Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'master' into topic/tunnels

Browse source 
Conflicts:
	scripts/base/init-bare.bro
This commit is contained in:
Jon Siwek 2012-06-06 14:53:57 -05:00
commit 9ddb70b109
154 changed files with 1900 additions and 95 deletions
Download patch file Download diff file Expand all files Collapse all files

32
CHANGES
View file

@ -1,4 +1,36 @@
2.0-598 | 2012-06-06 11:47:00 -0700
* Add @load-sigs directive for loading signature files (addresses
#551). This can be used to load signatures relative to the current
scripts (e.g., "@load-sigs ./foo.sig"). (Jon Siwek)
2.0-596 | 2012-06-06 11:41:00 -0700
* Fixes for some BiFs and their documentation. (Daniel Thayer)
* Many new unit tests for BiFs. (Daniel Thayer)
2.0-579 | 2012-06-06 11:04:46 -0700
* Memory leak fixes for bad usages of VectorVal ctor. (Jon Siwek)
* Fixed a bug with the MIME analyzer not removing whitespace on
wrapped headers. (Seth Hall)
* Change Input::update_finished lookup to happen at init time. (Jon Siwek)
* Fix going through the internal_handler() function which will now
set the event as "used" (i.e. it's marked as being raised
somewhere). Addresses #823. (Jon Siwek)
* Fix format specifier on RemoteSerializer::Connect. This caused
32-bit systems to show a warning at compile-time, and fail when
connecting to peers. (Jon Siwek)
* Fixes for running tests in parallel. (Robin Sommer)
2.0-571 | 2012-05-30 19:12:43 -0700
* Updating submodule(s).

5
NEWS
View file

@ -55,6 +55,11 @@ Bro 2.1
of that script, you need to adapt it. See the shipped version for
details.
- Signature files can now be loaded via the new "@load-sigs"
directive. In contrast to the existing (and still supported)
signature_files constant, this can be used to load signatures
relative to the current script (e.g., "@load-sigs ./foo.sig").
TODO: Extend.
Bro 2.0

2
VERSION
View file

@ -1 +1 @@
2.0-571
2.0-598

2
aux/broctl

@ -1 +1 @@
Subproject commit 892b60edb967bb456872638f22ba994e84530137
Subproject commit 589cb04c3d7e28a81aa07454e2b9b6b092f0e1af

19
doc/signatures.rst
View file

@ -51,13 +51,18 @@ This script contains a default event handler that raises
:bro:enum:`Signatures::Sensitive_Signature` :doc:`Notices <notice>`
(as well as others; see the beginning of the script).
As signatures are independent of Bro's policy scripts, they are put
into their own file(s). There are two ways to specify which files
contain signatures: By using the ``-s`` flag when you invoke Bro, or
by extending the Bro variable :bro:id:`signature_files` using the ``+=``
operator. If a signature file is given without a path, it is searched
along the normal ``BROPATH``. The default extension of the file name
is ``.sig``, and Bro appends that automatically when necessary.
As signatures are independent of Bro's policy scripts, they are put into
their own file(s). There are three ways to specify which files contain
signatures: By using the ``-s`` flag when you invoke Bro, or by
extending the Bro variable :bro:id:`signature_files` using the ``+=``
operator, or by using the ``@load-sigs`` directive inside a Bro script.
If a signature file is given without a full path, it is searched for
along the normal ``BROPATH``. Additionally, the ``@load-sigs``
directive can be used to load signature files in a path relative to the
Bro script in which it's placed, e.g. ``@load-sigs ./mysigs.sig`` will
expect that signature file in the same directory as the Bro script. The
default extension of the file name is ``.sig``, and Bro appends that
automatically when necessary.
Signature language
==================

3
scripts/base/frameworks/dpd/main.bro
View file

@ -3,8 +3,7 @@
module DPD;
## Add the DPD signatures to the signature framework.
redef signature_files += "base/frameworks/dpd/dpd.sig";
@load-sigs ./dpd.sig
export {
## Add the DPD logging stream identifier.

11
scripts/base/init-bare.bro
View file

@ -647,7 +647,9 @@ function add_signature_file(sold: string, snew: string): string
}
## Signature files to read. Use ``redef signature_files += "foo.sig"`` to
## extend. Signature files will be searched relative to ``BROPATH``.
## extend. Signature files added this way will be searched relative to
## ``BROPATH``. Using the ``@load-sigs`` directive instead is preferred
## since that can search paths relative to the current script.
global signature_files = "" &add_func = add_signature_file;
## ``p0f`` fingerprint file to use. Will be searched relative to ``BROPATH``.
@ -996,6 +998,9 @@ type ip6_option: record {
data: string; ##< Option data.
};
## A type alias for a vector of IPv6 options.
type ip6_options: vector of ip6_option;
## Values extracted from an IPv6 Hop-by-Hop options extension header.
##
## .. bro:see:: pkt_hdr ip4_hdr ip6_hdr ip6_ext_hdr ip6_option
@ -1006,7 +1011,7 @@ type ip6_hopopts: record {
## Length of header in 8-octet units, excluding first unit.
len: count;
## The TLV encoded options;
options: vector of ip6_option;
options: ip6_options;
};
## Values extracted from an IPv6 Destination options extension header.
@ -1019,7 +1024,7 @@ type ip6_dstopts: record {
## Length of header in 8-octet units, excluding first unit.
len: count;
## The TLV encoded options;
options: vector of ip6_option;
options: ip6_options;
};
## Values extracted from an IPv6 Routing extension header.

3
scripts/base/protocols/http/file-ident.bro
View file

@ -6,7 +6,8 @@
@load ./utils
# Add the magic number signatures to the core signature set.
redef signature_files += "base/protocols/http/file-ident.sig";
@load-sigs ./file-ident.sig
# Ignore the signatures used to match files
redef Signatures::ignored_ids += /^matchfile-/;

3
scripts/policy/protocols/http/detect-webapps.bro
View file

@ -4,9 +4,10 @@
@load base/frameworks/software
@load base/protocols/http
@load-sigs ./detect-webapps.sig
module HTTP;
redef signature_files += "protocols/http/detect-webapps.sig";
# Ignore the signatures used to match webapps
redef Signatures::ignored_ids += /^webapp-/;

2
scripts/site/local.bro
View file

@ -25,7 +25,7 @@ redef Software::vulnerable_versions += {
@load frameworks/software/version-changes
# This adds signatures to detect cleartext forward and reverse windows shells.
redef signature_files += "frameworks/signatures/detect-windows-shells.sig";
@load-sigs frameworks/signatures/detect-windows-shells
# Uncomment the following line to begin receiving (by default hourly) emails
# containing all of your notices.

9
src/IP.cc
View file

@ -36,13 +36,12 @@ static inline RecordType* hdrType(RecordType*& type, const char* name)
static VectorVal* BuildOptionsVal(const u_char* data, int len)
{
VectorVal* vv = new VectorVal(new VectorType(
hdrType(ip6_option_type, "ip6_option")->Ref()));
VectorVal* vv = new VectorVal(internal_type("ip6_options")->AsVectorType());
while ( len > 0 )
{
const struct ip6_opt* opt = (const struct ip6_opt*) data;
RecordVal* rv = new RecordVal(ip6_option_type);
RecordVal* rv = new RecordVal(hdrType(ip6_option_type, "ip6_option"));
rv->Assign(0, new Val(opt->ip6o_type, TYPE_COUNT));
if ( opt->ip6o_type == 0 )
@ -87,8 +86,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
rv->Assign(5, new AddrVal(IPAddr(ip6->ip6_src)));
rv->Assign(6, new AddrVal(IPAddr(ip6->ip6_dst)));
if ( ! chain )
chain = new VectorVal(new VectorType(
hdrType(ip6_ext_hdr_type, "ip6_ext_hdr")->Ref()));
chain = new VectorVal(
internal_type("ip6_ext_hdr_chain")->AsVectorType());
rv->Assign(7, chain);
}
break;

1
src/Net.cc
View file

@ -69,6 +69,7 @@ PktSrc* current_pktsrc = 0;
IOSource* current_iosrc;
std::list<ScannedFile> files_scanned;
std::vector<string> sig_files;
RETSIGTYPE watchdog(int /* signo */)
{

1
src/Net.h
View file

@ -111,5 +111,6 @@ struct ScannedFile {
};
extern std::list<ScannedFile> files_scanned;
extern std::vector<string> sig_files;
#endif

10
src/Type.cc
View file

@ -1467,6 +1467,16 @@ bool VectorType::DoUnserialize(UnserialInfo* info)
return yield_type != 0;
}
void VectorType::Describe(ODesc* d) const
{
if ( d->IsReadable() )
d->AddSP("vector of");
else
d->Add(int(Tag()));
yield_type->Describe(d);
}
BroType* base_type(TypeTag tag)
{
static BroType* base_types[NUM_TYPES];

2
src/Type.h
View file

@ -564,6 +564,8 @@ public:
// gets using an empty "vector()" constructor.
bool IsUnspecifiedVector() const;
void Describe(ODesc* d) const;
protected:
VectorType() { yield_type = 0; }

86
src/bro.bif
View file

@ -466,17 +466,18 @@ function system%(str: string%): int
##
## str: The command to execute.
##
## env: A :bro:type:`set` or :bro:type:`table` with the environment variables
## in the form of key-value pairs (where the value is optional).
## env: A :bro:type:`table` with the environment variables in the form
## of key-value pairs. Each specified environment variable name
## will be automatically prepended with ``BRO_ARG_``.
##
## Returns: The return value from the OS ``system`` function.
##
## .. bro:see:: system str_shell_escape piped_exec
function system_env%(str: string, env: any%): int
function system_env%(str: string, env: table_string_of_string%): int
%{
if ( env->Type()->Tag() != TYPE_TABLE )
{
builtin_error("system_env() requires a table/set argument");
builtin_error("system_env() requires a table argument");
return new Val(-1, TYPE_INT);
}
@ -1422,12 +1423,15 @@ bool indirect_int_sort_function(int a, int b)
## Sorts a vector in place. The second argument is a comparison function that
## takes two arguments: if the vector type is ``vector of T``, then the
## comparison function must be ``function(a: T, b: T): bool``, which returns
## ``a < b`` for some type-specific notion of the less-than operator.
## comparison function must be ``function(a: T, b: T): int``, which returns
## a value less than zero if ``a < b`` for some type-specific notion of the
## less-than operator. The comparison function is optional if the type
## is an integral type (int, count, etc.).
##
## v: The vector instance to sort.
##
## Returns: The original vector.
## Returns: The vector, sorted from minimum to maximum value. If the vector
## could not be sorted, then the original vector is returned instead.
##
## .. bro:see:: order
function sort%(v: any, ...%) : any
@ -1494,8 +1498,8 @@ function sort%(v: any, ...%) : any
## .. bro:see:: sort
function order%(v: any, ...%) : index_vec
%{
VectorVal* result_v =
new VectorVal(new VectorType(base_type(TYPE_COUNT)));
VectorVal* result_v = new VectorVal(
internal_type("index_vec")->AsVectorType());
if ( v->Type()->Tag() != TYPE_VECTOR )
{
@ -1522,13 +1526,13 @@ function order%(v: any, ...%) : index_vec
}
if ( ! comp && ! IsIntegral(elt_type->Tag()) )
builtin_error("comparison function required for sort() with non-integral types");
builtin_error("comparison function required for order() with non-integral types");
vector<Val*>& vv = *v->AsVector();
int n = vv.size();
// Set up initial mapping of indices directly to corresponding
// elements. We stay zero-based until after the sorting.
// elements.
vector<int> ind_vv(n);
index_map = new Val*[n];
int i;
@ -1544,7 +1548,7 @@ function order%(v: any, ...%) : index_vec
if ( comp_type->YieldType()->Tag() != TYPE_INT ||
! comp_type->ArgTypes()->AllMatch(elt_type, 0) )
{
builtin_error("invalid comparison function in call to sort()");
builtin_error("invalid comparison function in call to order()");
return v;
}
@ -1558,8 +1562,7 @@ function order%(v: any, ...%) : index_vec
delete [] index_map;
index_map = 0;
// Now spin through ind_vv to read out the rearrangement,
// adjusting indices as we do so.
// Now spin through ind_vv to read out the rearrangement.
for ( i = 0; i < n; ++i )
{
int ind = ind_vv[i];
@ -1649,7 +1652,7 @@ function cat_sep%(sep: string, def: string, ...%): string
##
## - ``.``: Precision of floating point specifiers ``[efg]`` (< 128)
##
## - ``A``: Escape NUL bytes, i.e., replace ``0`` with ``\0``
## - ``A``: Escape only NUL bytes (each one replaced with ``\0``) in a string
##
## - ``[DTdxsefg]``: Format specifier
##
@ -1661,15 +1664,14 @@ function cat_sep%(sep: string, def: string, ...%): string
## - ``x``: Unsigned hexadecimal (using C-style ``%llx``);
## addresses/ports are converted to host-byte order
##
## - ``s``: Escaped string
## - ``s``: String (byte values less than 32 or greater than 126
## will be escaped)
##
## - ``[efg]``: Double
##
## Returns: Given no arguments, :bro:id:`fmt` returns an empty string. Given a
## non-string first argument, :bro:id:`fmt` returns the concatenation
## of all its arguments, per :bro:id:`cat`. Finally, given the wrong
## number of additional arguments for the given format specifier,
## :bro:id:`fmt` generates a run-time error.
## Returns: Returns the formatted string. Given no arguments, :bro:id:`fmt`. Given
## no format string or the wrong number of additional arguments for the
## given format specifier, :bro:id:`fmt` generates a run-time error.
##
## .. bro:see:: cat cat_sep string_cat cat_string_array cat_string_array_n
function fmt%(...%): string
@ -1678,8 +1680,9 @@ function fmt%(...%): string
return new StringVal("");
Val* fmt_v = @ARG@[0];
if ( fmt_v->Type()->Tag() != TYPE_STRING )
return bro_cat(frame, @ARGS@);
// Type of fmt_v will be string here, check_built_in_call() in Func.cc
// checks that.
const char* fmt = fmt_v->AsString()->CheckString();
ODesc d;
@ -1689,10 +1692,16 @@ function fmt%(...%): string
;
if ( n < @ARGC@ - 1 )
{
builtin_error("too many arguments for format", fmt_v);
return new StringVal("");
}
else if ( n >= @ARGC@ )
{
builtin_error("too few arguments for format", fmt_v);
return new StringVal("");
}
BroString* s = new BroString(1, d.TakeBytes(), d.Len());
s->SetUseFreeToDelete(true);
@ -2331,7 +2340,7 @@ function is_v6_addr%(a: addr%): bool
## Returns: The vector of addresses contained in the routing header data.
function routing0_data_to_addrs%(s: string%): addr_vec
%{
VectorVal* rval = new VectorVal(new VectorType(base_type(TYPE_ADDR)));
VectorVal* rval = new VectorVal(internal_type("addr_vec")->AsVectorType());
int len = s->Len();
const u_char* bytes = s->Bytes();
@ -2362,7 +2371,7 @@ function routing0_data_to_addrs%(s: string%): addr_vec
## .. bro:see:: counts_to_addr
function addr_to_counts%(a: addr%): index_vec
%{
VectorVal* rval = new VectorVal(new VectorType(base_type(TYPE_COUNT)));
VectorVal* rval = new VectorVal(internal_type("index_vec")->AsVectorType());
const uint32* bytes;
int len = a->AsAddr().GetBytes(&bytes);
@ -2670,7 +2679,7 @@ function to_port%(s: string%): port
##
## Returns: The IP address corresponding to *s*.
##
## .. bro:see:: addr_to_ptr_name parse_dotted_addr
## .. bro:see:: addr_to_ptr_name to_addr
function ptr_name_to_addr%(s: string%): addr
%{
if ( s->Len() != 72 )
@ -2734,27 +2743,12 @@ function ptr_name_to_addr%(s: string%): addr
##
## Returns: The reverse pointer representation of *a*.
##
## .. bro:see:: ptr_name_to_addr parse_dotted_addr
## .. bro:see:: ptr_name_to_addr to_addr
function addr_to_ptr_name%(a: addr%): string
%{
return new StringVal(a->AsAddr().PtrName().c_str());
%}
# Transforms n0.n1.n2.n3 -> addr.
## Converts a decimal dotted IP address in a :bro:type:`string` to an
## :bro:type:`addr` type.
##
## s: The IP address in the form ``n0.n1.n2.n3``.
##
## Returns: The IP address as type :bro:type:`addr`.
##
## .. bro:see:: addr_to_ptr_name parse_dotted_addr
function parse_dotted_addr%(s: string%): addr
%{
IPAddr a(s->CheckString());
return new AddrVal(a);
%}
%%{
static Val* parse_port(const char* line)
@ -5659,6 +5653,14 @@ function match_signatures%(c: connection, pattern_type: int, s: string,
#
# ===========================================================================
## Deprecated. Will be removed.
function parse_dotted_addr%(s: string%): addr
%{
IPAddr a(s->CheckString());
return new AddrVal(a);
%}
%%{
#include "Anon.h"
%%}

4
src/main.cc
View file

@ -838,6 +838,10 @@ int main(int argc, char** argv)
if ( *s )
rule_files.append(s);
// Append signature files defined in @load-sigs
for ( size_t i = 0; i < sig_files.size(); ++i )
rule_files.append(copy_string(sig_files[i].c_str()));
if ( rule_files.length() > 0 )
{
rule_matcher = new RuleMatcher(RE_level);

16
src/scan.l
View file

@ -358,6 +358,22 @@ when return TOK_WHEN;
(void) load_files(new_file);
}
@load-sigs{WS}{FILE} {
const char* new_sig_file = skip_whitespace(yytext + 10);
const char* full_filename = 0;
FILE* f = search_for_file(new_sig_file, "sig", &full_filename, false, 0);
if ( f )
{
sig_files.push_back(full_filename);
fclose(f);
delete [] full_filename;
}
else
reporter->Error("failed to find file associated with @load-sigs %s",
new_sig_file);
}
@unload{WS}{FILE} {
// Skip "@unload".
const char* new_file = skip_whitespace(yytext + 7);

6
src/strings.bif
View file

@ -175,7 +175,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string
if ( i > 0 )
d.Add(sep->CheckString(), 0);
v->Lookup(i+1)->Describe(&d);
v->Lookup(i)->Describe(&d);
}
BroString* s = new BroString(1, d.TakeBytes(), d.Len());
@ -875,8 +875,8 @@ function str_split%(s: string, idx: index_vec%): string_vec
indices[i] = (*idx_v)[i]->AsCount();
BroString::Vec* result = s->AsString()->Split(indices);
VectorVal* result_v =
new VectorVal(new VectorType(base_type(TYPE_STRING)));
VectorVal* result_v = new VectorVal(
internal_type("string_vec")->AsVectorType());
if ( result )
{

3
testing/btest/Baseline/bifs.all_set/out Normal file
View file

@ -0,0 +1,3 @@
F
F
T

3
testing/btest/Baseline/bifs.any_set/out Normal file
View file

@ -0,0 +1,3 @@
T
F
F

1
testing/btest/Baseline/bifs.byte_len/out Normal file
View file

@ -0,0 +1 @@
11

3
testing/btest/Baseline/bifs.bytestring_to_hexstr/out Normal file
View file

@ -0,0 +1,3 @@
3034
00

6
testing/btest/Baseline/bifs.cat/out Normal file
View file

@ -0,0 +1,6 @@
foo3T
3T
foo|3|T
<empty>|3|T

3
testing/btest/Baseline/bifs.cat_string_array/out Normal file
View file

@ -0,0 +1,3 @@
isatest
thisisatest
isa

2
testing/btest/Baseline/bifs.clear_table/out Normal file
View file

@ -0,0 +1,2 @@
1
0

3
testing/btest/Baseline/bifs.convert_for_pattern/out Normal file
View file

@ -0,0 +1,3 @@
foo
b\[a\-z\]\+

15
testing/btest/Baseline/bifs.create_file/out Normal file
View file

@ -0,0 +1,15 @@
T
testfile
F
15.0
T
F
28.0
-1.0
15.0
0.0
T
15.0
T
testdir/testfile4
F

2
testing/btest/Baseline/bifs.create_file/testfile Normal file
View file

@ -0,0 +1,2 @@
This is a test
another test

1
testing/btest/Baseline/bifs.create_file/testfile2 Normal file
View file

@ -0,0 +1 @@
new text

1
testing/btest/Baseline/bifs.edit/out Normal file
View file

@ -0,0 +1 @@
llo t

10
testing/btest/Baseline/bifs.escape_string/out Normal file
View file

@ -0,0 +1,10 @@
12
Test \0string
13
Test \0string
15
Test \x00string
13
Test \0string
24
546573742000737472696e67

1
testing/btest/Baseline/bifs.exit/out Normal file
View file

@ -0,0 +1 @@
hello

10
testing/btest/Baseline/bifs.file_mode/out Normal file
View file

@ -0,0 +1,10 @@
rw-r--r--
rwxrwxrwx
rwxrwxrwt
rwxr-x--T
rwsr-xr-x
r-S------
rwxr-sr-x
r--r-S---
--xr-xrwx
---------

4
testing/btest/Baseline/bifs.find_all/out Normal file
View file

@ -0,0 +1,4 @@
es
hi
-------------------
0

2
testing/btest/Baseline/bifs.find_entropy/out Normal file
View file

@ -0,0 +1,2 @@
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
[entropy=2.083189, chi_square=3906.018182, mean=69.054545, monte_carlo_pi=4.0, serial_correlation=0.849402]

3
testing/btest/Baseline/bifs.find_last/out Normal file
View file

@ -0,0 +1,3 @@
es
-------------------
0

55
testing/btest/Baseline/bifs.fmt/out Normal file
View file

@ -0,0 +1,55 @@
test
%
*test *
* test*
* T*
*T *
* 3.14e+00*
*3.14e+00 *
* 3.14*
* 3.1*
* -3.14e+00*
* -3.14*
* -3.1*
*-3.14e+00 *
*-3.14 *
*-3.1 *
* -128*
*-128 *
* 128*
*0000000128*
*128 *
* a0*
*00000000a0*
* a0*
* 160/tcp*
* 127.0.0.1*
* 7f000001*
*192.168.0.0/16*
* ::1*
*fe000000000000000000000000000001*
*fe80:1234::1*
*fe80:1234::/32*
* 3.0 hrs*
*/^?(^foo|bar)$?/*
* Blue*
* [1, 2, 3]*
*{^J^I2,^J^I1,^J^I3^J}*
*{^J^I[2] = bro,^J^I[1] = test^J}*
3.100000e+02
310.000000
310
3.100e+02
310.000
310
310
2
3
4
2
2
6
2
2
6

2
testing/btest/Baseline/bifs.fmt_ftp_port/out Normal file
View file

@ -0,0 +1,2 @@
192,168,0,2,1,1

3
testing/btest/Baseline/bifs.get_port_transport_proto/out Normal file
View file

@ -0,0 +1,3 @@
tcp
udp
icmp

3
testing/btest/Baseline/bifs.getsetenv/out Normal file
View file

@ -0,0 +1,3 @@
OK
OK
OK

1
testing/btest/Baseline/bifs.global_ids/out Normal file
View file

@ -0,0 +1 @@
func

1
testing/btest/Baseline/bifs.hexdump/out Normal file
View file

@ -0,0 +1 @@
0000 61 62 63 ff 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f abc.defg hijklmno^J0010 70 71 72 73 74 75 76 77 78 79 7a pqrstuvw xyz^J

2
testing/btest/Baseline/bifs.is_ascii/out Normal file
View file

@ -0,0 +1,2 @@
F
T

9
testing/btest/Baseline/bifs.is_port/out Normal file
View file

@ -0,0 +1,9 @@
T
F
F
F
T
F
F
F
T

6
testing/btest/Baseline/bifs.join_string/out Normal file
View file

@ -0,0 +1,6 @@
this * is * a * test
thisisatest
mytest
this__is__another__test
thisisanothertest
Test

6
testing/btest/Baseline/bifs.length/out Normal file
View file

@ -0,0 +1,6 @@
1
4
2
0
0
0

5
testing/btest/Baseline/bifs.lookup_ID/out Normal file
View file

@ -0,0 +1,5 @@
bro test
<unknown id>
<unknown id>
<unknown id>
event()

2
testing/btest/Baseline/bifs.lowerupper/out Normal file
View file

@ -0,0 +1,2 @@
this is a test
THIS IS A TEST

8
testing/btest/Baseline/bifs.math/out Normal file
View file

@ -0,0 +1,8 @@
3.0
2.0
-4.0
-3.0
1.772005
23.103867
1.144223
0.49693

2
testing/btest/Baseline/bifs.md5/output
View file

@ -2,3 +2,5 @@ f97c5d29941bfb1b2fdab0874906ab82
7b0391feb2e0cd271f1cf39aafb4376f
f97c5d29941bfb1b2fdab0874906ab82
7b0391feb2e0cd271f1cf39aafb4376f
571c0a35c7858ad5a0e16b8fdb41adcd
1751cbd623726f423f734e23a8c7ec06

2
testing/btest/Baseline/bifs.merge_pattern/out Normal file
View file

@ -0,0 +1,2 @@
match
match

8
testing/btest/Baseline/bifs.order/out Normal file
View file

@ -0,0 +1,8 @@
[5, 2, 8, 3]
[1, 3, 0, 2]
[5.0 hrs, 2.0 days, 1.0 sec, -7.0 mins]
[3, 2, 0, 1]
[192.168.123.200, 10.0.0.157, 192.168.0.3]
[1, 2, 0]
[3.03, 3.01, 3.02, 3.015]
[1, 3, 2, 0]

5
testing/btest/Baseline/bifs.parse_ftp/out Normal file
View file

@ -0,0 +1,5 @@
[h=192.168.0.2, p=257/tcp, valid=T]
[h=192.168.0.2, p=257/tcp, valid=T]
[h=fe80::12, p=1234/tcp, valid=T]
[h=192.168.0.2, p=257/tcp, valid=T]
[h=::, p=1234/tcp, valid=T]

6
testing/btest/Baseline/bifs.rand/out Normal file
View file

@ -0,0 +1,6 @@
185
236
805
47
996
498

2
testing/btest/Baseline/bifs.raw_bytes_to_v4_addr/out Normal file
View file

@ -0,0 +1,2 @@
65.66.67.68
0.0.0.0

1
testing/btest/Baseline/bifs.record_type_to_vector/out Normal file
View file

@ -0,0 +1 @@
[, ct, str1]

4
testing/btest/Baseline/bifs.resize/out Normal file
View file

@ -0,0 +1,4 @@
3
5
0
7

3
testing/btest/Baseline/bifs.rotate_file/out Normal file
View file

@ -0,0 +1,3 @@
file rotated
15.0
0.0

3
testing/btest/Baseline/bifs.rotate_file_by_name/out Normal file
View file

@ -0,0 +1,3 @@
file rotated
15.0
0.0

3
testing/btest/Baseline/bifs.same_object/out Normal file
View file

@ -0,0 +1,3 @@
T
F
F

16
testing/btest/Baseline/bifs.sort/out Normal file
View file

@ -0,0 +1,16 @@
[2, 3, 5, 8]
[2, 3, 5, 8]
[-7.0 mins, 1.0 sec, 5.0 hrs, 2.0 days]
[-7.0 mins, 1.0 sec, 5.0 hrs, 2.0 days]
[F, F, T, T]
[F, F, T, T]
[57/tcp, 123/tcp, 7/udp, 500/udp, 12/icmp]
[57/tcp, 123/tcp, 7/udp, 500/udp, 12/icmp]
[3.03, 3.01, 3.02, 3.015]
[3.03, 3.01, 3.02, 3.015]
[192.168.123.200, 10.0.0.157, 192.168.0.3]
[192.168.123.200, 10.0.0.157, 192.168.0.3]
[10.0.0.157, 192.168.0.3, 192.168.123.200]
[10.0.0.157, 192.168.0.3, 192.168.123.200]
[3.01, 3.015, 3.02, 3.03]
[3.01, 3.015, 3.02, 3.03]

4
testing/btest/Baseline/bifs.sort_string_array/out Normal file
View file

@ -0,0 +1,4 @@
a
is
test
this

32
testing/btest/Baseline/bifs.split/out Normal file
View file

@ -0,0 +1,32 @@
t
s is a t
t
---------------------
t
s is a test
---------------------
t
hi
s is a t
es
t
---------------------
t
s is a test
---------------------
t
hi
s is a test
---------------------
[, thi, s i, s a tes, t]
---------------------
X-Mailer
Testing Test (http://www.example.com)
---------------------
A
=
B
=
C
=
D

4
testing/btest/Baseline/bifs.str_shell_escape/out Normal file
View file

@ -0,0 +1,4 @@
24
echo ${TEST} > "my file"
27
echo \${TEST} > \"my file\"

3
testing/btest/Baseline/bifs.strcmp/out Normal file
View file

@ -0,0 +1,3 @@
T
T
T

3
testing/btest/Baseline/bifs.string_fill/out Normal file
View file

@ -0,0 +1,3 @@
*\0* 1
*t\0* 2
*test test\0* 10

13
testing/btest/Baseline/bifs.string_splitting/out
View file

@ -1,13 +0,0 @@
{
[2] = Testing Test (http://www.example.com),
[1] = X-Mailer
}
{
[2] = =,
[4] = =,
[6] = =,
[7] = D,
[1] = A ,
[5] = C ,
[3] = B
}

6
testing/btest/Baseline/bifs.string_to_pattern/out Normal file
View file

@ -0,0 +1,6 @@
/^?(foo)$?/
/^?()$?/
/^?(b[a-z]+)$?/
/^?(foo)$?/
/^?()$?/
/^?(b\[a\-z\]\+)$?/

6
testing/btest/Baseline/bifs.strip/out Normal file
View file

@ -0,0 +1,6 @@
* this is a test *
*this is a test*
**
**
* *
**

2
testing/btest/Baseline/bifs.strstr/out Normal file
View file

@ -0,0 +1,2 @@
2
0

2
testing/btest/Baseline/bifs.sub/out Normal file
View file

@ -0,0 +1,2 @@
that is a test
that at a test

1
testing/btest/Baseline/bifs.subst_string/out Normal file
View file

@ -0,0 +1 @@
that at another test

1
testing/btest/Baseline/bifs.system/out Normal file
View file

@ -0,0 +1 @@
thistest

1
testing/btest/Baseline/bifs.system_env/testfile Normal file
View file

@ -0,0 +1 @@
helloworld

9
testing/btest/Baseline/bifs.to_count/out Normal file
View file

@ -0,0 +1,9 @@
0
2
3
4
7
0
18446744073709551611
0
123

6
testing/btest/Baseline/bifs.to_double/out Normal file
View file

@ -0,0 +1,6 @@
0.000001
1.0
-60.0
3600.0
86400.0
1337982322.762159

3
testing/btest/Baseline/bifs.to_int/out Normal file
View file

@ -0,0 +1,3 @@
1
-1
0

2
testing/btest/Baseline/bifs.to_interval/out Normal file
View file

@ -0,0 +1,2 @@
1234563.14
-1234563.14

7
testing/btest/Baseline/bifs.to_port/out Normal file
View file

@ -0,0 +1,7 @@
123/tcp
123/udp
123/icmp
0/unknown
256/tcp
256/udp
256/icmp

2
testing/btest/Baseline/bifs.to_time/out Normal file
View file

@ -0,0 +1,2 @@
1234563.14
-1234563.14

26
testing/btest/Baseline/bifs.type_name/out Normal file
View file

@ -0,0 +1,26 @@
string
count
int
double
bool
time
interval
pattern
enum
port
addr
addr
subnet
subnet
vector of count
vector of table[count] of string
set[count]
set[port,string]
table[count] of string
table[string] of table[addr,port] of string
record { c:count; s:string; }
function(aa:int; bb:int;) : bool
function() : any
function() : void
file of string
event()

2
testing/btest/Baseline/bifs.uuid_to_string/out Normal file
View file

@ -0,0 +1,2 @@
626180fe-6463-6665-6730-313233343536
<Invalid UUID>

2
testing/btest/Baseline/bifs.val_size/out Normal file
View file

@ -0,0 +1,2 @@
72
72

4
testing/btest/Baseline/core.leaks.ipv6_ext_headers/output Normal file
View file

@ -0,0 +1,4 @@
weird routing0_hdr from 2001:4f8:4:7:2e0:81ff:fe52:ffff to 2001:78:1:32::2
[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=53/udp, resp_h=2001:78:1:32::2, resp_p=53/udp]
[ip=<uninitialized>, ip6=[class=0, flow=0, len=59, nxt=0, hlim=64, src=2001:4f8:4:7:2e0:81ff:fe52:ffff, dst=2001:4f8:4:7:2e0:81ff:fe52:9a6b, exts=[[id=0, hopopts=[nxt=43, len=0, options=[[otype=1, len=4, data=\0\0\0\0]]], dstopts=<uninitialized>, routing=<uninitialized>, fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>], [id=43, hopopts=<uninitialized>, dstopts=<uninitialized>, routing=[nxt=17, len=4, rtype=0, segleft=2, data=\0\0\0\0 ^A\0x\0^A\02\0\0\0\0\0\0\0^A ^A\0x\0^A\02\0\0\0\0\0\0\0^B], fragment=<uninitialized>, ah=<uninitialized>, esp=<uninitialized>, mobility=<uninitialized>]]], tcp=<uninitialized>, udp=[sport=53/udp, dport=53/udp, ulen=11], icmp=<uninitialized>]
[2001:78:1:32::1, 2001:78:1:32::2]

10
testing/btest/Baseline/core.leaks.vector-val-bifs/output Normal file
View file

@ -0,0 +1,10 @@
[1, 3, 0, 2]
[2374950123]
[1, 3, 0, 2]
[2374950123]
[1, 3, 0, 2]
[2374950123]
[1, 3, 0, 2]
[3353991673]
[1, 3, 0, 2]
[3353991673]

3
testing/btest/Baseline/core.load-sigs/output Normal file
View file

@ -0,0 +1,3 @@
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
works
GET /images/wikimedia-button.png HTTP/1.1^M^JHost: meta.wikimedia.org^M^JUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Geck...

15
testing/btest/bifs/all_set.bro Normal file
View file

@ -0,0 +1,15 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local a = vector( T, F, T );
print all_set(a);
local b = vector();
print all_set(b);
local c = vector( T );
print all_set(c);
}

15
testing/btest/bifs/any_set.bro Normal file
View file

@ -0,0 +1,15 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local a = vector( F, T, F );
print any_set(a);
local b = vector();
print any_set(b);
local c = vector( F );
print any_set(c);
}

10
testing/btest/bifs/byte_len.bro Normal file
View file

@ -0,0 +1,10 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local a = "hello\0there";
print byte_len(a);
}

10
testing/btest/bifs/bytestring_to_hexstr.bro Normal file
View file

@ -0,0 +1,10 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
print bytestring_to_hexstr("04");
print bytestring_to_hexstr("");
print bytestring_to_hexstr("\0");
}

22
testing/btest/bifs/cat.bro Normal file
View file

@ -0,0 +1,22 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local a = "foo";
local b = 3;
local c = T;
print cat(a, b, c);
print cat();
print cat("", 3, T);
print cat_sep("|", "<empty>", a, b, c);
print cat_sep("|", "<empty>");
print cat_sep("|", "<empty>", "", b, c);
}

14
testing/btest/bifs/cat_string_array.bro Normal file
View file

@ -0,0 +1,14 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local a: string_array = {
[0] = "this", [1] = "is", [2] = "a", [3] = "test"
};
print cat_string_array(a);
print cat_string_array_n(a, 0, |a|-1);
print cat_string_array_n(a, 1, 2);
}

14
testing/btest/bifs/clear_table.bro Normal file
View file

@ -0,0 +1,14 @@
#
# @TEST-EXEC: bro %INPUT > out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local mytable: table[string] of string = { ["key1"] = "val1" };
print |mytable|;
clear_table(mytable);
print |mytable|;
}

10
testing/btest/bifs/convert_for_pattern.bro Normal file
View file

@ -0,0 +1,10 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
print convert_for_pattern("foo");
print convert_for_pattern("");
print convert_for_pattern("b[a-z]+");
}

65
testing/btest/bifs/create_file.bro Normal file
View file

@ -0,0 +1,65 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff testfile
# @TEST-EXEC: btest-diff testfile2
# @TEST-EXEC: test -f testdir/testfile4
event bro_init()
{
# Test that creating a file works as expected
local a = open("testfile");
print active_file(a);
print get_file_name(a);
write_file(a, "This is a test\n");
close(a);
print active_file(a);
print file_size("testfile");
# Test that "open_for_append" doesn't overwrite an existing file
a = open_for_append("testfile");
print active_file(a);
write_file(a, "another test\n");
close(a);
print active_file(a);
print file_size("testfile");
# This should fail
print file_size("doesnotexist");
# Test that "open" overwrites existing file
a = open("testfile2");
write_file(a, "this will be overwritten\n");
close(a);
a = open("testfile2");
write_file(a, "new text\n");
close(a);
# Test that set_buf and flush_all work correctly
a = open("testfile3");
set_buf(a, F);
write_file(a, "This is a test\n");
print file_size("testfile3");
close(a);
a = open("testfile3");
set_buf(a, T);
write_file(a, "This is a test\n");
print file_size("testfile3");
print flush_all();
print file_size("testfile3");
close(a);
# Create a new directory
print mkdir("testdir");
# Create a file in the new directory
a = open("testdir/testfile4");
print get_file_name(a);
write_file(a, "This is a test\n");
close(a);
# This should fail
print mkdir("/thisdoesnotexist/dir");
}

10
testing/btest/bifs/edit.bro Normal file
View file

@ -0,0 +1,10 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local a = "hello there";
print edit(a, "e");
}

27
testing/btest/bifs/escape_string.bro Normal file
View file

@ -0,0 +1,27 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local a = "Test \0string";
print |a|;
print a;
local b = clean(a);
print |b|;
print b;
local c = to_string_literal(a);
print |c|;
print c;
local d = escape_string(a);
print |d|;
print d;
local e = string_to_ascii_hex(a);
print |e|;
print e;
}

9
testing/btest/bifs/exit.bro Normal file
View file

@ -0,0 +1,9 @@
#
# @TEST-EXEC: bro %INPUT >out || test $? -eq 7
# @TEST-EXEC: btest-diff out
event bro_init()
{
print "hello";
exit(7);
}

36
testing/btest/bifs/file_mode.bro Normal file
View file

@ -0,0 +1,36 @@
#
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
event bro_init()
{
local a = 420; # octal: 0644
print file_mode(a);
a = 511; # octal: 0777
print file_mode(a);
a = 1023; # octal: 01777
print file_mode(a);
a = 1000; # octal: 01750
print file_mode(a);
a = 2541; # octal: 04755
print file_mode(a);
a = 2304; # octal: 04400
print file_mode(a);
a = 1517; # octal: 02755
print file_mode(a);
a = 1312; # octal: 02440
print file_mode(a);
a = 111; # octal: 0157
print file_mode(a);
a = 0;
print file_mode(a);
}

Some files were not shown because too many files have changed in this diff Show more