Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

btest/coverage: Add record-fields test

Browse source 
Justin pointed out that the misc/dump-events test shows added fields to
the connection record. Add a new test that prints the connection record
recursively in bare and default mode to cover that use-case
specifically.
This commit is contained in:
Arne Welzel 2023-10-09 12:14:15 +02:00
parent 88bb527026
commit 998ab80385
3 changed files with 961 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

51
testing/btest/Baseline/coverage.record-fields/out.bare Normal file
View file

@ -0,0 +1,51 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
[zeek, -b, <...>/record-fields.zeek]
connection {
* dpd: record DPD::Info, log=F, optional=T
DPD::Info {
* analyzer: string, log=T, optional=F
* failure_reason: string, log=T, optional=F
* id: record conn_id, log=T, optional=F
conn_id {
* orig_h: addr, log=T, optional=F
* orig_p: port, log=T, optional=F
* resp_h: addr, log=T, optional=F
* resp_p: port, log=T, optional=F
}
* proto: enum transport_proto, log=T, optional=F
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* dpd_state: record DPD::State, log=F, optional=T
DPD::State {
* violations: table[count] of count, log=F, optional=F
}
* duration: interval, log=F, optional=F
* history: string, log=F, optional=F
* id: record conn_id, log=F, optional=F
conn_id { ... }
* inner_vlan: int, log=F, optional=T
* orig: record endpoint, log=F, optional=F
endpoint {
* flow_label: count, log=F, optional=F
* l2_addr: string, log=F, optional=T
* num_bytes_ip: count, log=F, optional=T
* num_pkts: count, log=F, optional=T
* size: count, log=F, optional=F
* state: count, log=F, optional=F
}
* resp: record endpoint, log=F, optional=F
endpoint { ... }
* service: set[string], log=F, optional=F
* service_violation: set[string], log=F, optional=T
* start_time: time, log=F, optional=F
* tunnel: vector of record Tunnel::EncapsulatingConn, log=F, optional=T
Tunnel::EncapsulatingConn {
* cid: record conn_id, log=T, optional=F
conn_id { ... }
* tunnel_type: enum Tunnel::Type, log=T, optional=F
* uid: string, log=T, optional=T
}
* uid: string, log=F, optional=F
* vlan: int, log=F, optional=T
}

838
testing/btest/Baseline/coverage.record-fields/out.default Normal file
View file

@ -0,0 +1,838 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
[zeek, <...>/record-fields.zeek]
connection {
* conn: record Conn::Info, log=F, optional=T
Conn::Info {
* conn_state: string, log=T, optional=T
* duration: interval, log=T, optional=T
* history: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id {
* orig_h: addr, log=T, optional=F
* orig_p: port, log=T, optional=F
* resp_h: addr, log=T, optional=F
* resp_p: port, log=T, optional=F
}
* local_orig: bool, log=T, optional=T
* local_resp: bool, log=T, optional=T
* missed_bytes: count, log=T, optional=T
* orig_bytes: count, log=T, optional=T
* orig_ip_bytes: count, log=T, optional=T
* orig_pkts: count, log=T, optional=T
* proto: enum transport_proto, log=T, optional=F
* resp_bytes: count, log=T, optional=T
* resp_ip_bytes: count, log=T, optional=T
* resp_pkts: count, log=T, optional=T
* service: string, log=T, optional=T
* ts: time, log=T, optional=F
* tunnel_parents: set[string], log=T, optional=T
* uid: string, log=T, optional=F
}
* dce_rpc: record DCE_RPC::Info, log=F, optional=T
DCE_RPC::Info {
* endpoint: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* named_pipe: string, log=T, optional=T
* operation: string, log=T, optional=T
* rtt: interval, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* dce_rpc_backing: table[count] of record DCE_RPC::BackingState, log=F, optional=T
DCE_RPC::BackingState {
* info: record DCE_RPC::Info, log=F, optional=F
DCE_RPC::Info { ... }
* state: record DCE_RPC::State, log=F, optional=F
DCE_RPC::State {
* ctx_to_uuid: table[count] of string, log=F, optional=T
* named_pipe: string, log=F, optional=T
* uuid: string, log=F, optional=T
}
}
* dce_rpc_state: record DCE_RPC::State, log=F, optional=T
DCE_RPC::State { ... }
* dhcp: record DHCP::Info, log=F, optional=T
DHCP::Info {
* assigned_addr: addr, log=T, optional=T
* client_addr: addr, log=T, optional=T
* client_chaddr: string, log=F, optional=T
* client_fqdn: string, log=T, optional=T
* client_message: string, log=T, optional=T
* client_port: port, log=F, optional=T
* domain: string, log=T, optional=T
* duration: interval, log=T, optional=T
* host_name: string, log=T, optional=T
* last_message_ts: time, log=F, optional=T
* lease_time: interval, log=T, optional=T
* mac: string, log=T, optional=T
* msg_types: vector of string, log=T, optional=T
* requested_addr: addr, log=T, optional=T
* server_addr: addr, log=T, optional=T
* server_message: string, log=T, optional=T
* server_port: port, log=F, optional=T
* ts: time, log=T, optional=F
* uids: set[string], log=T, optional=F
}
* dnp3: record DNP3::Info, log=F, optional=T
DNP3::Info {
* fc_reply: string, log=T, optional=T
* fc_request: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* iin: count, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* dns: record DNS::Info, log=F, optional=T
DNS::Info {
* AA: bool, log=T, optional=T
* RA: bool, log=T, optional=T
* RD: bool, log=T, optional=T
* TC: bool, log=T, optional=T
* TTLs: vector of interval, log=T, optional=T
* Z: count, log=T, optional=T
* answers: vector of string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* proto: enum transport_proto, log=T, optional=F
* qclass: count, log=T, optional=T
* qclass_name: string, log=T, optional=T
* qtype: count, log=T, optional=T
* qtype_name: string, log=T, optional=T
* query: string, log=T, optional=T
* rcode: count, log=T, optional=T
* rcode_name: string, log=T, optional=T
* rejected: bool, log=T, optional=T
* rtt: interval, log=T, optional=T
* saw_query: bool, log=F, optional=T
* saw_reply: bool, log=F, optional=T
* total_answers: count, log=F, optional=T
* total_replies: count, log=F, optional=T
* trans_id: count, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* dns_state: record DNS::State, log=F, optional=T
DNS::State {
* pending_queries: table[count] of record Queue::Queue, log=F, optional=T
Queue::Queue {
* bottom: count, log=F, optional=T
* initialized: bool, log=F, optional=T
* settings: record Queue::Settings, log=F, optional=T
Queue::Settings {
* max_len: count, log=F, optional=T
}
* size: count, log=F, optional=T
* top: count, log=F, optional=T
* vals: table[count] of any, log=F, optional=T
}
* pending_query: record DNS::Info, log=F, optional=T
DNS::Info { ... }
* pending_replies: table[count] of record Queue::Queue, log=F, optional=T
Queue::Queue { ... }
}
* dpd: record DPD::Info, log=F, optional=T
DPD::Info {
* analyzer: string, log=T, optional=F
* failure_reason: string, log=T, optional=F
* id: record conn_id, log=T, optional=F
conn_id { ... }
* proto: enum transport_proto, log=T, optional=F
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* dpd_state: record DPD::State, log=F, optional=T
DPD::State {
* violations: table[count] of count, log=F, optional=F
}
* duration: interval, log=F, optional=F
* extract_orig: bool, log=F, optional=T
* extract_resp: bool, log=F, optional=T
* ftp: record FTP::Info, log=F, optional=T
FTP::Info {
* arg: string, log=T, optional=T
* capture_password: bool, log=F, optional=T
* cmdarg: record FTP::CmdArg, log=F, optional=T
FTP::CmdArg {
* arg: string, log=F, optional=T
* cmd: string, log=F, optional=T
* cwd_consumed: bool, log=F, optional=T
* seq: count, log=F, optional=T
* ts: time, log=F, optional=F
}
* command: string, log=T, optional=T
* cwd: string, log=F, optional=T
* data_channel: record FTP::ExpectedDataChannel, log=T, optional=T
FTP::ExpectedDataChannel {
* orig_h: addr, log=T, optional=F
* passive: bool, log=T, optional=F
* resp_h: addr, log=T, optional=F
* resp_p: port, log=T, optional=F
}
* file_size: count, log=T, optional=T
* fuid: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* last_auth_requested: string, log=F, optional=T
* mime_type: string, log=T, optional=T
* passive: bool, log=F, optional=T
* password: string, log=T, optional=T
* pending_commands: table[count] of record FTP::CmdArg, log=F, optional=F
FTP::CmdArg { ... }
* reply_code: count, log=T, optional=T
* reply_msg: string, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* user: string, log=T, optional=T
}
* ftp_data_reuse: bool, log=F, optional=T
* history: string, log=F, optional=F
* http: record HTTP::Info, log=F, optional=T
HTTP::Info {
* capture_password: bool, log=F, optional=T
* current_entity: record HTTP::Entity, log=F, optional=T
HTTP::Entity {
* filename: string, log=F, optional=T
}
* host: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* info_code: count, log=T, optional=T
* info_msg: string, log=T, optional=T
* method: string, log=T, optional=T
* orig_filenames: vector of string, log=T, optional=T
* orig_fuids: vector of string, log=T, optional=T
* orig_mime_depth: count, log=F, optional=T
* orig_mime_types: vector of string, log=T, optional=T
* origin: string, log=T, optional=T
* password: string, log=T, optional=T
* proxied: set[string], log=T, optional=T
* range_request: bool, log=F, optional=T
* referrer: string, log=T, optional=T
* request_body_len: count, log=T, optional=T
* resp_filenames: vector of string, log=T, optional=T
* resp_fuids: vector of string, log=T, optional=T
* resp_mime_depth: count, log=F, optional=T
* resp_mime_types: vector of string, log=T, optional=T
* response_body_len: count, log=T, optional=T
* status_code: count, log=T, optional=T
* status_msg: string, log=T, optional=T
* tags: set[enum HTTP::Tags], log=T, optional=F
* trans_depth: count, log=T, optional=F
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* uri: string, log=T, optional=T
* user_agent: string, log=T, optional=T
* username: string, log=T, optional=T
* version: string, log=T, optional=T
}
* http_state: record HTTP::State, log=F, optional=T
HTTP::State {
* current_request: count, log=F, optional=T
* current_response: count, log=F, optional=T
* pending: table[count] of record HTTP::Info, log=F, optional=F
HTTP::Info { ... }
* trans_depth: count, log=F, optional=T
}
* id: record conn_id, log=F, optional=F
conn_id { ... }
* inner_vlan: int, log=F, optional=T
* irc: record IRC::Info, log=F, optional=T
IRC::Info {
* addl: string, log=T, optional=T
* command: string, log=T, optional=T
* dcc_file_name: string, log=T, optional=T
* dcc_file_size: count, log=T, optional=T
* dcc_mime_type: string, log=T, optional=T
* fuid: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* nick: string, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* user: string, log=T, optional=T
* value: string, log=T, optional=T
}
* krb: record KRB::Info, log=F, optional=T
KRB::Info {
* cipher: string, log=T, optional=T
* client: string, log=T, optional=T
* client_cert: record Files::Info, log=F, optional=T
Files::Info {
* analyzers: set[string], log=T, optional=T
* depth: count, log=T, optional=T
* duration: interval, log=T, optional=T
* extracted: string, log=T, optional=T
* extracted_cutoff: bool, log=T, optional=T
* extracted_size: count, log=T, optional=T
* filename: string, log=T, optional=T
* fuid: string, log=T, optional=F
* id: record conn_id, log=T, optional=T
conn_id { ... }
* is_orig: bool, log=T, optional=T
* local_orig: bool, log=T, optional=T
* md5: string, log=T, optional=T
* mime_type: string, log=T, optional=T
* missing_bytes: count, log=T, optional=T
* overflow_bytes: count, log=T, optional=T
* parent_fuid: string, log=T, optional=T
* seen_bytes: count, log=T, optional=T
* sha1: string, log=T, optional=T
* sha256: string, log=T, optional=T
* source: string, log=T, optional=T
* timedout: bool, log=T, optional=T
* total_bytes: count, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=T
* x509: record X509::Info, log=F, optional=T
X509::Info {
* basic_constraints: record X509::BasicConstraints, log=T, optional=T
X509::BasicConstraints {
* ca: bool, log=T, optional=F
* path_len: count, log=T, optional=T
}
* certificate: record X509::Certificate, log=T, optional=F
X509::Certificate {
* cn: string, log=F, optional=T
* curve: string, log=T, optional=T
* exponent: string, log=T, optional=T
* issuer: string, log=T, optional=F
* key_alg: string, log=T, optional=F
* key_length: count, log=T, optional=T
* key_type: string, log=T, optional=T
* not_valid_after: time, log=T, optional=F
* not_valid_before: time, log=T, optional=F
* serial: string, log=T, optional=F
* sig_alg: string, log=T, optional=F
* subject: string, log=T, optional=F
* tbs_sig_alg: string, log=F, optional=F
* version: count, log=T, optional=F
}
* client_cert: bool, log=T, optional=T
* deduplication_index: record X509::LogCertHash, log=F, optional=T
X509::LogCertHash {
* client_cert: bool, log=F, optional=F
* fingerprint: string, log=F, optional=F
* host_cert: bool, log=F, optional=F
}
* extensions: vector of record X509::Extension, log=F, optional=T
X509::Extension {
* critical: bool, log=F, optional=F
* name: string, log=F, optional=F
* oid: string, log=F, optional=F
* short_name: string, log=F, optional=T
* value: string, log=F, optional=F
}
* extensions_cache: vector of any, log=F, optional=T
* fingerprint: string, log=T, optional=F
* handle: opaque, log=F, optional=F
* host_cert: bool, log=T, optional=T
* san: record X509::SubjectAlternativeName, log=T, optional=T
X509::SubjectAlternativeName {
* dns: vector of string, log=T, optional=T
* email: vector of string, log=T, optional=T
* ip: vector of addr, log=T, optional=T
* other_fields: bool, log=F, optional=F
* uri: vector of string, log=T, optional=T
}
* ts: time, log=T, optional=F
}
}
* client_cert_fuid: string, log=T, optional=T
* client_cert_subject: string, log=T, optional=T
* error_code: count, log=F, optional=T
* error_msg: string, log=T, optional=T
* forwardable: bool, log=T, optional=T
* from: time, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* logged: bool, log=F, optional=T
* renewable: bool, log=T, optional=T
* request_type: string, log=T, optional=T
* server_cert: record Files::Info, log=F, optional=T
Files::Info { ... }
* server_cert_fuid: string, log=T, optional=T
* server_cert_subject: string, log=T, optional=T
* service: string, log=T, optional=T
* success: bool, log=T, optional=T
* till: time, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* modbus: record Modbus::Info, log=F, optional=T
Modbus::Info {
* exception: string, log=T, optional=T
* func: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* pdu_type: string, log=T, optional=T
* tid: count, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* unit: count, log=T, optional=T
}
* mqtt: record MQTT::ConnectInfo, log=F, optional=T
MQTT::ConnectInfo {
* client_id: string, log=T, optional=T
* connect_status: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* proto_name: string, log=T, optional=T
* proto_version: string, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* will_payload: string, log=T, optional=T
* will_topic: string, log=T, optional=T
}
* mqtt_state: record MQTT::State, log=F, optional=T
MQTT::State {
* publish: table[count] of record MQTT::PublishInfo, log=F, optional=T
MQTT::PublishInfo {
* ack: bool, log=F, optional=T
* comp: bool, log=F, optional=T
* from_client: bool, log=T, optional=F
* id: record conn_id, log=T, optional=F
conn_id { ... }
* payload: string, log=T, optional=F
* payload_len: count, log=T, optional=F
* qos: string, log=T, optional=F
* qos_level: count, log=F, optional=T
* rec: bool, log=F, optional=T
* rel: bool, log=F, optional=T
* retain: bool, log=T, optional=F
* status: string, log=T, optional=T
* topic: string, log=T, optional=F
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* subscribe: table[count] of record MQTT::SubscribeInfo, log=F, optional=T
MQTT::SubscribeInfo {
* ack: bool, log=T, optional=T
* action: enum MQTT::SubUnsub, log=T, optional=F
* granted_qos_level: count, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* qos_levels: vector of count, log=T, optional=T
* topics: vector of string, log=T, optional=F
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
}
* mysql: record MySQL::Info, log=F, optional=T
MySQL::Info {
* arg: string, log=T, optional=F
* cmd: string, log=T, optional=F
* id: record conn_id, log=T, optional=F
conn_id { ... }
* response: string, log=T, optional=T
* rows: count, log=T, optional=T
* success: bool, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* ntlm: record NTLM::Info, log=F, optional=T
NTLM::Info {
* domainname: string, log=T, optional=T
* done: bool, log=F, optional=T
* hostname: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* server_dns_computer_name: string, log=T, optional=T
* server_nb_computer_name: string, log=T, optional=T
* server_tree_name: string, log=T, optional=T
* success: bool, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* username: string, log=T, optional=T
}
* ntp: record NTP::Info, log=F, optional=T
NTP::Info {
* id: record conn_id, log=T, optional=F
conn_id { ... }
* mode: count, log=T, optional=F
* num_exts: count, log=T, optional=T
* org_time: time, log=T, optional=F
* poll: interval, log=T, optional=F
* precision: interval, log=T, optional=F
* rec_time: time, log=T, optional=F
* ref_id: string, log=T, optional=F
* ref_time: time, log=T, optional=F
* root_delay: interval, log=T, optional=F
* root_disp: interval, log=T, optional=F
* stratum: count, log=T, optional=F
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* version: count, log=T, optional=F
* xmt_time: time, log=T, optional=F
}
* orig: record endpoint, log=F, optional=F
endpoint {
* flow_label: count, log=F, optional=F
* l2_addr: string, log=F, optional=T
* num_bytes_ip: count, log=F, optional=T
* num_pkts: count, log=F, optional=T
* size: count, log=F, optional=F
* state: count, log=F, optional=F
}
* radius: record RADIUS::Info, log=F, optional=T
RADIUS::Info {
* connect_info: string, log=T, optional=T
* framed_addr: addr, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* logged: bool, log=F, optional=T
* mac: string, log=T, optional=T
* reply_msg: string, log=T, optional=T
* result: string, log=T, optional=T
* ts: time, log=T, optional=F
* ttl: interval, log=T, optional=T
* tunnel_client: string, log=T, optional=T
* uid: string, log=T, optional=F
* username: string, log=T, optional=T
}
* rdp: record RDP::Info, log=F, optional=T
RDP::Info {
* analyzer_id: count, log=F, optional=T
* cert_count: count, log=T, optional=T
* cert_permanent: bool, log=T, optional=T
* cert_type: string, log=T, optional=T
* client_build: string, log=T, optional=T
* client_channels: vector of string, log=T, optional=T
* client_dig_product_id: string, log=T, optional=T
* client_name: string, log=T, optional=T
* cookie: string, log=T, optional=T
* desktop_height: count, log=T, optional=T
* desktop_width: count, log=T, optional=T
* done: bool, log=F, optional=T
* encryption_level: string, log=T, optional=T
* encryption_method: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* keyboard_layout: string, log=T, optional=T
* requested_color_depth: string, log=T, optional=T
* result: string, log=T, optional=T
* security_protocol: string, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* removal_hooks: set[func], log=F, optional=T
* resp: record endpoint, log=F, optional=F
endpoint { ... }
* rfb: record RFB::Info, log=F, optional=T
RFB::Info {
* auth: bool, log=T, optional=T
* authentication_method: string, log=T, optional=T
* client_major_version: string, log=T, optional=T
* client_minor_version: string, log=T, optional=T
* desktop_name: string, log=T, optional=T
* done: bool, log=F, optional=T
* height: count, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* server_major_version: string, log=T, optional=T
* server_minor_version: string, log=T, optional=T
* share_flag: bool, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* width: count, log=T, optional=T
}
* service: set[string], log=F, optional=F
* service_violation: set[string], log=F, optional=T
* sip: record SIP::Info, log=F, optional=T
SIP::Info {
* call_id: string, log=T, optional=T
* content_type: string, log=T, optional=T
* date: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* method: string, log=T, optional=T
* reply_to: string, log=T, optional=T
* request_body_len: count, log=T, optional=T
* request_from: string, log=T, optional=T
* request_path: vector of string, log=T, optional=T
* request_to: string, log=T, optional=T
* response_body_len: count, log=T, optional=T
* response_from: string, log=T, optional=T
* response_path: vector of string, log=T, optional=T
* response_to: string, log=T, optional=T
* seq: string, log=T, optional=T
* status_code: count, log=T, optional=T
* status_msg: string, log=T, optional=T
* subject: string, log=T, optional=T
* trans_depth: count, log=T, optional=F
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* uri: string, log=T, optional=T
* user_agent: string, log=T, optional=T
* warning: string, log=T, optional=T
}
* sip_state: record SIP::State, log=F, optional=T
SIP::State {
* current_request: count, log=F, optional=T
* current_response: count, log=F, optional=T
* pending: table[count] of record SIP::Info, log=F, optional=F
SIP::Info { ... }
}
* smb_state: record SMB::State, log=F, optional=T
SMB::State {
* current_cmd: record SMB::CmdInfo, log=F, optional=T
SMB::CmdInfo {
* argument: string, log=T, optional=T
* command: string, log=T, optional=F
* id: record conn_id, log=T, optional=F
conn_id { ... }
* referenced_file: record SMB::FileInfo, log=T, optional=T
SMB::FileInfo {
* action: enum SMB::Action, log=T, optional=T
* fid: count, log=F, optional=T
* fuid: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* name: string, log=T, optional=T
* path: string, log=T, optional=T
* prev_name: string, log=T, optional=T
* size: count, log=T, optional=T
* times: record SMB::MACTimes, log=T, optional=T
SMB::MACTimes {
* accessed: time, log=T, optional=F
* accessed_raw: count, log=F, optional=F
* changed: time, log=T, optional=F
* changed_raw: count, log=F, optional=F
* created: time, log=T, optional=F
* created_raw: count, log=F, optional=F
* modified: time, log=T, optional=F
* modified_raw: count, log=F, optional=F
}
* ts: time, log=T, optional=T
* uid: string, log=T, optional=F
* uuid: string, log=F, optional=T
}
* referenced_tree: record SMB::TreeInfo, log=F, optional=T
SMB::TreeInfo {
* id: record conn_id, log=T, optional=F
conn_id { ... }
* native_file_system: string, log=T, optional=T
* path: string, log=T, optional=T
* service: string, log=T, optional=T
* share_type: string, log=T, optional=T
* ts: time, log=T, optional=T
* uid: string, log=T, optional=F
}
* rtt: interval, log=T, optional=T
* smb1_offered_dialects: vector of string, log=F, optional=T
* smb2_create_options: count, log=F, optional=T
* smb2_offered_dialects: vector of count, log=F, optional=T
* status: string, log=T, optional=T
* sub_command: string, log=T, optional=T
* tree: string, log=T, optional=T
* tree_service: string, log=T, optional=T
* ts: time, log=T, optional=T
* uid: string, log=T, optional=F
* username: string, log=T, optional=T
* version: string, log=T, optional=F
}
* current_file: record SMB::FileInfo, log=F, optional=T
SMB::FileInfo { ... }
* current_tree: record SMB::TreeInfo, log=F, optional=T
SMB::TreeInfo { ... }
* fid_map: table[count] of record SMB::FileInfo, log=F, optional=T
SMB::FileInfo { ... }
* pending_cmds: table[count] of record SMB::CmdInfo, log=F, optional=T
SMB::CmdInfo { ... }
* pipe_map: table[count] of string, log=F, optional=T
* recent_files: set[string], log=F, optional=T
* tid_map: table[count] of record SMB::TreeInfo, log=F, optional=T
SMB::TreeInfo { ... }
}
* smtp: record SMTP::Info, log=F, optional=T
SMTP::Info {
* cc: set[string], log=T, optional=T
* date: string, log=T, optional=T
* entity: record SMTP::Entity, log=F, optional=T
SMTP::Entity {
* filename: string, log=F, optional=T
}
* entity_count: count, log=F, optional=T
* first_received: string, log=T, optional=T
* from: string, log=T, optional=T
* fuids: vector of string, log=T, optional=T
* has_client_activity: bool, log=F, optional=T
* helo: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* in_reply_to: string, log=T, optional=T
* last_reply: string, log=T, optional=T
* mailfrom: string, log=T, optional=T
* msg_id: string, log=T, optional=T
* path: vector of addr, log=T, optional=T
* process_received_from: bool, log=F, optional=T
* process_smtp_headers: bool, log=F, optional=T
* rcptto: set[string], log=T, optional=T
* reply_to: string, log=T, optional=T
* second_received: string, log=T, optional=T
* subject: string, log=T, optional=T
* tls: bool, log=T, optional=T
* to: set[string], log=T, optional=T
* trans_depth: count, log=T, optional=F
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* user_agent: string, log=T, optional=T
* x_originating_ip: addr, log=T, optional=T
}
* smtp_state: record SMTP::State, log=F, optional=T
SMTP::State {
* analyzer_id: count, log=F, optional=T
* helo: string, log=F, optional=T
* invalid_transactions: count, log=F, optional=T
* messages_transferred: count, log=F, optional=T
* mime_depth: count, log=F, optional=T
* pending_messages: set[record SMTP::Info], log=F, optional=T
SMTP::Info] {
}
* trans_mail_from_seen: bool, log=F, optional=T
* trans_rcpt_to_seen: bool, log=F, optional=T
}
* snmp: record SNMP::Info, log=F, optional=T
SNMP::Info {
* community: string, log=T, optional=T
* display_string: string, log=T, optional=T
* duration: interval, log=T, optional=T
* get_bulk_requests: count, log=T, optional=T
* get_requests: count, log=T, optional=T
* get_responses: count, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* set_requests: count, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* up_since: time, log=T, optional=T
* version: string, log=T, optional=F
}
* socks: record SOCKS::Info, log=F, optional=T
SOCKS::Info {
* bound: record SOCKS::Address, log=T, optional=T
SOCKS::Address {
* host: addr, log=T, optional=T
* name: string, log=T, optional=T
}
* bound_p: port, log=T, optional=T
* capture_password: bool, log=F, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* password: string, log=T, optional=T
* request: record SOCKS::Address, log=T, optional=T
SOCKS::Address { ... }
* request_p: port, log=T, optional=T
* status: string, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* user: string, log=T, optional=T
* version: count, log=T, optional=F
}
* ssh: record SSH::Info, log=F, optional=T
SSH::Info {
* analyzer_id: count, log=F, optional=T
* auth_attempts: count, log=T, optional=T
* auth_success: bool, log=T, optional=T
* capabilities: record SSH::Capabilities, log=F, optional=T
SSH::Capabilities {
* compression_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F
SSH::Algorithm_Prefs {
* client_to_server: vector of string, log=F, optional=T
* server_to_client: vector of string, log=F, optional=T
}
* encryption_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F
SSH::Algorithm_Prefs { ... }
* is_server: bool, log=F, optional=F
* kex_algorithms: vector of string, log=F, optional=F
* languages: record SSH::Algorithm_Prefs, log=F, optional=T
SSH::Algorithm_Prefs { ... }
* mac_algorithms: record SSH::Algorithm_Prefs, log=F, optional=F
SSH::Algorithm_Prefs { ... }
* server_host_key_algorithms: vector of string, log=F, optional=F
}
* cipher_alg: string, log=T, optional=T
* client: string, log=T, optional=T
* compression_alg: string, log=T, optional=T
* direction: enum Direction, log=T, optional=T
* host_key: string, log=T, optional=T
* host_key_alg: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* kex_alg: string, log=T, optional=T
* logged: bool, log=F, optional=T
* mac_alg: string, log=T, optional=T
* server: string, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* version: count, log=T, optional=T
}
* ssl: record SSL::Info, log=F, optional=T
SSL::Info {
* analyzer_id: count, log=F, optional=T
* cert_chain: vector of record Files::Info, log=F, optional=T
Files::Info { ... }
* cert_chain_fps: vector of string, log=T, optional=T
* cipher: string, log=T, optional=T
* client_cert_chain: vector of record Files::Info, log=F, optional=T
Files::Info { ... }
* client_cert_chain_fps: vector of string, log=T, optional=T
* client_depth: count, log=F, optional=T
* client_issuer: string, log=T, optional=T
* client_key_exchange_seen: bool, log=F, optional=T
* client_psk_seen: bool, log=F, optional=T
* client_subject: string, log=T, optional=T
* client_ticket_empty_session_seen: bool, log=F, optional=T
* curve: string, log=T, optional=T
* delay_tokens: set[string], log=F, optional=T
* established: bool, log=T, optional=T
* hrr_seen: bool, log=F, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* issuer: string, log=T, optional=T
* last_alert: string, log=T, optional=T
* logged: bool, log=F, optional=T
* next_protocol: string, log=T, optional=T
* resumed: bool, log=T, optional=T
* server_depth: count, log=F, optional=T
* server_name: string, log=T, optional=T
* session_id: string, log=F, optional=T
* sni_matches_cert: bool, log=T, optional=T
* ssl_history: string, log=T, optional=T
* subject: string, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* version: string, log=T, optional=T
* version_num: count, log=F, optional=T
}
* start_time: time, log=F, optional=F
* syslog: record Syslog::Info, log=F, optional=T
Syslog::Info {
* facility: string, log=T, optional=F
* id: record conn_id, log=T, optional=F
conn_id { ... }
* message: string, log=T, optional=F
* proto: enum transport_proto, log=T, optional=F
* severity: string, log=T, optional=F
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
}
* thresholds: record ConnThreshold::Thresholds, log=F, optional=T
ConnThreshold::Thresholds {
* duration: set[interval], log=F, optional=T
* orig_byte: set[count], log=F, optional=T
* orig_packet: set[count], log=F, optional=T
* resp_byte: set[count], log=F, optional=T
* resp_packet: set[count], log=F, optional=T
}
* tunnel: vector of record Tunnel::EncapsulatingConn, log=F, optional=T
Tunnel::EncapsulatingConn {
* cid: record conn_id, log=T, optional=F
conn_id { ... }
* tunnel_type: enum Tunnel::Type, log=T, optional=F
* uid: string, log=T, optional=T
}
* uid: string, log=F, optional=F
* vlan: int, log=F, optional=T
}

72
testing/btest/coverage/record-fields.zeek Normal file
View file

@ -0,0 +1,72 @@
# @TEST-DOC: Output interesting record types in bare and default mode recursively. Currently just the connection record type.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b %INPUT >out.bare
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out.bare
# @TEST-EXEC: zeek %INPUT >out.default
# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out.default
global record_types_seen: set[string];
# Given a type_name string from a field, extract all record type names.
#
# For example, `table[record conn_id] of record Conn::Info` yields `[conn_id, Conn::Info]`.
#
function extract_record_type_names(tn: string): vector of string
{
local names: vector of string;
while ( /.*record [^ ] ?/ in tn )
{
tn = gsub(tn, /.*record /, ""); # strip leading 'record '
local parts = split_string1(tn, / ?/);
names += parts[0];
if ( |parts| == 1 )
break;
tn = parts[1];
}
return names;
}
function render_field(name: string, fr: record_field): string
{
return fmt("%s: %s, log=%s, optional=%s", name, fr$type_name, fr$log, fr$optional);
}
function print_record_type(indent: string, rt: any)
{
local field_names: vector of string;
local fields = record_fields(rt);
for ( fn, _ in fields )
field_names += fn;
sort(field_names, strcmp);
print fmt("%s%s {", indent, rt);
for ( _, fn in field_names )
{
local fr = fields[fn];
print fmt("%s * %s", indent, render_field(fn, fr));
# Recurse into record types of the field and print those as well.
for ( _, frt in extract_record_type_names(fr$type_name) )
{
if ( frt in record_types_seen )
print fmt("%s %s { ... }", indent, frt);
else
{
add record_types_seen[frt];
print_record_type(indent + " ", frt);
}
}
}
print fmt("%s }", indent);
}
event zeek_init()
{
print zeek_args();
print_record_type("", "connection");
}