Merge remote-tracking branch 'origin/master' into topic/johanna/openflow

testing/btest/scripts/base/files/pe/basic.test

@@ -0,0 +1,5 @@
+# This tests the PE analyzer against a PCAP of 4 PE files being downloaded via FTP.
+# The files are a mix of DLL/EXEs, signed/unsigned, and 32/64-bit files.
+
+# @TEST-EXEC: bro -r $TRACES/pe/pe.trace %INPUT
+# @TEST-EXEC: btest-diff pe.log

testing/btest/scripts/base/frameworks/logging/ascii-escape-binary.bro

@@ -0,0 +1,48 @@
+# @TEST-EXEC: bro -b %INPUT >output
+# @TEST-EXEC: btest-diff test.log
+# @TEST-EXEC: btest-diff output
+
+module Test;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		s: string;
+	} &log;
+}
+
+event bro_init()
+{
+	local a = "abc\0def";
+	local b = escape_string(a);
+	local c = fmt("%s", a);
+
+	Log::create_stream(Test::LOG, [$columns=Log]);
+	Log::write(Test::LOG, [$s="AB\0CD\0"]);
+	Log::write(Test::LOG, [$s="AB\xffCD\0"]);
+	Log::write(Test::LOG, [$s="AB\\xffCD\0"]);
+	Log::write(Test::LOG, [$s=" "]);
+	Log::write(Test::LOG, [$s=b]);
+	Log::write(Test::LOG, [$s=" "]);
+	Log::write(Test::LOG, [$s=c]);
+	Log::write(Test::LOG, [$s=" "]);
+	Log::write(Test::LOG, [$s="foo \xc2\xae bar \\xc2\\xae baz"]);
+	Log::write(Test::LOG, [$s="foo\x00bar\\0baz"]);
+	Log::write(Test::LOG, [$s="foo \16 bar ^N baz"]);
+
+	print "AB\0CD\0";
+	print "AB\xffCD\0";
+	print "AB\\xffCD\0";
+	print "";
+	print b;
+	print "";
+	print c;
+	print "";
+	print "foo \xc2\xae bar \\xc2\\xae baz";
+	print "foo\x00bar\\0baz";
+	print "foo \16 bar ^N baz";
+
+	print "";
+}
+

testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.bro

@@ -0,0 +1,10 @@
+# This tests an issue with interaction between zero length
+# http bodies and the file analysis code.  It is creating
+# files when there isn't actually any body there and shouldn't
+# create a file.
+#
+# @TEST-EXEC: bro -r $TRACES/http/zero-length-bodies-with-drops.pcap %INPUT
+
+# There shouldn't be a files log (no files!)
+# @TEST-EXEC: test ! -f files.log
+

testing/btest/scripts/base/protocols/krb/kinit.test

@@ -0,0 +1,16 @@
+# This test exercises many of the Linux kinit options against a KDC
+
+# @TEST-EXEC: bro -b -r $TRACES/krb/kinit.trace %INPUT > output
+# @TEST-EXEC: btest-diff kerberos.log
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/krb
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
+	{
+	print "KRB_AP_REQUEST";
+	print ticket;
+	print opts;
+	}
+
+

testing/btest/scripts/base/protocols/krb/tgs.test

@@ -0,0 +1,7 @@
+# This test exercises a Kerberos authentication to a Kerberized SSH server
+
+# @TEST-EXEC: bro -b -r $TRACES/krb/auth.trace %INPUT
+# @TEST-EXEC: btest-diff kerberos.log
+
+@load base/protocols/krb
+

testing/btest/scripts/base/protocols/sip/wireshark.test

@@ -0,0 +1,6 @@
+# This tests a PCAP with a few SIP commands from the Wireshark samples.
+
+# @TEST-EXEC: bro -b -r $TRACES/sip/wireshark.trace %INPUT
+# @TEST-EXEC: btest-diff sip.log
+
+@load base/protocols/sip

testing/btest/scripts/site/local-compat.test

@@ -10,6 +10,95 @@
 # how to migrate to the new version and this test's TEST-START-FILE
 # should be updated with the latest contents of site/local.bro.
 
+@TEST-START-FILE local-2.4.bro
+##! Local site policy. Customize as appropriate. 
+##!
+##! This file will not be overwritten when upgrading or reinstalling!
+
+# This script logs which scripts were loaded during each run.
+@load misc/loaded-scripts
+
+# Apply the default tuning scripts for common tuning settings.
+@load tuning/defaults
+
+# Load the scan detection script.
+@load misc/scan
+
+# Log some information about web applications being used by users 
+# on your network.
+@load misc/app-stats
+
+# Detect traceroute being run on the network.  
+@load misc/detect-traceroute
+
+# Generate notices when vulnerable versions of software are discovered.
+# The default is to only monitor software found in the address space defined
+# as "local".  Refer to the software framework's documentation for more 
+# information.
+@load frameworks/software/vulnerable
+
+# Detect software changing (e.g. attacker installing hacked SSHD).
+@load frameworks/software/version-changes
+
+# This adds signatures to detect cleartext forward and reverse windows shells.
+@load-sigs frameworks/signatures/detect-windows-shells
+
+# Load all of the scripts that detect software in various protocols.
+@load protocols/ftp/software
+@load protocols/smtp/software
+@load protocols/ssh/software
+@load protocols/http/software
+# The detect-webapps script could possibly cause performance trouble when 
+# running on live traffic.  Enable it cautiously.
+#@load protocols/http/detect-webapps
+
+# This script detects DNS results pointing toward your Site::local_nets 
+# where the name is not part of your local DNS zone and is being hosted 
+# externally.  Requires that the Site::local_zones variable is defined.
+@load protocols/dns/detect-external-names
+
+# Script to detect various activity in FTP sessions.
+@load protocols/ftp/detect
+
+# Scripts that do asset tracking.
+@load protocols/conn/known-hosts
+@load protocols/conn/known-services
+@load protocols/ssl/known-certs
+
+# This script enables SSL/TLS certificate validation.
+@load protocols/ssl/validate-certs
+
+# This script prevents the logging of SSL CA certificates in x509.log
+@load protocols/ssl/log-hostcerts-only
+
+# Uncomment the following line to check each SSL certificate hash against the ICSI
+# certificate notary service; see http://notary.icsi.berkeley.edu .
+# @load protocols/ssl/notary
+
+# If you have libGeoIP support built in, do some geographic detections and 
+# logging for SSH traffic.
+@load protocols/ssh/geo-data
+# Detect hosts doing SSH bruteforce attacks.
+@load protocols/ssh/detect-bruteforcing
+# Detect logins using "interesting" hostnames.
+@load protocols/ssh/interesting-hostnames
+
+# Detect SQL injection attacks.
+@load protocols/http/detect-sqli
+
+#### Network File Handling ####
+
+# Enable MD5 and SHA1 hashing for all files.
+@load frameworks/files/hash-all-files
+
+# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
+@load frameworks/files/detect-MHR
+
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
+@TEST-END-FILE
+
 @TEST-START-FILE local-2.3.bro
 ##! Local site policy. Customize as appropriate. 
 ##!