Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'master' into topic/script-reference

Browse source 
Conflicts:
	aux/broccoli
	aux/broctl
	scripts/base/frameworks/notice/main.bro
	src/event.bif
This commit is contained in:
Jon Siwek 2011-12-19 16:17:58 -06:00
commit a4117016e9
124 changed files with 1145 additions and 562 deletions
Download patch file Download diff file Expand all files Collapse all files

82
CHANGES
View file

@ -1,4 +1,86 @@
2.0-beta-145 | 2011-12-19 11:37:15 -0800
* Empty fields are now logged as "(empty)" by default. (Robin
Sommer)
* In log headers, only escape information when necessary. (Robin
Sommer)
2.0-beta-139 | 2011-12-19 07:06:29 -0800
* The hostname notice email extension works now, plus a general
mechanism for adding delayed information to notices. (Seth Hall)
* Fix &default fields in records not being initialized in coerced
assignments. Addresses #722. (Jon Siwek)
* Make log headers include the type of data stored inside a set or
vector ("vector[string]"). (Bernhard Amann)
2.0-beta-126 | 2011-12-18 15:18:05 -0800
* DNS updates. (Seth Hall)
- Fixed some bugs with capturing data in the base DNS script.
- Answers and TTLs are now vectors.
- A warning that was being generated (dns_reply_seen_after_done)
from transaction ID reuse is fixed.
* SSL updates. (Seth Hall)
- Added is_orig fields to the SSL events and adapted script.
- Added a field named last_alert to the SSL log.
- The x509_certificate function has an is_orig field now instead
of is_server and its position in the argument list has moved.
- A bit of reorganization and cleanup in the core analyzer. (Seth
Hall)
2.0-beta-121 | 2011-12-18 15:10:15 -0800
* Enable warnings for malformed Broxygen xref roles. (Jon Siwek)
* Fix Broxygen confusing scoped IDs at start of line as function
parameter. (Jon Siwek)
* Allow Broxygen markup "##<" for more general use. (Jon Siwek)
2.0-beta-116 | 2011-12-16 02:38:27 -0800
* Cleanup some misc Broxygen css/js stuff. (Jon Siwek)
* Add search box to Broxygen docs. Fixes #726. (Jon Siwek)
* Fixed major bug with cluster synchronization, which was not
working. (Seth Hall)
* Fix missing action in notice policy for looking up GeoIP data.
(Jon Siwek)
* Better persistent state configuration warning messages (fixes
#433). (Jon Siwek)
* Renaming HTTP::SQL_Injection_Attack_Against to
HTTP::SQL_Injection_Victim. (Seth Hall).
* Fixed DPD signatures for IRC. Fixes #311. (Seth Hall)
* Removing Off_Port_Protocol_Found notice. (Seth Hall)
* Teach Broxygen to more generally reference attribute values by name. (Jon Siwek)
* SSH::Interesting_Hostname_Login cleanup. Fixes #664. (Seth Hall)
* Fixed bug that was causing the malware hash registry script to
break. (Seth Hall)
* Remove remnant of libmagic optionality. (Jon Siwek)
2.0-beta-98 | 2011-12-07 08:12:08 -0800 2.0-beta-98 | 2011-12-07 08:12:08 -0800
* Adapting test-suite's diff-all so that it expands globs in both * Adapting test-suite's diff-all so that it expands globs in both

2
VERSION
View file

@ -1 +1 @@
2.0-beta-98 2.0-beta-145

2
aux/binpac

@ -1 +1 @@
Subproject commit 82bd9613fb869e44f5f0d7929bdd9a88cde84077 Subproject commit e94d92b01f327655fd2061157942b95ae75b5f0f

2
aux/bro-aux

@ -1 +1 @@
Subproject commit 4d387ce660468b44df99d4c87d6016ae4ed2fdc4 Subproject commit f6b92bf5732c26e54eb4387efadc612663980389

2
aux/broccoli

@ -1 +1 @@
Subproject commit d8f9d4698e8e02f493a669c5adcf897506671b5d Subproject commit d7b8a43759bfcbe1381d132d8ab388937e52a6d4

2
aux/broctl

@ -1 +1 @@
Subproject commit be772bbada79b106db33fb9de5f56fa71226adc5 Subproject commit a42e4d133b94622c612055047f8534d5122e6e88

2
cmake

@ -1 +1 @@
Subproject commit f0f7958639bb921985c1f58f1186da4b49b5d54d Subproject commit 0c0a4697687df7f17c09391a1d0d95b25297a662

3
config.h.in
View file

@ -17,9 +17,6 @@
/* We are on a Linux system */ /* We are on a Linux system */
#cmakedefine HAVE_LINUX #cmakedefine HAVE_LINUX
/* Define if you have the <magic.h> header file. */
#cmakedefine HAVE_MAGIC_H
/* Define if you have the `mallinfo' function. */ /* Define if you have the `mallinfo' function. */
#cmakedefine HAVE_MALLINFO #cmakedefine HAVE_MALLINFO

3
doc/ext/bro.py
View file

@ -257,6 +257,9 @@ class BroDomain(Domain):
objects[objtype, target], objects[objtype, target],
objtype + '-' + target, objtype + '-' + target,
contnode, target + ' ' + objtype) contnode, target + ' ' + objtype)
else:
self.env.warn(fromdocname,
'unknown target for ":bro:%s:`%s`"' % (typ, target))
def get_objects(self): def get_objects(self):
for (typ, name), docname in self.data['objects'].iteritems(): for (typ, name), docname in self.data['objects'].iteritems():

11
doc/scripts/example.bro
View file

@ -1,5 +1,5 @@
##! This is an example script that demonstrates how to document. Comments ##! This is an example script that demonstrates documentation features.
##! of the form ``##!`` are for the script summary. The contents of ##! Comments of the form ``##!`` are for the script summary. The contents of
##! these comments are transferred directly into the auto-generated ##! these comments are transferred directly into the auto-generated
##! `reStructuredText <http://docutils.sourceforge.net/rst.html>`_ ##! `reStructuredText <http://docutils.sourceforge.net/rst.html>`_
##! (reST) document's summary section. ##! (reST) document's summary section.
@ -22,8 +22,8 @@
# field comments, it's necessary to disambiguate the field with # field comments, it's necessary to disambiguate the field with
# which a comment associates: e.g. "##<" can be used on the same line # which a comment associates: e.g. "##<" can be used on the same line
# as a field to signify the comment relates to it and not the # as a field to signify the comment relates to it and not the
# following field. "##<" is not meant for general use, just # following field. "##<" can also be used more generally in any
# record/enum fields. # variable declarations to associate with the last-declared identifier.
# #
# Generally, the auto-doc comments (##) are associated with the # Generally, the auto-doc comments (##) are associated with the
# next declaration/identifier found in the script, but the doc framework # next declaration/identifier found in the script, but the doc framework
@ -151,7 +151,7 @@ export {
const an_option: set[addr, addr, string] &redef; const an_option: set[addr, addr, string] &redef;
# default initialization will be self-documenting # default initialization will be self-documenting
const option_with_init = 0.01 secs &redef; const option_with_init = 0.01 secs &redef; ##< More docs can be added here.
############## state variables ############ ############## state variables ############
# right now, I'm defining this as any global # right now, I'm defining this as any global
@ -183,6 +183,7 @@ export {
## Summarize "an_event" here. ## Summarize "an_event" here.
## Give more details about "an_event" here. ## Give more details about "an_event" here.
## Example::an_event should not be confused as a parameter.
## name: describe the argument here ## name: describe the argument here
global an_event: event(name: string); global an_event: event(name: string);

2
scripts/base/frameworks/cluster/setup-connections.bro
View file

@ -44,7 +44,7 @@ event bro_init() &priority=9
{ {
if ( n$node_type == WORKER && n$proxy == node ) if ( n$node_type == WORKER && n$proxy == node )
Communication::nodes[i] = Communication::nodes[i] =
[$host=n$ip, $connect=F, $class=i, $events=worker2proxy_events]; [$host=n$ip, $connect=F, $class=i, $sync=T, $auth=T, $events=worker2proxy_events];
# accepts connections from the previous one. # accepts connections from the previous one.
# (This is not ideal for setups with many proxies) # (This is not ideal for setups with many proxies)

10
scripts/base/frameworks/dpd/dpd.sig
View file

@ -80,15 +80,15 @@ signature irc_server_reply {
tcp-state responder tcp-state responder
} }
signature irc_sig3 { signature irc_server_to_server1 {
ip-proto == tcp ip-proto == tcp
payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/ payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/
} }
signature irc_sig4 { signature irc_server_to_server2 {
ip-proto == tcp ip-proto == tcp
payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/ payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/
requires-reverse-signature irc_sig3 requires-reverse-signature irc_server_to_server1
enable "irc" enable "irc"
} }

5
scripts/base/frameworks/logging/writers/ascii.bro
View file

@ -21,8 +21,9 @@ export {
## Separator between set elements. ## Separator between set elements.
const set_separator = "," &redef; const set_separator = "," &redef;
## String to use for empty fields. ## String to use for empty fields. This should be different from
const empty_field = "-" &redef; ## *unset_field* to make the output non-ambigious.
const empty_field = "(empty)" &redef;
## String to use for an unset &optional field. ## String to use for an unset &optional field.
const unset_field = "-" &redef; const unset_field = "-" &redef;

1
scripts/base/frameworks/notice/actions/add-geodata.bro
View file

@ -31,6 +31,7 @@ export {
## Add a helper to the notice policy for looking up GeoIP data. ## Add a helper to the notice policy for looking up GeoIP data.
redef Notice::policy += { redef Notice::policy += {
[$pred(n: Notice::Info) = { return (n$note in Notice::lookup_location_types); }, [$pred(n: Notice::Info) = { return (n$note in Notice::lookup_location_types); },
$action = ACTION_ADD_GEODATA,
$priority = 10], $priority = 10],
}; };
} }

25
scripts/base/frameworks/notice/extend-email/hostnames.bro
View file

@ -2,7 +2,12 @@
module Notice; module Notice;
# This probably doesn't actually work due to the async lookup_addr. # We have to store references to the notices here because the when statement
# clones the frame which doesn't give us access to modify values outside
# of it's execution scope. (we get a clone of the notice instead of a
# reference to the original notice)
global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs;
event Notice::notice(n: Notice::Info) &priority=10 event Notice::notice(n: Notice::Info) &priority=10
{ {
if ( ! n?$src && ! n?$dst ) if ( ! n?$src && ! n?$dst )
@ -12,21 +17,31 @@ event Notice::notice(n: Notice::Info) &priority=10
if ( ACTION_EMAIL !in n$actions ) if ( ACTION_EMAIL !in n$actions )
return; return;
# I'm not recovering gracefully from the when statements because I want
# the notice framework to detect that something has exceeded the maximum
# allowed email delay and tell the user.
local uid = unique_id("");
tmp_notice_storage[uid] = n;
local output = ""; local output = "";
if ( n?$src ) if ( n?$src )
{ {
add n$email_delay_tokens["hostnames-src"];
when ( local src_name = lookup_addr(n$src) ) when ( local src_name = lookup_addr(n$src) )
{ {
output = string_cat("orig_h/src hostname: ", src_name, "\n"); output = string_cat("orig/src hostname: ", src_name, "\n");
n$email_body_sections[|n$email_body_sections|] = output; tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output;
delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-src"];
} }
} }
if ( n?$dst ) if ( n?$dst )
{ {
add n$email_delay_tokens["hostnames-dst"];
when ( local dst_name = lookup_addr(n$dst) ) when ( local dst_name = lookup_addr(n$dst) )
{ {
output = string_cat("resp_h/dst hostname: ", dst_name, "\n"); output = string_cat("resp/dst hostname: ", dst_name, "\n");
n$email_body_sections[|n$email_body_sections|] = output; tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output;
delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-dst"];
} }
} }
} }

44
scripts/base/frameworks/notice/main.bro
View file

@ -48,7 +48,7 @@ export {
}; };
## The notice framework is able to do automatic notice supression by ## The notice framework is able to do automatic notice supression by
## utilizing the $identifier field in :bro:type:`Notice::Info` records. ## utilizing the $identifier field in :bro:type:`Info` records.
## Set this to "0secs" to completely disable automated notice suppression. ## Set this to "0secs" to completely disable automated notice suppression.
const default_suppression_interval = 1hrs &redef; const default_suppression_interval = 1hrs &redef;
@ -106,7 +106,13 @@ export {
## expand on notices that are being emailed. The normal way to add text ## expand on notices that are being emailed. The normal way to add text
## is to extend the vector by handling the :bro:id:`Notice::notice` ## is to extend the vector by handling the :bro:id:`Notice::notice`
## event and modifying the notice in place. ## event and modifying the notice in place.
email_body_sections: vector of string &default=vector(); email_body_sections: vector of string &optional;
## Adding a string "token" to this set will cause the notice framework's
## built-in emailing functionality to delay sending the email until
## either the token has been removed or the email has been delayed
## for :bro:id:`max_email_delay`.
email_delay_tokens: set[string] &optional;
## This field is to be provided when a notice is generated for the ## This field is to be provided when a notice is generated for the
## purpose of deduplicating notices. The identifier string should ## purpose of deduplicating notices. The identifier string should
@ -215,6 +221,8 @@ export {
const reply_to = "" &redef; const reply_to = "" &redef;
## Text string prefixed to the subject of all emails sent out. ## Text string prefixed to the subject of all emails sent out.
const mail_subject_prefix = "[Bro]" &redef; const mail_subject_prefix = "[Bro]" &redef;
## The maximum amount of time a plugin can delay email from being sent.
const max_email_delay = 15secs &redef;
## A log postprocessing function that implements emailing the contents ## A log postprocessing function that implements emailing the contents
## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`. ## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`.
@ -390,11 +398,35 @@ function email_headers(subject_desc: string, dest: string): string
return header_text; return header_text;
} }
event delay_sending_email(n: Notice::Info, dest: string, extend: bool)
{
email_notice_to(n, dest, extend);
}
function email_notice_to(n: Notice::Info, dest: string, extend: bool) function email_notice_to(n: Notice::Info, dest: string, extend: bool)
{ {
if ( reading_traces() || dest == "" ) if ( reading_traces() || dest == "" )
return; return;
if ( extend )
{
if ( |n$email_delay_tokens| > 0 )
{
# If we still are within the max_email_delay, keep delaying.
if ( n$ts + max_email_delay > network_time() )
{
schedule 1sec { delay_sending_email(n, dest, extend) };
return;
}
else
{
event reporter_info(network_time(),
fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens),
"");
}
}
}
local email_text = email_headers(fmt("%s", n$note), dest); local email_text = email_headers(fmt("%s", n$note), dest);
# First off, finish the headers and include the human readable messages # First off, finish the headers and include the human readable messages
@ -420,9 +452,10 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
# Add the extended information if it's requested. # Add the extended information if it's requested.
if ( extend ) if ( extend )
{ {
email_text = string_cat(email_text, "\nEmail Extensions\n");
email_text = string_cat(email_text, "----------------\n");
for ( i in n$email_body_sections ) for ( i in n$email_body_sections )
{ {
email_text = string_cat(email_text, "******************\n");
email_text = string_cat(email_text, n$email_body_sections[i], "\n"); email_text = string_cat(email_text, n$email_body_sections[i], "\n");
} }
} }
@ -519,6 +552,11 @@ function apply_policy(n: Notice::Info)
if ( ! n?$actions ) if ( ! n?$actions )
n$actions = set(); n$actions = set();
if ( ! n?$email_body_sections )
n$email_body_sections = vector();
if ( ! n?$email_delay_tokens )
n$email_delay_tokens = set();
if ( ! n?$policy_items ) if ( ! n?$policy_items )
n$policy_items = set(); n$policy_items = set();

26
scripts/base/protocols/dns/main.bro
View file

@ -24,8 +24,8 @@ export {
RD: bool &log &default=F; RD: bool &log &default=F;
RA: bool &log &default=F; RA: bool &log &default=F;
Z: count &log &default=0; Z: count &log &default=0;
TTL: interval &log &optional; answers: vector of string &log &optional;
answers: set[string] &log &optional; TTLs: vector of interval &log &optional;
## This value indicates if this request/response pair is ready to be logged. ## This value indicates if this request/response pair is ready to be logged.
ready: bool &default=F; ready: bool &default=F;
@ -102,7 +102,13 @@ function new_session(c: connection, trans_id: count): Info
function set_session(c: connection, msg: dns_msg, is_query: bool) function set_session(c: connection, msg: dns_msg, is_query: bool)
{ {
if ( ! c?$dns_state || msg$id !in c$dns_state$pending ) if ( ! c?$dns_state || msg$id !in c$dns_state$pending )
{
c$dns_state$pending[msg$id] = new_session(c, msg$id); c$dns_state$pending[msg$id] = new_session(c, msg$id);
# Try deleting this transaction id from the set of finished answers.
# Sometimes hosts will reuse ports and transaction ids and this should
# be considered to be a legit scenario (although bad practice).
delete c$dns_state$finished_answers[msg$id];
}
c$dns = c$dns_state$pending[msg$id]; c$dns = c$dns_state$pending[msg$id];
@ -134,20 +140,23 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
{ {
set_session(c, msg, F); set_session(c, msg, F);
c$dns$AA = msg$AA;
c$dns$RA = msg$RA;
c$dns$TTL = ans$TTL;
if ( ans$answer_type == DNS_ANS ) if ( ans$answer_type == DNS_ANS )
{ {
c$dns$AA = msg$AA;
c$dns$RA = msg$RA;
if ( msg$id in c$dns_state$finished_answers ) if ( msg$id in c$dns_state$finished_answers )
event conn_weird("dns_reply_seen_after_done", c, ""); event conn_weird("dns_reply_seen_after_done", c, "");
if ( reply != "" ) if ( reply != "" )
{ {
if ( ! c$dns?$answers ) if ( ! c$dns?$answers )
c$dns$answers = set(); c$dns$answers = vector();
add c$dns$answers[reply]; c$dns$answers[|c$dns$answers|] = reply;
if ( ! c$dns?$TTLs )
c$dns$TTLs = vector();
c$dns$TTLs[|c$dns$TTLs|] = ans$TTL;
} }
if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers ) if ( c$dns?$answers && |c$dns$answers| == c$dns$total_answers )
@ -164,7 +173,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
if ( c$dns$ready ) if ( c$dns$ready )
{ {
Log::write(DNS::LOG, c$dns); Log::write(DNS::LOG, c$dns);
add c$dns_state$finished_answers[c$dns$trans_id];
# This record is logged and no longer pending. # This record is logged and no longer pending.
delete c$dns_state$pending[c$dns$trans_id]; delete c$dns_state$pending[c$dns$trans_id];
} }

41
scripts/base/protocols/ssl/consts.bro
View file

@ -13,6 +13,44 @@ export {
[TLSv11] = "TLSv11", [TLSv11] = "TLSv11",
} &default="UNKNOWN"; } &default="UNKNOWN";
const alert_levels: table[count] of string = {
[1] = "warning",
[2] = "fatal",
} &default=function(i: count):string { return fmt("unknown-%d", i); };
const alert_descriptions: table[count] of string = {
[0] = "close_notify",
[10] = "unexpected_message",
[20] = "bad_record_mac",
[21] = "decryption_failed",
[22] = "record_overflow",
[30] = "decompression_failure",
[40] = "handshake_failure",
[41] = "no_certificate",
[42] = "bad_certificate",
[43] = "unsupported_certificate",
[44] = "certificate_revoked",
[45] = "certificate_expired",
[46] = "certificate_unknown",
[47] = "illegal_parameter",
[48] = "unknown_ca",
[49] = "access_denied",
[50] = "decode_error",
[51] = "decrypt_error",
[60] = "export_restriction",
[70] = "protocol_version",
[71] = "insufficient_security",
[80] = "internal_error",
[90] = "user_canceled",
[100] = "no_renegotiation",
[110] = "unsupported_extension",
[111] = "certificate_unobtainable",
[112] = "unrecognized_name",
[113] = "bad_certificate_status_response",
[114] = "bad_certificate_hash_value",
[115] = "unknown_psk_identity",
} &default=function(i: count):string { return fmt("unknown-%d", i); };
# http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml # http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml
const extensions: table[count] of string = { const extensions: table[count] of string = {
[0] = "server_name", [0] = "server_name",
@ -526,8 +564,7 @@ export {
[30] = "akid issuer serial mismatch", [30] = "akid issuer serial mismatch",
[31] = "keyusage no certsign", [31] = "keyusage no certsign",
[32] = "unable to get crl issuer", [32] = "unable to get crl issuer",
[33] = "unhandled critical extension" [33] = "unhandled critical extension",
}; };
} }

18
scripts/base/protocols/ssl/main.bro
View file

@ -16,6 +16,7 @@ export {
subject: string &log &optional; subject: string &log &optional;
not_valid_before: time &log &optional; not_valid_before: time &log &optional;
not_valid_after: time &log &optional; not_valid_after: time &log &optional;
last_alert: string &log &optional;
cert: string &optional; cert: string &optional;
cert_chain: vector of string &optional; cert_chain: vector of string &optional;
@ -112,10 +113,14 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, session
c$ssl$cipher = cipher_desc[cipher]; c$ssl$cipher = cipher_desc[cipher];
} }
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=5 event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=5
{ {
set_session(c); set_session(c);
# We aren't doing anything with client certificates yet.
if ( is_orig )
return;
if ( chain_idx == 0 ) if ( chain_idx == 0 )
{ {
# Save the primary cert. # Save the primary cert.
@ -133,14 +138,21 @@ event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: co
} }
} }
event ssl_extension(c: connection, code: count, val: string) &priority=5 event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
{ {
set_session(c); set_session(c);
if ( extensions[code] == "server_name" ) if ( is_orig && extensions[code] == "server_name" )
c$ssl$server_name = sub_bytes(val, 6, |val|); c$ssl$server_name = sub_bytes(val, 6, |val|);
} }
event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
{
set_session(c);
c$ssl$last_alert = alert_descriptions[desc];
}
event ssl_established(c: connection) &priority=5 event ssl_established(c: connection) &priority=5
{ {
set_session(c); set_session(c);

18
scripts/policy/frameworks/dpd/detect-protocols.bro
View file

@ -8,7 +8,6 @@ module ProtocolDetector;
export { export {
redef enum Notice::Type += { redef enum Notice::Type += {
Off_Port_Protocol_Found, # raised for each connection found
Protocol_Found, Protocol_Found,
Server_Found, Server_Found,
}; };
@ -155,13 +154,10 @@ function report_protocols(c: connection)
{ {
if ( [a, c$id$resp_h, c$id$resp_p] in valids ) if ( [a, c$id$resp_h, c$id$resp_p] in valids )
do_notice(c, a, valids[a, c$id$resp_h, c$id$resp_p]); do_notice(c, a, valids[a, c$id$resp_h, c$id$resp_p]);
else if ( [a, 0.0.0.0, c$id$resp_p] in valids ) else if ( [a, 0.0.0.0, c$id$resp_p] in valids )
do_notice(c, a, valids[a, 0.0.0.0, c$id$resp_p]); do_notice(c, a, valids[a, 0.0.0.0, c$id$resp_p]);
else else
do_notice(c, a, NONE); do_notice(c, a, NONE);
append_addl(c, analyzer_name(a));
} }
delete conns[c$id]; delete conns[c$id];
@ -218,20 +214,6 @@ event protocol_confirmation(c: connection, atype: count, aid: count)
} }
} }
# event connection_analyzer_disabled(c: connection, analyzer: count)
# {
# if ( c$id !in conns )
# return;
#
# delete conns[c$id][analyzer];
# }
function append_proto_addl(c: connection)
{
for ( a in conns[c$id] )
append_addl(c, fmt_protocol(get_protocol(c, a)));
}
function found_protocol(c: connection, analyzer: count, protocol: string) function found_protocol(c: connection, analyzer: count, protocol: string)
{ {
# Don't report anything running on a well-known port. # Don't report anything running on a well-known port.

5
scripts/policy/protocols/http/detect-MHR.bro
View file

@ -7,9 +7,12 @@
@load base/frameworks/notice @load base/frameworks/notice
@load base/protocols/http @load base/protocols/http
module HTTP;
export { export {
redef enum Notice::Type += { redef enum Notice::Type += {
## If the MD5 sum of a file transferred over HTTP ## The MD5 sum of a file transferred over HTTP matched in the
## malware hash registry.
Malware_Hash_Registry_Match Malware_Hash_Registry_Match
}; };
} }

16
scripts/policy/protocols/http/detect-sqli.bro
View file

@ -12,12 +12,12 @@ export {
SQL_Injection_Attacker, SQL_Injection_Attacker,
## Indicates that a host was seen to have SQL injection attacks against ## Indicates that a host was seen to have SQL injection attacks against
## it. This is tracked by IP address as opposed to hostname. ## it. This is tracked by IP address as opposed to hostname.
SQL_Injection_Attack_Against, SQL_Injection_Victim,
}; };
redef enum Metrics::ID += { redef enum Metrics::ID += {
SQL_ATTACKER, SQLI_ATTACKER,
SQL_ATTACKS_AGAINST, SQLI_VICTIM,
}; };
redef enum Tags += { redef enum Tags += {
@ -56,14 +56,14 @@ event bro_init() &priority=3
# determine when it looks like an actual attack and how to respond when # determine when it looks like an actual attack and how to respond when
# thresholds are crossed. # thresholds are crossed.
Metrics::add_filter(SQL_ATTACKER, [$log=F, Metrics::add_filter(SQLI_ATTACKER, [$log=F,
$notice_threshold=sqli_requests_threshold, $notice_threshold=sqli_requests_threshold,
$break_interval=sqli_requests_interval, $break_interval=sqli_requests_interval,
$note=SQL_Injection_Attacker]); $note=SQL_Injection_Attacker]);
Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=F, Metrics::add_filter(SQLI_VICTIM, [$log=F,
$notice_threshold=sqli_requests_threshold, $notice_threshold=sqli_requests_threshold,
$break_interval=sqli_requests_interval, $break_interval=sqli_requests_interval,
$note=SQL_Injection_Attack_Against]); $note=SQL_Injection_Victim]);
} }
event http_request(c: connection, method: string, original_URI: string, event http_request(c: connection, method: string, original_URI: string,
@ -73,7 +73,7 @@ event http_request(c: connection, method: string, original_URI: string,
{ {
add c$http$tags[URI_SQLI]; add c$http$tags[URI_SQLI];
Metrics::add_data(SQL_ATTACKER, [$host=c$id$orig_h], 1); Metrics::add_data(SQLI_ATTACKER, [$host=c$id$orig_h], 1);
Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1); Metrics::add_data(SQLI_VICTIM, [$host=c$id$resp_h], 1);
} }
} }

4
scripts/policy/protocols/ssh/interesting-hostnames.bro
View file

@ -36,7 +36,9 @@ event SSH::heuristic_successful_login(c: connection)
if ( interesting_hostnames in hostname ) if ( interesting_hostnames in hostname )
{ {
NOTICE([$note=Interesting_Hostname_Login, NOTICE([$note=Interesting_Hostname_Login,
$msg=fmt("Interesting login from hostname: %s", hostname), $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
Site::is_local_addr(host) ? "local" : "remote",
host == c$id$orig_h ? "client" : "server"),
$sub=hostname, $conn=c]); $sub=hostname, $conn=c]);
} }
} }

4
scripts/policy/protocols/ssl/cert-hash.bro
View file

@ -10,11 +10,11 @@ export {
}; };
} }
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=4 event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=4
{ {
# We aren't tracking client certificates yet and we are also only tracking # We aren't tracking client certificates yet and we are also only tracking
# the primary cert. Watch that this came from an SSL analyzed session too. # the primary cert. Watch that this came from an SSL analyzed session too.
if ( ! is_server || chain_idx != 0 || ! c?$ssl ) if ( is_orig || chain_idx != 0 || ! c?$ssl )
return; return;
c$ssl$cert_hash = md5_hash(der_cert); c$ssl$cert_hash = md5_hash(der_cert);

5
scripts/policy/protocols/ssl/expiring-certs.bro
View file

@ -33,10 +33,11 @@ export {
const notify_when_cert_expiring_in = 30days &redef; const notify_when_cert_expiring_in = 30days &redef;
} }
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3 event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
{ {
# If this isn't the host cert or we aren't interested in the server, just return. # If this isn't the host cert or we aren't interested in the server, just return.
if ( chain_idx != 0 || if ( is_orig ||
chain_idx != 0 ||
! c$ssl?$cert_hash || ! c$ssl?$cert_hash ||
! addr_matches_host(c$id$resp_h, notify_certs_expiration) ) ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
return; return;

4
scripts/policy/protocols/ssl/known-certs.bro
View file

@ -44,10 +44,10 @@ event bro_init() &priority=5
Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]); Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]);
} }
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string) &priority=3 event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
{ {
# Make sure this is the server cert and we have a hash for it. # Make sure this is the server cert and we have a hash for it.
if ( chain_idx != 0 || ! c$ssl?$cert_hash ) if ( is_orig || chain_idx != 0 || ! c$ssl?$cert_hash )
return; return;
local host = c$id$resp_h; local host = c$id$resp_h;

11
src/Attr.cc
View file

@ -60,16 +60,19 @@ void Attr::DescribeReST(ODesc* d) const
d->Add("="); d->Add("=");
d->SP(); d->SP();
if ( expr->Type()->Tag() == TYPE_FUNC )
d->Add(":bro:type:`func`");
else if ( expr->Type()->Tag() == TYPE_ENUM ) if ( expr->Tag() == EXPR_NAME )
{ {
d->Add(":bro:enum:`"); d->Add(":bro:see:`");
expr->Describe(d); expr->Describe(d);
d->Add("`"); d->Add("`");
} }
else if ( expr->Type()->Tag() == TYPE_FUNC )
{
d->Add(":bro:type:`func`");
}
else else
{ {
d->Add("``"); d->Add("``");

3
src/BroDocObj.cc
View file

@ -4,9 +4,12 @@
#include "ID.h" #include "ID.h"
#include "BroDocObj.h" #include "BroDocObj.h"
BroDocObj* BroDocObj::last = 0;
BroDocObj::BroDocObj(const ID* id, std::list<std::string>*& reST, BroDocObj::BroDocObj(const ID* id, std::list<std::string>*& reST,
bool is_fake) bool is_fake)
{ {
last = this;
broID = id; broID = id;
reST_doc_strings = reST; reST_doc_strings = reST;
reST = 0; reST = 0;

14
src/BroDocObj.h
View file

@ -103,6 +103,20 @@ public:
*/ */
int LongestShortDescLen() const; int LongestShortDescLen() const;
/**
* Adds a reST documentation string to this BroDocObj's list.
* @param s the documentation string to append.
*/
void AddDocString(const std::string& s)
{
if ( ! reST_doc_strings )
reST_doc_strings = new std::list<std::string>();
reST_doc_strings->push_back(s);
FormulateShortDesc();
}
static BroDocObj* last;
protected: protected:
std::list<std::string>* reST_doc_strings; std::list<std::string>* reST_doc_strings;
std::list<std::string> short_desc; std::list<std::string> short_desc;

74
src/Desc.cc
View file

@ -41,8 +41,7 @@ ODesc::ODesc(desc_type t, BroFile* arg_f)
do_flush = 1; do_flush = 1;
include_stats = 0; include_stats = 0;
indent_with_spaces = 0; indent_with_spaces = 0;
escape = 0; escape = false;
escape_len = 0;
} }
ODesc::~ODesc() ODesc::~ODesc()
@ -56,10 +55,9 @@ ODesc::~ODesc()
free(base); free(base);
} }
void ODesc::SetEscape(const char* arg_escape, int len) void ODesc::EnableEscaping()
{ {
escape = arg_escape; escape = true;
escape_len = len;
} }
void ODesc::PushIndent() void ODesc::PushIndent()
@ -228,6 +226,25 @@ static const char* find_first_unprintable(ODesc* d, const char* bytes, unsigned
return 0; return 0;
} }
pair<const char*, size_t> ODesc::FirstEscapeLoc(const char* bytes, size_t n)
{
pair<const char*, size_t> p(find_first_unprintable(this, bytes, n), 1);
string str(bytes, n);
list<string>::const_iterator it;
for ( it = escape_sequences.begin(); it != escape_sequences.end(); ++it )
{
size_t pos = str.find(*it);
if ( pos != string::npos && (p.first == 0 || bytes + pos < p.first) )
{
p.first = bytes + pos;
p.second = it->size();
}
}
return p;
}
void ODesc::AddBytes(const void* bytes, unsigned int n) void ODesc::AddBytes(const void* bytes, unsigned int n)
{ {
if ( ! escape ) if ( ! escape )
@ -241,45 +258,30 @@ void ODesc::AddBytes(const void* bytes, unsigned int n)
while ( s < e ) while ( s < e )
{ {
const char* t1 = (const char*) memchr(s, escape[0], e - s); pair<const char*, size_t> p = FirstEscapeLoc(s, e - s);
if ( p.first )
if ( ! t1 ) {
t1 = e; AddBytesRaw(s, p.first - s);
if ( p.second == 1 )
const char* t2 = find_first_unprintable(this, s, t1 - s);
if ( t2 && t2 < t1 )
{ {
AddBytesRaw(s, t2 - s);
char hex[6] = "\\x00"; char hex[6] = "\\x00";
hex[2] = hex_chars[((*t2) & 0xf0) >> 4]; hex[2] = hex_chars[((*p.first) & 0xf0) >> 4];
hex[3] = hex_chars[(*t2) & 0x0f]; hex[3] = hex_chars[(*p.first) & 0x0f];
AddBytesRaw(hex, 4); AddBytesRaw(hex, 4);
s = t2 + 1;
continue;
} }
else
if ( memcmp(t1, escape, escape_len) != 0 )
break;
AddBytesRaw(s, t1 - s);
for ( int i = 0; i < escape_len; ++i )
{ {
char hex[5] = "\\x00"; string esc_str = get_escaped_string(string(p.first, p.second), true);
hex[2] = hex_chars[((*t1) & 0xf0) >> 4]; AddBytesRaw(esc_str.c_str(), esc_str.size());
hex[3] = hex_chars[(*t1) & 0x0f];
AddBytesRaw(hex, 4);
++t1;
} }
s = p.first + p.second;
s = t1;
} }
else
if ( s < e ) {
AddBytesRaw(s, e - s); AddBytesRaw(s, e - s);
break;
}
}
} }
void ODesc::AddBytesRaw(const void* bytes, unsigned int n) void ODesc::AddBytesRaw(const void* bytes, unsigned int n)

28
src/Desc.h
View file

@ -4,6 +4,8 @@
#define descriptor_h #define descriptor_h
#include <stdio.h> #include <stdio.h>
#include <list>
#include <utility>
#include "BroString.h" #include "BroString.h"
typedef enum { typedef enum {
@ -48,8 +50,13 @@ public:
void SetFlush(int arg_do_flush) { do_flush = arg_do_flush; } void SetFlush(int arg_do_flush) { do_flush = arg_do_flush; }
// The string passed in must remain valid as long as this object lives. void EnableEscaping();
void SetEscape(const char* escape, int len); void AddEscapeSequence(const char* s) { escape_sequences.push_back(s); }
void AddEscapeSequence(const char* s, size_t n)
{ escape_sequences.push_back(string(s, n)); }
void RemoveEscapeSequence(const char* s) { escape_sequences.remove(s); }
void RemoveEscapeSequence(const char* s, size_t n)
{ escape_sequences.remove(string(s, n)); }
void PushIndent(); void PushIndent();
void PopIndent(); void PopIndent();
@ -133,6 +140,19 @@ protected:
void OutOfMemory(); void OutOfMemory();
/**
* Returns the location of the first place in the bytes to be hex-escaped.
*
* @param bytes the starting memory address to start searching for
* escapable character.
* @param n the maximum number of bytes to search.
* @return a pair whose first element represents a starting memory address
* to be escaped up to the number of characters indicated by the
* second element. The first element may be 0 if nothing is
* to be escaped.
*/
pair<const char*, size_t> FirstEscapeLoc(const char* bytes, size_t n);
desc_type type; desc_type type;
desc_style style; desc_style style;
@ -140,8 +160,8 @@ protected:
unsigned int offset; // where we are in the buffer unsigned int offset; // where we are in the buffer
unsigned int size; // size of buffer in bytes unsigned int size; // size of buffer in bytes
int escape_len; // number of bytes in to escape sequence bool escape; // escape unprintable characters in output?
const char* escape; // bytes to escape on output list<string> escape_sequences; // additional sequences of chars to escape
BroFile* f; // or the file we're using. BroFile* f; // or the file we're using.

10
src/Expr.cc
View file

@ -359,7 +359,7 @@ bool NameExpr::DoUnserialize(UnserialInfo* info)
if ( id ) if ( id )
::Ref(id); ::Ref(id);
else else
reporter->Warning("unserialized unknown global name"); reporter->Warning("configuration changed: unserialized unknown global name from persistent state");
delete [] name; delete [] name;
} }
@ -4052,9 +4052,17 @@ Val* RecordCoerceExpr::Fold(Val* v) const
val->Assign(i, rhs); val->Assign(i, rhs);
} }
else
{
const Attr* def =
Type()->AsRecordType()->FieldDecl(i)->FindAttr(ATTR_DEFAULT);
if ( def )
val->Assign(i, def->AttrExpr()->Eval(0));
else else
val->Assign(i, 0); val->Assign(i, 0);
} }
}
return val; return val;
} }

14
src/LogMgr.cc
View file

@ -81,16 +81,18 @@ struct LogMgr::Stream {
bool LogField::Read(SerializationFormat* fmt) bool LogField::Read(SerializationFormat* fmt)
{ {
int t; int t;
int st;
bool success = (fmt->Read(&name, "name") && fmt->Read(&t, "type")); bool success = (fmt->Read(&name, "name") && fmt->Read(&t, "type") && fmt->Read(&st, "subtype") );
type = (TypeTag) t; type = (TypeTag) t;
subtype = (TypeTag) st;
return success; return success;
} }
bool LogField::Write(SerializationFormat* fmt) const bool LogField::Write(SerializationFormat* fmt) const
{ {
return (fmt->Write(name, "name") && fmt->Write((int)type, "type")); return (fmt->Write(name, "name") && fmt->Write((int)type, "type") && fmt->Write((int)subtype, "subtype"));
} }
LogVal::~LogVal() LogVal::~LogVal()
@ -707,6 +709,14 @@ bool LogMgr::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
LogField* field = new LogField(); LogField* field = new LogField();
field->name = new_path; field->name = new_path;
field->type = t->Tag(); field->type = t->Tag();
if ( field->type == TYPE_TABLE )
{
field->subtype = t->AsSetType()->Indices()->PureType()->Tag();
}
else if ( field->type == TYPE_VECTOR )
{
field->subtype = t->AsVectorType()->YieldType()->Tag();
}
filter->fields[filter->num_fields - 1] = field; filter->fields[filter->num_fields - 1] = field;
} }

6
src/LogMgr.h
View file

@ -15,10 +15,12 @@ class SerializationFormat;
struct LogField { struct LogField {
string name; string name;
TypeTag type; TypeTag type;
// inner type of sets
TypeTag subtype;
LogField() { } LogField() { subtype = TYPE_VOID; }
LogField(const LogField& other) LogField(const LogField& other)
: name(other.name), type(other.type) { } : name(other.name), type(other.type), subtype(other.subtype) { }
// (Un-)serialize. // (Un-)serialize.
bool Read(SerializationFormat* fmt); bool Read(SerializationFormat* fmt);

54
src/LogWriterAscii.cc
View file

@ -6,27 +6,6 @@
#include "LogWriterAscii.h" #include "LogWriterAscii.h"
#include "NetVar.h" #include "NetVar.h"
/**
* Takes a string, escapes each character into its equivalent hex code (\x##), and
* returns a string containing all escaped values.
*
* @param str string to escape
* @return A std::string containing a list of escaped hex values of the form \x##
*/
static string get_escaped_string(const std::string& str)
{
char tbuf[16];
string esc = "";
for ( size_t i = 0; i < str.length(); ++i )
{
snprintf(tbuf, sizeof(tbuf), "\\x%02x", str[i]);
esc += tbuf;
}
return esc;
}
LogWriterAscii::LogWriterAscii() LogWriterAscii::LogWriterAscii()
{ {
file = 0; file = 0;
@ -59,7 +38,8 @@ LogWriterAscii::LogWriterAscii()
memcpy(header_prefix, BifConst::LogAscii::header_prefix->Bytes(), memcpy(header_prefix, BifConst::LogAscii::header_prefix->Bytes(),
header_prefix_len); header_prefix_len);
desc.SetEscape(separator, separator_len); desc.EnableEscaping();
desc.AddEscapeSequence(separator, separator_len);
} }
LogWriterAscii::~LogWriterAscii() LogWriterAscii::~LogWriterAscii()
@ -102,13 +82,19 @@ bool LogWriterAscii::DoInit(string path, int num_fields,
{ {
string str = string(header_prefix, header_prefix_len) string str = string(header_prefix, header_prefix_len)
+ "separator " // Always use space as separator here. + "separator " // Always use space as separator here.
+ get_escaped_string(string(separator, separator_len)) + get_escaped_string(string(separator, separator_len), false)
+ "\n"; + "\n";
if( fwrite(str.c_str(), str.length(), 1, file) != 1 ) if( fwrite(str.c_str(), str.length(), 1, file) != 1 )
goto write_error; goto write_error;
if ( ! WriteHeaderField("path", path) ) if ( ! (WriteHeaderField("set_separator", get_escaped_string(
string(set_separator, set_separator_len), false)) &&
WriteHeaderField("empty_field", get_escaped_string(
string(empty_field, empty_field_len), false)) &&
WriteHeaderField("unset_field", get_escaped_string(
string(unset_field, unset_field_len), false)) &&
WriteHeaderField("path", get_escaped_string(path, false))) )
goto write_error; goto write_error;
string names; string names;
@ -125,6 +111,12 @@ bool LogWriterAscii::DoInit(string path, int num_fields,
const LogField* field = fields[i]; const LogField* field = fields[i];
names += field->name; names += field->name;
types += type_name(field->type); types += type_name(field->type);
if ( (field->type == TYPE_TABLE) || (field->type == TYPE_VECTOR) )
{
types += "[";
types += type_name(field->subtype);
types += "]";
}
} }
if ( ! (WriteHeaderField("fields", names) if ( ! (WriteHeaderField("fields", names)
@ -238,14 +230,19 @@ bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field)
break; break;
} }
desc->AddEscapeSequence(set_separator, set_separator_len);
for ( int j = 0; j < val->val.set_val.size; j++ ) for ( int j = 0; j < val->val.set_val.size; j++ )
{ {
if ( j > 0 ) if ( j > 0 )
desc->AddN(set_separator, set_separator_len); desc->AddRaw(set_separator, set_separator_len);
if ( ! DoWriteOne(desc, val->val.set_val.vals[j], field) ) if ( ! DoWriteOne(desc, val->val.set_val.vals[j], field) )
{
desc->RemoveEscapeSequence(set_separator, set_separator_len);
return false; return false;
} }
}
desc->RemoveEscapeSequence(set_separator, set_separator_len);
break; break;
} }
@ -258,14 +255,19 @@ bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field)
break; break;
} }
desc->AddEscapeSequence(set_separator, set_separator_len);
for ( int j = 0; j < val->val.vector_val.size; j++ ) for ( int j = 0; j < val->val.vector_val.size; j++ )
{ {
if ( j > 0 ) if ( j > 0 )
desc->AddN(set_separator, set_separator_len); desc->AddRaw(set_separator, set_separator_len);
if ( ! DoWriteOne(desc, val->val.vector_val.vals[j], field) ) if ( ! DoWriteOne(desc, val->val.vector_val.vals[j], field) )
{
desc->RemoveEscapeSequence(set_separator, set_separator_len);
return false; return false;
} }
}
desc->RemoveEscapeSequence(set_separator, set_separator_len);
break; break;
} }

30
src/event.bif
View file

@ -4614,6 +4614,8 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, sessio
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection.
##
## code: The numerical code of the extension. The values are standardized as ## code: The numerical code of the extension. The values are standardized as
## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps them to ## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps them to
## descriptive names. ## descriptive names.
@ -4622,9 +4624,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, sessio
## ##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
## x509_certificate x509_error x509_extension ## x509_certificate x509_error x509_extension
## event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
## .. todo: The event lacks a ``is_orig`` parameter.
event ssl_extension%(c: connection, code: count, val: string%);
## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
## an unencrypted handshake, and Bro extracts as much information out of that as ## an unencrypted handshake, and Bro extracts as much information out of that as
@ -4652,6 +4652,8 @@ event ssl_established%(c: connection%);
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection.
##
## level: The severity level, as sent in the *alert*. The values are defined as ## level: The severity level, as sent in the *alert*. The values are defined as
## part of the SSL/TLS protocol. ## part of the SSL/TLS protocol.
## ##
@ -4660,9 +4662,7 @@ event ssl_established%(c: connection%);
## ##
## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
## x509_certificate x509_error x509_extension ## x509_certificate x509_error x509_extension
## event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
## .. todo: The event lacks a ``is_orig`` parameter.
event ssl_alert%(c: connection, level: count, desc: count%);
## Generated for x509 certificates seen in SSL/TLS connections. During the initial ## Generated for x509 certificates seen in SSL/TLS connections. During the initial
## SSL/TLS handshake, certificates are exchanged in the clear. Bro raises this ## SSL/TLS handshake, certificates are exchanged in the clear. Bro raises this
@ -4674,9 +4674,9 @@ event ssl_alert%(c: connection, level: count, desc: count%);
## ##
## c: The connection. ## c: The connection.
## ##
## cert: The parsed certificate. ## is_orig: True if event is raised for originator side of the connection.
## ##
## is_server: True if the certificate was sent by the server. ## cert: The parsed certificate.
## ##
## chain_idx: The index in the validation chain that this cert has. Index zero ## chain_idx: The index in the validation chain that this cert has. Index zero
## indicates an endpoints primary cert, while higher indices ## indicates an endpoints primary cert, while higher indices
@ -4691,7 +4691,7 @@ event ssl_alert%(c: connection, level: count, desc: count%);
## ##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_server_hello x509_error x509_extension x509_verify ## ssl_server_hello x509_error x509_extension x509_verify
event x509_certificate%(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string%); event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%);
## Generated for X.509 extensions seen in a certificate. ## Generated for X.509 extensions seen in a certificate.
## ##
@ -4700,13 +4700,13 @@ event x509_certificate%(c: connection, cert: X509, is_server: bool, chain_idx: c
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection.
##
## data: The raw data associated with the extension. ## data: The raw data associated with the extension.
## ##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_server_hello x509_certificate x509_error x509_verify ## ssl_server_hello x509_certificate x509_error x509_verify
## event x509_extension%(c: connection, is_orig: bool, data: string%);
## .. todo: The event lacks a ``is_orig`` parameter.
event x509_extension%(c: connection, data: string%);
## Generated when errors occur during parsing an X.509 certificate. ## Generated when errors occur during parsing an X.509 certificate.
## ##
@ -4715,14 +4715,14 @@ event x509_extension%(c: connection, data: string%);
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection.
##
## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` maps ## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` maps
## error codes to a textual description. ## error codes to a textual description.
## ##
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify ## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify
## event x509_error%(c: connection, is_orig: bool, err: count%);
## .. todo: The event lacks a ``is_orig`` parameter.
event x509_error%(c: connection, err: count%);
## TODO. ## TODO.
## ##

9
src/scan.l
View file

@ -167,7 +167,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
return TOK_POST_DOC; return TOK_POST_DOC;
} }
<DOC>##{OWS}{ID}:.* { <DOC>##{OWS}{ID}:{WS}.* {
const char* id_start = skip_whitespace(yytext + 2); const char* id_start = skip_whitespace(yytext + 2);
yylval.str = copy_string(canon_doc_func_param(id_start).c_str()); yylval.str = copy_string(canon_doc_func_param(id_start).c_str());
return TOK_DOC; return TOK_DOC;
@ -181,7 +181,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
} }
} }
##{OWS}{ID}:.* { ##{OWS}{ID}:{WS}.* {
if ( generate_documentation ) if ( generate_documentation )
{ {
// Comment is documenting either a function parameter or return type, // Comment is documenting either a function parameter or return type,
@ -201,6 +201,11 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+))
} }
} }
##<.* {
if ( generate_documentation && BroDocObj::last )
BroDocObj::last->AddDocString(canon_doc_comment(yytext + 3));
}
##.* { ##.* {
if ( generate_documentation && (yytext[2] != '#') ) if ( generate_documentation && (yytext[2] != '#') )
{ {

20
src/ssl-analyzer.pac
View file

@ -22,11 +22,17 @@
} }
}; };
string orig_label(bool is_orig);
void free_X509(void *); void free_X509(void *);
X509* d2i_X509_binpac(X509** px, const uint8** in, int len); X509* d2i_X509_binpac(X509** px, const uint8** in, int len);
%} %}
%code{ %code{
string orig_label(bool is_orig)
{
return string(is_orig ? "originator" :"responder");
}
void free_X509(void* cert) void free_X509(void* cert)
{ {
X509_free((X509*) cert); X509_free((X509*) cert);
@ -117,7 +123,7 @@ refine connection SSL_Conn += {
function proc_alert(rec: SSLRecord, level : int, desc : int) : bool function proc_alert(rec: SSLRecord, level : int, desc : int) : bool
%{ %{
BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
level, desc); ${rec.is_orig}, level, desc);
return true; return true;
%} %}
@ -200,11 +206,11 @@ refine connection SSL_Conn += {
return true; return true;
%} %}
function proc_ssl_extension(type: int, data: bytestring) : bool function proc_ssl_extension(rec: SSLRecord, type: int, data: bytestring) : bool
%{ %{
if ( ssl_extension ) if ( ssl_extension )
BifEvent::generate_ssl_extension(bro_analyzer(), BifEvent::generate_ssl_extension(bro_analyzer(),
bro_analyzer()->Conn(), type, bro_analyzer()->Conn(), ${rec.is_orig}, type,
new StringVal(data.length(), (const char*) data.data())); new StringVal(data.length(), (const char*) data.data()));
return true; return true;
%} %}
@ -231,7 +237,7 @@ refine connection SSL_Conn += {
if ( ! pTemp ) if ( ! pTemp )
{ {
BifEvent::generate_x509_error(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_x509_error(bro_analyzer(), bro_analyzer()->Conn(),
ERR_get_error()); ${rec.is_orig}, ERR_get_error());
return false; return false;
} }
@ -257,8 +263,8 @@ refine connection SSL_Conn += {
StringVal* der_cert = new StringVal(cert.length(), (const char*) cert.data()); StringVal* der_cert = new StringVal(cert.length(), (const char*) cert.data());
BifEvent::generate_x509_certificate(bro_analyzer(), bro_analyzer()->Conn(), BifEvent::generate_x509_certificate(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig},
pX509Cert, pX509Cert,
! ${rec.is_orig},
i, certificates->size(), i, certificates->size(),
der_cert); der_cert);
@ -284,7 +290,7 @@ refine connection SSL_Conn += {
StringVal* value = new StringVal(length, (char*)pBuffer); StringVal* value = new StringVal(length, (char*)pBuffer);
BifEvent::generate_x509_extension(bro_analyzer(), BifEvent::generate_x509_extension(bro_analyzer(),
bro_analyzer()->Conn(), value); bro_analyzer()->Conn(), ${rec.is_orig}, value);
OPENSSL_free(pBuffer); OPENSSL_free(pBuffer);
} }
} }
@ -445,5 +451,5 @@ refine typeattr CiphertextRecord += &let {
} }
refine typeattr SSLExtension += &let { refine typeattr SSLExtension += &let {
proc : bool = $context.connection.proc_ssl_extension(type, data); proc : bool = $context.connection.proc_ssl_extension(rec, type, data);
}; };

27
src/ssl-protocol.pac
View file

@ -22,7 +22,6 @@ type uint24 = record {
}; };
string state_label(int state_nr); string state_label(int state_nr);
string orig_label(bool is_orig);
double get_time_from_asn1(const ASN1_TIME * atime); double get_time_from_asn1(const ASN1_TIME * atime);
string handshake_type_label(int type); string handshake_type_label(int type);
%} %}
@ -35,7 +34,7 @@ type SSLRecord(is_orig: bool) = record {
head2 : uint8; head2 : uint8;
head3 : uint8; head3 : uint8;
head4 : uint8; head4 : uint8;
rec : RecordText(this, is_orig)[] &length=length, &requires(content_type); rec : RecordText(this)[] &length=length, &requires(content_type);
} &length = length+5, &byteorder=bigendian, } &length = length+5, &byteorder=bigendian,
&let { &let {
version : int = version : int =
@ -54,25 +53,25 @@ type SSLRecord(is_orig: bool) = record {
}; };
}; };
type RecordText(rec: SSLRecord, is_orig: bool) = case $context.connection.state() of { type RecordText(rec: SSLRecord) = case $context.connection.state() of {
STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED, STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED,
STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED
-> ciphertext : CiphertextRecord(rec, is_orig); -> ciphertext : CiphertextRecord(rec);
default default
-> plaintext : PlaintextRecord(rec, is_orig); -> plaintext : PlaintextRecord(rec);
}; };
type PossibleEncryptedHandshake(rec: SSLRecord, is_orig: bool) = case $context.connection.state() of { type PossibleEncryptedHandshake(rec: SSLRecord) = case $context.connection.state() of {
# Deal with encrypted handshakes before the server cipher spec change. # Deal with encrypted handshakes before the server cipher spec change.
STATE_CLIENT_FINISHED, STATE_CLIENT_ENCRYPTED STATE_CLIENT_FINISHED, STATE_CLIENT_ENCRYPTED
-> ct : CiphertextRecord(rec, is_orig); -> ct : CiphertextRecord(rec);
default -> hs : Handshake(rec); default -> hs : Handshake(rec);
}; };
type PlaintextRecord(rec: SSLRecord, is_orig: bool) = case rec.content_type of { type PlaintextRecord(rec: SSLRecord) = case rec.content_type of {
CHANGE_CIPHER_SPEC -> ch_cipher : ChangeCipherSpec(rec); CHANGE_CIPHER_SPEC -> ch_cipher : ChangeCipherSpec(rec);
ALERT -> alert : Alert(rec); ALERT -> alert : Alert(rec);
HANDSHAKE -> handshake : PossibleEncryptedHandshake(rec, is_orig); HANDSHAKE -> handshake : PossibleEncryptedHandshake(rec);
APPLICATION_DATA -> app_data : ApplicationData(rec); APPLICATION_DATA -> app_data : ApplicationData(rec);
V2_ERROR -> v2_error : V2Error(rec); V2_ERROR -> v2_error : V2Error(rec);
V2_CLIENT_HELLO -> v2_client_hello : V2ClientHello(rec); V2_CLIENT_HELLO -> v2_client_hello : V2ClientHello(rec);
@ -81,7 +80,7 @@ type PlaintextRecord(rec: SSLRecord, is_orig: bool) = case rec.content_type of {
default -> unknown_record : UnknownRecord(rec); default -> unknown_record : UnknownRecord(rec);
}; };
type SSLExtension = record { type SSLExtension(rec: SSLRecord) = record {
type: uint16; type: uint16;
data_len: uint16; data_len: uint16;
data: bytestring &length=data_len; data: bytestring &length=data_len;
@ -156,10 +155,6 @@ enum AnalyzerState {
} }
} }
string orig_label(bool is_orig)
{
return string(is_orig ? "originator" :"responder");
}
double get_time_from_asn1(const ASN1_TIME * atime) double get_time_from_asn1(const ASN1_TIME * atime)
{ {
@ -389,7 +384,7 @@ type ClientHello(rec: SSLRecord) = record {
# This weirdness is to deal with the possible existence or absence # This weirdness is to deal with the possible existence or absence
# of the following fields. # of the following fields.
ext_len: uint16[] &until($element == 0 || $element != 0); ext_len: uint16[] &until($element == 0 || $element != 0);
extensions : SSLExtension[] &until($input.length() == 0); extensions : SSLExtension(rec)[] &until($input.length() == 0);
} &let { } &let {
state_changed : bool = state_changed : bool =
$context.connection.transition(STATE_INITIAL, $context.connection.transition(STATE_INITIAL,
@ -663,7 +658,7 @@ type UnknownRecord(rec: SSLRecord) = record {
state_changed : bool = $context.connection.lost_track(); state_changed : bool = $context.connection.lost_track();
}; };
type CiphertextRecord(rec: SSLRecord, is_orig: bool) = record { type CiphertextRecord(rec: SSLRecord) = record {
cont : bytestring &restofdata &transient; cont : bytestring &restofdata &transient;
} &let { } &let {
state_changed : bool = state_changed : bool =

31
src/util.cc
View file

@ -41,6 +41,37 @@
#include "Net.h" #include "Net.h"
#include "Reporter.h" #include "Reporter.h"
/**
* Takes a string, escapes characters into equivalent hex codes (\x##), and
* returns a string containing all escaped values.
*
* @param str string to escape
* @param escape_all If true, all characters are escaped. If false, only
* characters are escaped that are either whitespace or not printable in
* ASCII.
* @return A std::string containing a list of escaped hex values of the form
* \x## */
std::string get_escaped_string(const std::string& str, bool escape_all)
{
char tbuf[16];
string esc = "";
for ( size_t i = 0; i < str.length(); ++i )
{
char c = str[i];
if ( escape_all || isspace(c) || ! isascii(c) || ! isprint(c) )
{
snprintf(tbuf, sizeof(tbuf), "\\x%02x", str[i]);
esc += tbuf;
}
else
esc += c;
}
return esc;
}
char* copy_string(const char* s) char* copy_string(const char* s)
{ {
char* c = new char[strlen(s)+1]; char* c = new char[strlen(s)+1];

2
src/util.h
View file

@ -89,6 +89,8 @@ void delete_each(T* t)
delete *it; delete *it;
} }
std::string get_escaped_string(const std::string& str, bool escape_all);
extern char* copy_string(const char* s); extern char* copy_string(const char* s);
extern int streq(const char* s1, const char* s2); extern int streq(const char* s1, const char* s2);

4
testing/btest/Baseline/bifs.records_fields/out
View file

@ -1,6 +1,6 @@
[a=42, b=<uninitialized>, c=<uninitialized>, d=Bar] [a=42, b=Foo, c=<uninitialized>, d=Bar]
{ {
[b] = [type_name=record, log=F, value=<uninitialized>, default_val=Foo], [b] = [type_name=record, log=F, value=Foo, default_val=Foo],
[d] = [type_name=record, log=T, value=Bar, default_val=<uninitialized>], [d] = [type_name=record, log=T, value=Bar, default_val=<uninitialized>],
[c] = [type_name=record, log=F, value=<uninitialized>, default_val=<uninitialized>], [c] = [type_name=record, log=F, value=<uninitialized>, default_val=<uninitialized>],
[a] = [type_name=record, log=F, value=42, default_val=<uninitialized>] [a] = [type_name=record, log=F, value=42, default_val=<uninitialized>]

21
testing/btest/Baseline/core.expr-exception/reporter.log
View file

@ -1,13 +1,16 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path reporter #path reporter
#fields ts level message location #fields ts level message location
#types time enum string string #types time enum string string
1300475168.783842 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 1300475168.783842 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.915940 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 1300475168.915940 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.916118 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 1300475168.916118 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.918295 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 1300475168.918295 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.952193 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 1300475168.952193 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.952228 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 1300475168.952228 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.954761 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 1300475168.954761 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475168.962628 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 1300475168.962628 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8
1300475169.780331 Reporter::ERROR field value missing [c$ftp] /home/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8 1300475169.780331 Reporter::ERROR field value missing [c$ftp] /Users/robin/bro/master/testing/btest/.tmp/core.expr-exception/expr-exception.bro, line 8

3
testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn #path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
#types time string addr port addr port enum string interval count count string bool count string count count count count #types time string addr port addr port enum string interval count count string bool count string count count count count

20
testing/btest/Baseline/core.print-bpf-filters-ipv4/output
View file

@ -1,20 +1,32 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter #path packet_filter
#fields ts node filter init success #fields ts node filter init success
#types time string string bool bool #types time string string bool bool
1320367155.152502 - not ip6 T T 1324314285.981347 - not ip6 T T
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter #path packet_filter
#fields ts node filter init success #fields ts node filter init success
#types time string string bool bool #types time string string bool bool
1320367155.379066 - (((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) T T 1324314286.168294 - (((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) T T
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter #path packet_filter
#fields ts node filter init success #fields ts node filter init success
#types time string string bool bool #types time string string bool bool
1320367155.601980 - port 42 T T 1324314286.350780 - port 42 T T
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter #path packet_filter
#fields ts node filter init success #fields ts node filter init success
#types time string string bool bool #types time string string bool bool
1320367155.826539 - port 56730 T T 1324314286.530768 - port 56730 T T

2
testing/btest/Baseline/core.reporter-error-in-handler/output
View file

@ -1,2 +1,2 @@
error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.bro, line 22: no such index (a[2]) error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-error-in-handler/reporter-error-in-handler.bro, line 22: no such index (a[2])
1st error printed on script level 1st error printed on script level

2
testing/btest/Baseline/core.reporter-fmt-strings/output
View file

@ -1 +1 @@
error in /Users/jsiwek/tmp/bro/testing/btest/.tmp/core.reporter-fmt-strings/reporter-fmt-strings.bro, line 9: not an event (dont_interpret_this(%s)) error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-fmt-strings/reporter-fmt-strings.bro, line 9: not an event (dont_interpret_this(%s))

2
testing/btest/Baseline/core.reporter-parse-error/output
View file

@ -1 +1 @@
error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-parse-error/reporter-parse-error.bro, line 7: unknown identifier TESTFAILURE, at or near "TESTFAILURE" error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-parse-error/reporter-parse-error.bro, line 7: unknown identifier TESTFAILURE, at or near "TESTFAILURE"

2
testing/btest/Baseline/core.reporter-runtime-error/output
View file

@ -1 +1 @@
error in /Users/seth/bro.git9/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 12: no such index (a[1]) error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-runtime-error/reporter-runtime-error.bro, line 12: no such index (a[1])

6
testing/btest/Baseline/core.reporter-type-mismatch/output
View file

@ -1,3 +1,3 @@
error in string and /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: arithmetic mixed with non-arithmetic (string and 42) error in string and /Users/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: arithmetic mixed with non-arithmetic (string and 42)
error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11 and string: type mismatch (42 and string) error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11 and string: type mismatch (42 and string)
error in /da/home/robin/bro/seth/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: argument type mismatch in event invocation (foo(42)) error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter-type-mismatch/reporter-type-mismatch.bro, line 11: argument type mismatch in event invocation (foo(42))

12
testing/btest/Baseline/core.reporter/logger-test.log
View file

@ -1,6 +1,6 @@
reporter_info|init test-info|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 8|0.000000 reporter_info|init test-info|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 8|0.000000
reporter_warning|init test-warning|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 9|0.000000 reporter_warning|init test-warning|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 9|0.000000
reporter_error|init test-error|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 10|0.000000 reporter_error|init test-error|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 10|0.000000
reporter_info|done test-info|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 15|0.000000 reporter_info|done test-info|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 15|0.000000
reporter_warning|done test-warning|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 16|0.000000 reporter_warning|done test-warning|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 16|0.000000
reporter_error|done test-error|/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 17|0.000000 reporter_error|done test-error|/Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 17|0.000000

6
testing/btest/Baseline/core.reporter/output
View file

@ -1,3 +1,3 @@
/da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 52: pre test-info /Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 52: pre test-info
warning in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 53: pre test-warning warning in /Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 53: pre test-warning
error in /da/home/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 54: pre test-error error in /Users/robin/bro/master/testing/btest/.tmp/core.reporter/reporter.bro, line 54: pre test-error

3
testing/btest/Baseline/core.vlan-mpls/conn.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn #path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
#types time string addr port addr port enum string interval count count string bool count string count count count count #types time string addr port addr port enum string interval count count string bool count string count count count count

3
testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path loaded_scripts #path loaded_scripts
#fields name #fields name
#types string #types string

3
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path loaded_scripts #path loaded_scripts
#fields name #fields name
#types string #types string

9
testing/btest/Baseline/doc.autogen-reST-example/example.rst
View file

@ -7,8 +7,8 @@ example.bro
Overview Overview
-------- --------
This is an example script that demonstrates how to document. Comments This is an example script that demonstrates documentation features.
of the form ``##!`` are for the script summary. The contents of Comments of the form ``##!`` are for the script summary. The contents of
these comments are transferred directly into the auto-generated these comments are transferred directly into the auto-generated
`reStructuredText <http://docutils.sourceforge.net/rst.html>`_ `reStructuredText <http://docutils.sourceforge.net/rst.html>`_
(reST) document's summary section. (reST) document's summary section.
@ -34,7 +34,7 @@ Options
============================================================================ ====================================== ============================================================================ ======================================
:bro:id:`Example::an_option`: :bro:type:`set` :bro:attr:`&redef` add documentation for "an_option" here :bro:id:`Example::an_option`: :bro:type:`set` :bro:attr:`&redef` add documentation for "an_option" here
:bro:id:`Example::option_with_init`: :bro:type:`interval` :bro:attr:`&redef` :bro:id:`Example::option_with_init`: :bro:type:`interval` :bro:attr:`&redef` More docs can be added here.
============================================================================ ====================================== ============================================================================ ======================================
State Variables State Variables
@ -128,6 +128,8 @@ Options
:Attributes: :bro:attr:`&redef` :Attributes: :bro:attr:`&redef`
:Default: ``10.0 msecs`` :Default: ``10.0 msecs``
More docs can be added here.
State Variables State Variables
~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
.. bro:id:: Example::a_var .. bro:id:: Example::a_var
@ -217,6 +219,7 @@ Events
Summarize "an_event" here. Summarize "an_event" here.
Give more details about "an_event" here. Give more details about "an_event" here.
Example::an_event should not be confused as a parameter.
:param name: describe the argument here :param name: describe the argument here

6
testing/btest/Baseline/istate.broccoli/bro.log
View file

@ -1,3 +1,3 @@
ping received, seq 0, 1303093042.542125 at src, 1303093042.583423 at dest, ping received, seq 0, 1324314397.698781 at src, 1324314397.699240 at dest,
ping received, seq 1, 1303093043.543167 at src, 1303093043.544026 at dest, ping received, seq 1, 1324314398.698905 at src, 1324314398.699094 at dest,
ping received, seq 2, 1303093044.544115 at src, 1303093044.545008 at dest, ping received, seq 2, 1324314399.699012 at src, 1324314399.699231 at dest,

7
testing/btest/Baseline/istate.events-ssl/receiver.http.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http #path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1319568535.914761 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - - - - - text/html - - 1324314406.995958 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -

7
testing/btest/Baseline/istate.events-ssl/sender.http.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http #path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1319568535.914761 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - - - - - text/html - - 1324314406.995958 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -

7
testing/btest/Baseline/istate.events/receiver.http.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http #path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1319568558.542142 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - - - - - text/html - - 1324314415.616486 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -

7
testing/btest/Baseline/istate.events/sender.http.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http #path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1319568558.542142 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - - - - - text/html - - 1324314415.616486 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -

4
testing/btest/Baseline/language.record-default-coercion/out Normal file
View file

@ -0,0 +1,4 @@
[a=13, c=13, v=[]]
0
[a=13, c=13, v=[test]]
1

2
testing/btest/Baseline/language.wrong-delete-field/output
View file

@ -1 +1 @@
error in /da/home/robin/bro/seth/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.bro, line 10: illegal delete statement (delete x$a) error in /Users/robin/bro/master/testing/btest/.tmp/language.wrong-delete-field/wrong-delete-field.bro, line 10: illegal delete statement (delete x$a)

27
testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log
View file

@ -1,16 +1,19 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path communication #path communication
#fields ts peer src_name connected_peer_desc connected_peer_addr connected_peer_port level message #fields ts peer src_name connected_peer_desc connected_peer_addr connected_peer_port level message
#types time string string string addr port string string #types time string string string addr port string string
1322788789.351248 bro parent - - - info [#1/127.0.0.1:47757] added peer 1324314302.411344 bro parent - - - info [#1/127.0.0.1:47757] added peer
1322788789.354851 bro child - - - info [#1/127.0.0.1:47757] connected 1324314302.414978 bro child - - - info [#1/127.0.0.1:47757] connected
1322788789.354956 bro parent - - - info [#1/127.0.0.1:47757] peer connected 1324314302.415099 bro parent - - - info [#1/127.0.0.1:47757] peer connected
1322788789.354956 bro parent - - - info [#1/127.0.0.1:47757] phase: version 1324314302.415099 bro parent - - - info [#1/127.0.0.1:47757] phase: version
1322788789.355429 bro script - - - info connection established 1324314302.417446 bro script - - - info connection established
1322788789.355429 bro script - - - info requesting events matching /^?(NOTHING)$?/ 1324314302.417446 bro script - - - info requesting events matching /^?(NOTHING)$?/
1322788789.355429 bro script - - - info accepting state 1324314302.417446 bro script - - - info accepting state
1322788789.355967 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake 1324314302.418003 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake
1322788789.355967 bro parent - - - info warning: no events to request 1324314302.418003 bro parent - - - info warning: no events to request
1322788789.355967 bro parent - - - info terminating... 1324314302.418003 bro parent - - - info terminating...
1322788789.355967 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro 1324314302.418003 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro
1322788789.355967 bro parent - - - info [#1/127.0.0.1:47757] closing connection 1324314302.418003 bro parent - - - info [#1/127.0.0.1:47757] closing connection

7
testing/btest/Baseline/scripts.base.frameworks.logging.adapt-filter/ssh-new-default.log
View file

@ -1,6 +1,9 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh-new-default #path ssh-new-default
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167052.603186 1.2.3.4 1234 2.3.4.5 80 success unknown 1324314313.140603 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167052.603186 1.2.3.4 1234 2.3.4.5 80 failure US 1324314313.140603 1.2.3.4 1234 2.3.4.5 80 failure US

5
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-binary/ssh.log
View file

@ -1,4 +1,7 @@
#separator \x7c #separator |
#set_separator|,
#empty_field|(empty)
#unset_field|-
#path|ssh #path|ssh
#fields|data|data2 #fields|data|data2
#types|string|string #types|string|string

15
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-empty/ssh.log
View file

@ -1,9 +1,12 @@
PREFIX<>separator \x7c PREFIX<>separator |
PREFIX<>set_separator|,
PREFIX<>empty_field|EMPTY
PREFIX<>unset_field|NOT-SET
PREFIX<>path|ssh PREFIX<>path|ssh
PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b PREFIX<>fields|t|id.orig_h|id.orig_p|id.resp_h|id.resp_p|status|country|b
PREFIX<>types|time|addr|port|addr|port|string|string|bool PREFIX<>types|time|addr|port|addr|port|string|string|bool
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET 1324314313.345323|1.2.3.4|1234|2.3.4.5|80|success|unknown|NOT-SET
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET 1324314313.345323|1.2.3.4|1234|2.3.4.5|80|NOT-SET|US|NOT-SET
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET 1324314313.345323|1.2.3.4|1234|2.3.4.5|80|failure|UK|NOT-SET
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET 1324314313.345323|1.2.3.4|1234|2.3.4.5|80|NOT-SET|BR|NOT-SET
1315167052.828457|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T 1324314313.345323|1.2.3.4|1234|2.3.4.5|80|failure|EMPTY|T

5
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-notset-str/test.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields x y z #fields x y z
#types string string string #types string string string
\x2d - - \x2d - (empty)

7
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http #path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table string string table string string file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 346 404 Not Found - - - - - - - text/html - - 1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 346 404 Not Found - - - (empty) - - - text/html - -

8
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-set-separator/test.log Normal file
View file

@ -0,0 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test
#fields ss
#types table[string]
CC,AA,\x2c,\x2c\x2c

15
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape/ssh.log
View file

@ -1,9 +1,12 @@
#separator \x7c\x7c #separator ||
#set_separator||,
#empty_field||(empty)
#unset_field||-
#path||ssh #path||ssh
#fields||t||id.orig_h||id.orig_p||id.resp_h||id.resp_p||status||country #fields||t||id.orig_h||id.orig_p||id.resp_h||id.resp_p||status||country
#types||time||addr||port||addr||port||string||string #types||time||addr||port||addr||port||string||string
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||success||unknown 1324314313.899736||1.2.3.4||1234||2.3.4.5||80||success||unknown
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||failure||US 1324314313.899736||1.2.3.4||1234||2.3.4.5||80||failure||US
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||fa\x7c\x7cure||UK 1324314313.899736||1.2.3.4||1234||2.3.4.5||80||fa\x7c\x7cure||UK
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||su\x7c\x7cess||BR 1324314313.899736||1.2.3.4||1234||2.3.4.5||80||su\x7c\x7cess||BR
1315802040.006123||1.2.3.4||1234||2.3.4.5||80||failure||MX 1324314313.899736||1.2.3.4||1234||2.3.4.5||80||failure||MX

10
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-options/ssh.log
View file

@ -1,5 +1,5 @@
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|success|unknown 1324314313.990741|1.2.3.4|1234|2.3.4.5|80|success|unknown
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|failure|US 1324314313.990741|1.2.3.4|1234|2.3.4.5|80|failure|US
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|failure|UK 1324314313.990741|1.2.3.4|1234|2.3.4.5|80|failure|UK
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|success|BR 1324314313.990741|1.2.3.4|1234|2.3.4.5|80|success|BR
1299718506.38074|1.2.3.4|1234|2.3.4.5|80|failure|MX 1324314313.990741|1.2.3.4|1234|2.3.4.5|80|failure|MX

3
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-timestamps/test.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields data #fields data
#types time #types time

3
testing/btest/Baseline/scripts.base.frameworks.logging.attr-extend/ssh.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh #path ssh
#fields status country a1 b1 b2 #fields status country a1 b1 b2
#types string string count count count #types string string count count count

3
testing/btest/Baseline/scripts.base.frameworks.logging.attr/ssh.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh #path ssh
#fields status country #fields status country
#types string string #types string string

13
testing/btest/Baseline/scripts.base.frameworks.logging.empty-event/ssh.log
View file

@ -1,9 +1,12 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh #path ssh
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 success unknown 1324314314.443785 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure US 1324314314.443785 1.2.3.4 1234 2.3.4.5 80 failure US
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure UK 1324314314.443785 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 success BR 1324314314.443785 1.2.3.4 1234 2.3.4.5 80 success BR
1315167053.369918 1.2.3.4 1234 2.3.4.5 80 failure MX 1324314314.443785 1.2.3.4 1234 2.3.4.5 80 failure MX

4
testing/btest/Baseline/scripts.base.frameworks.logging.events/output
View file

@ -1,2 +1,2 @@
[t=1299718502.96511, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=success, country=<uninitialized>] [t=1324314314.738385, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=success, country=unknown]
[t=1299718502.96511, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=failure, country=US] [t=1324314314.738385, id=[orig_h=1.2.3.4, orig_p=1234/tcp, resp_h=2.3.4.5, resp_p=80/tcp], status=failure, country=US]

3
testing/btest/Baseline/scripts.base.frameworks.logging.exclude/ssh.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh #path ssh
#fields id.orig_p id.resp_h id.resp_p status country #fields id.orig_p id.resp_h id.resp_p status country
#types port addr port string string #types port addr port string string

5
testing/btest/Baseline/scripts.base.frameworks.logging.file/ssh.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh #path ssh
#fields t f #fields t f
#types time file #types time file
1315167053.585834 Foo.log 1324314314.940195 Foo.log

13
testing/btest/Baseline/scripts.base.frameworks.logging.include/ssh.log
View file

@ -1,9 +1,12 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh #path ssh
#fields t id.orig_h #fields t id.orig_h
#types time addr #types time addr
1315167053.694473 1.2.3.4 1324314315.040480 1.2.3.4
1315167053.694473 1.2.3.4 1324314315.040480 1.2.3.4
1315167053.694473 1.2.3.4 1324314315.040480 1.2.3.4
1315167053.694473 1.2.3.4 1324314315.040480 1.2.3.4
1315167053.694473 1.2.3.4 1324314315.040480 1.2.3.4

3
testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/local.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path local #path local
#fields ts id.orig_h #fields ts id.orig_h
#types time addr #types time addr

3
testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/remote.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path remote #path remote
#fields ts id.orig_h #fields ts id.orig_h
#types time addr #types time addr

35
testing/btest/Baseline/scripts.base.frameworks.logging.path-func/output
View file

@ -6,37 +6,58 @@ static-prefix-1-US.log
static-prefix-2-MX2.log static-prefix-2-MX2.log
static-prefix-2-UK.log static-prefix-2-UK.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-0-BR #path static-prefix-0-BR
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 success BR 1324314315.385189 1.2.3.4 1234 2.3.4.5 80 success BR
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-0-MX3 #path static-prefix-0-MX3
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX3 1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure MX3
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-0-unknown #path static-prefix-0-unknown
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 success unknown 1324314315.385189 1.2.3.4 1234 2.3.4.5 80 success unknown
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-1-MX #path static-prefix-1-MX
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX 1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure MX
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-1-US #path static-prefix-1-US
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure US 1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure US
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-2-MX2 #path static-prefix-2-MX2
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure MX2 1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure MX2
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path static-prefix-2-UK #path static-prefix-2-UK
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.803346 1.2.3.4 1234 2.3.4.5 80 failure UK 1324314315.385189 1.2.3.4 1234 2.3.4.5 80 failure UK

5
testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.failure.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test.failure #path test.failure
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.923545 1.2.3.4 1234 2.3.4.5 80 failure US 1324314315.498365 1.2.3.4 1234 2.3.4.5 80 failure US

5
testing/btest/Baseline/scripts.base.frameworks.logging.pred/test.success.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test.success #path test.success
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167053.923545 1.2.3.4 1234 2.3.4.5 80 success - 1324314315.498365 1.2.3.4 1234 2.3.4.5 80 success unknown

7
testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field EMPTY
#unset_field -
#path test #path test
#fields b i e c p sn a d t iv s sc ss se vc ve #fields b i e c p sn a d t iv s sc ss se vc ve
#types bool int enum count port subnet addr double time interval string table table table vector vector #types bool int enum count port subnet addr double time interval string table[count] table[string] table[string] vector[count] vector[string]
T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315167054.320958 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1324314315.880694 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY

9
testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log
View file

@ -1,7 +1,10 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test.failure #path test.failure
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure US 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure US
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure UK 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure MX 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure MX

13
testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log
View file

@ -1,9 +1,12 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success - 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure US 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure US
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure UK 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success BR 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 success BR
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 failure MX 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 failure MX

7
testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log
View file

@ -1,6 +1,9 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test.success #path test.success
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success - 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167059.502670 1.2.3.4 1234 2.3.4.5 80 success BR 1324314321.061516 1.2.3.4 1234 2.3.4.5 80 success BR

7
testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.failure.log
View file

@ -1,6 +1,9 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh.failure #path ssh.failure
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure US 1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure US
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure UK 1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure UK

9
testing/btest/Baseline/scripts.base.frameworks.logging.remove/ssh.log
View file

@ -1,7 +1,10 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh #path ssh
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure US 1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure US
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure UK 1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167066.575996 1.2.3.4 1234 2.3.4.5 80 failure BR 1324314328.196443 1.2.3.4 1234 2.3.4.5 80 failure BR

3
testing/btest/Baseline/scripts.base.frameworks.logging.rotate-custom/out
View file

@ -18,11 +18,14 @@ custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.00.05.log, pat
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F] custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_11.59.55.log, path=test2, open=1299499195.0, close=1299499205.0, terminating=F]
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F] custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.00.05.log, path=test2, open=1299499205.0, close=1299502795.0, terminating=F]
custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T] custom rotate, [writer=Log::WRITER_ASCII, fname=test2-11-03-07_12.59.55.log, path=test2, open=1299502795.0, close=1299502795.0, terminating=T]
#empty_field (empty)
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#path test #path test
#path test2 #path test2
#separator \x09 #separator \x09
#set_separator ,
#types time addr port addr port #types time addr port addr port
#unset_field -
1299466805.000000 10.0.0.1 20 10.0.0.2 1024 1299466805.000000 10.0.0.1 20 10.0.0.2 1024
1299470395.000000 10.0.0.2 20 10.0.0.3 0 1299470395.000000 10.0.0.2 20 10.0.0.3 0
1299470405.000000 10.0.0.1 20 10.0.0.2 1025 1299470405.000000 10.0.0.1 20 10.0.0.2 1025

30
testing/btest/Baseline/scripts.base.frameworks.logging.rotate/out
View file

@ -10,6 +10,9 @@ test.2011-03-07-11-00-05.log test 11-03-07_11.00.05 11-03-07_12.00.05 0
test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1 test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
> test.2011-03-07-03-00-05.log > test.2011-03-07-03-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port
@ -17,6 +20,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299470395.000000 10.0.0.2 20 10.0.0.3 0 1299470395.000000 10.0.0.2 20 10.0.0.3 0
> test.2011-03-07-04-00-05.log > test.2011-03-07-04-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port
@ -24,6 +30,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299473995.000000 10.0.0.2 20 10.0.0.3 1 1299473995.000000 10.0.0.2 20 10.0.0.3 1
> test.2011-03-07-05-00-05.log > test.2011-03-07-05-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port
@ -31,6 +40,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299477595.000000 10.0.0.2 20 10.0.0.3 2 1299477595.000000 10.0.0.2 20 10.0.0.3 2
> test.2011-03-07-06-00-05.log > test.2011-03-07-06-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port
@ -38,6 +50,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299481195.000000 10.0.0.2 20 10.0.0.3 3 1299481195.000000 10.0.0.2 20 10.0.0.3 3
> test.2011-03-07-07-00-05.log > test.2011-03-07-07-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port
@ -45,6 +60,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299484795.000000 10.0.0.2 20 10.0.0.3 4 1299484795.000000 10.0.0.2 20 10.0.0.3 4
> test.2011-03-07-08-00-05.log > test.2011-03-07-08-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port
@ -52,6 +70,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299488395.000000 10.0.0.2 20 10.0.0.3 5 1299488395.000000 10.0.0.2 20 10.0.0.3 5
> test.2011-03-07-09-00-05.log > test.2011-03-07-09-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port
@ -59,6 +80,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299491995.000000 10.0.0.2 20 10.0.0.3 6 1299491995.000000 10.0.0.2 20 10.0.0.3 6
> test.2011-03-07-10-00-05.log > test.2011-03-07-10-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port
@ -66,6 +90,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299495595.000000 10.0.0.2 20 10.0.0.3 7 1299495595.000000 10.0.0.2 20 10.0.0.3 7
> test.2011-03-07-11-00-05.log > test.2011-03-07-11-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port
@ -73,6 +100,9 @@ test.2011-03-07-12-00-05.log test 11-03-07_12.00.05 11-03-07_12.59.55 1
1299499195.000000 10.0.0.2 20 10.0.0.3 8 1299499195.000000 10.0.0.2 20 10.0.0.3 8
> test.2011-03-07-12-00-05.log > test.2011-03-07-12-00-05.log
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path test #path test
#fields t id.orig_h id.orig_p id.resp_h id.resp_p #fields t id.orig_h id.orig_p id.resp_h id.resp_p
#types time addr port addr port #types time addr port addr port

13
testing/btest/Baseline/scripts.base.frameworks.logging.stdout/output
View file

@ -1,9 +1,12 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path /dev/stdout #path /dev/stdout
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 success unknown 1324314328.844271 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure US 1324314328.844271 1.2.3.4 1234 2.3.4.5 80 failure US
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure UK 1324314328.844271 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 success BR 1324314328.844271 1.2.3.4 1234 2.3.4.5 80 success BR
1315167067.393739 1.2.3.4 1234 2.3.4.5 80 failure MX 1324314328.844271 1.2.3.4 1234 2.3.4.5 80 failure MX

13
testing/btest/Baseline/scripts.base.frameworks.logging.test-logging/ssh.log
View file

@ -1,9 +1,12 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh #path ssh
#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country #fields t id.orig_h id.orig_p id.resp_h id.resp_p status country
#types time addr port addr port string string #types time addr port addr port string string
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 success unknown 1324314328.950525 1.2.3.4 1234 2.3.4.5 80 success unknown
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure US 1324314328.950525 1.2.3.4 1234 2.3.4.5 80 failure US
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure UK 1324314328.950525 1.2.3.4 1234 2.3.4.5 80 failure UK
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 success BR 1324314328.950525 1.2.3.4 1234 2.3.4.5 80 success BR
1315167067.507542 1.2.3.4 1234 2.3.4.5 80 failure MX 1324314328.950525 1.2.3.4 1234 2.3.4.5 80 failure MX

7
testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field EMPTY
#unset_field -
#path ssh #path ssh
#fields b i e c p sn a d t iv s sc ss se vc ve f #fields b i e c p sn a d t iv s sc ss se vc ve f
#types bool int enum count port subnet addr double time interval string table table table vector vector func #types bool int enum count port subnet addr double time interval string table[count] table[string] table[string] vector[count] vector[string] func
T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1324314329.051618 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}

3
testing/btest/Baseline/scripts.base.frameworks.logging.unset-record/testing.log
View file

@ -1,4 +1,7 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path testing #path testing
#fields a.val1 a.val2 b #fields a.val1 a.val2 b
#types count count count #types count count count

5
testing/btest/Baseline/scripts.base.frameworks.logging.vec/ssh.log
View file

@ -1,5 +1,8 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh #path ssh
#fields vec #fields vec
#types vector #types vector[string]
-,2,-,-,5 -,2,-,-,5

9
testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
View file

@ -1,7 +1,10 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path metrics #path metrics
#fields ts metric_id filter_name index.host index.str index.network value #fields ts metric_id filter_name index.host index.str index.network value
#types time enum string addr string subnet count #types time enum string addr string subnet count
1317950616.401733 TEST_METRIC foo-bar 6.5.4.3 - - 4 1324314335.570789 TEST_METRIC foo-bar 6.5.4.3 - - 4
1317950616.401733 TEST_METRIC foo-bar 1.2.3.4 - - 6 1324314335.570789 TEST_METRIC foo-bar 1.2.3.4 - - 6
1317950616.401733 TEST_METRIC foo-bar 7.2.1.5 - - 2 1324314335.570789 TEST_METRIC foo-bar 7.2.1.5 - - 2

9
testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
View file

@ -1,7 +1,10 @@
#separator \x09 #separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path metrics #path metrics
#fields ts metric_id filter_name index.host index.str index.network value #fields ts metric_id filter_name index.host index.str index.network value
#types time enum string addr string subnet count #types time enum string addr string subnet count
1315167083.455574 TEST_METRIC foo-bar 6.5.4.3 - - 2 1324314344.807073 TEST_METRIC foo-bar 6.5.4.3 - - 2
1315167083.455574 TEST_METRIC foo-bar 1.2.3.4 - - 3 1324314344.807073 TEST_METRIC foo-bar 1.2.3.4 - - 3
1315167083.455574 TEST_METRIC foo-bar 7.2.1.5 - - 1 1324314344.807073 TEST_METRIC foo-bar 7.2.1.5 - - 1

Some files were not shown because too many files have changed in this diff Show more