diff --git a/scripts/base/frameworks/dpd/__load__.zeek b/scripts/base/frameworks/dpd/__load__.zeek
deleted file mode 100644
index 643addd66b..0000000000
--- a/scripts/base/frameworks/dpd/__load__.zeek
+++ /dev/null
@@ -1,3 +0,0 @@
-@deprecated "Remove in v6.1 - now loaded automatically";
-
-@load base/frameworks/analyzer
diff --git a/scripts/policy/frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek b/scripts/policy/frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek
deleted file mode 100644
index 93d81a29f7..0000000000
--- a/scripts/policy/frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek
+++ /dev/null
@@ -1,64 +0,0 @@
-##! This script can be used to add back the fields ``tx_hosts``, ``rx_hosts``
-##! and ``conn_uids`` to the :zeek:see:`Files::Info` record and thereby also
-##! back into the ``files.log``. These fields have been removed in Zeek 5.1
-##! and replaced with the more commonly used ``uid`` and ``id`` fields.
-##!
-##! It's only purpose is to provide an easy way to add back the fields such that
-##! existing downstream processes continue to work without the need to adapt them.
-##! This script will be removed with Zeek 6.1 at which point downstream processes
-##! hopefully have switched over to use ``uid`` and ``id`` instead.
-
-# Remove in v6.1.
-
-@load base/frameworks/files
-
-module Files;
-
-# Add back the fields to Files::Info.
-redef record Info += {
- ## If this file was transferred over a network
- ## connection this should show the host or hosts that
- ## the data sourced from.
- tx_hosts: set[addr] &default=addr_set() &log;
-
- ## If this file was transferred over a network
- ## connection this should show the host or hosts that
- ## the data traveled to.
- rx_hosts: set[addr] &default=addr_set() &log;
-
- ## Connection UIDs over which the file was transferred.
- conn_uids: set[string] &default=string_set() &log;
-};
-
-event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=9
- {
- local cid = c$id;
- add f$info$conn_uids[c$uid];
- add f$info$tx_hosts[f$is_orig ? cid$orig_h : cid$resp_h];
- add f$info$rx_hosts[f$is_orig ? cid$resp_h : cid$orig_h];
- }
-
-# For every log write to files.log, ensure tx_hosts, rx_hosts and conn_uids
-# hold just a single value. Use a high priority for this handler to ensure
-# this happens before any user defined hooks.
-hook Log::log_stream_policy(rec: any, id: Log::ID) &priority=100
- {
- if ( id != Files::LOG )
- return;
-
- local info = rec as Files::Info;
-
- # In the common case of a single connection (or the less common case
- # of no connection), there's nothing to do in this hook.
- if ( |info$conn_uids| == 1 || ! info?$id )
- return;
-
- # Make singular tx_hosts, rx_hosts and conn_uids fields based on
- # the active uid. Note, this currently assumes that Files::Info$is_orig
- # is the same for all connections. This seems reasonable given that
- # all connections will use the same protocol.
- local cid = info$id;
- info$conn_uids = set(info$uid);
- info$tx_hosts = set(info$is_orig ? cid$orig_h : cid$resp_h);
- info$rx_hosts = set(info$is_orig ? cid$resp_h : cid$orig_h);
- }
diff --git a/scripts/policy/misc/scan.zeek b/scripts/policy/misc/scan.zeek
deleted file mode 100644
index 6e37b99500..0000000000
--- a/scripts/policy/misc/scan.zeek
+++ /dev/null
@@ -1,184 +0,0 @@ -##! TCP Scan detection. - -# ..Authors: Sheharbano Khattak -# Seth Hall -# All the authors of the old scan.bro - -@deprecated "Remove in v6.1. Use the external github.com/ncsa/bro-simple-scan package instead (e.g., by installing it via `zkg install ncsa/bro-simple-scan`). The misc/scan.zeek script hasn't been maintained since 2013. Further, the external bro-simple-scan package from NCSA (Justin Azoff) has become the recommended alternative for TCP scan detection." - -@load base/frameworks/notice -@load base/frameworks/sumstats - -@load base/utils/time - -module Scan; - -export { - redef enum Notice::Type += { - ## Address scans detect that a host appears to be scanning some - ## number of destinations on a single port. This notice is - ## generated when more than :zeek:id:`Scan::addr_scan_threshold` - ## unique hosts are seen over the previous - ## :zeek:id:`Scan::addr_scan_interval` time range. - Address_Scan, - - ## Port scans detect that an attacking host appears to be - ## scanning a single victim host on several ports. This notice - ## is generated when an attacking host attempts to connect to - ## :zeek:id:`Scan::port_scan_threshold` - ## unique ports on a single host over the previous - ## :zeek:id:`Scan::port_scan_interval` time range. - Port_Scan, - }; - - ## Failed connection attempts are tracked over this time interval for - ## the address scan detection. A higher interval will detect slower - ## scanners, but may also yield more false positives. - const addr_scan_interval = 5min &redef; - - ## Failed connection attempts are tracked over this time interval for - ## the port scan detection. A higher interval will detect slower - ## scanners, but may also yield more false positives. - const port_scan_interval = 5min &redef; - - ## The threshold of the unique number of hosts a scanning host has to - ## have failed connections with on a single port. 
- const addr_scan_threshold = 25.0 &redef; - - ## The threshold of the number of unique ports a scanning host has to - ## have failed connections with on a single victim host. - const port_scan_threshold = 15.0 &redef; - - global Scan::addr_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port); - global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port); -} - -event zeek_init() &priority=5 - { - local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(addr_scan_threshold+2)]; - SumStats::create([$name="addr-scan", - $epoch=addr_scan_interval, - $reducers=set(r1), - $threshold_val(key: SumStats::Key, result: SumStats::Result) = - { - return result["scan.addr.fail"]$unique+0.0; - }, - #$threshold_func=check_addr_scan_threshold, - $threshold=addr_scan_threshold, - $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = - { - local r = result["scan.addr.fail"]; - local side = Site::is_local_addr(key$host) ? "local" : "remote"; - local dur = duration_to_mins_secs(r$end-r$begin); - local message=fmt("%s scanned at least %d unique hosts on port %s in %s", key$host, r$unique, key$str, dur); - NOTICE([$note=Address_Scan, - $src=key$host, - $p=to_port(key$str), - $sub=side, - $msg=message, - $identifier=cat(key$host)]); - }]); - - # Note: port scans are tracked similar to: table[src_ip, dst_ip] of set(port); - local r2: SumStats::Reducer = [$stream="scan.port.fail", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(port_scan_threshold+2)]; - SumStats::create([$name="port-scan", - $epoch=port_scan_interval, - $reducers=set(r2), - $threshold_val(key: SumStats::Key, result: SumStats::Result) = - { - return result["scan.port.fail"]$unique+0.0; - }, - $threshold=port_scan_threshold, - $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = - { - local r = result["scan.port.fail"]; - local side = Site::is_local_addr(key$host) ? 
"local" : "remote"; - local dur = duration_to_mins_secs(r$end-r$begin); - local message = fmt("%s scanned at least %d unique ports of host %s in %s", key$host, r$unique, key$str, dur); - NOTICE([$note=Port_Scan, - $src=key$host, - $dst=to_addr(key$str), - $sub=side, - $msg=message, - $identifier=cat(key$host)]); - }]); - } - -function add_sumstats(id: conn_id, reverse: bool) - { - local scanner = id$orig_h; - local victim = id$resp_h; - local scanned_port = id$resp_p; - - if ( reverse ) - { - scanner = id$resp_h; - victim = id$orig_h; - scanned_port = id$orig_p; - } - - if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) ) - SumStats::observe("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]); - - if ( hook Scan::port_scan_policy(scanner, victim, scanned_port) ) - SumStats::observe("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]); - } - -function is_failed_conn(c: connection): bool - { - # Sr || ( (hR || ShR) && (data not sent in any direction) ) - if ( (c$orig$state == TCP_SYN_SENT && c$resp$state == TCP_RESET) || - (((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) || - (c$orig$state == TCP_RESET && c$resp$state == TCP_ESTABLISHED && "S" in c$history ) - ) && /[Dd]/ !in c$history ) - ) - return T; - return F; - } - -function is_reverse_failed_conn(c: connection): bool - { - # reverse scan i.e. 
conn dest is the scanner - # sR || ( (Hr || sHr) && (data not sent in any direction) ) - if ( (c$resp$state == TCP_SYN_SENT && c$orig$state == TCP_RESET) || - (((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) || - (c$resp$state == TCP_RESET && c$orig$state == TCP_ESTABLISHED && "s" in c$history ) - ) && /[Dd]/ !in c$history ) - ) - return T; - return F; - } - -event connection_attempt(c: connection) - { - local is_reverse_scan = F; - if ( "H" in c$history ) - is_reverse_scan = T; - - add_sumstats(c$id, is_reverse_scan); - } - -event connection_rejected(c: connection) - { - local is_reverse_scan = F; - if ( "s" in c$history ) - is_reverse_scan = T; - - add_sumstats(c$id, is_reverse_scan); - } - -event connection_reset(c: connection) - { - if ( is_failed_conn(c) ) - add_sumstats(c$id, F); - else if ( is_reverse_failed_conn(c) ) - add_sumstats(c$id, T); - } - -event connection_pending(c: connection) - { - if ( is_failed_conn(c) ) - add_sumstats(c$id, F); - else if ( is_reverse_failed_conn(c) ) - add_sumstats(c$id, T); - } diff --git a/scripts/policy/protocols/mqtt/__load__.zeek b/scripts/policy/protocols/mqtt/__load__.zeek deleted file mode 100644 index 1e81f375eb..0000000000 --- a/scripts/policy/protocols/mqtt/__load__.zeek +++ /dev/null @@ -1,4 +0,0 @@ -@deprecated "Remove in v6.1. The MQTT scripts have been moved out of policy/ into base and are loaded by default" - -# For those running bare-mode and loading protocols/mqtt from policy. -@load base/protocols/mqtt diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek index ac6fb4b38f..c244518408 100644 --- a/scripts/test-all-policy.zeek +++ b/scripts/test-all-policy.zeek 
@@ -62,7 +62,6 @@
 @load frameworks/intel/seen/where-locations.zeek
 @load frameworks/intel/seen/x509.zeek
 @load frameworks/netcontrol/catch-and-release.zeek
-@load frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek
 @load frameworks/files/detect-MHR.zeek
 @load frameworks/files/entropy-test-all-files.zeek
 #@load frameworks/files/extract-all-files.zeek
@@ -88,7 +87,6 @@
 @load misc/load-balancing.zeek
 @load misc/loaded-scripts.zeek
 @load misc/profiling.zeek
-@load misc/scan.zeek
 @load misc/stats.zeek
 @load misc/weird-stats.zeek
 @load misc/trim-trace-file.zeek
@@ -119,7 +117,6 @@
 @load protocols/krb/ticket-logging.zeek
 @load protocols/modbus/known-masters-slaves.zeek
 @load protocols/modbus/track-memmap.zeek
-#@load protocols/mqtt/__load__.zeek
 @load protocols/mysql/software.zeek
 @load protocols/rdp/indicate_ssl.zeek
 @load protocols/smb/log-cmds.zeek
diff --git a/scripts/zeekygen/__load__.zeek b/scripts/zeekygen/__load__.zeek
index b97b08ab2f..734ed2fc81 100644
--- a/scripts/zeekygen/__load__.zeek
+++ b/scripts/zeekygen/__load__.zeek
@@ -1,7 +1,6 @@ @load test-all-policy.zeek # Scripts which are commented out in test-all-policy.zeek. -@load protocols/mqtt/__load__.zeek @load protocols/ssl/decryption.zeek @load frameworks/cluster/nodes-experimental/manager.zeek @load frameworks/control/controllee.zeek
diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/errors b/testing/btest/Baseline/coverage.bare-mode-errors/errors
index 56081d837b..b1bb951e92 100644
--- a/testing/btest/Baseline/coverage.bare-mode-errors/errors
+++ b/testing/btest/Baseline/coverage.bare-mode-errors/errors
@@ -1,3 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### NOTE: This file has been sorted with diff-sort. -warning in <...>/__load__.zeek, line 1: deprecated script loaded from command line arguments "Remove in v6.1 - now loaded automatically";
diff --git a/testing/btest/Baseline/coverage.init-default/missing_loads b/testing/btest/Baseline/coverage.init-default/missing_loads index 33a5c60cfb..ac50729b9a 100644 --- a/testing/btest/Baseline/coverage.init-default/missing_loads +++ b/testing/btest/Baseline/coverage.init-default/missing_loads @@ -5,7 +5,6 @@ -./frameworks/cluster/nodes/proxy.zeek -./frameworks/cluster/nodes/worker.zeek -./frameworks/cluster/setup-connections.zeek --./frameworks/dpd/__load__.zeek -./frameworks/intel/cluster.zeek -./frameworks/netcontrol/cluster.zeek -./frameworks/openflow/cluster.zeek diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out.new b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out.new rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out.deprecated b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out.deprecated deleted file mode 100644 index 8b6e2d4062..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out.deprecated +++ /dev/null 
@@ -1,4 +0,0 @@ -### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.0.107, orig_p=58720/tcp, resp_h=88.198.248.254, resp_p=80/tcp], {\x0a\x0988.198.248.254\x0a}, {\x0a\x09192.168.0.107\x0a}, {\x0aC4J4Th3PJpwUYZZ6gc\x0a} -CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp], {\x0a\x0988.198.248.254\x0a}, {\x0a\x09192.168.0.107\x0a}, {\x0aCHhAvVGS1DHFjwGM9\x0a} -ClEkJM2Vm5giqnMf4h, [orig_h=192.168.0.107, orig_p=58718/tcp, resp_h=88.198.248.254, resp_p=80/tcp], {\x0a\x0988.198.248.254\x0a}, {\x0a\x09192.168.0.107\x0a}, {\x0aClEkJM2Vm5giqnMf4h\x0a} diff --git a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.deprecated b/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.deprecated deleted file mode 100644 index 4664ffb864..0000000000 --- a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.deprecated +++ /dev/null @@ -1,11 +0,0 @@ -### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path files -#open XXXX-XX-XX-XX-XX-XX -#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid tx_hosts rx_hosts conn_uids -#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string set[addr] set[addr] set[string] -XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 HTTP 0 (empty) text/plain - 0.000263 F F 4705 4705 0 0 F - 192.150.187.43 141.142.228.5 CHhAvVGS1DHFjwGM9 -#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.new b/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.new deleted file mode 100644 index 1e6ed8b6c8..0000000000 --- a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.new +++ /dev/null @@ -1,11 +0,0 @@ -### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path files -#open XXXX-XX-XX-XX-XX-XX -#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid -#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string -XXXXXXXXXX.XXXXXX FMnxxt3xjVcWNS2141 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 HTTP 0 (empty) text/plain - 0.000263 F F 4705 4705 0 0 F - -#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.deprecated b/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.deprecated deleted file mode 100644 index 49d861c74c..0000000000 --- a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.deprecated +++ /dev/null @@ -1 +0,0 @@ -### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. diff --git a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.new b/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.new deleted file mode 100644 index 49d861c74c..0000000000 --- a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.new +++ /dev/null 
@@ -1 +0,0 @@ -### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. diff --git a/testing/btest/core/tunnels/teredo-known-services.test b/testing/btest/core/tunnels/teredo-known-services.test index c5a687527c..07455a5932 100644 --- a/testing/btest/core/tunnels/teredo-known-services.test +++ b/testing/btest/core/tunnels/teredo-known-services.test @@ -1,4 +1,4 @@ -# @TEST-EXEC: zeek -b -r $TRACES/tunnels/Teredo.pcap base/frameworks/dpd base/protocols/tunnels base/protocols/dns protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.2.0/24}" +# @TEST-EXEC: zeek -b -r $TRACES/tunnels/Teredo.pcap base/protocols/tunnels base/protocols/dns protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.2.0/24}" # @TEST-EXEC: btest-diff known_services.log # Expect known_services.log to NOT indicate any service using teredo. diff --git a/testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.zeek b/testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.zeek index 148d9b4846..a925783b8a 100644 --- a/testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.zeek +++ b/testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.zeek @@ -1,5 +1,5 @@ # -# @TEST-EXEC: zeek -b -r ${TRACES}/var-services-std-ports.trace %INPUT base/protocols/dns base/protocols/conn base/frameworks/dpd +# @TEST-EXEC: zeek -b -r ${TRACES}/var-services-std-ports.trace %INPUT base/protocols/dns base/protocols/conn # @TEST-EXEC: cat conn.log | zeek-cut service | grep -q dns # @@ -9,5 +9,3 @@ event zeek_init() { Analyzer::enable_analyzer(Analyzer::ANALYZER_DNS); } - - diff --git a/testing/btest/scripts/base/frameworks/analyzer/register-for-port.zeek b/testing/btest/scripts/base/frameworks/analyzer/register-for-port.zeek index d37212a2d2..63ac9f701b 100644 --- a/testing/btest/scripts/base/frameworks/analyzer/register-for-port.zeek 
+++ b/testing/btest/scripts/base/frameworks/analyzer/register-for-port.zeek @@ -2,15 +2,13 @@ # some runs having complaints that there are no scripts. # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1" -# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT dpd_buffer_size=0 base/protocols/conn base/protocols/ssh base/frameworks/dpd +# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT dpd_buffer_size=0 base/protocols/conn base/protocols/ssh # @TEST-EXEC: cat conn.log | zeek-cut service | grep -q ssh # -# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace dpd_buffer_size=0 base/protocols/conn base/protocols/ssh base/frameworks/dpd +# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace dpd_buffer_size=0 base/protocols/conn base/protocols/ssh # @TEST-EXEC: cat conn.log | zeek-cut service | grep -vq ssh event zeek_init() { Analyzer::register_for_port(Analyzer::ANALYZER_SSH, 80/tcp); } - - diff --git a/testing/btest/scripts/base/frameworks/file-analysis/log-files-event-flattening.zeek b/testing/btest/scripts/base/frameworks/file-analysis/log-files-event-flattening.zeek index 56d15b9f4b..ca8c7dc27a 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/log-files-event-flattening.zeek +++ b/testing/btest/scripts/base/frameworks/file-analysis/log-files-event-flattening.zeek @@ -1,10 +1,7 @@ # @TEST-DOC: Implement Files::log_files and verify it is seeing unique File::Info records. -# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap uid-id.zeek >out.new -# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap frameworks/files/deprecated-txhosts-rxhosts-connuids uid-id-deprecated.zeek >out.deprecated -# @TEST-EXEC: btest-diff out.new -# @TEST-EXEC: btest-diff out.deprecated +# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap %INPUT >out +# @TEST-EXEC: btest-diff out -@TEST-START-FILE uid-id.zeek @load base/frameworks/files @load base/protocols/http 
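Review bot: The negative check kept under the rewritten second run in register-for-port.zeek, `grep -vq ssh`, succeeds as soon as any conn.log row lacks "ssh", so it would still pass if some connections were labelled ssh without the port registration. That is equivalent to an absence check only while the trace yields a single row, which the hunk does not show. Since this commit already edits that run, consider asserting absence directly with `# @TEST-EXEC-FAIL: cat conn.log | zeek-cut service | grep -q ssh`. The first run's positive check `grep -q ssh` can stay as it is.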
@@ -12,15 +9,3 @@ event Files::log_files(rec: Files::Info) { print rec$uid, rec$id; } -@TEST-END-FILE - - -@TEST-START-FILE uid-id-deprecated.zeek -@load base/frameworks/files -@load base/protocols/http - -event Files::log_files(rec: Files::Info) - { - print rec$uid, rec$id, cat(rec$tx_hosts), cat(rec$rx_hosts), cat(rec$conn_uids); - } -@TEST-END-FILE diff --git a/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap-dynamic.test b/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap-dynamic.test index 09dd2cdc91..c987e0b889 100644 --- a/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap-dynamic.test +++ b/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap-dynamic.test @@ -1,7 +1,7 @@ # @TEST-EXEC: zeek -b -r $TRACES/mqtt.pcap %INPUT > out # @TEST-EXEC: btest-diff out -@load policy/protocols/mqtt +@load base/protocols/mqtt @load base/frameworks/config event mqtt_publish(c: connection, is_orig: bool, msg_id: count, msg: MQTT::PublishMsg) diff --git a/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap.test b/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap.test index 5304cbc914..76d2b20435 100644 --- a/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap.test +++ b/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap.test @@ -3,4 +3,4 @@ redef MQTT::max_payload_size = 8; -@load policy/protocols/mqtt +@load base/protocols/mqtt diff --git a/testing/btest/scripts/base/protocols/mqtt/mqtt.test b/testing/btest/scripts/base/protocols/mqtt/mqtt.test index 553bc8bb3e..25f3046a4c 100644 --- a/testing/btest/scripts/base/protocols/mqtt/mqtt.test +++ b/testing/btest/scripts/base/protocols/mqtt/mqtt.test @@ -3,4 +3,4 @@ # @TEST-EXEC: btest-diff mqtt_subscribe.log # @TEST-EXEC: btest-diff mqtt_publish.log -@load policy/protocols/mqtt +@load base/protocols/mqtt 
diff --git a/testing/btest/scripts/policy/frameworks/files/deprecated-fields-concurrent-range-requests.zeek b/testing/btest/scripts/policy/frameworks/files/deprecated-fields-concurrent-range-requests.zeek
deleted file mode 100644
index 681114acaa..0000000000
--- a/testing/btest/scripts/policy/frameworks/files/deprecated-fields-concurrent-range-requests.zeek
+++ /dev/null
@@ -1,15 +0,0 @@
-# @TEST-DOC: The pcap contains 3 connections with range requests for the same file. We expect 3 files.log entries all with the same fuid, but different uids. With the deprecated fields, we expect tx_hosts, rx_hosts and conn_uuids to agree with the uid and id fields.
-# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap %INPUT 2>&1 > out
-# @TEST-EXEC: mv files.log files.log.new
-# @TEST-EXEC: mv out out.new
-# @TEST-EXEC: btest-diff out.new
-# @TEST-EXEC: btest-diff files.log.new
-
-# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap %INPUT frameworks/files/deprecated-txhosts-rxhosts-connuids 2>&1 > out
-# @TEST-EXEC: mv files.log files.log.deprecated
-# @TEST-EXEC: mv out out.deprecated
-# @TEST-EXEC: btest-diff out.deprecated
-# @TEST-EXEC: btest-diff files.log.deprecated
-
-@load base/frameworks/files
-@load base/protocols/http
diff --git a/testing/btest/scripts/policy/frameworks/files/deprecated-fields.zeek b/testing/btest/scripts/policy/frameworks/files/deprecated-fields.zeek
deleted file mode 100644
index 3e791a15aa..0000000000
--- a/testing/btest/scripts/policy/frameworks/files/deprecated-fields.zeek
+++ /dev/null
@@ -1,15 +0,0 @@
-# @TEST-DOC: Verify the files.log with and without the tx_hosts, rx_hosts and conn_uids fields
-# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT 2>&1 > out
-# @TEST-EXEC: mv files.log files.log.new
-# @TEST-EXEC: mv out out.new
-# @TEST-EXEC: btest-diff out.new
-# @TEST-EXEC: btest-diff files.log.new
-
-# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT frameworks/files/deprecated-txhosts-rxhosts-connuids 2>&1 > out
-# @TEST-EXEC: mv files.log files.log.deprecated
-# @TEST-EXEC: mv out out.deprecated
-# @TEST-EXEC: btest-diff out.deprecated
-# @TEST-EXEC: btest-diff files.log.deprecated
-
-@load base/frameworks/files
-@load base/protocols/http