExpectedDataChannel { + * orig_h: addr, log=T, optional=F + * passive: bool, log=T, optional=F + * resp_h: addr, log=T, optional=F + * resp_p: port, log=T, optional=F + } + * file_size: count, log=T, optional=T + * fuid: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * last_auth_requested: string, log=F, optional=T + * mime_type: string, log=T, optional=T + * passive: bool, log=F, optional=T + * password: string, log=T, optional=T + * pending_commands: table[count] of record FTP::CmdArg, log=F, optional=F + FTP::CmdArg { ... 
} + * reply_code: count, log=T, optional=T + * reply_msg: string, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * user: string, log=T, optional=T + } + * ftp_data_reuse: bool, log=F, optional=T + * history: string, log=F, optional=F + * http: record HTTP::Info, log=F, optional=T + HTTP::Info { + * capture_password: bool, log=F, optional=T + * current_entity: record HTTP::Entity, log=F, optional=T + HTTP::Entity { + * filename: string, log=F, optional=T + } + * host: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * info_code: count, log=T, optional=T + * info_msg: string, log=T, optional=T + * method: string, log=T, optional=T + * orig_filenames: vector of string, log=T, optional=T + * orig_fuids: vector of string, log=T, optional=T + * orig_mime_depth: count, log=F, optional=T + * orig_mime_types: vector of string, log=T, optional=T + * origin: string, log=T, optional=T + * password: string, log=T, optional=T + * proxied: set[string], log=T, optional=T + * range_request: bool, log=F, optional=T + * referrer: string, log=T, optional=T + * request_body_len: count, log=T, optional=T + * resp_filenames: vector of string, log=T, optional=T + * resp_fuids: vector of string, log=T, optional=T + * resp_mime_depth: count, log=F, optional=T + * resp_mime_types: vector of string, log=T, optional=T + * response_body_len: count, log=T, optional=T + * status_code: count, log=T, optional=T + * status_msg: string, log=T, optional=T + * tags: set[enum HTTP::Tags], log=T, optional=F + * trans_depth: count, log=T, optional=F + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * uri: string, log=T, optional=T + * user_agent: string, log=T, optional=T + * username: string, log=T, optional=T + * version: string, log=T, optional=T + } + * http_state: record HTTP::State, log=F, optional=T + HTTP::State { + * current_request: count, log=F, optional=T + * current_response: count, log=F, 
optional=T + * pending: table[count] of record HTTP::Info, log=F, optional=F + HTTP::Info { ... } + * trans_depth: count, log=F, optional=T + } + * id: record conn_id, log=F, optional=F + conn_id { ... } + * inner_vlan: int, log=F, optional=T + * irc: record IRC::Info, log=F, optional=T + IRC::Info { + * addl: string, log=T, optional=T + * command: string, log=T, optional=T + * dcc_file_name: string, log=T, optional=T + * dcc_file_size: count, log=T, optional=T + * dcc_mime_type: string, log=T, optional=T + * fuid: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * nick: string, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * user: string, log=T, optional=T + * value: string, log=T, optional=T + } + * krb: record KRB::Info, log=F, optional=T + KRB::Info { + * cipher: string, log=T, optional=T + * client: string, log=T, optional=T + * client_cert: record Files::Info, log=F, optional=T + Files::Info { + * analyzers: set[string], log=T, optional=T + * depth: count, log=T, optional=T + * duration: interval, log=T, optional=T + * extracted: string, log=T, optional=T + * extracted_cutoff: bool, log=T, optional=T + * extracted_size: count, log=T, optional=T + * filename: string, log=T, optional=T + * fuid: string, log=T, optional=F + * id: record conn_id, log=T, optional=T + conn_id { ... 
} + * is_orig: bool, log=T, optional=T + * local_orig: bool, log=T, optional=T + * md5: string, log=T, optional=T + * mime_type: string, log=T, optional=T + * missing_bytes: count, log=T, optional=T + * overflow_bytes: count, log=T, optional=T + * parent_fuid: string, log=T, optional=T + * seen_bytes: count, log=T, optional=T + * sha1: string, log=T, optional=T + * sha256: string, log=T, optional=T + * source: string, log=T, optional=T + * timedout: bool, log=T, optional=T + * total_bytes: count, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=T + * x509: record X509::Info, log=F, optional=T + X509::Info { + * basic_constraints: record X509::BasicConstraints, log=T, optional=T + X509::BasicConstraints { + * ca: bool, log=T, optional=F + * path_len: count, log=T, optional=T + } + * certificate: record X509::Certificate, log=T, optional=F + X509::Certificate { + * cn: string, log=F, optional=T + * curve: string, log=T, optional=T + * exponent: string, log=T, optional=T + * issuer: string, log=T, optional=F + * key_alg: string, log=T, optional=F + * key_length: count, log=T, optional=T + * key_type: string, log=T, optional=T + * not_valid_after: time, log=T, optional=F + * not_valid_before: time, log=T, optional=F + * serial: string, log=T, optional=F + * sig_alg: string, log=T, optional=F + * subject: string, log=T, optional=F + * tbs_sig_alg: string, log=F, optional=F + * version: count, log=T, optional=F + } + * client_cert: bool, log=T, optional=T + * deduplication_index: record X509::LogCertHash, log=F, optional=T + X509::LogCertHash { + * client_cert: bool, log=F, optional=F + * fingerprint: string, log=F, optional=F + * host_cert: bool, log=F, optional=F + } + * extensions: vector of record X509::Extension, log=F, optional=T + X509::Extension { + * critical: bool, log=F, optional=F + * name: string, log=F, optional=F + * oid: string, log=F, optional=F + * short_name: string, log=F, optional=T + * value: string, log=F, 
optional=F + } + * extensions_cache: vector of any, log=F, optional=T + * fingerprint: string, log=T, optional=F + * handle: opaque, log=F, optional=F + * host_cert: bool, log=T, optional=T + * san: record X509::SubjectAlternativeName, log=T, optional=T + X509::SubjectAlternativeName { + * dns: vector of string, log=T, optional=T + * email: vector of string, log=T, optional=T + * ip: vector of addr, log=T, optional=T + * other_fields: bool, log=F, optional=F + * uri: vector of string, log=T, optional=T + } + * ts: time, log=T, optional=F + } + } + * client_cert_fuid: string, log=T, optional=T + * client_cert_subject: string, log=T, optional=T + * error_code: count, log=F, optional=T + * error_msg: string, log=T, optional=T + * forwardable: bool, log=T, optional=T + * from: time, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * logged: bool, log=F, optional=T + * renewable: bool, log=T, optional=T + * request_type: string, log=T, optional=T + * server_cert: record Files::Info, log=F, optional=T + Files::Info { ... } + * server_cert_fuid: string, log=T, optional=T + * server_cert_subject: string, log=T, optional=T + * service: string, log=T, optional=T + * success: bool, log=T, optional=T + * till: time, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * modbus: record Modbus::Info, log=F, optional=T + Modbus::Info { + * exception: string, log=T, optional=T + * func: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * pdu_type: string, log=T, optional=T + * tid: count, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * unit: count, log=T, optional=T + } + * mqtt: record MQTT::ConnectInfo, log=F, optional=T + MQTT::ConnectInfo { + * client_id: string, log=T, optional=T + * connect_status: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... 
} + * proto_name: string, log=T, optional=T + * proto_version: string, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * will_payload: string, log=T, optional=T + * will_topic: string, log=T, optional=T + } + * mqtt_state: record MQTT::State, log=F, optional=T + MQTT::State { + * publish: table[count] of record MQTT::PublishInfo, log=F, optional=T + MQTT::PublishInfo { + * ack: bool, log=F, optional=T + * comp: bool, log=F, optional=T + * from_client: bool, log=T, optional=F + * id: record conn_id, log=T, optional=F + conn_id { ... } + * payload: string, log=T, optional=F + * payload_len: count, log=T, optional=F + * qos: string, log=T, optional=F + * qos_level: count, log=F, optional=T + * rec: bool, log=F, optional=T + * rel: bool, log=F, optional=T + * retain: bool, log=T, optional=F + * status: string, log=T, optional=T + * topic: string, log=T, optional=F + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * subscribe: table[count] of record MQTT::SubscribeInfo, log=F, optional=T + MQTT::SubscribeInfo { + * ack: bool, log=T, optional=T + * action: enum MQTT::SubUnsub, log=T, optional=F + * granted_qos_level: count, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * qos_levels: vector of count, log=T, optional=T + * topics: vector of string, log=T, optional=F + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + } + * mysql: record MySQL::Info, log=F, optional=T + MySQL::Info { + * arg: string, log=T, optional=F + * cmd: string, log=T, optional=F + * id: record conn_id, log=T, optional=F + conn_id { ... 
} + * response: string, log=T, optional=T + * rows: count, log=T, optional=T + * success: bool, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * ntlm: record NTLM::Info, log=F, optional=T + NTLM::Info { + * domainname: string, log=T, optional=T + * done: bool, log=F, optional=T + * hostname: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * server_dns_computer_name: string, log=T, optional=T + * server_nb_computer_name: string, log=T, optional=T + * server_tree_name: string, log=T, optional=T + * success: bool, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * username: string, log=T, optional=T + } + * ntp: record NTP::Info, log=F, optional=T + NTP::Info { + * id: record conn_id, log=T, optional=F + conn_id { ... } + * mode: count, log=T, optional=F + * num_exts: count, log=T, optional=T + * org_time: time, log=T, optional=F + * poll: interval, log=T, optional=F + * precision: interval, log=T, optional=F + * rec_time: time, log=T, optional=F + * ref_id: string, log=T, optional=F + * ref_time: time, log=T, optional=F + * root_delay: interval, log=T, optional=F + * root_disp: interval, log=T, optional=F + * stratum: count, log=T, optional=F + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * version: count, log=T, optional=F + * xmt_time: time, log=T, optional=F + } + * orig: record endpoint, log=F, optional=F + endpoint { + * flow_label: count, log=F, optional=F + * l2_addr: string, log=F, optional=T + * num_bytes_ip: count, log=F, optional=T + * num_pkts: count, log=F, optional=T + * size: count, log=F, optional=F + * state: count, log=F, optional=F + } + * radius: record RADIUS::Info, log=F, optional=T + RADIUS::Info { + * connect_info: string, log=T, optional=T + * framed_addr: addr, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... 
} + * logged: bool, log=F, optional=T + * mac: string, log=T, optional=T + * reply_msg: string, log=T, optional=T + * result: string, log=T, optional=T + * ts: time, log=T, optional=F + * ttl: interval, log=T, optional=T + * tunnel_client: string, log=T, optional=T + * uid: string, log=T, optional=F + * username: string, log=T, optional=T + } + * rdp: record RDP::Info, log=F, optional=T + RDP::Info { + * analyzer_id: count, log=F, optional=T + * cert_count: count, log=T, optional=T + * cert_permanent: bool, log=T, optional=T + * cert_type: string, log=T, optional=T + * client_build: string, log=T, optional=T + * client_channels: vector of string, log=T, optional=T + * client_dig_product_id: string, log=T, optional=T + * client_name: string, log=T, optional=T + * cookie: string, log=T, optional=T + * desktop_height: count, log=T, optional=T + * desktop_width: count, log=T, optional=T + * done: bool, log=F, optional=T + * encryption_level: string, log=T, optional=T + * encryption_method: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * keyboard_layout: string, log=T, optional=T + * requested_color_depth: string, log=T, optional=T + * result: string, log=T, optional=T + * security_protocol: string, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * removal_hooks: set[func], log=F, optional=T + * resp: record endpoint, log=F, optional=F + endpoint { ... } + * rfb: record RFB::Info, log=F, optional=T + RFB::Info { + * auth: bool, log=T, optional=T + * authentication_method: string, log=T, optional=T + * client_major_version: string, log=T, optional=T + * client_minor_version: string, log=T, optional=T + * desktop_name: string, log=T, optional=T + * done: bool, log=F, optional=T + * height: count, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... 
} + * server_major_version: string, log=T, optional=T + * server_minor_version: string, log=T, optional=T + * share_flag: bool, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * width: count, log=T, optional=T + } + * service: set[string], log=F, optional=F + * service_violation: set[string], log=F, optional=T + * sip: record SIP::Info, log=F, optional=T + SIP::Info { + * call_id: string, log=T, optional=T + * content_type: string, log=T, optional=T + * date: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * method: string, log=T, optional=T + * reply_to: string, log=T, optional=T + * request_body_len: count, log=T, optional=T + * request_from: string, log=T, optional=T + * request_path: vector of string, log=T, optional=T + * request_to: string, log=T, optional=T + * response_body_len: count, log=T, optional=T + * response_from: string, log=T, optional=T + * response_path: vector of string, log=T, optional=T + * response_to: string, log=T, optional=T + * seq: string, log=T, optional=T + * status_code: count, log=T, optional=T + * status_msg: string, log=T, optional=T + * subject: string, log=T, optional=T + * trans_depth: count, log=T, optional=F + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * uri: string, log=T, optional=T + * user_agent: string, log=T, optional=T + * warning: string, log=T, optional=T + } + * sip_state: record SIP::State, log=F, optional=T + SIP::State { + * current_request: count, log=F, optional=T + * current_response: count, log=F, optional=T + * pending: table[count] of record SIP::Info, log=F, optional=F + SIP::Info { ... } + } + * smb_state: record SMB::State, log=F, optional=T + SMB::State { + * current_cmd: record SMB::CmdInfo, log=F, optional=T + SMB::CmdInfo { + * argument: string, log=T, optional=T + * command: string, log=T, optional=F + * id: record conn_id, log=T, optional=F + conn_id { ... 
} + * referenced_file: record SMB::FileInfo, log=T, optional=T + SMB::FileInfo { + * action: enum SMB::Action, log=T, optional=T + * fid: count, log=F, optional=T + * fuid: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * name: string, log=T, optional=T + * path: string, log=T, optional=T + * prev_name: string, log=T, optional=T + * size: count, log=T, optional=T + * times: record SMB::MACTimes, log=T, optional=T + SMB::MACTimes { + * accessed: time, log=T, optional=F + * accessed_raw: count, log=F, optional=F + * changed: time, log=T, optional=F + * changed_raw: count, log=F, optional=F + * created: time, log=T, optional=F + * created_raw: count, log=F, optional=F + * modified: time, log=T, optional=F + * modified_raw: count, log=F, optional=F + } + * ts: time, log=T, optional=T + * uid: string, log=T, optional=F + * uuid: string, log=F, optional=T + } + * referenced_tree: record SMB::TreeInfo, log=F, optional=T + SMB::TreeInfo { + * id: record conn_id, log=T, optional=F + conn_id { ... } + * native_file_system: string, log=T, optional=T + * path: string, log=T, optional=T + * service: string, log=T, optional=T + * share_type: string, log=T, optional=T + * ts: time, log=T, optional=T + * uid: string, log=T, optional=F + } + * rtt: interval, log=T, optional=T + * smb1_offered_dialects: vector of string, log=F, optional=T + * smb2_create_options: count, log=F, optional=T + * smb2_offered_dialects: vector of count, log=F, optional=T + * status: string, log=T, optional=T + * sub_command: string, log=T, optional=T + * tree: string, log=T, optional=T + * tree_service: string, log=T, optional=T + * ts: time, log=T, optional=T + * uid: string, log=T, optional=F + * username: string, log=T, optional=T + * version: string, log=T, optional=F + } + * current_file: record SMB::FileInfo, log=F, optional=T + SMB::FileInfo { ... } + * current_tree: record SMB::TreeInfo, log=F, optional=T + SMB::TreeInfo { ... 
} + * fid_map: table[count] of record SMB::FileInfo, log=F, optional=T + SMB::FileInfo { ... } + * pending_cmds: table[count] of record SMB::CmdInfo, log=F, optional=T + SMB::CmdInfo { ... } + * pipe_map: table[count] of string, log=F, optional=T + * recent_files: set[string], log=F, optional=T + * tid_map: table[count] of record SMB::TreeInfo, log=F, optional=T + SMB::TreeInfo { ... } + } + * smtp: record SMTP::Info, log=F, optional=T + SMTP::Info { + * cc: set[string], log=T, optional=T + * date: string, log=T, optional=T + * entity: record SMTP::Entity, log=F, optional=T + SMTP::Entity { + * filename: string, log=F, optional=T + } + * entity_count: count, log=F, optional=T + * first_received: string, log=T, optional=T + * from: string, log=T, optional=T + * fuids: vector of string, log=T, optional=T + * has_client_activity: bool, log=F, optional=T + * helo: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * in_reply_to: string, log=T, optional=T + * last_reply: string, log=T, optional=T + * mailfrom: string, log=T, optional=T + * msg_id: string, log=T, optional=T + * path: vector of addr, log=T, optional=T + * process_received_from: bool, log=F, optional=T + * process_smtp_headers: bool, log=F, optional=T + * rcptto: set[string], log=T, optional=T + * reply_to: string, log=T, optional=T + * second_received: string, log=T, optional=T + * subject: string, log=T, optional=T + * tls: bool, log=T, optional=T + * to: set[string], log=T, optional=T + * trans_depth: count, log=T, optional=F + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * user_agent: string, log=T, optional=T + * x_originating_ip: addr, log=T, optional=T + } + * smtp_state: record SMTP::State, log=F, optional=T + SMTP::State { + * analyzer_id: count, log=F, optional=T + * helo: string, log=F, optional=T + * invalid_transactions: count, log=F, optional=T + * messages_transferred: count, log=F, optional=T + * mime_depth: count, log=F, optional=T 
+ * pending_messages: set[record SMTP::Info], log=F, optional=T + SMTP::Info] { + } + * trans_mail_from_seen: bool, log=F, optional=T + * trans_rcpt_to_seen: bool, log=F, optional=T + } + * snmp: record SNMP::Info, log=F, optional=T + SNMP::Info { + * community: string, log=T, optional=T + * display_string: string, log=T, optional=T + * duration: interval, log=T, optional=T + * get_bulk_requests: count, log=T, optional=T + * get_requests: count, log=T, optional=T + * get_responses: count, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * set_requests: count, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * up_since: time, log=T, optional=T + * version: string, log=T, optional=F + } + * socks: record SOCKS::Info, log=F, optional=T + SOCKS::Info { + * bound: record SOCKS::Address, log=T, optional=T + SOCKS::Address { + * host: addr, log=T, optional=T + * name: string, log=T, optional=T + } + * bound_p: port, log=T, optional=T + * capture_password: bool, log=F, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * password: string, log=T, optional=T + * request: record SOCKS::Address, log=T, optional=T + SOCKS::Address { ... 
} + * request_p: port, log=T, optional=T + * status: string, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * user: string, log=T, optional=T + * version: count, log=T, optional=F + } + * ssh: record SSH::Info, log=F, optional=T + SSH::Info { + * analyzer_id: count, log=F, optional=T + * auth_attempts: count, log=T, optional=T + * auth_success: bool, log=T, optional=T + * capabilities: record SSH::Capabilities, log=F, optional=T + SSH::Capabilities { + * compression_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F + SSH::Algorithm_Prefs { + * client_to_server: vector of string, log=F, optional=T + * server_to_client: vector of string, log=F, optional=T + } + * encryption_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F + SSH::Algorithm_Prefs { ... } + * is_server: bool, log=F, optional=F + * kex_algorithms: vector of string, log=F, optional=F + * languages: record SSH::Algorithm_Prefs, log=F, optional=T + SSH::Algorithm_Prefs { ... } + * mac_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F + SSH::Algorithm_Prefs { ... } + * server_host_key_algorithms: vector of string, log=F, optional=F + } + * cipher_alg: string, log=T, optional=T + * client: string, log=T, optional=T + * compression_alg: string, log=T, optional=T + * direction: enum Direction, log=T, optional=T + * host_key: string, log=T, optional=T + * host_key_alg: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * kex_alg: string, log=T, optional=T + * logged: bool, log=F, optional=T + * mac_alg: string, log=T, optional=T + * server: string, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * version: count, log=T, optional=T + } + * ssl: record SSL::Info, log=F, optional=T + SSL::Info { + * analyzer_id: count, log=F, optional=T + * cert_chain: vector of record Files::Info, log=F, optional=T + Files::Info { ... 
} + * cert_chain_fps: vector of string, log=T, optional=T + * cipher: string, log=T, optional=T + * client_cert_chain: vector of record Files::Info, log=F, optional=T + Files::Info { ... } + * client_cert_chain_fps: vector of string, log=T, optional=T + * client_depth: count, log=F, optional=T + * client_issuer: string, log=T, optional=T + * client_key_exchange_seen: bool, log=F, optional=T + * client_psk_seen: bool, log=F, optional=T + * client_subject: string, log=T, optional=T + * client_ticket_empty_session_seen: bool, log=F, optional=T + * curve: string, log=T, optional=T + * delay_tokens: set[string], log=F, optional=T + * established: bool, log=T, optional=T + * hrr_seen: bool, log=F, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * issuer: string, log=T, optional=T + * last_alert: string, log=T, optional=T + * logged: bool, log=F, optional=T + * next_protocol: string, log=T, optional=T + * resumed: bool, log=T, optional=T + * server_depth: count, log=F, optional=T + * server_name: string, log=T, optional=T + * session_id: string, log=F, optional=T + * sni_matches_cert: bool, log=T, optional=T + * ssl_history: string, log=T, optional=T + * subject: string, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * version: string, log=T, optional=T + * version_num: count, log=F, optional=T + } + * start_time: time, log=F, optional=F + * syslog: record Syslog::Info, log=F, optional=T + Syslog::Info { + * facility: string, log=T, optional=F + * id: record conn_id, log=T, optional=F + conn_id { ... 
} + * message: string, log=T, optional=F + * proto: enum transport_proto, log=T, optional=F + * severity: string, log=T, optional=F + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + } + * thresholds: record ConnThreshold::Thresholds, log=F, optional=T + ConnThreshold::Thresholds { + * duration: set[interval], log=F, optional=T + * orig_byte: set[count], log=F, optional=T + * orig_packet: set[count], log=F, optional=T + * resp_byte: set[count], log=F, optional=T + * resp_packet: set[count], log=F, optional=T + } + * tunnel: vector of record Tunnel::EncapsulatingConn, log=F, optional=T + Tunnel::EncapsulatingConn { + * cid: record conn_id, log=T, optional=F + conn_id { ... } + * tunnel_type: enum Tunnel::Type, log=T, optional=F + * uid: string, log=T, optional=T + } + * uid: string, log=F, optional=F + * vlan: int, log=F, optional=T + } diff --git a/testing/btest/coverage/record-fields.zeek b/testing/btest/coverage/record-fields.zeek new file mode 100644 index 0000000000..3d1275e474 --- /dev/null +++ b/testing/btest/coverage/record-fields.zeek 
@@ -0,0 +1,72 @@
+# @TEST-DOC: Output interesting record types in bare and default mode recursively. Currently just the connection record type.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b %INPUT >out.bare
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out.bare
+# @TEST-EXEC: zeek %INPUT >out.default
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out.default
+
+global record_types_seen: set[string];
+
+
+# Given a type_name string from a field, extract all record type names.
+#
+# For example, `table[record conn_id] of record Conn::Info` yields `[conn_id, Conn::Info]`.
+#
+function extract_record_type_names(tn: string): vector of string
+ {
+ local names: vector of string;
+ while ( /.*record [^ ] ?/ in tn )
+ {
+ tn = gsub(tn, /.*record /, ""); # strip leading 'record '
+ local parts = split_string1(tn, / ?/);
+ names += parts[0];
+ if ( |parts| == 1 )
+ break;
+
+ tn = parts[1];
+ }
+
+ return names;
+ }
+
+function render_field(name: string, fr: record_field): string
+ {
+ return fmt("%s: %s, log=%s, optional=%s", name, fr$type_name, fr$log, fr$optional);
+ }
+
+function print_record_type(indent: string, rt: any)
+ {
+ local field_names: vector of string;
+ local fields = record_fields(rt);
+ for ( fn, _ in fields )
+ field_names += fn;
+
+ sort(field_names, strcmp);
+
+ print fmt("%s%s {", indent, rt);
+ for ( _, fn in field_names )
+ {
+ local fr = fields[fn];
+ print fmt("%s * %s", indent, render_field(fn, fr));
+ # Recurse into record types of the field and print those as well.
+ for ( _, frt in extract_record_type_names(fr$type_name) )
+ {
+ if ( frt in record_types_seen )
+ print fmt("%s %s { ... }", indent, frt);
+ else
+ {
+ add record_types_seen[frt];
+ print_record_type(indent + " ", frt);
+ }
+ }
+ }
+
+ print fmt("%s }", indent);
+ }
+
+event zeek_init()
+ {
+ print zeek_args();
+ print_record_type("", "connection");
+ }
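Review bot: `extract_record_type_names` keeps the closing bracket on the type name when the record is the element of a set or table, because `split_string1(tn, / ?/)` only cuts at a space; the out.default baseline shows the effect for `smtp_state$pending_messages: set[record SMTP::Info]`, which is printed as `SMTP::Info] {` with an empty body, so that nested record is never expanded and the committed baseline now pins the wrong output. Treating `]` as a terminator as well, e.g. `local parts = split_string1(tn, /[ \]]/);`, fixes it, after which out.default has to be regenerated with `btest -U`. The doc comment's example of `table[record conn_id] of record Conn::Info` yielding both names also looks doubtful to me, since `gsub(tn, /.*record /, "")` with a longest-match `.*` would presumably strip through the last `record ` and keep only `Conn::Info`; a baseline entry that actually exercises a two-record type name would settle that rather than the comment asserting it.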