diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log index 0bc9c55342..f33b35d3c7 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log @@ -5,13 +5,13 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Software_Version_Change XXXXXXXXXX.XXXXXX Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log index 058a5a6fcf..8f7b5f5066 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log @@ -5,8 +5,8 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Vulnerable_Version 1.2.3.4 is running Java 1.7.0.15 which is vulnerable. Java 1.7.0.15 1.2.3.4 - - - - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Vulnerable_Version 1.2.3.5 is running Java 1.6.0.43 which is vulnerable. Java 1.6.0.43 1.2.3.5 - - - - Notice::ACTION_LOG 3600.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Vulnerable_Version 1.2.3.4 is running Java 1.7.0.15 which is vulnerable. Java 1.7.0.15 1.2.3.4 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX - - - - - - - - - Software::Vulnerable_Version 1.2.3.5 is running Java 1.6.0.43 which is vulnerable. Java 1.6.0.43 1.2.3.5 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.misc.capture-loss/notice.log b/testing/btest/Baseline/scripts.policy.misc.capture-loss/notice.log index 93bb6ae3f8..e8d0bb9319 100644 --- a/testing/btest/Baseline/scripts.policy.misc.capture-loss/notice.log +++ b/testing/btest/Baseline/scripts.policy.misc.capture-loss/notice.log @@ -5,7 +5,7 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - CaptureLoss::Too_Little_Traffic Only observed 0 TCP ACKs and was expecting at least 1. - - - - - - Notice::ACTION_LOG 3600.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX - - - - - - - - - CaptureLoss::Too_Little_Traffic Only observed 0 TCP ACKs and was expecting at least 1. - - - - - - Notice::ACTION_LOG - 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log index c612b9ed8c..be9974c985 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log @@ -5,7 +5,7 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_LOG 3600.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_LOG - 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log index 5ad6abdd9a..353d8cd185 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log @@ -5,8 +5,8 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 FDiucV3BOTYQ5gNgwb - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_LOG 86400.000000 - - - - - -XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.4.149 60540 122.1.240.204 443 FxC5Iy4Ds1GrAC8Wi4 - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - - Notice::ACTION_LOG 86400.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 FDiucV3BOTYQ5gNgwb - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.4.149 60540 122.1.240.204 443 FxC5Iy4Ds1GrAC8Wi4 - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log index 2cca390d2b..09970b7acf 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log @@ -5,9 +5,9 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - - Notice::ACTION_LOG 3600.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - - Notice::ACTION_LOG - 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log index b1f2a6b416..dab76fff92 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log @@ -5,9 +5,9 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - - Notice::ACTION_LOG 3600.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - - Notice::ACTION_LOG - 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log index 09da24d714..e50370eb5a 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log @@ -5,7 +5,7 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG 3600.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG - 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log index 5467450ef9..17b2ebf35c 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log @@ -5,8 +5,8 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG 3600.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG 3600.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG - 3600.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG - 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log index eaeb40991e..75d652bef5 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log @@ -5,7 +5,7 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 46592 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 162.219.2.166 443 - - Notice::ACTION_LOG 3600.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.203.79.216 46592 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 162.219.2.166 443 - - Notice::ACTION_LOG - 3600.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log index fbcddae975..759dcc49f1 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log @@ -5,11 +5,11 @@ #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG 86400.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG 86400.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG 86400.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , @@ -17,9 +17,9 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tcp SSL::Old_Version Host uses protocol version SSLv2 which is lower than the safe minimum TLSv10 - 192.168.4.149 91.227.4.92 443 - - Notice::ACTION_LOG 86400.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tcp SSL::Old_Version Host uses protocol version SSLv2 which is lower than the safe minimum TLSv10 - 192.168.4.149 91.227.4.92 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX #separator \x09 #set_separator , @@ -27,8 +27,8 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tc #unset_field - #path notice #open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG 86400.000000 - - - - - -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG 86400.000000 - - - - - +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG - 86400.000000 - - - - - #close XXXX-XX-XX-XX-XX-XX