From a60153060d4280c58df83ae9b930a11720cd0fb1 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 20 Jun 2012 14:19:49 -0400
Subject: [PATCH] SOCKS and tunnel test updates.

---
 .../Baseline/core.tunnels.ayiya/tunnel.log    | 10 +++++-----
 .../Baseline/core.tunnels.socks/conn.log      |  8 --------
 .../Baseline/core.tunnels.socks/http.log      |  8 --------
 .../btest/Baseline/core.tunnels.socks/output  |  9 ---------
 .../Baseline/core.tunnels.socks/tunnel.log    |  9 ---------
 .../Baseline/core.tunnels.teredo/tunnel.log   | 14 +++++++-------
 .../tunnel.log                                | 14 +++++++-------
 .../tunnel.log                                |  8 ++++++++
 testing/btest/core/tunnels/socks.bro          | 19 -------------------
 .../scripts/base/protocols/socks/trace1.test  |  1 -
 .../scripts/base/protocols/socks/trace3.test  |  4 ++++
 11 files changed, 31 insertions(+), 73 deletions(-)
 delete mode 100644 testing/btest/Baseline/core.tunnels.socks/conn.log
 delete mode 100644 testing/btest/Baseline/core.tunnels.socks/http.log
 delete mode 100644 testing/btest/Baseline/core.tunnels.socks/output
 delete mode 100644 testing/btest/Baseline/core.tunnels.socks/tunnel.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.trace3/tunnel.log
 delete mode 100644 testing/btest/core/tunnels/socks.bro
 create mode 100644 testing/btest/scripts/base/protocols/socks/trace3.test

diff --git a/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log b/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log
index 512f49b6ee..b4ef2781c6 100644
--- a/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
-1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
-1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::DISCOVER	Tunnel::AYIYA
-1257655317.464035	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA
-1257655317.464035	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::CLOSE	Tunnel::AYIYA
+1257655293.629048	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::DISCOVER
+1257655296.585034	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::DISCOVER
+1257655317.464035	k6kgXLOoSKl	192.168.3.101	53859	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::CLOSE
+1257655317.464035	UWkUyAuUGXf	192.168.3.101	53796	216.14.98.22	5072	Tunnel::AYIYA	Tunnel::CLOSE
diff --git a/testing/btest/Baseline/core.tunnels.socks/conn.log b/testing/btest/Baseline/core.tunnels.socks/conn.log
deleted file mode 100644
index f8a684d4c6..0000000000
--- a/testing/btest/Baseline/core.tunnels.socks/conn.log
+++ /dev/null
@@ -1,8 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	conn
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
-1208299429.265243	UWkUyAuUGXf	127.0.0.1	62270	127.0.0.1	1080	tcp	http,socks	0.008138	152	3950	SF	-	0	ShAaDdfF	9	632	9	4430	(empty)
diff --git a/testing/btest/Baseline/core.tunnels.socks/http.log b/testing/btest/Baseline/core.tunnels.socks/http.log
deleted file mode 100644
index 2dcab3f254..0000000000
--- a/testing/btest/Baseline/core.tunnels.socks/http.log
+++ /dev/null
@@ -1,8 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	http
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
-1208299429.270361	UWkUyAuUGXf	127.0.0.1	62270	127.0.0.1	1080	1	GET	www.icir.org	/	-	curl/7.16.3 (powerpc-apple-darwin9.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3	0	3677	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
diff --git a/testing/btest/Baseline/core.tunnels.socks/output b/testing/btest/Baseline/core.tunnels.socks/output
deleted file mode 100644
index ee5c5b5c20..0000000000
--- a/testing/btest/Baseline/core.tunnels.socks/output
+++ /dev/null
@@ -1,9 +0,0 @@
-[id=[orig_h=127.0.0.1, orig_p=62270/tcp, resp_h=127.0.0.1, resp_p=1080/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=177, flow_label=0], resp=[size=8, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0], start_time=1208299429.265243, duration=0.002565, service={
-SOCKS
-}, addl=, hot=0, history=ShAaDd, uid=UWkUyAuUGXf, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>, syslog=<uninitialized>]
----
-1
-192.150.187.12
-
-80/tcp
-
diff --git a/testing/btest/Baseline/core.tunnels.socks/tunnel.log b/testing/btest/Baseline/core.tunnels.socks/tunnel.log
deleted file mode 100644
index 9ccbe8af26..0000000000
--- a/testing/btest/Baseline/core.tunnels.socks/tunnel.log
+++ /dev/null
@@ -1,9 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	tunnel
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
-#types	time	string	addr	port	addr	port	enum	enum
-1208299429.267808	UWkUyAuUGXf	127.0.0.1	62270	127.0.0.1	1080	Tunnel::DISCOVER	Tunnel::SOCKS
-1208299429.273401	UWkUyAuUGXf	127.0.0.1	62270	127.0.0.1	1080	Tunnel::CLOSE	Tunnel::SOCKS
diff --git a/testing/btest/Baseline/core.tunnels.teredo/tunnel.log b/testing/btest/Baseline/core.tunnels.teredo/tunnel.log
index 5a2114dd1c..9cead25be1 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/tunnel.log
@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
-1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::DISCOVER	Tunnel::TEREDO
-1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::DISCOVER	Tunnel::TEREDO
-1210953061.292918	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::DISCOVER	Tunnel::TEREDO
-1210953076.058333	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::CLOSE	Tunnel::TEREDO
-1210953076.058333	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::CLOSE	Tunnel::TEREDO
-1210953076.058333	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::CLOSE	Tunnel::TEREDO
+1210953052.202579	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1210953052.324629	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1210953061.292918	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::TEREDO	Tunnel::DISCOVER
+1210953076.058333	nQcgTWjvg4c	192.168.2.16	3797	65.55.158.80	3544	Tunnel::TEREDO	Tunnel::CLOSE
+1210953076.058333	GSxOnSLghOa	192.168.2.16	3797	83.170.1.38	32900	Tunnel::TEREDO	Tunnel::CLOSE
+1210953076.058333	TEfuqmmG4bh	192.168.2.16	3797	65.55.158.81	3544	Tunnel::TEREDO	Tunnel::CLOSE
diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log
index 3f47321245..30f88ed251 100644
--- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/tunnel.log
@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	action	tunnel_type
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
-1340127577.336558	UWkUyAuUGXf	192.168.2.16	3797	65.55.158.80	3544	Tunnel::DISCOVER	Tunnel::TEREDO
-1340127577.339015	k6kgXLOoSKl	192.168.2.16	3797	65.55.158.81	3544	Tunnel::DISCOVER	Tunnel::TEREDO
-1340127577.351747	j4u32Pc5bif	192.168.2.16	3797	83.170.1.38	32900	Tunnel::DISCOVER	Tunnel::TEREDO
-1340127577.406995	UWkUyAuUGXf	192.168.2.16	3797	65.55.158.80	3544	Tunnel::CLOSE	Tunnel::TEREDO
-1340127577.406995	j4u32Pc5bif	192.168.2.16	3797	83.170.1.38	32900	Tunnel::CLOSE	Tunnel::TEREDO
-1340127577.406995	k6kgXLOoSKl	192.168.2.16	3797	65.55.158.81	3544	Tunnel::CLOSE	Tunnel::TEREDO
+1340127577.336558	UWkUyAuUGXf	192.168.2.16	3797	65.55.158.80	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1340127577.339015	k6kgXLOoSKl	192.168.2.16	3797	65.55.158.81	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1340127577.351747	j4u32Pc5bif	192.168.2.16	3797	83.170.1.38	32900	Tunnel::TEREDO	Tunnel::DISCOVER
+1340127577.406995	UWkUyAuUGXf	192.168.2.16	3797	65.55.158.80	3544	Tunnel::TEREDO	Tunnel::CLOSE
+1340127577.406995	j4u32Pc5bif	192.168.2.16	3797	83.170.1.38	32900	Tunnel::TEREDO	Tunnel::CLOSE
+1340127577.406995	k6kgXLOoSKl	192.168.2.16	3797	65.55.158.81	3544	Tunnel::TEREDO	Tunnel::CLOSE
diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.trace3/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.socks.trace3/tunnel.log
new file mode 100644
index 0000000000..4723cb99c4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.trace3/tunnel.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1208299429.265774	-	127.0.0.1	0	127.0.0.1	1080	Tunnel::SOCKS	Tunnel::DISCOVER
diff --git a/testing/btest/core/tunnels/socks.bro b/testing/btest/core/tunnels/socks.bro
deleted file mode 100644
index 8ab288c9bd..0000000000
--- a/testing/btest/core/tunnels/socks.bro
+++ /dev/null
@@ -1,19 +0,0 @@
-# @TEST-EXEC: bro -Cr $TRACES/tunnels/socks.pcap %INPUT >output
-# @TEST-EXEC: btest-diff output
-# @TEST-EXEC: btest-diff tunnel.log
-# @TEST-EXEC: btest-diff conn.log
-# @TEST-EXEC: btest-diff http.log
-
-event socks_request(c: connection, request_type: count, dstaddr: addr,
-		    dstname: string, p: port, user: string)
-	{
-	print c;
-	print "---";
-	print request_type;
-	print dstaddr;
-	print dstname;
-	print p;
-	print user;
-	}
-
-
diff --git a/testing/btest/scripts/base/protocols/socks/trace1.test b/testing/btest/scripts/base/protocols/socks/trace1.test
index fb65b33cbc..fb1d9ebaf2 100644
--- a/testing/btest/scripts/base/protocols/socks/trace1.test
+++ b/testing/btest/scripts/base/protocols/socks/trace1.test
@@ -1,6 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/socks.trace %INPUT
 # @TEST-EXEC: btest-diff socks.log
-# @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff tunnel.log
 
 @load base/protocols/socks
diff --git a/testing/btest/scripts/base/protocols/socks/trace3.test b/testing/btest/scripts/base/protocols/socks/trace3.test
new file mode 100644
index 0000000000..c3b3b091eb
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/socks/trace3.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/socks.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/protocols/socks