Merge remote-tracking branch 'origin/master' into topic/vladg/mysql

Conflicts:
	testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
	testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
	testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log

testing/btest/scripts/base/protocols/dnp3/events.bro

@@ -82,12 +82,12 @@ event dnp3_frozen_counter_16wFlag(c: connection, is_orig: bool, flag:count, coun
 	print "dnp3_frozen_counter_16wFlag", is_orig, flag;
 	}
 
-event dnp3_frozen_counter_32wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: string)
+event dnp3_frozen_counter_32wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: count)
 	{
 	print "dnp3_frozen_counter_32wFlagTime", is_orig, flag;
 	}
 
-event dnp3_frozen_counter_16wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: string)
+event dnp3_frozen_counter_16wFlagTime(c: connection, is_orig: bool, flag:count, count_value: count, time48: count)
 	{
 	print "dnp3_frozen_counter_16wFlagTime", is_orig, flag;
 	}
@@ -142,12 +142,12 @@ event dnp3_frozen_analog_input_16wFlag(c: connection, is_orig: bool, flag: count
 	print "dnp3_frozen_analog_input_16wFlag", is_orig, flag, frozen_value;
 	}
 
-event dnp3_frozen_analog_input_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+event dnp3_frozen_analog_input_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
 	{
 	print "dnp3_frozen_analog_input_32wTime", is_orig, flag, frozen_value, time48;
 	}
 
-event dnp3_frozen_analog_input_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+event dnp3_frozen_analog_input_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
 	{
 	print "dnp3_frozen_analog_input_16wTime", is_orig, flag, frozen_value, time48;
 	}
@@ -182,12 +182,12 @@ event dnp3_analog_input_event_16woTime(c: connection, is_orig: bool, flag: count
 	print "dnp3_analog_input_event_16woTime", is_orig, flag, value;
 	}
 
-event dnp3_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string)
+event dnp3_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)
 	{
 	print "dnp3_analog_input_event_32wTime", is_orig, flag, value, time48;
 	}
 
-event dnp3_analog_input_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string)
+event dnp3_analog_input_16wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)
 	{
 	print "dnp3_analog_input_event_16wTime", is_orig, flag, value, time48;
 	}
@@ -202,12 +202,12 @@ event dnp3_analog_inputDP_woTime(c: connection, is_orig: bool, flag: count, valu
 	print "dnp3_analog_input_event_DPwoTime", is_orig, flag, value_low, value_high;
 	}
 
-event dnp3_analog_inputSP_wTime(c: connection, is_orig: bool, flag: count, value: count, time48: string)
+event dnp3_analog_inputSP_wTime(c: connection, is_orig: bool, flag: count, value: count, time48: count)
 	{
 	print "dnp3_analog_input_event_SPwTime", is_orig, flag, value, time48;
 	}
 
-event dnp3_analog_inputDP_wTime(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: string)
+event dnp3_analog_inputDP_wTime(c: connection, is_orig: bool, flag: count, value_low: count, value_high: count, time48: count)
 	{
 	print "dnp3_analog_input_event_DPwTime", is_orig, flag, value_low, value_high, time48;
 	}
@@ -222,12 +222,12 @@ event dnp3_frozen_analog_input_event_16woTime(c: connection, is_orig: bool, flag
 	print "dnp3_frozen_analog_input_event_16woTime", is_orig, flag, frozen_value;
 	}
 
-event dnp3_frozen_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+event dnp3_frozen_analog_input_event_32wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
 	{
 	print "dnp3_frozen_analog_input_event_32wTime", is_orig, flag, frozen_value, time48;
 	}
 
-event dnp3_frozen_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+event dnp3_frozen_analog_input_event_16wTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
 	{
 	print "dnp3_frozen_analog_input_event_16wTime", is_orig, flag, frozen_value, time48;
 	}
@@ -242,12 +242,12 @@ event dnp3_frozen_analog_input_event_DPwoTime(c: connection, is_orig: bool, flag
 	print "dnp3_frozen_analog_input_event_DPwoTime", is_orig, flag, frozen_value_low, frozen_value_high;
 	}
 
-event dnp3_frozen_analog_input_event_SPwTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: string)
+event dnp3_frozen_analog_input_event_SPwTime(c: connection, is_orig: bool, flag: count, frozen_value: count, time48: count)
 	{
 	print "dnp3_frozen_analog_inputeventSP_wTime", is_orig, flag, frozen_value, time48;
 	}
 
-event dnp3_frozen_analog_input_event_DPwTime(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: string)
+event dnp3_frozen_analog_input_event_DPwTime(c: connection, is_orig: bool, flag: count, frozen_value_low: count, frozen_value_high: count, time48: count)
 	{
 	print "dnp3_frozen_analog_inputeventDP_wTime", is_orig, flag, frozen_value_low, frozen_value_high, time48;
 	}

testing/btest/scripts/base/protocols/dns/tsig.bro

@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro -r $TRACES/dns-tsig.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+redef dns_skip_all_addl = F;
+
+event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional)
+	{
+	print ans;
+	print |ans$sig|;
+	}

testing/btest/scripts/base/protocols/http/content-range-gap-skip.bro

@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -r $TRACES/http/content-range-gap-skip.trace %INPUT
+
+# In this trace, we should be able to determine that a gap lies
+# entirely within the body of an entity that specifies Content-Range,
+# and so further deliveries after the gap can still be made.
+
+global got_gap = F;
+global got_data_after_gap = F;
+
+event http_entity_data(c: connection, is_orig: bool, length: count,
+                       data: string)
+	{
+	if ( got_gap )
+		got_data_after_gap = T;
+	}
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	got_gap = T;
+	}
+
+event bro_done()
+	{
+	if ( ! got_data_after_gap )
+		exit(1);
+	}

testing/btest/scripts/base/protocols/http/content-range-gap.bro

@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r $TRACES/http/content-range-gap.trace %INPUT
+# @TEST-EXEC: btest-diff extract_files/thefile
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
+					   [$extract_filename="thefile"]);
+	}

testing/btest/scripts/base/protocols/http/entity-gap.bro

@@ -0,0 +1,24 @@
+# @TEST-EXEC: bro -r $TRACES/http/entity_gap.trace %INPUT
+# @TEST-EXEC: btest-diff entity_data
+# @TEST-EXEC: btest-diff extract_files/file0
+
+global f = open("entity_data");
+global fn = 0;
+
+event http_entity_data(c: connection, is_orig: bool, length: count,
+                       data: string)
+	{
+	print f, data;
+	}
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	print f, fmt("<%d byte gap>", length);
+	}
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
+					   [$extract_filename=fmt("file%d", fn)]);
+	++fn;
+	}

testing/btest/scripts/base/protocols/http/entity-gap2.bro

@@ -0,0 +1,24 @@
+# @TEST-EXEC: bro -r $TRACES/http/entity_gap2.trace %INPUT
+# @TEST-EXEC: btest-diff entity_data
+# @TEST-EXEC: btest-diff extract_files/file0
+
+global f = open("entity_data");
+global fn = 0;
+
+event http_entity_data(c: connection, is_orig: bool, length: count,
+                       data: string)
+	{
+	print f, data;
+	}
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	print f, fmt("<%d byte gap>", length);
+	}
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
+					   [$extract_filename=fmt("file%d", fn)]);
+	++fn;
+	}

testing/btest/scripts/base/protocols/modbus/coil_parsing_big.bro

@@ -0,0 +1,47 @@
+#
+# @TEST-EXEC: bro -C -r $TRACES/modbus/modbusBig.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif  | grep "^event modbus_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+
+event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
+{
+    print "modbus_message", c$id, headers, is_orig;
+}
+
+event modbus_exception(c: connection, headers: ModbusHeaders, code: count)
+{
+    print "modbus_exception", c$id, headers, code;
+}
+
+event modbus_read_coils_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_read_coils_request", c$id, headers, start_address, quantity;
+}
+
+event modbus_read_coils_response(c: connection, headers: ModbusHeaders, coils: ModbusCoils)
+{
+    print "modbus_read_coils_response", c$id, headers, coils;
+}
+event modbus_write_single_coil_request(c: connection, headers: ModbusHeaders, address: count, value: bool)
+{
+    print "modbus_write_single_coil_request", c$id, headers, address, value;
+}
+
+event modbus_write_single_coil_response(c: connection, headers: ModbusHeaders, address: count, value: bool)
+{
+    print "modbus_write_single_coil_response", c$id, headers, address, value;
+}
+
+event modbus_write_multiple_coils_request(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils)
+{
+    print "modbus_write_multiple_coils_request", c$id, headers, start_address, coils;
+}
+
+event modbus_write_multiple_coils_response(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_write_multiple_coils_response", c$id, headers, start_address, quantity;
+}
+

testing/btest/scripts/base/protocols/modbus/coil_parsing_small.bro

@@ -0,0 +1,47 @@
+#
+# @TEST-EXEC: bro -C -r $TRACES/modbus/modbusSmall.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif  | grep "^event modbus_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+
+event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
+{
+    print "modbus_message", c$id, headers, is_orig;
+}
+
+event modbus_exception(c: connection, headers: ModbusHeaders, code: count)
+{
+    print "modbus_exception", c$id, headers, code;
+}
+
+event modbus_read_coils_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_read_coils_request", c$id, headers, start_address, quantity;
+}
+
+event modbus_read_coils_response(c: connection, headers: ModbusHeaders, coils: ModbusCoils)
+{
+    print "modbus_read_coils_response", c$id, headers, coils;
+}
+event modbus_write_single_coil_request(c: connection, headers: ModbusHeaders, address: count, value: bool)
+{
+    print "modbus_write_single_coil_request", c$id, headers, address, value;
+}
+
+event modbus_write_single_coil_response(c: connection, headers: ModbusHeaders, address: count, value: bool)
+{
+    print "modbus_write_single_coil_response", c$id, headers, address, value;
+}
+
+event modbus_write_multiple_coils_request(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils)
+{
+    print "modbus_write_multiple_coils_request", c$id, headers, start_address, coils;
+}
+
+event modbus_write_multiple_coils_response(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_write_multiple_coils_response", c$id, headers, start_address, quantity;
+}
+