Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 16:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Adding a SOCKS test case.

Browse source 
However, I'm not sure the output is right.
This commit is contained in:
Robin Sommer 2012-06-15 16:01:59 -07:00
parent d727b4f68a
commit c7c3ff7af9
7 changed files with 55 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

101
scripts/base/protocols/socks/main.bro
View file

@ -13,104 +13,3 @@ event socks_request(c: connection, request_type: count, dstaddr: addr, dstname:
{ {
Tunnel::register([$cid=c$id, $tunnel_type=Tunnel::SOCKS, $uid=c$uid]); Tunnel::register([$cid=c$id, $tunnel_type=Tunnel::SOCKS, $uid=c$uid]);
} }
#
#global output = open_log_file("socks");
#
#type socks_conn: record {
# id: conn_id;
# t: time;
# req: socks_request_type &optional;
# dstaddr: addr &optional;
# dstname: string &optional;
# p: port &optional;
# user: string &optional;
# service: string &optional;
# variant: string &default = "SOCKS v4";
# granted: string &default = "no-reply";
#};
#
#
#global conns: table[conn_id] of socks_conn;
#global proxies: set[addr] &read_expire = 24hrs;
#
#event socks_request(c: connection, t: socks_request_type, dstaddr: addr, dstname: string, p: port, user: string)
# {
# local id = c$id;
#
# local sc: socks_conn;
# sc$id = id;
# sc$t = c$start_time;
# sc$req = t;
#
# if ( dstaddr != 0.0.0.0 )
# sc$dstaddr = dstaddr;
#
# if ( dstname != "" )
# sc$dstname = dstname;
#
# if ( p != 0/tcp )
# sc$p = p;
#
# if ( user != "" )
# sc$user = user;
#
# conns[id] = sc;
# }
#
#event socks_reply(c: connection, granted: bool, dst: addr, p: port)
# {
# local id = c$id;
# local sc: socks_conn;
#
# if ( id in conns )
# sc = conns[id];
# else
# {
# sc$id = id;
# sc$t = c$start_time;
# conns[id] = sc;
# }
#
# sc$granted = granted ? "ok" : "denied";
#
# local proxy = c$id$resp_h;
#
# if ( proxy !in proxies )
# {
# NOTICE([$note=SOCKSProxy, $src=proxy, $sub=sc$variant,
# $msg=fmt("SOCKS proxy seen at %s (%s)", proxy, sc$variant)]);
# add proxies[proxy];
# }
# }
#
#function print_conn(sc: socks_conn)
# {
# local req = "<unknown-type>";
# if ( sc?$req )
# {
# if ( sc$req == SOCKS_CONNECTION )
# req = "relay-to";
# if ( sc$req == SOCKS_PORT )
# req = "bind-port";
# }
#
# local p = sc?$p ? fmt("%s", sc$p) : "<no-port>";
#
# local dest = sc?$dstaddr
# ? (fmt("%s:%s%s", sc$dstaddr, p, (sc?$dstname ? fmt(" (%s)", sc$dstname) : "")))
# : (sc?$dstname ? fmt("%s:%s", sc$dstname, p) : "<no-dest>");
# local user = sc?$user ? fmt(" (user %s)", sc?$user) : "";
#
# local service = sc?$service ? fmt(" [%s]", sc$service) : "";
#
# print output, fmt("%.6f %s %s %s %s-> %s%s", sc$t, id_string(sc$id), req,
# dest, user, sc$granted, service);
# }
#
#event connection_state_remove(c: connection)
# {
# if ( c$id in conns )
# print_conn(conns[c$id]);
# }
#

8
testing/btest/Baseline/core.tunnels.socks/conn.log Normal file
View file

@ -0,0 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1208299429.265243 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 tcp http,socks 0.008138 152 3950 SF - 0 ShAaDdfF 9 632 9 4430 (empty)

8
testing/btest/Baseline/core.tunnels.socks/http.log Normal file
View file

@ -0,0 +1,8 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1208299429.270361 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 1 GET www.icir.org / - curl/7.16.3 (powerpc-apple-darwin9.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 0 3677 200 OK - - - (empty) - - - text/html - -

11
testing/btest/Baseline/core.tunnels.socks/output Normal file
View file

@ -0,0 +1,11 @@
[id=[orig_h=127.0.0.1, orig_p=62270/tcp, resp_h=127.0.0.1, resp_p=1080/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=177, flow_label=0], resp=[size=8, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0], start_time=1208299429.265243, duration=0.002565, service={
SOCKS
}, addl=, hot=0, history=ShAaDd, uid=UWkUyAuUGXf, tunnel=[], dpd=<uninitialized>, conn=[ts=1208299429.265243, uid=UWkUyAuUGXf, id=[orig_h=127.0.0.1, orig_p=62270/tcp, resp_h=127.0.0.1, resp_p=1080/tcp], proto=tcp, service=<uninitialized>, duration=<uninitialized>, orig_bytes=<uninitialized>, resp_bytes=<uninitialized>, conn_state=<uninitialized>, local_orig=<uninitialized>, missed_bytes=0, history=<uninitialized>, orig_pkts=<uninitialized>, orig_ip_bytes=<uninitialized>, resp_pkts=<uninitialized>, resp_ip_bytes=<uninitialized>, parents={
}], extract_orig=F, extract_resp=F, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, ssh=<uninitialized>, ssl=<uninitialized>, syslog=<uninitialized>]
---
1
192.150.187.12
80/tcp

9
testing/btest/Baseline/core.tunnels.socks/tunnel.log Normal file
View file

@ -0,0 +1,9 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
#types time string addr port addr port enum enum
1208299429.267808 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 Tunnel::DISCOVER Tunnel::SOCKS
1208299429.273401 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 Tunnel::CLOSE Tunnel::SOCKS

BIN
testing/btest/Traces/tunnels/socks.pcap Normal file
View file

Binary file not shown.

19
testing/btest/core/tunnels/socks.bro Normal file
View file

@ -0,0 +1,19 @@
# @TEST-EXEC: bro -Cr $TRACES/tunnels/socks.pcap %INPUT >output
# @TEST-EXEC: btest-diff output
# @TEST-EXEC: btest-diff tunnel.log
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff http.log
event socks_request(c: connection, request_type: count, dstaddr: addr,
dstname: string, p: port, user: string)
{
print c;
print "---";
print request_type;
print dstaddr;
print dstname;
print p;
print user;
}