From ac7bbe69492e21c16da1c049d0a94cbe2fac41b0 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 23 Jan 2025 12:12:23 +0000
Subject: [PATCH] Make conn.log service field ordered

This changes service set in the connection record, and thus also the conn.log service field to being ordered. Speficically, the order of the entries in the service field will be the same order in which protocols will be confirmed. This means that it now is possible to see which protocols were layered over each other in which order by looking at the respective conn.log entry.
---
 scripts/base/init-bare.zeek | 2 +-
 scripts/base/protocols/conn/main.zeek | 6 ++++--
 src/Conn.cc | 6 ++++--
 testing/btest/Baseline/plugins.writer/output | 2 +-
 .../Baseline/scripts.base.protocols.ftp.gridftp/conn.log | 2 +-
 .../conn.log | 2 +-
 .../scripts.base.protocols.http.http-connect/conn.log | 2 +-
 .../tls-12.conn.log | 2 +-
 .../tls-13.conn.log | 2 +-
 .../scripts.base.protocols.mysql.encrypted/conn.log | 2 +-
 .../Baseline/scripts.base.protocols.pop3.starttls/conn.log | 2 +-
 .../conn.cut | 2 +-
 .../conn.cut | 2 +-
 .../scripts.base.protocols.quic.chromium/conn.log.cut | 2 +-
 .../scripts.base.protocols.quic.curl-http3/conn.log.cut | 2 +-
 .../scripts.base.protocols.quic.firefox/conn.log.cut | 2 +-
 .../conn.log.cut | 2 +-
 .../conn.log.cut | 2 +-
 .../conn.log.cut | 2 +-
 .../conn.log.cut | 4 ++--
 .../scripts.base.protocols.quic.quicdoq/conn.log.cut | 2 +-
 .../conn.log.cut | 2 +-
 .../conn.log.cut | 2 +-
 .../scripts.base.protocols.quic.run-pcap/conn.log.cut | 2 +-
 .../conn.log.cut | 2 +-
 .../conn.log.cut | 2 +-
 .../conn.log.cut | 2 +-
 .../conn.log.cut | 2 +-
 .../conn.log.cut | 4 ++--
 .../conn.log.cut | 4 ++--
 .../conn.log.cut.spicy | 4 ++--
 .../conn.log.cut | 4 ++--
 .../Baseline/scripts.base.protocols.xmpp.starttls/conn.log | 2 +-
 33 files changed, 44 insertions(+), 40 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 6fce72055b..3f6a311e85 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -554,7 +554,7 @@ type connection: record {
 ## principle it is possible that more than one protocol analyzer is able
 ## to parse the same data. If so, all will be recorded. Also note that
 ## the recorded services are independent of any transport-level protocols.
- service: set[string];
+ service: set[string] &ordered;
 history: string; ##< State history of connections. See *history* in :zeek:see:`Conn::Info`.
 ## A globally unique connection identifier. For each connection, Zeek
 ## creates an ID that is very likely unique across independent Zeek runs.
diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek
index 81ce786b7d..9853207d15 100644
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@@ -27,8 +27,10 @@ export {
 id: conn_id &log;
 ## The transport layer protocol of the connection.
 proto: transport_proto &log;
- ## An identification of an application protocol being sent over
- ## the connection.
+ ## The identification of the application protocol(s) being sent over
+ ## the connection. Can list more than one protocol separated with
+ ## colons. Protocols listed are in the order in which they are
+ ## confirmed.
 service: string &log &optional;
 ## How long the connection lasted.
 ##
diff --git a/src/Conn.cc b/src/Conn.cc
index cbf95b8fff..5e7f065033 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
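Review bot: The doc comment above `service` in scripts/base/init-bare.zeek still only says that all matching analyzers "will be recorded" and does not mention that the set is now ordered, so script writers and log consumers get no hint that element order carries meaning. I would add a line such as `## The set is &ordered: entries appear in the order in which the analyzers were confirmed.` directly above the field. The baselines in this patch flip existing values (for example `ssl,mysql` becomes `mysql,ssl`), so any downstream detection or SIEM query that compares the conn.log service column against an exact string, rather than testing membership, will stop matching after the upgrade; the diffstat shows no NEWS or changelog entry that tells operators this. The record definition starts and ends outside the hunk.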
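Review bot: The new comment on `service` in scripts/base/protocols/conn/main.zeek says protocols are "separated with colons", but every updated baseline in this patch shows commas (`socks,http`, `http,websocket,ssh`); the third added line should read `## commas. Protocols listed are in the order in which they are`. It would also help to state that the order is confirmation order and not necessarily encapsulation order: the QUIC baselines now read `ssl,quic` although TLS is carried inside QUIC, and the Spicy SSH baseline reads `http,ssh,websocket` where the non-Spicy one reads `http,websocket,ssh`. Analysts who read the field as a layering stack, as the commit message suggests, could misjudge tunnelled traffic.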
@@ -224,8 +224,10 @@ const RecordValPtr& Connection::GetVal() { conn_val->Assign(1, std::move(orig_endp)); conn_val->Assign(2, std::move(resp_endp)); // 3 and 4 are set below. - conn_val->Assign(5, make_intrusive(id::string_set)); // service - conn_val->Assign(6, val_mgr->EmptyString()); // history + // Do not assign to 5 (service). It is a non-optional set, which will be default-initialized + // using the script-level settings; this easily applies the &ordered attribute to it. + // conn_val->Assign(5, make_intrusive(id::ordered_string_set)); // service + conn_val->Assign(6, val_mgr->EmptyString()); // history if ( ! uid ) uid.Set(zeek::detail::bits_per_uid); diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output index a3c33207be..351f741c45 100644 --- a/testing/btest/Baseline/plugins.writer/output +++ b/testing/btest/Baseline/plugins.writer/output 
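Review bot: The added block in Connection::GetVal() keeps the old assignment as commented-out code, `// conn_val->Assign(5, make_intrusive(id::ordered_string_set)); // service`, and that line names `id::ordered_string_set`, which nothing in this patch defines; I would delete it and keep only the two explanatory comment lines. Field 5 now depends on the record's default initialisation producing a non-null set, which is not visible in this hunk, so any C++ code that reads index 5 of the connection record directly should be checked against that assumption. The neighbouring comment `// 3 and 4 are set below.` could become `// 3 and 4 are set below; 5 (service) is default-initialized.` so the gap in the index sequence is explained in one place. GetVal() starts before and continues past the hunk.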
@@ -12,7 +12,7 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0.0) [analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|- [analyzer] XXXXXXXXXX.XXXXXX|violation|protocol|DCE_RPC|ClEkJM2Vm5giqnMf4h|-|10.0.0.55|53994|60.190.189.214|8124|Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers|- [conn] XXXXXXXXXX.XXXXXX|CHhAvVGS1DHFjwGM9|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|T|F|0|S|5|320|0|0|-|6 -[conn] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|http,socks|13.839419|3860|2934|SF|T|F|0|ShADadfF|23|5080|20|3986|-|6 +[conn] XXXXXXXXXX.XXXXXX|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|socks,http|13.839419|3860|2934|SF|T|F|0|ShADadfF|23|5080|20|3986|-|6 [conn] XXXXXXXXXX.XXXXXX|C4J4Th3PJpwUYZZ6gc|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|T|F|0|F|1|52|0|0|-|6 [conn] XXXXXXXXXX.XXXXXX|CtPZjS20MLrsMUOJi2|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|T|F|0|F|1|52|0|0|-|6 [conn] XXXXXXXXXX.XXXXXX|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|T|F|0|F|1|52|0|0|-|6 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log index 8fee6546a7..241f1125e6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log 
@@ -8,5 +8,5 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 tcp ftp,ssl,gridftp 0.294743 4491 6659 SF T T 0 ShAdDaFf 22 5643 21 7759 - 6 -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 tcp gridftp-data,ssl 0.010760 2109 3196 S1 T T 0 ShADad 7 2481 6 3516 - 6 +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 tcp ssl,gridftp-data 0.010760 2109 3196 S1 T T 0 ShADad 7 2481 6 3516 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log index 2ded9d823c..bfeb969d1f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ::1 52522 ::1 80 tcp ssl,http 0.691241 3644 55499 S1 T T 0 ShAaDd 29 5744 29 57599 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ::1 52522 ::1 80 tcp http,ssl 0.691241 3644 55499 S1 T T 0 ShAaDd 29 5744 29 57599 - 6 #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log index 7f7b5dccce..01be2facd2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp smtp,http 6.722274 1685 223 SF F T 0 ShADadtTfF 14 2257 16 944 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp http,smtp 6.722274 1685 223 SF F T 0 ShADadtTfF 14 2257 16 944 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log index c374cbb0a0..4b3399b8fb 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.conn.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 58132 79.107.90.25 3306 tcp ssl,mysql 2.043921 724 3255 SF F F 0 ShAdDaFf 14 1460 11 3835 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 58132 79.107.90.25 3306 tcp mysql,ssl 2.043921 724 3255 SF F F 0 ShAdDaFf 14 1460 11 3835 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log index 7059498553..d4c1ab00a6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 57902 79.107.90.25 3306 tcp ssl,mysql 6.756360 1076 3776 SF F F 0 ShAdDaFf 19 2072 14 4512 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 82.239.87.25 57902 79.107.90.25 3306 tcp mysql,ssl 6.756360 1076 3776 SF F F 0 ShAdDaFf 19 2072 14 4512 - 6 #close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log index fbf6293848..ba96ccbe3e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59272 127.0.0.1 3306 tcp ssl,mysql 0.021783 713 1959 SF T T 0 ShAdDaFf 10 1241 8 2383 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 59272 127.0.0.1 3306 tcp mysql,ssl 0.021783 713 1959 SF T T 0 ShAdDaFf 10 1241 8 2383 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log index 3fc69f6c3e..2942d9a503 100644 --- a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log 
@@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54775 192.168.4.149 110 tcp ssl,pop3 2.489002 851 2590 SF T T 0 ShAadDfFr 16 1695 17 3462 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54775 192.168.4.149 110 tcp pop3,ssl 2.489002 851 2590 SF T T 0 ShAadDfFr 16 1695 17 3462 - 6 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut index 62a51c0bf1..697313a33d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid id.orig_h id.orig_p id.resp_h id.resp_p service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 ssl,postgresql +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 postgresql,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut index d5b92b5fe9..c2be47ab61 100644 --- a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut 
@@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid id.orig_h id.orig_p id.resp_h id.resp_p service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 ssl,postgresql +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 postgresql,ssl diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut 
@@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut index 6eadcd2f9d..91c6575829 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut @@ -2,4 +2,4 @@ ts uid history service 0.015059 ClEkJM2Vm5giqnMf4h - - 0.001000 CHhAvVGS1DHFjwGM9 - - -0.648580 C4J4Th3PJpwUYZZ6gc Dd quic,ssl +0.648580 C4J4Th3PJpwUYZZ6gc Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut index f60a9d33e6..82447e238b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut 
@@ -2,4 +2,4 @@ ts uid history service 0.000000 CHhAvVGS1DHFjwGM9 - - 0.016059 ClEkJM2Vm5giqnMf4h - - -0.669020 C4J4Th3PJpwUYZZ6gc Dd quic,ssl +0.669020 C4J4Th3PJpwUYZZ6gc Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut index 01d1a432a4..8fa1c1ad8f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut @@ -2,5 +2,5 @@ ts uid history service 0.015059 ClEkJM2Vm5giqnMf4h - - 0.001000 CHhAvVGS1DHFjwGM9 - - -0.790739 CtPZjS20MLrsMUOJi2 Dd quic,ssl -0.718160 C4J4Th3PJpwUYZZ6gc Dd quic,ssl +0.790739 CtPZjS20MLrsMUOJi2 Dd ssl,quic +0.718160 C4J4Th3PJpwUYZZ6gc Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut 
@@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut index 46d72b1541..f95a354194 100644 --- a/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd quic,ssl +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 Dd ssl,quic diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.broker-websocket/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.broker-websocket/conn.log.cut index f5bd2aa2ab..a9226b32b3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.broker-websocket/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.broker-websocket/conn.log.cut 
@@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadfF websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadfF http,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.jupyter-websocket/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.jupyter-websocket/conn.log.cut index f5bd2aa2ab..a9226b32b3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.jupyter-websocket/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.jupyter-websocket/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadfF websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadfF http,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-http/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-http/conn.log.cut index bb892cdeb5..4e74781615 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-http/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-http/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadFR websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadFR http,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-https/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-https/conn.log.cut index b61cd3bda1..34aa0f7c1f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-https/conn.log.cut 
+++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-https/conn.log.cut @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadFR websocket,ssl,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadFR http,ssl,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure-wrong/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure-wrong/conn.log.cut index e8d2c4ae9a..0dc087d250 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure-wrong/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure-wrong/conn.log.cut @@ -1,4 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR websocket,http -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR http,websocket +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR http,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure/conn.log.cut index 72dcb1c5fa..bf5724eb72 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-configure/conn.log.cut 
@@ -1,4 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR websocket,ssh,http -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR websocket,ssh,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR http,websocket,ssh +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR http,websocket,ssh diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-spicy/conn.log.cut.spicy b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-spicy/conn.log.cut.spicy index 3e8944eb50..affc0e0a0f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-spicy/conn.log.cut.spicy +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh-spicy/conn.log.cut.spicy @@ -1,4 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR ssh,websocket,http -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR ssh,websocket,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR http,ssh,websocket +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR http,ssh,websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh/conn.log.cut index 72dcb1c5fa..bf5724eb72 100644 --- a/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh/conn.log.cut +++ b/testing/btest/Baseline/scripts.base.protocols.websocket.wstunnel-ssh/conn.log.cut 
@@ -1,4 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ts uid history service -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR websocket,ssh,http -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR websocket,ssh,http +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 ShADadR http,websocket,ssh +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h ShADadR http,websocket,ssh diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log index c0879be9b1..aa2012bfc3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 198.128.203.95 56048 146.255.57.229 5222 tcp ssl,xmpp 2.213218 676 4678 SF F F 0 ShADadfFr 19 1676 15 5442 - 6 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 198.128.203.95 56048 146.255.57.229 5222 tcp xmpp,ssl 2.213218 676 4678 SF F F 0 ShADadfFr 19 1676 15 5442 - 6 #close XXXX-XX-XX-XX-XX-XX