diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 6fce72055b..3f6a311e85 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -554,7 +554,7 @@ type connection: record { ## principle it is possible that more than one protocol analyzer is able ## to parse the same data. If so, all will be recorded. Also note that ## the recorded services are independent of any transport-level protocols. - service: set[string]; + service: set[string] &ordered; history: string; ##< State history of connections. See *history* in :zeek:see:`Conn::Info`. ## A globally unique connection identifier. For each connection, Zeek ## creates an ID that is very likely unique across independent Zeek runs. diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek index 81ce786b7d..9853207d15 100644 --- a/scripts/base/protocols/conn/main.zeek +++ b/scripts/base/protocols/conn/main.zeek @@ -27,8 +27,10 @@ export { id: conn_id &log; ## The transport layer protocol of the connection. proto: transport_proto &log; - ## An identification of an application protocol being sent over - ## the connection. + ## The identification of the application protocol(s) being sent over + ## the connection. Can list more than one protocol separated with + ## colons. Protocols listed are in the order in which they are + ## confirmed. service: string &log &optional; ## How long the connection lasted. ## diff --git a/src/Conn.cc b/src/Conn.cc index cbf95b8fff..5e7f065033 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -224,8 +224,10 @@ const RecordValPtr& Connection::GetVal() { conn_val->Assign(1, std::move(orig_endp)); conn_val->Assign(2, std::move(resp_endp)); // 3 and 4 are set below. - conn_val->Assign(5, make_intrusive(id::string_set)); // service - conn_val->Assign(6, val_mgr->EmptyString()); // history + // Do not assign to 5 (service). It is a non-optional set, which will be default-initialized + // using the script-level settings; this easily applies the &ordered attribute to it. + // conn_val->Assign(5, make_intrusive(id::ordered_string_set)); // service + conn_val->Assign(6, val_mgr->EmptyString()); // history if ( ! uid ) uid.Set(zeek::detail::bits_per_uid); diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output index a3c33207be..351f741c45 100644 --- a/testing/btest/Baseline/plugins.writer/output +++ b/testing/btest/Baseline/plugins.writer/output @@ -12,7 +12,7 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0.0) [analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|- [analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|- [conn] XXXXXXXXXX.XXXXXX|CHhAvVGS1DHFjwGM9|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|T|F|0|S|5|320|0|0|-|6 -[conn] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|http,socks|13.839419|3860|2934|SF|T|F|0|ShADadfF|23|5080|20|3986|-|6 +[conn] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|socks,http|13.839419|3860|2934|SF|T|F|0|ShADadfF|23|5080|20|3986|-|6 [conn] XXXXXXXXXX.XXXXXX|C4J4Th3PJpwUYZZ6gc|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|T|F|0|F|1|52|0|0|-|6 [conn] XXXXXXXXXX.XXXXXX|CtPZjS20MLrsMUOJi2|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|T|F|0|F|1|52|0|0|-|6 [conn] XXXXXXXXXX.XXXXXX|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|T|F|0|F|1|52|0|0|-|6 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log index 8fee6546a7..241f1125e6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log @@ -8,5 +8,5 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 tcp ftp,ssl,gridftp 0.294743 4491 6659 SF T T 0 ShAdDaFf 22 5643 21 7759 - 6 -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 tcp gridftp-data,ssl 0.010760 2109 3196 S1 T T 0 ShADad 7 2481 6 3516 - 6 +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 tcp ssl,gridftp-data 0.010760 2109 3196 S1 T T 0 ShADad 7 2481 6 3516 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log index 2ded9d823c..bfeb969d1f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ::1 52522 ::1 80 tcp ssl,http 0.691241 3644 55499 S1 T T 0 ShAaDd 29 5744 29 57599 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ::1 52522 ::1 80 tcp http,ssl 0.691241 3644 55499 S1 T T 0 ShAaDd 29 5744 29 57599 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log index 7f7b5dccce..01be2facd2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp smtp,http 6.722274 1685 223 SF F T 0 ShADadtTfF 14 2257 16 944 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp http,smtp 6.722274 1685 223 SF F T 0 ShADadtTfF 14 2257 16 944 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log index c374cbb0a0..4b3399b8fb 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 58132 79.107.90.25 3306 tcp ssl,mysql 2.043921 724 3255 SF F F 0 ShAdDaFf 14 1460 11 3835 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 58132 79.107.90.25 3306 tcp mysql,ssl 2.043921 724 3255 SF F F 0 ShAdDaFf 14 1460 11 3835 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log index 7059498553..d4c1ab00a6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 57902 79.107.90.25 3306 tcp ssl,mysql 6.756360 1076 3776 SF F F 0 ShAdDaFf 19 2072 14 4512 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 57902 79.107.90.25 3306 tcp mysql,ssl 6.756360 1076 3776 SF F F 0 ShAdDaFf 19 2072 14 4512 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log index fbf6293848..ba96ccbe3e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59272 127.0.0.1 3306 tcp ssl,mysql 0.021783 713 1959 SF T T 0 ShAdDaFf 10 1241 8 2383 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59272 127.0.0.1 3306 tcp mysql,ssl 0.021783 713 1959 SF T T 0 ShAdDaFf 10 1241 8 2383 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log index 3fc69f6c3e..2942d9a503 100644 --- a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54775 192.168.4.149 110 tcp ssl,pop3 2.489002 851 2590 SF T T 0 ShAadDfFr 16 1695 17 3462 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54775 192.168.4.149 110 tcp pop3,ssl 2.489002 851 2590 SF T T 0 ShAadDfFr 16 1695 17 3462 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut index 62a51c0bf1..697313a33d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid id.orig_h id.orig_p id.resp_h id.resp_p service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 ssl,postgresql +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 postgresql,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut index d5b92b5fe9..c2be47ab61 100644 --- a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid id.orig_h id.orig_p id.resp_h id.resp_p service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 ssl,postgresql +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 postgresql,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut index 6eadcd2f9d..91c6575829 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut @@ -2,4 +2,4 @@ ts uid history service 0.015059 ClEkJM2Vm5giqnMf4h - - 0.001000 CHhAvVGS1DHFjwGM9 - - -0.648580 C4J4Th3PJpwUYZZ6gc Dd quic,ssl +0.648580 C4J4Th3PJpwUYZZ6gc Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut index f60a9d33e6..82447e238b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut @@ -2,4 +2,4 @@ ts uid history service 0.000000 CHhAvVGS1DHFjwGM9 - - 0.016059 ClEkJM2Vm5giqnMf4h - - -0.669020 C4J4Th3PJpwUYZZ6gc Dd quic,ssl +0.669020 C4J4Th3PJpwUYZZ6gc Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut index 01d1a432a4..8fa1c1ad8f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut @@ -2,5 +2,5 @@ ts uid history service 0.015059 ClEkJM2Vm5giqnMf4h - - 0.001000 CHhAvVGS1DHFjwGM9 - - -0.790739 CtPZjS20MLrsMUOJi2 Dd quic,ssl -0.718160 C4J4Th3PJpwUYZZ6gc Dd quic,ssl +0.790739 CtPZjS20MLrsMUOJi2 Dd ssl,quic +0.718160 C4J4Th3PJpwUYZZ6gc Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.broker-websocket/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.broker-websocket/conn.log.cut index f5bd2aa2ab..a9226b32b3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.broker-websocket/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.broker-websocket/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadfF websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadfF http,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.jupyter-websocket/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.jupyter-websocket/conn.log.cut index f5bd2aa2ab..a9226b32b3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.jupyter-websocket/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.jupyter-websocket/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadfF websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadfF http,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-http/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-http/conn.log.cut index bb892cdeb5..4e74781615 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-http/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-http/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadFR websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadFR http,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-https/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-https/conn.log.cut index b61cd3bda1..34aa0f7c1f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-https/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-https/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadFR websocket,ssl,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadFR http,ssl,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure-wrong/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure-wrong/conn.log.cut index e8d2c4ae9a..0dc087d250 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure-wrong/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure-wrong/conn.log.cut @@ -1,4 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR websocket,http -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR http,websocket +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR http,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure/conn.log.cut index 72dcb1c5fa..bf5724eb72 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure/conn.log.cut @@ -1,4 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR websocket,ssh,http -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR websocket,ssh,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR http,websocket,ssh +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR http,websocket,ssh diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-spicy/conn.log.cut.spicy b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-spicy/conn.log.cut.spicy index 3e8944eb50..affc0e0a0f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-spicy/conn.log.cut.spicy +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-spicy/conn.log.cut.spicy @@ -1,4 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR ssh,websocket,http -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR ssh,websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR http,ssh,websocket +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR http,ssh,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh/conn.log.cut index 72dcb1c5fa..bf5724eb72 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh/conn.log.cut @@ -1,4 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR websocket,ssh,http -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR websocket,ssh,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR http,websocket,ssh +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR http,websocket,ssh diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log index c0879be9b1..aa2012bfc3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 198.128.203.95 56048 146.255.57.229 5222 tcp ssl,xmpp 2.213218 676 4678 SF F F 0 ShADadfFr 19 1676 15 5442 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 198.128.203.95 56048 146.255.57.229 5222 tcp xmpp,ssl 2.213218 676 4678 SF F F 0 ShADadfFr 19 1676 15 5442 - 6 #close XXXX-XX-XX-XX-XX-XX