inlining of Zeek script functions

Vern Paxson 2020-11-19 16:05:42 -08:00
parent 3c39f11726
commit c42586af2c
63 changed files with 21807 additions and 171 deletions


@ -322,6 +322,12 @@ set(MAIN_SRCS
plugin/Manager.cc
plugin/Plugin.cc
script_opt/Expr.cc
script_opt/Inline.cc
script_opt/ProfileFunc.cc
script_opt/ScriptOpt.cc
script_opt/Stmt.cc
nb_dns.c
digest.h
)


@ -39,7 +39,12 @@ const char* expr_name(BroExprTag t)
"$=", "in", "<<>>",
"()", "function()", "event", "schedule",
"coerce", "record_coerce", "table_coerce", "vector_coerce",
"sizeof", "cast", "is", "[:]="
"sizeof", "cast", "is", "[:]=",
#include "zeek/script_opt/ExprOpt-Names.h"
"nop",
};
if ( int(t) >= NUM_EXPRS )
@ -74,6 +79,12 @@ ListExpr* Expr::AsListExpr()
return (ListExpr*) this;
}
ListExprPtr Expr::AsListExprPtr()
{
CHECK_TAG(tag, EXPR_LIST, "ExprVal::AsListExpr", expr_name)
return {NewRef{}, (ListExpr*) this};
}
const NameExpr* Expr::AsNameExpr() const
{
CHECK_TAG(tag, EXPR_NAME, "ExprVal::AsNameExpr", expr_name)
@ -86,6 +97,18 @@ NameExpr* Expr::AsNameExpr()
return (NameExpr*) this;
}
const ConstExpr* Expr::AsConstExpr() const
{
CHECK_TAG(tag, EXPR_CONST, "ExprVal::AsConstExpr", expr_name)
return (const ConstExpr*) this;
}
const CallExpr* Expr::AsCallExpr() const
{
CHECK_TAG(tag, EXPR_CALL, "ExprVal::AsCallExpr", expr_name)
return (const CallExpr*) this;
}
const AssignExpr* Expr::AsAssignExpr() const
{
CHECK_TAG(tag, EXPR_ASSIGN, "ExprVal::AsAssignExpr", expr_name)
@ -110,6 +133,18 @@ IndexExpr* Expr::AsIndexExpr()
return (IndexExpr*) this;
}
const EventExpr* Expr::AsEventExpr() const
{
CHECK_TAG(tag, EXPR_EVENT, "ExprVal::AsEventExpr", expr_name)
return (const EventExpr*) this;
}
EventExprPtr Expr::AsEventExprPtr()
{
CHECK_TAG(tag, EXPR_EVENT, "ExprVal::AsEventExpr", expr_name)
return {NewRef{}, (EventExpr*) this};
}
bool Expr::CanAdd() const
{
return false;
@ -244,7 +279,7 @@ void Expr::ExprError(const char msg[])
void Expr::RuntimeError(const std::string& msg) const
{
reporter->ExprRuntimeError(this, "%s", msg.data());
reporter->ExprRuntimeError(Original(), "%s", msg.data());
}
void Expr::RuntimeErrorWithCallStack(const std::string& msg) const
@ -252,13 +287,14 @@ void Expr::RuntimeErrorWithCallStack(const std::string& msg) const
auto rcs = render_call_stack();
if ( rcs.empty() )
reporter->ExprRuntimeError(this, "%s", msg.data());
reporter->ExprRuntimeError(Original(), "%s", msg.data());
else
{
ODesc d;
d.SetShort();
Describe(&d);
reporter->RuntimeError(GetLocationInfo(), "%s, expression: %s, call stack: %s",
reporter->RuntimeError(Original()->GetLocationInfo(),
"%s, expression: %s, call stack: %s",
msg.data(), d.Description(), rcs.data());
}
}
@ -934,6 +970,17 @@ void BinaryExpr::PromoteType(TypeTag t, bool is_vector)
SetType(base_type(t));
}
void BinaryExpr::PromoteForInterval(ExprPtr& op)
{
if ( is_vector(op1) || is_vector(op2) )
SetType(make_intrusive<VectorType>(base_type(TYPE_INTERVAL)));
else
SetType(base_type(TYPE_INTERVAL));
if ( op->GetType()->Tag() != TYPE_DOUBLE )
op = make_intrusive<ArithCoerceExpr>(op, TYPE_DOUBLE);
}
CloneExpr::CloneExpr(ExprPtr arg_op)
: UnaryExpr(EXPR_CLONE, std::move(arg_op))
{
@ -1416,12 +1463,7 @@ TimesExpr::TimesExpr(ExprPtr arg_op1, ExprPtr arg_op2)
if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL )
{
if ( IsArithmetic(bt1) || IsArithmetic(bt2) )
{
if ( is_vector(op1) && is_vector(op2) )
SetType(make_intrusive<VectorType>(base_type(TYPE_INTERVAL)));
else
PromoteType(TYPE_INTERVAL, is_vector(op1) || is_vector(op2) );
}
PromoteForInterval(IsArithmetic(bt1) ? op1 : op2);
else
ExprError("multiplication with interval requires arithmetic operand");
}
@ -1457,12 +1499,7 @@ DivideExpr::DivideExpr(ExprPtr arg_op1, ExprPtr arg_op2)
if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL )
{
if ( IsArithmetic(bt1) || IsArithmetic(bt2) )
{
if ( is_vector(op1) && is_vector(op2) )
SetType(make_intrusive<VectorType>(base_type(TYPE_INTERVAL)));
else
PromoteType(TYPE_INTERVAL, is_vector(op1) || is_vector(op2));
}
PromoteForInterval(IsArithmetic(bt1) ? op1 : op2);
else if ( bt1 == TYPE_INTERVAL && bt2 == TYPE_INTERVAL )
{
if ( is_vector(op1) || is_vector(op2) )
@ -3153,7 +3190,8 @@ TraversalCode RecordConstructorExpr::Traverse(TraversalCallback* cb) const
TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list,
std::unique_ptr<std::vector<AttrPtr>> arg_attrs,
TypePtr arg_type)
TypePtr arg_type,
AttributesPtr arg_attrs2)
: UnaryExpr(EXPR_TABLE_CONSTRUCTOR, std::move(constructor_list))
{
if ( IsError() )
@ -3189,6 +3227,8 @@ TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list,
if ( arg_attrs )
attrs = make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false);
else
attrs = arg_attrs2;
const auto& indices = type->AsTableType()->GetIndices()->GetTypes();
const ExprPList& cle = op->AsListExpr()->Exprs();
@ -3288,7 +3328,8 @@ void TableConstructorExpr::ExprDescribe(ODesc* d) const
SetConstructorExpr::SetConstructorExpr(ListExprPtr constructor_list,
std::unique_ptr<std::vector<AttrPtr>> arg_attrs,
TypePtr arg_type)
TypePtr arg_type,
AttributesPtr arg_attrs2)
: UnaryExpr(EXPR_SET_CONSTRUCTOR, std::move(constructor_list))
{
if ( IsError() )
@ -3321,6 +3362,8 @@ SetConstructorExpr::SetConstructorExpr(ListExprPtr constructor_list,
if ( arg_attrs )
attrs = make_intrusive<Attributes>(std::move(*arg_attrs), type, false, false);
else
attrs = arg_attrs2;
const auto& indices = type->AsTableType()->GetIndices()->GetTypes();
ExprPList& cle = op->AsListExpr()->Exprs();
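Review bot: In both TableConstructorExpr and SetConstructorExpr, a caller that supplies both `arg_attrs` and `arg_attrs2` has the second one silently ignored, and the `else attrs = arg_attrs2;` path stores the caller's Attributes object as-is instead of building one against `type` the way the first branch does. If sharing an already-built Attributes object is the intent (for example when an expression is duplicated), say so at the branch, e.g. `// arg_attrs2 is only consulted when arg_attrs is null; it is adopted as-is, not rebuilt against type`. The name `arg_attrs2` also differs from the header declaration shown on this page (`arg_attrs`, next to a first parameter called `attrs`), which makes the two easy to mix up. Both constructor bodies continue outside the hunks.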


@ -10,6 +10,7 @@
#include "zeek/ZeekList.h"
#include "zeek/IntrusivePtr.h"
#include "zeek/StmtBase.h"
#include "zeek/Timer.h"
#include "zeek/Type.h"
#include "zeek/EventHandler.h"
@ -66,13 +67,19 @@ enum BroExprTag : int {
EXPR_CAST,
EXPR_IS,
EXPR_INDEX_SLICE_ASSIGN,
#define NUM_EXPRS (int(EXPR_INDEX_SLICE_ASSIGN) + 1)
#include "zeek/script_opt/ExprOpt-Enums.h"
EXPR_NOP,
#define NUM_EXPRS (int(EXPR_NOP) + 1)
};
extern const char* expr_name(BroExprTag t);
class ListExpr;
class NameExpr;
class ConstExpr;
class IndexExpr;
class AssignExpr;
class CallExpr;
@ -82,7 +89,7 @@ class Stmt;
class Expr;
using ExprPtr = IntrusivePtr<Expr>;
using EventExprPtr = IntrusivePtr<EventExpr>;
using ListExprPtr = IntrusivePtr<ListExpr>;
using StmtPtr = IntrusivePtr<Stmt>;
class Expr : public Obj {
public:
@ -99,6 +106,7 @@ public:
BroExprTag Tag() const { return tag; }
Expr* Ref() { zeek::Ref(this); return this; }
ExprPtr ThisPtr() { return {NewRef{}, this}; }
// Evaluates the expression and returns a corresponding Val*,
// or nil if the expression's value isn't fixed.
@ -171,22 +179,26 @@ public:
void MarkParen() { paren = true; }
bool IsParen() const { return paren; }
const ListExpr* AsListExpr() const;
ListExpr* AsListExpr();
#undef ACCESSORS
#define ACCESSORS(ctype) \
const ctype* As ## ctype () const; \
ctype* As ## ctype (); \
IntrusivePtr<ctype> As ## ctype ## Ptr ();
const NameExpr* AsNameExpr() const;
NameExpr* AsNameExpr();
const AssignExpr* AsAssignExpr() const;
AssignExpr* AsAssignExpr();
const IndexExpr* AsIndexExpr() const;
IndexExpr* AsIndexExpr();
ACCESSORS(ListExpr)
ACCESSORS(NameExpr)
ACCESSORS(ConstExpr)
ACCESSORS(CallExpr)
ACCESSORS(AssignExpr)
ACCESSORS(IndexExpr)
ACCESSORS(EventExpr)
void Describe(ODesc* d) const override final;
virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
#include "zeek/script_opt/ExprOpt-Public.h"
protected:
Expr() = default;
explicit Expr(BroExprTag arg_tag);
@ -211,6 +223,8 @@ protected:
BroExprTag tag;
TypePtr type;
bool paren;
#include "zeek/script_opt/ExprOpt-Private.h"
};
class NameExpr final : public Expr {
@ -226,6 +240,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
void ExprDescribe(ODesc* d) const override;
@ -238,11 +255,15 @@ public:
explicit ConstExpr(ValPtr val);
Val* Value() const { return val.get(); }
ValPtr ValuePtr() const { return val; }
ValPtr Eval(Frame* f) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
void ExprDescribe(ODesc* d) const override;
ValPtr val;
@ -261,6 +282,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Inline(Inliner* inl) override;
protected:
UnaryExpr(BroExprTag arg_tag, ExprPtr arg_op);
@ -286,6 +310,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Inline(Inliner* inl) override;
protected:
BinaryExpr(BroExprTag arg_tag,
ExprPtr arg_op1, ExprPtr arg_op2)
@ -325,6 +352,11 @@ protected:
// operands and also set expression's type).
void PromoteType(TypeTag t, bool is_vector);
// Promote one of the operands to be "double" (if not already),
// to make it suitable for combining with the other "interval"
// operand, yielding an "interval" type.
void PromoteForInterval(ExprPtr& op);
void ExprDescribe(ODesc* d) const override;
ExprPtr op1;
@ -336,6 +368,9 @@ public:
explicit CloneExpr(ExprPtr op);
ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
};
@ -347,12 +382,18 @@ public:
ValPtr Eval(Frame* f) const override;
ValPtr DoSingleEval(Frame* f, Val* v) const;
bool IsPure() const override;
// Optimization-related:
ExprPtr Duplicate() override;
};
class ComplementExpr final : public UnaryExpr {
public:
explicit ComplementExpr(ExprPtr op);
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
};
@ -361,6 +402,9 @@ class NotExpr final : public UnaryExpr {
public:
explicit NotExpr(ExprPtr op);
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
};
@ -369,6 +413,9 @@ class PosExpr final : public UnaryExpr {
public:
explicit PosExpr(ExprPtr op);
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
};
@ -377,6 +424,9 @@ class NegExpr final : public UnaryExpr {
public:
explicit NegExpr(ExprPtr op);
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
};
@ -386,6 +436,9 @@ public:
explicit SizeExpr(ExprPtr op);
ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
};
@ -394,35 +447,53 @@ class AddExpr final : public BinaryExpr {
public:
AddExpr(ExprPtr op1, ExprPtr op2);
void Canonicize() override;
// Optimization-related:
ExprPtr Duplicate() override;
};
class AddToExpr final : public BinaryExpr {
public:
AddToExpr(ExprPtr op1, ExprPtr op2);
ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
};
class RemoveFromExpr final : public BinaryExpr {
public:
RemoveFromExpr(ExprPtr op1, ExprPtr op2);
ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
};
class SubExpr final : public BinaryExpr {
public:
SubExpr(ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
};
class TimesExpr final : public BinaryExpr {
public:
TimesExpr(ExprPtr op1, ExprPtr op2);
void Canonicize() override;
// Optimization-related:
ExprPtr Duplicate() override;
};
class DivideExpr final : public BinaryExpr {
public:
DivideExpr(ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr AddrFold(Val* v1, Val* v2) const override;
};
@ -430,6 +501,9 @@ protected:
class ModExpr final : public BinaryExpr {
public:
ModExpr(ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
};
class BoolExpr final : public BinaryExpr {
@ -438,11 +512,17 @@ public:
ValPtr Eval(Frame* f) const override;
ValPtr DoSingleEval(Frame* f, ValPtr v1, Expr* op2) const;
// Optimization-related:
ExprPtr Duplicate() override;
};
class BitExpr final : public BinaryExpr {
public:
BitExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
};
class EqExpr final : public BinaryExpr {
@ -450,6 +530,9 @@ public:
EqExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2);
void Canonicize() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v1, Val* v2) const override;
};
@ -458,6 +541,9 @@ class RelExpr final : public BinaryExpr {
public:
RelExpr(BroExprTag tag, ExprPtr op1, ExprPtr op2);
void Canonicize() override;
// Optimization-related:
ExprPtr Duplicate() override;
};
class CondExpr final : public Expr {
@ -473,6 +559,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected:
void ExprDescribe(ODesc* d) const override;
@ -487,6 +577,9 @@ public:
void Assign(Frame* f, ValPtr v) override;
ExprPtr MakeLvalue() override;
// Optimization-related:
ExprPtr Duplicate() override;
};
class AssignExpr : public BinaryExpr {
@ -509,6 +602,9 @@ public:
op2 = std::move(e);
}
// Optimization-related:
ExprPtr Duplicate() override;
protected:
bool TypeCheck(const AttributesPtr& attrs = nullptr);
bool TypeCheckArithmetics(TypeTag bt1, TypeTag bt2);
@ -522,6 +618,9 @@ public:
IndexSliceAssignExpr(ExprPtr op1,
ExprPtr op2, bool is_init);
ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
};
class IndexExpr : public BinaryExpr {
@ -546,6 +645,9 @@ public:
bool IsSlice() const { return is_slice; }
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v1, Val* v2) const override;
@ -585,6 +687,9 @@ public:
return v;
}
// Optimization-related:
ExprPtr Duplicate() override;
};
class FieldExpr final : public UnaryExpr {
@ -602,6 +707,9 @@ public:
ExprPtr MakeLvalue() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
@ -621,6 +729,9 @@ public:
const char* FieldName() const { return field_name; }
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
@ -643,6 +754,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
@ -655,7 +769,8 @@ class TableConstructorExpr final : public UnaryExpr {
public:
TableConstructorExpr(ListExprPtr constructor_list,
std::unique_ptr<std::vector<AttrPtr>> attrs,
TypePtr arg_type = nullptr);
TypePtr arg_type = nullptr,
AttributesPtr arg_attrs = nullptr);
[[deprecated("Remove in v4.1. Use GetAttrs().")]]
Attributes* Attrs() { return attrs.get(); }
@ -665,6 +780,9 @@ public:
ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
@ -677,7 +795,8 @@ class SetConstructorExpr final : public UnaryExpr {
public:
SetConstructorExpr(ListExprPtr constructor_list,
std::unique_ptr<std::vector<AttrPtr>> attrs,
TypePtr arg_type = nullptr);
TypePtr arg_type = nullptr,
AttributesPtr arg_attrs = nullptr);
[[deprecated("Remove in v4.1. Use GetAttrs().")]]
Attributes* Attrs() { return attrs.get(); }
@ -687,6 +806,9 @@ public:
ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
@ -702,6 +824,9 @@ public:
ValPtr Eval(Frame* f) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
@ -717,6 +842,9 @@ public:
void EvalIntoAggregate(const zeek::Type* t, Val* aggr, Frame* f) const override;
bool IsRecordElement(TypeDecl* td) const override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
void ExprDescribe(ODesc* d) const override;
@ -727,6 +855,9 @@ class ArithCoerceExpr final : public UnaryExpr {
public:
ArithCoerceExpr(ExprPtr op, TypeTag t);
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr FoldSingleVal(Val* v, InternalTypeTag t) const;
ValPtr Fold(Val* v) const override;
@ -737,6 +868,9 @@ public:
RecordCoerceExpr(ExprPtr op, RecordTypePtr r);
~RecordCoerceExpr() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr InitVal(const zeek::Type* t, ValPtr aggr) const override;
ValPtr Fold(Val* v) const override;
@ -752,6 +886,9 @@ public:
TableCoerceExpr(ExprPtr op, TableTypePtr r);
~TableCoerceExpr() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
};
@ -761,6 +898,9 @@ public:
VectorCoerceExpr(ExprPtr op, VectorTypePtr v);
~VectorCoerceExpr() override;
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
};
@ -790,6 +930,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected:
void ExprDescribe(ODesc* d) const override;
@ -801,6 +945,9 @@ class InExpr final : public BinaryExpr {
public:
InExpr(ExprPtr op1, ExprPtr op2);
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v1, Val* v2) const override;
@ -820,6 +967,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected:
void ExprDescribe(ODesc* d) const override;
@ -843,6 +994,10 @@ public:
Scope* GetScope() const;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected:
void ExprDescribe(ODesc* d) const override;
@ -865,6 +1020,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected:
void ExprDescribe(ODesc* d) const override;
@ -896,6 +1055,10 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
ExprPtr Duplicate() override;
ExprPtr Inline(Inliner* inl) override;
protected:
ValPtr AddSetInit(const zeek::Type* t, ValPtr aggr) const;
@ -914,6 +1077,9 @@ class CastExpr final : public UnaryExpr {
public:
CastExpr(ExprPtr op, TypePtr t);
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Eval(Frame* f) const override;
void ExprDescribe(ODesc* d) const override;
@ -923,6 +1089,9 @@ class IsExpr final : public UnaryExpr {
public:
IsExpr(ExprPtr op, TypePtr t);
// Optimization-related:
ExprPtr Duplicate() override;
protected:
ValPtr Fold(Val* v) const override;
void ExprDescribe(ODesc* d) const override;
@ -931,6 +1100,10 @@ private:
TypePtr t;
};
#include "zeek/script_opt/ExprOpt-Subclasses.h"
inline Val* Expr::ExprVal() const
{
if ( ! IsConst() )
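Review bot: The `ACCESSORS` macro declares three members for each of the seven types, including non-const `AsConstExpr()`, `AsCallExpr()` and `AsEventExpr()` and an `As…Ptr()` variant for every type, but the Expr.cc changes visible on this page add only `AsListExprPtr`, `AsEventExprPtr` and the const forms of the new accessors. Unless the remaining definitions live in a part of the commit not shown here, the others are declared but undefined and will surface only as link errors at first use; either define them all alongside the existing ones or narrow what the macro declares. The macro also stays defined after its last use in a widely included header, so adding `#undef ACCESSORS` after `ACCESSORS(EventExpr)` would keep it from leaking into including files.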


@ -30,6 +30,8 @@ Frame::Frame(int arg_size, const ScriptFunc* func, const zeek::Args* fn_args)
delayed = false;
closure = nullptr;
current_offset = 0;
}
Frame::~Frame()
@ -68,12 +70,16 @@ void Frame::SetElement(int n, Val* v)
void Frame::SetElement(int n, ValPtr v)
{
n += current_offset;
ClearElement(n);
frame[n] = {std::move(v), false};
}
void Frame::SetElementWeak(int n, Val* v)
{
n += current_offset;
ClearElement(n);
frame[n] = {{AdoptRef{}, v}, true};
}
@ -120,10 +126,10 @@ const ValPtr& Frame::GetElementByID(const ID* id) const
{
auto where = offset_map->find(std::string(id->Name()));
if ( where != offset_map->end() )
return frame[where->second].val;
return frame[where->second + current_offset].val;
}
return frame[id->Offset()].val;
return frame[id->Offset() + current_offset].val;
}
void Frame::Reset(int startIdx)
@ -142,7 +148,7 @@ void Frame::Reset(int startIdx)
functions_with_closure_frame_reference.reset();
}
for ( int i = startIdx; i < size; ++i )
for ( int i = startIdx + current_offset; i < size; ++i )
ClearElement(i);
}
@ -244,7 +250,7 @@ Frame* Frame::SelectiveClone(const IDPList& selection, ScriptFunc* func) const
}
}
if ( ! frame[id->Offset()].val )
if ( ! frame[id->Offset() + current_offset].val )
reporter->InternalError("Attempted to clone an id ('%s') with no associated value.", id->Name());
CloneNonFuncElement(id->Offset(), func, other);
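Review bot: SelectiveClone now tests `frame[id->Offset() + current_offset].val` but still passes the unshifted `id->Offset()` to `CloneNonFuncElement`, so the null check and the clone can refer to different slots whenever `current_offset` is non-zero, unless that helper applies the offset itself (its body is not in the hunk). More generally the section mixes conventions: SetElement and SetElementWeak shift `n` and then hand the shifted value to `ClearElement`, while Reset shifts only the loop start, so a comment stating which functions take frame-relative indices and which take absolute ones would prevent double or missing shifts. None of the shifted accesses is compared with `size`; a debug check such as `assert(n >= 0 && n < size);` right after `n += current_offset;` would turn an unbalanced offset into an immediate failure instead of an out-of-bounds access to `frame[]`.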


@ -98,6 +98,15 @@ public:
Val* GetElement(const ID* id) const
{ return GetElementByID(id).get(); }
/**
* Increases the current offset being used for frame accesses.
* This is in support of inlined functions.
*
* @param incr Amount by which to increase the frame offset.
* Use a negative value to shrink the offset.
*/
void IncreaseOffset(int incr) { current_offset += incr; }
/**
* Resets all of the indexes from [*startIdx, frame_size) in
* the Frame.
@ -316,6 +325,12 @@ private:
/** Associates ID's offsets with values. */
std::unique_ptr<Element[]> frame;
/** The offset we're currently using for references into the frame.
* This is how we support inlined functions without having to
* alter the offsets associated with their local variables.
*/
int current_offset;
/** The enclosing frame of this frame. */
Frame* closure;
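Review bot: The doc comment on `IncreaseOffset` does not say that every increase has to be undone by a matching negative call before control leaves the inlined body, and nothing enforces it. Because the offset silently redirects every later frame access, an early return or error path that skips the restore leaves the caller's locals mapped to the wrong slots. Consider stating the pairing requirement in the comment and guarding the update with `assert(current_offset + incr >= 0);`, or wrapping adjust-and-restore in a small scope guard. `current_offset` would also be more robust with an in-class initializer, `int current_offset = 0;`, rather than depending on the assignment in the constructor body.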


@ -115,7 +115,7 @@ std::string render_call_stack()
if ( ci.call )
{
auto loc = ci.call->GetLocationInfo();
auto loc = ci.call->Original()->GetLocationInfo();
rval += util::fmt(" at %s:%d", loc->filename, loc->first_line);
}
@ -310,6 +310,7 @@ ScriptFunc::ScriptFunc(const IDPtr& arg_id, StmtPtr arg_body,
{
Body b;
b.stmts = AddInits(std::move(arg_body), aggr_inits);
current_body = b.stmts;
b.priority = priority;
bodies.push_back(b);
}
@ -385,7 +386,7 @@ ValPtr ScriptFunc::Invoke(zeek::Args* args, Frame* parent) const
{
if ( sample_logger )
sample_logger->LocationSeen(
body.stmts->GetLocationInfo());
body.stmts->Original()->GetLocationInfo());
// Fill in the rest of the frame with the function's arguments.
for ( auto j = 0u; j < args->size(); ++j )
@ -497,6 +498,8 @@ void ScriptFunc::AddBody(StmtPtr new_body,
b.stmts = new_body;
b.priority = priority;
current_body = new_body;
bodies.push_back(b);
sort(bodies.begin(), bodies.end());
}
@ -627,6 +630,7 @@ BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
type = id->GetType<FuncType>();
id->SetVal(make_intrusive<Val>(IntrusivePtr{NewRef{}, this}));
id->SetConst();
}
BuiltinFunc::~BuiltinFunc()
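Review bot: The `id->SetConst();` call in the BuiltinFunc constructor (it appears to be the line this hunk adds) changes the identifier of every built-in function, yet nothing at the call site explains why. If the purpose is to let script optimization rely on the binding never being reassigned, record that, e.g. `// Mark the BiF's identifier constant so script optimization can rely on the binding not changing.`; that reading is inferred from the commit's subject, so adjust the wording to the actual reason. The constructor body starts outside the hunk.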


@ -10,6 +10,7 @@
#include <type_traits>
#include "zeek/ZeekList.h"
#include "zeek/Stmt.h"
#include "zeek/Obj.h"
#include "zeek/IntrusivePtr.h"
#include "zeek/Type.h" /* for function_flavor */
@ -43,6 +44,8 @@ using ScopePtr = IntrusivePtr<Scope>;
using IDPtr = IntrusivePtr<ID>;
using StmtPtr = IntrusivePtr<Stmt>;
class ScriptFunc;
} // namespace detail
class Func;
@ -60,6 +63,18 @@ public:
~Func() override;
zeek::detail::ScriptFunc* AsScriptFunc()
{
return GetKind() == SCRIPT_FUNC ?
(zeek::detail::ScriptFunc*) this : nullptr;
}
const zeek::detail::ScriptFunc* AsScriptFunc() const
{
return GetKind() == SCRIPT_FUNC ?
(zeek::detail::ScriptFunc*) this : nullptr;
}
virtual bool IsPure() const = 0;
FunctionFlavor Flavor() const { return GetType()->Flavor(); }
@ -193,6 +208,22 @@ public:
const std::vector<IDPtr>& new_inits,
size_t new_frame_size, int priority) override;
StmtPtr CurrentBody() const { return current_body; }
/**
* Returns the function's frame size.
* @return The number of ValPtr slots in the function's frame.
*/
int FrameSize() const { return frame_size; }
/**
* Changes the function's frame size to a new size - used for
* script optimization/compilation.
*
* @param new_size The frame size the function should use.
*/
void SetFrameSize(int new_size) { frame_size = new_size; }
/** Sets this function's outer_id list. */
void SetOuterIDs(IDPList ids)
{ outer_ids = std::move(ids); }
@ -226,6 +257,9 @@ private:
// The frame the ScriptFunc was initialized in.
Frame* closure = nullptr;
bool weak_closure_ref = false;
// The most recently added/updated body.
StmtPtr current_body;
};
using built_in_func = BifReturnVal (*)(Frame* frame, const Args* args);
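Review bot: Both `AsScriptFunc()` overloads use a C-style cast, and the const overload casts `this` to a non-const `zeek::detail::ScriptFunc*`, dropping constness before the implicit conversion back to the const return type. At this point in the header `ScriptFunc` is only forward-declared (`class ScriptFunc;`), so, assuming its definition comes later in the file, the compiler cannot verify the base/derived relationship and the cast relies on the `Func` subobject sitting at offset zero. Declaring the two accessors here and defining them after `ScriptFunc` with `return GetKind() == SCRIPT_FUNC ? static_cast<const ScriptFunc*>(this) : nullptr;` (and the non-const equivalent) keeps const-correctness and makes the downcast checked at compile time.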


@ -3,6 +3,7 @@
#include "zeek-config.h"
#include "zeek/Options.h"
#include "zeek/script_opt/ScriptOpt.h"
#include <unistd.h>
@ -104,6 +105,7 @@ void usage(const char* prog, int code)
fprintf(stderr, " -H|--save-seeds <file> | save seeds to given file\n");
fprintf(stderr, " -I|--print-id <ID name> | print out given ID\n");
fprintf(stderr, " -N|--print-plugins | print available plugins and exit (-NN for verbose)\n");
fprintf(stderr, " -O|--optimize[=<option>] | enable script optimization (use -O help for options)\n");
fprintf(stderr, " -P|--prime-dns | prime DNS\n");
fprintf(stderr, " -Q|--time | print execution time summary to stderr\n");
fprintf(stderr, " -S|--debug-rules | enable rule debugging\n");
@ -141,6 +143,30 @@ void usage(const char* prog, int code)
exit(code);
}
static void set_analysis_option(const char* opt, Options& opts)
{
if ( util::streq(opt, "help") )
{
fprintf(stderr, "--optimize options:\n");
fprintf(stderr, " help print this list\n");
fprintf(stderr, " inline inline function calls\n");
fprintf(stderr, " recursive report on recursive functions and exit\n");
exit(0);
}
if ( util::streq(opt, "inline") )
opts.analysis_options.inliner = true;
else if ( util::streq(opt, "recursive") )
opts.analysis_options.inliner =
opts.analysis_options.report_recursive = true;
else
{
fprintf(stderr,"zeek: unrecognized --optimize option: %s\n", opt);
exit(1);
}
}
Options parse_cmdline(int argc, char** argv)
{
Options rval;
@ -252,6 +278,7 @@ Options parse_cmdline(int argc, char** argv)
{"load-seeds", required_argument, nullptr, 'G'},
{"save-seeds", required_argument, nullptr, 'H'},
{"print-plugins", no_argument, nullptr, 'N'},
{"optimize", required_argument, nullptr, 'O'},
{"prime-dns", no_argument, nullptr, 'P'},
{"time", no_argument, nullptr, 'Q'},
{"debug-rules", no_argument, nullptr, 'S'},
@ -279,7 +306,7 @@ Options parse_cmdline(int argc, char** argv)
};
char opts[256];
util::safe_strncpy(opts, "B:e:f:G:H:I:i:j::n:p:r:s:T:t:U:w:X:CDFNPQSWabdhv",
util::safe_strncpy(opts, "B:e:f:G:H:I:i:j::n:O:p:r:s:T:t:U:w:X:CDFNPQSWabdhv",
sizeof(opts));
#ifdef USE_PERFTOOLS_DEBUG
@ -401,6 +428,9 @@ Options parse_cmdline(int argc, char** argv)
case 'N':
++rval.print_plugins;
break;
case 'O':
set_analysis_option(optarg, rval);
break;
case 'P':
if ( rval.dns_mode != detail::DNS_DEFAULT )
usage(zargs[0], 1);
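Review bot: The usage line advertises `-O|--optimize[=<option>]`, which reads as an optional argument, but the option is registered as `required_argument` and as `O:` in the getopt string, so a bare `-O` is rejected by getopt rather than enabling a default. Either change the help text to `-O|--optimize <option>` or make the argument optional and handle a null `optarg` in `set_analysis_option`, which passes it straight to `util::streq`. The `recursive` branch also switches on `inliner` through the chained assignment; a short comment there would make clear that this side effect is deliberate.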


@ -7,6 +7,7 @@
#include <vector>
#include "zeek/DNS_Mgr.h"
#include "zeek/script_opt/ScriptOpt.h"
namespace zeek {
@ -76,6 +77,9 @@ struct Options {
std::vector<std::string> script_options_to_set;
std::vector<std::string> script_args;
// For script optimization:
detail::AnalyOpt analysis_options;
};
/**


@ -188,6 +188,7 @@ IDPtr install_ID(const char* name, const char* module_name,
void push_existing_scope(Scope* scope)
{
top_scope = scope;
scopes.push_back(scope);
}


@ -44,9 +44,14 @@ public:
{ return Find(name).get(); }
template<typename N, typename I>
void Insert(N&& name, I&& id) { local[std::forward<N>(name)] = std::forward<I>(id); }
void Insert(N&& name, I&& id)
{
local[std::forward<N>(name)] = std::forward<I>(id);
ordered_vars.push_back(std::forward<I>(id));
}
IDPtr Remove(std::string_view name);
[[deprecated("Remove in v4.1 as an unused API call.")]]
[[deprecated("Remove in v4.1. Use GetID().")]]
ID* ScopeID() const { return scope_id.get(); }
@ -64,7 +69,8 @@ public:
{ return return_type; }
size_t Length() const { return local.size(); }
const auto& Vars() { return local; }
const auto& Vars() const { return local; }
const auto& OrderedVars() const { return ordered_vars; }
IDPtr GenerateTemporary(const char* name);
@ -86,6 +92,13 @@ protected:
TypePtr return_type;
std::map<std::string, IDPtr, std::less<>> local;
std::vector<IDPtr> inits;
// We keep track of identifiers in the order that they're added.
// This is necessary for script optimization to be able to find
// event/hook parameters for instances where the declaration of
// an additional handler uses different names for the parameters
// than the original declaration.
std::vector<IntrusivePtr<ID>> ordered_vars;
};
// If no_global is true, don't search in the default "global" namespace.
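Review bot: `Insert` forwards `id` twice, first in `local[std::forward<N>(name)] = std::forward<I>(id);` and again in `ordered_vars.push_back(std::forward<I>(id));`. When a caller passes an rvalue `IDPtr`, the first statement may move from it, so the vector can end up holding an empty pointer. Assign once and copy from the stored value instead: `auto& slot = local[std::forward<N>(name)];`, `slot = std::forward<I>(id);`, `ordered_vars.push_back(slot);`. Re-inserting an existing name also appends a second entry to `ordered_vars`, and nothing visible in this section drops entries when `Remove()` is called, so `OrderedVars()` can drift out of step with `Vars()`.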


@ -133,7 +133,7 @@ bool ScriptCoverageManager::WriteStats()
it != stmts.end(); ++it )
{
ODesc location_info;
(*it)->GetLocationInfo()->Describe(&location_info);
(*it)->Original()->GetLocationInfo()->Describe(&location_info);
ODesc desc_info;
(*it)->Describe(&desc_info);
string desc(desc_info.Description());


@ -70,6 +70,30 @@ ForStmt* Stmt::AsForStmt()
return (ForStmt*) this;
}
const ForStmt* Stmt::AsForStmt() const
{
CHECK_TAG(tag, STMT_FOR, "Stmt::AsForStmt", stmt_name)
return (const ForStmt*) this;
}
const InitStmt* Stmt::AsInitStmt() const
{
CHECK_TAG(tag, STMT_INIT, "Stmt::AsInitStmt", stmt_name)
return (const InitStmt*) this;
}
const WhenStmt* Stmt::AsWhenStmt() const
{
CHECK_TAG(tag, STMT_WHEN, "Stmt::AsWhenStmt", stmt_name)
return (const WhenStmt*) this;
}
const SwitchStmt* Stmt::AsSwitchStmt() const
{
CHECK_TAG(tag, STMT_SWITCH, "Stmt::AsSwitchStmt", stmt_name)
return (const SwitchStmt*) this;
}
bool Stmt::SetLocationInfo(const Location* start, const Location* end)
{
if ( ! Obj::SetLocationInfo(start, end) )
@ -83,7 +107,8 @@ bool Stmt::SetLocationInfo(const Location* start, const Location* end)
Filemap& map = *(map_iter->second);
StmtLocMapping* new_mapping = new StmtLocMapping(GetLocationInfo(), this);
StmtLocMapping* new_mapping =
new StmtLocMapping(Original()->GetLocationInfo(), this);
// Optimistically just put it at the end.
map.push_back(new_mapping);
@ -111,6 +136,11 @@ bool Stmt::IsPure() const
}
void Stmt::Describe(ODesc* d) const
{
StmtDescribe(d);
}
void Stmt::StmtDescribe(ODesc* d) const
{
if ( ! d->IsReadable() || Tag() != STMT_EXPR )
AddTag(d);
@ -163,7 +193,7 @@ ExprListStmt::ExprListStmt(StmtTag t, ListExprPtr arg_l)
Error("value of type void illegal");
}
SetLocationInfo(l->GetLocationInfo());
SetLocationInfo(l->Original()->GetLocationInfo());
}
ExprListStmt::~ExprListStmt() = default;
@ -181,9 +211,9 @@ ValPtr ExprListStmt::Exec(Frame* f, StmtFlowType& flow) const
return nullptr;
}
void ExprListStmt::Describe(ODesc* d) const
void ExprListStmt::StmtDescribe(ODesc* d) const
{
Stmt::Describe(d);
Stmt::StmtDescribe(d);
l->Describe(d);
DescribeDone(d);
}
@ -314,13 +344,13 @@ ExprStmt::ExprStmt(ExprPtr arg_e) : Stmt(STMT_EXPR), e(std::move(arg_e))
if ( e && e->IsPure() )
Warn("expression value ignored");
SetLocationInfo(e->GetLocationInfo());
SetLocationInfo(e->Original()->GetLocationInfo());
}
ExprStmt::ExprStmt(StmtTag t, ExprPtr arg_e) : Stmt(t), e(std::move(arg_e))
{
if ( e )
SetLocationInfo(e->GetLocationInfo());
SetLocationInfo(e->Original()->GetLocationInfo());
}
ExprStmt::~ExprStmt() = default;
@ -348,9 +378,9 @@ bool ExprStmt::IsPure() const
return ! e || e->IsPure();
}
void ExprStmt::Describe(ODesc* d) const
void ExprStmt::StmtDescribe(ODesc* d) const
{
Stmt::Describe(d);
Stmt::StmtDescribe(d);
if ( d->IsReadable() && Tag() == STMT_IF )
d->Add("(");
@ -393,8 +423,8 @@ IfStmt::IfStmt(ExprPtr test,
if ( ! e->IsError() && ! IsBool(e->GetType()->Tag()) )
e->Error("conditional in test must be boolean");
const Location* loc1 = s1->GetLocationInfo();
const Location* loc2 = s2->GetLocationInfo();
const Location* loc1 = s1->Original()->GetLocationInfo();
const Location* loc2 = s2->Original()->GetLocationInfo();
SetLocationInfo(loc1, loc2);
}
@ -425,9 +455,9 @@ bool IfStmt::IsPure() const
return e->IsPure() && s1->IsPure() && s2->IsPure();
}
void IfStmt::Describe(ODesc* d) const
void IfStmt::StmtDescribe(ODesc* d) const
{
ExprStmt::Describe(d);
ExprStmt::StmtDescribe(d);
d->PushIndent();
s1->AccessStats(d);
@ -775,7 +805,7 @@ bool SwitchStmt::AddCaseLabelValueMapping(const Val* v, int idx)
if ( ! hk )
{
reporter->PushLocation(e->GetLocationInfo());
reporter->PushLocation(e->Original()->GetLocationInfo());
reporter->InternalError("switch expression type mismatch (%s/%s)",
type_name(v->GetType()->Tag()),
type_name(e->GetType()->Tag()));
@ -816,7 +846,7 @@ std::pair<int, ID*> SwitchStmt::FindCaseLabelMatch(const Val* v) const
if ( ! hk )
{
reporter->PushLocation(e->GetLocationInfo());
reporter->PushLocation(e->Original()->GetLocationInfo());
reporter->Error("switch expression type mismatch (%s/%s)",
type_name(v->GetType()->Tag()),
type_name(e->GetType()->Tag()));
@ -895,9 +925,9 @@ bool SwitchStmt::IsPure() const
return true;
}
void SwitchStmt::Describe(ODesc* d) const
void SwitchStmt::StmtDescribe(ODesc* d) const
{
ExprStmt::Describe(d);
ExprStmt::StmtDescribe(d);
if ( ! d->IsBinary() )
d->Add("{");
@ -1048,9 +1078,9 @@ bool WhileStmt::IsPure() const
return loop_condition->IsPure() && body->IsPure();
}
void WhileStmt::Describe(ODesc* d) const
void WhileStmt::StmtDescribe(ODesc* d) const
{
Stmt::Describe(d);
Stmt::StmtDescribe(d);
if ( d->IsReadable() )
d->Add("(");
@ -1326,9 +1356,9 @@ bool ForStmt::IsPure() const
return e->IsPure() && body->IsPure();
}
void ForStmt::Describe(ODesc* d) const
void ForStmt::StmtDescribe(ODesc* d) const
{
Stmt::Describe(d);
Stmt::StmtDescribe(d);
if ( d->IsReadable() )
d->Add("(");
@ -1395,9 +1425,9 @@ bool NextStmt::IsPure() const
return true;
}
void NextStmt::Describe(ODesc* d) const
void NextStmt::StmtDescribe(ODesc* d) const
{
Stmt::Describe(d);
Stmt::StmtDescribe(d);
Stmt::DescribeDone(d);
}
@ -1422,9 +1452,9 @@ bool BreakStmt::IsPure() const
return true;
}
void BreakStmt::Describe(ODesc* d) const
void BreakStmt::StmtDescribe(ODesc* d) const
{
Stmt::Describe(d);
Stmt::StmtDescribe(d);
Stmt::DescribeDone(d);
}
@ -1449,9 +1479,9 @@ bool FallthroughStmt::IsPure() const
return false;
}
void FallthroughStmt::Describe(ODesc* d) const
void FallthroughStmt::StmtDescribe(ODesc* d) const
{
Stmt::Describe(d);
Stmt::StmtDescribe(d);
Stmt::DescribeDone(d);
}
@ -1519,9 +1549,9 @@ ValPtr ReturnStmt::Exec(Frame* f, StmtFlowType& flow) const
return nullptr;
}
void ReturnStmt::Describe(ODesc* d) const
void ReturnStmt::StmtDescribe(ODesc* d) const
{
Stmt::Describe(d);
Stmt::StmtDescribe(d);
if ( ! d->IsReadable() )
d->Add(e != nullptr);
@ -1581,7 +1611,7 @@ bool StmtList::IsPure() const
return true;
}
void StmtList::Describe(ODesc* d) const
void StmtList::StmtDescribe(ODesc* d) const
{
if ( ! d->IsReadable() )
{
@ -1657,7 +1687,7 @@ ValPtr EventBodyList::Exec(Frame* f, StmtFlowType& flow) const
return nullptr;
}
void EventBodyList::Describe(ODesc* d) const
void EventBodyList::StmtDescribe(ODesc* d) const
{
if ( d->IsReadable() && stmts.length() > 0 )
{
@ -1681,7 +1711,7 @@ void EventBodyList::Describe(ODesc* d) const
}
else
StmtList::Describe(d);
StmtList::StmtDescribe(d);
}
InitStmt::InitStmt(std::vector<IDPtr> arg_inits) : Stmt(STMT_INIT)
@ -1724,7 +1754,7 @@ ValPtr InitStmt::Exec(Frame* f, StmtFlowType& flow) const
return nullptr;
}
void InitStmt::Describe(ODesc* d) const
void InitStmt::StmtDescribe(ODesc* d) const
{
AddTag(d);
@ -1769,7 +1799,7 @@ bool NullStmt::IsPure() const
return true;
}
void NullStmt::Describe(ODesc* d) const
void NullStmt::StmtDescribe(ODesc* d) const
{
if ( d->IsReadable() )
DescribeDone(d);
@ -1831,9 +1861,9 @@ bool WhenStmt::IsPure() const
return cond->IsPure() && s1->IsPure() && (! s2 || s2->IsPure());
}
void WhenStmt::Describe(ODesc* d) const
void WhenStmt::StmtDescribe(ODesc* d) const
{
Stmt::Describe(d);
Stmt::StmtDescribe(d);
if ( d->IsReadable() )
d->Add("(");


@ -2,86 +2,27 @@
#pragma once
// Zeek statements.
#include "zeek/StmtBase.h"
#include "zeek/ZeekList.h"
#include "zeek/Dict.h"
#include "zeek/ID.h"
#include "zeek/Obj.h"
#include "zeek/StmtEnums.h"
#include "zeek/TraverseTypes.h"
ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail);
namespace zeek::run_state { extern double network_time; }
namespace zeek::detail {
class StmtList;
class ForStmt;
class EventExpr;
class ListExpr;
using EventExprPtr = IntrusivePtr<EventExpr>;
using ListExprPtr = IntrusivePtr<ListExpr>;
class Stmt;
using StmtPtr = IntrusivePtr<Stmt>;
class Stmt : public Obj {
public:
StmtTag Tag() const { return tag; }
~Stmt() override;
virtual ValPtr Exec(Frame* f, StmtFlowType& flow) const = 0;
Stmt* Ref() { zeek::Ref(this); return this; }
bool SetLocationInfo(const Location* loc) override
{ return Stmt::SetLocationInfo(loc, loc); }
bool SetLocationInfo(const Location* start, const Location* end) override;
// True if the statement has no side effects, false otherwise.
virtual bool IsPure() const;
StmtList* AsStmtList();
const StmtList* AsStmtList() const;
ForStmt* AsForStmt();
void RegisterAccess() const { last_access = run_state::network_time; access_count++; }
void AccessStats(ODesc* d) const;
uint32_t GetAccessCount() const { return access_count; }
void Describe(ODesc* d) const override;
virtual void IncrBPCount() { ++breakpoint_count; }
virtual void DecrBPCount();
virtual unsigned int BPCount() const { return breakpoint_count; }
virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
protected:
explicit Stmt(StmtTag arg_tag);
void AddTag(ODesc* d) const;
void DescribeDone(ODesc* d) const;
StmtTag tag;
int breakpoint_count; // how many breakpoints on this statement
// FIXME: Learn the exact semantics of mutable.
mutable double last_access; // time of last execution
mutable uint32_t access_count; // number of executions
};
class ExprListStmt : public Stmt {
public:
const ListExpr* ExprList() const { return l.get(); }
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
void Inline(Inliner* inl) override;
protected:
ExprListStmt(StmtTag t, ListExprPtr arg_l);
@ -91,7 +32,7 @@ protected:
virtual ValPtr DoExec(std::vector<ValPtr> vals,
StmtFlowType& flow) const = 0;
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
ListExprPtr l;
};
@ -101,6 +42,9 @@ public:
template<typename L>
explicit PrintStmt(L&& l) : ExprListStmt(STMT_PRINT, std::forward<L>(l)) { }
// Optimization-related:
StmtPtr Duplicate() override;
protected:
ValPtr DoExec(std::vector<ValPtr> vals,
StmtFlowType& flow) const override;
@ -115,10 +59,14 @@ public:
const Expr* StmtExpr() const { return e.get(); }
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected:
ExprStmt(StmtTag t, ExprPtr e);
@ -137,10 +85,14 @@ public:
const Stmt* TrueBranch() const { return s1.get(); }
const Stmt* FalseBranch() const { return s2.get(); }
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected:
ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
bool IsPure() const override;
@ -167,6 +119,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const;
// Optimization-related:
IntrusivePtr<Case> Duplicate();
protected:
ListExprPtr expr_cases;
IDPList* type_cases;
@ -182,10 +137,14 @@ public:
const case_list* Cases() const { return cases; }
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected:
ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
bool IsPure() const override;
@ -224,6 +183,9 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
};
class DelStmt final : public ExprStmt {
@ -234,6 +196,9 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
};
class EventStmt final : public ExprStmt {
@ -244,6 +209,9 @@ public:
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
protected:
EventExprPtr event_expr;
};
@ -256,15 +224,27 @@ public:
bool IsPure() const override;
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
const Stmt* CondStmt() const
{ return loop_cond_stmt ? loop_cond_stmt.get() : nullptr; }
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
ExprPtr loop_condition;
StmtPtr body;
// Optimization-related member variables.
// When in reduced form, the following holds a statement (which
// might be a block) for evaluating the loop's conditional.
StmtPtr loop_cond_stmt = nullptr;
};
class ForStmt final : public ExprStmt {
@ -276,16 +256,21 @@ public:
void AddBody(StmtPtr arg_body) { body = std::move(arg_body); }
const IDPList* LoopVar() const { return loop_vars; }
const IDPList* LoopVars() const { return loop_vars; }
IDPtr ValueVar() const { return value_var; }
const Expr* LoopExpr() const { return e.get(); }
const Stmt* LoopBody() const { return body.get(); }
bool IsPure() const override;
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected:
ValPtr DoExec(Frame* f, Val* v, StmtFlowType& flow) const override;
@ -303,10 +288,12 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
bool IsPure() const override;
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override { return SetSucc(new NextStmt()); }
protected:
};
@ -317,10 +304,13 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
bool IsPure() const override;
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override { return SetSucc(new BreakStmt()); }
protected:
};
@ -331,10 +321,14 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
bool IsPure() const override;
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override
{ return SetSucc(new FallthroughStmt()); }
protected:
};
@ -344,7 +338,14 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
// Optimization-related:
StmtPtr Duplicate() override;
// Constructor used for duplication, when we've already done
// all of the type-checking.
ReturnStmt(ExprPtr e, bool ignored);
};
class StmtList : public Stmt {
@ -357,10 +358,14 @@ public:
const StmtPList& Stmts() const { return stmts; }
StmtPList& Stmts() { return stmts; }
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected:
bool IsPure() const override;
@ -374,7 +379,7 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
// "Topmost" means that this is the main body of a function or event.
// void SetTopmost(bool is_topmost) { topmost = is_topmost; }
@ -393,10 +398,13 @@ public:
const std::vector<IDPtr>& Inits() const
{ return inits; }
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
protected:
std::vector<IDPtr> inits;
};
@ -408,9 +416,12 @@ public:
ValPtr Exec(Frame* f, StmtFlowType& flow) const override;
bool IsPure() const override;
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override { return SetSucc(new NullStmt()); }
};
class WhenStmt final : public Stmt {
@ -429,10 +440,14 @@ public:
const Expr* TimeoutExpr() const { return timeout.get(); }
const Stmt* TimeoutBody() const { return s2.get(); }
void Describe(ODesc* d) const override;
void StmtDescribe(ODesc* d) const override;
TraversalCode Traverse(TraversalCallback* cb) const override;
// Optimization-related:
StmtPtr Duplicate() override;
void Inline(Inliner* inl) override;
protected:
ExprPtr cond;
StmtPtr s1;
@ -443,7 +458,6 @@ protected:
} // namespace zeek::detail
using Stmt [[deprecated("Remove in v4.1. Use zeek::detail::Stmt instead.")]] = zeek::detail::Stmt;
using ExprListStmt [[deprecated("Remove in v4.1. Use zeek::detail::ExprListStmt instead.")]] = zeek::detail::ExprListStmt;
using PrintStmt [[deprecated("Remove in v4.1. Use zeek::detail::PrintStmt instead.")]] = zeek::detail::PrintStmt;
using ExprStmt [[deprecated("Remove in v4.1. Use zeek::detail::ExprStmt instead.")]] = zeek::detail::ExprStmt;
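Review bot: The new `ReturnStmt(ExprPtr e, bool ignored)` constructor appears to sit in the class's public section (the hunk's context is `public:`), and by its own comment it skips the type-checking the regular constructor performs, so any caller can build an unchecked return statement by passing an extra bool. Only `Duplicate()` needs it, so it would be safer declared under `private:` or `protected:`, and a named tag type instead of an unused `bool` would make the bypass explicit at the call site. In the same file section, `CondStmt()` can be reduced to `return loop_cond_stmt.get();`, since `get()` on an empty pointer already yields null.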

105
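--- a/src/StmtBase.h
+++ b/src/StmtBase.h
@@ -0,0 +1,105 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+#pragma once
+// Base class for Zeek statements. We maintain it separately from
+// the bulk of Stmt.h to allow Expr.h to include it, necessary for
+// Expr.h to use StmtPtr.
+#include "zeek/Obj.h"
+#include "zeek/IntrusivePtr.h"
+#include "zeek/StmtEnums.h"
+#include "zeek/TraverseTypes.h"
+#include "zeek/util.h"
+ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail);
+ZEEK_FORWARD_DECLARE_NAMESPACED(Frame, zeek::detail);
+namespace zeek::run_state { extern double network_time; }
+namespace zeek {
+class Val;
+using ValPtr = IntrusivePtr<Val>;
+}
+namespace zeek::detail {
+class StmtList;
+class ForStmt;
+class InitStmt;
+class WhenStmt;
+class SwitchStmt;
+class EventExpr;
+class ListExpr;
+using EventExprPtr = IntrusivePtr<EventExpr>;
+using ListExprPtr = IntrusivePtr<ListExpr>;
+class Inliner;
+class Stmt;
+using StmtPtr = IntrusivePtr<Stmt>;
+class Stmt : public Obj {
+public:
+StmtTag Tag() const { return tag; }
+~Stmt() override;
+virtual ValPtr Exec(Frame* f, StmtFlowType& flow) const = 0;
+Stmt* Ref() { zeek::Ref(this); return this; }
+bool SetLocationInfo(const Location* loc) override
+{ return Stmt::SetLocationInfo(loc, loc); }
+bool SetLocationInfo(const Location* start, const Location* end) override;
+// True if the statement has no side effects, false otherwise.
+virtual bool IsPure() const;
+StmtList* AsStmtList();
+const StmtList* AsStmtList() const;
+ForStmt* AsForStmt();
+const ForStmt* AsForStmt() const;
+const InitStmt* AsInitStmt() const;
+const WhenStmt* AsWhenStmt() const;
+const SwitchStmt* AsSwitchStmt() const;
+void RegisterAccess() const { last_access = run_state::network_time; access_count++; }
+void AccessStats(ODesc* d) const;
+uint32_t GetAccessCount() const { return access_count; }
+void Describe(ODesc* d) const final;
+virtual void IncrBPCount() { ++breakpoint_count; }
+virtual void DecrBPCount();
+virtual unsigned int BPCount() const { return breakpoint_count; }
+virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
+#include "zeek/script_opt/StmtOpt-Public.h"
+protected:
+explicit Stmt(StmtTag arg_tag);
+void AddTag(ODesc* d) const;
+virtual void StmtDescribe(ODesc* d) const;
+void DescribeDone(ODesc* d) const;
+StmtTag tag;
+int breakpoint_count; // how many breakpoints on this statement
+// FIXME: Learn the exact semantics of mutable.
+mutable double last_access; // time of last execution
+mutable uint32_t access_count; // number of executions
+#include "zeek/script_opt/StmtOpt-Private.h"
+};
+} // namespace zeek::detail
+using Stmt [[deprecated("Remove in v4.1. Use zeek::detail::Stmt instead.")]] = zeek::detail::Stmt;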
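Review bot: `Describe()` is declared `final` here and the per-class output moves to the protected virtual `StmtDescribe()`, but neither declaration has a comment saying so, and a subclass that still overrides `Describe()` will only learn of the change from a compile error. A short comment on each would help, e.g. `// Not overridable; subclasses override StmtDescribe() instead.` above `Describe` and `// Per-class description hook for subclasses.` above `StmtDescribe`. The two `#include` lines placed inside the class body also deserve a one-line comment, because textual inclusion in the middle of a class is easy to misread as a misplaced header.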


@ -16,8 +16,10 @@ enum TraversalCode {
#define HANDLE_TC_STMT_PRE(code) \
{ \
if ( (code) == zeek::detail::TC_ABORTALL || (code) == zeek::detail::TC_ABORTSTMT ) \
if ( (code) == zeek::detail::TC_ABORTALL ) \
return (code); \
else if ( (code) == zeek::detail::TC_ABORTSTMT ) \
return zeek::detail::TC_CONTINUE; \
}
#define HANDLE_TC_STMT_POST(code) \
@ -32,8 +34,10 @@ enum TraversalCode {
#define HANDLE_TC_EXPR_PRE(code) \
{ \
if ( (code) != zeek::detail::TC_CONTINUE ) \
if ( (code) == zeek::detail::TC_ABORTALL ) \
return (code); \
else if ( (code) == zeek::detail::TC_ABORTSTMT ) \
return zeek::detail::TC_CONTINUE; \
}
#define HANDLE_TC_EXPR_POST(code) \
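Review bot: After this change `HANDLE_TC_STMT_PRE` and `HANDLE_TC_EXPR_PRE` turn `TC_ABORTSTMT` into a `TC_CONTINUE` return instead of handing the code back to the caller, which changes what every existing traversal callback gets when it returns that value, and nothing at the macros documents the new meaning. In `HANDLE_TC_EXPR_PRE` the earlier test was `!= TC_CONTINUE`, so any other code the enum may define (its body is outside this hunk) used to return early and now falls through into the rest of the traversal. A comment above each macro would pin the contract down, e.g. `// TC_ABORTALL stops the whole traversal; TC_ABORTSTMT skips the rest of this node and lets the caller continue.`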


@ -17,6 +17,8 @@
#include "zeek/module_util.h"
#include "zeek/ID.h"
#include "zeek/script_opt/ScriptOpt.h"
namespace zeek::detail {
static ValPtr init_val(Expr* init, const Type* t, ValPtr aggr)
@ -701,8 +703,20 @@ TraversalCode OuterIDBindingFinder::PostExpr(const Expr* expr)
return TC_CONTINUE;
}
static bool duplicate_ASTs = getenv("ZEEK_DUPLICATE_ASTS");
void end_func(StmtPtr body)
{
if ( duplicate_ASTs && reporter->Errors() == 0 )
// Only try duplication in the absence of errors. If errors
// have occurred, they can be re-generated during the
// duplication process, leading to regression failures due
// to duplicated error messages.
//
// We duplicate twice to make sure that the AST produced
// by duplicating can itself be correctly duplicated.
body = body->Duplicate()->Duplicate();
auto ingredients = std::make_unique<function_ingredients>(pop_scope(), std::move(body));
if ( ingredients->id->HasVal() )
@ -724,7 +738,11 @@ void end_func(StmtPtr body)
ingredients->id->SetConst();
}
ingredients->id->GetVal()->AsFunc()->SetScope(ingredients->scope);
auto func = ingredients->id->GetVal()->AsFunc()->AsScriptFunc();
func->SetScope(ingredients->scope);
analyze_func({NewRef{}, func});
// Note: ideally, something would take ownership of this memory until the
// end of script execution, but that's essentially the same as the
// lifetime of the process at the moment, so ok to "leak" it.
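Review bot: `static bool duplicate_ASTs = getenv("ZEEK_DUPLICATE_ASTS");` relies on the implicit pointer-to-bool conversion, so the duplication path is switched on by any value of the variable, including `ZEEK_DUPLICATE_ASTS=0` or an empty string. Writing `getenv("ZEEK_DUPLICATE_ASTS") != nullptr` makes that explicit. The variable has no comment in the hunk, so something like `// Testing aid: when set (to anything), every function body is duplicated twice before use.` would make the behaviour clear. The body of `end_func` continues outside the hunks shown.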


@ -15,6 +15,9 @@ int main(int argc, char** argv)
if ( setup_result.code )
return setup_result.code;
if ( setup_result.parse_only )
return 0;
auto& options = setup_result.options;
auto do_net_run = zeek::iosource_mgr->Size() > 0 ||
zeek::run_state::detail::have_pending_timers ||


@ -22,7 +22,7 @@ module Reporter;
## .. zeek:see:: reporter_info
function Reporter::info%(msg: string%): bool
%{
reporter->PushLocation(frame->GetCall()->GetLocationInfo());
reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
reporter->Info("%s", msg->CheckString());
reporter->PopLocation();
return zeek::val_mgr->True();
@ -37,7 +37,7 @@ function Reporter::info%(msg: string%): bool
## .. zeek:see:: reporter_warning
function Reporter::warning%(msg: string%): bool
%{
reporter->PushLocation(frame->GetCall()->GetLocationInfo());
reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
reporter->Warning("%s", msg->CheckString());
reporter->PopLocation();
return zeek::val_mgr->True();
@ -53,7 +53,7 @@ function Reporter::warning%(msg: string%): bool
## .. zeek:see:: reporter_error
function Reporter::error%(msg: string%): bool
%{
reporter->PushLocation(frame->GetCall()->GetLocationInfo());
reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
reporter->Error("%s", msg->CheckString());
reporter->PopLocation();
return zeek::val_mgr->True();
@ -66,7 +66,7 @@ function Reporter::error%(msg: string%): bool
## Returns: Always true.
function Reporter::fatal%(msg: string%): bool
%{
reporter->PushLocation(frame->GetCall()->GetLocationInfo());
reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
reporter->FatalError("%s", msg->CheckString());
reporter->PopLocation();
return zeek::val_mgr->True();
@ -80,7 +80,7 @@ function Reporter::fatal%(msg: string%): bool
## Returns: Always true.
function Reporter::fatal_error_with_core%(msg: string%): bool
%{
reporter->PushLocation(frame->GetCall()->GetLocationInfo());
reporter->PushLocation(frame->GetCall()->Original()->GetLocationInfo());
reporter->FatalErrorWithCore("%s", msg->CheckString());
reporter->PopLocation();
return zeek::val_mgr->True();
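Review bot: Each of the five `Reporter::*` functions now repeats `frame->GetCall()->Original()->GetLocationInfo()`, and none of the hunks checks that `GetCall()` returned a call before dereferencing it. `Original()` as declared in this commit falls back to `this`, so it adds no null case of its own, but a small file-local helper would give one place for the guard and remove the duplication, e.g. `static const Location* call_loc(Frame* f) { auto c = f->GetCall(); return c ? c->Original()->GetLocationInfo() : nullptr; }`. Whether `PushLocation` accepts a null location is not visible here, so confirm that before relying on the fallback.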

547
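--- a/src/script_opt/Expr.cc
+++ b/src/script_opt/Expr.cc
@@ -0,0 +1,547 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+// Optimization-related methods for Expr classes.
+#include "zeek/Expr.h"
+#include "zeek/Stmt.h"
+#include "zeek/Func.h"
+#include "zeek/Frame.h"
+#include "zeek/Scope.h"
+#include "zeek/Desc.h"
+#include "zeek/Traverse.h"
+#include "zeek/Reporter.h"
+#include "zeek/script_opt/Inline.h"
+namespace zeek::detail {
+ExprPtr NameExpr::Duplicate()
+{
+return SetSucc(new NameExpr(id, in_const_init));
+}
+ExprPtr ConstExpr::Duplicate()
+{
+return SetSucc(new ConstExpr(val));
+}
+ExprPtr UnaryExpr::Inline(Inliner* inl)
+{
+op = op->Inline(inl);
+return ThisPtr();
+}
+ExprPtr BinaryExpr::Inline(Inliner* inl)
+{
+op1 = op1->Inline(inl);
+op2 = op2->Inline(inl);
+return ThisPtr();
+}
+ExprPtr CloneExpr::Duplicate()
+{
+// oh the irony
+return SetSucc(new CloneExpr(op->Duplicate()));
+}
+ExprPtr IncrExpr::Duplicate()
+{
+return SetSucc(new IncrExpr(tag, op->Duplicate()));
+}
+ExprPtr ComplementExpr::Duplicate()
+{
+return SetSucc(new ComplementExpr(op->Duplicate()));
+}
+ExprPtr NotExpr::Duplicate()
+{
+return SetSucc(new NotExpr(op->Duplicate()));
+}
+ExprPtr PosExpr::Duplicate()
+{
+return SetSucc(new PosExpr(op->Duplicate()));
+}
+ExprPtr NegExpr::Duplicate()
+{
+return SetSucc(new NegExpr(op->Duplicate()));
+}
+ExprPtr SizeExpr::Duplicate()
+{
+return SetSucc(new SizeExpr(op->Duplicate()));
+}
+ExprPtr AddExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new AddExpr(op1_d, op2_d));
+}
+ExprPtr AddToExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new AddToExpr(op1_d, op2_d));
+}
+ExprPtr SubExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new SubExpr(op1_d, op2_d));
+}
+ExprPtr RemoveFromExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new RemoveFromExpr(op1_d, op2_d));
+}
+ExprPtr TimesExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new TimesExpr(op1_d, op2_d));
+}
+ExprPtr DivideExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new DivideExpr(op1_d, op2_d));
+}
+ExprPtr ModExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new ModExpr(op1_d, op2_d));
+}
+ExprPtr BoolExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new BoolExpr(tag, op1_d, op2_d));
+}
+ExprPtr BitExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new BitExpr(tag, op1_d, op2_d));
+}
+ExprPtr EqExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new EqExpr(tag, op1_d, op2_d));
+}
+ExprPtr RelExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new RelExpr(tag, op1_d, op2_d));
+}
+ExprPtr CondExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+auto op3_d = op3->Duplicate();
+return SetSucc(new CondExpr(op1_d, op2_d, op3_d));
+}
+ExprPtr CondExpr::Inline(Inliner* inl)
+{
+op1 = op1->Inline(inl);
+op2 = op2->Inline(inl);
+op3 = op3->Inline(inl);
+return ThisPtr();
+}
+ExprPtr RefExpr::Duplicate()
+{
+return SetSucc(new RefExpr(op->Duplicate()));
+}
+ExprPtr AssignExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new AssignExpr(op1_d, op2_d, is_init, val));
+}
+ExprPtr IndexSliceAssignExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new IndexSliceAssignExpr(op1_d, op2_d, is_init));
+}
+ExprPtr IndexExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_l = op2->Duplicate()->AsListExprPtr();
+return SetSucc(new IndexExpr(op1_d, op2_l, is_slice));
+}
+ExprPtr IndexExprWhen::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_l = op2->Duplicate()->AsListExprPtr();
+return SetSucc(new IndexExprWhen(op1_d, op2_l, is_slice));
+}
+ExprPtr FieldExpr::Duplicate()
+{
+return SetSucc(new FieldExpr(op->Duplicate(), field_name));
+}
+ExprPtr HasFieldExpr::Duplicate()
+{
+return SetSucc(new HasFieldExpr(op->Duplicate(), field_name));
+}
+ExprPtr RecordConstructorExpr::Duplicate()
+{
+auto op_l = op->Duplicate()->AsListExprPtr();
+return SetSucc(new RecordConstructorExpr(op_l));
+}
+ExprPtr TableConstructorExpr::Duplicate()
+{
+auto op_l = op->Duplicate()->AsListExprPtr();
+TypePtr t;
+if ( (type && type->GetName().size() > 0) ||
+! op->AsListExpr()->Exprs().empty() )
+t = type;
+else
+// Use a null type rather than the one inferred, to instruct
+// the constructor to again infer the type.
+t = nullptr;
+return SetSucc(new TableConstructorExpr(op_l, nullptr, t, attrs));
+}
+ExprPtr SetConstructorExpr::Duplicate()
+{
+auto op_l = op->Duplicate()->AsListExprPtr();
+TypePtr t;
+if ( (type && type->GetName().size() > 0) ||
+! op->AsListExpr()->Exprs().empty() )
+t = type;
+else
+// Use a null type rather than the one inferred, to instruct
+// the constructor to again infer the type.
+t = nullptr;
+return SetSucc(new SetConstructorExpr(op_l, nullptr, t, attrs));
+}
+ExprPtr VectorConstructorExpr::Duplicate()
+{
+auto op_l = op->Duplicate()->AsListExprPtr();
+if ( op->AsListExpr()->Exprs().empty() )
+return SetSucc(new VectorConstructorExpr(op_l, nullptr));
+else
+return SetSucc(new VectorConstructorExpr(op_l, type));
+}
+ExprPtr FieldAssignExpr::Duplicate()
+{
+auto op_dup = op->Duplicate();
+return SetSucc(new FieldAssignExpr(field_name.c_str(), op_dup));
+}
+ExprPtr ArithCoerceExpr::Duplicate()
+{
+auto op_dup = op->Duplicate();
+TypeTag tag;
+if ( type->Tag() == TYPE_VECTOR )
+tag = type->AsVectorType()->Yield()->Tag();
+else
+tag = type->Tag();
+return SetSucc(new ArithCoerceExpr(op_dup, tag));
+}
+ExprPtr RecordCoerceExpr::Duplicate()
+{
+auto op_dup = op->Duplicate();
+auto rt = GetType()->AsRecordType();
+RecordTypePtr rt_p = {NewRef{}, rt};
+return SetSucc(new RecordCoerceExpr(op_dup, rt_p));
+}
+ExprPtr TableCoerceExpr::Duplicate()
+{
+auto op_dup = op->Duplicate();
+auto tt = GetType()->AsTableType();
+TableTypePtr tt_p = {NewRef{}, tt};
+return SetSucc(new TableCoerceExpr(op_dup, tt_p));
+}
+ExprPtr VectorCoerceExpr::Duplicate()
+{
+auto op_dup = op->Duplicate();
+auto vt = GetType()->AsVectorType();
+VectorTypePtr vt_p = {NewRef{}, vt};
+return SetSucc(new VectorCoerceExpr(op_dup, vt_p));
+}
+ExprPtr ScheduleExpr::Duplicate()
+{
+auto when_d = when->Duplicate();
+auto event_d = event->Duplicate()->AsEventExprPtr();
+return SetSucc(new ScheduleExpr(when_d, event_d));
+}
+ExprPtr ScheduleExpr::Inline(Inliner* inl)
+{
+when = when->Inline(inl);
+event = event->Inline(inl)->AsEventExprPtr();
+return ThisPtr();
+}
+ExprPtr InExpr::Duplicate()
+{
+auto op1_d = op1->Duplicate();
+auto op2_d = op2->Duplicate();
+return SetSucc(new InExpr(op1_d, op2_d));
+}
+ExprPtr CallExpr::Duplicate()
+{
+auto func_d = func->Duplicate();
+auto args_d = args->Duplicate()->AsListExprPtr();
+auto func_type = func->GetType();
+auto in_hook = func_type->AsFuncType()->Flavor() == FUNC_FLAVOR_HOOK;
+return SetSucc(new CallExpr(func_d, args_d, in_hook));
+}
+ExprPtr CallExpr::Inline(Inliner* inl)
+{
+auto new_me = inl->CheckForInlining({NewRef{}, this});
+if ( new_me.get() != this )
+return new_me;
+// We're not inlining, but perhaps our elements should be.
+func = func->Inline(inl);
+auto new_args = args->Inline(inl);
+args = {NewRef{}, new_args->AsListExpr()};
+return ThisPtr();
+}
+ExprPtr LambdaExpr::Duplicate()
+{
+auto ingr = std::make_unique<function_ingredients>(*ingredients);
+ingr->body = ingr->body->Duplicate();
+return SetSucc(new LambdaExpr(std::move(ingr), outer_ids));
+}
+ExprPtr LambdaExpr::Inline(Inliner* inl)
+{
+// Don't inline these, we currently don't get the closure right.
+return ThisPtr();
+}
+ExprPtr EventExpr::Duplicate()
+{
+auto args_d = args->Duplicate()->AsListExprPtr();
+return SetSucc(new EventExpr(name.c_str(), args_d));
+}
+ExprPtr EventExpr::Inline(Inliner* inl)
+{
+auto el = args->Inline(inl)->AsListExpr();
+args = {NewRef{}, el};
+return ThisPtr();
+}
+ExprPtr ListExpr::Duplicate()
+{
+auto new_l = new ListExpr();
+loop_over_list(exprs, i)
+new_l->Append(exprs[i]->Duplicate());
+return SetSucc(new_l);
+}
+ExprPtr ListExpr::Inline(Inliner* inl)
+{
+loop_over_list(exprs, i)
+exprs[i] = exprs[i]->Inline(inl).release();
+return ThisPtr();
+}
+ExprPtr CastExpr::Duplicate()
+{
+return SetSucc(new CastExpr(op->Duplicate(), type));
+}
+ExprPtr IsExpr::Duplicate()
+{
+return SetSucc(new IsExpr(op->Duplicate(), t));
+}
+InlineExpr::InlineExpr(ListExprPtr arg_args, IDPList* arg_params,
+StmtPtr arg_body, int _frame_offset, TypePtr ret_type)
+: Expr(EXPR_INLINE), args(std::move(arg_args)), body(std::move(arg_body))
+{
+params = arg_params;
+frame_offset = _frame_offset;
+type = ret_type;
+}
+bool InlineExpr::IsPure() const
+{
+return args->IsPure() && body->IsPure();
+}
+ValPtr InlineExpr::Eval(Frame* f) const
+{
+auto v = eval_list(f, args.get());
+if ( ! v )
+return nullptr;
+int nargs = args->Exprs().length();
+f->Reset(frame_offset + nargs);
+f->IncreaseOffset(frame_offset);
+// Assign the arguments.
+for ( auto i = 0; i < nargs; ++i )
+f->SetElement(i, (*v)[i]);
+auto flow = FLOW_NEXT;
+ValPtr result;
+try
+{
+result = body->Exec(f, flow);
+}
+catch ( InterpreterException& e )
+{
+f->IncreaseOffset(-frame_offset);
+throw;
+}
+f->IncreaseOffset(-frame_offset);
+return result;
+}
+ExprPtr InlineExpr::Duplicate()
+{
+auto args_d = args->Duplicate()->AsListExprPtr();
+auto body_d = body->Duplicate();
+return SetSucc(new InlineExpr(args_d, params, body_d, frame_offset,
+type));
+}
+TraversalCode InlineExpr::Traverse(TraversalCallback* cb) const
+{
+TraversalCode tc = cb->PreExpr(this);
+HANDLE_TC_EXPR_PRE(tc);
+tc = args->Traverse(cb);
+HANDLE_TC_EXPR_PRE(tc);
+tc = body->Traverse(cb);
+HANDLE_TC_EXPR_PRE(tc);
+tc = cb->PostExpr(this);
+HANDLE_TC_EXPR_POST(tc);
+}
+void InlineExpr::ExprDescribe(ODesc* d) const
+{
+if ( d->IsReadable() || d->IsPortable() )
+{
+d->Add("inline(");
+args->Describe(d);
+d->Add("){");
+body->Describe(d);
+d->Add("}");
+}
+else
+{
+args->Describe(d);
+body->Describe(d);
+}
+}
+} // namespace zeek::detail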
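Review bot: In `InlineExpr::Eval` the frame offset is restored by hand, once in the `catch ( InterpreterException& e )` block and once after the `try`, so any other exception type leaving `body->Exec()` propagates with the frame still shifted by `frame_offset`, and later accesses through that frame would land in the wrong slots. A small scope guard restores the offset on every exit path and removes the duplicated `IncreaseOffset(-frame_offset)` call. It would also be worth asserting, before the `SetElement` loop, that the evaluated list `v` holds exactly `nargs` values, since the loop indexes `(*v)[i]` by the expression count rather than by the size of what `eval_list` returned.

```cpp
ValPtr InlineExpr::Eval(Frame* f) const
	{
	// … unchanged: eval_list() call, null check, nargs, f->Reset() …

	f->IncreaseOffset(frame_offset);

	// Undo the offset shift on every exit path, not only when an
	// InterpreterException is thrown.
	struct OffsetRestore
		{
		Frame* frame;
		int offset;
		~OffsetRestore() { frame->IncreaseOffset(-offset); }
		} restore{f, frame_offset};

	// … unchanged: argument assignment loop, flow initialisation …

	return body->Exec(f, flow);
	}
```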


@ -0,0 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Enums associated with script optimization.
EXPR_INLINE,


@ -0,0 +1,6 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Names of Expr subclasses associated with script optimization.
// Companion to script_opt/ExprOpt-Enums.h.
"inline()",


@ -0,0 +1,13 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Private (protected) Expr methods and member varibles associated
// with script optimization. See script_opt/ExprOpt-public.h for
// why these aren't factored into a separate class.
//
// Right now, this file is small, but it will grow as we expand into
// other forms of script optimization.
// The original expression from which this statement was
// derived, if any. Used as an aid for generating meaningful
// and correctly-localized error messages.
ExprPtr original = nullptr;
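Review bot: The comment on `original` says the member is "the original expression from which this statement was derived", which reads as if it was carried over from the statement counterpart; for an `Expr` member it should be `// The original expression from which this expression was derived, if any.` The file header also has "varibles" for "variables". It refers to `script_opt/ExprOpt-public.h`, whereas the other references in this commit capitalise the suffix (`ExprOpt-Enums.h`, `ExprOpt-Names.h`), so `ExprOpt-Public.h` is probably what is meant.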


@ -0,0 +1,44 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Public Expr methods associated with script optimization.
//
// We can't effectively factor these out into a separate class to
// include via multiple inheritance, because in general they rely
// on other Expr methods or member variables, so to do so we'd
// have to (1) make all of the methods virtual, and (2) still
// include (re-)definitions for them in Expr.h, defeating most
// of the benefits of using a separate class.
// Returns a duplicate of the expression.
virtual ExprPtr Duplicate() = 0;
// Recursively traverses the AST to inline eligible function calls.
virtual ExprPtr Inline(Inliner* inl) { return ThisPtr(); }
// Access to the original expression from which this one is derived,
// or this one if we don't have an original. Returns a bare pointer
// rather than an ExprPtr to emphasize that the access is read-only.
const Expr* Original() const
{ return original ? original->Original() : this; }
// Designate the given Expr node as the original for this one.
void SetOriginal(ExprPtr _orig)
{
if ( ! original )
original = std::move(_orig);
}
// A convenience function for taking a newly-created Expr,
// making it point to us as the successor, and returning it.
//
// Takes an Expr* rather than a ExprPtr to de-clutter the calling
// code, which is always passing in "new XyzExpr(...)". This
// call, as a convenient side effect, transforms that bare pointer
// into an ExprPtr.
virtual ExprPtr SetSucc(Expr* succ)
{
succ->SetOriginal(ThisPtr());
if ( IsParen() )
succ->MarkParen();
return {AdoptRef{}, succ};
}
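Review bot: The comment on `SetSucc` says the new node is made to "point to us as the successor", but the body calls `succ->SetOriginal(ThisPtr())`, so it is this node that becomes the new node's original; the Stmt counterpart further down the page carries the same wording. I would reword both along the lines of `// Records us as the original of a newly-created node (our successor) and returns it as a smart pointer.` `SetOriginal` also keeps the first original and silently ignores later calls, which its one-line comment does not mention; `// No-op if an original is already set.` would cover it.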


@ -0,0 +1,29 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Expr subclasses and associated functions associated with script
// optimization.
class InlineExpr : public Expr {
public:
InlineExpr(ListExprPtr arg_args, IDPList* params, StmtPtr body,
int frame_offset, TypePtr ret_type);
bool IsPure() const override;
ListExprPtr Args() const { return args; }
StmtPtr Body() const { return body; }
ValPtr Eval(Frame* f) const override;
ExprPtr Duplicate() override;
TraversalCode Traverse(TraversalCallback* cb) const override;
protected:
void ExprDescribe(ODesc* d) const override;
IDPList* params;
int frame_offset;
ListExprPtr args;
StmtPtr body;
};
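Review bot: `InlineExpr` keeps `IDPList* params` as a raw pointer and declares no destructor, while `Inliner::CheckForInlining` allocates that list with `new IDPList` and fills it with `vars[i].get()`, so as declared here nothing frees the list and nothing keeps the IDs alive. Unless the constructor or `Duplicate()` (both defined outside this section) take care of that, I would hold it as `std::unique_ptr<IDPList> params;`, or at least document on the member who owns the list and that the callee's scope must outlive the expression. `Args()` and `Body()` return the smart pointers by value; `const ListExprPtr&` and `const StmtPtr&` would avoid a reference-count bump on every call.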

238
src/script_opt/Inline.cc Normal file

@ -0,0 +1,238 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/script_opt/Inline.h"
#include "zeek/script_opt/ScriptOpt.h"
#include "zeek/script_opt/ProfileFunc.h"
#include "zeek/Desc.h"
namespace zeek::detail {
void Inliner::Analyze()
{
// Locate self- and indirectly recursive functions.
// Maps each function to any functions that it calls, either
// directly or (ultimately) indirectly.
std::unordered_map<const Func*, std::unordered_set<const Func*>> call_set;
// Prime the call set for each function with the functions it
// directly calls.
for ( auto& f : funcs )
{
std::unordered_set<const Func*> cs;
// Aspirational ....
non_recursive_funcs.insert(f->Func());
for ( auto& func : f->Profile()->ScriptCalls() )
{
cs.insert(func);
if ( func == f->Func() )
{
if ( report_recursive )
printf("%s is directly recursive\n",
func->Name());
non_recursive_funcs.erase(func);
}
}
call_set[f->Func()] = cs;
}
// Transitive closure. If we had any self-respect, we'd implement
// Warshall's algorithm. What we do here is feasible though since
// Zeek call graphs tend not to be super-deep. (We could also save
// cycles by only analyzing non-[direct-or-indirect] leaves, as
// was computed by the previous version of this code. But in
// practice, the execution time for this is completely dwarfed
// by the expense of compiling inlined functions, so we keep it
// simple.)
// Whether a change has occurred.
bool did_addition = true;
while ( did_addition )
{
did_addition = false;
// Loop over all the functions of interest.
for ( auto& c : call_set )
{
// For each of them, loop over the set of functions
// they call.
std::unordered_set<const Func*> addls;
for ( auto& cc : c.second )
{
if ( cc == c.first )
// Don't loop over ourselves.
continue;
// For each called function, pull up *its*
// set of called functions.
for ( auto& ccc : call_set[cc] )
{
// For each of those, if we don't
// already have it, add it.
if ( c.second.count(ccc) > 0 )
// We already have it.
continue;
addls.insert(ccc);
if ( ccc != c.first )
// Non-recursive.
continue;
if ( report_recursive )
printf("%s is indirectly recursive, called by %s\n",
c.first->Name(),
cc->Name());
non_recursive_funcs.erase(c.first);
non_recursive_funcs.erase(cc);
}
}
if ( addls.size() > 0 )
{
did_addition = true;
for ( auto& a : addls )
c.second.insert(a);
}
}
}
// Functions that are candidates for inlining.
std::unordered_set<FuncInfo*> candidates;
for ( auto& f : funcs )
// Candidates are non-event, non-hook, non-recursive
// functions ... that don't use lambdas or when's,
// since we don't currently compute the closures/frame
// sizes for them correctly, and more fundamentally since
// we don't compile them and hence inlining them will
// make the parent non-compilable.
if ( f->Func()->Flavor() == FUNC_FLAVOR_FUNCTION &&
non_recursive_funcs.count(f->Func()) > 0 &&
f->Profile()->NumLambdas() == 0 &&
f->Profile()->NumWhenStmts() == 0 )
inline_ables.insert(f->Func());
for ( auto& f : funcs )
{
// Processing optimization: only spend time trying to inline f
// if we haven't marked it as inlineable. This trades off a
// bunch of compilation load (inlining every single function,
// even though almost none will be called directly) for a
// modest gain of having compiled code for those rare
// circumstances in which a Zeek function can be called
// not ultimately stemming from an event (such as global
// scripting, or expiration functions).
if ( inline_ables.count(f->Func()) == 0 )
InlineFunction(f);
}
}
void Inliner::InlineFunction(FuncInfo* f)
{
max_inlined_frame_size = 0;
// It's important that we take the current frame size from the
// *scope* and not f->Func(). The latter tracks the maximum required
// across all bodies, but we want to track the size for this
// particular body.
curr_frame_size = f->Scope()->Length();
f->Body()->Inline(this);
int new_frame_size = curr_frame_size + max_inlined_frame_size;
if ( new_frame_size > f->Func()->FrameSize() )
f->Func()->SetFrameSize(new_frame_size);
}
ExprPtr Inliner::CheckForInlining(IntrusivePtr<CallExpr> c)
{
auto f = c->Func();
if ( f->Tag() != EXPR_NAME )
// We don't inline indirect calls.
return std::move(c);
auto n = f->AsNameExpr();
auto func = n->Id();
if ( ! func->IsGlobal() )
return std::move(c);
auto func_v = func->GetVal();
if ( ! func_v )
return std::move(c);
auto func_vf = func_v->AsFunc()->AsScriptFunc();
if ( ! func_vf )
return std::move(c);
if ( inline_ables.count(func_vf) == 0 )
return std::move(c);
ListExprPtr args = {NewRef{}, c->Args()};
auto body = func_vf->GetBodies()[0].stmts; // there's only 1 body
auto t = c->GetType();
// Getting the names of the parameters is tricky. It's tempting
// to take them from the function's type declaration, but alas
// Zeek allows forward-declaring a function with one set of parameter
// names and then defining a later instance of it with different
// names, as long as the types match. So we have to glue together
// the type declaration, which gives us the number of parameters,
// with the scope, which gives us all the variables declared in
// the function, *using the knowledge that the parameters are
// declared first*.
auto scope = func_vf->GetScope();
auto vars = scope->OrderedVars();
int nparam = func_vf->GetType()->Params()->NumFields();
auto params = new IDPList;
for ( int i = 0; i < nparam; ++i )
params->append(vars[i].get());
auto body_dup = body->Duplicate();
// Recursively inline the body. This is safe to do because we've
// ensured there are no recursive loops ... but we have to be
// careful in accounting for the frame sizes.
int frame_size = func_vf->FrameSize();
int hold_curr_frame_size = curr_frame_size;
curr_frame_size = frame_size;
int hold_max_inlined_frame_size = max_inlined_frame_size;
max_inlined_frame_size = 0;
body_dup->Inline(this);
curr_frame_size = hold_curr_frame_size;
int new_frame_size = frame_size + max_inlined_frame_size;
if ( new_frame_size > hold_max_inlined_frame_size )
max_inlined_frame_size = new_frame_size;
else
max_inlined_frame_size = hold_max_inlined_frame_size;
auto ie = make_intrusive<InlineExpr>(args, params, body_dup,
curr_frame_size, t);
ie->SetOriginal(c);
return ie;
}
} // namespace zeek::detail
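Review bot: In `Inliner::Analyze`, the closure loop reads `call_set[cc]` while range-iterating over `call_set`; if a callee from `ScriptCalls()` has no entry of its own (whether every callee was registered through `analyze_func` is not visible here), `operator[]` inserts one and a rehash invalidates the iterator in use. A lookup avoids that: `auto callee = call_set.find(cc); if ( callee == call_set.end() ) continue;`, then iterate `callee->second`. In `CheckForInlining`, `GetBodies()[0]` and `vars[i]` for `i < nparam` are indexed on the strength of the comments alone; a guard such as `if ( func_vf->GetBodies().size() != 1 || vars.size() < size_t(nparam) ) return std::move(c);` would turn a broken assumption into a skipped inlining instead of an out-of-range read. The local `candidates` set in `Analyze` is declared and never used.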

62
src/script_opt/Inline.h Normal file

@ -0,0 +1,62 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Class that manages the process of (recursively) inlining function bodies.
#pragma once
#include "zeek/Func.h"
#include "zeek/Scope.h"
#include <unordered_set>
namespace zeek::detail {
class FuncInfo;
class Inliner {
public:
// First argument is a collection of information about *all* of
// the script functions. Second argument states whether to report
// recursive functions (of interest as they're not in-lineable).
Inliner(std::vector<FuncInfo*>& _funcs, bool _report_recursive)
: funcs(_funcs), report_recursive(_report_recursive)
{ Analyze(); }
// Either returns the original CallExpr if it's not inline-able,
// or an InlineExpr if it is.
ExprPtr CheckForInlining(IntrusivePtr<CallExpr> c);
// True if the given function has been inlined.
bool WasInlined(Func* f) { return inline_ables.count(f) > 0; }
protected:
// Driver routine that analyzes all of the script functions and
// recursively inlines eligible ones.
void Analyze();
// Recursively inlines any calls associated with the given function.
void InlineFunction(FuncInfo* f);
// Information about all of the functions (and events/hooks) in
// the full set of scripts.
std::vector<FuncInfo*>& funcs;
// Functions that we've determined to be suitable for inlining.
std::unordered_set<Func*> inline_ables;
// As we do inlining for a given function, this tracks the
// largest frame size of any inlined function.
int max_inlined_frame_size;
// The size of the frame of the currently-being-inlined function,
// prior to increasing it to accommodate inlining.
int curr_frame_size;
// Whether to generate a report about functions either directly and
// indirectly recursive.
bool report_recursive;
};
} // namespace zeek::detail
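Review bot: `max_inlined_frame_size` and `curr_frame_size` have no initializers and are first assigned in `InlineFunction`, which `Analyze` only calls for functions that are not inline-able; if `funcs` is empty or every function qualifies, a later call to the public `CheckForInlining` reads `curr_frame_size` uninitialized. Defaulting them in the class costs nothing: `int max_inlined_frame_size = 0;` and `int curr_frame_size = 0;`. The header also uses `std::vector` without including `<vector>`, and the comment on `WasInlined` says "has been inlined" while the body only tests membership in `inline_ables`, i.e. whether the function is eligible.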


@ -0,0 +1,218 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/script_opt/ProfileFunc.h"
#include "zeek/Desc.h"
#include "zeek/Stmt.h"
#include "zeek/Func.h"
namespace zeek::detail {
TraversalCode ProfileFunc::PreStmt(const Stmt* s)
{
++num_stmts;
auto tag = s->Tag();
if ( compute_hash )
UpdateHash(int(tag));
if ( tag == STMT_INIT )
{
for ( auto id : s->AsInitStmt()->Inits() )
inits.insert(id.get());
// Don't recurse into these, as we don't want to consider
// a local that only appears in an initialization as a
// relevant local.
return TC_ABORTSTMT;
}
switch ( tag ) {
case STMT_WHEN:
++num_when_stmts;
in_when = true;
s->AsWhenStmt()->Cond()->Traverse(this);
in_when = false;
// It doesn't do any harm for us to re-traverse the
// conditional, so we don't bother hand-traversing the
// rest of the when but just let the usual processing do it.
break;
case STMT_FOR:
{
auto sf = s->AsForStmt();
auto loop_vars = sf->LoopVars();
auto value_var = sf->ValueVar();
for ( auto id : *loop_vars )
locals.insert(id);
if ( value_var )
locals.insert(value_var.get());
}
break;
case STMT_SWITCH:
{
// If this is a type-case switch statement, then find the
// identifiers created so we can add them to our list of
// locals. Ideally this wouldn't be necessary since *surely*
// if one bothers to define such an identifier then it'll be
// subsequently used, and we'll pick up the local that way ...
// but if for some reason it's not, then we would have an
// incomplete list of locals that need to be tracked.
auto sw = s->AsSwitchStmt();
for ( auto& c : *sw->Cases() )
{
auto idl = c->TypeCases();
if ( idl )
{
for ( auto id : *idl )
locals.insert(id);
}
}
}
break;
default:
break;
}
return TC_CONTINUE;
}
TraversalCode ProfileFunc::PreExpr(const Expr* e)
{
++num_exprs;
auto tag = e->Tag();
if ( compute_hash )
UpdateHash(int(tag));
switch ( tag ) {
case EXPR_CONST:
if ( compute_hash )
{
CheckType(e->GetType());
UpdateHash(e->AsConstExpr()->ValuePtr());
}
break;
case EXPR_NAME:
{
auto n = e->AsNameExpr();
auto id = n->Id();
if ( id->IsGlobal() )
globals.insert(id);
else
locals.insert(id);
if ( compute_hash )
{
UpdateHash({NewRef{}, id});
CheckType(e->GetType());
}
break;
}
case EXPR_CALL:
{
auto c = e->AsCallExpr();
auto f = c->Func();
if ( f->Tag() != EXPR_NAME )
{
does_indirect_calls = true;
return TC_CONTINUE;
}
auto n = f->AsNameExpr();
IDPtr func = {NewRef{}, n->Id()};
if ( ! func->IsGlobal() )
{
does_indirect_calls = true;
return TC_CONTINUE;
}
auto func_v = func->GetVal();
if ( func_v )
{
auto func_vf = func_v->AsFunc();
auto bf = func_vf->AsScriptFunc();
if ( bf )
{
script_calls.insert(bf);
if ( in_when )
when_calls.insert(bf);
}
else
BiF_calls.insert(func_vf);
}
else
{
// We could complain, but for now we don't because
// if we're invoked prior to full Zeek initialization,
// the value might indeed not there.
// printf("no function value for global %s\n", func->Name());
}
// Recurse into the arguments.
auto args = c->Args();
args->Traverse(this);
return TC_ABORTSTMT;
}
case EXPR_EVENT:
events.insert(e->AsEventExpr()->Name());
break;
case EXPR_LAMBDA:
++num_lambdas;
break;
default:
break;
}
return TC_CONTINUE;
}
void ProfileFunc::CheckType(const TypePtr& t)
{
auto& tn = t->GetName();
if ( tn.size() > 0 && seen_types.count(tn) > 0 )
// No need to hash this in again, as we've already done so.
return;
if ( seen_type_ptrs.count(t.get()) > 0 )
// We've seen the raw pointer, even though it doesn't have
// a name.
return;
seen_types.insert(tn);
seen_type_ptrs.insert(t.get());
UpdateHash(t);
}
void ProfileFunc::UpdateHash(const IntrusivePtr<zeek::Obj>& o)
{
ODesc d;
o->Describe(&d);
std::string desc(d.Description());
auto h = std::hash<std::string>{}(desc);
MergeInHash(h);
}
} // namespace zeek::detail
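Review bot: In `PreExpr`, the `EXPR_CALL` case ends with `return TC_ABORTSTMT;` after traversing the arguments by hand, and nothing at that line says why an expression callback returns a statement-level code. A comment such as `// Skip the default traversal so the callee's name is not recorded in globals; the arguments were handled above.` would tie it to the rule stated on the `globals` member (presumably the reason; please confirm). The results of `args->Traverse(this)` and of the `Cond()->Traverse(this)` call in `PreStmt` are discarded, so an abort raised inside them would not propagate; if that is intended it deserves a note. `CheckType` dereferences `t` without a null check, which is fine only if `GetType()` can never return null for name and constant expressions.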


@ -0,0 +1,123 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Class for traversing a function body's AST to build up a profile
// of its various elements.
#pragma once
#include "zeek/Expr.h"
#include "zeek/Stmt.h"
#include "zeek/Traverse.h"
namespace zeek::detail {
class ProfileFunc : public TraversalCallback {
public:
// If the argument is true, then we compute a hash over the function's
// AST to (pseudo-)uniquely identify it.
ProfileFunc(bool _compute_hash = false)
{ compute_hash = _compute_hash; }
std::unordered_set<const ID*>& Globals() { return globals; }
std::unordered_set<const ID*>& Locals() { return locals; }
std::unordered_set<const ID*>& Inits() { return inits; }
std::unordered_set<ScriptFunc*>& ScriptCalls() { return script_calls; }
std::unordered_set<Func*>& BiFCalls() { return BiF_calls; }
std::unordered_set<ScriptFunc*>& WhenCalls() { return when_calls; }
std::unordered_set<const char*>& Events() { return events; }
bool DoesIndirectCalls() { return does_indirect_calls; }
std::size_t HashVal() { return hash_val; }
int NumStmts() { return num_stmts; }
int NumWhenStmts() { return num_when_stmts; }
int NumExprs() { return num_exprs; }
int NumLambdas() { return num_lambdas; }
protected:
TraversalCode PreStmt(const Stmt*) override;
TraversalCode PreExpr(const Expr*) override;
// Globals seen in the function.
//
// Does *not* include globals solely seen as the function being
// called in a call.
std::unordered_set<const ID*> globals;
// Locals seen in the function.
std::unordered_set<const ID*> locals;
// Same for locals seen in initializations, so we can find
// unused aggregates.
std::unordered_set<const ID*> inits;
// Script functions that this script calls.
std::unordered_set<ScriptFunc*> script_calls;
// Same for BiF's.
std::unordered_set<Func*> BiF_calls;
// Script functions appearing in "when" clauses.
std::unordered_set<ScriptFunc*> when_calls;
// Names of generated events.
std::unordered_set<const char*> events;
// True if the function makes a call through an expression rather
// than simply a function's (global) name.
bool does_indirect_calls = false;
// Hash value. Only valid if constructor requested it.
std::size_t hash_val = 0;
// How many statements / when statements / lambda expressions /
// expressions appear in the function body.
int num_stmts = 0;
int num_when_stmts = 0;
int num_lambdas = 0;
int num_exprs = 0;
// Whether we're separately processing a "when" condition to
// mine out its script calls.
bool in_when = false;
// We only compute a hash over the function if requested, since
// it's somewhat expensive.
bool compute_hash;
// The following are for computing a consistent hash that isn't
// too profligate in how much it needs to compute over.
// Checks whether we've already noted this type, and, if not,
// updates the hash with it.
void CheckType(const TypePtr& t);
void UpdateHash(int val)
{
auto h = std::hash<int>{}(val);
MergeInHash(h);
}
void UpdateHash(const IntrusivePtr<Obj>& o);
void MergeInHash(std::size_t h)
{
// Taken from Boost. See for example
// https://www.boost.org/doc/libs/1_35_0/doc/html/boost/hash_combine_id241013.html
// or
// https://stackoverflow.com/questions/4948780/magic-number-in-boosthash-combine
hash_val ^= h + 0x9e3779b9 + (hash_val << 6) + (hash_val >> 2);
}
// Types that we've already processed. Hashing types can be
// quite expensive since some of the common Zeek record types
// (e.g., notices) are huge, so useful to not do them more than
// once. We track two forms, one by name (if available) and one
// by raw pointer (if not). Doing so allows us to track named
// sub-records but also records that have no names.
std::unordered_set<std::string> seen_types;
std::unordered_set<const Type*> seen_type_ptrs;
};
} // namespace zeek::detail
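Review bot: `std::unordered_set<const char*> events` hashes and compares the pointer values that `PreExpr` inserts from `e->AsEventExpr()->Name()`, not the names themselves, so two event expressions with the same name are merged only if `Name()` hands back the same buffer, and the set holds pointers whose lifetime it does not control. Unless the names are known to be interned (not visible here), `std::unordered_set<std::string> events;` matches the "names of generated events" comment. The single-argument constructor could be `explicit`, and the header relies on other includes for `<unordered_set>` and `<string>`.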


@ -0,0 +1,65 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/Options.h"
#include "zeek/script_opt/ScriptOpt.h"
#include "zeek/script_opt/ProfileFunc.h"
#include "zeek/script_opt/Inline.h"
namespace zeek::detail {
std::unordered_set<const Func*> non_recursive_funcs;
// Tracks all of the loaded functions (including event handlers and hooks).
static std::vector<FuncInfo*> funcs;
FuncInfo::~FuncInfo()
{
delete pf;
delete save_file;
}
void analyze_func(ScriptFuncPtr f)
{
auto info = new FuncInfo(f, {NewRef{}, f->GetScope()}, f->CurrentBody());
funcs.push_back(info);
}
static void check_env_opt(const char* opt, bool& opt_flag)
{
if ( getenv(opt) )
opt_flag = true;
}
void analyze_scripts(Options& opts)
{
auto& analysis_options = opts.analysis_options;
static bool did_init = false;
if ( ! did_init )
{
check_env_opt("ZEEK_INLINE", analysis_options.inliner);
did_init = true;
}
if ( ! analysis_options.inliner )
return;
for ( auto& f : funcs )
{
f->SetProfile(new ProfileFunc(true));
f->Body()->Traverse(f->Profile());
}
Inliner* inl = nullptr;
if ( analysis_options.inliner )
inl = new Inliner(funcs, analysis_options.report_recursive);
delete inl;
}
} // namespace zeek::detail
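Review bot: `analyze_scripts` assigns `f->SetProfile(new ProfileFunc(true))` on every call, and `FuncInfo::SetProfile` simply overwrites `pf`, so a second call (which the `did_init` guard suggests is expected) leaks the previous profile of every function. Either have `SetProfile` delete the old pointer or hold the profile as `std::unique_ptr<ProfileFunc>`. The `Inliner` is created with `new` and deleted two lines later behind a test that is always true after the early return; a local `Inliner inl(funcs, analysis_options.report_recursive);` does the same without the raw pointer. `check_env_opt` turns the flag on for any value of `ZEEK_INLINE`, including `0` or an empty string, which should be stated in a comment if it is the intended contract.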


@ -0,0 +1,79 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Classes for controlling/orchestrating script optimization & compilation.
#pragma once
#include "zeek/Func.h"
#include "zeek/Expr.h"
#include "zeek/Scope.h"
namespace zeek { struct Options; }
namespace zeek::detail {
// Flags controlling what sorts of analysis to do.
struct AnalyOpt {
// If true, do global inlining.
bool inliner = false;
// If true, report which functions are directly and indirectly
// recursive, and exit. Only germane if running the inliner.
bool report_recursive = false;
};
class ProfileFunc;
using ScriptFuncPtr = IntrusivePtr<ScriptFunc>;
// Info we need for tracking an instance of a function.
class FuncInfo {
public:
FuncInfo(ScriptFuncPtr _func, ScopePtr _scope, StmtPtr _body)
{
func = _func;
scope = _scope;
body = _body;
}
~FuncInfo();
ScriptFunc* Func() { return func.get(); }
ScriptFuncPtr FuncPtr() { return func; }
ScopePtr Scope() { return scope; }
StmtPtr Body() { return body; }
ProfileFunc* Profile() { return pf; }
const char* SaveFile() { return save_file; }
void SetProfile(ProfileFunc* _pf) { pf = _pf; }
void SetSaveFile(const char* _sf);
protected:
ScriptFuncPtr func;
ScopePtr scope;
StmtPtr body;
ProfileFunc* pf = nullptr;
// If we're saving this function in a file, this is the name
// of the file to use.
char* save_file = nullptr;
};
// We track which functions are definitely not recursive. We do this
// as the negative, rather than tracking functions known to be recursive,
// so that if we don't do the analysis at all (it's driven by inlining),
// we err on the conservative side and assume every function is recursive.
extern std::unordered_set<const Func*> non_recursive_funcs;
// Analyze a given function for optimization.
extern void analyze_func(ScriptFuncPtr f);
// Analyze all of the parsed scripts collectively for optimization.
extern void analyze_scripts(Options& opts);
} // namespace zeek::detail
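Review bot: `FuncInfo` owns `pf` and `save_file` through raw pointers and frees them in its destructor, but its copy constructor and copy assignment are left implicit, so any copy of a `FuncInfo` ends in a double delete. Since the only container shown stores `FuncInfo*`, forbidding copies costs nothing: `FuncInfo(const FuncInfo&) = delete;` and `FuncInfo& operator=(const FuncInfo&) = delete;`. `FuncInfo::~FuncInfo` uses scalar `delete` on the `char* save_file`; `SetSaveFile` is not defined on this page, so it is worth confirming the buffer does not come from `new[]` or `strdup`.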

212
src/script_opt/Stmt.cc Normal file

@ -0,0 +1,212 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Optimization-related methods for Stmt classes.
#include "zeek/Stmt.h"
#include "zeek/Expr.h"
namespace zeek::detail {
void ExprListStmt::Inline(Inliner* inl)
{
auto& e = l->Exprs();
for ( auto i = 0; i < e.length(); ++i )
e.replace(i, e[i]->Inline(inl).release());
}
StmtPtr PrintStmt::Duplicate()
{
return SetSucc(new PrintStmt(l->Duplicate()->AsListExprPtr()));
}
StmtPtr ExprStmt::Duplicate()
{
return SetSucc(new ExprStmt(e ? e->Duplicate() : nullptr));
}
void ExprStmt::Inline(Inliner* inl)
{
if ( e )
e = e->Inline(inl);
}
StmtPtr IfStmt::Duplicate()
{
return SetSucc(new IfStmt(e->Duplicate(), s1->Duplicate(),
s2->Duplicate()));
}
void IfStmt::Inline(Inliner* inl)
{
ExprStmt::Inline(inl);
if ( s1 )
s1->Inline(inl);
if ( s2 )
s2->Inline(inl);
}
IntrusivePtr<Case> Case::Duplicate()
{
if ( expr_cases )
{
auto new_exprs = expr_cases->Duplicate()->AsListExprPtr();
return make_intrusive<Case>(new_exprs, type_cases, s->Duplicate());
}
else
return make_intrusive<Case>(nullptr, type_cases, s->Duplicate());
}
StmtPtr SwitchStmt::Duplicate()
{
auto new_cases = new case_list;
loop_over_list(*cases, i)
new_cases->append((*cases)[i]->Duplicate().release());
return SetSucc(new SwitchStmt(e->Duplicate(), new_cases));
}
void SwitchStmt::Inline(Inliner* inl)
{
ExprStmt::Inline(inl);
for ( auto c : *cases )
// In principle this can do the operation multiple times
// for a given body, but that's no big deal as repeated
// calls won't do anything.
c->Body()->Inline(inl);
}
StmtPtr AddStmt::Duplicate()
{
return SetSucc(new AddStmt(e->Duplicate()));
}
StmtPtr DelStmt::Duplicate()
{
return SetSucc(new DelStmt(e->Duplicate()));
}
StmtPtr EventStmt::Duplicate()
{
return SetSucc(new EventStmt(e->Duplicate()->AsEventExprPtr()));
}
StmtPtr WhileStmt::Duplicate()
{
return SetSucc(new WhileStmt(loop_condition->Duplicate(),
body->Duplicate()));
}
void WhileStmt::Inline(Inliner* inl)
{
loop_condition = loop_condition->Inline(inl);
if ( loop_cond_stmt )
loop_cond_stmt->Inline(inl);
if ( body )
body->Inline(inl);
}
StmtPtr ForStmt::Duplicate()
{
auto expr_copy = e->Duplicate();
auto new_loop_vars = new zeek::IDPList;
loop_over_list(*loop_vars, i)
{
auto id = (*loop_vars)[i];
zeek::Ref(id);
new_loop_vars->append(id);
}
ForStmt* f;
if ( value_var )
f = new ForStmt(new_loop_vars, expr_copy, value_var);
else
f = new ForStmt(new_loop_vars, expr_copy);
f->AddBody(body->Duplicate());
return SetSucc(f);
}
void ForStmt::Inline(Inliner* inl)
{
ExprStmt::Inline(inl);
body->Inline(inl);
}
StmtPtr ReturnStmt::Duplicate()
{
return SetSucc(new ReturnStmt(e ? e->Duplicate() : nullptr, true));
}
ReturnStmt::ReturnStmt(ExprPtr arg_e, bool ignored)
: ExprStmt(STMT_RETURN, std::move(arg_e))
{
}
StmtPtr StmtList::Duplicate()
{
auto new_sl = new StmtList();
for ( auto& stmt : Stmts() )
new_sl->Stmts().push_back(stmt->Duplicate().release());
return SetSucc(new_sl);
}
void StmtList::Inline(Inliner* inl)
{
for ( const auto& stmt : Stmts() )
stmt->Inline(inl);
}
StmtPtr InitStmt::Duplicate()
{
// Need to duplicate the initializer list since later reductions
// can modify it in place.
std::vector<IDPtr> new_inits;
for ( auto id : inits )
new_inits.push_back(id);
return SetSucc(new InitStmt(new_inits));
}
StmtPtr WhenStmt::Duplicate()
{
auto cond_d = cond->Duplicate();
auto s1_d = s1->Duplicate();
auto s2_d = s2 ? s2->Duplicate() : nullptr;
auto timeout_d = timeout ? timeout->Duplicate() : nullptr;
return SetSucc(new WhenStmt(cond_d, s1_d, s2_d, timeout_d, is_return));
}
void WhenStmt::Inline(Inliner* inl)
{
// Don't inline, since we currently don't correctly capture
// the frames of closures.
}
} // namespace zeek::detail
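Review bot: `IfStmt::Duplicate` calls `s1->Duplicate()` and `s2->Duplicate()` unconditionally, while `IfStmt::Inline` right below tests `if ( s1 )` and `if ( s2 )`; `WhileStmt` has the same split between `body->Duplicate()` and `if ( body )`. If those members can be null the duplicates dereference a null pointer, and if they cannot the checks are noise; `WhenStmt::Duplicate` already shows the guarded form, `s2 ? s2->Duplicate() : nullptr`. In `ExprListStmt::Inline`, `e.replace(i, e[i]->Inline(inl).release())` drops whatever `replace` returns; unless `replace` unrefs the old element itself (not visible here), each pass leaves a reference behind, since the default `Expr::Inline` returns a new reference to the same node. `Case::Duplicate` hands the same `type_cases` pointer to the copy, which needs a comment saying who owns that list.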


@ -0,0 +1,13 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Private (protected) Stmt methods and member varibles associated
// with script optimization. See script_opt/ExprOpt-public.h for
// why these aren't factored into a separate class.
//
// Right now, this file is small, but it will grow as we expand into
// other forms of script optimization.
// The original statement from which this statement was
// derived, if any. Used as an aid for generating meaningful
// and correctly-localized error messages.
StmtPtr original = nullptr;


@ -0,0 +1,37 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Stmt methods and member varibles associated with script optimization.
// See script_opt/ExprOpt-public.h for why these aren't factored into a
// separate class.
// Returns a duplicate of the statement.
virtual StmtPtr Duplicate() = 0;
// Recursively traverses the AST to inline eligible function calls.
virtual void Inline(Inliner* inl) { }
// Access to the original statement from which this one is derived,
// or this one if we don't have an original. Returns a bare pointer
// rather than a StmtPtr to emphasize that the access is read-only.
const Stmt* Original() const
{ return original ? original->Original() : this; }
// Designate the given Stmt node as the original for this one.
void SetOriginal(StmtPtr _orig)
{
if ( ! original )
original = std::move(_orig);
}
// A convenience function for taking a newly-created Stmt,
// making it point to us as the successor, and returning it.
//
// Takes a Stmt* rather than a StmtPtr to de-clutter the calling
// code, which is always passing in "new XyzStmt(...)". This
// call, as a convenient side effect, transforms that bare pointer
// into a StmtPtr.
virtual StmtPtr SetSucc(Stmt* succ)
{
succ->SetOriginal({NewRef{}, this});
return {AdoptRef{}, succ};
}


@ -54,6 +54,8 @@ extern "C" {
#include "zeek/ScannedFile.h"
#include "zeek/Frag.h"
#include "zeek/script_opt/ScriptOpt.h"
#include "zeek/supervisor/Supervisor.h"
#include "zeek/threading/Manager.h"
#include "zeek/input/Manager.h"
@ -788,6 +790,14 @@ SetupResult setup(int argc, char** argv, Options* zopts)
}
}
analyze_scripts(options);
auto& analysis_options = options.analysis_options;
if ( analysis_options.report_recursive )
// This option is report-and-exit.
return {0, std::move(options), true};
if ( dns_type != DNS_PRIME )
run_state::detail::init_run(options.interface, options.pcap_file, options.pcap_output_file, options.use_watchdog);
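Review bot: The new `report_recursive` branch returns right after `analyze_scripts(options)`, but `analyze_scripts` returns before constructing the `Inliner` when `analysis_options.inliner` is false, so with only `report_recursive` set the process exits with code 0 and reports nothing. Either test both flags here, `if ( analysis_options.inliner && analysis_options.report_recursive )`, or have the option imply the inliner where the options are parsed. The enclosing `setup` function starts and ends outside these hunks, so how the flag gets set is not visible from here.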


@ -9,6 +9,7 @@ namespace zeek::detail {
struct SetupResult {
int code = 0;
Options options;
bool parse_only = false;
};
/**


@ -2333,7 +2333,7 @@ function backtrace%(%): Backtrace
if ( ci.call )
{
auto loc = ci.call->GetLocationInfo();
auto loc = ci.call->Original()->GetLocationInfo();
elem->Assign<StringVal>(file_location_idx, loc->filename);
elem->Assign(line_location_idx, val_mgr->Count(loc->first_line));
}


@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
expression error in <...>/invalid-handle.zeek, lines 16-22: invalid Broker store handle (0), during call: (Broker::is_closed(a))
error in <...>/invalid-handle.zeek, lines 4-14: invalid Broker store handle (Broker::keys(a) and 0)
keys, [status=Broker::FAILURE, result=[data=<uninitialized>]]


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
0 ./profiling-test1.zeek, line 2 print new conn;


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
0 ./profiling-test1.zeek, line 2 print new conn;


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
0 ./profiling-test1.zeek, line 2 print new conn;
0 ./profiling-test2.zeek, line 2 print new conn;


@ -0,0 +1,41 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in ./no-warnings.zeek, line 27: deprecated (ONE)
warning in ./no-warnings.zeek, line 28: deprecated (TWO)
warning in ./no-warnings.zeek, line 30: deprecated (GREEN)
warning in ./no-warnings.zeek, line 31: deprecated (BLUE)
warning in ./no-warnings.zeek, line 33: deprecated (blah)
warning in ./no-warnings.zeek, line 37: deprecated (my_event)
warning in ./no-warnings.zeek, line 38: deprecated (my_event)
warning in ./no-warnings.zeek, line 39: deprecated (my_hook)
warning in ./no-warnings.zeek, line 41: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 42: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 43: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 45: deprecated (my_record?$b)
warning in ./no-warnings.zeek, line 46: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 49: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record?$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record?$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 50: deprecated (my_record$b)
warning in ./no-warnings.zeek, line 52: deprecated (my_event)
warning in ./no-warnings.zeek, line 57: deprecated (my_hook)
warning in ./no-warnings.zeek, line 62: deprecated (blah)
warning in ./no-warnings.zeek, line 71: deprecated (dont_use_me)
warning in ./no-warnings.zeek, line 76: deprecated (dont_use_me_either)
ZERO
ONE
TWO
RED
GREEN
BLUE
generate my_hook please
generate my_event please
schedule my_event please


@ -0,0 +1,41 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in ./warnings.zeek, line 27: deprecated (ONE): one warning
warning in ./warnings.zeek, line 28: deprecated (TWO): two warning
warning in ./warnings.zeek, line 30: deprecated (GREEN): green warning
warning in ./warnings.zeek, line 31: deprecated (BLUE): red warning
warning in ./warnings.zeek, line 33: deprecated (blah): type warning
warning in ./warnings.zeek, line 37: deprecated (my_event): event warning
warning in ./warnings.zeek, line 38: deprecated (my_event): event warning
warning in ./warnings.zeek, line 39: deprecated (my_hook): hook warning
warning in ./warnings.zeek, line 41: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 42: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 43: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 45: deprecated (my_record?$b): record warning
warning in ./warnings.zeek, line 46: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 49: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record?$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record?$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 50: deprecated (my_record$b): record warning
warning in ./warnings.zeek, line 52: deprecated (my_event): event warning
warning in ./warnings.zeek, line 57: deprecated (my_hook): hook warning
warning in ./warnings.zeek, line 62: deprecated (blah): type warning
warning in ./warnings.zeek, line 71: deprecated (dont_use_me): global function warning
warning in ./warnings.zeek, line 76: deprecated (dont_use_me_either): function warning
ZERO
ONE
TWO
RED
GREEN
BLUE
generate my_hook please
generate my_event please
schedule my_event please


@ -0,0 +1,7 @@
--- Backtrace ---
--- Backtrace ---
--- Backtrace ---


@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
expression error in <no location>: invalid Broker store handle (0), during call: (Broker::__is_closed(Broker::h))
error in <...>/invalid-handle.zeek, line 6: invalid Broker store handle (Broker::keys(a) and 0)
keys, [status=Broker::FAILURE, result=[data=<uninitialized>]]


@ -0,0 +1,5 @@
runtime error in /Users/vern/warehouse/zeek-bvu-change/scripts/base/utils/queue.zeek, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=<uninitialized>], expression: Queue::ret[Queue::j], call stack:
#0 zeek_init()
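Review bot: The baseline line beginning `runtime error in /Users/vern/warehouse/zeek-bvu-change/scripts/base/utils/queue.zeek` records an absolute path from the author's checkout, so the comparison can only match on a machine with that same directory layout, and the committed file exposes a local user name and directory structure. Another baseline in this commit prints its script path as `<...>/invalid-handle.zeek`, which suggests this test's output is not passing through the same path canonifier before btest-diff (for example via `TEST_DIFF_CANONIFIER`). I would regenerate it so the line starts `runtime error in <...>/queue.zeek, line 152:`. The hunk header announces five lines but only two are visible here, so the rest of the file could not be checked.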


@ -0,0 +1 @@
foo, 1, 2, 3, yo


@ -0,0 +1 @@
foo, 1, 2, 3, yo


@ -0,0 +1,9 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error: file ID asdf not a known file
This should fail but not crash
This should return F
F
lookup fid: FMnxxt3xjVcWNS2141
We should have found the file id: FMnxxt3xjVcWNS2141
This should return T
T


@ -0,0 +1,160 @@
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
q3r3057fdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfs\d
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
dfsdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (8 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
3rw43wRRERLlL#RWERERERE.


@ -0,0 +1,15 @@
[source=wc -l ../input.log |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=Val, want_record=F, ev=line
{
print outfile, description;
print outfile, tpe;
print outfile, s;
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
8 ../input.log


@ -0,0 +1,320 @@
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
q3r3057fdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfs\d
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
dfsdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
3rw43wRRERLlL#RWERERERE.
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
q3r3057fdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdfs\d
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
dfsdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
sdf
[source=../input.log, reader=Input::READER_RAW, mode=Input::REREAD, name=input, fields=A::Val, want_record=F, ev=line
{
print outfile, A::description;
print outfile, A::tpe;
print outfile, A::s;
try = try + 1;
if (16 == try)
{
inline(input){{
return (Input::__remove_stream(Input::id));
}};
close(outfile);
terminate();
}
}, error_ev=<uninitialized>, config={
}]
Input::EVENT_NEW
3rw43wRRERLlL#RWERERERE.


@ -0,0 +1,236 @@
0.000000 zeek_init
0.000000 NetControl::init
0.000000 filter_change_tracking
1254722767.492060 Broker::log_flush
1254722767.492060 ChecksumOffloading::check
1254722767.492060 filter_change_tracking
1254722767.492060 new_connection
1254722767.492060 dns_message
1254722767.492060 dns_request
1254722767.492060 protocol_confirmation
1254722767.492060 dns_end
1254722767.526085 dns_message
1254722767.526085 dns_CNAME_reply
1254722767.526085 dns_A_reply
1254722767.526085 dns_end
1254722767.529046 new_connection
1254722767.875996 connection_established
1254722768.219663 smtp_reply
1254722768.219663 smtp_reply
1254722768.219663 smtp_reply
1254722768.224809 protocol_confirmation
1254722768.224809 smtp_request
1254722768.565386 Broker::log_flush
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.566183 smtp_reply
1254722768.568729 smtp_request
1254722768.911081 smtp_reply
1254722768.911655 smtp_request
1254722769.253544 smtp_reply
1254722769.254118 smtp_request
1254722769.613798 Broker::log_flush
1254722769.613798 smtp_reply
1254722769.614414 smtp_request
1254722769.956765 smtp_reply
1254722769.957250 smtp_request
1254722770.319708 smtp_reply
1254722770.320203 smtp_request
1254722770.320203 mime_begin_entity
1254722770.661679 Broker::log_flush
1254722770.661679 smtp_reply
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 mime_begin_entity
1254722770.692743 mime_one_header
1254722770.692743 mime_begin_entity
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 get_file_handle
1254722770.692743 file_new
1254722770.692743 file_over_new_connection
1254722770.692743 mime_end_entity
1254722770.692743 get_file_handle
1254722770.692743 file_sniff
1254722770.692743 file_state_remove
1254722770.692743 get_file_handle
1254722770.692743 mime_begin_entity
1254722770.692743 mime_one_header
1254722770.692743 mime_one_header
1254722770.692743 get_file_handle
1254722770.692743 file_new
1254722770.692743 file_over_new_connection
1254722770.692804 mime_end_entity
1254722770.692804 get_file_handle
1254722770.692804 file_sniff
1254722770.692804 file_state_remove
1254722770.692804 get_file_handle
1254722770.692804 mime_end_entity
1254722770.692804 get_file_handle
1254722770.692804 get_file_handle
1254722770.692804 mime_begin_entity
1254722770.692804 mime_one_header
1254722770.692804 mime_one_header
1254722770.692804 mime_one_header
1254722770.692804 get_file_handle
1254722770.692804 file_new
1254722770.692804 file_over_new_connection
1254722770.695115 new_connection
1254722771.494181 file_sniff
1254722771.834595 Broker::log_flush
1254722771.858334 mime_end_entity
1254722771.858334 get_file_handle
1254722771.858334 file_state_remove
1254722771.858334 get_file_handle
1254722771.858334 mime_end_entity
1254722771.858334 get_file_handle
1254722771.858334 get_file_handle
1254722771.858334 get_file_handle
1254722771.858334 get_file_handle
1254722771.858334 smtp_request
1254722772.248789 smtp_reply
1254722774.763825 Broker::log_flush
1254722774.763825 smtp_request
1254722775.105467 smtp_reply
1254722776.690444 Broker::log_flush
1254722776.690444 new_connection
1437831776.764391 ChecksumOffloading::check
1437831776.764391 connection_state_remove
1437831776.764391 Broker::log_flush
1437831776.764391 connection_state_remove
1437831776.764391 connection_state_remove
1437831776.764391 connection_state_remove
1437831776.764391 filter_change_tracking
1437831776.764391 new_connection
1437831787.856895 Broker::log_flush
1437831787.856895 new_connection
1437831787.861602 connection_established
1437831787.867142 smtp_reply
1437831787.883306 protocol_confirmation
1437831787.883306 smtp_request
1437831787.886281 smtp_reply
1437831787.886281 smtp_reply
1437831787.886281 smtp_reply
1437831787.886281 smtp_reply
1437831787.887031 smtp_request
1437831787.889785 smtp_reply
1437831787.890232 smtp_request
1437831787.892986 smtp_reply
1437831787.893587 smtp_request
1437831787.897624 smtp_reply
1437831787.898413 smtp_request
1437831787.901069 smtp_reply
1437831787.901697 smtp_request
1437831787.901697 mime_begin_entity
1437831787.904758 smtp_reply
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 mime_one_header
1437831787.905375 get_file_handle
1437831787.905375 file_new
1437831787.905375 file_over_new_connection
1437831787.905375 mime_end_entity
1437831787.905375 get_file_handle
1437831787.905375 file_sniff
1437831787.905375 file_state_remove
1437831787.905375 get_file_handle
1437831787.905375 get_file_handle
1437831787.905375 get_file_handle
1437831787.905375 smtp_request
1437831787.914113 smtp_reply
1437831798.533593 Broker::log_flush
1437831798.533593 new_connection
1437831799.262632 new_connection
1437831799.461152 new_connection
1437831799.610433 Broker::log_flush
1437831799.610433 connection_established
1437831799.611764 ssl_extension_server_name
1437831799.611764 ssl_extension
1437831799.611764 ssl_extension
1437831799.611764 ssl_extension
1437831799.611764 ssl_extension
1437831799.611764 ssl_extension
1437831799.611764 protocol_confirmation
1437831799.611764 ssl_client_hello
1437831799.611764 ssl_handshake_message
1437831799.611764 ssl_plaintext_data
1437831799.764576 ssl_extension
1437831799.764576 ssl_server_hello
1437831799.764576 ssl_handshake_message
1437831799.764576 file_new
1437831799.764576 file_over_new_connection
1437831799.764576 file_sniff
1437831799.764576 file_hash
1437831799.764576 file_hash
1437831799.764576 x509_certificate
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_ext_basic_constraints
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_ext_subject_alternative_name
1437831799.764576 file_hash
1437831799.764576 file_state_remove
1437831799.764576 file_new
1437831799.764576 file_over_new_connection
1437831799.764576 file_sniff
1437831799.764576 file_hash
1437831799.764576 file_hash
1437831799.764576 x509_certificate
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_ext_basic_constraints
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 x509_extension
1437831799.764576 file_hash
1437831799.764576 file_state_remove
1437831799.764576 ssl_handshake_message
1437831799.764576 ssl_handshake_message
1437831799.764576 ssl_plaintext_data
1437831799.838196 ssl_handshake_message
1437831799.838196 ssl_plaintext_data
1437831799.838197 ssl_change_cipher_spec
1437831799.838197 ssl_plaintext_data
1437831800.045701 ssl_change_cipher_spec
1437831800.045701 ssl_plaintext_data
1437831800.045701 ssl_established
1437831800.217854 net_done
1437831800.217854 Broker::log_flush
1437831800.217854 filter_change_tracking
1437831800.217854 connection_state_remove
1437831800.217854 connection_state_remove
1437831800.217854 connection_state_remove
1437831800.217854 connection_state_remove
1437831800.217854 connection_state_remove
1437831800.217854 zeek_done
1437831800.217854 ChecksumOffloading::check


@ -0,0 +1,320 @@
1254722768.219663 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
[4] msg: string = xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500
[5] cont_resp: bool = T
1254722768.219663 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, 
dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
[4] msg: string = We do not authorize the use of this system to transport unsolicited,
[5] cont_resp: bool = T
1254722768.219663 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=690.0 msecs 616.846085 usecs, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, 
dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
[4] msg: string = and/or bulk e-mail.
[5] cont_resp: bool = F
1254722768.224809 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=695.0 msecs 762.872696 usecs, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, 
dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = EHLO
[3] arg: string = GP
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = xc90.websitewelcome.com Hello GP [122.162.143.157]
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = SIZE 52428800
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = PIPELINING
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = AUTH PLAIN LOGIN
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = STARTTLS
[5] cont_resp: bool = T
1254722768.566183 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 37.0 msecs 137.031555 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = HELP
[5] cont_resp: bool = F
1254722768.568729 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 39.0 msecs 682.865143 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = AUTH
[3] arg: string = LOGIN
1254722768.911081 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 382.0 msecs 35.017014 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 334
[3] cmd: string = AUTH
[4] msg: string = VXNlcm5hbWU6
[5] cont_resp: bool = F
1254722768.911655 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 382.0 msecs 608.890533 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = **
[3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu
1254722769.253544 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 724.0 msecs 498.033524 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 334
[3] cmd: string = AUTH_ANSWER
[4] msg: string = UGFzc3dvcmQ6
[5] cont_resp: bool = F
1254722769.254118 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.0 sec 725.0 msecs 71.907043 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = **
[3] arg: string = cHVuamFiQDEyMw==
1254722769.613798 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 84.0 msecs 751.844406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 235
[3] cmd: string = AUTH_ANSWER
[4] msg: string = Authentication succeeded
[5] cont_resp: bool = F
1254722769.614414 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 85.0 msecs 367.918015 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = MAIL
[3] arg: string = FROM: <gurpartap@patriots.in>
1254722769.956765 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 427.0 msecs 718.877792 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = MAIL
[4] msg: string = OK
[5] cont_resp: bool = F
1254722769.957250 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 428.0 msecs 204.059601 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = RCPT
[3] arg: string = TO: <raj_deol2002in@yahoo.co.in>
1254722770.319708 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 790.0 msecs 662.050247 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = RCPT
[4] msg: string = Accepted
[5] cont_resp: bool = F
1254722770.320203 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.0 secs 791.0 msecs 157.007217 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = DATA
[3] arg: string =
1254722770.661679 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.0 secs 132.0 msecs 632.97081 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 354
[3] cmd: string = DATA
[4] msg: string = Enter message, ending with "." on a line by itself
[5] cont_resp: bool = F
1254722771.858334 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.0 secs 329.0 msecs 288.005829 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = .
[3] arg: string = .
1254722772.248789 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.0 secs 719.0 msecs 743.013382 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FmFp351N5nhsMmAfQg, Fqrb1K5DWEfgy4WU2, FEFYSd1s8Onn9LynKj]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = .
[4] msg: string = OK id=1Mugho-0003Dg-Un
[5] cont_resp: bool = F
1254722774.763825 smtp_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.0 secs 234.0 msecs 778.881073 usecs, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = QUIT
[3] arg: string =
1254722775.105467 smtp_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.0 secs 576.0 msecs 421.022415 usecs, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 221
[3] cmd: string = QUIT
[4] msg: string = xc90.websitewelcome.com closing connection
[5] cont_resp: bool = F
1437831787.867142 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=10.0 msecs 246.992111 usecs, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 220
[3] cmd: string = >
[4] msg: string = uprise ESMTP SubEthaSMTP null
[5] cont_resp: bool = F
1437831787.883306 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=26.0 msecs 411.056519 usecs, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = EHLO
[3] arg: string = [192.168.133.100]
1437831787.886281 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = uprise
[5] cont_resp: bool = T
1437831787.886281 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = 8BITMIME
[5] cont_resp: bool = T
1437831787.886281 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = AUTH LOGIN
[5] cont_resp: bool = T
1437831787.886281 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=29.0 msecs 386.043549 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = EHLO
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.887031 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=30.0 msecs 136.108398 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = MAIL
[3] arg: string = FROM:<albert@example.com>
1437831787.889785 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=32.0 msecs 890.081406 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = MAIL
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.890232 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=33.0 msecs 337.116241 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = RCPT
[3] arg: string = TO:<ericlim220@yahoo.com>
1437831787.892986 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=36.0 msecs 91.089249 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = RCPT
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.893587 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=36.0 msecs 692.142487 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = RCPT
[3] arg: string = TO:<felica4uu@hotmail.com>
1437831787.897624 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=40.0 msecs 729.045868 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = RCPT
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.898413 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=41.0 msecs 517.972946 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = RCPT
[3] arg: string = TO:<davis_mark1@outlook.com>
1437831787.901069 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=44.0 msecs 173.955917 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = RCPT
[4] msg: string = Ok
[5] cont_resp: bool = F
1437831787.901697 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=44.0 msecs 801.950455 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = DATA
[3] arg: string =
1437831787.904758 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=47.0 msecs 863.006592 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 354
[3] cmd: string = DATA
[4] msg: string = End data with <CR><LF>.<CR><LF>
[5] cont_resp: bool = F
1437831787.905375 smtp_request
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=48.0 msecs 480.033875 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = T
[2] command: string = .
[3] arg: string = .
1437831787.914113 smtp_reply
[0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=57.0 msecs 218.074799 usecs, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09inline(SMTP::c){{ \x0a\x09\x09if (SMTP::c$smtp$has_client_activity) \x0a\x09\x09\x09{ \x0a\x09\x09\x09inline(SMTP::LOG, SMTP::c$smtp){{ \x0a\x09\x09\x09return (Log::__write(Log::id, Log::columns));\x0a\x09\x09\x09}};\x0a\x09\x09\x09SMTP::c$smtp = inline(SMTP::c){{ \x0a\x09\x09\x09<init> SMTP::l;\x0a\x09\x09\x09{ \x0a\x09\x09\x09;\x0a\x09\x09\x09SMTP::l$ts = network_time();\x0a\x09\x09\x09SMTP::l$uid = SMTP::c$uid;\x0a\x09\x09\x09SMTP::l$id = SMTP::c$id;\x0a\x09\x09\x09SMTP::l$trans_depth = SMTP::c$smtp_state$messages_transferred + 1;\x0a\x09\x09\x09if (SMTP::c$smtp_state?$helo) \x0a\x09\x09\x09\x09SMTP::l$helo = SMTP::c$smtp_state$helo;\x0a\x0a\x09\x09\x09SMTP::l$path = vector(SMTP::c$id$resp_h, SMTP::c$id$orig_h);\x0a\x09\x09\x09inline(SMTP::c, SMTP::finalize_smtp){{ \x0a\x09\x09\x09if (Conn::c?$removal_hooks) \x0a\x09\x09\x09\x09{ \x0a\x09\x09\x09\x09if (Conn::hk in Conn::c$removal_hooks) \x0a\x09\x09\x09\x09\x09return (F);\x0a\x0a\x09\x09\x09\x09add Conn::c$removal_hooks[Conn::hk];\x0a\x09\x09\x09\x09return (T);\x0a\x09\x09\x09\x09}\x0a\x0a\x09\x09\x09Conn::c$removal_hooks = set(Conn::hk);\x0a\x09\x09\x09return (T);\x0a\x09\x09\x09}};\x0a\x09\x09\x09return (SMTP::l);\x0a\x09\x09\x09}\x0a\x09\x09\x09}};\x0a\x09\x09\x09}\x0a\x0a\x09\x09}};\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0afelica4uu@hotmail.com,\x0adavis_mark1@outlook.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fc5KpS3kUYqDLwWSMf]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F
[2] code: count = 250
[3] cmd: string = .
[4] msg: string = Ok
[5] cont_resp: bool = F


@ -0,0 +1,10 @@
non_recursiveA\x0a{ \x0areturn (x + (coerce 2 to double) * y);\x0a}
non_recursiveB\x0a{ \x0areturn (x + (coerce 3 to double) * non_recursiveA(y, x));\x0a}
recursive\x0a{ \x0aif (0 < n) \x0a\x09return (recursive(n - 1, k + 1) * n);\x0aelse\x0a\x09return (k);\x0a\x0a}
mutually_recursiveA\x0a{ \x0aif (0 < n) \x0a\x09return (mutually_recursiveB(n - 1, k + 1) * n);\x0aelse\x0a\x09return (k);\x0a\x0a}
mutually_recursiveB\x0a{ \x0areturn (mutually_recursiveA(n, k + 1));\x0a}
my_handler\x0a{ \x0aprint inline((coerce -3 to double), (coerce 2 to double)){{ \x0areturn (x + (coerce 2 to double) * y);\x0a}};\x0aprint inline((coerce -3 to double), (coerce 2 to double)){{ \x0areturn (x + (coerce 3 to double) * inline(y, x){{ \x0areturn (x + (coerce 2 to double) * y);\x0a}});\x0a}};\x0aprint recursive(5, 7);\x0aprint mutually_recursiveA(6, 4);\x0a}
1.0
-15.0
1440
11520


@ -32,3 +32,37 @@ ZEEK_DISABLE_ZEEKYGEN=1
ZEEK_ALLOW_INIT_ERRORS=1
ZEEK_SUPERVISOR_NO_SIGKILL=1
UBSAN_OPTIONS=print_stacktrace=1
[environment-AST-dup]
# Environment for testing AST duplication functionality, which is
# needed for script optimization but isn't otherwise exercised.
#
# 5 tests differ, for the following reasons:
#
# language.deprecated
# Some deprecation messages get reported multiple times, first when
# constructing the original AST node, and then when duplicating it.
#
# scripts.base.frameworks.input.reread
# plugins.hooks
# When lambdas are duplicated they get a new UID, which differs
# from the original.
#
# broker.store.invalid-handle
# Line numbers in some error messages differ. The duplicated
# ones are "wider" (entire function) than the originals. Most
# such differences have been already fixed; this one is a bit
# puzzling, but doesn't seem worth trying to fix.
#
# coverage.zeek-profiler-file
# Not sure what's going on here, but best guess the problem is
# that the coverage tracking is looking for execution of the
# original statements and is not able to associate the duplicated
# statements with these. Doesn't seem worth trying to fix.
#
ZEEK_DUPLICATE_ASTS=1
BTEST_BASELINE_DIR=%(testbase)s/Baseline.dup:%(testbase)s/Baseline
[environment-inline]
ZEEK_INLINE=1
BTEST_BASELINE_DIR=%(testbase)s/Baseline.inline:%(testbase)s/Baseline
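Review bot: The `[environment-inline]` block at the end of this hunk has no comment, while `[environment-AST-dup]` just above it documents its purpose and every test whose baseline differs. Because `BTEST_BASELINE_DIR` lists `Baseline.inline` ahead of the regular `Baseline`, a reader cannot tell from the config which tests are expected to diverge under `ZEEK_INLINE=1`; the comment this commit adds elsewhere about the "non-void function returning without a value" warning disappearing when inlined suggests at least one does. I would add a header such as `# Environment for testing script inlining; tests whose output changes when calls are inlined keep their baselines in Baseline.inline.` and then list the differing tests with a one-line reason each, as the AST-dup block does.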


@ -0,0 +1,67 @@
# @TEST-EXEC: zeek -b -O inline %INPUT >output
# @TEST-EXEC: btest-diff output
# Tests pure inlining of scripts (no other optimization/compilation used).
# The non-recursive functions should be (recursively!) inlined into the
# body of my_handler, while neither the directly-recursive nor the
# mutually recursive ones should be. We print out each function body
# in its transformed form (format %S) to test this.
function non_recursiveA(x: double, y: double): double
{
return x + 2 * y;
}
function non_recursiveB(x: double, y: double): double
{
# When printed, this function's body will *not* indicate inlining,
# because this function is itself inlined (and thus will not be
# called directly, so we avoid the work of inlining it itself).
#
# We reverse arguments in the call to make sure that parameters get
# correctly assigned when executing inlined blocks.
return x + non_recursiveA(y, x) * 3;
}
function recursive(n: count, k: count): count
{
if ( n > 0 )
return n * recursive(n-1, k + 1);
else
return k;
}
global mutually_recursiveB: function(n: count, k: count): count;
function mutually_recursiveA(n: count, k: count): count
{
if ( n > 0 )
return n * mutually_recursiveB(n-1, k + 1);
else
return k;
}
function mutually_recursiveB(n: count, k: count): count
{
return mutually_recursiveA(n, k + 1);
}
event my_handler()
{
print non_recursiveA(-3, 2);
print non_recursiveB(-3, 2);
print recursive(5, 7);
print mutually_recursiveA(6, 4);
}
event zeek_init()
{
print fmt("%S", non_recursiveA);
print fmt("%S", non_recursiveB);
print fmt("%S", recursive);
print fmt("%S", mutually_recursiveA);
print fmt("%S", mutually_recursiveB);
print fmt("%S", my_handler);
event my_handler();
}
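Review bot: Both callees this test expects to be inlined, `non_recursiveA` and `non_recursiveB`, consist of a single trailing `return`, so the test never exercises a `return` that sits inside a branch of an inlined body. That is the case where an inliner most easily goes wrong, either by letting the callee's `return` end the caller or by skipping the statements that follow the call. I would add a non-recursive callee with an early return, for example `function early_ret(n: count): count { if ( n > 3 ) return 0; return n + 1; }`, call it from `my_handler` with one argument on each side of the branch followed by a further `print`, and extend the baseline accordingly. A callee with no return value would be worth covering the same way.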


@ -6,6 +6,9 @@
event zeek_init()
{
print "This should fail but not crash";
# The following produces a run-time warning, "non-void function
# returning without a value" ... but not when inlined, since then
# there's no call to a script function occurring.
print Files::lookup_file("asdf");
print "This should return F";