Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add cleaned-up version of zeek-aux

Browse source 
This is the zeek-aux repository with all of the git-related stuff removed,
including all of the pre-commit configuration files, git directories,
and submodules. It has a modified version of the CMake configuration
that uses Zeek's variables and paths, making zeek-aux effectively just a
subdirectory to Zeek. All of the source files now have Zeek's license
header in them as well.
This commit is contained in:
Tim Wojtulewicz 2025-08-07 13:45:09 -07:00
parent c090ec1ccd
commit a1d0cebca4
213 changed files with 7611 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

49
auxil/zeek-aux/CMakeLists.txt Normal file
View file

@ -0,0 +1,49 @@
cmake_minimum_required(VERSION 3.15 FATAL_ERROR)
# ##############################################################################
# Dependency Configuration
find_package(PCAP REQUIRED)
include_directories(BEFORE ${PCAP_INCLUDE_DIR})
# ##############################################################################
# System Introspection
include(CheckHeaders)
include(CheckFunctions)
include(CheckNameserCompat)
include(MiscTests)
configure_file(${CMAKE_CURRENT_SOURCE_DIR}/config.h.in ${CMAKE_CURRENT_BINARY_DIR}/config.h)
include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR})
# ##############################################################################
# Recurse on sub-directories
# For binary packaging or if this is the main CMake project, go through the
# regular install target, else use a custom target so programs have to be
# explicitly installed by the user via "make install-aux"
macro (AddAuxInstallTarget _target)
add_custom_target(
install-${_target} COMMAND ${CMAKE_COMMAND} -E make_directory
${CMAKE_INSTALL_PREFIX}/bin
COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_FILE:${_target}> ${CMAKE_INSTALL_PREFIX}/bin)
add_dependencies(install-${_target} ${_target})
set(AUX_TARGETS install-${_target};${AUX_TARGETS})
set(AUX_TARGETS ${AUX_TARGETS} PARENT_SCOPE)
endmacro (AddAuxInstallTarget)
if (NOT ZEEK_MAN_INSTALL_PATH)
set(ZEEK_MAN_INSTALL_PATH ${CMAKE_INSTALL_PREFIX}/share/man)
endif ()
add_subdirectory(adtrace)
add_subdirectory(zeek-archiver)
add_subdirectory(zeek-cut)
add_subdirectory(rst)
add_custom_target(install-aux
COMMENT "Zeek auxiliary tools installed to ${CMAKE_INSTALL_PREFIX}/bin")
add_dependencies(install-aux ${AUX_TARGETS})

107
auxil/zeek-aux/README Normal file
View file

@ -0,0 +1,107 @@
.. -*- mode: rst; -*-
..
.. Version number is filled in automatically.
.. |version| replace:: 0.50-174
=======================
Zeek Auxiliary Programs
=======================
.. contents::
:Version: |version|
Handy auxiliary programs related to the use of the Zeek Network Security
Monitor (https://www.zeek.org).
Installation
============
Installation is simple and standard::
./configure
make
make install
adtrace
=======
The "adtrace" utility is used to compute the
network address that compose the internal and extern nets that Zeek
is monitoring. This program just reads a pcap
(tcpdump) file and writes out the src MAC, dst MAC, src IP, dst
IP for each packet seen in the file.
zeek-archiver
=============
This is a modern replacement for Zeek's historical log-archival process. For
details, please refer to its dedicated README in the zeek-archiver subdirectory.
zeek-cut
========
The "zeek-cut" utility reads ASCII Zeek logs on standard input
and outputs them to standard output with only the specified columns (the
column names can be found in each log file in the "#fields" header line).
If no column names are specified, then "zeek-cut" simply outputs all columns.
There are several command-line options available to modify the output (run
"zeek-cut -h" to see a list of all options). There are options to convert
timestamps into human-readable format, and options to specify whether or not
to include the format header lines in the output (by default, they're not
included).
For example, the following command will output the three specified columns
from conn.log with the timestamps from the "ts" column being converted to
human-readable format::
cat conn.log | zeek-cut -d ts id.orig_h id.orig_p
The specified order of the column names determines the output order of the
columns (i.e., "zeek-cut" can reorder the columns).
The "zeek-cut" utility can read the concatenation of one or more uncompressed
ASCII log files (however, JSON format is not supported) produced by Zeek
version 2.0 or newer, as long as each log file contains format header
lines (these are the lines at the beginning of the file starting with "#").
In fact, "zeek-cut" can process the concatenation of multiple ASCII log files
that have different column layouts.
To read a compressed log file, a tool such as "zcat" must be used to
uncompress the file. For example, "zeek-cut" can read a group of compressed
conn.log files with a command like this::
zcat conn.*.log.gz | zeek-cut
devel-tools
===========
A set of scripts used commonly for Zeek development. Note that none of
these scripts are installed by 'make install'.
extract-conn-by-uid
Extracts a connection from a trace file based
on its UID found in Zeek's conn.log
gen-mozilla-ca-list.rb
Generates list of Mozilla SSL root certificates in
a format readable by Zeek.
update-changes
A script to maintain the CHANGES and VERSION files.
git-show-fastpath
Show commits to the fastpath branch not yet merged into master.
cpu-bench-with-trace
Run a number of Zeek benchmarks on a trace file.
rst
===
The "rst" utility can be invoked by a Zeek script to terminate an
established TCP connection by forging RST tear-down packets.

1
auxil/zeek-aux/README.rst Symbolic link
View file

@ -0,0 +1 @@
README

8
auxil/zeek-aux/adtrace/CMakeLists.txt Normal file
View file

@ -0,0 +1,8 @@
find_package(PCAP REQUIRED)
set(adtrace_SRCS adtrace.c)
add_executable(adtrace ${adtrace_SRCS})
target_include_directories(adtrace BEFORE PRIVATE ${PCAP_INCLUDE_DIR})
target_link_libraries(adtrace ${PCAP_LIBRARY})
AddAuxInstallTarget(adtrace)

91
auxil/zeek-aux/adtrace/adtrace.c Normal file
View file

@ -0,0 +1,91 @@
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <pcap.h>
#include "ip.h"
#include "ether.h"
#include "ethertype.h"
pcap_t *p;
const u_char* printEAddr(const u_char* pkt, u_char* endp){
const struct ether_header *ep;
int i=0;
ep = (const struct ether_header*) pkt;
if (pkt+ETHER_HDRLEN > endp ||
ntohs(ep->ether_type) != ETHERTYPE_IP){
return 0;
}
for (i = 0; i<ETHER_ADDR_LEN; i++){
if (i>0) putchar(':');
printf("%02x", ep->ether_shost[i]);
}
putchar (' ');
for (i = 0; i<ETHER_ADDR_LEN; i++){
if (i>0) putchar(':');
printf("%02x", ep->ether_dhost[i]);
}
putchar(' ');
return (pkt+ETHER_HDRLEN);
}
void printIPAddr(const u_char* pkt, u_char* endp){
const struct ip* iph;
if (pkt+sizeof(struct ip) > endp) return;
iph = (const struct ip*) pkt;
fputs ((char*) inet_ntoa(iph->ip_src), stdout);
putchar(' ');
puts ((char*) inet_ntoa(iph->ip_dst));
}
void handler(u_char *user, const struct pcap_pkthdr *head, const u_char *packet){
u_char* endp;
endp =(u_char*) packet + head->caplen;
packet = printEAddr(packet, endp);
if (packet)
printIPAddr(packet, endp);
}
void usage(char *av[])
{
fprintf(stderr,"usage: %s filename \n", av[0]);
exit(1);
}
int main (int argc, char *argv[])
{
char *file;
char errbuf[PCAP_ERRBUF_SIZE];
u_char* pkt, endp;
struct pcap_pkthdr *head;
if ( argc != 2 )
usage(argv);
file = argv[1];
p = pcap_open_offline(file, errbuf);
if(p==NULL){
fprintf (stderr, "cannot open %s: %s\n", file, errbuf);
exit(2);
}
if (pcap_datalink(p) != DLT_EN10MB){
fputs ("sorry, currently only ethernet links supported\n", stderr);
exit(1); //if it is not ethernet we are watching we won't have MACs
}
pcap_loop(p, -1, handler, NULL);
pcap_close(p);
return(0);
}

59
auxil/zeek-aux/adtrace/ether.h Normal file
View file

@ -0,0 +1,59 @@
/* @(#) $Header$ (LBL) */
/*
* Copyright (c) 1982, 1986, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)if_ether.h 8.3 (Berkeley) 5/2/95
*/
#define ETHERMTU 1500
/*
* The number of bytes in an ethernet (MAC) address.
*/
#define ETHER_ADDR_LEN 6
/*
* Structure of a DEC/Intel/Xerox or 802.3 Ethernet header.
*/
struct ether_header {
u_int8_t ether_dhost[ETHER_ADDR_LEN];
u_int8_t ether_shost[ETHER_ADDR_LEN];
u_int16_t ether_type;
};
/*
* Length of a DEC/Intel/Xerox or 802.3 Ethernet header; note that some
* compilers may pad "struct ether_header" to a multiple of 4 bytes,
* for example, so "sizeof (struct ether_header)" may not give the right
* answer.
*/
#define ETHER_HDRLEN 14

122
auxil/zeek-aux/adtrace/ethertype.h Normal file
View file

@ -0,0 +1,122 @@
/*
* Copyright (c) 1993, 1994, 1996
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* @(#) $Header$ (LBL)
*/
/*
* Ethernet types.
*
* We wrap the declarations with #ifdef, so that if a file includes
* <netinet/if_ether.h>, which may declare some of these, we don't
* get a bunch of complaints from the C compiler about redefinitions
* of these values.
*
* We declare all of them here so that no file has to include
* <netinet/if_ether.h> if all it needs are ETHERTYPE_ values.
*/
#ifndef ETHERTYPE_PUP
#define ETHERTYPE_PUP 0x0200 /* PUP protocol */
#endif
#ifndef ETHERTYPE_IP
#define ETHERTYPE_IP 0x0800 /* IP protocol */
#endif
#ifndef ETHERTYPE_ARP
#define ETHERTYPE_ARP 0x0806 /* Addr. resolution protocol */
#endif
#ifndef ETHERTYPE_REVARP
#define ETHERTYPE_REVARP 0x8035 /* reverse Addr. resolution protocol */
#endif
#ifndef ETHERTYPE_NS
#define ETHERTYPE_NS 0x0600
#endif
#ifndef ETHERTYPE_SPRITE
#define ETHERTYPE_SPRITE 0x0500
#endif
#ifndef ETHERTYPE_TRAIL
#define ETHERTYPE_TRAIL 0x1000
#endif
#ifndef ETHERTYPE_MOPDL
#define ETHERTYPE_MOPDL 0x6001
#endif
#ifndef ETHERTYPE_MOPRC
#define ETHERTYPE_MOPRC 0x6002
#endif
#ifndef ETHERTYPE_DN
#define ETHERTYPE_DN 0x6003
#endif
#ifndef ETHERTYPE_LAT
#define ETHERTYPE_LAT 0x6004
#endif
#ifndef ETHERTYPE_SCA
#define ETHERTYPE_SCA 0x6007
#endif
#ifndef ETHERTYPE_REVARP
#define ETHERTYPE_REVARP 0x8035
#endif
#ifndef ETHERTYPE_LANBRIDGE
#define ETHERTYPE_LANBRIDGE 0x8038
#endif
#ifndef ETHERTYPE_DECDNS
#define ETHERTYPE_DECDNS 0x803c
#endif
#ifndef ETHERTYPE_DECDTS
#define ETHERTYPE_DECDTS 0x803e
#endif
#ifndef ETHERTYPE_VEXP
#define ETHERTYPE_VEXP 0x805b
#endif
#ifndef ETHERTYPE_VPROD
#define ETHERTYPE_VPROD 0x805c
#endif
#ifndef ETHERTYPE_ATALK
#define ETHERTYPE_ATALK 0x809b
#endif
#ifndef ETHERTYPE_AARP
#define ETHERTYPE_AARP 0x80f3
#endif
#ifndef ETHERTYPE_8021Q
#define ETHERTYPE_8021Q 0x8100
#endif
#ifndef ETHERTYPE_IPX
#define ETHERTYPE_IPX 0x8137
#endif
#ifndef ETHERTYPE_IPV6
#define ETHERTYPE_IPV6 0x86dd
#endif
#ifndef ETHERTYPE_PPP
#define ETHERTYPE_PPP 0x880b
#endif
#ifndef ETHERTYPE_MPLS
#define ETHERTYPE_MPLS 0x8847
#endif
#ifndef ETHERTYPE_MPLS_MULTI
#define ETHERTYPE_MPLS_MULTI 0x8848
#endif
#ifndef ETHERTYPE_PPPOED
#define ETHERTYPE_PPPOED 0x8863
#endif
#ifndef ETHERTYPE_PPPOES
#define ETHERTYPE_PPPOES 0x8864
#endif
#ifndef ETHERTYPE_LOOPBACK
#define ETHERTYPE_LOOPBACK 0x9000
#endif

159
auxil/zeek-aux/adtrace/ip.h Normal file
View file

@ -0,0 +1,159 @@
/* @(#) $Header$ (LBL) */
/*
* Copyright (c) 1982, 1986, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)ip.h 8.2 (Berkeley) 6/1/94
*/
/*
* Definitions for internet protocol version 4.
* Per RFC 791, September 1981.
*/
#define IPVERSION 4
/*
* Structure of an internet header, naked of options.
*
* We declare ip_len and ip_off to be short, rather than u_short
* pragmatically since otherwise unsigned comparisons can result
* against negative integers quite easily, and fail in subtle ways.
*/
struct ip {
u_int8_t ip_vhl; /* header length, version */
#define IP_V(ip) (((ip)->ip_vhl & 0xf0) >> 4)
#define IP_HL(ip) ((ip)->ip_vhl & 0x0f)
u_int8_t ip_tos; /* type of service */
u_int16_t ip_len; /* total length */
u_int16_t ip_id; /* identification */
u_int16_t ip_off; /* fragment offset field */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
#define IP_OFFMASK 0x1fff /* mask for fragmenting bits */
u_int8_t ip_ttl; /* time to live */
u_int8_t ip_p; /* protocol */
u_int16_t ip_sum; /* checksum */
struct in_addr ip_src,ip_dst; /* source and dest address */
};
#define IP_MAXPACKET 65535 /* maximum packet size */
/*
* Definitions for IP type of service (ip_tos)
*/
#define IPTOS_LOWDELAY 0x10
#define IPTOS_THROUGHPUT 0x08
#define IPTOS_RELIABILITY 0x04
/*
* Definitions for IP precedence (also in ip_tos) (hopefully unused)
*/
#define IPTOS_PREC_NETCONTROL 0xe0
#define IPTOS_PREC_INTERNETCONTROL 0xc0
#define IPTOS_PREC_CRITIC_ECP 0xa0
#define IPTOS_PREC_FLASHOVERRIDE 0x80
#define IPTOS_PREC_FLASH 0x60
#define IPTOS_PREC_IMMEDIATE 0x40
#define IPTOS_PREC_PRIORITY 0x20
#define IPTOS_PREC_ROUTINE 0x00
/*
* Definitions for options.
*/
#define IPOPT_COPIED(o) ((o)&0x80)
#define IPOPT_CLASS(o) ((o)&0x60)
#define IPOPT_NUMBER(o) ((o)&0x1f)
#define IPOPT_CONTROL 0x00
#define IPOPT_RESERVED1 0x20
#define IPOPT_DEBMEAS 0x40
#define IPOPT_RESERVED2 0x60
#define IPOPT_EOL 0 /* end of option list */
#define IPOPT_NOP 1 /* no operation */
#define IPOPT_RR 7 /* record packet route */
#define IPOPT_TS 68 /* timestamp */
#define IPOPT_SECURITY 130 /* provide s,c,h,tcc */
#define IPOPT_LSRR 131 /* loose source route */
#define IPOPT_SATID 136 /* satnet id */
#define IPOPT_SSRR 137 /* strict source route */
/*
* Offsets to fields in options other than EOL and NOP.
*/
#define IPOPT_OPTVAL 0 /* option ID */
#define IPOPT_OLEN 1 /* option length */
#define IPOPT_OFFSET 2 /* offset within option */
#define IPOPT_MINOFF 4 /* min value of above */
/*
* Time stamp option structure.
*/
struct ip_timestamp {
u_int8_t ipt_code; /* IPOPT_TS */
u_int8_t ipt_len; /* size of structure (variable) */
u_int8_t ipt_ptr; /* index of current entry */
u_int8_t ipt_oflwflg; /* flags, overflow counter */
#define IPTS_OFLW(ip) (((ipt)->ipt_oflwflg & 0xf0) >> 4)
#define IPTS_FLG(ip) ((ipt)->ipt_oflwflg & 0x0f)
union ipt_timestamp {
u_int32_t ipt_time[1];
struct ipt_ta {
struct in_addr ipt_addr;
u_int32_t ipt_time;
} ipt_ta[1];
} ipt_timestamp;
};
/* flag bits for ipt_flg */
#define IPOPT_TS_TSONLY 0 /* timestamps only */
#define IPOPT_TS_TSANDADDR 1 /* timestamps and addresses */
#define IPOPT_TS_PRESPEC 3 /* specified modules only */
/* bits for security (not byte swapped) */
#define IPOPT_SECUR_UNCLASS 0x0000
#define IPOPT_SECUR_CONFID 0xf135
#define IPOPT_SECUR_EFTO 0x789a
#define IPOPT_SECUR_MMMM 0xbc4d
#define IPOPT_SECUR_RESTR 0xaf13
#define IPOPT_SECUR_SECRET 0xd788
#define IPOPT_SECUR_TOPSECRET 0x6bc5
/*
* Internet implementation parameters.
*/
#define MAXTTL 255 /* maximum time to live (seconds) */
#define IPDEFTTL 64 /* default ttl, from RFC 1340 */
#define IPFRAGTTL 60 /* time to live for frags, slowhz */
#define IPTTLDEC 1 /* subtracted when forwarding */
#define IP_MSS 576 /* default maximum segment size */

28
auxil/zeek-aux/config.h.in Normal file
View file

@ -0,0 +1,28 @@
/* These autoconf variables are obsolete; it's portable to assume C89
and signal handlers that return void */
#define RETSIGTYPE void
#define RETSIGVAL
/* Define if you have the `sigaction' function. */
#cmakedefine HAVE_SIGACTION
/* Define if you have the `sigset' function. */
#cmakedefine HAVE_SIGSET
/* Define if you have the <memory.h> header file. */
#cmakedefine HAVE_MEMORY_H
/* Define if you have the `strerror' function. */
#cmakedefine HAVE_STRERROR
/* should explicitly declare socket() and friends */
#cmakedefine DO_SOCK_DECL
/* Compatibility for Darwin */
#cmakedefine NEED_NAMESER_COMPAT_H
/* have os-proto.h */
#cmakedefine HAVE_OS_PROTO_H
/* have sin_len field in sockaddr_in */
#cmakedefine SIN_LEN

15
auxil/zeek-aux/devel-tools/check-release Executable file
View file

@ -0,0 +1,15 @@
#! /usr/bin/env bash
#
# Checks the current repository and all if its submodules for being
# in "release shape".
repo_status="$(cd $(dirname $0) && pwd)/repo-status"
check_cmd="test -e CHANGES && $repo_status"
printf ' %20s %-10s %-8s %-8s %-7s %-5s %-15s %s\n' "" "Branch" "CHANGES" "Pending" "Modif" "Sub" "VERSION" "Tags"
(
eval $check_cmd
git submodule foreach -q --recursive "$check_cmd; true"
) |
awk '/!/{print "- ", $0; next;} {print "+ ", $0; next;}'

32
auxil/zeek-aux/devel-tools/cpu-bench-with-trace Executable file
View file

@ -0,0 +1,32 @@
#! /usr/bin/env bash
#
# This runs a number of Zeek configurations on trace $2. It
# starts with the bare config and then
# kept adding the scripts load from init-default.zeek and local.zeek one
# by one, measuring user time for each run (i.e., the measurements are
# cumulative).
if [ "$2" == "" ]; then
echo "usage: $(basename $0) <zeekdir> <trace>"
exit 1
fi
zeek=$1
trace=$2
tmp=/tmp/bench.$$.zeek
export ZEEKPATH=$($zeek/build/zeek-path-dev)
cat </dev/null >$tmp
cat $zeek/scripts/base/init-default.zeek $zeek/scripts/site/local.zeek | grep '^ *@load' | while read line; do
echo $line >>$tmp
script=$(echo $line | awk '{print $2}' | sed 's#/#.#g')
output="bench.output.$script.log"
(time -p $zeek/build/src/zeek -b -r $trace $tmp) >$output 2>&1
user=$(cat $output | grep user | awk '{print $2}')
printf "%40s %s\n" $script $user
done
rm -f $tmp

42
auxil/zeek-aux/devel-tools/extract-conn-by-uid Executable file
View file

@ -0,0 +1,42 @@
#! /usr/bin/env bash
#
# Searches the connection with UID $1 in conn.log, and then extracts
# it from trace file $2.
if [ $# != 2 ]; then
echo "usage: $(basename $0) <uid> <trace>"
exit 1
fi
uid=$1
trace=$2
if [ ! -e conn.log ]; then
echo "no conn.log found"
exit 1
fi
if [ ! -e $trace ]; then
echo "trace $trace not found"
exit 1
fi
filter=$(awk -v uid=$uid '$2==uid { printf("host %s and port %s and host %s and port %s\n", $3, $4, $5, $6)}' <conn.log)
if [ "$filter" == "" ]; then
echo uid $uid not found in conn.log
exit 1
fi
echo filter: $filter
out=$(basename $trace).$uid
if echo $trace | grep -q '\.gz$'; then
cat $trace | gunzip | tcpdump -r - -w $out "$filter"
else
tcpdump -r $trace -w $out "$filter"
fi
echo connection in $out
ls -al $out

62
auxil/zeek-aux/devel-tools/gen-ct-list.pl Executable file
View file

@ -0,0 +1,62 @@
#!/usr/bin/env perl
#
# Generate the Zeek file containing the current list of known
# Certificate Transparency logs from the source file provided
# by Google.
#
use 5.14.1;
use strict;
use warnings;
# This is the only kind-of user-configurable line
my $google_log_url = "https://www.gstatic.com/ct/log_list/v3/log_list.json";
# And begin with loading everything we need.
# I was lazy and you probably will have to install a few of these.
use Carp;
use autodie;
use Net::SSLeay;
use HTML::HeadParser;
use LWP::Protocol::https;
use LWP::UserAgent;
use LWP::Simple;
use JSON::Parse qw/parse_json/;
use MIME::Base64;
use Digest::SHA qw/sha256/;
use Mozilla::CA;
my $ua = LWP::UserAgent->new();
my $google_known_logs_json = $ua->get($google_log_url);
croak("Could not get $google_log_url") unless defined($google_known_logs_json);
my $list = parse_json($google_known_logs_json->content);
say "#\n# Do not edit this file. This file is automatically generated by gen-ct-list.pl";
say "# File generated at ".localtime;
say "# File generated from ".$google_log_url;
say "# Source file generated at: ".$list->{log_list_timestamp};
say "# Source file version: ".$list->{version};
say "#";
say "";
say '@load base/protocols/ssl';
say "module SSL;";
say "";
say '## @docs-omit-value';
say "redef ct_logs += {";
for my $operator (@{$list->{operators}}) {
my $opname = $operator->{name};
for my $log (@{$operator->{logs}}) {
my $key = join('', map {"\\x$_" } unpack("(H2)*", decode_base64($log->{key})));
my $logid = join('', map {"\\x$_" } unpack("(H2)*", sha256(decode_base64($log->{key}))));
my $mmd = $log->{mmd};
my $url = $log->{url};
my $desc = $log->{description};
say "[\"$logid\"] = CTInfo(\$description=\"$desc\", \$operator=\"$opname\", \$url=\"$url\", \$maximum_merge_delay=$mmd, \$key=\"$key\"),";
}
}
say "};";

84
auxil/zeek-aux/devel-tools/gen-mozilla-ca-list.rb Executable file
View file

@ -0,0 +1,84 @@
#!/usr/bin/env ruby
tmpcert = "/tmp/tmpcert.der"
incert=false
intrust=false
if ARGV.length != 1
abort "\nPass path to the certdata.txt you want to add as first input argument to this script\n\n"+
"certdata.txt can be retrieved from the newest NSS release."
end
url = 'http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'
io = open(ARGV[0]);
puts "# Don't edit! This file is automatically generated."
puts "# Generated at: #{Time.now}"
puts "# Generated from: #{url}"
puts "#"
puts "# The original source file comes with this licensing statement:"
puts "#"
puts "# This Source Code Form is subject to the terms of the Mozilla Public"
puts "# License, v. 2.0. If a copy of the MPL was not distributed with this"
puts "# file, You can obtain one at http://mozilla.org/MPL/2.0/."
puts ""
puts "@load base/protocols/ssl"
puts "module SSL;";
puts "";
puts "## @docs-omit-value"
puts "redef root_certs += {";
all_certs = []
all_subjects = []
cert_name = ""
cert = ""
io.each do |line|
line.chomp!
if intrust
if line =~ /^CKA_TRUST_SERVER_AUTH/
if line =~ /CKT_NSS_TRUSTED_DELEGATOR/
File.open(tmpcert, "wb") do |f|
byteArray = cert.split("\\x")
max = byteArray.length() - 1
byteArray[1..max].each do | byte |
f.print byte.hex.chr
end
end
cert_subj = `openssl x509 -in #{tmpcert} -inform DER -noout -subject -nameopt RFC2253`
cert_subj["subject="]= ""
cert_subj.chomp!
File.delete(tmpcert)
if not all_subjects.include?(cert_subj)
puts " [\"#{cert_subj}\"] = \"#{cert}\","
all_subjects << cert_subj
end
end
intrust=false
end
else
if line =~ /^CKA_LABEL/
cert_name = line.sub(/.*\"(.*)\".*/, "\\1")
i = 0
while all_certs.include?(cert_name)
i+=1
cert_name += " #{i}"
end
all_certs << cert_name
elsif line =~ /^CKA_VALUE MULTILINE_OCTAL/
incert=true
cert=""
elsif line =~ /^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/
intrust=true
elsif line =~ /^END/
incert=false
elsif incert
cert += line.split(/\\/).collect { |x| x.oct.chr.unpack("H2")[0].upcase if x!="" }.join("\\x")
end
end
end
puts "};"

32
auxil/zeek-aux/devel-tools/git-delete-old-branches Executable file
View file

@ -0,0 +1,32 @@
# ! /usr/bin/env bash
#
# Adapted from http://devblog.springest.com/a-script-to-remove-old-git-branches
#
# This has to be run from master
git checkout master
# Update our list of remotes
git fetch
git remote prune origin
# # Remove local fully merged branches
# git branch --merged master | grep -v 'master$' | xargs git branch -d
# Show remote fully merged branches
echo "The following remote branches are fully merged and will be removed:"
git branch -r --merged master | sed 's/ *origin\///' | grep '^topic/'
if [ $? != 0 ]; then
exit 0
fi
read -p "Continue (y/n)? "
if [ "$REPLY" == "y" ]
then
# Remove remote fully merged branches
git branch -r --merged master | sed 's/ *origin\///' \
| grep '^topic/' | xargs -I% git push origin :%
echo "Done!"
fi

77
auxil/zeek-aux/devel-tools/git-move-submodules Executable file
View file

@ -0,0 +1,77 @@
#! /usr/bin/env bash
#
# Recursively check outs the most recent version of all submodules on a given
# branch, and commits the updates to the parents.
branch=$1
if [ "$branch" == "" ]; then
echo "usage: $(basename $0) <branch>"
exit 1
fi
paths_to_push=()
function update_module {
local cwd=$1
local i
local modules=""
cd $cwd
# These submodules should be ignored by the loop below.
local ignored_modules=(
"3rdparty"
"IXWebSocket"
"c-ares"
"caf"
"cppzmq"
"expected-lite"
"filesystem"
"highwayhash"
"libkqueue"
"libunistd"
"out_ptr"
"prometheus-cpp"
"rapidjson"
"vcpkg")
# Note we don't use --recursive here, as we want to do a depth-first
# search so that we update children first.
for i in $(git submodule foreach -q 'echo $path' | grep -vE $(
IFS="|"
echo "${ignored_modules[*]}"
)); do
# See if repository has a branch of the given name. Otherwise leave it alone.
(cd $i && git show-ref --verify --quiet refs/heads/$branch) || continue
modules="$modules $i"
echo "--- Checking out $branch of $(basename $i)"
cd $i
git fetch -q || exit 1
git checkout -q $branch || exit 1
git merge origin/master || exit 1
update_module $cwd/$i
cd $cwd
done
if [ "$modules" != "" ]; then
if [ -n "$(git status --untracked-files=no --porcelain)" ]; then
echo "+++ Committing updates to $(basename $cwd)"
git commit -m 'Updating submodule(s) [nomail]' --only $modules
paths_to_push+=($cwd)
fi
fi
}
update_module $(pwd)
echo
echo "Added ${#paths_to_push[@]} commits. Run the following commands to push them:"
for path in "${paths_to_push[@]}"; do
echo "(cd ${path} && git push)"
done

31
auxil/zeek-aux/devel-tools/git-pre-push-hook Executable file
View file

@ -0,0 +1,31 @@
#!/bin/sh
#
# A pre-push hook that makes sure all testing/external changes
# have been pushed already. If not, it will abort. Note that
# it will only check for unpushed commits, not for uncommitted
# changes.
#
# To install this, copy it into you Zeek tree's .git/hooks/pre-push.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If this script exits with a non-zero status nothing will be pushed.
test -d testing/external || exit 0
cd testing/external
base=$(pwd)
abort=0
for repo in $(./scripts/find-git-repos); do
cd ${base}/${repo} &&
git rev-list @{u}.. | grep -q . &&
echo "ERROR: testing/external/$(basename $repo) has commits that are not pushed." &&
abort=1
done
exit ${abort}

19
auxil/zeek-aux/devel-tools/git-show-fastpath Executable file
View file

@ -0,0 +1,19 @@
#! /usr/bin/env bash
#
# Shows pending fastpath commits for all modules.
show="git show-ref -q origin/fastpath && git --no-pager log --format=oneline origin/fastpath ^master || exit 0"
(echo "Entering <top-level>" && eval $show && git submodule foreach --recursive "$show") | awk '
/Entering/ { current = $2; next }
{
if ( current != "" )
print "==" current;
print;
current = "";
}
'

461
auxil/zeek-aux/devel-tools/github-manage Executable file
View file

@ -0,0 +1,461 @@
#! /usr/bin/env python3
#
# https://pypi.org/project/argcomplete/#global-completion
# PYTHON_ARGCOMPLETE_OK
"""This script provides tooling to administrate the github.com/zeek organization."""
import argparse
import json
import os
import sys
from enum import IntEnum
from pathlib import Path
# This is the high-level error for API problems, per
# https://github.com/fastai/ghapi/issues/138 and confirmed
# in manual testing
from urllib.error import HTTPError
def print_err(*args, **kwargs):
print(*args, file=sys.stderr, **kwargs)
try:
import yaml
except ImportError:
# PyYAML is optional; we will see below whether we need it as we retrieve
# the auth token.
pass
try:
from ghapi.all import GhApi, paged
except ImportError:
print_err("This requires the Python Github API package: https://ghapi.fast.ai")
sys.exit(1)
try:
# Argcomplete provides command-line completion for users of argparse.
# We support it if available, but don't complain when it isn't.
import argcomplete
except ImportError:
pass
GITHUB_SERVER = "github.com"
GITHUB_ORG = "zeek"
# There's a mismatch between how Github shows access levels in the UI vs how
# they work in the API. We use the UI-level ones here and provide helper
# functions to translate. The discrepancies are "read" being "pull" in the API,
# and "write" being "push". The others match.
AccessLevel = IntEnum("AccessLevel", ["READ", "TRIAGE", "WRITE", "MAINTAIN", "ADMIN"])
def get_api_token(args):
if args.auth_token:
return args.auth_token
# This is the ghapi-recommended way to configure your token and works
# transparently:
token = os.getenv("GITHUB_TOKEN")
if token:
return token
# Try somewhat hard to locate gh's config file:
gh_host_config = (
Path(os.getenv("XDG_CONFIG_HOME", default=Path.home() / ".config"))
/ "gh"
/ "hosts.yml"
)
if gh_host_config.is_file():
if "yaml" not in sys.modules:
print_err(
"This requires PyYAML to use your existing gh config. See: https://pyyaml.org"
)
print_err(
"Please set the GITHUB_TOKEN environment variable to your Github API token."
)
sys.exit(1)
try:
with open(gh_host_config) as stream:
ymldata = yaml.safe_load(stream)
return ymldata[GITHUB_SERVER]["oauth_token"]
except (OSError, yaml.YAMLError, KeyError) as error:
print_err(f"Unexpected gh configuration ({error}).")
print_err(
"Please set the GITHUB_TOKEN environment variable to your Github API token."
)
sys.exit(1)
print_err(
"Please provide a Github API token via --auth-token or set the GITHUB_TOKEN environment variable"
)
sys.exit(1)
def get_access_level_string(perms):
res = get_access_level(perms)
if not res:
return None
return res.name.lower()
def access_level_to_github(level):
if level == AccessLevel.ADMIN:
return "admin"
if level == AccessLevel.MAINTAIN:
return "maintain"
if level == AccessLevel.WRITE:
return "push"
if level == AccessLevel.TRIAGE:
return "triage"
if level == AccessLevel.READ:
return "pull"
return None
def access_level_from_github(level):
if level == "admin":
return AccessLevel.ADMIN
if level == "maintain":
return AccessLevel.MAINTAIN
if level == "push":
return AccessLevel.WRITE
if level == "triage":
return AccessLevel.TRIAGE
if level == "pull":
return AccessLevel.READ
return None
def get_access_level(perm):
"""Returns the access level for a given user/team as shown on the access
settings page of a repo, based on the given set of permissions. This returns
an AccessLevel, or None when no access level was identifiable.
"""
# This is a bit messy because permissions are presented differently in
# different corners of the API. Sometimes it's a string, sometimes an
# object with individual permission bits. For now just check if it's a
# string and handle that separately.
if isinstance(perm, str):
return access_level_from_github(perm)
try:
if perm.admin:
return AccessLevel.ADMIN
if perm.maintain:
return AccessLevel.MAINTAIN
if perm.push:
return AccessLevel.WRITE
if perm.triage:
return AccessLevel.TRIAGE
if perm.pull:
return AccessLevel.READ
except AttributeError:
pass
return None
def get_all_repos(api):
"""Returns a list of all repos in the GITHUB_ORG, sorted by name."""
repos = []
for page in paged(api.repos.list_for_org, org=GITHUB_ORG, per_page=100):
repos.extend(page)
repos.sort(key=lambda repo: repo.name)
return repos
def cmd_repos_list_access(api, args):
result = []
for repo in get_all_repos(api):
teams = api.repos.list_teams(repo.name)
teams_results = []
for team in sorted(teams, key=lambda t: t.name):
teams_results.append(
{
"name": team.name,
"access": get_access_level_string(team.permissions),
}
)
# "direct" here means we don't list each individual member of teams that
# also have access to the repo:
users = api.repos.list_collaborators(repo.name, affiliation="direct")
users_results = []
for user in sorted(users, key=lambda u: u.login):
users_results.append(
{
"name": user.login,
"access": get_access_level_string(user.permissions),
}
)
result.append(
{
"repo": repo.name,
"teams": teams_results,
"users": users_results,
}
)
print(json.dumps(result, sort_keys=True))
return True
def cmd_repos_list_redundant_users(api, args):
result = []
for repo in get_all_repos(api):
teams = api.repos.list_teams(repo.name)
teams_data = {}
for team in teams:
teams_data[team.name] = {
"permission": team.permission,
"users": [
member.login
for member in api.teams.list_members_in_org(GITHUB_ORG, team.slug)
],
}
# "direct" here means we don't list each individual member of teams that
# also have access to the repo:
users = api.repos.list_collaborators(repo.name, affiliation="direct")
for user in sorted(users, key=lambda u: u.login):
for team, data in teams_data.items():
if user.login not in data["users"]:
continue
# This repo gives access to a team that already includes the
# explicitly listed user. See if the user is added with
# greater permissions, otherwise this user is redundant.
team_access = get_access_level(data["permission"])
user_access = get_access_level(user.permissions)
if user_access <= team_access:
result.append(
{
"repo": repo.name,
"user": user.login,
"redundancy": team,
}
)
print(json.dumps(result, sort_keys=True))
return True
def cmd_repos_remove_redundant_users(api, args):
result = []
outcome = True
for repo in get_all_repos(api):
teams = api.repos.list_teams(repo.name)
teams_data = {}
for team in teams:
teams_data[team.name] = {
"permission": team.permission,
"users": [
member.login
for member in api.teams.list_members_in_org(GITHUB_ORG, team.slug)
],
}
# "direct" here means we don't list each individual member of teams that
# also have access to the repo:
users = api.repos.list_collaborators(repo.name, affiliation="direct")
for user in sorted(users, key=lambda u: u.login):
for team, data in teams_data.items():
if user.login not in data["users"]:
continue
# This repo gives access to a team that already includes the
# explicitly listed user. See if the user is added with
# greater permissions, otherwise this user is redundant.
team_access = get_access_level(data["permission"])
user_access = get_access_level(user.permissions)
if user_access <= team_access:
try:
if not args.dry_run:
api.repos.remove_collaborator(repo.name, user.login)
result.append(
{
"repo": repo.name,
"user": user.login,
"success": True,
}
)
except HTTPError as err:
result.append(
{
"repo": repo.name,
"user": user.login,
"success": False,
"code": err.code,
"reason": err.reason,
}
)
outcome = False
print(json.dumps(result, sort_keys=True))
return outcome
def cmd_repos_add_team(api, args):
if args.access_level not in [level.name.lower() for level in AccessLevel]:
print_err(
f"The given access level '{args.access_level}' is not valid. See --help.\n"
)
return False
access_level = access_level_to_github(AccessLevel[args.access_level.upper()])
# Resolve the given team name to a slug:
team_slug = None
teams = sorted(api.teams.list(GITHUB_ORG), key=lambda t: t.name)
for team in teams:
if (
team.name.lower() == args.team.lower()
or team.slug.lower() == args.team.lower()
):
team_slug = team.slug
break
if not team_slug:
print_err(
f"Team '{args.team}' is not valid for the '{GITHUB_ORG}' organization."
)
print_err(f"Must be one of {', '.join(["'" + t.name + "'" for t in teams])}.")
return False
result = []
outcome = True
for repo in get_all_repos(api):
try:
if not args.dry_run:
api.teams.add_or_update_repo_permissions_in_org(
GITHUB_ORG, team_slug, repo.name, access_level
)
result.append(
{
"repo": repo.name,
"success": True,
}
)
except HTTPError as err:
result.append(
{
"repo": repo.name,
"success": False,
"code": err.code,
"reason": err.reason,
}
)
outcome = False
print(json.dumps(result, sort_keys=True))
return outcome
def main():
top_parser = argparse.ArgumentParser(
description="Helpers for automated Zeek repo administration on Github."
)
top_parser.add_argument(
"--auth-token",
default=None,
help="Your Github API token. You can also use the GITHUB_TOKEN environment "
"variable to provide this. As a fallback, this script tries to use your "
"gh configuration, if available.",
)
cmd_parser = top_parser.add_subparsers(
title="commands",
dest="command",
help="See `%(prog)s <command> -h` for per-command usage info.",
)
repos_parser = cmd_parser.add_parser(
"repos", help="Do something for every repo in the Zeek organization."
)
repos_cmd_parser = repos_parser.add_subparsers(
title="commands",
dest="command",
help="See `%(prog)s <command> -h` for per-command usage info.",
)
repos_list_access_cmd_parser = repos_cmd_parser.add_parser(
"list-access",
help="List all users and teams that have access to a repo, along with the access level.",
)
repos_list_access_cmd_parser.set_defaults(run_cmd=cmd_repos_list_access)
repos_list_redundant_users_cmd_parser = repos_cmd_parser.add_parser(
"list-redundant-users",
help="List users already covered via teams providing at least the same access level.",
)
repos_list_redundant_users_cmd_parser.set_defaults(
run_cmd=cmd_repos_list_redundant_users
)
repos_remove_redundant_user_cmd_parser = repos_cmd_parser.add_parser(
"remove-redundant-users",
help="Remove users already included via a team that provides at least the same access level.",
)
repos_remove_redundant_user_cmd_parser.set_defaults(
run_cmd=cmd_repos_remove_redundant_users
)
repos_remove_redundant_user_cmd_parser.add_argument(
"--dry-run",
action="store_true",
help="Don't make any changes, just pretend API calls succeed",
)
repos_add_team_cmd_parser = repos_cmd_parser.add_parser(
"add-team",
help="Add the given team to each repository at the given access level. Teams that already have access are updated to the provided level.",
)
repos_add_team_cmd_parser.set_defaults(run_cmd=cmd_repos_add_team)
repos_add_team_cmd_parser.add_argument(
"--dry-run",
action="store_true",
help="Don't make any changes, just pretend API calls succeed",
)
repos_add_team_cmd_parser.add_argument(
"--team", required=True, help="The name or slug of the team. Case-insensitive."
)
repos_add_team_cmd_parser.add_argument(
"--access-level",
required=True,
help=f"The access level. One of {', '.join(["'" + level.name.lower() + "'" for level in AccessLevel])}.",
)
if "argcomplete" in sys.modules:
argcomplete.autocomplete(top_parser)
args = top_parser.parse_args()
api = GhApi(owner=GITHUB_ORG, token=get_api_token(args))
try:
return args.run_cmd(api, args)
except HTTPError as err:
sys.stderr.write(f"API error at {err.url}: {err.code}, {err.reason}\n")
return False
except KeyboardInterrupt:
return False
if __name__ == "__main__":
sys.exit(0 if main() else 1)

129
auxil/zeek-aux/devel-tools/make-release Executable file
View file

@ -0,0 +1,129 @@
#! /usr/bin/env bash
#
# Makes release tarballs for the repository in the current directory;
# and if --recursive is given, also for all submodules.
DEST="$(pwd)/build/dist" # Where to put the TGZs.
LOGS="$DEST/.log" # Where to put build logs.
dists=""
function usage() {
echo "Usage: $(basename $0) [--recursive]"
}
function release() {
mod=$1
tmp="$LOGS/make-release.$(basename $mod).log"
cat </dev/null >$tmp
echo "--- Building distribution for $mod" >&2
echo "Log in $tmp." >&2
make dist >$tmp 2>&1
cat $tmp | awk '/CPack:.*generated/ {print $4} /^Package: / {print $2}' | while read tgz; do
if echo $tgz | grep -qv ^/; then
tgz="$(pwd)/$tgz"
fi
version=$(git tag --contains HEAD | grep -E '^(release|beta)$')
if [ "$version" == "" ]; then
version="git"
fi
echo "Distribution in $tgz ($version)" >&2
ls -al $tgz | awk '{print " ", $0; }' >&2
echo "$tgz#$version"
done
}
if [ "$1" == "--recursive" ]; then
submodules=1
shift
fi
if [ "$submodules" == "1" ]; then
mods=$(git submodule foreach -q --recursive pwd | grep -v /cmake)
fi
if [ -e $DEST ]; then
echo
echo "$DEST exists already, proceeding will delete it."
echo ">> Continue? (y/n)"
read line
if [ "$line" != "y" ]; then
exit 1
fi
fi
rm -rf $DEST
install -d $DEST
install -d $LOGS
mods="$mods ."
build=
for mod in $mods; do
cwd=$(pwd)
cd $mod
if [ "$mod" = "." ]; then
mod=$(pwd)
mod=$(basename $mod)
fi
if [ ! '(' -e CMakeLists.txt -o -e Makefile ')' ]; then
echo "No CMakeLists.txt or Makefile in $mod, skipping."
cd $cwd
continue
fi
ignore=1
if [ "$(git describe HEAD)" = "$(git describe release 2>/dev/null)" ]; then
ignore=0
fi
if [ "$(git describe HEAD)" = "$(git describe beta 2>/dev/null)" ]; then
ignore=0
fi
if [ "$ignore" = "1" ]; then
echo "Module $mod is not tagged for release or beta, skipping."
cd $cwd
continue
fi
dist=$(release $mod)
(echo $dist | grep -qv "^ *$") || echo "No distribution found for $mod."
dists="$dists $dist"
echo
cd $cwd
done
for dist in $dists; do
tgz=$(echo $dist | cut -d '#' -f 1)
version=$(echo $dist | cut -d '#' -f 2)
dst=$(basename $tgz)
dst="$DEST/$version/$(echo $dst | sed 's/\.tgz/.tar.gz/g')"
install -d $DEST/$version
mv $tgz $dst
echo Signing $dst ...
sign-file $dst
done
echo "--- All distributions in $DEST:"
all=$(find $DEST -path '*gz*')
test "$all" != "" && ls -rl $all || echo "None."
echo

230
auxil/zeek-aux/devel-tools/perf-benchmark Executable file
View file

@ -0,0 +1,230 @@
#!/bin/sh
ZEEK_BUILD=""
DATA_FILE=""
MODE="intf"
INTERFACE=""
SEED_FILE=""
# Path where flamegraph is installed
FLAMEGRAPH_PATH=""
FLAMEGRAPH_PREFIX="benchmark"
usage() {
usage="\
Usage: $0 -z [zeek binary path] -d [data file path]
Options:
-b, --build PATH The path to a Zeek binary to benchmark
-d, --data-file PATH The path to a data file to read from for replay
-m, --mode MODE This can be one of three possible values:
intf, read, or flamegraph. This controls what
mode is used for the benchmark run, and defaults
to intf if not passed. The modes are described
below.
-i, --interface INTF The network interface to use for capturing data.
This interface should be completely idle, since
tcpreplay will be using it to replay the data.
This argument is ignored if the mode is 'file'.
-f, --flamegraph PATH The path to the directory where Flamegraph is
installed. This argument is required if the mode
is 'flamegraph', but is ignored otherwise.
-o, --output FILE The file prefix to use as output for Flamegraph.
This defaults to 'benchmark'. This argument is ignored
if the mode is not 'flamegraph'.
-s, --seed FILE (optional) A path to a Zeek random seed file.
This is used control the generation of connection
IDs and other data so it is consistent between
benchmarking runs.
By default or when 'intf' is passed for the mode argument, the output will
include CPU, memory, etc statistics from Zeek processing all of the data
in the data file as if it was reading it live from the network. This mode
requires an interface to be passed using the -i argument.
When 'file' is passed for the mode (-m) argument, the output will include
the runtime and maximum memory usage of Zeek when reading the data file
directly from disk.
When 'flamegraph' is passed for the mode (-m) argument, this script will
output two flamegraphs for the process runtime in svg format. The first
flamegraph is a standard graph showing the time spent in functions,
stacked in the normal manner. The second graph is 'stack-reversed'.
Symbols in Flamegraph outputs may not correctly stack unless the various
libraries linked into Zeek are built with frame pointers. This includes
glibc, libpcap, and openssl. Rebuilding those libraries with the
-fno-omit-frame-pointer compiler flag may provide more accurate output.
You can set libraries that get preloaded by setting the PRELOAD_LIBS
variable in the script.
This script assumes that it is being run on a system with a large number
of CPU cores. If being used on a smaller system, modify this script and
set the ZEEK_CPU and TCPREPLAY_CPU variables to smaller values.
"
echo "${usage}"
exit 1
}
while ( ("$#")); do
case "$1" in
-d | --data-file)
DATA_FILE=$2
shift 2
;;
-b | --build)
ZEEK_BUILD=$2
shift 2
;;
-m | --mode)
MODE=$2
shift 2
;;
-i | --interface)
INTERFACE=$2
shift 2
;;
-f | --flamegraph)
FLAMEGRAPH_PATH=$2
shift 2
;;
-o | --output)
FLAMEGRAPH_PREFIX=$2
shift 2
;;
-s | --seed)
SEED_FILE=$2
shift 2
;;
esac
done
if [ "${MODE}" != "intf" -a "${MODE}" != "file" -a "${MODE}" != "flamegraph" ]; then
echo "Error: -m argument should be one of 'intf', 'file', or 'flamegraph'"
echo
usage
fi
if [ -z "${ZEEK_BUILD}" ]; then
echo "Error: -b argument is required and should point at a Zeek binary"
echo
usage
fi
if [ -z "${DATA_FILE}" ]; then
echo "Error: -d argument is required and should point at a pcap file to replay"
echo
usage
fi
if [ "${MODE}" != "file" -a -z "${INTERFACE}" ]; then
echo "Error: -i argument is required for the ${MODE} mode and should point to an idle network interface"
echo
usage
fi
# Various run-time options
ZEEK_CPU=10
TCPREPLAY_CPU=11
PRELOAD_LIBS=""
ZEEK_ARGS=""
if [ "${MODE}" != "file" ]; then
ZEEK_ARGS="-i af_packet::${INTERFACE}"
fi
if [ -n "${SEED_FILE}" ]; then
ZEEK_ARGS="${ZEEK_ARGS} -G ${SEED_FILE}"
fi
if [ "${MODE}" = "intf" ]; then
TIME_FILE=$(mktemp)
echo "####### Testing reading data file from a network interface #######"
echo "Running '${ZEEK_BUILD} ${ZEEK_ARGS}' against ${DATA_FILE}"
# Start zeek, find it's PID, then wait 10s to let it reach a steady state
taskset --cpu-list $ZEEK_CPU time -f "%M" -o $TIME_FILE $ZEEK_BUILD $ZEEK_ARGS &
TIME_PID=$!
sleep 5
ZEEK_PID=$(ps -ef | awk -v timepid="${TIME_PID}" '{ if ($3 == timepid) { print $2 } }')
renice -20 -p $ZEEK_PID >/dev/null
sleep 5
echo "Zeek running on PID ${ZEEK_PID}"
# Start perf stat on the zeek process
perf stat -p $ZEEK_PID &
PERF_PID=$!
# Start replaying the data
echo "Starting replay"
taskset --cpu-list $TCPREPLAY_CPU tcpreplay -i $INTERFACE -q $DATA_FILE
# Capture the average CPU usage of the process
CPU_USAGE=$(ps -p $ZEEK_PID -o %cpu=)
# Kill everything
echo
kill -2 $ZEEK_PID
wait $TIME_PID
wait $PERF_PID
echo "Maximum memory usage (max_rss): $(head -n 1 ${TIME_FILE}) bytes"
echo "Average CPU usage: ${CPU_USAGE}%"
rm $TIME_FILE
elif [ "${MODE}" = "file" ]; then
TIME_FILE=$(mktemp)
echo "####### Testing reading the file directly from disk #######"
taskset --cpu-list $ZEEK_CPU time -f "%e %M" -o $TIME_FILE $ZEEK_BUILD $ZEEK_ARGS -r $DATA_FILE
TIME_PID=$!
ZEEK_PID=$(ps -ef | awk -v timepid="${TIME_PID}" '{ if ($3 == timepid) { print $2 } }')
renice -20 -p $ZEEK_PID >/dev/null
awk '{print "Time spent: " $1 " seconds\nMax memory usage: " $2 " bytes"}' $TIME_FILE
rm $TIME_FILE
elif [ "${MODE}" = "flamegraph" ]; then
echo "####### Generating flamegraph data #######"
PERF_RECORD_FILE=$(mktemp)
PERF_COLLAPSED_FILE=$(mktemp)
# Start zeek under perf record, then sleep for a few seconds to let it actually start up. For runs with
# shorter amounts of data or with slower traffic, you can add '-c 499' here to get finer-grained results.
# With big data sets, it just results in the graph getting blown out by waits in the IO loop.
LD_PRELOAD=${PRELOAD_LIBS} perf record -g -o $PERF_RECORD_FILE -- $ZEEK_BUILD $ZEEK_ARGS &
PERF_PID=$!
sleep 5
ZEEK_PID=$(ps -ef | awk -v perfpid="${PERF_PID}" '{ if ($3 == perfpid) { print $2 } }')
echo "Zeek running on PID ${ZEEK_PID}"
# Start replaying the data
echo "Starting replay"
taskset --cpu-list $TCPREPLAY_CPU tcpreplay -i $INTERFACE -q $DATA_FILE
# Kill everything
echo
kill -2 $ZEEK_PID
wait $PERF_PID
echo
echo "####### Collapsing perf stack data #######"
perf script -i $PERF_RECORD_FILE | ${FLAMEGRAPH_PATH}/stackcollapse-perf.pl >$PERF_COLLAPSED_FILE
echo "####### Building normal flamegraph, writing to ${FLAMEGRAPH_PREFIX}.svg #######"
cat $PERF_COLLAPSED_FILE | ${FLAMEGRAPH_PATH}/flamegraph.pl >"${FLAMEGRAPH_PREFIX}.svg"
echo "####### Building reverse flamegraph, writing to ${FLAMEGRAPH_PREFIX}-reversed.svg #######"
cat $PERF_COLLAPSED_FILE | ${FLAMEGRAPH_PATH}/flamegraph.pl --reverse >"${FLAMEGRAPH_PREFIX}-reversed.svg"
rm $PERF_RECORD_FILE
rm $PERF_COLLAPSED_FILE
fi

18
auxil/zeek-aux/devel-tools/repo-status Executable file
View file

@ -0,0 +1,18 @@
#! /usr/bin/env bash
#
# Helper for check-release.
repo=$(basename $(git config --get remote.origin.url) | sed 's/^[^:]*://')
head=$(basename $(git symbolic-ref -q HEAD))
update_changes="$(dirname $0)/update-changes"
printf "%20s " "$repo"
printf "%-10s " "$head"
printf "%-8s " $($update_changes -c | grep -q NOT && echo 'old!' || echo ok)
printf "%-8s " $(git log --oneline $head ^origin/$head | wc -l | awk '$1==0{printf("%s",$1)} $1!=0{printf("%s!",$1)}')
printf "%-7s " $(git status --porcelain | awk 'NF!=1' | grep -q '.' && echo 'Mod!' || echo ok)
printf "%-5s " $(git submodule status --recursive | sed 's/^\(\.\).*/\1/g' | grep -q '^ $' && echo 'Mod!' || echo ok)
printf "%-15s " $(cat VERSION | awk '/-/{printf("%s!", $1); next} {printf("%s", $1)}')
printf "%s" $(git tag -l --contains HEAD | sort -r | paste -sd ',' | awk '/release|beta/{printf("%s",$1); next;} {printf("%s!",$1)}')
echo

29
auxil/zeek-aux/devel-tools/sign-file Executable file
View file

@ -0,0 +1,29 @@
#! /usr/bin/env bash
#
# Signs $1 with the Zeek GPG key. Signature will be written to $1.asc.
#
# GPG agent needs to be running.
#
# Needs gpg2.
GPG=$(which gpg2)
KEY=F8CB8019
if [ "$GPG" == "" ]; then
echo "Can't find gpg2."
exit 1
fi
if [ "$#" != 1 ]; then
echo "usage: $(basename $0) <file>"
exit 1
fi
if ! gpg-agent -q; then
echo "GPG agent not running."
exit 1
fi
FILE=$1
$GPG --detach-sign -a -u $KEY --openpgp -o $FILE.asc $FILE

630
auxil/zeek-aux/devel-tools/update-changes Executable file
View file

@ -0,0 +1,630 @@
#! /usr/bin/env bash
#
# Assembles a draft CHANGES entry out of revisions committed since the last
# entry was added. The entry is prepended to the current CHANGES file, and the
# user then gets a chance to further edit it in the editor before it gets
# committed.
#
# The script also maintains and updates a VERSION file.
#
# If the script finds a file called .update-changes.cfg it sources it at the
# beginning. That script can define a function "new_version_hook" that will be
# called with the new version number. It may use any of the replace_version_*
# functions defined below to update other files as necessary.
#
# If $1 is given, it's interpreted as a release version and a corresponding
# tag is created.
#
# To start using update-changes in a new project, proceed as follows:
#
# (1) Run "update-changes -I". This will initialize the CHANGES file and, if
# needed, establish suitable git tags that update-changes requires in order
# to start enumerating commits after a release. You can also prepare the
# initial version number in the VERSION file if you prefer that approach.
#
# (2) If you're planning to use an .update-changes.cfg file, add it as well as
# any corresponding changes it requires. Continue regular development, and
# when ready, run update-changes to reflect the first actual changeset in
# the CHANGES file.
#
file_changes="CHANGES" # The CHANGES file.
file_version="VERSION" # The VERSION file.
file_config=".update-changes.cfg" # This will be sourced if available.
new_version_hook="new_version_hook" # Function that will be called with new version number.
new_commit_msg="Updating CHANGES and VERSION." # Commit message when creating a new commit.
init_commit_msg="Starting CHANGES." # Commit message when we initialize CHANGES
show_authors=1 # Include author names with commit.
# The command line used to generate a revision's version string, such as
# v1.0.0-23-gabcdef. This relies on tags to work, which update-changes checks
# for. By default this only finds annotated tags; to allow lightweight ones as
# well, add --tags.
git_describe="git describe --tags" # {rev} will be added.
# The command line used to generate a revision's date. The revision will be
# appended. Not used with Zeek-style CHANGES file.
git_rev_date="git show -s --pretty=tformat:%ci"
# The command line used to generate the list of revisions between old and new
# state.
git_rev_list="git rev-list --topo-order HEAD" # ^{past-rev} will be added.
# The command line used to show the one-line summary of a revision before
# editing.
git_rev_summary="git show -s '--pretty=tformat: %h | %aN | %s'" # {rev} will be added.
# The command line used to get a revision's author.
git_author="git show -s --pretty=format:%aN" # {rev} will be added.
git_author_email="git show -s --pretty=format:%aE" # {rev} will be added.
# The command line used to get a revision's message.
git_msg=default_format_msg # {rev} will be added.
# Portable access to ERE, see e.g. https://unix.stackexchange.com/a/131940
if [ $(uname) == "Linux" ]; then
sed="sed -r"
else
sed="sed -E"
fi
function usage {
echo "usage: $(basename $0) [options]"
echo
echo " -p <rev> Explicitly name the past revision to compare with."
echo " -R <tag> Tag the current revision as a release. Update VERSION to use that."
echo " -B <tag> Tag the current revision as a beta release. Update VERSION to use that."
echo " -r Tag the current revision as a release, using the next point version as version tag."
echo " -I Initialize a new, initially empty CHANGES file."
echo " -c Check whether CHANGES is up to date."
echo " -n Do not amend the HEAD commit when feasible, create a new one."
echo
exit 1
}
# Takes a version string as input and turns it into a Python-styled one. For
# example, input "1.2-23" becomes "1.2.dev23". Other formats remain
# unchanged. See: https://peps.python.org/pep-0440/#version-scheme
function pythonic_version {
echo "$1" | $sed "s#-#.dev#"
}
### Functions that can be used to replace version strings in other files.
### To use them, create a file $file_config and define a function
### "new_version_hook" in there that does whatever is necessary, like calling
### any of these.
# Function that looks for lines of the form 'VERSION="1.2.3"' in $1. It will
# replace the version number with $2 and then git-adds the change.
function replace_version_in_script {
file=$1
version=$2
cat $file | $sed "s#^([[:blank:]]*VERSION[[:blank:]]*=[[:blank:]]*)\"([0-9.-]+)\"#\1\"$version\"#g" >$file.tmp
cat $file.tmp >$file
rm -f $file.tmp
git add $file
}
# Function that looks for lines of the form '.. |version| replace:: 0.3' in $1.
# It will replace the version number with $2 and then git-adds the change.
function replace_version_in_rst {
file=$1
version=$2
cat $file | $sed "s#^([[:blank:]]*\.\.[[:blank:]]*\|version\|[[:blank:]]*replace::[[:blank:]]*)([0-9a-zA-Z.-]+)#\1$version#g" >$file.tmp
cat $file.tmp >$file
rm -f $file.tmp
git add $file
}
# Function that checks file $1 for lines starting with 'version =
# "<version>"', where the version string can be of release form (e.g. "1.2.3")
# or a development one, expressed as "1.2-23" or the Python-styled "1.2.dev23".
# It will replace the version number with a Python-styled form of $2, then
# git-add the change.
function replace_version_in_setup_py {
file=$1
version=$(pythonic_version $2)
# The version string can be a sequence of digits and dots, optionally
# followed by either "-" or ".dev" plus at least one digit.
cat $file | $sed "s#^([[:blank:]]*version[[:blank:]]*=[[:blank:]]*)\"[0-9.]+((-|\.dev)[0-9]+)?\"#\1\"$version\"#g" >$file.tmp
cat $file.tmp >$file
rm -f $file.tmp
git add $file
}
# Function that checks file $1 for lines starting with '__version__ =
# "<version>"', where the version string can be of release form (e.g. "1.2.3")
# or a development one, expressed as "1.2-23" or the Python-styled "1.2.dev23".
# It will replace the version number with a Python-styled form of $2, then
# git-add the change.
function replace_version_in_python_package {
file=$1
version=$(pythonic_version $2)
# The version string can be a sequence of digits and dots, optionally
# followed by either "-" or ".dev" plus at least one digit.
cat $file | $sed "s#^([[:blank:]]*__version__[[:blank:]]*=[[:blank:]]*)\"[0-9.]+((-|\.dev)[0-9]+)?\"#\1\"$version\"#g" >$file.tmp
cat $file.tmp >$file
rm -f $file.tmp
git add $file
}
# Function that looks for lines of the form "#define .*VERSION "0.3"", with the
# number being "version * 100". It will replace the version with $2 and then
# git-adds the change.
function replace_version_in_c_header {
file=$1
version=$2
cat $file | $sed "s#([[:blank:]]*\#define[[:blank:]]*[_A-Za-z0-9]*_VERSION[[:blank:]]*)\"[0-9.-]+\"#\1\"$version\"#g" >$file.tmp
mv $file.tmp $file
git add $file
}
# Default function for preparing commit message. This scans the message for
# GitHub issue references to include.
function default_format_msg {
if command -v gawk &>/dev/null; then
# We need gawk for the match().
git show -s --pretty=format:%B $1 |
gawk '
match($0, "([Ii]ssue|[Gg][Hh]|#)[ _-]?([0-9]+)", x) { issues[x[2]] = 1; }
{ msg = msg $0 "\n"; }
END {
if ( ! match(msg, "^GH-[0-9]+") ) {
for ( i in issues )
printf("GH-%s: ", i);
}
print msg;
}'
else
git show -s --pretty=format:%B $1
fi
}
###
function version {
rev=$1
$git_describe $rev --match "v*" 2>/dev/null | $sed 's/^v//g' | $sed 's/-g.*//g' | $sed 's/-([[:alnum:]]+)-([0-9]+)$/-\1.\2/g'
}
function start_changes_entry {
version=$1
dst=$2
if [ "$zeek_style" == "0" ]; then
date=$($git_rev_date HEAD)
printf '%s | %s\n' "$version" "$date" >>$dst
else
date=$(date)
printf '%s %s\n' "$version" "$date" >>$dst
fi
}
function add_to_changes_entry {
rev=$1
dst=$2
msg=$3
author=""
if [ "$msg" == "" ]; then
if [ "$show_authors" == "1" ]; then
author_email=$($git_author_email $rev)
author=$($git_author $rev)
if [[ "$author_email" == *@corelight.com ]]; then
author=" ($author, Corelight)"
else
author=" ($author)"
fi
fi
msg=$($git_msg $rev)
fi
if [ "$msg" == "" ]; then
return 1
fi
if echo $msg | grep -q "^$new_commit_msg\$"; then
# Ignore our own automated commits.
return 1
fi
if [[ $(git show --no-patch --format='%P' "$rev" | wc -w) -gt 1 ]]; then
# Ignore merge commits, i.e., commits with more than one parent.
return 1
fi
echo >>$dst
if [ "$zeek_style" == "0" ]; then
bullet=" *"
else
bullet="-"
fi
echo -n "$msg" |
awk -v bullet="$bullet" -v author="$author" 'NR==1{printf "%s %s%s\n", bullet, $0, author; next }{printf " %s\n", $0}' |
$sed 's/[[:blank:]]*$//' >>$dst
return 0
}
function init_changes {
for rev in $(git rev-list HEAD); do
version=$(version $rev)
[ -n "$version" ] && break
done
git_version=$version
if [ "$version" == "" ] && [ -f $file_version ]; then
# git doesn't offer version info, but there's a VERSION file.
# Consider it if the user's okay with it.
version=$(cat $file_version | head -1)
if [ -n "$version" ]; then
echo "This git repo doesn't yet offer suitable version tags."
read -p "Use '$version' from $file_version? Y/n " -n 1 -r
echo
if [ -n "$REPLY" ] && [[ $REPLY != [Yy] ]]; then
version=
fi
fi
fi
if [ "$version" == "" ]; then
read -p "No initial version available, please provide one (e.g. 0.1, 1.0.0): " -r version
if [[ "$version" == v* ]]; then
# We don't need a "v" prefix here, it only exists in the git tags.
version=${version:1}
fi
fi
# Subtle: if we're basing this CHANGES intro on a git tag, then we have a
# chicken-and-egg problem with correct numbering of the commit introducing
# CHANGES. It is itself going to be the _next_ commit. We could increment
# the git-derived version number arithmetically, but it's easier to just
# commit an empty CHANGES and then augment that below.
if [ -n "$git_version" ]; then
touch $file_changes
git add $file_changes
git commit -m "$init_commit_msg"
version=$(version HEAD)
flags="--amend"
fi
start_changes_entry $version $file_changes
echo >>$file_changes
echo " * Starting $file_changes." >>$file_changes
git add $file_changes
git commit $flags -m "$init_commit_msg"
if [ -z "$git_version" ]; then
git tag "v$version"
fi
}
function get_last_rev {
version=$(cat $file_changes | grep -E '^[0-9a-zA-Z.-]+ *\|' | head -1 | awk '{print $1}')
if echo $version | grep -q -- '-'; then
# version is now e.g. 1.0.4-14 -- find the revision with that number.
for rev in $(git rev-list HEAD); do
v=$(version $rev)
if [ "$v" == "$version" ]; then
echo $rev
return
fi
done
echo "Cannot determine revision for version $version." >/dev/stderr
exit 1
else
# A tag.
echo "v$version"
fi
}
function check_release_tag {
if [ "$release" != "" ]; then
git tag -d $release 2>/dev/null
git tag -a $release -m "Version tag"
echo "Tagged with new tag $release."
echo
echo "Push with: "
echo
echo " git push origin && git push origin $release"
echo
fi
}
function check_beta_tag {
if [ "$beta" != "" ]; then
git tag -d $beta 2>/dev/null
git tag -a $beta -m "Beta version tag"
echo "Tagged with new tag $beta."
echo
echo "Push with: "
echo
echo " git push origin && git push origin $beta"
echo
fi
}
function check_submodules {
if git submodule status --recursive | grep ^+; then
cat <<EOF
The revision recorded for the module(s) above does not
match the one currently checked out in the respective
subdirs.
Please either update or checkout the recorded revision(s).
Aborting.
EOF
exit 1
fi
}
function get_release_version {
# If $1 is provided, return that. Otherwise look for most recent release
# version in CHANGES and increase its point version.
test -n "$1" && echo "$1" && return
old=$(cat $file_changes | grep -E '^[0-9]+\.[0-9]+\.[0-9]+(-(dev\.)?[0-9]+)? ' | cut -d ' ' -f 1 | head -1)
test -z "${old}" && echo "" && return
point=$(echo ${old} | cut -d - -f 1 | cut -d . -f 3)
point=$((${point} + 1))
new="$(echo ${old} | cut -d . -f 1-2).${point}"
echo v${new}
}
######
last_rev=""
release=""
beta=""
init=0
check=0
quiet=0
no_amends=0
while getopts "hp:rR:B:Icn" opt; do
case "$opt" in
p) last_rev="$OPTARG" ;;
R) release="$OPTARG" ;;
r)
release=$(get_release_version)
if [ -z "${release}" ]; then
echo "Cannot determine release version."
exit 1
fi
;;
B) beta="$OPTARG" ;;
I) init=1 ;;
c)
check=1
quiet=1
;;
n) no_amends=1 ;;
*) usage ;;
esac
done
if [ -e $file_config ]; then
if [ "$quiet" != "1" ]; then
echo Reading $file_config ...
fi
source ./$file_config
fi
if [ "$release" != "" -a "$beta" != "" ]; then
echo "Cannot tag as both beta and release."
exit 1
fi
if [ "$release" == "VERSION" ]; then
release="v$(cat VERSION)"
fi
if [ "$beta" == "VERSION" ]; then
beta="v$(cat VERSION)"
fi
zeek_style=0 # If 1, we use a slightly different format.
if [ "$init" != "0" ]; then
if [ -e $file_changes ]; then
echo "$file_changes already exists, remove it first."
exit 1
else
echo "Initializing $file_changes ..."
init_changes
exit 0
fi
else
if [ ! -e $file_changes ]; then
echo "$file_changes does not exist, initialize it with '-I'."
exit 1
else
# If we find this marker, it's Zeek-style CHANGES file.
grep -vq -- '-+-+-+-+-+-+-+-+-+-' $file_changes
zeek_style=$?
fi
fi
if [ "$release" != "" ]; then
if ! echo $release | grep -E -q '^v[0-9]+\.[0-9]+'; then
echo "Release tag must be of the form vX.Y[.Z]"
exit 1
fi
check_submodules
fi
if [ "$beta" != "" ]; then
if ! echo $beta | grep -E -q '^v[0-9]+\.[0-9]+(\.[0-9]+)?-(beta|rc)'; then
echo "Release tag must be of the form vX.Y[.Z]-(beta|rc)*"
exit 1
fi
check_submodules
fi
if [ "$last_rev" == "" ]; then
last_rev=$(get_last_rev)
fi
if [ "$last_rev" == "" ]; then
echo 'Cannot determine previous revision to compare with, specify with "-p <rev>".'
exit 1
fi
auto_version=$(version HEAD)
if [ "$auto_version" == "" ]; then
echo "Cannot determine version, checking HEAD did not return anything."
exit 1
fi
tmp=${file_changes}.$$.tmp
trap "rm -f $tmp" EXIT
rm -f $tmp
found=0
new_version=$auto_version
version=$(version $rev)
if [ "$version" == "" ]; then
echo "Cannot determine version for $rev."
exit 1
fi
if [ "$release" != "" ]; then
new_version=$(echo $release | sed 's/v//g')
fi
if [ "$beta" != "" ]; then
new_version=$(echo $beta | sed 's/v//g')
fi
if [ "$quiet" != "1" ]; then
echo "New version is $new_version."
echo "Listing revisions committed since $(version $last_rev) ($last_rev) ... "
echo
fi
start_changes_entry $new_version $tmp
for rev in $($git_rev_list ^$last_rev); do
version=$(version $rev)
if [ "$version" == "" ]; then
version="<no-version>"
fi
# printf "%15s |" $version
if add_to_changes_entry $rev $tmp; then
found=1
if [ "$quiet" != "1" ]; then
eval "$git_rev_summary $rev | grep -v '^$' | cat"
fi
fi
done
if [ "$found" == "0" ]; then
if [ "$check" == "1" ]; then
echo "CHANGES is up to date."
exit 0
fi
echo " None."
echo
if [ "$release" != "" -o "$beta" != "" ]; then
add_to_changes_entry head $tmp "Release $new_version."
else
exit 0
fi
fi
if [ "$check" == "1" ]; then
echo "CHANGES is NOT up to date."
exit 1
fi
echo >>$tmp
cat $file_changes >>$tmp
# If we are ahead of origin, we can amend. If not, we need to create a new
# commit even if the user wants otherwise. If the user requested -n (no
# amendments), we skip all of this.
amend=0
if [ $no_amends == "0" ] &&
git remote | grep -q origin &&
git rev-list origin/$(git rev-parse --abbrev-ref HEAD)..HEAD | grep -q .; then
amend=1
fi
echo
if [ "$amend" == "0" ]; then
echo Update to $file_changes will become a new commit.
else
echo Update to $file_changes will be amended to last commit.
fi
echo
echo Type Enter to edit new $file_changes, or CTRL-C to abort without any modifications.
read
# Run editor.
if [ -z "$EDITOR" ]; then
EDITOR=vi
fi
eval $EDITOR $tmp
# Put changes in place.
mv $tmp $file_changes
echo "Updated $file_changes."
if [ "$file_version" != "" ]; then
echo $new_version >$file_version
echo "Updated $version to $new_version."
fi
# Call hook function if it exists.
if type $new_version_hook >/dev/null 2>&1; then
$new_version_hook $new_version
fi
# Commit changes.
git add $file_changes $file_version
if [ "$amend" == "1" ]; then
git commit --amend
else
git commit -m "$new_commit_msg"
fi
echo "Updates committed."
check_release_tag
check_beta_tag

57
auxil/zeek-aux/devel-tools/zeek_lldb_utils.py Normal file
View file

@ -0,0 +1,57 @@
import lldb
from ansi.color import fg
from ansi.color.fx import reset
from linereader import getline
# Cache script lines and files so that we don't have to load files repeatedly
script_lines = {}
# TODO: make this check that the thread is actually stopped and return an error if not
@lldb.command("btz")
def backtrace_zeek(debugger, command, exe_ctx, result, d):
selected_thread = exe_ctx.GetProcess().GetSelectedThread()
thread = exe_ctx.GetThread()
# I'd prefer to retrieve this from LLDB somehow, but the earlier versions
# don't have SDDebugger.GetSetting(), and I'm not really sure we could use
# the output from that anyways.
thread_format = f"{'*' if selected_thread.idx == thread.idx else ' '} thread #{thread.idx}, name = '{thread.name}', queue = {fg.green}'{thread.queue}'{reset}, stop reason = {fg.red}{thread.GetStopDescription(100)}{reset}"
print(thread_format)
selected_frame = thread.GetSelectedFrame().idx
for frame in thread.get_thread_frames():
frame_output = f" {'*' if frame.idx == selected_frame else ' '} "
frame_output += f"{frame}"
this = frame.FindVariable("this")
if this:
loc_ptr = this.GetChildMemberWithName("location")
if loc_ptr and loc_ptr.GetType().GetName() == "zeek::detail::Location *":
if loc_ptr.GetValueAsUnsigned() != 0:
loc = frame.EvaluateExpression("*(this->location)")
fname = (
loc.GetChildMemberWithName("filename").GetSummary().strip('"')
)
line_no = loc.GetChildMemberWithName(
"first_line"
).GetValueAsUnsigned()
frame_output += f"\n {fg.green}zeek script:{reset} {fname}"
fileinfo = f"{fname}:{line_no}"
if fileinfo in script_lines:
line = script_lines[fileinfo]
else:
line = getline(fname, line_no)
line = line.strip()
script_lines[fileinfo] = line
if line:
line_hdr = f"line {line_no}"
frame_output += (
f"\n {fg.green}{line_hdr: >11}:{reset} {line}"
)
print(frame_output)

4
auxil/zeek-aux/plugin-support/README Normal file
View file

@ -0,0 +1,4 @@
The init-plugin script instantiates a plugin template to provide you with a good
starting point for your next Zeek plugin. Use this only if you want to develop
a "pure" Zeek plugin -- if you're looking to start a Zeek package for the zkg
package manager, then use the "zkg create" command instead.

96
auxil/zeek-aux/plugin-support/init-plugin Executable file
View file

@ -0,0 +1,96 @@
#! /usr/bin/env bash
function abspath {
(
cd "$1"
pwd
)
}
function relpath {
echo "$1" | sed "s#$(pwd)/\{0,1\}##g"
}
function lower {
echo "$1" | tr A-Z a-z
}
function upper {
echo "$1" | tr a-z A-Z
}
function init-skeleton {
for i in $(cd ${skeleton} && find * -type d); do
mkdir -p $(echo ${plugin_src}/$i)
done
for i in $(cd ${skeleton} && find * .??* -type f); do
src=${skeleton}/$i
dst=$(echo ${plugin_src}/$i)
dst=$(echo $dst | sed "s#%NS_LOWER#${plugin_ns_lower}#g")
dst=$(echo $dst | sed "s#%NAME_LOWER#${plugin_name_lower}#g")
dst=$(echo $dst | sed "s#%NS#${plugin_ns}#g")
dst=$(echo $dst | sed "s#%NAME#${plugin_name}#g")
dst=$(echo $dst | sed "s#@#/#g")
tmp=$dst.$$.tmp
mkdir -p $(dirname ${dst})
cp -p ${src} ${tmp} # Copy first to preserve permissions.
cat ${src} |
sed "s/@PLUGIN_NAME@/${plugin_name}/g" |
sed "s/@PLUGIN_NAMESPACE@/${plugin_ns}/g" |
sed "s/@PLUGIN_NAME_UPPER@/${plugin_name_upper}/g" |
sed "s/@PLUGIN_NAMESPACE_UPPER@/${plugin_ns_upper}/g" |
sed "s/@PLUGIN_NAME_LOWER@/${plugin_name_lower}/g" |
sed "s/@PLUGIN_NAMESPACE_LOWER@/${plugin_ns_lower}/g" \
>${tmp}
if [ -e ${dst} ]; then
cmp -s ${tmp} ${dst} || echo "$(relpath ${dst}) exists, not installing new version"
rm -f ${tmp}
continue
fi
echo Installing $(relpath ${dst}) ...
mv ${tmp} ${dst}
done
}
update=0
if [ "$1" == "-u" ]; then
update=1
shift
fi
if [ $# != 3 ]; then
echo "Usage: $(basename $0) [-u] <dst-dir> <namespace> <plugin name>"
exit 1
fi
dstdir=$1
if [ -e "${dstdir}" -a ${update} != 1 ]; then
echo "error: ${dstdir} already exists, use -u if you want to update skeleton files in there."
exit 1
fi
mkdir -p ${dstdir}
dstdir=$(abspath ${dstdir})
basedir=$(dirname $0)
skeleton=$(abspath ${basedir})/skeleton
plugin_ns=$2
plugin_name=$3
plugin_ns_lower=$(lower $2)
plugin_name_lower=$(lower $3)
plugin_ns_upper=$(upper $2)
plugin_name_upper=$(upper $3)
plugin_src=${dstdir}
plugin_build=${dstdir}/dylib
init-skeleton
which git >/dev/null 2>&1 && (cd ${dstdir} && git init . && git add .)

3
auxil/zeek-aux/plugin-support/skeleton/.gitignore vendored Normal file
View file

@ -0,0 +1,3 @@
build
*.log
.state

0
auxil/zeek-aux/plugin-support/skeleton/CHANGES Normal file
View file

21
auxil/zeek-aux/plugin-support/skeleton/CMakeLists.txt Normal file
View file

@ -0,0 +1,21 @@
cmake_minimum_required(VERSION 3.15 FATAL_ERROR)
project(ZeekPlugin@PLUGIN_NAME@)
include(ZeekPlugin)
zeek_plugin_begin(@PLUGIN_NAMESPACE@ @PLUGIN_NAME@ ${ZEEK_PLUGIN_BEGIN_OPTS})
zeek_plugin_cc(src/Plugin.cc)
zeek_plugin_bif(src/@PLUGIN_NAME_LOWER@.bif)
zeek_plugin_dist_files(README CHANGES COPYING VERSION)
zeek_plugin_scripts(scripts/__load__.zeek scripts/__preload__.zeek scripts/types.zeek
scripts/@PLUGIN_NAMESPACE@/@PLUGIN_NAME@/__load__.zeek)
zeek_plugin_end()
file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")
# Allows building rpm/deb packages via "make package" in build dir.
include(ConfigurePackaging)
ConfigurePackaging(${VERSION})
endif ()

35
auxil/zeek-aux/plugin-support/skeleton/COPYING.edit-me Normal file
View file

@ -0,0 +1,35 @@
###
### This is a BSD-style license. If you're happy with it, just edit
### the XXX parts below and remove this comment. Otherwise, put in
### your own license instead.
###
Copyright (c) 2018 by <XXX YOU or YOUR ORGANIZATION XXX>
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
(1) Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
(2) Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
(3) Neither the name of <XXX YOU and/or YOUR ORGANIZATION XXX>, nor
the names of contributors may be used to endorse or promote
products derived from this software without specific prior written
permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

29
auxil/zeek-aux/plugin-support/skeleton/Makefile Normal file
View file

@ -0,0 +1,29 @@
#
# Convenience Makefile providing a few common top-level targets.
#
cmake_build_dir=build
arch=`uname -s | tr A-Z a-z`-`uname -m`
all: build-it
build-it:
@test -e $(cmake_build_dir)/config.status || ./configure
-@test -e $(cmake_build_dir)/CMakeCache.txt && \
test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep ZEEK_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \
echo Updating stale CMake cache && \
touch $(cmake_build_dir)/CMakeCache.txt
( cd $(cmake_build_dir) && make )
install:
( cd $(cmake_build_dir) && make install )
clean:
( cd $(cmake_build_dir) && make clean )
distclean:
rm -rf $(cmake_build_dir)
test:
make -C tests

5
auxil/zeek-aux/plugin-support/skeleton/README Normal file
View file

@ -0,0 +1,5 @@
@PLUGIN_NAMESPACE@::@PLUGIN_NAME@
=================================
<Insert plugin documentation here.>

1
auxil/zeek-aux/plugin-support/skeleton/VERSION Normal file
View file

@ -0,0 +1 @@
0.1.0

190
auxil/zeek-aux/plugin-support/skeleton/configure vendored Executable file
View file

@ -0,0 +1,190 @@
#!/bin/sh
#
# Wrapper for viewing/setting options that the plugin's CMake
# scripts will recognize.
#
# Don't edit this. Edit configure.plugin to add plugin-specific options.
#
set -e
command="$0 $*"
if [ -e $(dirname $0)/configure.plugin ]; then
# Include custom additions.
. $(dirname $0)/configure.plugin
fi
usage() {
cat 1>&2 <<EOF
Usage: $0 [OPTIONS]
Plugin Options:
--cmake=PATH Path to CMake binary
--zeek-dist=DIR Path to Zeek source tree
--install-root=DIR Path where to install plugin into
--with-binpac=DIR Path to BinPAC installation root
--with-broker=DIR Path to Broker installation root
--with-bifcl=PATH Path to bifcl executable
--enable-debug Compile in debugging mode
--disable-cpp-tests Don't build C++ unit tests
EOF
if type plugin_usage >/dev/null 2>&1; then
plugin_usage 1>&2
fi
echo
exit 1
}
# Function to append a CMake cache entry definition to the
# CMakeCacheEntries variable
# $1 is the cache entry variable name
# $2 is the cache entry variable type
# $3 is the cache entry variable value
append_cache_entry() {
CMakeCacheEntries="$CMakeCacheEntries -D $1:$2=$3"
}
# set defaults
builddir=build
zeekdist=""
installroot="default"
zeek_plugin_begin_opts=""
CMakeCacheEntries=""
while [ $# -ne 0 ]; do
case "$1" in
-*=*) optarg=$(echo "$1" | sed 's/[-_a-zA-Z0-9]*=//') ;;
*) optarg= ;;
esac
case "$1" in
--help | -h)
usage
;;
--cmake=*)
CMakeCommand=$optarg
;;
--zeek-dist=*)
zeekdist=$(cd $optarg && pwd)
;;
--install-root=*)
installroot=$optarg
;;
--with-binpac=*)
append_cache_entry BinPAC_ROOT_DIR PATH $optarg
binpac_root=$optarg
;;
--with-broker=*)
append_cache_entry BROKER_ROOT_DIR PATH $optarg
broker_root=$optarg
;;
--with-bifcl=*)
append_cache_entry BifCl_EXE PATH $optarg
;;
--enable-debug)
append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
;;
--disable-cpp-tests)
zeek_plugin_begin_opts="DISABLE_CPP_TESTS;$zeek_plugin_begin_opts"
;;
*)
if type plugin_option >/dev/null 2>&1; then
plugin_option $1 && shift && continue
fi
echo "Invalid option '$1'. Try $0 --help to see available options."
exit 1
;;
esac
shift
done
if [ -z "$CMakeCommand" ]; then
# prefer cmake3 over "regular" cmake (cmake == cmake2 on RHEL)
if command -v cmake3 >/dev/null 2>&1; then
CMakeCommand="cmake3"
elif command -v cmake >/dev/null 2>&1; then
CMakeCommand="cmake"
else
echo "This plugin requires CMake, please install it first."
echo "Then you may use this script to configure the CMake build."
echo "Note: pass --cmake=PATH to use cmake in non-standard locations."
exit 1
fi
fi
if [ -z "$zeekdist" ]; then
if type zeek-config >/dev/null 2>&1; then
zeek_config="zeek-config"
else
echo "Either 'zeek-config' must be in PATH or '--zeek-dist=<path>' used"
exit 1
fi
append_cache_entry BRO_CONFIG_PREFIX PATH $(${zeek_config} --prefix)
append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH $(${zeek_config} --include_dir)
append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH $(${zeek_config} --plugin_dir)
append_cache_entry BRO_CONFIG_LIB_DIR PATH $(${zeek_config} --lib_dir)
append_cache_entry BRO_CONFIG_CMAKE_DIR PATH $(${zeek_config} --cmake_dir)
append_cache_entry CMAKE_MODULE_PATH PATH $(${zeek_config} --cmake_dir)
build_type=$(${zeek_config} --build_type)
if [ "$build_type" = "debug" ]; then
append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
fi
if [ -z "$binpac_root" ]; then
append_cache_entry BinPAC_ROOT_DIR PATH $(${zeek_config} --binpac_root)
fi
if [ -z "$broker_root" ]; then
append_cache_entry BROKER_ROOT_DIR PATH $(${zeek_config} --broker_root)
fi
else
if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then
echo "$zeekdist does not appear to be a valid Zeek source tree."
exit 1
fi
append_cache_entry ZEEK_DIST PATH $zeekdist
append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake
fi
if [ "$installroot" != "default" ]; then
mkdir -p $installroot
append_cache_entry BRO_PLUGIN_INSTALL_ROOT PATH $installroot
fi
if [ -n "$zeek_plugin_begin_opts" ]; then
append_cache_entry ZEEK_PLUGIN_BEGIN_OPTS STRING "$zeek_plugin_begin_opts"
fi
if type plugin_addl >/dev/null 2>&1; then
plugin_addl
fi
echo "Build Directory : $builddir"
echo "Zeek Source Directory : $zeekdist"
mkdir -p $builddir
cd $builddir
"$CMakeCommand" $CMakeCacheEntries ..
echo "# This is the command used to configure this build" >config.status
echo $command >>config.status
chmod u+x config.status

31
auxil/zeek-aux/plugin-support/skeleton/configure.plugin Normal file
View file

@ -0,0 +1,31 @@
#!/bin/sh
#
# Hooks to add custom options to the configure script.
#
plugin_usage()
{
: # Do nothing
# cat <<EOF
# --with-foo=DIR Path to foo
# EOF
}
plugin_option()
{
case "$1" in
# --with-foo=*)
# append_cache_entry FOO_DIR PATH $optarg
# return 0
# ;;
*)
return 1;
;;
esac
}
plugin_addl()
{
: # Do nothing
}

9
auxil/zeek-aux/plugin-support/skeleton/scripts/%NS@%NAME@__load__.zeek Normal file
View file

@ -0,0 +1,9 @@
#
# This is processed when a user explicitly loads the plugin's script module
# through `@load <plugin-namespace>/<plugin-name>`. Include code here that
# should execute at that point. This is the most common entry point to
# your plugin's accompanying scripts.
#
# @load ./bar

10
auxil/zeek-aux/plugin-support/skeleton/scripts/__load__.zeek Normal file
View file

@ -0,0 +1,10 @@
#
# This is loaded automatically at Zeek startup once the plugin gets activated
# and its BiF elements have become available. Include code here that should
# always execute unconditionally at that time.
#
# Note that often you may want your plugin's accompanying scripts not here, but
# in scripts/<plugin-namespace>/<plugin-name>/__load__.zeek. That's processed
# only on explicit `@load <plugin-namespace>/<plugin-name>`.
#

11
auxil/zeek-aux/plugin-support/skeleton/scripts/__preload__.zeek Normal file
View file

@ -0,0 +1,11 @@
#
# This is loaded automatically at Zeek startup once the plugin gets activated,
# but before any of the BiFs that the plugin defines become available.
#
# This is primarily for defining types that BiFs already depend on. If you
# need to do any other unconditional initialization, that should go into
# __load__.zeek instead.
#
@load ./types

1
auxil/zeek-aux/plugin-support/skeleton/scripts/types.zeek Normal file
View file

@ -0,0 +1 @@

1
auxil/zeek-aux/plugin-support/skeleton/src/%NAME_LOWER.bif Normal file
View file

@ -0,0 +1 @@

17
auxil/zeek-aux/plugin-support/skeleton/src/Plugin.cc Normal file
View file

@ -0,0 +1,17 @@
#include "Plugin.h"
namespace plugin { namespace @PLUGIN_NAMESPACE@_@PLUGIN_NAME@ { Plugin plugin; } }
using namespace plugin::@PLUGIN_NAMESPACE@_@PLUGIN_NAME@;
zeek::plugin::Configuration Plugin::Configure()
{
zeek::plugin::Configuration config;
config.name = "@PLUGIN_NAMESPACE@::@PLUGIN_NAME@";
config.description = "<Insert description>";
config.version.major = 0;
config.version.minor = 1;
config.version.patch = 0;
return config;
}

19
auxil/zeek-aux/plugin-support/skeleton/src/Plugin.h Normal file
View file

@ -0,0 +1,19 @@
#pragma once
#include <zeek/plugin/Plugin.h>
namespace plugin {
namespace @PLUGIN_NAMESPACE@_@PLUGIN_NAME@ {
class Plugin : public zeek::plugin::Plugin
{
protected:
// Overridden from zeek::plugin::Plugin.
zeek::plugin::Configuration Configure() override;
};
extern Plugin plugin;
}
}

2
auxil/zeek-aux/plugin-support/skeleton/tests/%NAME_LOWER@show-plugin.zeek Normal file
View file

@ -0,0 +1,2 @@
# @TEST-EXEC: zeek -NN @PLUGIN_NAMESPACE@::@PLUGIN_NAME@ |sed -e 's/version.*)/version)/g' >output
# @TEST-EXEC: btest-diff output

2
auxil/zeek-aux/plugin-support/skeleton/tests/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
.btest.failed.dat
.tmp

2
auxil/zeek-aux/plugin-support/skeleton/tests/Baseline@%NAME_LOWER.show-plugin@output Normal file
View file

@ -0,0 +1,2 @@
@PLUGIN_NAMESPACE@::@PLUGIN_NAME@ - <Insert description> (dynamic, version)

3
auxil/zeek-aux/plugin-support/skeleton/tests/Makefile Normal file
View file

@ -0,0 +1,3 @@
test:
@btest

13
auxil/zeek-aux/plugin-support/skeleton/tests/Scripts/diff-remove-timestamps Executable file
View file

@ -0,0 +1,13 @@
#! /usr/bin/env bash
#
# Replace anything which looks like timestamps with XXXs (including the #start/end markers in logs).
# Get us "modern" regexps with sed.
if [ $(uname) == "Linux" ]; then
sed="sed -r"
else
sed="sed -E"
fi
$sed 's/(0\.000000)|([0-9]{9,10}\.[0-9]{2,8})/XXXXXXXXXX.XXXXXX/g' |
$sed 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g'

36
auxil/zeek-aux/plugin-support/skeleton/tests/Scripts/get-zeek-env Executable file
View file

@ -0,0 +1,36 @@
#! /bin/sh
#
# BTest helper for getting values for Zeek-related environment variables.
base=$(dirname $0)
zeek_dist=$(cat ${base}/../../build/CMakeCache.txt | grep ZEEK_DIST | cut -d = -f 2)
if [ -n "${zeek_dist}" ]; then
if [ "$1" = "zeekpath" ]; then
${zeek_dist}/build/zeek-path-dev
elif [ "$1" = "zeek_plugin_path" ]; then
(cd ${base}/../.. && pwd)
elif [ "$1" = "path" ]; then
echo ${zeek_dist}/build/src:${zeek_dist}/aux/btest:${zeek_dist}/auxil/btest:${base}/:${zeek_dist}/aux/zeek-cut:${zeek_dist}/auxil/zeek-cut:$PATH
else
echo "usage: $(basename $0) <var>" >&2
exit 1
fi
else
# Use Zeek installation for testing. In this case zeek-config must be in PATH.
if ! which zeek-config >/dev/null; then
echo "zeek-config not found" >&2
exit 1
fi
if [ "$1" = "zeekpath" ]; then
zeek-config --zeekpath
elif [ "$1" = "zeek_plugin_path" ]; then
(cd ${base}/../.. && pwd)
elif [ "$1" = "path" ]; then
echo ${PATH}
else
echo "usage: $(basename $0) <var>" >&2
exit 1
fi
fi

17
auxil/zeek-aux/plugin-support/skeleton/tests/btest.cfg Normal file
View file

@ -0,0 +1,17 @@
[btest]
TestDirs = @PLUGIN_NAME_LOWER@
TmpDir = %(testbase)s/.tmp
BaselineDir = %(testbase)s/Baseline
IgnoreDirs = .svn CVS .tmp
IgnoreFiles = *.tmp *.swp #* *.trace .DS_Store
[environment]
ZEEKPATH=`%(testbase)s/Scripts/get-zeek-env zeekpath`
ZEEK_PLUGIN_PATH=`%(testbase)s/Scripts/get-zeek-env zeek_plugin_path`
ZEEK_SEED_FILE=%(testbase)s/random.seed
PATH=`%(testbase)s/Scripts/get-zeek-env path`
TZ=UTC
LC_ALL=C
TRACES=%(testbase)s/Traces
TMPDIR=%(testbase)s/.tmp
TEST_DIFF_CANONIFIER=%(testbase)s/Scripts/diff-remove-timestamps

21
auxil/zeek-aux/plugin-support/skeleton/tests/random.seed Normal file
View file

@ -0,0 +1,21 @@
2983378351
1299727368
0
310447
0
1409073626
3975311262
34130240
1450515018
1466150520
1342286698
1193956778
2188527278
3361989254
3912865238
3596260151
517973768
1462428821
0
2278350848
32767

5
auxil/zeek-aux/rst/CMakeLists.txt Normal file
View file

@ -0,0 +1,5 @@
set(rst_SRCS rst.c)
add_executable(rst ${rst_SRCS})
AddAuxInstallTarget(rst)

408
auxil/zeek-aux/rst/rst.c Normal file
View file

@ -0,0 +1,408 @@
/* Derived from traceroute, which has the following copyright:
*
* Copyright (c) 1999, 2002
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#ifndef lint
static const char copyright[] =
"@(#) Copyright (c) 1999, 2002\nThe Regents of the University of California. All rights reserved.\n";
#endif
/* need this due to linux's funny idea of a tcphdr */
#if defined(__linux__)
#define _DEFAULT_SOURCE
#define _BSD_SOURCE /* Deprecated, but still needed by older Linux. */
#endif
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "config.h"
/* Forwards */
void gripe(const char *, const char *);
void pgripe(const char *);
uint16_t in_cksum(register uint16_t *, register int);
int ones_complement_checksum(const void *, int, uint32_t);
int tcp_checksum(const struct ip *, const struct tcphdr *, int);
void send_pkt(int, struct in_addr, int, uint32_t, struct in_addr,
int, uint32_t, int, int, int, int, const char *);
void terminate(int, const char *, int, uint32_t, const char *,
int, uint32_t, int, int, int, int, const char *);
void usage(void);
int main(int, char **);
const char *prog_name;
void gripe(const char *fmt, const char *arg)
{
fprintf(stderr, "%s: ", prog_name);
fprintf(stderr, fmt, arg);
fprintf(stderr, "\n");
}
void pgripe(const char *msg)
{
fprintf(stderr, "%s: %s (%s)\n", prog_name, msg, strerror(errno));
exit(1);
}
/*
* Checksum routine for Internet Protocol family headers (C Version)
*/
uint16_t
in_cksum(register uint16_t *addr, register int len)
{
register int nleft = len;
register uint16_t *w = addr;
register uint16_t answer;
register int sum = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum),
* we add sequential 16 bit words to it, and at the end, fold
* back all the carry bits from the top 16 bits into the lower
* 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1)
sum += *(u_char *)w;
/*
* add back carry outs from top 16 bits to low 16 bits
*/
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return (answer);
}
// - adapted from tcpdump
// Returns the ones-complement checksum of a chunk of b short-aligned bytes.
int ones_complement_checksum(const void *p, int b, uint32_t sum)
{
const uint16_t *sp = (uint16_t *) p; // better be aligned!
b /= 2; // convert to count of short's
/* No need for endian conversions. */
while ( --b >= 0 )
sum += *sp++;
while ( sum > 0xffff )
sum = (sum & 0xffff) + (sum >> 16);
return sum;
}
int tcp_checksum(const struct ip *ip, const struct tcphdr *tp, int len)
{
int tcp_len = tp->th_off * 4 + len;
uint32_t sum = 0;
// There's a weird bug in some versions of GCC where building with -O2 or
// higher will cause the initialization here to get optimized away, and
// lead to the compiler warning that this variable is used uninitialized.
// Using 'volatile' here short-circuits that optimization and fixes the
// warning.
volatile uint32_t addl_pseudo = 0;
if ( len % 2 == 1 )
// Add in pad byte.
sum = htons(((const u_char*) tp)[tcp_len - 1] << 8);
else
sum = 0;
sum = ones_complement_checksum((void*) &ip->ip_src.s_addr, 4, sum);
sum = ones_complement_checksum((void*) &ip->ip_dst.s_addr, 4, sum);
addl_pseudo = (htons(IPPROTO_TCP) << 16) | htons((unsigned short) tcp_len);
sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
sum = ones_complement_checksum((void*) tp, tcp_len, sum);
return sum;
}
void send_pkt(int s, struct in_addr from, int from_port, uint32_t from_seq,
struct in_addr to, int to_port, uint32_t to_seq,
int size, int redundancy, int delay, int flags,
const char *inject)
{
int cc;
int pktlen = 40 + size;
const int max_injection_size = 4096;
char *pkt = malloc(pktlen + max_injection_size + 1024 /* slop */);
struct ip *ip = (struct ip *) pkt;
struct tcphdr *tcp = (struct tcphdr *) &pkt[20];
if ( ! pkt )
pgripe("couldn't malloc memory");
if ( inject && *inject ) {
size = strlen(inject);
if ( size > max_injection_size )
gripe("injection text too large%s", "");
pktlen = 40 + size;
}
memset(pkt, 0, pktlen);
ip->ip_v = IPVERSION;
ip->ip_len = pktlen; /* on FreeBSD, don't use htons(); YMMV */
ip->ip_off = 0;
ip->ip_src = from;
ip->ip_dst = to;
ip->ip_hl = 5;
ip->ip_p = IPPROTO_TCP;
ip->ip_ttl = 255;
ip->ip_id = 0;
ip->ip_sum = in_cksum((uint16_t *) ip, sizeof(*ip));
if (ip->ip_sum == 0)
ip->ip_sum = 0xffff;
tcp->th_sport = htons(from_port);
tcp->th_dport = htons(to_port);
tcp->th_seq = htonl(from_seq);
tcp->th_ack = htonl(to_seq);
tcp->th_off = 5;
tcp->th_flags = flags;
tcp->th_win = 0;
tcp->th_urp = 0;
tcp->th_sum = 0;
if ( inject && *inject ) {
char *payload = &pkt[40];
strcpy(payload, inject);
} else if ( size > 0 )
{
const char *fill_string =
(inject && *inject) ? inject : "BRO-RST\n";
char *payload = &pkt[40];
int n = strlen(fill_string);
int i;
for ( i = size; i > n + 1; i -= n )
{
strcpy(payload, fill_string);
payload += n;
}
for ( ; i > 0; --i )
*(payload++) = '\n';
}
tcp->th_sum = ~tcp_checksum(ip, tcp, size);
while ( redundancy-- > 0 )
{
cc = send(s, (char *) ip, pktlen, 0);
if (cc < 0 || cc != pktlen)
pgripe("problem in sendto()");
usleep(delay * 1000);
}
free(pkt);
}
void terminate(int s, const char *from_addr, int from_port, uint32_t from_seq,
const char *to_addr, int to_port, uint32_t to_seq,
int num, int redundancy, int stride, int delay,
const char *inject)
{
struct sockaddr_in where_from, where_to;
struct sockaddr_in *from = (struct sockaddr_in *) &where_from;
struct sockaddr_in *to = (struct sockaddr_in *) &where_to;
memset(from, 0, sizeof(*from));
memset(to, 0, sizeof(*to));
#ifdef SIN_LEN
from->sin_len = to->sin_len = sizeof(*to);
#endif /* SIN_LEN */
from->sin_family = to->sin_family = AF_INET;
if ( inet_aton(from_addr, (struct in_addr *) &from->sin_addr) == 0 )
gripe("bad from address %s", from_addr);
if ( inet_aton(to_addr, (struct in_addr *) &to->sin_addr) == 0 )
gripe("bad to address %s", to_addr);
if ( connect(s, (struct sockaddr *) &where_to, sizeof(where_to)) < 0 )
pgripe("can't connect");
while ( num-- > 0 )
{
send_pkt(s, from->sin_addr, from_port, from_seq,
to->sin_addr, to_port, to_seq, 0, redundancy, delay,
(*inject ? 0 : TH_RST) | TH_ACK, inject);
if ( num > 0 && stride > 1 )
send_pkt(s, from->sin_addr, from_port, from_seq,
to->sin_addr, to_port, to_seq, stride,
redundancy, delay, TH_ACK, inject);
from_seq += stride;
}
}
void usage()
{
#if defined(__linux__)
fprintf(stderr, "%s [-R] [-I text-to-inject] [-i interface] [-d delay-msec] [-n num] [-r redundancy] [-s stride] from_addr from_port from_seq to_addr to_port to_seq\n", prog_name);
#else
fprintf(stderr, "%s [-R] [-I text-to-inject] [-d delay-msec] [-n num] [-r redundancy] [-s stride] from_addr from_port from_seq to_addr to_port to_seq\n", prog_name);
#endif
exit(0);
}
int main(int argc, char **argv)
{
extern char* optarg;
extern int optind, opterr;
const char *from_addr, *to_addr;
char inject[8192];
int from_port, to_port;
uint32_t from_seq, to_seq;
int delay = 0.0;
int redundancy = 1;
int num = 1;
int stride = 1;
int reverse = 0;
int s;
int on = 1;
int op;
prog_name = argv[0];
opterr = 0;
inject[0] = 0;
#if defined(__linux__)
char *interface = NULL;
while ( (op = getopt(argc, argv, "RI:i:d:n:r:s:")) != EOF )
#else
while ( (op = getopt(argc, argv, "RI:d:n:r:s:")) != EOF )
#endif
switch ( op ) {
case 'R':
reverse = 1;
break;
case 'I':
{
char *ap = optarg;
char *ip;
for ( ip = inject; *ap; ++ip, ++ap ) {
if ( ap[0] == '\\' && ap[1] == 'n' )
*ip = '\n', ++ap;
else
*ip = *ap;
}
}
break;
#if defined(__linux__)
case 'i':
interface = optarg;
break;
#endif
case 'd':
delay = atoi(optarg);
break;
case 'n':
num = atoi(optarg);
break;
case 'r':
redundancy = atoi(optarg);
break;
case 's':
stride = atoi(optarg);
break;
default:
usage();
break;
}
if ( argc - optind != 6 )
usage();
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if ( s < 0 )
pgripe("couldn't create raw socket");
if ( setuid(getuid()) )
pgripe("couldn't lower privileges");
if ( setsockopt(s, 0, IP_HDRINCL, (char *) &on, sizeof(on)) < 0 )
pgripe("can't turn on IP_HDRINCL");
#if defined(__linux__)
if ( interface ){
if ( setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, interface, strlen(interface)) < 0 )
pgripe("can't set interface");
}
#endif
from_addr = argv[optind++];
from_port = atoi(argv[optind++]);
from_seq = strtoul(argv[optind++], 0, 10);
to_addr = argv[optind++];
to_port = atoi(argv[optind++]);
to_seq = strtoul(argv[optind++], 0, 10);
if ( reverse )
terminate(s, to_addr, to_port, to_seq,
from_addr, from_port, from_seq,
num, redundancy, stride, delay, inject);
else
terminate(s, from_addr, from_port, from_seq,
to_addr, to_port, to_seq,
num, redundancy, stride, delay, inject);
return 0;
}

3
auxil/zeek-aux/testing/.gitignore vendored Normal file
View file

@ -0,0 +1,3 @@
.btest.failed.dat
diag.log
.tmp

5
auxil/zeek-aux/testing/Baseline/update-changes.replace-version-in-c-header/header.h Normal file
View file

@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#define ZEEK_VERSION "1.0.0-2" /* with comment */
#define ZEEK_VERSION "1.0.0-2" /* with comment */
#define FOO_VERSION "1.0.0-2" // another comment
...

7
auxil/zeek-aux/testing/Baseline/update-changes.replace-version-in-python-package/__init__.py Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
__version__ = "1.0.0.dev2", # with comment
__version__ = "1.0.0.dev2", # another comment
__version__ = "1.0.0.dev2", # Python style
__version__ = "0.0.1.nope" # should not change
version = "0.0.1" # should not change
print('Additional change')

7
auxil/zeek-aux/testing/Baseline/update-changes.replace-version-in-rst/test.rst Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
.. |version| replace:: 1.0.0-2
.. |version| replace:: 1.0.0-2
.. |version| replace:: 1.0.0-2
.. |version| replace:: 1.0.0-2
.. |version| replace:: 1.0.0-2
...

8
auxil/zeek-aux/testing/Baseline/update-changes.replace-version-in-script/test.pl Normal file
View file

@ -0,0 +1,8 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
VERSION="1.0.0-2"
VERSION="1.0.0-2"
VERSION="1.0.0-2"
VERSION="1.0.0-2"
VERSION = "1.0.0-2" # with some comment
VERSION = "2.0.0-nope" # with some comment
...

8
auxil/zeek-aux/testing/Baseline/update-changes.replace-version-in-setup-py/setup.py Normal file
View file

@ -0,0 +1,8 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
version = "1.0.0.dev2", # short
version = "1.0.0.dev2", # with dev update
version = "1.0.0.dev2", # long
version = "1.0.0.dev2", # long with dev update
version = "1.0.0.dev2", # Python style
version = "0.0.1.nope" # should not change, invalid suffix
print('Additional change')

2
auxil/zeek-aux/testing/Baseline/zeek-cut.bad-logs/missing-fields-header Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
zeek-cut: bad log header (missing #fields line)

6
auxil/zeek-aux/testing/Baseline/zeek-cut.bad-logs/missing-sep-header Normal file
View file

@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
CjhGID4nQcgTWjvg4c tcp
CCvvfg3TEfuqmmG4bh tcp
CsRx2w45OKnoww6xl4 tcp
CRJuHdVW0XPVINV8a tcp
CXWv6p3arKYeMETxOg tcp

2
auxil/zeek-aux/testing/Baseline/zeek-cut.bad-logs/missing-separator Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
zeek-cut: bad log header (invalid #separator line)

6
auxil/zeek-aux/testing/Baseline/zeek-cut.bad-logs/no-header-column Normal file
View file

@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

6
auxil/zeek-aux/testing/Baseline/zeek-cut.bad-logs/no-header-not-column Normal file
View file

@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

6
auxil/zeek-aux/testing/Baseline/zeek-cut.bad-logs/no-header-show Normal file
View file

@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

2
auxil/zeek-aux/testing/Baseline/zeek-cut.bad-logs/null-separator Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
zeek-cut: bad log header (invalid #separator line)

7
auxil/zeek-aux/testing/Baseline/zeek-cut.columns/all Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1329327783.316897 CjhGID4nQcgTWjvg4c 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21
1329327786.524332 CCvvfg3TEfuqmmG4bh 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21
1329327787.289095 CsRx2w45OKnoww6xl4 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21
1329327795.571921 CRJuHdVW0XPVINV8a 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e
1329327777.822004 CXWv6p3arKYeMETxOg 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21
1329327800.017649 CPbrpk1qSsw6ESzHV4 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e

11
auxil/zeek-aux/testing/Baseline/zeek-cut.columns/different-col-order Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1329843175.736107 CjhGID4nQcgTWjvg4c
1329843179.871641 CCvvfg3TEfuqmmG4bh
1329843194.151526 CsRx2w45OKnoww6xl4
1329843197.783443 CRJuHdVW0XPVINV8a
1329843161.968492 CXWv6p3arKYeMETxOg
1329843175.736107 CjhGID4nQcgTWjvg4c
1329843179.871641 CCvvfg3TEfuqmmG4bh
1329843194.151526 CsRx2w45OKnoww6xl4
1329843197.783443 CRJuHdVW0XPVINV8a
1329843161.968492 CXWv6p3arKYeMETxOg

11
auxil/zeek-aux/testing/Baseline/zeek-cut.columns/nondefault-separator Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
tcp CjhGID4nQcgTWjvg4c
tcp CCvvfg3TEfuqmmG4bh
tcp CsRx2w45OKnoww6xl4
tcp CRJuHdVW0XPVINV8a
tcp CXWv6p3arKYeMETxOg
tcp,CNbXUV0IZ29or3MK6
tcp,CJ8woc3c6CfBLdiyp5
tcp,CXlgj54ftP8Yc2GSnb
tcp,Czw8Gd1zEVn3Xz5x7i
tcp,Cys4aQ15qDqHzsIk3l

6
auxil/zeek-aux/testing/Baseline/zeek-cut.columns/one Normal file
View file

@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
CjhGID4nQcgTWjvg4c
CCvvfg3TEfuqmmG4bh
CsRx2w45OKnoww6xl4
CRJuHdVW0XPVINV8a
CXWv6p3arKYeMETxOg

12
auxil/zeek-aux/testing/Baseline/zeek-cut.columns/one-nonexistent-1 Normal file
View file

@ -0,0 +1,12 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
CjhGID4nQcgTWjvg4c tcp
CCvvfg3TEfuqmmG4bh tcp
CsRx2w45OKnoww6xl4 tcp
CRJuHdVW0XPVINV8a tcp
CXWv6p3arKYeMETxOg tcp
CjhGID4nQcgTWjvg4c
CCvvfg3TEfuqmmG4bh
CsRx2w45OKnoww6xl4
CRJuHdVW0XPVINV8a
CXWv6p3arKYeMETxOg
CPbrpk1qSsw6ESzHV4

12
auxil/zeek-aux/testing/Baseline/zeek-cut.columns/one-nonexistent-2 Normal file
View file

@ -0,0 +1,12 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
CjhGID4nQcgTWjvg4c
CCvvfg3TEfuqmmG4bh
CsRx2w45OKnoww6xl4
CRJuHdVW0XPVINV8a
CXWv6p3arKYeMETxOg
CPbrpk1qSsw6ESzHV4
CjhGID4nQcgTWjvg4c tcp
CCvvfg3TEfuqmmG4bh tcp
CsRx2w45OKnoww6xl4 tcp
CRJuHdVW0XPVINV8a tcp
CXWv6p3arKYeMETxOg tcp

2
auxil/zeek-aux/testing/Baseline/zeek-cut.columns/only Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
79.26.245.236

6
auxil/zeek-aux/testing/Baseline/zeek-cut.columns/swap-order Normal file
View file

@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
tcp CjhGID4nQcgTWjvg4c
tcp CCvvfg3TEfuqmmG4bh
tcp CsRx2w45OKnoww6xl4
tcp CRJuHdVW0XPVINV8a
tcp CXWv6p3arKYeMETxOg

25
auxil/zeek-aux/testing/Baseline/zeek-cut.help/show-help Normal file
View file

@ -0,0 +1,25 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
zeek-cut [options] [<columns>]
Extracts the given columns from ASCII Zeek logs on standard input, and outputs
them to standard output. If no columns are given, all are selected.
By default, zeek-cut does not include format header blocks in the output.
Example: cat conn.log | zeek-cut -d ts id.orig_h id.orig_p
-c Include the first format header block in the output.
-C Include all format header blocks in the output.
-m Include the first format header blocks in the output in minimal view.
-M Include all format header blocks in the output in minimal view.
-d Convert time values into human-readable format.
-D <fmt> Like -d, but specify format for time (see strftime(3) for syntax).
-F <ofs> Sets a different output field separator character.
-h Show help.
-n Print all fields *except* those specified.
-u Like -d, but print timestamps in UTC instead of local time.
-U <fmt> Like -D, but print timestamps in UTC instead of local time.
For time conversion option -d or -u, the format string can be specified by
setting an environment variable ZEEK_CUT_TIMEFMT.

13
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/both-c-m-opts-m Normal file
View file

@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid ts
CjhGID4nQcgTWjvg4c 1329843175.736107
CCvvfg3TEfuqmmG4bh 1329843179.871641
CsRx2w45OKnoww6xl4 1329843194.151526
CRJuHdVW0XPVINV8a 1329843197.783443
CXWv6p3arKYeMETxOg 1329843161.968492
CjhGID4nQcgTWjvg4c 1329327783.316897
CCvvfg3TEfuqmmG4bh 1329327786.524332
CsRx2w45OKnoww6xl4 1329327787.289095
CRJuHdVW0XPVINV8a 1329327795.571921
CXWv6p3arKYeMETxOg 1329327777.822004
CPbrpk1qSsw6ESzHV4 1329327800.017649

20
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/both-m-c-opts-c Normal file
View file

@ -0,0 +1,20 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2014-04-01-23-15-49
#fields uid ts
#types string time
CjhGID4nQcgTWjvg4c 1329843175.736107
CCvvfg3TEfuqmmG4bh 1329843179.871641
CsRx2w45OKnoww6xl4 1329843194.151526
CRJuHdVW0XPVINV8a 1329843197.783443
CXWv6p3arKYeMETxOg 1329843161.968492
CjhGID4nQcgTWjvg4c 1329327783.316897
CCvvfg3TEfuqmmG4bh 1329327786.524332
CsRx2w45OKnoww6xl4 1329327787.289095
CRJuHdVW0XPVINV8a 1329327795.571921
CXWv6p3arKYeMETxOg 1329327777.822004
CPbrpk1qSsw6ESzHV4 1329327800.017649

14
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/both-m-opts-all Normal file
View file

@ -0,0 +1,14 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid ts
CjhGID4nQcgTWjvg4c 1329843175.736107
CCvvfg3TEfuqmmG4bh 1329843179.871641
CsRx2w45OKnoww6xl4 1329843194.151526
CRJuHdVW0XPVINV8a 1329843197.783443
CXWv6p3arKYeMETxOg 1329843161.968492
uid ts
CjhGID4nQcgTWjvg4c 1329327783.316897
CCvvfg3TEfuqmmG4bh 1329327786.524332
CsRx2w45OKnoww6xl4 1329327787.289095
CRJuHdVW0XPVINV8a 1329327795.571921
CXWv6p3arKYeMETxOg 1329327777.822004
CPbrpk1qSsw6ESzHV4 1329327800.017649

13
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/both-m-opts-one Normal file
View file

@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid ts
CjhGID4nQcgTWjvg4c 1329843175.736107
CCvvfg3TEfuqmmG4bh 1329843179.871641
CsRx2w45OKnoww6xl4 1329843194.151526
CRJuHdVW0XPVINV8a 1329843197.783443
CXWv6p3arKYeMETxOg 1329843161.968492
CjhGID4nQcgTWjvg4c 1329327783.316897
CCvvfg3TEfuqmmG4bh 1329327786.524332
CsRx2w45OKnoww6xl4 1329327787.289095
CRJuHdVW0XPVINV8a 1329327795.571921
CXWv6p3arKYeMETxOg 1329327777.822004
CPbrpk1qSsw6ESzHV4 1329327800.017649

13
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/different-col-order Normal file
View file

@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
1329843175.736107 CjhGID4nQcgTWjvg4c 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty)
1329843179.871641 CCvvfg3TEfuqmmG4bh 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty)
1329843194.151526 CsRx2w45OKnoww6xl4 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty)
1329843197.783443 CRJuHdVW0XPVINV8a 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty)
1329843161.968492 CXWv6p3arKYeMETxOg 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty)
uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ts
CjhGID4nQcgTWjvg4c 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty) 1329843175.736107
CCvvfg3TEfuqmmG4bh 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty) 1329843179.871641
CsRx2w45OKnoww6xl4 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty) 1329843194.151526
CRJuHdVW0XPVINV8a 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty) 1329843197.783443
CXWv6p3arKYeMETxOg 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty) 1329843161.968492

13
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/different-col-order-some Normal file
View file

@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid
1329843175.736107 CjhGID4nQcgTWjvg4c
1329843179.871641 CCvvfg3TEfuqmmG4bh
1329843194.151526 CsRx2w45OKnoww6xl4
1329843197.783443 CRJuHdVW0XPVINV8a
1329843161.968492 CXWv6p3arKYeMETxOg
ts uid
1329843175.736107 CjhGID4nQcgTWjvg4c
1329843179.871641 CCvvfg3TEfuqmmG4bh
1329843194.151526 CsRx2w45OKnoww6xl4
1329843197.783443 CRJuHdVW0XPVINV8a
1329843161.968492 CXWv6p3arKYeMETxOg

13
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/nondefault-separator Normal file
View file

@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
proto uid
tcp CjhGID4nQcgTWjvg4c
tcp CCvvfg3TEfuqmmG4bh
tcp CsRx2w45OKnoww6xl4
tcp CRJuHdVW0XPVINV8a
tcp CXWv6p3arKYeMETxOg
proto,uid
tcp,CNbXUV0IZ29or3MK6
tcp,CJ8woc3c6CfBLdiyp5
tcp,CXlgj54ftP8Yc2GSnb
tcp,Czw8Gd1zEVn3Xz5x7i
tcp,Cys4aQ15qDqHzsIk3l

7
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/one-all-nocols Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
1329843175.736107 CjhGID4nQcgTWjvg4c 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty)
1329843179.871641 CCvvfg3TEfuqmmG4bh 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty)
1329843194.151526 CsRx2w45OKnoww6xl4 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty)
1329843197.783443 CRJuHdVW0XPVINV8a 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty)
1329843161.968492 CXWv6p3arKYeMETxOg 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty)

13
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/two-1st-withcols Normal file
View file

@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid ts
CjhGID4nQcgTWjvg4c 1329843175.736107
CCvvfg3TEfuqmmG4bh 1329843179.871641
CsRx2w45OKnoww6xl4 1329843194.151526
CRJuHdVW0XPVINV8a 1329843197.783443
CXWv6p3arKYeMETxOg 1329843161.968492
CjhGID4nQcgTWjvg4c 1329327783.316897
CCvvfg3TEfuqmmG4bh 1329327786.524332
CsRx2w45OKnoww6xl4 1329327787.289095
CRJuHdVW0XPVINV8a 1329327795.571921
CXWv6p3arKYeMETxOg 1329327777.822004
CPbrpk1qSsw6ESzHV4 1329327800.017649

13
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/two-1st-withcols-custom-sep Normal file
View file

@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid,ts
CjhGID4nQcgTWjvg4c,1329843175.736107
CCvvfg3TEfuqmmG4bh,1329843179.871641
CsRx2w45OKnoww6xl4,1329843194.151526
CRJuHdVW0XPVINV8a,1329843197.783443
CXWv6p3arKYeMETxOg,1329843161.968492
CjhGID4nQcgTWjvg4c,1329327783.316897
CCvvfg3TEfuqmmG4bh,1329327786.524332
CsRx2w45OKnoww6xl4,1329327787.289095
CRJuHdVW0XPVINV8a,1329327795.571921
CXWv6p3arKYeMETxOg,1329327777.822004
CPbrpk1qSsw6ESzHV4,1329327800.017649

14
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/two-all-withcols Normal file
View file

@ -0,0 +1,14 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid ts
CjhGID4nQcgTWjvg4c 1329843175.736107
CCvvfg3TEfuqmmG4bh 1329843179.871641
CsRx2w45OKnoww6xl4 1329843194.151526
CRJuHdVW0XPVINV8a 1329843197.783443
CXWv6p3arKYeMETxOg 1329843161.968492
uid ts
CjhGID4nQcgTWjvg4c 1329327783.316897
CCvvfg3TEfuqmmG4bh 1329327786.524332
CsRx2w45OKnoww6xl4 1329327787.289095
CRJuHdVW0XPVINV8a 1329327795.571921
CXWv6p3arKYeMETxOg 1329327777.822004
CPbrpk1qSsw6ESzHV4 1329327800.017649

14
auxil/zeek-aux/testing/Baseline/zeek-cut.minimal-view/two-all-withcols-custom-sep Normal file
View file

@ -0,0 +1,14 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid,ts
CjhGID4nQcgTWjvg4c,1329843175.736107
CCvvfg3TEfuqmmG4bh,1329843179.871641
CsRx2w45OKnoww6xl4,1329843194.151526
CRJuHdVW0XPVINV8a,1329843197.783443
CXWv6p3arKYeMETxOg,1329843161.968492
uid,ts
CjhGID4nQcgTWjvg4c,1329327783.316897
CCvvfg3TEfuqmmG4bh,1329327786.524332
CsRx2w45OKnoww6xl4,1329327787.289095
CRJuHdVW0XPVINV8a,1329327795.571921
CXWv6p3arKYeMETxOg,1329327777.822004
CPbrpk1qSsw6ESzHV4,1329327800.017649

6
auxil/zeek-aux/testing/Baseline/zeek-cut.no-options/no-opts Normal file
View file

@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1329843175.736107 CjhGID4nQcgTWjvg4c 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty)
1329843179.871641 CCvvfg3TEfuqmmG4bh 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty)
1329843194.151526 CsRx2w45OKnoww6xl4 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty)
1329843197.783443 CRJuHdVW0XPVINV8a 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty)
1329843161.968492 CXWv6p3arKYeMETxOg 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty)

7
auxil/zeek-aux/testing/Baseline/zeek-cut.no-options/tsv Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

11
auxil/zeek-aux/testing/Baseline/zeek-cut.not-columns/different-col-order Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty)
141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty)
199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty)
199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty)
141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty)
141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty)
141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty)
199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty)
199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty)
141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty)

7
auxil/zeek-aux/testing/Baseline/zeek-cut.not-columns/not-all Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

7
auxil/zeek-aux/testing/Baseline/zeek-cut.not-columns/not-none Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1329327783.316897 CjhGID4nQcgTWjvg4c 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21
1329327786.524332 CCvvfg3TEfuqmmG4bh 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21
1329327787.289095 CsRx2w45OKnoww6xl4 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21
1329327795.571921 CRJuHdVW0XPVINV8a 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e
1329327777.822004 CXWv6p3arKYeMETxOg 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21
1329327800.017649 CPbrpk1qSsw6ESzHV4 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e

7
auxil/zeek-aux/testing/Baseline/zeek-cut.not-columns/not-one Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1329327783.316897 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21
1329327786.524332 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21
1329327787.289095 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21
1329327795.571921 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e
1329327777.822004 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21
1329327800.017649 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e

7
auxil/zeek-aux/testing/Baseline/zeek-cut.not-columns/not-one-nonexistent Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1329327783.316897 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21
1329327786.524332 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21
1329327787.289095 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21
1329327795.571921 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e
1329327777.822004 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21
1329327800.017649 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e

15
auxil/zeek-aux/testing/Baseline/zeek-cut.not-columns/not-one-show-header Normal file
View file

@ -0,0 +1,15 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#open 2014-04-01-23-15-51
#fields ts id.orig_h id.orig_p id.resp_h
#types time addr port addr
1329327783.316897 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21
1329327786.524332 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21
1329327787.289095 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21
1329327795.571921 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e
1329327777.822004 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21
1329327800.017649 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e

7
auxil/zeek-aux/testing/Baseline/zeek-cut.not-columns/not-one-twice Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1329327783.316897 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21
1329327786.524332 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21
1329327787.289095 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21
1329327795.571921 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e
1329327777.822004 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21
1329327800.017649 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e

2
auxil/zeek-aux/testing/Baseline/zeek-cut.not-columns/not-only Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

7
auxil/zeek-aux/testing/Baseline/zeek-cut.not-columns/not-two-swapped Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
1329327783.316897 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186
1329327786.524332 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187
1329327787.289095 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188
1329327795.571921 2001:470:4867:99::21 55785
1329327777.822004 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185
1329327800.017649 2001:470:4867:99::21 55647

11
auxil/zeek-aux/testing/Baseline/zeek-cut.ofs/nondefault-separator Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
tcp:CjhGID4nQcgTWjvg4c
tcp:CCvvfg3TEfuqmmG4bh
tcp:CsRx2w45OKnoww6xl4
tcp:CRJuHdVW0XPVINV8a
tcp:CXWv6p3arKYeMETxOg
tcp:CNbXUV0IZ29or3MK6
tcp:CJ8woc3c6CfBLdiyp5
tcp:CXlgj54ftP8Yc2GSnb
tcp:Czw8Gd1zEVn3Xz5x7i
tcp:Cys4aQ15qDqHzsIk3l

2
auxil/zeek-aux/testing/Baseline/zeek-cut.ofs/only-column Normal file
View file

@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
79.26.245.236

Some files were not shown because too many files have changed in this diff Show more