From a76b2148c622d6dbb42c50b4cd9b09a736e86bf4 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 6 Aug 2025 14:37:50 +0100 Subject: [PATCH] Merge remote-tracking branch 'origin/topic/johanna/analyzer-log-proto' * origin/topic/johanna/analyzer-log-proto: Add proto to analyzer.log (cherry picked from commit 2f2f328a722c38c9d53aa3812e3b35724c7f9e9f) --- CHANGES | 11 +++++++++++ VERSION | 2 +- scripts/base/frameworks/analyzer/logging.zeek | 5 ++++- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.log | 6 +++--- .../analyzer.cut | 4 ++-- .../analyzer.log | 6 +++--- testing/btest/Baseline/spicy.parse-error/analyzer.log | 6 +++--- testing/external/commit-hash.zeek-testing | 2 +- testing/external/commit-hash.zeek-testing-private | 2 +- 15 files changed, 47 insertions(+), 33 deletions(-) diff --git a/CHANGES b/CHANGES index 80bc23b3a0..98b1aa42a4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,14 @@ +8.0.0-rc1.2 | 2025-08-11 11:33:46 -0700 + + * Add proto to analyzer.log (Johanna Amann, Corelight) + + The analyzer.log file was missing the protocol field to distinguish + tcp/udp connections. + + (cherry picked from commit 2f2f328a722c38c9d53aa3812e3b35724c7f9e9f) + + * Update zeek-aux submodule with c++20 changes (Tim Wojtulewicz, Corelight) + 8.0.0-rc1 | 2025-08-04 09:39:08 -0700 * Release 8.0.0-rc1. diff --git a/VERSION b/VERSION index 71f2983501..e19097d063 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.0.0-rc1 +8.0.0-rc1.2 diff --git a/scripts/base/frameworks/analyzer/logging.zeek b/scripts/base/frameworks/analyzer/logging.zeek index 260bb5c4ec..11ad3dd8d3 100644 --- a/scripts/base/frameworks/analyzer/logging.zeek +++ b/scripts/base/frameworks/analyzer/logging.zeek @@ -23,8 +23,10 @@ export { uid: string &log &optional; ## File UID if available. fuid: string &log &optional; - ## Connection identifier if available + ## Connection identifier if available. id: conn_id &log &optional; + ## Transport protocol for the violation, if available. + proto: transport_proto &log &optional; ## Failure or violation reason, if available. failure_reason: string &log; ## Data causing failure or violation if available. Truncated @@ -62,6 +64,7 @@ function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: Analyzer { rec$id = info$c$id; rec$uid = info$c$uid; + rec$proto = get_port_transport_proto(info$c$id$orig_p); } if ( info?$f ) diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log index e246a5a9a7..4c1ad5c577 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log +++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX packet GTPV1 CHhAvVGS1DHFjwGM9 - 173.86.159.28 2152 213.72.147.186 2152 Truncated GTPv1 - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX packet GTPV1 CHhAvVGS1DHFjwGM9 - 173.86.159.28 2152 213.72.147.186 2152 udp Truncated GTPv1 - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log index bd4f3053a5..15f36babc1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 NTLM AV Pair loop underflow - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM AV Pair loop underflow - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log index bd4f3053a5..15f36babc1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 NTLM AV Pair loop underflow - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM AV Pair loop underflow - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log index 5580d6bee8..e87f618b36 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51354 127.0.0.1 21 non-numeric reply code 99 PASV invalid +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51354 127.0.0.1 21 tcp non-numeric reply code 99 PASV invalid #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log index d798bd340f..c9c8bf938f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51344 127.0.0.1 21 non-numeric reply code SYST not supported +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51344 127.0.0.1 21 tcp non-numeric reply code SYST not supported #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log index 5cc8cbbb69..2bc4e2b987 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51346 127.0.0.1 21 invalid reply line 230_no_space +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51346 127.0.0.1 21 tcp invalid reply line 230_no_space #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log index b9e08e7109..4cd07a87e6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol HTTP CHhAvVGS1DHFjwGM9 - 192.168.12.5 51792 192.0.78.212 80 not a http request line - +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol HTTP CHhAvVGS1DHFjwGM9 - 192.168.12.5 51792 192.0.78.212 80 tcp not a http request line - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut index c2e3790441..29d3e0f76a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -1673270800.189652 protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) - +ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +1673270800.189652 protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 tcp error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) - diff --git a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log index 95635816cd..55a5dae609 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data packet_segment -#types time string string string string addr port addr port string string string -XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 2001:470:1f05:17a6:d69a:20ff:fefd:6b88 24316 2001:6a8:a40::21 21 non-numeric reply code SSH-2.0-mod_sftp/0.9.7 \xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4 +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data packet_segment +#types time string string string string addr port addr port enum string string string +XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 2001:470:1f05:17a6:d69a:20ff:fefd:6b88 24316 2001:6a8:a40::21 21 tcp non-numeric reply code SSH-2.0-mod_sftp/0.9.7 \xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/spicy.parse-error/analyzer.log b/testing/btest/Baseline/spicy.parse-error/analyzer.log index 5686afd30b..9cb8dcb920 100644 --- a/testing/btest/Baseline/spicy.parse-error/analyzer.log +++ b/testing/btest/Baseline/spicy.parse-error/analyzer.log @@ -5,7 +5,7 @@ #unset_field - #path analyzer #open XXXX-XX-XX-XX-XX-XX -#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data -#types time string string string string addr port addr port string string -XXXXXXXXXX.XXXXXX protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 192.150.186.169 49244 131.159.14.23 22 failed to match regular expression (<...>/test.spicy:9:15-9:22) SSH-2.0-OpenSSH_3.8.1p1\x0a +#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data +#types time string string string string addr port addr port enum string string +XXXXXXXXXX.XXXXXX protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 192.150.186.169 49244 131.159.14.23 22 tcp failed to match regular expression (<...>/test.spicy:9:15-9:22) SSH-2.0-OpenSSH_3.8.1p1\x0a #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing index 09e14d7010..4d12c67ff0 100644 --- a/testing/external/commit-hash.zeek-testing +++ b/testing/external/commit-hash.zeek-testing @@ -1 +1 @@ -270d4b46fa1ab9f2951c2945937bdf739e864304 +6dafc6fd68d9821f33b7f8f4d7d4d877b5827ae3 diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 544bc35294..f01f56f57a 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -034c859753b435dc2a6368fa46ecf3e92c98d9da +1edbd3ae959471e8573c9edc0374235727970710