Merge remote-tracking branch 'origin/master' into topic/johanna/tls12-decryption

Johanna Amann 2021-10-13 10:49:29 +01:00
commit b8b6ac744e
1531 changed files with 109968 additions and 46436 deletions


@ -0,0 +1,7 @@
# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_netlogon.pcap %INPUT
# @TEST-EXEC: btest-diff weird.log
# @TEST-EXEC: btest-diff dce_rpc.log
@load base/protocols/dce-rpc
@load base/protocols/ntlm
@load base/frameworks/notice/weird


@ -0,0 +1,5 @@
# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/dce_rpc_ntlm.pcap %INPUT
# @TEST-EXEC: btest-diff ntlm.log
@load base/protocols/dce-rpc
@load base/protocols/ntlm


@ -0,0 +1,10 @@
# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dns-binds.pcap %INPUT > output
# @TEST-EXEC: btest-diff dns.log
# @TEST-EXEC: btest-diff output
@load policy/protocols/dns/auth-addl
event dns_BINDS(c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr)
{
print "BINDS", binds;
}


@ -0,0 +1,9 @@
# @TEST-EXEC: zeek -b -r $TRACES/dns/hinfo.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/dns
event dns_HINFO_reply(c: connection, msg: dns_msg, ans: dns_answer, cpu: string, os: string)
{
print "HINFO", msg, ans, cpu, os;
}


@ -0,0 +1,11 @@
# @TEST-EXEC: zeek -b -C -r $TRACES/dnssec/nsec3param.pcap %INPUT > output
# @TEST-EXEC: btest-diff dns.log
# @TEST-EXEC: btest-diff output
@load policy/protocols/dns/auth-addl
event dns_NSEC3PARAM(c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr)
{
print "NSEC3PARAM", nsec3param,
bytestring_to_hexstr(nsec3param$nsec_salt);
}


@ -0,0 +1,10 @@
# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dns-wks.pcap %INPUT > output
# @TEST-EXEC: btest-diff dns.log
# @TEST-EXEC: btest-diff output
@load policy/protocols/dns/auth-addl
event dns_WKS_reply(c: connection, msg: dns_msg, ans: dns_answer)
{
print "WKS", dns_msg, dns_answer;
}
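Review bot: The handler body prints the record type names instead of the event parameters: `print "WKS", dns_msg, dns_answer;` refers to the types `dns_msg` and `dns_answer`, while the values received are `msg` and `ans`. As written, the `output` baseline either records type descriptions or the script fails to parse, depending on how Zeek treats a type identifier in a print statement; either way the parsed WKS answer is never captured. It should read `print "WKS", msg, ans;`, which also matches the HINFO test in this commit (`print "HINFO", msg, ans, cpu, os;`).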


@ -10,6 +10,8 @@ module GridFTP;
redef size_threshold = 2;
redef X509::relog_known_certificates_after = 0secs;
redef enum Notice::Type += {
Data_Channel
};


@ -0,0 +1,10 @@
# This tests that the HTTP analyzer handles HTTP with no CRLF at end correctly.
# @TEST-EXEC: zeek -b -r $TRACES/http/no_crlf.pcap %INPUT
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff http.log
# @TEST-EXEC: test ! -f weird.log
@load base/protocols/conn
@load base/protocols/http
@load base/frameworks/dpd


@ -9,6 +9,8 @@
@load base/frameworks/dpd
@load base/protocols/imap
redef SSL::log_include_server_certificate_subject_issuer=T;
event imap_starttls(c: connection)
{
print "Tls started for connection";


@ -4,3 +4,5 @@
@load base/protocols/rdp
@load base/protocols/ssl
redef SSL::log_include_server_certificate_subject_issuer=T;


@ -0,0 +1,117 @@
# @TEST-EXEC: zeek -b %INPUT >output
# @TEST-EXEC: btest-diff output
@load base/bif/event.bif.zeek
@load base/protocols/ssh
module SSH;
# Creates a mock connection. This connection is good enough for e.g.,
# `SSH::set_version`, but not in line with what Zeek considers active
# connections.
function make_conn(server: string, client: string): connection
{
local c: connection;
c$uid = "uid";
local id: conn_id;
id$orig_h = 127.0.0.1;
id$resp_h = 127.0.0.1;
id$orig_p = 40/tcp;
id$resp_p = 40/tcp;
c$id = id;
local ssh: SSH::Info;
ssh$ts = network_time();
ssh$server = server;
ssh$client = client;
c$ssh = ssh;
SSH::set_session(c);
delete c$ssh$version;
return c;
}
# While `SSH::set_version` triggers a `conn_weird` we are dealing with mock
# connections which since they are injected are always considered expired by
# Zeek.
event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string, source: string)
{
print "conn_weird:", name, id, addl, source;
}
const v1 = "SSH-1.5-OpenSSH_6.2";
const v199 = "SSH-1.99-OpenSSH_3.1p1";
const v2 = "SSH-2.0-OpenSSH_5.9";
event zeek_init()
{
local c: connection;
# Good cases.
{
# SSH1 vs SSH1 -> 1.
c = make_conn(v1, v1);
SSH::set_version(c);
print "SSH1 vs SSH1", c$ssh$version;
# SSH199 vs SSH1 -> 1.
c = make_conn(v1, v199);
SSH::set_version(c);
print "SSH199 vs SSH1", c$ssh$version; # 1.
# SSH2 vs SSH2 -> 2.
c = make_conn(v2, v2);
SSH::set_version(c);
print "SSH2 vs SSH2", c$ssh$version; # 2.
# SSH199 vs SSH2 -> 2.
c = make_conn(v2, v199);
SSH::set_version(c);
print "SSH199 vs SSH2", c$ssh$version; # 2.
}
# Error cases.
{
# Unset vs unset -> unset.
c = make_conn("", "");
c$ssh$version = 42;
SSH::set_version(c);
print "unset vs unset", c$ssh?$version; # Unset.
# Client unset.
c = make_conn(v2, "");
c$ssh$version = 42;
SSH::set_version(c);
print "client unset", c$ssh?$version; # Unset.
# Server unset.
c = make_conn("", v2);
c$ssh$version = 42;
SSH::set_version(c);
print "server unset", c$ssh?$version; # Unset.
# Unable to extract full server version.
c = make_conn("SSH", v1);
c$ssh$version = 42;
SSH::set_version(c);
print "incomplete server version", c$ssh?$version;
# Unable to extract full client version.
c = make_conn(v1, "SSH");
c$ssh$version = 42;
SSH::set_version(c);
print "incomplete client version", c$ssh?$version;
# SSH1 vs SSH2.
c = make_conn(v1, v2);
SSH::set_version(c);
print "SSH1 vs SSH2", c$ssh?$version; # Unset.
# SSH2 vs SSH1.
c = make_conn(v2, v1);
SSH::set_version(c);
print "SSH2 vs SSH1", c$ssh?$version; # Unset.
}
}
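Review bot: The `expired_conn_weird` handler drops the `uid` argument from its print (`print "conn_weird:", name, id, addl, source;`), even though `make_conn` deliberately sets `c$uid = "uid"` on every mock connection; including it, `print "conn_weird:", name, id, uid, addl, source;`, lets the baseline confirm each weird is attributed to the injected connection rather than to some other state. In the "Good cases." block the expected result is stated twice per case (a leading comment such as `# SSH199 vs SSH1 -> 1.` and a trailing `# 1.`); keeping one form would make the seven error cases, which only use the leading comment, consistent with it. The sentinel `c$ssh$version = 42;` before each negative `set_version` call is a good check that the field is actively unset rather than merely left untouched; a one-line comment at the first occurrence, e.g. `# Pre-set a bogus version so the test detects that set_version clears it.`, would save the reader from inferring that.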


@ -4,3 +4,4 @@
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff x509.log
# @TEST-EXEC: test ! -f dpd.log
# @TEST-EXEC: test ! -f files.log


@ -6,6 +6,9 @@
@load base/protocols/ssl
@load base/frameworks/dpd
redef SSL::log_include_client_certificate_subject_issuer = T;
redef SSL::log_include_server_certificate_subject_issuer = T;
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
{
print version, client_random, session_id, ciphers;


@ -6,6 +6,9 @@
@load base/protocols/ssl
redef SSL::log_include_client_certificate_subject_issuer = T;
redef SSL::log_include_server_certificate_subject_issuer = T;
# Certificate has 10,000 alternative names :)
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName)
{


@ -4,8 +4,6 @@
# @TEST-EXEC: btest-diff ocsp.log
# @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event zeek_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");


@ -3,8 +3,6 @@
# @TEST-EXEC: zeek -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event zeek_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");


@ -4,8 +4,6 @@
# @TEST-EXEC: btest-diff ocsp.log
# @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event zeek_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");


@ -4,8 +4,6 @@
# @TEST-EXEC: btest-diff ocsp.log
# @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event zeek_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");


@ -4,8 +4,6 @@
# @TEST-EXEC: btest-diff ocsp.log
# @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event zeek_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");


@ -0,0 +1,6 @@
# @TEST-EXEC: zeek -b -C -r $TRACES/tcp/timestamp.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
event connection_SYN_packet(c: connection, pkt: SYN_packet) {
print pkt;
}