diff --git a/scripts/base/frameworks/notice/actions/email_admin.zeek b/scripts/base/frameworks/notice/actions/email_admin.zeek index 16083760e8..34d8d3cfe1 100644 --- a/scripts/base/frameworks/notice/actions/email_admin.zeek +++ b/scripts/base/frameworks/notice/actions/email_admin.zeek @@ -35,11 +35,6 @@ hook notice(n: Notice::Info) } if ( email != "" ) - { - if ( ! n?$email_dest ) - n$email_dest = set(); - add n$email_dest[email]; - } } } diff --git a/scripts/base/frameworks/notice/actions/page.zeek b/scripts/base/frameworks/notice/actions/page.zeek index 34019b9e45..f682947201 100644 --- a/scripts/base/frameworks/notice/actions/page.zeek +++ b/scripts/base/frameworks/notice/actions/page.zeek @@ -20,10 +20,5 @@ export { hook notice(n: Notice::Info) { if ( ACTION_PAGE in n$actions ) - { - if ( ! n?$email_dest ) - n$email_dest = set(); - add n$email_dest[mail_page_dest]; - } } diff --git a/scripts/base/frameworks/notice/main.zeek b/scripts/base/frameworks/notice/main.zeek index 523fbb7df3..09e3749d2f 100644 --- a/scripts/base/frameworks/notice/main.zeek +++ b/scripts/base/frameworks/notice/main.zeek @@ -137,7 +137,7 @@ export { actions: ActionSet &log &default=ActionSet(); ## The email address(es) where to send this notice - email_dest: set[string] &log &optional; + email_dest: set[string] &log &default=set(); ## By adding chunks of text into this element, other scripts ## can expand on notices that are being emailed. The normal @@ -516,19 +516,13 @@ hook Notice::policy(n: Notice::Info) &priority=10 hook Notice::notice(n: Notice::Info) { if ( ACTION_EMAIL in n$actions ) - { - if ( ! n?$email_dest ) - n$email_dest = set(); - add n$email_dest[mail_dest]; - } } hook Notice::notice(n: Notice::Info) &priority=-5 { - if ( n?$email_dest ) - for ( dest in n$email_dest ) - email_notice_to(n, dest, T); + for ( dest in n$email_dest ) + email_notice_to(n, dest, T); if ( ACTION_LOG in n$actions ) Log::write(Notice::LOG, n); diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output index 4af4b68096..a27a98e66e 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output @@ -21,6 +21,6 @@ XXXXXXXXXX.XXXXXX - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE zeek Intel::ADDR sourc #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - Intel::Notice Intel hit on 1.2.3.4 at SOMEWHERE 1.2.3.4 - - - - - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Intel::Notice Intel hit on 4.3.2.1 at SOMEWHERE 4.3.2.1 - - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Intel::Notice Intel hit on 1.2.3.4 at SOMEWHERE 1.2.3.4 - - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Intel::Notice Intel hit on 4.3.2.1 at SOMEWHERE 4.3.2.1 - - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log index a9507f208d..cc7cb78d58 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Test_Notice test notice! - - - - - worker-1 Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log index 932432eda1..322c2ce2eb 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Test_Notice test notice! - - - - - worker-2 Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log index faeb03cb5f..6c5a498880 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - Test_Notice test - - - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Test_Notice test - - - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log index bead40866f..84d04a7971 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 - - - tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 - - - tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log index f33b35d3c7..541ed24e6d 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log @@ -7,11 +7,11 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 127.0.0.1 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 127.0.0.1 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log index 8f7b5f5066..e9f1e97af0 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log @@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Vulnerable_Version 1.2.3.4 is running Java 1.7.0.15 which is vulnerable. Java 1.7.0.15 1.2.3.4 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Vulnerable_Version 1.2.3.5 is running Java 1.6.0.43 which is vulnerable. Java 1.6.0.43 1.2.3.5 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Vulnerable_Version 1.2.3.4 is running Java 1.7.0.15 which is vulnerable. Java 1.7.0.15 1.2.3.4 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Vulnerable_Version 1.2.3.5 is running Java 1.6.0.43 which is vulnerable. Java 1.6.0.43 1.2.3.5 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.misc.capture-loss/notice.log b/testing/btest/Baseline/scripts.policy.misc.capture-loss/notice.log index e8d0bb9319..4679b46cce 100644 --- a/testing/btest/Baseline/scripts.policy.misc.capture-loss/notice.log +++ b/testing/btest/Baseline/scripts.policy.misc.capture-loss/notice.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - CaptureLoss::Too_Little_Traffic Only observed 0 TCP ACKs and was expecting at least 1. - - - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - CaptureLoss::Too_Little_Traffic Only observed 0 TCP ACKs and was expecting at least 1. - - - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log index be9974c985..a61d5516f8 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log index 353d8cd185..90e7d30143 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log @@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 FDiucV3BOTYQ5gNgwb - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.4.149 60540 122.1.240.204 443 FxC5Iy4Ds1GrAC8Wi4 - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 FDiucV3BOTYQ5gNgwb - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.4.149 60540 122.1.240.204 443 FxC5Iy4Ds1GrAC8Wi4 - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log index 09970b7acf..1ceb94cfbe 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log @@ -7,7 +7,7 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log index dab76fff92..0106c7ee75 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log @@ -7,7 +7,7 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log index e50370eb5a..26e54341b3 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log index 17b2ebf35c..47d5e3f223 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log @@ -7,6 +7,6 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG - 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log index 75d652bef5..86f922af7b 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 46592 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 162.219.2.166 443 - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 46592 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log index 759dcc49f1..cbaf1096a3 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log @@ -7,9 +7,9 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , @@ -19,7 +19,7 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tcp SSL::Old_Version Host uses protocol version SSLv2 which is lower than the safe minimum TLSv10 - 192.168.4.149 91.227.4.92 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tcp SSL::Old_Version Host uses protocol version SSLv2 which is lower than the safe minimum TLSv10 - 192.168.4.149 91.227.4.92 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , @@ -29,6 +29,6 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tc #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG (empty) 86400.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 145dffc1b6..c795769d96 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -b185dbd56445bb56c4791977dfe16319582a2f41 +6981d441611732423f95f2f106034bb8f9df5377 diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 379bc95566..1ef1273329 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -1c819a03c65474cef6d7fe0192e54147f050d78c +87a8b70c109b3dde01805fe95a6fba19033ccd85