diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 0edf2429ab..d552620184 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -23,13 +23,14 @@ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/broxygen.conf.in ${CMAKE_CURRENT_BINARY_DIR}/broxygen.conf @ONLY) -add_custom_target(sphinxdoc +add_custom_target(rstdoc # Copy the template documentation to build directory to use as input tree # for Sphinx. This is needed because some parts are dynamically generated # in to that tree by Bro/Broxygen. COMMAND rsync -q -r --copy-links --times --delete --filter='protect scripts/*' - ${CMAKE_CURRENT_SOURCE_DIR}/ ${SPHINX_INPUT_DIR} + ${CMAKE_CURRENT_SOURCE_DIR}/ + ${SPHINX_INPUT_DIR} # Use Bro/Broxygen to dynamically generate reST for all Bro scripts. COMMAND BROPATH=${BROPATH} ${CMAKE_BINARY_DIR}/src/bro @@ -37,19 +38,26 @@ add_custom_target(sphinxdoc broxygen >/dev/null # Rsync over the generated reST to the Sphinx source tree in the build dir. COMMAND rsync -q -r --copy-links --times --delete --filter='protect *.bro' - ${BROXYGEN_SCRIPT_OUTPUT}/ ${SPHINX_INPUT_DIR}/scripts + ${BROXYGEN_SCRIPT_OUTPUT}/ + ${SPHINX_INPUT_DIR}/scripts # Rsync over Bro scripts to the Sphinx source tree in the build dir. # These are used by :download: references in the generated script docs. COMMAND rsync -q -r --copy-links --times --delete --filter='protect /base/bif/*' --filter='protect *.rst' --filter='include */' --filter='include *.bro' --filter='exclude *' - ${CMAKE_SOURCE_DIR}/scripts/ ${SPHINX_INPUT_DIR}/scripts + ${CMAKE_SOURCE_DIR}/scripts/ + ${SPHINX_INPUT_DIR}/scripts # Rsync over Bro scripts created by BIF compiler to the Sphinx source tree. COMMAND rsync -q -r --copy-links --times --delete --filter='protect *.rst' --filter='include */' --filter='include *.bro' --filter='exclude *' ${CMAKE_BINARY_DIR}/scripts/base/bif/ ${SPHINX_INPUT_DIR}/scripts/base/bif +) + +add_dependencies(rstdoc bro) + +add_custom_target(sphinxdoc # Use Sphinx to build HTML. COMMAND sphinx-build -b html 
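Review bot: Closing the new `rstdoc` target with `+)` right after the last rsync COMMAND (the `${SPHINX_INPUT_DIR}/scripts/base/bif` line in the second hunk) leaves it without the `WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}` and `COMMENT` that these same commands inherited while they were still part of `sphinxdoc`; those two keywords are now context at the top of the next hunk and apply only to the new, Sphinx-only `sphinxdoc` target. The rsync steps use `${CMAKE_CURRENT_SOURCE_DIR}`, `${CMAKE_SOURCE_DIR}` and `${CMAKE_BINARY_DIR}` paths, so they are presumably unaffected, but the `BROPATH=${BROPATH} ${CMAKE_BINARY_DIR}/src/bro ... broxygen >/dev/null` step, whose middle arguments fall between the first and second hunk, may resolve its output relative to the working directory — worth confirming, and if so adding `WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}` and `COMMENT "[Broxygen] Generate reST documentation in ${SPHINX_INPUT_DIR}"` before the `)`. Since `rstdoc` is now a standalone custom target that reruns on every build and its rsync commands use `--delete`, a one-line comment above `add_custom_target(rstdoc`, such as `# Always re-synced; --delete below wipes stale files from ${SPHINX_INPUT_DIR} and ${SPHINX_INPUT_DIR}/scripts`, would make the destructive effect visible to someone invoking it directly. The `add_custom_target(rstdoc` definition itself begins in the first hunk and its middle is outside both hunks.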
@@ -64,19 +72,21 @@ add_custom_target(sphinxdoc WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} COMMENT "[Sphinx] Generate HTML documentation in ${CMAKE_BINARY_DIR}/html") -add_dependencies(sphinxdoc bro) +add_dependencies(sphinxdoc rstdoc) -add_custom_target(sphinxdoc_clean +add_custom_target(rstdoc_clean COMMAND "${CMAKE_COMMAND}" -E remove_directory ${SPHINX_INPUT_DIR} - COMMAND "${CMAKE_COMMAND}" -E remove_directory ${SPHINX_OUTPUT_DIR} COMMAND "${CMAKE_COMMAND}" -E remove_directory ${BROXYGEN_SCRIPT_OUTPUT} COMMAND "${CMAKE_COMMAND}" -E remove_directory ${BROXYGEN_CACHE_DIR} VERBATIM) +add_custom_target(sphinxdoc_clean + COMMAND "${CMAKE_COMMAND}" -E remove_directory ${SPHINX_OUTPUT_DIR}) + if (NOT TARGET doc) add_custom_target(doc) endif () add_custom_target(docclean) add_dependencies(doc sphinxdoc) -add_dependencies(docclean sphinxdoc_clean) +add_dependencies(docclean sphinxdoc_clean rstdoc_clean) diff --git a/doc/broids/index.rst b/doc/broids/index.rst index 96f50f8fa5..7f4c45623d 100644 --- a/doc/broids/index.rst +++ b/doc/broids/index.rst 
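Review bot: The new `sphinxdoc_clean` target drops the `VERBATIM` keyword that the renamed `rstdoc_clean` target directly above it keeps, so the two clean targets quote `"${CMAKE_COMMAND}"` and the directory argument differently even though they run the same `-E remove_directory` command; a build or install path containing spaces or shell metacharacters would be handled inconsistently between them. Keep them parallel: `add_custom_target(sphinxdoc_clean` / `COMMAND "${CMAKE_COMMAND}" -E remove_directory ${SPHINX_OUTPUT_DIR}` / `VERBATIM)`. The `add_dependencies(docclean sphinxdoc_clean rstdoc_clean)` line correctly wires both into `docclean`, so nothing else in this hunk needs to change.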
@@ -24,8 +24,26 @@ rejected usernames and passwords occurring from a single address. We start by defining a threshold for the number of attempts, a monitoring interval (in minutes), and a new notice type. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro - :lines: 9-25 +.. code-block:: bro + :caption: detect-bruteforcing.bro + + module FTP; + + export { + redef enum Notice::Type += { + ## Indicates a host bruteforcing FTP logins by watching for too + ## many rejected usernames or failed passwords. + Bruteforcing + }; + + ## How many rejected usernames or passwords are required before being + ## considered to be bruteforcing. + const bruteforce_threshold: double = 20 &redef; + + ## The time period in which the threshold needs to be crossed before + ## being reset. + const bruteforce_measurement_interval = 15mins &redef; + } Using the ftp_reply event, we check for error codes from the `500 series `_ 
@@ -35,24 +53,130 @@ function to break down the reply code and check if the first digit is a "5" or not. If true, we then use the :ref:`Summary Statistics Framework ` to keep track of the number of failed attempts. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro - :lines: 52-60 +.. code-block:: bro + :caption: detect-bruteforcing.bro + + event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) + { + local cmd = c$ftp$cmdarg$cmd; + if ( cmd == "USER" || cmd == "PASS" ) + { + if ( FTP::parse_ftp_reply_code(code)$x == 5 ) + SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]); + } + } Next, we use the SumStats framework to raise a notice of the attack when the number of failed attempts exceeds the specified threshold during the measuring interval. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro - :lines: 28-50 +.. code-block:: bro + :caption: detect-bruteforcing.bro + + event bro_init() + { + local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)]; + SumStats::create([$name="ftp-detect-bruteforcing", + $epoch=bruteforce_measurement_interval, + $reducers=set(r1), + $threshold_val(key: SumStats::Key, result: SumStats::Result) = + { + return result["ftp.failed_auth"]$num+0.0; + }, + $threshold=bruteforce_threshold, + $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = + { + local r = result["ftp.failed_auth"]; + local dur = duration_to_mins_secs(r$end-r$begin); + local plural = r$unique>1 ? "s" : ""; + local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur); + NOTICE([$note=FTP::Bruteforcing, + $src=key$host, + $msg=message, + $identifier=cat(key$host)]); + }]); + } Below is the final code for our script. -.. 
btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro +.. code-block:: bro + :caption: detect-bruteforcing.bro -.. btest:: ftp-bruteforce + ##! FTP brute-forcing detector, triggering when too many rejected usernames or + ##! failed passwords have occurred from a single address. - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/ftp/bruteforce.pcap protocols/ftp/detect-bruteforcing.bro - @TEST-EXEC: btest-rst-include notice.log + @load base/protocols/ftp + @load base/frameworks/sumstats + + @load base/utils/time + + module FTP; + + export { + redef enum Notice::Type += { + ## Indicates a host bruteforcing FTP logins by watching for too + ## many rejected usernames or failed passwords. + Bruteforcing + }; + + ## How many rejected usernames or passwords are required before being + ## considered to be bruteforcing. + const bruteforce_threshold: double = 20 &redef; + + ## The time period in which the threshold needs to be crossed before + ## being reset. + const bruteforce_measurement_interval = 15mins &redef; + } + + + event bro_init() + { + local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)]; + SumStats::create([$name="ftp-detect-bruteforcing", + $epoch=bruteforce_measurement_interval, + $reducers=set(r1), + $threshold_val(key: SumStats::Key, result: SumStats::Result) = + { + return result["ftp.failed_auth"]$num+0.0; + }, + $threshold=bruteforce_threshold, + $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = + { + local r = result["ftp.failed_auth"]; + local dur = duration_to_mins_secs(r$end-r$begin); + local plural = r$unique>1 ? 
"s" : ""; + local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur); + NOTICE([$note=FTP::Bruteforcing, + $src=key$host, + $msg=message, + $identifier=cat(key$host)]); + }]); + } + + event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) + { + local cmd = c$ftp$cmdarg$cmd; + if ( cmd == "USER" || cmd == "PASS" ) + { + if ( FTP::parse_ftp_reply_code(code)$x == 5 ) + SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]); + } + } + +.. code-block:: console + + $ bro -r ftp/bruteforce.pcap protocols/ftp/detect-bruteforcing.bro + $ cat notice.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path notice + #open 2018-12-13-22-56-21 + #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude + #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double + 1389721084.522861 - - - - - - - - - FTP::Bruteforcing 192.168.56.1 had 20 failed logins on 1 FTP server in 0m37s - 192.168.56.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - + #close 2018-12-13-22-56-21 As a final note, the :doc:`detect-bruteforcing.bro ` script above is diff --git a/doc/conf.py.in b/doc/conf.py.in index f7243b4527..f6ea0c6036 100644 --- a/doc/conf.py.in +++ b/doc/conf.py.in 
@@ -19,20 +19,6 @@ extensions = [] # documentation root, use os.path.abspath to make it absolute, like shown here. sys.path.insert(0, os.path.abspath('sphinx_input/ext')) -# ----- Begin of BTest configuration. ----- -btest = os.path.abspath("@CMAKE_SOURCE_DIR@/aux/btest") -brocut = os.path.abspath("@CMAKE_SOURCE_DIR@/build/aux/bro-aux/bro-cut") -bro = os.path.abspath("@CMAKE_SOURCE_DIR@/build/src") - -os.environ["PATH"] += (":%s:%s/sphinx:%s:%s" % (btest, btest, bro, brocut)) -sys.path.append(os.path.join(btest, "sphinx")) - -extensions += ["btest-sphinx"] - -btest_base="@CMAKE_SOURCE_DIR@/testing/btest" -btest_tests="doc/sphinx" -# ----- End of BTest configuration. ----- - # ----- Begin of Broxygen configuration. ----- extensions += ["broxygen"] bro_binary = os.path.abspath("@CMAKE_SOURCE_DIR@/build/src/bro") @@ -49,9 +35,6 @@ os.environ["BROPATH"] = "@BROPATH@" # coming with Sphinx (named 'sphinx.ext.*') or your custom ones. extensions += ['bro', 'rst_directive', 'sphinx.ext.todo', 'adapt-toc'] -os.environ["BRO_SRC_ROOT"] = "@CMAKE_SOURCE_DIR@" -os.environ["DOC_ROOT"] = "@CMAKE_SOURCE_DIR@/doc" - # Add any paths that contain templates here, relative to this directory. templates_path = ['sphinx_input/_templates', 'sphinx_input/_static'] @@ -108,6 +91,8 @@ show_authors = True # The name of the Pygments (syntax highlighting) style to use. pygments_style = 'sphinx' +highlight_language = 'none' + # A list of ignored prefixes for module index sorting. #modindex_common_prefix = [] diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst index 191b8178cc..09463510b9 100644 --- a/doc/frameworks/broker.rst +++ b/doc/frameworks/broker.rst 
@@ -296,11 +296,17 @@ Connecting to Peers Bro can accept incoming connections by calling :bro:see:`Broker::listen`. -.. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-listener.bro +.. literalinclude:: broker/connecting-listener.bro + :caption: connecting-listener.bro + :language: bro + :linenos: Bro can initiate outgoing connections by calling :bro:see:`Broker::peer`. -.. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-connector.bro +.. literalinclude:: broker/connecting-connector.bro + :caption: connecting-connector.bro + :language: bro + :linenos: In either case, connection status updates are monitored via the :bro:see:`Broker::peer_added` and :bro:see:`Broker::peer_lost` events. @@ -317,7 +323,10 @@ more on how topics work and are chosen. Use the :bro:see:`Broker::subscribe` function to subscribe to topics and define any event handlers for events that peers will send. -.. btest-include:: ${DOC_ROOT}/frameworks/broker/events-listener.bro +.. literalinclude:: broker/events-listener.bro + :caption: events-listener.bro + :language: bro + :linenos: There are two different ways to send events. @@ -333,7 +342,10 @@ whenever the event is called locally via the normal event invocation syntax. When auto-publishing events, local event handlers for the event are called in addition to sending the event to any subscribed peers. -.. btest-include:: ${DOC_ROOT}/frameworks/broker/events-connector.bro +.. literalinclude:: broker/events-connector.bro + :caption: events-connector.bro + :language: bro + :linenos: Note that the subscription model is prefix-based, meaning that if you subscribe to the "bro/events" topic prefix you would receive events that are published 
@@ -342,16 +354,25 @@ to topic names "bro/events/foo" and "bro/events/bar" but not "bro/misc". Remote Logging -------------- -.. btest-include:: ${DOC_ROOT}/frameworks/broker/testlog.bro +.. literalinclude:: broker/testlog.bro + :caption: testlog.bro + :language: bro + :linenos: To toggle remote logs, redef :bro:see:`Log::enable_remote_logging`. Use the :bro:see:`Broker::subscribe` function to advertise interest in logs written by peers. The topic names that Bro uses are determined by :bro:see:`Broker::log_topic`. -.. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-listener.bro +.. literalinclude:: broker/logs-listener.bro + :caption: logs-listener.bro + :language: bro + :linenos: -.. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-connector.bro +.. literalinclude:: broker/logs-connector.bro + :caption: logs-connector.bro + :language: bro + :linenos: Note that logging events are only raised locally on the node that performs the :bro:see:`Log::write` and not automatically published to peers. @@ -379,9 +400,15 @@ use. E.g. In-memory versus SQLite for persistence. Data stores also support expiration on a per-key basis using an amount of time relative to the entry's last modification time. -.. btest-include:: ${DOC_ROOT}/frameworks/broker/stores-listener.bro +.. literalinclude:: broker/stores-listener.bro + :caption: stores-listener.bro + :language: bro + :linenos: -.. btest-include:: ${DOC_ROOT}/frameworks/broker/stores-connector.bro +.. literalinclude:: broker/stores-connector.bro + :caption: stores-connector.bro + :language: bro + :linenos: Note that all data store queries must be made within Bro's asynchronous ``when`` statements and must specify a timeout block. diff --git a/doc/frameworks/file-analysis.rst b/doc/frameworks/file-analysis.rst index e70b124af7..855d51858a 100644 --- a/doc/frameworks/file-analysis.rst +++ b/doc/frameworks/file-analysis.rst 
@@ -36,11 +36,23 @@ bytes have been transferred so far, and its MIME type. Here's a simple example: -.. btest-include:: ${DOC_ROOT}/frameworks/file_analysis_01.bro +.. literalinclude:: file_analysis_01.bro + :caption: + :language: bro + :linenos: -.. btest:: file-analysis-01 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/get.trace ${DOC_ROOT}/frameworks/file_analysis_01.bro + $ bro -r http/get.trace file_analysis_01.bro + file_state_remove + FakNcS1Jfe01uljb3 + CHhAvVGS1DHFjwGM9 + [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp] + HTTP + connection_state_remove + CHhAvVGS1DHFjwGM9 + [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp] + HTTP This doesn't perform any interesting analysis yet, but does highlight the similarity between analysis of connections and files. Connections @@ -71,11 +83,16 @@ explicit attachment decision. Here's a simple example of how to use the MD5 file analyzer to calculate the MD5 of plain text files: -.. btest-include:: ${DOC_ROOT}/frameworks/file_analysis_02.bro +.. literalinclude:: file_analysis_02.bro + :caption: + :language: bro + :linenos: -.. btest:: file-analysis-02 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/get.trace ${DOC_ROOT}/frameworks/file_analysis_02.bro + $ bro -r http/get.trace file_analysis_02.bro + new file, FakNcS1Jfe01uljb3 + file_hash, FakNcS1Jfe01uljb3, md5, 397168fd09991a0e712254df7bc639ac Some file analyzers might have tunable parameters that need to be specified in the call to :bro:see:`Files::add_analyzer`: 
@@ -109,19 +126,24 @@ in the same way it analyzes files that it sees coming over traffic from a network interface it's monitoring. It only requires a call to :bro:see:`Input::add_analysis`: -.. btest-include:: ${DOC_ROOT}/frameworks/file_analysis_03.bro +.. literalinclude:: file_analysis_03.bro + :caption: + :language: bro + :linenos: Note that the "source" field of :bro:see:`fa_file` corresponds to the "name" field of :bro:see:`Input::AnalysisDescription` since that is what the input framework uses to uniquely identify an input stream. -The output of the above script may be (assuming a file called "myfile" -exists): +Example output of the above script may be: -.. btest:: file-analysis-03 +.. code-block:: console - @TEST-EXEC: echo "Hello world" > myfile - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/frameworks/file_analysis_03.bro + $ echo "Hello world" > myfile + $ bro file_analysis_03.bro + new file, FZedLu4Ajcvge02jA8 + file_hash, FZedLu4Ajcvge02jA8, md5, f0ef7081e1539ac00ef5b761b4fb01b3 + file_state_remove Nothing that special, but it at least verifies the MD5 file analyzer saw all the bytes of the input file and calculated the checksum diff --git a/doc/frameworks/logging-input-sqlite.rst b/doc/frameworks/logging-input-sqlite.rst index e0f10308ae..52befb504f 100644 --- a/doc/frameworks/logging-input-sqlite.rst +++ b/doc/frameworks/logging-input-sqlite.rst @@ -38,12 +38,10 @@ You have to define a filter which specifies SQLite as the writer. The following example code adds SQLite as a filter for the connection log: -.. btest-include:: ${DOC_ROOT}/frameworks/sqlite-conn-filter.bro - -.. btest:: sqlite-conn-filter-check - - # Make sure this parses correctly at least. - @TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-conn-filter.bro +.. literalinclude:: sqlite-conn-filter.bro + :caption: + :language: bro + :linenos: Bro will create the database file ``/var/db/conn.sqlite``, if it does not already exist. It will also create a table with the name ``conn`` (if it 
@@ -115,12 +113,10 @@ The SQLite commands to create the schema are as follows:: After creating a file called ``hosts.sqlite`` with this content, we can read the resulting table into Bro: -.. btest-include:: ${DOC_ROOT}/frameworks/sqlite-read-table.bro - -.. btest:: sqlite-read-table-check - - # Make sure this parses correctly at least. - @TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-read-table.bro +.. literalinclude:: sqlite-read-table.bro + :caption: + :language: bro + :linenos: Afterwards, that table can be used to check logins into hosts against the available userlist. @@ -164,12 +160,10 @@ of files that are transmitted over the network. For each hash, a SQL-query is run against SQLite. If the query returns with a result, we had a hit against our malware-database and output the matching hash. -.. btest-include:: ${DOC_ROOT}/frameworks/sqlite-read-events.bro - -.. btest:: sqlite-read-events-check - - # Make sure this parses correctly at least. - @TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-read-events.bro +.. literalinclude:: sqlite-read-events.bro + :caption: + :language: bro + :linenos: If you run this script against the trace in ``testing/btest/Traces/ftp/ipv4.trace``, you will get one hit. diff --git a/doc/frameworks/netcontrol.rst b/doc/frameworks/netcontrol.rst index ccb659c223..309c74418c 100644 --- a/doc/frameworks/netcontrol.rst +++ b/doc/frameworks/netcontrol.rst 
@@ -133,17 +133,37 @@ start sending the rules to the added backend(s). To give a very simple example, the following script will simply block the traffic of all connections that it sees being established: -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro +.. literalinclude:: netcontrol-1-drop-with-debug.bro + :caption: + :language: bro + :linenos: Running this script on a file containing one connection will cause the debug plugin to print one line to the standard output, which contains information about the rule that was added. It will also cause creation of `netcontrol.log`, which contains information about all actions that are taken by NetControl: -.. btest:: netcontrol-1-drop-with-debug.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro - @TEST-EXEC: btest-rst-cmd cat netcontrol.log + $ bro -C -r tls/ecdhe.pcap netcontrol-1-drop-with-debug.bro + netcontrol debug (Debug-All): init + netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] + + $ cat netcontrol.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path netcontrol + #open 2018-12-14-18-50-53 + #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin + #types time string enum string enum string enum string string string string int interval string string + 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All + 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All + 0.000000 - NetControl::MESSAGE - - 
- - - - - plugin initialization done - - - - + 1398529018.678276 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All + 1398529018.678276 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All + #close 2018-12-14-18-50-53 In our case, `netcontrol.log` contains several :bro:see:`NetControl::MESSAGE` entries, which show that the debug plugin has been initialized and added. 
@@ -159,39 +179,99 @@ additional log called `netcontrol_drop.log`. This log file is much more succinct only contains information that is specific to drops that are enacted by NetControl: -.. btest:: netcontrol-1-drop-with-debug.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd cat netcontrol_drop.log + $ cat netcontrol_drop.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path netcontrol_drop + #open 2018-12-14-18-50-53 + #fields ts rule_id orig_h orig_p resp_h resp_p expire location + #types time string addr port addr port interval string + 1398529018.678276 2 192.168.18.50 56981 74.125.239.97 443 20.000000 - + #close 2018-12-14-18-50-53 While this example of blocking all connections is usually not very useful, the high-level API gives an easy way to take action, for example when a host is identified doing some harmful activity. To give a more realistic example, the following code automatically blocks a recognized SSH guesser: -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro +.. literalinclude:: netcontrol-2-ssh-guesser.bro + :caption: + :language: bro + :linenos: -.. btest:: netcontrol-2-ssh-guesser.bro +.. 
code-block:: console - @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro - @TEST-EXEC: btest-rst-cmd cat netcontrol.log + $ bro -C -r ssh/sshguess.pcap netcontrol-2-ssh-guesser.bro + netcontrol debug (Debug-All): init + netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.56.1/32, mac=], expire=1.0 hr, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] + + $ cat netcontrol.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path netcontrol + #open 2018-12-14-18-50-54 + #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin + #types time string enum string enum string enum string string string string int interval string string + 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All + 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All + 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - + 1427726759.303199 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 3600.000000 - Debug-All + 1427726759.303199 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 3600.000000 - Debug-All + #close 2018-12-14-18-50-54 Note that in this case, instead of calling NetControl directly, we also can use the :bro:see:`Notice::ACTION_DROP` action of the notice framework: -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro +.. literalinclude:: netcontrol-3-ssh-guesser.bro + :caption: + :language: bro + :linenos: -.. btest:: netcontrol-3-ssh-guesser.bro +.. 
code-block:: console - @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro - @TEST-EXEC: btest-rst-cmd cat netcontrol.log + $ bro -C -r ssh/sshguess.pcap netcontrol-3-ssh-guesser.bro + netcontrol debug (Debug-All): init + netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.56.1/32, mac=], expire=10.0 mins, priority=0, location=ACTION_DROP: T, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] + + $ cat netcontrol.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path netcontrol + #open 2018-12-14-18-50-55 + #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin + #types time string enum string enum string enum string string string string int interval string string + 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All + 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All + 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - + 1427726759.303199 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All + 1427726759.303199 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All + #close 2018-12-14-18-50-55 Using the :bro:see:`Notice::ACTION_DROP` action of the notice framework also will cause the `dropped` column in `notice.log` to be set to true each time that the NetControl framework enacts a block: -.. btest:: netcontrol-3-ssh-guesser.bro +.. 
code-block:: console - @TEST-EXEC: btest-rst-cmd cat notice.log + $ cat notice.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path notice + #open 2018-12-14-18-50-55 + #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude + #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double + 1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - - + #close 2018-12-14-18-50-55 Rule API -------- 
@@ -241,12 +321,32 @@ that the NetControl function has additional functionality, e.g. for logging. Once again, we are going to test our function with a simple example that simply drops all connections on the network: -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro +.. literalinclude:: netcontrol-4-drop.bro + :caption: + :language: bro + :linenos: -.. btest:: netcontrol-4-drop.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro - @TEST-EXEC: btest-rst-cmd cat netcontrol.log + $ bro -C -r tls/ecdhe.pcap netcontrol-4-drop.bro + netcontrol debug (Debug-All): init + netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] + + $ cat netcontrol.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path netcontrol + #open 2018-12-14-18-50-55 + #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin + #types time string enum string enum string enum string string string string int interval string string + 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All + 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All + 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - + 1398529018.678276 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All + 1398529018.678276 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD 
NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All + #close 2018-12-14-18-50-55 The last example shows that :bro:see:`NetControl::add_rule` returns a string identifier that is unique for each rule (uniqueness is not preserved across @@ -281,11 +381,16 @@ discarded before further processing. Here is a simple example which tells Bro to discard all rules for connections originating from the 192.168.* network: -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro +.. literalinclude:: netcontrol-5-hook.bro + :caption: + :language: bro + :linenos: -.. btest:: netcontrol-5-hook.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro + $ bro -C -r tls/ecdhe.pcap netcontrol-5-hook.bro + netcontrol debug (Debug-All): init + Ignored connection from, 192.168.18.50 NetControl Events ***************** 
@@ -355,11 +460,18 @@ Here is a simple example, which uses a trace that contains two connections from the same IP address. After the first connection, the script recognizes that the address is already blocked in the second connection. -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-6-find.bro +.. literalinclude:: netcontrol-6-find.bro + :caption: + :language: bro + :linenos: -.. btest:: netcontrol-6-find.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/google-duplicate.trace ${DOC_ROOT}/frameworks/netcontrol-6-find.bro + $ bro -C -r tls/google-duplicate.trace netcontrol-6-find.bro + netcontrol debug (Debug-All): init + netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.4.149, orig_p=60623/tcp, resp_h=74.125.239.129, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] + Rule added + Rule already exists Notice that the functions return vectors because it is possible that several rules exist simultaneously that affect one IP; either there could be 
@@ -402,11 +514,16 @@ release is contained in the file Using catch and release in your scripts is easy; just use :bro:see:`NetControl::drop_address_catch_release` like in this example: -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro +.. literalinclude:: netcontrol-7-catch-release.bro + :caption: + :language: bro + :linenos: -.. btest:: netcontrol-7-catch-release.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro + $ bro -C -r tls/ecdhe.pcap netcontrol-7-catch-release.bro + netcontrol debug (Debug-All): init + netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], expire=10.0 mins, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] Note that you do not have to provide the block time for catch and release; instead, catch and release uses the time intervals specified in 
@@ -418,9 +535,20 @@ first 10 minutes, it is blocked for 1 hour and then monitored for 24 hours, etc. Catch and release adds its own new logfile in addition to the already existing ones (netcontrol_catch_release.log): -.. btest:: netcontrol-7-catch-release.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd cat netcontrol_catch_release.log + $ cat netcontrol_catch_release.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path netcontrol_catch_release + #open 2018-12-14-18-50-58 + #fields ts rule_id ip action block_interval watch_interval blocked_until watched_until num_blocked location message + #types time string addr enum interval interval time time count string string + 1398529018.678276 2 192.168.18.50 NetControl::DROP 600.000000 3600.000000 1398529618.678276 1398532618.678276 1 - - + 1398529018.678276 2 192.168.18.50 NetControl::DROPPED 600.000000 3600.000000 1398529618.678276 1398532618.678276 1 - - + #close 2018-12-14-18-50-58 In addition to the blocking function, catch and release comes with the :bro:see:`NetControl::get_catch_release_info` function to 
@@ -531,27 +659,65 @@ the 192.168.17.0/24 network; all other rules will be passed on to the debug plugin. We manually block a few addresses in the :bro:see:`NetControl::init_done` event to verify the correct functionality. -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro +.. literalinclude:: netcontrol-8-multiple.bro + :caption: + :language: bro + :linenos: -.. btest:: netcontrol-8-multiple.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro + $ bro netcontrol-8-multiple.bro + netcontrol debug (Debug-All): init + netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.17.2/32, mac=], expire=1.0 min, priority=0, location=, out_port=, mod=, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] As you can see, only the single block affecting the 192.168.17.0/24 network is output to the command line. The other two lines are handled by the OpenFlow plugin. We can verify this by looking at netcontrol.log. The plugin column shows which plugin handled a rule and reveals that two rules were handled by OpenFlow: -.. btest:: netcontrol-8-multiple.bro +.. 
code-block:: console - @TEST-EXEC: btest-rst-cmd cat netcontrol.log + $ cat netcontrol.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path netcontrol + #open 2018-12-14-18-50-58 + #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin + #types time string enum string enum string enum string string string string int interval string string + 1544813458.913148 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All + 1544813458.913148 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All + 1544813458.913148 - NetControl::MESSAGE - - - - - - - activating plugin with priority 10 - - - Openflow-Log-42 + 1544813458.913148 - NetControl::MESSAGE - - - - - - - activation finished - - - Openflow-Log-42 + 1544813458.913148 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - + 1544813458.913148 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 10.0.0.1/32 - - 0 60.000000 - Openflow-Log-42 + 1544813458.913148 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.17.2/32 - - 0 60.000000 - Debug-All + 1544813458.913148 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.2/32 - - 0 60.000000 - Openflow-Log-42 + 1544813458.913148 3 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.17.2/32 - - 0 60.000000 - Debug-All + 1544813458.913148 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 10.0.0.1/32 - - 0 60.000000 - Openflow-Log-42 + 1544813458.913148 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.2/32 - - 0 60.000000 - Openflow-Log-42 + #close 2018-12-14-18-50-58 Furthermore, openflow.log 
also shows the two added rules, converted to OpenFlow flow mods: -.. btest:: netcontrol-8-multiple.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd cat openflow.log + $ cat openflow.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path openflow + #open 2018-12-14-18-50-58 + #fields ts dpid match.in_port match.dl_src match.dl_dst match.dl_vlan match.dl_vlan_pcp match.dl_type match.nw_tos match.nw_proto match.nw_src match.nw_dst match.tp_src match.tp_dst flow_mod.cookie flow_mod.table_id flow_mod.command flow_mod.idle_timeout flow_mod.hard_timeout flow_mod.priority flow_mod.out_port flow_mod.out_group flow_mod.flags flow_mod.actions.out_ports flow_mod.actions.vlan_vid flow_mod.actions.vlan_pcp flow_mod.actions.vlan_strip flow_mod.actions.dl_src flow_mod.actions.dl_dst flow_mod.actions.nw_tos flow_mod.actions.nw_src flow_mod.actions.nw_dst flow_mod.actions.tp_src flow_mod.actions.tp_dst + #types time count count string string count count count count count subnet subnet count count count count enum count count count count count count vector[count] count count bool string string count addr addr count count + 1544813458.913148 42 - - - - - 2048 - - 10.0.0.1/32 - - - 4398046511108 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - + 1544813458.913148 42 - - - - - 2048 - - - 10.0.0.1/32 - - 4398046511109 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - + 1544813458.913148 42 - - - - - 2048 - - 192.168.18.2/32 - - - 4398046511112 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - + 1544813458.913148 42 - - - - - 2048 - - - 192.168.18.2/32 - - 4398046511113 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - + #close 2018-12-14-18-50-58 .. note:: 
@@ -613,16 +779,29 @@ raise the :bro:see:`NetControl::rule_added` and :bro:see:`NetControl::rule_removed` events in your plugin to let NetControl know when a rule was added and removed successfully. -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro +.. literalinclude:: netcontrol-9-skeleton.bro + :caption: + :language: bro + :linenos: This example is already fully functional and we can use it with a script similar to our very first example: -.. btest-include:: ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro +.. literalinclude:: netcontrol-10-use-skeleton.bro + :caption: + :language: bro + :linenos: -.. btest:: netcontrol-9-skeleton.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro + $ bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro + add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={ + + }, _active_plugin_ids={ + + }, _no_expire_plugins={ + + }, _added=F] If you want to write your own plugins, it will be worthwhile to look at the plugins that ship with the NetControl framework to see how they define the diff --git a/doc/frameworks/notice.rst b/doc/frameworks/notice.rst index e37740dee1..a6b27e92b5 100644 --- a/doc/frameworks/notice.rst +++ b/doc/frameworks/notice.rst 
@@ -91,12 +91,25 @@ Here's a simple example which tells Bro to send an email for all notices of type :bro:see:`SSH::Password_Guessing` if the guesser attempted to log in to the server at 192.168.56.103: -.. btest-include:: ${DOC_ROOT}/frameworks/notice_ssh_guesser.bro +.. literalinclude:: notice_ssh_guesser.bro + :caption: + :language: bro + :linenos: -.. btest:: notice_ssh_guesser.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/notice_ssh_guesser.bro - @TEST-EXEC: btest-rst-cmd cat notice.log + $ bro -C -r ssh/sshguess.pcap notice_ssh_guesser.bro + $ cat notice.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path notice + #open 2018-12-13-22-56-35 + #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude + #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double + 1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 3600.000000 F - - - - - + #close 2018-12-13-22-56-35 .. note:: diff --git a/doc/frameworks/sumstats.rst b/doc/frameworks/sumstats.rst index aaed35be29..79b8eeaad9 100644 --- a/doc/frameworks/sumstats.rst +++ b/doc/frameworks/sumstats.rst 
@@ -73,15 +73,18 @@ Sumstats provides a simple way of approaching the problem of trying to count the number of connections over a given time interval. Here is a script with inline documentation that does this with the Sumstats framework: -.. btest-include:: ${DOC_ROOT}/frameworks/sumstats-countconns.bro +.. literalinclude:: sumstats-countconns.bro + :caption: + :language: bro + :linenos: When run on a sample PCAP file from the Bro test suite, the following output is created: -.. btest:: sumstats-countconns - - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/workshop_2011_browse.trace ${DOC_ROOT}/frameworks/sumstats-countconns.bro +.. code-block:: console + $ bro -r workshop_2011_browse.trace sumstats-countconns.bro + Number of connections established: 6 Toy scan detection ------------------ @@ -92,14 +95,18 @@ demonstrate how thresholding works in Sumstats and is not meant to be a real-world functional example, that is left to the :doc:`/scripts/policy/misc/scan.bro` script that is included with Bro. -.. btest-include:: ${DOC_ROOT}/frameworks/sumstats-toy-scan.bro +.. literalinclude:: sumstats-toy-scan.bro + :caption: + :language: bro + :linenos: Let's see if there are any hosts that crossed the threshold in a PCAP file containing a host running nmap: -.. btest:: sumstats-toy-scan +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/nmap-vsn.trace ${DOC_ROOT}/frameworks/sumstats-toy-scan.bro + $ bro -r nmap-vsn.trace sumstats-toy-scan.bro + 192.168.1.71 attempted 5 or more connections It seems the host running nmap was detected! diff --git a/doc/httpmonitor/index.rst b/doc/httpmonitor/index.rst index 5a4f28ebfe..9e8374bf44 100644 --- a/doc/httpmonitor/index.rst +++ b/doc/httpmonitor/index.rst 
@@ -84,31 +84,43 @@ use this to identify a proxy server. We can write a basic script in Bro to handle the http_reply event and detect a reply for a ``GET http://`` request. -.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_01.bro +.. literalinclude:: http_proxy_01.bro + :caption: + :language: bro + :linenos: -.. btest:: http_proxy_01 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_01.bro + $ bro -r http/proxy.pcap http_proxy_01.bro + A local server is acting as an open proxy: 192.168.56.101 Basically, the script is checking for a "200 OK" status code on a reply for a request that includes "http:" (case insensitive). In reality, the HTTP protocol defines several success status codes other than 200, so we will extend our basic script to also consider the additional codes. -.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_02.bro +.. literalinclude:: http_proxy_02.bro + :caption: + :language: bro + :linenos: -.. btest:: http_proxy_02 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_02.bro + $ bro -r http/proxy.pcap http_proxy_02.bro + A local server is acting as an open proxy: 192.168.56.101 Next, we will make sure that the responding proxy is part of our local network. -.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_03.bro +.. literalinclude:: http_proxy_03.bro + :caption: + :language: bro + :linenos: -.. btest:: http_proxy_03 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_03.bro + $ bro -r http/proxy.pcap http_proxy_03.bro + A local server is acting as an open proxy: 192.168.56.101 .. note:: 
@@ -123,12 +135,25 @@ we will tag the traffic accordingly and define a new ``Open_Proxy`` notification has been fired, we will further suppress it for one day. Below is the complete script. -.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_04.bro +.. literalinclude:: http_proxy_04.bro + :caption: + :language: bro + :linenos: -.. btest:: http_proxy_04 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_04.bro - @TEST-EXEC: btest-rst-include notice.log + $ bro -r http/proxy.pcap http_proxy_04.bro + $ cat notice.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path notice + #open 2018-12-13-22-56-39 + #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude + #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double + 1389654450.449603 CHhAvVGS1DHFjwGM9 192.168.56.1 52679 192.168.56.101 80 - - - tcp HTTP::Open_Proxy A local server is acting as an open proxy: 192.168.56.101 - 192.168.56.1 192.168.56.101 80 - - Notice::ACTION_LOG 86400.000000 F - - - - - + #close 2018-12-13-22-56-40 Note that this script only logs the presence of the proxy to ``notice.log``, but if an additional email is desired (and email 
@@ -148,11 +173,20 @@ instruct Bro to create a copy of all files of certain types that it sees using the :ref:`File Analysis Framework ` (introduced with Bro 2.2): -.. btest-include:: ${DOC_ROOT}/httpmonitor/file_extraction.bro +.. literalinclude:: file_extraction.bro + :caption: + :language: bro + :linenos: -.. btest:: file_extraction +.. code-block:: console - @TEST-EXEC: btest-rst-cmd -n 5 bro -r ${TRACES}/http/bro.org.pcap ${DOC_ROOT}/httpmonitor/file_extraction.bro + $ bro -r bro.org.pcap file_extraction.bro + Extracting file HTTP-FiIpIB2hRQSDBOSJRg.html + Extracting file HTTP-FMG4bMmVV64eOsCb.txt + Extracting file HTTP-FnaT2a3UDd093opCB9.txt + Extracting file HTTP-FfQGqj4Fhh3pH7nVQj.txt + Extracting file HTTP-FsvATF146kf1Emc21j.txt + [...] Here, the ``mime_to_ext`` table serves two purposes. It defines which mime types to extract and also the file suffix of the extracted files. diff --git a/doc/logs/index.rst b/doc/logs/index.rst index 6532b0f844..315549a87a 100644 --- a/doc/logs/index.rst +++ b/doc/logs/index.rst 
@@ -39,13 +39,23 @@ to the appropriate log file. As the fields of the log entries can be further customized by the user, the Logging Framework makes use of a header block to ensure that -it remains self-describing. This header entry can be see by running -the Unix utility ``head`` and outputting the first lines of the file: +it remains self-describing. Here's the first few lines of a ``conn.log``. -.. btest:: using_bro - - @TEST-EXEC: btest-rst-cmd bro -r $TRACES/wikipedia.trace - @TEST-EXEC: btest-rst-include -n 15 conn.log +.. code-block:: console + + $ cat conn.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path conn + #open 2018-12-10-22-18-00 + #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents + #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] + 1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 - + 1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 - + 1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 - + [...] As you can see, the header consists of lines prefixed by ``#`` and includes information such as what separators are being used for 
@@ -129,15 +139,37 @@ require the user to refer to fields referenced by their position). For example, the following command extracts just the given columns from a ``conn.log``: -.. btest:: using_bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd -n 10 "cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration" + $ cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration + 141.142.220.202 5353 224.0.0.251 - + fe80::217:f2ff:fed7:cf65 5353 ff02::fb - + 141.142.220.50 5353 224.0.0.251 - + 141.142.220.118 43927 141.142.2.2 0.000435 + 141.142.220.118 37676 141.142.2.2 0.000420 + 141.142.220.118 40526 141.142.2.2 0.000392 + 141.142.220.118 32902 141.142.2.2 0.000317 + 141.142.220.118 59816 141.142.2.2 0.000343 + 141.142.220.118 59714 141.142.2.2 0.000375 + 141.142.220.118 58206 141.142.2.2 0.000339 + [...] The corresponding ``awk`` command will look like this: -.. btest:: using_bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd -n 10 awk \'/^[^#]/ {print \$3, \$4, \$5, \$6, \$9}\' conn.log + $ awk '/^[^#]/ {print $3, $4, $5, $6, $9}' conn.log + 141.142.220.202 5353 224.0.0.251 5353 - + fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 - + 141.142.220.50 5353 224.0.0.251 5353 - + 141.142.220.118 43927 141.142.2.2 53 0.000435 + 141.142.220.118 37676 141.142.2.2 53 0.000420 + 141.142.220.118 40526 141.142.2.2 53 0.000392 + 141.142.220.118 32902 141.142.2.2 53 0.000317 + 141.142.220.118 59816 141.142.2.2 53 0.000343 + 141.142.220.118 59714 141.142.2.2 53 0.000375 + 141.142.220.118 58206 141.142.2.2 53 0.000339 + [...] While the output is similar, the advantages to using bro-cut over ``awk`` lay in that, while ``awk`` is flexible and powerful, ``bro-cut`` 
@@ -191,17 +223,29 @@ includes the human readable time stamp, the unique identifier, the HTTP ``Host``, and HTTP ``URI`` as extracted from the ``http.log`` file: -.. btest:: using_bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd -n 5 "bro-cut -d ts uid host uri < http.log" + $ bro-cut -d ts uid host uri < http.log + 2011-03-18T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css + 2011-03-18T19:06:08+0000 CwjjYJ2WqgTbAqiHl6 upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png + 2011-03-18T19:06:08+0000 C3eiCBGOLw3VtHfOj upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png + 2011-03-18T19:06:08+0000 Ck51lg1bScffFj34Ri upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png + 2011-03-18T19:06:08+0000 CtxTCR2Yer0FR1tIBg upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png + [...] Often times log files from multiple sources are stored in UTC time to allow easy correlation. Converting the timestamp from a log file to UTC can be accomplished with the ``-u`` option: -.. btest:: using_bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd -n 5 "bro-cut -u ts uid host uri < http.log" + $ bro-cut -u ts uid host uri < http.log + 2011-03-18T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css + 2011-03-18T19:06:08+0000 CwjjYJ2WqgTbAqiHl6 upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png + 2011-03-18T19:06:08+0000 C3eiCBGOLw3VtHfOj upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png + 2011-03-18T19:06:08+0000 Ck51lg1bScffFj34Ri upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png + 2011-03-18T19:06:08+0000 CtxTCR2Yer0FR1tIBg upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png + [...] 
The default time format when using the ``-d`` or ``-u`` is the ``strftime`` format string ``%Y-%m-%dT%H:%M:%S%z`` which results in a @@ -211,9 +255,15 @@ using the ``-D`` and ``-U`` flags, using the standard ``strftime`` syntax. For example, to format the timestamp in the US-typical "Middle Endian" you could use a format string of: ``%d-%m-%YT%H:%M:%S%z`` -.. btest:: using_bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd -n 5 "bro-cut -D %d-%m-%YT%H:%M:%S%z ts uid host uri < http.log" + $ bro-cut -D %d-%m-%YT%H:%M:%S%z ts uid host uri < http.log + 18-03-2011T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css + 18-03-2011T19:06:08+0000 CwjjYJ2WqgTbAqiHl6 upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png + 18-03-2011T19:06:08+0000 C3eiCBGOLw3VtHfOj upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png + 18-03-2011T19:06:08+0000 Ck51lg1bScffFj34Ri upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png + 18-03-2011T19:06:08+0000 CtxTCR2Yer0FR1tIBg upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png + [...] See ``man strfime`` for more options for the format string. 
@@ -235,16 +285,22 @@ largest number of bytes from the responder by redirecting the output for ``cat conn.log`` into bro-cut to extract the UID and the resp_bytes, then sorting that output by the resp_bytes field. -.. btest:: using_bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd "cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5" + $ cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5 + CwjjYJ2WqgTbAqiHl6 734 + CtxTCR2Yer0FR1tIBg 734 + Ck51lg1bScffFj34Ri 734 + CLNN1k2QMum1aexUK7 734 + CykQaM33ztNt0csB9a 733 Taking the UID of the first of the top responses, we can now crossreference that with the UIDs in the ``http.log`` file. -.. btest:: using_bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd "cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11" + $ cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11 + CUM0KZ3MLUfNB0cl11 208.80.152.118 GET 304 bits.wikimedia.org /skins-1.5/monobook/main.css As you can see there are two HTTP ``GET`` requests within the session that Bro identified and logged. Given that HTTP is a stream diff --git a/doc/mimestats/index.rst b/doc/mimestats/index.rst index dd2e039e8a..928cefe871 100644 --- a/doc/mimestats/index.rst +++ b/doc/mimestats/index.rst 
@@ -37,32 +37,69 @@ in the MIME type, size of the file ("response_body_len"), and the originator host ("orig_h"). We use the MIME type as our key and create observers for the other two values. -.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro - :lines: 6-29, 54-64 +.. literalinclude:: mimestats.bro + :caption: + :language: bro + :linenos: + :lines: 6-29 + :lineno-start: 6 + +.. literalinclude:: mimestats.bro + :caption: + :language: bro + :linenos: + :lines: 54-64 + :lineno-start: 54 Next, we create the reducers. The first will accumulate file sizes and the second will make sure we only store a host ID once. Below is the partial code from a :bro:see:`bro_init` handler. -.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro - :lines: 34-37 +.. literalinclude:: mimestats.bro + :caption: + :language: bro + :linenos: + :lines: 34-37 + :lineno-start: 34 In our final step, we create the SumStats where we check for the observation interval. Once it expires, we populate the record (defined above) with all the relevant data and write it to a log. -.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro - :lines: 38-51 +.. literalinclude:: mimestats.bro + :caption: + :language: bro + :linenos: + :lines: 38-51 + :lineno-start: 38 -After putting the three pieces together we end up with the following final code for -our script. +After putting the three pieces together we end up with the following +final code for our script. -.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro +.. literalinclude:: mimestats.bro + :caption: + :language: bro + :linenos: -.. btest:: mimestats +.. 
code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/bro.org.pcap ${DOC_ROOT}/mimestats/mimestats.bro - @TEST-EXEC: btest-rst-include mime_metrics.log + $ bro -r http/bro.org.pcap mimestats.bro + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path mime_metrics + #open 2018-12-14-16-25-06 + #fields ts ts_delta mtype uniq_hosts hits bytes + #types time interval string count count count + 1389719059.311698 300.000000 image/png 1 9 82176 + 1389719059.311698 300.000000 image/gif 1 1 172 + 1389719059.311698 300.000000 image/x-icon 1 2 2300 + 1389719059.311698 300.000000 text/html 1 2 42231 + 1389719059.311698 300.000000 text/plain 1 15 128001 + 1389719059.311698 300.000000 image/jpeg 1 1 186859 + 1389719059.311698 300.000000 application/pgp-signature 1 1 836 + #close 2018-12-14-16-25-06 .. note:: diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst index d7e0491501..e6fe82c850 100644 --- a/doc/quickstart/index.rst +++ b/doc/quickstart/index.rst 
@@ -255,12 +255,25 @@ action taken on notices can be user-defined. In ``local.bro``, let's define a new ``policy`` hook handler body: -.. btest-include:: ${DOC_ROOT}/quickstart/conditional-notice.bro +.. literalinclude:: conditional-notice.bro + :caption: + :language: bro + :linenos: -.. btest:: conditional-notice +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/tls/tls-expired-cert.trace ${DOC_ROOT}/quickstart/conditional-notice.bro - @TEST-EXEC: btest-rst-cmd cat notice.log + $ bro -r tls/tls-expired-cert.trace conditional-notice.bro + $ cat notice.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path notice + #open 2018-12-14-17-36-05 + #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude + #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double + 1394745603.293028 CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 86400.000000 F - - - - - + #close 2018-12-14-17-36-05 You'll just have to trust the syntax for now, but what we've done is first declare our own variable to hold a set of watched addresses, diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index 54ae83bf81..a3e59b45c7 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst 
@@ -37,10 +37,85 @@ Hash registry includes the ability to do a host lookup on a domain with the form Team Cymru also populates the TXT record of their DNS responses with both a "first seen" timestamp and a numerical "detection rate". The important aspect to understand is Bro already generating hashes for files via the Files framework, but it is the -script ``detect-MHR.bro`` that is responsible for generating the +script :doc:`/scripts/policy/frameworks/files/detect-MHR.bro` +that is responsible for generating the appropriate DNS lookup, parsing the response, and generating a notice if appropriate. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro +.. code-block:: bro + :caption: detect-MHR.bro + + ##! Detect file downloads that have hash values matching files in Team + ##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/). + + @load base/frameworks/files + @load base/frameworks/notice + @load frameworks/files/hash-all-files + + module TeamCymruMalwareHashRegistry; + + export { + redef enum Notice::Type += { + ## The hash value of a file transferred over HTTP matched in the + ## malware hash registry. + Match + }; + + ## File types to attempt matching against the Malware Hash Registry. + option match_file_types = /application\/x-dosexec/ | + /application\/vnd.ms-cab-compressed/ | + /application\/pdf/ | + /application\/x-shockwave-flash/ | + /application\/x-java-applet/ | + /application\/jar/ | + /video\/mp4/; + + ## The Match notice has a sub message with a URL where you can get more + ## information about the file. The %s will be replaced with the SHA-1 + ## hash of the file. + option match_sub_url = "https://www.virustotal.com/en/search/?query=%s"; + + ## The malware hash registry runs each malware sample through several + ## A/V engines. Team Cymru returns a percentage to indicate how + ## many A/V engines flagged the sample as malicious. This threshold + ## allows you to require a minimum detection rate. 
+ option notice_threshold = 10; + } + + function do_mhr_lookup(hash: string, fi: Notice::FileInfo) + { + local hash_domain = fmt("%s.malware.hash.cymru.com", hash); + + when ( local MHR_result = lookup_hostname_txt(hash_domain) ) + { + # Data is returned as " " + local MHR_answer = split_string1(MHR_result, / /); + + if ( |MHR_answer| == 2 ) + { + local mhr_detect_rate = to_count(MHR_answer[1]); + + if ( mhr_detect_rate >= notice_threshold ) + { + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); + local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); + local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); + local virustotal_url = fmt(match_sub_url, hash); + # We don't have the full fa_file record here in order to + # avoid the "when" statement cloning it (expensive!). + local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url); + Notice::populate_file_info2(fi, n); + NOTICE(n); + } + } + } + } + + event file_hash(f: fa_file, kind: string, hash: string) + { + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) + do_mhr_lookup(hash, Notice::create_file_info(f)); + } Visually, there are three distinct sections of the script. First, there is a base level with no indentation where libraries are included in the script through ``@load`` 
@@ -51,8 +126,12 @@ specific event (``event file_hash``). Don't get discouraged if you don't understand every section of the script; we'll cover the basics of the script and much more in following sections. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro - :lines: 4-6 +.. code-block:: bro + :caption: detect-MHR.bro + + @load base/frameworks/files + @load base/frameworks/notice + @load frameworks/files/hash-all-files The first part of the script consists of ``@load`` directives which process the ``__load__.bro`` script in the 
@@ -66,8 +145,36 @@ this level of granularity might not be entirely necessary. The ``@load`` direct are ensuring the Files framework, the Notice framework and the script to hash all files has been loaded by Bro. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro - :lines: 10-36 +.. code-block:: bro + :caption: detect-MHR.bro + + export { + redef enum Notice::Type += { + ## The hash value of a file transferred over HTTP matched in the + ## malware hash registry. + Match + }; + + ## File types to attempt matching against the Malware Hash Registry. + option match_file_types = /application\/x-dosexec/ | + /application\/vnd.ms-cab-compressed/ | + /application\/pdf/ | + /application\/x-shockwave-flash/ | + /application\/x-java-applet/ | + /application\/jar/ | + /video\/mp4/; + + ## The Match notice has a sub message with a URL where you can get more + ## information about the file. The %s will be replaced with the SHA-1 + ## hash of the file. + option match_sub_url = "https://www.virustotal.com/en/search/?query=%s"; + + ## The malware hash registry runs each malware sample through several + ## A/V engines. Team Cymru returns a percentage to indicate how + ## many A/V engines flagged the sample as malicious. This threshold + ## allows you to require a minimum detection rate. + option notice_threshold = 10; + } The export section redefines an enumerable constant that describes the type of notice we will generate with the Notice framework. Bro 
@@ -89,8 +196,43 @@ Up until this point, the script has merely done some basic setup. With the next section, the script starts to define instructions to take in a given event. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro - :lines: 38-71 +.. code-block:: bro + :caption: detect-MHR.bro + + function do_mhr_lookup(hash: string, fi: Notice::FileInfo) + { + local hash_domain = fmt("%s.malware.hash.cymru.com", hash); + + when ( local MHR_result = lookup_hostname_txt(hash_domain) ) + { + # Data is returned as " " + local MHR_answer = split_string1(MHR_result, / /); + + if ( |MHR_answer| == 2 ) + { + local mhr_detect_rate = to_count(MHR_answer[1]); + + if ( mhr_detect_rate >= notice_threshold ) + { + local mhr_first_detected = double_to_time(to_double(MHR_answer[0])); + local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected); + local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); + local virustotal_url = fmt(match_sub_url, hash); + # We don't have the full fa_file record here in order to + # avoid the "when" statement cloning it (expensive!). + local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url); + Notice::populate_file_info2(fi, n); + NOTICE(n); + } + } + } + } + + event file_hash(f: fa_file, kind: string, hash: string) + { + if ( kind == "sha1" && f?$info && f$info?$mime_type && + match_file_types in f$info$mime_type ) + do_mhr_lookup(hash, Notice::create_file_info(f)); The workhorse of the script is contained in the event handler for ``file_hash``. The :bro:see:`file_hash` event allows scripts to access 
@@ -182,8 +324,34 @@ This effort resulted in built-in-function files organized such that each entry contains a descriptive event name, the arguments passed to the event, and a concise explanation of the functions use. -.. btest-include:: ${BRO_SRC_ROOT}/build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro - :lines: 29-54 +.. code-block:: bro + + ## Generated for DNS requests. For requests with multiple queries, this event + ## is raised once for each. + ## + ## See `Wikipedia `__ for more + ## information about the DNS protocol. Bro analyzes both UDP and TCP DNS + ## sessions. + ## + ## c: The connection, which may be UDP or TCP depending on the type of the + ## transport-layer session being analyzed. + ## + ## msg: The parsed DNS message header. + ## + ## query: The queried name. + ## + ## qtype: The queried resource record type. + ## + ## qclass: The queried resource record class. + ## + ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl + ## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply + ## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end + ## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name + ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply + ## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl + ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth + event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); Above is a segment of the documentation for the event :bro:id:`dns_request` (and the preceding link points to the 
@@ -226,7 +394,10 @@ remove this event from memory, effectively forgetting about it. Let's take a look at a simple example script, that will output the connection record for a single connection. -.. btest-include:: ${DOC_ROOT}/scripting/connection_record_01.bro +.. literalinclude:: connection_record_01.bro + :caption: + :language: bro + :linenos: Again, we start with ``@load``, this time importing the :doc:`/scripts/base/protocols/conn/index` scripts which supply the tracking @@ -242,9 +413,12 @@ more layers of information about a connection. This will give us a chance to see the contents of the connection record without it being overly populated. -.. btest:: connection-record-01 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_01.bro + $ bro -b -r http/get.trace connection_record_01.bro + [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={ + + }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], extract_orig=F, extract_resp=F, thresholds=] As you can see from the output, the connection record is something of a jumble when printed on its own. Regularly taking a peek at a 
@@ -270,11 +444,21 @@ proper format of a dereferenced variable in scripts. In the output of the script above, groups of information are collected between brackets, which would correspond to the ``$``-delimiter in a Bro script. -.. btest-include:: ${DOC_ROOT}/scripting/connection_record_02.bro +.. literalinclude:: connection_record_02.bro + :caption: + :language: bro + :linenos: -.. btest:: connection-record-02 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_02.bro + $bro -b -r http/get.trace connection_record_02.bro + [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={ + + }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={ + + }, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, 
resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={ + + }, current_request=1, current_response=1, trans_depth=1]] The addition of the ``base/protocols/http`` scripts populates the ``http=[]`` member of the connection record. While Bro is doing a @@ -306,7 +490,10 @@ each of which produce the same result if ``EXPRESSION`` evaluates to the same type as ``TYPE``. The decision as to which type of declaration to use is likely to be dictated by personal preference and readability. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_declaration.bro +.. literalinclude:: data_type_declaration.bro + :caption: + :language: bro + :linenos: Global Variables ~~~~~~~~~~~~~~~~ @@ -347,13 +534,19 @@ decrypted from HTTP streams is stored in :bro:see:`HTTP::default_capture_password` as shown in the stripped down excerpt from :doc:`/scripts/base/protocols/http/main.bro` below. -.. btest-include:: ${DOC_ROOT}/scripting/http_main.bro +.. literalinclude:: http_main.bro + :caption: + :language: bro + :linenos: Because the constant was declared with the ``&redef`` attribute, if we needed to turn this option on globally, we could do so by adding the following line to our ``site/local.bro`` file before firing up Bro. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_const_simple.bro +.. literalinclude:: data_type_const_simple.bro + :caption: + :language: bro + :linenos: While the idea of a re-definable constant might be odd, the constraint that constants can only be altered at parse-time remains even with the 
@@ -364,11 +557,18 @@ in a :bro:id:`bro_init` event. Were we to try to alter the table in an event handler, Bro would notify the user of an error and the script would fail. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_const.bro +.. literalinclude:: data_type_const.bro + :caption: + :language: bro + :linenos: -.. btest:: data_type_const.bro +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -b ${DOC_ROOT}/scripting/data_type_const.bro + $ bro -b data_type_const.bro + { + [80/tcp] = WWW, + [6666/tcp] = IRC + } Local Variables ~~~~~~~~~~~~~~~ @@ -382,7 +582,10 @@ of a script passes beyond that scope and no longer used, the variable is deleted. Bro maintains names of locals separately from globally visible ones, an example of which is illustrated below. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_local.bro +.. literalinclude:: data_type_local.bro + :caption: + :language: bro + :linenos: The script executes the event handler :bro:id:`bro_init` which in turn calls the function ``add_two(i: count)`` with an argument of ``10``. Once Bro @@ -455,7 +658,10 @@ for information that is already naturally unique such as ports or IP addresses. The code snippet below shows both an explicit and implicit declaration of a locally scoped set. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_set_declaration.bro +.. literalinclude:: data_struct_set_declaration.bro + :caption: + :language: bro + :linenos: :lines: 1-4,22 As you can see, sets are declared using the format ``SCOPE var_name: 
@@ -467,8 +673,12 @@ the ``in`` operator. In the case of iterating over a set, combining the ``for`` statement and the ``in`` operator will allow you to sequentially process each element of the set as seen below. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_set_declaration.bro +.. literalinclude:: data_struct_set_declaration.bro + :caption: + :language: bro + :linenos: :lines: 17-21 + :lineno-start: 17 Here, the ``for`` statement loops over the contents of the set storing each element in the temporary variable ``i``. With each iteration of @@ -487,16 +697,31 @@ negate the in operator itself. While the functionality is the same, using the ``!in`` is more efficient as well as a more natural construct which will aid in the readability of your script. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_set_declaration.bro +.. literalinclude:: data_struct_set_declaration.bro + :caption: + :language: bro + :linenos: :lines: 13-15 + :lineno-start: 13 You can see the full script and its output below. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_set_declaration.bro +.. literalinclude:: data_struct_set_declaration.bro + :caption: + :language: bro + :linenos: -.. btest:: data_struct_set_declaration +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_set_declaration.bro + $ bro data_struct_set_declaration.bro + SSL Port: 22/tcp + SSL Port: 443/tcp + SSL Port: 587/tcp + SSL Port: 993/tcp + Non-SSL Port: 80/tcp + Non-SSL Port: 25/tcp + Non-SSL Port: 143/tcp + Non-SSL Port: 23/tcp Tables ~~~~~~ 
@@ -505,11 +730,18 @@ A table in Bro is a mapping of a key to a value or yield. While the values don't have to be unique, each key in the table must be unique to preserve a one-to-one mapping of keys to values. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_table_declaration.bro +.. literalinclude:: data_struct_table_declaration.bro + :caption: + :language: bro + :linenos: -.. btest:: data_struct_table_declaration +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_table_declaration.bro + $ bro data_struct_table_declaration.bro + Service Name: SSH - Common Port: 22/tcp + Service Name: HTTPS - Common Port: 443/tcp + Service Name: SMTPS - Common Port: 587/tcp + Service Name: IMAPS - Common Port: 993/tcp In this example, we've compiled a table of SSL-enabled services and their common @@ -534,11 +766,18 @@ Bro implies a cost in complexity for the person writing the scripts but pays off in effectiveness given the power of Bro as a network security platform. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_table_complex.bro +.. literalinclude:: data_struct_table_complex.bro + :caption: + :language: bro + :linenos: -.. btest:: data_struct_table_complex +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -b ${DOC_ROOT}/scripting/data_struct_table_complex.bro + $ bro -b data_struct_table_complex.bro + Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai + Goyokin was released in 1969 by Fuji studios, directed by Hideo Gosha and starring Tatsuya Nakadai + Tasogare Seibei was released in 2002 by Eisei Gekijo studios, directed by Yoji Yamada and starring Hiroyuki Sanada + Kiru was released in 1968 by Toho studios, directed by Kihachi Okamoto and starring Tatsuya Nakadai This script shows a sample table of strings indexed by two strings, a count, and a final string. With a tuple acting as an 
@@ -580,11 +819,18 @@ the vector name between two vertical pipes to get the vector's current length before printing the contents of both Vectors and their current lengths. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_vector_declaration.bro +.. literalinclude:: data_struct_vector_declaration.bro + :caption: + :language: bro + :linenos: -.. btest:: data_struct_vector_declaration +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_vector_declaration.bro + $ bro data_struct_vector_declaration.bro + contents of v1: [1, 2, 3, 4] + length of v1: 4 + contents of v2: [1, 2, 3, 4] + length of v2: 4 In a lot of cases, storing elements in a vector is simply a precursor to then iterating over them. Iterating over a vector is easy with the @@ -595,12 +841,17 @@ called ``i`` which will hold the index of the current element in the vector. Using ``i`` as an index to addr_vector we can access the current item in the vector with ``addr_vector[i]``. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_vector_iter.bro +.. literalinclude:: data_struct_vector_iter.bro + :caption: + :language: bro + :linenos: -.. btest:: data_struct_vector_iter - - @TEST-EXEC: btest-rst-cmd bro -b ${DOC_ROOT}/scripting/data_struct_vector_iter.bro +.. code-block:: console + $ bro -b data_struct_vector_iter.bro + 1.2.0.0/18 + 2.3.0.0/18 + 3.4.0.0/18 Data Types Revisited -------------------- @@ -653,7 +904,10 @@ your scripts. The following example below uses a Bro script to determine if a series of IP addresses are within a set of subnets using a 20 bit subnet mask. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_subnets.bro +.. literalinclude:: data_type_subnets.bro + :caption: + :language: bro + :linenos: Because this is a script that doesn't use any kind of network analysis, we can handle the event :bro:id:`bro_init` which is always 
@@ -669,9 +923,13 @@ For example, ``10.0.0.1 in 10.0.0.0/8`` would return true while script, we get the output listing the IP address and the subnet in which it belongs. -.. btest:: data_type_subnets +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_type_subnets.bro + $ bro data_type_subnets.bro + 172.16.4.56 belongs to subnet 172.16.0.0/20 + 172.16.47.254 belongs to subnet 172.16.32.0/20 + 172.16.22.45 belongs to subnet 172.16.16.0/20 + 172.16.1.1 belongs to subnet 172.16.0.0/20 time ~~~~ 
@@ -693,14 +951,26 @@ timestamp and an indication of who the originator and responder were. We use the ``strftime`` format string of ``%Y%M%d %H:%m:%S`` to produce a common date time formatted time stamp. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_time.bro +.. literalinclude:: data_type_time.bro + :caption: + :language: bro + :linenos: When the script is executed we get an output showing the details of established connections. -.. btest:: data_type_time +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/wikipedia.trace ${DOC_ROOT}/scripting/data_type_time.bro + $ bro -r wikipedia.trace data_type_time.bro + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118\x0a + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2\x0a + 2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128\x0a interval ~~~~~~~~ 
@@ -730,15 +1000,35 @@ operator. The script below amends the script started in the section above to include a time delta value printed along with the connection establishment report. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_interval.bro +.. literalinclude:: data_type_interval.bro + :caption: + :language: bro + :linenos: This time, when we execute the script we see an additional line in the output to display the time delta since the last fully established connection. -.. btest:: data_type_interval +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/wikipedia.trace ${DOC_ROOT}/scripting/data_type_interval.bro + $ bro -r wikipedia.trace data_type_interval.bro + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118 + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 + Time since last connection: 132.0 msecs 97.0 usecs + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 + Time since last connection: 177.0 usecs + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 + Time since last connection: 2.0 msecs 177.0 usecs + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 + Time since last connection: 33.0 msecs 898.0 usecs + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 + Time since last connection: 35.0 usecs + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3 + Time since last connection: 2.0 msecs 532.0 usecs + 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2 + Time since last connection: 7.0 msecs 866.0 usecs + 2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128 + Time since last connection: 817.0 msecs 703.0 usecs Pattern 
@@ -755,7 +1045,10 @@ adheres to a strict format, requiring the regular expression or pattern constant to be on the left side of the ``in`` operator and the string against which it will be tested to be on the right. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_pattern_01.bro +.. literalinclude:: data_type_pattern_01.bro + :caption: + :language: bro + :linenos: In the sample above, two local variables are declared to hold our sample sentence and regular expression. Our regular expression in @@ -771,9 +1064,12 @@ excluding the actual matches. In this case, our pattern matches twice, and results in a table with three entries. The ``print`` statements in the script will print the contents of the table in order. -.. btest:: data_type_pattern +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_type_pattern_01.bro + $ bro data_type_pattern_01.bro + The + brown fox jumps over the + dog. Patterns can also be used to compare strings using equality and inequality operators through the ``==`` and ``!=`` operators @@ -783,13 +1079,13 @@ ternary conditional statements to illustrate the use of the ``==`` operator with patterns. The output is altered based on the result of the comparison between the pattern and the string. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_pattern_02.bro - -.. btest:: data_type_pattern_02 - - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_type_pattern_02.bro +.. literalinclude:: data_type_pattern_02.bro +.. code-block:: console + $ bro data_type_pattern_02.bro + equality and /^?(equal)$?/ are not equal + equality and /^?(equality)$?/ are equal Record Data Type ---------------- 
@@ -809,7 +1105,10 @@ example of the ``record`` data type in the earlier sections, the :bro:type:`Conn::Info`, which corresponds to the fields logged into ``conn.log``, is shown by the excerpt below. -.. btest-include:: ${DOC_ROOT}/scripting/data_type_record.bro +.. literalinclude:: data_type_record.bro + :caption: + :language: bro + :linenos: Looking at the structure of the definition, a new collection of data types is being defined as a type called ``Info``. Since this type @@ -822,11 +1121,20 @@ that make up the record. The individual fields that make up the new record are not limited in type or number as long as the name for each field is unique. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_record_01.bro +.. literalinclude:: data_struct_record_01.bro + :caption: + :language: bro + :linenos: -.. btest:: data_struct_record_01 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_record_01.bro + $ bro data_struct_record_01.bro + Service: dns(RFC1035) + port: 53/udp + port: 53/tcp + Service: http(RFC2616) + port: 8080/tcp + port: 80/tcp The sample above shows a simple type definition that includes a string, a set of ports, and a count to define a service type. Also @@ -843,11 +1151,18 @@ records are even valid as fields within another record. We can extend the example above to include another record that contains a Service record. -.. btest-include:: ${DOC_ROOT}/scripting/data_struct_record_02.bro +.. literalinclude:: data_struct_record_02.bro -.. btest:: data_struct_record_02 +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_record_02.bro + $ bro data_struct_record_02.bro + System: morlock + Service: http(RFC2616) + port: 8080/tcp + port: 80/tcp + Service: dns(RFC1035) + port: 53/udp + port: 53/tcp The example above includes a second record type in which a field is used as the data type for a set. Records can be repeatedly nested 
@@ -858,8 +1173,12 @@ It's also common to see a ``type`` used to simply alias a data structure to a more descriptive name. The example below shows an example of this from Bro's own type definitions file. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/base/init-bare.bro - :lines: 12,19,26 +.. code-block:: bro + :caption: init-bare.bro + + type string_array: table[count] of string; + type string_set: set[string]; + type addr_set: set[addr]; The three lines above alias a type of data structure to a descriptive name. Functionally, the operations are the same, however, each of the @@ -916,11 +1235,24 @@ It's always best to work through the problem once, simulating the desired output with ``print`` and ``fmt`` before attempting to dive into the Logging Framework. -.. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_01.bro +.. literalinclude:: framework_logging_factorial_01.bro + :caption: + :language: bro + :linenos: -.. btest:: framework_logging_factorial +.. code-block:: console - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/framework_logging_factorial_01.bro + $ bro framework_logging_factorial_01.bro + 1 + 2 + 6 + 24 + 120 + 720 + 5040 + 40320 + 362880 + 3628800 This script defines a factorial function to recursively calculate the factorial of a unsigned integer passed as an argument to the function. Using @@ -930,7 +1262,10 @@ calculations correctly as well get an idea of the answers ourselves. The output of the script aligns with what we expect so now it's time to integrate the Logging Framework. -.. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_02.bro +.. literalinclude:: framework_logging_factorial_02.bro + :caption: + :language: bro + :linenos: As mentioned above we have to perform a few steps before we can issue the :bro:id:`Log::write` method and produce a logfile. 
@@ -962,10 +1297,29 @@ Now, if we run this script, instead of generating logging information to stdout, no output is created. Instead the output is all in ``factor.log``, properly formatted and organized. -.. btest:: framework_logging_factorial-2 - - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/framework_logging_factorial_02.bro - @TEST-EXEC: btest-rst-include factor.log +.. code-block:: console + + $ bro framework_logging_factorial_02.bro + $ cat factor.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path factor + #open 2018-12-14-21-47-18 + #fields num factorial_num + #types count count + 1 1 + 2 2 + 3 6 + 4 24 + 5 120 + 6 720 + 7 5040 + 8 40320 + 9 362880 + 10 3628800 + #close 2018-12-14-21-47-18 While the previous example is a simplistic one, it serves to demonstrate the small pieces of script code hat need to be in place in @@ -993,7 +1347,10 @@ example we've been using, let's extend it so as to write any factorial which is a factor of 5 to an alternate file, while writing the remaining logs to factor.log. -.. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_03.bro +.. literalinclude:: framework_logging_factorial_03.bro + :caption: + :language: bro + :linenos: To dynamically alter the file in which a stream writes its logs, a filter can specify a function that returns a string to be used as the 
@@ -1014,10 +1371,25 @@ factorials that are a factors of 5, ``factor-non5.log`` with the factorials that are not factors of 5, and ``factor.log`` which would have included all factorials. -.. btest:: framework_logging_factorial-3 - - @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/framework_logging_factorial_03.bro - @TEST-EXEC: btest-rst-include factor-mod5.log +.. code-block:: console + + $ bro framework_logging_factorial_03.bro + $ cat factor-mod5.log + #separator \x09 + #set_separator , + #empty_field (empty) + #unset_field - + #path factor-mod5 + #open 2018-12-14-21-47-18 + #fields num factorial_num + #types count count + 5 120 + 6 720 + 7 5040 + 8 40320 + 9 362880 + 10 3628800 + #close 2018-12-14-21-47-1 The ability of Bro to generate easily customizable and extensible logs which remain easily parsable is a big part of the reason Bro has @@ -1047,7 +1419,10 @@ block and define the value to be passed to it, in this case the ``Factor::Info`` record. We then list the ``log_factor`` function as the ``$ev`` field in the call to ``Log::create_stream`` -.. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_04.bro +.. literalinclude:: framework_logging_factorial_04.bro + :caption: + :language: bro + :linenos: Raising Notices 
@@ -1098,8 +1473,60 @@ or not that notice is acted upon is decided by the local Notice Policy, but the script attempts to supply as much information as possible while staying concise. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ssh/interesting-hostnames.bro - :lines: 1-52 +.. code-block:: bro + :caption: scripts/policy/protocols/ssh/interesting-hostnames.bro + + ##! This script will generate a notice if an apparent SSH login originates + ##! or heads to a host with a reverse hostname that looks suspicious. By + ##! default, the regular expression to match "interesting" hostnames includes + ##! names that are typically used for infrastructure hosts like nameservers, + ##! mail servers, web servers and ftp servers. + + @load base/frameworks/notice + + module SSH; + + export { + redef enum Notice::Type += { + ## Generated if a login originates or responds with a host where + ## the reverse hostname lookup resolves to a name matched by the + ## :bro:id:`SSH::interesting_hostnames` regular expression. + Interesting_Hostname_Login, + }; + + ## Strange/bad host names to see successful SSH logins from or to. + option interesting_hostnames = + /^d?ns[0-9]*\./ | + /^smtp[0-9]*\./ | + /^mail[0-9]*\./ | + /^pop[0-9]*\./ | + /^imap[0-9]*\./ | + /^www[0-9]*\./ | + /^ftp[0-9]*\./; + } + + function check_ssh_hostname(id: conn_id, uid: string, host: addr) + { + when ( local hostname = lookup_addr(host) ) + { + if ( interesting_hostnames in hostname ) + { + NOTICE([$note=Interesting_Hostname_Login, + $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.", + Site::is_local_addr(host) ? "local" : "remote", + host == id$orig_h ? 
"client" : "server"), + $sub=hostname, $id=id, $uid=uid]); + } + } + } + + event ssh_auth_successful(c: connection, auth_method_none: bool) + { + for ( host in set(c$id$orig_h, c$id$resp_h) ) + { + check_ssh_hostname(c$id, c$uid, host); + } + } While much of the script relates to the actual detection, the parts specific to the Notice Framework are actually quite interesting in @@ -1137,7 +1564,10 @@ action based on the answer. The hook below adds the ``SSH::Interesting_Hostname_Login`` notice raised in the :doc:`/scripts/policy/protocols/ssh/interesting-hostnames.bro` script. -.. btest-include:: ${DOC_ROOT}/scripting/framework_notice_hook_01.bro +.. literalinclude:: framework_notice_hook_01.bro + :caption: + :language: bro + :linenos: In the example above we've added ``Notice::ACTION_EMAIL`` to the ``n$actions`` set. This set, defined in the Notice Framework scripts, @@ -1174,8 +1604,14 @@ identifier. An identifier is a unique string of information collected from the connection relative to the behavior that has been observed by Bro. -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ssl/expiring-certs.bro - :lines: 64-68 +.. code-block:: bro + :caption: scripts/policy/protocols/ssl/expiring-certs.bro + + NOTICE([$note=Certificate_Expires_Soon, + $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after), + $conn=c, $suppress_for=1day, + $identifier=cat(c$id$resp_h, c$id$resp_p, hash), + $fuid=fuid]); In the :doc:`/scripts/policy/protocols/ssl/expiring-certs.bro` script which identifies when SSL certificates are set to expire and raises 
@@ -1206,7 +1642,10 @@ environment in which it is be run. Using the example of ``SSL::Certificate_Expires_Soon`` to configure the ``$suppress_for`` variable to a shorter time.
-.. btest-include:: ${DOC_ROOT}/scripting/framework_notice_hook_suppression_01.bro
+.. literalinclude:: framework_notice_hook_suppression_01.bro
+ :caption:
+ :language: bro
+ :linenos:
While ``Notice::policy`` hooks allow you to build custom predicate-based policies for a deployment, there are bound to be times
@@ -1253,11 +1692,17 @@ suppression from a notice while ``Notice::type_suppression_intervals`` can be used to alter the suppression interval defined by $suppress_for in the call to ``NOTICE``.
-.. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_01.bro
+.. literalinclude:: framework_notice_shortcuts_01.bro
+ :caption:
+ :language: bro
+ :linenos:
The Notice Policy shortcut above adds the ``Notice::Type`` of ``SSH::Interesting_Hostname_Login`` to the ``Notice::emailed_types`` set while the shortcut below alters the length of time for which those notices will be suppressed.
-.. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_02.bro
+.. literalinclude:: framework_notice_shortcuts_02.bro
+ :caption:
+ :language: bro
+ :linenos:
diff --git a/testing/btest/Baseline/doc.sphinx.conditional-notice/btest-doc.sphinx.conditional-notice#1 b/testing/btest/Baseline/doc.sphinx.conditional-notice/btest-doc.sphinx.conditional-notice#1
deleted file mode 100644
index 0cb081d6fb..0000000000
--- a/testing/btest/Baseline/doc.sphinx.conditional-notice/btest-doc.sphinx.conditional-notice#1
+++ /dev/null
@@ -1,26 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r tls/tls-expired-cert.trace conditional-notice.bro
-
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # cat notice.log
- #separator \x09
- #set_separator ,
- #empty_field (empty)
- #unset_field -
- #path notice
- #open 2017-12-21-02-23-46
- #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
- #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
- 1394745603.293028 CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 86400.000000 F - - - - -
- #close 2017-12-21-02-23-46
-
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
deleted file mode 100644
index fcc4c8f846..0000000000
--- a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
+++ /dev/null
@@ -1,11 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -b -r http/get.trace connection_record_01.bro
- [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
-
- }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], extract_orig=F, extract_resp=F, thresholds=]
-
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
deleted file mode 100644
index db5b18beeb..0000000000
--- a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
+++ /dev/null
@@ -1,15 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -b -r http/get.trace connection_record_02.bro
- [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={
-
- }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={
-
- }, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
-
- }, current_request=1, current_response=1, trans_depth=1]]
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_struct_record_01/btest-doc.sphinx.data_struct_record_01#1 b/testing/btest/Baseline/doc.sphinx.data_struct_record_01/btest-doc.sphinx.data_struct_record_01#1
deleted file mode 100644
index 24b6631c40..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_struct_record_01/btest-doc.sphinx.data_struct_record_01#1
+++ /dev/null
@@ -1,14 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro data_struct_record_01.bro
- Service: dns(RFC1035)
- port: 53/udp
- port: 53/tcp
- Service: http(RFC2616)
- port: 8080/tcp
- port: 80/tcp
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_struct_record_02/btest-doc.sphinx.data_struct_record_02#1 b/testing/btest/Baseline/doc.sphinx.data_struct_record_02/btest-doc.sphinx.data_struct_record_02#1
deleted file mode 100644
index 17988360aa..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_struct_record_02/btest-doc.sphinx.data_struct_record_02#1
+++ /dev/null
@@ -1,15 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro data_struct_record_02.bro
- System: morlock
- Service: http(RFC2616)
- port: 8080/tcp
- port: 80/tcp
- Service: dns(RFC1035)
- port: 53/udp
- port: 53/tcp
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_struct_set_declaration/btest-doc.sphinx.data_struct_set_declaration#1 b/testing/btest/Baseline/doc.sphinx.data_struct_set_declaration/btest-doc.sphinx.data_struct_set_declaration#1
deleted file mode 100644
index 01b42e5c86..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_struct_set_declaration/btest-doc.sphinx.data_struct_set_declaration#1
+++ /dev/null
@@ -1,16 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro data_struct_set_declaration.bro
- SSL Port: 22/tcp
- SSL Port: 443/tcp
- SSL Port: 587/tcp
- SSL Port: 993/tcp
- Non-SSL Port: 80/tcp
- Non-SSL Port: 25/tcp
- Non-SSL Port: 143/tcp
- Non-SSL Port: 23/tcp
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_struct_table_complex/btest-doc.sphinx.data_struct_table_complex#1 b/testing/btest/Baseline/doc.sphinx.data_struct_table_complex/btest-doc.sphinx.data_struct_table_complex#1
deleted file mode 100644
index 144a76e9f4..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_struct_table_complex/btest-doc.sphinx.data_struct_table_complex#1
+++ /dev/null
@@ -1,12 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -b data_struct_table_complex.bro
- Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai
- Goyokin was released in 1969 by Fuji studios, directed by Hideo Gosha and starring Tatsuya Nakadai
- Tasogare Seibei was released in 2002 by Eisei Gekijo studios, directed by Yoji Yamada and starring Hiroyuki Sanada
- Kiru was released in 1968 by Toho studios, directed by Kihachi Okamoto and starring Tatsuya Nakadai
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_struct_table_declaration/btest-doc.sphinx.data_struct_table_declaration#1 b/testing/btest/Baseline/doc.sphinx.data_struct_table_declaration/btest-doc.sphinx.data_struct_table_declaration#1
deleted file mode 100644
index 83bcdbaf5d..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_struct_table_declaration/btest-doc.sphinx.data_struct_table_declaration#1
+++ /dev/null
@@ -1,12 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro data_struct_table_declaration.bro
- Service Name: SSH - Common Port: 22/tcp
- Service Name: HTTPS - Common Port: 443/tcp
- Service Name: SMTPS - Common Port: 587/tcp
- Service Name: IMAPS - Common Port: 993/tcp
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_struct_vector_declaration/btest-doc.sphinx.data_struct_vector_declaration#1 b/testing/btest/Baseline/doc.sphinx.data_struct_vector_declaration/btest-doc.sphinx.data_struct_vector_declaration#1
deleted file mode 100644
index e8bb16ee00..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_struct_vector_declaration/btest-doc.sphinx.data_struct_vector_declaration#1
+++ /dev/null
@@ -1,12 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro data_struct_vector_declaration.bro
- contents of v1: [1, 2, 3, 4]
- length of v1: 4
- contents of v2: [1, 2, 3, 4]
- length of v2: 4
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_struct_vector_iter/btest-doc.sphinx.data_struct_vector_iter#1 b/testing/btest/Baseline/doc.sphinx.data_struct_vector_iter/btest-doc.sphinx.data_struct_vector_iter#1
deleted file mode 100644
index 4ee9351803..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_struct_vector_iter/btest-doc.sphinx.data_struct_vector_iter#1
+++ /dev/null
@@ -1,11 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -b data_struct_vector_iter.bro
- 1.2.0.0/18
- 2.3.0.0/18
- 3.4.0.0/18
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_type_const.bro/btest-doc.sphinx.data_type_const.bro#1 b/testing/btest/Baseline/doc.sphinx.data_type_const.bro/btest-doc.sphinx.data_type_const.bro#1
deleted file mode 100644
index 15cf20c1c4..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_type_const.bro/btest-doc.sphinx.data_type_const.bro#1
+++ /dev/null
@@ -1,12 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -b data_type_const.bro
- {
- [80/tcp] = WWW,
- [6666/tcp] = IRC
- }
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_type_interval/btest-doc.sphinx.data_type_interval#1 b/testing/btest/Baseline/doc.sphinx.data_type_interval/btest-doc.sphinx.data_type_interval#1
deleted file mode 100644
index cba6436e3d..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_type_interval/btest-doc.sphinx.data_type_interval#1
+++ /dev/null
@@ -1,25 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r wikipedia.trace data_type_interval.bro
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 132.0 msecs 97.0 usecs
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 177.0 usecs
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 2.0 msecs 177.0 usecs
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 33.0 msecs 898.0 usecs
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 35.0 usecs
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
- Time since last connection: 2.0 msecs 532.0 usecs
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2
- Time since last connection: 7.0 msecs 866.0 usecs
- 2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128
- Time since last connection: 817.0 msecs 703.0 usecs
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_type_pattern/btest-doc.sphinx.data_type_pattern#1 b/testing/btest/Baseline/doc.sphinx.data_type_pattern/btest-doc.sphinx.data_type_pattern#1
deleted file mode 100644
index a05d4cdabc..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_type_pattern/btest-doc.sphinx.data_type_pattern#1
+++ /dev/null
@@ -1,11 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro data_type_pattern_01.bro
- The
- brown fox jumps over the
- dog.
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_type_pattern_02/btest-doc.sphinx.data_type_pattern_02#1 b/testing/btest/Baseline/doc.sphinx.data_type_pattern_02/btest-doc.sphinx.data_type_pattern_02#1
deleted file mode 100644
index 9c0cfee2d4..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_type_pattern_02/btest-doc.sphinx.data_type_pattern_02#1
+++ /dev/null
@@ -1,10 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro data_type_pattern_02.bro
- equality and /^?(equal)$?/ are not equal
- equality and /^?(equality)$?/ are equal
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_type_subnets/btest-doc.sphinx.data_type_subnets#1 b/testing/btest/Baseline/doc.sphinx.data_type_subnets/btest-doc.sphinx.data_type_subnets#1
deleted file mode 100644
index f7a3f918fa..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_type_subnets/btest-doc.sphinx.data_type_subnets#1
+++ /dev/null
@@ -1,12 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro data_type_subnets.bro
- 172.16.4.56 belongs to subnet 172.16.0.0/20
- 172.16.47.254 belongs to subnet 172.16.32.0/20
- 172.16.22.45 belongs to subnet 172.16.16.0/20
- 172.16.1.1 belongs to subnet 172.16.0.0/20
-
diff --git a/testing/btest/Baseline/doc.sphinx.data_type_time/btest-doc.sphinx.data_type_time#1 b/testing/btest/Baseline/doc.sphinx.data_type_time/btest-doc.sphinx.data_type_time#1
deleted file mode 100644
index 179367ab12..0000000000
--- a/testing/btest/Baseline/doc.sphinx.data_type_time/btest-doc.sphinx.data_type_time#1
+++ /dev/null
@@ -1,17 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r wikipedia.trace data_type_time.bro
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118\x0a
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3\x0a
- 2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2\x0a
- 2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128\x0a
-
diff --git a/testing/btest/Baseline/doc.sphinx.file-analysis-01/btest-doc.sphinx.file-analysis-01#1 b/testing/btest/Baseline/doc.sphinx.file-analysis-01/btest-doc.sphinx.file-analysis-01#1
deleted file mode 100644
index 5712208760..0000000000
--- a/testing/btest/Baseline/doc.sphinx.file-analysis-01/btest-doc.sphinx.file-analysis-01#1
+++ /dev/null
@@ -1,17 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r http/get.trace file_analysis_01.bro
- file_state_remove
- FakNcS1Jfe01uljb3
- CHhAvVGS1DHFjwGM9
- [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
- HTTP
- connection_state_remove
- CHhAvVGS1DHFjwGM9
- [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
- HTTP
-
diff --git a/testing/btest/Baseline/doc.sphinx.file-analysis-02/btest-doc.sphinx.file-analysis-02#1 b/testing/btest/Baseline/doc.sphinx.file-analysis-02/btest-doc.sphinx.file-analysis-02#1
deleted file mode 100644
index ec727a39d5..0000000000
--- a/testing/btest/Baseline/doc.sphinx.file-analysis-02/btest-doc.sphinx.file-analysis-02#1
+++ /dev/null
@@ -1,10 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r http/get.trace file_analysis_02.bro
- new file, FakNcS1Jfe01uljb3
- file_hash, FakNcS1Jfe01uljb3, md5, 397168fd09991a0e712254df7bc639ac
-
diff --git a/testing/btest/Baseline/doc.sphinx.file-analysis-03/btest-doc.sphinx.file-analysis-03#1 b/testing/btest/Baseline/doc.sphinx.file-analysis-03/btest-doc.sphinx.file-analysis-03#1
deleted file mode 100644
index 9a01c7c4af..0000000000
--- a/testing/btest/Baseline/doc.sphinx.file-analysis-03/btest-doc.sphinx.file-analysis-03#1
+++ /dev/null
@@ -1,11 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro file_analysis_03.bro
- new file, FZedLu4Ajcvge02jA8
- file_hash, FZedLu4Ajcvge02jA8, md5, f0ef7081e1539ac00ef5b761b4fb01b3
- file_state_remove
-
diff --git a/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1 b/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1
deleted file mode 100644
index a3bec06fc1..0000000000
--- a/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1
+++ /dev/null
@@ -1,14 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r http/bro.org.pcap file_extraction.bro
- Extracting file HTTP-FiIpIB2hRQSDBOSJRg.html
- Extracting file HTTP-FMG4bMmVV64eOsCb.txt
- Extracting file HTTP-FnaT2a3UDd093opCB9.txt
- Extracting file HTTP-FfQGqj4Fhh3pH7nVQj.txt
- Extracting file HTTP-FsvATF146kf1Emc21j.txt
- [...]
-
diff --git a/testing/btest/Baseline/doc.sphinx.framework_logging_factorial-2/btest-doc.sphinx.framework_logging_factorial-2#1 b/testing/btest/Baseline/doc.sphinx.framework_logging_factorial-2/btest-doc.sphinx.framework_logging_factorial-2#1
deleted file mode 100644
index 9edd79d146..0000000000
--- a/testing/btest/Baseline/doc.sphinx.framework_logging_factorial-2/btest-doc.sphinx.framework_logging_factorial-2#1
+++ /dev/null
@@ -1,33 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro framework_logging_factorial_02.bro
-
-.. rst-class:: btest-include
-
- .. code-block:: guess
- :linenos:
-
- #separator \x09
- #set_separator ,
- #empty_field (empty)
- #unset_field -
- #path factor
- #open 2013-10-07-23-48-11
- #fields num factorial_num
- #types count count
- 1 1
- 2 2
- 3 6
- 4 24
- 5 120
- 6 720
- 7 5040
- 8 40320
- 9 362880
- 10 3628800
- #close 2013-10-07-23-48-11
-
diff --git a/testing/btest/Baseline/doc.sphinx.framework_logging_factorial-3/btest-doc.sphinx.framework_logging_factorial-3#1 b/testing/btest/Baseline/doc.sphinx.framework_logging_factorial-3/btest-doc.sphinx.framework_logging_factorial-3#1
deleted file mode 100644
index cc0f1c1444..0000000000
--- a/testing/btest/Baseline/doc.sphinx.framework_logging_factorial-3/btest-doc.sphinx.framework_logging_factorial-3#1
+++ /dev/null
@@ -1,29 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro framework_logging_factorial_03.bro
-
-.. rst-class:: btest-include
-
- .. code-block:: guess
- :linenos:
-
- #separator \x09
- #set_separator ,
- #empty_field (empty)
- #unset_field -
- #path factor-mod5
- #open 2013-10-07-23-48-12
- #fields num factorial_num
- #types count count
- 5 120
- 6 720
- 7 5040
- 8 40320
- 9 362880
- 10 3628800
- #close 2013-10-07-23-48-12
-
diff --git a/testing/btest/Baseline/doc.sphinx.framework_logging_factorial/btest-doc.sphinx.framework_logging_factorial#1 b/testing/btest/Baseline/doc.sphinx.framework_logging_factorial/btest-doc.sphinx.framework_logging_factorial#1
deleted file mode 100644
index bd6c14f966..0000000000
--- a/testing/btest/Baseline/doc.sphinx.framework_logging_factorial/btest-doc.sphinx.framework_logging_factorial#1
+++ /dev/null
@@ -1,18 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro framework_logging_factorial_01.bro
- 1
- 2
- 6
- 24
- 120
- 720
- 5040
- 40320
- 362880
- 3628800
-
diff --git a/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1 b/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1
deleted file mode 100644
index 3d3ad09013..0000000000
--- a/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1
+++ /dev/null
@@ -1,24 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r ftp/bruteforce.pcap protocols/ftp/detect-bruteforcing.bro
-
-.. rst-class:: btest-include
-
- .. code-block:: guess
- :linenos:
-
- #separator \x09
- #set_separator ,
- #empty_field (empty)
- #unset_field -
- #path notice
- #open 2017-12-21-02-24-08
- #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
- #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
- 1389721084.522861 - - - - - - - - - FTP::Bruteforcing 192.168.56.1 had 20 failed logins on 1 FTP server in 0m37s - 192.168.56.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - -
- #close 2017-12-21-02-24-08
-
diff --git a/testing/btest/Baseline/doc.sphinx.http_proxy_01/btest-doc.sphinx.http_proxy_01#1 b/testing/btest/Baseline/doc.sphinx.http_proxy_01/btest-doc.sphinx.http_proxy_01#1
deleted file mode 100644
index d14ba4102a..0000000000
--- a/testing/btest/Baseline/doc.sphinx.http_proxy_01/btest-doc.sphinx.http_proxy_01#1
+++ /dev/null
@@ -1,9 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r http/proxy.pcap http_proxy_01.bro
- A local server is acting as an open proxy: 192.168.56.101
-
diff --git a/testing/btest/Baseline/doc.sphinx.http_proxy_02/btest-doc.sphinx.http_proxy_02#1 b/testing/btest/Baseline/doc.sphinx.http_proxy_02/btest-doc.sphinx.http_proxy_02#1
deleted file mode 100644
index 48f5d8719b..0000000000
--- a/testing/btest/Baseline/doc.sphinx.http_proxy_02/btest-doc.sphinx.http_proxy_02#1
+++ /dev/null
@@ -1,9 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r http/proxy.pcap http_proxy_02.bro
- A local server is acting as an open proxy: 192.168.56.101
-
diff --git a/testing/btest/Baseline/doc.sphinx.http_proxy_03/btest-doc.sphinx.http_proxy_03#1 b/testing/btest/Baseline/doc.sphinx.http_proxy_03/btest-doc.sphinx.http_proxy_03#1
deleted file mode 100644
index 09b2137d42..0000000000
--- a/testing/btest/Baseline/doc.sphinx.http_proxy_03/btest-doc.sphinx.http_proxy_03#1
+++ /dev/null
@@ -1,9 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r http/proxy.pcap http_proxy_03.bro
- A local server is acting as an open proxy: 192.168.56.101
-
diff --git a/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1 b/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1
deleted file mode 100644
index 7ec214a1a9..0000000000
--- a/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1
+++ /dev/null
@@ -1,24 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r http/proxy.pcap http_proxy_04.bro
-
-.. rst-class:: btest-include
-
- .. code-block:: guess
- :linenos:
-
- #separator \x09
- #set_separator ,
- #empty_field (empty)
- #unset_field -
- #path notice
- #open 2017-12-21-02-24-33
- #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
- #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
- 1389654450.449603 CHhAvVGS1DHFjwGM9 192.168.56.1 52679 192.168.56.101 80 - - - tcp HTTP::Open_Proxy A local server is acting as an open proxy: 192.168.56.101 - 192.168.56.1 192.168.56.101 80 - - Notice::ACTION_LOG 86400.000000 F - - - - -
- #close 2017-12-21-02-24-33
-
diff --git a/testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output b/testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output
deleted file mode 100644
index 6e15ece5e0..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output
+++ /dev/null
@@ -1,30 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-Bro_DNS.events.bif.bro
-
-## Generated for DNS requests. For requests with multiple queries, this event
-## is raised once for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## query: The queried name.
-##
-## qtype: The queried resource record type.
-##
-## qclass: The queried resource record class.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count );
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output
deleted file mode 100644
index d2916a4c4f..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output
+++ /dev/null
@@ -1,16 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-connecting-connector.bro
-
-redef exit_only_after_terminate = T;
-
-event bro_init()
- {
- Broker::peer("127.0.0.1");
- }
-
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
- {
- print "peer added", endpoint;
- terminate();
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output
deleted file mode 100644
index b15bac75c0..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output
+++ /dev/null
@@ -1,21 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-connecting-listener.bro
-
-redef exit_only_after_terminate = T;
-
-event bro_init()
- {
- Broker::listen("127.0.0.1");
- }
-
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
- {
- print "peer added", endpoint;
- }
-
-event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
- {
- print "peer lost", endpoint;
- terminate();
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
deleted file mode 100644
index 96616dbd3c..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
+++ /dev/null
@@ -1,39 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-events-connector.bro
-
-redef exit_only_after_terminate = T;
-global my_event: event(msg: string, c: count);
-global my_auto_event: event(msg: string, c: count);
-
-event bro_init()
- {
- Broker::peer("127.0.0.1");
- Broker::auto_publish("bro/event/my_auto_event", my_auto_event);
- }
-
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
- {
- print "peer added", endpoint;
- Broker::publish("bro/event/my_event", my_event, "hi", 0);
- event my_auto_event("stuff", 88);
- Broker::publish("bro/event/my_event", my_event, "...", 1);
- event my_auto_event("more stuff", 51);
- local e = Broker::make_event(my_event, "bye", 2);
- Broker::publish("bro/event/my_event", e);
- }
-
-event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
- {
- terminate();
- }
-
-event my_event(msg: string, c: count)
- {
- print "got my_event", msg, c;
- }
-
-event my_auto_event(msg: string, c: count)
- {
- print "got my_auto_event", msg, c;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output
deleted file mode 100644
index 928ba60311..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output
+++ /dev/null
@@ -1,37 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-events-listener.bro
-
-redef exit_only_after_terminate = T;
-global msg_count = 0;
-global my_event: event(msg: string, c: count);
-global my_auto_event: event(msg: string, c: count);
-
-event bro_init()
- {
- Broker::subscribe("bro/event/");
- Broker::listen("127.0.0.1");
- }
-
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
- {
- print "peer added", endpoint;
- }
-
-event my_event(msg: string, c: count)
- {
- ++msg_count;
- print "got my_event", msg, c;
-
- if ( msg_count == 5 )
- terminate();
- }
-
-event my_auto_event(msg: string, c: count)
- {
- ++msg_count;
- print "got my_auto_event", msg, c;
-
- if ( msg_count == 5 )
- terminate();
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output
deleted file mode 100644
index 84d0a60391..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output
+++ /dev/null
@@ -1,40 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-logs-connector.bro
-
-@load ./testlog
-
-redef exit_only_after_terminate = T;
-global n = 0;
-
-event bro_init()
- {
- Broker::peer("127.0.0.1");
- }
-
-event do_write()
- {
- if ( n == 6 )
- return;
-
- Log::write(Test::LOG, [$msg = "ping", $num = n]);
- ++n;
- event do_write();
- }
-
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
- {
- print "peer added", endpoint;
- event do_write();
- }
-
-event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
- {
- terminate();
- }
-
-event Test::log_test(rec: Test::Info)
- {
- print "wrote log", rec;
- Broker::publish("bro/logs/forward/test", Test::log_test, rec);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output
deleted file mode 100644
index 359a88b476..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output
+++ /dev/null
@@ -1,26 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-logs-listener.bro
-
-@load ./testlog
-
-redef exit_only_after_terminate = T;
-
-event bro_init()
- {
- Broker::subscribe("bro/logs");
- Broker::listen("127.0.0.1");
- }
-
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
- {
- print "peer added", endpoint;
- }
-
-event Test::log_test(rec: Test::Info)
- {
- print "got log event", rec;
-
- if ( rec$num == 5 )
- terminate();
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output
deleted file mode 100644
index 8ef4dca1f5..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output
+++ /dev/null
@@ -1,33 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-stores-connector.bro
-
-redef exit_only_after_terminate = T;
-
-global h: opaque of Broker::Store;
-
-global ready: event();
-
-event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
- {
- terminate();
- }
-
-event bro_init()
- {
- h = Broker::create_master("mystore");
-
- local myset: set[string] = {"a", "b", "c"};
- local myvec: vector of string = {"alpha", "beta", "gamma"};
- Broker::put(h, "one", 110);
- Broker::put(h, "two", 223);
- Broker::put(h, "myset", myset);
- Broker::put(h, "myvec", myvec);
- Broker::increment(h, "one");
- Broker::decrement(h, "two");
- Broker::insert_into_set(h, "myset", "d");
- Broker::remove_from(h, "myset", "b");
- Broker::push(h, "myvec", "delta");
-
- Broker::peer("127.0.0.1");
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output
deleted file mode 100644
index 571ede2687..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output
+++ /dev/null
@@ -1,83 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-stores-listener.bro
-
-redef exit_only_after_terminate = T;
-
-global h: opaque of Broker::Store;
-global expected_key_count = 4;
-global key_count = 0;
-
-# Lookup a value in the store based on an arbitrary key string.
-function do_lookup(key: string)
- {
- when ( local res = Broker::get(h, key) )
- {
- ++key_count;
- print "lookup", key, res;
-
- # End after we iterated over looking up each key in the store twice.
- if ( key_count == expected_key_count * 2 )
- terminate();
- }
- # All data store queries must specify a timeout
- timeout 3sec
- { print "timeout", key; }
- }
-
-event check_keys()
- {
- # Here we just query for the list of keys in the store, and show how to
- # look up each one's value.
- when ( local res = Broker::keys(h) )
- {
- print "clone keys", res;
-
- if ( res?$result )
- {
- # Since we know that the keys we are storing are all strings,
- # we can conveniently cast the result of Broker::keys to
- # a native Bro type, namely 'set[string]'.
- for ( k in res$result as string_set )
- do_lookup(k);
-
- # Alternatively, we can use a generic iterator to iterate
- # over the results (which we know is of the 'set' type because
- # that's what Broker::keys() always returns). If the keys
- # we stored were not all of the same type, then you would
- # likely want to use this method of inspecting the store's keys.
- local i = Broker::set_iterator(res$result);
-
- while ( ! Broker::set_iterator_last(i) )
- {
- do_lookup(Broker::set_iterator_value(i) as string);
- Broker::set_iterator_next(i);
- }
- }
- }
- # All data store queries must specify a timeout.
- # You also might see timeouts on connecting/initializing a clone since
- # it hasn't had time to get fully set up yet.
- timeout 1sec
- {
- print "timeout";
- schedule 1sec { check_keys() };
- }
- }
-
-event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
- {
- print "peer added";
- # We could create a clone early, like in bro_init and it will periodically
- # try to synchronize with its master once it connects, however, we just
- # create it now since we know the peer w/ the master store has just
- # connected.
- h = Broker::create_clone("mystore");
-
- event check_keys();
- }
-
-event bro_init()
- {
- Broker::listen("127.0.0.1");
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output
deleted file mode 100644
index 8d779a1b92..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output
+++ /dev/null
@@ -1,21 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-testlog.bro
-
-module Test;
-
-export {
- redef enum Log::ID += { LOG };
-
- type Info: record {
- msg: string &log;
- num: count &log;
- };
-
- global log_test: event(rec: Test::Info);
-}
-
-event bro_init() &priority=5
- {
- Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_01_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_01_bro/output
deleted file mode 100644
index 045fa5ff9f..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_01_bro/output
+++ /dev/null
@@ -1,24 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-file_analysis_01.bro
-
-event connection_state_remove(c: connection)
- {
- print "connection_state_remove";
- print c$uid;
- print c$id;
- for ( s in c$service )
- print s;
- }
-
-event file_state_remove(f: fa_file)
- {
- print "file_state_remove";
- print f$id;
- for ( cid in f$conns )
- {
- print f$conns[cid]$uid;
- print cid;
- }
- print f$source;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output
deleted file mode 100644
index 7c0b7eb8f0..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_02_bro/output
+++ /dev/null
@@ -1,16 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-file_analysis_02.bro
-
-event file_sniff(f: fa_file, meta: fa_metadata)
- {
- if ( ! meta?$mime_type ) return;
- print "new file", f$id;
- if ( meta$mime_type == "text/plain" )
- Files::add_analyzer(f, Files::ANALYZER_MD5);
- }
-
-event file_hash(f: fa_file, kind: string, hash: string)
- {
- print "file_hash", f$id, kind, hash;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_03_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_03_bro/output
deleted file mode 100644
index 4084169945..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_file_analysis_03_bro/output
+++ /dev/null
@@ -1,29 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-file_analysis_03.bro
-
-redef exit_only_after_terminate = T;
-
-event file_new(f: fa_file)
- {
- print "new file", f$id;
- Files::add_analyzer(f, Files::ANALYZER_MD5);
- }
-
-event file_state_remove(f: fa_file)
- {
- print "file_state_remove";
- Input::remove(f$source);
- terminate();
- }
-
-event file_hash(f: fa_file, kind: string, hash: string)
- {
- print "file_hash", f$id, kind, hash;
- }
-
-event bro_init()
- {
- local source: string = "./myfile";
- Input::add_analysis([$source=source, $name=source]);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-1-drop-with-debug_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-1-drop-with-debug_bro/output
deleted file mode 100644
index b451d5aa4f..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-1-drop-with-debug_bro/output
+++ /dev/null
@@ -1,14 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-1-drop-with-debug.bro
-
-event NetControl::init()
- {
- local debug_plugin = NetControl::create_debug(T);
- NetControl::activate(debug_plugin, 0);
- }
-
-event connection_established(c: connection)
- {
- NetControl::drop_connection(c$id, 20 secs);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-10-use-skeleton_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-10-use-skeleton_bro/output
deleted file mode 100644
index 331afbc80d..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-10-use-skeleton_bro/output
+++ /dev/null
@@ -1,14 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-10-use-skeleton.bro
-
-event NetControl::init()
- {
- local skeleton_plugin = NetControl::create_skeleton("");
- NetControl::activate(skeleton_plugin, 0);
- }
-
-event connection_established(c: connection)
- {
- NetControl::drop_connection(c$id, 20 secs);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-2-ssh-guesser_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-2-ssh-guesser_bro/output
deleted file mode 100644
index 87c8cdda7a..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-2-ssh-guesser_bro/output
+++ /dev/null
@@ -1,20 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-2-ssh-guesser.bro
-
-
-@load protocols/ssh/detect-bruteforcing
-
-redef SSH::password_guesses_limit=10;
-
-event NetControl::init()
- {
- local debug_plugin = NetControl::create_debug(T);
- NetControl::activate(debug_plugin, 0);
- }
-
-hook Notice::policy(n: Notice::Info)
- {
- if ( n$note == SSH::Password_Guessing )
- NetControl::drop_address(n$src, 60min);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-3-ssh-guesser_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-3-ssh-guesser_bro/output
deleted file mode 100644
index 228856f00a..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-3-ssh-guesser_bro/output
+++ /dev/null
@@ -1,20 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-3-ssh-guesser.bro
-
-
-@load protocols/ssh/detect-bruteforcing
-
-redef SSH::password_guesses_limit=10;
-
-event NetControl::init()
- {
- local debug_plugin = NetControl::create_debug(T);
- NetControl::activate(debug_plugin, 0);
- }
-
-hook Notice::policy(n: Notice::Info)
- {
- if ( n$note == SSH::Password_Guessing )
- add n$actions[Notice::ACTION_DROP];
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-4-drop_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-4-drop_bro/output
deleted file mode 100644
index e7b15fd91b..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-4-drop_bro/output
+++ /dev/null
@@ -1,30 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-4-drop.bro
-
-function our_drop_connection(c: conn_id, t: interval)
- {
- # As a first step, create the NetControl::Entity that we want to block
- local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c);
- # Then, use the entity to create the rule to drop the entity in the forward path
- local r = NetControl::Rule($ty=NetControl::DROP,
- $target=NetControl::FORWARD, $entity=e, $expire=t);
-
- # Add the rule
- local id = NetControl::add_rule(r);
-
- if ( id == "" )
- print "Error while dropping";
- }
-
-event NetControl::init()
- {
- local debug_plugin = NetControl::create_debug(T);
- NetControl::activate(debug_plugin, 0);
- }
-
-event connection_established(c: connection)
- {
- our_drop_connection(c$id, 20 secs);
- }
-
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-5-hook_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-5-hook_bro/output
deleted file mode 100644
index d27e3f9a6a..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-5-hook_bro/output
+++ /dev/null
@@ -1,26 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-5-hook.bro
-
-hook NetControl::rule_policy(r: NetControl::Rule)
- {
- if ( r$ty == NetControl::DROP &&
- r$entity$ty == NetControl::CONNECTION &&
- r$entity$conn$orig_h in 192.168.0.0/16 )
- {
- print "Ignored connection from", r$entity$conn$orig_h;
- break;
- }
- }
-
-event NetControl::init()
- {
- local debug_plugin = NetControl::create_debug(T);
- NetControl::activate(debug_plugin, 0);
- }
-
-event connection_established(c: connection)
- {
- NetControl::drop_connection(c$id, 20 secs);
- }
-
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-6-find_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-6-find_bro/output
deleted file mode 100644
index bcc5199590..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-6-find_bro/output
+++ /dev/null
@@ -1,21 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-6-find.bro
-
-event NetControl::init()
- {
- local netcontrol_debug = NetControl::create_debug(T);
- NetControl::activate(netcontrol_debug, 0);
- }
-
-event connection_established(c: connection)
- {
- if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 )
- {
- print "Rule already exists";
- return;
- }
-
- NetControl::drop_connection(c$id, 20 secs);
- print "Rule added";
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-7-catch-release_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-7-catch-release_bro/output
deleted file mode 100644
index aa10d8cc01..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-7-catch-release_bro/output
+++ /dev/null
@@ -1,14 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-7-catch-release.bro
-
-event NetControl::init()
- {
- local debug_plugin = NetControl::create_debug(T);
- NetControl::activate(debug_plugin, 0);
- }
-
-event connection_established(c: connection)
- {
- NetControl::drop_address_catch_release(c$id$orig_h);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-8-multiple_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-8-multiple_bro/output
deleted file mode 100644
index f9bac69f44..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-8-multiple_bro/output
+++ /dev/null
@@ -1,33 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-8-multiple.bro
-
-function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool
- {
- if ( r$ty == NetControl::DROP &&
- r$entity$ty == NetControl::ADDRESS &&
- subnet_width(r$entity$ip) == 32 &&
- subnet_to_addr(r$entity$ip) in 192.168.17.0/24 )
- return F;
-
- return T;
- }
-
-event NetControl::init()
- {
- # Add debug plugin with low priority
- local debug_plugin = NetControl::create_debug(T);
- NetControl::activate(debug_plugin, 0);
-
- # Instantiate OpenFlow debug plugin with higher priority
- local of_controller = OpenFlow::log_new(42);
- local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]);
- NetControl::activate(netcontrol_of, 10);
- }
-
-event NetControl::init_done()
- {
- NetControl::drop_address(10.0.0.1, 1min);
- NetControl::drop_address(192.168.17.2, 1min);
- NetControl::drop_address(192.168.18.2, 1min);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-9-skeleton_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-9-skeleton_bro/output
deleted file mode 100644
index 0fed26184f..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_netcontrol-9-skeleton_bro/output
+++ /dev/null
@@ -1,43 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-9-skeleton.bro
-
-module NetControl;
-
-export {
- ## Instantiates the plugin.
- global create_skeleton: function(argument: string) : PluginState;
-}
-
-function skeleton_name(p: PluginState) : string
- {
- return "NetControl skeleton plugin";
- }
-
-function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool
- {
- print "add", r;
- event NetControl::rule_added(r, p);
- return T;
- }
-
-function skeleton_remove_rule_fun(p: PluginState, r: Rule, reason: string &default="") : bool
- {
- print "remove", r;
- event NetControl::rule_removed(r, p);
- return T;
- }
-
-global skeleton_plugin = Plugin(
- $name = skeleton_name,
- $can_expire = F,
- $add_rule = skeleton_add_rule_fun,
- $remove_rule = skeleton_remove_rule_fun
- );
-
-function create_skeleton(argument: string) : PluginState
- {
- local p = PluginState($plugin=skeleton_plugin);
-
- return p;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_notice_ssh_guesser_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_notice_ssh_guesser_bro/output
deleted file mode 100644
index 11b77dd1ba..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_notice_ssh_guesser_bro/output
+++ /dev/null
@@ -1,14 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-notice_ssh_guesser.bro
-
-
-@load protocols/ssh/detect-bruteforcing
-
-redef SSH::password_guesses_limit=10;
-
-hook Notice::policy(n: Notice::Info)
- {
- if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub )
- add n$actions[Notice::ACTION_EMAIL];
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sqlite-conn-filter_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sqlite-conn-filter_bro/output
deleted file mode 100644
index dc42f0bce1..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sqlite-conn-filter_bro/output
+++ /dev/null
@@ -1,16 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-sqlite-conn-filter.bro
-
-event bro_init()
- {
- local filter: Log::Filter =
- [
- $name="sqlite",
- $path="/var/db/conn",
- $config=table(["tablename"] = "conn"),
- $writer=Log::WRITER_SQLITE
- ];
-
- Log::add_filter(Conn::LOG, filter);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sqlite-read-events_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sqlite-read-events_bro/output
deleted file mode 100644
index 6703c4ca7e..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sqlite-read-events_bro/output
+++ /dev/null
@@ -1,44 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-sqlite-read-events.bro
-
-@load frameworks/files/hash-all-files
-
-type Val: record {
- hash: string;
- description: string;
-};
-
-event line(description: Input::EventDescription, tpe: Input::Event, r: Val)
- {
- print fmt("malware-hit with hash %s, description %s", r$hash, r$description);
- }
-
-global malware_source = "/var/db/malware";
-
-event file_hash(f: fa_file, kind: string, hash: string)
- {
-
- # check all sha1 hashes
- if ( kind=="sha1" )
- {
- Input::add_event(
- [
- $source=malware_source,
- $name=hash,
- $fields=Val,
- $ev=line,
- $want_record=T,
- $config=table(
- ["query"] = fmt("select * from malware_hashes where hash='%s';", hash)
- ),
- $reader=Input::READER_SQLITE
- ]);
- }
- }
-
-event Input::end_of_data(name: string, source:string)
- {
- if ( source == malware_source )
- Input::remove(name);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sqlite-read-table_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sqlite-read-table_bro/output
deleted file mode 100644
index dea06055ea..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sqlite-read-table_bro/output
+++ /dev/null
@@ -1,39 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-sqlite-read-table.bro
-
-type Idx: record {
- host: addr;
-};
-
-type Val: record {
- users: set[string];
-};
-
-global hostslist: table[addr] of Val = table();
-
-event bro_init()
- {
- Input::add_table([$source="/var/db/hosts",
- $name="hosts",
- $idx=Idx,
- $val=Val,
- $destination=hostslist,
- $reader=Input::READER_SQLITE,
- $config=table(["query"] = "select * from machines_to_users;")
- ]);
-
- Input::remove("hosts");
- }
-
-event Input::end_of_data(name: string, source: string)
- {
- if ( name != "hosts" )
- return;
-
- # now all data is in the table
- print "Hosts list has been successfully imported";
-
- # List the users of one host.
- print hostslist[192.168.17.1]$users;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sumstats-countconns_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sumstats-countconns_bro/output
deleted file mode 100644
index 0ec0c9ce70..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sumstats-countconns_bro/output
+++ /dev/null
@@ -1,40 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-sumstats-countconns.bro
-
-@load base/frameworks/sumstats
-
-event connection_established(c: connection)
- {
- # Make an observation!
- # This observation is global so the key is empty.
- # Each established connection counts as one so the observation is always 1.
- SumStats::observe("conn established",
- SumStats::Key(),
- SumStats::Observation($num=1));
- }
-
-event bro_init()
- {
- # Create the reducer.
- # The reducer attaches to the "conn established" observation stream
- # and uses the summing calculation on the observations.
- local r1 = SumStats::Reducer($stream="conn established",
- $apply=set(SumStats::SUM));
-
- # Create the final sumstat.
- # We give it an arbitrary name and make it collect data every minute.
- # The reducer is then attached and a $epoch_result callback is given
- # to finally do something with the data collected.
- SumStats::create([$name = "counting connections",
- $epoch = 1min,
- $reducers = set(r1),
- $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
- {
- # This is the body of the callback that is called when a single
- # result has been collected. We are just printing the total number
- # of connections that were seen. The $sum field is provided as a
- # double type value so we need to use %f as the format specifier.
- print fmt("Number of connections established: %.0f", result["conn established"]$sum);
- }]);
- }
\ No newline at end of file
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sumstats-toy-scan_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sumstats-toy-scan_bro/output
deleted file mode 100644
index b1b46b3b39..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_sumstats-toy-scan_bro/output
+++ /dev/null
@@ -1,49 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-sumstats-toy-scan.bro
-
-@load base/frameworks/sumstats
-
-# We use the connection_attempt event to limit our observations to those
-# which were attempted and not successful.
-event connection_attempt(c: connection)
- {
- # Make an observation!
- # This observation is about the host attempting the connection.
- # Each established connection counts as one so the observation is always 1.
- SumStats::observe("conn attempted",
- SumStats::Key($host=c$id$orig_h),
- SumStats::Observation($num=1));
- }
-
-event bro_init()
- {
- # Create the reducer.
- # The reducer attaches to the "conn attempted" observation stream
- # and uses the summing calculation on the observations. Keep
- # in mind that there will be one result per key (connection originator).
- local r1 = SumStats::Reducer($stream="conn attempted",
- $apply=set(SumStats::SUM));
-
- # Create the final sumstat.
- # This is slightly different from the last example since we're providing
- # a callback to calculate a value to check against the threshold with
- # $threshold_val. The actual threshold itself is provided with $threshold.
- # Another callback is provided for when a key crosses the threshold.
- SumStats::create([$name = "finding scanners",
- $epoch = 5min,
- $reducers = set(r1),
- # Provide a threshold.
- $threshold = 5.0,
- # Provide a callback to calculate a value from the result
- # to check against the threshold field.
- $threshold_val(key: SumStats::Key, result: SumStats::Result) =
- {
- return result["conn attempted"]$sum;
- },
- # Provide a callback for when a key crosses the threshold.
- $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
- {
- print fmt("%s attempted %.0f or more connections", key$host, result["conn attempted"]$sum);
- }]);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output
deleted file mode 100644
index 729947ff72..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_file_extraction_bro/output
+++ /dev/null
@@ -1,28 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-file_extraction.bro
-
-
-global mime_to_ext: table[string] of string = {
- ["application/x-dosexec"] = "exe",
- ["text/plain"] = "txt",
- ["image/jpeg"] = "jpg",
- ["image/png"] = "png",
- ["text/html"] = "html",
-};
-
-event file_sniff(f: fa_file, meta: fa_metadata)
- {
- if ( f$source != "HTTP" )
- return;
-
- if ( ! meta?$mime_type )
- return;
-
- if ( meta$mime_type !in mime_to_ext )
- return;
-
- local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
- print fmt("Extracting file %s", fname);
- Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_01_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_01_bro/output
deleted file mode 100644
index 4e10859d98..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_01_bro/output
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-http_proxy_01.bro
-
-event http_reply(c: connection, version: string, code: count, reason: string)
- {
- if ( /^[hH][tT][tT][pP]:/ in c$http$uri && c$http$status_code == 200 )
- print fmt("A local server is acting as an open proxy: %s", c$id$resp_h);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_02_bro/output
deleted file mode 100644
index 01e3822001..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_02_bro/output
+++ /dev/null
@@ -1,30 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-http_proxy_02.bro
-
-
-module HTTP;
-
-export {
-
- global success_status_codes: set[count] = {
- 200,
- 201,
- 202,
- 203,
- 204,
- 205,
- 206,
- 207,
- 208,
- 226,
- 304
- };
-}
-
-event http_reply(c: connection, version: string, code: count, reason: string)
- {
- if ( /^[hH][tT][tT][pP]:/ in c$http$uri &&
- c$http$status_code in HTTP::success_status_codes )
- print fmt("A local server is acting as an open proxy: %s", c$id$resp_h);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_03_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_03_bro/output
deleted file mode 100644
index 5139fa8c49..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_03_bro/output
+++ /dev/null
@@ -1,35 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-http_proxy_03.bro
-
-
-@load base/utils/site
-
-redef Site::local_nets += { 192.168.0.0/16 };
-
-module HTTP;
-
-export {
-
- global success_status_codes: set[count] = {
- 200,
- 201,
- 202,
- 203,
- 204,
- 205,
- 206,
- 207,
- 208,
- 226,
- 304
- };
-}
-
-event http_reply(c: connection, version: string, code: count, reason: string)
- {
- if ( Site::is_local_addr(c$id$resp_h) &&
- /^[hH][tT][tT][pP]:/ in c$http$uri &&
- c$http$status_code in HTTP::success_status_codes )
- print fmt("A local server is acting as an open proxy: %s", c$id$resp_h);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_04_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_04_bro/output
deleted file mode 100644
index a8ca8e19b2..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_httpmonitor_http_proxy_04_bro/output
+++ /dev/null
@@ -1,44 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-http_proxy_04.bro
-
-@load base/utils/site
-@load base/frameworks/notice
-
-redef Site::local_nets += { 192.168.0.0/16 };
-
-module HTTP;
-
-export {
-
- redef enum Notice::Type += {
- Open_Proxy
- };
-
- global success_status_codes: set[count] = {
- 200,
- 201,
- 202,
- 203,
- 204,
- 205,
- 206,
- 207,
- 208,
- 226,
- 304
- };
-}
-
-event http_reply(c: connection, version: string, code: count, reason: string)
- {
- if ( Site::is_local_addr(c$id$resp_h) &&
- /^[hH][tT][tT][pP]:/ in c$http$uri &&
- c$http$status_code in HTTP::success_status_codes )
- NOTICE([$note=HTTP::Open_Proxy,
- $msg=fmt("A local server is acting as an open proxy: %s",
- c$id$resp_h),
- $conn=c,
- $identifier=cat(c$id$resp_h),
- $suppress_for=1day]);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro/output
deleted file mode 100644
index ef537b6c53..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro/output
+++ /dev/null
@@ -1,39 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-mimestats.bro
-
-module MimeMetrics;
-
-export {
-
- redef enum Log::ID += { LOG };
-
- type Info: record {
- ## Timestamp when the log line was finished and written.
- ts: time &log;
- ## Time interval that the log line covers.
- ts_delta: interval &log;
- ## The mime type
- mtype: string &log;
- ## The number of unique local hosts that fetched this mime type
- uniq_hosts: count &log;
- ## The number of hits to the mime type
- hits: count &log;
- ## The total number of bytes received by this mime type
- bytes: count &log;
- };
-
- ## The frequency of logging the stats collected by this script.
- const break_interval = 5mins &redef;
-}
-event HTTP::log_http(rec: HTTP::Info)
- {
- if ( Site::is_local_addr(rec$id$orig_h) && rec?$resp_mime_types )
- {
- local mime_type = rec$resp_mime_types[0];
- SumStats::observe("mime.bytes", [$str=mime_type],
- [$num=rec$response_body_len]);
- SumStats::observe("mime.hits", [$str=mime_type],
- [$str=cat(rec$id$orig_h)]);
- }
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro@2/output b/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro@2/output
deleted file mode 100644
index 027eade4dc..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro@2/output
+++ /dev/null
@@ -1,8 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-mimestats.bro
-
- local r1: SumStats::Reducer = [$stream="mime.bytes",
- $apply=set(SumStats::SUM)];
- local r2: SumStats::Reducer = [$stream="mime.hits",
- $apply=set(SumStats::UNIQUE)];
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro@3/output b/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro@3/output
deleted file mode 100644
index e410c6ebb9..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro@3/output
+++ /dev/null
@@ -1,18 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-mimestats.bro
-
- SumStats::create([$name="mime-metrics",
- $epoch=break_interval,
- $reducers=set(r1, r2),
- $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
- {
- local l: Info;
- l$ts = network_time();
- l$ts_delta = break_interval;
- l$mtype = key$str;
- l$bytes = double_to_count(floor(result["mime.bytes"]$sum));
- l$hits = result["mime.hits"]$num;
- l$uniq_hosts = result["mime.hits"]$unique;
- Log::write(MimeMetrics::LOG, l);
- }]);
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro@4/output
deleted file mode 100644
index 10c7b6bb34..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_mimestats_mimestats_bro@4/output
+++ /dev/null
@@ -1,68 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-mimestats.bro
-
-@load base/utils/site
-@load base/frameworks/sumstats
-
-redef Site::local_nets += { 10.0.0.0/8 };
-
-module MimeMetrics;
-
-export {
-
- redef enum Log::ID += { LOG };
-
- type Info: record {
- ## Timestamp when the log line was finished and written.
- ts: time &log;
- ## Time interval that the log line covers.
- ts_delta: interval &log;
- ## The mime type
- mtype: string &log;
- ## The number of unique local hosts that fetched this mime type
- uniq_hosts: count &log;
- ## The number of hits to the mime type
- hits: count &log;
- ## The total number of bytes received by this mime type
- bytes: count &log;
- };
-
- ## The frequency of logging the stats collected by this script.
- const break_interval = 5mins &redef;
-}
-
-event bro_init() &priority=3
- {
- Log::create_stream(MimeMetrics::LOG, [$columns=Info, $path="mime_metrics"]);
- local r1: SumStats::Reducer = [$stream="mime.bytes",
- $apply=set(SumStats::SUM)];
- local r2: SumStats::Reducer = [$stream="mime.hits",
- $apply=set(SumStats::UNIQUE)];
- SumStats::create([$name="mime-metrics",
- $epoch=break_interval,
- $reducers=set(r1, r2),
- $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
- {
- local l: Info;
- l$ts = network_time();
- l$ts_delta = break_interval;
- l$mtype = key$str;
- l$bytes = double_to_count(floor(result["mime.bytes"]$sum));
- l$hits = result["mime.hits"]$num;
- l$uniq_hosts = result["mime.hits"]$unique;
- Log::write(MimeMetrics::LOG, l);
- }]);
- }
-
-event HTTP::log_http(rec: HTTP::Info)
- {
- if ( Site::is_local_addr(rec$id$orig_h) && rec?$resp_mime_types )
- {
- local mime_type = rec$resp_mime_types[0];
- SumStats::observe("mime.bytes", [$str=mime_type],
- [$num=rec$response_body_len]);
- SumStats::observe("mime.hits", [$str=mime_type],
- [$str=cat(rec$id$orig_h)]);
- }
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_quickstart_conditional-notice_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_quickstart_conditional-notice_bro/output
deleted file mode 100644
index 8412154ec4..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_quickstart_conditional-notice_bro/output
+++ /dev/null
@@ -1,28 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-conditional-notice.bro
-
-@load protocols/ssl/expiring-certs
-
-const watched_servers: set[addr] = {
- 87.98.220.10,
-} &redef;
-
-# Site::local_nets usually isn't something you need to modify if
-# BroControl automatically sets it up from networks.cfg. It's
-# shown here for completeness.
-redef Site::local_nets += {
- 87.98.0.0/16,
-};
-
-hook Notice::policy(n: Notice::Info)
- {
- if ( n$note != SSL::Certificate_Expired )
- return;
-
- if ( n$id$resp_h !in watched_servers )
- return;
-
- add n$actions[Notice::ACTION_EMAIL];
- }
-
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_01_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_01_bro/output
deleted file mode 100644
index 34303a12ad..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_01_bro/output
+++ /dev/null
@@ -1,10 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-connection_record_01.bro
-
-@load base/protocols/conn
-
-event connection_state_remove(c: connection)
- {
- print c;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_02_bro/output
deleted file mode 100644
index 12092ee2a0..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_02_bro/output
+++ /dev/null
@@ -1,11 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-connection_record_02.bro
-
-@load base/protocols/conn
-@load base/protocols/http
-
-event connection_state_remove(c: connection)
- {
- print c;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_record_01_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_record_01_bro/output
deleted file mode 100644
index e67783fdeb..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_record_01_bro/output
+++ /dev/null
@@ -1,26 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_record_01.bro
-
-type Service: record {
- name: string;
- ports: set[port];
- rfc: count;
-};
-
-function print_service(serv: Service)
- {
- print fmt("Service: %s(RFC%d)",serv$name, serv$rfc);
-
- for ( p in serv$ports )
- print fmt(" port: %s", p);
- }
-
-event bro_init()
- {
- local dns: Service = [$name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
- local http: Service = [$name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
-
- print_service(dns);
- print_service(http);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_record_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_record_02_bro/output
deleted file mode 100644
index 04da3522f2..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_record_02_bro/output
+++ /dev/null
@@ -1,45 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_record_02.bro
-
-type Service: record {
- name: string;
- ports: set[port];
- rfc: count;
- };
-
-type System: record {
- name: string;
- services: set[Service];
- };
-
-function print_service(serv: Service)
- {
- print fmt(" Service: %s(RFC%d)",serv$name, serv$rfc);
-
- for ( p in serv$ports )
- print fmt(" port: %s", p);
- }
-
-function print_system(sys: System)
- {
- print fmt("System: %s", sys$name);
-
- for ( s in sys$services )
- print_service(s);
- }
-
-event bro_init()
- {
- local server01: System;
- server01$name = "morlock";
- add server01$services[[ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035]];
- add server01$services[[ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616]];
- print_system(server01);
-
-
- # local dns: Service = [ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
- # local http: Service = [ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
- # print_service(dns);
- # print_service(http);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro/output
deleted file mode 100644
index 47aa12030b..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro/output
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_set_declaration.bro
-
-event bro_init()
- {
- local ssl_ports: set[port];
- local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@2/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@2/output
deleted file mode 100644
index 12020f4b67..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@2/output
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_set_declaration.bro
-
- for ( i in ssl_ports )
- print fmt("SSL Port: %s", i);
-
- for ( i in non_ssl_ports )
- print fmt("Non-SSL Port: %s", i);
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@3/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@3/output
deleted file mode 100644
index b7a68af4aa..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@3/output
+++ /dev/null
@@ -1,7 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_set_declaration.bro
-
- # Check for SMTPS
- if ( 587/tcp !in ssl_ports )
- add ssl_ports[587/tcp];
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@4/output
deleted file mode 100644
index 53b193850c..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@4/output
+++ /dev/null
@@ -1,26 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_set_declaration.bro
-
-event bro_init()
- {
- local ssl_ports: set[port];
- local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
-
- # SSH
- add ssl_ports[22/tcp];
- # HTTPS
- add ssl_ports[443/tcp];
- # IMAPS
- add ssl_ports[993/tcp];
-
- # Check for SMTPS
- if ( 587/tcp !in ssl_ports )
- add ssl_ports[587/tcp];
-
- for ( i in ssl_ports )
- print fmt("SSL Port: %s", i);
-
- for ( i in non_ssl_ports )
- print fmt("Non-SSL Port: %s", i);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_table_complex_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_table_complex_bro/output
deleted file mode 100644
index c92d338cec..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_table_complex_bro/output
+++ /dev/null
@@ -1,17 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_table_complex.bro
-
-event bro_init()
- {
- local samurai_flicks: table[string, string, count, string] of string;
-
- samurai_flicks["Kihachi Okamoto", "Toho", 1968, "Tatsuya Nakadai"] = "Kiru";
- samurai_flicks["Hideo Gosha", "Fuji", 1969, "Tatsuya Nakadai"] = "Goyokin";
- samurai_flicks["Masaki Kobayashi", "Shochiku Eiga", 1962, "Tatsuya Nakadai" ] = "Harakiri";
- samurai_flicks["Yoji Yamada", "Eisei Gekijo", 2002, "Hiroyuki Sanada" ] = "Tasogare Seibei";
-
- for ( [d, s, y, a] in samurai_flicks )
- print fmt("%s was released in %d by %s studios, directed by %s and starring %s", samurai_flicks[d, s, y, a], y, s, d, a);
- }
-
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_table_declaration_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_table_declaration_bro/output
deleted file mode 100644
index f6d38e1618..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_table_declaration_bro/output
+++ /dev/null
@@ -1,23 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_table_declaration.bro
-
-event bro_init()
- {
- # Declaration of the table.
- local ssl_services: table[string] of port;
-
- # Initialize the table.
- ssl_services = table(["SSH"] = 22/tcp, ["HTTPS"] = 443/tcp);
-
- # Insert one key-yield pair into the table.
- ssl_services["IMAPS"] = 993/tcp;
-
- # Check if the key "SMTPS" is not in the table.
- if ( "SMTPS" !in ssl_services )
- ssl_services["SMTPS"] = 587/tcp;
-
- # Iterate over each key in the table.
- for ( k in ssl_services )
- print fmt("Service Name: %s - Common Port: %s", k, ssl_services[k]);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output
deleted file mode 100644
index 22790f45fe..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output
+++ /dev/null
@@ -1,19 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_vector_declaration.bro
-
-event bro_init()
- {
- local v1: vector of count;
- local v2 = vector(1, 2, 3, 4);
-
- v1 += 1;
- v1 += 2;
- v1 += 3;
- v1 += 4;
-
- print fmt("contents of v1: %s", v1);
- print fmt("length of v1: %d", |v1|);
- print fmt("contents of v2: %s", v2);
- print fmt("length of v2: %d", |v2|);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_iter_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_iter_bro/output
deleted file mode 100644
index 5f16dcc5af..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_iter_bro/output
+++ /dev/null
@@ -1,11 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_struct_vector_iter.bro
-
-event bro_init()
- {
- local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);
-
- for (i in addr_vector)
- print mask_addr(addr_vector[i], 18);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_const_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_const_bro/output
deleted file mode 100644
index 20a4f8d71e..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_const_bro/output
+++ /dev/null
@@ -1,13 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_const.bro
-
-const port_list: table[port] of string &redef;
-
-redef port_list += { [6666/tcp] = "IRC"};
-redef port_list += { [80/tcp] = "WWW" };
-
-event bro_init()
- {
- print port_list;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_const_simple_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_const_simple_bro/output
deleted file mode 100644
index 29844f2b01..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_const_simple_bro/output
+++ /dev/null
@@ -1,8 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_const_simple.bro
-
-@load base/protocols/http
-
-redef HTTP::default_capture_password = T;
-
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_declaration_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_declaration_bro/output
deleted file mode 100644
index a153f3066c..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_declaration_bro/output
+++ /dev/null
@@ -1,13 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_declaration.bro
-
-event bro_init()
- {
- local a: int;
- a = 10;
- local b = 10;
-
- if ( a == b )
- print fmt("A: %d, B: %d", a, b);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_interval_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_interval_bro/output
deleted file mode 100644
index 25076f3e8e..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_interval_bro/output
+++ /dev/null
@@ -1,22 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_interval.bro
-
-# Store the time the previous connection was established.
-global last_connection_time: time;
-
-# boolean value to indicate whether we have seen a previous connection.
-global connection_seen: bool = F;
-
-event connection_established(c: connection)
- {
- local net_time: time = network_time();
-
- print fmt("%s: New connection established from %s to %s", strftime("%Y/%M/%d %H:%m:%S", net_time), c$id$orig_h, c$id$resp_h);
-
- if ( connection_seen )
- print fmt(" Time since last connection: %s", net_time - last_connection_time);
-
- last_connection_time = net_time;
- connection_seen = T;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_local_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_local_bro/output
deleted file mode 100644
index 0e034dddd2..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_local_bro/output
+++ /dev/null
@@ -1,15 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_local.bro
-
-function add_two(i: count): count
- {
- local added_two = i+2;
- print fmt("i + 2 = %d", added_two);
- return added_two;
- }
-
-event bro_init()
- {
- local test = add_two(10);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_pattern_01_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_pattern_01_bro/output
deleted file mode 100644
index cca008116e..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_pattern_01_bro/output
+++ /dev/null
@@ -1,17 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_pattern_01.bro
-
-event bro_init()
- {
- local test_string = "The quick brown fox jumps over the lazy dog.";
- local test_pattern = /quick|lazy/;
-
- if ( test_pattern in test_string )
- {
- local results = split(test_string, test_pattern);
- print results[1];
- print results[2];
- print results[3];
- }
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_pattern_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_pattern_02_bro/output
deleted file mode 100644
index 4e4d8992df..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_pattern_02_bro/output
+++ /dev/null
@@ -1,14 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_pattern_02.bro
-
-event bro_init()
- {
- local test_string = "equality";
-
- local test_pattern = /equal/;
- print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
-
- test_pattern = /equality/;
- print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_record_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_record_bro/output
deleted file mode 100644
index 6d8760700a..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_record_bro/output
+++ /dev/null
@@ -1,29 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_record.bro
-
-module Conn;
-
-export {
- ## The record type which contains column fields of the connection log.
- type Info: record {
- ts: time &log;
- uid: string &log;
- id: conn_id &log;
- proto: transport_proto &log;
- service: string &log &optional;
- duration: interval &log &optional;
- orig_bytes: count &log &optional;
- resp_bytes: count &log &optional;
- conn_state: string &log &optional;
- local_orig: bool &log &optional;
- local_resp: bool &log &optional;
- missed_bytes: count &log &default=0;
- history: string &log &optional;
- orig_pkts: count &log &optional;
- orig_ip_bytes: count &log &optional;
- resp_pkts: count &log &optional;
- resp_ip_bytes: count &log &optional;
- tunnel_parents: set[string] &log;
- };
-}
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_subnets_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_subnets_bro/output
deleted file mode 100644
index 75600794ec..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_subnets_bro/output
+++ /dev/null
@@ -1,19 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_subnets.bro
-
-event bro_init()
- {
- local subnets = vector(172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20);
- local addresses = vector(172.16.4.56, 172.16.47.254, 172.16.22.45, 172.16.1.1);
-
- for ( a in addresses )
- {
- for ( s in subnets )
- {
- if ( addresses[a] in subnets[s] )
- print fmt("%s belongs to subnet %s", addresses[a], subnets[s]);
- }
- }
-
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_time_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_time_bro/output
deleted file mode 100644
index 00a3e20813..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_time_bro/output
+++ /dev/null
@@ -1,8 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-data_type_time.bro
-
-event connection_established(c: connection)
- {
- print fmt("%s: New connection established from %s to %s\n", strftime("%Y/%M/%d %H:%m:%S", network_time()), c$id$orig_h, c$id$resp_h);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_01_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_01_bro/output
deleted file mode 100644
index e542572647..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_01_bro/output
+++ /dev/null
@@ -1,23 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-framework_logging_factorial_01.bro
-
-module Factor;
-
-function factorial(n: count): count
- {
- if ( n == 0 )
- return 1;
- else
- return ( n * factorial(n - 1) );
- }
-
-event bro_init()
- {
- local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
-
- for ( n in numbers )
- print fmt("%d", factorial(numbers[n]));
- }
-
-
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_02_bro/output
deleted file mode 100644
index 19932699b6..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_02_bro/output
+++ /dev/null
@@ -1,39 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-framework_logging_factorial_02.bro
-
-module Factor;
-
-export {
- # Append the value LOG to the Log::ID enumerable.
- redef enum Log::ID += { LOG };
-
- # Define a new type called Factor::Info.
- type Info: record {
- num: count &log;
- factorial_num: count &log;
- };
- }
-
-function factorial(n: count): count
- {
- if ( n == 0 )
- return 1;
-
- else
- return ( n * factorial(n - 1) );
- }
-
-event bro_init()
- {
- # Create the logging stream.
- Log::create_stream(LOG, [$columns=Info, $path="factor"]);
- }
-
-event bro_done()
- {
- local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
- for ( n in numbers )
- Log::write( Factor::LOG, [$num=numbers[n],
- $factorial_num=factorial(numbers[n])]);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output
deleted file mode 100644
index 01ed659c75..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output
+++ /dev/null
@@ -1,49 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-framework_logging_factorial_03.bro
-
-module Factor;
-
-export {
- redef enum Log::ID += { LOG };
-
- type Info: record {
- num: count &log;
- factorial_num: count &log;
- };
- }
-
-function factorial(n: count): count
- {
- if ( n == 0 )
- return 1;
-
- else
- return (n * factorial(n - 1));
- }
-
-event bro_done()
- {
- local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
- for ( n in numbers )
- Log::write( Factor::LOG, [$num=numbers[n],
- $factorial_num=factorial(numbers[n])]);
- }
-
-function mod5(id: Log::ID, path: string, rec: Factor::Info) : string
- {
- if ( rec$factorial_num % 5 == 0 )
- return "factor-mod5";
-
- else
- return "factor-non5";
- }
-
-event bro_init()
- {
- Log::create_stream(LOG, [$columns=Info, $path="factor"]);
-
- local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
- Log::add_filter(Factor::LOG, filter);
- Log::remove_filter(Factor::LOG, "default");
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_04_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_04_bro/output
deleted file mode 100644
index c0f8d8ddac..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_04_bro/output
+++ /dev/null
@@ -1,54 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-framework_logging_factorial_04.bro
-
-module Factor;
-
-export {
- redef enum Log::ID += { LOG };
-
- type Info: record {
- num: count &log;
- factorial_num: count &log;
- };
-
- global log_factor: event(rec: Info);
- }
-
-function factorial(n: count): count
- {
- if ( n == 0 )
- return 1;
-
- else
- return (n * factorial(n - 1));
- }
-
-event bro_init()
- {
- Log::create_stream(LOG, [$columns=Info, $ev=log_factor, $path="factor"]);
- }
-
-event bro_done()
- {
- local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
- for ( n in numbers )
- Log::write( Factor::LOG, [$num=numbers[n],
- $factorial_num=factorial(numbers[n])]);
- }
-
-function mod5(id: Log::ID, path: string, rec: Factor::Info) : string
- {
- if ( rec$factorial_num % 5 == 0 )
- return "factor-mod5";
-
- else
- return "factor-non5";
- }
-
-event bro_init()
- {
- local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
- Log::add_filter(Factor::LOG, filter);
- Log::remove_filter(Factor::LOG, "default");
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_hook_01_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_hook_01_bro/output
deleted file mode 100644
index 96a3b5a921..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_hook_01_bro/output
+++ /dev/null
@@ -1,11 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-framework_notice_hook_01.bro
-
-@load policy/protocols/ssh/interesting-hostnames.bro
-
-hook Notice::policy(n: Notice::Info)
- {
- if ( n$note == SSH::Interesting_Hostname_Login )
- add n$actions[Notice::ACTION_EMAIL];
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_hook_suppression_01_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_hook_suppression_01_bro/output
deleted file mode 100644
index b51bd2eebe..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_hook_suppression_01_bro/output
+++ /dev/null
@@ -1,11 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-framework_notice_hook_suppression_01.bro
-
-@load policy/protocols/ssl/expiring-certs.bro
-
-hook Notice::policy(n: Notice::Info)
- {
- if ( n$note == SSL::Certificate_Expires_Soon )
- n$suppress_for = 12hrs;
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_shortcuts_01_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_shortcuts_01_bro/output
deleted file mode 100644
index 7a0eaf5cb4..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_shortcuts_01_bro/output
+++ /dev/null
@@ -1,11 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-framework_notice_shortcuts_01.bro
-
-@load policy/protocols/ssh/interesting-hostnames.bro
-@load base/protocols/ssh/
-
-redef Notice::emailed_types += {
- SSH::Interesting_Hostname_Login
-};
-
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_shortcuts_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_shortcuts_02_bro/output
deleted file mode 100644
index 0e92c5ea32..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_shortcuts_02_bro/output
+++ /dev/null
@@ -1,10 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-framework_notice_shortcuts_02.bro
-
-@load policy/protocols/ssh/interesting-hostnames.bro
-@load base/protocols/ssh/
-
-redef Notice::type_suppression_intervals += {
- [SSH::Interesting_Hostname_Login] = 1day,
-};
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_http_main_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_http_main_bro/output
deleted file mode 100644
index 9f49450799..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_http_main_bro/output
+++ /dev/null
@@ -1,11 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-http_main.bro
-
-module HTTP;
-
-export {
- ## This setting changes if passwords used in Basic-Auth are captured or
- ## not.
- const default_capture_password = F &redef;
-}
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_event_bif_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_event_bif_bro/output
deleted file mode 100644
index c77e08c5a1..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_event_bif_bro/output
+++ /dev/null
@@ -1,21 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-event.bif.bro
-
-## Generated for every new connection. This event is raised with the first
-## packet of a previously unknown connection. Bro uses a flow-based definition
-## of "connection" here that includes not only TCP sessions but also UDP and
-## ICMP flows.
-global new_connection: event(c: connection );
-## Generated when a TCP connection timed out. This event is raised when
-## no activity was seen for an interval of at least
-## :bro:id:`tcp_connection_linger`, and either one endpoint has already
-## closed the connection or one side never became active.
-global connection_timeout: event(c: connection );
-## Generated when a connection's internal state is about to be removed from
-## memory. Bro generates this event reliably once for every connection when it
-## is about to delete the internal state. As such, the event is well-suited for
-## script-level cleanup that needs to be performed for every connection. This
-## event is generated not only for TCP sessions but also for UDP and ICMP
-## flows.
-global connection_state_remove: event(c: connection );
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output
deleted file mode 100644
index 6e15ece5e0..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output
+++ /dev/null
@@ -1,30 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-Bro_DNS.events.bif.bro
-
-## Generated for DNS requests. For requests with multiple queries, this event
-## is raised once for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## query: The queried name.
-##
-## qtype: The queried resource record type.
-##
-## qclass: The queried resource record class.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count );
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_base_init-bare_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_base_init-bare_bro/output
deleted file mode 100644
index 0057a78cc4..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_base_init-bare_bro/output
+++ /dev/null
@@ -1,7 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-init-bare.bro
-
-type string_array: table[count] of string;
-type string_set: set[string];
-type addr_set: set[addr];
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output
deleted file mode 100644
index 1ecfcf027a..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output
+++ /dev/null
@@ -1,76 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-MHR.bro
-
-##! Detect file downloads that have hash values matching files in Team
-##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
-
-@load base/frameworks/files
-@load base/frameworks/notice
-@load frameworks/files/hash-all-files
-
-module TeamCymruMalwareHashRegistry;
-
-export {
- redef enum Notice::Type += {
- ## The hash value of a file transferred over HTTP matched in the
- ## malware hash registry.
- Match
- };
-
- ## File types to attempt matching against the Malware Hash Registry.
- option match_file_types = /application\/x-dosexec/ |
- /application\/vnd.ms-cab-compressed/ |
- /application\/pdf/ |
- /application\/x-shockwave-flash/ |
- /application\/x-java-applet/ |
- /application\/jar/ |
- /video\/mp4/;
-
- ## The Match notice has a sub message with a URL where you can get more
- ## information about the file. The %s will be replaced with the SHA-1
- ## hash of the file.
- option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
-
- ## The malware hash registry runs each malware sample through several
- ## A/V engines. Team Cymru returns a percentage to indicate how
- ## many A/V engines flagged the sample as malicious. This threshold
- ## allows you to require a minimum detection rate.
- option notice_threshold = 10;
-}
-
-function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
- {
- local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
-
- when ( local MHR_result = lookup_hostname_txt(hash_domain) )
- {
- # Data is returned as " "
- local MHR_answer = split_string1(MHR_result, / /);
-
- if ( |MHR_answer| == 2 )
- {
- local mhr_detect_rate = to_count(MHR_answer[1]);
-
- if ( mhr_detect_rate >= notice_threshold )
- {
- local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
- local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
- local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt(match_sub_url, hash);
- # We don't have the full fa_file record here in order to
- # avoid the "when" statement cloning it (expensive!).
- local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
- Notice::populate_file_info2(fi, n);
- NOTICE(n);
- }
- }
- }
- }
-
-event file_hash(f: fa_file, kind: string, hash: string)
- {
- if ( kind == "sha1" && f?$info && f$info?$mime_type &&
- match_file_types in f$info$mime_type )
- do_mhr_lookup(hash, Notice::create_file_info(f));
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2/output
deleted file mode 100644
index 4ce4383efb..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2/output
+++ /dev/null
@@ -1,7 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-MHR.bro
-
-@load base/frameworks/files
-@load base/frameworks/notice
-@load frameworks/files/hash-all-files
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output
deleted file mode 100644
index 3b1cd60810..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output
+++ /dev/null
@@ -1,31 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-MHR.bro
-
-export {
- redef enum Notice::Type += {
- ## The hash value of a file transferred over HTTP matched in the
- ## malware hash registry.
- Match
- };
-
- ## File types to attempt matching against the Malware Hash Registry.
- option match_file_types = /application\/x-dosexec/ |
- /application\/vnd.ms-cab-compressed/ |
- /application\/pdf/ |
- /application\/x-shockwave-flash/ |
- /application\/x-java-applet/ |
- /application\/jar/ |
- /video\/mp4/;
-
- ## The Match notice has a sub message with a URL where you can get more
- ## information about the file. The %s will be replaced with the SHA-1
- ## hash of the file.
- option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
-
- ## The malware hash registry runs each malware sample through several
- ## A/V engines. Team Cymru returns a percentage to indicate how
- ## many A/V engines flagged the sample as malicious. This threshold
- ## allows you to require a minimum detection rate.
- option notice_threshold = 10;
-}
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
deleted file mode 100644
index 55950caf6b..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
+++ /dev/null
@@ -1,38 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-MHR.bro
-
-function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
- {
- local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
-
- when ( local MHR_result = lookup_hostname_txt(hash_domain) )
- {
- # Data is returned as " "
- local MHR_answer = split_string1(MHR_result, / /);
-
- if ( |MHR_answer| == 2 )
- {
- local mhr_detect_rate = to_count(MHR_answer[1]);
-
- if ( mhr_detect_rate >= notice_threshold )
- {
- local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
- local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
- local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt(match_sub_url, hash);
- # We don't have the full fa_file record here in order to
- # avoid the "when" statement cloning it (expensive!).
- local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
- Notice::populate_file_info2(fi, n);
- NOTICE(n);
- }
- }
- }
- }
-
-event file_hash(f: fa_file, kind: string, hash: string)
- {
- if ( kind == "sha1" && f?$info && f$info?$mime_type &&
- match_file_types in f$info$mime_type )
- do_mhr_lookup(hash, Notice::create_file_info(f));
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro/output
deleted file mode 100644
index 59d57223d9..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro/output
+++ /dev/null
@@ -1,21 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-bruteforcing.bro
-
-module FTP;
-
-export {
- redef enum Notice::Type += {
- ## Indicates a host bruteforcing FTP logins by watching for too
- ## many rejected usernames or failed passwords.
- Bruteforcing
- };
-
- ## How many rejected usernames or passwords are required before being
- ## considered to be bruteforcing.
- const bruteforce_threshold: double = 20 &redef;
-
- ## The time period in which the threshold needs to be crossed before
- ## being reset.
- const bruteforce_measurement_interval = 15mins &redef;
-}
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@2/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@2/output
deleted file mode 100644
index 648fe8a559..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@2/output
+++ /dev/null
@@ -1,13 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-bruteforcing.bro
-
-event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
- {
- local cmd = c$ftp$cmdarg$cmd;
- if ( cmd == "USER" || cmd == "PASS" )
- {
- if ( FTP::parse_ftp_reply_code(code)$x == 5 )
- SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
- }
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@3/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@3/output
deleted file mode 100644
index f81c9f50ba..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@3/output
+++ /dev/null
@@ -1,27 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-bruteforcing.bro
-
-event bro_init()
- {
- local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
- SumStats::create([$name="ftp-detect-bruteforcing",
- $epoch=bruteforce_measurement_interval,
- $reducers=set(r1),
- $threshold_val(key: SumStats::Key, result: SumStats::Result) =
- {
- return result["ftp.failed_auth"]$num+0.0;
- },
- $threshold=bruteforce_threshold,
- $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
- {
- local r = result["ftp.failed_auth"];
- local dur = duration_to_mins_secs(r$end-r$begin);
- local plural = r$unique>1 ? "s" : "";
- local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
- NOTICE([$note=FTP::Bruteforcing,
- $src=key$host,
- $msg=message,
- $identifier=cat(key$host)]);
- }]);
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@4/output
deleted file mode 100644
index bb7b0fd078..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@4/output
+++ /dev/null
@@ -1,64 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-bruteforcing.bro
-
-##! FTP brute-forcing detector, triggering when too many rejected usernames or
-##! failed passwords have occurred from a single address.
-
-@load base/protocols/ftp
-@load base/frameworks/sumstats
-
-@load base/utils/time
-
-module FTP;
-
-export {
- redef enum Notice::Type += {
- ## Indicates a host bruteforcing FTP logins by watching for too
- ## many rejected usernames or failed passwords.
- Bruteforcing
- };
-
- ## How many rejected usernames or passwords are required before being
- ## considered to be bruteforcing.
- const bruteforce_threshold: double = 20 &redef;
-
- ## The time period in which the threshold needs to be crossed before
- ## being reset.
- const bruteforce_measurement_interval = 15mins &redef;
-}
-
-
-event bro_init()
- {
- local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
- SumStats::create([$name="ftp-detect-bruteforcing",
- $epoch=bruteforce_measurement_interval,
- $reducers=set(r1),
- $threshold_val(key: SumStats::Key, result: SumStats::Result) =
- {
- return result["ftp.failed_auth"]$num+0.0;
- },
- $threshold=bruteforce_threshold,
- $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
- {
- local r = result["ftp.failed_auth"];
- local dur = duration_to_mins_secs(r$end-r$begin);
- local plural = r$unique>1 ? "s" : "";
- local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
- NOTICE([$note=FTP::Bruteforcing,
- $src=key$host,
- $msg=message,
- $identifier=cat(key$host)]);
- }]);
- }
-
-event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
- {
- local cmd = c$ftp$cmdarg$cmd;
- if ( cmd == "USER" || cmd == "PASS" )
- {
- if ( FTP::parse_ftp_reply_code(code)$x == 5 )
- SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
- }
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssh_interesting-hostnames_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssh_interesting-hostnames_bro/output
deleted file mode 100644
index 8ed5d89543..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssh_interesting-hostnames_bro/output
+++ /dev/null
@@ -1,56 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-interesting-hostnames.bro
-
-##! This script will generate a notice if an apparent SSH login originates
-##! or heads to a host with a reverse hostname that looks suspicious. By
-##! default, the regular expression to match "interesting" hostnames includes
-##! names that are typically used for infrastructure hosts like nameservers,
-##! mail servers, web servers and ftp servers.
-
-@load base/frameworks/notice
-
-module SSH;
-
-export {
- redef enum Notice::Type += {
- ## Generated if a login originates or responds with a host where
- ## the reverse hostname lookup resolves to a name matched by the
- ## :bro:id:`SSH::interesting_hostnames` regular expression.
- Interesting_Hostname_Login,
- };
-
- ## Strange/bad host names to see successful SSH logins from or to.
- option interesting_hostnames =
- /^d?ns[0-9]*\./ |
- /^smtp[0-9]*\./ |
- /^mail[0-9]*\./ |
- /^pop[0-9]*\./ |
- /^imap[0-9]*\./ |
- /^www[0-9]*\./ |
- /^ftp[0-9]*\./;
-}
-
-function check_ssh_hostname(id: conn_id, uid: string, host: addr)
- {
- when ( local hostname = lookup_addr(host) )
- {
- if ( interesting_hostnames in hostname )
- {
- NOTICE([$note=Interesting_Hostname_Login,
- $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
- Site::is_local_addr(host) ? "local" : "remote",
- host == id$orig_h ? "client" : "server"),
- $sub=hostname, $id=id, $uid=uid]);
- }
- }
- }
-
-event ssh_auth_successful(c: connection, auth_method_none: bool)
- {
- for ( host in set(c$id$orig_h, c$id$resp_h) )
- {
- check_ssh_hostname(c$id, c$uid, host);
- }
- }
-
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssl_expiring-certs_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssl_expiring-certs_bro/output
deleted file mode 100644
index cc2d8817bd..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssl_expiring-certs_bro/output
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-expiring-certs.bro
-
- NOTICE([$note=Certificate_Expires_Soon,
- $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
- $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_p, hash),
- $fuid=fuid]);
diff --git a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
deleted file mode 100644
index 3dcac30c13..0000000000
--- a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
+++ /dev/null
@@ -1,30 +0,0 @@
-.. rst-class:: btest-cmd
-
- .. code-block:: none
- :linenos:
- :emphasize-lines: 1,1
-
- # bro -r http/bro.org.pcap mimestats.bro
-
-.. rst-class:: btest-include
-
- .. code-block:: guess
- :linenos:
-
- #separator \x09
- #set_separator ,
- #empty_field (empty)
- #unset_field -
- #path mime_metrics
- #open 2016-07-13-16-13-23
- #fields ts ts_delta mtype uniq_hosts hits bytes
- #types time interval string count count count
- 1389719059.311698 300.000000 image/png 1 9 82176
- 1389719059.311698 300.000000 image/gif 1 1 172
- 1389719059.311698 300.000000 image/x-icon 1 2 2300
- 1389719059.311698 300.000000 text/html 1 2 42231
- 1389719059.311698 300.000000 text/plain 1 15 128001
- 1389719059.311698 300.000000 image/jpeg 1 1 186859
- 1389719059.311698 300.000000 application/pgp-signature 1 1 836
- #close 2016-07-13-16-13-23
-
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#1
deleted file mode 100644
index 91f41babb3..0000000000
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#1 +++ /dev/null @@ -1,32 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r tls/ecdhe.pcap netcontrol-1-drop-with-debug.bro - netcontrol debug (Debug-All): init - netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] - -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat netcontrol.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path netcontrol - #open 2016-06-22-22-58-31 - #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin - #types time string enum string enum string enum string string string string int interval string string - 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All - 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All - 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - - 1398529018.678276 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All - 1398529018.678276 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All - #close 2016-06-22-22-58-31 - 
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#2 b/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#2 deleted file mode 100644 index 5c361dba1c..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-1-drop-with-debug.bro/btest-doc.sphinx.netcontrol-1-drop-with-debug.bro#2 +++ /dev/null @@ -1,18 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat netcontrol_drop.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path netcontrol_drop - #open 2016-06-22-22-58-31 - #fields ts rule_id orig_h orig_p resp_h resp_p expire location - #types time string addr port addr port interval string - 1398529018.678276 2 192.168.18.50 56981 74.125.239.97 443 20.000000 - - #close 2016-06-22-22-58-31 - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-2-ssh-guesser.bro/btest-doc.sphinx.netcontrol-2-ssh-guesser.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-2-ssh-guesser.bro/btest-doc.sphinx.netcontrol-2-ssh-guesser.bro#1 deleted file mode 100644 index da4c7a78d1..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-2-ssh-guesser.bro/btest-doc.sphinx.netcontrol-2-ssh-guesser.bro#1 +++ /dev/null 
@@ -1,32 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r ssh/sshguess.pcap netcontrol-2-ssh-guesser.bro - netcontrol debug (Debug-All): init - netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.56.1/32, mac=], expire=1.0 hr, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] - -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat netcontrol.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path netcontrol - #open 2016-06-22-22-58-36 - #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin - #types time string enum string enum string enum string string string string int interval string string - 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All - 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All - 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - - 1427726711.398575 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 3600.000000 - Debug-All - 1427726711.398575 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 3600.000000 - Debug-All - #close 2016-06-22-22-58-36 - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1 deleted file mode 100644 index 5f899ce9c0..0000000000 
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1 +++ /dev/null @@ -1,32 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r ssh/sshguess.pcap netcontrol-3-ssh-guesser.bro - netcontrol debug (Debug-All): init - netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.56.1/32, mac=], expire=10.0 mins, priority=0, location=ACTION_DROP: T, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] - -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat netcontrol.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path netcontrol - #open 2017-12-21-18-58-53 - #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin - #types time string enum string enum string enum string string string string int interval string string - 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All - 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All - 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - - 1427726759.303199 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All - 1427726759.303199 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All - #close 2017-12-21-18-58-53 - 
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2 b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2 deleted file mode 100644 index 039821c266..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2 +++ /dev/null @@ -1,18 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat notice.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path notice - #open 2017-12-21-18-58-53 - #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude - #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double - 1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - - - #close 2017-12-21-18-58-53 - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-4-drop.bro/btest-doc.sphinx.netcontrol-4-drop.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-4-drop.bro/btest-doc.sphinx.netcontrol-4-drop.bro#1 deleted file mode 100644 index 437d9ba58f..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-4-drop.bro/btest-doc.sphinx.netcontrol-4-drop.bro#1 +++ /dev/null 
@@ -1,32 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r tls/ecdhe.pcap netcontrol-4-drop.bro - netcontrol debug (Debug-All): init - netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] - -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat netcontrol.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path netcontrol - #open 2016-06-22-22-58-42 - #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin - #types time string enum string enum string enum string string string string int interval string string - 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All - 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All - 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - - 1398529018.678276 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All - 1398529018.678276 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::CONNECTION 192.168.18.50/56981<->74.125.239.97/443 - - 0 20.000000 - Debug-All - #close 2016-06-22-22-58-42 - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-5-hook.bro/btest-doc.sphinx.netcontrol-5-hook.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-5-hook.bro/btest-doc.sphinx.netcontrol-5-hook.bro#1 deleted file mode 100644 index 0dd5d01130..0000000000 
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-5-hook.bro/btest-doc.sphinx.netcontrol-5-hook.bro#1 +++ /dev/null @@ -1,10 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r tls/ecdhe.pcap netcontrol-5-hook.bro - netcontrol debug (Debug-All): init - Ignored connection from, 192.168.18.50 - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-6-find.bro/btest-doc.sphinx.netcontrol-6-find.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-6-find.bro/btest-doc.sphinx.netcontrol-6-find.bro#1 deleted file mode 100644 index 66846d738d..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-6-find.bro/btest-doc.sphinx.netcontrol-6-find.bro#1 +++ /dev/null @@ -1,12 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r tls/google-duplicate.trace netcontrol-6-find.bro - netcontrol debug (Debug-All): init - netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.4.149, orig_p=60623/tcp, resp_h=74.125.239.129, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] - Rule added - Rule already exists - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#1 deleted file mode 100644 index ed2d956171..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#1 +++ /dev/null 
@@ -1,10 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r tls/ecdhe.pcap netcontrol-7-catch-release.bro - netcontrol debug (Debug-All): init - netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], expire=10.0 mins, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#2 b/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#2 deleted file mode 100644 index df2080fc59..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-7-catch-release.bro/btest-doc.sphinx.netcontrol-7-catch-release.bro#2 +++ /dev/null @@ -1,19 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat netcontrol_catch_release.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path netcontrol_catch_release - #open 2016-06-22-22-58-49 - #fields ts rule_id ip action block_interval watch_interval blocked_until watched_until num_blocked location message - #types time string addr enum interval interval time time count string string - 1398529018.678276 2 192.168.18.50 NetControl::DROP 600.000000 3600.000000 1398529618.678276 1398532618.678276 1 - - - 1398529018.678276 2 192.168.18.50 NetControl::DROPPED 600.000000 3600.000000 1398529618.678276 1398532618.678276 1 - - - #close 2016-06-22-22-58-49 - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#1 deleted file mode 100644 index 3f48475e7e..0000000000 
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#1 +++ /dev/null @@ -1,10 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro netcontrol-8-multiple.bro - netcontrol debug (Debug-All): init - netcontrol debug (Debug-All): add_rule: [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.17.2/32, mac=], expire=1.0 min, priority=0, location=, out_port=, mod=, id=3, cid=3, _plugin_ids={\x0a\x0a}, _active_plugin_ids={\x0a\x0a}, _no_expire_plugins={\x0a\x0a}, _added=F] - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#2 b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#2 deleted file mode 100644 index 435078d4fb..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#2 +++ /dev/null 
@@ -1,28 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat netcontrol.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path netcontrol - #open 2016-06-22-22-58-52 - #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin - #types time string enum string enum string enum string string string string int interval string string - 1466636332.844326 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All - 1466636332.844326 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All - 1466636332.844326 - NetControl::MESSAGE - - - - - - - activating plugin with priority 10 - - - Openflow-Log-42 - 1466636332.844326 - NetControl::MESSAGE - - - - - - - activation finished - - - Openflow-Log-42 - 1466636332.844326 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - - 1466636332.844326 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 10.0.0.1/32 - - 0 60.000000 - Openflow-Log-42 - 1466636332.844326 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.17.2/32 - - 0 60.000000 - Debug-All - 1466636332.844326 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.2/32 - - 0 60.000000 - Openflow-Log-42 - 1466636332.844326 3 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.17.2/32 - - 0 60.000000 - Debug-All - 1466636332.844326 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 10.0.0.1/32 - - 0 60.000000 - Openflow-Log-42 - 1466636332.844326 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.2/32 - - 0 60.000000 - Openflow-Log-42 - #close 
2016-06-22-22-58-52 - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#3 b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#3 deleted file mode 100644 index 7094c08b74..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#3 +++ /dev/null 
@@ -1,21 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat openflow.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path openflow - #open 2016-06-22-22-58-52 - #fields ts dpid match.in_port match.dl_src match.dl_dst match.dl_vlan match.dl_vlan_pcp match.dl_type match.nw_tos match.nw_proto match.nw_src match.nw_dst match.tp_src match.tp_dst flow_mod.cookie flow_mod.table_id flow_mod.command flow_mod.idle_timeout flow_mod.hard_timeout flow_mod.priority flow_mod.out_port flow_mod.out_group flow_mod.flags flow_mod.actions.out_ports flow_mod.actions.vlan_vid flow_mod.actions.vlan_pcp flow_mod.actions.vlan_strip flow_mod.actions.dl_src flow_mod.actions.dl_dst flow_mod.actions.nw_tos flow_mod.actions.nw_src flow_mod.actions.nw_dst flow_mod.actions.tp_src flow_mod.actions.tp_dst - #types time count count string string count count count count count subnet subnet count count count count enum count count count count count count vector[count] count count bool string string count addr addr count count - 1466636332.844326 42 - - - - - 2048 - - 10.0.0.1/32 - - - 4398046511108 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - - 1466636332.844326 42 - - - - - 2048 - - - 10.0.0.1/32 - - 4398046511109 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - - 1466636332.844326 42 - - - - - 2048 - - 192.168.18.2/32 - - - 4398046511112 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - - 1466636332.844326 42 - - - - - 2048 - - - 192.168.18.2/32 - - 4398046511113 - OpenFlow::OFPFC_ADD 0 60 0 - - 1 (empty) - - F - - - - - - - - #close 2016-06-22-22-58-52 - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#4 b/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#4 deleted file mode 100644 index 941d9336c9..0000000000 
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-8-multiple.bro/btest-doc.sphinx.netcontrol-8-multiple.bro#4 +++ /dev/null @@ -1,15 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro - add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={ - - }, _active_plugin_ids={ - - }, _no_expire_plugins={ - - }, _added=F] - diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-9-skeleton.bro/btest-doc.sphinx.netcontrol-9-skeleton.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-9-skeleton.bro/btest-doc.sphinx.netcontrol-9-skeleton.bro#1 deleted file mode 100644 index 941d9336c9..0000000000 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-9-skeleton.bro/btest-doc.sphinx.netcontrol-9-skeleton.bro#1 +++ /dev/null @@ -1,15 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r tls/ecdhe.pcap netcontrol-10-use-skeleton.bro - add, [ty=NetControl::DROP, target=NetControl::FORWARD, entity=[ty=NetControl::CONNECTION, conn=[orig_h=192.168.18.50, orig_p=56981/tcp, resp_h=74.125.239.97, resp_p=443/tcp], flow=, ip=, mac=], expire=20.0 secs, priority=0, location=, out_port=, mod=, id=2, cid=2, _plugin_ids={ - - }, _active_plugin_ids={ - - }, _no_expire_plugins={ - - }, _added=F] - diff --git a/testing/btest/Baseline/doc.sphinx.notice_ssh_guesser.bro/btest-doc.sphinx.notice_ssh_guesser.bro#1 b/testing/btest/Baseline/doc.sphinx.notice_ssh_guesser.bro/btest-doc.sphinx.notice_ssh_guesser.bro#1 deleted file mode 100644 index 56918146fa..0000000000 --- a/testing/btest/Baseline/doc.sphinx.notice_ssh_guesser.bro/btest-doc.sphinx.notice_ssh_guesser.bro#1 +++ /dev/null 
@@ -1,26 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -C -r ssh/sshguess.pcap notice_ssh_guesser.bro - -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat notice.log - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path notice - #open 2017-12-21-02-24-48 - #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude - #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double - 1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 3600.000000 F - - - - - - #close 2017-12-21-02-24-48 - diff --git a/testing/btest/Baseline/doc.sphinx.sumstats-countconns/btest-doc.sphinx.sumstats-countconns#1 b/testing/btest/Baseline/doc.sphinx.sumstats-countconns/btest-doc.sphinx.sumstats-countconns#1 deleted file mode 100644 index b7126957ce..0000000000 --- a/testing/btest/Baseline/doc.sphinx.sumstats-countconns/btest-doc.sphinx.sumstats-countconns#1 +++ /dev/null @@ -1,9 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -r workshop_2011_browse.trace sumstats-countconns.bro - Number of connections established: 6 - 
diff --git a/testing/btest/Baseline/doc.sphinx.sumstats-toy-scan/btest-doc.sphinx.sumstats-toy-scan#1 b/testing/btest/Baseline/doc.sphinx.sumstats-toy-scan/btest-doc.sphinx.sumstats-toy-scan#1 deleted file mode 100644 index f5db95c5f3..0000000000 --- a/testing/btest/Baseline/doc.sphinx.sumstats-toy-scan/btest-doc.sphinx.sumstats-toy-scan#1 +++ /dev/null @@ -1,9 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -r nmap-vsn.trace sumstats-toy-scan.bro - 192.168.1.71 attempted 5 or more connections - diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 deleted file mode 100644 index f64da50784..0000000000 --- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 +++ /dev/null 
@@ -1,30 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro -r wikipedia.trace - -.. rst-class:: btest-include - - .. code-block:: guess - :linenos: - - #separator \x09 - #set_separator , - #empty_field (empty) - #unset_field - - #path conn - #open 2018-01-12-21-43-52 - #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents - #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] - 1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 - - 1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 - - 1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 - - 1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - - 1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - - 1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - - 1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - - [...] - diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#2 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#2 deleted file mode 100644 index 2b060fc2ff..0000000000 --- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#2 +++ /dev/null 
@@ -1,19 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration - 141.142.220.202 5353 224.0.0.251 - - fe80::217:f2ff:fed7:cf65 5353 ff02::fb - - 141.142.220.50 5353 224.0.0.251 - - 141.142.220.118 43927 141.142.2.2 0.000435 - 141.142.220.118 37676 141.142.2.2 0.000420 - 141.142.220.118 40526 141.142.2.2 0.000392 - 141.142.220.118 32902 141.142.2.2 0.000317 - 141.142.220.118 59816 141.142.2.2 0.000343 - 141.142.220.118 59714 141.142.2.2 0.000375 - 141.142.220.118 58206 141.142.2.2 0.000339 - [...] - diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#3 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#3 deleted file mode 100644 index 92378e6c08..0000000000 --- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#3 +++ /dev/null @@ -1,19 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # awk '/^[^#]/ {print $3, $4, $5, $6, $9}' conn.log - 141.142.220.202 5353 224.0.0.251 5353 - - fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 - - 141.142.220.50 5353 224.0.0.251 5353 - - 141.142.220.118 43927 141.142.2.2 53 0.000435 - 141.142.220.118 37676 141.142.2.2 53 0.000420 - 141.142.220.118 40526 141.142.2.2 53 0.000392 - 141.142.220.118 32902 141.142.2.2 53 0.000317 - 141.142.220.118 59816 141.142.2.2 53 0.000343 - 141.142.220.118 59714 141.142.2.2 53 0.000375 - 141.142.220.118 58206 141.142.2.2 53 0.000339 - [...] - diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#4 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#4 deleted file mode 100644 index c5c8e310c7..0000000000 --- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#4 +++ /dev/null 
@@ -1,14 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro-cut -d ts uid host uri < http.log - 2011-03-18T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css - 2011-03-18T19:06:08+0000 CwjjYJ2WqgTbAqiHl6 upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png - 2011-03-18T19:06:08+0000 C3eiCBGOLw3VtHfOj upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png - 2011-03-18T19:06:08+0000 Ck51lg1bScffFj34Ri upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png - 2011-03-18T19:06:08+0000 CtxTCR2Yer0FR1tIBg upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png - [...] - diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#5 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#5 deleted file mode 100644 index aaa93f5073..0000000000 --- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#5 +++ /dev/null @@ -1,14 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro-cut -u ts uid host uri < http.log - 2011-03-18T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css - 2011-03-18T19:06:08+0000 CwjjYJ2WqgTbAqiHl6 upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png - 2011-03-18T19:06:08+0000 C3eiCBGOLw3VtHfOj upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png - 2011-03-18T19:06:08+0000 Ck51lg1bScffFj34Ri upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png - 2011-03-18T19:06:08+0000 CtxTCR2Yer0FR1tIBg upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png - [...] - 
diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#6 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#6 deleted file mode 100644 index 1489b54426..0000000000 --- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#6 +++ /dev/null @@ -1,14 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # bro-cut -D %d-%m-%YT%H:%M:%S%z ts uid host uri < http.log - 18-03-2011T19:06:08+0000 CUM0KZ3MLUfNB0cl11 bits.wikimedia.org /skins-1.5/monobook/main.css - 18-03-2011T19:06:08+0000 CwjjYJ2WqgTbAqiHl6 upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png - 18-03-2011T19:06:08+0000 C3eiCBGOLw3VtHfOj upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png - 18-03-2011T19:06:08+0000 Ck51lg1bScffFj34Ri upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png - 18-03-2011T19:06:08+0000 CtxTCR2Yer0FR1tIBg upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png - [...] - diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#7 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#7 deleted file mode 100644 index 22172b1ac6..0000000000 --- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#7 +++ /dev/null @@ -1,13 +0,0 @@ -.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5 - CwjjYJ2WqgTbAqiHl6 734 - CtxTCR2Yer0FR1tIBg 734 - Ck51lg1bScffFj34Ri 734 - CLNN1k2QMum1aexUK7 734 - CykQaM33ztNt0csB9a 733 - diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#8 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#8 deleted file mode 100644 index 7a041756e8..0000000000 
--- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#8
+++ /dev/null
@@ -1,9 +0,0 @@
-.. rst-class:: btest-cmd - - .. code-block:: none - :linenos: - :emphasize-lines: 1,1 - - # cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11 - CUM0KZ3MLUfNB0cl11 208.80.152.118 GET 304 bits.wikimedia.org /skins-1.5/monobook/main.css -
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 1c93c9cb6b..6624d70431 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -4,7 +4,6 @@ TmpDir = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline
 IgnoreDirs = .svn CVS .tmp
 IgnoreFiles = *.tmp *.swp #* *.trace .DS_Store
-PartFinalizer = btest-diff-rst
 [environment]
 BROPATH=`bash -c %(testbase)s/../../build/bro-path-dev`
diff --git a/testing/btest/doc/sphinx/conditional-notice.btest b/testing/btest/doc/sphinx/conditional-notice.btest
deleted file mode 100644
index ff3eea1132..0000000000
--- a/testing/btest/doc/sphinx/conditional-notice.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/tls/tls-expired-cert.trace ${DOC_ROOT}/quickstart/conditional-notice.bro
-@TEST-EXEC: btest-rst-cmd cat notice.log
diff --git a/testing/btest/doc/sphinx/connection-record-01.btest b/testing/btest/doc/sphinx/connection-record-01.btest
deleted file mode 100644
index 3704d58932..0000000000
--- a/testing/btest/doc/sphinx/connection-record-01.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_01.bro
diff --git a/testing/btest/doc/sphinx/connection-record-02.btest b/testing/btest/doc/sphinx/connection-record-02.btest
deleted file mode 100644
index 0b0c87c1f2..0000000000
--- a/testing/btest/doc/sphinx/connection-record-02.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_02.bro
diff --git a/testing/btest/doc/sphinx/data_struct_record_01.btest b/testing/btest/doc/sphinx/data_struct_record_01.btest
deleted file mode 100644
index ae52b9a24d..0000000000
--- a/testing/btest/doc/sphinx/data_struct_record_01.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_record_01.bro
diff --git a/testing/btest/doc/sphinx/data_struct_record_02.btest b/testing/btest/doc/sphinx/data_struct_record_02.btest
deleted file mode 100644
index d978224e3b..0000000000
--- a/testing/btest/doc/sphinx/data_struct_record_02.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_record_02.bro
diff --git a/testing/btest/doc/sphinx/data_struct_set_declaration.btest b/testing/btest/doc/sphinx/data_struct_set_declaration.btest
deleted file mode 100644
index 2812479dff..0000000000
--- a/testing/btest/doc/sphinx/data_struct_set_declaration.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_set_declaration.bro
diff --git a/testing/btest/doc/sphinx/data_struct_table_complex.btest b/testing/btest/doc/sphinx/data_struct_table_complex.btest
deleted file mode 100644
index 99117130f8..0000000000
--- a/testing/btest/doc/sphinx/data_struct_table_complex.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -b ${DOC_ROOT}/scripting/data_struct_table_complex.bro
diff --git a/testing/btest/doc/sphinx/data_struct_table_declaration.btest b/testing/btest/doc/sphinx/data_struct_table_declaration.btest
deleted file mode 100644
index ac83e84e45..0000000000
--- a/testing/btest/doc/sphinx/data_struct_table_declaration.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_table_declaration.bro
diff --git a/testing/btest/doc/sphinx/data_struct_vector_declaration.btest b/testing/btest/doc/sphinx/data_struct_vector_declaration.btest
deleted file mode 100644
index b017f84aed..0000000000
--- a/testing/btest/doc/sphinx/data_struct_vector_declaration.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_vector_declaration.bro
diff --git a/testing/btest/doc/sphinx/data_struct_vector_iter.btest b/testing/btest/doc/sphinx/data_struct_vector_iter.btest
deleted file mode 100644
index f5e6c2a0ba..0000000000
--- a/testing/btest/doc/sphinx/data_struct_vector_iter.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -b ${DOC_ROOT}/scripting/data_struct_vector_iter.bro
diff --git a/testing/btest/doc/sphinx/data_type_const.bro.btest b/testing/btest/doc/sphinx/data_type_const.bro.btest
deleted file mode 100644
index 903fed3fbf..0000000000
--- a/testing/btest/doc/sphinx/data_type_const.bro.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -b ${DOC_ROOT}/scripting/data_type_const.bro
diff --git a/testing/btest/doc/sphinx/data_type_interval.btest b/testing/btest/doc/sphinx/data_type_interval.btest
deleted file mode 100644
index 0c1baa1372..0000000000
--- a/testing/btest/doc/sphinx/data_type_interval.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/wikipedia.trace ${DOC_ROOT}/scripting/data_type_interval.bro
diff --git a/testing/btest/doc/sphinx/data_type_pattern.btest b/testing/btest/doc/sphinx/data_type_pattern.btest
deleted file mode 100644
index 30ba3c6fe0..0000000000
--- a/testing/btest/doc/sphinx/data_type_pattern.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_type_pattern_01.bro
diff --git a/testing/btest/doc/sphinx/data_type_pattern_02.btest b/testing/btest/doc/sphinx/data_type_pattern_02.btest
deleted file mode 100644
index b197cef792..0000000000
--- a/testing/btest/doc/sphinx/data_type_pattern_02.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_type_pattern_02.bro
diff --git a/testing/btest/doc/sphinx/data_type_subnets.btest b/testing/btest/doc/sphinx/data_type_subnets.btest
deleted file mode 100644
index c78fe8c71c..0000000000
--- a/testing/btest/doc/sphinx/data_type_subnets.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_type_subnets.bro
diff --git a/testing/btest/doc/sphinx/data_type_time.btest b/testing/btest/doc/sphinx/data_type_time.btest
deleted file mode 100644
index 29dee6002f..0000000000
--- a/testing/btest/doc/sphinx/data_type_time.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/wikipedia.trace ${DOC_ROOT}/scripting/data_type_time.bro
diff --git a/testing/btest/doc/sphinx/file-analysis-01.btest b/testing/btest/doc/sphinx/file-analysis-01.btest
deleted file mode 100644
index 6dac37ee38..0000000000
--- a/testing/btest/doc/sphinx/file-analysis-01.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/get.trace ${DOC_ROOT}/frameworks/file_analysis_01.bro
diff --git a/testing/btest/doc/sphinx/file-analysis-02.btest b/testing/btest/doc/sphinx/file-analysis-02.btest
deleted file mode 100644
index ea359e1bca..0000000000
--- a/testing/btest/doc/sphinx/file-analysis-02.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/get.trace ${DOC_ROOT}/frameworks/file_analysis_02.bro
diff --git a/testing/btest/doc/sphinx/file-analysis-03.btest b/testing/btest/doc/sphinx/file-analysis-03.btest
deleted file mode 100644
index 6ad81d6a76..0000000000
--- a/testing/btest/doc/sphinx/file-analysis-03.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: echo "Hello world" > myfile
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/frameworks/file_analysis_03.bro
diff --git a/testing/btest/doc/sphinx/file_extraction.btest b/testing/btest/doc/sphinx/file_extraction.btest
deleted file mode 100644
index 76ebd82474..0000000000
--- a/testing/btest/doc/sphinx/file_extraction.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd -n 5 bro -r ${TRACES}/http/bro.org.pcap ${DOC_ROOT}/httpmonitor/file_extraction.bro
diff --git a/testing/btest/doc/sphinx/framework_logging_factorial-2.btest b/testing/btest/doc/sphinx/framework_logging_factorial-2.btest
deleted file mode 100644
index c0f1262217..0000000000
--- a/testing/btest/doc/sphinx/framework_logging_factorial-2.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/framework_logging_factorial_02.bro
-@TEST-EXEC: btest-rst-include factor.log
diff --git a/testing/btest/doc/sphinx/framework_logging_factorial-3.btest b/testing/btest/doc/sphinx/framework_logging_factorial-3.btest
deleted file mode 100644
index 75f2054661..0000000000
--- a/testing/btest/doc/sphinx/framework_logging_factorial-3.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/framework_logging_factorial_03.bro
-@TEST-EXEC: btest-rst-include factor-mod5.log
diff --git a/testing/btest/doc/sphinx/framework_logging_factorial.btest b/testing/btest/doc/sphinx/framework_logging_factorial.btest
deleted file mode 100644
index 798b821f87..0000000000
--- a/testing/btest/doc/sphinx/framework_logging_factorial.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/framework_logging_factorial_01.bro
diff --git a/testing/btest/doc/sphinx/ftp-bruteforce.btest b/testing/btest/doc/sphinx/ftp-bruteforce.btest
deleted file mode 100644
index 0a9c89c22e..0000000000
--- a/testing/btest/doc/sphinx/ftp-bruteforce.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/ftp/bruteforce.pcap protocols/ftp/detect-bruteforcing.bro
-@TEST-EXEC: btest-rst-include notice.log
diff --git a/testing/btest/doc/sphinx/http_proxy_01.btest b/testing/btest/doc/sphinx/http_proxy_01.btest
deleted file mode 100644
index 95c212876d..0000000000
--- a/testing/btest/doc/sphinx/http_proxy_01.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_01.bro
diff --git a/testing/btest/doc/sphinx/http_proxy_02.btest b/testing/btest/doc/sphinx/http_proxy_02.btest
deleted file mode 100644
index 886177a025..0000000000
--- a/testing/btest/doc/sphinx/http_proxy_02.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_02.bro
diff --git a/testing/btest/doc/sphinx/http_proxy_03.btest b/testing/btest/doc/sphinx/http_proxy_03.btest
deleted file mode 100644
index fe1e22f58c..0000000000
--- a/testing/btest/doc/sphinx/http_proxy_03.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_03.bro
diff --git a/testing/btest/doc/sphinx/http_proxy_04.btest b/testing/btest/doc/sphinx/http_proxy_04.btest
deleted file mode 100644
index 1c2dcb707e..0000000000
--- a/testing/btest/doc/sphinx/http_proxy_04.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_04.bro
-@TEST-EXEC: btest-rst-include notice.log
diff --git a/testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest b/testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest
deleted file mode 100644
index 6e15ece5e0..0000000000
--- a/testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest
+++ /dev/null
@@ -1,30 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -Bro_DNS.events.bif.bro - -## Generated for DNS requests. For requests with multiple queries, this event -## is raised once for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## query: The queried name. -## -## qtype: The queried resource record type. -## -## qclass: The queried resource record class. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ); diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest deleted file mode 100644 index d2916a4c4f..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest +++ /dev/null @@ -1,16 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -connecting-connector.bro - -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::peer("127.0.0.1"); - } - -event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer added", endpoint; - terminate(); - } 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest deleted file mode 100644 index b15bac75c0..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest +++ /dev/null @@ -1,21 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -connecting-listener.bro - -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::listen("127.0.0.1"); - } - -event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer added", endpoint; - } - -event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer lost", endpoint; - terminate(); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest deleted file mode 100644 index 96616dbd3c..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest +++ /dev/null 
@@ -1,39 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -events-connector.bro - -redef exit_only_after_terminate = T; -global my_event: event(msg: string, c: count); -global my_auto_event: event(msg: string, c: count); - -event bro_init() - { - Broker::peer("127.0.0.1"); - Broker::auto_publish("bro/event/my_auto_event", my_auto_event); - } - -event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer added", endpoint; - Broker::publish("bro/event/my_event", my_event, "hi", 0); - event my_auto_event("stuff", 88); - Broker::publish("bro/event/my_event", my_event, "...", 1); - event my_auto_event("more stuff", 51); - local e = Broker::make_event(my_event, "bye", 2); - Broker::publish("bro/event/my_event", e); - } - -event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) - { - terminate(); - } - -event my_event(msg: string, c: count) - { - print "got my_event", msg, c; - } - -event my_auto_event(msg: string, c: count) - { - print "got my_auto_event", msg, c; - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest deleted file mode 100644 index 928ba60311..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest +++ /dev/null 
@@ -1,37 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -events-listener.bro - -redef exit_only_after_terminate = T; -global msg_count = 0; -global my_event: event(msg: string, c: count); -global my_auto_event: event(msg: string, c: count); - -event bro_init() - { - Broker::subscribe("bro/event/"); - Broker::listen("127.0.0.1"); - } - -event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer added", endpoint; - } - -event my_event(msg: string, c: count) - { - ++msg_count; - print "got my_event", msg, c; - - if ( msg_count == 5 ) - terminate(); - } - -event my_auto_event(msg: string, c: count) - { - ++msg_count; - print "got my_auto_event", msg, c; - - if ( msg_count == 5 ) - terminate(); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest deleted file mode 100644 index 84d0a60391..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest +++ /dev/null @@ -1,40 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -logs-connector.bro - -@load ./testlog - -redef exit_only_after_terminate = T; -global n = 0; - -event bro_init() - { - Broker::peer("127.0.0.1"); - } - -event do_write() - { - if ( n == 6 ) - return; - - Log::write(Test::LOG, [$msg = "ping", $num = n]); - ++n; - event do_write(); - } - -event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer added", endpoint; - event do_write(); - } - -event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) - { - terminate(); - } - -event Test::log_test(rec: Test::Info) - { - print "wrote log", rec; - Broker::publish("bro/logs/forward/test", Test::log_test, rec); - } 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest deleted file mode 100644 index 359a88b476..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest +++ /dev/null @@ -1,26 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -logs-listener.bro - -@load ./testlog - -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::subscribe("bro/logs"); - Broker::listen("127.0.0.1"); - } - -event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer added", endpoint; - } - -event Test::log_test(rec: Test::Info) - { - print "got log event", rec; - - if ( rec$num == 5 ) - terminate(); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest deleted file mode 100644 index 8ef4dca1f5..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest +++ /dev/null @@ -1,33 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -stores-connector.bro - -redef exit_only_after_terminate = T; - -global h: opaque of Broker::Store; - -global ready: event(); - -event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) - { - terminate(); - } - -event bro_init() - { - h = Broker::create_master("mystore"); - - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - Broker::put(h, "one", 110); - Broker::put(h, "two", 223); - Broker::put(h, "myset", myset); - Broker::put(h, "myvec", myvec); - Broker::increment(h, "one"); - Broker::decrement(h, "two"); - Broker::insert_into_set(h, "myset", "d"); - Broker::remove_from(h, "myset", "b"); - Broker::push(h, "myvec", "delta"); - - Broker::peer("127.0.0.1"); - } 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest
deleted file mode 100644
index 571ede2687..0000000000
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest
+++ /dev/null
@@ -1,83 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -stores-listener.bro - -redef exit_only_after_terminate = T; - -global h: opaque of Broker::Store; -global expected_key_count = 4; -global key_count = 0; - -# Lookup a value in the store based on an arbitrary key string. -function do_lookup(key: string) - { - when ( local res = Broker::get(h, key) ) - { - ++key_count; - print "lookup", key, res; - - # End after we iterated over looking up each key in the store twice. - if ( key_count == expected_key_count * 2 ) - terminate(); - } - # All data store queries must specify a timeout - timeout 3sec - { print "timeout", key; } - } - -event check_keys() - { - # Here we just query for the list of keys in the store, and show how to - # look up each one's value. - when ( local res = Broker::keys(h) ) - { - print "clone keys", res; - - if ( res?$result ) - { - # Since we know that the keys we are storing are all strings, - # we can conveniently cast the result of Broker::keys to - # a native Bro type, namely 'set[string]'. - for ( k in res$result as string_set ) - do_lookup(k); - - # Alternatively, we can use a generic iterator to iterate - # over the results (which we know is of the 'set' type because - # that's what Broker::keys() always returns). If the keys - # we stored were not all of the same type, then you would - # likely want to use this method of inspecting the store's keys. - local i = Broker::set_iterator(res$result); - - while ( ! Broker::set_iterator_last(i) ) - { - do_lookup(Broker::set_iterator_value(i) as string); - Broker::set_iterator_next(i); - } - } - } - # All data store queries must specify a timeout. - # You also might see timeouts on connecting/initializing a clone since - # it hasn't had time to get fully set up yet. 
- timeout 1sec - { - print "timeout"; - schedule 1sec { check_keys() }; - } - } - -event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer added"; - # We could create a clone early, like in bro_init and it will periodically - # try to synchronize with its master once it connects, however, we just - # create it now since we know the peer w/ the master store has just - # connected. - h = Broker::create_clone("mystore"); - - event check_keys(); - } - -event bro_init() - { - Broker::listen("127.0.0.1"); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest deleted file mode 100644 index 8d779a1b92..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest +++ /dev/null @@ -1,21 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -testlog.bro - -module Test; - -export { - redef enum Log::ID += { LOG }; - - type Info: record { - msg: string &log; - num: count &log; - }; - - global log_test: event(rec: Test::Info); -} - -event bro_init() &priority=5 - { - Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_01_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_01_bro.btest deleted file mode 100644 index 045fa5ff9f..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_01_bro.btest +++ /dev/null @@ -1,24 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -file_analysis_01.bro - -event connection_state_remove(c: connection) - { - print "connection_state_remove"; - print c$uid; - print c$id; - for ( s in c$service ) - print s; - } - -event file_state_remove(f: fa_file) - { - print "file_state_remove"; - print f$id; - for ( cid in f$conns ) - { - print f$conns[cid]$uid; - print cid; - } - print f$source; - } 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest deleted file mode 100644 index 7c0b7eb8f0..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_02_bro.btest +++ /dev/null @@ -1,16 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -file_analysis_02.bro - -event file_sniff(f: fa_file, meta: fa_metadata) - { - if ( ! meta?$mime_type ) return; - print "new file", f$id; - if ( meta$mime_type == "text/plain" ) - Files::add_analyzer(f, Files::ANALYZER_MD5); - } - -event file_hash(f: fa_file, kind: string, hash: string) - { - print "file_hash", f$id, kind, hash; - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_03_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_03_bro.btest deleted file mode 100644 index 4084169945..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_file_analysis_03_bro.btest +++ /dev/null @@ -1,29 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -file_analysis_03.bro - -redef exit_only_after_terminate = T; - -event file_new(f: fa_file) - { - print "new file", f$id; - Files::add_analyzer(f, Files::ANALYZER_MD5); - } - -event file_state_remove(f: fa_file) - { - print "file_state_remove"; - Input::remove(f$source); - terminate(); - } - -event file_hash(f: fa_file, kind: string, hash: string) - { - print "file_hash", f$id, kind, hash; - } - -event bro_init() - { - local source: string = "./myfile"; - Input::add_analysis([$source=source, $name=source]); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-1-drop-with-debug_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-1-drop-with-debug_bro.btest deleted file mode 100644 index b451d5aa4f..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-1-drop-with-debug_bro.btest +++ /dev/null 
@@ -1,14 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-1-drop-with-debug.bro
-
-event NetControl::init()
- {
- local debug_plugin = NetControl::create_debug(T);
- NetControl::activate(debug_plugin, 0);
- }
-
-event connection_established(c: connection)
- {
- NetControl::drop_connection(c$id, 20 secs);
- }
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-10-use-skeleton_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-10-use-skeleton_bro.btest
deleted file mode 100644
index 331afbc80d..0000000000
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-10-use-skeleton_bro.btest
+++ /dev/null
@@ -1,14 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-10-use-skeleton.bro
-
-event NetControl::init()
- {
- local skeleton_plugin = NetControl::create_skeleton("");
- NetControl::activate(skeleton_plugin, 0);
- }
-
-event connection_established(c: connection)
- {
- NetControl::drop_connection(c$id, 20 secs);
- }
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-2-ssh-guesser_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-2-ssh-guesser_bro.btest
deleted file mode 100644
index 87c8cdda7a..0000000000
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-2-ssh-guesser_bro.btest
+++ /dev/null
@@ -1,20 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-netcontrol-2-ssh-guesser.bro
-
-
-@load protocols/ssh/detect-bruteforcing
-
-redef SSH::password_guesses_limit=10;
-
-event NetControl::init()
- {
- local debug_plugin = NetControl::create_debug(T);
- NetControl::activate(debug_plugin, 0);
- }
-
-hook Notice::policy(n: Notice::Info)
- {
- if ( n$note == SSH::Password_Guessing )
- NetControl::drop_address(n$src, 60min);
- }
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-3-ssh-guesser_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-3-ssh-guesser_bro.btest deleted file mode 100644 index 228856f00a..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-3-ssh-guesser_bro.btest +++ /dev/null @@ -1,20 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -netcontrol-3-ssh-guesser.bro - - -@load protocols/ssh/detect-bruteforcing - -redef SSH::password_guesses_limit=10; - -event NetControl::init() - { - local debug_plugin = NetControl::create_debug(T); - NetControl::activate(debug_plugin, 0); - } - -hook Notice::policy(n: Notice::Info) - { - if ( n$note == SSH::Password_Guessing ) - add n$actions[Notice::ACTION_DROP]; - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-4-drop_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-4-drop_bro.btest deleted file mode 100644 index e7b15fd91b..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-4-drop_bro.btest +++ /dev/null @@ -1,30 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -netcontrol-4-drop.bro - -function our_drop_connection(c: conn_id, t: interval) - { - # As a first step, create the NetControl::Entity that we want to block - local e = NetControl::Entity($ty=NetControl::CONNECTION, $conn=c); - # Then, use the entity to create the rule to drop the entity in the forward path - local r = NetControl::Rule($ty=NetControl::DROP, - $target=NetControl::FORWARD, $entity=e, $expire=t); - - # Add the rule - local id = NetControl::add_rule(r); - - if ( id == "" ) - print "Error while dropping"; - } - -event NetControl::init() - { - local debug_plugin = NetControl::create_debug(T); - NetControl::activate(debug_plugin, 0); - } - -event connection_established(c: connection) - { - our_drop_connection(c$id, 20 secs); - } - 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-5-hook_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-5-hook_bro.btest deleted file mode 100644 index d27e3f9a6a..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-5-hook_bro.btest +++ /dev/null @@ -1,26 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -netcontrol-5-hook.bro - -hook NetControl::rule_policy(r: NetControl::Rule) - { - if ( r$ty == NetControl::DROP && - r$entity$ty == NetControl::CONNECTION && - r$entity$conn$orig_h in 192.168.0.0/16 ) - { - print "Ignored connection from", r$entity$conn$orig_h; - break; - } - } - -event NetControl::init() - { - local debug_plugin = NetControl::create_debug(T); - NetControl::activate(debug_plugin, 0); - } - -event connection_established(c: connection) - { - NetControl::drop_connection(c$id, 20 secs); - } - diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-6-find_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-6-find_bro.btest deleted file mode 100644 index bcc5199590..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-6-find_bro.btest +++ /dev/null @@ -1,21 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -netcontrol-6-find.bro - -event NetControl::init() - { - local netcontrol_debug = NetControl::create_debug(T); - NetControl::activate(netcontrol_debug, 0); - } - -event connection_established(c: connection) - { - if ( |NetControl::find_rules_addr(c$id$orig_h)| > 0 ) - { - print "Rule already exists"; - return; - } - - NetControl::drop_connection(c$id, 20 secs); - print "Rule added"; - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-7-catch-release_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-7-catch-release_bro.btest deleted file mode 100644 index aa10d8cc01..0000000000 
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-7-catch-release_bro.btest +++ /dev/null @@ -1,14 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -netcontrol-7-catch-release.bro - -event NetControl::init() - { - local debug_plugin = NetControl::create_debug(T); - NetControl::activate(debug_plugin, 0); - } - -event connection_established(c: connection) - { - NetControl::drop_address_catch_release(c$id$orig_h); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-8-multiple_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-8-multiple_bro.btest deleted file mode 100644 index f9bac69f44..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-8-multiple_bro.btest +++ /dev/null @@ -1,33 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -netcontrol-8-multiple.bro - -function our_openflow_check(p: NetControl::PluginState, r: NetControl::Rule): bool - { - if ( r$ty == NetControl::DROP && - r$entity$ty == NetControl::ADDRESS && - subnet_width(r$entity$ip) == 32 && - subnet_to_addr(r$entity$ip) in 192.168.17.0/24 ) - return F; - - return T; - } - -event NetControl::init() - { - # Add debug plugin with low priority - local debug_plugin = NetControl::create_debug(T); - NetControl::activate(debug_plugin, 0); - - # Instantiate OpenFlow debug plugin with higher priority - local of_controller = OpenFlow::log_new(42); - local netcontrol_of = NetControl::create_openflow(of_controller, [$check_pred=our_openflow_check]); - NetControl::activate(netcontrol_of, 10); - } - -event NetControl::init_done() - { - NetControl::drop_address(10.0.0.1, 1min); - NetControl::drop_address(192.168.17.2, 1min); - NetControl::drop_address(192.168.18.2, 1min); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-9-skeleton_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-9-skeleton_bro.btest deleted file mode 100644 index 0fed26184f..0000000000 
--- a/testing/btest/doc/sphinx/include-doc_frameworks_netcontrol-9-skeleton_bro.btest +++ /dev/null @@ -1,43 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -netcontrol-9-skeleton.bro - -module NetControl; - -export { - ## Instantiates the plugin. - global create_skeleton: function(argument: string) : PluginState; -} - -function skeleton_name(p: PluginState) : string - { - return "NetControl skeleton plugin"; - } - -function skeleton_add_rule_fun(p: PluginState, r: Rule) : bool - { - print "add", r; - event NetControl::rule_added(r, p); - return T; - } - -function skeleton_remove_rule_fun(p: PluginState, r: Rule, reason: string &default="") : bool - { - print "remove", r; - event NetControl::rule_removed(r, p); - return T; - } - -global skeleton_plugin = Plugin( - $name = skeleton_name, - $can_expire = F, - $add_rule = skeleton_add_rule_fun, - $remove_rule = skeleton_remove_rule_fun - ); - -function create_skeleton(argument: string) : PluginState - { - local p = PluginState($plugin=skeleton_plugin); - - return p; - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_notice_ssh_guesser_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_notice_ssh_guesser_bro.btest deleted file mode 100644 index 11b77dd1ba..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_notice_ssh_guesser_bro.btest +++ /dev/null @@ -1,14 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -notice_ssh_guesser.bro - - -@load protocols/ssh/detect-bruteforcing - -redef SSH::password_guesses_limit=10; - -hook Notice::policy(n: Notice::Info) - { - if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub ) - add n$actions[Notice::ACTION_EMAIL]; - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_sqlite-conn-filter_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_sqlite-conn-filter_bro.btest deleted file mode 100644 index dc42f0bce1..0000000000 
--- a/testing/btest/doc/sphinx/include-doc_frameworks_sqlite-conn-filter_bro.btest +++ /dev/null @@ -1,16 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -sqlite-conn-filter.bro - -event bro_init() - { - local filter: Log::Filter = - [ - $name="sqlite", - $path="/var/db/conn", - $config=table(["tablename"] = "conn"), - $writer=Log::WRITER_SQLITE - ]; - - Log::add_filter(Conn::LOG, filter); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_sqlite-read-events_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_sqlite-read-events_bro.btest deleted file mode 100644 index 6703c4ca7e..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_sqlite-read-events_bro.btest +++ /dev/null @@ -1,44 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -sqlite-read-events.bro - -@load frameworks/files/hash-all-files - -type Val: record { - hash: string; - description: string; -}; - -event line(description: Input::EventDescription, tpe: Input::Event, r: Val) - { - print fmt("malware-hit with hash %s, description %s", r$hash, r$description); - } - -global malware_source = "/var/db/malware"; - -event file_hash(f: fa_file, kind: string, hash: string) - { - - # check all sha1 hashes - if ( kind=="sha1" ) - { - Input::add_event( - [ - $source=malware_source, - $name=hash, - $fields=Val, - $ev=line, - $want_record=T, - $config=table( - ["query"] = fmt("select * from malware_hashes where hash='%s';", hash) - ), - $reader=Input::READER_SQLITE - ]); - } - } - -event Input::end_of_data(name: string, source:string) - { - if ( source == malware_source ) - Input::remove(name); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_sqlite-read-table_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_sqlite-read-table_bro.btest deleted file mode 100644 index dea06055ea..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_sqlite-read-table_bro.btest +++ /dev/null 
@@ -1,39 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -sqlite-read-table.bro - -type Idx: record { - host: addr; -}; - -type Val: record { - users: set[string]; -}; - -global hostslist: table[addr] of Val = table(); - -event bro_init() - { - Input::add_table([$source="/var/db/hosts", - $name="hosts", - $idx=Idx, - $val=Val, - $destination=hostslist, - $reader=Input::READER_SQLITE, - $config=table(["query"] = "select * from machines_to_users;") - ]); - - Input::remove("hosts"); - } - -event Input::end_of_data(name: string, source: string) - { - if ( name != "hosts" ) - return; - - # now all data is in the table - print "Hosts list has been successfully imported"; - - # List the users of one host. - print hostslist[192.168.17.1]$users; - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_sumstats-countconns_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_sumstats-countconns_bro.btest deleted file mode 100644 index 0ec0c9ce70..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_sumstats-countconns_bro.btest +++ /dev/null 
@@ -1,40 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -sumstats-countconns.bro - -@load base/frameworks/sumstats - -event connection_established(c: connection) - { - # Make an observation! - # This observation is global so the key is empty. - # Each established connection counts as one so the observation is always 1. - SumStats::observe("conn established", - SumStats::Key(), - SumStats::Observation($num=1)); - } - -event bro_init() - { - # Create the reducer. - # The reducer attaches to the "conn established" observation stream - # and uses the summing calculation on the observations. - local r1 = SumStats::Reducer($stream="conn established", - $apply=set(SumStats::SUM)); - - # Create the final sumstat. - # We give it an arbitrary name and make it collect data every minute. - # The reducer is then attached and a $epoch_result callback is given - # to finally do something with the data collected. - SumStats::create([$name = "counting connections", - $epoch = 1min, - $reducers = set(r1), - $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) = - { - # This is the body of the callback that is called when a single - # result has been collected. We are just printing the total number - # of connections that were seen. The $sum field is provided as a - # double type value so we need to use %f as the format specifier. - print fmt("Number of connections established: %.0f", result["conn established"]$sum); - }]); - } \ No newline at end of file diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_sumstats-toy-scan_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_sumstats-toy-scan_bro.btest deleted file mode 100644 index b1b46b3b39..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_sumstats-toy-scan_bro.btest +++ /dev/null 
@@ -1,49 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -sumstats-toy-scan.bro - -@load base/frameworks/sumstats - -# We use the connection_attempt event to limit our observations to those -# which were attempted and not successful. -event connection_attempt(c: connection) - { - # Make an observation! - # This observation is about the host attempting the connection. - # Each established connection counts as one so the observation is always 1. - SumStats::observe("conn attempted", - SumStats::Key($host=c$id$orig_h), - SumStats::Observation($num=1)); - } - -event bro_init() - { - # Create the reducer. - # The reducer attaches to the "conn attempted" observation stream - # and uses the summing calculation on the observations. Keep - # in mind that there will be one result per key (connection originator). - local r1 = SumStats::Reducer($stream="conn attempted", - $apply=set(SumStats::SUM)); - - # Create the final sumstat. - # This is slightly different from the last example since we're providing - # a callback to calculate a value to check against the threshold with - # $threshold_val. The actual threshold itself is provided with $threshold. - # Another callback is provided for when a key crosses the threshold. - SumStats::create([$name = "finding scanners", - $epoch = 5min, - $reducers = set(r1), - # Provide a threshold. - $threshold = 5.0, - # Provide a callback to calculate a value from the result - # to check against the threshold field. - $threshold_val(key: SumStats::Key, result: SumStats::Result) = - { - return result["conn attempted"]$sum; - }, - # Provide a callback for when a key crosses the threshold. - $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = - { - print fmt("%s attempted %.0f or more connections", key$host, result["conn attempted"]$sum); - }]); - } 
diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest deleted file mode 100644 index 729947ff72..0000000000 --- a/testing/btest/doc/sphinx/include-doc_httpmonitor_file_extraction_bro.btest +++ /dev/null @@ -1,28 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -file_extraction.bro - - -global mime_to_ext: table[string] of string = { - ["application/x-dosexec"] = "exe", - ["text/plain"] = "txt", - ["image/jpeg"] = "jpg", - ["image/png"] = "png", - ["text/html"] = "html", -}; - -event file_sniff(f: fa_file, meta: fa_metadata) - { - if ( f$source != "HTTP" ) - return; - - if ( ! meta?$mime_type ) - return; - - if ( meta$mime_type !in mime_to_ext ) - return; - - local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]); - print fmt("Extracting file %s", fname); - Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]); - } diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_01_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_01_bro.btest deleted file mode 100644 index 4e10859d98..0000000000 --- a/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_01_bro.btest +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -http_proxy_01.bro - -event http_reply(c: connection, version: string, code: count, reason: string) - { - if ( /^[hH][tT][tT][pP]:/ in c$http$uri && c$http$status_code == 200 ) - print fmt("A local server is acting as an open proxy: %s", c$id$resp_h); - } diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_02_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_02_bro.btest deleted file mode 100644 index 01e3822001..0000000000 --- a/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_02_bro.btest +++ /dev/null 
@@ -1,30 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -http_proxy_02.bro - - -module HTTP; - -export { - - global success_status_codes: set[count] = { - 200, - 201, - 202, - 203, - 204, - 205, - 206, - 207, - 208, - 226, - 304 - }; -} - -event http_reply(c: connection, version: string, code: count, reason: string) - { - if ( /^[hH][tT][tT][pP]:/ in c$http$uri && - c$http$status_code in HTTP::success_status_codes ) - print fmt("A local server is acting as an open proxy: %s", c$id$resp_h); - } diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_03_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_03_bro.btest deleted file mode 100644 index 5139fa8c49..0000000000 --- a/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_03_bro.btest +++ /dev/null @@ -1,35 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -http_proxy_03.bro - - -@load base/utils/site - -redef Site::local_nets += { 192.168.0.0/16 }; - -module HTTP; - -export { - - global success_status_codes: set[count] = { - 200, - 201, - 202, - 203, - 204, - 205, - 206, - 207, - 208, - 226, - 304 - }; -} - -event http_reply(c: connection, version: string, code: count, reason: string) - { - if ( Site::is_local_addr(c$id$resp_h) && - /^[hH][tT][tT][pP]:/ in c$http$uri && - c$http$status_code in HTTP::success_status_codes ) - print fmt("A local server is acting as an open proxy: %s", c$id$resp_h); - } diff --git a/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_04_bro.btest b/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_04_bro.btest deleted file mode 100644 index a8ca8e19b2..0000000000 --- a/testing/btest/doc/sphinx/include-doc_httpmonitor_http_proxy_04_bro.btest +++ /dev/null 
@@ -1,44 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -http_proxy_04.bro - -@load base/utils/site -@load base/frameworks/notice - -redef Site::local_nets += { 192.168.0.0/16 }; - -module HTTP; - -export { - - redef enum Notice::Type += { - Open_Proxy - }; - - global success_status_codes: set[count] = { - 200, - 201, - 202, - 203, - 204, - 205, - 206, - 207, - 208, - 226, - 304 - }; -} - -event http_reply(c: connection, version: string, code: count, reason: string) - { - if ( Site::is_local_addr(c$id$resp_h) && - /^[hH][tT][tT][pP]:/ in c$http$uri && - c$http$status_code in HTTP::success_status_codes ) - NOTICE([$note=HTTP::Open_Proxy, - $msg=fmt("A local server is acting as an open proxy: %s", - c$id$resp_h), - $conn=c, - $identifier=cat(c$id$resp_h), - $suppress_for=1day]); - } diff --git a/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro.btest b/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro.btest deleted file mode 100644 index ef537b6c53..0000000000 --- a/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro.btest +++ /dev/null 
@@ -1,39 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -mimestats.bro - -module MimeMetrics; - -export { - - redef enum Log::ID += { LOG }; - - type Info: record { - ## Timestamp when the log line was finished and written. - ts: time &log; - ## Time interval that the log line covers. - ts_delta: interval &log; - ## The mime type - mtype: string &log; - ## The number of unique local hosts that fetched this mime type - uniq_hosts: count &log; - ## The number of hits to the mime type - hits: count &log; - ## The total number of bytes received by this mime type - bytes: count &log; - }; - - ## The frequency of logging the stats collected by this script. - const break_interval = 5mins &redef; -} -event HTTP::log_http(rec: HTTP::Info) - { - if ( Site::is_local_addr(rec$id$orig_h) && rec?$resp_mime_types ) - { - local mime_type = rec$resp_mime_types[0]; - SumStats::observe("mime.bytes", [$str=mime_type], - [$num=rec$response_body_len]); - SumStats::observe("mime.hits", [$str=mime_type], - [$str=cat(rec$id$orig_h)]); - } - } diff --git a/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro@2.btest b/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro@2.btest deleted file mode 100644 index 027eade4dc..0000000000 --- a/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro@2.btest +++ /dev/null @@ -1,8 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -mimestats.bro - - local r1: SumStats::Reducer = [$stream="mime.bytes", - $apply=set(SumStats::SUM)]; - local r2: SumStats::Reducer = [$stream="mime.hits", - $apply=set(SumStats::UNIQUE)]; diff --git a/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro@3.btest b/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro@3.btest deleted file mode 100644 index e410c6ebb9..0000000000 --- a/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro@3.btest +++ /dev/null 
@@ -1,18 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -mimestats.bro - - SumStats::create([$name="mime-metrics", - $epoch=break_interval, - $reducers=set(r1, r2), - $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) = - { - local l: Info; - l$ts = network_time(); - l$ts_delta = break_interval; - l$mtype = key$str; - l$bytes = double_to_count(floor(result["mime.bytes"]$sum)); - l$hits = result["mime.hits"]$num; - l$uniq_hosts = result["mime.hits"]$unique; - Log::write(MimeMetrics::LOG, l); - }]); diff --git a/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro@4.btest b/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro@4.btest deleted file mode 100644 index 10c7b6bb34..0000000000 --- a/testing/btest/doc/sphinx/include-doc_mimestats_mimestats_bro@4.btest +++ /dev/null 
@@ -1,68 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -mimestats.bro - -@load base/utils/site -@load base/frameworks/sumstats - -redef Site::local_nets += { 10.0.0.0/8 }; - -module MimeMetrics; - -export { - - redef enum Log::ID += { LOG }; - - type Info: record { - ## Timestamp when the log line was finished and written. - ts: time &log; - ## Time interval that the log line covers. - ts_delta: interval &log; - ## The mime type - mtype: string &log; - ## The number of unique local hosts that fetched this mime type - uniq_hosts: count &log; - ## The number of hits to the mime type - hits: count &log; - ## The total number of bytes received by this mime type - bytes: count &log; - }; - - ## The frequency of logging the stats collected by this script. - const break_interval = 5mins &redef; -} - -event bro_init() &priority=3 - { - Log::create_stream(MimeMetrics::LOG, [$columns=Info, $path="mime_metrics"]); - local r1: SumStats::Reducer = [$stream="mime.bytes", - $apply=set(SumStats::SUM)]; - local r2: SumStats::Reducer = [$stream="mime.hits", - $apply=set(SumStats::UNIQUE)]; - SumStats::create([$name="mime-metrics", - $epoch=break_interval, - $reducers=set(r1, r2), - $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) = - { - local l: Info; - l$ts = network_time(); - l$ts_delta = break_interval; - l$mtype = key$str; - l$bytes = double_to_count(floor(result["mime.bytes"]$sum)); - l$hits = result["mime.hits"]$num; - l$uniq_hosts = result["mime.hits"]$unique; - Log::write(MimeMetrics::LOG, l); - }]); - } - -event HTTP::log_http(rec: HTTP::Info) - { - if ( Site::is_local_addr(rec$id$orig_h) && rec?$resp_mime_types ) - { - local mime_type = rec$resp_mime_types[0]; - SumStats::observe("mime.bytes", [$str=mime_type], - [$num=rec$response_body_len]); - SumStats::observe("mime.hits", [$str=mime_type], - [$str=cat(rec$id$orig_h)]); - } - } 
diff --git a/testing/btest/doc/sphinx/include-doc_quickstart_conditional-notice_bro.btest b/testing/btest/doc/sphinx/include-doc_quickstart_conditional-notice_bro.btest deleted file mode 100644 index 8412154ec4..0000000000 --- a/testing/btest/doc/sphinx/include-doc_quickstart_conditional-notice_bro.btest +++ /dev/null @@ -1,28 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -conditional-notice.bro - -@load protocols/ssl/expiring-certs - -const watched_servers: set[addr] = { - 87.98.220.10, -} &redef; - -# Site::local_nets usually isn't something you need to modify if -# BroControl automatically sets it up from networks.cfg. It's -# shown here for completeness. -redef Site::local_nets += { - 87.98.0.0/16, -}; - -hook Notice::policy(n: Notice::Info) - { - if ( n$note != SSL::Certificate_Expired ) - return; - - if ( n$id$resp_h !in watched_servers ) - return; - - add n$actions[Notice::ACTION_EMAIL]; - } - diff --git a/testing/btest/doc/sphinx/include-doc_scripting_connection_record_01_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_connection_record_01_bro.btest deleted file mode 100644 index 34303a12ad..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_connection_record_01_bro.btest +++ /dev/null @@ -1,10 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -connection_record_01.bro - -@load base/protocols/conn - -event connection_state_remove(c: connection) - { - print c; - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_connection_record_02_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_connection_record_02_bro.btest deleted file mode 100644 index 12092ee2a0..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_connection_record_02_bro.btest +++ /dev/null @@ -1,11 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -connection_record_02.bro - -@load base/protocols/conn -@load base/protocols/http - -event connection_state_remove(c: connection) - { - print c; - } 
diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_record_01_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_record_01_bro.btest deleted file mode 100644 index e67783fdeb..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_record_01_bro.btest +++ /dev/null @@ -1,26 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_record_01.bro - -type Service: record { - name: string; - ports: set[port]; - rfc: count; -}; - -function print_service(serv: Service) - { - print fmt("Service: %s(RFC%d)",serv$name, serv$rfc); - - for ( p in serv$ports ) - print fmt(" port: %s", p); - } - -event bro_init() - { - local dns: Service = [$name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035]; - local http: Service = [$name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616]; - - print_service(dns); - print_service(http); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_record_02_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_record_02_bro.btest deleted file mode 100644 index 04da3522f2..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_record_02_bro.btest +++ /dev/null 
@@ -1,45 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_record_02.bro - -type Service: record { - name: string; - ports: set[port]; - rfc: count; - }; - -type System: record { - name: string; - services: set[Service]; - }; - -function print_service(serv: Service) - { - print fmt(" Service: %s(RFC%d)",serv$name, serv$rfc); - - for ( p in serv$ports ) - print fmt(" port: %s", p); - } - -function print_system(sys: System) - { - print fmt("System: %s", sys$name); - - for ( s in sys$services ) - print_service(s); - } - -event bro_init() - { - local server01: System; - server01$name = "morlock"; - add server01$services[[ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035]]; - add server01$services[[ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616]]; - print_system(server01); - - - # local dns: Service = [ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035]; - # local http: Service = [ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616]; - # print_service(dns); - # print_service(http); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro.btest deleted file mode 100644 index 47aa12030b..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro.btest +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_set_declaration.bro - -event bro_init() - { - local ssl_ports: set[port]; - local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp ); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro@2.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro@2.btest deleted file mode 100644 index 12020f4b67..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro@2.btest +++ /dev/null 
@@ -1,9 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_set_declaration.bro - - for ( i in ssl_ports ) - print fmt("SSL Port: %s", i); - - for ( i in non_ssl_ports ) - print fmt("Non-SSL Port: %s", i); diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro@3.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro@3.btest deleted file mode 100644 index b7a68af4aa..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro@3.btest +++ /dev/null @@ -1,7 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_set_declaration.bro - - # Check for SMTPS - if ( 587/tcp !in ssl_ports ) - add ssl_ports[587/tcp]; diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro@4.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro@4.btest deleted file mode 100644 index 53b193850c..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_set_declaration_bro@4.btest +++ /dev/null @@ -1,26 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_set_declaration.bro - -event bro_init() - { - local ssl_ports: set[port]; - local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp ); - - # SSH - add ssl_ports[22/tcp]; - # HTTPS - add ssl_ports[443/tcp]; - # IMAPS - add ssl_ports[993/tcp]; - - # Check for SMTPS - if ( 587/tcp !in ssl_ports ) - add ssl_ports[587/tcp]; - - for ( i in ssl_ports ) - print fmt("SSL Port: %s", i); - - for ( i in non_ssl_ports ) - print fmt("Non-SSL Port: %s", i); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_table_complex_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_table_complex_bro.btest deleted file mode 100644 index c92d338cec..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_table_complex_bro.btest +++ /dev/null 
@@ -1,17 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_table_complex.bro - -event bro_init() - { - local samurai_flicks: table[string, string, count, string] of string; - - samurai_flicks["Kihachi Okamoto", "Toho", 1968, "Tatsuya Nakadai"] = "Kiru"; - samurai_flicks["Hideo Gosha", "Fuji", 1969, "Tatsuya Nakadai"] = "Goyokin"; - samurai_flicks["Masaki Kobayashi", "Shochiku Eiga", 1962, "Tatsuya Nakadai" ] = "Harakiri"; - samurai_flicks["Yoji Yamada", "Eisei Gekijo", 2002, "Hiroyuki Sanada" ] = "Tasogare Seibei"; - - for ( [d, s, y, a] in samurai_flicks ) - print fmt("%s was released in %d by %s studios, directed by %s and starring %s", samurai_flicks[d, s, y, a], y, s, d, a); - } - diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_table_declaration_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_table_declaration_bro.btest deleted file mode 100644 index f6d38e1618..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_table_declaration_bro.btest +++ /dev/null @@ -1,23 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_table_declaration.bro - -event bro_init() - { - # Declaration of the table. - local ssl_services: table[string] of port; - - # Initialize the table. - ssl_services = table(["SSH"] = 22/tcp, ["HTTPS"] = 443/tcp); - - # Insert one key-yield pair into the table. - ssl_services["IMAPS"] = 993/tcp; - - # Check if the key "SMTPS" is not in the table. - if ( "SMTPS" !in ssl_services ) - ssl_services["SMTPS"] = 587/tcp; - - # Iterate over each key in the table. - for ( k in ssl_services ) - print fmt("Service Name: %s - Common Port: %s", k, ssl_services[k]); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest deleted file mode 100644 index 22790f45fe..0000000000 
--- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest +++ /dev/null @@ -1,19 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_vector_declaration.bro - -event bro_init() - { - local v1: vector of count; - local v2 = vector(1, 2, 3, 4); - - v1 += 1; - v1 += 2; - v1 += 3; - v1 += 4; - - print fmt("contents of v1: %s", v1); - print fmt("length of v1: %d", |v1|); - print fmt("contents of v2: %s", v2); - print fmt("length of v2: %d", |v2|); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_iter_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_iter_bro.btest deleted file mode 100644 index 5f16dcc5af..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_iter_bro.btest +++ /dev/null @@ -1,11 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_struct_vector_iter.bro - -event bro_init() - { - local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6); - - for (i in addr_vector) - print mask_addr(addr_vector[i], 18); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_const_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_const_bro.btest deleted file mode 100644 index 20a4f8d71e..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_const_bro.btest +++ /dev/null @@ -1,13 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_const.bro - -const port_list: table[port] of string &redef; - -redef port_list += { [6666/tcp] = "IRC"}; -redef port_list += { [80/tcp] = "WWW" }; - -event bro_init() - { - print port_list; - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_const_simple_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_const_simple_bro.btest deleted file mode 100644 index 29844f2b01..0000000000 
--- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_const_simple_bro.btest +++ /dev/null @@ -1,8 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_const_simple.bro - -@load base/protocols/http - -redef HTTP::default_capture_password = T; - diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_declaration_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_declaration_bro.btest deleted file mode 100644 index a153f3066c..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_declaration_bro.btest +++ /dev/null @@ -1,13 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_declaration.bro - -event bro_init() - { - local a: int; - a = 10; - local b = 10; - - if ( a == b ) - print fmt("A: %d, B: %d", a, b); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_interval_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_interval_bro.btest deleted file mode 100644 index 25076f3e8e..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_interval_bro.btest +++ /dev/null @@ -1,22 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_interval.bro - -# Store the time the previous connection was established. -global last_connection_time: time; - -# boolean value to indicate whether we have seen a previous connection. -global connection_seen: bool = F; - -event connection_established(c: connection) - { - local net_time: time = network_time(); - - print fmt("%s: New connection established from %s to %s", strftime("%Y/%M/%d %H:%m:%S", net_time), c$id$orig_h, c$id$resp_h); - - if ( connection_seen ) - print fmt(" Time since last connection: %s", net_time - last_connection_time); - - last_connection_time = net_time; - connection_seen = T; - } 
diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_local_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_local_bro.btest deleted file mode 100644 index 0e034dddd2..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_local_bro.btest +++ /dev/null @@ -1,15 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_local.bro - -function add_two(i: count): count - { - local added_two = i+2; - print fmt("i + 2 = %d", added_two); - return added_two; - } - -event bro_init() - { - local test = add_two(10); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_pattern_01_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_pattern_01_bro.btest deleted file mode 100644 index cca008116e..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_pattern_01_bro.btest +++ /dev/null @@ -1,17 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_pattern_01.bro - -event bro_init() - { - local test_string = "The quick brown fox jumps over the lazy dog."; - local test_pattern = /quick|lazy/; - - if ( test_pattern in test_string ) - { - local results = split(test_string, test_pattern); - print results[1]; - print results[2]; - print results[3]; - } - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_pattern_02_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_pattern_02_bro.btest deleted file mode 100644 index 4e4d8992df..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_pattern_02_bro.btest +++ /dev/null 
@@ -1,14 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_pattern_02.bro - -event bro_init() - { - local test_string = "equality"; - - local test_pattern = /equal/; - print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not"); - - test_pattern = /equality/; - print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not"); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_record_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_record_bro.btest deleted file mode 100644 index 6d8760700a..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_record_bro.btest +++ /dev/null @@ -1,29 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_record.bro - -module Conn; - -export { - ## The record type which contains column fields of the connection log. - type Info: record { - ts: time &log; - uid: string &log; - id: conn_id &log; - proto: transport_proto &log; - service: string &log &optional; - duration: interval &log &optional; - orig_bytes: count &log &optional; - resp_bytes: count &log &optional; - conn_state: string &log &optional; - local_orig: bool &log &optional; - local_resp: bool &log &optional; - missed_bytes: count &log &default=0; - history: string &log &optional; - orig_pkts: count &log &optional; - orig_ip_bytes: count &log &optional; - resp_pkts: count &log &optional; - resp_ip_bytes: count &log &optional; - tunnel_parents: set[string] &log; - }; -} diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_subnets_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_subnets_bro.btest deleted file mode 100644 index 75600794ec..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_subnets_bro.btest +++ /dev/null 
@@ -1,19 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_subnets.bro - -event bro_init() - { - local subnets = vector(172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20); - local addresses = vector(172.16.4.56, 172.16.47.254, 172.16.22.45, 172.16.1.1); - - for ( a in addresses ) - { - for ( s in subnets ) - { - if ( addresses[a] in subnets[s] ) - print fmt("%s belongs to subnet %s", addresses[a], subnets[s]); - } - } - - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_type_time_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_type_time_bro.btest deleted file mode 100644 index 00a3e20813..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_type_time_bro.btest +++ /dev/null @@ -1,8 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -data_type_time.bro - -event connection_established(c: connection) - { - print fmt("%s: New connection established from %s to %s\n", strftime("%Y/%M/%d %H:%m:%S", network_time()), c$id$orig_h, c$id$resp_h); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_01_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_01_bro.btest deleted file mode 100644 index e542572647..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_01_bro.btest +++ /dev/null @@ -1,23 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -framework_logging_factorial_01.bro - -module Factor; - -function factorial(n: count): count - { - if ( n == 0 ) - return 1; - else - return ( n * factorial(n - 1) ); - } - -event bro_init() - { - local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10); - - for ( n in numbers ) - print fmt("%d", factorial(numbers[n])); - } - - 
diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_02_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_02_bro.btest deleted file mode 100644 index 19932699b6..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_02_bro.btest +++ /dev/null @@ -1,39 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -framework_logging_factorial_02.bro - -module Factor; - -export { - # Append the value LOG to the Log::ID enumerable. - redef enum Log::ID += { LOG }; - - # Define a new type called Factor::Info. - type Info: record { - num: count &log; - factorial_num: count &log; - }; - } - -function factorial(n: count): count - { - if ( n == 0 ) - return 1; - - else - return ( n * factorial(n - 1) ); - } - -event bro_init() - { - # Create the logging stream. - Log::create_stream(LOG, [$columns=Info, $path="factor"]); - } - -event bro_done() - { - local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10); - for ( n in numbers ) - Log::write( Factor::LOG, [$num=numbers[n], - $factorial_num=factorial(numbers[n])]); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest deleted file mode 100644 index 01ed659c75..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest +++ /dev/null 
@@ -1,49 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -framework_logging_factorial_03.bro - -module Factor; - -export { - redef enum Log::ID += { LOG }; - - type Info: record { - num: count &log; - factorial_num: count &log; - }; - } - -function factorial(n: count): count - { - if ( n == 0 ) - return 1; - - else - return (n * factorial(n - 1)); - } - -event bro_done() - { - local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10); - for ( n in numbers ) - Log::write( Factor::LOG, [$num=numbers[n], - $factorial_num=factorial(numbers[n])]); - } - -function mod5(id: Log::ID, path: string, rec: Factor::Info) : string - { - if ( rec$factorial_num % 5 == 0 ) - return "factor-mod5"; - - else - return "factor-non5"; - } - -event bro_init() - { - Log::create_stream(LOG, [$columns=Info, $path="factor"]); - - local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5]; - Log::add_filter(Factor::LOG, filter); - Log::remove_filter(Factor::LOG, "default"); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_04_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_04_bro.btest deleted file mode 100644 index c0f8d8ddac..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_04_bro.btest +++ /dev/null 
@@ -1,54 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -framework_logging_factorial_04.bro - -module Factor; - -export { - redef enum Log::ID += { LOG }; - - type Info: record { - num: count &log; - factorial_num: count &log; - }; - - global log_factor: event(rec: Info); - } - -function factorial(n: count): count - { - if ( n == 0 ) - return 1; - - else - return (n * factorial(n - 1)); - } - -event bro_init() - { - Log::create_stream(LOG, [$columns=Info, $ev=log_factor, $path="factor"]); - } - -event bro_done() - { - local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10); - for ( n in numbers ) - Log::write( Factor::LOG, [$num=numbers[n], - $factorial_num=factorial(numbers[n])]); - } - -function mod5(id: Log::ID, path: string, rec: Factor::Info) : string - { - if ( rec$factorial_num % 5 == 0 ) - return "factor-mod5"; - - else - return "factor-non5"; - } - -event bro_init() - { - local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5]; - Log::add_filter(Factor::LOG, filter); - Log::remove_filter(Factor::LOG, "default"); - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_hook_01_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_hook_01_bro.btest deleted file mode 100644 index 96a3b5a921..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_hook_01_bro.btest +++ /dev/null @@ -1,11 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -framework_notice_hook_01.bro - -@load policy/protocols/ssh/interesting-hostnames.bro - -hook Notice::policy(n: Notice::Info) - { - if ( n$note == SSH::Interesting_Hostname_Login ) - add n$actions[Notice::ACTION_EMAIL]; - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_hook_suppression_01_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_hook_suppression_01_bro.btest deleted file mode 100644 index b51bd2eebe..0000000000 
--- a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_hook_suppression_01_bro.btest +++ /dev/null @@ -1,11 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -framework_notice_hook_suppression_01.bro - -@load policy/protocols/ssl/expiring-certs.bro - -hook Notice::policy(n: Notice::Info) - { - if ( n$note == SSL::Certificate_Expires_Soon ) - n$suppress_for = 12hrs; - } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest deleted file mode 100644 index 7a0eaf5cb4..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest +++ /dev/null @@ -1,11 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -framework_notice_shortcuts_01.bro - -@load policy/protocols/ssh/interesting-hostnames.bro -@load base/protocols/ssh/ - -redef Notice::emailed_types += { - SSH::Interesting_Hostname_Login -}; - diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest deleted file mode 100644 index 0e92c5ea32..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest +++ /dev/null @@ -1,10 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -framework_notice_shortcuts_02.bro - -@load policy/protocols/ssh/interesting-hostnames.bro -@load base/protocols/ssh/ - -redef Notice::type_suppression_intervals += { - [SSH::Interesting_Hostname_Login] = 1day, -}; diff --git a/testing/btest/doc/sphinx/include-doc_scripting_http_main_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_http_main_bro.btest deleted file mode 100644 index 9f49450799..0000000000 --- a/testing/btest/doc/sphinx/include-doc_scripting_http_main_bro.btest +++ /dev/null 
@@ -1,11 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-http_main.bro
-
-module HTTP;
-
-export {
- ## This setting changes if passwords used in Basic-Auth are captured or
- ## not.
- const default_capture_password = F &redef;
-}
diff --git a/testing/btest/doc/sphinx/include-scripts_base_bif_event_bif_bro.btest b/testing/btest/doc/sphinx/include-scripts_base_bif_event_bif_bro.btest
deleted file mode 100644
index c77e08c5a1..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_base_bif_event_bif_bro.btest
+++ /dev/null
@@ -1,21 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-event.bif.bro
-
-## Generated for every new connection. This event is raised with the first
-## packet of a previously unknown connection. Bro uses a flow-based definition
-## of "connection" here that includes not only TCP sessions but also UDP and
-## ICMP flows.
-global new_connection: event(c: connection );
-## Generated when a TCP connection timed out. This event is raised when
-## no activity was seen for an interval of at least
-## :bro:id:`tcp_connection_linger`, and either one endpoint has already
-## closed the connection or one side never became active.
-global connection_timeout: event(c: connection );
-## Generated when a connection's internal state is about to be removed from
-## memory. Bro generates this event reliably once for every connection when it
-## is about to delete the internal state. As such, the event is well-suited for
-## script-level cleanup that needs to be performed for every connection. This
-## event is generated not only for TCP sessions but also for UDP and ICMP
-## flows.
-global connection_state_remove: event(c: connection );
diff --git a/testing/btest/doc/sphinx/include-scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest b/testing/btest/doc/sphinx/include-scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest
deleted file mode 100644
index 6e15ece5e0..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest
+++ /dev/null
@@ -1,30 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-Bro_DNS.events.bif.bro
-
-## Generated for DNS requests. For requests with multiple queries, this event
-## is raised once for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## query: The queried name.
-##
-## qtype: The queried resource record type.
-##
-## qclass: The queried resource record class.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count );
diff --git a/testing/btest/doc/sphinx/include-scripts_base_init-bare_bro.btest b/testing/btest/doc/sphinx/include-scripts_base_init-bare_bro.btest
deleted file mode 100644
index 0057a78cc4..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_base_init-bare_bro.btest
+++ /dev/null
@@ -1,7 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-init-bare.bro
-
-type string_array: table[count] of string;
-type string_set: set[string];
-type addr_set: set[addr];
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
deleted file mode 100644
index 1ecfcf027a..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
+++ /dev/null
@@ -1,76 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-MHR.bro
-
-##! Detect file downloads that have hash values matching files in Team
-##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
-
-@load base/frameworks/files
-@load base/frameworks/notice
-@load frameworks/files/hash-all-files
-
-module TeamCymruMalwareHashRegistry;
-
-export {
- redef enum Notice::Type += {
- ## The hash value of a file transferred over HTTP matched in the
- ## malware hash registry.
- Match
- };
-
- ## File types to attempt matching against the Malware Hash Registry.
- option match_file_types = /application\/x-dosexec/ |
- /application\/vnd.ms-cab-compressed/ |
- /application\/pdf/ |
- /application\/x-shockwave-flash/ |
- /application\/x-java-applet/ |
- /application\/jar/ |
- /video\/mp4/;
-
- ## The Match notice has a sub message with a URL where you can get more
- ## information about the file. The %s will be replaced with the SHA-1
- ## hash of the file.
- option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
-
- ## The malware hash registry runs each malware sample through several
- ## A/V engines. Team Cymru returns a percentage to indicate how
- ## many A/V engines flagged the sample as malicious. This threshold
- ## allows you to require a minimum detection rate.
- option notice_threshold = 10;
-}
-
-function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
- {
- local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
-
- when ( local MHR_result = lookup_hostname_txt(hash_domain) )
- {
- # Data is returned as " "
- local MHR_answer = split_string1(MHR_result, / /);
-
- if ( |MHR_answer| == 2 )
- {
- local mhr_detect_rate = to_count(MHR_answer[1]);
-
- if ( mhr_detect_rate >= notice_threshold )
- {
- local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
- local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
- local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt(match_sub_url, hash);
- # We don't have the full fa_file record here in order to
- # avoid the "when" statement cloning it (expensive!).
- local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
- Notice::populate_file_info2(fi, n);
- NOTICE(n);
- }
- }
- }
- }
-
-event file_hash(f: fa_file, kind: string, hash: string)
- {
- if ( kind == "sha1" && f?$info && f$info?$mime_type &&
- match_file_types in f$info$mime_type )
- do_mhr_lookup(hash, Notice::create_file_info(f));
- }
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@2.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@2.btest
deleted file mode 100644
index 4ce4383efb..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@2.btest
+++ /dev/null
@@ -1,7 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-MHR.bro
-
-@load base/frameworks/files
-@load base/frameworks/notice
-@load frameworks/files/hash-all-files
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest
deleted file mode 100644
index 3b1cd60810..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest
+++ /dev/null
@@ -1,31 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-MHR.bro
-
-export {
- redef enum Notice::Type += {
- ## The hash value of a file transferred over HTTP matched in the
- ## malware hash registry.
- Match
- };
-
- ## File types to attempt matching against the Malware Hash Registry.
- option match_file_types = /application\/x-dosexec/ |
- /application\/vnd.ms-cab-compressed/ |
- /application\/pdf/ |
- /application\/x-shockwave-flash/ |
- /application\/x-java-applet/ |
- /application\/jar/ |
- /video\/mp4/;
-
- ## The Match notice has a sub message with a URL where you can get more
- ## information about the file. The %s will be replaced with the SHA-1
- ## hash of the file.
- option match_sub_url = "https://www.virustotal.com/en/search/?query=%s";
-
- ## The malware hash registry runs each malware sample through several
- ## A/V engines. Team Cymru returns a percentage to indicate how
- ## many A/V engines flagged the sample as malicious. This threshold
- ## allows you to require a minimum detection rate.
- option notice_threshold = 10;
-}
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
deleted file mode 100644
index 55950caf6b..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
+++ /dev/null
@@ -1,38 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-MHR.bro
-
-function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
- {
- local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
-
- when ( local MHR_result = lookup_hostname_txt(hash_domain) )
- {
- # Data is returned as " "
- local MHR_answer = split_string1(MHR_result, / /);
-
- if ( |MHR_answer| == 2 )
- {
- local mhr_detect_rate = to_count(MHR_answer[1]);
-
- if ( mhr_detect_rate >= notice_threshold )
- {
- local mhr_first_detected = double_to_time(to_double(MHR_answer[0]));
- local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
- local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
- local virustotal_url = fmt(match_sub_url, hash);
- # We don't have the full fa_file record here in order to
- # avoid the "when" statement cloning it (expensive!).
- local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
- Notice::populate_file_info2(fi, n);
- NOTICE(n);
- }
- }
- }
- }
-
-event file_hash(f: fa_file, kind: string, hash: string)
- {
- if ( kind == "sha1" && f?$info && f$info?$mime_type &&
- match_file_types in f$info$mime_type )
- do_mhr_lookup(hash, Notice::create_file_info(f));
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro.btest
deleted file mode 100644
index 59d57223d9..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro.btest
+++ /dev/null
@@ -1,21 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-bruteforcing.bro
-
-module FTP;
-
-export {
- redef enum Notice::Type += {
- ## Indicates a host bruteforcing FTP logins by watching for too
- ## many rejected usernames or failed passwords.
- Bruteforcing
- };
-
- ## How many rejected usernames or passwords are required before being
- ## considered to be bruteforcing.
- const bruteforce_threshold: double = 20 &redef;
-
- ## The time period in which the threshold needs to be crossed before
- ## being reset.
- const bruteforce_measurement_interval = 15mins &redef;
-}
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@2.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@2.btest
deleted file mode 100644
index 648fe8a559..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@2.btest
+++ /dev/null
@@ -1,13 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-bruteforcing.bro
-
-event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
- {
- local cmd = c$ftp$cmdarg$cmd;
- if ( cmd == "USER" || cmd == "PASS" )
- {
- if ( FTP::parse_ftp_reply_code(code)$x == 5 )
- SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
- }
- }
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@3.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@3.btest
deleted file mode 100644
index f81c9f50ba..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@3.btest
+++ /dev/null
@@ -1,27 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-bruteforcing.bro
-
-event bro_init()
- {
- local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
- SumStats::create([$name="ftp-detect-bruteforcing",
- $epoch=bruteforce_measurement_interval,
- $reducers=set(r1),
- $threshold_val(key: SumStats::Key, result: SumStats::Result) =
- {
- return result["ftp.failed_auth"]$num+0.0;
- },
- $threshold=bruteforce_threshold,
- $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
- {
- local r = result["ftp.failed_auth"];
- local dur = duration_to_mins_secs(r$end-r$begin);
- local plural = r$unique>1 ? "s" : "";
- local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
- NOTICE([$note=FTP::Bruteforcing,
- $src=key$host,
- $msg=message,
- $identifier=cat(key$host)]);
- }]);
- }
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@4.btest
deleted file mode 100644
index bb7b0fd078..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ftp_detect-bruteforcing_bro@4.btest
+++ /dev/null
@@ -1,64 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-detect-bruteforcing.bro
-
-##! FTP brute-forcing detector, triggering when too many rejected usernames or
-##! failed passwords have occurred from a single address.
-
-@load base/protocols/ftp
-@load base/frameworks/sumstats
-
-@load base/utils/time
-
-module FTP;
-
-export {
- redef enum Notice::Type += {
- ## Indicates a host bruteforcing FTP logins by watching for too
- ## many rejected usernames or failed passwords.
- Bruteforcing
- };
-
- ## How many rejected usernames or passwords are required before being
- ## considered to be bruteforcing.
- const bruteforce_threshold: double = 20 &redef;
-
- ## The time period in which the threshold needs to be crossed before
- ## being reset.
- const bruteforce_measurement_interval = 15mins &redef;
-}
-
-
-event bro_init()
- {
- local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
- SumStats::create([$name="ftp-detect-bruteforcing",
- $epoch=bruteforce_measurement_interval,
- $reducers=set(r1),
- $threshold_val(key: SumStats::Key, result: SumStats::Result) =
- {
- return result["ftp.failed_auth"]$num+0.0;
- },
- $threshold=bruteforce_threshold,
- $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
- {
- local r = result["ftp.failed_auth"];
- local dur = duration_to_mins_secs(r$end-r$begin);
- local plural = r$unique>1 ? "s" : "";
- local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
- NOTICE([$note=FTP::Bruteforcing,
- $src=key$host,
- $msg=message,
- $identifier=cat(key$host)]);
- }]);
- }
-
-event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
- {
- local cmd = c$ftp$cmdarg$cmd;
- if ( cmd == "USER" || cmd == "PASS" )
- {
- if ( FTP::parse_ftp_reply_code(code)$x == 5 )
- SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
- }
- }
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssh_interesting-hostnames_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssh_interesting-hostnames_bro.btest
deleted file mode 100644
index 8ed5d89543..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssh_interesting-hostnames_bro.btest
+++ /dev/null
@@ -1,56 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-interesting-hostnames.bro
-
-##! This script will generate a notice if an apparent SSH login originates
-##! or heads to a host with a reverse hostname that looks suspicious. By
-##! default, the regular expression to match "interesting" hostnames includes
-##! names that are typically used for infrastructure hosts like nameservers,
-##! mail servers, web servers and ftp servers.
-
-@load base/frameworks/notice
-
-module SSH;
-
-export {
- redef enum Notice::Type += {
- ## Generated if a login originates or responds with a host where
- ## the reverse hostname lookup resolves to a name matched by the
- ## :bro:id:`SSH::interesting_hostnames` regular expression.
- Interesting_Hostname_Login,
- };
-
- ## Strange/bad host names to see successful SSH logins from or to.
- option interesting_hostnames =
- /^d?ns[0-9]*\./ |
- /^smtp[0-9]*\./ |
- /^mail[0-9]*\./ |
- /^pop[0-9]*\./ |
- /^imap[0-9]*\./ |
- /^www[0-9]*\./ |
- /^ftp[0-9]*\./;
-}
-
-function check_ssh_hostname(id: conn_id, uid: string, host: addr)
- {
- when ( local hostname = lookup_addr(host) )
- {
- if ( interesting_hostnames in hostname )
- {
- NOTICE([$note=Interesting_Hostname_Login,
- $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
- Site::is_local_addr(host) ? "local" : "remote",
- host == id$orig_h ? "client" : "server"),
- $sub=hostname, $id=id, $uid=uid]);
- }
- }
- }
-
-event ssh_auth_successful(c: connection, auth_method_none: bool)
- {
- for ( host in set(c$id$orig_h, c$id$resp_h) )
- {
- check_ssh_hostname(c$id, c$uid, host);
- }
- }
-
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
deleted file mode 100644
index cc2d8817bd..0000000000
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-expiring-certs.bro
-
- NOTICE([$note=Certificate_Expires_Soon,
- $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
- $conn=c, $suppress_for=1day,
- $identifier=cat(c$id$resp_h, c$id$resp_p, hash),
- $fuid=fuid]);
diff --git a/testing/btest/doc/sphinx/mimestats.btest b/testing/btest/doc/sphinx/mimestats.btest
deleted file mode 100644
index 06e47ea888..0000000000
--- a/testing/btest/doc/sphinx/mimestats.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/bro.org.pcap ${DOC_ROOT}/mimestats/mimestats.bro
-@TEST-EXEC: btest-rst-include mime_metrics.log
diff --git a/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest b/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest
deleted file mode 100644
index ca5a6aec02..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-1-drop-with-debug.bro
-@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest#2 b/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest#2
deleted file mode 100644
index 03d4fe15f4..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-1-drop-with-debug.bro.btest#2
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd cat netcontrol_drop.log
diff --git a/testing/btest/doc/sphinx/netcontrol-2-ssh-guesser.bro.btest b/testing/btest/doc/sphinx/netcontrol-2-ssh-guesser.bro.btest
deleted file mode 100644
index 76b3ef2568..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-2-ssh-guesser.bro.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-2-ssh-guesser.bro
-@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest b/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest
deleted file mode 100644
index 4a8b749f0f..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/netcontrol-3-ssh-guesser.bro
-@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest#2 b/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest#2
deleted file mode 100644
index 8447c8cf90..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-3-ssh-guesser.bro.btest#2
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd cat notice.log
diff --git a/testing/btest/doc/sphinx/netcontrol-4-drop.bro.btest b/testing/btest/doc/sphinx/netcontrol-4-drop.bro.btest
deleted file mode 100644
index 44808d18a4..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-4-drop.bro.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-4-drop.bro
-@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-5-hook.bro.btest b/testing/btest/doc/sphinx/netcontrol-5-hook.bro.btest
deleted file mode 100644
index d2d7ab4d28..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-5-hook.bro.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-5-hook.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-6-find.bro.btest b/testing/btest/doc/sphinx/netcontrol-6-find.bro.btest
deleted file mode 100644
index dd8abab8f3..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-6-find.bro.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/google-duplicate.trace ${DOC_ROOT}/frameworks/netcontrol-6-find.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest b/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest
deleted file mode 100644
index ec49c2d2ba..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-7-catch-release.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest#2 b/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest#2
deleted file mode 100644
index 72a79f9639..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-7-catch-release.bro.btest#2
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd cat netcontrol_catch_release.log
diff --git a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest
deleted file mode 100644
index 790bac070d..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/frameworks/netcontrol-8-multiple.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#2 b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#2
deleted file mode 100644
index 24ef5ee2f9..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#2
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd cat netcontrol.log
diff --git a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#3 b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#3
deleted file mode 100644
index ad47aa86bf..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#3
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd cat openflow.log
diff --git a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#4 b/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#4
deleted file mode 100644
index 76b34fa474..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-8-multiple.bro.btest#4
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro
diff --git a/testing/btest/doc/sphinx/netcontrol-9-skeleton.bro.btest b/testing/btest/doc/sphinx/netcontrol-9-skeleton.bro.btest
deleted file mode 100644
index 76b34fa474..0000000000
--- a/testing/btest/doc/sphinx/netcontrol-9-skeleton.bro.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/tls/ecdhe.pcap ${DOC_ROOT}/frameworks/netcontrol-9-skeleton.bro ${DOC_ROOT}/frameworks/netcontrol-10-use-skeleton.bro
diff --git a/testing/btest/doc/sphinx/notice_ssh_guesser.bro.btest b/testing/btest/doc/sphinx/notice_ssh_guesser.bro.btest
deleted file mode 100644
index 50d6f17694..0000000000
--- a/testing/btest/doc/sphinx/notice_ssh_guesser.bro.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/notice_ssh_guesser.bro
-@TEST-EXEC: btest-rst-cmd cat notice.log
diff --git a/testing/btest/doc/sphinx/sqlite-conn-filter-check.btest b/testing/btest/doc/sphinx/sqlite-conn-filter-check.btest
deleted file mode 100644
index c34319428f..0000000000
--- a/testing/btest/doc/sphinx/sqlite-conn-filter-check.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-# Make sure this parses correctly at least.
-@TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-conn-filter.bro
diff --git a/testing/btest/doc/sphinx/sqlite-read-events-check.btest b/testing/btest/doc/sphinx/sqlite-read-events-check.btest
deleted file mode 100644
index 7a0f291882..0000000000
--- a/testing/btest/doc/sphinx/sqlite-read-events-check.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-# Make sure this parses correctly at least.
-@TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-read-events.bro
diff --git a/testing/btest/doc/sphinx/sqlite-read-table-check.btest b/testing/btest/doc/sphinx/sqlite-read-table-check.btest
deleted file mode 100644
index f696e30f1a..0000000000
--- a/testing/btest/doc/sphinx/sqlite-read-table-check.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-# Make sure this parses correctly at least.
-@TEST-EXEC: bro ${DOC_ROOT}/frameworks/sqlite-read-table.bro
diff --git a/testing/btest/doc/sphinx/sumstats-countconns.btest b/testing/btest/doc/sphinx/sumstats-countconns.btest
deleted file mode 100644
index fd375af5fb..0000000000
--- a/testing/btest/doc/sphinx/sumstats-countconns.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/workshop_2011_browse.trace ${DOC_ROOT}/frameworks/sumstats-countconns.bro
diff --git a/testing/btest/doc/sphinx/sumstats-toy-scan.btest b/testing/btest/doc/sphinx/sumstats-toy-scan.btest
deleted file mode 100644
index 8756f1cfc0..0000000000
--- a/testing/btest/doc/sphinx/sumstats-toy-scan.btest
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/nmap-vsn.trace ${DOC_ROOT}/frameworks/sumstats-toy-scan.bro
diff --git a/testing/btest/doc/sphinx/using_bro.btest b/testing/btest/doc/sphinx/using_bro.btest
deleted file mode 100644
index 233f415942..0000000000
--- a/testing/btest/doc/sphinx/using_bro.btest
+++ /dev/null
@@ -1,2 +0,0 @@
-@TEST-EXEC: btest-rst-cmd bro -r $TRACES/wikipedia.trace
-@TEST-EXEC: btest-rst-include -n 15 conn.log
diff --git a/testing/btest/doc/sphinx/using_bro.btest#2 b/testing/btest/doc/sphinx/using_bro.btest#2
deleted file mode 100644
index afa29e6184..0000000000
--- a/testing/btest/doc/sphinx/using_bro.btest#2
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd -n 10 "cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration"
diff --git a/testing/btest/doc/sphinx/using_bro.btest#3 b/testing/btest/doc/sphinx/using_bro.btest#3
deleted file mode 100644
index a3ce44357e..0000000000
--- a/testing/btest/doc/sphinx/using_bro.btest#3
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd -n 10 awk \'/^[^#]/ {print \$3, \$4, \$5, \$6, \$9}\' conn.log
diff --git a/testing/btest/doc/sphinx/using_bro.btest#4 b/testing/btest/doc/sphinx/using_bro.btest#4
deleted file mode 100644
index ce10bba56a..0000000000
--- a/testing/btest/doc/sphinx/using_bro.btest#4
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd -n 5 "bro-cut -d ts uid host uri < http.log"
diff --git a/testing/btest/doc/sphinx/using_bro.btest#5 b/testing/btest/doc/sphinx/using_bro.btest#5
deleted file mode 100644
index 786aebffab..0000000000
--- a/testing/btest/doc/sphinx/using_bro.btest#5
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd -n 5 "bro-cut -u ts uid host uri < http.log"
diff --git a/testing/btest/doc/sphinx/using_bro.btest#6 b/testing/btest/doc/sphinx/using_bro.btest#6
deleted file mode 100644
index cc52531b9c..0000000000
--- a/testing/btest/doc/sphinx/using_bro.btest#6
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd -n 5 "bro-cut -D %d-%m-%YT%H:%M:%S%z ts uid host uri < http.log"
diff --git a/testing/btest/doc/sphinx/using_bro.btest#7 b/testing/btest/doc/sphinx/using_bro.btest#7
deleted file mode 100644
index 4662f67c88..0000000000
--- a/testing/btest/doc/sphinx/using_bro.btest#7
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd "cat conn.log | bro-cut uid resp_bytes | sort -nrk2 | head -5"
diff --git a/testing/btest/doc/sphinx/using_bro.btest#8 b/testing/btest/doc/sphinx/using_bro.btest#8
deleted file mode 100644
index 0657c14dab..0000000000
--- a/testing/btest/doc/sphinx/using_bro.btest#8
+++ /dev/null
@@ -1 +0,0 @@
-@TEST-EXEC: btest-rst-cmd "cat http.log | bro-cut uid id.resp_h method status_code host uri | grep UM0KZ3MLUfNB0cl11"