From c7c3ff7af9fb1ae71c66cba892f5241043cb5b39 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Fri, 15 Jun 2012 16:01:59 -0700
Subject: [PATCH] Adding a SOCKS test case. However, I'm not sure the output is right.
---
 scripts/base/protocols/socks/main.bro | 101 ------------------
 .../Baseline/core.tunnels.socks/conn.log | 8 ++
 .../Baseline/core.tunnels.socks/http.log | 8 ++
 .../btest/Baseline/core.tunnels.socks/output | 11 ++
 .../Baseline/core.tunnels.socks/tunnel.log | 9 ++
 testing/btest/Traces/tunnels/socks.pcap | Bin 0 -> 5446 bytes
 testing/btest/core/tunnels/socks.bro | 19 ++++
 7 files changed, 55 insertions(+), 101 deletions(-)
 create mode 100644 testing/btest/Baseline/core.tunnels.socks/conn.log
 create mode 100644 testing/btest/Baseline/core.tunnels.socks/http.log
 create mode 100644 testing/btest/Baseline/core.tunnels.socks/output
 create mode 100644 testing/btest/Baseline/core.tunnels.socks/tunnel.log
 create mode 100644 testing/btest/Traces/tunnels/socks.pcap
 create mode 100644 testing/btest/core/tunnels/socks.bro
diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro
index bd27f4fb85..54d181e43e 100644
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@@ -13,104 +13,3 @@ event socks_request(c: connection, request_type: count, dstaddr: addr, dstname:
 {
 Tunnel::register([$cid=c$id, $tunnel_type=Tunnel::SOCKS, $uid=c$uid]);
 }
-
-#
-#global output = open_log_file("socks");
-#
-#type socks_conn: record {
-# id: conn_id;
-# t: time;
-# req: socks_request_type &optional;
-# dstaddr: addr &optional;
-# dstname: string &optional;
-# p: port &optional;
-# user: string &optional;
-# service: string &optional;
-# variant: string &default = "SOCKS v4";
-# granted: string &default = "no-reply";
-#};
-#
-#
-#global conns: table[conn_id] of socks_conn;
-#global proxies: set[addr] &read_expire = 24hrs;
-#
-#event socks_request(c: connection, t: socks_request_type, dstaddr: addr, dstname: string, p: port, user: string)
-# {
-# local id = c$id;
-#
-# local sc: socks_conn;
-# sc$id = id;
-# sc$t = c$start_time;
-# sc$req = t;
-#
-# if ( dstaddr != 0.0.0.0 )
-# sc$dstaddr = dstaddr;
-#
-# if ( dstname != "" )
-# sc$dstname = dstname;
-#
-# if ( p != 0/tcp )
-# sc$p = p;
-#
-# if ( user != "" )
-# sc$user = user;
-#
-# conns[id] = sc;
-# }
-#
-#event socks_reply(c: connection, granted: bool, dst: addr, p: port)
-# {
-# local id = c$id;
-# local sc: socks_conn;
-#
-# if ( id in conns )
-# sc = conns[id];
-# else
-# {
-# sc$id = id;
-# sc$t = c$start_time;
-# conns[id] = sc;
-# }
-#
-# sc$granted = granted ? "ok" : "denied";
-#
-# local proxy = c$id$resp_h;
-#
-# if ( proxy !in proxies )
-# {
-# NOTICE([$note=SOCKSProxy, $src=proxy, $sub=sc$variant,
-# $msg=fmt("SOCKS proxy seen at %s (%s)", proxy, sc$variant)]);
-# add proxies[proxy];
-# }
-# }
-#
-#function print_conn(sc: socks_conn)
-# {
-# local req = "";
-# if ( sc?$req )
-# {
-# if ( sc$req == SOCKS_CONNECTION )
-# req = "relay-to";
-# if ( sc$req == SOCKS_PORT )
-# req = "bind-port";
-# }
-#
-# local p = sc?$p ? fmt("%s", sc$p) : "";
-#
-# local dest = sc?$dstaddr
-# ? (fmt("%s:%s%s", sc$dstaddr, p, (sc?$dstname ? fmt(" (%s)", sc$dstname) : "")))
-# : (sc?$dstname ? fmt("%s:%s", sc$dstname, p) : "");
-# local user = sc?$user ? fmt(" (user %s)", sc?$user) : "";
-#
-# local service = sc?$service ? fmt(" [%s]", sc$service) : "";
-#
-# print output, fmt("%.6f %s %s %s %s-> %s%s", sc$t, id_string(sc$id), req,
-# dest, user, sc$granted, service);
-# }
-#
-#event connection_state_remove(c: connection)
-# {
-# if ( c$id in conns )
-# print_conn(conns[c$id]);
-# }
-#
diff --git a/testing/btest/Baseline/core.tunnels.socks/conn.log b/testing/btest/Baseline/core.tunnels.socks/conn.log
new file mode 100644
index 0000000000..9d5ae8efb1
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.socks/conn.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
+#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
+1208299429.265243 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 tcp http,socks 0.008138 152 3950 SF - 0 ShAaDdfF 9 632 9 4430 (empty)
diff --git a/testing/btest/Baseline/core.tunnels.socks/http.log b/testing/btest/Baseline/core.tunnels.socks/http.log
new file mode 100644
index 0000000000..2dcab3f254
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.socks/http.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
+#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
+1208299429.270361 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 1 GET www.icir.org / - curl/7.16.3 (powerpc-apple-darwin9.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 0 3677 200 OK - - - (empty) - - - text/html - -
diff --git a/testing/btest/Baseline/core.tunnels.socks/output b/testing/btest/Baseline/core.tunnels.socks/output
new file mode 100644
index 0000000000..8bf984a58a
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.socks/output
@@ -0,0 +1,11 @@
+[id=[orig_h=127.0.0.1, orig_p=62270/tcp, resp_h=127.0.0.1, resp_p=1080/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=177, flow_label=0], resp=[size=8, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0], start_time=1208299429.265243, duration=0.002565, service={
+SOCKS
+}, addl=, hot=0, history=ShAaDd, uid=UWkUyAuUGXf, tunnel=[], dpd=, conn=[ts=1208299429.265243, uid=UWkUyAuUGXf, id=[orig_h=127.0.0.1, orig_p=62270/tcp, resp_h=127.0.0.1, resp_p=1080/tcp], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=, local_orig=, missed_bytes=0, history=, orig_pkts=, orig_ip_bytes=, resp_pkts=, resp_ip_bytes=, parents={
+
+}], extract_orig=F, extract_resp=F, dns=, dns_state=, ftp=, http=, http_state=, irc=, smtp=, smtp_state=, ssh=, ssl=, syslog=]
+---
+1
+192.150.187.12
+
+80/tcp
+
diff --git a/testing/btest/Baseline/core.tunnels.socks/tunnel.log b/testing/btest/Baseline/core.tunnels.socks/tunnel.log
new file mode 100644
index 0000000000..9ccbe8af26
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.socks/tunnel.log
@@ -0,0 +1,9 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
+#types time string addr port addr port enum enum
+1208299429.267808 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 Tunnel::DISCOVER Tunnel::SOCKS
+1208299429.273401 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 Tunnel::CLOSE Tunnel::SOCKS
diff --git a/testing/btest/Traces/tunnels/socks.pcap b/testing/btest/Traces/tunnels/socks.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d70e2cb7dcbeefefc6e3ff9907f53a069e59e9bd GIT binary patch literal 5446 zcmcIo&2!{N6`%DERIJ260!8t0>4*Y$7fYJ)$J(CNXl;+j_7K}+JaV=cs@U{MJu|)5 zNJ@9hlgR;c;6PEu70x+u;X;Z_QpJTL2l59{l??}~_K+L5oH)Spx~2Khc)a0)s$@&8 z?qC10FBS?v zFBERb`!lDw`Q`JM9XaZ~g=f$Hvj%;O_n+LjdGqFt8!u>!I);`)p$GsH^G9sJ?fylkO|VECuk z@p>0<{tB4#&Uk(JY4bTalGporUI%p-S?JJpPpz_9UeeAvVa86Egrb7Hgay`yS-xwo zqFZq^AT0I_9LE7Me9Q(k+%ikIQ9#?%9h)%;TdgCjWNw)o0eTxg1M-Twx}+UO98d>? zfk{2e%!qZDv>neQF|^*X?ks6bnl#TJ=9uR%yZL2hZhH!P`uIBYd=nK5zkIQv?$kUl z{^F7U92_vu;xKQXkzvqEsf3!ZEopmLkP31WvW&{>XeVa!%O+Y`sjRJ5*0#{WvAd+T z2)iV#0-v$hBi0Hm|1P?Rw>_2 z!RjvVR*+s^TPu}_LDqevys@#h1=H#y^BHG2>=Ir`oTTq^)TZ^RL|XgV^ccDes!-|b0418K`X~c z==6N|s8K_@VObAWYnHX=?xi2r%u*S-42PV`nQ&lP^%Gt12@zK;OZtAWDm`zxXKJc7 zD~N!K=?h3vJi%=K|M0_fc=uwVvA|enZVPJYcouxwqaxd+|nP^kT(;0S=C2Yl8e`om)fkV&#?mKk+HeCzGakk$L3-f z5F}tw*4N`)chENN#}N|<_RK9^^)cm#+xL)dsaMAqR0PCvdjvIVtp++FVi2(l8g|hE zi;@@_s0p&Uq-0=QX+qkPE zJoA2;e|My@59>R7^)qQIf!naGcEo%FQV57U9b)b0uE{hvg+d%E&#yb z_D923S78(|=!R82ARPgQvjliyeh&}SN*D-WadC0PTzne3A-Qx8JfgTEa)rO^1REY{VswXP}SkVlBzNv$6bBejW`fhJ)73T z6OxiW(3O@^N^qN}=%{h>8al3@oTHPS*Bb{rZlif3wc*ptktwByz?Yw|mKgi~NG&s- zlUf-&qK!ELP$EJ7YZR0DEVCeboiGlu1(nSb>=`7(DTy8`6pcp${&D5wYjKPqR#!PDzRZJNUA!=aOh0qS77=5ro z7*qXY5`bOdKl%XeuGl z$s}-QVcM}fka-~eHXDFp|k3uM$Q(%DqwuRej_`XySrJVRy=_ zSwm_jIZYOX)rLspwPUw~$h&wmi3D*pO|xT1lNo9(hpEhcB}C~?L&oh;c@GDu7WLx< z8nl*2N$5eIgJetvG)W3b=5p8$p%JsF1KC}sYV{SKkTyG`4<+Id_oB%3qP}%Tx@kFa z{;2inQAmi6p5-Bwa5lA+|_Vq-<2*RNc zJp)z3OwC0(K=5UlNFt`Nn1Qcp3|$e1a_y1?Lunw1J)Y~ z??Tli>-+CRT|RsKp>O5u^6dEY@#BRz%GcHR@82mFPT&YG@3g)z{_wX(9w$8~yir!? 
z1gP&9?&s@!DFYm%Hh7qZKqq0T%#_pQbeZHeyX` z;SE`2XJyW~7@n^D#yi)vYR%J!$`UQzsYUTnl|`^Nh#D%+nz^#kZbOwijkFK`=trPO z8iH&3Dt05>j*{%S1qlXDAh*Rn;G$zeK z)*%QY&HhdjCR}a+72c>ADxJU%!r?HF4SPlEvj;yM@ChT_PB_VPnqo9tgHIbjt03n| zOdhcy%&QZlj8Y##beWA(cV?o?Bue=Q*F~wPb8!Ct)p=3MKTuKX<@vv|{c{e^KVHb= uO!2w)$E;6(aCKcD&HvR8qOX7W&NY1gH3#Qs-^=q!qpyDm>v}TJKK})-%m&W@ literal 0 HcmV?d00001
diff --git a/testing/btest/core/tunnels/socks.bro b/testing/btest/core/tunnels/socks.bro
new file mode 100644
index 0000000000..8ab288c9bd
--- /dev/null
+++ b/testing/btest/core/tunnels/socks.bro
@@ -0,0 +1,19 @@
+# @TEST-EXEC: bro -Cr $TRACES/tunnels/socks.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+
+event socks_request(c: connection, request_type: count, dstaddr: addr,
+ dstname: string, p: port, user: string)
+ {
+ print c;
+ print "---";
+ print request_type;
+ print dstaddr;
+ print dstname;
+ print p;
+ print user;
+ }
+
+
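Review bot: `print c;` in the new socks_request handler dumps the whole connection record, so the `output` baseline will break on any change to the `connection` record or its nested `conn` record (the many unset `conn=[...]` fields and the per-analyzer `dns=, ftp=, http=, ...` slots) even when SOCKS handling is untouched; printing just `print c$uid;` and `print c$id;` keeps the test pinned to what it actually exercises, while the values after `---` (type 1, 192.150.187.12, empty name, 80/tcp, empty user) are the SOCKS-specific checks and can stay. The baselines also show the tunneled HTTP logged under the proxy connection's uid UWkUyAuUGXf and 5-tuple 127.0.0.1:62270 → 127.0.0.1:1080, with conn.log `parents` empty and no log line naming 192.150.187.12:80; since the commit message itself doubts the output, the test should state which attribution it intends, e.g. `# TODO: confirm whether inner HTTP should be logged on the proxy connection (current baseline) or attributed to the SOCKS destination 192.150.187.12:80.` If the analyzer also raises a reply event, a handler printing the granted flag would cover the other half of the exchange, which tunnel.log's DISCOVER/CLOSE pair does not. The two trailing blank lines at the end of the file can be dropped.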