mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Rework Sessions::Weird
This commit is contained in:
Tim Wojtulewicz
parent
b1e517e863
commit
a99b540e46
17 changed files with 130 additions and 128 deletions
|
|
@ -159,7 +159,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt)
|
|||
}
|
||||
|
||||
default:
|
||||
Weird("unknown_protocol", pkt, pkt->encap, util::fmt("%d", proto));
|
||||
Weird("unknown_protocol", pkt, util::fmt("%d", proto));
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
@ -296,13 +296,13 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32_t len, uint32_t caplen,
|
|||
|
||||
if ( len < min_hdr_len )
|
||||
{
|
||||
Weird("truncated_header", p, p->encap);
|
||||
Weird("truncated_header", p);
|
||||
return true;
|
||||
}
|
||||
|
||||
if ( caplen < min_hdr_len )
|
||||
{
|
||||
Weird("internally_truncated_header", p, p->encap);
|
||||
Weird("internally_truncated_header", p);
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
@ -679,28 +679,26 @@ bool NetSessions::WantConnection(uint16_t src_port, uint16_t dst_port,
|
|||
return true;
|
||||
}
|
||||
|
||||
void NetSessions::Weird(const char* name, const Packet* pkt,
|
||||
const std::shared_ptr<EncapsulationStack>& encap,
|
||||
const char* addl)
|
||||
void NetSessions::Weird(const char* name, const Packet* pkt, const char* addl)
|
||||
{
|
||||
if ( pkt )
|
||||
pkt->dump_packet = true;
|
||||
|
||||
if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
|
||||
reporter->Weird(util::fmt("%s_in_tunnel", name), addl);
|
||||
const char* weird_name;
|
||||
if ( pkt->encap && pkt->encap->LastType() != BifEnum::Tunnel::NONE )
|
||||
weird_name = util::fmt("%s_in_tunnel", name);
|
||||
else
|
||||
reporter->Weird(name, addl);
|
||||
weird_name = name;
|
||||
|
||||
if ( pkt->ip_hdr )
|
||||
reporter->Weird(pkt->ip_hdr->SrcAddr(), pkt->ip_hdr->DstAddr(), weird_name, addl);
|
||||
else
|
||||
reporter->Weird(weird_name, addl);
|
||||
}
|
||||
|
||||
void NetSessions::Weird(const char* name, const IP_Hdr* ip,
|
||||
const std::shared_ptr<EncapsulationStack>& encap,
|
||||
const char* addl)
|
||||
void NetSessions::Weird(const char* name, const IP_Hdr* ip, const char* addl)
|
||||
{
|
||||
if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
|
||||
reporter->Weird(ip->SrcAddr(), ip->DstAddr(),
|
||||
util::fmt("%s_in_tunnel", name), addl);
|
||||
else
|
||||
reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name, addl);
|
||||
reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name, addl);
|
||||
}
|
||||
|
||||
unsigned int NetSessions::ConnectionMemoryUsage()
|
||||
|
|
|
|||
|
|
@ -71,10 +71,8 @@ public:
|
|||
void GetStats(SessionStats& s) const;
|
||||
|
||||
void Weird(const char* name, const Packet* pkt,
|
||||
const std::shared_ptr<EncapsulationStack>& encap = nullptr,
|
||||
const char* addl = "");
|
||||
void Weird(const char* name, const IP_Hdr* ip,
|
||||
const std::shared_ptr<EncapsulationStack>& encap = nullptr,
|
||||
const char* addl = "");
|
||||
|
||||
detail::PacketFilter* GetPacketFilter(bool init=true)
|
||||
|
|
|
|||
|
|
@ -89,9 +89,9 @@ const IP_Hdr Packet::IP() const
|
|||
return IP_Hdr((struct ip *) (data + hdr_size), false);
|
||||
}
|
||||
|
||||
void Packet::Weird(const char* name, const std::shared_ptr<EncapsulationStack>& encap)
|
||||
void Packet::Weird(const char* name)
|
||||
{
|
||||
sessions->Weird(name, this, encap);
|
||||
sessions->Weird(name, this);
|
||||
}
|
||||
|
||||
RecordValPtr Packet::ToRawPktHdrVal() const
|
||||
|
|
|
|||
|
|
@ -130,7 +130,7 @@ public:
|
|||
RecordVal* BuildPktHdrVal() const;
|
||||
|
||||
// Wrapper to generate a packet-level weird. Has to be public for llanalyzers to use it.
|
||||
void Weird(const char* name, const std::shared_ptr<EncapsulationStack>& encap = nullptr);
|
||||
void Weird(const char* name);
|
||||
|
||||
/**
|
||||
* Maximal length of a layer 2 address.
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
|
||||
if ( ! BifConst::Tunnel::enable_gre )
|
||||
{
|
||||
sessions->Weird("GRE_tunnel", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("GRE_tunnel", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -68,8 +68,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
|
||||
if ( gre_version != 0 && gre_version != 1 )
|
||||
{
|
||||
sessions->Weird("unknown_gre_version", packet->ip_hdr.get(), packet->encap,
|
||||
util::fmt("%d", gre_version));
|
||||
sessions->Weird("unknown_gre_version", packet, util::fmt("%d", gre_version));
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -86,7 +85,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
}
|
||||
else
|
||||
{
|
||||
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("truncated_GRE", packet);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -103,7 +102,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
}
|
||||
else
|
||||
{
|
||||
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("truncated_GRE", packet);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -126,7 +125,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
erspan_len += 8;
|
||||
else
|
||||
{
|
||||
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("truncated_GRE", packet);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -135,7 +134,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
}
|
||||
else
|
||||
{
|
||||
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("truncated_GRE", packet);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -146,8 +145,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
if ( proto_typ != 0x880b )
|
||||
{
|
||||
// Enhanced GRE payload must be PPP.
|
||||
sessions->Weird("egre_protocol_type", packet->ip_hdr.get(), packet->encap,
|
||||
util::fmt("%d", proto_typ));
|
||||
sessions->Weird("egre_protocol_type", packet, util::fmt("%d", proto_typ));
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -157,20 +155,20 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
// RFC 2784 deprecates the variable length routing field
|
||||
// specified by RFC 1701. It could be parsed here, but easiest
|
||||
// to just skip for now.
|
||||
sessions->Weird("gre_routing", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("gre_routing", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( flags_ver & 0x0078 )
|
||||
{
|
||||
// Expect last 4 bits of flags are reserved, undefined.
|
||||
sessions->Weird("unknown_gre_flags", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("unknown_gre_flags", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( len < gre_len + ppp_len + eth_len + erspan_len )
|
||||
{
|
||||
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("truncated_GRE", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -180,8 +178,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
|
||||
if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 )
|
||||
{
|
||||
sessions->Weird("non_ip_packet_in_encap", packet->ip_hdr.get(),
|
||||
packet->encap);
|
||||
sessions->Weird("non_ip_packet_in_encap", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
// check ipv4 here. We'll check ipv6 later once we determine we have an ipv6 header.
|
||||
if ( len < sizeof(struct ip) )
|
||||
{
|
||||
packet->Weird("truncated_IP");
|
||||
sessions->Weird("truncated_IP", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -58,7 +58,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
{
|
||||
if ( len < sizeof(struct ip6_hdr) )
|
||||
{
|
||||
packet->Weird("truncated_IP");
|
||||
sessions->Weird("truncated_IP", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -67,7 +67,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
}
|
||||
else
|
||||
{
|
||||
packet->Weird("unknown_ip_version");
|
||||
sessions->Weird("unknown_ip_version", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -78,7 +78,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
if ( total_len == 0 )
|
||||
{
|
||||
// TCP segmentation offloading can zero out the ip_len field.
|
||||
packet->Weird("ip_hdr_len_zero", packet->encap);
|
||||
sessions->Weird("ip_hdr_len_zero", packet);
|
||||
|
||||
// Cope with the zero'd out ip_len field by using the caplen.
|
||||
total_len = packet->cap_len - packet->hdr_size;
|
||||
|
|
@ -86,7 +86,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
|
||||
if ( packet->len < total_len + packet->hdr_size )
|
||||
{
|
||||
packet->Weird("truncated_IPv6", packet->encap);
|
||||
sessions->Weird("truncated_IPv6", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -95,13 +95,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
uint16_t ip_hdr_len = packet->ip_hdr->HdrLen();
|
||||
if ( ip_hdr_len > total_len )
|
||||
{
|
||||
sessions->Weird("invalid_IP_header_size", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("invalid_IP_header_size", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( ip_hdr_len > len )
|
||||
{
|
||||
sessions->Weird("internally_truncated_header", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("internally_truncated_header", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -109,7 +109,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
{
|
||||
if ( ip_hdr_len < sizeof(struct ip) )
|
||||
{
|
||||
packet->Weird("IPv4_min_header_size");
|
||||
sessions->Weird("IPv4_min_header_size", packet);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -117,7 +117,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
{
|
||||
if ( ip_hdr_len < sizeof(struct ip6_hdr) )
|
||||
{
|
||||
packet->Weird("IPv6_min_header_size");
|
||||
sessions->Weird("IPv6_min_header_size", packet);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -130,7 +130,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
if ( ! packet->l2_checksummed && ! detail::ignore_checksums && ip4 &&
|
||||
detail::in_cksum(reinterpret_cast<const uint8_t*>(ip4), ip_hdr_len) != 0xffff )
|
||||
{
|
||||
sessions->Weird("bad_IP_checksum", packet, packet->encap);
|
||||
sessions->Weird("bad_IP_checksum", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -145,7 +145,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
|
||||
if ( len < total_len )
|
||||
{
|
||||
sessions->Weird("incompletely_captured_fragment", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("incompletely_captured_fragment", packet);
|
||||
|
||||
// Don't try to reassemble, that's doomed.
|
||||
// Discard all except the first fragment (which
|
||||
|
|
@ -175,7 +175,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
|
||||
if ( ip_hdr_len > total_len )
|
||||
{
|
||||
sessions->Weird("invalid_IP_header_size", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("invalid_IP_header_size", packet);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -204,7 +204,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
|
||||
if ( ! ignore_checksums && mobility_header_checksum(packet->ip_hdr) != 0xffff )
|
||||
{
|
||||
sessions->Weird("bad_MH_checksum", packet, packet->encap);
|
||||
sessions->Weird("bad_MH_checksum", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -212,7 +212,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
|
|||
event_mgr.Enqueue(mobile_ipv6_message, packet->ip_hdr->ToPktHdrVal());
|
||||
|
||||
if ( packet->ip_hdr->NextProto() != IPPROTO_NONE )
|
||||
sessions->Weird("mobility_piggyback", packet, packet->encap);
|
||||
sessions->Weird("mobility_piggyback", packet);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,14 +28,14 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
|
|||
|
||||
if ( ! BifConst::Tunnel::enable_ip )
|
||||
{
|
||||
sessions->Weird("IP_tunnel", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("IP_tunnel", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( packet->encap &&
|
||||
packet->encap->Depth() >= BifConst::Tunnel::max_depth )
|
||||
{
|
||||
sessions->Weird("exceeded_tunnel_max_depth", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("exceeded_tunnel_max_depth", packet);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -51,11 +51,11 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
|
|||
// Check for a valid inner packet first.
|
||||
int result = sessions->ParseIPPacket(len, data, proto, inner);
|
||||
if ( result == -2 )
|
||||
sessions->Weird("invalid_inner_IP_version", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("invalid_inner_IP_version", packet);
|
||||
else if ( result < 0 )
|
||||
sessions->Weird("truncated_inner_IP", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("truncated_inner_IP", packet);
|
||||
else if ( result > 0 )
|
||||
sessions->Weird("inner_IP_payload_length_mismatch", packet->ip_hdr.get(), packet->encap);
|
||||
sessions->Weird("inner_IP_payload_length_mismatch", packet);
|
||||
|
||||
if ( result != 0 )
|
||||
{
|
||||
|
|
|
|||
|
|
@ -3,101 +3,101 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-03
|
||||
#open 2020-10-14-18-44-07
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1332784981.078396 - - - - - bad_IP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-03
|
||||
1332784981.078396 - 127.0.0.1 0 127.0.0.1 0 bad_IP_checksum - F zeek
|
||||
#close 2020-10-14-18-44-07
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-03
|
||||
#open 2020-10-14-18-44-08
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1332784885.686428 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 80 bad_TCP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-03
|
||||
#close 2020-10-14-18-44-08
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-04
|
||||
#open 2020-10-14-18-44-08
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1332784933.501023 CHhAvVGS1DHFjwGM9 127.0.0.1 30000 127.0.0.1 13000 bad_UDP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-04
|
||||
#close 2020-10-14-18-44-08
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-04
|
||||
#open 2020-10-14-18-44-09
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334075363.536871 CHhAvVGS1DHFjwGM9 192.168.1.100 8 192.168.1.101 0 bad_ICMP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-04
|
||||
#close 2020-10-14-18-44-09
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-05
|
||||
#open 2020-10-14-18-44-10
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1332785210.013051 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek
|
||||
1332785210.013051 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 80 bad_TCP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-05
|
||||
#close 2020-10-14-18-44-10
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-05
|
||||
#open 2020-10-14-18-44-10
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1332782580.798420 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek
|
||||
1332782580.798420 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:78:1:32::2 13000 bad_UDP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-05
|
||||
#close 2020-10-14-18-44-10
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-06
|
||||
#open 2020-10-14-18-44-11
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334075111.800086 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
|
||||
1334075111.800086 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:78:1:32::1 129 bad_ICMP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-06
|
||||
#close 2020-10-14-18-44-11
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-06
|
||||
#open 2020-10-14-18-44-11
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1332785250.469132 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 80 bad_TCP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-06
|
||||
#close 2020-10-14-18-44-11
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-06
|
||||
#open 2020-10-14-18-44-12
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1332781342.923813 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 30000 2001:4f8:4:7:2e0:81ff:fe52:9a6b 13000 bad_UDP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-07
|
||||
#close 2020-10-14-18-44-12
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-07
|
||||
#open 2020-10-14-18-44-12
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-07
|
||||
#close 2020-10-14-18-44-12
|
||||
|
|
|
|||
|
|
@ -3,68 +3,68 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-07
|
||||
#open 2020-10-14-18-44-12
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334074939.467194 CHhAvVGS1DHFjwGM9 2001:4f8:4:7:2e0:81ff:fe52:ffff 128 2001:4f8:4:7:2e0:81ff:fe52:9a6b 129 bad_ICMP_checksum - F zeek
|
||||
#close 2019-06-07-02-20-07
|
||||
#close 2020-10-14-18-44-12
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-08
|
||||
#open 2020-10-14-18-44-15
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1332785125.596793 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek
|
||||
#close 2019-06-07-02-20-08
|
||||
#close 2020-10-14-18-44-15
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-09
|
||||
#open 2020-10-14-18-44-15
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1332782508.592037 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::2 0 routing0_hdr - F zeek
|
||||
#close 2019-06-07-02-20-09
|
||||
#close 2020-10-14-18-44-15
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-09
|
||||
#open 2020-10-14-18-44-16
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
|
||||
#close 2019-06-07-02-20-09
|
||||
#close 2020-10-14-18-44-16
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-09
|
||||
#open 2020-10-14-18-44-16
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
|
||||
#close 2019-06-07-02-20-09
|
||||
#close 2020-10-14-18-44-16
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-09
|
||||
#open 2020-10-14-18-44-16
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
|
||||
#close 2019-06-07-02-20-09
|
||||
#close 2020-10-14-18-44-16
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2019-06-07-02-20-09
|
||||
#open 2020-10-14-18-44-16
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334075027.053380 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:78:1:32::1 0 routing0_hdr - F zeek
|
||||
#close 2019-06-07-02-20-09
|
||||
#close 2020-10-14-18-44-16
|
||||
|
|
|
|||
|
|
@ -3,8 +3,8 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-09-15-17-17-50
|
||||
#open 2020-10-14-18-44-54
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1333663011.602839 - - - - - no_suitable_analyzer_found - F zeek
|
||||
#close 2020-09-15-17-17-50
|
||||
1333663011.602839 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:4f8:4:7:2e0:81ff:fe52:9a6b 0 no_suitable_analyzer_found - F zeek
|
||||
#close 2020-10-14-18-44-54
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-09-10-22-34-02
|
||||
#open 2020-10-14-18-45-20
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -91,7 +91,7 @@
|
|||
1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - - - - - ip_hdr_len_zero - F zeek
|
||||
1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 ip_hdr_len_zero - F zeek
|
||||
1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F zeek
|
||||
1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -126,6 +126,7 @@
|
|||
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 ip_hdr_len_zero - F zeek
|
||||
1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F zeek
|
||||
1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -153,6 +154,7 @@
|
|||
1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 ip_hdr_len_zero - F zeek
|
||||
1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F zeek
|
||||
1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -180,6 +182,7 @@
|
|||
1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek
|
||||
1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek
|
||||
1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -215,6 +218,7 @@
|
|||
1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F zeek
|
||||
1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 ip_hdr_len_zero - F zeek
|
||||
1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F zeek
|
||||
1500557632.000000 - b100:7265:6374:6929::6928:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -278,6 +282,7 @@
|
|||
1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 ip_hdr_len_zero - F zeek
|
||||
1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F zeek
|
||||
1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -311,6 +316,7 @@
|
|||
1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 ip_hdr_len_zero - F zeek
|
||||
1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F zeek
|
||||
1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -398,6 +404,7 @@
|
|||
1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 ip_hdr_len_zero - F zeek
|
||||
1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F zeek
|
||||
1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -428,6 +435,7 @@
|
|||
1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 ip_hdr_len_zero - F zeek
|
||||
1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F zeek
|
||||
1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
|
|
@ -460,4 +468,4 @@
|
|||
1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F zeek
|
||||
#close 2020-09-10-22-34-02
|
||||
#close 2020-10-14-18-45-20
|
||||
|
|
|
|||
|
|
@ -18,14 +18,14 @@ flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1
|
|||
flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1
|
||||
flow weird, fragment_inconsistency, 128.32.46.142, 10.0.0.1
|
||||
----------------------
|
||||
net_weird, truncated_IPv6
|
||||
net_weird, truncated_IPv6
|
||||
net_weird, truncated_IPv6
|
||||
net_weird, truncated_IPv6
|
||||
flow weird, truncated_IPv6, 63.193.213.194, 128.3.97.175
|
||||
flow weird, truncated_IPv6, 63.193.213.194, 128.3.97.175
|
||||
flow weird, truncated_IPv6, 63.193.213.194, 128.3.97.175
|
||||
flow weird, truncated_IPv6, 63.193.213.194, 128.3.97.175
|
||||
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliidlhd, A
|
||||
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], dgphrodofqhq, orgmmpelofil, A
|
||||
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], lenhfdqhqfgs, dfpqssidkpdg, A
|
||||
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliislrr, A
|
||||
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], iokgedlsdkjkiefgmeqkfjoh, ggdeolssksemrhedoledddml, A
|
||||
net_weird, truncated_IPv6
|
||||
flow weird, truncated_IPv6, 63.193.213.194, 128.3.97.175
|
||||
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?>\x0d\x0a<g:searchrequest xmlns:g=, OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?igplqgeqsonkllfshdjplhjspmde, AP
|
||||
|
|
|
|||
|
|
@ -3,78 +3,79 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-10-09-19-23-22
|
||||
#open 2020-10-14-19-20-15
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334160095.895421 - - - - - truncated_IP - F zeek
|
||||
#close 2020-10-09-19-23-22
|
||||
#close 2020-10-14-19-20-15
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-10-09-19-23-23
|
||||
#open 2020-10-14-19-20-16
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334156241.519125 - - - - - truncated_IP - F zeek
|
||||
#close 2020-10-09-19-23-23
|
||||
#close 2020-10-14-19-20-16
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-10-09-19-23-23
|
||||
#open 2020-10-14-19-20-16
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1334094648.590126 - - - - - truncated_IPv6 - F zeek
|
||||
#close 2020-10-09-19-23-23
|
||||
1334094648.590126 - 2001:4f8:4:7:2e0:81ff:fe52:ffff 0 2001:4f8:4:7:2e0:81ff:fe52:9a6b 0 truncated_IPv6 - F zeek
|
||||
#close 2020-10-14-19-20-16
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-10-09-19-23-24
|
||||
#open 2020-10-14-19-20-17
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1338328954.078361 - - - - - internally_truncated_header - F zeek
|
||||
#close 2020-10-09-19-23-24
|
||||
1338328954.078361 - 10.0.0.1 0 192.0.43.10 0 internally_truncated_header - F zeek
|
||||
1338328954.099743 - 192.0.43.10 0 10.0.0.1 0 internally_truncated_header - F zeek
|
||||
#close 2020-10-14-19-20-17
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-10-09-19-23-25
|
||||
#open 2020-10-14-19-20-18
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1404148886.981015 - - - - - truncated_ethernet_frame - F zeek
|
||||
#close 2020-10-09-19-23-25
|
||||
#close 2020-10-14-19-20-18
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-10-09-19-23-26
|
||||
#open 2020-10-14-19-20-19
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek
|
||||
#close 2020-10-09-19-23-26
|
||||
#close 2020-10-14-19-20-19
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-10-09-19-23-26
|
||||
#open 2020-10-14-19-20-19
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek
|
||||
#close 2020-10-09-19-23-26
|
||||
#close 2020-10-14-19-20-19
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-10-09-19-23-27
|
||||
#open 2020-10-14-19-20-20
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek
|
||||
#close 2020-10-09-19-23-27
|
||||
#close 2020-10-14-19-20-20
|
||||
|
|
|
|||
|
|
@ -3,18 +3,18 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#open 2020-10-09-19-25-26
|
||||
#open 2020-10-14-18-47-28
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1599068759.619112 CHhAvVGS1DHFjwGM9 172.22.214.60 8 192.0.78.212 0 icmp - - - - OTH - - 0 - 1 28 0 0 -
|
||||
#close 2020-10-09-19-25-26
|
||||
#close 2020-10-14-18-47-28
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path weird
|
||||
#open 2020-10-09-19-25-26
|
||||
#open 2020-10-14-18-47-28
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
||||
#types time string addr port addr port string string bool string
|
||||
1599068759.647566 - - - - - truncated_IPv6 - F zeek
|
||||
#close 2020-10-09-19-25-26
|
||||
1599068759.647566 - 108.97.116.105 0 110.103.32.73 0 truncated_IPv6 - F zeek
|
||||
#close 2020-10-14-18-47-28
|
||||
|
|
|
|||
|
|
@ -4,9 +4,9 @@ raw_layer_message (Message = 'I am encapsulating IP', Protocol = 4950)
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#open 2020-09-03-17-54-45
|
||||
#open 2020-10-14-18-47-51
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
|
||||
1599068759.647566 ClEkJM2Vm5giqnMf4h 172.22.214.60 8 192.0.78.150 0 icmp - - - - OTH - - 0 - 1 28 0 0 -
|
||||
1599068759.619112 CHhAvVGS1DHFjwGM9 172.22.214.60 8 192.0.78.212 0 icmp - - - - OTH - - 0 - 1 28 0 0 -
|
||||
#close 2020-09-03-17-54-45
|
||||
#close 2020-10-14-18-47-51
|
||||
|
|
|
|||
2
testing/external/commit-hash.zeek-testing
vendored
2
testing/external/commit-hash.zeek-testing
vendored
|
|
@ -1 +1 @@
|
|||
91a1eb998845aa370a1924e5510df7b2c974c5ed
|
||||
2167512e9e02d540b08464b5e6323cdfe4ea65f8
|
||||
|
|
@ -1 +1 @@
|
|||
0f49f7352e19a4422ccbdba0d15a2df5abdb128f
|
||||
41ea99ae0d9290aa7c29116dc38a074a45733a72
|
||||
Loading…
Add table
Add a link
Reference in a new issue