From a940cf3fb57c802bb0bc8efc4e5c6bf61d93fa3b Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 27 Jun 2019 18:05:32 -0700
Subject: [PATCH] Remove InterConn analyzer
---
 NEWS | 11 +
 scripts/base/frameworks/analyzer/main.zeek | 1 -
 scripts/base/init-bare.zeek | 32 --
 src/NetVar.cc | 16 -
 src/NetVar.h | 8 -
 src/Sessions.cc | 2 -
 src/analyzer/Manager.cc | 7 -
 src/analyzer/Manager.h | 1 -
 src/analyzer/protocol/CMakeLists.txt | 1 -
 .../protocol/interconn/CMakeLists.txt | 9 -
 src/analyzer/protocol/interconn/InterConn.cc | 274 ------------------
 src/analyzer/protocol/interconn/InterConn.h | 88 ------
 src/analyzer/protocol/interconn/Plugin.cc | 25 --
 src/analyzer/protocol/interconn/events.bif | 8 -
 .../canonified_loaded_scripts.log | 1 -
 .../canonified_loaded_scripts.log | 1 -
 testing/btest/Baseline/plugins.hooks/output | 23 +-
 17 files changed, 18 insertions(+), 490 deletions(-)
 delete mode 100644 src/analyzer/protocol/interconn/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/interconn/InterConn.cc
 delete mode 100644 src/analyzer/protocol/interconn/InterConn.h
 delete mode 100644 src/analyzer/protocol/interconn/Plugin.cc
 delete mode 100644 src/analyzer/protocol/interconn/events.bif
diff --git a/NEWS b/NEWS
index 26695d19eb..29ea654d75 100644
--- a/NEWS
+++ b/NEWS
@@ -411,6 +411,8 @@ Removed Functionality
 - ``software_unparsed_version_found``
 - ``software_parse_error``
 - ``print_hook``
+ - ``interconn_stats``
+ - ``interconn_remove_conn``
 - The following types/records were deprecated in version 2.6 or below and are removed from this release:
@@ -441,6 +443,13 @@ Removed Functionality
 - ``ssl_passphrase``
 - ``suppress_local_output``
 - ``irc_servers``
+ - ``interconn_min_interarrival``
+ - ``interconn_max_interarrival``
+ - ``interconn_max_keystroke_pkt_size``
+ - ``interconn_default_pkt_size``
+ - ``interconn_stat_period``
+ - ``interconn_stat_backoff``
+ - ``interconn_endp_stats``
 - The following constants were used as part of deprecated functionality in version 2.6 or below and are removed from this release:
@@ -486,6 +495,8 @@ Removed Functionality
 This is typically not necessary and it's a problem that is more appropriately addressed at the system configuration level.
+- Removed the InterConn analyzer.
+
 Deprecated Functionality
 ------------------------
diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek
index 8fd986e497..cfadffb739 100644
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -124,7 +124,6 @@ export {
 ## A set of analyzers to disable by default at startup. The default set
 ## contains legacy analyzers that are no longer supported.
 global disabled_analyzers: set[Analyzer::Tag] = {
- ANALYZER_INTERCONN,
 ANALYZER_STEPPINGSTONE,
 ANALYZER_BACKDOOR,
 ANALYZER_TCPSTATS,
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index efef93d200..e505698434 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3864,38 +3864,6 @@ const stp_idle_min: interval &redef;
 ## Internal to the stepping stone detector.
 global stp_skip_src: set[addr] &redef;
-## Deprecated.
-const interconn_min_interarrival: interval &redef;
-
-## Deprecated.
-const interconn_max_interarrival: interval &redef;
-
-## Deprecated.
-const interconn_max_keystroke_pkt_size: count &redef;
-
-## Deprecated.
-const interconn_default_pkt_size: count &redef;
-
-## Deprecated.
-const interconn_stat_period: interval &redef;
-
-## Deprecated.
-const interconn_stat_backoff: double &redef;
-
-## Deprecated.
-type interconn_endp_stats: record {
- num_pkts: count;
- num_keystrokes_two_in_row: count;
- num_normal_interarrivals: count;
- num_8k0_pkts: count;
- num_8k4_pkts: count;
- is_partial: bool;
- num_bytes: count;
- num_7bit_ascii: count;
- num_lines: count;
- num_normal_lines: count;
-};
-
 ## Deprecated.
 const backdoor_stat_period: interval &redef;
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 922d5ffe4a..5ef7e9b9c5 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -125,14 +125,6 @@ double stp_delta;
 double stp_idle_min;
 TableVal* stp_skip_src;
-double interconn_min_interarrival;
-double interconn_max_interarrival;
-int interconn_max_keystroke_pkt_size;
-int interconn_default_pkt_size;
-double interconn_stat_period;
-double interconn_stat_backoff;
-RecordType* interconn_endp_stats;
-
 double backdoor_stat_period;
 double backdoor_stat_backoff;
@@ -389,14 +381,6 @@ void init_net_var()
 stp_idle_min = opt_internal_double("stp_idle_min");
 stp_skip_src = internal_val("stp_skip_src")->AsTableVal();
- interconn_min_interarrival = opt_internal_double("interconn_min_interarrival");
- interconn_max_interarrival = opt_internal_double("interconn_max_interarrival");
- interconn_max_keystroke_pkt_size = opt_internal_int("interconn_max_keystroke_pkt_size");
- interconn_default_pkt_size = opt_internal_int("interconn_default_pkt_size");
- interconn_stat_period = opt_internal_double("interconn_stat_period");
- interconn_stat_backoff = opt_internal_double("interconn_stat_backoff");
- interconn_endp_stats = internal_type("interconn_endp_stats")->AsRecordType();
-
 backdoor_stat_period = opt_internal_double("backdoor_stat_period");
 backdoor_stat_backoff = opt_internal_double("backdoor_stat_backoff");
 backdoor_endp_stats = internal_type("backdoor_endp_stats")->AsRecordType();
diff --git a/src/NetVar.h b/src/NetVar.h
index f2b3353f56..28936b9c61 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -128,14 +128,6 @@ extern double stp_delta;
 extern double stp_idle_min;
 extern TableVal* stp_skip_src;
-extern double interconn_min_interarrival;
-extern double interconn_max_interarrival;
-extern int interconn_max_keystroke_pkt_size;
-extern int interconn_default_pkt_size;
-extern double interconn_stat_period;
-extern double interconn_stat_backoff;
-extern RecordType* interconn_endp_stats;
-
 extern double backdoor_stat_period;
 extern double backdoor_stat_backoff;
diff --git a/src/Sessions.cc b/src/Sessions.cc
index e668815cfb..019082a6f0 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -22,8 +22,6 @@
 #include "analyzer/protocol/stepping-stone/events.bif.h"
 #include "analyzer/protocol/backdoor/BackDoor.h"
 #include "analyzer/protocol/backdoor/events.bif.h"
-#include "analyzer/protocol/interconn/InterConn.h"
-#include "analyzer/protocol/interconn/events.bif.h"
 #include "analyzer/protocol/arp/ARP.h"
 #include "analyzer/protocol/arp/events.bif.h"
 #include "Discard.h"
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index c7e156b41e..d62749284d 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -8,7 +8,6 @@
 #include "protocol/backdoor/BackDoor.h"
 #include "protocol/conn-size/ConnSize.h"
 #include "protocol/icmp/ICMP.h"
-#include "protocol/interconn/InterConn.h"
 #include "protocol/pia/PIA.h"
 #include "protocol/stepping-stone/SteppingStone.h"
 #include "protocol/tcp/TCP.h"
@@ -89,7 +88,6 @@ void Manager::InitPreScript()
 // Cache these tags.
 analyzer_backdoor = GetComponentTag("BACKDOOR");
 analyzer_connsize = GetComponentTag("CONNSIZE");
- analyzer_interconn = GetComponentTag("INTERCONN");
 analyzer_stepping = GetComponentTag("STEPPINGSTONE");
 analyzer_tcpstats = GetComponentTag("TCPSTATS");
 }
@@ -466,11 +464,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 // can handle both reassembled and non-reassembled input.
 tcp->AddChildAnalyzer(new backdoor::BackDoor_Analyzer(conn), false);
- if ( IsEnabled(analyzer_interconn) )
- // Add a InterConn analyzer if requested. This analyzer
- // can handle both reassembled and non-reassembled input.
- tcp->AddChildAnalyzer(new interconn::InterConn_Analyzer(conn), false);
-
 if ( IsEnabled(analyzer_stepping) )
 {
 // Add a SteppingStone analyzer if requested. The port
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h
index 8f6d982394..1f9fc21090 100644
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@@ -357,7 +357,6 @@ private:
 Tag analyzer_backdoor;
 Tag analyzer_connsize;
- Tag analyzer_interconn;
 Tag analyzer_stepping;
 Tag analyzer_tcpstats;
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 8ebded627b..906f5e32dc 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -18,7 +18,6 @@ add_subdirectory(http)
 add_subdirectory(icmp)
 add_subdirectory(ident)
 add_subdirectory(imap)
-add_subdirectory(interconn)
 add_subdirectory(irc)
 add_subdirectory(krb)
 add_subdirectory(login)
diff --git a/src/analyzer/protocol/interconn/CMakeLists.txt b/src/analyzer/protocol/interconn/CMakeLists.txt
deleted file mode 100644
index c1cf40da3f..0000000000
--- a/src/analyzer/protocol/interconn/CMakeLists.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek InterConn)
-zeek_plugin_cc(InterConn.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()
diff --git a/src/analyzer/protocol/interconn/InterConn.cc b/src/analyzer/protocol/interconn/InterConn.cc
deleted file mode 100644
index e9a9378c90..0000000000
--- a/src/analyzer/protocol/interconn/InterConn.cc
+++ /dev/null
@@ -1,274 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek-config.h"
-
-#include "InterConn.h"
-#include "Event.h"
-#include "Net.h"
-#include "analyzer/protocol/tcp/TCP.h"
-
-#include "events.bif.h"
-
-using namespace analyzer::interconn;
-
-InterConnEndpoint::InterConnEndpoint(tcp::TCP_Endpoint* e)
- {
- endp = e;
- max_top_seq = 0;
- num_pkts = num_keystrokes_two_in_a_row = num_normal_interarrivals =
- num_8k0_pkts = num_8k4_pkts = num_bytes = num_7bit_ascii =
- num_lines = num_normal_lines = 0;
- is_partial = keystroke_just_seen = 0;
- last_keystroke_time = 0.0;
- }
-
-#define NORMAL_LINE_LENGTH 80
-
-int InterConnEndpoint::DataSent(double t, uint64 seq, int len, int caplen,
- const u_char* data, const IP_Hdr* /* ip */,
- const struct tcphdr* /* tp */)
- {
- if ( caplen < len )
- len = caplen;
-
- if ( len <= 0 )
- return 0;
-
- if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
- is_partial = 1;
-
- uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
- uint64 top_seq = seq + len;
-
- if ( top_seq <= ack || top_seq <= max_top_seq )
- // There is no new data in this packet
- return 0;
-
- if ( seq < max_top_seq )
- { // Only consider new data
- int64 amount_seen = max_top_seq - seq;
- seq += amount_seen;
- data += amount_seen;
- len -= amount_seen;
- }
-
- if ( max_top_seq && seq > max_top_seq )
- // We've got a pkt above a hole
- num_pkts += EstimateGapPacketNum(seq - max_top_seq);
-
- ++num_pkts;
- max_top_seq = top_seq;
-
- // Count the bytes.
- num_bytes += len;
-
- int last_char = 0;
- int offset = 0; // where we consider the latest line to have begun
-
- for ( int i = 0; i < len; ++i )
- {
- unsigned int c = data[i];
-
- if ( c == '\n' && last_char == '\r' )
- {
- // Compress CRLF to just one line termination.
- last_char = c;
- continue;
- }
-
- if ( c == '\n' || c == '\r' )
- {
- ++num_lines;
- if ( i - offset <= NORMAL_LINE_LENGTH )
- ++num_normal_lines;
- offset = i;
- }
-
- else if ( c != 0 && c < 128 )
- ++num_7bit_ascii;
-
- last_char = c;
- }
-
- if ( IsPotentialKeystrokePacket(len) )
- {
- if ( keystroke_just_seen )
- {
- ++num_keystrokes_two_in_a_row;
-
- if ( IsNormalKeystrokeInterarrival(t - last_keystroke_time) )
- ++num_normal_interarrivals;
- }
- else
- keystroke_just_seen = 1;
-
- // Look for packets matching the SSH signature of
- // being either 0 or 4 modulo 8.
- switch ( len & 7 ) {
- case 0:
- if ( len >= 16 )
- ++num_8k0_pkts;
- break;
-
- case 4:
- ++num_8k4_pkts;
- break;
- }
-
- last_keystroke_time = t;
- }
- else
- keystroke_just_seen = 0;
-
- return 1;
- }
-
-RecordVal* InterConnEndpoint::BuildStats()
- {
- RecordVal* stats = new RecordVal(interconn_endp_stats);
-
- stats->Assign(0, val_mgr->GetCount(num_pkts));
- stats->Assign(1, val_mgr->GetCount(num_keystrokes_two_in_a_row));
- stats->Assign(2, val_mgr->GetCount(num_normal_interarrivals));
- stats->Assign(3, val_mgr->GetCount(num_8k0_pkts));
- stats->Assign(4, val_mgr->GetCount(num_8k4_pkts));
- stats->Assign(5, val_mgr->GetBool(is_partial));
- stats->Assign(6, val_mgr->GetCount(num_bytes));
- stats->Assign(7, val_mgr->GetCount(num_7bit_ascii));
- stats->Assign(8, val_mgr->GetCount(num_lines));
- stats->Assign(9, val_mgr->GetCount(num_normal_lines));
-
- return stats;
- }
-
-int InterConnEndpoint::EstimateGapPacketNum(int gap) const
- {
- return (gap + interconn_default_pkt_size - 1) / interconn_default_pkt_size;
- }
-
-int InterConnEndpoint::IsPotentialKeystrokePacket(int len) const
- {
- return len <= interconn_max_keystroke_pkt_size;
- }
-
-int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const
- {
- return interconn_min_interarrival <= t && t <= interconn_max_interarrival;
- }
-
-InterConn_Analyzer::InterConn_Analyzer(Connection* c)
-: tcp::TCP_ApplicationAnalyzer("INTERCONN", c)
- {
- orig_endp = resp_endp = 0;
- orig_stream_pos = resp_stream_pos = 1;
-
- timeout = backdoor_stat_period;
- backoff = backdoor_stat_backoff;
-
- c->GetTimerMgr()->Add(new InterConnTimer(network_time + timeout, this));
- }
-
-InterConn_Analyzer::~InterConn_Analyzer()
- {
- Unref(orig_endp);
- Unref(resp_endp);
- }
-
-void InterConn_Analyzer::Init()
- {
- tcp::TCP_ApplicationAnalyzer::Init();
-
- assert(TCP());
- orig_endp = new InterConnEndpoint(TCP()->Orig());
- resp_endp = new InterConnEndpoint(TCP()->Resp());
- }
-
-void InterConn_Analyzer::DeliverPacket(int len, const u_char* data,
- bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
- {
- tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig,
- seq, ip, caplen);
-
- if ( is_orig )
- orig_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
- else
- resp_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
- }
-
-void InterConn_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
- {
- tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
-
- if ( is_orig )
- {
- orig_endp->DataSent(network_time, orig_stream_pos, len, len, data, 0, 0);
- orig_stream_pos += len;
- }
-
- else
- {
- resp_endp->DataSent(network_time, resp_stream_pos, len, len, data, 0, 0);
- resp_stream_pos += len;
- }
- }
-
-void InterConn_Analyzer::Done()
- {
- if ( ! IsFinished() )
- {
- if ( ! Conn()->Skipping() )
- StatEvent();
-
- RemoveEvent();
- }
-
- tcp::TCP_ApplicationAnalyzer::Done();
- }
-
-void InterConn_Analyzer::StatTimer(double t, int is_expire)
- {
- if ( IsFinished() || Conn()->Skipping() )
- return;
-
- StatEvent();
-
- if ( ! is_expire )
- {
- timeout *= backoff;
- timer_mgr->Add(new InterConnTimer(t + timeout, this));
- }
- }
-
-void InterConn_Analyzer::StatEvent()
- {
- if ( interconn_stats )
- Conn()->ConnectionEventFast(interconn_stats, this, {
- Conn()->BuildConnVal(),
- orig_endp->BuildStats(),
- resp_endp->BuildStats(),
- });
- }
-
-void InterConn_Analyzer::RemoveEvent()
- {
- if ( interconn_remove_conn )
- Conn()->ConnectionEventFast(interconn_remove_conn, this, {Conn()->BuildConnVal()});
- }
-
-InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a)
-: Timer(t, TIMER_INTERCONN)
- {
- analyzer = a;
- // Make sure connection does not expire.
- Ref(a->Conn());
- }
-
-InterConnTimer::~InterConnTimer()
- {
- Unref(analyzer->Conn());
- }
-
-void InterConnTimer::Dispatch(double t, int is_expire)
- {
- analyzer->StatTimer(t, is_expire);
- }
diff --git a/src/analyzer/protocol/interconn/InterConn.h b/src/analyzer/protocol/interconn/InterConn.h
deleted file mode 100644
index 04d5a2b5c6..0000000000
--- a/src/analyzer/protocol/interconn/InterConn.h
+++ /dev/null
@@ -1,88 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H
-#define ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H
-
-#include "analyzer/protocol/tcp/TCP.h"
-#include "Timer.h"
-#include "NetVar.h"
-
-namespace analyzer { namespace interconn {
-
-class InterConnEndpoint : public BroObj {
-public:
- explicit InterConnEndpoint(tcp::TCP_Endpoint* e);
-
- int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
- const IP_Hdr* ip, const struct tcphdr* tp);
-
- RecordVal* BuildStats();
-
-protected:
- int EstimateGapPacketNum(int gap) const;
- int IsPotentialKeystrokePacket(int len) const;
- int IsNormalKeystrokeInterarrival(double t) const;
-
- tcp::TCP_Endpoint* endp;
- double last_keystroke_time;
- uint64 max_top_seq;
- uint32 num_pkts;
- uint32 num_keystrokes_two_in_a_row;
- uint32 num_normal_interarrivals;
- uint32 num_8k4_pkts;
- uint32 num_8k0_pkts;
- uint32 num_bytes;
- uint32 num_7bit_ascii;
- uint32 num_lines;
- uint32 num_normal_lines;
- int is_partial;
- int keystroke_just_seen;
-};
-
-
-class InterConn_Analyzer : public tcp::TCP_ApplicationAnalyzer {
-public:
- explicit InterConn_Analyzer(Connection* c);
- ~InterConn_Analyzer() override;
-
- void Init() override;
- void Done() override;
- void StatTimer(double t, int is_expire);
-
- static analyzer::Analyzer* Instantiate(Connection* conn)
- { return new InterConn_Analyzer(conn); }
-
-protected:
- // We support both packet and stream input and can be put in place even
- // if the TCP analyzer is not yet reassembling.
- void DeliverPacket(int len, const u_char* data, bool is_orig,
- uint64 seq, const IP_Hdr* ip, int caplen) override;
- void DeliverStream(int len, const u_char* data, bool is_orig) override;
-
- void StatEvent();
- void RemoveEvent();
-
- InterConnEndpoint* orig_endp;
- InterConnEndpoint* resp_endp;
-
- int orig_stream_pos;
- int resp_stream_pos;
-
- double timeout;
- double backoff;
-};
-
-class InterConnTimer : public Timer {
-public:
- InterConnTimer(double t, InterConn_Analyzer* a);
- ~InterConnTimer() override;
-
- void Dispatch(double t, int is_expire) override;
-
-protected:
- InterConn_Analyzer* analyzer;
-};
-
-} } // namespace analyzer::*
-
-#endif
diff --git a/src/analyzer/protocol/interconn/Plugin.cc b/src/analyzer/protocol/interconn/Plugin.cc
deleted file mode 100644
index bbd1b866ed..0000000000
--- a/src/analyzer/protocol/interconn/Plugin.cc
+++ /dev/null
@@ -1,25 +0,0 @@
-// See the file in the main distribution directory for copyright.
-
-
-#include "plugin/Plugin.h"
-
-#include "InterConn.h"
-
-namespace plugin {
-namespace Zeek_InterConn {
-
-class Plugin : public plugin::Plugin {
-public:
- plugin::Configuration Configure()
- {
- AddComponent(new ::analyzer::Component("InterConn", ::analyzer::interconn::InterConn_Analyzer::Instantiate));
-
- plugin::Configuration config;
- config.name = "Zeek::InterConn";
- config.description = "InterConn analyzer deprecated";
- return config;
- }
-} plugin;
-
-}
-}
diff --git a/src/analyzer/protocol/interconn/events.bif b/src/analyzer/protocol/interconn/events.bif
deleted file mode 100644
index 6e859da668..0000000000
--- a/src/analyzer/protocol/interconn/events.bif
+++ /dev/null
@@ -1,8 +0,0 @@
-# ##### Deprecated events. Proposed for removal.
-
-## Deprecated. Will be removed.
-event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
-
-## Deprecated. Will be removed.
-event interconn_remove_conn%(c: connection%);
-
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 8fa1ab560a..8a1f6fd603 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -85,7 +85,6 @@ scripts/base/init-frameworks-and-bifs.zeek
 build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek
- build/scripts/base/bif/plugins/Zeek_InterConn.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 0b68a0ce83..361019899c 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -85,7 +85,6 @@ scripts/base/init-frameworks-and-bifs.zeek
 build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek
- build/scripts/base/bif/plugins/Zeek_InterConn.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 37c2f126e3..4d70a144e8 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -1,5 +1,4 @@
 0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) ->
-0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_INTERCONN)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) ->
@@ -66,7 +65,6 @@
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) ->
-0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_INTERCONN)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) ->
@@ -278,7 +276,7 @@
 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) ->
 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) ->
 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])) ->
 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) ->
 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) ->
@@ -459,7 +457,7 @@
 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) ->
 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) ->
 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])) ->
 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -605,7 +603,6 @@
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_IMAP.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_IRC.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_Ident.events.bif.zeek) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_InterConn.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_KRB.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_KRB.types.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_Login.events.bif.zeek) -> -1
@@ -896,7 +893,6 @@
 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false
 0.000000 MetaHookPost QueueEvent(zeek_init()) -> false
 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR))
-0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_INTERCONN))
 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS))
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp))
@@ -963,7 +959,6 @@
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR))
-0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_INTERCONN))
 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp))
@@ -1175,7 +1170,7 @@
 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG))
 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG))
@@ -1356,7 +1351,7 @@
 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
 0.000000 MetaHookPre CallFunction(NetControl::init, , ())
 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
@@ -1502,7 +1497,6 @@
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_IMAP.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_IRC.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_Ident.events.bif.zeek)
-0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_InterConn.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_KRB.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_KRB.types.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_Login.events.bif.zeek)
@@ -1793,7 +1787,6 @@
 0.000000 MetaHookPre QueueEvent(filter_change_tracking())
 0.000000 MetaHookPre QueueEvent(zeek_init())
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
-0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_INTERCONN)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
@@ -1860,7 +1853,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
-0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_INTERCONN)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
@@ -2071,7 +2063,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2252,7 +2244,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2398,7 +2390,6 @@
 0.000000 | HookLoadFile .<...>/Zeek_IMAP.events.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_IRC.events.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_Ident.events.bif.zeek
-0.000000 | HookLoadFile .<...>/Zeek_InterConn.events.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_KRB.events.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_Login.events.bif.zeek
@@ -2684,7 +2675,7 @@
 0.000000 | HookLoadFile base<...>/xmpp
 0.000000 | HookLoadFile base<...>/zeek.bif.zeek
 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite packet_filter [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite packet_filter [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()