mirror of
https://github.com/zeek/zeek.git
synced 2025-10-17 05:58:20 +00:00
Merge remote-tracking branch 'origin/master' into topic/johanna/tls13-details
This commit is contained in:
Johanna Amann
commit
af59ed6bdb
1479 changed files with 7554 additions and 13599 deletions
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/arp-leak.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/arp-leak.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/arp-who-has.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/arp-who-has.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/arp-who-has-radiotap.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/arp-who-has-radiotap.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
# @TEST-EXEC: bro -f "tcp port 21" -r $TRACES/ftp/ipv6.trace "Conn::default_extract=T"
|
||||
# @TEST-EXEC: zeek -f "tcp port 21" -r $TRACES/ftp/ipv6.trace "Conn::default_extract=T"
|
||||
# @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_orig.dat
|
||||
# @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_resp.dat
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event new_connection_contents(c: connection)
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# @TEST-EXEC: bro -b -r $TRACES/http/100-continue.trace %INPUT >out1
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/100-continue.trace %INPUT >out1
|
||||
# @TEST-EXEC: btest-diff out1
|
||||
# @TEST-EXEC: bro -b -r $TRACES/http/100-continue.trace %INPUT stop_cnt=2 >out2
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/http/100-continue.trace %INPUT stop_cnt=2 >out2
|
||||
# @TEST-EXEC: btest-diff out2
|
||||
|
||||
@load base/protocols/conn
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event connection_established(c: connection)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -b -C -r $TRACES/dce-rpc/cs_window7-join_stream092.pcap %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/dce-rpc/cs_window7-join_stream092.pcap %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff dce_rpc.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -b -r $TRACES/dce-rpc/mapi.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/mapi.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff dce_rpc.log
|
||||
# @TEST-EXEC: btest-diff ntlm.log
|
||||
|
||||
|
|
|
|||
|
|
@ -2,5 +2,5 @@
|
|||
# The trace has a message of each DHCP message type,
|
||||
# but only one lease should show up in the logs.
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff dhcp.log
|
||||
|
|
|
|||
|
|
@ -2,5 +2,5 @@
|
|||
# The trace has a message of each DHCP message type,
|
||||
# but only one lease should show up in the logs.
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff dhcp.log
|
||||
|
|
|
|||
|
|
@ -2,5 +2,5 @@
|
|||
# The trace has a message of each DHCP message type,
|
||||
# but only one lease should show up in the logs.
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff dhcp.log
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT protocols/dhcp/sub-opts
|
||||
# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT protocols/dhcp/sub-opts
|
||||
# @TEST-EXEC: btest-diff dhcp.log
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/dhcp/dhcp_time_and_nameserver.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/dhcp
|
||||
|
||||
event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=5
|
||||
{
|
||||
print "time_offset", options$time_offset;
|
||||
print "timeserver_list", options$time_servers;
|
||||
print "nameserver_list", options$name_servers;
|
||||
print "ntpserver_list", options$ntp_servers;
|
||||
}
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
# DHCPINFORM leases are special-cased in the code.
|
||||
# This tests that those leases are correctly logged.
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_inform.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_inform.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff dhcp.log
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.zeek >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif | grep "^event dnp3_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/dns-caa.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/dns-caa.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event dns_CAA_reply(c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# Making sure DNSKEY gets logged as such.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dnssec/dnskey2.pcap
|
||||
# @TEST-EXEC: zeek -r $TRACES/dnssec/dnskey2.pcap
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/dnssec/dnskey.pcap %INPUT > output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/dnssec/dnskey.pcap %INPUT > output
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/dnssec/ds.pcap %INPUT > output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/dnssec/ds.pcap %INPUT > output
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# This tests the case where the DNS server responded with zero RRs.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dns-two-responses.trace
|
||||
# @TEST-EXEC: zeek -r $TRACES/dns-two-responses.trace
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/dns53.pcap
|
||||
# @TEST-EXEC: zeek -r $TRACES/dns53.pcap
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
# If the DNS reply is seen first, should be able to correctly set orig/resp.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/dns-huge-ttl.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/dns-huge-ttl.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# This tests the case where the DNS server responded with zero RRs.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dns-txt-multiple.trace
|
||||
# @TEST-EXEC: zeek -r $TRACES/dns-txt-multiple.trace
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/dnssec/nsec.pcap %INPUT > output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/dnssec/nsec.pcap %INPUT > output
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/dnssec/nsec3.pcap %INPUT > output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/dnssec/nsec3.pcap %INPUT > output
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/dnssec/rrsig.pcap %INPUT > output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/dnssec/rrsig.pcap %INPUT > output
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/dns-tsig.trace %INPUT >out
|
||||
# @TEST-EXEC: zeek -r $TRACES/dns-tsig.trace %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
redef dns_skip_all_addl = F;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# This tests the case where the DNS server responded with zero RRs.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/dns-zero-RRs.trace
|
||||
# @TEST-EXEC: zeek -r $TRACES/dns-zero-RRs.trace
|
||||
# @TEST-EXEC: btest-diff dns.log
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/ftp/cwd-navigation.pcap >output.log %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/ftp/cwd-navigation.pcap >output.log %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ftp.log
|
||||
# @TEST-EXEC: btest-diff output.log
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# This tests extracting the server reported file size
|
||||
# from FTP sessions.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/ftp/ftp-with-numbers-in-filename.pcap
|
||||
# @TEST-EXEC: zeek -r $TRACES/ftp/ftp-with-numbers-in-filename.pcap
|
||||
# @TEST-EXEC: btest-diff ftp.log
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This tests both active and passive FTP over IPv4.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace
|
||||
# @TEST-EXEC: zeek -r $TRACES/ftp/ipv4.trace
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ftp.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This tests both active and passive FTP over IPv6.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/ftp/ipv6.trace
|
||||
# @TEST-EXEC: zeek -r $TRACES/ftp/ipv6.trace
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ftp.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/globus-url-copy.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/globus-url-copy.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff notice.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
# a given request. The http scripts should also be able log such replies
|
||||
# in a way that correlates the final response with the request.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/http/100-continue.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/100-continue.trace %INPUT
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# This tests that the HTTP analyzer does not generate a dpd error as a
|
||||
# result of seeing an upgraded connection.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/http/websocket.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/websocket.pcap %INPUT
|
||||
# @TEST-EXEC: test ! -f dpd.log
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/http/content-range-gap-skip.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/content-range-gap-skip.trace %INPUT
|
||||
|
||||
# In this trace, we should be able to determine that a gap lies
|
||||
# entirely within the body of an entity that specifies Content-Range,
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/http/content-range-gap.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/content-range-gap.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff extract_files/thefile
|
||||
|
||||
event file_new(f: fa_file)
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/http/content-range-less-than-len.pcap
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/content-range-less-than-len.pcap
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/http/entity_gap.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/entity_gap.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff entity_data
|
||||
# @TEST-EXEC: btest-diff extract_files/file0
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/http/entity_gap2.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/entity_gap2.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff entity_data
|
||||
# @TEST-EXEC: btest-diff extract_files/file0
|
||||
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/http/fake-content-length.pcap
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/fake-content-length.pcap
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
|
||||
# @TEST-EXEC: zeek -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# This tests that the HTTP analyzer handles HTTP CONNECT proxying correctly
|
||||
# when the server include a header line into its response.
|
||||
#
|
||||
# @TEST-EXEC: bro -C -r $TRACES/http/connect-with-header.trace %INPUT
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/http/connect-with-header.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff tunnel.log
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This tests that the HTTP analyzer handles HTTP CONNECT proxying correctly.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/http/connect-with-smtp.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/connect-with-smtp.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff smtp.log
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This tests that the HTTP analyzer handles filenames over HTTP correctly.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/http/http-filename.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/http-filename.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
# The base analysis scripts are loaded by default.
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# it gets confused whether it's in a header or not; it shouldn't report
|
||||
# the http_no_crlf_in_header_list wierd.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/http/byteranges.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/byteranges.trace %INPUT
|
||||
# @TEST-EXEC: test ! -f weird.log
|
||||
|
||||
# The base analysis scripts are loaded by default.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This tests that the HTTP analyzer handles strange HTTP methods properly.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/http/methods.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/methods.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT > output
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/pipelined-requests.trace %INPUT > output
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
# mime type is irrelevant to this test, so filter it out
|
||||
|
|
|
|||
|
|
@ -2,5 +2,5 @@
|
|||
# include an appropriate ZLIB header on deflated
|
||||
# content.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/http/missing-zlib-header.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/missing-zlib-header.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: cat extract_files/http-item-* | sort > extractions
|
||||
|
||||
|
|
|
|||
|
|
@ -1,10 +1,10 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT >out-limited
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT >out-limited
|
||||
# @TEST-EXEC: mv http.log http-limited.log
|
||||
# @TEST-EXEC: btest-diff http-limited.log
|
||||
# @TEST-EXEC: btest-diff out-limited
|
||||
# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT ignore_http_file_limit=T >out-limit-ignored
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT ignore_http_file_limit=T >out-limit-ignored
|
||||
# @TEST-EXEC: mv http.log http-limit-ignored.log
|
||||
# @TEST-EXEC: btest-diff http-limit-ignored.log
|
||||
# @TEST-EXEC: btest-diff out-limit-ignored
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -Cr $TRACES/http/no-uri.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -Cr $TRACES/http/no-uri.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
# @TEST-EXEC: bro -Cr $TRACES/http/no-version.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -Cr $TRACES/http/no-version.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,2 +1,2 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/http/x-gzip.pcap
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/x-gzip.pcap
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
# files when there isn't actually any body there and shouldn't
|
||||
# create a file.
|
||||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/http/zero-length-bodies-with-drops.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/http/zero-length-bodies-with-drops.pcap %INPUT
|
||||
|
||||
# There shouldn't be a files log (no files!)
|
||||
# @TEST-EXEC: test ! -f files.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# This tests that basic IRC commands (NICK, USER, JOIN, DCC SEND)
|
||||
# are logged for a client.
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff irc.log
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
# Test IRC events
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: bro -r $TRACES/irc-basic.trace %INPUT
|
||||
# @TEST-EXEC: bro -r $TRACES/irc-whitespace.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/irc-basic.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/irc-whitespace.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event irc_privmsg_message(c: connection, is_orig: bool, source: string, target: string, message: string)
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This tests that an excessively long line is truncated by the contentline
|
||||
# analyzer
|
||||
|
||||
# @TEST-EXEC: bro -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/irc-353.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/irc-353.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff weird.log
|
||||
|
||||
event irc_names_info(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -b -C -r $TRACES/tls/irc-starttls.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/irc-starttls.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This test exercises many of the Linux kinit options against a KDC
|
||||
|
||||
# @TEST-EXEC: bro -b -r $TRACES/krb/kinit.trace %INPUT > output
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/krb/kinit.trace %INPUT > output
|
||||
# @TEST-EXEC: btest-diff kerberos.log
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
# Kerberos analyzer can open the AD ticket in the Negociate
|
||||
# Protocol Request and find the user.
|
||||
#
|
||||
# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
|
||||
# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/zeek-config.h
|
||||
#
|
||||
# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
|
||||
# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb2_krb.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/krb/smb2_krb.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
redef KRB::keytab = "smb2_krb.keytab";
|
||||
|
|
|
|||
|
|
@ -1,10 +1,10 @@
|
|||
# This test verifies that without a keytab file no entries are
|
||||
# created and no errors happen.
|
||||
#
|
||||
# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
|
||||
# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/zeek-config.h
|
||||
#
|
||||
# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
|
||||
# @TEST-EXEC: bro -C -r $TRACES/krb/smb2_krb.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/krb/smb2_krb.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff .stderr
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
# SMB authentication event and therfore relies on the SMB
|
||||
# analyzer as well.
|
||||
|
||||
# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb_gssapi.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -C -r $TRACES/krb/smb_gssapi.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff kerberos.log
|
||||
# @TEST-EXEC: btest-diff-rst scripts.base.protocols.krb
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This test exercises a Kerberos authentication to a Kerberized SSH server
|
||||
|
||||
# @TEST-EXEC: bro -b -r $TRACES/krb/auth.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/krb/auth.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff kerberos.log
|
||||
|
||||
@load base/protocols/krb
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -C -r $TRACES/modbus/modbusBig.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/modbus/modbusBig.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -C -r $TRACES/modbus/modbusSmall.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/modbus/modbusSmall.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
# @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
|
||||
# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/modbus/fuzz-72.trace
|
||||
# @TEST-EXEC: zeek -r $TRACES/modbus/fuzz-72.trace
|
||||
# @TEST-EXEC: btest-diff modbus.log
|
||||
|
||||
# The pcap has a flow with some fuzzed modbus traffic in it that should cause
|
||||
# the binpac-generated analyzer code to throw a binpac::ExceptionOutOfBound.
|
||||
# This should be correctly caught as a type of binpac::Exception and the
|
||||
# binpac::ModbusTCP::Exception type that's defined as part of the analyzer
|
||||
# shouldn't interfere with that handling and definitely shouldn't crash bro.
|
||||
# shouldn't interfere with that handling and definitely shouldn't crash Zeek.
|
||||
|
|
|
|||
|
|
@ -11,4 +11,4 @@
|
|||
# as that can cause reading from a location that exceeds the end of the
|
||||
# data buffer.
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/modbus/4SICS-GeekLounge-151022-min.pcap
|
||||
# @TEST-EXEC: zeek -r $TRACES/modbus/4SICS-GeekLounge-151022-min.pcap
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# @TEST-EXEC: bro -r $TRACES/modbus/modbus.trace %INPUT
|
||||
# @TEST-EXEC: zeek -r $TRACES/modbus/modbus.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff modbus.log
|
||||
# @TEST-EXEC: btest-diff modbus_register_change.log
|
||||
# @TEST-EXEC: btest-diff known_modbus.log
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/modbus/fuzz-1011.trace %INPUT >output
|
||||
# @TEST-EXEC: zeek -r $TRACES/modbus/fuzz-1011.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff modbus.log
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -b -r $TRACES/mount/mount_base.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/mount/mount_base.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
global mount_ports: set[port] = { 635/tcp, 635/udp, 20048/tcp, 20048/udp } &redef;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This tests that successful/unsuccesful auth attempts get logged correctly
|
||||
|
||||
# @TEST-EXEC: bro -b -r $TRACES/mysql/auth.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/mysql/auth.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff mysql.log
|
||||
|
||||
@load base/protocols/mysql
|
||||
|
|
@ -1,8 +1,9 @@
|
|||
# This tests how Bro deals with encrypted connections. Right now, it doesn't log them as it
|
||||
# can't parse much of value. We're testing for an empty mysql.log file.
|
||||
# This tests how Zeek deals with encrypted connections. Right now, it
|
||||
# doesn't log them as it can't parse much of value. We're testing for an
|
||||
# empty mysql.log file.
|
||||
|
||||
# @TEST-EXEC: touch mysql.log
|
||||
# @TEST-EXEC: bro -b -r $TRACES/mysql/encrypted.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/mysql/encrypted.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff mysql.log
|
||||
|
||||
@load base/protocols/mysql
|
||||
@load base/protocols/mysql
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This tests a PCAP with a few MySQL commands from the Wireshark samples.
|
||||
|
||||
# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT >out
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/mysql/mysql.trace %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
# @TEST-EXEC: btest-diff mysql.log
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT >out
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/ncp.pcap %INPUT >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
redef likely_server_ports += { 524/tcp };
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
|
||||
# @TEST-EXEC: zeek -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
|
||||
# @TEST-EXEC: btest-diff out
|
||||
|
||||
redef likely_server_ports += { 524/tcp };
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -b -r $TRACES/nfs/nfs_base.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/nfs/nfs_base.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
global nfs_ports: set[port] = { 2049/tcp, 2049/udp } &redef;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# @TEST-EXEC: bro -C -b -r $TRACES/tls/pop3-starttls.pcap %INPUT
|
||||
# @TEST-EXEC: zeek -C -b -r $TRACES/tls/pop3-starttls.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ssl.log
|
||||
# @TEST-EXEC: btest-diff x509.log
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# This tests that a RADIUS authentication gets logged correctly
|
||||
|
||||
# @TEST-EXEC: bro -b -r $TRACES/radius/radius.trace %INPUT
|
||||
# @TEST-EXEC: zeek -b -r $TRACES/radius/radius.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff radius.log
|
||||
|
||||
@load base/protocols/radius
|
||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue