Merge remote-tracking branch 'origin/master' into topic/johanna/tls-more-data

testing/btest/scripts/base/protocols/arp/bad.test

@@ -0,0 +1,17 @@
+# @TEST-EXEC: bro -r $TRACES/arp-leak.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print "REQ", mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print "REP", mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
+	{
+	print "BAD", SPA, SHA, TPA, THA, explanation;
+	}

testing/btest/scripts/base/protocols/arp/radiotap.test

@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/arp-who-has-radiotap.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+

testing/btest/scripts/base/protocols/arp/wlanmon.test

@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+

testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest

@@ -0,0 +1,6 @@
+# This tests that DHCP leases are logged in dhcp.log
+# The trace has a message of each DHCP message type,
+# but only one lease should show up in the logs.
+
+# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT
+# @TEST-EXEC: btest-diff dhcp.log

testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest

@@ -0,0 +1,6 @@
+# This tests that DHCP leases are logged in dhcp.log
+# The trace has a message of each DHCP message type,
+# but only one lease should show up in the logs.
+
+# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT
+# @TEST-EXEC: btest-diff dhcp.log

testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest

@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT protocols/dhcp/sub-opts
+# @TEST-EXEC: btest-diff dhcp.log

testing/btest/scripts/base/protocols/dnp3/events.bro

@@ -27,9 +27,9 @@ event dnp3_object_prefix(c: connection, is_orig: bool, prefix_value: count)
 	print "dnp3_object_prefix", is_orig, prefix_value;
 	}
 
-event dnp3_header_block(c: connection, is_orig: bool, start: count, len: count, ctrl: count, dest_addr: count, src_addr: count)
+event dnp3_header_block(c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count)
 	{
-	print "dnp3_header_block", is_orig, start, len, ctrl, dest_addr, src_addr;
+	print "dnp3_header_block", is_orig, len, ctrl, dest_addr, src_addr;
 	}
 
 event dnp3_response_data_object(c: connection, is_orig: bool, data_value: count)

testing/btest/scripts/base/protocols/http/101-switching-protocols.bro

@@ -0,0 +1,13 @@
+# This tests that the HTTP analyzer does not generate a dpd error as a
+# result of seeing an upgraded connection.
+#
+# @TEST-EXEC: bro -r $TRACES/http/websocket.pcap %INPUT
+# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff .stdout
+
+event http_connection_upgrade(c: connection, protocol: string)
+	{
+	print fmt("Connection upgraded to %s", protocol);
+	}

testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro

@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -r $TRACES/http/content-range-less-than-len.pcap
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log

testing/btest/scripts/base/protocols/http/fake-content-length.bro

@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/http/fake-content-length.pcap
+# @TEST-EXEC: btest-diff http.log

testing/btest/scripts/base/protocols/http/percent-end-of-line.bro

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+

testing/btest/scripts/base/protocols/http/x-gzip.bro

@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/http/x-gzip.pcap
+# @TEST-EXEC: btest-diff http.log

testing/btest/scripts/base/protocols/irc/longline.test

@@ -0,0 +1,6 @@
+# This tests that an excessively long line is truncated by the contentline
+# analyzer
+
+# @TEST-EXEC: bro -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+

testing/btest/scripts/base/protocols/krb/smb2_krb.test

@@ -0,0 +1,21 @@
+# This test verifies that given the proper keytab file, the
+# Kerberos analyzer can open the AD ticket in the Negociate
+# Protocol Request and find the user.
+#
+# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
+#
+# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
+# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb2_krb.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+redef KRB::keytab = "smb2_krb.keytab";
+global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
+
+event bro_init() &priority=5{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports);
+}
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts:  KRB::AP_Options){
+   print ticket$authenticationinfo;
+}
+

testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test

@@ -0,0 +1,20 @@
+# This test verifies that without a keytab file no entries are
+# created and no errors happen.
+#
+# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
+#
+# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
+# @TEST-EXEC: bro -C -r $TRACES/krb/smb2_krb.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff .stderr
+
+global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
+
+event bro_init() &priority=5{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports);
+}
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts:  KRB::AP_Options){
+   print ticket?$authenticationinfo;
+}
+

testing/btest/scripts/base/protocols/krb/smb_gssapi.test

@@ -0,0 +1,11 @@
+# This test verifies that GSSAPI is correctly passing events to
+#   the Kerberos analyzer.  The specific trace example is a
+#   SMB authentication event and therfore relies on the SMB
+#   analyzer as well.
+
+# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb_gssapi.trace %INPUT
+# @TEST-EXEC: btest-diff kerberos.log
+# @TEST-EXEC: btest-diff-rst scripts.base.protocols.krb
+
+@load base/protocols/krb
+@load base/protocols/smb

testing/btest/scripts/base/protocols/modbus/length_mismatch.bro

@@ -0,0 +1,15 @@
+# The parser generated by BinPAC needs to handle this pcap without crashing
+# or asserting.  Specifically, pasing Function Code 23,
+# ReadWriteMultipleRegistersRequest, has a field:
+#
+#     uint16[write_quantity] &length=write_byte_count;
+#
+# And the pcap has mismatching values for those quantities.
+# The use of &length on arrays previously caused array elements to
+# be treated as already having a bounds check in the parsing-loop, which
+# is problematic in the case where (write_quantity * 2) > write_byte_count
+# as that can cause reading from a location that exceeds the end of the
+# data buffer.
+
+# @TEST-EXEC: bro -r $TRACES/modbus/4SICS-GeekLounge-151022-min.pcap
+# @TEST-EXEC: btest-diff weird.log

testing/btest/scripts/base/protocols/mount/basic.test

@@ -0,0 +1,31 @@
+# @TEST-EXEC: bro -b -r $TRACES/mount/mount_base.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+global mount_ports: set[port] = { 635/tcp, 635/udp, 20048/tcp, 20048/udp } &redef;
+redef ignore_checksums = T;
+
+event bro_init()
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_MOUNT, mount_ports);
+	Analyzer::enable_analyzer(Analyzer::ANALYZER_MOUNT);
+	}
+
+event mount_proc_mnt(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t)
+	{
+	print(fmt("mount_proc_mnt: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event mount_proc_umnt(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)
+	{
+	print(fmt("mount_proc_umnt: %s\n\t%s\n\t%s\n", c, info, req));
+	}
+
+event mount_proc_umnt_all(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)
+	{
+	print(fmt("mount_proc_umnt_all: %s\n\t%s\n\t%s\n", c, info, req));
+	}
+
+event mount_proc_not_implemented(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t)
+	{
+	print(fmt("mount_proc_not_implemented: %s\n\t%s\n\t%s\n", c, info, proc));
+	}

testing/btest/scripts/base/protocols/mysql/wireshark.test

@@ -1,6 +1,27 @@
 # This tests a PCAP with a few MySQL commands from the Wireshark samples.
 
-# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff mysql.log
 
-@load base/protocols/mysql
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_result_row(c: connection, row: string_vec)
+	{
+	print "mysql result row", row;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}

testing/btest/scripts/base/protocols/ncp/event.bro

@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+redef likely_server_ports += { 524/tcp };
+
+event bro_init()
+	{
+	const ports = { 524/tcp };
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports);
+	}
+
+event ncp_request(c: connection, frame_type: count, length: count, func: count)
+	{
+	print "ncp request", frame_type, length, func;
+	}
+
+event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
+	{
+	print "ncp reply", frame_type, length, req_frame, req_func, completion_code;
+	}

testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro

@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
+# @TEST-EXEC: btest-diff out
+
+redef likely_server_ports += { 524/tcp };
+
+event bro_init()
+	{
+	const ports = { 524/tcp };
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports);
+	}
+
+event ncp_request(c: connection, frame_type: count, length: count, func: count)
+	{
+	print "ncp request", frame_type, length, func;
+	}
+
+event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
+	{
+	print "ncp reply", frame_type, length, req_frame, req_func, completion_code;
+	}

testing/btest/scripts/base/protocols/nfs/basic.test

@@ -0,0 +1,82 @@
+# @TEST-EXEC: bro -b -r $TRACES/nfs/nfs_base.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+global nfs_ports: set[port] = { 2049/tcp, 2049/udp } &redef;
+redef ignore_checksums = T;
+
+event bro_init()
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, nfs_ports);
+	Analyzer::enable_analyzer(Analyzer::ANALYZER_NFS);
+	}
+
+event nfs_proc_lookup(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::lookup_reply_t )
+	{
+	print(fmt("nfs_proc_lookup: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_read(c: connection , info: NFS3::info_t , req: NFS3::readargs_t , rep: NFS3::read_reply_t )
+	{
+	print(fmt("nfs_proc_read: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_readlink(c: connection , info: NFS3::info_t , fh: string , rep: NFS3::readlink_reply_t )
+	{
+	print(fmt("nfs_proc_readlink: %s\n\t%s\n\t%s\n\t%s\n", c, info, fh, rep));
+	}
+
+event nfs_proc_write(c: connection , info: NFS3::info_t , req: NFS3::writeargs_t , rep: NFS3::write_reply_t )
+	{
+	print(fmt("nfs_proc_write: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_create(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t )
+	{
+	print(fmt("nfs_proc_create: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_mkdir(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t )
+	{
+	print(fmt("nfs_proc_mkdir: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_remove(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t )
+	{
+	print(fmt("nfs_proc_remove: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_rmdir(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t )
+	{
+	print(fmt("nfs_proc_rmdir: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_readdir(c: connection , info: NFS3::info_t , req: NFS3::readdirargs_t , rep: NFS3::readdir_reply_t )
+	{
+	print(fmt("nfs_proc_readdir: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_rename(c: connection , info: NFS3::info_t , req: NFS3::renameopargs_t , rep: NFS3::renameobj_reply_t )
+	{
+	print(fmt("nfs_proc_rename: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_sattr(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t)
+	{
+	print(fmt("nfs_proc_sattr: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_link(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t)
+	{
+	print(fmt("nfs_proc_link: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_symlink(c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t)
+	{
+	print(fmt("nfs_proc_symlink: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+	}
+
+event nfs_proc_not_implemented(c: connection , info: NFS3::info_t , proc: NFS3::proc_t )
+	{
+	print(fmt("nfs_proc_not_implemented: %s\n\t%s\n\t%s\n", c, info, proc));
+	}
+

testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test

@@ -0,0 +1,6 @@
+# Test a more complicated radius session with multiple attempts
+
+# @TEST-EXEC: bro -b -C -r $TRACES/radius/radius_localhost.pcapng %INPUT
+# @TEST-EXEC: btest-diff radius.log
+
+@load base/protocols/radius

testing/btest/scripts/base/protocols/rdp/rdp-x509.bro

@@ -1,5 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/rdp/rdp-x509.pcap %INPUT
 # @TEST-EXEC: btest-diff rdp.log
-# @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-timestamps | $SCRIPTS/diff-remove-x509-key-info" btest-diff x509.log
 
 @load base/protocols/rdp

testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test

@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -C -r $TRACES/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap %INPUT
 # @TEST-EXEC: [ ! -f dce_rpc.log ]
 
-@load policy/protocols/smb
+@load base/protocols/smb
 
 # The DCE_RPC analyzer is a little weird since it's instantiated
 # by the SMB analyzer directly in some cases.  Care needs to be

testing/btest/scripts/base/protocols/smb/raw-ntlm.test

@@ -2,7 +2,7 @@
 #@TEST-EXEC: btest-diff .stdout
 
 @load base/protocols/ntlm
-@load policy/protocols/smb
+@load base/protocols/smb
 
 # Just verify that the session key is grabbed correctly from NTLM
 # carried raw over SMB.

testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test

@@ -2,4 +2,4 @@
 # @TEST-EXEC: btest-diff dce_rpc.log
 
 @load base/protocols/dce-rpc
-@load policy/protocols/smb
+@load base/protocols/smb

testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load base/protocols/smb
+
+# Check that smb1_transaction requests are parsed correctly
+
+event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)
+{
+	print fmt("smb1_transaction_request hdr: %s, name: %s, sub_cmd: %x, params: %s, data: %s", hdr, name, sub_cmd, parameters, data);
+}

testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_response.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load base/protocols/smb
+
+# Check that smb1_transaction_response requests are parsed correctly
+
+event smb1_transaction_response(c: connection, hdr: SMB1::Header, parameters: string, data: string)
+{
+	print fmt("smb1_transaction_response hdr: %s, params: %s, data: %s", hdr, parameters, data);
+}

testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_secondary_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load base/protocols/smb
+
+# Check that smb1_transaction_secondary requests are parsed correctly
+
+event smb1_transaction_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string)
+{
+	print fmt("smb1_transaction_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data);
+}

testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load base/protocols/smb
+
+# Check that smb1_transaction2 requests are parsed correctly
+
+event smb1_transaction2_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count)
+{
+	print fmt("smb1_transaction2_request hdr: %s, args: %s, sub_cmd: %x", hdr, args, sub_cmd);
+}

testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test

@@ -0,0 +1,12 @@
+#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_secondary_request.pcap %INPUT
+#@TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/smb
+@load base/protocols/smb
+
+# Check that smb1_transaction2_secondary requests are parsed correctly
+
+event smb1_transaction2_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string)
+{
+	print fmt("smb1_transaction2_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data);
+}

testing/btest/scripts/base/protocols/smb/smb1.test

@@ -1,4 +1,4 @@
 # @TEST-EXEC: bro -b -r $TRACES/smb/smb1.pcap %INPUT
 # @TEST-EXEC: btest-diff smb_files.log
 
-@load policy/protocols/smb
+@load base/protocols/smb

testing/btest/scripts/base/protocols/smb/smb2.test

@@ -4,6 +4,23 @@
 # @TEST-EXEC: btest-diff files.log
 # @TEST-EXEC: test ! -f dpd.log
 # @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: btest-diff .stdout
 
-@load policy/protocols/smb
+@load base/protocols/smb
 
+# Add some tests for SMB2 create request and response.
+event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)
+	{
+	print fmt("smb2_create_request %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, request);
+	}
+
+event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse)
+	{
+	print fmt("smb2_create_response %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, response);
+	}
+
+event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id:
+                      SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs)
+	{
+	print fmt("smb2_file_sattr %s -> %s:%d %s MACTimes:%s FileAttrs:%s", c$id$orig_h, c$id$resp_h, c$id$resp_p, file_id, times, attrs);
+	}

testing/btest/scripts/base/protocols/socks/socks-auth.bro

@@ -3,3 +3,9 @@
 # @TEST-EXEC: btest-diff tunnel.log
 
 @load base/protocols/socks
+
+redef SOCKS::default_capture_password = T;
+
+@TEST-START-NEXT
+
+@load base/protocols/socks

testing/btest/scripts/base/protocols/ssh/curve25519_kex.test

@@ -0,0 +1,6 @@
+# This tests a successful login with pubkey using curve25519 as the KEX algorithm
+
+# @TEST-EXEC: bro -b -r $TRACES/ssh/ssh_kex_curve25519.pcap %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+
+@load base/protocols/ssh

testing/btest/scripts/base/protocols/ssl/basic.test

@@ -3,3 +3,4 @@
 # @TEST-EXEC: bro -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: test ! -f dpd.log

testing/btest/scripts/base/protocols/ssl/dpd.test

@@ -2,6 +2,7 @@
 # @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/tls-early-alert.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 @load base/frameworks/dpd

testing/btest/scripts/base/protocols/ssl/dtls.test

@@ -1,5 +1,10 @@
 # This tests a normal SSL connection and the log it outputs.
 
-# @TEST-EXEC: bro -r $TRACES/tls/dtls-openssl.pcap %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/dtls1_0.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: bro -r $TRACES/tls/dtls1_2.pcap %INPUT
+# @TEST-EXEC: cp ssl.log ssl1_2.log
+# @TEST-EXEC: cp x509.log x5091_2.log
+# @TEST-EXEC: btest-diff ssl1_2.log
+# @TEST-EXEC: btest-diff x5091_2.log

testing/btest/scripts/base/protocols/ssl/keyexchange.test

@@ -0,0 +1,126 @@
+# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
+# @TEST-EXEC: cat ssl.log > ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/dtls1_0.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/dtls1_2.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: btest-diff ssl-all.log
+
+# Test the new client and server key exchange events.
+
+@load base/protocols/ssl
+@load base/files/x509
+@load protocols/ssl/extract-certs-pem.bro
+
+module SSL;
+
+export {
+	redef record Info += {
+		# ClientHello
+		client_random: string &log &optional;
+		client_cipher_suites: string &log &optional;
+
+		# ServerHello
+		server_random: string &log &optional;
+
+		# ServerKeyExchange
+		server_dh_p: string &log &optional;
+		server_dh_q: string &log &optional;
+		server_dh_Ys: string &log &optional;
+		server_ecdh_point: string &log &optional;
+		server_signature_sig_alg: count &log &optional;
+		server_signature_hash_alg: count &log &optional;
+		server_signature: string &log &optional;
+
+		# ServerCertificate
+		server_cert_sha1: string &log &optional;
+
+		# ClientKeyExchange
+		client_rsa_pms: string &log &optional;
+		client_dh_Yc: string &log &optional;
+		client_ecdh_point: string &log &optional;
+	};
+
+	## Control if host certificates offered by the defined hosts
+	## will be written to the PEM certificates file.
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
+	redef extract_certs_pem = ALL_HOSTS;
+}
+
+event ssl_established(c: connection) &priority=5
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
+	     ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1;
+	}
+
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
+	{
+	set_session(c);
+	c$ssl$client_random = bytestring_to_hexstr(client_random);
+
+	local ciphers_str = "";
+	for (i in ciphers)
+		{
+			ciphers_str += cipher_desc[ciphers[i]];
+			if ( i != |ciphers|-1)
+				{
+					ciphers_str += ",";
+				}
+		}
+	c$ssl$client_cipher_suites = ciphers_str;
+	}
+
+event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
+	{
+	set_session(c);
+	c$ssl$server_random = bytestring_to_hexstr(server_random);
+	}
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$server_dh_p = bytestring_to_hexstr(p);
+	c$ssl$server_dh_q = bytestring_to_hexstr(q);
+	c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys);
+	}
+
+event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$server_ecdh_point = bytestring_to_hexstr(point);
+	}
+
+event ssl_server_signature(c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$server_signature_sig_alg = signature_and_hashalgorithm$SignatureAlgorithm;
+	c$ssl$server_signature_hash_alg = signature_and_hashalgorithm$HashAlgorithm;
+	c$ssl$server_signature = bytestring_to_hexstr(signature);
+	}
+
+event ssl_rsa_client_pms(c: connection, pms: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$client_rsa_pms = bytestring_to_hexstr(pms);
+	}
+
+event ssl_dh_client_params(c: connection, Yc: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc);
+	}
+
+event ssl_ecdh_client_params(c: connection, point: string) &priority=5
+	{
+	set_session(c);
+	c$ssl$client_ecdh_point = bytestring_to_hexstr(point);
+	}

testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test

@@ -0,0 +1,43 @@
+# This tests a normal OCSP request sent through HTTP GET
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count)
+	{
+	print "request", version, "";
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}

testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test

@@ -0,0 +1,42 @@
+# This tests a OCSP request missing response
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count)
+	{
+	print "request", version, "";
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}

testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test

@@ -0,0 +1,43 @@
+# This tests a pair of normal OCSP request and response
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count)
+	{
+	print "request", version, "";
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}

testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test

@@ -0,0 +1,43 @@
+# This tests a normal OCSP response missing request
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count)
+	{
+	print "request", version, "";
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}

testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test

@@ -0,0 +1,43 @@
+# This tests OCSP response with revocation
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT
+# @TEST-EXEC: btest-diff ocsp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load files/x509/log-ocsp
+
+event bro_init()
+	{
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
+	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+	}
+
+event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
+	{
+	print "extension: ", ext, global_resp;
+	}
+
+event ocsp_request(f: fa_file, version: count)
+	{
+	print "request", version, "";
+	}
+
+event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
+	{
+	print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
+	}
+
+event ocsp_response_status(f: fa_file, status: string)
+	{
+	print "ocsp_response_status", status;
+	}
+
+event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+	{
+	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
+	}
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+	{
+	print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
+	}

testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test

@@ -0,0 +1,49 @@
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
+#
+# The following file contains a tls 1.0 connection with a SCT in a TLS extension.
+# This is interesting because the digitally-signed struct in TLS 1.0 does not come
+# with a SignatureAndHashAlgorithm structure. The digitally-signed struct in the
+# SCT is, however, based on the TLS 1.2 RFC, no matter which version of TLS one
+# uses in the end. So this one does have a Signature/Hash alg, even if the protocol
+# itself does not carry it in the same struct.
+#
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp_tls1_0.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: test ! -f dpd.log
+
+export {
+	type LogInfo: record {
+		version: count;
+		logid: string;
+		timestamp: count;
+		sig_alg: count;
+		hash_alg: count;
+		signature: string;
+	};
+}
+
+redef record SSL::Info += {
+	ct_proofs: vector of LogInfo &default=vector();
+};
+
+event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
+	{
+	print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm;
+	c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature);
+	}
+
+event ssl_established(c: connection)
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	local cert = c$ssl$cert_chain[0]$x509$handle;
+
+	for ( i in c$ssl$ct_proofs )
+		{
+		local log = c$ssl$ct_proofs[i];
+
+		print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg);
+		print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg);
+		}
+	}

testing/btest/scripts/base/protocols/ssl/tls-extension-events.test

@@ -1,4 +1,5 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
@@ -33,3 +34,17 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_
 		print SSL::hash_algorithms[signature_algorithms[i]$HashAlgorithm], SSL::signature_algorithms[signature_algorithms[i]$SignatureAlgorithm];
 		}
 	}
+
+event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
+	{
+	print "supported_versions(", c$id$orig_h, c$id$resp_h;
+	for ( i in versions )
+		print SSL::version_strings[versions[i]];
+	}
+
+event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec)
+	{
+	print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h;
+	for ( i in modes )
+		print modes[i];
+	}

testing/btest/scripts/base/protocols/ssl/tls13-experiment.test

@@ -0,0 +1,19 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff .stdout
+
+# This is a trace that uses a completely non-standard way of establishing TLS 1.3; this seems
+# to be an undocumented extension where the TLS version is negotiated via the server sending back
+# an supported_versions extension (which, according to the RFC is strictly prohibited).
+#
+# This only seems to happen with Chrome talking to google servers. We do not recognize this as
+# TLS 1.3, but we do not abort when encountering traffic like this.
+#
+# In the meantime this way of establishing TLS 1.3 was standardized. Still keeping the test even
+# though we parse this correctly now.
+
+event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
+	{
+	if ( ! is_orig && code == 43 )
+		print bytestring_to_hexstr(val);
+	}

testing/btest/scripts/base/protocols/ssl/tls13-version.test

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls13draft23-chrome67.0.3368.0-canary.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+# Test that we correctly parse the version out of the extension in an 1.3 connection

testing/btest/scripts/base/protocols/ssl/tls1_1.test

@@ -0,0 +1,6 @@
+# This tests a normal SSL connection and the log it outputs.
+
+# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: test ! -f dpd.log

testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test

@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event x509_extension(f: fa_file, ext: X509::Extension)
+	{
+	if ( ext$oid != "1.3.6.1.5.5.7.1.12" )
+		return;
+
+	print ext$short_name;
+	print ext$value;
+	}