mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Going over initial parts of the scripting overview.
I made a light pass over the text. Switched the includes over to the new btest-include and adapted the other TEXT-EXECs a bit. Also includes more tweaking all over the Sphinx setup.
This commit is contained in:
Robin Sommer
parent
f8c9d5e3d3
commit
b74bf10565
169 changed files with 2421 additions and 804 deletions
|
|
@ -1 +1 @@
|
|||
Subproject commit 35bb074c1c5173e44689df680a24ba13fea39a11
|
||||
Subproject commit 9726c5b982ee0e3e730a15dcd65f49bdee3fe458
|
||||
|
|
@ -41,10 +41,10 @@ btest_tests="doc/sphinx"
|
|||
|
||||
# Add any Sphinx extension module names here, as strings. They can be extensions
|
||||
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
|
||||
extensions += ['bro', 'rst_directive', 'sphinx.ext.todo', 'adapt-toc',
|
||||
'rootedliteralinclude']
|
||||
extensions += ['bro', 'rst_directive', 'sphinx.ext.todo', 'adapt-toc']
|
||||
|
||||
os.environ["BRO_SRC_ROOT"] = "@CMAKE_SOURCE_DIR@"
|
||||
os.environ["DOC_ROOT"] = "@CMAKE_SOURCE_DIR@/doc"
|
||||
|
||||
# Add any paths that contain templates here, relative to this directory.
|
||||
templates_path = ['sphinx-sources/_templates', 'sphinx-sources/_static']
|
||||
|
|
@ -83,7 +83,7 @@ today_fmt = '%B %d, %Y'
|
|||
|
||||
# List of patterns, relative to source directory, that match files and
|
||||
# directories to ignore when looking for source files.
|
||||
exclude_patterns = []
|
||||
exclude_patterns = [".#*"]
|
||||
|
||||
# The reST default role (used for this markup: `text`) to use for all documents.
|
||||
#default_role = None
|
||||
|
|
|
|||
|
|
@ -1,25 +0,0 @@
|
|||
import os
|
||||
from sphinx.directives.code import LiteralInclude
|
||||
|
||||
def setup(app):
|
||||
app.add_directive('rootedliteralinclude', RootedLiteralInclude)
|
||||
|
||||
class RootedLiteralInclude(LiteralInclude):
|
||||
"""
|
||||
Like ``.. literalinclude::``, but the argument is an absolute path
|
||||
which may contain environment variables which will be expanded when
|
||||
generating documents.
|
||||
"""
|
||||
|
||||
def run(self):
|
||||
document = self.state.document
|
||||
if not document.settings.file_insertion_enabled:
|
||||
return [document.reporter.warning('File insertion disabled',
|
||||
line=self.lineno)]
|
||||
env = document.settings.env
|
||||
|
||||
expanded_arg = os.path.expandvars(self.arguments[0])
|
||||
sphinx_src_relation = os.path.relpath(expanded_arg, env.srcdir)
|
||||
self.arguments[0] = os.path.join(os.sep, sphinx_src_relation)
|
||||
|
||||
return super(RootedLiteralInclude, self).run()
|
||||
|
|
@ -9,8 +9,8 @@ Bro Documentation
|
|||
:maxdepth: 2
|
||||
|
||||
intro/index.rst
|
||||
quickstart/index.rst
|
||||
install/index.rst
|
||||
quickstart/index.rst
|
||||
using/index.rst
|
||||
scripting/index.rst
|
||||
frameworks/index.rst
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
|
||||
===========================================
|
||||
Comprehensive Version History (aka CHANGES)
|
||||
===========================================
|
||||
========================
|
||||
Detailed Version History
|
||||
========================
|
||||
|
||||
.. contents::
|
||||
|
||||
|
|
|
|||
|
|
@ -7,9 +7,6 @@ Quick Start Guide
|
|||
|
||||
.. contents::
|
||||
|
||||
Installation
|
||||
============
|
||||
|
||||
Bro works on most modern, Unix-based systems and requires no custom
|
||||
hardware. It can be downloaded in either pre-built binary package or
|
||||
source code forms. See :ref:`installing-bro` for instructions on how to
|
||||
|
|
|
|||
6
doc/scripting/connection_record_01.bro
Normal file
6
doc/scripting/connection_record_01.bro
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
@load base/protocols/conn
|
||||
|
||||
event connection_state_remove(c: connection)
|
||||
{
|
||||
print c;
|
||||
}
|
||||
7
doc/scripting/connection_record_02.bro
Normal file
7
doc/scripting/connection_record_02.bro
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
|
||||
event connection_state_remove(c: connection)
|
||||
{
|
||||
print c;
|
||||
}
|
||||
22
doc/scripting/data_struct_record_01.bro
Normal file
22
doc/scripting/data_struct_record_01.bro
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
type Service: record {
|
||||
name: string;
|
||||
ports: set[port];
|
||||
rfc: count;
|
||||
};
|
||||
|
||||
function print_service(serv: Service): string
|
||||
{
|
||||
print fmt("Service: %s(RFC%d)",serv$name, serv$rfc);
|
||||
|
||||
for ( p in serv$ports )
|
||||
print fmt(" port: %s", p);
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local dns: Service = [$name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
|
||||
local http: Service = [$name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
|
||||
|
||||
print_service(dns);
|
||||
print_service(http);
|
||||
}
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
type Service: record {
|
||||
name: string;
|
||||
ports: set[port];
|
||||
|
|
@ -12,23 +9,20 @@ type System: record {
|
|||
services: set[Service];
|
||||
};
|
||||
|
||||
|
||||
function print_service(serv: Service): string
|
||||
{
|
||||
print fmt(" Service: %s(RFC%d)",serv$name, serv$rfc);
|
||||
for (p in serv$ports)
|
||||
{
|
||||
|
||||
for ( p in serv$ports )
|
||||
print fmt(" port: %s", p);
|
||||
}
|
||||
}
|
||||
|
||||
function print_system(sys: System): string
|
||||
{
|
||||
print fmt("System: %s", sys$name);
|
||||
for (s in sys$services)
|
||||
{
|
||||
|
||||
for ( s in sys$services )
|
||||
print_service(s);
|
||||
}
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
|
|
@ -1,10 +1,8 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local ssl_ports: set[port];
|
||||
local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
|
||||
|
||||
# SSH
|
||||
add ssl_ports[22/tcp];
|
||||
# HTTPS
|
||||
|
|
@ -14,17 +12,11 @@ event bro_init()
|
|||
|
||||
# Check for SMTPS
|
||||
if ( 587/tcp !in ssl_ports )
|
||||
{
|
||||
add ssl_ports[587/tcp];
|
||||
}
|
||||
|
||||
for ( i in ssl_ports )
|
||||
{
|
||||
print fmt("SSL Port: %s", i);
|
||||
}
|
||||
|
||||
for ( i in non_ssl_ports )
|
||||
{
|
||||
print fmt("Non-SSL Port: %s", i);
|
||||
}
|
||||
}
|
||||
|
|
@ -1,17 +1,13 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local samurai_flicks: table[string, string, count, string] of string;
|
||||
|
||||
samurai_flicks["Kihachi Okamoto", "Toho", 1968, "Tatsuya Nakadai"] = "Kiru";
|
||||
samurai_flicks["Hideo Gosha", "Fuji", 1969, "Tatsuya Nakadai"] = "Goyokin";
|
||||
samurai_flicks["Masaki Kobayashi", "Shochiku Eiga", 1962, "Tatsuya Nakadai" ] = "Harakiri";
|
||||
samurai_flicks["Yoji Yamada", "Eisei Gekijo", 2002, "Hiroyuki Sanada" ] = "Tasogare Seibei";
|
||||
|
||||
for ( [d, s, y, a] in samurai_flicks )
|
||||
{
|
||||
print fmt("%s was released in %d by %s studios, directed by %s and starring %s", samurai_flicks[d, s, y, a], y, s, d, a);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1,19 +1,13 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local ssl_services: table[string] of port;
|
||||
|
||||
ssl_services = table(["SSH"] = 22/tcp, ["HTTPS"] = 443/tcp);
|
||||
ssl_services["IMAPS"] = 993/tcp;
|
||||
|
||||
if ( "SMTPS" !in ssl_services )
|
||||
{
|
||||
ssl_services["SMTPS"] = 587/tcp;
|
||||
}
|
||||
|
||||
for ( k in ssl_services )
|
||||
{
|
||||
print fmt("Service Name: %s - Common Port: %s", k, ssl_services[k]);
|
||||
}
|
||||
}
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local v: vector of count = vector(1, 2, 3, 4);
|
||||
|
|
@ -1,14 +1,13 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local v1: vector of count;
|
||||
local v2 = vector(1, 2, 3, 4);
|
||||
|
||||
v1[|v1|] = 1;
|
||||
v1[|v1|] = 2;
|
||||
v1[|v1|] = 3;
|
||||
v1[|v1|] = 4;
|
||||
|
||||
print fmt("contents of v1: %s", v1);
|
||||
print fmt("length of v1: %d", |v1|);
|
||||
print fmt("contents of v1: %s", v2);
|
||||
7
doc/scripting/data_struct_vector_iter.bro
Normal file
7
doc/scripting/data_struct_vector_iter.bro
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
event bro_init()
|
||||
{
|
||||
local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);
|
||||
|
||||
for (i in addr_vector)
|
||||
print mask_addr(addr_vector[i], 18);
|
||||
}
|
||||
9
doc/scripting/data_type_const.bro
Normal file
9
doc/scripting/data_type_const.bro
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
const port_list: table[port] of string &redef;
|
||||
|
||||
redef port_list += { [6666/tcp] = "IRC"};
|
||||
redef port_list += { [80/tcp] = "WWW" };
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
print port_list;
|
||||
}
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
# @TEST-EXEC: bro -b %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
redef HTTP::default_capture_password = T;
|
||||
9
doc/scripting/data_type_declaration.bro
Normal file
9
doc/scripting/data_type_declaration.bro
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
event bro_init()
|
||||
{
|
||||
local a: int;
|
||||
a = 10;
|
||||
local b = 10;
|
||||
|
||||
if ( a == b )
|
||||
print fmt("A: %d, B: %d", a, b);
|
||||
}
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
# Store the time the previous connection was established.
|
||||
global last_connection_time: time;
|
||||
|
||||
|
|
@ -8,13 +5,14 @@ global last_connection_time: time;
|
|||
global connection_seen: bool = F;
|
||||
|
||||
event connection_established(c: connection)
|
||||
{
|
||||
{
|
||||
local net_time: time = network_time();
|
||||
|
||||
print fmt("%s: New connection established from %s to %s", strftime("%Y/%M/%d %H:%m:%S", net_time), c$id$orig_h, c$id$resp_h);
|
||||
if (connection_seen)
|
||||
{
|
||||
|
||||
if ( connection_seen )
|
||||
print fmt(" Time since last connection: %s", net_time - last_connection_time);
|
||||
}
|
||||
|
||||
last_connection_time = net_time;
|
||||
connection_seen = T;
|
||||
}
|
||||
}
|
||||
11
doc/scripting/data_type_local.bro
Normal file
11
doc/scripting/data_type_local.bro
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
function add_two(i: count): count
|
||||
{
|
||||
local added_two = i+2;
|
||||
print fmt("i + 2 = %d", added_two);
|
||||
return added_two;
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local test = add_two(10);
|
||||
}
|
||||
|
|
@ -1,14 +1,13 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local test_string = "The quick brown fox jumped over the lazy dog.";
|
||||
local test_pattern = /quick|lazy/;
|
||||
|
||||
if (test_pattern in test_string)
|
||||
if ( test_pattern in test_string )
|
||||
{
|
||||
local results = split(test_string, test_pattern);
|
||||
print results[1];
|
||||
print results[2];
|
||||
print results[3];
|
||||
}
|
||||
}
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local test_string = "equality";
|
||||
|
|
@ -11,4 +8,3 @@ event bro_init()
|
|||
test_pattern = /equality/;
|
||||
print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
|
||||
}
|
||||
|
||||
15
doc/scripting/data_type_subnets.bro
Normal file
15
doc/scripting/data_type_subnets.bro
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
event bro_init()
|
||||
{
|
||||
local subnets = vector(172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20);
|
||||
local addresses = vector(172.16.4.56, 172.16.47.254, 172.16.22.45, 172.16.1.1);
|
||||
|
||||
for ( a in addresses )
|
||||
{
|
||||
for ( s in subnets )
|
||||
{
|
||||
if ( addresses[a] in subnets[s] )
|
||||
print fmt("%s belongs to subnet %s", addresses[a], subnets[s]);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
4
doc/scripting/data_type_time.bro
Normal file
4
doc/scripting/data_type_time.bro
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
event connection_established(c: connection)
|
||||
{
|
||||
print fmt("%s: New connection established from %s to %s\n", strftime("%Y/%M/%d %H:%m:%S", network_time()), c$id$orig_h, c$id$resp_h);
|
||||
}
|
||||
19
doc/scripting/framework_logging_factorial_01.bro
Normal file
19
doc/scripting/framework_logging_factorial_01.bro
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
module Factor;
|
||||
|
||||
function factorial(n: count): count
|
||||
{
|
||||
if ( n == 0 )
|
||||
return 1;
|
||||
else
|
||||
return ( n * factorial(n - 1) );
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
|
||||
|
||||
for ( n in numbers )
|
||||
print fmt("%d", factorial(numbers[n]));
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff factor.log
|
||||
|
||||
module Factor;
|
||||
|
||||
export {
|
||||
|
|
@ -15,13 +12,10 @@ export {
|
|||
function factorial(n: count): count
|
||||
{
|
||||
if ( n == 0 )
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
return ( n * factorial(n - 1) );
|
||||
}
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
|
|
@ -33,8 +27,6 @@ event bro_done()
|
|||
{
|
||||
local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
|
||||
for ( n in numbers )
|
||||
{
|
||||
Log::write( Factor::LOG, [$num=numbers[n],
|
||||
$factorial_num=factorial(numbers[n])]);
|
||||
}
|
||||
}
|
||||
|
|
@ -1,7 +1,3 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff factor-mod5.log
|
||||
# @TEST-EXEC: btest-diff factor-non5.log
|
||||
|
||||
module Factor;
|
||||
|
||||
export {
|
||||
|
|
@ -16,44 +12,33 @@ export {
|
|||
function factorial(n: count): count
|
||||
{
|
||||
if ( n == 0 )
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
return ( n * factorial(n - 1) );
|
||||
}
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info]);
|
||||
else
|
||||
return (n * factorial(n - 1));
|
||||
}
|
||||
|
||||
event bro_done()
|
||||
{
|
||||
local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
|
||||
for ( n in numbers )
|
||||
{
|
||||
Log::write( Factor::LOG, [$num=numbers[n],
|
||||
$factorial_num=factorial(numbers[n])]);
|
||||
}
|
||||
}
|
||||
|
||||
function mod5(id: Log::ID, path: string, rec: Factor::Info) : string
|
||||
{
|
||||
if ( rec$factorial_num % 5 == 0 )
|
||||
{
|
||||
return "factor-mod5";
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
return "factor-non5";
|
||||
}
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info]);
|
||||
|
||||
local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
|
||||
Log::add_filter(Factor::LOG, filter);
|
||||
Log::remove_filter(Factor::LOG, "default");
|
||||
|
|
@ -1,7 +1,3 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff factor-mod5.log
|
||||
# @TEST-EXEC: btest-diff factor-non5.log
|
||||
|
||||
module Factor;
|
||||
|
||||
export {
|
||||
|
|
@ -18,13 +14,10 @@ export {
|
|||
function factorial(n: count): count
|
||||
{
|
||||
if ( n == 0 )
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
return ( n * factorial(n - 1) );
|
||||
}
|
||||
return (n * factorial(n - 1));
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
|
|
@ -36,22 +29,17 @@ event bro_done()
|
|||
{
|
||||
local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
|
||||
for ( n in numbers )
|
||||
{
|
||||
Log::write( Factor::LOG, [$num=numbers[n],
|
||||
$factorial_num=factorial(numbers[n])]);
|
||||
}
|
||||
}
|
||||
|
||||
function mod5(id: Log::ID, path: string, rec: Factor::Info) : string
|
||||
{
|
||||
if ( rec$factorial_num % 5 == 0 )
|
||||
{
|
||||
return "factor-mod5";
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
return "factor-non5";
|
||||
}
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
7
doc/scripting/framework_notice_hook_01.bro
Normal file
7
doc/scripting/framework_notice_hook_01.bro
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
@load policy/protocols/ssh/interesting-hostnames.bro
|
||||
|
||||
hook Notice::policy(n: Notice::Info)
|
||||
{
|
||||
if ( n$note == SSH::Interesting_Hostname_Login )
|
||||
add n$actions[Notice::ACTION_EMAIL];
|
||||
}
|
||||
7
doc/scripting/framework_notice_hook_suppression_01.bro
Normal file
7
doc/scripting/framework_notice_hook_suppression_01.bro
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
@load policy/protocols/ssl/expiring-certs.bro
|
||||
|
||||
hook Notice::policy(n: Notice::Info)
|
||||
{
|
||||
if ( n$note == SSL::Certificate_Expires_Soon )
|
||||
n$suppress_for = 12hrs;
|
||||
}
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load policy/protocols/ssh/interesting-hostnames.bro
|
||||
@load base/protocols/ssh/
|
||||
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
@load policy/protocols/ssh/interesting-hostnames.bro
|
||||
@load base/protocols/ssh/
|
||||
|
||||
File diff suppressed because it is too large
Load diff
|
|
@ -44,7 +44,8 @@ the Unix utility ``head`` and outputting the first lines of the file:
|
|||
|
||||
.. btest:: using_bro
|
||||
|
||||
@TEST-EXEC: btest-rst-cmd "bro -r $TRACES/wikipedia.trace && head -15 conn.log"
|
||||
@TEST-EXEC: btest-rst-cmd bro -r $TRACES/wikipedia.trace
|
||||
@TEST-EXEC: btest-rst-include -n 15 conn.log
|
||||
|
||||
As you can see, the header consists of lines prefixed by ``#`` and
|
||||
includes information such as what separators are being used for
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro -b -r dns-session.trace connection_record_01.bro
|
||||
[id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
|
||||
|
||||
}, addl=, hot=0, history=ShADadFf, uid=UWkUyAuUGXf, tunnel=<uninitialized>, conn=[ts=930613226.067666, uid=UWkUyAuUGXf, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=<uninitialized>, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
|
||||
|
||||
}], extract_orig=F, extract_resp=F]
|
||||
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro -b -r dns-session.trace connection_record_02.bro
|
||||
[id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
|
||||
|
||||
}, addl=, hot=0, history=ShADadFf, uid=UWkUyAuUGXf, tunnel=<uninitialized>, conn=[ts=930613226.067666, uid=UWkUyAuUGXf, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=<uninitialized>, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
|
||||
|
||||
}], extract_orig=F, extract_resp=F, dns=<uninitialized>, dns_state=[pending={
|
||||
[34798] = [initialized=T, vals={
|
||||
|
||||
}, settings=[max_len=<uninitialized>], top=1, bottom=1, size=0]
|
||||
}, finished_answers={
|
||||
|
||||
}]]
|
||||
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro data_struct_record_01.bro
|
||||
Service: dns(RFC1035)
|
||||
port: 53/tcp
|
||||
port: 53/udp
|
||||
Service: http(RFC2616)
|
||||
port: 80/tcp
|
||||
port: 8080/tcp
|
||||
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro data_struct_record_02.bro
|
||||
System: morlock
|
||||
Service: dns(RFC1035)
|
||||
port: 53/tcp
|
||||
port: 53/udp
|
||||
Service: http(RFC2616)
|
||||
port: 80/tcp
|
||||
port: 8080/tcp
|
||||
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro data_struct_set_declaration.bro
|
||||
SSL Port: 993/tcp
|
||||
SSL Port: 22/tcp
|
||||
SSL Port: 587/tcp
|
||||
SSL Port: 443/tcp
|
||||
Non-SSL Port: 143/tcp
|
||||
Non-SSL Port: 25/tcp
|
||||
Non-SSL Port: 80/tcp
|
||||
Non-SSL Port: 23/tcp
|
||||
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro -b data_struct_table_complex.bro
|
||||
Kiru was released in 1968 by Toho studios, directed by Kihachi Okamoto and starring Tatsuya Nakadai
|
||||
Goyokin was released in 1969 by Fuji studios, directed by Hideo Gosha and starring Tatsuya Nakadai
|
||||
Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai
|
||||
Tasogare Seibei was released in 2002 by Eisei Gekijo studios, directed by Yoji Yamada and starring Hiroyuki Sanada
|
||||
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro data_struct_table_declaration.bro
|
||||
Service Name: IMAPS - Common Port: 993/tcp
|
||||
Service Name: HTTPS - Common Port: 443/tcp
|
||||
Service Name: SSH - Common Port: 22/tcp
|
||||
Service Name: SMTPS - Common Port: 587/tcp
|
||||
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro data_struct_vector_declaration.bro
|
||||
contents of v1: [1, 2, 3, 4]
|
||||
length of v1: 4
|
||||
contents of v1: [1, 2, 3, 4]
|
||||
length of v2: 4
|
||||
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro -b data_struct_vector_iter.bro
|
||||
1.2.0.0/18
|
||||
2.3.0.0/18
|
||||
3.4.0.0/18
|
||||
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro -b data_type_const.bro
|
||||
{
|
||||
[6666/tcp] = IRC,
|
||||
[80/tcp] = WWW
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro -r wikipedia.trace data_type_interval.bro
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
|
||||
Time since last connection: 132.0 msecs 97.0 usecs
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
|
||||
Time since last connection: 177.0 usecs
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
|
||||
Time since last connection: 2.0 msecs 177.0 usecs
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
|
||||
Time since last connection: 33.0 msecs 898.0 usecs
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
|
||||
Time since last connection: 35.0 usecs
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3
|
||||
Time since last connection: 2.0 msecs 532.0 usecs
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2
|
||||
Time since last connection: 7.0 msecs 866.0 usecs
|
||||
2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128
|
||||
Time since last connection: 817.0 msecs 703.0 usecs
|
||||
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro data_type_pattern_01.bro
|
||||
The
|
||||
brown fox jumped over the
|
||||
dog.
|
||||
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro data_type_pattern_02.bro
|
||||
equality and /^?(equal)$?/ are not equal
|
||||
equality and /^?(equality)$?/ are equal
|
||||
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro data_type_subnets.bro
|
||||
172.16.4.56 belongs to subnet 172.16.0.0/20
|
||||
172.16.47.254 belongs to subnet 172.16.32.0/20
|
||||
172.16.22.45 belongs to subnet 172.16.16.0/20
|
||||
172.16.1.1 belongs to subnet 172.16.0.0/20
|
||||
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro -r wikipedia.trace data_type_time.bro
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.118^J
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.3^J
|
||||
2011/06/18 19:03:08: New connection established from 141.142.220.118 to 208.80.152.2^J
|
||||
2011/06/18 19:03:09: New connection established from 141.142.220.235 to 173.192.163.128^J
|
||||
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro framework_logging_factorial_02.bro
|
||||
|
||||
.. code-block:: guess
|
||||
:linenos:
|
||||
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path factor
|
||||
#open 2013-08-30-23-20-49
|
||||
#fields num factorial_num
|
||||
#types count count
|
||||
1 1
|
||||
2 2
|
||||
3 6
|
||||
4 24
|
||||
5 120
|
||||
6 720
|
||||
7 5040
|
||||
8 40320
|
||||
9 362880
|
||||
10 3628800
|
||||
#close 2013-08-30-23-20-49
|
||||
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro framework_logging_factorial_03.bro
|
||||
|
||||
.. code-block:: guess
|
||||
:linenos:
|
||||
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path factor-mod5
|
||||
#open 2013-08-30-23-20-49
|
||||
#fields num factorial_num
|
||||
#types count count
|
||||
5 120
|
||||
6 720
|
||||
7 5040
|
||||
8 40320
|
||||
9 362880
|
||||
10 3628800
|
||||
#close 2013-08-30-23-20-49
|
||||
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro framework_logging_factorial_01.bro
|
||||
1
|
||||
2
|
||||
6
|
||||
24
|
||||
120
|
||||
720
|
||||
5040
|
||||
40320
|
||||
362880
|
||||
3628800
|
||||
|
||||
|
|
@ -1,10 +1,11 @@
|
|||
# @TEST-EXEC: bro -b -r $TRACES/dns-session.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- connection_record_02.bro
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
|
||||
event connection_state_remove(c: connection)
|
||||
{
|
||||
{
|
||||
print c;
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- connection_record_02.bro
|
||||
|
||||
@load base/protocols/conn
|
||||
@load base/protocols/dns
|
||||
|
||||
event connection_state_remove(c: connection)
|
||||
{
|
||||
print c;
|
||||
}
|
||||
|
|
@ -1,5 +1,6 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_record_01.bro
|
||||
|
||||
type Service: record {
|
||||
name: string;
|
||||
|
|
@ -10,16 +11,16 @@ type Service: record {
|
|||
function print_service(serv: Service): string
|
||||
{
|
||||
print fmt("Service: %s(RFC%d)",serv$name, serv$rfc);
|
||||
for (p in serv$ports)
|
||||
{
|
||||
|
||||
for ( p in serv$ports )
|
||||
print fmt(" port: %s", p);
|
||||
}
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local dns: Service = [ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
|
||||
local http: Service = [ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
|
||||
local dns: Service = [$name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
|
||||
local http: Service = [$name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
|
||||
|
||||
print_service(dns);
|
||||
print_service(http);
|
||||
}
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_record_02.bro
|
||||
|
||||
type Service: record {
|
||||
name: string;
|
||||
ports: set[port];
|
||||
rfc: count;
|
||||
};
|
||||
|
||||
type System: record {
|
||||
name: string;
|
||||
services: set[Service];
|
||||
};
|
||||
|
||||
function print_service(serv: Service): string
|
||||
{
|
||||
print fmt(" Service: %s(RFC%d)",serv$name, serv$rfc);
|
||||
|
||||
for ( p in serv$ports )
|
||||
print fmt(" port: %s", p);
|
||||
}
|
||||
|
||||
function print_system(sys: System): string
|
||||
{
|
||||
print fmt("System: %s", sys$name);
|
||||
|
||||
for ( s in sys$services )
|
||||
print_service(s);
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local server01: System;
|
||||
server01$name = "morlock";
|
||||
add server01$services[[ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035]];
|
||||
add server01$services[[ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616]];
|
||||
print_system(server01);
|
||||
|
||||
|
||||
# local dns: Service = [ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
|
||||
# local http: Service = [ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
|
||||
# print_service(dns);
|
||||
# print_service(http);
|
||||
}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_set_declaration.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local ssl_ports: set[port];
|
||||
local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
|
||||
}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_set_declaration.bro
|
||||
|
||||
for ( i in ssl_ports )
|
||||
print fmt("SSL Port: %s", i);
|
||||
|
||||
for ( i in non_ssl_ports )
|
||||
print fmt("Non-SSL Port: %s", i);
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_set_declaration.bro
|
||||
|
||||
# Check for SMTPS
|
||||
if ( 587/tcp !in ssl_ports )
|
||||
add ssl_ports[587/tcp];
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_set_declaration.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local ssl_ports: set[port];
|
||||
local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
|
||||
|
||||
# SSH
|
||||
add ssl_ports[22/tcp];
|
||||
# HTTPS
|
||||
add ssl_ports[443/tcp];
|
||||
# IMAPS
|
||||
add ssl_ports[993/tcp];
|
||||
|
||||
# Check for SMTPS
|
||||
if ( 587/tcp !in ssl_ports )
|
||||
add ssl_ports[587/tcp];
|
||||
|
||||
for ( i in ssl_ports )
|
||||
print fmt("SSL Port: %s", i);
|
||||
|
||||
for ( i in non_ssl_ports )
|
||||
print fmt("Non-SSL Port: %s", i);
|
||||
}
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_table_complex.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local samurai_flicks: table[string, string, count, string] of string;
|
||||
|
||||
samurai_flicks["Kihachi Okamoto", "Toho", 1968, "Tatsuya Nakadai"] = "Kiru";
|
||||
samurai_flicks["Hideo Gosha", "Fuji", 1969, "Tatsuya Nakadai"] = "Goyokin";
|
||||
samurai_flicks["Masaki Kobayashi", "Shochiku Eiga", 1962, "Tatsuya Nakadai" ] = "Harakiri";
|
||||
samurai_flicks["Yoji Yamada", "Eisei Gekijo", 2002, "Hiroyuki Sanada" ] = "Tasogare Seibei";
|
||||
|
||||
for ( [d, s, y, a] in samurai_flicks )
|
||||
print fmt("%s was released in %d by %s studios, directed by %s and starring %s", samurai_flicks[d, s, y, a], y, s, d, a);
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_table_declaration.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local ssl_services: table[string] of port;
|
||||
|
||||
ssl_services = table(["SSH"] = 22/tcp, ["HTTPS"] = 443/tcp);
|
||||
ssl_services["IMAPS"] = 993/tcp;
|
||||
|
||||
if ( "SMTPS" !in ssl_services )
|
||||
ssl_services["SMTPS"] = 587/tcp;
|
||||
|
||||
for ( k in ssl_services )
|
||||
print fmt("Service Name: %s - Common Port: %s", k, ssl_services[k]);
|
||||
}
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_vector_declaration.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local v1: vector of count;
|
||||
local v2 = vector(1, 2, 3, 4);
|
||||
|
||||
v1[|v1|] = 1;
|
||||
v1[|v1|] = 2;
|
||||
v1[|v1|] = 3;
|
||||
v1[|v1|] = 4;
|
||||
|
||||
print fmt("contents of v1: %s", v1);
|
||||
print fmt("length of v1: %d", |v1|);
|
||||
print fmt("contents of v1: %s", v2);
|
||||
print fmt("length of v2: %d", |v2|);
|
||||
}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_struct_vector_iter.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);
|
||||
|
||||
for (i in addr_vector)
|
||||
print mask_addr(addr_vector[i], 18);
|
||||
}
|
||||
|
|
@ -1,5 +1,6 @@
|
|||
# @TEST-EXEC: bro -b %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_type_const.bro
|
||||
|
||||
const port_list: table[port] of string &redef;
|
||||
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_type_const_simple.bro
|
||||
|
||||
@load base/protocols/http
|
||||
|
||||
redef HTTP::default_capture_password = T;
|
||||
|
||||
|
|
@ -1,5 +1,6 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_type_declaration.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
|
|
@ -7,8 +8,6 @@ event bro_init()
|
|||
a = 10;
|
||||
local b = 10;
|
||||
|
||||
if (a == b)
|
||||
{
|
||||
if ( a == b )
|
||||
print fmt("A: %d, B: %d", a, b);
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_type_interval.bro
|
||||
|
||||
# Store the time the previous connection was established.
|
||||
global last_connection_time: time;
|
||||
|
||||
# boolean value to indicate whether we have seen a previous connection.
|
||||
global connection_seen: bool = F;
|
||||
|
||||
event connection_established(c: connection)
|
||||
{
|
||||
local net_time: time = network_time();
|
||||
|
||||
print fmt("%s: New connection established from %s to %s", strftime("%Y/%M/%d %H:%m:%S", net_time), c$id$orig_h, c$id$resp_h);
|
||||
|
||||
if ( connection_seen )
|
||||
print fmt(" Time since last connection: %s", net_time - last_connection_time);
|
||||
|
||||
last_connection_time = net_time;
|
||||
connection_seen = T;
|
||||
}
|
||||
|
|
@ -1,5 +1,6 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_type_local.bro
|
||||
|
||||
function add_two(i: count): count
|
||||
{
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_type_pattern_01.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local test_string = "The quick brown fox jumped over the lazy dog.";
|
||||
local test_pattern = /quick|lazy/;
|
||||
|
||||
if ( test_pattern in test_string )
|
||||
{
|
||||
local results = split(test_string, test_pattern);
|
||||
print results[1];
|
||||
print results[2];
|
||||
print results[3];
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_type_pattern_02.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local test_string = "equality";
|
||||
|
||||
local test_pattern = /equal/;
|
||||
print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
|
||||
|
||||
test_pattern = /equality/;
|
||||
print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
|
||||
}
|
||||
|
|
@ -1,22 +1,19 @@
|
|||
# @TEST-EXEC: bro -b %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_type_subnets.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local subnets = vector(172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20);
|
||||
local addresses = vector(172.16.4.56, 172.16.47.254, 172.16.22.45, 172.16.1.1);
|
||||
for (a in addresses)
|
||||
|
||||
for ( a in addresses )
|
||||
{
|
||||
for (s in subnets)
|
||||
for ( s in subnets )
|
||||
{
|
||||
if (addresses[a] in subnets[s])
|
||||
{
|
||||
if ( addresses[a] in subnets[s] )
|
||||
print fmt("%s belongs to subnet %s", addresses[a], subnets[s]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
|
@ -1,7 +1,8 @@
|
|||
# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- data_type_time.bro
|
||||
|
||||
event connection_established(c: connection)
|
||||
{
|
||||
{
|
||||
print fmt("%s: New connection established from %s to %s\n", strftime("%Y/%M/%d %H:%m:%S", network_time()), c$id$orig_h, c$id$resp_h);
|
||||
}
|
||||
}
|
||||
|
|
@ -1,27 +1,23 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- framework_logging_factorial_01.bro
|
||||
|
||||
module Factor;
|
||||
|
||||
function factorial(n: count): count
|
||||
{
|
||||
if ( n == 0 )
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
return ( n * factorial(n - 1) );
|
||||
}
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
|
||||
|
||||
for ( n in numbers )
|
||||
{
|
||||
print fmt("%d", factorial(numbers[n]));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- framework_logging_factorial_02.bro
|
||||
|
||||
module Factor;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Info: record {
|
||||
num: count &log;
|
||||
factorial_num: count &log;
|
||||
};
|
||||
}
|
||||
|
||||
function factorial(n: count): count
|
||||
{
|
||||
if ( n == 0 )
|
||||
return 1;
|
||||
|
||||
else
|
||||
return ( n * factorial(n - 1) );
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info]);
|
||||
}
|
||||
|
||||
event bro_done()
|
||||
{
|
||||
local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
|
||||
for ( n in numbers )
|
||||
Log::write( Factor::LOG, [$num=numbers[n],
|
||||
$factorial_num=factorial(numbers[n])]);
|
||||
}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- framework_logging_factorial_03.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info]);
|
||||
|
||||
local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
|
||||
Log::add_filter(Factor::LOG, filter);
|
||||
Log::remove_filter(Factor::LOG, "default");
|
||||
}
|
||||
|
|
@ -0,0 +1,54 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- framework_logging_factorial_04.bro
|
||||
|
||||
module Factor;
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { LOG };
|
||||
|
||||
type Info: record {
|
||||
num: count &log;
|
||||
factorial_num: count &log;
|
||||
};
|
||||
|
||||
global log_factor: event(rec: Info);
|
||||
}
|
||||
|
||||
function factorial(n: count): count
|
||||
{
|
||||
if ( n == 0 )
|
||||
return 1;
|
||||
|
||||
else
|
||||
return (n * factorial(n - 1));
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info, $ev=log_factor]);
|
||||
}
|
||||
|
||||
event bro_done()
|
||||
{
|
||||
local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
|
||||
for ( n in numbers )
|
||||
Log::write( Factor::LOG, [$num=numbers[n],
|
||||
$factorial_num=factorial(numbers[n])]);
|
||||
}
|
||||
|
||||
function mod5(id: Log::ID, path: string, rec: Factor::Info) : string
|
||||
{
|
||||
if ( rec$factorial_num % 5 == 0 )
|
||||
return "factor-mod5";
|
||||
|
||||
else
|
||||
return "factor-non5";
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
|
||||
Log::add_filter(Factor::LOG, filter);
|
||||
Log::remove_filter(Factor::LOG, "default");
|
||||
}
|
||||
|
|
@ -1,12 +1,11 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- framework_notice_hook_01.bro
|
||||
|
||||
@load policy/protocols/ssh/interesting-hostnames.bro
|
||||
|
||||
hook Notice::policy(n: Notice::Info)
|
||||
{
|
||||
if ( n$note == SSH::Interesting_Hostname_Login )
|
||||
{
|
||||
add n$actions[Notice::ACTION_EMAIL];
|
||||
}
|
||||
}
|
||||
|
|
@ -1,12 +1,11 @@
|
|||
# @TEST-EXEC: bro %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- framework_notice_hook_suppression_01.bro
|
||||
|
||||
@load policy/protocols/ssl/expiring-certs.bro
|
||||
|
||||
hook Notice::policy(n: Notice::Info)
|
||||
{
|
||||
if ( n$note == SSL::Certificate_Expires_Soon )
|
||||
{
|
||||
n$suppress_for = 12hrs;
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- framework_notice_shortcuts_01.bro
|
||||
|
||||
@load policy/protocols/ssh/interesting-hostnames.bro
|
||||
@load base/protocols/ssh/
|
||||
|
||||
redef Notice::emailed_types += {
|
||||
SSH::Interesting_Hostname_Login,
|
||||
SSH::Login
|
||||
};
|
||||
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- framework_notice_shortcuts_02.bro
|
||||
|
||||
@load policy/protocols/ssh/interesting-hostnames.bro
|
||||
@load base/protocols/ssh/
|
||||
|
||||
redef Notice::type_suppression_intervals += {
|
||||
[SSH::Interesting_Hostname_Login] = 1day,
|
||||
[SSH::Login] = 12hrs,
|
||||
};
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- event.bif.bro
|
||||
|
||||
## script-level cleanup that needs to be performed for every connection. This
|
||||
## event is generated not only for TCP sessions but also for UDP and ICMP
|
||||
## flows.
|
||||
##
|
||||
##
|
||||
global connection_external: event(c: connection , tag: string );
|
||||
|
||||
|
||||
## Generated when a UDP session for a supported protocol has finished. Some of
|
||||
## Bro's application-layer UDP analyzers flag the end of a session by raising
|
||||
## Generated when a connection is seen that is marked as being expected.
|
||||
|
||||
|
||||
global ipv6_ext_headers: event(c: connection , p: pkt_hdr );
|
||||
## their specifics differ slightly. Often, however, both will be raised for
|
||||
## the same connection if some of its data is missing. We should eventually
|
||||
## merge the two.
|
||||
global ack_above_hole: event(c: connection );
|
||||
|
||||
|
||||
##
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- Bro_DNS.events.bif.bro
|
||||
|
||||
## Generated for DNS requests. For requests with multiple queries, this event
|
||||
## is raised once for each.
|
||||
##
|
||||
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
|
||||
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
|
||||
## sessions.
|
||||
##
|
||||
## c: The connection, which may be UDP or TCP depending on the type of the
|
||||
## transport-layer session being analyzed.
|
||||
##
|
||||
## msg: The parsed DNS message header.
|
||||
##
|
||||
## query: The queried name.
|
||||
##
|
||||
## qtype: The queried resource record type.
|
||||
##
|
||||
## qclass: The queried resource record class.
|
||||
##
|
||||
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
|
||||
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
|
||||
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
|
||||
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
|
||||
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
|
||||
## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
|
||||
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
|
||||
global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count );
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- init-bare.bro
|
||||
|
||||
type string_array: table[count] of string;
|
||||
type string_set: set[string];
|
||||
type addr_set: set[addr];
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- main.bro
|
||||
|
||||
module Conn;
|
||||
|
||||
export {
|
||||
## The record type which contains column fields of the connection log.
|
||||
type Info: record {
|
||||
ts: time &log;
|
||||
uid: string &log;
|
||||
id: conn_id &log;
|
||||
proto: transport_proto &log;
|
||||
service: string &log &optional;
|
||||
duration: interval &log &optional;
|
||||
orig_bytes: count &log &optional;
|
||||
resp_bytes: count &log &optional;
|
||||
conn_state: string &log &optional;
|
||||
local_orig: bool &log &optional;
|
||||
missed_bytes: count &log &default=0;
|
||||
history: string &log &optional;
|
||||
orig_pkts: count &log &optional;
|
||||
orig_ip_bytes: count &log &optional;
|
||||
resp_pkts: count &log &optional;
|
||||
resp_ip_bytes: count &log &optional;
|
||||
tunnel_parents: set[string] &log;
|
||||
};
|
||||
}
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- main.bro
|
||||
|
||||
module HTTP;
|
||||
|
||||
export {
|
||||
## This setting changes if passwords used in Basic-Auth are captured or not.
|
||||
const default_capture_password = F &redef;
|
||||
}
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- detect-MHR.bro
|
||||
|
||||
##! Detect file downloads that have hash values matching files in Team
|
||||
##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
|
||||
|
||||
@load base/frameworks/files
|
||||
@load base/frameworks/notice
|
||||
@load frameworks/files/hash-all-files
|
||||
|
||||
module TeamCymruMalwareHashRegistry;
|
||||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
## The hash value of a file transferred over HTTP matched in the
|
||||
## malware hash registry.
|
||||
Match
|
||||
};
|
||||
|
||||
## File types to attempt matching against the Malware Hash Registry.
|
||||
const match_file_types = /application\/x-dosexec/ |
|
||||
/application\/vnd.ms-cab-compressed/ |
|
||||
/application\/pdf/ |
|
||||
/application\/x-shockwave-flash/ |
|
||||
/application\/x-java-applet/ |
|
||||
/application\/jar/ |
|
||||
/video\/mp4/ &redef;
|
||||
|
||||
## The malware hash registry runs each malware sample through several A/V engines.
|
||||
## Team Cymru returns a percentage to indicate how many A/V engines flagged the
|
||||
## sample as malicious. This threshold allows you to require a minimum detection
|
||||
## rate.
|
||||
const notice_threshold = 10 &redef;
|
||||
}
|
||||
|
||||
event file_hash(f: fa_file, kind: string, hash: string)
|
||||
{
|
||||
if ( kind=="sha1" && match_file_types in f$mime_type )
|
||||
{
|
||||
local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
|
||||
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
|
||||
{
|
||||
# Data is returned as "<dateFirstDetected> <detectionRate>"
|
||||
local MHR_answer = split1(MHR_result, / /);
|
||||
if ( |MHR_answer| == 2 )
|
||||
{
|
||||
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
|
||||
local mhr_detect_rate = to_count(MHR_answer[2]);
|
||||
|
||||
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
|
||||
if ( mhr_detect_rate >= notice_threshold )
|
||||
{
|
||||
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
|
||||
local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
|
||||
NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- detect-MHR.bro
|
||||
|
||||
|
||||
module TeamCymruMalwareHashRegistry;
|
||||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- detect-MHR.bro
|
||||
|
||||
## The hash value of a file transferred over HTTP matched in the
|
||||
## malware hash registry.
|
||||
Match
|
||||
};
|
||||
|
||||
## File types to attempt matching against the Malware Hash Registry.
|
||||
const match_file_types = /application\/x-dosexec/ |
|
||||
/application\/vnd.ms-cab-compressed/ |
|
||||
/application\/pdf/ |
|
||||
/application\/x-shockwave-flash/ |
|
||||
/application\/x-java-applet/ |
|
||||
/application\/jar/ |
|
||||
/video\/mp4/ &redef;
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- detect-MHR.bro
|
||||
|
||||
## The malware hash registry runs each malware sample through several A/V engines.
|
||||
## Team Cymru returns a percentage to indicate how many A/V engines flagged the
|
||||
## sample as malicious. This threshold allows you to require a minimum detection
|
||||
## rate.
|
||||
const notice_threshold = 10 &redef;
|
||||
}
|
||||
|
||||
event file_hash(f: fa_file, kind: string, hash: string)
|
||||
{
|
||||
if ( kind=="sha1" && match_file_types in f$mime_type )
|
||||
{
|
||||
local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
|
||||
when ( local MHR_result = lookup_hostname_txt(hash_domain) )
|
||||
{
|
||||
# Data is returned as "<dateFirstDetected> <detectionRate>"
|
||||
local MHR_answer = split1(MHR_result, / /);
|
||||
if ( |MHR_answer| == 2 )
|
||||
{
|
||||
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- known-hosts.bro
|
||||
|
||||
module Known;
|
||||
|
||||
export {
|
||||
global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
|
||||
}
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- interesting-hostnames.bro
|
||||
|
||||
##! This script will generate a notice if an apparent SSH login originates
|
||||
##! or heads to a host with a reverse hostname that looks suspicious. By
|
||||
##! default, the regular expression to match "interesting" hostnames includes
|
||||
##! names that are typically used for infrastructure hosts like nameservers,
|
||||
##! mail servers, web servers and ftp servers.
|
||||
|
||||
@load base/frameworks/notice
|
||||
|
||||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
## Generated if a login originates or responds with a host where the
|
||||
## reverse hostname lookup resolves to a name matched by the
|
||||
## :bro:id:`SSH::interesting_hostnames` regular expression.
|
||||
Interesting_Hostname_Login,
|
||||
};
|
||||
|
||||
## Strange/bad host names to see successful SSH logins from or to.
|
||||
const interesting_hostnames =
|
||||
/^d?ns[0-9]*\./ |
|
||||
/^smtp[0-9]*\./ |
|
||||
/^mail[0-9]*\./ |
|
||||
/^pop[0-9]*\./ |
|
||||
/^imap[0-9]*\./ |
|
||||
/^www[0-9]*\./ |
|
||||
/^ftp[0-9]*\./ &redef;
|
||||
}
|
||||
|
||||
event SSH::heuristic_successful_login(c: connection)
|
||||
{
|
||||
for ( host in set(c$id$orig_h, c$id$resp_h) )
|
||||
{
|
||||
when ( local hostname = lookup_addr(host) )
|
||||
{
|
||||
if ( interesting_hostnames in hostname )
|
||||
{
|
||||
NOTICE([$note=Interesting_Hostname_Login,
|
||||
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
|
||||
Site::is_local_addr(host) ? "local" : "remote",
|
||||
host == c$id$orig_h ? "client" : "server"),
|
||||
$sub=hostname, $conn=c]);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
# @TEST-EXEC: btest-diff %INPUT
|
||||
|
||||
-- expiring-certs.bro
|
||||
|
||||
NOTICE([$note=Certificate_Expires_Soon,
|
||||
$msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
|
||||
$conn=c, $suppress_for=1day,
|
||||
$identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
.. code-block:: none
|
||||
|
||||
# bro -r wikipedia.trace
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
# cat http.log | bro-cut ts id.orig_h | head -5
|
||||
1300475168.843894 141.142.220.118
|
||||
1300475168.975800 141.142.220.118
|
||||
1300475168.976327 141.142.220.118
|
||||
1300475168.979160 141.142.220.118
|
||||
1300475169.012666 141.142.220.118
|
||||
|
||||
|
|
@ -1,12 +1,18 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# bro -r wikipedia.trace
|
||||
|
||||
.. code-block:: guess
|
||||
:linenos:
|
||||
|
||||
# bro -r wikipedia.trace && head -15 conn.log
|
||||
#separator \x09
|
||||
#set_separator ,
|
||||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path conn
|
||||
#open 2013-08-22-22-52-46
|
||||
#open 2013-08-30-23-20-51
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
|
||||
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
|
||||
1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 (empty)
|
||||
|
|
@ -16,4 +22,5 @@
|
|||
1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 (empty)
|
||||
1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 (empty)
|
||||
1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 (empty)
|
||||
[...]
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,6 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration
|
||||
141.142.220.202 5353 224.0.0.251 -
|
||||
|
|
|
|||
|
|
@ -1,4 +1,6 @@
|
|||
.. code-block:: none
|
||||
:linenos:
|
||||
:emphasize-lines: 1,1
|
||||
|
||||
# awk '/^[^#]/ {print $3, $4, $5, $6, $9}' conn.log
|
||||
141.142.220.202 5353 224.0.0.251 5353 -
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Add a link
Reference in a new issue